memory safety in rust
play

Memory Safety in Rust Ryan Eberhardt and Armin Namavari April 7, - PowerPoint PPT Presentation

Feb 18, 2023 •128 likes •490 views

Memory Safety in Rust Ryan Eberhardt and Armin Namavari April 7, 2020 Last lecture Ryan told us the bad news about C and C++ This lecture, Im going to tell you how Rust addresses some of those issues Disclaimer: you can still write buggy

  1. Memory Safety in Rust Ryan Eberhardt and Armin Namavari April 7, 2020

  2. Last lecture Ryan told us the bad news about C and C++…

  3. This lecture, I’m going to tell you how Rust addresses some of those issues

  4. Disclaimer: you can still write buggy Rust programs! Rust just makes it harder to make certain kinds of mistakes!

  5. Why is it so easy to screw up in C?

  6. A Memory Exercise You should have completed this before class today! ● ○ We thank Will Crichton for this exercise and for giving us permission to use it in this class! Discuss your answers to the exercise in groups (we'll assign you to different ● breakout rooms in Zoom)

  7. Dangling Pointers Vec* vec_new() { Vec vec; vec.data = NULL; vec.length = 0; vec.capacity = 0; return &vec; // OOF }

  8. Double Frees void main() { Vec* vec = vec_new(); vec_push(vec, 107); int* n = &vec->data[0]; vec_push(vec, 110); printf("%d\n", *n); free(vec->data); vec_free(vec); // YIKES }

  9. Iterator Invalidation void main() { Vec* vec = vec_new(); vec_push(vec, 107); int* n = &vec->data[0]; vec_push(vec, 110); printf("%d\n", *n); // :( free(vec->data); vec_free(vec); }

  10. Memory Leaks void vec_push(Vec* vec, int n) { if (vec->length == vec->capacity) { int new_capacity = vec->capacity * 2; int* new_data = (int*) malloc(new_capacity); assert(new_data != NULL); for (int i = 0; i < vec->length; ++i) { new_data[i] = vec->data[i]; } vec->data = new_data; // OOP: we forget to free the old data vec->capacity = new_capacity; } vec->data[vec->length] = n; ++vec->length; }

  11. It is Incredibly Hard to Reason about Programs Sometimes impossible (see CS 103, 154) ● Sometimes more than impossible* ● How do we get around this? ● A: The language and the compiler! ● Image Source: https://www.newyorker.com/culture/culture-desk/living-in-alan-turings-future

  12. The Language and the Compiler In order to make it easier to reason about programs, Rust needs to place some ● restrictions on the programs you can write. This makes it difficult (sometimes impossible) to write certain programs in safe ● Rust (we will talk about unsafe Rust later in the course). A lot of the cool guarantees we get from Rust come the checks its compiler ● performs Rust can sometimes exceed the performance of C because of compiler ● optimizations. If you want to delve deeper into these topics, be sure to take CS 242 (Programming ● Languages) and CS 143 (Compilers) as well as their follow-ons — these particular topics are outside of the scope of CS110L, but let us know if you’d like us to point you to relevant resources for learning more.

  13. Dangling Pointers Vec* vec_new() { Wouldn’t it be nice if the compiler realized that Vec vec; vec “lives” within those two curly braces and vec.data = NULL; therefore its address shouldn’t be returned from vec.length = 0; the function? vec.capacity = 0; return &vec; // OOF }

  14. Double Frees void main() { Vec* vec = vec_new(); vec_push(vec, 107); Wouldn’t it be nice if the compiler enforced int* n = &vec->data[0]; that once free is called on a variable, that variable can no longer be used? vec_push(vec, 110); printf("%d\n", *n); free(vec->data); vec_free(vec); // YIKES }

  15. Iterator Invalidation void main() { Vec* vec = vec_new(); vec_push(vec, 107); Wouldn’t it be nice if the compiler stopped us from modifying the data n was pointing to (as it int* n = &vec->data[0]; does in vec_push)? vec_push(vec, 110); printf("%d\n", *n); // :( free(vec->data); vec_free(vec); }

