Uploaded bynikomatsakis
5,391 views

Guaranteeing Memory Safety in Rust

Rust provides both control and safety through its ownership and borrowing model. It enforces safe patterns using the type system to prevent issues like data races, use-after-free errors, and iterator invalidation. This is achieved with no runtime overhead. Rust also supports building efficient abstractions through features like zero-cost abstractions and its approach to concurrency that guarantees freedom from data races. While Rust borrows ideas from other languages, its type system and ownership rules allow building applications that have control without compromising on safety.

Embed presentation

Downloaded 151 times
Rust Nicholas Matsakis Mozilla Research
What makes Rust different? C++ Haskell Java ML More Control More Safety Rust: Control and safety
Why Mozilla? Browsers need control. Browsers need safety. Servo: Next-generation browser built in Rust.
What is control? void example() { vector<string> vector; … auto& elem = vector[0]; … } Stack and inline layout. Lightweight references Deterministic destruction [0] string el…em vector data length capacity […] [n] … ‘H’ ‘e’ … Stack Heap C++
Zero-cost abstraction Ability to define abstractions that optimize away to nothing. vector data length cap. [0] […] data cap. ‘H’ ‘e’ […] Not just memory layout: - Static dispatch - Template expansion - … Java
What is safety? void example() { vector<string> vector; … auto& elem = vector[0]; vector.push_back(some_string); cout << elem; } vector data length capacity [0] … [0] [1] elem Aliasing: more than one pointer to same memory. Dangling pointer: pointer to freed memory. C++ Mutating the vector freed old contents.
What about GC? No control. Requires a runtime. Insufficient to prevent related problems: iterator invalidation, data races.
void foo(Foo &&f, …) { vec.push_back(f); } C++ Gut it: void foo(const Foo &f, …) { use(f.bar); } Read it: void foo(Foo &f, …) { f.bar = …; } Write it: void foo(unique_ptr<Foo> f, …) { … } Keep it:
Definitely progress. ! But definitely not safe: ! - Iterator invalidation. - Double moves. - Pointers into stack or freed memory. - Data races. - … all that stuff I talked about before … ! Ultimately, C++ mechanisms are unenforced.
The Rust Solution Codify and enforce safe patterns using the type system: ! 1. Always have a clear owner. 2. While iterating over a vector, don’t change it. 3. … ! No runtime required.
Credit where it is due Rust borrows liberally from other great languages: C++, Haskell, ML/Ocaml, Cyclone, Erlang, Java, C#, … Rust has an active, amazing community. ❤
The Rust type system
Observation Danger arises from… Aliasing Mutation Hides dependencies. Causes memory to be freed. { auto& e = v[0]; … v.push_back(…); }
Three basic patterns fn foo(v: T) { … } Ownership fn foo(v: &T) { … } Shared borrow fn foo(v: &mut T) { … } Mutable borrow
Ownership! ! n. The act, state, or right of possessing something.
Aliasing Mutation Ownership (T)
vec data length capacity 1 2 fn give() { let mut vec = Vec::new(); vec.push(1); vec.push(2); take(vec); … } fn take(vec: Vec<int>) { // … } ! Take ownership ! of a Vec<int> !
Compiler enforces moves fn give() { let mut vec = Vec::new(); vec.push(1); vec.push(2); take(vec); vec.… push(2); } fn take(vec: Vec<int>) { // … } ! ! Error: ve! c has been moved Prevents: - use after free - double moves - …
Borrow! ! v. To receive something with the promise of returning it.
Aliasing Mutation Shared borrow (&T)
Aliasing Mutation Mutable borrow (&mut T)
fn lender() { let mut vec = Vec::new(); vec.push(1); vec.push(2); use(&vec); … } fn use(vec: &Vec<int>) { // … } ! ! ! 1 data length capacity vec 2 vec “Shared reference to Vec<int>” Loan out vec
fn dot_product(vec1: &Vec<int>, vec2: &Vec<int>) elem1 elem2 sum -> int { let mut sum = 0; for (elem1, elem2) in vec1.iter().zip(vec2.iter()) { sum += (*elem1) * (*elem2); } return sum; } walk down matching indices elem1, elem2 are references into the vector 1 2 3 4 5 6 * vec1 vec2
Why “shared” reference? fn dot_product(vec1: &Vec<int>, vec2: &Vec<int>) -> int {…} ! fn magnitude(vec: &Vec<int>) -> int { sqrt(dot_product(vec, vec)) } two shared references to the same vector — OK!
