Rvalue lifetimes in Rust

9 January 2014

I’ve been working on Issue #3511, which is an effort to rationalize the lifetimes of temporary values in Rust. This issue has been a thorn in the side of Rust users for a while, because the current lifetimes are rather haphazard and frequently too short. Some time ago, I did some thinking on this issue and then let it lie while other things took priority.

Part of the reason that this issue has lasted so long is that the current trans cleanup scheme is very inflexible. I have a branch now that rewrites the cleanup system so that it can handle any rules we would like. The problem I am encountering now, of course, is that it’s unclear what the rules should be. I want to lay out the options I see.

The problem

There are numerous situations in which Rust users borrow temporary values; the tricky part is deciding what the lifetime of these temporary values ought to be. Put another way, when should we run the destructor for these temporaries? To see what I mean, let me show a few examples: I’ll focus on three use cases that I think are fairly representative, and which I see appearing in the code base a lot. It’s possible though that I’m missing some good examples.

Example 1: borrowing an rvalue. Here is the first example:

let map = &mut HashMap::new(); // (1)

The effect of this expression is to create a temporary stack variable and create a pointer to it. It is roughly equivalent to something like this:

let _temp = HashMap::new();
let map = &mut _temp;

The question that I want to consider in this post is what the lifetime of this temporary ought to be. In the explicit expansion, the lifetime of the temporary is clear: it will live as long as the explicit variable _temp. But the correct semantics for the first example are less clear (as we’ll see).

Applying the & operator to an rvalue might seem a bit silly at first. Why not write it using an explicit temporary, after all? There are a couple of reasons though that it’s worth supporting, but the most crucial one is in macros. In macros, it’s useful to be able to apply the borrow operator to any expression in order to avoid moving or copying values when you don’t want to. For example, the expansion of assert_eq!($a, $b) is something like:

    let _a = & $a;
    let _b = & $b;
    if _a != _b {

If we didn’t use the & operator, then the first two lines might cause inapprorpriate moves. For example, if I wrote assert_eq!(x.a, y.b), and the type of x.a was affine, then assert_eq! would move from both x.a and y.b. Not so good.

Example 2: ref bindings and rvalues. The second example is in some way just a different syntax for the same thing (or, I should say, somethign which probably ought to be the same, though some of the rules I describe do not treat it the same way):

let ref mut map = HashMap::new();

Example 3: Autoref in method calls. Method calls in Rust typically take borrowed pointers to their receivers, but one rarely writes this explicitly. Instead, the receiver is implicitly borrowed via a mechanism called “autoref” (this is actually the same as in C++, except that in C++ all method calls are autoref’d, whereas in Rust you can also have method calls that take the receiver by value and not by reference).

One example that is becoming rather common in the rustc code base is the RefCell type. RefCell is a standard library type that allows some of the Rust compiler’s static checks to be converted into dynamic checks; it replaces @mut, which bundled together dynamic checks with managed data, and just isolates out the dynamic check portion so that it can be reused with other smart pointer types.

The way that RefCell works is that you invoke the borrow or borrow_mut methods:

let map: RefCell<HashMap<K,V>> = ...;
let mut r = map.borrow_mut();

These methods check some bits to ensure that the value is not borrowed in an incompatible way already (basically: a mutable borrow must not overlap with any other borrows). These methods then toggle some bits and return a special Ref type (r in the example above). This Ref type has a destructor which resets the bit, effectively ending the borrow. In the meantime, the Ref type can be used to get access to the data itself:

let data = r.get();

Note that there is an implicit borrow of the variable r occurring here. In a sense, that method call could be expanded to:

let data = (&mut r).get();

The key point here is that the lifetime of the variable r exactly corresponds to the lifetime of the dynamic borrow of map. Therefore, having a good understanding of when the destructor for r will run is crucial to know how long your map is borrowed for. For example, if you write code like the following, you will get a fatal error:

let map: RefCell<HashMap<K,V>> = ...;
let mut r1 = map.borrow_mut();
let mut r2 = map.borrow();     // Error: already borrowed!

The problem is that the second borrow (r2) occurs before the first borrow has completed; more operationally, the second borrow occurs before the destructor for r executes.

The lifetime of a borrow is relatively clear so long as explicit temporaries are used, as I showed so far. But it’s kind of verbose. For example, to insert an item into a map, I have to write something like:

let mut r = map.borrow_mut();
r.get().insert(k, v);

It’d be nicer if we could remove the temporary:

map.borrow_mut().get().insert(k, v);
// temporary:   ^~~~^

But this gets right back to the issue were talking about, because the call to get() in fact takes the address of the receiver, and in this case the receiver is an rvalue map.borrow_mut().

Some solutions

OK, so we have three examples where rvalue temporaries are borrowed:

let map = &mut HashMap::new();       // (1)
let ref mut map = HashMap::new();    // (2)
map.borrow_mut().get().insert(k, v); // (3)

I want to explore various rules we could use to decide when the destructors run, and see what the effect would be on each example.

Solution 0: Innermost enclosing statement.

My first attempt (what is currently written on the branch) was to make all temporaries tied to the innermost enclosing statement (roughly, see Appendix B for full details). I think this does the right thing for example 3, in that it releases the borrow at the of the statement:

map.borrow_mut().get().insert(k, v); // (3)

However, examples 1 and 2 both fail to compile:

let map = &mut HashMap::new();       // (1)
let ref mut map = HashMap::new();    // (2)

The reason for this is that, if the hashmap only lives as long as the statement, the value in map gets destructored as soon as it is assigned, and thus cannot safely be used by the following statements. That is, the following code would access freed memory:

let map = &mut HashMap::new();

I think this solution is not workable because one cannot write the assert_eq macro above.

