Ownership & Borrowing in Rust

13 min readFeb 22, 2024

What Is Ownership?

At its core, Rust’s ownership model is about managing which part of your code is responsible for freeing memory. Unlike garbage-collected languages where the runtime automatically cleans up unused memory, or languages like C++ where you manually allocate and free memory, Rust introduces a set of rules enforced at compile time to manage memory. These rules are designed to ensure memory safety without needing a garbage collector.

The Rules of Ownership

Rust’s ownership model is built on three simple rules:

Each value in Rust has a variable that’s called its owner.
There can only be one owner at a time.
When the owner goes out of scope, the value will be dropped (freed).

Why Ownership?

You might wonder why Rust bothers with this complexity. The answer lies in memory safety and efficiency. Ownership allows Rust to prevent memory leaks and access to invalid memory, two common issues in systems programming. It does this without the runtime cost of garbage collection, making Rust programs both safe and fast.

Ownership in Action: An Example

Let’s break down an example to see ownership in action. Consider a simple scenario where you have a string variable:

let my_string = String::from("Hello, Rust!");

Here, my_string owns the memory allocated for the string "Hello, Rust!". According to Rust's rules, when my_string goes out of scope, the memory is automatically freed. Now, what happens if you try to copy my_string into another variable?

let another_string = my_string;

Unlike in languages where this might create a shallow copy, in Rust, my_string is moved to another_string. Now, another_string is the owner, and my_string is no longer valid. This prevents a situation called a double free, where both variables go out of scope and try to free the same memory, leading to memory corruption.

Ownership and Functions

Ownership rules also apply when values are passed to functions. When you pass a variable to a function, the ownership can be transferred, just like assigning it to another variable. If the function returns a value, ownership can be transferred back to the caller. This ensures that memory is properly managed without leaks.

fn take_ownership(some_string: String) {
    println!("{}", some_string);
} // `some_string` goes out of scope and `drop` is called. The memory is freed.

let my_string = String::from("Hello, Rust!");
take_ownership(my_string);

// `my_string` can no longer be used here as ownership has been transferred to `take_ownership`.

Why It's Needed

The ownership model is Rust's answer to a fundamental problem in systems programming: ensuring memory safety without sacrificing performance. By enforcing these rules at compile time, Rust eliminates entire classes of bugs that are common in other systems languages, making your code safer and more reliable.

Ownership might seem like a lot to wrap your head around at first, especially if you're not used to thinking about memory management. But it's a powerful tool, laying the foundation for understanding more complex features like borrowing and lifetimes, which we'll get into next.

What is Borrowing?

In Rust, borrowing is a concept that allows you to access data in a variable without taking ownership of it. This is done through references, which come in two flavors: immutable and mutable.

Rules for Borrowing

Rust’s borrowing rules are designed to ensure data race safety at compile time. Here’s the gist:

Immutable References (&T): You can have any number of immutable references to a piece of data. With an immutable reference, the data it points to cannot be modified.
Mutable References (&mut T): You can only have one mutable reference to a piece of data in a particular scope. This reference allows you to modify the data it points to.

Mutable References vs. Immutable References

Immutable references are used when you want to read data without changing it. You can create multiple immutable references to the same data, allowing concurrent read-only access from different parts of your code.

let data = 5;
let ref1 = &data;
let ref2 = &data;
// Data can be read via ref1 and ref2, but not modified.

Mutable references, on the other hand, allow you to modify the data they point to. Rust enforces that if you have a mutable reference to some data, that must be the only reference to that data (in that scope). This rule prevents data races by ensuring that only one part of your code can change the data at any time.

let mut data = 5;
let ref1 = &mut data;
*ref1 += 1; // Allowed to modify data through ref1.
// No other references to `data` are allowed while `ref1` exists.

Aliasing and Mutation: Why Rust Prohibits Them Simultaneously

Rust does not allow “aliasing” (having multiple references to the same data) and “mutation” (modifying the data) to occur simultaneously. This restriction is a key part of Rust’s approach to ensuring thread safety and preventing data races.

Aliasing without Mutation is safe because multiple readers don’t interfere with each other.
Mutation without Aliasing is safe because only one part of the code can change the data at any time, preventing unexpected modifications.

Allowing both would mean that one reference could unexpectedly change the data while another reference is reading it, leading to inconsistent state or data races in a concurrent context. By enforcing these rules, Rust allows developers to write concurrent code without having to worry about many of the complexities and bugs associated with data races.