Aliasing Mutation Shared references are immutable: fn use(vec: &Vec<int>) { vec.push(3); vec[1] += 2; } * Error: cannot mutate shared reference * Actually: mutation only in controlled circumstances
Mutable references fn push_all(from: &Vec<int>, to: &mut Vec<int>) { for elem in from.iter() { to.push(*elem); } } mutable reference to Vec<int> push() is legal
Mutable references fn push_all(from: &Vec<int>, to: &mut Vec<int>) { for elem in from.iter() { 1 2 3 to.push(*elem); } } from to elem 1 2 3 …
What if from and to are equal? fn push_all(from: &Vec<int>, to: &mut Vec<int>) { for elem in from.iter() { 1 2 3 from to elem 1 2 3 … 1 to.push(*elem); } } dangling pointer
fn push_all(from: &Vec<int>, to: &mut Vec<int>) {…} ! fn caller() { let mut vec = …; push_all(&vec, &mut vec); } shared reference Error: cannot have both shared and mutable reference at same time A &mut T is the only way to access the memory it points at
{ let mut vec = Vec::new(); … for i in range(0, vec.len()) { let elem: &int = &vec[i]; … vec.push(…); } … vec.push(…); } Borrows restrict access to the original path for their duration. Error: vec[i] is borrowed, cannot mutate OK. loan expired. & &mut no writes, no moves no access at all
Abstraction! ! n. freedom from representational qualities in art.
Rust is an extensible language • Zero-cost abstraction • Rich libraries: - Containers - Memory management - Parallelism - … • Ownership and borrowing let libraries enforce safety.
fn example() { let x: Rc<T> = Rc::new(…); { let y = x.clone(); let z = &*y; … } // runs destructor for y } // runs destructor for x x 1 [0] y 2 1 … z Stack Heap
Borrowing and Rc fn deref<‘a,T>(r: &’a Rc<T>) -> &’a T { … } Given a borrowed reference to an `Rc<T>`… …return a reference to the `T` inside with same extent New reference can be thought of as a kind of sublease. Returned reference cannot outlast the original.
fn example() -> &T { let x: Rc<T> = Rc::new(…); return &*x; } // runs destructor for x Error: extent of borrow exceeds lifetime of `x`
Concurrency! ! n. several computations executing simultaneously, and potentially interacting with each other
Data race ✎ ✎ ✎ ✎ Two unsynchronized threads accessing same data! where at least one writes.
Aliasing Mutation No ordering Data race Sound familiar?
Messaging! (ownership)
data length capacity fn parent() { let (tx, rx) = channel(); spawn(proc() {…}); let m = rx.recv(); } proc() { let m = Vec::new(); … tx.send(m); } rx tx tx m
Shared read-only access! (ownership, borrowing)
Arc<Vec<int>> (ARC = Atomic Reference Count) Owned, so no aliases. Vec<int> &Vec<int> ref_count data length capacity [0] [1] Shared reference, so Vec<int> is immutable.
✎ ✎ Locked mutable access! (ownership, borrowing)
fn sync_inc(mutex: &Mutex<int>) { let mut data = mutex.lock(); *data += 1; } Destructor releases lock Yields a mutable reference to data Destructor runs here
And beyond… Parallelism is an area of active development. ! Either already have or have plans for: - Atomic primitives - Non-blocking queues - Concurrent hashtables - Lightweight thread pools - Futures - CILK-style fork-join concurrency - etc. Always data-race free
Parallel! ! adj. occurring or existing at the same time
Concurrent vs parallel Blocks Concurrent threads Parallel jobs
fn qsort(vec: &mut [int]) { let pivot = vec[random(vec.len())]; let mid = vec.partition(vec, pivot); let (less, greater) = vec.mut_split_at(mid); qsort(less); qsort(greater); } let vec: &mut [int] = …; [0] [1] [2] [3] […] [n] less greater
fn parallel_qsort(vec: &mut [int]) { let pivot = vec[random(vec.len())]; let mid = vec.partition(vec, pivot); let (less, greater) = vec.mut_split(mid); parallel::do(&[ || parallel_qsort(less), || parallel_qsort(greater) ]); } let vec: &mut [int] = …; [0] [1] [2] [3] […] [n] less greater
Unsafe! ! adj. not safe; hazardous
Safe abstractions fn something_safe(…) { ! unsafe { ! … ! } ! } Validates input, etc. Trust me. • Uninitialized memory • Interfacing with C code • Building parallel abstractions like ARC • …
Status of Rust “Rapidly stabilizing.”! ! ! Goal for 1.0: - Stable syntax, core type system - Minimal set of core libraries
Conclusions • Rust gives control without compromising safety: • Zero-cost abstractions • Zero-cost safety • Guarantees beyond dangling pointers: • Iterator invalidation in a broader sense • Data race freedom

