11% The Perils Of RAII
22
3- Ownership Based Resource Management (AKA RAII: Resource Acquisition is Initialization) is
3+ Ownership Based Resource Management (AKA RAII: Resource Acquisition Is Initialization) is
44something you'll interact with a lot in Rust. Especially if you use the standard library.
55
66Roughly speaking the pattern is as follows: to acquire a resource, you create an object that
@@ -38,10 +38,8 @@ treating the old copy as uninitialized -- a no-op.
3838
3939While Rust provides a ` Default ` trait for specifying the moral equivalent of a default
4040constructor, it's incredibly rare for this trait to be used. This is because variables
41- aren't implicitly initialized (see [ working with uninitialized memory] [ uninit ] for details).
42- Default is basically only useful for generic programming.
43-
44- In concrete contexts, a type will provide a static ` new ` method for any
41+ [ aren't implicitly initialized] [ uninit ] . Default is basically only useful for generic
42+ programming. In concrete contexts, a type will provide a static ` new ` method for any
4543kind of "default" constructor. This has no relation to ` new ` in other
4644languages and has no special meaning. It's just a naming convention.
4745
@@ -59,20 +57,16 @@ fn drop(&mut self);
5957```
6058
6159This method gives the type time to somehow finish what it was doing. ** After ` drop ` is run,
62- Rust will recursively try to drop all of the fields of the ` self ` struct ** . This is a
60+ Rust will recursively try to drop all of the fields of ` self ` ** . This is a
6361convenience feature so that you don't have to write "destructor boilerplate" to drop
6462children. If a struct has no special logic for being dropped other than dropping its
6563children, then it means ` Drop ` doesn't need to be implemented at all!
6664
67- ** There is no way to prevent this behaviour in Rust 1.0** .
65+ ** There is no stable way to prevent this behaviour in Rust 1.0** .
6866
6967Note that taking ` &mut self ` means that even if you * could* suppress recursive Drop,
7068Rust will prevent you from e.g. moving fields out of self. For most types, this
71- is totally fine:
72-
73- * They own all their data (they don't contain pointers to elsewhere).
74- * There's no additional state passed into drop to try to send things.
75- * ` self ` is about to be marked as uninitialized (and therefore inaccessible).
69+ is totally fine.
7670
7771For instance, a custom implementation of ` Box ` might write ` Drop ` like this:
7872
@@ -120,7 +114,7 @@ impl<T> Drop for SuperBox<T> {
120114}
121115```
122116
123- because after we deallocate the ` box ` 's ptr in SuperBox's destructor, Rust will
117+ After we deallocate the ` box ` 's ptr in SuperBox's destructor, Rust will
124118happily proceed to tell the box to Drop itself and everything will blow up with
125119use-after-frees and double-frees.
126120
@@ -216,7 +210,7 @@ refers to it. The collection will sit around uselessly, holding on to its
216210precious resources until the program terminates (at which point all those
217211resources would have been reclaimed by the OS anyway).
218212
219- We may consider a more restricted form of leak: failing to free memory that
213+ We may consider a more restricted form of leak: failing to drop a value that
220214is unreachable. Rust also doesn't prevent this. In fact Rust has a * function
221215for doing this* : ` mem::forget ` . This function consumes the value it is passed
222216* and then doesn't run its destructor* .
@@ -232,26 +226,26 @@ It is reasonable for safe code to assume that destructor leaks do not happen,
232226as any program that leaks destructors is probably wrong. However * unsafe* code
233227cannot rely on destructors to be run to be * safe* . For most types this doesn't
234228matter: if you leak the destructor then the type is * by definition* inaccessible,
235- so it doesn't matter, right? e.g. if you leak a ` Box<u8> ` then you waste some
236- memory but that's hardly going to violate memory-safety.
229+ so it doesn't matter, right? For instance, if you leak a ` Box<u8> ` then you
230+ waste some memory but that's hardly going to violate memory-safety.
237231
238232However where we must be careful with destructor leaks are * proxy* types.
239233These are types which manage access to a distinct object, but don't actually
240234own it. Proxy objects are quite rare. Proxy objects you'll need to care about
241- are even rarer. However we'll focus on two interesting examples in the
235+ are even rarer. However we'll focus on three interesting examples in the
242236standard library:
243237
244238* ` vec::Drain `
245239* ` Rc `
246-
240+ * ` thread::scoped::JoinGuard `
247241
248242
249243
250244## Drain
251245
252246` drain ` is a collections API that moves data out of the container without
253247consuming the container. This enables us to reuse the allocation of a ` Vec `
254- after claiming ownership over all of its contents. drain produces an iterator
248+ after claiming ownership over all of its contents. It produces an iterator
255249(Drain) that returns the contents of the Vec by-value.
256250
257251Now, consider Drain in the middle of iteration: some values have been moved out,
@@ -376,7 +370,7 @@ in memory.
376370
377371
378372
379- ## thread::scoped
373+ ## thread::scoped::JoinGuard
380374
381375The thread::scoped API intends to allow threads to be spawned that reference
382376data on the stack without any synchronization over that data. Usage looked like:
0 commit comments