WIP: Add dynamic borrow checking for dereferencing NumPy arrays.

Author: adamreichold

examples/simple-extension/src/lib.rs

@@ -1,5 +1,7 @@
 use numpy::ndarray::{ArrayD, ArrayViewD, ArrayViewMutD};
-use numpy::{Complex64, IntoPyArray, PyArray1, PyArrayDyn, PyReadonlyArrayDyn};
+use numpy::{
+    Complex64, IntoPyArray, PyArray1, PyArrayDyn, PyReadonlyArrayDyn, PyReadwriteArrayDyn,
+};
 use pyo3::{
     pymodule,
     types::{PyDict, PyModule},
@@ -41,8 +43,8 @@ fn rust_ext(_py: Python<'_>, m: &PyModule) -> PyResult<()> {
     // wrapper of `mult`
     #[pyfn(m)]
     #[pyo3(name = "mult")]
-    fn mult_py(a: f64, x: &PyArrayDyn<f64>) {
-        let x = unsafe { x.as_array_mut() };
+    fn mult_py(a: f64, mut x: PyReadwriteArrayDyn<f64>) {
+        let x = x.as_array_mut();
         mult(a, x);
     }
 

src/array.rs

@@ -18,6 +18,7 @@ use pyo3::{
     Python, ToPyObject,
 };
 
+use crate::borrow::{PyReadonlyArray, PyReadwriteArray};
 use crate::convert::{ArrayExt, IntoPyArray, NpyIndex, ToNpyDims, ToPyArray};
 use crate::dtype::Element;
 use crate::error::{DimensionalityError, FromVecError, NotContiguousError, TypeError};
@@ -190,18 +191,8 @@ impl<T, D> PyArray<T, D> {
     }
 
     #[inline(always)]
-    fn check_flag(&self, flag: c_int) -> bool {
-        unsafe { *self.as_array_ptr() }.flags & flag == flag
-    }
-
-    #[inline(always)]
-    pub(crate) fn get_flag(&self) -> c_int {
-        unsafe { *self.as_array_ptr() }.flags
-    }
-
-    /// Returns a temporally unwriteable reference of the array.
-    pub fn readonly(&self) -> crate::PyReadonlyArray<T, D> {
-        self.into()
+    pub(crate) fn check_flags(&self, flags: c_int) -> bool {
+        unsafe { *self.as_array_ptr() }.flags & flags != 0
     }
 
     /// Returns `true` if the internal data of the array is C-style contiguous
@@ -223,18 +214,17 @@ impl<T, D> PyArray<T, D> {
     /// });
     /// ```
     pub fn is_contiguous(&self) -> bool {
-        self.check_flag(npyffi::NPY_ARRAY_C_CONTIGUOUS)
-            | self.check_flag(npyffi::NPY_ARRAY_F_CONTIGUOUS)
+        self.check_flags(npyffi::NPY_ARRAY_C_CONTIGUOUS | npyffi::NPY_ARRAY_F_CONTIGUOUS)
     }
 
     /// Returns `true` if the internal data of the array is Fortran-style contiguous.
     pub fn is_fortran_contiguous(&self) -> bool {
-        self.check_flag(npyffi::NPY_ARRAY_F_CONTIGUOUS)
+        self.check_flags(npyffi::NPY_ARRAY_F_CONTIGUOUS)
     }
 
     /// Returns `true` if the internal data of the array is C-style contiguous.
     pub fn is_c_contiguous(&self) -> bool {
-        self.check_flag(npyffi::NPY_ARRAY_C_CONTIGUOUS)
+        self.check_flags(npyffi::NPY_ARRAY_C_CONTIGUOUS)
     }
 
     /// Get `Py<PyArray>` from `&PyArray`, which is the owned wrapper of PyObject.
@@ -823,28 +813,37 @@ impl<T: Element, D: Dimension> PyArray<T, D> {
         ToPyArray::to_pyarray(arr, py)
     }
 