More Related Content

PDF
Intro to Rust from Applicative / NY Meetup
bynikomatsakis
 
PDF
Rust: Reach Further (from QCon Sao Paolo 2018)
bynikomatsakis
 
PDF
Rust "Hot or Not" at Sioux
bynikomatsakis
 
PDF
Rust tutorial from Boston Meetup 2015-07-22
bynikomatsakis
 
PDF
Rust: Unlocking Systems Programming
byC4Media
 
PDF
Rust Mozlando Tutorial
bynikomatsakis
 
PDF
Rust concurrency tutorial 2015 12-02
bynikomatsakis
 
PDF
Rust-lang
byAnthony Broad-Crawford
 
Intro to Rust from Applicative / NY Meetup
bynikomatsakis
 
Rust: Reach Further (from QCon Sao Paolo 2018)
bynikomatsakis
 
Rust "Hot or Not" at Sioux
bynikomatsakis
 
Rust tutorial from Boston Meetup 2015-07-22
bynikomatsakis
 
Rust: Unlocking Systems Programming
byC4Media
 
Rust Mozlando Tutorial
bynikomatsakis
 
Rust concurrency tutorial 2015 12-02
bynikomatsakis
 
Rust-lang
byAnthony Broad-Crawford
 

What's hot

PDF
Introduction to Rust
byJean Carlo Machado
 
PPTX
Introduction to Rust language programming
byRodolfo Finochietti
 
PDF
The Rust Programming Language: an Overview
byRoberto Casadei
 
PDF
Why rust?
byMats Kindahl
 
ODP
Rust言語紹介
byPaweł Rusin
 
PDF
Rust All Hands Winter 2011
byPatrick Walton
 
PDF
Rust Intro @ Roma Rust meetup
byClaudio Capobianco
 
PPTX
What the &~#@&lt;!? (Pointers in Rust)
byDavid Evans
 
PDF
Engineering fast indexes (Deepdive)
byDaniel Lemire
 
PDF
To Swift 2...and Beyond!
byScott Gardner
 
PDF
Clojure ♥ cassandra
byMax Penet
 
PDF
Python Asíncrono - Async Python
byJavier Abadía
 
PDF
Rust: код может быть одновременно безопасным и быстрым, Степан Кольцов
byYandex
 
PDF
Multithreading done right
byPlatonov Sergey
 
KEY
Øredev 2011 - JVM JIT for Dummies (What the JVM Does With Your Bytecode When ...
byCharles Nutter
 
PDF
Engineering fast indexes
byDaniel Lemire
 
PDF
Look Ma, “update DB to HTML5 using C++”, no hands! 
byaleks-f
 
PDF
HexRaysCodeXplorer: make object-oriented RE easier
byAlex Matrosov
 
PPT
bluespec talk
bySuman Karumuri
 
PDF
Introduce to Rust-A Powerful System Language
byAnchi Liu
 
Introduction to Rust
byJean Carlo Machado
 
Introduction to Rust language programming
byRodolfo Finochietti
 
The Rust Programming Language: an Overview
byRoberto Casadei
 
Why rust?
byMats Kindahl
 
Rust言語紹介
byPaweł Rusin
 
Rust All Hands Winter 2011
byPatrick Walton
 
Rust Intro @ Roma Rust meetup
byClaudio Capobianco
 
What the &~#@&lt;!? (Pointers in Rust)
byDavid Evans
 
Engineering fast indexes (Deepdive)
byDaniel Lemire
 
To Swift 2...and Beyond!
byScott Gardner
 
Clojure ♥ cassandra
byMax Penet
 
Python Asíncrono - Async Python
byJavier Abadía
 
Rust: код может быть одновременно безопасным и быстрым, Степан Кольцов
byYandex
 
Multithreading done right
byPlatonov Sergey
 
Øredev 2011 - JVM JIT for Dummies (What the JVM Does With Your Bytecode When ...
byCharles Nutter
 
