Affiliation:
1. MPI-SWS, Germany / Mozilla, USA
2. MPI-SWS, Germany
3. KAIST, South Korea
Abstract
Type systems are useful not just for the safety guarantees they provide, but also for helping compilers generate more efficient code by simplifying important program analyses. In Rust, the type system imposes a strict discipline on pointer aliasing, and it is an express goal of the Rust compiler developers to make use of that alias information for the purpose of program optimizations that reorder memory accesses. The problem is that Rust also supports unsafe code, and programmers can write unsafe code that bypasses the usual compiler checks to violate the aliasing discipline. To strike a balance between optimizations and unsafe code, the language needs to provide a set of rules such that unsafe code authors can be sure, if they are following these rules, that the compiler will preserve the semantics of their code despite all the optimizations it is doing.
In this work, we propose
Stacked Borrows
, an operational semantics for memory accesses in Rust. Stacked Borrows defines an aliasing discipline and declares programs violating it to have
undefined behavior
, meaning the compiler does not have to consider such programs when performing optimizations. We give formal proofs (mechanized in Coq) showing that this rules out enough programs to enable optimizations that reorder memory accesses around unknown code and function calls, based solely on intraprocedural reasoning. We also implemented this operational model in an interpreter for Rust and ran large parts of the Rust standard library test suite in the interpreter to validate that the model permits enough real-world unsafe Rust code.
Funder
Horizon 2020 Framework Programme
Publisher
Association for Computing Machinery (ACM)
Subject
Safety, Risk, Reliability and Quality,Software
Reference33 articles.
1. ANSI. 1978. Programming Language FORTRAN. ANSI X3.9-1978. ANSI. 1978. Programming Language FORTRAN. ANSI X3.9-1978.
2. Ulrich Drepper. 2007. Memory part 5: What programmers can do. LWN article. https://lwn.net/Articles/255364/ . Ulrich Drepper. 2007. Memory part 5: What programmers can do. LWN article. https://lwn.net/Articles/255364/ .
3. Bruno De Fraine. 2014. Wrong results with union and strict-aliasing. LLVM issue #21725. https://bugs.llvm.org/show_bug. cgi?id=21725 . Bruno De Fraine. 2014. Wrong results with union and strict-aliasing. LLVM issue #21725. https://bugs.llvm.org/show_bug. cgi?id=21725 .
4. On the importance of points-to analysis and other memory disambiguation methods for C programs
5. Dan Gohman. 2015. Incorrect liveness in DeadStoreElimination. LLVM issue #25422. https://bugs.llvm.org/show_bug.cgi? id=25422 . Dan Gohman. 2015. Incorrect liveness in DeadStoreElimination. LLVM issue #25422. https://bugs.llvm.org/show_bug.cgi? id=25422 .
Cited by
36 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献
1. Taming shared mutable states of operating systems in Rust;Science of Computer Programming;2024-12
2. Term Search in Rust;Proceedings of the 9th ACM SIGPLAN International Workshop on Type-Driven Development;2024-08-28
3. A Safe Low-Level Language for Computer Algebra and Its Formally Verified Compiler;Proceedings of the ACM on Programming Languages;2024-08-15
4. Formally understanding Rust’s ownership and borrowing system at the memory level;Formal Methods in System Design;2024-07-09
5. RefinedRust: A Type System for High-Assurance Verification of Rust Programs;Proceedings of the ACM on Programming Languages;2024-06-20