Tree Borrows

Original Article ↗ Hacker News Discussion ↗

Purpose of Tree Borrows and the “unsafe can do this” example

  • Discussion focuses on clarifying that “unsafe code can do X” means “you can write and run it”, not that it is well-defined.
  • The example with taking &mut*mut and using it twice is accepted by the compiler but is intended to be UB.
  • Tree Borrows is presented as a candidate operational model that precisely states which rule is violated, instead of relying on informal “no aliasing” intuitions.
  • The model aims to characterize all programs accepted by the borrow checker, but that compatibility is currently a tested conjecture, not a proved theorem.

Stacked Borrows vs Tree Borrows, and Miri

  • Tree Borrows generalizes earlier Stacked Borrows: Stacked was simpler but rejected a lot of real-world unsafe Rust that seems correct.
  • Tree Borrows is implemented in Miri as an experimental runtime model; examples in the paper refer to that model, not to what rustc’s current compile-time borrow checker enforces.
  • Several commenters show how code snippets that compile fine are flagged as UB when run under Miri with Tree/Stacked Borrows.

Borrow checker variants and type-system debate

  • Some ask about plug-in or selectable borrow checkers with different trade-offs; others argue that would fragment the language into incompatible dialects.
  • Clarification: borrow rules are shared; only the algorithm for proving them could differ.
  • There is an extended debate over whether Rust’s core discipline is best described as affine types, uniqueness types, or “affine + borrowing”, touching on contraction, Copy types, and the Curry–Howard view. No consensus is reached.

Aliasing, C’s strict aliasing, and Rust

  • Long comparative thread: C’s TBAA/strict aliasing vs Rust’s “no aliasing for &mut” plus raw-pointer opt-out.
  • Some argue C’s rules are easier (type-based, compatible types may alias); others highlight notorious C pitfalls (e.g., void* casts) and the prevalence of -fno-strict-aliasing.
  • In Rust, most code stays in safe references where aliasing is statically enforced; difficulty arises mainly when mixing references and raw pointers in unsafe code.

Tooling, UB, and optimizations

  • Miri is widely praised as essential for checking unsafe code and standard library internals, but recognized as slow and incomplete (notably for concurrency and FFI).
  • Several examples show UB found in core Rust libraries; this is framed as evidence the model and tooling are still maturing, not as a unique Rust failure.
  • On performance, estimates for aliasing-based optimizations range from negligible to ~5–10% on some workloads; alias info is especially important for vectorization, but heroic alias analyses likely give modest gains beyond basic cases.