Abstract
Rust is a relatively new programming language that has gained significant traction since its v1.0 release in 2015. Rust aims to be a systems language that competes with C/C++. A claimed advantage of Rust is a strong focus on memory safety without garbage collection. This is primarily achieved through two concepts, namely, reference lifetimes and borrowing. Both of these are well-known ideas stemming from the literature on region-based memory management and linearity/uniqueness. Rust brings both of these ideas together to form a coherent programming model. Furthermore, Rust has a strong focus on stack-allocated data and, like C/C++ but unlike Java, permits references to local variables.
Type checking in Rust can be viewed as a two-phase process: First, a traditional type checker operates in a flow-insensitive fashion; second, a borrow checker enforces an ownership invariant using a flow-sensitive analysis. In this article, we present a lightweight formalism that captures these two phases using a flow-sensitive type system that enforces “type and borrow safety.” In particular, programs that are type and borrow safe will not attempt to dereference dangling pointers. Our calculus core captures many aspects of Rust, including copy- and move-semantics, mutable borrowing, reborrowing, partial moves, and lifetimes. In particular, it remains sufficiently lightweight to be easily digested and understood and, we argue, still captures the salient aspects of reference lifetimes and borrowing. Furthermore, extensions to the core can easily add more complex features (e.g., control-flow, tuples, method invocation). We provide a soundness proof to verify our key claims of the calculus. We also provide a reference implementation in Java with which we have model checked our calculus using over 500B input programs. We have also fuzz tested the Rust compiler using our calculus against 2B programs and, to date, found one confirmed compiler bug and several other possible issues.
- A. Aiken, M. Fähndrich, and R. Levien. 1995. Better static memory management: Improving region-based analysis of higher-order languages. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI’95). 174--185.Google Scholar
- Jonathan Aldrich, Valentin Kostadinov, and Craig Chambers. 2002. Alias annotations for program understanding. In Proceedings of the ACM Conference on Object-oriented Programming, Systems, Languages and Applications (OOPSLA’02). ACM, 311--330.Google ScholarDigital Library
- Paulo Sérgio Almeida. 1997. Balloon types: Controlling sharing of state in data types. In Proceedings of the European Conference on Object-oriented Programming (ECOOP’97). Springer-Verlag, 32--59.Google ScholarCross Ref
- Brian Anderson, Lars Bergstrom, Manish Goregaokar, Josh Matthews, Keegan McAllister, Jack Moffitt, and Simon Sapin. 2016. Engineering the servo web browser engine using Rust. In Proceedings of the International Conference of Software Engineering (ICSE’16). ACM Press, 81--89.Google ScholarDigital Library
- Chris Andreae, James Noble, Yvonne Coady, Celina Gibbs, Jan Vitek, and Tian Zhao. 2006. STARS: Scoped types and aspects for real-time systems. In Proceedings of the European Conference on Object-oriented Programming (ECOOP’06). 1--44.Google Scholar
- Vytautas Astrauskas, Peter Müller, Federico Poli, and Alexander J. Summers. 2019. Leveraging Rust types for modular specification and verification. In Proceedings of the ACM Conference on Object-oriented Programming, Systems, Languages and Applications (OOPSLA’19). ACM Press.Google Scholar
- Thibaut Balabonski, François Pottier, and Jonathan Protzenko. 2016. The design and formalization of Mezzo, a permission-based programming language. ACM Trans. Prog. Lang. Syst. 38, 4 (2016), 14:1–14:94.Google ScholarDigital Library
