A Lightweight Formalism for Reference Lifetimes and Borrowing in Rust

Author:
David J. Pearce

Victoria University of Wellington, Wellington, New Zealand

Victoria University of Wellington, Wellington, New Zealand

0000-0003-4535-9677
View Profile

ACM Transactions on Programming Languages and Systems Volume 43 Issue 1Article No.: 3pp 1–73https://doi.org/10.1145/3443420

Published:17 April 2021Publication History

ACM Transactions on Programming Languages and Systems

Abstract

Rust is a relatively new programming language that has gained significant traction since its v1.0 release in 2015. Rust aims to be a systems language that competes with C/C++. A claimed advantage of Rust is a strong focus on memory safety without garbage collection. This is primarily achieved through two concepts, namely, reference lifetimes and borrowing. Both of these are well-known ideas stemming from the literature on region-based memory management and linearity/uniqueness. Rust brings both of these ideas together to form a coherent programming model. Furthermore, Rust has a strong focus on stack-allocated data and, like C/C++ but unlike Java, permits references to local variables.

Type checking in Rust can be viewed as a two-phase process: First, a traditional type checker operates in a flow-insensitive fashion; second, a borrow checker enforces an ownership invariant using a flow-sensitive analysis. In this article, we present a lightweight formalism that captures these two phases using a flow-sensitive type system that enforces “type and borrow safety.” In particular, programs that are type and borrow safe will not attempt to dereference dangling pointers. Our calculus core captures many aspects of Rust, including copy- and move-semantics, mutable borrowing, reborrowing, partial moves, and lifetimes. In particular, it remains sufficiently lightweight to be easily digested and understood and, we argue, still captures the salient aspects of reference lifetimes and borrowing. Furthermore, extensions to the core can easily add more complex features (e.g., control-flow, tuples, method invocation). We provide a soundness proof to verify our key claims of the calculus. We also provide a reference implementation in Java with which we have model checked our calculus using over 500B input programs. We have also fuzz tested the Rust compiler using our calculus against 2B programs and, to date, found one confirmed compiler bug and several other possible issues.

