Is it correct to alias mutable references in unsafe code?

In unsafe code, is it correct to hold several mutable references (rather than pointers) to the same array, as long as they are never used to write to the same index?

Context

I want to produce several (distinct) mutable views of an underlying array, which I can then modify from different threads.

If the disjoint parts are contiguous, this is trivial: just call split_at_mut on the slice:

let mut v = [1, 2, 3, 4];
{
    let (left, right) = v.split_at_mut(2);
    left[0] = 5;
    right[0] = 6;
}
assert!(v == [5, 2, 6, 4]);

But I also want to expose disjoint parts that are not contiguous. For simplicity, say we want one mutable "view" over the even indices and another mutable "view" over the odd indices.

Unlike with split_at_mut(), we cannot return two mutable references (we want a safe abstraction!), so instead we use two struct instances, each exposing mutable access only to the even (resp. odd) indices:

let data = &mut [0i32; 11];
let (mut even, mut odd) = split_fields(data);
// …

With a little unsafe code, such a safe abstraction is easy to obtain. Here is one possible implementation:

use std::marker::PhantomData;

// A mutable "view" over every second element of an i32 slice, starting at `field`.
struct SliceField<'a> {
    ptr: *mut i32,
    len: usize,
    field: usize,
    marker: PhantomData<&'a mut i32>,
}

impl SliceField<'_> {
    fn inc(&mut self) {
        unsafe {
            for i in (self.field..self.len).step_by(2) {
                *self.ptr.add(i) += 1;
            }
        }
    }

    fn dec(&mut self) {
        unsafe {
            for i in (self.field..self.len).step_by(2) {
                *self.ptr.add(i) -= 1;
            }
        }
    }
}

// Raw pointers are not Send; the two views touch disjoint indices, so sending them is intended to be sound.
unsafe impl Send for SliceField<'_> {}

fn split_fields(array: &mut [i32]) -> (SliceField<'_>, SliceField<'_>) {
    (
        SliceField {
            ptr: array.as_mut_ptr(),
            len: array.len(),
            field: 0,
            marker: PhantomData,
        },
        SliceField {
            ptr: array.as_mut_ptr(),
            len: array.len(),
            field: 1,
            marker: PhantomData,
        },
    )
}

fn main() {
    let data = &mut [0i32; 11];
    {
        let (mut even, mut odd) = split_fields(data);
        rayon::join(|| even.inc(), || odd.dec());
    }
    // this prints [1, -1, 1, -1, 1, -1, 1, -1, 1, -1, 1]
    println!("{:?}", data);
}

So far, so good.

Problem

However, accessing the elements through a raw pointer is not very convenient: unlike with a slice, we cannot use the [] operator or iterators.

unsafe {
    for i in (self.field..self.len).step_by(2) {
        *self.ptr.add(i) += 1;
    }
}

The obvious idea is to convert the raw pointer into a slice locally, inside the unsafe implementation:

let slice = unsafe { slice::from_raw_parts_mut(self.ptr, self.len) };

Then, for example, we could rewrite our implementation in a functional style:

slice.iter_mut().skip(self.field).step_by(2).for_each(|x| *x += 1);

For this example it is probably not worth it, but for more complex code, working with slices instead of raw pointers could be far more convenient.

Question

Is this correct?

This obviously violates the borrowing rules: two threads may hold mutable references to the same memory location at the same time. However, they will never write to the same index.

Aliasing mutable references is not listed among the unsafe superpowers, but that list is not exhaustive.

Is it correct to alias mutable references

No, it is never correct to alias mutable references (mutable pointers are a more nuanced concept). This violates one of the primary rules of references.

Whatever qualifiers you attach are irrelevant: you cannot have aliased mutable references. The fact that the code sits inside an unsafe block makes no difference. Doing so is automatically and immediately undefined behavior:

fn main() {
    let mut x = [42, 84];
    let x_raw = &mut x as *mut _;
    let x_even: &mut [i32; 2] = unsafe { &mut *x_raw };
    let x_odd: &mut [i32; 2] = unsafe { &mut *x_raw };
    println!("{}, {}", x_even[0], x_odd[1]);
}

Miri says:

error[E0080]: constant evaluation error: Borrow being dereferenced (Uniq(1772)) does not exist on the stack
 --> src/main.rs:8:24
  |
8 |     println!("{}, {}", x_even[0], x_odd[1]);
  |                        ^^^^^^^^^ Borrow being dereferenced (Uniq(1772)) does not exist on the stack
  |
= note: inside call to `main` at /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libstd/rt.rs:64:34
= note: inside call to closure at /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libstd/rt.rs:52:53
= note: inside call to closure at /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libstd/panicking.rs:297:40
= note: inside call to `std::panicking::try::do_call::<[closure@DefId(1/1:1900 ~ std[82ff]::rt[0]::lang_start_internal[0]::{{closure}}[0]) 0:&dyn std::ops::Fn() -> i32 + std::marker::Sync + std::panic::RefUnwindSafe], i32>` at /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libstd/panicking.rs:293:5
= note: inside call to `std::panicking::try::<i32, [closure@DefId(1/1:1900 ~ std[82ff]::rt[0]::lang_start_internal[0]::{{closure}}[0]) 0:&dyn std::ops::Fn() -> i32 + std::marker::Sync + std::panic::RefUnwindSafe]>` at /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libstd/panic.rs:388:9
= note: inside call to `std::panic::catch_unwind::<[closure@DefId(1/1:1900 ~ std[82ff]::rt[0]::lang_start_internal[0]::{{closure}}[0]) 0:&dyn std::ops::Fn() -> i32 + std::marker::Sync + std::panic::RefUnwindSafe], i32>` at /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libstd/rt.rs:52:25
= note: inside call to `std::rt::lang_start_internal` at /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libstd/rt.rs:64:5
= note: inside call to `std::rt::lang_start::<()>`

While UnsafeCell can help you build safe abstractions, you still have to obey the rules of references. Swapping the type for UnsafeCell will not magically make things work:

use std::cell::UnsafeCell;

fn main() {
    let x = UnsafeCell::new([42, 84]);
    let x_even: &mut [i32; 2] = unsafe { &mut *x.get() };
    let x_odd: &mut [i32; 2] = unsafe { &mut *x.get() };
    println!("{}, {}", x_even[0], x_odd[1]);
}

error[E0080]: constant evaluation error: Borrow being dereferenced (Uniq(1776)) does not exist on the stack
 --> src/main.rs:9:24
  |
9 |     println!("{}, {}", x_even[0], x_odd[1]);
  |                        ^^^^^^^^^ Borrow being dereferenced (Uniq(1776)) does not exist on the stack
  |
= note: inside call to `main` at /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libstd/rt.rs:64:34
= note: inside call to closure at /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libstd/rt.rs:52:53
= note: inside call to closure at /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libstd/panicking.rs:297:40
= note: inside call to `std::panicking::try::do_call::<[closure@DefId(1/1:1900 ~ std[82ff]::rt[0]::lang_start_internal[0]::{{closure}}[0]) 0:&dyn std::ops::Fn() -> i32 + std::marker::Sync + std::panic::RefUnwindSafe], i32>` at /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libstd/panicking.rs:293:5
= note: inside call to `std::panicking::try::<i32, [closure@DefId(1/1:1900 ~ std[82ff]::rt[0]::lang_start_internal[0]::{{closure}}[0]) 0:&dyn std::ops::Fn() -> i32 + std::marker::Sync + std::panic::RefUnwindSafe]>` at /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libstd/panic.rs:388:9
= note: inside call to `std::panic::catch_unwind::<[closure@DefId(1/1:1900 ~ std[82ff]::rt[0]::lang_start_internal[0]::{{closure}}[0]) 0:&dyn std::ops::Fn() -> i32 + std::marker::Sync + std::panic::RefUnwindSafe], i32>` at /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libstd/rt.rs:52:25
= note: inside call to `std::rt::lang_start_internal` at /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libstd/rt.rs:64:5
= note: inside call to `std::rt::lang_start::<()>`

The documentation of UnsafeCell states explicitly:

A &mut T reference may be released to safe code provided neither other &mut T nor &T co-exist with it. A &mut T must always be unique.

In fact, even when the slices do not start at the same point but overlap in some way, that is still aliasing and undefined behavior:

fn main() {
    let mut x = [0, 1, 2];
    let x_raw = &mut x as *mut [i32];
    let x_0: &mut [i32] = unsafe { &mut (*x_raw)[0..2] };
    let x_1: &mut [i32] = unsafe { &mut (*x_raw)[1..3] };
    if x_0 == x_1 {
        println!("They are equal");
    }
}

error[E0080]: constant evaluation error: Borrow being dereferenced (Uniq(1807)) does not exist on the stack
    --> /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libcore/cmp.rs:1041:65
     |
1041 |         fn eq(&self, other: &&'b mut B) -> bool { PartialEq::eq(*self, *other) }
     |                                                                 ^^^^^ Borrow being dereferenced (Uniq(1807)) does not exist on the stack
     |
note: inside call to `std::cmp::impls::<impl std::cmp::PartialEq<&'b mut B> for &'a mut A><[i32], [i32]>::eq` at src/main.rs:8:8
    --> src/main.rs:8:8
     |
8    |     if x_0 == x_1 {
     |        ^^^^^^^^^^
= note: inside call to `main` at /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libstd/rt.rs:64:34
= note: inside call to closure at /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libstd/rt.rs:52:53
= note: inside call to closure at /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libstd/panicking.rs:297:40
= note: inside call to `std::panicking::try::do_call::<[closure@DefId(1/1:1900 ~ std[82ff]::rt[0]::lang_start_internal[0]::{{closure}}[0]) 0:&dyn std::ops::Fn() -> i32 + std::marker::Sync + std::panic::RefUnwindSafe], i32>` at /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libstd/panicking.rs:293:5
= note: inside call to `std::panicking::try::<i32, [closure@DefId(1/1:1900 ~ std[82ff]::rt[0]::lang_start_internal[0]::{{closure}}[0]) 0:&dyn std::ops::Fn() -> i32 + std::marker::Sync + std::panic::RefUnwindSafe]>` at /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libstd/panic.rs:388:9
= note: inside call to `std::panic::catch_unwind::<[closure@DefId(1/1:1900 ~ std[82ff]::rt[0]::lang_start_internal[0]::{{closure}}[0]) 0:&dyn std::ops::Fn() -> i32 + std::marker::Sync + std::panic::RefUnwindSafe], i32>` at /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libstd/rt.rs:52:25
= note: inside call to `std::rt::lang_start_internal` at /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libstd/rt.rs:64:5
= note: inside call to `std::rt::lang_start::<()>`

The documentation of UnsafeCell says:

The UnsafeCell<T> type is the only legal way to obtain aliasable data that is considered mutable.
[...]
The compiler makes optimizations based on the knowledge that &T is not mutably aliased or mutated, and that &mut T is unique.

So no, what you are attempting is not valid unless you use UnsafeCell.
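A sound way to keep the even/odd split and still use iterators, added here as an example that belongs to neither the question nor the answer: rather than materializing a `&mut [i32]` over the whole buffer (the aliasing that Miri rejects above), each view hands out a `&mut i32` for one element at a time, so references from the two views never overlap. It assumes std::thread::scope in place of rayon::join, and takes the raw pointer from the slice only once.

```rust
use std::marker::PhantomData;

/// Mutable view over every second element of a slice, starting at `field`.
pub struct SliceField<'a> {
    ptr: *mut i32,
    len: usize,
    field: usize,
    marker: PhantomData<&'a mut i32>,
}

// SAFETY: the two views made by `split_fields` only ever touch disjoint indices.
unsafe impl Send for SliceField<'_> {}

impl SliceField<'_> {
    /// One `&mut i32` per element of this view. Each reference covers a single
    /// element, so nothing handed out by the sibling view can overlap with it.
    pub fn iter_mut(&mut self) -> impl Iterator<Item = &mut i32> {
        let ptr = self.ptr;
        (self.field..self.len).step_by(2).map(move |i| {
            // SAFETY: i < len, and the other view never creates a reference
            // to index i because it only visits indices of the other parity.
            unsafe { &mut *ptr.add(i) }
        })
    }
}

pub fn split_fields(array: &mut [i32]) -> (SliceField<'_>, SliceField<'_>) {
    // Take the raw pointer once and copy it: a second `as_mut_ptr()` call reborrows
    // `array` and, under Miri's Stacked Borrows rules, invalidates the first pointer.
    let len = array.len();
    let ptr = array.as_mut_ptr();
    let view = |field| SliceField { ptr, len, field, marker: PhantomData };
    (view(0), view(1))
}

/// Increments even indices and decrements odd ones on two threads (scoped
/// threads from std stand in for rayon::join; assumed available).
pub fn bump_parities(data: &mut [i32]) {
    let (mut even, mut odd) = split_fields(data);
    std::thread::scope(|s| {
        s.spawn(move || even.iter_mut().for_each(|x| *x += 1));
        s.spawn(move || odd.iter_mut().for_each(|x| *x -= 1));
    });
}

fn main() {
    let mut data = [0i32; 11];
    bump_parities(&mut data);
    println!("{:?}", data); // [1, -1, 1, -1, 1, -1, 1, -1, 1, -1, 1]
}
```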