  16. Memory Leaks void vec_push(Vec* vec, int n) { if (vec->length == vec->capacity) { int new_capacity = vec->capacity * 2; int* new_data = (int*) malloc(new_capacity); Wouldn’t it be nice if the compiler noticed when assert(new_data != NULL); a piece of heap data no longer had anything for (int i = 0; i < vec->length; ++i) { pointing to it? (and so then it could safely be new_data[i] = vec->data[i]; freed?) } vec->data = new_data; // OOP vec->capacity = new_capacity; } vec->data[vec->length] = n; ++vec->length; }

  17. Pause

  18. How does Rust prevent us from making the errors we just saw?

  19. Ownership The reason you ran into trouble when decomposing your code! ● From the Rust Book: ●

  20. Controlling references to resources is a broader idea in systems programming that isn’t unique to Rust

  21. Ownership in Context fn main() { let s: String = "im a lil string”.to_string(); let u = s; println!("{}", s); // println!(“{}”, u) compiles just fine! } Note: you can copy/paste this code and run it in your browser @ https://play.rust-lang.org/ ! error[E0382]: borrow of moved value: `s` --> src/main.rs:7:20 | 5 | let s: String = "im a lil string".to_string(); | - move occurs because `s` has type `std::string::String`, which does not implement the `Copy` trait 6 | let u = s; | - value moved here 7 | println!("{}", s); | ^ value borrowed here after move

  22. Ownership in Context fn om_nom_nom(s: String) { println!("I have consumed {}", s); } fn main() { let s: String = "im a lil string".to_string(); om_nom_nom(s); println!("{}", s); } error[E0382]: borrow of moved value: `s` --> src/main.rs:8:20 | 6 | let s: String = "im a lil string".to_string(); | - move occurs because `s` has type `std::string::String`, which does not implement the `Copy` trait 7 | om_nom_nom(s); | - value moved here 8 | println!("{}", s); | ^ value borrowed here after move

  23. With great power comes great responsibility fn om_nom_nom(s: String) { println!("I have consumed {}", s); } fn main() { let s: String = "im a lil string".to_string(); om_nom_nom(s); println!("{}", s); } Each “owner” has the responsibility to clean up after itself ● When you move s into om_nom_nom , om_nom_nom becomes the owner of s , and it will free ● s when it’s no longer needed in that scope Technically the s parameter in om_nom_nom become the owner ● That means you can no longer use it in main! ●

  24. An Exception to the Syntax: Copying Given what we just saw, how can the following be valid syntax? fn om_nom_nom(n: u32) { println!("{} is a very nice number", n); } fn main() { let n: u32 = 110; let m = n; Output: om_nom_nom(n); 110 is a very nice number 110 is a very nice number om_nom_nom(m); 220 println!("{}", m + n); }

  25. Wait a minute… that seems restrictive and must make it really hard to write code!

  26. Thought experiment Say you have a group of lawyers that are reviewing and signing a contract over ● Google Docs Is this realistic? Nope :) But just pretend! ● What are some ground rules we’d need to set in order to avoid chaos? ● If someone modifies the contract before everyone else reviews/signs it, ● that’s fine But if someone modifies the contract while others are reviewing it, people ● might miss changes and think they’re signing a contract that says something else We should allow a single person to modify, or everyone to read, but not both ●

  27. Borrowing Intuition I should be able to have as many “const” pointers to a piece of data that I ● like However if I have a “non-const” pointer to a piece of data at the same time, ● this could invalidate what the other const pointers are viewing (e.g. they can become dangling pointers…) If I have at most one “non-const” pointer at any given time, this should be ● OK.

  28. Borrowing We can have multiple shared (immutable) references at once (with no ● mutable references) to a value. We can have only one mutable reference at once (no shared references to it) ● This is a paradigm that pops up a lot in systems programming, especially ● when you have “readers” and “writers.” In fact, you’ll see it in CS110 once you start talking about threading and concurrency.