References

A. Aiken, M. Fähndrich, and R. Levien. 1995. Better static memory management: Improving region-based analysis of higher-order languages. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI’95). 174--185.Google Scholar
Jonathan Aldrich, Valentin Kostadinov, and Craig Chambers. 2002. Alias annotations for program understanding. In Proceedings of the ACM Conference on Object-oriented Programming, Systems, Languages and Applications (OOPSLA’02). ACM, 311--330.Google ScholarDigital Library
Paulo Sérgio Almeida. 1997. Balloon types: Controlling sharing of state in data types. In Proceedings of the European Conference on Object-oriented Programming (ECOOP’97). Springer-Verlag, 32--59.Google ScholarCross Ref
Brian Anderson, Lars Bergstrom, Manish Goregaokar, Josh Matthews, Keegan McAllister, Jack Moffitt, and Simon Sapin. 2016. Engineering the servo web browser engine using Rust. In Proceedings of the International Conference of Software Engineering (ICSE’16). ACM Press, 81--89.Google ScholarDigital Library
Chris Andreae, James Noble, Yvonne Coady, Celina Gibbs, Jan Vitek, and Tian Zhao. 2006. STARS: Scoped types and aspects for real-time systems. In Proceedings of the European Conference on Object-oriented Programming (ECOOP’06). 1--44.Google Scholar
Vytautas Astrauskas, Peter Müller, Federico Poli, and Alexander J. Summers. 2019. Leveraging Rust types for modular specification and verification. In Proceedings of the ACM Conference on Object-oriented Programming, Systems, Languages and Applications (OOPSLA’19). ACM Press.Google Scholar
Thibaut Balabonski, François Pottier, and Jonathan Protzenko. 2016. The design and formalization of Mezzo, a permission-based programming language. ACM Trans. Prog. Lang. Syst. 38, 4 (2016), 14:1–14:94.Google ScholarDigital Library
Abhiram Balasubramanian, Marek S. Baranowski, Anton Burtsev, Aurojit Panda, Zvonimir Rakamari, and Leonid Ryzhyk. 2017. System programming in Rust: Beyond safety. Op. Syst. Rev. 51, 1 (2017), 94--99.Google ScholarDigital Library
A. Banerjee, N. Heintze, and J. G. Riecke. 1999. Region analysis and the polymorphic lambda calculus. In Proceedings of the ACM/IEEE Symposium on Logic In Computer Science (LICS’99). IEEE Computer Society Press, 88--97.Google Scholar
Marek Baranowski, Shaobo He, and Zvonimir Rakamarić. 2018. Verifying Rust programs with SMACK. In Automated Technology for Verification and Analysis. Springer-Verlag, 528--535.Google Scholar
Erik Barendsen and Sjaak Smetsers. 1996. Uniqueness typing for functional languages with graph rewriting semantics. Math. Struct. Comput. Sci. 6, 6 (1996), 579--612.Google ScholarCross Ref
M. Barnett, B. Evan Chang, R. DeLine, B. Jacobs, and K. R. M. Leino. 2006. Boogie: A modular reusable verifier for object-oriented programs. In Proceedings of the Conference on Formal Methods for Components and Objects (FMCO’06). 364--387.Google ScholarDigital Library
Mike Barnett, Robert DeLine, Manuel Fähndrich, K. Rustan M. Leino, and Wolfram Schulte. 2004. Verification of object-oriented programs with invariants. J. Object Technol. 3, 6 (2004), 27--56.Google ScholarCross Ref
William S. Beebee, Jr. and Martin Rinard. 2001. An implementation of scoped memory for real-time Java. In Proceedings of the 1st International Workshop on Embedded Software (EMSOFT’01). Springer-Verlag, 289--305.Google Scholar
Jean-Philippe Bernardy, Mathieu Boespflug, Ryan R. Newton, Simon Peyton Jones, and Arnaud Spiwack. 2018. Linear Haskell: Practical linearity in a higher-order polymorphic language. Proc. ACM Prog. Lang. 2, POPL (2018), 5:1–5:29.Google ScholarDigital Library
G. M. Bierman and M. J. Parkinson. 2003. Effects and effect inference for a core Java calculus. Electron. Notes Comput. Sci. 82, 8 (2003), 1--26.Google Scholar
Jim Blandy and Jason Ordendorff. 2018. Programming Rust. O’Reilly.Google Scholar
François Bobot, Jean-Christophe Filliâtre, Claude Marché, and Andrei Paskevich. 2011. Why3: Shepherd your herd of provers. In Proceedings of the Workshop on Intermediate Verification Languages (BOOGIE’11).Google Scholar
Robert Bocchino, Vikram Adve, Sarita Adve, and Marc Snir. 2009. Parallel programming must be deterministic by default. In Proceedings of the Workshop on Hot Topics in Parallelism (HotPar’09).Google Scholar
Gregory Bollella, Ben Brosgol, Peter Dibble, Steve Furr, James Gosling, David Hardin, and Mark Turnbull. 2000. The Real-time Specification for Java. Addison-Wesley.Google ScholarDigital Library
Chandrasekhar Boyapati, Robert Lee, and Martin Rinard. 2002. Ownership types for safe programming: Preventing data races and deadlocks. In Proceedings of the ACM Conference on Object-oriented Programming, Systems, Languages and Applications (OOPSLA’02). ACM Press, 211--230.Google ScholarDigital Library
Chandrasekhar Boyapati and Martin Rinard. 2001. A parameterized type system for race-free Java programs. In Proceedings of the ACM Conference on Object-oriented Programming, Systems, Languages and Applications (OOPSLA’01). 56--69.Google ScholarDigital Library
