Little Orphan Impls
14 January 2015
We’ve recently been doing a lot of work on Rust’s orphan rules,
which are an important part of our system for guaranteeing trait
coherence. The idea of trait coherence is that, given a trait and
some set of types for its type parameters, there should be exactly one
impl that applies. So if we think of the trait Show, we want to
guarantee that if we have a trait reference like MyType : Show, we
can uniquely identify a particular impl. (The alternative to coherence
is to have some way for users to identify which impls are in scope at
any time. It has its own complications; if you’re curious for
more background on why we use coherence, you might find this
rust-dev thread from a while back to be interesting
reading.)
The role of the orphan rules in particular is basically to prevent
you from implementing external traits for external types. So
continuing our simple example of Show, if you are defining your own
library, you could not implement Show for Vec<T>, because both
Show and Vec are defined in the standard library. But you can
implement Show for MyType, because you defined MyType. However,
if you define your own trait MyTrait, then you can implement
MyTrait for any type you like, including external types like
Vec<T>. To this end, the orphan rule intuitively says “either the
trait must be local or the self-type must be local”.
More precisely, the orphan rules are targeting the case of two “cousin” crates. By cousins I mean that the crates share a common ancestor (i.e., they link to a common library crate). This would be libstd, if nothing else. That ancestor defines some trait. Both of the crates are implementing this common trait using their own local types (and possibly types from ancestor crates, which may or may not be in common). But neither crate is an ancestor of the other: if they were, the problem is much easier, because the descendant crate can see the impls from the ancestor crate.
When we extended the trait system to support multidispatch, I confess that I originally didn’t give the orphan rules much thought. It seemed like it would be straightforward to adapt them. Boy was I wrong! (And, I think, our original rules were kind of unsound to begin with.)
The purpose of this post is to lay out the current state of my thinking on these rules. It sketches out a number of variations and possible rules and tries to elaborate on the limitations of each one. It is intended to serve as the seed for a discussion in the Rust discusstion forums.
The first, totally wrong, attempt
The first attempt at the orphan rules was just to say that an impl is
legal if a local type appears somewhere. So, for example, suppose that I
define a type MyBigInt and I want to make it addable to integers:
impl Add<i32> for MyBigInt { ... }
impl Add<MyBigInt> for i32 { ... }
Under these rules, these two impls are perfectly legal, because
MyBigInt is local to the current crate. However, the rules also
permit an impl like this one:
impl<T> Add<T> for MyBigInt { ... }
Now the problems arise because those same rules also permit an impl like this one (in another crate):
impl<T> Add<YourBigInt> for T { ... }
Now we have a problem because both impls are applicable to
Add<YourBigInt> for MyBigInt.
In fact, we don’t need multidispatch to have this problem. The same
situation can arise with Show and tuples:
impl<T> Show for (T, MyBigInt) { ... } // Crate A
impl<T> Show for (YourBigInt, T) { ... } // Crate B
(In fact, multidispatch is really nothing than a compiler-supported version of implementing a trait for a tuple.)
The root of the problem here lies in our definition of “local”, which completely ignored type parameters. Because type parameters can be instantiated to arbitrary types, they are obviously special, and must be considered carefully.
The ordered rule
This problem was first brought to our attention by arielb1, who filed Issue 19470. To resolve it, he proposed a rule that I will call the ordered rule. The ordered rule goes like this:
- Write out all the type parameters to the trait, starting with
Self. - The name of some local struct or enum must appear on that line before the first
type parameter.
- More formally: When visiting the types in pre-order, a local type must be visited before any type parameter.
In terms of the examples I gave above, this rule permits the following impls:
impl Add<i32> for MyBigInt { ... }
impl Add<MyBigInt> for i32 { ... }
impl<T> Add<T> for MyBigInt { ... }
However, it avoids the quandry we saw before because it rejects this impl:
impl<T> Add<YourBigInt> for T { ... }
This is because, if we wrote out the type parameters in a list, we would get:
T, YourBigInt
and, as you can see, T comes first.
This rule is actually pretty good. It meets most of the requirements I’m going to unearth. But it has some problems. The first is that it feels strange; it feels like you should be able to reorder the type parameters on a trait without breaking everything (we will see that this is not, in fact, obviously true, but it was certainly my first reaction).
