Supertrait item shadowing v2 #3624
Conversation
|
I'd like to know how this would interact with the previous RFC #2845 . Is this meant as a complete replacement or as an extension? I deliberately did not address It reads as a replacement, but fundamentally the same issue also occurs with generic trait bounds, which I was trying to address in the previous RFC. What do you propose in the case where someone has written a generic bound for |
|
This is intended as a replacement for #2845 since it is more general: this RFC effectively proposes one of the alternatives listed in #2845 where we always prefer the sub-trait no matter what generic bounds are in use (and also applying to the more general case of
This RFC would always resolve |
| # Rationale and alternatives | ||
| [rationale-and-alternatives]: #rationale-and-alternatives | ||
|
|
||
| If we choose not to accept this RFC then there doesn't seem to be a reasonable path for adding new methods to the `Iterator` trait if such methods are already provided by `itertools` without a lot of ecosystem churn. |
There was a problem hiding this comment.
Why is picking a different name not a reasonable path? The unavoidable bikeshedding around a new name is annoying, but it seems to me like a small, one-time cost compared to the permanent additional language complexity of this feature.
I also wonder how many times we anticipate to run into this problem in the future. Are there more examples aside from Itertools::intersperse? If we only ran into this problem once within 9 years of Rust being stable, the benefit of this feature seems very limited.
There was a problem hiding this comment.
Picking a new name also has disadvantages other than than the time taken to pick it, users then have to learn the new method name and that it is semantically identical to the Itertools::intersperse() yet has a different name. This is not a one-time cost as it will effect all future users when, for example, searching docs for this method. This would be the case for all methods stabilized from itertools to std which might be quite a few if we had a reliable way to do such a migration.
There was a problem hiding this comment.
users then have to learn the new method name
I don't see the problem. People who are using intersperse from itertools shouldn't expect the standard library to use the exact same name. And I assume few people rely on the unstable version in std for production code, it would be unwise to opt into breaking changes for what amounts to a small ergonomics improvement (which a library can also provide).
For regular Rust users, the function doesn't exist right now. In the future it may - its name is an open question.
This would be the case for all methods stabilized from
itertoolstostdwhich might be quite a few
I agree that this is something to consider, we don't want to have to pick the "second best" name for many functions in std. But first we should think concretely about which methods from itertools might actually make the jump into std. itertools has been around for a long time and I'm not aware of a big push to upstream many of its methods. Which indicates to me, there isn't that much need. But I'm happy to be convinced otherwise. Examples from other libraries besides itertools count as well.
There was a problem hiding this comment.
The issue is that because itertools is used widely, std cannot upstream methods from itertools without causing lots of breakage in all crates currently using itertools. This is a perverse incentive which forces the "second best" issue you mentioned, and it's not limited to itertools, it happens whenever std lacks a function, someone implements an extension trait to add it in a crate (as they should), and everyone picks it up because it is really useful (as they should). The exact sequence of events which leads to strong evidence that something should be in std is also the sequence of events that blocks it from being added to std.
There was a problem hiding this comment.
I understand that. The reason I'm pushing back is that to me, the feature doesn't seem to align with Rust's design principles. This new implicit default doesn't seem obviously correct to me. If I call a method that has two implementations, I would generally prefer the compiler yell at me rather than pick one without telling me. That's why I think we should be certain that we'll make good use of this feature before adding it.
But I'll admit this is a theoretical objection. In practice, the problem may never show up and then it's fine to add the feature. Pragmatism comes first. I guess I just agree with this comment. We should think about edge cases where this could go wrong.
There was a problem hiding this comment.
I would generally prefer the compiler yell at me rather than pick one without telling me
The rfc mentions this:
This behavior can be surprising: adding a method to a sub-trait can change which function is called in unrelated code. A lint could be emitted to warn users about the potential ambiguity.
There was a problem hiding this comment.
