The Pain of Real Linear Types in Rust (opens in new tab)

(gankro.github.io)

167 pointsGankro8y ago81 comments

81 comments

A lot of the awkwardness that the author describes comes from destructors, which Rust has taken from C++. In fact, Rust has even inherited the incoherence between destructors and exceptions from C++, due to the lack of a solution to the double-throw problem and the need to write unsafe code that is correct in the face of unwinding.

The 'dropck' pass is one of the corners of the language that has no precedent in a type system that has been proven sound (at least as far as I am aware, someone please correct me if i'm wrong), and it has had a lot of soundness issues in the past.

The fact that destructors have magical powers that the language refuses to bestow on ordinary functions is a bad sign. And destructors are terrible for predictable code: the order in which destructors run for temporary results in a single expression is not even specified by the language, and there are some surprises (https://aochagavia.github.io/blog/exploring-rusts-unspecifie...) that make it harder to write correct unsafe code.

If you were to design a language from the ground up with linear types and no destructors, it would be dramatically simpler than Rust.

kibwen8y ago

I agree that dropck is scary and needs more verification before we can have reasonable assurance of its soundness. But you're being unnecessarily reductive here: the tradeoff between control and ergonomics offered by destructors is well-known. If you think Rust is verbose today, imagine a Rust where every value had to be explicitly disposed of in every scope (including temporaries). Graydon was well aware of strictly-linear type systems, and chose to go with destructors for (heh) sound reasons.

cwzwarich8y ago

It's not like destructors actually remove the complexity. The extra function call you need to add to replace the destructor is already present in your program; it's merely hidden from view. If you are trying to verify the code you have written (either informally or formally) and want to consider all paths through the program, then you need to include the invisible control-flow created by the compiler for destructors. I don't see how it gets any simpler by not being written in your program.

2 more replies

GankroOP8y ago

Yeah dropck is a fun little gem, which has received several post-1.0 revisions due to soundness problems.

I agree the system you propose would be simpler in terms of spec and effort, but I don't know about simpler to use. Much like removing mutable references in favour of `foo(X) -> X` would be a simpler type system, but awful to use compared to `foo(&mut X)`.

cwzwarich8y ago

The simplest system to use is unrestricted references with some form of automatic garbage collection. If you decide that you want a type system that statically tracks resource utilization, why stop halfway at something that only partially solves the problem? I guess you could one-up linear types here and ask for a type system that makes all creation and destruction of information explicit, e.g. https://www.cs.indiana.edu/~sabry/papers/reversible-logic.pd..., but this is probably a more useful route to explore for a hardware design language than a software programming language.

3 more replies

pierrebai8y ago

Double-exception handling during stack unwinding in C++ is the thing I disagree most with.

And Í talk from experience.

Back in the early 2000, I modified both MS VS runtime and gcc to be able to safely throw from destructors. Note to doubters that Java allows such double-exception cases and gcc already had code back then to deal with the Java case.

The way to do it is to implicitly assume that every destructor ran during stack unwinding has a try/catch surrounding it. This way, a first exception can be thrown from a destructor, but all exceptions that ultimately escape a destructor invoked during unwinding gets eaten. (Note: you can still provide your own explicit try catch in a destructor if you care about it.)

My experience with this tweak was that the horror story people come up with to reject this approach is unfounded. Here are the reasons:

1. The actual case of double-exceptions are very, very rare.

2. In the case that do arise, the second exception is often either a consequence of the first (for example, trying to access a DB were teh first exception was a failure in some DB code) or the exact same (for example running out of memory).

3. In my experience (although, since the 2nd exception is lost, I cannot actively prove this), the first exceptionis the relevant one. This is especially true due to point #2.

4. In my experience, code that care about the exact type of exception is most often either wrong or misguided. This is because such code assumes complete prescient power over what exceptions can be thrown.

5. In my experience, catching exceptions is 99% done in the top-level message or task dispatching, which doesn't care about the type of exceptions or how many occured: you just abort the operation and do some logging.