Engineering fast indexes
byDaniel Lemire
 
Look Ma, “update DB to HTML5 using C++”, no hands! 
byaleks-f
 
HexRaysCodeXplorer: make object-oriented RE easier
byAlex Matrosov
 
bluespec talk
bySuman Karumuri
 
Introduce to Rust-A Powerful System Language
byAnchi Liu
 

Similar to Guaranteeing Memory Safety in Rust

PDF
Rust Workshop - NITC FOSSMEET 2017
bypramode_ce
 
PDF
Rust: Reach Further
bynikomatsakis
 
PDF
Le langage rust
byGeeks Anonymes
 
PDF
An introduction to Rust: the modern programming language to develop safe and ...
byClaudio Capobianco
 
PDF
Introduction to Rust Programming Language
byJohn Liu
 
PPTX
Rust Intro
byArthur Gavkaluk
 
PPT
Rust Programming Language
byJaeju Kim
 
PDF
Introduction to Rust - Waterford Tech Meetup 2025
byJohn Rellis
 
PDF
Who go Types in my Systems Programing!
byJared Roesch
 
PDF
Briefly Rust - Daniele Esposti - Codemotion Rome 2017
byCodemotion
 
PPTX
Tour of Rust
bySanghyeon Seo
 
PPTX
Briefly Rust
byDaniele Esposti
 
PDF
Deep drive into rust programming language
byVigneshwer Dhinakaran
 
PDF
Go is geting Rusty
by👋 Alon Nativ
 
PDF
Степан Кольцов — Rust — лучше, чем C++
byYandex
 
PPTX
The Rust Programming Language vs The C Programming Language
byjmquimosing
 
PDF
Rust: Systems Programming for Everyone
byC4Media
 
PDF
Introduction to the rust programming language
byNikolay Denev
 
PDF
Embedded Rust on IoT devices
byLars Gregori
 
PDF
intro_to_rust.pptx_123456789012446789.pdf
bysoumyadipiitk231026
 
Rust Workshop - NITC FOSSMEET 2017
bypramode_ce
 
Rust: Reach Further
bynikomatsakis
 
Le langage rust
byGeeks Anonymes
 
An introduction to Rust: the modern programming language to develop safe and ...
byClaudio Capobianco
 
Introduction to Rust Programming Language
byJohn Liu
 
Rust Intro
byArthur Gavkaluk
 
Rust Programming Language
byJaeju Kim
 
Introduction to Rust - Waterford Tech Meetup 2025
byJohn Rellis
 
Who go Types in my Systems Programing!
byJared Roesch
 
Briefly Rust - Daniele Esposti - Codemotion Rome 2017
byCodemotion
 
Tour of Rust
bySanghyeon Seo
 
Briefly Rust
byDaniele Esposti
 
Deep drive into rust programming language
byVigneshwer Dhinakaran
 
Go is geting Rusty
by👋 Alon Nativ
 
Степан Кольцов — Rust — лучше, чем C++
byYandex
 
The Rust Programming Language vs The C Programming Language
byjmquimosing
 
Rust: Systems Programming for Everyone
byC4Media
 
Introduction to the rust programming language
byNikolay Denev
 
Embedded Rust on IoT devices
byLars Gregori
 
intro_to_rust.pptx_123456789012446789.pdf
bysoumyadipiitk231026
 

Recently uploaded

PPTX
Short Film Script Development Process HARMONIA
byzdolezalmedia
 
PDF
The Ultimate Serial Port Detective – Baudowl
byCysinfo Cyber Security Community
 
PPTX
Detecting Bad Apples: Understanding macOS Malware TTPs by Surya Teja
byCysinfo Cyber Security Community
 
PDF
AI/ML Infra Meetup | Open Source Michelangelo: Uber's Predictive to Generativ...
byAlluxio, Inc.
 
