skip to main content
research-article
Open Access

How do programmers use unsafe rust?

Published:13 November 2020Publication History
Skip Abstract Section

Abstract

Rust’s ownership type system enforces a strict discipline on how memory locations are accessed and shared. This discipline allows the compiler to statically prevent memory errors, data races, inadvertent side effects through aliasing, and other errors that frequently occur in conventional imperative programs. However, the restrictions imposed by Rust’s type system make it difficult or impossible to implement certain designs, such as data structures that require aliasing (e.g. doubly-linked lists and shared caches). To work around this limitation, Rust allows code blocks to be declared as unsafe and thereby exempted from certain restrictions of the type system, for instance, to manipulate C-style raw pointers. Ensuring the safety of unsafe code is the responsibility of the programmer. However, an important assumption of the Rust language, which we dub the Rust hypothesis, is that programmers use Rust by following three main principles: use unsafe code sparingly, make it easy to review, and hide it behind a safe abstraction such that client code can be written in safe Rust.

Understanding how Rust programmers use unsafe code and, in particular, whether the Rust hypothesis holds is essential for Rust developers and testers, language and library designers, as well as tool developers. This paper studies empirically how unsafe code is used in practice by analysing a large corpus of Rust projects to assess the validity of the Rust hypothesis and to classify the purpose of unsafe code. We identify queries that can be answered by automatically inspecting the program’s source code, its intermediate representation MIR, as well as type information provided by the Rust compiler; we complement the results by manual code inspection. Our study supports the Rust hypothesis partially: While most unsafe code is simple and well-encapsulated, unsafe features are used extensively, especially for interoperability with other languages.

Skip Supplemental Material Section

Supplemental Material

Auxiliary Presentation Video

Rust’s ownership type system allows the compiler to statically prevent, amongst others, memory errors and data races. However, the restrictions imposed by Rust’s type system make it difficult or impossible to implement certain designs (e.g. doubly-linked lists). To work around this limitation, Rust allows code blocks to be declared as unsafe and thereby exempted from certain restrictions of the type system, for instance, to manipulate C-style raw pointers. Ensuring the safety of unsafe code is the responsibility of the programmer. However, an important assumption of the Rust language, which we dub the Rust hypothesis, is that programmers use Rust by following three main principles: use unsafe code sparingly, make it easy to review, and hide it behind a safe abstraction such that client code can be written in safe Rust. In this video, we present our paper in which we explored whether the Rust hypothesis holds.

