|
| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: "Polonius update" |
| 4 | +author: Rémy Rakic and Niko Matsakis |
| 5 | +team: The Polonius Working Group <https://www.rust-lang.org/governance/teams/compiler#Polonius%20working%20group> |
| 6 | +--- |
| 7 | + |
| 8 | +This post lays out a roadmap to try to get Polonius on stable by Rust 2024. It identifies some high-level milestones and summarizes the key goals, as well as the recent progress. |
| 9 | + |
| 10 | +## Background on polonius |
| 11 | + |
| 12 | +Polonius refers to a few things. It is a [new formulation](http://smallcultfollowing.com/babysteps/blog/2018/04/27/an-alias-based-formulation-of-the-borrow-checker/) of the borrow check. It is also a [specific project](https://github.com/rust-lang/polonius) that implemented that analysis, based on datalog. Our current plan does not make use of that datalog-based implementation, but uses what we learned implementing it to focus on reimplementing polonius within rustc. |
| 13 | + |
| 14 | +The motivating example for polonius is the so-called ["Problem Case #3: conditional control flow across functions"](https://github.com/rust-lang/rfcs/blob/master/text/2094-nll.md#problem-case-3-conditional-control-flow-across-functions): here, returning a reference out of a function, from a conditional. |
| 15 | + |
| 16 | +```rust= |
| 17 | +fn get_default<'r, K: Hash + Eq + Copy, V: Default>( |
| 18 | + map: &'r mut HashMap<K, V>, |
| 19 | + key: K, |
| 20 | +) -> &'r mut V { |
| 21 | + match map.get_mut(&key) { // -------------+ 'r |
| 22 | + Some(value) => value, // | |
| 23 | + None => { // | |
| 24 | + map.insert(key, V::default()); // | |
| 25 | + // ^~~~~~ ERROR // | |
| 26 | + map.get_mut(&key).unwrap() // | |
| 27 | + } // | |
| 28 | + } // | |
| 29 | +} // v |
| 30 | +``` |
| 31 | + |
| 32 | +Returning the mutable reference `value` in the `Some` path requires the mutable loan on `map` to live until the end of the function. This prevents mutation in the `None` path even though no mutable loan on `map` would exist there in the first place. |
| 33 | + |
| 34 | +Fixing this borrowck issue requires more precision about flow-sensitivity. It also hints at limitations in our modeling of lifetimes, which appear more clearly in cases with only slightly more complicated control flow, like [issue #47680](https://github.com/rust-lang/rust/issues/47680): |
| 35 | + |
| 36 | +```rust= |
| 37 | +struct Thing; |
| 38 | +
|
| 39 | +impl Thing { |
| 40 | + fn maybe_next(&mut self) -> Option<&mut Self> { None } |
| 41 | +} |
| 42 | +
|
| 43 | +fn main() { |
| 44 | + let mut temp = &mut Thing; |
| 45 | +
|
| 46 | + loop { |
| 47 | + match temp.maybe_next() { |
| 48 | + Some(v) => { temp = v; } |
| 49 | + None => { } |
| 50 | + } |
| 51 | + } |
| 52 | +} |
| 53 | +``` |
| 54 | + |
| 55 | +Here, the loan created on iteration N _may be used_ in the `None` path on iteration N+1, however the borrowed variable at that iteration is not the same. |
| 56 | + |
| 57 | +Issues like "NLL problem case #3", issue #47680 and others, were therefore deferred from NLLs, and left as future work, [polonius](http://smallcultfollowing.com/babysteps/blog/2018/04/27/an-alias-based-formulation-of-the-borrow-checker/). |
| 58 | + |
| 59 | +The key ideas being: |
| 60 | +- switching from a model of _lifetimes_ as sets of points in the CFG (with _outlives_ relationships), to a model of _origins_ as sets of loans (with _subset_ relationships). |
| 61 | +- computing and tracking the subset relationships at each point in the Control Flow Graph (whereas the existing borrowck computes a single subtype relation). |
| 62 | + |
| 63 | + |
| 64 | +## Milestones |
| 65 | + |
| 66 | +This is a rough roadmap, where we have the most visibility on the first steps: |
| 67 | +- each step has unknowns that will define what things need to be done in the later steps |
| 68 | +- therefore we're talking more about milestones for the longer term roadmap, and proper tasks for the shorter term. |
