The original code (which desugars to the snippet you posted) is:

    fn two_phase(mut x: Vec<usize>) {
        x.push(x.len());
    }

This should clearly be accepted (this is self evident in my opinion); if you need to jump through loops to write code like this then the language is too restrictive to write normal code.

The standard implementation of Rust does indeed accept this, and there is no soundness hole here.

The existing semantics for aliasing and borrowing from MPI (Stacked Borrows) don’t allow this, which means the semantics are overly restrictive; we want this to be accepted.

This work “fixes” this issue by extending the semantics to admit the behaviour exhibited by the standard implementation.

The rules for the borrow checker are not fully formalised and to some extent the rustc implementation is the specification; formalising the rules (i.e. RustBelt, Stacked Borrows, etc.) is important, but we don’t want to formalise something that is strictly more restrictive than the reference implementation, especially if there’s no soundness hole.

The borrow checker was made for correctness, not correctness for the borrow checker.

You have ownership of a Vec, you get its length, then you push to it through a mutable reference; nothing evil happens here except the order of the statements (which is an implementation detail that people might not think about when writing the short form x.push(x.len())). The code above is perfectly safe if written in C, which is why the borrow checker was extended to also allow it in Rust. You could make the argument that simpler borrow checker rules lead to a simpler mental model. The counterargument (that won in the end) is that "if it's safe, the borrow checker allows it" is a mental model worth pursuing.

> silently passing something as "non mut" and it actually does "mut" stuff

No, it's the opposite that's happening here: a mutable borrow of the vector is made, and then a non-mutable thing is done with it (getting the length), before finally mutating it (pushing).

I’ve been learning rust and I spend the vast majority of my time dealing with lifetimes and borrow checking. Common ways in used to doing things simply don’t work in rust and a lot of effort has to go into keeping track of how and where data is used.

I’ve worked in OOP languages, functional languages, and dynamic languages but all of them were essentially garbage collected, so having to keep track in my head of how data ownership is managed is a big learning curve.

As a c++ programmer, one of the great things about rust is that I no longer have to keep track of data ownership and management in head.

I can outsource this to the compiler and if I get it wrong the program won’t compile.

In c++ you still need to do all the same tracking and management if you want safe and correct programs, but you don’t get nearly as much help from the compiler if you make a mistake.

I think this is largely overblown if one uses modern C++. One of the things I do is stateful multi-threaded business servers and frankly comparatively to the overall project this "data ownership maintenance" is small to the point of being practically absent.

>"Does anybody else wish the compiler wouldn't"

Compiler being obtuse and not being able to figure when it is safe to "break rules" is the problem. Not twisting brain of the programmer into being "safe compiler". This sounds like a Stockholm syndrome.

>"you should be following immutable practices"

No I should not. I should do what makes sense in particular situation and not bending over for some zealots trying to enforce one and the only way.

In C++ or C, you are always twisting the brain of the programmer into being a "safe compiler". I don't think that is an advantage personally.

Lifetimes don't go away just because there isn't a borrow checker or way to define them in the source code.

I do not have this impression. As for managing lifetimes in modern C++ I've already stated elsewhere that from my personal experience this problem practically does not not exist for application level programming. People writing OS level code will of course disagree but luckily I am not in that domain. I do write code for low power microcontrollers but I use plain C and do not have any real problems as there are no allocations / freeing. Just be careful with interrupts when handling shared data.

This isnt quite true, you can have memory-safe single ownership without borrow checking, and it feels quite different than what Rust has us do.

I think one measurable outcome here is what kind of error message you get when you do violate a rule and whether rust users know what to do to fix their code. As a person who loves to explore the complexity behind seemingly simple interfaces, this stuff is really cool. On the other hand, I don't relish having people break their brains to understand why similar code is accepted vs not.

I'm not a rust user myself, but I'm guessing from all the references to raw pointers that a lot of the code referenced here is actually not idiomatic for all but small snippets of high perf code, so maybe the complexity is not going to affect too many people.

I work with many people who are quite intelligent but early in their career or not domain experts in PL implementation. These people are perfectly respectable, but how long would it take to teach them how to map their source to the lifetime dependency tree with subtle rules in order to understand a borrow checker result that triggers an error? Without that understanding, a dev using rust would maybe try poking at their code unsystematically in hopes of getting it to work. I've seen this happen in other domains while people are ascending the learning curve.

I have to apologize here. Not sure what was with my brain at the moment but I've misunderstood your entire original reply.

> Compiler being obtuse and not being able to figure when it is safe to "break rules" is the problem.

Compiler afaik will never be able to correctly 100% identify you are or aren't breaking some properties due to Rice's Theorem.

That said, you're committing a Nirvana fallacy. Perfect doesn't prevent improvement.

E.g. seatbelts don't prevent being stabbed by a large metal pole, ergo it's useless.

Every week I see newbies coming and asking why won't compiler allow this - and then point a hugely unsafe action.

Hell, I ran into a similar issue. I wanted to expose something mutable as immutable. My argumentation was but it was immutable at time of calling. However as someone in Rust discord pointed, using that you could cause UB trivially.

>"Compiler afaik will never be able to correctly 100% identify"

Nobody here is talking about 100%. I responded to a post that has left me with the impression that it is up to the user to bend backwards and make their brains work as a compiler rather than try to improve compiler.

> that it is up to the user to bend backwards and make their brains work as a compiler

What do you mean? You always have to track lifetimes and what outlives what (i.e. work of a compiler). Especially in C++. Not doing that results in UB.

In Rust you have a compiler double checking you. And it errs on side of caution. And no, errors aren't horrible, they come with suggestions for fixing them.