Abstract
Rust’s ownership type system enforces a strict discipline on how memory locations are accessed and shared. This discipline allows the compiler to statically prevent memory errors, data races, inadvertent side effects through aliasing, and other errors that frequently occur in conventional imperative programs. However, the restrictions imposed by Rust’s type system make it difficult or impossible to implement certain designs, such as data structures that require aliasing (e.g. doubly-linked lists and shared caches). To work around this limitation, Rust allows code blocks to be declared as unsafe and thereby exempted from certain restrictions of the type system, for instance, to manipulate C-style raw pointers. Ensuring the safety of unsafe code is the responsibility of the programmer. However, an important assumption of the Rust language, which we dub the Rust hypothesis, is that programmers use Rust by following three main principles: use unsafe code sparingly, make it easy to review, and hide it behind a safe abstraction such that client code can be written in safe Rust.
Understanding how Rust programmers use unsafe code and, in particular, whether the Rust hypothesis holds is essential for Rust developers and testers, language and library designers, as well as tool developers. This paper studies empirically how unsafe code is used in practice by analysing a large corpus of Rust projects to assess the validity of the Rust hypothesis and to classify the purpose of unsafe code. We identify queries that can be answered by automatically inspecting the program’s source code, its intermediate representation MIR, as well as type information provided by the Rust compiler; we complement the results by manual code inspection. Our study supports the Rust hypothesis partially: While most unsafe code is simple and well-encapsulated, unsafe features are used extensively, especially for interoperability with other languages.
Supplemental Material
- Pietro Albini. 2020. The Rustwide library. https://crates.io/crates/rustwide Accessed May 11, 2020.Google Scholar
- Vytautas Astrauskas, Peter Müller, Federico Poli, and Alexander J. Summers. 2019. Leveraging Rust types for modular specification and verification. Proc. ACM Program. Lang. 3, OOPSLA ( 2019 ), 147 : 1-147 : 30. https://doi.org/10.1145/3360573 Google Scholar
Digital Library
- Abhiram Balasubramanian, Marek S. Baranowski, Anton Burtsev, Aurojit Panda, Zvonimir Rakamaric, and Leonid Ryzhyk. 2017. System Programming in Rust: Beyond Safety. Operating Systems Review 51, 1 ( 2017 ), 94-99. https://doi.org/10. 1145/3139645.3139660 Google Scholar
Digital Library
- Nick Cameron, Sebastien Celles, and Contributions by the Rust Community. 2019. Rust For Systems Programmers. https://github.com/nrc/r4cppp Accessed May 11, 2020.Google Scholar
- David G. Clarke, John Potter, and James Noble. 1998. Ownership Types for Flexible Alias Protection. In Proceedings of the 1998 ACM SIGPLAN Conference on Object-Oriented Programming Systems, Languages & Applications (OOPSLA '98), Vancouver, British Columbia, Canada, October 18-22, 1998, Bjørn N. Freeman-Benson and Craig Chambers (Eds.). ACM, 48-64. https://doi.org/10.1145/286936.286947 Google Scholar
Digital Library
- Sylvan Clebsch, Sophia Drossopoulou, Sebastian Blessing, and Andy McNeil. 2015. Deny Capabilities for Safe, Fast Actors. In International Workshop on Programming Based on Actors, Agents, and Decentralized Control (AGERE! 2015 ). ACM, 1-12.Google Scholar
- Clippy developers. 2019. Clippy. https://github.com/rust-lang/rust-clippy Accessed April 4, 2019.Google Scholar
- Code QL. 2020. Website of Code QL. https://semmle.com/codeql Accessed May 11, 2020.Google Scholar
- Compiler-builtins developers. 2020. Safety of intrinsics. https://github.com/rust-lang/compiler-builtins/issues/355 Accessed September 7, 2020.Google Scholar