The Borrow Checker: Rust’s Safety Enforcer

At compile time, Rust’s borrow checker examines all borrowing in your code to ensure that the rules for references are followed. This includes checking that there are no simultaneous mutable references and immutable references to the same piece of data, and that mutable references are unique in their scope. The borrow checker’s role is to prevent data races, memory safety violations, and other concurrency bugs that can be difficult to track down and fix in more permissive languages.

When you write Rust code, the borrow checker works in the background, analyzing the lifetimes of variables and how they’re borrowed. If it detects any potential violations of the borrowing rules, it will refuse to compile the code, providing messages about where and why the violations occur. This might seem strict at first, but it’s designed to ensure that Rust programs are memory-safe and thread-safe by default.

Working With the Borrow Checker

Working effectively with the borrow checker requires understanding Rust’s ownership, borrowing, and lifetime concepts. While it can be challenging to get used to, especially for those new to Rust, learning to work with the borrow checker is incredibly rewarding. It teaches you to think more critically about how your code manages memory and accesses data, leading to more robust and reliable programs.

The borrow checker is not just about preventing errors; it’s also about guiding you towards better code. By adhering to its rules, you naturally write code that is efficient, safe, and concurrent without needing to rely on a runtime or garbage collector. This makes Rust an exceptionally powerful tool for systems programming, web assembly, and other performance-critical applications.

In essence, the borrow checker is what allows Rust to offer the powerful guarantees it does, making it a beloved feature among Rustaceans. As you grow more accustomed to thinking in terms of ownership and borrowing, you’ll find the borrow checker becomes less of a strict overseer and more of a helpful guide, steering you towards writing better Rust code.

What is a Lifetime?

Lifetimes in Rust are a fundamental concept that underpins the language’s approach to memory safety, particularly when it comes to borrowing. Understanding lifetimes is crucial for working effectively with references, as they help the compiler ensure that references do not outlive the data they point to.

Explanation of Lifetimes and Their Syntax

A lifetime is a compile-time construct that represents the scope for which a reference is valid. In Rust, every reference has a lifetime, which ensures that references cannot outlive the data they refer to, preventing dangling references and ensuring memory safety.

Lifetimes are denoted by an apostrophe (') followed by a descriptive name, like 'a. These annotations are used in function signatures and struct definitions to connect the lifetimes of different references to each other and to the data they reference.

Lifetimes in Function Signatures

When you have a function that accepts one or more references, you might need to annotate the arguments with lifetimes. This helps the compiler understand the relationship between the lifetimes of the references and the data they point to.

fn longest<'a>(x: &'a str, y: &'a str) -> &'a str {
    if x.len() > y.len() { x } else { y }
}

In this example, the 'a lifetime annotation indicates that the return value of the function has the same lifetime as the smaller of the lifetimes of x and y. This ensures that the returned reference will not outlive the data it points to.

Lifetime Elision Rules

Rust’s compiler is designed to make working with lifetimes as ergonomic as possible. It includes a set of lifetime elision rules that allow you to omit lifetime annotations in certain scenarios, based on a set of predictable patterns. These rules are applied automatically by the compiler, allowing you to write less verbose code while still ensuring memory safety.

The most common elision rules include:

Each parameter that is a reference gets its own lifetime parameter.
If there is exactly one input lifetime parameter, that lifetime is assigned to all output lifetime parameters.
If there are multiple input lifetime parameters, but one of them is &self or &mut self because the method is part of a struct or an enum, the lifetime of self is assigned to all output lifetime parameters.

Advanced Lifetime Patterns

As you gain more experience with Rust, you’ll encounter situations where the basic lifetime annotations and elision rules are not sufficient. This might include cases with complex data structures, implementing traits with lifetimes, or working with lifetime bounds. Advanced patterns, such as lifetime subtyping and lifetime constraints in generic type parameters, allow you to express more complex relationships and constraints in your code.

For example, using lifetimes with structs to ensure that references within a struct do not outlive the data they point to:

struct Borrowed<'a> {
    x: &'a i32,
}

Or, specifying lifetime bounds on generic types to ensure that types implementing a trait have a certain lifetime:

fn print_it<T: std::fmt::Display + 'static>(t: T) {
    println!("{}", t);
}

The Borrow Checker at Work: Common Compiler Errors

Rust’s borrow checker is a sophisticated tool that enforces the language’s strict ownership and borrowing rules at compile time. This ensures memory safety and concurrency without data races. However, these rules can lead to common compiler errors, especially for those new to Rust. Understanding these errors is crucial for debugging and writing correct Rust code.

