Moving out of a function both owned and borrowed entities?

Wandalen · November 5, 2021, 7:38pm

Thanks. Interesting does it fix the original problem. I will try. Is that solution based on the assumption?

steffahn · November 5, 2021, 7:40pm

It avoids the need for such a conversion, yes.

Wandalen · November 5, 2021, 7:40pm

Basically you moved out dst_buffer_bytes from the structure if I understand it correctly.

Wandalen · November 5, 2021, 7:43pm

Basically as_byte_slice just reinterprets any kind of structure as bytes.

steffahn · November 5, 2021, 7:49pm

That should be a feasible solution as-well. If you want a still-maintained crate alternative, try ouroboros

Wandalen · November 5, 2021, 7:50pm

Oh, cool! Looking into that too.

H2CO3 · November 5, 2021, 8:03pm

Sorry but your assumption is incorrect. If field F of the struct is at address A, and another field points to address A, then it will still point to address A even after you will have moved the struct to another place (say, address B). Hence, it will be a dangling pointer. If you somehow force the compiler to still accept the code, you will have problems with that dangling pointer, and therefore you should not do that.

Wandalen · November 5, 2021, 8:09pm

But owner of data is moved with the reference. Hence no deallcation of memory happen and no dangling pointer.

At least in theory having zero knowledge about the actual implementation of the compiler logic it looks like that.

H2CO3 · November 5, 2021, 9:07pm

The dangling reference isn't created by deallocation. It is created by the fact that the value is moved out of the place where it keeps pointing. That's what a move means: moving the value from one place to another. The place from where it is moved is invalidated, considered uninitialized, and may not be accessed again.

Wandalen · November 6, 2021, 6:10am

But both dst_buffer_bytes and dst_cursor point on the same data which continue to be available. And both returned. I don't understand why that should not work. I thought it is something what Rust have out of the box. Anyway thanks for explanations.

Wandalen · November 6, 2021, 6:24am

I see no theoretical reason why that code should not work. That's a pity Rust does not support it currently.

Wandalen · November 6, 2021, 6:42am

Simplified problem

H2CO3 · November 6, 2021, 7:12am

That is true, and it is not the issue. Those are both borrows. There is no problem with putting two simultaneous borrows into the same struct.

The issue is that the owned buffer, dst_buffer is also inside the same struct that contains borrows to itself. Consider the following, simplified scenario which only involves primitive types for the sake of understanding. I am using raw pointers instead of references, so that I can intentionally shoot myself in the foot despite the attempts of the type system to prevent me from doing exactly that (Playground):

#[derive(Debug)]
struct SelfRef {
    value: usize,
    pointer: *const usize,
}

fn main() {
    let mut x = SelfRef { value: 42, pointer: std::ptr::null() };
    x.pointer = &x.value;
    
    println!("&x.value = {:p}; x = {:#?}", &x.value, x);
    
    // Let's move `x` to another place, say `y`.
    let y = x;
    
    println!("&y.value = {:p}; y = {:#?}", &y.value, y);
}

This prints the following:

&x.value = 0x7fff29c73fa8; x = SelfRef {
    value: 42,
    pointer: 0x00007fff29c73fa8,
}
&y.value = 0x7fff29c74020; y = SelfRef {
    value: 42,
    pointer: 0x00007fff29c73fa8,
}

As you can see, the address of the field y.value is different from the address of the field x.value. This happens because x and y are distinct variables and live in two different locations in memory. However, moves in Rust are just byte-wise copies where the source will be considered invalid (uninitialized) after the move is completed. Therefore, the pointer-valued field isn't magically updated to point to the address of the field inside the new variable, y.value. So y.pointer will still point to x.value, which, however, doesn't exist anymore, precisely because it has been moved out.

To further illustrate this with ASCII art: this is how memory looks like after x is initialized but y is not yet:

+-----------+-------------------------+-----+---------------+---------------+
| value: 42 | pointer: 0x7fff29c73fa8 | ... | uninitialized | uninitialized |
+-----------+-------------------------+-----+---------------+---------------+
^           ^                               ^               ^
|           +-- address 0x7fff29c73fb0      |               +-- address 0x7fff29c74028
+-- address 0x7fff29c73fa8                  +-- address 0x7fff29c74020

And this is what it looks like after the contents of variable x has been moved to variable y:

+---------------+---------------+---------------+-----------+-------------------------+
| uninitialized | uninitialized |      ...      | value: 42 | pointer: 0x7fff29c73fa8 |
+---------------+---------------+---------------+-----------+-------------------------+
^               ^                               ^           ^
|               +-- address 0x7fff29c73fb0      |           +-- address 0x7fff29c74028
+-- address 0x7fff29c73fa8                      +-- address 0x7fff29c74020

As you can see, the values (the actual numerical contents of value and the contents of pointer) didn't change, but the location of the value in memory (i.e., the "identity" of which variable they are stored in) did. That's what a move is.

