[go: up one dir, main page]
More Web Proxy on the site http://driver.im/ skip to main content
research-article
Open access

How do programmers use unsafe rust?

Published: 13 November 2020 Publication History

Abstract

Rust’s ownership type system enforces a strict discipline on how memory locations are accessed and shared. This discipline allows the compiler to statically prevent memory errors, data races, inadvertent side effects through aliasing, and other errors that frequently occur in conventional imperative programs. However, the restrictions imposed by Rust’s type system make it difficult or impossible to implement certain designs, such as data structures that require aliasing (e.g. doubly-linked lists and shared caches). To work around this limitation, Rust allows code blocks to be declared as unsafe and thereby exempted from certain restrictions of the type system, for instance, to manipulate C-style raw pointers. Ensuring the safety of unsafe code is the responsibility of the programmer. However, an important assumption of the Rust language, which we dub the Rust hypothesis, is that programmers use Rust by following three main principles: use unsafe code sparingly, make it easy to review, and hide it behind a safe abstraction such that client code can be written in safe Rust.
Understanding how Rust programmers use unsafe code and, in particular, whether the Rust hypothesis holds is essential for Rust developers and testers, language and library designers, as well as tool developers. This paper studies empirically how unsafe code is used in practice by analysing a large corpus of Rust projects to assess the validity of the Rust hypothesis and to classify the purpose of unsafe code. We identify queries that can be answered by automatically inspecting the program’s source code, its intermediate representation MIR, as well as type information provided by the Rust compiler; we complement the results by manual code inspection. Our study supports the Rust hypothesis partially: While most unsafe code is simple and well-encapsulated, unsafe features are used extensively, especially for interoperability with other languages.

Supplementary Material

Auxiliary Presentation Video (oopsla20main-p32-p-video.mp4)
Rust’s ownership type system allows the compiler to statically prevent, amongst others, memory errors and data races. However, the restrictions imposed by Rust’s type system make it difficult or impossible to implement certain designs (e.g. doubly-linked lists). To work around this limitation, Rust allows code blocks to be declared as unsafe and thereby exempted from certain restrictions of the type system, for instance, to manipulate C-style raw pointers. Ensuring the safety of unsafe code is the responsibility of the programmer. However, an important assumption of the Rust language, which we dub the Rust hypothesis, is that programmers use Rust by following three main principles: use unsafe code sparingly, make it easy to review, and hide it behind a safe abstraction such that client code can be written in safe Rust. In this video, we present our paper in which we explored whether the Rust hypothesis holds.

