memory safety in rust
play

Memory Safety in Rust Ryan Eberhardt and Armin Namavari April 7, - PowerPoint PPT Presentation

Feb 18, 2023 •128 likes •490 views

Memory Safety in Rust Ryan Eberhardt and Armin Namavari April 7, 2020 Last lecture Ryan told us the bad news about C and C++ This lecture, Im going to tell you how Rust addresses some of those issues Disclaimer: you can still write buggy

  1. Memory Safety in Rust Ryan Eberhardt and Armin Namavari April 7, 2020

  2. Last lecture Ryan told us the bad news about C and C++…

  3. This lecture, I’m going to tell you how Rust addresses some of those issues

  4. Disclaimer: you can still write buggy Rust programs! Rust just makes it harder to make certain kinds of mistakes!

  5. Why is it so easy to screw up in C?

  6. A Memory Exercise You should have completed this before class today! ● ○ We thank Will Crichton for this exercise and for giving us permission to use it in this class! Discuss your answers to the exercise in groups (we'll assign you to different ● breakout rooms in Zoom)

  7. Dangling Pointers Vec* vec_new() { Vec vec; vec.data = NULL; vec.length = 0; vec.capacity = 0; return &vec; // OOF }

  8. Double Frees void main() { Vec* vec = vec_new(); vec_push(vec, 107); int* n = &vec->data[0]; vec_push(vec, 110); printf("%d\n", *n); free(vec->data); vec_free(vec); // YIKES }

  9. Iterator Invalidation void main() { Vec* vec = vec_new(); vec_push(vec, 107); int* n = &vec->data[0]; vec_push(vec, 110); printf("%d\n", *n); // :( free(vec->data); vec_free(vec); }

  10. Memory Leaks void vec_push(Vec* vec, int n) { if (vec->length == vec->capacity) { int new_capacity = vec->capacity * 2; int* new_data = (int*) malloc(new_capacity); assert(new_data != NULL); for (int i = 0; i < vec->length; ++i) { new_data[i] = vec->data[i]; } vec->data = new_data; // OOP: we forget to free the old data vec->capacity = new_capacity; } vec->data[vec->length] = n; ++vec->length; }

  11. It is Incredibly Hard to Reason about Programs Sometimes impossible (see CS 103, 154) ● Sometimes more than impossible* ● How do we get around this? ● A: The language and the compiler! ● Image Source: https://www.newyorker.com/culture/culture-desk/living-in-alan-turings-future

  12. The Language and the Compiler In order to make it easier to reason about programs, Rust needs to place some ● restrictions on the programs you can write. This makes it difficult (sometimes impossible) to write certain programs in safe ● Rust (we will talk about unsafe Rust later in the course). A lot of the cool guarantees we get from Rust come the checks its compiler ● performs Rust can sometimes exceed the performance of C because of compiler ● optimizations. If you want to delve deeper into these topics, be sure to take CS 242 (Programming ● Languages) and CS 143 (Compilers) as well as their follow-ons — these particular topics are outside of the scope of CS110L, but let us know if you’d like us to point you to relevant resources for learning more.

  13. Dangling Pointers Vec* vec_new() { Wouldn’t it be nice if the compiler realized that Vec vec; vec “lives” within those two curly braces and vec.data = NULL; therefore its address shouldn’t be returned from vec.length = 0; the function? vec.capacity = 0; return &vec; // OOF }

  14. Double Frees void main() { Vec* vec = vec_new(); vec_push(vec, 107); Wouldn’t it be nice if the compiler enforced int* n = &vec->data[0]; that once free is called on a variable, that variable can no longer be used? vec_push(vec, 110); printf("%d\n", *n); free(vec->data); vec_free(vec); // YIKES }

  15. Iterator Invalidation void main() { Vec* vec = vec_new(); vec_push(vec, 107); Wouldn’t it be nice if the compiler stopped us from modifying the data n was pointing to (as it int* n = &vec->data[0]; does in vec_push)? vec_push(vec, 110); printf("%d\n", *n); // :( free(vec->data); vec_free(vec); }

