[Merged by Bors] - yeet World::components_mut >:(

[BoxyUwU]

Objective

make bevy ecs a lil bit less unsound

Solution

yeet unsound API World::components_mut:

use bevy_ecs::prelude::*;

#[derive(Component)]
struct Foo(u8);

#[derive(Debug, Component)]
struct Bar([u8; 100]);

fn main() {
    let mut world = World::new();
    let e = world.spawn().insert(Foo(0)).id();
    *world.components_mut() = Default::default();
    let bar = world.entity_mut(e).remove::<Bar>().unwrap();
    // oopsies reading memory copied from outside allocation
    dbg!(bar);
}

[bjorn3]

Maybe return a Pin and not have any methods on Components that can remove components?

[BoxyUwU]

Pin seems sus as we are not actually using any kind of self referential stuff? this does give me an idea to just introduce a ComponentsPtr<'a> with a private field &mut Components and implement a bunch of fns on it that call the Components methods without ever exposing &mut Components to the user

[bjorn3]

Pin seems sus as we are not actually using any kind of self referential stuff?

We require Components doesn't get moved out, which is exactly what Pin does. It just so happens that the main reason to introduce it was self-referential types.

[BoxyUwU]

Moving out is fine, its mutating the Components in a world (in such a sort of "non appending" way) that is wrong

[bjorn3]

If you move something out of a mutable reference, you have to move something else in which is a non appending mutation.

[BoxyUwU]

Looking at what methods are on Components there are only three that take &mut self

• init_resource this method is also on World and App
• init_non_send this method is also on World and App
• init_component this method is not callable by users because there is no way to get &mut Storages

additionally all fields are private, so I think there is not any harm in just removing World::components_mut

[BoxyUwU]

Oh nevermind init_resource on world is different than on Components that is :/

[james7132]

Looking at what methods are on Components there are only three that take &mut self

* `init_resource` this method is also on `World` and `App`

* `init_non_send` this method is also on `World` and `App`

* `init_component` this method is not callable by users because there is no way to get `&mut Storages`

additionally all fields are private, so I think there is not any harm in just removing World::components_mut

If this is the case, would it be worth privating those APIs too, since there will be no way to reasonably use those from the World API with this removed?

[cart]

bors r+

[cart]

This seems like a reasonable fix for this specific instance of the problem, but I am a little concerned about what this "issue" means for Rust api design. Pasting in some of my thoughts from Discord:

On the topic of "you can override the value stored at the pointer returned by World::components_mut() and break everything" (Boxy's 4092 pr fixes this by removing it), this feels like a really fundamental "hole" in my rust api design approach that I wasn't really thinking about. I think Boxy's "just dont expose it" solution is probably a reasonable fix for this specific case, but I'd like to discuss our options for this style of api.

On the one hand, Rust encourages "nested composition" via ownership rules and a lack of inheritance. The current World design (World contains Components, Storages, Entities) is a direct response to these constraints. I personally really like that (prior to this discovered issue), we could build out the functionality of Components, Storages, and Entities (including mutations) without needing to re-define it all at the top of World.

The only way to do "mutable" operations on World::components is to return a mutable reference to Components. But doing that lets people replace Components with whatever, violating the assumptions made by the system as a whole! (the bug Boxy discovered and fixed via removing the mutable accessor).

Is there really no way to embrace this "nested concerns" pattern? So far the "best" solutions I'm aware of are:

1. Re-expose the relevant Component functionality on top of World and hide the Components collection from users (lots of duplicate code and "globbing together" of concerns).
2. Strictly worse than (1). Re-expose the relevant Component functionality on top of World and dont hide the Components collection from users (same downsides as (1), but with multiple apis, one top level one for mutation and one lower level one for reads).
3. Don't implement any methods on Components and instead put all functionality on World. This provides consistency without code duplication, but at the cost of "globbing everything together".

@BoxyUwU then brought up this solution:

we can have a newtyped &mut Compoennts
i.e. ComponentsMut<'a>
and basically put all the methods on that
[with a Deref impl on ComponentsMut to expose read only methods on Components]

Boxy's solution is definitely a "real" solution, but its definitely not "ideal" from an implementation or documentation perspective because it adds real implementation complexity / makes it so you can't talk about Components as a simple "read / write collection" anymore.

[bors]

Pull request successfully merged into main.

Build succeeded:

• build-android
• build (nightly, ubuntu-latest)
• build (stable, macos-latest)
• build (stable, ubuntu-latest)
• build (stable, windows-latest)
• build-wasm (nightly, ubuntu-latest)
• build-wasm (stable, ubuntu-latest)
• check-benches
• check-doc
• check-markdown-links
• check-missing-examples-in-docs
• check-unused-dependencies
• ci
• markdownlint
• run-examples