John Boyland. 2001. Alias burying: Unique variables without destructive reads. Softw.—Pract. Exper. 31, 6 (May 2001), 533--553.Google Scholar
John Boyland. 2003. Checking interference with fractional permissions. In Proceedings of the Static Analysis Symposium (SAS’03) (LNCS, Vol. 2694). Springer-Verlag, 55--72.Google ScholarCross Ref
John Boyland. 2003. Connecting effects and uniqueness with adoption. In Proceedings of the Workshop on Aliasing, Capabilities and Ownership (IWACO’03) (UU-CS). Utrecht University, 42--57.Google Scholar
Juan Caballero, Gustavo Grieco, Mark Marron, and Antonio Nappa. 2012. Undangle: Early detection of dangling pointers in use-after-free and double-free vulnerabilities. In Proceedings of the International Symposium on Software Testing and Analysis (ISSTA’12). ACM Press, 133--143.Google ScholarDigital Library
Cristian Cadar, Daniel Dunbar, and Dawson Engler. 2008. KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs. In Proceedings of the Conference on Operating Systems Design and Implementation (OSDI’08). 209--224.Google Scholar
Cristiano Calcagno. 2001. Stratified operational semantics for safety and correctness of region calculus. In Proceedings of the ACM Symposium on the Principles of Programming Languages (POPL’01). ACM Press, 155--165.Google ScholarDigital Library
Nicholas Robert Cameron, James Noble, and Tobias Wrigstad. 2010. Tribal ownership. In Proceedings of the ACM Conference on Object-oriented Programming, Systems, Languages and Applications (OOPSLA’10). 618--633.Google ScholarDigital Library
Kartik Chandra and Rastislav Bodík. 2018. Bonsai: Synthesis-based reasoning for type systems. Proc. ACM Prog. Lang. 2, POPL (2018), 62:1–62:34.Google ScholarDigital Library
P. Charles, C. Grothoff, V. Saraswat, C. Donawa, A. Kielstra, K. Ebcioglu, C. Praun, and V. Sarkar. 2005. X10: An object-oriented approach to non-uniform cluster computing. In Proceedings of the ACM Conference on Object-oriented Programming, Systems, Languages and Applications (OOPSLA’05). 519--538.Google Scholar
Wei-Ngan Chin, Florin Craciun, Shengchao Qin, and Martin C. Rinard. 2004. Region inference for an object-oriented language. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI’04). ACM Press, 243--254.Google Scholar
Morten V. Christiansen, Fritz Henglein, Henning Niss, and Per Velschow. 1998. Safe Region-based Memory Management for Objects. Technical Report. DIKU, University of Copenhagen.Google Scholar
Koen Claessen, Jonas Duregård, and Michal H. Palka. 2015. Generating constrained random data with uniform distribution. J. Funct. Prog. 25 (2015), e8.Google ScholarCross Ref
Dave Clarke and Sophia Drossopoulou. 2002. Ownership, encapsulation, and the disjointness of type and effect. In Proceedings of the ACM Conference on Object-oriented Programming, Systems, Languages and Applications (OOPSLA’02). 292--310.Google ScholarDigital Library
Dave Clarke, James Noble, and Tobias Wrigstad. 2012. Aliasing in Object-oriented Programming (LNCS, Vol. 7850). Springer.Google Scholar
David Clarke, John Potter, and James Noble. 1998. Ownership types for flexible alias protection. In Proceedings of the ACM Conference on Object-oriented Programming, Systems, Languages and Applications (OOPSLA’98). 48--64.Google ScholarDigital Library
David Clarke and Tobias Wrigstad. 2003. External uniqueness is unique enough. In Proceedings of the European Conference on Object-oriented Programming (ECOOP’03). 176--200.Google ScholarCross Ref
Hoang-Hai Dang, Jacques-Henri Jourdan, Jan-Oliver Kaiser, and Derek Dreyer. 2020. RustBelt meets relaxed memory. In Proceedings of the ACM Symposium on the Principles of Programming Languages (POPL’20).Google ScholarDigital Library
L. de Moura and N. Bjørner. 2008. Z3: An efficient SMT solver. In Proceedings of the Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’08). 337--340.Google Scholar
Kyle Dewey, Jared Roesch, and Ben Hardekopf. 2015. Fuzzing the rust typechecker using CLP (T). In Proceedings of the Conference on Automated Software Engineering (ASE’15). IEEE Computer Society Press, 482--493.Google ScholarDigital Library
Ivaylo Donchev and Emilia Todorova. 2015. Implementation of binary search trees via smart pointers. Int. J. Adv. Comput. Sci. Applic. 6, 3 (2015).Google Scholar
Jonas Duregård, Patrik Jansson, and Meng Wang. 2012. Feat: Functional enumeration of algebraic types. In Proceedings of the ACM Symposium on Haskell. ACM Press, 61--72.Google ScholarDigital Library
C. Dymnikov, D. J. Pearce, and A. Potanin. 2013. OwnKit: Inferring modularly checkable ownership annotations for Java. In Proceedings of the Australasian Software Engineering Conference (ASWEC’13). 181--190.Google Scholar