Another problem is that the rule is kind of fragile. It can easily
reject impls that don’t seem particularly different from impls that it
accepts. For example, consider the case of the Modifier trait
that is used in hyper and iron. As you can see in this issue,
iron wants to be able to define a Modifier impl like the following:
struct Response;
...
impl Modifier<Response> for Vec<u8> { .. }
This impl is accepted by the ordered rule (thre are no type parameters at all, in fact). However, the following impl, which seems very similar and equally likely (in the abstract), would not be accepted:
struct Response;
...
impl<T> Modifier<Response> for Vec<T> { .. }
This is because the type parameter T appears before the local type
(Response). Hmm. It doesn’t really matter if T appears in the local type,
either; the following would also be rejected:
struct MyHeader<T> { .. }
...
impl<T> Modifier<MyHeader<T>> for Vec<T> { .. }
Another trait that couldn’t be handled properly is the BorrowFrom trait
in the standard library. There a number of impls like this one:
impl<T> BorrowFrom<Rc<T>> for T
This impl fails the ordered check because T comes first. We can make
it pass by switching the order of the parameters, so that the
BorrowFrom trait becomes Borrow.
A final “near-miss” occurred in the standard library with the Cow
type. Here is an impl from libcollections of FromIterator for a
copy-on-write vector:
impl<'a, T> FromIterator<T> for Cow<'a, Vec<T>, [T]>
Note that Vec is a local type here. This impl obeys the ordered
rule, but somewhat by accident. If the type parameters of the Cow
trait were in a different order, it would not, because then [T]
would precede Vec<T>.
The covered rule
In response to these shortcomings, I proposed an alternative rule that
I’ll call the covered rule. The idea of the covered rule was to say
that (1) the impl must have a local type somewhere and (2) a type
parameter can only appear in the impl if the type parameter is
covered by a local type. Covered means that it appears “inside” the
type: so T is covered by MyVec in the type MyVec<T> or
MyBox<Box<T>>, but not in (T, MyVec<int>). This rule has the
advantage of having nothing to do with ordering and it has a certain
intution to it; any type parameters that appear in your impls have to
be tied to something local.
This rule turns out to give us the required orphan rule guarantees. To see why, consider this example:
impl<T> Foo<T> for A<T> // Crate A
impl<U> Foo<B<U>> for U // Crate B
If you tried to make these two impls apply to the same type, you wind
up with infinite types. After all, T = B<U>, but U=A<T>, and hence
you get T = B<A<T>>.
Unlike the previous rule, this rule happily accepts the BorrowFrom
trait impls:
impl<T> BorrowFrom<Rc<T>> for T
The reason is that the type parameter T here is covered by the
(local) type Rc.
However, after implementing this rule, we found out that it actually
prohibits a lot of other useful patterns. The most important of them is
the so-called auxiliary pattern, in which a trait takes a type parameter
that is a kind of “configuration” and is basically orthogonal to the types
that the trait is implemented for. An example is the Hash trait:
impl<H> Hash<H> for MyStruct
The type H here represents the hashing function that is being used. As you can imagine,
for most types, they will work with any hashing function. Sadly, this impl is rejected,
because H is not covered by any local type. You could make it work by adding a parameter
H to MyStruct:
impl<H> Hash<H> for MyStruct<H>
But that is very weird, because now when we create our struct we are
also deciding which hash functions can be used with it. You can also
make it work by moving the hash function parameter H to the hash
method itself, but then that is limiting. It makes the Hash trait
not object safe, for one thing, and it also prohibits us from writing
types that are specialized to particular hash functions.
Another similar example is indexing. Many people want to make types indexable by any integer-like thing, for example:
impl<I:Int, T> Index<I> for Vec<T> {
type Output = T;
}
Here the type parameter I is also uncovered.