6. The fact that double exceptions are handled gracefully informs your design, which builds up and reinforce all previous points.

I once had discussion on this in the 90s in comp.lang.std.c++ and comp.lang.c++. People would not listen.

Note: to do it with STL, you do have to add try/catch within destroy() calls within containers to be able to destroy all items.

cwzwarich8y ago

I agree. The sad thing is that an effect system to ensure that destructors and other unwinding code can't throw new exceptions is quite simple to add to a language. Depending on the language/libraries it might cause a need to expose some new library functions that don't throw exceptions, but it's already a bad sign if you're doing nontrivial failure-prone work in destructors anyways.

Animats8y ago

Destructors seem to be a pain point for functional programming people. They're inherently imperative; they don't return anything because they have no one to return it to.

The "unsafe code" problem comes mostly from backpointers. If you have a data structure with a doubly linked list, and the forward pointer and backpointer are both pure references and can't be null, no order of destruction is strictly valid. You can't create, destroy, or manipulate a doubly linked list or a tree with backpointers in safe Rust. That's a problem.

Maybe forward pointer/backpointer pairs need to be a language level concept. The compiler needs to know that the forward pointer and the backpointer are in a relationship. The pair needs to be manipulated as a unit. You have to have mutable ownership of both references to manipulate either. The borrow checker and destructor ordering need to understand this.

derefr8y ago

> They're inherently imperative; they don't return anything because they have no one to return it to.

If your think of your whole program as being a wrapped in an implicit State monad, holding a POSIXProcessState (e.g. exit code, registered signal handlers, file descriptors, etc.), then destructors are (POSIXProcessState -> POSIXProcessState) functions.

> You can't create, destroy, or manipulate a doubly linked list or a tree with backpointers in safe Rust. ... Maybe forward pointer/backpointer pairs need to be a language level concept.

You can define abstractions like this using unsafe code just fine. It doesn't need to be part of the language. (Think about how C++ "smart pointers" work: it's just a library.)

mafribe8y ago

   Destructors seem to be a 
   pain point

The problem is not so much typing as such (things that don't return anything but terminate -- as destructors do -- can be typed as Unit) but rather to find a good trade-off between expressivity of the language and simplicity of the typing system.

Basically explicit destructors mean the typing system needs to track lifetimes and ownership in some form or shape. There seem to be two main options.

- Simple lifetime/ownership scheme, but then you need a garbage collector anyway, and that it's mostly pointless to have explicit destructors. Just let every variable be cleaned up by the GC makes for a simpler language (under the hood clever escape analysis might be used for stack allocation of variables that don't escape their activation context).

- Avoid a GC, but then you need a complex typing system with unique owners to have any chance at expressivity (and you still need unsafe blocks and reference counting). This is Rust's choice.

Another issue is how consistently to combine destructors with other effects, in particular exceptions.

   Pointer/backpointer pairs 
   need to be a language level 
   concept.

As "JoshTriplett" also suggests, this is certainly an interesting idea, but I don't think a compelling choice has been found yet.

1 more reply

JoshTriplett8y ago

> Maybe forward pointer/backpointer pairs need to be a language level concept. The compiler needs to know that the forward pointer and the backpointer are in a relationship. The pair needs to be manipulated as a unit. You have to have mutable ownership of both references to manipulate either. The borrow checker and destructor ordering need to understand this.

There are many more patterns where that came from, and you don't want to teach the compiler about all of them. I don't think there's anything wrong with having a lower-level "unsafe" mechanism to let you use the language itself to build new types of structures that then provide a safe interface.

As a random example, consider the rust "intrusive-collections" crate (https://crates.io/crates/intrusive-collections), which provides the kind of "no extra pointer" linked list where you can embed a list head (or multiple list heads) directly in your structure. I don't think every such crate should have its functionality native in the compiler.