Martin Elsman. 2003. Garbage collection safety for region-based memory management. In Proceedings of the Workshop on Types in Languages Design and Implementation (TLDI’03). ACM Press, 123--134.Google ScholarDigital Library
Manuel Fähndrich and Rob DeLine. 2002. Adoption and focus: Practical linear types for imperative programming. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI’02). 13--24.Google ScholarDigital Library
Josselin Feist, Laurent Mounier, and Marie-Laure Potet. 2014. Statically detecting use after free on binary code. J. Comput. Virol. Hack. Tech. 10, 3 (2014), 211--217.Google ScholarCross Ref
Jean-Christophe Filliâtre, Léon Gondelman, and Andrei Paskevich. 2016. A Pragmatic Type System for Deductive Verification. Technical Report. Laboratoire de Recherche en Informatique, Inria Sacla.Google Scholar
Matthew Fluet, Greg Morrisett, and Amal J. Ahmed. 2006. Linear regions are all you need. In Proceedings of the European Symposium on Programming (ESOP’06) (LNCS, Vol. 3924). Springer-Verlag, 7--21.Google Scholar
Prodromos Gerakios, Nikolaos Papaspyrou, and Konstantinos Sagonas. 2010. Race-free and memory-safe multithreading: Design and implementation in cyclone. In Proceedings of the Workshop on Types in Languages Design and Implementation (TLDI’10). ACM Press, 15--26.Google ScholarDigital Library
Jean-Yves Girard. 1987. Linear logic. Theoret. Comput. Sci. 50 (1987), 1--102.Google ScholarDigital Library
Colin S. Gordon, Matthew J. Parkinson, Jared Parsons, Aleks Bromfield, and Joe Duffy. 2012. Uniqueness and reference immutability for safe parallelism. In Proceedings of the ACM Conference on Object-oriented Programming, Systems, Languages and Applications (OOPSLA’12). ACM Press, 21--40.Google ScholarDigital Library
Dan Grossman. 2003. Type-safe multithreading in Cyclone. In Proceedings of the Workshop on Types in Languages Design and Implementation (TLDI’03). ACM Press, 13--25.Google ScholarDigital Library
Dan Grossman, J. Gregory Morrisett, Trevor Jim, Michael W. Hicks, Yanling Wang, and James Cheney. 2002. Region-based memory management in cyclone. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI’02). ACM, 282--293.Google ScholarDigital Library
Niels Hallenberg, Martin Elsman, and Mads Tofte. 2002. Combining region inference and garbage collection. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI’02). ACM Press, 141--152.Google ScholarDigital Library
Philipp Haller and Martin Odersky. 2010. Capabilities for uniqueness and borrowing. In Proceedings of the European Conference on Object-oriented Programming (ECOOP’10). Springer-Verlag, 354--378.Google ScholarCross Ref
Hamza Hamza and Steve Counsell. 2012. Region-based RTSJ memory management: State of the art. Sci. Comput. Prog. 77, 5 (2012), 644--659.Google ScholarDigital Library
Dana Harrington. 2006. Uniqueness logic. Theoret. Comput. Sci. 354, 1 (2006), 24--41.Google ScholarDigital Library
Simon Helsen and Peter Thiemann. 2000. Syntactic type soundness for the region calculus. In Proceedings of the Workshop on Higher Order Operational Techniques in Semantics (HOOTS’00) (Electronic Notes in Computer Science), Vol. 41(3). Elsevier, 1--20.Google Scholar
Fritz Henglein, Henning Makholm, and Henning Niss. 2001. A direct approach to control-flow sensitive region-based memory management. In Proceedings of the Symposium on Principles and Practice of Declarative Programming (PPDP’01). 175--186.Google ScholarDigital Library
Michael Hicks, Greg Morrisett, Dan Grossman, and Trevor Jim. 2004. Experience with safe manual memory-management in cyclone. In Proceedings of the International Symposium on Memory Management (ISMM’04). ACM Press, 73--84.Google ScholarDigital Library
John Hogg. 1991. Islands: Aliasing protection in object-oriented languages. In Proceedings of the ACM Conference on Object-oriented Programming, Systems, Languages and Applications (OOPSLA’91). 271--285.Google ScholarDigital Library
A. Igarashi, B. Pierce, and P. Wadler. 2001. Featherweight Java: A minimal core calculus for Java and GJ. ACM Trans. Prog. Lang. Syst. 23, 3 (May 2001), 396--459.Google ScholarDigital Library
Nicholas Jacek, Meng-Chieh Chiu, Benjamin M. Marlin, and Eliot Moss. 2016. Assessing the limits of program-specific garbage collection performance. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI’16). ACM Press, 584--598.Google ScholarDigital Library
Daniel Jackson and Craig Damon. 1996. Elements of style: Analyzing a software design feature with a counterexample detector. IEEE Trans. Softw. Eng. 22, 7 (1996), 484--495.Google ScholarDigital Library
Thomas Bracht Laumann Jespersen, Philip Munksgaard, and Ken Friis Larsen. 2015. Session types for Rust. In Proceedings of the Workshop on Generic Programming (WGP’15). 13--22.Google ScholarDigital Library
Trevor Jim, J. Greg Morrisett, Dan Grossman, Michael W. Hicks, James Cheney, and Yanling Wang. 2002. Cyclone: A safe dialect of C. In Proceedings of the USENIX Technical Conference. 275--288.Google Scholar