PDF
NYC ACE 12-Nov-2025-Combined Presentation.pdf
byAUGNYC
 
PPTX
BI and Reporting Software Turning Clinic Data Into Smarter, More Compassionat...
byEasy Clinic
 
PDF
SWEBOK: the software engineering body of knowledge (SC25 Workshop Research So...
byHironori Washizaki
 
PDF
Connecting Strategy to Delivery Teams Using OnePlan.pdf
byOnePlan Solutions
 
PDF
DSD-INT 2025 Transport and Fate of Microplastics in Fluvial System (Rhine Riv...
byDeltares
 
PDF
AWS Certified Developer - Associate certificate.pdf
byGabriellaSantosRodri
 
PDF
Speculative Automated Refactoring of Imperative Deep Learning Programs to Gra...
byRaffi Khatchadourian
 
PPTX
Working of Minimax Algorithm with Alpha-Beta Pruning.pptx
byMuhammadHassanArshad2
 
PDF
Smarter Testing Safer Systems Balancing AI and Oversight in Regulated Environ...
byApplitools
 
PDF
AI/ML Infra Meetup | Unlock the Future of Generative AI: TorchTitan's Latest ...
byAlluxio, Inc.
 
PPTX
Communicating Software Architecture using Arc42 v1.1
byAshraf Fouad
 
PDF
How to Make Your AI Reliable: Comprehensive Guide to Testing AI Applications ...
byQATestLab Quality is a rule
 
PDF
DSD-INT 2025 From Software to Impact - Water Quality Modelling for the UN Oce...
byDeltares
 
PDF
DSD-INT 2025 Thermal and chemical plumes of sea cooling water from PEM platfo...
byDeltares
 
PPTX
Attacking and Defending AI by Adity Roy and Nikita Biradar
byCysinfo Cyber Security Community
 
PDF
DSD-INT 2025 3D Modeling of Shallow Water Dynamics Using Delft3D FM - Martins
byDeltares
 
Short Film Script Development Process HARMONIA
byzdolezalmedia
 
The Ultimate Serial Port Detective – Baudowl
byCysinfo Cyber Security Community
 
Detecting Bad Apples: Understanding macOS Malware TTPs by Surya Teja
byCysinfo Cyber Security Community
 
AI/ML Infra Meetup | Open Source Michelangelo: Uber's Predictive to Generativ...
byAlluxio, Inc.
 
NYC ACE 12-Nov-2025-Combined Presentation.pdf
byAUGNYC
 
BI and Reporting Software Turning Clinic Data Into Smarter, More Compassionat...
byEasy Clinic
 
SWEBOK: the software engineering body of knowledge (SC25 Workshop Research So...
byHironori Washizaki
 
Connecting Strategy to Delivery Teams Using OnePlan.pdf
byOnePlan Solutions
 
DSD-INT 2025 Transport and Fate of Microplastics in Fluvial System (Rhine Riv...
byDeltares
 
AWS Certified Developer - Associate certificate.pdf
byGabriellaSantosRodri
 
Speculative Automated Refactoring of Imperative Deep Learning Programs to Gra...
byRaffi Khatchadourian
 
Working of Minimax Algorithm with Alpha-Beta Pruning.pptx
byMuhammadHassanArshad2
 
Smarter Testing Safer Systems Balancing AI and Oversight in Regulated Environ...
byApplitools
 
AI/ML Infra Meetup | Unlock the Future of Generative AI: TorchTitan's Latest ...
byAlluxio, Inc.
 
Communicating Software Architecture using Arc42 v1.1
byAshraf Fouad
 
How to Make Your AI Reliable: Comprehensive Guide to Testing AI Applications ...
byQATestLab Quality is a rule
 
DSD-INT 2025 From Software to Impact - Water Quality Modelling for the UN Oce...
byDeltares
 
DSD-INT 2025 Thermal and chemical plumes of sea cooling water from PEM platfo...
byDeltares
 
Attacking and Defending AI by Adity Roy and Nikita Biradar
byCysinfo Cyber Security Community
 
DSD-INT 2025 3D Modeling of Shallow Water Dynamics Using Delft3D FM - Martins
byDeltares
 

