ABSTRACT
Rust, a new systems programming language, provides compile-time memory safety checks to help eliminate runtime bugs that manifest from improper memory management. This feature is advantageous for operating system development, and especially for embedded OS development, where recovery and debugging are particularly challenging. However, embedded platforms are highly event-based, and Rust's memory safety mechanisms largely presume threads. In our experience developing an operating system for embedded systems in Rust, we have found that Rust's ownership model prevents otherwise safe resource sharing common in the embedded domain, conflicts with the reality of hardware resources, and hinders using closures for programming asynchronously. We describe these experiences and how they relate to memory safety as well as illustrate our workarounds that preserve the safety guarantees to the largest extent possible. In addition, we draw from our experience to propose a new language extension to Rust that would enable it to provide better memory safety tools for event-driven platforms.
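As an added illustration of the kind of workaround the abstract alludes to (this is constructed example code, not code from the paper or the OS it describes), the following Rust block shares a receive buffer between an interrupt handler and a client callback through a take-style cell, so no `&'static mut` is needed and a re-entrant request is refused rather than aliased. `TakeCell` and `Uart` are names chosen here, and the driver is a deliberately minimal stand-in for a real peripheral.

```rust
use std::cell::Cell; // core::cell::Cell in a no_std kernel

/// Hands a resource to exactly one event handler at a time. Handlers only
/// hold `&self`, so no `&'static mut` is needed; a re-entrant request while
/// the resource is out gets `None` instead of a second, aliasing `&mut`.
pub struct TakeCell<T> {
    slot: Cell<Option<T>>,
}

impl<T> TakeCell<T> {
    pub fn new(value: T) -> Self { TakeCell { slot: Cell::new(Some(value)) } }
    /// Exclusive access for the duration of `f`; the value is then put back.
    pub fn map<R>(&self, f: impl FnOnce(&mut T) -> R) -> Option<R> {
        let mut v = self.slot.take()?;
        let r = f(&mut v);
        self.slot.set(Some(v));
        Some(r)
    }
}

/// Constructed event-driven receive path: an interrupt handler fills the
/// buffer and a client callback drains it, both through a shared `&Uart`.
pub struct Uart {
    rx_buf: TakeCell<[u8; 8]>,
    rx_len: Cell<usize>,
}

impl Uart {
    pub fn new() -> Self { Uart { rx_buf: TakeCell::new([0; 8]), rx_len: Cell::new(0) } }
    /// ISR side: copy received bytes in; `false` means the buffer was busy.
    pub fn on_rx_interrupt(&self, bytes: &[u8]) -> bool {
        self.rx_buf.map(|buf| {
            let n = bytes.len().min(buf.len());
            buf[..n].copy_from_slice(&bytes[..n]);
            self.rx_len.set(n);
        }).is_some()
    }
    /// Client side: take the received bytes and mark the buffer empty.
    pub fn read(&self) -> Option<Vec<u8>> {
        self.rx_buf.map(|buf| buf[..self.rx_len.replace(0)].to_vec())
    }
    /// The failure mode made explicit: asking for the buffer while a handler
    /// already holds it is refused rather than aliased.
    pub fn reentrant_access_refused(&self) -> bool {
        self.rx_buf.map(|_| self.rx_buf.map(|_| ()).is_none()).unwrap_or(false)
    }
}
```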