However, the pointer not having changed means that it still points inside the now-defunct variable. This in turn means that dereferencing it and using the referred (non-)value is Undefined Behavior. (If you had a reference instead of a raw pointer, the situation would be even worse, because you wouldn't even need to dereference it to cause instant UB: the mere existence of a reference that points to uninitialized memory is considered UB in itself.)

This is not something that needs to be "supported". This is a programmer error that needs to be detected, and Rust is super successful in detecting this kind of mistake.

_{Of course, when an owning heap allocation (e.g. a Box) is involved, you could technically argue that the location of the heap-allocated object doesn't change because things move around on the stack. That is true. However, due to the way references are related to each other, any reference derived from the heap allocation would also be considered invalid after the heap-allocating smart pointer or container has itself moved.

This in turn can be worked around by using raw pointers and unsafe code in a way that is correct and sound. However, is highly recommended against, because needing a self-referential type is a code smell. There are much, much better and cleaner ways of solving this kind of problem safely; the usual recommendation is that you split up the type into an owner and a view type. This also helps with decoupling, encapsulation, and upholding the single responsibility principle.}

Wandalen · November 6, 2021, 9:08am

Thanks. Interesting. I am trying to understand.

Wandalen · November 6, 2021, 9:54am

What about this?

use byte_slice_cast::*;
use owning_ref::*;

fn main() {
    let context = Context::new();
    dbg!(&context);
    dbg!(context.dst.as_owner());
    dbg!(&*context.dst);
}

//

#[derive(Debug)]
struct Context {
    // pub dst_buffer : Box::< [ f32 ] >,
    // pub dst_buffer_bytes : &'a [ u8 ],
    pub dst: OwningRef<Box<[f32]>, [u8]>,
}

//

impl Context {
    fn new() -> Context {
        let len: usize = 2;
        let dst_buffer: Box<[f32]> = vec![0_f32; len].into_boxed_slice();
        // let dst_buffer_bytes = dst_buffer.as_byte_slice();

        let dst = OwningRef::new(dst_buffer);
        let dst = dst.map(|dst_buffer| dst_buffer.as_byte_slice());

        Context { dst }
        // Context { dst_buffer, dst_buffer_bytes }
    }
}

Do you see any problem with such solution?

Playground

H2CO3 · November 6, 2021, 10:23am

OwningRef works by pretty much unconditionally requiring a heap-allocated container. In addition, it uses raw pointers and encapsulates any unsafe code, so that provenance rules aren't violated.

I'm pretty confident it should be safe to use, because it has been around for a long time, and probably many people have scrutinized its implementation.

I don't use it myself, though, and I generally dislike the whole idea of owning references, purely from an architectural point of view. And while I have utmost respect for people who contribute to the community correct abstractions over unsafe implementations, I still prefer not to rely on unsafe except as a last resort. Your mileage may vary, but I feel that Rust's ownership model (and the escape hatches provided by std) fit the overwhelming majority of the kind of real-world code that programmers need to write. Nowadays, I prefer to use unsafe purely for FFI interaction, and basically never for manual memory management.

Wandalen · November 6, 2021, 10:30am

Sound like you prefer Type Theory, Lambda Calculus and Math over Turing Machine and Computer Architecture centered approaches. Thanks for recommendation.

steffahn · November 6, 2021, 10:52am

Actually, there are multiple open soundness issues.