Guaranteeing Memory Safety in Rust

  • 1.
    Rust Nicholas Matsakis Mozilla Research
  • 2.
    What makes Rustdifferent? C++ Haskell Java ML More Control More Safety Rust: Control and safety
  • 3.
    Why Mozilla? Browsersneed control. Browsers need safety. Servo: Next-generation browser built in Rust.
  • 4.
    What is control? void example() { vector<string> vector; … auto& elem = vector[0]; … } Stack and inline layout. Lightweight references Deterministic destruction [0] string el…em vector data length capacity […] [n] … ‘H’ ‘e’ … Stack Heap C++
  • 5.
    Zero-cost abstraction Abilityto define abstractions that optimize away to nothing. vector data length cap. [0] […] data cap. ‘H’ ‘e’ […] Not just memory layout: - Static dispatch - Template expansion - … Java
  • 6.
    What is safety? void example() { vector<string> vector; … auto& elem = vector[0]; vector.push_back(some_string); cout << elem; } vector data length capacity [0] … [0] [1] elem Aliasing: more than one pointer to same memory. Dangling pointer: pointer to freed memory. C++ Mutating the vector freed old contents.
  • 7.
    What about GC? No control. Requires a runtime. Insufficient to prevent related problems: iterator invalidation, data races.
  • 8.
    void foo(Foo &&f,…) { vec.push_back(f); } C++ Gut it: void foo(const Foo &f, …) { use(f.bar); } Read it: void foo(Foo &f, …) { f.bar = …; } Write it: void foo(unique_ptr<Foo> f, …) { … } Keep it:
  • 9.
    Definitely progress. ! But definitely not safe: ! - Iterator invalidation. - Double moves. - Pointers into stack or freed memory. - Data races. - … all that stuff I talked about before … ! Ultimately, C++ mechanisms are unenforced.
  • 10.
    The Rust Solution Codify and enforce safe patterns using the type system: ! 1. Always have a clear owner. 2. While iterating over a vector, don’t change it. 3. … ! No runtime required.
  • 11.
    Credit where itis due Rust borrows liberally from other great languages: C++, Haskell, ML/Ocaml, Cyclone, Erlang, Java, C#, … Rust has an active, amazing community. ❤
  • 12.
  • 13.
    Observation Danger arisesfrom… Aliasing Mutation Hides dependencies. Causes memory to be freed. { auto& e = v[0]; … v.push_back(…); }
  • 14.
    Three basic patterns fn foo(v: T) { … } Ownership fn foo(v: &T) { … } Shared borrow fn foo(v: &mut T) { … } Mutable borrow
  • 15.
    Ownership! ! n.The act, state, or right of possessing something.
  • 16.
  • 17.
    vec data length capacity 1 2 fn give() { let mut vec = Vec::new(); vec.push(1); vec.push(2); take(vec); … } fn take(vec: Vec<int>) { // … } ! Take ownership ! of a Vec<int> !
  • 18.
    Compiler enforces moves fn give() { let mut vec = Vec::new(); vec.push(1); vec.push(2); take(vec); vec.… push(2); } fn take(vec: Vec<int>) { // … } ! ! Error: ve! c has been moved Prevents: - use after free - double moves - …
  • 19.
    Borrow! ! v.To receive something with the promise of returning it.
  • 20.
  • 21.
  • 22.
    fn lender() { let mut vec = Vec::new(); vec.push(1); vec.push(2); use(&vec); … } fn use(vec: &Vec<int>) { // … } ! ! ! 1 data length capacity vec 2 vec “Shared reference to Vec<int>” Loan out vec
  • 23.
    fn dot_product(vec1: &Vec<int>,vec2: &Vec<int>) elem1 elem2 sum -> int { let mut sum = 0; for (elem1, elem2) in vec1.iter().zip(vec2.iter()) { sum += (*elem1) * (*elem2); } return sum; } walk down matching indices elem1, elem2 are references into the vector 1 2 3 4 5 6 * vec1 vec2
  • 24.
    Why “shared” reference? fn dot_product(vec1: &Vec<int>, vec2: &Vec<int>) -> int {…} ! fn magnitude(vec: &Vec<int>) -> int { sqrt(dot_product(vec, vec)) } two shared references to the same vector — OK!
  • 25.
    Aliasing Mutation Sharedreferences are immutable: fn use(vec: &Vec<int>) { vec.push(3); vec[1] += 2; } * Error: cannot mutate shared reference * Actually: mutation only in controlled circumstances
  • 26.
    Mutable references fnpush_all(from: &Vec<int>, to: &mut Vec<int>) { for elem in from.iter() { to.push(*elem); } } mutable reference to Vec<int> push() is legal
  • 27.
    Mutable references fnpush_all(from: &Vec<int>, to: &mut Vec<int>) { for elem in from.iter() { 1 2 3 to.push(*elem); } } from to elem 1 2 3 …