Robert L. Bocchino Jr., Vikram S. Adve, Danny Dig, Sarita V. Adve, Stephen Heumann, Rakesh Komuravelli, Jeffrey Overbey, Patrick Simmons, Hyojin Sung, and Mohsen Vakilian. 2009. A type and effect system for deterministic parallel Java. In Proceedings of the ACM Conference on Object-oriented Programming, Systems, Languages and Applications (OOPSLA’09). 97--116.Google ScholarDigital Library
Ralf Jung, Hoang-Hai Dang, Jeehoon Kang, and Derek Dreyer. 2020. Stacked borrows: An aliasing model for Rust. In Proceedings of the ACM Symposium on the Principles of Programming Languages (POPL’20).Google ScholarDigital Library
Ralf Jung, Jacques-Henri Jourdan, Robbert Krebbers, and Derek Dreyer. 2018. RustBelt: Securing the foundations of the Rust programming language. In Proceedings of the ACM Symposium on the Principles of Programming Languages (POPL’18). ACM Press, 66:1–66:34.Google ScholarDigital Library
Ralf Jung, Robbert Krebbers, Lars Birkedal, and Derek Dreyer. 2016. Higher-order ghost state. In Proceedings of the ACM International Conference on Functional Programming (ICFP’16). ACM Press, 256--269.Google ScholarDigital Library
Ralf Jung, Robbert Krebbers, Jacques-Henri Jourdan, Ales Bizjak, Lars Birkedal, and Derek Dreyer. 2018. Iris from the ground up: A modular foundation for higher-order concurrent separation logic. J. Funct. Prog. 28 (2018), e20.Google ScholarCross Ref
Jan-Oliver Kaiser, Hoang-Hai Dang, Derek Dreyer, Ori Lahav, and Viktor Vafeiadis. 2017. Strong logic for weak memory: Reasoning about release-acquire consistency in iris. In Proceedings of the European Conference on Object-oriented Programming (ECOOP’17), Vol. 74. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 17:1–17:29.Google Scholar
Casey Klein, John Clements, Christos Dimoulas, Carl Eastlund, Matthias Felleisen, Matthew Flatt, Jay A. McCarthy, Jon Rafkind, Sam Tobin-Hochstadt, and Robert Bruce Findler. 2012. Run your research: On the effectiveness of lightweight mechanization. In Proceedings of the ACM Symposium on the Principles of Programming Languages (POPL’12). ACM Press, 285--296.Google ScholarDigital Library
D. E. Knuth. 1981. The Art of Computer Programming, Volume 2: Seminumerical Algorithms (2nd ed.). Addison-Wesley, Reading.Google Scholar
Naoki Kobayashi. 1999. Quasi-linear types. In Proceedings of the ACM Symposium on the Principles of Programming Languages (POPL’99). ACM Press, 29--42.Google ScholarDigital Library
Daniel Kroening and Michael Tautschnig. 2014. CBMC—C bounded model checker. In Proceedings of the Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’14). Springer-Verlag, 389--391.Google ScholarCross Ref
Amit Levy, Bradford Campbell, Branden Ghena, Daniel B. Giffin, Pat Pannuto, Prabal Dutta, and Philip Levis. 2017. Multiprogramming a 64kB computer safely and efficiently. In Proceedings of the Symposium on Operating System Principles (SOSP’17). ACM Press, 234--251.Google ScholarDigital Library
Amit Levy, Bradford Campbell, Branden Ghena, Pat Pannuto, Prabal Dutta, and Philip Levis. 2017. The case for writing a kernel in Rust. In Proceedings of the Asia-Pacific Workshop on Systems (APSYS’17). ACM, 1:1–1:7.Google ScholarDigital Library
Amit A. Levy, Michael P. Andersen, Bradford Campbell, David E. Culler, Prabal Dutta, Branden Ghena, Philip Levis, and Pat Pannuto. 2015. Ownership is theft: Experiences building an embedded OS in Rust. In Proceedings of the Workshop on Programming Languages and Operating Systems. 21--26.Google ScholarDigital Library
Ondrej Lhoták and Kwok-Chiang Andrew Chung. 2011. Points-to analysis with efficient strong updates. In Proceedings of the ACM Symposium on the Principles of Programming Languages (POPL’11). ACM Press, 3--16.Google ScholarDigital Library
Paley Li, Nicholas Cameron, and James Noble. 2012. Sheep cloning with ownership types. In Proceedings of the Workshop on Foundations of Object-oriented Languages (FOOL’12).Google Scholar
M. Lindner, J. Aparicius, and P. Lindgren. 2018. No panic! Verification of Rust programs by symbolic execution. In Proceedings of the International Conference on Industrial Informatics (INDIN’18). 108--114.Google Scholar
M. Lindner, N. Fitinghoff, J. Eriksson, and P. Lindgren. 2019. Verification of safety functions implemented in Rust—A symbolic execution based approach. In Proceedings of the International Conference on Industrial Informatics (INDIN’19), Vol. 1. 432--439.Google Scholar
Yi Lu and John Potter. 2006. On ownership and accessibility. In Proceedings of the European Conference on Object-oriented Programming (ECOOP’06). Springer-Verlag, 99--123.Google ScholarDigital Library
Nicholas D. Matsakis. 2012. Parallel closures: A new twist on an old idea. In Proceedings of the Workshop on Hot Topics in Parallelism (HotPar’12).Google Scholar
Nicholas D. Matsakis and Thomas R. Gross. 2009. Programming with intervals. In Proceedings of the International Workshop on Languages and Compilers for Parallel Computing. Springer-Verlag, 203--217.Google Scholar
