impl<T> Clone for Cell<Rc<T>>

glaebhoerl · 2017-07-11T13:16:02.366Z

Maybe the problem is that Rust isn’t pure (= doesn’t have type of pure functions)? If we could require F to be pure then I think that would close off all of these tricks for sneakily accessing things through side channels, and then our Sync bounds would actually be sufficient.

rkruppe · 2017-07-11T14:57:04.242Z

As has been pointed out in past discussions, “pure” means different things to different people. I’m not sure what the right definition of “pure” for this problem would be. Any of the variants implying referential transparency are a bit too strong to bea satisfactory solution (e.g., they rule out almost all uses of mutable references). Approaching it from the other end, merely “doesn’t access globals” is too weak because of re-entrant locks and similar things.

RalfJung · 2017-07-11T17:22:24.455Z

SimonSapin:

This would work, but as you noted it excludes Rc::clone. I think the real criteria for safety of manipulation of data inside Cell is “does not ever touch this particular cell again”, which is much more subtle to express systematically. Perhaps it helps to reason about reference cycles? Since a cycle would be needed to reach that cell again.

This makes “cell-freeness” generic in which cell it is talking about (as in, “this particular cell”). The way I think about it (based on how this works in some concurrency logics, which have a similar problem of avoiding reentrancy) is that each cell has some “color” or “class” or however you want to call it. There’s some default class that is used when safe code just instantiates a cell, but unsafe code like Rc can declare its cells to be in a different class. Cell-safety for a class then means that no cell of that class is accessed.

Essentially, this is a static approximation making sure there no reference cycles are followed.

SimonSapin:

Yes, .clone().is_none() would be unsound with an arbitrary T in Cell<Option<T>>, it was only proposed for Cell<Option<Rc<U>>>.

However, .is_none() should be sound with an arbitrary Cell<Option<T>>.

SimonSapin · 2017-07-11T17:35:22.448Z

RalfJung:

However, .is_none() should be sound with an arbitrary Cell<Option<T>>.

Agreed.

earthengine · 2018-10-22T23:00:16.158Z

To be honest it is not hard to do on a newtyped Cell<Rc<T>>:

use std::cell::Cell;
use std::rc::Rc;

struct CellRc<T>(Cell<Rc<T>>);

impl<T> Clone for CellRc<T> {
    fn clone(&self) -> Self {
        unsafe {
            CellRc(Cell::new((*self.0.as_ptr()).clone()))
        }
    }
}
impl CellRc {
    fn new(t: T) -> Self {
        Self(Cell::new(Rc::new(t)))
    }
}

fn main() {
    let c = CellRc::new(10);
    let g = c.clone();
}

or have a free function

pub fn clone_cell_rc<T>(t: &Cell<Rc<T>>) -> Cell<Rc<T>> {
    unsafe {
        Cell::new((*t.as_ptr()).clone())
    }
}

in general we can do

pub fn clone_cell<T: Clone>(t: &Cell<T>) -> Cell<T> {
    unsafe {
        Cell::new((*t.as_ptr()).clone())
    }
}

But we need to justify the unsafe block above.

system · 2019-03-25T08:28:39.745Z

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.