Solution 1: Innermost enclosing block.

To address the problem with solution 0, we might try to use the innermost enclosing block. This makes examples 1 and 2 work find, but example 3 doesn’t work so well:

map.borrow_mut().get().insert(k, v); // (3)

The problem is that here the borrow isn’t released until the end of the enclosing block, rather than the enclosing statement. This probably way too late. For example, code like the following would fail dynamically:

  ref_map.borrow_mut().get().insert(key1, value);
  let v = *ref_map.borrow().get().find(key2);

I think this solution is not workable because it is too painful to work with RefCell.

Solution 2: Variations on the C++ rule (roughly).

Interestingly, C++ has a similar problem concerning temporaries, and they have a rather custom rule that attempts to address exactly the issue I encountered with solution 0. The C++ rule, as I understand it, is that temporaries live as long as the innermost enclosing statement, unless the temporary is assigned to an (reference) variable, in which case it lives as long as that variable.

So, for example, if I had a call to a function that took a map rvalue reference, as follows:

V& find(const map<K,V>& m) { ... }


then the map will be freed after use() returns. This is true even though the temporary was created as an argument to find(). Basically the temporary will live until the next semicolon, roughly speaking.

Now there is one exception to this rule. If I asssign the temporary to a variable, then it lives as long as the variable:

const map<K,V>& m = map(...);

In this case, the destructor for map will run once m goes out of scope.

It is a bit challenging to make a direct equivalent to this rule in Rust. For one thing, we have explicit borrows (the & operator) and also ref bindings. For another, assignments can be more complicated, e.g.:

let Foo { a: ref a, b: b } = create_foo();

In this case, one of the fields is bound by reference, but the other is moved.

Variation A. Still, we could make a rule that says something like this: let bindings where the initializer is an rvalue first store the initializer into a temporary with the lifetime of the innermost block, and then assign from that temporary into the pattern. So effectively let pat = rvalue becomes:

let _temp = rvalue;
let pat = temp;

This rule treats examples 1 and 2 rather differently:

let m = &mut HashMap::new();     // (1) Error
let ref mut m2 = HashMap::new(); // (2) OK

Example 1 is unaffected by the rule and hence still an error for the same reasons as Solution 0: the temporary created by the explicit borrow goes out of scope at the end of the let statement, rather than the block. Example 2 would work, though, because the temporary in that case would have an extended lifetime. In the case of Example 3 (the RefCell), the borrow would terminate at the end of the statement, as desired.

Variation B. Another option would be to say that the borrow operator & uses the lifetime of the innermost enclosing block, but all other temporaries use the innermost enclosing statement. This rule is easier to explain than variation A, and it has the opposite effect on examples 1 and 2:

let m = &mut HashMap::new();     // (1) OK
let ref mut m2 = HashMap::new(); // (2) Error

In Example 2, the temporary used for let initializers only lives until the end of the statement, so we get a compilation error.

Variation C. We could extend the lifetime of both explicit & uses as well as let initializers. In that case, both examples 1 and 2 work the same way:

let m = &mut HashMap::new();     // (1) OK
let ref mut m2 = HashMap::new(); // (2) OK

Summary. I think variations A, B, or C would all be potentially workable.

Solution 3: Inference.

Finally, we can rely on inference. Essentially the compiler would decide the smallest lifetime that makes the program legal. This makes all of the examples I’ve given work, but at a cost in predictability – it’s hard to know when your destructors run. For things like RefCell, this is of course a potential problem. Overall, while I think inference is workable, it is almost universally unpopular, simply because people do not like the idea of an ill-defined lifetime inference algorithm dictating when their destructor will execute.


All in all I guess I leans towards some variation of Solution 2. I like Variation B (make the lifetime of the explicit & operator be the innermost enclosing block; otherwise, innermost enclosing statement) because it’s easy to express and implement, but I also like Variation C because it treats examples 1 and 2 the same way. Whatever we do, having an explicit option seems like a good idea (see Appendix A).

Appendix A. Explicit annotation

Regardless of what rule we pick, it is possible to permit users to explicitly annotation temporary lifetimes. One of the motivations for the current lifetime syntax was to permit users to annotate blocks (and perhaps statements/expressions) with lifetime names and then refer to those later. For example, one might create a temporary and explicitly state that it should be destructed in an outer block:

'a: {
        let m = &'a mut HashMap::new();

There would be some limits to these explicit temporaries. For example, you could not create a temporary in an outer block if you are within an if or loop statement (this is needed to ensure fixed size stacks and to ensure we know what values to run destructors on statically).

Appendix B. Tail expressions in block.

In many of the rules above, I’ve referenced the innermost enclosing block or statement. But what is the innermost enclosing block or statement in a situation like:

let v = {
    &mut HashMap::new()

It might be nice to make the tail expression in a block belong, effectively, to its parent.

In my existing code (which implements Solution 0), the actual rule is not ““innermost enclosing statement” but rather “innermost enclosing statement, loop body, or function”. I do not consider the tail expression of a block to be in a statement. This means that temporaries in the tail expression effectively have the lifetime of the statement (or loop body, or function body) in which the block appears.

Appendix C. Match expressions.

Ref bindings can also appear in match expressions, of course. Regardless, I think the semantics of match on an rvalue probably ought to be that the temporary value lives as long as the enclosing statement, regardless of what bindings it contains; that seems to be what most people expect.