- Abhiram Balasubramanian, Marek S. Baranowski, Anton Burtsev, Aurojit Panda, Zvonimir Rakamari, and Leonid Ryzhyk. 2017. System programming in Rust: Beyond safety. Op. Syst. Rev. 51, 1 (2017), 94--99.Google ScholarDigital Library
- A. Banerjee, N. Heintze, and J. G. Riecke. 1999. Region analysis and the polymorphic lambda calculus. In Proceedings of the ACM/IEEE Symposium on Logic In Computer Science (LICS’99). IEEE Computer Society Press, 88--97.Google Scholar
- Marek Baranowski, Shaobo He, and Zvonimir Rakamarić. 2018. Verifying Rust programs with SMACK. In Automated Technology for Verification and Analysis. Springer-Verlag, 528--535.Google Scholar
- Erik Barendsen and Sjaak Smetsers. 1996. Uniqueness typing for functional languages with graph rewriting semantics. Math. Struct. Comput. Sci. 6, 6 (1996), 579--612.Google ScholarCross Ref
- M. Barnett, B. Evan Chang, R. DeLine, B. Jacobs, and K. R. M. Leino. 2006. Boogie: A modular reusable verifier for object-oriented programs. In Proceedings of the Conference on Formal Methods for Components and Objects (FMCO’06). 364--387.Google ScholarDigital Library
- Mike Barnett, Robert DeLine, Manuel Fähndrich, K. Rustan M. Leino, and Wolfram Schulte. 2004. Verification of object-oriented programs with invariants. J. Object Technol. 3, 6 (2004), 27--56.Google ScholarCross Ref
- William S. Beebee, Jr. and Martin Rinard. 2001. An implementation of scoped memory for real-time Java. In Proceedings of the 1st International Workshop on Embedded Software (EMSOFT’01). Springer-Verlag, 289--305.Google Scholar
- Jean-Philippe Bernardy, Mathieu Boespflug, Ryan R. Newton, Simon Peyton Jones, and Arnaud Spiwack. 2018. Linear Haskell: Practical linearity in a higher-order polymorphic language. Proc. ACM Prog. Lang. 2, POPL (2018), 5:1–5:29.Google ScholarDigital Library
- G. M. Bierman and M. J. Parkinson. 2003. Effects and effect inference for a core Java calculus. Electron. Notes Comput. Sci. 82, 8 (2003), 1--26.Google Scholar
- Jim Blandy and Jason Ordendorff. 2018. Programming Rust. O’Reilly.Google Scholar
- François Bobot, Jean-Christophe Filliâtre, Claude Marché, and Andrei Paskevich. 2011. Why3: Shepherd your herd of provers. In Proceedings of the Workshop on Intermediate Verification Languages (BOOGIE’11).Google Scholar
- Robert Bocchino, Vikram Adve, Sarita Adve, and Marc Snir. 2009. Parallel programming must be deterministic by default. In Proceedings of the Workshop on Hot Topics in Parallelism (HotPar’09).Google Scholar
- Gregory Bollella, Ben Brosgol, Peter Dibble, Steve Furr, James Gosling, David Hardin, and Mark Turnbull. 2000. The Real-time Specification for Java. Addison-Wesley.Google ScholarDigital Library
- Chandrasekhar Boyapati, Robert Lee, and Martin Rinard. 2002. Ownership types for safe programming: Preventing data races and deadlocks. In Proceedings of the ACM Conference on Object-oriented Programming, Systems, Languages and Applications (OOPSLA’02). ACM Press, 211--230.Google ScholarDigital Library
- Chandrasekhar Boyapati and Martin Rinard. 2001. A parameterized type system for race-free Java programs. In Proceedings of the ACM Conference on Object-oriented Programming, Systems, Languages and Applications (OOPSLA’01). 56--69.Google ScholarDigital Library
- John Boyland. 2001. Alias burying: Unique variables without destructive reads. Softw.—Pract. Exper. 31, 6 (May 2001), 533--553.Google Scholar
- John Boyland. 2003. Checking interference with fractional permissions. In Proceedings of the Static Analysis Symposium (SAS’03) (LNCS, Vol. 2694). Springer-Verlag, 55--72.Google ScholarCross Ref
- John Boyland. 2003. Connecting effects and uniqueness with adoption. In Proceedings of the Workshop on Aliasing, Capabilities and Ownership (IWACO’03) (UU-CS). Utrecht University, 42--57.Google Scholar