- Ana Nora Evans, Bradford Campbell, and Mary Lou Sofa. 2020. Is Rust Used Safely by Software Developers? CoRR abs/ 2007.00752 ( 2020 ). arXiv: 2007.00752 https://arxiv.org/abs/ 2007.00752Google Scholar
- Fuchsia Team. 2020. Fuchsia Documentation-Unsafe Code in Rust. https://fuchsia.googlesource.com/fuchsia/+/master/ docs/development/languages/rust/unsafe.md Accessed May 11, 2020.Google Scholar
- Jon Gjengset. 2020. Demystifying unsafe code (Talk at Rust NYC). https://youtu.be/QAz-maaH0KM Accessed on March 19, 2020.Google Scholar
- Colin Stebbins Gordon. 2014. Verifying Concurrent Programs by Controlling Alias Interference. Ph.D. Dissertation. University of Washington.Google Scholar
- Ralf Jung. 2016. The Scope of Unsafe. https://www.ralfj.de/blog/2016/01/09/the-scope-of-unsafe. html Accessed April 4, 2019.Google Scholar
- Ralf Jung, Jacques-Henri Jourdan, Robbert Krebbers, and Derek Dreyer. 2018. RustBelt: Securing the Foundations of the Rust Programming Language. Proc. ACM Program. Lang. 2, POPL ( 2018 ), 66 : 1-66 : 34. https://doi.org/10.1145/3158154 Google Scholar
Digital Library
- Ralf Jung, Jacques-Henri Jourdan, Robbert Krebbers, and Derek Dreyer. 2020. Safe Systems Programming in Rust: The Promise and the Challenge. Commun. ACM (to appear) ( 2020 ). https://people.mpi-sws.org/~dreyer/papers/safe-sysprogrust/paper.pdfGoogle Scholar
- Jupyter Team. 2020. The Jupyter project. https://jupyter.org/ Accessed May 11, 2020.Google Scholar
- Steve Klabnik and Carol Nichols. 2019. The Rust Programming Language. https://doc.rust-lang.org/book/ Accessed May 11, 2020.Google Scholar
- Amit Levy, Bradford Campbell, Branden Ghena, Pat Pannuto, Prabal Dutta, and Philip Levis. 2017. The Case for Writing a Kernel in Rust. In Proceedings of the 8th Asia-Pacific Workshop on Systems (Mumbai, India) ( APSys '17). ACM, New York, NY, USA, Article 1, 7 pages. https://doi.org/10.1145/3124680.3124717 Google Scholar
Digital Library
- LLVM Team. 2020. LLVM Atomic Instructions and Concurrency Guide. https://llvm.org/docs/Atomics.html Accessed May 11, 2020.Google Scholar
- Nicholas D. Matsakis. 2016. Unsafe abstractions. http://smallcultfollowing.com/babysteps/blog/2016/05/23/unsafeabstractions Accessed on May 5th, 2020 ; Matsakis is co-leader of the Rust compiler team.Google Scholar
- Nicholas D. Matsakis. 2017. Project idea: datalog output from rustc. https://smallcultfollowing.com/babysteps/blog/2017/ 02/17/project-idea-datalog-output-from-rustc/ Accessed May 11, 2020.Google Scholar
- Kai Mindermann, Philipp Keck, and Stefan Wagner. 2018. How Usable Are Rust Cryptography APIs?. In 2018 IEEE International Conference on Software Quality, Reliability and Security, QRS 2018, Lisbon, Portugal, July 16-20, 2018. IEEE, 143-154. https://doi.org/10.1109/QRS. 2018.00028 Google Scholar
Cross Ref
- Peter Müller. 2002. Modular Specification and Verification of Object-Oriented Programs. Lecture Notes in Computer Science, Vol. 2262. Springer. https://doi.org/10.1007/3-540-45651-1 Google Scholar
Cross Ref
- Alex Ozdemir. 2016. Unsafe in Rust: Syntactic Patterns. https://cs.stanford.edu/~aozdemir/blog/unsafe-rust-syntax Accessed on May 5th, 2020.Google Scholar
- Alex Potanin, Monique Damitio, and James Noble. 2013. Are your incoming aliases really necessary? counting the cost of object ownership. In 35th International Conference on Software Engineering, ICSE ' 13, San Francisco, CA, USA, May 18-26, 2013, David Notkin, Betty H. C. Cheng, and Klaus Pohl (Eds.). IEEE Computer Society, 742-751. https: //doi.org/10.1109/ICSE. 2013.6606620 Google Scholar
Cross Ref