Yeah, a lint would make sense if the migration-situation with intersperse is the only use case we expect this feature to be used in practice. But maybe some users will use the shadowing to implement a form of specialization? Or any other unrelated use case I can't think of right now. If that happens, it might lead to a discussion about whether the lint should be enabled by default or not. And if it ends up allow-by-default, it loses much of its value.
|
How about an alternative approach for stabilization where This way we don't have to add any language complexity, while still being able to migrate any methods we like, at the expense that it takes quite a while to do so. |
|
Then we could then add clippy lints for these renamed methods to encourage people to switch back to the stabilized |
ehuss
added
the
T-lang
|
Instead of relying on trait dependence, maybe we can rely on crate dependence? That is, if one crate crate is a dependency of the other use its method. |
|
(not directed at anyone in particular) Keep in mind that this RFC is generally applicable, not specific to |
|
It seems to me like we're adding a feature to the language not because we think it's a good feature on its own, but because it happens to have a convenient side effect for the work of the project. It feels wrong, but I'll always agree to go the pragmatic route. I'll throw in another idea for an alternative: hard-code the method resolution for those exact methods we want to uplift into The advantage I see would be that there is no seemingly useless "feature" in the langauge we have to support forever. There is no user-facing change. We may at some point run crater again and if use of I have no idea how complex this would be in terms of the implementation. This is certainly not worth paying for with much complexity. |
|
We should clarify the problematic scenario here: We've a crate There are several safer alternatives:
I'd think 4 or similar provides the safest solution. We'd stabalize the shadow attribute so that ecosystem crates could benefit too, but only under edition upgrades. |
@senekor, I wonder whether the project would be OK with the implications this has for other (non- I agree that complex features like this must be considered carefully, especially if they can introduce unexpected results. However, hardcoding a list of workarounds for method resolution could easily be "just as confusing", IMHO. |
Yes, that's a good point. It's not an impossible problem to solve, but I'm not fond of the idea myself.
Thank you, that is the kind of situation I was worried about. Although this seems hard to exploit in practice, I think it shows that the language feature isn't very desirable on its own. I like the idea of picking the supertrait method iff the supertrait opted into this shadowing behavior. It makes it clear that this feature is meant for our exact migration use case only. I'm not sure if gating on a specific edition and stabilization are necessary, it seems like those things could be added later as well, if they turn out to be needed. |
|
"A lint could be emitted to warn users about the potential ambiguity." So Perhaps there should also be another lint, that detects when the sub-trait defined that shared the exact same name with the super-trait, to address the "dependents" case. BTW I'm very confused why some comments here keep saying this RFC is a "complex feature". The whole feature is literally described in 4 sentences. The implementation is most likely localized to the probe phase. There isn't much complexity added compared with many other RFCs out there. |
At least for my comment, "complex feature" means a feature introducing language complexity. Many RFCs have more complex implementation details, but this RFC can still be complex language-wise if it makes the code harder to understand. In this case, writing new code using the standard library implementation while old code continues to use the Some programming languages are centred around keeping language complexity to a minimum, even if it comes at the cost of convenience. Now, Rust isn't Zig or Go, and the language complexity introduced by this feature is likely manageable, as this form of method resolution "feels natural" in most cases. As such, I personally don't think the complexity should block this RFC. |
|
@kennytm I am also thinking about langauge complexity, specifically for people learning Rust. I recently taught a Rust workshop and traits were a difficult topic for the participants. I'm wondering if in the future, I'll have to teach people about which trait method will be implicitly selected under which circumstances. Now, it's likely that the average Rust dev will never come into contact with this feature in the first place (meaning I don't have to teach it), because it only ever comes up in such migration situations. In that case, I'm perfectly fine with it. I'm just not sure of it yet. I'm trying to think of ways this feature could be (ab)used in ways that newcomers will have to know about. No success so far, which is a good sign. What would be the downside of always resolving the implementation to the supertrait? For the intended use case, it doesn't matter, because they are the same. It's also closer to what we're trying to achieve in the first place: Move away from the subtrait toward the supertrait. It seems like less potential for spooky-action-at-a-distance to me. Adding or removing a |
adding |
|
I think "complexity" does not capture the concerns here, really neither does "intuitiveness". We do not need a single word that captures the concerns though. Wow @programmerjake that's really nasty. Any idea why that happens? I'd thought inherent methods always won out in resolution? Can we lint against this behavior? Or does std require it somewhere?