Dangling References

A dangling reference occurs when a reference points to memory that has been deallocated. Rust’s borrow checker prevents dangling references by ensuring that data cannot go out of scope before its references do.

fn main() {
    let reference_to_nothing;
    {
        let some_value = 42;
        reference_to_nothing = &some_value;
    } // `some_value` goes out of scope here.
// Error: `reference_to_nothing` now references memory that has been deallocated.
}

Lifetime Mismatches

Lifetime mismatches happen when the compiler detects that some references may outlive the data they’re pointing to, or when it can’t guarantee that references will remain valid for the duration of their intended use.

fn main() {
    let string1 = String::from("Rust");
    let result;
    {
        let string2 = String::from("Programming");
        result = longest(&string1, &string2);
    } // `string2` goes out of scope here.
    
    println!("The longest string is {}", result);
    // Error: `result` might reference data borrowed from `string2`, which is no longer valid.
}

Mutable Aliasing

Mutable aliasing errors occur when there are two or more mutable references to the same data, or a mutable reference exists alongside one or more immutable references. This violates Rust’s rule that you can’t have mutable and immutable references to the same data simultaneously.

fn main() {
    let mut data = 42;
    let ref1 = &mut data;
    let ref2 = &mut data; // Error: second mutable borrow occurs here.
    *ref1 += 1;
    println!("Data: {}", data); // Error: use of potentially mutated `data` here.
}

Strategies for Resolving Common Borrow Checker Errors

Clarify Lifetimes: Ensure that all references have correct lifetime annotations, particularly in function signatures. This can prevent lifetime mismatch errors by making the relationships between different lifetimes explicit to the compiler.
Reduce Scope of References: Limit the scope of mutable references to the smallest block possible. This minimizes the chance of mutable aliasing and makes it easier to reason about the lifetimes of mutable data.
Use Ownership Instead of Borrowing: When possible, transfer ownership instead of borrowing. This can simplify the code and eliminate many borrowing-related errors, though at the cost of potentially more data being moved around.
Split Data Structures: If you’re running into mutable aliasing issues, consider splitting your data structure into smaller parts that can be independently borrowed or mutated. This can allow for more granular control over mutability and borrowing.
Utilize Interior Mutability Patterns: Use Cell and RefCell for copy types or single ownership scenarios, and Mutex or RwLock for safe concurrent mutation. These types allow for mutation of data even when it's behind an immutable reference, bypassing usual borrowing rules in a controlled manner.

Understanding and resolving borrow checker errors is a key part of becoming proficient in Rust. While these errors can be frustrating at first, they are also teaching moments that lead to safer, more efficient code. As you gain experience with Rust’s ownership and borrowing model, you’ll find these errors become less frequent and easier to resolve.

Advanced Topics in Borrowing

As you become more comfortable with Rust’s borrowing system, you’ll encounter scenarios where the standard borrowing rules are too restrictive for your needs. Rust provides advanced features that offer more flexibility while still ensuring safety. These include interior mutability patterns, the use of unsafe Rust to bypass the borrow checker, and understanding how the borrow checker uses static and dynamic analyses.

Interior Mutability Patterns

Interior mutability is a design pattern in Rust that allows you to mutate data even when there are immutable references to that data. This is achieved through types that use unsafe code internally to safely encapsulate mutable state, providing a safe API to the outside world.

RefCell<T>: Offers interior mutability with dynamic borrowing rules checked at runtime rather than compile time. It's used in single-threaded scenarios and allows for borrowing data as mutable or immutable dynamically. Violations result in runtime panics rather than compile-time errors.
Mutex<T> and RwLock<T>: Provide thread-safe interior mutability. A Mutex allows only one thread to access the data at a time, while RwLock allows multiple readers or exclusively one writer. These types are essential for safe concurrency in Rust.

Unsafe Rust: When and How to Carefully Bypass the Borrow Checker

Rust allows you to write unsafe code blocks, functions, or traits, giving you the power to bypass some of the compiler's checks, including those enforced by the borrow checker. This is necessary when interfacing with other languages, performing certain low-level operations, or optimizing code for performance reasons.

When to Use Unsafe Rust: Use it sparingly and only when absolutely necessary. Common cases include interfacing with C libraries, manipulating raw pointers, or accessing and modifying mutable static variables.
How to Use Unsafe Rust Safely: Always encapsulate unsafe code as much as possible, exposing a safe API to the rest of your code. Thoroughly review and document the invariants you’re responsible for maintaining.