- Juan Caballero, Gustavo Grieco, Mark Marron, and Antonio Nappa. 2012. Undangle: Early detection of dangling pointers in use-after-free and double-free vulnerabilities. In Proceedings of the International Symposium on Software Testing and Analysis (ISSTA’12). ACM Press, 133--143.Google ScholarDigital Library
- Cristian Cadar, Daniel Dunbar, and Dawson Engler. 2008. KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs. In Proceedings of the Conference on Operating Systems Design and Implementation (OSDI’08). 209--224.Google Scholar
- Cristiano Calcagno. 2001. Stratified operational semantics for safety and correctness of region calculus. In Proceedings of the ACM Symposium on the Principles of Programming Languages (POPL’01). ACM Press, 155--165.Google ScholarDigital Library
- Nicholas Robert Cameron, James Noble, and Tobias Wrigstad. 2010. Tribal ownership. In Proceedings of the ACM Conference on Object-oriented Programming, Systems, Languages and Applications (OOPSLA’10). 618--633.Google ScholarDigital Library
- Kartik Chandra and Rastislav Bodík. 2018. Bonsai: Synthesis-based reasoning for type systems. Proc. ACM Prog. Lang. 2, POPL (2018), 62:1–62:34.Google ScholarDigital Library
- P. Charles, C. Grothoff, V. Saraswat, C. Donawa, A. Kielstra, K. Ebcioglu, C. Praun, and V. Sarkar. 2005. X10: An object-oriented approach to non-uniform cluster computing. In Proceedings of the ACM Conference on Object-oriented Programming, Systems, Languages and Applications (OOPSLA’05). 519--538.Google Scholar
- Wei-Ngan Chin, Florin Craciun, Shengchao Qin, and Martin C. Rinard. 2004. Region inference for an object-oriented language. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI’04). ACM Press, 243--254.Google Scholar
- Morten V. Christiansen, Fritz Henglein, Henning Niss, and Per Velschow. 1998. Safe Region-based Memory Management for Objects. Technical Report. DIKU, University of Copenhagen.Google Scholar
- Koen Claessen, Jonas Duregård, and Michal H. Palka. 2015. Generating constrained random data with uniform distribution. J. Funct. Prog. 25 (2015), e8.Google ScholarCross Ref
- Dave Clarke and Sophia Drossopoulou. 2002. Ownership, encapsulation, and the disjointness of type and effect. In Proceedings of the ACM Conference on Object-oriented Programming, Systems, Languages and Applications (OOPSLA’02). 292--310.Google ScholarDigital Library
- Dave Clarke, James Noble, and Tobias Wrigstad. 2012. Aliasing in Object-oriented Programming (LNCS, Vol. 7850). Springer.Google Scholar
- David Clarke, John Potter, and James Noble. 1998. Ownership types for flexible alias protection. In Proceedings of the ACM Conference on Object-oriented Programming, Systems, Languages and Applications (OOPSLA’98). 48--64.Google ScholarDigital Library
- David Clarke and Tobias Wrigstad. 2003. External uniqueness is unique enough. In Proceedings of the European Conference on Object-oriented Programming (ECOOP’03). 176--200.Google ScholarCross Ref
- Hoang-Hai Dang, Jacques-Henri Jourdan, Jan-Oliver Kaiser, and Derek Dreyer. 2020. RustBelt meets relaxed memory. In Proceedings of the ACM Symposium on the Principles of Programming Languages (POPL’20).Google ScholarDigital Library
- L. de Moura and N. Bjørner. 2008. Z3: An efficient SMT solver. In Proceedings of the Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’08). 337--340.Google Scholar
- Kyle Dewey, Jared Roesch, and Ben Hardekopf. 2015. Fuzzing the rust typechecker using CLP (T). In Proceedings of the Conference on Automated Software Engineering (ASE’15). IEEE Computer Society Press, 482--493.Google ScholarDigital Library
- Ivaylo Donchev and Emilia Todorova. 2015. Implementation of binary search trees via smart pointers. Int. J. Adv. Comput. Sci. Applic. 6, 3 (2015).Google Scholar
- Jonas Duregård, Patrik Jansson, and Meng Wang. 2012. Feat: Functional enumeration of algebraic types. In Proceedings of the ACM Symposium on Haskell. ACM Press, 61--72.Google ScholarDigital Library