References

[1]
Pietro Albini. 2020. The Rustwide library. https://crates.io/crates/rustwide Accessed May 11, 2020.
[2]
Vytautas Astrauskas, Peter Müller, Federico Poli, and Alexander J. Summers. 2019. Leveraging Rust types for modular specification and verification. Proc. ACM Program. Lang. 3, OOPSLA ( 2019 ), 147 : 1-147 : 30. https://doi.org/10.1145/3360573
[3]
Abhiram Balasubramanian, Marek S. Baranowski, Anton Burtsev, Aurojit Panda, Zvonimir Rakamaric, and Leonid Ryzhyk. 2017. System Programming in Rust: Beyond Safety. Operating Systems Review 51, 1 ( 2017 ), 94-99. https://doi.org/10. 1145/3139645.3139660
[4]
Nick Cameron, Sebastien Celles, and Contributions by the Rust Community. 2019. Rust For Systems Programmers. https://github.com/nrc/r4cppp Accessed May 11, 2020.
[5]
David G. Clarke, John Potter, and James Noble. 1998. Ownership Types for Flexible Alias Protection. In Proceedings of the 1998 ACM SIGPLAN Conference on Object-Oriented Programming Systems, Languages & Applications (OOPSLA '98), Vancouver, British Columbia, Canada, October 18-22, 1998, Bjørn N. Freeman-Benson and Craig Chambers (Eds.). ACM, 48-64. https://doi.org/10.1145/286936.286947
[6]
Sylvan Clebsch, Sophia Drossopoulou, Sebastian Blessing, and Andy McNeil. 2015. Deny Capabilities for Safe, Fast Actors. In International Workshop on Programming Based on Actors, Agents, and Decentralized Control (AGERE! 2015 ). ACM, 1-12.
[7]
Clippy developers. 2019. Clippy. https://github.com/rust-lang/rust-clippy Accessed April 4, 2019.
[8]
Code QL. 2020. Website of Code QL. https://semmle.com/codeql Accessed May 11, 2020.
[9]
Compiler-builtins developers. 2020. Safety of intrinsics. https://github.com/rust-lang/compiler-builtins/issues/355 Accessed September 7, 2020.
[10]
Ana Nora Evans, Bradford Campbell, and Mary Lou Sofa. 2020. Is Rust Used Safely by Software Developers? CoRR abs/ 2007.00752 ( 2020 ). arXiv: 2007.00752 https://arxiv.org/abs/ 2007.00752
[11]
Fuchsia Team. 2020. Fuchsia Documentation-Unsafe Code in Rust. https://fuchsia.googlesource.com/fuchsia/+/master/ docs/development/languages/rust/unsafe.md Accessed May 11, 2020.
[12]
Jon Gjengset. 2020. Demystifying unsafe code (Talk at Rust NYC). https://youtu.be/QAz-maaH0KM Accessed on March 19, 2020.
[13]
Colin Stebbins Gordon. 2014. Verifying Concurrent Programs by Controlling Alias Interference. Ph.D. Dissertation. University of Washington.
[14]
Ralf Jung. 2016. The Scope of Unsafe. https://www.ralfj.de/blog/2016/01/09/the-scope-of-unsafe. html Accessed April 4, 2019.
[15]
Ralf Jung, Jacques-Henri Jourdan, Robbert Krebbers, and Derek Dreyer. 2018. RustBelt: Securing the Foundations of the Rust Programming Language. Proc. ACM Program. Lang. 2, POPL ( 2018 ), 66 : 1-66 : 34. https://doi.org/10.1145/3158154
[16]
Ralf Jung, Jacques-Henri Jourdan, Robbert Krebbers, and Derek Dreyer. 2020. Safe Systems Programming in Rust: The Promise and the Challenge. Commun. ACM (to appear) ( 2020 ). https://people.mpi-sws.org/~dreyer/papers/safe-sysprogrust/paper.pdf
[17]
Jupyter Team. 2020. The Jupyter project. https://jupyter.org/ Accessed May 11, 2020.
[18]
Steve Klabnik and Carol Nichols. 2019. The Rust Programming Language. https://doc.rust-lang.org/book/ Accessed May 11, 2020.
[19]
Amit Levy, Bradford Campbell, Branden Ghena, Pat Pannuto, Prabal Dutta, and Philip Levis. 2017. The Case for Writing a Kernel in Rust. In Proceedings of the 8th Asia-Pacific Workshop on Systems (Mumbai, India) ( APSys '17). ACM, New York, NY, USA, Article 1, 7 pages. https://doi.org/10.1145/3124680.3124717
[20]
LLVM Team. 2020. LLVM Atomic Instructions and Concurrency Guide. https://llvm.org/docs/Atomics.html Accessed May 11, 2020.
[21]
Nicholas D. Matsakis. 2016. Unsafe abstractions. http://smallcultfollowing.com/babysteps/blog/2016/05/23/unsafeabstractions Accessed on May 5th, 2020 ; Matsakis is co-leader of the Rust compiler team.
[22]