- Boqin Qin, Yilun Chen, Zeming Yu, Linhai Song, and Yiying Zhang. 2020. Understanding Memory and Thread Safety Practices and Issues in Real-World Rust Programs. In Proceedings of the 41st ACM SIGPLAN International Conference on Programming Language Design and Implementation, PLDI 2020, London, UK, June 15-20, 2020, Alastair F. Donaldson and Emina Torlak (Eds.). ACM, 763-779. https://doi.org/10.1145/3385412.3386036 Google Scholar
Digital Library
- Redox developers. 2019. Snippet from Redox OS Repository. https://github.com/redox-os/relibc/blob/ 2cbc78f238b3eda426171def100f44707cfe8ae3/src/platform/pte.rs# L337-L345 Accessed May 11, 2020.Google Scholar
- Rust Language Team. 2019. Rust Survey 2019 Results. https://blog.rust-lang.org/ 2020 /04/17/Rust-survey-2019.html Accessed May 15, 2020.Google Scholar
- Rust Team. 2018. Rust: The Reference. https://doc.rust-lang.org/reference/ Accessed May 11, 2020.Google Scholar
- Rust Team. 2019a. Mission Statement of the Secure Code Working Group. https://github.com/rust-secure-code/wg Accessed May 11, 2020.Google Scholar
- Rust Team. 2019b. The Rustonomicon. https://doc.rust-lang.org/nomicon/ Accessed May 2, 2020.Google Scholar
- Rust Team. 2019c. The Cargo Book. https://doc.rust-lang.org/cargo/reference/build-scripts. html#-sys-packages Accessed May 11, 2020.Google Scholar
- Rust Team. 2020a. File: check_unsafety.rs. https://github.com/rust-lang/rust/blob/ 27ae2f0d60d9201133e1f9ec7a04c05c8e55e665/src/librustc_mir/transform/check_unsafety. rs Accessed May 11, 2020.Google Scholar
- Rust Team. 2020b. Rust Documentation of Transmute. https://doc.rust-lang.org/std/mem/fn.transmute. html Accessed September 10, 2020.Google Scholar
- Rust Team. 2020c. Rust: The Reference-Module std::cell. https://doc.rust-lang.org/std/cell/index.html Accessed May 11, 2020.Google Scholar
- Rust Team. 2020d. Rust: The Reference-Module std::slice. https://doc.rust-lang.org/std/slice/index.html Accessed May 11, 2020.Google Scholar
- Rust Team. 2020e. Rust: The Reference-Module std::sync::atomic. https://doc.rust-lang.org/std/sync/atomic/ Accessed October 6, 2020.Google Scholar
- Qrates Team. 2020. Qrates artefact. https://doi.org/10.5281/zenodo.4085004 Source code and dataset: https://github.com/ rust-corpus/qrates. Google Scholar
Cross Ref
- The Libra Association. 2020. Core Repository of the Libra Project. https://github.com/libra/libra/blob/ 8d9bba00629e602051e40bab2b80e7ed89f40c0b/storage/storage-client/src/state_view.rs# L96-L97 Accessed May 11, 2020.Google Scholar
- Unsafe Code Guidelines Working Group. 2020. Project website. https://github.com/rust-lang/unsafe-code-guidelines Accessed August 17, 2020.Google Scholar
- Reinhard Wilhelm, Thomas W. Reps, and Shmuel Sagiv. 2002. Shape Analysis and Applications. In The Compiler Design Handbook: Optimizations and Machine Code Generation, Y. N. Srikant and Priti Shankar (Eds.). CRC Press, 175-218. https://doi.org/10.1201/9781420040579.ch5 Google Scholar
Cross Ref
Index Terms
How do programmers use unsafe rust?
Recommendations
Translating C to safer Rust
Rust is a relatively new programming language that targets efficient and safe systems-level applications. It includes a sophisticated type system that allows for provable memory- and thread-safety, and is explicitly designed to take the place of unsafe ...
Aliasing Limits on Translating C to Safe Rust
The Rust language was created to provide safe low-level systems programming. There is both industrial and academic interest in the problem of (semi-)automatically translating C code to Rust in order to exploit Rust's safety guarantees. We study the ...
Learning and programming challenges of rust: a mixed-methods study
ICSE '22: Proceedings of the 44th International Conference on Software EngineeringRust is a young systems programming language designed to provide both the safety guarantees of high-level languages and the execution performance of low-level languages. To achieve this design goal, Rust provides a suite of safety rules and checks ...






Comments