Only Bounds
bounds are going to be the most impactful change to Rust that you’ve never heard of. They are currently being designed and developed by the Arm team (David Wood, Rémy Rakic, et al.) as part of the Sized Hierarchy and Scalable Vector Extension project goal. This post explores the feature and aims to answer a particular question about the design (the scope of bounds, I’ll explain). But before I dive in, I want to give a bit of context. In today’s Rust, every type parameter (except for ) has a default bound called : A type implements if the compiler can compute the size of a value at compilation time. This is true for almost every type, with a few notable exceptions. Consider , which refers to “some number of instances”. We know that a single is 4 bytes, but without knowing how many there are, you can’t know the size of . This means you can’t have a value of type on the stack (how big should the stack frame be?). However, if you have a function like , that just takes the value by reference (i.e., by pointer), you shouldn’t need to know how big the value is, because you’re not manipulating it directly. You can have a type parameter that doesn’t require , but you have to explicitly “opt out” from the default bound: As a fun bit of historical trivia, this system was introduced way back in 2014 to accommodate Dynamically Sized Types . Before that, was actually a built-in, indivisible type; we even wrote it like for a time. 1 The vs design has served us reasonably well but it is also showing its limits. It turns out that “value has a statically computable size” vs “each value has a distinct size computable at runtime” doesn’t cover all the things you might want. For example, types are types whose values have no known size, even at runtime. And then Arm’s Scalable Vector Extension want to describe SIMD types where every value of the type has the same size (unlike and , where each value can have a different length) but where that size is not known until runtime. Rather than just or , what we really want is to have a richer hierarchy. The current plans look something like this: Two caveats: But now we have a kind of problem. The notation was predicated 3 on the idea that users should specify the default bound they are opting out of – i.e., the is meant to say “I don’t know if this is or not” (unlike the default, where you know it is ). But “opting out” from a bound doesn’t work so well with a multi-level hierarchy. When you write , does that correspond to (but not )? And what if we want to insert another level in between and later? Then we either have to change what means (to refer to the new bound) or we have to have drop two levels down the hierarchy. Even more annoying, what do we do while that middle rung is unstable? Surely shouldn’t refer to an unstable trait… what if we decide to remove it The new proposal is to write or instead of . An bound combines two things: The name comes from the fact that implies . So the default of already means that for free; but when you write only MetadataSized, you are saying “I don’t need the full hierarchy, just will do”. A nice feature of bounds is that they work more like a regular bound. Whereas a bound is saying “I don’t need this”, an bound is saying what you do need. So e.g. if you are writing a function that just has references to values of type does not care what their size is, you can write If you are writing a function that does need to compute the size of values of type , you can ask for that capability: A nice feature of bounds is that, later on, we can add new levels to the hierarchy, and they work normally. For example, suppose we wish to add something like where the size is not known at compilation time but the alignment is . We could change the hierarchy to and functions with (like ) and with (with ) would continue to have the same requirements. But new functions could be written with that would use the new bound. And there is no conflict with stabilization; code that writes can be considered unstable until that middle hierarchy is finalized. Like any other bound, bounds are combined with other bounds to form the overall requirements. So it is possible to write e.g. . This is equivalent to and therefore equivalent to the default and therefore kind of pointless, but you can write it. Similarly, given that , if you write , that is kind of pointless too: you might as well write , which would be equivalent. We plan to have a warn-by-default lint for that. The final strength of bounds is that they allow us to introduce whole new families of default bounds. One example is the idea of introducing a bound . Note that this is a distinct feature and is not covered under the current RFC . All types in Rust today are “movable” and “forgettable”, meaning that you can memcpy the value from place to place so long as you stop using the previous location and you can recycle the memory where it is stored without running the value’s destructor. There is one notable exception – when you pin a value, you it can no longer be moved, and you must run its destructor before its memory is reused – but otherwise this is a hard-and-fast rule. And that’s annoying! The problem is that not being able to guarantee that a destructor runs blocks a lot of unsafe code patterns. For example, scoped tasks a la depend on a destructor for safety . In sync code, this works because we’ve decided it’s UB to unwind