OXIDE: THE ESSENCE OF RUST Aaron J. Weiss Northeastern University - PowerPoint PPT Presentation

OXIDE: THE ESSENCE OF RUST Aaron J. Weiss Northeastern University

“ Rust’s rich type system and ownership model guarantee memory-safety and thread-safety — enabling you to eliminate many classes of bugs at compile-time. – the official Rust website

BORROW CHECKING

WHAT IS A BORROW CHECKER? struct State { ��../ } fn main() { let mut state = State { ��../ }; let init = read_state(&state); update_state(&mut state); let f i n = read_state(&state); consume_state(state); �/0 cannot use `state` anymore }

WHAT IS A BORROW CHECKER? struct State { ��../ } fn main() { let mut state = State { ��../ }; let init = read_state(&state); &state update_state(&mut state); borrow let f i n = read_state(&state); consume_state(state); �/0 cannot use `state` anymore }

WHAT IS A BORROW CHECKER? struct State { ��../ } fn main() { let mut state = State { ��../ }; let init = read_state(&state); update_state(&mut state); &mut state borrow mutable borrow let f i n = read_state(&state); consume_state(state); �/0 cannot use `state` anymore }

WHAT IS A BORROW CHECKER? struct State { ��../ } fn main() { let mut state = State { ��../ }; let init = read_state(&state); update_state(&mut state); borrow mutable borrow let f i n = read_state(&state); consume_state(state); state move �/0 cannot use `state` anymore }

WHAT IS A BORROW CHECKER? fn update_state(state: &mut State) { if should_reset(state) { * state = State { ��../ }; } else { (*state).count += 1 } }

A BORROW CHECKER IS... 🧿 Ownership & Flexible Alias Protection 📗 ✒ ⊕

OXIDE IS OUR EFFORT TO FORMALIZE BORROW CHECKING

OUR EXAMPLE PROGRAM IN OXIDE struct State { ��../ } fn main() { letprov<'a, 'b, 'c> { let state = State { ��../ }; let init = read_state �:; <'a>(&'a shrd state); update_state �:; <'b>(&'b uniq state); let f i n = read_state �:; <'c>(&'c shrd state); consume_state(state); } }

OUR EXAMPLE PROGRAM IN OXIDE struct State { ��../ } fn main() { letprov<'a, 'b, 'c> { let state = State { ��../ }; let init = read_state �:; <'a>(&'a shrd state); shrd update_state �:; <'b>(&'b uniq state); uniq let f i n = read_state �:; <'c>(&'c shrd state); shrd consume_state(state); } }

OUR EXAMPLE PROGRAM IN OXIDE struct State { ��../ } fn main() { letprov<'a, 'b, 'c> { letprov<'a, 'b, 'c> { let state = State { ��../ }; let init = read_state �:; <'a>(&'a shrd state); shrd update_state �:; <'b>(&'b uniq state); uniq let f i n = read_state �:; <'c>(&'c shrd state); shrd consume_state(state); } } }

OUR EXAMPLE PROGRAM IN OXIDE struct State { ��../ } fn main() { letprov<'a, 'b, 'c> { letprov<'a, 'b, 'c> { let state = State { ��../ }; let init = read_state �:; <'a>(&'a shrd state); 'a shrd update_state �:; <'b>(&'b uniq state); 'b uniq let f i n = read_state �:; <'c>(&'c shrd state); 'c shrd consume_state(state); } } }

OUR EXAMPLE PROGRAM IN OXIDE struct State { ��../ } fn main() { letprov<'a, 'b, 'c> { letprov<'a, 'b, 'c> { let state = State { ��../ }; let init = read_state �:; <'a>(&'a shrd state); 'a 'a shrd update_state �:; <'b>(&'b uniq state); 'b 'b uniq let f i n = read_state �:; <'c>(&'c shrd state); 'c 'c shrd consume_state(state); } } }

PROVENANCES AS A ‘POINTS-TO’ ANALYSIS A reference with type… &'a shrd state &'b uniq state

PROVENANCES AS A ‘POINTS-TO’ ANALYSIS A reference with type… &'a shrd state &'b uniq state points to 'a state

PROVENANCES AS A ‘POINTS-TO’ ANALYSIS A reference with type… &'a shrd state &'b uniq state points to points to 'a 'b state state

PROVENANCES AS A ‘POINTS-TO’ ANALYSIS A reference with type… &'a shrd state &'b uniq state points to points to 'a 'b state state Γ ::= ∙ | Γ ♮ ℱ x : T 'a ��|-? { p 1 … p n } ℱ ::= ∙ | ℱ , | ℱ ,

TYPECHECKING A MOVE EXPRESSION struct State { ../ } fn main() { letprov<'a, 'b, 'c> { let state = State { ../ }; let init = read_state :; <'a>(&'a shrd state); update_state :; <'b>(&'b uniq state); let f i n = read_state :; <'c>(&'c shrd state); consume_state(state); } }

TYPECHECKING A MOVE EXPRESSION consume_state(state);

TYPECHECKING A MOVE EXPRESSION consume_state(state); state is not aliased Γ ( state ) = State state State Δ ; Γ ⊢ :

TYPECHECKING A BORROW EXPRESSION struct State { ../ } fn main() { letprov<'a, 'b, 'c> { let state = State { ../ }; let init = read_state :; <'a>(&'a shrd state); update_state :; <'b>(&'b uniq state); let f i n = read_state :; <'c>(&'c shrd state); consume_state(state); } }

TYPECHECKING A BORROW EXPRESSION update_state �:; <'b>(&'b uniq state);