  16. Memory Leaks void vec_push(Vec* vec, int n) { if (vec->length == vec->capacity) { int new_capacity = vec->capacity * 2; int* new_data = (int*) malloc(new_capacity); Wouldn’t it be nice if the compiler noticed when assert(new_data != NULL); a piece of heap data no longer had anything for (int i = 0; i < vec->length; ++i) { pointing to it? (and so then it could safely be new_data[i] = vec->data[i]; freed?) } vec->data = new_data; // OOP vec->capacity = new_capacity; } vec->data[vec->length] = n; ++vec->length; }

  17. Pause

  18. How does Rust prevent us from making the errors we just saw?

  19. Ownership The reason you ran into trouble when decomposing your code! ● From the Rust Book: ●

  20. Controlling references to resources is a broader idea in systems programming that isn’t unique to Rust

  21. Ownership in Context fn main() { let s: String = "im a lil string”.to_string(); let u = s; println!("{}", s); // println!(“{}”, u) compiles just fine! } Note: you can copy/paste this code and run it in your browser @ https://play.rust-lang.org/ ! error[E0382]: borrow of moved value: `s` --> src/main.rs:7:20 | 5 | let s: String = "im a lil string".to_string(); | - move occurs because `s` has type `std::string::String`, which does not implement the `Copy` trait 6 | let u = s; | - value moved here 7 | println!("{}", s); | ^ value borrowed here after move

  22. Ownership in Context fn om_nom_nom(s: String) { println!("I have consumed {}", s); } fn main() { let s: String = "im a lil string".to_string(); om_nom_nom(s); println!("{}", s); } error[E0382]: borrow of moved value: `s` --> src/main.rs:8:20 | 6 | let s: String = "im a lil string".to_string(); | - move occurs because `s` has type `std::string::String`, which does not implement the `Copy` trait 7 | om_nom_nom(s); | - value moved here 8 | println!("{}", s); | ^ value borrowed here after move

  23. With great power comes great responsibility fn om_nom_nom(s: String) { println!("I have consumed {}", s); } fn main() { let s: String = "im a lil string".to_string(); om_nom_nom(s); println!("{}", s); } Each “owner” has the responsibility to clean up after itself ● When you move s into om_nom_nom , om_nom_nom becomes the owner of s , and it will free ● s when it’s no longer needed in that scope Technically the s parameter in om_nom_nom become the owner ● That means you can no longer use it in main! ●

  24. An Exception to the Syntax: Copying Given what we just saw, how can the following be valid syntax? fn om_nom_nom(n: u32) { println!("{} is a very nice number", n); } fn main() { let n: u32 = 110; let m = n; Output: om_nom_nom(n); 110 is a very nice number 110 is a very nice number om_nom_nom(m); 220 println!("{}", m + n); }

  25. Wait a minute… that seems restrictive and must make it really hard to write code!

  26. Thought experiment Say you have a group of lawyers that are reviewing and signing a contract over ● Google Docs Is this realistic? Nope :) But just pretend! ● What are some ground rules we’d need to set in order to avoid chaos? ● If someone modifies the contract before everyone else reviews/signs it, ● that’s fine But if someone modifies the contract while others are reviewing it, people ● might miss changes and think they’re signing a contract that says something else We should allow a single person to modify, or everyone to read, but not both ●

  27. Borrowing Intuition I should be able to have as many “const” pointers to a piece of data that I ● like However if I have a “non-const” pointer to a piece of data at the same time, ● this could invalidate what the other const pointers are viewing (e.g. they can become dangling pointers…) If I have at most one “non-const” pointer at any given time, this should be ● OK.

  28. Borrowing We can have multiple shared (immutable) references at once (with no ● mutable references) to a value. We can have only one mutable reference at once (no shared references to it) ● This is a paradigm that pops up a lot in systems programming, especially ● when you have “readers” and “writers.” In fact, you’ll see it in CS110 once you start talking about threading and concurrency.

  29. Lifetimes The lifetime of a value starts when it’s created and ends the last time it’s ● used Rust doesn’t let you have a reference to a value that lasts longer than the ● value’s lifetime Rust computes lifetimes at compile time using static analysis (this is often an ● over-approximation) Rust calls the special “drop” function on a value once its lifetime ends (this is ● essentially a destructor).