github.com/Kimundi/owning-ref-rs

`OwningRef::map` is unsound

opened 12:20PM - 18 Jan 21 UTC

steffahn

```rust fn main() { let x = OwningRef::new(Box::new(())); let z: Owni…ngRef<Box<()>, str>; { let s = "Hello World!".to_string(); let s_ref: &str = &s; let y: OwningRef<Box<()>, &str> = x.map(|_| &s_ref); z = y.map(|s: &&str| *s); // s deallocated here } println!("{}", &*z); // printing garbage, accessing `s` after it’s freed } ``` ## Explanation Since ```rust pub fn map<F, U: ?Sized>(self, f: F) -> OwningRef<O, U> where O: StableAddress, F: FnOnce(&T) -> &U, ``` supports non-`'static` types for `U` and `F`, we can use `U == &'short T` to turn ```rust OwningRef<Box<()>, ()> ``` into ```rust OwningRef<Box<()>, &'short T> ``` In the example code above, `T == str` and the call to `map` is `.map(|_| &s_ref)`. Then, on the next call to `map`, you only need to provide an ```rust FnOnce(&&'short T) -> &U ``` i.e. ```rust for<'a> FnOnce(&'a &'short T) -> &'a U ``` Since `&'a &'short T` comes with an implicit `'short: 'a` bound, you can easily turn the ```rust OwningRef<Box<()>, &'short T> ``` into ```rust OwningRef<Box<()>, T> ``` in effect liberating yourself from the `'short` bound. The call to `map` in the example is `.map(|s: &&str| *s)`. ## Another example I also managed to create a general `transmute_lifetime` function: ```rust fn transmute_lifetime<'a, 'b, T>(r: &'a T) -> &'b T { let r = &r; let x = OwningRef::new(Box::new(())).map(|_| &r).map(|r| &***r); &*Box::leak(Box::new(x)) } ``` which works like this: ```rust OwningRef<Box<()>, ()> ⇓ // by OwningRef::map OwningRef<Box<()>, &'short &'a T> ⇓ // by OwningRef::map OwningRef<Box<()>, T> ⇓ // by Box::new Box<OwningRef<Box<()>, T>> ⇓ // by Box::leak &'b OwningRef<Box<()>, T> ⇓ // dereferencing &'b T ```

github.com/Kimundi/owning-ref-rs

OwningRefMut::as_owner and as_owner_mut are unsound

opened 02:24AM - 22 Mar 20 UTC

comex

No fancy Stacked Borrows stuff in this one, just normal memory unsafety. These …methods of `OwningRefMut`: ```rust /// A reference to the underlying owner. pub fn as_owner(&self) -> &O { &self.owner } /// A mutable reference to the underlying owner. pub fn as_owner_mut(&mut self) -> &mut O { &mut self.owner } ``` ...are both unsound, because they can be used to access the owner object while the associated reference thinks it has unique access to it. In particular, it can be used to modify that data and invalidate the reference. (Doing so is straightforward with `as_owner_mut`, and is still possible with `as_owner` with some interior mutability shenanigans.) [Here is a simple test case](https://github.com/comex/owning_ref_bug/blob/master/src/main.rs) for both methods. Clone the repo and run either - `RUSTFLAGS="-Zsanitizer=address" cargo test as_owner_mut_is_unsound` - `RUSTFLAGS="-Zsanitizer=address" cargo test as_owner_is_unsound` and you should get a heap-use-after-free error. This doesn't affect the non-Mut `OwningRef`; `OwningRef::as_owner` is sound.

github.com/Kimundi/owning-ref-rs

OwningRef is in conflict with `noalias`

opened 09:40AM - 14 Aug 19 UTC

RalfJung

See the discussion [starting here](https://github.com/rust-lang/unsafe-code-guid…elines/issues/194#issuecomment-520934222): It is possible to trigger UB in safe code using owning-ref. Specifically, the assertion in the following [snippet by @comex](https://play.rust-lang.org/?version=stable&mode=release&edition=2018&gist=12d8fae25300c0d99406146470945199) fails, even though it should succeed: ```rust extern crate owning_ref; // 0.4.0 use owning_ref::OwningRef; use std::cell::Cell; fn helper(owning_ref: OwningRef<Box<Cell<u8>>, Cell<u8>>) -> u8 { owning_ref.as_owner().set(10); owning_ref.set(20); owning_ref.as_owner().get() // should return 20 } fn main() { let val: Box<Cell<u8>> = Box::new(Cell::new(25)); let owning_ref = OwningRef::new(val); let res = helper(owning_ref); assert_eq!(res, 20); // assertion fails! } ```

Most of them should be fixable, some of them are super old; the crate probably could be more actively maintained than it currently is.

system · February 4, 2022, 10:52am

This topic was automatically closed 90 days after the last reply. We invite you to open a new topic if you have further questions or comments.

Topic		Replies	Views
Moving out of a function both owned and borrowed entities properly? help	24	703	February 9, 2022
Moving out of a borrow (exception)?	14	1886	January 12, 2023
"Cannot move out of borrowed content", why? help	10	5163	January 12, 2023
Move out of borrowed content and assignment help	8	1611	January 12, 2023
Cannot move out of borrowed context: access struct field help	3	5351	January 12, 2023

Moving out of a function both owned and borrowed entities?

Related Topics