Ordered vs Covered
By now I’ve probably lost you in the ins and outs, so let’s see a
summary. Here’s a table of all the examples I’ve covered so far. I’ve
tweaked the names so that, in all cases, any type that begins with
My is considered local to the current crate:
+----------------------------------------------------------+---+---+
| Impl Header | O | C |
+----------------------------------------------------------+---+---+
| impl Add<i32> for MyBigInt | X | X |
| impl Add<MyBigInt> for i32 | X | X |
| impl<T> Add<T> for MyBigInt | X | |
| impl<U> Add<MyBigInt> for U | | |
| impl<T> Modifier<MyType> for Vec<u8> | X | X |
| impl<T> Modifier<MyType> for Vec<T> | | |
| impl<'a, T> FromIterator<T> for Cow<'a, MyVec<T>, [T]> | X | X |
| impl<'a, T> FromIterator<T> for Cow<'a, [T], MyVec<T>> | | X |
| impl<T> BorrowFrom<Rc<T>> for T | | X |
| impl<T> Borrow<T> for Rc<T> | X | X |
| impl<H> Hash<H> for MyStruct | X | |
| impl<I:Int,T> Index<I> for MyVec<T> | X | |
+----------------------------------------------------------+---+---+
As you can see, both of these have their advantages. However, the
ordered rule comes out somewhat ahead. In particular, the places where
it fails can often be worked around by reordering parameters, but
there is no answer that permits the covered rule to handle the
Hash example (and there are a number of other traits that fit that
pattern in the standard library).
Hybrid approach #1: Covered self
You might be wondering – if neither rule is perfect, is there a way
to combine them? In fact, the rule that is current implemented is such
a hybrid. It imposes the covered rules, but only on the Self
parameter. That means that there must be a local type somewhere in
Self, and any type parameters appearing in Self must be covered by
a local type. Let’s call this hybrid CS, for “covered apply to
Self”.
+----------------------------------------------------------+---+---+---+
| Impl Header | O | C | S |
+----------------------------------------------------------+---+---+---|
| impl Add<i32> for MyBigInt | X | X | X |
| impl Add<MyBigInt> for i32 | X | X | |
| impl<T> Add<T> for MyBigInt | X | | X |
| impl<U> Add<MyBigInt> for U | | | |
| impl<T> Modifier<MyType> for Vec<u8> | X | X | |
| impl<T> Modifier<MyType> for Vec<T> | | | |
| impl<'a, T> FromIterator<T> for Cow<'a, MyVec<T>, [T]> | X | X | X |
| impl<'a, T> FromIterator<T> for Cow<'a, [T], MyVec<T>> | | X | X |
| impl<T> BorrowFrom<Rc<T>> for T | | X | |
| impl<T> Borrow<T> for Rc<T> | X | X | X |
| impl<H> Hash<H> for MyStruct | X | | X |
| impl<I:Int,T> Index<I> for MyVec<T> | X | | X |
+----------------------------------------------------------+---+---+---+
O - Ordered / C - Covered / S - Covered Self
As you can see, the CS hybrid turns out to miss some important cases that the pure ordered full achieves. Notably, it prohibits:
impl Add<MyBigInt> for i32impl Modifier<MyType> for Vec<u8>
This is not really good enough.
Hybrid approach #2: Covered First
We can improve the covered self approach by saying that some type
parameter of the trait must meet the rules (some local type; impl type
params covered by a local type), but not necessarily Self. Any type parameters
which precede this covered parameter must consist exclusively of remote types (no impl
type parameters, in particular).
+----------------------------------------------------------+---+---+---+---+
| Impl Header | O | C | S | F |
+----------------------------------------------------------+---+---+---|---|
| impl Add<i32> for MyBigInt | X | X | X | X |
| impl Add<MyBigInt> for i32 | X | X | | X |
| impl<T> Add<T> for MyBigInt | X | | X | X |
| impl<U> Add<MyBigInt> for U | | | | |
| impl<T> Modifier<MyType> for Vec<u8> | X | X | | X |
| impl<T> Modifier<MyType> for Vec<T> | | | | |
| impl<'a, T> FromIterator<T> for Cow<'a, MyVec<T>, [T]> | X | X | X | X |
| impl<'a, T> FromIterator<T> for Cow<'a, [T], MyVec<T>> | | X | X | X |
| impl<T> BorrowFrom<Rc<T>> for T | | X | | |
| impl<T> Borrow<T> for Rc<T> | X | X | X | X |
| impl<H> Hash<H> for MyStruct | X | | X | X |
| impl<I:Int,T> Index<I> for MyVec<T> | X | | X | X |
+----------------------------------------------------------+---+---+---+---+
O - Ordered / C - Covered / S - Covered Self / F - Covered First
As you can see, this is a strict improvement over the other
appraoches. The only thing it can’t handle that the other rules can is
the BorrowFrom rule.
