9 March 2023
Lifetimes seem to trip up every programmer new to Rust: just when you
start to feel like you’re getting the hang of things, the compiler
complains that a variable “doesn’t live long enough” and you find
yourself adding 'a or 'static in random places
without really understanding what you’re doing.
I have a theory why lifetimes are hard to wrap your head around, and it’s not that they’re particularly complicated. The trouble is that the Rust compiler does a pretty good job of figuring out lifetimes for simple cases. That’s a good thing of course – otherwise we’d have to litter our code with lifetime annotations – but it means that the first time you encounter them will be one of the complicated cases where the compiler needs the programmer’s help. You’re thrown in at the deep end, that’s why if feels frustrating.
Let’s try to avoid that here and start at the beginning. Why do we
need to worry about lifetimes? In Rust: The Stack and the
Heap I talked about the lifetime of stack- and heap-allocated
objects. That was fairly straightforward. Things get more interesting
when we look at references: if x is a reference, then at
any place in your code that says *x the Rust compiler needs
to make sure that the value x refers to is still valid.
That’s not the case in other languages; in Go or Java this would be the
garbage collector’s responsibility, in C or C++ it’s the programmer’s
responsibility.
If a reference exists only inside a single function this is usually easy to figure out:
struct Point {
x: i32,
y: i32,
}
fn use_point() {
let p = Point { x: 3, y: 0 };
let x = &p.x;
println!("x = {}", *x); // ok
}Since x is a reference to a field inside p,
we should never be able to dereference x after
p has been deallocated. In use_point,
p is deallocated at the end of the function, so
dereferencing x anywhere in the function is fine. Here’s an
example that will result in a compiler error:
fn use_point_bad() {
let x: &i32;
{
let p = Point { x: 3, y: 0 };
x = &p.x;
}
println!("x = {}", *x); // error!
}The example is a bit contrived, but I think you get the idea: I
defined the inner scope (marked by {…}) so that
p would be deallocated just before we try to access one of
its fields with *x. The compiler will rejects the code with
this error:
`p.x` does not live long enoughThe problem is that x refers to p.x and the
lifetime of x is longer than the lifetime of
p.x. That’s what we need to avoid: the lifetime of a
reference can be the same as the lifetime of whatever it refers to, or
it can be shorter, but it must never be longer.
So what about that 'a syntax? So far we didn’t have to
write any code to tell the compiler about lifetimes. That’s because
within functions, the Rust compiler will infer lifetimes automatically.
However, it won’t do that across function calls.
Let’s take a look at a function that returns a reference:
fn get_x<'a>(p: &'a Point) -> &'a i32 {
&p.x
}What’s going on here? This is using the <…> syntax
of generic functions, but instead of a type parameter we have
'a. The ' indicates this is a lifetime
parameter. In the parameter and return types, &'a
means “this is a reference with lifetime a”. The compiler will use this
information when checking the lifetimes within the function (pretty
simple here) and when checking the lifetimes in each function that calls
get_x. For example, let’s say we have this call somewhere
in our code:
let x = get_x(&p);Just like the compiler can infer that p must be a
Point and x will be a reference to
i32, it can infer that &p and
x must both have lifetime 'a, and it can
figure out what 'a will be for this particular call. (This
is a form of generics after all, so 'a will be different
for different calls.)
The compiler actually has a bit more wiggle room here: a longer
lifetime can be coerced into a smaller one, so it only needs to find a
lifetime 'a that’s smaller than (or equal to) the lifetime
of p and larger than (or equal to) the lifetime of
x. You can think of that as similar to how an i32 value can
be coerced to i16 but not to u32 or i64.
Here’s a slightly more complex case:
fn largest_x<'a>(p: &'a Point, q: &'a Point) -> &'a i32 {
if p.x > q.x { &p.x } else { &q.x }
}The return value can refer to either p or
q, so the lifetime annotations ensure that the return
value’s lifetime will be the same or shorter than the lifetime of both
parameters. Functions can have more than one lifetime parameter:
fn get_both_x<'a, 'b>(p: &'a Point, q: &'b Point) -> (&'a i32, &'b i32) {
(&p.x, &q.x)
}Using a, b, … is the usual convention for
lifetime parameters.
Lifetime annotations on methods work the same way, you just need to
remember that &self or &mut self is
also a reference. Here’s an example:
impl Point {
fn get_x_and_y<'a, 'b>(&'a self, msg: &'b str) -> (&'a i32, &'a i32) {
println!("Message: {}", msg);
(&self.x, &self.y)
}
}Looking at that last example you may be asking, do we really need the
'b parameter? It does’t do much in terms of restricting
lifetimes for code that calls get_x_and_y. The Rust
developers had the same idea, so they added a set of lifetime
elision rules that let you leave out the annotations in simple
cases (“elision” means leaving something out). Here they are, straight
from the Rust
Reference:
&Self or &mut Self, then the lifetime
of that reference to Self is assigned to all elided output lifetime
parameters.Rule 1 and 2 mean that we can write the get_x function
without any lifetime annotations:
fn get_x(p: &Point) -> &i32 {
&p.x
}We can also write the get_x_and_y method without
annotation thanks to rule 3 and 1:
impl Point {
fn get_x_and_y(&self, msg: &str) -> (&i32, &i32) {
println!("Message: {}", msg);
(&self.x, &self.y)
}
}The largest_x and get_both_x functions
still need annotations. As a little exercise, remove the annotations
from one of the example functions, then go through the lifetime elision
rules yourself. Do they add all the annotations back? If not, that
function needs explicit lifetime annotations.
If a struct includes a reference, the struct definition always has to
have a lifetime annotation; there’s no lifetime elision rule for
structs. As an example, let’s look at a struct that wraps a reference to
a std::fs::File and provides a convenient method to get the
file size:
struct FileWrapper<'a> {
file: &'a File,
}
impl<'a> FileWrapper<'a> {
fn size(&self) -> io::Result<u64> {
Ok(self.file.metadata()?.len())
}
}
fn use_file_wrapper() -> io::Result<()> {
let f = File::open("foo.txt")?;
let w = FileWrapper { file: &f };
println!("file size: {}", w.size()?);
Ok(())
}The lifetime annotations tell us that in
use_file_wrapper, the lifetime of w needs to
be shorter than or equal to that of f. That’s clearly the
case here, so we won’t get any errors about lifetimes.
const ORIGIN: Point = Point { x: 0, y: 0 };What about constants? As far as the rest of the program is concerned,
their lifetime is infinite – when you have a reference to a constant you
never need to worry about whether it’s still valid. Rust provides a
special lifetime called 'static for this case:
fn get_origin() -> &'static Point {
&ORIGIN
}You see 'static most often with string literals: every
"bla bla" in your code technically has type
&'static str.