-    /// Get the immutable view of the internal data of `PyArray`, as
-    /// [`ndarray::ArrayView`](https://docs.rs/ndarray/latest/ndarray/type.ArrayView.html).
+    /// Get an immutable borrow of the NumPy array
+    pub fn readonly(&self) -> PyReadonlyArray<'_, T, D> {
+        PyReadonlyArray::try_new(self).unwrap()
+    }
+
+    /// Get a mutable borrow of the NumPy array
+    pub fn readwrite(&self) -> PyReadwriteArray<'_, T, D> {
+        PyReadwriteArray::try_new(self).unwrap()
+    }
+
+    /// Returns the internal array as [`ArrayView`].
     ///
-    /// Please consider the use of safe alternatives
-    /// ([`PyReadonlyArray::as_array`](../struct.PyReadonlyArray.html#method.as_array)
-    /// or [`to_array`](#method.to_array)) instead of this.
+    /// See also [`PyArrayRef::as_array`].
     ///
     /// # Safety
-    /// If the internal array is not readonly and can be mutated from Python code,
-    /// holding the `ArrayView` might cause undefined behavior.
+    ///
+    /// The existence of an exclusive reference to the internal data, e.g. `&mut [T]` or `ArrayViewMut`, implies undefined behavior.
     pub unsafe fn as_array(&self) -> ArrayView<'_, T, D> {
         let (shape, ptr, inverted_axes) = self.ndarray_shape_ptr();
         let mut res = ArrayView::from_shape_ptr(shape, ptr);
         inverted_axes.invert(&mut res);
         res
     }
 
-    /// Returns the internal array as [`ArrayViewMut`]. See also [`as_array`](#method.as_array).
+    /// Returns the internal array as [`ArrayViewMut`].
+    ///
+    /// See also [`PyArrayRefMut::as_array_mut`].
     ///
     /// # Safety
-    /// If another reference to the internal data exists(e.g., `&[T]` or `ArrayView`),
-    /// it might cause undefined behavior.
+    ///
+    /// The existence of another reference to the internal data, e.g. `&[T]` or `ArrayView`, implies undefined behavior.
     pub unsafe fn as_array_mut(&self) -> ArrayViewMut<'_, T, D> {
         let (shape, ptr, inverted_axes) = self.ndarray_shape_ptr();
         let mut res = ArrayViewMut::from_shape_ptr(shape, ptr);
@@ -920,7 +919,7 @@ impl<D: Dimension> PyArray<PyObject, D> {
     ///
     ///     let pyarray = PyArray::from_owned_object_array(py, array);
     ///
-    ///     assert!(pyarray.readonly().get(0).unwrap().as_ref(py).is_instance::<CustomElement>().unwrap());
+    ///     assert!(pyarray.readonly().as_array().get(0).unwrap().as_ref(py).is_instance::<CustomElement>().unwrap());
     /// });
     /// ```
     pub fn from_owned_object_array<'py, T>(py: Python<'py>, arr: Array<Py<T>, D>) -> &'py Self {
@@ -1069,14 +1068,6 @@ impl<T: Element> PyArray<T, Ix1> {
         self.resize_(self.py(), [new_elems], 1, NPY_ORDER::NPY_ANYORDER)
     }
 
-    /// Iterates all elements of this array.
-    /// See [NpySingleIter](../npyiter/struct.NpySingleIter.html) for more.
-    pub fn iter<'py>(
-        &'py self,
-    ) -> PyResult<crate::NpySingleIter<'py, T, crate::npyiter::ReadWrite>> {
-        crate::NpySingleIterBuilder::readwrite(self).build()
-    }
-
     fn resize_<D: IntoDimension>(
         &self,
         py: Python,