An alternative approach: distinguishing “self-like” vs “auxiliary” parameters
One disappointment about the hybrid rules I presented thus far is that
they are inherently ordered. It runs somewhat against my intuition,
which is that the order of the trait type parameters shouldn’t matter
that much. In particular it feels that, for a commutative trait like
Add, the role of the left-hand-side type (Self) and
right-hand-side type should be interchangable (below, I will argue
that in fact some kind of order may well be essential to the notion of
coherence as a whole, but for now let’s assume we want Add to treat
the left- and right-hand-side as equivalent).
However, there are definitely other traits where the parameters are
not equivalent. Consider the Hash trait example we saw before. In
the case of Hash, the type parameter H refers to the hashing
algorithm and thus is inherently not going to be covered by the type
of the value being hashed. It is in some sense completely orthogonal
to the Self type. For this reason, we’d like to define impls that
apply to any hasher, like this one:
impl<H> Hash<H> for MyType { ... }
The problem is, if we permit this impl, then we can’t allow another crate to define an impl with the same parameters, but in a different order:
impl<H> Hash<MyType> for H { ... }
One way to permit the first impl and not the second without invoking ordering is to classify type parameters as self-like and auxiliary.
The orphan rule would require that at least one self-like parameter
references a local type and that all impl type parameters appearing in
self-like types would be covered. The Self type is always self-like,
but other types would be auxiliary unless declared to be self-like (or
perhaps the default would be the opposite).
Here is a table showing how this new “explicit” rule would work,
presuming that the type parameters on Add and Modifier were
declared as self-like. The Hash and Index parameters would be
declared as auxiliary.
+----------------------------------------------------------+---+---+---+---+---+
| Impl Header | O | C | S | F | E |
+----------------------------------------------------------+---+---+---|---|---+
| impl Add<i32> for MyBigInt | X | X | X | X | X |
| impl Add<MyBigInt> for i32 | X | X | | X | X |
| impl<T> Add<T> for MyBigInt | X | | X | X | |
| impl<U> Add<MyBigInt> for U | | | | | |
| impl<T> Modifier<MyType> for Vec<u8> | X | X | | X | X |
| impl<T> Modifier<MyType> for Vec<T> | | | | | |
| impl<'a, T> FromIterator<T> for Cow<'a, MyVec<T>, [T]> | X | X | X | X | X |
| impl<'a, T> FromIterator<T> for Cow<'a, [T], MyVec<T>> | | X | X | X | X |
| impl<T> BorrowFrom<Rc<T>> for T | | X | | | X |
| impl<T> Borrow<T> for Rc<T> | X | X | X | X | X |
| impl<H> Hash<H> for MyStruct | X | | X | X | X |
| impl<I:Int,T> Index<I> for MyVec<T> | X | | X | X | X |
+----------------------------------------------------------+---+---+---+---+---+
O - Ordered / C - Covered / S - Covered Self / F - Covered First
E - Explicit Declarations
You can see that it’s quite expressive, though it is very restrictive
about generic impls for Add. However, it would push quite a bit of
complexity onto the users, because now when you create a trait, you
must classify its type parameter as self.
In defense of ordering
Whereas at first I felt that having the rules take ordering into
account was unnatural, I have come to feel that ordering is, to some
extent, inherent in coherence. To see what I mean, let’s consider an
example of a new vector type, MyVec<T>. It might be reasonable to
permit MyVec<T> to be addable to anything can converted into an
iterator over T elements. Naturally, since we’re overloading +,
we’d prefer for it to be commutative:
impl<T,I> Add<I> for MyVec<T> where I : IntoIterator<Output=T> {
type Output = MyVec<T>;
...
}
impl<T,I> Add<MyVec<T>> for I where I : IntoIterator<Output=T> {
type Output = MyVec<T>;
...
}
Now, given that MyVec<T> is a vector, it should be iterable as well:
impl<T> IntoIterator for MyVec<T> {
type Output = T;
...