- C. Dymnikov, D. J. Pearce, and A. Potanin. 2013. OwnKit: Inferring modularly checkable ownership annotations for Java. In Proceedings of the Australasian Software Engineering Conference (ASWEC’13). 181--190.Google Scholar
- Martin Elsman. 2003. Garbage collection safety for region-based memory management. In Proceedings of the Workshop on Types in Languages Design and Implementation (TLDI’03). ACM Press, 123--134.Google ScholarDigital Library
- Manuel Fähndrich and Rob DeLine. 2002. Adoption and focus: Practical linear types for imperative programming. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI’02). 13--24.Google ScholarDigital Library
- Josselin Feist, Laurent Mounier, and Marie-Laure Potet. 2014. Statically detecting use after free on binary code. J. Comput. Virol. Hack. Tech. 10, 3 (2014), 211--217.Google ScholarCross Ref
- Jean-Christophe Filliâtre, Léon Gondelman, and Andrei Paskevich. 2016. A Pragmatic Type System for Deductive Verification. Technical Report. Laboratoire de Recherche en Informatique, Inria Sacla.Google Scholar
- Matthew Fluet, Greg Morrisett, and Amal J. Ahmed. 2006. Linear regions are all you need. In Proceedings of the European Symposium on Programming (ESOP’06) (LNCS, Vol. 3924). Springer-Verlag, 7--21.Google Scholar
- Prodromos Gerakios, Nikolaos Papaspyrou, and Konstantinos Sagonas. 2010. Race-free and memory-safe multithreading: Design and implementation in cyclone. In Proceedings of the Workshop on Types in Languages Design and Implementation (TLDI’10). ACM Press, 15--26.Google ScholarDigital Library
- Jean-Yves Girard. 1987. Linear logic. Theoret. Comput. Sci. 50 (1987), 1--102.Google ScholarDigital Library
- Colin S. Gordon, Matthew J. Parkinson, Jared Parsons, Aleks Bromfield, and Joe Duffy. 2012. Uniqueness and reference immutability for safe parallelism. In Proceedings of the ACM Conference on Object-oriented Programming, Systems, Languages and Applications (OOPSLA’12). ACM Press, 21--40.Google ScholarDigital Library
- Dan Grossman. 2003. Type-safe multithreading in Cyclone. In Proceedings of the Workshop on Types in Languages Design and Implementation (TLDI’03). ACM Press, 13--25.Google ScholarDigital Library
- Dan Grossman, J. Gregory Morrisett, Trevor Jim, Michael W. Hicks, Yanling Wang, and James Cheney. 2002. Region-based memory management in cyclone. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI’02). ACM, 282--293.Google ScholarDigital Library
- Niels Hallenberg, Martin Elsman, and Mads Tofte. 2002. Combining region inference and garbage collection. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI’02). ACM Press, 141--152.Google ScholarDigital Library
- Philipp Haller and Martin Odersky. 2010. Capabilities for uniqueness and borrowing. In Proceedings of the European Conference on Object-oriented Programming (ECOOP’10). Springer-Verlag, 354--378.Google ScholarCross Ref
- Hamza Hamza and Steve Counsell. 2012. Region-based RTSJ memory management: State of the art. Sci. Comput. Prog. 77, 5 (2012), 644--659.Google ScholarDigital Library
- Dana Harrington. 2006. Uniqueness logic. Theoret. Comput. Sci. 354, 1 (2006), 24--41.Google ScholarDigital Library
- Simon Helsen and Peter Thiemann. 2000. Syntactic type soundness for the region calculus. In Proceedings of the Workshop on Higher Order Operational Techniques in Semantics (HOOTS’00) (Electronic Notes in Computer Science), Vol. 41(3). Elsevier, 1--20.Google Scholar
- Fritz Henglein, Henning Makholm, and Henning Niss. 2001. A direct approach to control-flow sensitive region-based memory management. In Proceedings of the Symposium on Principles and Practice of Declarative Programming (PPDP’01). 175--186.Google ScholarDigital Library
- Michael Hicks, Greg Morrisett, Dan Grossman, and Trevor Jim. 2004. Experience with safe manual memory-management in cyclone. In Proceedings of the International Symposium on Memory Management (ISMM’04). ACM Press, 73--84.Google ScholarDigital Library
