Add slice access

[willglynn]

This PR adds slice access to certain storages. Slices allow the user to bolt on an accelerator framework like OpenCL (#553) for high throughput component processing. My thoughts behind this particular design are #553 (comment) and #553 (comment).

Checklist

• I've added tests for all code changes and additions (where applicable)
• I've added a demonstration of the new feature to one or more examples
• I've updated the book to reflect my changes
• Usage of new public items is shown in the API docs

API changes

Non-breaking, strictly additive:

• Add DenseVecStorage<T>::as_slice() -> &[T] and as_mut_slice() -> &mut [T].
• Add VecStorage::unsafe_slice() -> &[T] and unsafe_mut_slice() -> &mut [T].
• Add DefaultVecStorage<T>, which works like VecStorage<T>, requires T: Default, and provides as_slice() -> &[T] and as_mut_slice() -> &mut [T].
• Add as or unsafe [_mut]_slice directly on Storage as appropriate.

[WaDelma]

I think those unsafe_slices should return raw pointers as this is constructing partially initialized slice which I think is UB. Not 100% sure about this though.

[willglynn]

The proposed changeset allows the user to call an unsafe function to obtain a slice containing uninitialized or dropped values. Whether or not that slice should be permitted to exit the caller's unsafe {} code is a good question, and one which depends on the particular component's representation in memory, but either way it doesn't seem wrong for specs to provide this kind of slice to the caller's unsafe {} code.

[WaDelma]

Well if the whole Vec is full then it would be safe yes. But it's practically useless. I would provide way of getting raw pointers and let the user construct slice out of it if they want.

[willglynn]

I don't understand why this is wrong:

impl<T> UnsafeSliceAccess<T> for VecStorage<T> {
    unsafe fn unsafe_slice(&self) -> &[T] {
        self.0.as_slice()
    }
}

As I understand it, constructing a slice isn't UB regardless of its pointer or length.

Accessing such a slice may or may not be UB, but unsafe code commonly involves nonlocal concerns. Even in this one line function, Vec::as_slice() is safe code, but here it is unsafe because VecStorage uses unsafe { Vec::set_len() } and unsafe { ptr::drop_in_place() } elsewhere. You and I know that the slice is unsafe to use, but Vec::as_slice() doesn't.

unsafe_slice() gives users a slice with which they can cause UB, but… that's why it's unsafe. How would returning a pointer and a length improve this? As it stands now, unsafe_slice() returns a slice with a pointer and a length and the correct lifetime, which seems strictly safer than forcing users to construct their own slices.

[WaDelma]

If you have VecStorage<bool> that contains uninitialised values, this would create reference to slice of booleans that have different values than 0 or 1 and I think having such reference might be UB. But I cannot be certain as there is no memory model yet. What I am certain that having &bool to uninitialized bool is insta UB (and so &T of uninitialised value is easily UB). (NOTE: One could object here that bool is quite specific, but this problems is with enums and anything that contains bools or enums)

I might be bit too paranoid here, but unsafe is quite hard to reason about.

https://www.reddit.com/r/rust/comments/95vxdy/understanding_ub_with_stdmemuninitialized/

rust-lang/rust#53491

[willglynn]

Right; accessing an uninitialized &bool is definitely UB. My understanding is that constructing a slice is never UB; a &[bool] is not a &bool, it's syntactic sugar for a struct with a ptr: *const bool and len: usize. Calling as_ptr() and len() is never UB, since they just return the values inside the slice. UB begins only when that pointer is used to produce a &bool, i.e. on get() and the like.

We agree that blindly accessing VecStorage<bool>::unsafe_slice() could definitely cause UB. That's why it's unsafe. However, the user could take that unsafe_slice(), check the mask() for each index, and access only the locations where the slice contains initialized data. This would be safe, and it's basically how VecStorage works right now.

Moreover, this isn't VecStorage<bool>, it's VecStorage<T>. T could be a type for which every bit pattern is valid, in which case uninitialized data is not a safety problem. This is the motivating use case – a VecStorage containing a #[repr(C)] struct of f32s intended for computation in an OpenCL kernel. If every bit pattern of T is a T, there is no UB even for uninitialized data, and thus no need to consult the mask().

[willglynn]

I wonder: is this whole discussion because VecStorage should be storing a Vec<MaybeUninit<T>> instead of a Vec<T>? I'd be totally happy with returning a &[MaybeUninit<T>] instead, and that would make as_slice() safe to boot.

[willglynn]

I pushed a separate branch with 9c2d800 showing what VecStorage+MaybeUninit would look like. fn as_slice(&self) -> &[MaybeUninit<T>] feels a lot better than unsafe fn unsafe_slice(&self) -> &[T], and it feels better for VecStorage's internals to work in terms of MaybeUninit. There's no API breakage with that change, but a MaybeUninit dependency would bump the minimum Rust from 1.34.0 to 1.36.0.

If this is the right direction but we don't want to increase the version requirement right now, I would be happy to keep this new unified SliceAccess design and split all the MaybeUninit and impl SliceAccess for VecStorage into a separate PR. DefaultVecStorage entirely sidesteps the initialization concern and is only marginally more expensive.

[willglynn]

I rearranged my changes and force-pushed the branch for this PR. The first commit adds as_slice()/as_mut_slice() to DenseVecStorage and adds DefaultVecStorage. This is sufficient for my use (and likely others' use) per #553.

The second commit reworks VecStorage to use MaybeUninit per my previous comment and makes it expose as_slice() -> &[MaybeUninit<T>]. These changes are related (it would be nice to slice VecStorage), but they are separable, and I'm happy to move that commit to a new PR if desired.

[WaDelma]

Note that for f32 every bit pattern isn't allowed: Signaling NaN is a UB.
EDIT: Ah actually it isn't: https://stackoverflow.com/questions/43812361/is-transmuting-bytes-to-a-float-safe-or-might-it-produce-undefined-behavior I read somewhere before that it is, but apparently it has changed or I just read some misinformation.

I am not sure if slice is just syntactic sugar from compilers POV. But yeah probably constructing slice isn't UB.

I think having MaybeUninit is good direction to go to as it gives more confidence on the correctness of this stuff. I am not against bumping the minimum rust version myself, but cannot say if that's for others.

[willglynn]

I think having MaybeUninit is good direction to go to as it gives more confidence on the correctness of this stuff. I am not against bumping the minimum rust version myself, but cannot say if that's for others.

👍

[WaDelma]

Related: #646

[willglynn]

I note in #646 (comment) why I now believe that slices must always refer to initialized elements in current Rust, contrary to my earlier comments here.

[WaDelma]

This PR looks otherwise good, but DenseVecStorage should probably be changed to also have MaybeUninit.

[willglynn]

Ah, the Vec<T> is dense and always initialized, it's the the Vec<Index>es which are not. On it.

[WaDelma]

bors r+

[bors]

Build succeeded

• continuous-integration/travis-ci/push