| 69 | + |
| 70 | +Here are the roadmap's milestones: |
| 71 | + |
| 72 | + |
| 73 | + |
| 74 | +### 1. Factoring out higher-ranked concerns from the main path |
| 75 | + |
| 76 | +Today, the trait solver produces higher-ranked outlives constraints and the borrow checker solves them. In the future, we would like to make the [next trait solver](https://github.com/rust-lang/trait-system-refactor-initiative/) responsible for solving these higher-ranked constraints itself, so that it only produces constraints on regions in the root [universe](https://rustc-dev-guide.rust-lang.org/borrow_check/region_inference/placeholders_and_universes.html#what-is-a-universe) (which the borrow checker can easily process). This would allow us to solve implication predicates like `for<T> { if (T: 'a, 'a: 'b) { T: 'b } }` without having to effectively reproduce the same trait solving logic again. |
| 77 | + |
| 78 | +In the shorter term, we can refactor the borrow checker to separate out the higher-ranked processing from the ordinary processing. The goal would be to preprocess the outlives constraints in a kind of polonius ["leak check"](https://rustc-dev-guide.rust-lang.org/traits/hrtb.html#basic-matching-and-placeholder-leaks), where we can compute the higher-ranked errors. This can then be removed once the trait solver can solve these constraints. |
| 79 | + |
| 80 | +Current status: ⏳ members of the types team are starting to work on this task in the next few days. |
| 81 | + |
| 82 | + |
| 83 | +### 2. Location-insensitive loans in scope |
| 84 | + |
| 85 | +Out of the two key differences between polonius and the existing borrow check (regions as "sets of loans", and computing subtyping relations at each point in the CFG), this step is aimed at resolving the *first* difference, but not the second, so we call it the "location *in*sensitive loans in scope" (because subtyping is being done once, not per location): the idea can be described as "NLLs with the polonius model". |
| 86 | + |
| 87 | +Note that other aspects of the existing borrow checker are still flow-sensitive. |
| 88 | + |
| 89 | +In this step, we will compute the set of live loans via outlives constraints only, instead of computing the CFG points where regions are live (which is then used to compute when loans go out of scope). We believe this is equivalent to the existing borrow check in terms of the errors that get reported. |
| 90 | + |
| 91 | +Importantly, this change paves the way for adding location sensitivity (sets of loans are also a better foundation for far-future improvements to the borrow checker such as safe internal references). |
| 92 | + |
| 93 | +Current status: ✅ we have completed prototypes, and have [an open PR](https://github.com/rust-lang/rust/pull/113218) to land this under a `-Z` flag, which should happen in the near future. |
| 94 | + |
| 95 | +### 3. Verify full test suite passes with location-insensitive polonius |
| 96 | + |
| 97 | +That PR does pass the full 15000+ tests in our suite, but we haven't yet checked on the crates published on crates.io with a crater run. |
| 98 | + |
| 99 | +Compared to our internal test suite, the vast majority of published crates are expected to build without errors. In that regard, it should be unlikely that issues would be found there, but it will be done regardless. |
| 100 | + |
| 101 | +Current status: ⏳ in-progress, should be finalized right when the PR is just ready to land. |
| 102 | + |
| 103 | + |
| 104 | +### 4. Replace parts of the borrow checker with location-insensitive polonius |
| 105 | + |
| 106 | + |
| 107 | +The prototype only does additional work, and does not modify the existing analysis. |
| 108 | + |
| 109 | +In this step, we will refactor the borrow checker so that its data structures store sets of loans, and do more performance work: for example, remove redundant computation, investigate worst-case scalability and constant factors. |