It's not "hard to exploit" in the same sense in which secureity people say "hard to exploit". It's quite easy. An exploit requires work of course, but that's common. Accedental changes cause some concern too here, like when using traits at VM boundaries. @kennytm Cool. Yeah, I figured some lint would appear eventually, but..
As denying should become common, we should ask what solution really makes the most sense here? Around my 3. Afaik, there is no good reason to favor the subtrait method over the supertrait here. It's clear either direction could break agreement between static methods and trait object methods, but we'd break agreement less if we favor supertraits over subtraits. Again, this does not solve the problem I mentioned either, but again it's less bad this way. Around my 4. We want shadowing to remain rare, so op-in attributes should create less work than any op out solution. Yes, op-in is delicate too, but several designs make sense, so they should be seriously discussed. I thought up op-ins that exploit edition boundaries, but maybe other flavors make sense. |
That's probably because the method candidate |
|
I'll single out the simplest seeming solution: Add a Implementation should be similar to this RFC, except the shadowing would be reversed, and turnned off by default. Any errors must originate from the rare excplicit references to There are no impacts on how you read or audit code here: We only have supertraits shadowing subtraits, which sounds safer, for both trait objects and supply chain attacks, but even this shadowing only occurs when explicitly required by the supertrait. Am I missing anything? |
|
Consider this situation:
In this general case, the reason this cannot be resolved in favor of the supertrait is that the method signatures are not necessarily compatible. #![allow(unused)]
mod a {
pub trait Int {
// fn call(&self) -> u32 {
// 0
// }
}
impl Int for () {}
}
mod b {
pub trait Int: super::a::Int {
fn call(&self) -> u8 {
0
}
}
impl Int for () {}
}
use a::Int as _;
use b::Int as _;
fn main() {
let val = ().call();
println!("{}", std::any::type_name_of_val(&val));
}Resolving in favor of @burdges Nothing about this RFC is specific to the standard library, so I don't see how you envision an edition fitting into this. |
|
As far as I can tell, regardless of the outcome of this RFC, we still have to view introduction of trait methods as introducing ambiguity, e.g. for the The main benefit I can see of this RFC is that it allows me as a library maintainer to refactor methods into supertaits without breaking explicit usage of I also think this RFC proposes an idea that feels consistent with both Deref shadowing and also #3245, so the additional complexity doesn't seem high. |
|
@archer-321 @senekor However, item shadowing is already happening with inherent vs trait methods, so that "complexity" already existed. (Not to mention the auto-ref based method resolution mentioned #3624 (comment) which was exploited for like Generalized Autoref-Based Specialization. This is the emergent complexity.). Explaining this RFC is as simple as For each step of auto-deref/auto-ref,
1. Pick the inherent item `S::name` if it existed
2. Find all traits `Tn` that `S` implements, and check every trait that `Tn::name` existed.
If there is a single unique trait `T0` defining `T0::name`
- and no other traits do,
+ which is a subtrait of every other traits that do,
pick `T0::name`, otherwise (if there are >1 such candidates) fail for ambiguity error. |
Also in my proposal.
An edition change provides a flag that downstream code upgraded. There is no reason other code cannot use this flag independently of the standard library, but major version upgrades provide a similar flag.