1 more reply

stuhood8y ago

This is a really interesting thought. In the presence of must-use types, you'd imagine that types with side effecting Drop impls (like files), would want to migrate to eventually being used/consumed by a "close" method. But doing that safely in the presence of panics would require... exception handlers?...

panic8y ago

You could use something like Go's 'defer' statement to ensure 'close' is called before the current function returns.

1 more reply

kibwen8y ago

Because it's not entirely clear from the title and introduction, this essay is actually arguing against extending Rust's type system to include linear types, rather than critiquing the type system as it currently exists (which people often colloquially describe as having "linear types" even if it technically doesn't).

EDIT: The intro has been updated to be clearer, so now I just look like an idiot. :)

mafribe8y ago

   arguing against

The argument doesn't come from a position of deep understanding of substructural types. Once you have affine types (as Rust does), linear is not really a major step. Whether it's worthwhile from a pragmatic POV is a different question.

GankroOP8y ago

This is really ignoring how relevant and affine types interact with different features. For example, unwinding makes perfect sense with affine, not so with relevant. Rust has unwinding, and no effect system to track whether something can or can't unwind.

I also make it very clear that the implementation is mostly free. It's just using tools we already have with minor tweaks. Most of my issues are exactly the pragmatic matters: your standard library isn't built to handle it, nothing in the ecosystem is built to handle it, and it everyone has to opt into support for backwards compatibility reasons.

johncolanduoni8y ago

> Whether it's worthwhile from a pragmatic POV is a different question.

Which is exactly what they're purporting to answer...

kibwen8y ago

Pragmatic concerns appear to be the bulk of this argument against them.

1 more reply

lmm8y ago

As a Scala user: the further I've got into a functional/MLey style the more linear my code has become. Options or collections are very naturally handled with "fold" (cata). Loops probably shouldn't be infinite - if you're looping it's usually because you're folding along a data structure, and those ought to be finite (one of the ideas I'm toying with is a type-level natural indexed recursion-schemes like library, to make it easy to construct recursive structures that are known-finite).

I don't know if it's where Rust wants to be, but I want a practical-oriented ML-family language that does this.

burntsushi8y ago

Friendly challenge (because I agree with you, but constantly run into limitations):

I loop over strings a lot. Can I fit them into a nice recursive structure without runtime overhead?

Bonus round: My loops over strings often aren't straight-forward one-byte-at-a-time iterations. Sometimes my loops look at 8 or even 16 bytes in a single iteration. How does that fit in with more sophisticated types like you're describing?

lmm8y ago

In practice, probably not.

In theory, there's no reason one couldn't compile a linked list in source to a flat array at runtime if the access pattern was right (and linear types should make that kind of optimization a lot more practical. This might even be something one could implement "in userspace" in a language with linear types - like a safe version of an iterator. Certainly I'd be excited to try - I'm not claiming this is immediately production-quality). Or one could ask where the string is coming from in the first place, and trust some kind of fusion-style optimization to remove the intermediate datastructure entirely at runtime.

Peeling off the front 8 or 16 elements should be no harder than peeling off the front 1, though naively you might have to handle each partial case from 1 to 15.

2 more replies

mafribe8y ago

As a typing system developer I suspect there is a hard trade-off / sweetspot between complexity of the types/fold constructs and guarantees that can be enforced by types.

   How does that fit

Probably doesn't and typing systems for general purpose languages will probably have to fall back on general recursion to handle it. And there's nothing wrong with this. Language simplicity is also a virtue. If your recursion is complicated and correctness so important that testing is insufficient, then I recommend post-programming verification with a program logic.

1 more reply

_lm_8y ago

You might find Idris's totality checking very interesting, if you haven't already seen it!

http://docs.idris-lang.org/en/latest/tutorial/typesfuns.html...

adamnemecek8y ago

CMU has a class on Substructural Logics https://www.cs.cmu.edu/~fp/courses/15816-f16/

Up until 2012 it was just about Linear Logic IIRC.

johncolanduoni8y ago

I was actually thinking about this precise issue this morning (due to this GitHub issue[1]). I think a valuable middleground would be to include this kind of check even without the ?Leave stuff. In essence, the compiler could just give an error if it would have needed to issue a Drop call anywhere for the type.