References

  1. Pietro Albini. 2020. The Rustwide library. https://crates.io/crates/rustwide Accessed May 11, 2020.Google ScholarGoogle Scholar
  2. Vytautas Astrauskas, Peter Müller, Federico Poli, and Alexander J. Summers. 2019. Leveraging Rust types for modular specification and verification. Proc. ACM Program. Lang. 3, OOPSLA ( 2019 ), 147 : 1-147 : 30. https://doi.org/10.1145/3360573 Google ScholarGoogle ScholarDigital LibraryDigital Library
  3. Abhiram Balasubramanian, Marek S. Baranowski, Anton Burtsev, Aurojit Panda, Zvonimir Rakamaric, and Leonid Ryzhyk. 2017. System Programming in Rust: Beyond Safety. Operating Systems Review 51, 1 ( 2017 ), 94-99. https://doi.org/10. 1145/3139645.3139660 Google ScholarGoogle ScholarDigital LibraryDigital Library
  4. Nick Cameron, Sebastien Celles, and Contributions by the Rust Community. 2019. Rust For Systems Programmers. https://github.com/nrc/r4cppp Accessed May 11, 2020.Google ScholarGoogle Scholar
  5. David G. Clarke, John Potter, and James Noble. 1998. Ownership Types for Flexible Alias Protection. In Proceedings of the 1998 ACM SIGPLAN Conference on Object-Oriented Programming Systems, Languages & Applications (OOPSLA '98), Vancouver, British Columbia, Canada, October 18-22, 1998, Bjørn N. Freeman-Benson and Craig Chambers (Eds.). ACM, 48-64. https://doi.org/10.1145/286936.286947 Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. Sylvan Clebsch, Sophia Drossopoulou, Sebastian Blessing, and Andy McNeil. 2015. Deny Capabilities for Safe, Fast Actors. In International Workshop on Programming Based on Actors, Agents, and Decentralized Control (AGERE! 2015 ). ACM, 1-12.Google ScholarGoogle Scholar
  7. Clippy developers. 2019. Clippy. https://github.com/rust-lang/rust-clippy Accessed April 4, 2019.Google ScholarGoogle Scholar
  8. Code QL. 2020. Website of Code QL. https://semmle.com/codeql Accessed May 11, 2020.Google ScholarGoogle Scholar
  9. Compiler-builtins developers. 2020. Safety of intrinsics. https://github.com/rust-lang/compiler-builtins/issues/355 Accessed September 7, 2020.Google ScholarGoogle Scholar
  10. Ana Nora Evans, Bradford Campbell, and Mary Lou Sofa. 2020. Is Rust Used Safely by Software Developers? CoRR abs/ 2007.00752 ( 2020 ). arXiv: 2007.00752 https://arxiv.org/abs/ 2007.00752Google ScholarGoogle Scholar
  11. Fuchsia Team. 2020. Fuchsia Documentation-Unsafe Code in Rust. https://fuchsia.googlesource.com/fuchsia/+/master/ docs/development/languages/rust/unsafe.md Accessed May 11, 2020.Google ScholarGoogle Scholar
  12. Jon Gjengset. 2020. Demystifying unsafe code (Talk at Rust NYC). https://youtu.be/QAz-maaH0KM Accessed on March 19, 2020.Google ScholarGoogle Scholar
  13. Colin Stebbins Gordon. 2014. Verifying Concurrent Programs by Controlling Alias Interference. Ph.D. Dissertation. University of Washington.Google ScholarGoogle Scholar
  14. Ralf Jung. 2016. The Scope of Unsafe. https://www.ralfj.de/blog/2016/01/09/the-scope-of-unsafe. html Accessed April 4, 2019.Google ScholarGoogle Scholar
  15. Ralf Jung, Jacques-Henri Jourdan, Robbert Krebbers, and Derek Dreyer. 2018. RustBelt: Securing the Foundations of the Rust Programming Language. Proc. ACM Program. Lang. 2, POPL ( 2018 ), 66 : 1-66 : 34. https://doi.org/10.1145/3158154 Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. Ralf Jung, Jacques-Henri Jourdan, Robbert Krebbers, and Derek Dreyer. 2020. Safe Systems Programming in Rust: The Promise and the Challenge. Commun. ACM (to appear) ( 2020 ). https://people.mpi-sws.org/~dreyer/papers/safe-sysprogrust/paper.pdfGoogle ScholarGoogle Scholar
  17. Jupyter Team. 2020. The Jupyter project. https://jupyter.org/ Accessed May 11, 2020.Google ScholarGoogle Scholar
  18. Steve Klabnik and Carol Nichols. 2019. The Rust Programming Language. https://doc.rust-lang.org/book/ Accessed May 11, 2020.Google ScholarGoogle Scholar
  19. Amit Levy, Bradford Campbell, Branden Ghena, Pat Pannuto, Prabal Dutta, and Philip Levis. 2017. The Case for Writing a Kernel in Rust. In Proceedings of the 8th Asia-Pacific Workshop on Systems (Mumbai, India) ( APSys '17). ACM, New York, NY, USA, Article 1, 7 pages. https://doi.org/10.1145/3124680.3124717 Google ScholarGoogle ScholarDigital LibraryDigital Library
  20. LLVM Team. 2020. LLVM Atomic Instructions and Concurrency Guide. https://llvm.org/docs/Atomics.html Accessed May 11, 2020.Google ScholarGoogle Scholar
  21. Nicholas D. Matsakis. 2016. Unsafe abstractions. http://smallcultfollowing.com/babysteps/blog/2016/05/23/unsafeabstractions Accessed on May 5th, 2020 ; Matsakis is co-leader of the Rust compiler team.Google ScholarGoogle Scholar
  22. Nicholas D. Matsakis. 2017. Project idea: datalog output from rustc. https://smallcultfollowing.com/babysteps/blog/2017/ 02/17/project-idea-datalog-output-from-rustc/ Accessed May 11, 2020.Google ScholarGoogle Scholar
  23. Kai Mindermann, Philipp Keck, and Stefan Wagner. 2018. How Usable Are Rust Cryptography APIs?. In 2018 IEEE International Conference on Software Quality, Reliability and Security, QRS 2018, Lisbon, Portugal, July 16-20, 2018. IEEE, 143-154. https://doi.org/10.1109/QRS. 2018.00028 Google ScholarGoogle ScholarCross RefCross Ref
  24. Peter Müller. 2002. Modular Specification and Verification of Object-Oriented Programs. Lecture Notes in Computer Science, Vol. 2262. Springer. https://doi.org/10.1007/3-540-45651-1 Google ScholarGoogle ScholarCross RefCross Ref