}
The problem is that these three impls are inherently
overlapping. After all, if I try to add two MyVec instances, which
impl do I get?
Now, this isn’t a problem for any of the rules I proposed in this
thread, because all of them reject that pair of impls. In fact, both
the “Covered” and “Explicit Declarations” rules go farther: they
reject both impls. This is because the type parameter I is
uncovered; since the rules don’t consider ordering, they can’t allow
an uncovered iterator I on either the left- or the right-hand-side.
The other variations (“Ordered”, “Covered Self”, and “Covered First”),
on the other hand, allow only one of those impls: the one where
MyVec<T> appears on the left. This seems pretty reasonable. After
all, if we allow you to define an overloaded + that applies to an
open-ended set of types (those that are iterable), there is the
possibility that others will do the same. And if I try to add a
MyVec<int> and a YourVec<int>, both of which are iterable, who
wins? The ordered rules give a clear answer: the left-hand-side wins.
There are other blanket cases that also get prohibited which might on their
face seem to be reasonable. For example, if I have a BigInt type, the ordered
rules allow me to write impls that permit BigInt to be added to any concrete
int type, no matter which side that concrete type appears on:
impl Add<BigInt> for i8 { type Output = BigInt; ... }
impl Add<i8> for BigInt { type Output = BigInt; ... }
...
impl Add<BigInt> for i64 { type Output = BigInt; ... }
impl Add<i64> for BigInt { type Output = BigInt; ... }
It might be nice, if I could just write the following two impls:
impl<R:Int> Add<BigInt> for R { type Output = BigInt; ... }
impl<L:Int> Add<L> for BigInt { type Output = BigInt; ... }
Now, this makes some measure of sense because Int is a trait that is
only intended to be implemented for the primitive integers. In
principle all bigints could use these same rules without conflict, so
long as none of them implement Int. But in fact, nothing prevents
them from implementing Int. Moreover, it’s not hard to imagine
other crates creating comparable impls that would overlap with the
ones above:
struct PrintedInt(i32);
impl Int for PrintedInt;
impl<R:Show> Add<PrintedInt> for R { type Output = BigInt; ... }
impl<L:Show> Add<L> for PrintedInt { type Output = BigInt; ... }
Assuming that BigInt implements Show, we now have a problem!
In the future, it may be interesting to provide a way to use traits to
create “strata” so that we can say things like “it’s ok to use an
Int-bounded type parameter on the LHS so long as the RHS is bounded
by Foo, which is incompatible with Int”, but it’s a subtle and
tricky issue (as the Show example demonstrates).
So ordering basically means that when you define your traits, you
should put the “principal” type as Self, and then order the other
type parameters such that those which define the more “principal”
behavior come afterwards in order.
The problem with ordering
Currently I lean towards the “Covered First” rule, but it bothers me that it allows something like
impl Modifier<MyType> for Vec<u8>
but not
impl<T> Modifier<MyType> for Vec<T>
However, this limitation seems to be pretty inherent to any rules that do not explicitly identify “auxiliary” type parameters. The reason is that the ordering variations all use the first occurrence of a local type as a “signal” that auxiliary type parameters should be permitted afterwards. This implies that another crate will be able to do something like:
impl<U> Modifier<U> for Vec<YourType>
In that case, both impls apply to Modifier<MyType> for Vec<YourType>.
Conclusion
This is a long post, and it covers a lot of ground. As I wrote in the introduction, the orphan rules turn out to be hiding quite a lot of complexity. Much more than I imagined at first. My goal here is mostly to lay out all the things that aturon and I have been talking about in a comprehensive way.
I feel like this all comes down to a key question: how do we identify the “auxiliary” input type parameters? Ordering-based rules identify this for each impl based on where the first “local” type appears. Coverage-based rules seem to require some sort of explicit declaration on the trait.
I am deeply concerned about asking people to understand this
“auxiliary” vs “self-like” distinction when declaring a trait. On the
other hand, there is no silver bullet: under ordering-based rules,
they will be required to sometimes reorder their type parameters just
to pacify the seemingly random ordering rule. (But I have the feeling
that people intuitively put the most “primary” type first, as Self,
and the auxiliary type parameters later.)