1 | /// Custom code within the destructor. |
2 | /// |
3 | /// When a value is no longer needed, Rust will run a "destructor" on that value. |
4 | /// The most common way that a value is no longer needed is when it goes out of |
5 | /// scope. Destructors may still run in other circumstances, but we're going to |
6 | /// focus on scope for the examples here. To learn about some of those other cases, |
7 | /// please see [the reference] section on destructors. |
8 | /// |
9 | /// [the reference]: https://doc.rust-lang.org/reference/destructors.html |
10 | /// |
11 | /// This destructor consists of two components: |
12 | /// - A call to `Drop::drop` for that value, if this special `Drop` trait is implemented for its type. |
13 | /// - The automatically generated "drop glue" which recursively calls the destructors |
14 | /// of all the fields of this value. |
15 | /// |
16 | /// As Rust automatically calls the destructors of all contained fields, |
17 | /// you don't have to implement `Drop` in most cases. But there are some cases where |
18 | /// it is useful, for example for types which directly manage a resource. |
19 | /// That resource may be memory, it may be a file descriptor, it may be a network socket. |
20 | /// Once a value of that type is no longer going to be used, it should "clean up" its |
21 | /// resource by freeing the memory or closing the file or socket. This is |
22 | /// the job of a destructor, and therefore the job of `Drop::drop`. |
23 | /// |
24 | /// ## Examples |
25 | /// |
26 | /// To see destructors in action, let's take a look at the following program: |
27 | /// |
28 | /// ```rust |
29 | /// struct HasDrop; |
30 | /// |
31 | /// impl Drop for HasDrop { |
32 | /// fn drop(&mut self) { |
33 | /// println!("Dropping HasDrop!" ); |
34 | /// } |
35 | /// } |
36 | /// |
37 | /// struct HasTwoDrops { |
38 | /// one: HasDrop, |
39 | /// two: HasDrop, |
40 | /// } |
41 | /// |
42 | /// impl Drop for HasTwoDrops { |
43 | /// fn drop(&mut self) { |
44 | /// println!("Dropping HasTwoDrops!" ); |
45 | /// } |
46 | /// } |
47 | /// |
48 | /// fn main() { |
49 | /// let _x = HasTwoDrops { one: HasDrop, two: HasDrop }; |
50 | /// println!("Running!" ); |
51 | /// } |
52 | /// ``` |
53 | /// |
54 | /// Rust will first call `Drop::drop` for `_x` and then for both `_x.one` and `_x.two`, |
55 | /// meaning that running this will print |
56 | /// |
57 | /// ```text |
58 | /// Running! |
59 | /// Dropping HasTwoDrops! |
60 | /// Dropping HasDrop! |
61 | /// Dropping HasDrop! |
62 | /// ``` |
63 | /// |
64 | /// Even if we remove the implementation of `Drop` for `HasTwoDrop`, the destructors of its fields are still called. |
65 | /// This would result in |
66 | /// |
67 | /// ```test |
68 | /// Running! |
69 | /// Dropping HasDrop! |
70 | /// Dropping HasDrop! |
71 | /// ``` |
72 | /// |
73 | /// ## You cannot call `Drop::drop` yourself |
74 | /// |
75 | /// Because `Drop::drop` is used to clean up a value, it may be dangerous to use this value after |
76 | /// the method has been called. As `Drop::drop` does not take ownership of its input, |
77 | /// Rust prevents misuse by not allowing you to call `Drop::drop` directly. |
78 | /// |
79 | /// In other words, if you tried to explicitly call `Drop::drop` in the above example, you'd get a compiler error. |
80 | /// |
81 | /// If you'd like to explicitly call the destructor of a value, [`mem::drop`] can be used instead. |
82 | /// |
83 | /// [`mem::drop`]: drop |
84 | /// |
85 | /// ## Drop order |
86 | /// |
87 | /// Which of our two `HasDrop` drops first, though? For structs, it's the same |
88 | /// order that they're declared: first `one`, then `two`. If you'd like to try |
89 | /// this yourself, you can modify `HasDrop` above to contain some data, like an |