  30. Borrowing Example fn change_it_up(s: &mut String) { *s = "goodbye".to_string(); } fn make_it_plural(word: &mut String) { word.push('s'); } fn let_me_see(s: &String) { println!("{}", s); } fn main() { let mut s = "hello".to_string(); change_it_up(&mut s); let_me_see(&s); make_it_plural(&mut s); let_me_see(&s); // let's make it even more plural s.push(’s'); // does this seem strange? let_me_see(&s); }

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Memory Safety with Rust Will Crichton Todays goals When is memory allocated and deallocated?

Memory Safety with Rust Will Crichton Todays goals When is memory allocated and deallocated?

Memory Safety with Rust Will Crichton Todays goals When is memory allocated and deallocated? Where does memory live? What kinds of pointers does Rust have? Memory management goal: Allocate memory when you need it, and free it when

614 views • 24 slides
Introduction to rust and its memory safety Lukas Prokop 2020-09-18 for IAIK About me

Introduction to rust and its memory safety Lukas Prokop 2020-09-18 for IAIK About me

Introduction to rust and its memory safety Lukas Prokop 2020-09-18 for IAIK About me Sofuware developer PhD student in post-quantum cryptography at IAIK 1 Speaker at RustGraz (twitter @RustGraz) What is rust? What is rust?

1.47k views • 82 slides
Rust SGX SDK: Towards Memory Safety in Intel SGX Yu Ding, Ran Duan , Long Li , Yueqiang Cheng ,

Rust SGX SDK: Towards Memory Safety in Intel SGX Yu Ding, Ran Duan , Long Li , Yueqiang Cheng ,

Rust SGX SDK: Towards Memory Safety in Intel SGX Yu Ding, Ran Duan , Long Li , Yueqiang Cheng , Lenx Wei CONTENTS 3 1 2 PART ONE PART TWO PART THREE Why SGX Why Rust Rust SGX SDK PART 1 Why SGX Why SGX War in memory Ring

1.17k views • 51 slides
OXIDE: THE ESSENCE OF RUST Aaron J. Weiss Northeastern University Rusts rich type system

OXIDE: THE ESSENCE OF RUST Aaron J. Weiss Northeastern University Rusts rich type system

OXIDE: THE ESSENCE OF RUST Aaron J. Weiss Northeastern University Rusts rich type system and ownership model guarantee memory-safety and thread-safety enabling you to eliminate many classes of bugs at compile-time. the

1.27k views • 89 slides
TESTING IN RUST A PRIMER IN TESTING AND MOCKING @donald_whyte FOSDEM 2018 ABOUT ME Soware

TESTING IN RUST A PRIMER IN TESTING AND MOCKING @donald_whyte FOSDEM 2018 ABOUT ME Soware

TESTING IN RUST A PRIMER IN TESTING AND MOCKING @donald_whyte FOSDEM 2018 ABOUT ME Soware Engineer @ Engineers Gate Real-time trading systems Scalable data infrastructure Python/C++/Rust developer MOTIVATION Rust focuses on memory

1.47k views • 100 slides
Starting Rust from a Scripting Background Run Rust Deploy, Write, and Improve Rust Write Rust

Starting Rust from a Scripting Background Run Rust Deploy, Write, and Improve Rust Write Rust

http://talks.edunham.net/scale15x Rust 101 E. Dunham @qedunham Intro Starting Rust from a Scripting Background Run Rust Deploy, Write, and Improve Rust Write Rust Improve Rust E. Dunham @qedunham March 5, 2017

865 views • 75 slides
The Rust Programming Language Ben Goldberg Rust A Programming Language for the Future Thank You

The Rust Programming Language Ben Goldberg Rust A Programming Language for the Future Thank You

The Rust Programming Language Ben Goldberg Rust A Programming Language for the Future Thank You Thank you to rust-lang.org for providing content and examples! Overview The sales pitch Use cases The Rust language Other Languages