This ability is pretty useful when dealing with destructors that need context that you don't want to always wrap with the given type (sometimes for performance reasons).

[1]: https://github.com/gfx-rs/gfx/issues/1216

Animats8y ago

The author tries too hard to avoid using the word "object".

"Must use" objects don't seem to be all that useful. More justification is needed. Is the author thinking of Javascript-like callback approaches, broken "promises", and such?

moosingin3space8y ago

Rust's Result type is a "must use" type, which makes it impossible to skip an error check.

Thiez8y ago

Hardly impossible, just prefix the expression with `[` and suffix with `]` and the warning is gone. Or with `(` and `,)` (creating a tuple of arity one).

Animats8y ago

Can you assign it to a variable and then ignore it?

1 more reply

haskellandchill8y ago

> It's poorly named, and so are most of the concepts it introduces

Hostility towards academia check

Anyway it's fine not to have proper linear types in Rust, but I don't think linear types are the enemy here.

hyperpape8y ago

Right or wrong, simply saying something is poorly named doesn't show that someone is hostile towards academia. By that standard, most of the academics I know would be hostile to academia, since they invariably think something in their field has a bad name.

johncolanduoni8y ago

I'm just miffed that they're complaining about names that are actual words. How would you like if they were all named after their discoverers, and therefore an a priori undistinguished mishmash of proper names? (cf. separation axioms[1])

[1]: https://en.wikipedia.org/wiki/Separation_axiom

3 more replies

bradleyjg8y ago

Simply saying it is poorly named doesn't, but this sentence:

"Just so you can look this stuff up in The Literature, I'll be providing all these bad names with a Trademark of Disdain™, but otherwise I'd prefer to use Rust-centric terminology." pretty clearly does.

The TM thing is obnoxious.

2 more replies

kibwen8y ago

Gankro has a... distinctive writing style. :) He also has a master's in computer science, so if he actually has any enmity for academia it might very well be justified. :P

jcranberry8y ago

What I find asinine is that the writer says substructural type systems (the concept which the names of the types are inherited from) are badly named, yet I'm somewhat dubious that he knows anything about them? I certainly don't, and although the relationship between affine types and affine spaces is not immediately obvious to me, the relationship between linear types and linearity is very clear.

j / k navigate · click thread line to collapse

81 comments

cwzwarich8y ago

If you were to design a language from the ground up with linear types and no destructors, it would be dramatically simpler than Rust.

kibwen8y ago

cwzwarich8y ago

2 more replies

GankroOP8y ago

Yeah dropck is a fun little gem, which has received several post-1.0 revisions due to soundness problems.

cwzwarich8y ago

3 more replies

pierrebai8y ago

Double-exception handling during stack unwinding in C++ is the thing I disagree most with.

And Í talk from experience.

My experience with this tweak was that the horror story people come up with to reject this approach is unfounded. Here are the reasons:

1. The actual case of double-exceptions are very, very rare.

3. In my experience (although, since the 2nd exception is lost, I cannot actively prove this), the first exceptionis the relevant one. This is especially true due to point #2.

6. The fact that double exceptions are handled gracefully informs your design, which builds up and reinforce all previous points.

I once had discussion on this in the 90s in comp.lang.std.c++ and comp.lang.c++. People would not listen.

Note: to do it with STL, you do have to add try/catch within destroy() calls within containers to be able to destroy all items.

cwzwarich8y ago

Animats8y ago

Destructors seem to be a pain point for functional programming people. They're inherently imperative; they don't return anything because they have no one to return it to.

derefr8y ago

> They're inherently imperative; they don't return anything because they have no one to return it to.