- John Hogg. 1991. Islands: Aliasing protection in object-oriented languages. In Proceedings of the ACM Conference on Object-oriented Programming, Systems, Languages and Applications (OOPSLA’91). 271--285.Google ScholarDigital Library
- A. Igarashi, B. Pierce, and P. Wadler. 2001. Featherweight Java: A minimal core calculus for Java and GJ. ACM Trans. Prog. Lang. Syst. 23, 3 (May 2001), 396--459.Google ScholarDigital Library
- Nicholas Jacek, Meng-Chieh Chiu, Benjamin M. Marlin, and Eliot Moss. 2016. Assessing the limits of program-specific garbage collection performance. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI’16). ACM Press, 584--598.Google ScholarDigital Library
- Daniel Jackson and Craig Damon. 1996. Elements of style: Analyzing a software design feature with a counterexample detector. IEEE Trans. Softw. Eng. 22, 7 (1996), 484--495.Google ScholarDigital Library
- Thomas Bracht Laumann Jespersen, Philip Munksgaard, and Ken Friis Larsen. 2015. Session types for Rust. In Proceedings of the Workshop on Generic Programming (WGP’15). 13--22.Google ScholarDigital Library
- Trevor Jim, J. Greg Morrisett, Dan Grossman, Michael W. Hicks, James Cheney, and Yanling Wang. 2002. Cyclone: A safe dialect of C. In Proceedings of the USENIX Technical Conference. 275--288.Google Scholar
- Robert L. Bocchino Jr., Vikram S. Adve, Danny Dig, Sarita V. Adve, Stephen Heumann, Rakesh Komuravelli, Jeffrey Overbey, Patrick Simmons, Hyojin Sung, and Mohsen Vakilian. 2009. A type and effect system for deterministic parallel Java. In Proceedings of the ACM Conference on Object-oriented Programming, Systems, Languages and Applications (OOPSLA’09). 97--116.Google ScholarDigital Library
- Ralf Jung, Hoang-Hai Dang, Jeehoon Kang, and Derek Dreyer. 2020. Stacked borrows: An aliasing model for Rust. In Proceedings of the ACM Symposium on the Principles of Programming Languages (POPL’20).Google ScholarDigital Library
- Ralf Jung, Jacques-Henri Jourdan, Robbert Krebbers, and Derek Dreyer. 2018. RustBelt: Securing the foundations of the Rust programming language. In Proceedings of the ACM Symposium on the Principles of Programming Languages (POPL’18). ACM Press, 66:1–66:34.Google ScholarDigital Library
- Ralf Jung, Robbert Krebbers, Lars Birkedal, and Derek Dreyer. 2016. Higher-order ghost state. In Proceedings of the ACM International Conference on Functional Programming (ICFP’16). ACM Press, 256--269.Google ScholarDigital Library
- Ralf Jung, Robbert Krebbers, Jacques-Henri Jourdan, Ales Bizjak, Lars Birkedal, and Derek Dreyer. 2018. Iris from the ground up: A modular foundation for higher-order concurrent separation logic. J. Funct. Prog. 28 (2018), e20.Google ScholarCross Ref
- Jan-Oliver Kaiser, Hoang-Hai Dang, Derek Dreyer, Ori Lahav, and Viktor Vafeiadis. 2017. Strong logic for weak memory: Reasoning about release-acquire consistency in iris. In Proceedings of the European Conference on Object-oriented Programming (ECOOP’17), Vol. 74. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 17:1–17:29.Google Scholar
- Casey Klein, John Clements, Christos Dimoulas, Carl Eastlund, Matthias Felleisen, Matthew Flatt, Jay A. McCarthy, Jon Rafkind, Sam Tobin-Hochstadt, and Robert Bruce Findler. 2012. Run your research: On the effectiveness of lightweight mechanization. In Proceedings of the ACM Symposium on the Principles of Programming Languages (POPL’12). ACM Press, 285--296.Google ScholarDigital Library
- D. E. Knuth. 1981. The Art of Computer Programming, Volume 2: Seminumerical Algorithms (2nd ed.). Addison-Wesley, Reading.Google Scholar
- Naoki Kobayashi. 1999. Quasi-linear types. In Proceedings of the ACM Symposium on the Principles of Programming Languages (POPL’99). ACM Press, 29--42.Google ScholarDigital Library