src/borrow.rs

@@ -0,0 +1,229 @@
+use std::cell::UnsafeCell;
+use std::collections::hash_map::{Entry, HashMap};
+use std::ops::Deref;
+
+use ndarray::{ArrayView, ArrayViewMut, Dimension, Ix1, Ix2, IxDyn};
+use pyo3::{FromPyObject, PyAny, PyResult};
+
+use crate::array::PyArray;
+use crate::dtype::Element;
+use crate::error::{BorrowError, NotContiguousError};
+use crate::npyffi::{self, PyArrayObject, NPY_ARRAY_WRITEABLE};
+
+struct BorrowFlags(UnsafeCell<Option<HashMap<usize, isize>>>);
+
+unsafe impl Sync for BorrowFlags {}
+
+impl BorrowFlags {
+    const fn new() -> Self {
+        Self(UnsafeCell::new(None))
+    }
+
+    #[allow(clippy::mut_from_ref)]
+    unsafe fn get(&self) -> &mut HashMap<usize, isize> {
+        (*self.0.get()).get_or_insert_with(HashMap::new)
+    }
+}
+
+static BORROW_FLAGS: BorrowFlags = BorrowFlags::new();
+
+pub struct PyReadonlyArray<'py, T, D>(&'py PyArray<T, D>);
+
+pub type PyReadonlyArray1<'py, T> = PyReadonlyArray<'py, T, Ix1>;
+
+pub type PyReadonlyArray2<'py, T> = PyReadonlyArray<'py, T, Ix2>;
+
+pub type PyReadonlyArrayDyn<'py, T> = PyReadonlyArray<'py, T, IxDyn>;
+
+impl<'py, T, D> Deref for PyReadonlyArray<'py, T, D> {
+    type Target = PyArray<T, D>;
+
+    fn deref(&self) -> &Self::Target {
+        self.0
+    }
+}
+
+impl<'py, T: Element, D: Dimension> FromPyObject<'py> for PyReadonlyArray<'py, T, D> {
+    fn extract(obj: &'py PyAny) -> PyResult<Self> {
+        let array: &'py PyArray<T, D> = obj.extract()?;
+        Ok(array.readonly())
+    }
+}
+
+impl<'py, T, D> PyReadonlyArray<'py, T, D>
+where
+    T: Element,
+    D: Dimension,
+{
+    pub(crate) fn try_new(array: &'py PyArray<T, D>) -> Result<Self, BorrowError> {
+        let address = base_address(array);
+
+        // SAFETY: Access to a `&'py PyArray<T, D>` implies holding the GIL
+        // and we are not calling into user code which might re-enter this function.
+        let borrow_flags = unsafe { BORROW_FLAGS.get() };
+
+        match borrow_flags.entry(address) {
+            Entry::Occupied(entry) => {
+                let readers = entry.into_mut();
+
+                let new_readers = readers.wrapping_add(1);
+
+                if new_readers <= 0 {
+                    cold();
+                    return Err(BorrowError::AlreadyBorrowed);
+                }
+
+                *readers = new_readers;
+            }
+            Entry::Vacant(entry) => {
+                entry.insert(1);
+            }
+        }
+
+        Ok(Self(array))
+    }
+
+    pub fn as_array(&self) -> ArrayView<T, D> {
+        // SAFETY: Thread-local borrow flags ensure aliasing discipline on this thread,
+        // and `PyArray` is neither `Send` nor `Sync`
+        unsafe { self.0.as_array() }
+    }
+
+    pub fn as_slice(&self) -> Result<&[T], NotContiguousError> {
+        // SAFETY: Thread-local borrow flags ensure aliasing discipline on this thread,
+        // and `PyArray` is neither `Send` nor `Sync`
+        unsafe { self.0.as_slice() }
+    }
+}
+
+impl<'a, T, D> Drop for PyReadonlyArray<'a, T, D> {
+    fn drop(&mut self) {
+        let address = base_address(self.0);
+
+        // SAFETY: Access to a `&'py PyArray<T, D>` implies holding the GIL
+        // and we are not calling into user code which might re-enter this function.
+        let borrow_flags = unsafe { BORROW_FLAGS.get() };
+
+        let readers = borrow_flags.get_mut(&address).unwrap();
+
+        *readers -= 1;
+
+        if *readers == 0 {
+            borrow_flags.remove(&address).unwrap();
+        }
+    }
+}
+
+pub struct PyReadwriteArray<'py, T, D>(&'py PyArray<T, D>);
+
+pub type PyReadwriteArrayDyn<'py, T> = PyReadwriteArray<'py, T, IxDyn>;
+
+impl<'py, T, D> Deref for PyReadwriteArray<'py, T, D> {
+    type Target = PyArray<T, D>;
+
+    fn deref(&self) -> &Self::Target {
+        self.0
+    }
+}
+
+impl<'py, T: Element, D: Dimension> FromPyObject<'py> for PyReadwriteArray<'py, T, D> {