a stack frame without running the destructors of values stored there, and so if you put a local variable on the stack, you can be sure its destructor will run. But that doesn’t work in code! And there are times when unwinding without running destructors would be nice. The solution is to introduce a second family of default traits. Unlike the family we saw before, this family defines fine-grained capabilities about how values of that type can be used: The meaning of the traits are as follows: This introduces new checks into the compiler: Some implications: The spur for writing this blog post was a question in a lang team meeting on how bounds ought to work given the existence of multiple “families” of default traits, as I described above. Although the current RFC is looking only at the traits, we expect to look at the “access family” in a future RFC, so we want to be sure we are not making any decisions that won’t scale to cover both. The way I imagine it working is like this. Each default traits is associated with one or more “families”. When you have an only bound, it “opts out” from all default traits in each family that the trait is associated with: You may also want to “opt back in” to some defaults. For example, is a sensible thing to do. It means values that can be moved and destructed but not leaked or forgotten. is an example of a function that only needs . You need to be able to destructure (which moves the optional value out into a local variable and then invoke the closure , which again moves the wrapped value : One interesting thing is the result type . Using only the stuff I wrote in this blog post, it needs to be , because the result will be moved into the value and so forth. But in-place-init would allow for this definition to omit the bound because we could statically guarantee that the will be constructed in place and never moved after that. The method on returns if it is and otherwise returns . This is an interesting one because the value may not be used and therefore requires bounds. The type is an example where we would want to relax bounds from both families: I believe the proper minimum bounds for are: The post may be a bit confusing here. The current RFC is looking only at the proposed “Sized” traits. The family is a speculative future extension that we are exploring but at a much earlier stage. In the beginning, the plan would be that can only be used for well-known, default traits (e.g., , , etc). In the future though there are some thoughts to generalizing it. An alternative that was proposed is to have the opt-out be per-type-parameter. So you might write something like which would “opt out” from all defaulted bounds. Obviously we’d have to bikeshed the syntax, but ignore that for now. The question is whether opting out of all defaults is better than opting out of a single family. I prefer the per-family option for two reasons: Because the , , and similar traits mostly apply to owned values. The examples we saw with were quite typical. And when you are moving values of type around, you need that to be . Yes, that’s true, and I think that particular combo will be common. I don’t think that’s an argument for the approach on its own, though, particularly since that case would not be much cleaner or shorter… …what I think that argues for is actually trait aliases and shorthands . Yes! I think that a future RFC could extend only bounds to allow you to define trait aliases with “only bounds” as supertraits: You could then use an bound to define : Without the , would just be a regular trait bound and would not opt-out from any defaults. Yes, we could! You could define an alias like : Since and are both implemented for all types, this effectively becomes part of both families: Then you can do and opt out from both families at once. Ay, there’s the rub. If we wish to add a new family in the future, let’s say for values that don’t live in the same memory space ( …?), then would be “out of date” because code written against would still be assuming uni-memory-space values. But we could make into an edition-dependent alias or something like that, as has been discussed. Yes! We can introduce a root trait at any time. So we can add the -ness family first, then the family, and then see how we feel. Maybe we find people are very commonly opting out of both– in which case, some aliases are useful, or perhaps a variant. The only way we might “regret” it is if, in practice, people usually just opted out of both and then opted back in to what they want specifically. But we already know that will be common and clearly is more awkward in that case, so I don’t consider that very likely. That name comes from the RFC. There are a few reasons to move away from . The first is that it is possible to have a destructor even if you don’t implement : really refers to user-provided logic in the destructor, but the compiler adds its own logic (“drop glue”, it’s sometimes called) to drop all the fields in the value. The second reason is that the trait itself needs some revision, so moving away from that name lets us have other ways to specify custom logic (e.g., pinned self, or by-value, etc etc). Quite beautifully! In fact, the proposal from Arm for SVE is to introduce the idea of being “a type whose size can be computed at compilation time”, which I find quite elegant. Similarly was proposed by the const RFC as a way to say that a