Nicholas D. Matsakis and Thomas R. Gross. 2010. Reflective parallel programming: Extensible and high-level control of runtime, compiler, and application interaction. In Proceedings of the Workshop on Hot Topics in Parallelism (HotPar’10).Google Scholar
Nicholas D. Matsakis and Thomas R. Gross. 2010. A time-aware type system for data-race protection and guaranteed initialization. In Proceedings of the ACM Conference on Object-oriented Programming, Systems, Languages and Applications (OOPSLA’10). ACM Press, 634--651.Google Scholar
Yusuke Matsushita, Takeshi Tsukada, and Naoki Kobayashi. 2020. RustHorn: CHC-based verification for Rust programs. In Programming Languages and Systems. Springer-Verlag, 484--514.Google Scholar
Kayvan Memarian, Victor B. F. Gomes, Brooks Davis, Stephen Kell, Alexander Richardson, Robert N. M. Watson, and Peter Sewell. 2019. Exploring C semantics and pointer provenance. In Proceedings of the ACM Symposium on the Principles of Programming Languages (POPL’19). 67:1–67:32.Google ScholarDigital Library
Scott Meyers. 1994. Effective C++. Addison-Wesley.Google Scholar
R. Milner. 1978. A theory of type polymorphism in programming. J. Comput. Syst. Sci. 17 (1978), 348--375.Google ScholarCross Ref
P. Müller. 2002. Modular Specification and Verification of Object-oriented Programs (LNCS, Vol. 2262).Google Scholar
P. Müller, M. Schwerhoff, and A. J. Summers. 2016. Viper: A verification infrastructure for permission-based reasoning. In Proceedings of the Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI’16). 41--62.Google Scholar
Vikram Narayanan, Marek S. Baranowski, Leonid Ryzhyk, Zvonimir Rakamarić, and Anton Burtsev. 2019. RedLeaf: Towards an operating system for safe and verified firmware. In Proceedings of the Workshop on Hot Topics in Operating Systems (HotOS’19). ACM Press, 37--44.Google ScholarDigital Library
Flemming Nielson, Hanne R. Nielson, and Chris L. Hankin. 1999. Principles of Program Analysis. Springer-Verlag.Google ScholarDigital Library
James Noble, David G. Clarke, and John Potter. 1999. Object ownership for dynamic alias protection. In Proceedings of the IEEE Conference on Technology of Object-oriented Languages and Systems. IEEE Computer Society Press, 176--187.Google ScholarCross Ref
James Noble, Jan Vitek, and John Potter. 1998. Flexible alias protection. In Proceedings of the European Conference on Object-oriented Programming (ECOOP’98) (LNCS, Vol. 1445). Springer-Verlag, 158--185.Google ScholarCross Ref
Liam O’Connor, Zilin Chen, Christine Rizkallah, Sidney Amani, Japheth Lim, Toby C. Murray, Yutaka Nagashima, Thomas Sewell, and Gerwin Klein. 2016. Refinement through restraint: Bringing down the cost of verification. In Proceedings of the ACM International Conference on Functional Programming (ICFP’16). ACM Press, 89--102.Google ScholarDigital Library
Johan Östlund, Tobias Wrigstad, Dave Clarke, and Beatrice Åkerblom. 2008. Ownership, uniqueness and immutability. In Proceedings of the Conference on Technology of Object-oriented Languages and Systems (TOOLS Europe’08).Google ScholarCross Ref
D. J. Pearce. 2005. Some Directed Graph Algorithms and Their Application to Pointer Analysis. Ph.D. Dissertation. Imperial College, London.Google Scholar
Quan Phan and Gerda Janssens. 2007. Static region analysis for mercury. In Proceedings of the ACM International Conference on Logic Programming (ICLP’07) (LNCS, Vol. 4670). Springer-Verlag, 317--332.Google ScholarCross Ref
B. C. Pierce. 2002. Types and Programming Languages. The MIT Press.Google ScholarDigital Library
Robert Pollack. 1998. How to believe a machine-checked proof. In Twenty Five Years of Constructive Type Theory, G. Sambin and J. Smith (Eds.). Oxford University Press.Google Scholar
Alex Potanin, James Noble, Dave Clarke, and Robert Biddle. 2006. Generic ownership. In Proceedings of the ACM Conference on Object-oriented Programming, Systems, Languages and Applications (OOPSLA’06). ACM Press.Google Scholar
Alex Potanin, James Noble, Tian Zhao, and Jan Vitek. 2005. A high integrity profile for memory safe programming in real-time Java. In Proceedings of the Workshop on Java Technologies for Real-time and Embedded Systems (JTRES’05).Google Scholar
Feng Qian and Laurie Hendren. 2002. An adaptive, region-based allocator for Java. In Proceedings of the International Symposium on Memory Management (ISMM’02). ACM Press, 127--138.Google ScholarDigital Library
Boqin Qin, Yilun Chen, Zeming Yu, Linhai Song, and Yiying Zhang. 2020. Understanding memory and thread safety practices and issues in real-world Rust programs. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI’20). ACM Press, 763--779.Google ScholarDigital Library
Erik Reed. 2015. Patina: A Formalization of the Rust Programming Language. Technical Report. University of Washington.Google Scholar
