Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Explain how Vec::with_capacity is faithful #99790

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

workingjubilee
Copy link
Member

@workingjubilee workingjubilee commented Jul 27, 2022

There are concerns that the doc changes in 95dc353
are breaking changes in the promised API. In this commit, I explain in more detail
the exact promise that Vec::with_capacity is really making:
Vec is trying to act unsurprising by relaying information faithfully to the allocator,
it is not committing to internal details of Vec itself beyond that.
As it happens, we don't get useful capacity information from allocators,
but once upon a time Rust did capacity recalculation from available data,
and we should reserve the right to do so again if it seems profitable and correct.

This path avoids adding a duplicate with_capacity_exact to Vec's already-formidable API surface.

closes #99385.

There are concerns that the doc changes in rust-lang/rust@95dc353
are breaking changes in the promised API. In this commit, I explain in more detail
the exact promise that Vec::with_capacity is really making:
Vec is trying to act unsurprising by relaying information faithfully to the allocator,
it is not committing to internal details of Vec itself beyond that.
As it happens, we don't get useful capacity information from allocators,
but once upon a time Rust did capacity recalculation from available data,
and we should reserve the right to do so again if it seems profitable and correct.

This path avoids adding a duplicate `with_capacity_exact` to Vec's already-formidable API surface.
@rustbot rustbot added the T-libs Relevant to the library team, which will review and decide on the PR/issue. label Jul 27, 2022
@rustbot
Copy link
Collaborator

rustbot commented Jul 27, 2022

Hey! It looks like you've submitted a new PR for the library teams!

If this PR contains changes to any rust-lang/rust public library APIs then please comment with @rustbot label +T-libs-api -T-libs to tag it appropriately. If this PR contains changes to any unstable APIs please edit the PR description to add a link to the relevant API Change Proposal or create one if you haven't already. If you're unsure where your change falls no worries, just leave it as is and the reviewer will take a look and make a decision to forward on if necessary.

Examples of T-libs-api changes:

  • Stabilizing library features
  • Introducing insta-stable changes such as new implementations of existing stable traits on existing stable types
  • Introducing new or changing existing unstable library APIs (excluding permanently unstable features / features without a tracking issue)
  • Changing public documentation in ways that create new stability guarantees
  • Changing observable runtime behavior of library APIs

@rust-highfive
Copy link
Collaborator

r? @thomcc

(rust-highfive has picked a reviewer for you, use r? to override)

@rust-highfive rust-highfive added the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label Jul 27, 2022
@workingjubilee workingjubilee added T-libs-api Relevant to the library API team, which will review and decide on the PR/issue. A-docs Area: Documentation for any part of the project, including the compiler, standard library, and tools and removed T-libs Relevant to the library team, which will review and decide on the PR/issue. labels Jul 27, 2022
@thomcc
Copy link
Member

thomcc commented Jul 28, 2022

I'm in favor of this, for sure. I'm also not certain if this is a contractual change, or a clarification of the existing contract. I'd lean toward the former, but it's close enough that I'll reassign to someone on libs-api (e.g. someone who can start an FCP about it), just to be sure.

r? @m-ou-se

@JanBeh
Copy link
Contributor

JanBeh commented Aug 24, 2022

The current contract is somewhat inconsistent because the documentation (as of Rust 1.63) currently says here:

vec![x; n], vec![a, b, c, d], and Vec::with_capacity(n), will all produce a Vec with exactly the requested capacity.

But in Vec::with_capacity:

Constructs a new, empty Vec<T> with at least the specified capacity.

Copy link
Contributor

@JanBeh JanBeh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

vec![x; n] and Vec::with_capacity(n) produce a Vec that allocates n capacity.

This should probably read "at least n capacity" if this is how Vec behaves. Otherwise it could be left as is. But not sure about the grammar here.

Vec has preferred either answer at different times and may change again.

I don't think it's necessary to explain how things changed in past, and I would thus remove that sentence above. The previous sentence ("In that case, capacity may return either the requested capacity or actual allocated size.") is already clear enough in my opinion.

However, Vec::with_capacity(5) will not deliberately "round up" to Vec::with_capacity(8) for any non-zero-sized type, to respect programmer intent.