Nicholas D. Matsakis. 2017. Project idea: datalog output from rustc. https://smallcultfollowing.com/babysteps/blog/2017/ 02/17/project-idea-datalog-output-from-rustc/ Accessed May 11, 2020.
[23]
Kai Mindermann, Philipp Keck, and Stefan Wagner. 2018. How Usable Are Rust Cryptography APIs?. In 2018 IEEE International Conference on Software Quality, Reliability and Security, QRS 2018, Lisbon, Portugal, July 16-20, 2018. IEEE, 143-154. https://doi.org/10.1109/QRS. 2018.00028
[24]
Peter Müller. 2002. Modular Specification and Verification of Object-Oriented Programs. Lecture Notes in Computer Science, Vol. 2262. Springer. https://doi.org/10.1007/3-540-45651-1
[25]
Alex Ozdemir. 2016. Unsafe in Rust: Syntactic Patterns. https://cs.stanford.edu/~aozdemir/blog/unsafe-rust-syntax Accessed on May 5th, 2020.
[26]
Alex Potanin, Monique Damitio, and James Noble. 2013. Are your incoming aliases really necessary? counting the cost of object ownership. In 35th International Conference on Software Engineering, ICSE ' 13, San Francisco, CA, USA, May 18-26, 2013, David Notkin, Betty H. C. Cheng, and Klaus Pohl (Eds.). IEEE Computer Society, 742-751. https: //doi.org/10.1109/ICSE. 2013.6606620
[27]
Boqin Qin, Yilun Chen, Zeming Yu, Linhai Song, and Yiying Zhang. 2020. Understanding Memory and Thread Safety Practices and Issues in Real-World Rust Programs. In Proceedings of the 41st ACM SIGPLAN International Conference on Programming Language Design and Implementation, PLDI 2020, London, UK, June 15-20, 2020, Alastair F. Donaldson and Emina Torlak (Eds.). ACM, 763-779. https://doi.org/10.1145/3385412.3386036
[28]
Redox developers. 2019. Snippet from Redox OS Repository. https://github.com/redox-os/relibc/blob/ 2cbc78f238b3eda426171def100f44707cfe8ae3/src/platform/pte.rs# L337-L345 Accessed May 11, 2020.
[29]
Rust Language Team. 2019. Rust Survey 2019 Results. https://blog.rust-lang.org/ 2020 /04/17/Rust-survey-2019.html Accessed May 15, 2020.
[30]
Rust Team. 2018. Rust: The Reference. https://doc.rust-lang.org/reference/ Accessed May 11, 2020.
[31]
Rust Team. 2019a. Mission Statement of the Secure Code Working Group. https://github.com/rust-secure-code/wg Accessed May 11, 2020.
[32]
Rust Team. 2019b. The Rustonomicon. https://doc.rust-lang.org/nomicon/ Accessed May 2, 2020.
[33]
Rust Team. 2019c. The Cargo Book. https://doc.rust-lang.org/cargo/reference/build-scripts. html#-sys-packages Accessed May 11, 2020.
[34]
Rust Team. 2020a. File: check_unsafety.rs. https://github.com/rust-lang/rust/blob/ 27ae2f0d60d9201133e1f9ec7a04c05c8e55e665/src/librustc_mir/transform/check_unsafety. rs Accessed May 11, 2020.
[35]
Rust Team. 2020b. Rust Documentation of Transmute. https://doc.rust-lang.org/std/mem/fn.transmute. html Accessed September 10, 2020.
[36]
Rust Team. 2020c. Rust: The Reference-Module std::cell. https://doc.rust-lang.org/std/cell/index.html Accessed May 11, 2020.
[37]
Rust Team. 2020d. Rust: The Reference-Module std::slice. https://doc.rust-lang.org/std/slice/index.html Accessed May 11, 2020.
[38]
Rust Team. 2020e. Rust: The Reference-Module std::sync::atomic. https://doc.rust-lang.org/std/sync/atomic/ Accessed October 6, 2020.
[39]
Qrates Team. 2020. Qrates artefact. https://doi.org/10.5281/zenodo.4085004 Source code and dataset: https://github.com/ rust-corpus/qrates.
[40]
The Libra Association. 2020. Core Repository of the Libra Project. https://github.com/libra/libra/blob/ 8d9bba00629e602051e40bab2b80e7ed89f40c0b/storage/storage-client/src/state_view.rs# L96-L97 Accessed May 11, 2020.
[41]
Unsafe Code Guidelines Working Group. 2020. Project website. https://github.com/rust-lang/unsafe-code-guidelines Accessed August 17, 2020.
[42]
Reinhard Wilhelm, Thomas W. Reps, and Shmuel Sagiv. 2002. Shape Analysis and Applications. In The Compiler Design Handbook: Optimizations and Machine Code Generation, Y. N. Srikant and Priti Shankar (Eds.). CRC Press, 175-218. https://doi.org/10.1201/9781420040579.ch5