Michael Roberson, Melanie Harries, Paul T. Darga, and Chandrasekhar Boyapati. 2008. Efficient software model checking of soundness of type systems. In Proceedings of the ACM Conference on Object-oriented Programming, Systems, Languages and Applications (OOPSLA’08). ACM Press, 493--504.Google ScholarDigital Library
Grigore Rosu and Traian-Florin Serbanuta. 2010. An overview of the K semantic framework. J. Logic Algeb. Prog. 79, 6 (2010), 397--434.Google ScholarCross Ref
Rust Team. [n.d.]. Rust Homepage. Retrieved from www.rust-lang.org.Google Scholar
Rust Team. [n.d.]. The Rust Programming Language. Retrieved from doc.rust-lang.org/book/.Google Scholar
Rust Team. [n.d.]. The Rustonomicon—The Dark Arts of Advanced and Unsafe Rust Programming. Retrieved from doc.rust-lang.org/nomicon/.Google Scholar
Konstantin Serebryany, Derek Bruening, Alexander Potapenko, and Dmitriy Vyukov. 2012. AddressSanitizer: A fast address sanity checker. In Proceedings of the USENIX Technical Conference. 309--318.Google Scholar
Marco Servetto, D. J. Pearce, and Lindsay Groves. 2013. Balloon types for safe parallelisation over arbitrary object graphs. In Proceedings of the Workshop on Determinism and Correctness in Parallel Programming (WODET’13).Google Scholar
Sriram Srinivasan and Alan Mycroft. 2008. Kilim: Isolation-typed actors for Java. In Proceedings of the European Conference on Object-oriented Programming (ECOOP’08). 104--128.Google ScholarDigital Library
Evgeniy Stepanov and Konstantin Serebryany. 2015. MemorySanitizer: Fast detector of uninitialized memory use in C++. In Proceedings of the Conference on Code Generation and Optimisation (CGO’15). IEEE Computer Society Press, 46--55.Google Scholar
R. Strom and S. Yemini. 1986. Typestate: A programming language concept for enhancing software reliability. IEEE Trans. Softw. Eng. 12, 1 (1986), 157--171.Google ScholarDigital Library
Robert E. Strom and Daniel M. Yellin. 1993. Extending typestate checking using conditional liveness analysis. IEEE Trans. Softw. Eng. 19, 5 (1993), 478--485.Google ScholarDigital Library
David Svoboda and Lutz Wrage. 2014. Pointer ownership model. In Proceedings of the Hawaii International Conference on System Sciences (HICSS’14). IEEE Computer Society Press, 5090--5099.Google ScholarDigital Library
Nikhil Swamy, Michael Hicks, Greg Morrisett, Dan Grossman, and Trevor Jim. 2006. Safe manual memory management in cyclone. Sci. Comput. Prog. 62, 2 (2006), 122--144.Google ScholarDigital Library
J.-P. Talpin and P. Jouvelot. 1992. Polymorphic type, region, and effect inference. J. Funct. Prog. 2, 3 (1992), 245–271.Google ScholarCross Ref
Mads Tofte and Lars Birkedal. 1998. A region inference algorithm. ACM Trans. Prog. Lang. Syst. 20, 4 (1998), 734–767.Google ScholarDigital Library
Mads Tofte, Lars Birkedal, Martin Elsman, and Niels Hallenberg. 2004. A retrospective on region-based memory management. High.-order Symb. Comput. 17, 3 (2004), 245--265.Google ScholarDigital Library
Mads Tofte and Jean-Pierre Talpin. 1997. Region-based memory management. Inf. Comput. 132, 2 (1997), 109--176.Google ScholarDigital Library
J. Toman, S. Pernsteiner, and E. Torlak. 2015. Crust: A bounded verifier for Rust. In Proceedings of the Conference on Automated Software Engineering (ASE’15). 75--80.Google Scholar
Mohsen Vakilian, Danny Dig, Robert Bocchino, Jeffrey Overbey, Vikram Adve, and Ralph Johnson. 2009. Inferring method effect summaries for nested heap regions. In Proceedings of the Conference on Automated Software Engineering (ASE’09). 421--432.Google ScholarDigital Library
P. Wadler. 1990. Linear types can change the world!. In Proceedings of the IFIP TC 2 Working Conference on Programming Concepts and Methods. 347--359.Google Scholar
David Walker and Kevin Watkins. 2001. On regions and linear types. In Proceedings of the ACM International Conference on Functional Programming (ICFP’01). 181--192.Google Scholar
F. Wang, F. Song, M. Zhang, X. Zhu, and J. Zhang. 2018. KRust: A formal executable semantics of Rust. In Proceedings of the Symposium on Theoretical Aspects of Software Engineering (TASE’18). 44--51.Google Scholar
Aaron Weiss, Daniel Patterson, Nicholas D. Matsakis, and Amal Ahmed. 2019. Oxide: The Essence of Rust. arxiv:cs.PL/1903.00982 (2019).Google Scholar
A. K. Wright and M. Felleisen. 1994. A syntactic approach to type soundness. Inf. Comput. 115, 1 (1994), 38--94.Google ScholarDigital Library
Tian Zhao, James Noble, and Jan Vitek. 2004. Scoped types for real-time Java. In Proceedings of the Real-time Systems Symposium (RTSS’04). IEEE Computer Society Press, 241--251.Google ScholarDigital Library
Yoav Zibin, Alex Potanin, Paley Li, Mahmood Ali, and Michael D. Ernst. 2010. Ownership and immutability in generic Java. In Proceedings of the ACM Conference on Object-oriented Programming, Systems, Languages and Applications (OOPSLA’10). 598--617.Google Scholar