| 110 | + |
| 111 | +It's expected that performance will be similar, and we can then imagine enabling the location-insensitive pass without the feature flag, and removing some of the old code. |
| 112 | + |
| 113 | +To keep the high quality diagnostics from the years of work of many contributors, it's possible that the new analysis could run, and if errors are detected, only then use the existing analysis and diagnostics. |
| 114 | + |
| 115 | +Current status: we've done some early investigations on the data-structures changes needed, some of redundant parts that could be removed, etc. |
| 116 | + |
| 117 | +### 5. Location-sensitive pass on nightly |
| 118 | + |
| 119 | +Then the (harder-to-do-efficiently) work to incorporate location-sensitivity can start. This step will implement the first version of the analysis. |
| 120 | + |
| 121 | +At this point it can still be inefficient, and use the feature flag, but this is when the borrow checker should accept more expressive code than the current NLLs. |
| 122 | + |
| 123 | +Current status: we're in the design phase here, to adapt our datalog prototype and algorithms to rustc, imagining alternative ways to compute and propagate the subset constraints along the CFG. |
| 124 | + |
| 125 | +### 6. Model borrow checking and polonius in a-mir-formality |
| 126 | + |
| 127 | +The types team is building a model of Rust's MIR and trait system called [`a-mir-formality`][]. Once it reaches a sufficiently complete status, the intent is that the model will always be extended to cover new language features prior to stabilization. We are therefore working to add polonius into the model. This will in fact be the second time doing such modeling, as we already added polonius to a previous incarnation of a-mir-formality. In fact, that modeling work is what gave us the insights that enabled the location-insensitive polonius formulation now landing on nightly. |
| 128 | + |
| 129 | +[`a-mir-formality`]: https://github.com/rust-lang/a-mir-formality |
| 130 | + |
| 131 | +Interestingly, this work is completely independent of rustc, and could in theory be started soon, and done in parallel with the other efforts. |
| 132 | + |
| 133 | +### 7. Location-sensitive pass stable |
| 134 | + |
| 135 | +In this milestone, we expect a lot of work on optimizations, and productization. |
| 136 | + |
| 137 | +If a similar experience to NLLs in edition 2018 is to be expected again, another substantial amount of work and polish will also be needed to handle diagnostic differences and issues, ensuring errors and notes are clear enough, as well as the documentation. |
| 138 | + |
| 139 | +At this point, the location-sensitive pass is hopefully efficient enough, tested in practice, somewhat formally verified, and can be enabled in edition 2024. |
| 140 | + |
| 141 | +Around this time, librarification efforts can also be rebooted, to turn the in-tree polonius into a library, maybe using [Stable MIR][]. This is so that it could be reused elsewhere, for example in [rust-analyzer][], or [gccrs][], or by researchers working on verification tools (like [kani][]), [prusti][] and [creusot][]). |
| 142 | + |
| 143 | +[Stable MIR]: https://github.com/rust-lang/team/pull/729 |
| 144 | +[rust-analyzer]: https://github.com/rust-lang/rust-analyzer |
| 145 | +[gccrs]: https://github.com/Rust-GCC/gccrs |
| 146 | +[kani]: https://github.com/model-checking/kani/ |
| 147 | +[prusti]: https://github.com/viperproject/prusti-dev/ |
| 148 | +[creusot]: https://github.com/xldenis/creusot |
| 149 | + |
| 150 | +## Conclusion |
| 151 | + |
| 152 | +We are very excited to see the plan for polonius coming into focus. At the moment, as we are still doing foundational work, we are not looking for volunteers or contributors unless they are well versed in the compiler. We do expect that as the project proceeds, there will be more and more need for new contributions. Stay tuned for updates! |
0 commit comments