+    fn extract(obj: &'py PyAny) -> PyResult<Self> {
+        let array: &'py PyArray<T, D> = obj.extract()?;
+        Ok(array.readwrite())
+    }
+}
+
+impl<'py, T, D> PyReadwriteArray<'py, T, D>
+where
+    T: Element,
+    D: Dimension,
+{
+    pub(crate) fn try_new(array: &'py PyArray<T, D>) -> Result<Self, BorrowError> {
+        if !array.check_flags(NPY_ARRAY_WRITEABLE) {
+            return Err(BorrowError::NotWriteable);
+        }
+
+        let address = base_address(array);
+
+        // SAFETY: Access to a `&'py PyArray<T, D>` implies holding the GIL
+        // and we are not calling into user code which might re-enter this function.
+        let borrow_flags = unsafe { BORROW_FLAGS.get() };
+
+        match borrow_flags.entry(address) {
+            Entry::Occupied(entry) => {
+                let writers = entry.into_mut();
+
+                if *writers != 0 {
+                    cold();
+                    return Err(BorrowError::AlreadyBorrowed);
+                }
+
+                *writers = -1;
+            }
+            Entry::Vacant(entry) => {
+                entry.insert(-1);
+            }
+        }
+
+        Ok(Self(array))
+    }
+
+    pub fn as_array(&self) -> ArrayView<T, D> {
+        // SAFETY: Thread-local borrow flags ensure aliasing discipline on this thread,
+        // and `PyArray` is neither `Send` nor `Sync`
+        unsafe { self.0.as_array() }
+    }
+
+    pub fn as_slice(&self) -> Result<&[T], NotContiguousError> {
+        // SAFETY: Thread-local borrow flags ensure aliasing discipline on this thread,
+        // and `PyArray` is neither `Send` nor `Sync`
+        unsafe { self.0.as_slice() }
+    }
+
+    pub fn as_array_mut(&mut self) -> ArrayViewMut<T, D> {
+        // SAFETY: Thread-local borrow flags ensure aliasing discipline on this thread,
+        // and `PyArray` is neither `Send` nor `Sync`
+        unsafe { self.0.as_array_mut() }
+    }
+
+    pub fn as_slice_mut(&self) -> Result<&mut [T], NotContiguousError> {
+        // SAFETY: Thread-local borrow flags ensure aliasing discipline on this thread,
+        // and `PyArray` is neither `Send` nor `Sync`
+        unsafe { self.0.as_slice_mut() }
+    }
+}
+
+impl<'a, T, D> Drop for PyReadwriteArray<'a, T, D> {
+    fn drop(&mut self) {
+        let address = base_address(self.0);
+
+        // SAFETY: Access to a `&'py PyArray<T, D>` implies holding the GIL
+        // and we are not calling into user code which might re-enter this function.
+        let borrow_flags = unsafe { BORROW_FLAGS.get() };
+
+        borrow_flags.remove(&address).unwrap();
+    }
+}
+
+// FIXME(adamreichold): This is a coarse approximation and needs to be refined,
+// i.e. borrows of non-overlapping views into the same base should not be considered conflicting.
+fn base_address<T, D>(array: &PyArray<T, D>) -> usize {
+    let py = array.py();
+    let mut array = array.as_array_ptr();
+
+    loop {
+        let base = unsafe { (*array).base };
+
+        if base.is_null() {
+            return unsafe { (*array).data } as usize;
+        } else if unsafe { npyffi::PyArray_Check(py, base) } != 0 {
+            array = base as *mut PyArrayObject;
+        } else {
+            return base as usize;
+        }
+    }
+}
+
+#[cold]
+#[inline(always)]
+fn cold() {}

src/error.rs

@@ -113,3 +113,22 @@ impl fmt::Display for NotContiguousError {
 }
 
 impl_pyerr!(NotContiguousError);
+
+/// Inidcates why borrowing an array failed.
+#[derive(Debug)]
+#[non_exhaustive]
+pub enum BorrowError {
+    AlreadyBorrowed,
+    NotWriteable,
+}
+
+impl fmt::Display for BorrowError {
+    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+        match self {
+            Self::AlreadyBorrowed => write!(f, "The given array is already borrowed"),
+            Self::NotWriteable => write!(f, "The given is not writeable"),
+        }
+    }
+}
+
+impl_pyerr!(BorrowError);