  • 28.
    What if fromand to are equal? fn push_all(from: &Vec<int>, to: &mut Vec<int>) { for elem in from.iter() { 1 2 3 from to elem 1 2 3 … 1 to.push(*elem); } } dangling pointer
  • 29.
    fn push_all(from: &Vec<int>,to: &mut Vec<int>) {…} ! fn caller() { let mut vec = …; push_all(&vec, &mut vec); } shared reference Error: cannot have both shared and mutable reference at same time A &mut T is the only way to access the memory it points at
  • 30.
    { let mutvec = Vec::new(); … for i in range(0, vec.len()) { let elem: &int = &vec[i]; … vec.push(…); } … vec.push(…); } Borrows restrict access to the original path for their duration. Error: vec[i] is borrowed, cannot mutate OK. loan expired. & &mut no writes, no moves no access at all
  • 31.
    Abstraction! ! n.freedom from representational qualities in art.
  • 32.
    Rust is anextensible language • Zero-cost abstraction • Rich libraries: - Containers - Memory management - Parallelism - … • Ownership and borrowing let libraries enforce safety.
  • 33.
    fn example() { let x: Rc<T> = Rc::new(…); { let y = x.clone(); let z = &*y; … } // runs destructor for y } // runs destructor for x x 1 [0] y 2 1 … z Stack Heap
  • 34.
    Borrowing and Rc fn deref<‘a,T>(r: &’a Rc<T>) -> &’a T { … } Given a borrowed reference to an `Rc<T>`… …return a reference to the `T` inside with same extent New reference can be thought of as a kind of sublease. Returned reference cannot outlast the original.
  • 35.
    fn example() ->&T { let x: Rc<T> = Rc::new(…); return &*x; } // runs destructor for x Error: extent of borrow exceeds lifetime of `x`
  • 36.
    Concurrency! ! n.several computations executing simultaneously, and potentially interacting with each other
  • 37.
    Data race ✎ ✎ ✎ ✎ Two unsynchronized threads accessing same data! where at least one writes.
  • 38.
    Aliasing Mutation Noordering Data race Sound familiar?
  • 39.
  • 40.
    data length capacity fn parent() { let (tx, rx) = channel(); spawn(proc() {…}); let m = rx.recv(); } proc() { let m = Vec::new(); … tx.send(m); } rx tx tx m
  • 41.
    Shared read-only access! (ownership, borrowing)
  • 42.
    Arc<Vec<int>> (ARC =Atomic Reference Count) Owned, so no aliases. Vec<int> &Vec<int> ref_count data length capacity [0] [1] Shared reference, so Vec<int> is immutable.
  • 43.
    ✎ ✎ Lockedmutable access! (ownership, borrowing)
  • 44.
    fn sync_inc(mutex: &Mutex<int>){ let mut data = mutex.lock(); *data += 1; } Destructor releases lock Yields a mutable reference to data Destructor runs here
  • 45.
    And beyond… Parallelismis an area of active development. ! Either already have or have plans for: - Atomic primitives - Non-blocking queues - Concurrent hashtables - Lightweight thread pools - Futures - CILK-style fork-join concurrency - etc. Always data-race free
  • 46.
    Parallel! ! adj.occurring or existing at the same time
  • 47.
    Concurrent vs parallel Blocks Concurrent threads Parallel jobs
  • 48.
    fn qsort(vec: &mut[int]) { let pivot = vec[random(vec.len())]; let mid = vec.partition(vec, pivot); let (less, greater) = vec.mut_split_at(mid); qsort(less); qsort(greater); } let vec: &mut [int] = …; [0] [1] [2] [3] […] [n] less greater
  • 49.
    fn parallel_qsort(vec: &mut[int]) { let pivot = vec[random(vec.len())]; let mid = vec.partition(vec, pivot); let (less, greater) = vec.mut_split(mid); parallel::do(&[ || parallel_qsort(less), || parallel_qsort(greater) ]); } let vec: &mut [int] = …; [0] [1] [2] [3] […] [n] less greater
  • 50.
    Unsafe! ! adj.not safe; hazardous
  • 51.
    Safe abstractions fnsomething_safe(…) { ! unsafe { ! … ! } ! } Validates input, etc. Trust me. • Uninitialized memory • Interfacing with C code • Building parallel abstractions like ARC • …
  • 52.
    Status of Rust “Rapidly stabilizing.”! ! ! Goal for 1.0: - Stable syntax, core type system - Minimal set of core libraries
  • 53.
    Conclusions • Rustgives control without compromising safety: • Zero-cost abstractions • Zero-cost safety • Guarantees beyond dangling pointers: • Iterator invalidation in a broader sense • Data race freedom