Sure. We'd exploit the edition boundary in my proposal precisely because itertools has an incompatible method signature, since itertools' methods are not In general, subtraits being favored brings a similar problem too. We could build examples that this RFC breaks too: Initially a crate has both At a high level, all this seems extremely rare, so it's much worse to make auditing hard across the whole ecosystem. If you ship this RFC as proposed, then supply chain attacks should eventually make In fact, we'll definitely have future legislation about supply chain attacks in many jurisdictions, especially for government contractors. It's likely legislation cares about upgrades, but does not care about build breakage, which could make |
|
Thanks for the explanations all, my opposition to this is dwindling. I agree with @burdges proposal to make this behavior opt-in from the supertrait side. So far, there hasn't been a use case discussed where it would be desirable for this shadowing to happen without the knowledge / consent of the supertrait author. So I don't see a reason to extend this implicit behavior beyond its intended use case. |
In the
This would mean that
An attribute could be an interesting idea, but in a different way: we could explicitly mark specific methods on the |
|
@traviscross proposal cancelled. |
rfcbot
removed
the
final-comment-period
rustbot
added
the
T-types
rfcbot
removed
the
disposition-merge
|
@rfcbot fcp merge For this one, let's just go ahead and include types on the FCP then. Let's not treat this as precedent, though. I'm inclined toward what Niko said:
That is, if we were to require full types team sign-off on RFCs like this so as to check implementation feasibility, then I'm not sure why we wouldn't also want to require full compiler team sign-off on essentially all lang RFCs for the same reason. We do of course want to consider implementation feasibility, but perhaps there are other ways to achieve that. That's an interesting policy question that we can take up sometime later for discussion. |
|
Team member @traviscross has proposed to merge this. The next step is review by the rest of the tagged team members:
Concerns:
Once a majority of reviewers approve (and at most 2 approvals are outstanding), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up! cc @rust-lang/lang-advisors: FCP proposed for lang, please feel free to register concerns. |
rfcbot
added
proposed-final-comment-period
|
The kind of thing that i would expect a types FCP to involve for a feature like this is about its interactions with the rest of the type system which tbh this RFC is not suited to answer. Even if we FCP this now we're just going to want to FCP this when actual stabilization comes up and implementation has been done and we can actually answer questions about impact on inference and whatnot. Involving types during the RFC phase for types related features seems very reasonable atleast just to get a temperature check (after all what's the point in lang FCP'ing something that types cant implement). I don't even really know what I'm agreeing to by ticking my box here, because its not that i think we should just stabilize this immediately. |
|
I'm just going to tick my box because I don't want to block work happening here but I don't want that to be taken as having a level of confidence in the proposed design that is not actually intended |
traviscross
removed
the
I-lang-nominated
|
Maybe a blocking concern "get vibes from the types team" would suffice for cases like this, but I definitely feel better about this RFC based on @compiler-errors's feedback. :) |
As was pointed out by compiler-errors, some of the details in this section are wrong. More broadly, though, specifying these details goes beyond the purpose of this RFC. These can be worked out later.
What this RFC had referred to as "name resolution" is actually method selection, as pointed out by compiler-errors, so let's fix this everywhere. In doing this, we remove one of the purported drawbacks of RFC 2845, as it makes less sense as stated after this fix.
Thanks to fbstj for pointing out this potential ambiguity.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
rfcbot
added
the
final-comment-period
|
🔔 This is now entering its final comment period, as per the review above. 🔔 |
rfcbot
removed
the
proposed-final-comment-period
|
When this RFC is merged, and the tracking issue gets created, please tag the tracking issue relnotes, so that we remember this will be one to document thoroughly. |
rfcbot
added
finished-final-comment-period
|
The final comment period, with a disposition to merge, as per the review above, is now complete. As the automated representative of the governance process, I would like to thank the author for their work and everyone else who contributed. This will be merged soon. |
|
The RFC has been merged! Thanks to @Amanieu for writing this, and to everyone who reviewed and contributed to it. Tracking issue at rust-lang/rust#89151. The next step is an implementation in nightly. |
…owing, r=<try> Implement RFC 3624 `supertrait_item_shadowing` (v2) Implements RFC 3624 and the associated lint in the RFC. Implements: * Shadowing algorithm * Lint for call-site shadowing (allow by default, gated) * Lint for definition-site shadowing (allow by default, gated) Tracking: - rust-lang#89151 cc `@Amanieu` and rust-lang/rfcs#3624 and rust-lang#89151
Tracking issue: rust-lang/rust#89151
This is an alternative to #2845 which aims to resolve the issues surrounding the stabilization of
Iterator::intersperse.Summary
When name resolution encounters an ambiguity between 2 trait methods, if one trait is a sub-trait of the other then select that method instead of reporting an ambiguity error.
Rendered