
GhostCell: separating permissions from data in Rust

Published: 19 August 2021

Abstract

The Rust language offers a promising approach to safe systems programming based on the principle of aliasing XOR mutability: a value may be either aliased or mutable, but not both at the same time. However, to implement pointer-based data structures with internal sharing, such as graphs or doubly-linked lists, we need to be able to mutate aliased state. To support such data structures, Rust provides a number of APIs that offer so-called interior mutability: the ability to mutate data via method calls on a shared reference. Unfortunately, the existing APIs sacrifice flexibility, concurrent access, and/or performance, in exchange for safety.

In this paper, we propose a new Rust API called GhostCell which avoids such sacrifices by separating permissions from data: it enables the user to safely synchronize access to a collection of data via a single permission. GhostCell repurposes an old trick from typed functional programming: branded types (as exemplified by Haskell’s ST monad), which combine phantom types and rank-2 polymorphism to simulate a lightweight form of state-dependent types. We have formally proven the soundness of GhostCell by adapting and extending RustBelt, a semantic soundness proof for a representative subset of Rust, mechanized in Coq.
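The branding trick the abstract describes, as an added example that is not the paper's own code and not the published crate: a minimal re-implementation of the API. The names `GhostToken`, `GhostCell`, `borrow` and `borrow_mut` follow the paper; the `InvariantLifetime` alias and the `demo` and `parallel_sum` functions are this example's own. The phantom type is the `PhantomData` field that carries the brand lifetime `'id` invariantly; the rank-2 polymorphism is the `for<'new_id>` bound on the closure passed to `GhostToken::new`, which makes the brand unnameable outside the closure. The token is the single permission; the cells are the data, and every `unsafe` block is confined to the two accessor bodies, so soundness rests entirely on the argument in their comments.

```rust
use std::cell::UnsafeCell;
use std::marker::PhantomData;

// Phantom type carrying the brand 'id. The `fn(&'id ()) -> &'id ()` shape is
// invariant in 'id, so the compiler can never shrink or widen one brand to
// make it match another. (Alias name is this example's own.)
type InvariantLifetime<'id> = PhantomData<fn(&'id ()) -> &'id ()>;

/// The permission: exactly one token exists per brand 'id.
pub struct GhostToken<'id> {
    _brand: InvariantLifetime<'id>,
}

/// The data: readable or writable only by presenting a token of the same brand.
pub struct GhostCell<'id, T> {
    value: UnsafeCell<T>,
    _brand: InvariantLifetime<'id>,
}

impl<'id> GhostToken<'id> {
    /// Rank-2 polymorphism: `f` must work for *every* brand 'new_id, so it
    /// cannot name the brand and no branded value can escape the closure.
    pub fn new<R>(f: impl for<'new_id> FnOnce(GhostToken<'new_id>) -> R) -> R {
        f(GhostToken { _brand: PhantomData })
    }
}

impl<'id, T> GhostCell<'id, T> {
    pub fn new(value: T) -> Self {
        GhostCell { value: UnsafeCell::new(value), _brand: PhantomData }
    }

    /// Shared read: a shared borrow of the token proves no writer is live.
    pub fn borrow<'a>(&'a self, _token: &'a GhostToken<'id>) -> &'a T {
        // SAFETY: the only way to get `&mut T` is `borrow_mut`, which needs
        // `&mut GhostToken<'id>`; that cannot coexist with the `&GhostToken<'id>`
        // held for 'a here, so no mutable alias of this brand is live.
        unsafe { &*self.value.get() }
    }

    /// Exclusive write: exclusivity comes from `&mut` on the token, not the cell.
    pub fn borrow_mut<'a>(&'a self, _token: &'a mut GhostToken<'id>) -> &'a mut T {
        // SAFETY: `&mut GhostToken<'id>` is unique for brand 'id, so no other
        // borrow of any cell carrying this brand is live during 'a.
        unsafe { &mut *self.value.get() }
    }
}

// UnsafeCell is !Sync; sharing a cell across threads is sound exactly when
// the token's borrow rules above are sound and T itself may cross threads.
unsafe impl<'id, T: Send + Sync> Sync for GhostCell<'id, T> {}

/// Two aliasing views of the same cells (as a graph's adjacency lists would
/// have), mutated through one token. Returns (first value via view_a, sum via view_b).
pub fn demo() -> (u32, u32) {
    GhostToken::new(|mut token| {
        let cells: Vec<_> = (1..=4u32).map(GhostCell::new).collect();
        let view_a: Vec<_> = cells.iter().collect();
        let view_b: Vec<_> = cells.iter().rev().collect();
        // Writing through view_a while view_b still aliases the cells is legal:
        // `&mut token` is what establishes exclusivity, not `&mut` on a cell.
        for c in &view_a {
            *c.borrow_mut(&mut token) *= 10;
        }
        let sum_b: u32 = view_b.iter().map(|c| *c.borrow(&token)).sum();
        let first_a = *view_a[0].borrow(&token);
        (first_a, sum_b)
    })
}

/// Concurrent reads: a shared `&GhostToken` can be handed to several threads,
/// so the whole collection is readable in parallel with no per-cell locking.
pub fn parallel_sum() -> u32 {
    GhostToken::new(|token| {
        let cells: Vec<_> = (1..=8u32).map(GhostCell::new).collect();
        let (left, right) = cells.split_at(4);
        std::thread::scope(|s| {
            let t = &token;
            let h1 = s.spawn(move || left.iter().map(|c| *c.borrow(t)).sum::<u32>());
            let h2 = s.spawn(move || right.iter().map(|c| *c.borrow(t)).sum::<u32>());
            h1.join().unwrap() + h2.join().unwrap()
        })
    })
}

fn main() {
    println!("demo = {:?}, parallel_sum = {}", demo(), parallel_sum());
}
```

The guarantee that cannot be shown in a running program is the one that matters most: a cell created under one `GhostToken::new` closure cannot be accessed with a token from another, because the two brands are distinct invariant lifetimes and the call simply fails to type-check. The cost is that all cells of one brand share one permission, so a write to any of them excludes reads of all of them for that borrow's duration; that coarse granularity is the trade the paper makes for zero runtime checks.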


Supplemental Material

Auxiliary Presentation Video

This is a video of the talk accompanying our ICFP 2021 paper, "GhostCell: Separating Permissions from Data in Rust".