90 | /// integer, and then use it in the `println!` inside of `Drop`. This behavior is |
91 | /// guaranteed by the language. |
92 | /// |
93 | /// Unlike for structs, local variables are dropped in reverse order: |
94 | /// |
95 | /// ```rust |
96 | /// struct Foo; |
97 | /// |
98 | /// impl Drop for Foo { |
99 | /// fn drop(&mut self) { |
100 | /// println!("Dropping Foo!" ) |
101 | /// } |
102 | /// } |
103 | /// |
104 | /// struct Bar; |
105 | /// |
106 | /// impl Drop for Bar { |
107 | /// fn drop(&mut self) { |
108 | /// println!("Dropping Bar!" ) |
109 | /// } |
110 | /// } |
111 | /// |
112 | /// fn main() { |
113 | /// let _foo = Foo; |
114 | /// let _bar = Bar; |
115 | /// } |
116 | /// ``` |
117 | /// |
118 | /// This will print |
119 | /// |
120 | /// ```text |
121 | /// Dropping Bar! |
122 | /// Dropping Foo! |
123 | /// ``` |
124 | /// |
125 | /// Please see [the reference] for the full rules. |
126 | /// |
127 | /// [the reference]: https://doc.rust-lang.org/reference/destructors.html |
128 | /// |
129 | /// ## `Copy` and `Drop` are exclusive |
130 | /// |
131 | /// You cannot implement both [`Copy`] and `Drop` on the same type. Types that |
132 | /// are `Copy` get implicitly duplicated by the compiler, making it very |
133 | /// hard to predict when, and how often destructors will be executed. As such, |
134 | /// these types cannot have destructors. |
135 | /// |
136 | /// ## Drop check |
137 | /// |
138 | /// Dropping interacts with the borrow checker in subtle ways: when a type `T` is being implicitly |
139 | /// dropped as some variable of this type goes out of scope, the borrow checker needs to ensure that |
140 | /// calling `T`'s destructor at this moment is safe. In particular, it also needs to be safe to |
141 | /// recursively drop all the fields of `T`. For example, it is crucial that code like the following |
142 | /// is being rejected: |
143 | /// |
144 | /// ```compile_fail,E0597 |
145 | /// use std::cell::Cell; |
146 | /// |
147 | /// struct S<'a>(Cell<Option<&'a S<'a>>>, Box<i32>); |
148 | /// impl Drop for S<'_> { |
149 | /// fn drop(&mut self) { |
150 | /// if let Some(r) = self.0.get() { |
151 | /// // Print the contents of the `Box` in `r`. |
152 | /// println!("{}" , r.1); |
153 | /// } |
154 | /// } |
155 | /// } |
156 | /// |
157 | /// fn main() { |
158 | /// // Set up two `S` that point to each other. |
159 | /// let s1 = S(Cell::new(None), Box::new(42)); |
160 | /// let s2 = S(Cell::new(Some(&s1)), Box::new(42)); |
161 | /// s1.0.set(Some(&s2)); |
162 | /// // Now they both get dropped. But whichever is the 2nd one |
163 | /// // to be dropped will access the `Box` in the first one, |
164 | /// // which is a use-after-free! |
165 | /// } |
166 | /// ``` |
167 | /// |
168 | /// The Nomicon discusses the need for [drop check in more detail][drop check]. |
169 | /// |
170 | /// To reject such code, the "drop check" analysis determines which types and lifetimes need to |
171 | /// still be live when `T` gets dropped. The exact details of this analysis are not yet |
172 | /// stably guaranteed and **subject to change**. Currently, the analysis works as follows: |
173 | /// - If `T` has no drop glue, then trivially nothing is required to be live. This is the case if |
174 | /// neither `T` nor any of its (recursive) fields have a destructor (`impl Drop`). [`PhantomData`] |
175 | /// and [`ManuallyDrop`] are considered to never have a destructor, no matter their field type. |
176 | /// - If `T` has drop glue, then, for all types `U` that are *owned* by any field of `T`, |
177 | /// recursively add the types and lifetimes that need to be live when `U` gets dropped. The set of |
178 | /// owned types is determined by recursively traversing `T`: |