1.18k views • 63 slides
Themis: An Efficient and Memory-Safe BFT Framework in Rust SERIAL Workshop, December 9, 2019

Themis: An Efficient and Memory-Safe BFT Framework in Rust SERIAL Workshop, December 9, 2019

Institute of Operating Systems and Computer Networks Themis: An Efficient and Memory-Safe BFT Framework in Rust SERIAL Workshop, December 9, 2019 Signe Rsch, Kai Bleeke, Rdiger Kapitza ruesch@ibr.cs.tu-bs.de Technische Universitt

1.94k views • 32 slides
Rust: Systems Programming for Everyone Felix Klock ( @pnkfelix ), Mozilla space : next slide; esc

Rust: Systems Programming for Everyone Felix Klock ( @pnkfelix ), Mozilla space : next slide; esc

Rust: Systems Programming for Everyone Felix Klock ( @pnkfelix ), Mozilla space : next slide; esc : overview; arrows navigate http://bit.ly/1LQM3PS Why ...? Why use Rust? Fast code, low memory footprint Go from bare metal (assembly; C FFI)

1.41k views • 113 slides
Tremor How Rust killed thousands of cores and TB of memory at Wayfair Agenda A bit about us

Tremor How Rust killed thousands of cores and TB of memory at Wayfair Agenda A bit about us

Tremor How Rust killed thousands of cores and TB of memory at Wayfair Agenda A bit about us What is tremor Tremor Script &lt;3 OSS What is Wayfair? Sells rugs (and couches!) Large online retailer for furniture

851 views • 46 slides
www.rust-lang.org An Overview of the Rust Programming Language Jim Royer CIS 352 April 29,

www.rust-lang.org An Overview of the Rust Programming Language Jim Royer CIS 352 April 29,

www.rust-lang.org An Overview of the Rust Programming Language Jim Royer CIS 352 April 29, 2019 CIS 352 Rust Overview 1 / 1 CIS 352 Rust Overview 2 / 1 References Sample code: Factorial, 1 The Rust Programming Language by S. Klabnik and

589 views • 7 slides
Using Rust on RIOT OS Christian M. Ams uss &lt;ca@etonomy.org&gt; 2019-09-05 RIOT Summit,

Using Rust on RIOT OS Christian M. Ams uss &lt;ca@etonomy.org&gt; 2019-09-05 RIOT Summit,

Using Rust on RIOT OS Christian M. Ams uss &lt;ca@etonomy.org&gt; 2019-09-05 RIOT Summit, Helsinki Outline The Rust language and ecosystem Rust on embedded systems Rust on RIOT Simple things: functions and variables fn

804 views • 24 slides
Memory Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray

Memory Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray

Memory Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray Vikram Adve Montreal or Bust! Memory Safety Future is Bright User-space memory safety is improving Safe languages SAFECode, CCured, Baggy

556 views • 53 slides
Practical Memory Safety with REST KANAD SINHA &amp; SIMHA SETHUMADHAVAN COLUMBIA UNIVERSITY Is

Practical Memory Safety with REST KANAD SINHA &amp; SIMHA SETHUMADHAVAN COLUMBIA UNIVERSITY Is

Practical Memory Safety with REST KANAD SINHA &amp; SIMHA SETHUMADHAVAN COLUMBIA UNIVERSITY Is memory safety relevant? In 2017, 55% of remote-code execution causing bugs in Microsoft due to memory errors Is memory safety relevant? Yes!

827 views • 47 slides
Memory Tagging: e m p o s r r F e p how it improves C/C++ memory safety. Compiler

Memory Tagging: e m p o s r r F e p how it improves C/C++ memory safety. Compiler

r e l i p e m v o i t c c Memory Tagging: e m p o s r r F e p how it improves C/C++ memory safety. Compiler perspective. Kostya Serebryany , Evgenii Stepanov, Vlad Tsyrklevich (Google) Oct 2018 1 Agenda ARM v8.5

504 views • 29 slides
Rust: Reach F us th es ! Nich om as Matsakis 1 Q. What is Rust? Q. Why should I care? 2 Q.