- Daniel Kroening and Michael Tautschnig. 2014. CBMC—C bounded model checker. In Proceedings of the Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’14). Springer-Verlag, 389--391.Google ScholarCross Ref
- Amit Levy, Bradford Campbell, Branden Ghena, Daniel B. Giffin, Pat Pannuto, Prabal Dutta, and Philip Levis. 2017. Multiprogramming a 64kB computer safely and efficiently. In Proceedings of the Symposium on Operating System Principles (SOSP’17). ACM Press, 234--251.Google ScholarDigital Library
- Amit Levy, Bradford Campbell, Branden Ghena, Pat Pannuto, Prabal Dutta, and Philip Levis. 2017. The case for writing a kernel in Rust. In Proceedings of the Asia-Pacific Workshop on Systems (APSYS’17). ACM, 1:1–1:7.Google ScholarDigital Library
- Amit A. Levy, Michael P. Andersen, Bradford Campbell, David E. Culler, Prabal Dutta, Branden Ghena, Philip Levis, and Pat Pannuto. 2015. Ownership is theft: Experiences building an embedded OS in Rust. In Proceedings of the Workshop on Programming Languages and Operating Systems. 21--26.Google ScholarDigital Library
- Ondrej Lhoták and Kwok-Chiang Andrew Chung. 2011. Points-to analysis with efficient strong updates. In Proceedings of the ACM Symposium on the Principles of Programming Languages (POPL’11). ACM Press, 3--16.Google ScholarDigital Library
- Paley Li, Nicholas Cameron, and James Noble. 2012. Sheep cloning with ownership types. In Proceedings of the Workshop on Foundations of Object-oriented Languages (FOOL’12).Google Scholar
- M. Lindner, J. Aparicius, and P. Lindgren. 2018. No panic! Verification of Rust programs by symbolic execution. In Proceedings of the International Conference on Industrial Informatics (INDIN’18). 108--114.Google Scholar
- M. Lindner, N. Fitinghoff, J. Eriksson, and P. Lindgren. 2019. Verification of safety functions implemented in Rust—A symbolic execution based approach. In Proceedings of the International Conference on Industrial Informatics (INDIN’19), Vol. 1. 432--439.Google Scholar
- Yi Lu and John Potter. 2006. On ownership and accessibility. In Proceedings of the European Conference on Object-oriented Programming (ECOOP’06). Springer-Verlag, 99--123.Google ScholarDigital Library
- Nicholas D. Matsakis. 2012. Parallel closures: A new twist on an old idea. In Proceedings of the Workshop on Hot Topics in Parallelism (HotPar’12).Google Scholar
- Nicholas D. Matsakis and Thomas R. Gross. 2009. Programming with intervals. In Proceedings of the International Workshop on Languages and Compilers for Parallel Computing. Springer-Verlag, 203--217.Google Scholar
- Nicholas D. Matsakis and Thomas R. Gross. 2010. Reflective parallel programming: Extensible and high-level control of runtime, compiler, and application interaction. In Proceedings of the Workshop on Hot Topics in Parallelism (HotPar’10).Google Scholar
- Nicholas D. Matsakis and Thomas R. Gross. 2010. A time-aware type system for data-race protection and guaranteed initialization. In Proceedings of the ACM Conference on Object-oriented Programming, Systems, Languages and Applications (OOPSLA’10). ACM Press, 634--651.Google Scholar
- Yusuke Matsushita, Takeshi Tsukada, and Naoki Kobayashi. 2020. RustHorn: CHC-based verification for Rust programs. In Programming Languages and Systems. Springer-Verlag, 484--514.Google Scholar
- Kayvan Memarian, Victor B. F. Gomes, Brooks Davis, Stephen Kell, Alexander Richardson, Robert N. M. Watson, and Peter Sewell. 2019. Exploring C semantics and pointer provenance. In Proceedings of the ACM Symposium on the Principles of Programming Languages (POPL’19). 67:1–67:32.Google ScholarDigital Library
- Scott Meyers. 1994. Effective C++. Addison-Wesley.Google Scholar
- R. Milner. 1978. A theory of type polymorphism in programming. J. Comput. Syst. Sci. 17 (1978), 348--375.Google ScholarCross Ref
- P. Müller. 2002. Modular Specification and Verification of Object-oriented Programs (LNCS, Vol. 2262).Google Scholar