  29. Lifetimes The lifetime of a value starts when it’s created and ends the last time it’s ● used Rust doesn’t let you have a reference to a value that lasts longer than the ● value’s lifetime Rust computes lifetimes at compile time using static analysis (this is often an ● over-approximation) Rust calls the special “drop” function on a value once its lifetime ends (this is ● essentially a destructor).

  30. Borrowing Example fn change_it_up(s: &mut String) { *s = "goodbye".to_string(); } fn make_it_plural(word: &mut String) { word.push('s'); } fn let_me_see(s: &String) { println!("{}", s); } fn main() { let mut s = "hello".to_string(); change_it_up(&mut s); let_me_see(&s); make_it_plural(&mut s); let_me_see(&s); // let's make it even more plural s.push(’s'); // does this seem strange? let_me_see(&s); }

Recommend

Memory Safety with Rust Will Crichton Todays goals When is memory allocated and deallocated?

Memory Safety with Rust Will Crichton Todays goals When is memory allocated and deallocated?

Memory Safety with Rust Will Crichton Todays goals When is memory allocated and deallocated? Where does memory live? What kinds of pointers does Rust have? Memory management goal: Allocate memory when you need it, and free it when

614 views • 24 slides
Introduction to rust and its memory safety Lukas Prokop 2020-09-18 for IAIK About me

Introduction to rust and its memory safety Lukas Prokop 2020-09-18 for IAIK About me

Introduction to rust and its memory safety Lukas Prokop 2020-09-18 for IAIK About me Sofuware developer PhD student in post-quantum cryptography at IAIK 1 Speaker at RustGraz (twitter @RustGraz) What is rust? What is rust?

1.47k views • 82 slides
Rust SGX SDK: Towards Memory Safety in Intel SGX Yu Ding, Ran Duan , Long Li , Yueqiang Cheng ,

Rust SGX SDK: Towards Memory Safety in Intel SGX Yu Ding, Ran Duan , Long Li , Yueqiang Cheng ,

Rust SGX SDK: Towards Memory Safety in Intel SGX Yu Ding, Ran Duan , Long Li , Yueqiang Cheng , Lenx Wei CONTENTS 3 1 2 PART ONE PART TWO PART THREE Why SGX Why Rust Rust SGX SDK PART 1 Why SGX Why SGX War in memory Ring

1.17k views • 51 slides
OXIDE: THE ESSENCE OF RUST Aaron J. Weiss Northeastern University Rusts rich type system

OXIDE: THE ESSENCE OF RUST Aaron J. Weiss Northeastern University Rusts rich type system

OXIDE: THE ESSENCE OF RUST Aaron J. Weiss Northeastern University Rusts rich type system and ownership model guarantee memory-safety and thread-safety enabling you to eliminate many classes of bugs at compile-time. the

1.27k views • 89 slides
TESTING IN RUST A PRIMER IN TESTING AND MOCKING @donald_whyte FOSDEM 2018 ABOUT ME Soware

TESTING IN RUST A PRIMER IN TESTING AND MOCKING @donald_whyte FOSDEM 2018 ABOUT ME Soware

TESTING IN RUST A PRIMER IN TESTING AND MOCKING @donald_whyte FOSDEM 2018 ABOUT ME Soware Engineer @ Engineers Gate Real-time trading systems Scalable data infrastructure Python/C++/Rust developer MOTIVATION Rust focuses on memory

1.47k views • 100 slides
Starting Rust from a Scripting Background Run Rust Deploy, Write, and Improve Rust Write Rust

Starting Rust from a Scripting Background Run Rust Deploy, Write, and Improve Rust Write Rust

http://talks.edunham.net/scale15x Rust 101 E. Dunham @qedunham Intro Starting Rust from a Scripting Background Run Rust Deploy, Write, and Improve Rust Write Rust Improve Rust E. Dunham @qedunham March 5, 2017

865 views • 75 slides
The Rust Programming Language Ben Goldberg Rust A Programming Language for the Future Thank You

The Rust Programming Language Ben Goldberg Rust A Programming Language for the Future Thank You

The Rust Programming Language Ben Goldberg Rust A Programming Language for the Future Thank You Thank you to rust-lang.org for providing content and examples! Overview The sales pitch Use cases The Rust language Other Languages