Index Terms

A Lightweight Formalism for Reference Lifetimes and Borrowing in Rust
1. Software and its engineering
  1. Software notations and tools
    1. Formal language definitions
    2. General programming languages
      1. Language types
        Imperative languages
  2. Software organization and properties
    1. Contextual software domains
      1. Operating systems
        Memory management
2. Theory of computation
  1. Logic
    1. Type theory

Recommendations

RustHorn: CHC-based Verification for Rust Programs
Reduction to satisfiability of constrained Horn clauses (CHCs) is a widely studied approach to automated program verification. Current CHC-based methods, however, do not work very well for pointer-manipulating programs, especially those with dynamic ...
Read More
Leveraging rust types for modular specification and verification

Rust's type system ensures memory safety: well-typed Rust programs are guaranteed to not exhibit problems such as dangling pointers, data races, and unexpected side effects through aliased references. Ensuring correctness properties beyond memory safety,...
Read More
RustBelt: securing the foundations of the Rust programming language

Rust is a new systems programming language that promises to overcome the seemingly fundamental tradeoff between high-level safety guarantees and low-level control over resource management. Unfortunately, none of Rust's safety claims have been formally ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Published in
ACM Transactions on Programming Languages and Systems Volume 43, Issue 1
March 2021
239 pages
ISSN:0164-0925
EISSN:1558-4593
DOI:10.1145/3450362
Editor:
Andrew Myers
Cornell University, USA
Issue’s Table of Contents
Copyright © 2021 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 17 April 2021
- Accepted: 1 December 2020
- Revised: 1 November 2020
- Received: 1 August 2019
Published in toplas Volume 43, Issue 1

Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Rust
model checking
ownership
type theory
Qualifiers
- research-article
- Research
- Refereed
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 10
  Total Citations
  View Citations
- 3,394
  Total Downloads
- Downloads (Last 12 months)1,294
- Downloads (Last 6 weeks)168
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

HTML Format

View this article in HTML Format .

View HTML Format

A Lightweight Formalism for Reference Lifetimes and Borrowing in Rust

ACM Transactions on Programming Languages and Systems

Abstract

References

Cited By

Index Terms

Recommendations

RustHorn: CHC-based Verification for Rust Programs

Leveraging rust types for modular specification and verification

RustBelt: securing the foundations of the Rust programming language