Static and Dynamic Analyses: How the Borrow Checker Implements Them

The borrow checker primarily relies on static analysis to enforce borrowing rules, analyzing the source code at compile time without executing it. This allows Rust to catch potential memory safety issues before the program runs.

Static Analysis: The compiler examines the relationships between variables, lifetimes, and scopes to ensure that all borrowing rules are followed. This process is rigorous and ensures safety without runtime overhead.
Dynamic Analysis: While Rust’s borrow checker is mostly static, some patterns, like those involving RefCell<T>, require dynamic checks. These checks occur at runtime, with the overhead of these checks being a trade-off for increased flexibility.

Case Studies

Rust’s borrow checker is not just a theoretical construct; it has real-world implications for software reliability and performance. Below are case studies that illustrate how the borrow checker prevents common bugs encountered in systems programming and how its optimizations can lead to significant performance gains.

Preventing Bugs with the Borrow Checker

Case Study: Accessing Freed Memory in Web Servers

Problem: In languages without strict memory safety guarantees, it’s common for web servers to access freed memory due to improper handling of client connections, leading to security vulnerabilities and system crashes.
Solution: Rust’s borrow checker prevents this by ensuring references to memory are not used after the memory has been freed. For instance, in a Rust web server, once a connection is closed and the associated data is freed, the borrow checker ensures no dangling references exist, eliminating the risk of accessing freed memory.

Case Study: Concurrent Data Access in Multi-threaded Applications

Problem: Concurrently accessing and modifying shared data without proper synchronization can lead to data races, resulting in undefined behavior and difficult-to-track bugs.
Solution: The borrow checker, coupled with Rust’s ownership and type system, ensures that data is either safely shared between threads using immutable references or exclusively accessed by one thread at a time through mutable references. This model simplifies writing safe concurrent code, as seen in Rust’s async runtimes and parallel computing libraries.

Performance Implications of Borrow Checker Optimizations

Case Study: Zero-Cost Abstractions in High-Performance Computing

Problem: High-performance computing (HPC) applications demand maximum efficiency. Traditional languages often require manual optimization techniques, which can compromise code safety and readability.
Solution: Rust’s borrow checker enables zero-cost abstractions by allowing developers to write safe, high-level code without sacrificing performance. For example, iterators in Rust can be as fast as traditional loop constructs because the borrow checker ensures they are used safely, allowing the compiler to aggressively optimize these patterns without the overhead of runtime checks.

Case Study: Memory Management in Game Development

Problem: Game development involves managing complex, dynamic scenes with stringent performance requirements. Manual memory management is error-prone and can lead to performance degradation due to fragmentation and leaks.
Solution: The borrow checker aids in efficient memory management by enforcing strict ownership and borrowing rules, preventing leaks and ensuring memory is efficiently reused. This results in smoother performance and lower overhead, as demonstrated by several game engines and frameworks that leverage Rust for critical subsystems.

Recap

The borrow checker, Rust’s strict but fair referee, enforces a set of rules that might seem daunting at first glance. Yet, these rules are the bedrock of Rust’s promise for safer, concurrent, and more reliable code. By keeping a tight leash on ownership, borrowing, and lifetimes, the borrow checker slashes the risk of common bugs that have long plagued system-level code — dangling pointers, data races, you name it — without the performance hit typically associated with garbage collection.

But let’s zoom out a bit. The advent of Rust and its borrow checker symbolizes a broader evolution in system programming. We’re witnessing a paradigm shift from the old mantra of “fast but dangerous” to something more akin to “fast and safe.” This shift doesn’t just mean fewer bugs and security vulnerabilities; it’s about empowering developers to write high-performance applications with confidence, without constantly looking over their shoulder for memory management gremlins.

In a way, Rust’s borrow checker is a glimpse into the future of system programming. A future where safety and performance coexist without compromise, where developers can push the boundaries of what’s possible without being bogged down by the complexities of manual memory management.

And there you have it — a look into how Rust’s meticulous approach to memory safety is reshaping the way we build software, one borrow check at a time. Whether you’re a seasoned Rustacean or just dipping your toes into the waters of system programming, there’s no denying the profound impact of Rust’s borrow checker on our quest for safer, more efficient code.

References and Further Reading

“Rust by Example.” The Rust Programming Language, Rust Project Developers, https://doc.rust-lang.org/rust-by-example/
“Rust Reference.” The Rust Programming Language, Rust Project Developers, https://doc.rust-lang.org/reference/
“The Rust Programming Language Book.” The Rust Programming Language, Rust Project Developers, https://doc.rust-lang.org/book/