1.18k views • 63 slides
Themis: An Efficient and Memory-Safe BFT Framework in Rust SERIAL Workshop, December 9, 2019

Themis: An Efficient and Memory-Safe BFT Framework in Rust SERIAL Workshop, December 9, 2019

Institute of Operating Systems and Computer Networks Themis: An Efficient and Memory-Safe BFT Framework in Rust SERIAL Workshop, December 9, 2019 Signe Rsch, Kai Bleeke, Rdiger Kapitza ruesch@ibr.cs.tu-bs.de Technische Universitt

1.94k views • 32 slides
Rust: Systems Programming for Everyone Felix Klock ( @pnkfelix ), Mozilla space : next slide; esc

Rust: Systems Programming for Everyone Felix Klock ( @pnkfelix ), Mozilla space : next slide; esc

Rust: Systems Programming for Everyone Felix Klock ( @pnkfelix ), Mozilla space : next slide; esc : overview; arrows navigate http://bit.ly/1LQM3PS Why ...? Why use Rust? Fast code, low memory footprint Go from bare metal (assembly; C FFI)

1.41k views • 113 slides
Tremor How Rust killed thousands of cores and TB of memory at Wayfair Agenda A bit about us

Tremor How Rust killed thousands of cores and TB of memory at Wayfair Agenda A bit about us

Tremor How Rust killed thousands of cores and TB of memory at Wayfair Agenda A bit about us What is tremor Tremor Script &lt;3 OSS What is Wayfair? Sells rugs (and couches!) Large online retailer for furniture

851 views • 46 slides
www.rust-lang.org An Overview of the Rust Programming Language Jim Royer CIS 352 April 29,

www.rust-lang.org An Overview of the Rust Programming Language Jim Royer CIS 352 April 29,

www.rust-lang.org An Overview of the Rust Programming Language Jim Royer CIS 352 April 29, 2019 CIS 352 Rust Overview 1 / 1 CIS 352 Rust Overview 2 / 1 References Sample code: Factorial, 1 The Rust Programming Language by S. Klabnik and

589 views • 7 slides
Using Rust on RIOT OS Christian M. Ams uss &lt;ca@etonomy.org&gt; 2019-09-05 RIOT Summit,

Using Rust on RIOT OS Christian M. Ams uss &lt;ca@etonomy.org&gt; 2019-09-05 RIOT Summit,

Using Rust on RIOT OS Christian M. Ams uss &lt;ca@etonomy.org&gt; 2019-09-05 RIOT Summit, Helsinki Outline The Rust language and ecosystem Rust on embedded systems Rust on RIOT Simple things: functions and variables fn

804 views • 24 slides
Memory Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray

Memory Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray

Memory Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray Vikram Adve Montreal or Bust! Memory Safety Future is Bright User-space memory safety is improving Safe languages SAFECode, CCured, Baggy

556 views • 53 slides
Practical Memory Safety with REST KANAD SINHA &amp; SIMHA SETHUMADHAVAN COLUMBIA UNIVERSITY Is

Practical Memory Safety with REST KANAD SINHA &amp; SIMHA SETHUMADHAVAN COLUMBIA UNIVERSITY Is

Practical Memory Safety with REST KANAD SINHA &amp; SIMHA SETHUMADHAVAN COLUMBIA UNIVERSITY Is memory safety relevant? In 2017, 55% of remote-code execution causing bugs in Microsoft due to memory errors Is memory safety relevant? Yes!

827 views • 47 slides
Memory Tagging: e m p o s r r F e p how it improves C/C++ memory safety. Compiler

Memory Tagging: e m p o s r r F e p how it improves C/C++ memory safety. Compiler

r e l i p e m v o i t c c Memory Tagging: e m p o s r r F e p how it improves C/C++ memory safety. Compiler perspective. Kostya Serebryany , Evgenii Stepanov, Vlad Tsyrklevich (Google) Oct 2018 1 Agenda ARM v8.5

504 views • 29 slides
Rust: Reach F us th es ! Nich om as Matsakis 1 Q. What is Rust? Q. Why should I care? 2 Q.

