Is Rust Used Safely by Software Developers?

Rust, an emerging programming language with explosive growth, provides a robust type system that enables programmers to write memory-safe and data-race-free code. To allow access to a machine's hardware and to support low-level performance optimizations, a second language, Unsafe Rust, is embedded in Rust. It supports operations that are difficult to check statically, such as C-style raw pointers that can read or write arbitrary memory locations and mutable global variables. When a program uses these features, the compiler is unable to statically guarantee the safety properties Rust promotes. In this work, we perform a large-scale empirical study of how software developers use Unsafe Rust in real-world Rust libraries and applications. Our results indicate that software engineers write the unsafe keyword in less than 30% of Rust libraries, but more than half of the libraries cannot be entirely statically checked by the Rust compiler because Unsafe Rust is hidden somewhere in the library's call chain. We conclude that although direct use of the unsafe keyword is limited, the propagation of unsafeness through call chains challenges the claim that Rust is a memory-safe language. Furthermore, we recommend changes to the Rust compiler and to the interface of the central Rust package repository to help Rust software developers recognize when their Rust code depends on unsafe code.
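The following is an added example, not code from the paper or from any library it studied, illustrating the mechanism the abstract describes: a function with a perfectly safe signature wraps a raw-pointer read and a mutable static inside an unsafe block, and a caller that contains no unsafe keyword at all inherits that unsafeness through its call chain. All names (read_unchecked, read_checked, sum_first, UNSAFE_CALLS) and the sample buffer are hypothetical and constructed for the example; the checked wrapper shows the precondition that makes the safe signature honest.

```rust
// Added example (not from the paper). A tiny "library" whose public API
// never requires callers to write `unsafe`, yet whose call chain reaches
// Unsafe Rust. All names here are hypothetical.

/// A mutable global. Every access needs `unsafe` because the compiler
/// cannot rule out data races between threads. Here it only counts how
/// often the unsafe read below is reached.
static mut UNSAFE_CALLS: usize = 0;

/// Hidden Unsafe Rust: reads `buf[i]` through a raw pointer with no bounds
/// check. The signature is safe, so callers need no `unsafe` block, but the
/// function is only sound when `i < buf.len()`. Nothing in the type system
/// enforces that precondition.
pub fn read_unchecked(buf: &[u32], i: usize) -> u32 {
    unsafe {
        UNSAFE_CALLS += 1; // writing a `static mut` requires unsafe
        *buf.as_ptr().add(i) // raw-pointer arithmetic and dereference
    }
}

/// Hardened wrapper: establishes the precondition before entering the
/// unsafe code, so an out-of-range index yields `None` instead of reading
/// past the end of the buffer.
pub fn read_checked(buf: &[u32], i: usize) -> Option<u32> {
    if i < buf.len() {
        Some(read_unchecked(buf, i))
    } else {
        None
    }
}

/// Contains no `unsafe` keyword, yet `read_unchecked` is in its call chain:
/// this is the propagation of unsafeness the abstract describes. Auditing
/// this function alone reveals nothing; `n > buf.len()` is undefined behavior.
pub fn sum_first(buf: &[u32], n: usize) -> u32 {
    (0..n).map(|i| read_unchecked(buf, i)).sum()
}

/// Same computation through the checked wrapper. The unsafe code is still in
/// the call chain, but its precondition is now guaranteed by the wrapper.
pub fn sum_first_checked(buf: &[u32], n: usize) -> Option<u32> {
    let mut total = 0u32;
    for i in 0..n {
        total += read_checked(buf, i)?;
    }
    Some(total)
}

/// Reading a `static mut` by value also requires `unsafe`.
pub fn unsafe_call_count() -> usize {
    unsafe { UNSAFE_CALLS }
}

fn main() {
    let data = [1u32, 2, 3, 4]; // constructed sample input
    println!("sum_first(&data, 4)          = {}", sum_first(&data, 4));
    println!("sum_first_checked(&data, 10) = {:?}", sum_first_checked(&data, 10));
    println!("unsafe reads performed       = {}", unsafe_call_count());
}
```

A grep for the unsafe keyword over the calling code finds nothing in sum_first or sum_first_checked; only a call-graph walk that marks every function reachable from an unsafe block reveals that both depend on Unsafe Rust, which is exactly the kind of propagation analysis the abstract argues the compiler and package repository should surface to developers.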