TYPECHECKING A BORROW EXPRESSION update_state �:; <'b>(&'b uniq state); state is not aliased Γ ( state ) = State Δ ; Γ ⊢ &'a uniq state : &'a uniq State

TYPECHECKING A BORROW EXPRESSION state is not uniquely aliased Γ ( state ) = State Δ ; Γ ⊢ &'a shrd state : &'a shrd State update_state �:; <'b>(&'b uniq state); state is not aliased Γ ( state ) = State Δ ; Γ ⊢ &'a uniq state : &'a uniq State

OWNERSHIP SAFETY: “IS NOT ALIASED” Δ ; Γ ⊢ x ⇒ { … } Δ ; Γ ⊢ x ⇒ { … } uniq shrd

OWNERSHIP SAFETY: “IS NOT ALIASED” Δ ; Γ ⊢ x ⇒ { … } Δ ; Γ ⊢ x ⇒ { … } uniq shrd ω ::= uniq | shrd π ::= x | π . n | π . f Δ ; Γ ⊢ ω π ⇒ { p 1 … p n }

OWNERSHIP SAFETY: “IS NOT ALIASED” Δ ; Γ ⊢ x ⇒ { … } Δ ; Γ ⊢ x ⇒ { … } uniq shrd ω ::= uniq | shrd π ::= x | π . n | π . f Δ ; Γ ⊢ ω π ⇒ { p 1 … p n } places

OWNERSHIP SAFETY: “IS NOT ALIASED” Δ ; Γ ⊢ x ⇒ { … } Δ ; Γ ⊢ x ⇒ { … } uniq shrd ω ::= uniq | shrd π ::= x | π . n | π . f Δ ; Γ ⊢ ω π ⇒ { p 1 … p n } places place expressions

THE STORY SO FAR Γ ( state ) = State state is not aliased state State Δ ; Γ ⊢ : Γ ( state ) = State state is not aliased Δ ; Γ ⊢ &'a uniq state : &'a uniq State Γ ( state ) = State state is not uniquely aliased Δ ; Γ ⊢ &'a shrd state : &'a shrd State

THE STORY SO FAR Γ ( state ) = State state state ⇒ { Δ ; Γ ⊢ uniq } state State Δ ; Γ ⊢ : Γ ( state ) = State state state ⇒ { Δ ; Γ ⊢ uniq } Δ ; Γ ⊢ &'a uniq state : &'a uniq State Γ ( state ) = State state state ⇒ { Δ ; Γ ⊢ shrd } Δ ; Γ ⊢ &'a shrd state : &'a shrd State

A BIT OF A SNAG Γ ( state ) = State state state ⇒ { Δ ; Γ ⊢ uniq } state State Δ ; Γ ⊢ : Can we use state again?

A BIT OF A SNAG Γ ( state ) = State state state ⇒ { Δ ; Γ ⊢ uniq } state State Δ ; Γ ⊢ : Can we use state again?

A CONVENTIONAL APPROACH... ? ⊢ Γ ↝ Γ 1 ⊞ Γ 2 Convention:

A CONVENTIONAL APPROACH... ? ⊢ Γ ↝ Γ 1 ⊞ Γ 2 Convention: Rust: struct Point(i32, i32) let pt = Point(5, 6); ��../ add_one(pt.0); ��../ add_one(pt.1);

AN (UN)CONVENTIONAL APPROACH Environment passing! Γ ( state ) = State state state Δ ; Γ ⊢ uniq ⇒ { } state State Δ ; Γ ⊢ :

AN (UN)CONVENTIONAL APPROACH Environment passing! Γ ( state ) = State state state Δ ; Γ ⊢ uniq ⇒ { } state State Δ ; Γ ⊢ :

AN (UN)CONVENTIONAL APPROACH Environment passing! Γ ( state ) = State state state Δ ; Γ ⊢ uniq ⇒ { } † state State ⇒ Γ [state ��|-? State ] state State Δ ; Γ ⊢ Δ ; Γ ⊢ : :

EXAMPLE: PROJECTING OUT OF A TUPLE

EXAMPLE: PROJECTING OUT OF A TUPLE •; x : (i32, i32)

EXAMPLE: PROJECTING OUT OF A TUPLE •; x : (i32, i32) ⊢

EXAMPLE: PROJECTING OUT OF A TUPLE •; x : (i32, i32) ⊢ x.0 : i32

EXAMPLE: PROJECTING OUT OF A TUPLE •; x : (i32, i32) ⊢ x.0 : i32 ⇒

EXAMPLE: PROJECTING OUT OF A TUPLE † •; x : (i32, i32) ⊢ x.0 : i32 ⇒ x : (i32, i32)

GOOD FOR PROVENANCE TRACKING, TOO! Γ ( state ) = State state state ⇒ { Δ ; Γ ⊢ uniq } Δ ; Γ ⊢ &'a uniq state : &'a uniq State Γ ( state ) = State state state ⇒ { Δ ; Γ ⊢ shrd } Δ ; Γ ⊢ &'a shrd state : &'a shrd State

GOOD FOR PROVENANCE TRACKING, TOO! Γ ( state ) = State state state ⇒ { Δ ; Γ ⊢ uniq } Δ ; Γ ⊢ &'a uniq state : &'a uniq State Δ ; Γ ⊢ &'a uniq state : &'a uniq State ⇒ Γ ['a ��|-? {state}] Γ ( state ) = State state state ⇒ { Δ ; Γ ⊢ shrd } Δ ; Γ ⊢ &'a shrd state : &'a shrd State