> You can't create, destroy, or manipulate a doubly linked list or a tree with backpointers in safe Rust. ... Maybe forward pointer/backpointer pairs need to be a language level concept.

You can define abstractions like this using unsafe code just fine. It doesn't need to be part of the language. (Think about how C++ "smart pointers" work: it's just a library.)

mafribe8y ago

   Destructors seem to be a 
   pain point

Basically explicit destructors mean the typing system needs to track lifetimes and ownership in some form or shape. There seem to be two main options.

- Avoid a GC, but then you need a complex typing system with unique owners to have any chance at expressivity (and you still need unsafe blocks and reference counting). This is Rust's choice.

Another issue is how consistently to combine destructors with other effects, in particular exceptions.

   Pointer/backpointer pairs 
   need to be a language level 
   concept.

As "JoshTriplett" also suggests, this is certainly an interesting idea, but I don't think a compelling choice has been found yet.

1 more reply

JoshTriplett8y ago

1 more reply

stuhood8y ago

panic8y ago

You could use something like Go's 'defer' statement to ensure 'close' is called before the current function returns.

1 more reply

kibwen8y ago

EDIT: The intro has been updated to be clearer, so now I just look like an idiot. :)

mafribe8y ago

   arguing against

GankroOP8y ago

johncolanduoni8y ago

> Whether it's worthwhile from a pragmatic POV is a different question.

Which is exactly what they're purporting to answer...

kibwen8y ago

Pragmatic concerns appear to be the bulk of this argument against them.

1 more reply

lmm8y ago

I don't know if it's where Rust wants to be, but I want a practical-oriented ML-family language that does this.

burntsushi8y ago

Friendly challenge (because I agree with you, but constantly run into limitations):

I loop over strings a lot. Can I fit them into a nice recursive structure without runtime overhead?

lmm8y ago

In practice, probably not.

Peeling off the front 8 or 16 elements should be no harder than peeling off the front 1, though naively you might have to handle each partial case from 1 to 15.

2 more replies

mafribe8y ago

As a typing system developer I suspect there is a hard trade-off / sweetspot between complexity of the types/fold constructs and guarantees that can be enforced by types.

   How does that fit

1 more reply

_lm_8y ago

You might find Idris's totality checking very interesting, if you haven't already seen it!

http://docs.idris-lang.org/en/latest/tutorial/typesfuns.html...

adamnemecek8y ago

CMU has a class on Substructural Logics https://www.cs.cmu.edu/~fp/courses/15816-f16/

Up until 2012 it was just about Linear Logic IIRC.

johncolanduoni8y ago

This ability is pretty useful when dealing with destructors that need context that you don't want to always wrap with the given type (sometimes for performance reasons).

[1]: https://github.com/gfx-rs/gfx/issues/1216

Animats8y ago

The author tries too hard to avoid using the word "object".

"Must use" objects don't seem to be all that useful. More justification is needed. Is the author thinking of Javascript-like callback approaches, broken "promises", and such?

moosingin3space8y ago

Rust's Result type is a "must use" type, which makes it impossible to skip an error check.

Thiez8y ago

Hardly impossible, just prefix the expression with `[` and suffix with `]` and the warning is gone. Or with `(` and `,)` (creating a tuple of arity one).

Animats8y ago

Can you assign it to a variable and then ignore it?

1 more reply

haskellandchill8y ago

> It's poorly named, and so are most of the concepts it introduces

Hostility towards academia check

Anyway it's fine not to have proper linear types in Rust, but I don't think linear types are the enemy here.

hyperpape8y ago

johncolanduoni8y ago

[1]: https://en.wikipedia.org/wiki/Separation_axiom

3 more replies

bradleyjg8y ago

Simply saying it is poorly named doesn't, but this sentence:

The TM thing is obnoxious.

2 more replies

kibwen8y ago

Gankro has a... distinctive writing style. :) He also has a master's in computer science, so if he actually has any enmity for academia it might very well be justified. :P

jcranberry8y ago

j / k navigate · click thread line to collapse