- P. Müller, M. Schwerhoff, and A. J. Summers. 2016. Viper: A verification infrastructure for permission-based reasoning. In Proceedings of the Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI’16). 41--62.Google Scholar
- Vikram Narayanan, Marek S. Baranowski, Leonid Ryzhyk, Zvonimir Rakamarić, and Anton Burtsev. 2019. RedLeaf: Towards an operating system for safe and verified firmware. In Proceedings of the Workshop on Hot Topics in Operating Systems (HotOS’19). ACM Press, 37--44.Google ScholarDigital Library
- Flemming Nielson, Hanne R. Nielson, and Chris L. Hankin. 1999. Principles of Program Analysis. Springer-Verlag.Google ScholarDigital Library
- James Noble, David G. Clarke, and John Potter. 1999. Object ownership for dynamic alias protection. In Proceedings of the IEEE Conference on Technology of Object-oriented Languages and Systems. IEEE Computer Society Press, 176--187.Google ScholarCross Ref
- James Noble, Jan Vitek, and John Potter. 1998. Flexible alias protection. In Proceedings of the European Conference on Object-oriented Programming (ECOOP’98) (LNCS, Vol. 1445). Springer-Verlag, 158--185.Google ScholarCross Ref
- Liam O’Connor, Zilin Chen, Christine Rizkallah, Sidney Amani, Japheth Lim, Toby C. Murray, Yutaka Nagashima, Thomas Sewell, and Gerwin Klein. 2016. Refinement through restraint: Bringing down the cost of verification. In Proceedings of the ACM International Conference on Functional Programming (ICFP’16). ACM Press, 89--102.Google ScholarDigital Library
- Johan Östlund, Tobias Wrigstad, Dave Clarke, and Beatrice Åkerblom. 2008. Ownership, uniqueness and immutability. In Proceedings of the Conference on Technology of Object-oriented Languages and Systems (TOOLS Europe’08).Google ScholarCross Ref
- D. J. Pearce. 2005. Some Directed Graph Algorithms and Their Application to Pointer Analysis. Ph.D. Dissertation. Imperial College, London.Google Scholar
- Quan Phan and Gerda Janssens. 2007. Static region analysis for mercury. In Proceedings of the ACM International Conference on Logic Programming (ICLP’07) (LNCS, Vol. 4670). Springer-Verlag, 317--332.Google ScholarCross Ref
- B. C. Pierce. 2002. Types and Programming Languages. The MIT Press.Google ScholarDigital Library
- Robert Pollack. 1998. How to believe a machine-checked proof. In Twenty Five Years of Constructive Type Theory, G. Sambin and J. Smith (Eds.). Oxford University Press.Google Scholar
- Alex Potanin, James Noble, Dave Clarke, and Robert Biddle. 2006. Generic ownership. In Proceedings of the ACM Conference on Object-oriented Programming, Systems, Languages and Applications (OOPSLA’06). ACM Press.Google Scholar
- Alex Potanin, James Noble, Tian Zhao, and Jan Vitek. 2005. A high integrity profile for memory safe programming in real-time Java. In Proceedings of the Workshop on Java Technologies for Real-time and Embedded Systems (JTRES’05).Google Scholar
- Feng Qian and Laurie Hendren. 2002. An adaptive, region-based allocator for Java. In Proceedings of the International Symposium on Memory Management (ISMM’02). ACM Press, 127--138.Google ScholarDigital Library
- Boqin Qin, Yilun Chen, Zeming Yu, Linhai Song, and Yiying Zhang. 2020. Understanding memory and thread safety practices and issues in real-world Rust programs. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI’20). ACM Press, 763--779.Google ScholarDigital Library
- Erik Reed. 2015. Patina: A Formalization of the Rust Programming Language. Technical Report. University of Washington.Google Scholar
- Michael Roberson, Melanie Harries, Paul T. Darga, and Chandrasekhar Boyapati. 2008. Efficient software model checking of soundness of type systems. In Proceedings of the ACM Conference on Object-oriented Programming, Systems, Languages and Applications (OOPSLA’08). ACM Press, 493--504.Google ScholarDigital Library