value has a constant destructor. My original proposal for introducing linear types had extending . This would mean that the proposal could simply do and not . However, Alice Ryhl and others pointed out that there are immovable types that must nonetheless be destructed, so it doesn’t make sense to combine those. The Project Goal has a lot of details. The latest updates are available on the tracking issue . If you like watching videos, I recommend David Wood’s Rust Nation talk . I want to close with a meta-observation and a big shout-out to the Arm team. I think they are showing how awesome open-source can be. The Arm team’s primary motivation is adding support for Scalable Vector Extension. This helps Rust make full use of Arm processors. This is, in and of itself, a laudable goal, and valuable to Rust: One of Rust’s assets, in my view, is that it gives you access to all the power your processor has to provide, and that should include unique extensions. But rather than add the feature as a kind of special-case extension to Rust, the Arm team is going further and driving a general purpose improvement, one that will unlock a bunch of other features (extern types and, to some extent, guaranteed destructors; guaranteed destructores themselves unlock scoped async threads and better Wasm integration). I love that. In fact, I recall that in one of my blog posts I proposed writing as the way to spell . I kinda wish we had done that just for the sheer wackiness of it ( ). ↩︎ I prefer names that refer to the operations that can be performed on the values, so e.g. instead of I would prefer , since it means that you can invoke the function on it. ↩︎ Little logic pun there for you. ↩︎ means that all values have the same size and that size can be computed knowing only the type. means that values can have different sizes and that size can be computed given the metadata attached to a reference to the value. Examples include or . is implemented for all values and tells you nothing about the value’s size. I’m excluding the way that Arm’s Scalable Vector Extension fit into this, because it’s orthogonal. The trait names aren’t settled. I’m using the names I understand the libs-api team to prefer; they’re not my favorites, but that’s ultimately the team who owns stdlib bikesheds, so I defer to them. 2 Like any bound, it includes a “minimum requirement” – i.e., means that must implement at least . It additionally disables some default bounds – i.e., we will not add the default bound. , the default, says that you can recycle the memory for a value without running its destructor. says that you can skip running a destructor for a value, but only if you never reuse the memory where the value resides. says that if you have a value of this type, you can reuse the memory where it resides by running its destructor. , which already exists, says that you can memcpy the place and keep using the original place; it’s not really a default, but I included it because it is relevant. , another default, says that you can memcpy the value to a new place if you stop using the original. is the root of this family. It indicates a value that can be “accessed in place” (basically, any value at all). When you move a value (i.e., where is not used later), we will check that the type implements (whereas today, it is always allowed). When you exit a scope, we will check that the values in each local variables have either been moved or have a type that implements . If your function owns a value of type , then you must destruct it before your function returns. You can’t move it (because you don’t know if it implements ) and you can’t leak or forget it either. If your function owns a value of type , then the only thing you can do with it is move it somewhere else. You can’t drop it (because you don’t know if it implements ). No function can own a value of type , because you wouldn’t be able to move it nor drop it, and hence you could not return. But you could have such a value (say) in a . opts out from , , – but not . opts out from , , and – but not . opts out from – but not or . opts out from – but not or . because while it can store or things, it doesn’t have to, it can also store things of an non-computable size (although it does raise the question of how they would be freed, but that’s an allocator concern). because values can form cycles and thus we can’t ever guarantee the destructor will be run. Interestingly, can implement even its contents don’t. First, things like demonstrate that you might very reasonably which to opt out from a single family but retain the default bound. I think it’s likely that there will be many functions that want to opt out of or but not both . You might think that we could make to get the same effect, but I think that would be a mistake. The fact that a value’s size must be computed dynamically doesn’t inherently mean it can’t be moved. Second, it makes it harder to introduce new families later, if we decide there are other orthogonal properties of values that we’d like to relax. In fact, I recall that in one of my blog posts I proposed writing as the way to spell . I kinda wish we had done that just for the sheer wackiness of it ( ). ↩︎ I prefer names that refer to the operations that can be performed on the values, so e.g. instead of I would prefer , since it means that you can invoke the function on it. ↩︎ Little logic pun there for you. ↩︎