  25. Alex Ozdemir. 2016. Unsafe in Rust: Syntactic Patterns. https://cs.stanford.edu/~aozdemir/blog/unsafe-rust-syntax Accessed on May 5th, 2020.Google ScholarGoogle Scholar
  26. Alex Potanin, Monique Damitio, and James Noble. 2013. Are your incoming aliases really necessary? counting the cost of object ownership. In 35th International Conference on Software Engineering, ICSE ' 13, San Francisco, CA, USA, May 18-26, 2013, David Notkin, Betty H. C. Cheng, and Klaus Pohl (Eds.). IEEE Computer Society, 742-751. https: //doi.org/10.1109/ICSE. 2013.6606620 Google ScholarGoogle ScholarCross RefCross Ref
  27. Boqin Qin, Yilun Chen, Zeming Yu, Linhai Song, and Yiying Zhang. 2020. Understanding Memory and Thread Safety Practices and Issues in Real-World Rust Programs. In Proceedings of the 41st ACM SIGPLAN International Conference on Programming Language Design and Implementation, PLDI 2020, London, UK, June 15-20, 2020, Alastair F. Donaldson and Emina Torlak (Eds.). ACM, 763-779. https://doi.org/10.1145/3385412.3386036 Google ScholarGoogle ScholarDigital LibraryDigital Library
  28. Redox developers. 2019. Snippet from Redox OS Repository. https://github.com/redox-os/relibc/blob/ 2cbc78f238b3eda426171def100f44707cfe8ae3/src/platform/pte.rs# L337-L345 Accessed May 11, 2020.Google ScholarGoogle Scholar
  29. Rust Language Team. 2019. Rust Survey 2019 Results. https://blog.rust-lang.org/ 2020 /04/17/Rust-survey-2019.html Accessed May 15, 2020.Google ScholarGoogle Scholar
  30. Rust Team. 2018. Rust: The Reference. https://doc.rust-lang.org/reference/ Accessed May 11, 2020.Google ScholarGoogle Scholar
  31. Rust Team. 2019a. Mission Statement of the Secure Code Working Group. https://github.com/rust-secure-code/wg Accessed May 11, 2020.Google ScholarGoogle Scholar
  32. Rust Team. 2019b. The Rustonomicon. https://doc.rust-lang.org/nomicon/ Accessed May 2, 2020.Google ScholarGoogle Scholar
  33. Rust Team. 2019c. The Cargo Book. https://doc.rust-lang.org/cargo/reference/build-scripts. html#-sys-packages Accessed May 11, 2020.Google ScholarGoogle Scholar
  34. Rust Team. 2020a. File: check_unsafety.rs. https://github.com/rust-lang/rust/blob/ 27ae2f0d60d9201133e1f9ec7a04c05c8e55e665/src/librustc_mir/transform/check_unsafety. rs Accessed May 11, 2020.Google ScholarGoogle Scholar
  35. Rust Team. 2020b. Rust Documentation of Transmute. https://doc.rust-lang.org/std/mem/fn.transmute. html Accessed September 10, 2020.Google ScholarGoogle Scholar
  36. Rust Team. 2020c. Rust: The Reference-Module std::cell. https://doc.rust-lang.org/std/cell/index.html Accessed May 11, 2020.Google ScholarGoogle Scholar
  37. Rust Team. 2020d. Rust: The Reference-Module std::slice. https://doc.rust-lang.org/std/slice/index.html Accessed May 11, 2020.Google ScholarGoogle Scholar
  38. Rust Team. 2020e. Rust: The Reference-Module std::sync::atomic. https://doc.rust-lang.org/std/sync/atomic/ Accessed October 6, 2020.Google ScholarGoogle Scholar
  39. Qrates Team. 2020. Qrates artefact. https://doi.org/10.5281/zenodo.4085004 Source code and dataset: https://github.com/ rust-corpus/qrates. Google ScholarGoogle ScholarCross RefCross Ref
  40. The Libra Association. 2020. Core Repository of the Libra Project. https://github.com/libra/libra/blob/ 8d9bba00629e602051e40bab2b80e7ed89f40c0b/storage/storage-client/src/state_view.rs# L96-L97 Accessed May 11, 2020.Google ScholarGoogle Scholar
  41. Unsafe Code Guidelines Working Group. 2020. Project website. https://github.com/rust-lang/unsafe-code-guidelines Accessed August 17, 2020.Google ScholarGoogle Scholar
  42. Reinhard Wilhelm, Thomas W. Reps, and Shmuel Sagiv. 2002. Shape Analysis and Applications. In The Compiler Design Handbook: Optimizations and Machine Code Generation, Y. N. Srikant and Priti Shankar (Eds.). CRC Press, 175-218. https://doi.org/10.1201/9781420040579.ch5 Google ScholarGoogle ScholarCross RefCross Ref

Index Terms

  1. How do programmers use unsafe rust?

          Recommendations

          Comments

          Login options

          Check if you have access through your login credentials or your institution to get full access on this article.

          Sign in

          Full Access

          • Published in

            cover image Proceedings of the ACM on Programming Languages
            Proceedings of the ACM on Programming Languages  Volume 4, Issue OOPSLA
            November 2020
            3108 pages
            EISSN:2475-1421
            DOI:10.1145/3436718
            Issue’s Table of Contents

            Copyright © 2020 Owner/Author

            Publisher

            Association for Computing Machinery

            New York, NY, United States

            Publication History

            • Published: 13 November 2020
            Published in pacmpl Volume 4, Issue OOPSLA

            Permissions

            Request permissions about this article.

            Request Permissions

            Check for updates

            Qualifiers

            • research-article

          PDF Format

          View or Download as a PDF file.

          PDF

          eReader

          View online with eReader.

          eReader
          About Cookies On This Site

          We use cookies to ensure that we give you the best experience on our website.

          Learn more

          Got it!