I'm not as fond of giving an example here (and if an example is given, it should be phrased with "for example"). Maybe better phrase it like the following:

"However, Vec::with_capacity(n) will not deliberately "round up" in anticipation of the Vec growing beyond n elements. It thus behaves like Vec::new followed by Vec::reserve_exact, but may be faster."

I didn't check how Vec actually behaves. This still needs to be reviewed. I just wanted to comment on the wording here.

@Kixunil
Copy link
Contributor

Kixunil commented Sep 2, 2022

@JanBeh noticed that too and opened an issue which this PR would close: #101316
@workingjubilee I suggest you add closes statement to the PR description.

@workingjubilee
Copy link
Member Author

workingjubilee commented Sep 12, 2022

@JanBeh noticed that too and opened an issue which this PR would close: #101316 @workingjubilee I suggest you add closes statement to the PR description.

I have the power to close issues.

@dpc: An allocator for a system may deliberately choose to match, byte for byte, the requested allocation size, due to being run on a platform that has e.g. different RAM constraints. It is my understanding that the glibc malloc implementation does this for larger objects (not for tiny ~16 byte allocations, but for kilobytes, where the slight overhead of tracking the size is more beneficial than overusing memory), and is widely considered to be of reasonable performance, especially across the variety of different hardware glibc is deployed on. So the design of things like jemalloc is not a universal good, and I believe it is inappropriate for Rust to adopt in a default container, in an explicit API. Designing Vec in such a way that the API naturally works with either being bound against jemalloc-like or glibc-like allocators seems a far superior choice.

@jmaargh
Copy link
Contributor

jmaargh commented Apr 12, 2023

Hi, I'm the original author of #96173. Since this accidentally apparently caused a breaking change I feel I should probably start by apologising for the extra confusion I caused. I am sorry.

With the already suggested change of "with exactly the requested capacity" -> "with capacity at least n" the changes here look good to me.

I'm still a little unclear on the libs team's consensus (if there is one) on the intended behaviour here (having read the various issues linked above, as well as zulip). If this is the wrong place to discuss that, please do let me know where that discussion can be more helpful.

Generally (this discussion for non-ZSTs for the moment), the user can request capacity n, then the allocator allocates space for m >= n elements, and the Vec struct stores and reports of p. According to this comment right now n = m = p for all non-ZSTs. However, it's also been noted that allocators can totally reasonably give m > n. The question is, in those cases what is the guarantee that should be given for p?

  1. "What you asked for": p = n will probably avoid surprise for many uses and was what the previous documentation guaranteed (though reserve and reserve_exact both were documented with the weaker guarantee).
  2. "What's actually there": p = m will probably avoid surprise for users who are sensitive to exactly what is allocated.

My main motivating example for moving to 2 is mentioned in #95614, where you need to break a vec into raw parts (e.g. for FFI) and then re-construct. The docs for from_raw_parts are quite clear that the "capacity" passed in there must match what the allocator gave. The (not-stabilised) into_raw_parts guarantees that the "capacity" it returns is that from the allocator, presumably exactly for this reason. These together strongly suggest to me that p = m is the correct choice, since m will need to be tracked anyway for these use-cases.

Assuming this is all right and there is consensus on it, then this behaviour is already incorrect, is it not? The comment states that allocators "currently" return the requested size, but the Allocator::allocate docs explicitly state that "The returned block may have a larger size than specified by layout.size()". To bring everything into alignment, the extra cost of doing capacity: ptr.len() / mem::size_of::<T>() will have to be swallowed, surely?

@workingjubilee
Copy link
Member Author

I do not believe that suggestion applies, although I am not entirely sure what line people are suggesting it for, given people are talking inexactly about substrings instead of highlighting them in the UI.

What this attempts to explain is that Vec acts on the programmer's intention, and that sometimes this constitutes a surprising reality, i.e. that Vec, the programmatic entity, allocates with that capacity, and then the Allocator decides the capacity.

Copy link
Contributor

@jmaargh jmaargh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Apologies, I now understand your intention. I've made some suggested changes which I believe makes that intention more explicit.