179 | /// - Recursively descend through `PhantomData`, `Box`, tuples, and arrays (including arrays of |
180 | /// length 0). |
181 | /// - Stop at reference and raw pointer types as well as function pointers and function items; |
182 | /// they do not own anything. |
183 | /// - Stop at non-composite types (type parameters that remain generic in the current context and |
184 | /// base types such as integers and `bool`); these types are owned. |
185 | /// - When hitting an ADT with `impl Drop`, stop there; this type is owned. |
186 | /// - When hitting an ADT without `impl Drop`, recursively descend to its fields. (For an `enum`, |
187 | /// consider all fields of all variants.) |
188 | /// - Furthermore, if `T` implements `Drop`, then all generic (lifetime and type) parameters of `T` |
189 | /// must be live. |
190 | /// |
191 | /// In the above example, the last clause implies that `'a` must be live when `S<'a>` is dropped, |
192 | /// and hence the example is rejected. If we remove the `impl Drop`, the liveness requirement |
193 | /// disappears and the example is accepted. |
194 | /// |
195 | /// There exists an unstable way for a type to opt-out of the last clause; this is called "drop |
196 | /// check eyepatch" or `may_dangle`. For more details on this nightly-only feature, see the |
197 | /// [discussion in the Nomicon][nomicon]. |
198 | /// |
199 | /// [`ManuallyDrop`]: crate::mem::ManuallyDrop |
200 | /// [`PhantomData`]: crate::marker::PhantomData |
201 | /// [drop check]: ../../nomicon/dropck.html |
202 | /// [nomicon]: ../../nomicon/phantom-data.html#an-exception-the-special-case-of-the-standard-library-and-its-unstable-may_dangle |
203 | #[lang = "drop" ] |
204 | #[stable (feature = "rust1" , since = "1.0.0" )] |
205 | // FIXME(effects) #[const_trait] |
206 | pub trait Drop { |
207 | /// Executes the destructor for this type. |
208 | /// |
209 | /// This method is called implicitly when the value goes out of scope, |
210 | /// and cannot be called explicitly (this is compiler error [E0040]). |
211 | /// However, the [`mem::drop`] function in the prelude can be |
212 | /// used to call the argument's `Drop` implementation. |
213 | /// |
214 | /// When this method has been called, `self` has not yet been deallocated. |
215 | /// That only happens after the method is over. |
216 | /// If this wasn't the case, `self` would be a dangling reference. |
217 | /// |
218 | /// # Panics |
219 | /// |
220 | /// Implementations should generally avoid [`panic!`]ing, because `drop()` may itself be called |
221 | /// during unwinding due to a panic, and if the `drop()` panics in that situation (a “double |
222 | /// panic”), this will likely abort the program. It is possible to check [`panicking()`] first, |
223 | /// which may be desirable for a `Drop` implementation that is reporting a bug of the kind |
224 | /// “you didn't finish using this before it was dropped”; but most types should simply clean up |
225 | /// their owned allocations or other resources and return normally from `drop()`, regardless of |
226 | /// what state they are in. |
227 | /// |
228 | /// Note that even if this panics, the value is considered to be dropped; |
229 | /// you must not cause `drop` to be called again. This is normally automatically |
230 | /// handled by the compiler, but when using unsafe code, can sometimes occur |
231 | /// unintentionally, particularly when using [`ptr::drop_in_place`]. |
232 | /// |
233 | /// [E0040]: ../../error_codes/E0040.html |
234 | /// [`panic!`]: crate::panic! |
235 | /// [`panicking()`]: ../../std/thread/fn.panicking.html |
236 | /// [`mem::drop`]: drop |
237 | /// [`ptr::drop_in_place`]: crate::ptr::drop_in_place |
238 | #[stable (feature = "rust1" , since = "1.0.0" )] |
239 | fn drop(&mut self); |
240 | } |
241 | |