Rust: Reach F us th es ! Nich om as Matsakis 1 Q. What is Rust? Q. Why should I care? 2 Q.

Rust: Reach F us th es ! Nich om as Matsakis 1 Q. What is Rust? Q. Why should I care? 2 Q. What is Rust? A. High-level code, low-level performance Q. Why should I care? 3 Decisions GC Control, flexibility

1.15k views • 67 slides
Model for Student Table SELECT * FROM students; +----+-----------+------------+------+------+ |

Model for Student Table SELECT * FROM students; +----+-----------+------------+------+------+ |

Model for Student Table SELECT * FROM students; +----+-----------+------------+------+------+ | id | name | birth | gpa | grad | +----+-----------+------------+------+------+ | 1 | Anderson | 1987-10-22 | 3.9 | 2009 | | 2 |

338 views • 13 slides
Genesis 32:22-32 Bibles Are Available On The Back Table Please Silence Your Phones Download This

Genesis 32:22-32 Bibles Are Available On The Back Table Please Silence Your Phones Download This

Open Your Bible To: Genesis 32:22-32 Bibles Are Available On The Back Table Please Silence Your Phones Download This Presentation At LivingWaterCorona.com/slides Genesis 32 You Need To Wrestle With God Genesis 32 You Need To Wrestle With

332 views • 14 slides
PyLLVM A compiler from a subset of Python to LLVM-IR Anna Herlihy MongoDB EuroPython Bilbao

PyLLVM A compiler from a subset of Python to LLVM-IR Anna Herlihy MongoDB EuroPython Bilbao

PyLLVM A compiler from a subset of Python to LLVM-IR Anna Herlihy MongoDB EuroPython Bilbao 2016 Outline 1. Motivation 2. PyLLVM Features 3. Related Work 4. Analysis and Benchmarking 5. Conclusion Motivation Motivation: Tupleware

828 views • 44 slides
Prof. Dorien Herremans SUTD Town Hall, 28 November 2018 History SUTD Game Lab Established

Prof. Dorien Herremans SUTD Town Hall, 28 November 2018 History SUTD Game Lab Established

Prof. Dorien Herremans SUTD Town Hall, 28 November 2018 History SUTD Game Lab Established in 2012 To continue the work of the Singapore-MIT GAMBIT Game Lab, funded by NRF under Game Research, Education and Training (GREaT) Funding

660 views • 28 slides
disciple-making sermon series 2014-2015 disciple-making christmas Advent lent

disciple-making sermon series 2014-2015 disciple-making christmas Advent lent

disciple-making sermon series 2014-2015 disciple-making christmas Advent lent ordinar y time easter pentecost , , , ,

538 views • 16 slides
Matt 9:35-38 and announcing the Good News about the Kingdom. And he healed every kind of disease

Matt 9:35-38 and announcing the Good News about the Kingdom. And he healed every kind of disease

9/26/2012 Community, Compassion, Commission! Scripture: Matt 9:35-38 Key Bible Truth: God sends us out to have compassion and to serve the community. 2 Jesus Model of Service 3 4 Background (Matt 4:23-9:35) Introduction 4:23 Jesus

650 views • 8 slides
XENOPHOBIA 12 MARCH 2020 COVID-19 DECLARED A PANDEMIC These educational resources by

XENOPHOBIA 12 MARCH 2020 COVID-19 DECLARED A PANDEMIC These educational resources by

LESSON PACKAGE TWO XENOPHOBIA 12 MARCH 2020 COVID-19 DECLARED A PANDEMIC These educational resources by Halogen Foundation can be used for free and are not for commercial purposes. Attribution is appreciated. Image Source: The Washington

617 views • 22 slides
The Issue of Computational Thinking Education In European Humanistic Departments Gianfranco

The Issue of Computational Thinking Education In European Humanistic Departments Gianfranco

The Issue of Computational Thinking Education In European Humanistic Departments Gianfranco Basti Faculty of Philosophy Pontifical Lateran University www.irafs.org IRAFS website: www.irafs.org http://www.stoqatpul.org - basti@pul.it

491 views • 11 slides

More recommend