Cited By

View all
  • (2024)Overview of Embedded Rust Operating Systems and FrameworksSensors10.3390/s2417581824:17(5818)Online publication date: 7-Sep-2024
  • (2024)Securing a Multiprocessor KVM Hypervisor with RustProceedings of the 2024 ACM Symposium on Cloud Computing10.1145/3698038.3698562(650-667)Online publication date: 20-Nov-2024
  • (2024)Counterexamples in Safe RustProceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops10.1145/3691621.3694943(128-135)Online publication date: 27-Oct-2024
  • Show More Cited By

Recommendations

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image Proceedings of the ACM on Programming Languages
Proceedings of the ACM on Programming Languages  Volume 4, Issue OOPSLA
November 2020
3108 pages
EISSN:2475-1421
DOI:10.1145/3436718
Issue’s Table of Contents
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 13 November 2020
Published in PACMPL Volume 4, Issue OOPSLA

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. Rust
  2. Rust hypothesis
  3. empirical study
  4. unsafe code

Qualifiers

  • Research-article

Funding Sources

  • SNSF

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)1,336
  • Downloads (Last 6 weeks)138
Reflects downloads up to 10 Dec 2024

Other Metrics

Citations

Cited By

View all
  • (2024)Overview of Embedded Rust Operating Systems and FrameworksSensors10.3390/s2417581824:17(5818)Online publication date: 7-Sep-2024
  • (2024)Securing a Multiprocessor KVM Hypervisor with RustProceedings of the 2024 ACM Symposium on Cloud Computing10.1145/3698038.3698562(650-667)Online publication date: 20-Nov-2024
  • (2024)Counterexamples in Safe RustProceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops10.1145/3691621.3694943(128-135)Online publication date: 27-Oct-2024
  • (2024)Semi-Automated Verification of Interior Unsafe Code Encapsulation in Real-World Rust SystemsProceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering10.1145/3691620.3695373(2435-2437)Online publication date: 27-Oct-2024
  • (2024)Rust for Embedded Systems: Current State and Open ProblemsProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3690275(2296-2310)Online publication date: 2-Dec-2024
  • (2024)When Is Parallelism Fearless and Zero-Cost with Rust?Proceedings of the 36th ACM Symposium on Parallelism in Algorithms and Architectures10.1145/3626183.3659966(27-40)Online publication date: 17-Jun-2024
  • (2024)Demystifying Compiler Unstable Feature Usage and Impacts in the Rust EcosystemProceedings of the IEEE/ACM 46th International Conference on Software Engineering10.1145/3597503.3623352(1-13)Online publication date: 20-May-2024
  • (2024)Yuga: Automatically Detecting Lifetime Annotation Bugs in the Rust LanguageIEEE Transactions on Software Engineering10.1109/TSE.2024.344767150:10(2602-2613)Online publication date: 1-Oct-2024
  • (2024)rCanary: Detecting Memory Leaks Across Semi-Automated Memory Management Boundary in RustIEEE Transactions on Software Engineering10.1109/TSE.2024.344362450:9(2472-2484)Online publication date: 13-Aug-2024
  • (2024)ERASan: Efficient Rust Address Sanitizer2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00258(4053-4068)Online publication date: 19-May-2024
  • Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Login options

Full Access

Media

Figures

Other

Tables

Share

Share

Share this Publication link

Share on social media