Rust: Reach F us th es ! Nich om as Matsakis 1 Q. What is Rust? Q. Why should I care? 2 Q.

Rust: Reach F us th es ! Nich om as Matsakis 1 Q. What is Rust? Q. Why should I care? 2 Q. What is Rust? A. High-level code, low-level performance Q. Why should I care? 3 Decisions GC Control, flexibility

1.15k views • 67 slides
Bringing Memory-Safety to Keystone Enclave Mingshen Sun Baidu X-Lab Open-Source Enclaves Workshop

Bringing Memory-Safety to Keystone Enclave Mingshen Sun Baidu X-Lab Open-Source Enclaves Workshop

Bringing Memory-Safety to Keystone Enclave Mingshen Sun Baidu X-Lab Open-Source Enclaves Workshop (OSEW 2019) Berkeley, July 2019 https://mesatee.org Rust and Keystone Enclave Open-Source Enclave (RISC-V Hardware/Keystone Enclave) :

662 views • 32 slides
#02: Mining Before we start Download and install Rust if you want to code along:

#02: Mining Before we start Download and install Rust if you want to code along:

Blockchain In Rust #02: Mining Before we start Download and install Rust if you want to code along: https://www.rust-lang.org/ If youre on Windows, youll also need Microsoft Visual C++ Build Tools 2017:

372 views • 11 slides
Extending Python with Rust Introduction and a hands-on demo of writing Python extension in Rust

Extending Python with Rust Introduction and a hands-on demo of writing Python extension in Rust

Extending Python with Rust Introduction and a hands-on demo of writing Python extension in Rust This talk Why? Why Rust? Binginds Dynamic library Web service example Docker example Compile and distribute

336 views • 14 slides
https://xkcd.com/303/ CS 152: Programming Language Paradigms Rust Prof. Tom Austin San Jos

https://xkcd.com/303/ CS 152: Programming Language Paradigms Rust Prof. Tom Austin San Jos

https://xkcd.com/303/ CS 152: Programming Language Paradigms Rust Prof. Tom Austin San Jos State University What is wrong with C/C++? Painfully slow build times Not memory safe No good concurrency story &quot;When the three of us

647 views • 18 slides
Aaron Turon Mozilla Research C/C++ ML/Haskell Rust Safe systems programming Why

Aaron Turon Mozilla Research C/C++ ML/Haskell Rust Safe systems programming Why

Aaron Turon Mozilla Research C/C++ ML/Haskell Rust Safe systems programming Why Mozilla? Browsers need control . Browsers need safety . Servo: Next-generation browser built in Rust. C++ What is control? void example() {

2.01k views • 174 slides
sled and rio Rust DB + io_uring = @sadisticsystems sled.rs who am I building Rust databases

sled and rio Rust DB + io_uring = @sadisticsystems sled.rs who am I building Rust databases

sled and rio Rust DB + io_uring = @sadisticsystems sled.rs who am I building Rust databases since 2014 previously worked at some social media &amp; infrastructure companies for fun, I build and destroy distributed databases

1.58k views • 52 slides
Rust In It for the Long Haul Carol (Nichols || Goulding) @carols10cents is.gd/rustLH Online

Rust In It for the Long Haul Carol (Nichols || Goulding) @carols10cents is.gd/rustLH Online

Rust In It for the Long Haul Carol (Nichols || Goulding) @carols10cents is.gd/rustLH Online Print Manning liveVideo Integer 32 Rust Core Team (yep, Im biased) Plan Railroad industry C Rust What the software

1.66k views • 140 slides
https://xkcd.com/303/ CS 252: Advanced Programming Language Principles Rust Prof. Tom Austin

https://xkcd.com/303/ CS 252: Advanced Programming Language Principles Rust Prof. Tom Austin

https://xkcd.com/303/ CS 252: Advanced Programming Language Principles Rust Prof. Tom Austin San Jos State University What is wrong with C/C++? Painfully slow build times Not memory safe No good concurrency story &quot;When the

606 views • 18 slides

More recommend