Abstract
The Rust language offers a promising approach to safe systems programming based on the principle of aliasing XOR mutability: a value may be either aliased or mutable, but not both at the same time. However, to implement pointer-based data structures with internal sharing, such as graphs or doubly-linked lists, we need to be able to mutate aliased state. To support such data structures, Rust provides a number of APIs that offer so-called interior mutability: the ability to mutate data via method calls on a shared reference. Unfortunately, the existing APIs sacrifice flexibility, concurrent access, and/or performance, in exchange for safety.
In this paper, we propose a new Rust API called GhostCell which avoids such sacrifices by separating permissions from data: it enables the user to safely synchronize access to a collection of data via a single permission. GhostCell repurposes an old trick from typed functional programming: branded types (as exemplified by Haskell’s ST monad), which combine phantom types and rank-2 polymorphism to simulate a lightweight form of state-dependent types. We have formally proven the soundness of GhostCell by adapting and extending RustBelt, a semantic soundness proof for a representative subset of Rust, mechanized in Coq.
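As an added example, not code from the paper or its accompanying Coq development, the following is a minimal reconstruction of the branded-token pattern the abstract describes: a phantom, invariant lifetime brands a single permission (the token) and a family of data cells, and a rank-2 closure keeps the brand from escaping its scope. The names GhostToken, GhostCell, borrow and borrow_mut and the encoding of the brand as PhantomData<fn(&'id ()) -> &'id ()> are assumptions here; the sample data is constructed.

```rust
use std::cell::UnsafeCell;
use std::marker::PhantomData;

// Brand marker: `fn(&'id ()) -> &'id ()` is invariant in 'id, so the compiler can never
// shorten or lengthen a brand to make a token from one scope fit a cell from another.
type Brand<'id> = PhantomData<fn(&'id ()) -> &'id ()>;

/// The single permission: `&mut GhostToken<'id>` grants write access to every
/// `GhostCell<'id, _>` of that brand, `&GhostToken<'id>` grants read access.
pub struct GhostToken<'id>(Brand<'id>);

impl<'id> GhostToken<'id> {
    /// Rank-2 closure: `'new_id` is fresh for this call and cannot escape `f`.
    pub fn new<R>(f: impl for<'new_id> FnOnce(GhostToken<'new_id>) -> R) -> R {
        f(GhostToken(PhantomData))
    }
}

/// Data without a permission of its own: freely aliasable through `&GhostCell`.
pub struct GhostCell<'id, T>(UnsafeCell<T>, Brand<'id>);

impl<'id, T> GhostCell<'id, T> {
    pub fn new(value: T) -> Self {
        GhostCell(UnsafeCell::new(value), PhantomData)
    }
    /// Shared read: sound because any live `&mut T` would need `&mut GhostToken<'id>`,
    /// which the borrow checker refuses while this `&GhostToken<'id>` exists.
    pub fn borrow<'a>(&'a self, _token: &'a GhostToken<'id>) -> &'a T {
        unsafe { &*self.0.get() }
    }
    /// Mutation through a *shared* cell reference: aliasing XOR mutability is
    /// enforced on the token, not on the cell.
    pub fn borrow_mut<'a>(&'a self, _token: &'a mut GhostToken<'id>) -> &'a mut T {
        unsafe { &mut *self.0.get() }
    }
}

/// Constructed demo: two cells, each aliased twice, all mutated via one token.
pub fn shared_mutation_demo() -> (u64, u64) {
    GhostToken::new(|mut token| {
        let cells = [GhostCell::new(1u64), GhostCell::new(2u64)];
        let aliases: Vec<&GhostCell<'_, u64>> = cells.iter().chain(cells.iter()).collect();
        for c in &aliases {
            *c.borrow_mut(&mut token) += 10; // each cell is visited twice: +20
        }
        (*cells[0].borrow(&token), *cells[1].borrow(&token))
    })
}
```

Because the brand is invariant and only ever introduced inside `GhostToken::new`, a cell created under one token cannot be read or written with another token, and holding `&mut token` for one write excludes every concurrent `borrow` of the same brand, which is exactly the aliasing XOR mutability discipline moved from the data onto the permission.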
GhostCell: separating permissions from data in Rust