Comment on lines +361 to +373
/// `vec![x; n]` and [`Vec::with_capacity(n)`] produce a `Vec` that allocates `n` capacity.
/// `vec![a, b, c, d, e]` produces a `Vec` which allocates once for all items (in this case 5).
/// An allocator may return an allocation with a size larger than the requested capacity.
/// In that case, [`capacity`] may return either the requested capacity or actual allocated size.
/// `Vec` has preferred either answer at different times and may change again.
/// However, `Vec::with_capacity(5)` will not deliberately "round up" to `Vec::with_capacity(8)`
/// for any non-zero-sized type, to respect programmer intent.
///
/// Excess capacity an allocator has given `Vec` is still discarded by [`shrink_to_fit`].
/// If <code>[len] == [capacity]</code>, then a `Vec<T>` can be converted
/// to and from a [`Box<[T]>`][owned slice] without reallocating or moving the elements.
/// `Vec` exploits this fact as much as reasonable when implementing common conversions
/// such as [`into_boxed_slice`].
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here are some suggestions for re-wording based on your stated intent, which I hope read a little clearer with a clearer distinction between "requested", "allocated", and "reported" capacities (none of which are guaranteed to equal any other).

Para 1: These are the ways of constructing with a specific capacity, they provide this guarantee on the allocation request.

Para 2: Allocator may return more space, and Vec is not guaranteed to report capacity as exactly the requested or the allocated capacity

Suggested change
/// `vec![x; n]` and [`Vec::with_capacity(n)`] produce a `Vec` that allocates `n` capacity.
/// `vec![a, b, c, d, e]` produces a `Vec` which allocates once for all items (in this case 5).
/// An allocator may return an allocation with a size larger than the requested capacity.
/// In that case, [`capacity`] may return either the requested capacity or actual allocated size.
/// `Vec` has preferred either answer at different times and may change again.
/// However, `Vec::with_capacity(5)` will not deliberately "round up" to `Vec::with_capacity(8)`
/// for any non-zero-sized type, to respect programmer intent.
///
/// Excess capacity an allocator has given `Vec` is still discarded by [`shrink_to_fit`].
/// If <code>[len] == [capacity]</code>, then a `Vec<T>` can be converted
/// to and from a [`Box<[T]>`][owned slice] without reallocating or moving the elements.
/// `Vec` exploits this fact as much as reasonable when implementing common conversions
/// such as [`into_boxed_slice`].
/// `vec![x; n]` and [`Vec::with_capacity(n)`] produce a `Vec` that allocates `n` capacity;
/// that is, they request a capacity for `n` elements from the allocator. Similarly,
/// `vec![a, b, c, d, e]` requests an allocation to cover the number of given elements (in this case 5).
/// `Vec` is guaranteed request exactly these capacities and not "round up" the allocation request
/// to speculatively avoid potential future allocations in these cases, to respect programmer
/// intent.
///
/// Any allocator may return an allocation with a size larger than the requested capacity, so
/// the allocated capacity may exceed the requested capacity. The reported capacity, as returned
/// by [`capacity`], is guaranteed to be at least the requested capacity and not more than the
/// allocated capacity, but is not guaranteed to be either. So if the programmer requests a
/// capacity of `n` the the allocator will be asked for `n` but may allocate space for `m >= n`, and
/// [`capacity`] may therefore also return `c >= n` (but `c <= m` is guaranteed).
///
/// Excess capacity an allocator has given `Vec` is still discarded by [`shrink_to_fit`].
/// If <code>[len] == [capacity]</code>, then a `Vec<T>` can be converted
/// to and from a [`Box<[T]>`][owned slice] without reallocating or moving the elements.
/// `Vec` exploits this fact as much as reasonable when implementing common conversions
/// such as [`into_boxed_slice`].

@bors
Copy link
Contributor

bors commented Jan 19, 2024

☔ The latest upstream changes (presumably #120121) made this pull request unmergeable. Please resolve the merge conflicts.

@Dylan-DPC Dylan-DPC added S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Jul 24, 2024
@Dylan-DPC
Copy link
Member

@workingjubilee if you can resolve the conflicts we can push this forward. Thanks

@alex-semenyuk alex-semenyuk added S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. and removed S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. labels Oct 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
A-docs Area: Documentation for any part of the project, including the compiler, standard library, and tools S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. T-libs-api Relevant to the library API team, which will review and decide on the PR/issue.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Removal of exact capacity guarantee for Vec::with_capacity() is a breaking change