- Grigore Rosu and Traian-Florin Serbanuta. 2010. An overview of the K semantic framework. J. Logic Algeb. Prog. 79, 6 (2010), 397--434.Google ScholarCross Ref
- Rust Team. [n.d.]. Rust Homepage. Retrieved from www.rust-lang.org.Google Scholar
- Rust Team. [n.d.]. The Rust Programming Language. Retrieved from doc.rust-lang.org/book/.Google Scholar
- Rust Team. [n.d.]. The Rustonomicon—The Dark Arts of Advanced and Unsafe Rust Programming. Retrieved from doc.rust-lang.org/nomicon/.Google Scholar
- Konstantin Serebryany, Derek Bruening, Alexander Potapenko, and Dmitriy Vyukov. 2012. AddressSanitizer: A fast address sanity checker. In Proceedings of the USENIX Technical Conference. 309--318.Google Scholar
- Marco Servetto, D. J. Pearce, and Lindsay Groves. 2013. Balloon types for safe parallelisation over arbitrary object graphs. In Proceedings of the Workshop on Determinism and Correctness in Parallel Programming (WODET’13).Google Scholar
- Sriram Srinivasan and Alan Mycroft. 2008. Kilim: Isolation-typed actors for Java. In Proceedings of the European Conference on Object-oriented Programming (ECOOP’08). 104--128.Google ScholarDigital Library
- Evgeniy Stepanov and Konstantin Serebryany. 2015. MemorySanitizer: Fast detector of uninitialized memory use in C++. In Proceedings of the Conference on Code Generation and Optimisation (CGO’15). IEEE Computer Society Press, 46--55.Google Scholar
- R. Strom and S. Yemini. 1986. Typestate: A programming language concept for enhancing software reliability. IEEE Trans. Softw. Eng. 12, 1 (1986), 157--171.Google ScholarDigital Library
- Robert E. Strom and Daniel M. Yellin. 1993. Extending typestate checking using conditional liveness analysis. IEEE Trans. Softw. Eng. 19, 5 (1993), 478--485.Google ScholarDigital Library
- David Svoboda and Lutz Wrage. 2014. Pointer ownership model. In Proceedings of the Hawaii International Conference on System Sciences (HICSS’14). IEEE Computer Society Press, 5090--5099.Google ScholarDigital Library
- Nikhil Swamy, Michael Hicks, Greg Morrisett, Dan Grossman, and Trevor Jim. 2006. Safe manual memory management in cyclone. Sci. Comput. Prog. 62, 2 (2006), 122--144.Google ScholarDigital Library
- J.-P. Talpin and P. Jouvelot. 1992. Polymorphic type, region, and effect inference. J. Funct. Prog. 2, 3 (1992), 245–271.Google ScholarCross Ref
- Mads Tofte and Lars Birkedal. 1998. A region inference algorithm. ACM Trans. Prog. Lang. Syst. 20, 4 (1998), 734–767.Google ScholarDigital Library
- Mads Tofte, Lars Birkedal, Martin Elsman, and Niels Hallenberg. 2004. A retrospective on region-based memory management. High.-order Symb. Comput. 17, 3 (2004), 245--265.Google ScholarDigital Library
- Mads Tofte and Jean-Pierre Talpin. 1997. Region-based memory management. Inf. Comput. 132, 2 (1997), 109--176.Google ScholarDigital Library
- J. Toman, S. Pernsteiner, and E. Torlak. 2015. Crust: A bounded verifier for Rust. In Proceedings of the Conference on Automated Software Engineering (ASE’15). 75--80.Google Scholar
- Mohsen Vakilian, Danny Dig, Robert Bocchino, Jeffrey Overbey, Vikram Adve, and Ralph Johnson. 2009. Inferring method effect summaries for nested heap regions. In Proceedings of the Conference on Automated Software Engineering (ASE’09). 421--432.Google ScholarDigital Library
- P. Wadler. 1990. Linear types can change the world!. In Proceedings of the IFIP TC 2 Working Conference on Programming Concepts and Methods. 347--359.Google Scholar
- David Walker and Kevin Watkins. 2001. On regions and linear types. In Proceedings of the ACM International Conference on Functional Programming (ICFP’01). 181--192.Google Scholar
- F. Wang, F. Song, M. Zhang, X. Zhu, and J. Zhang. 2018. KRust: A formal executable semantics of Rust. In Proceedings of the Symposium on Theoretical Aspects of Software Engineering (TASE’18). 44--51.Google Scholar
- Aaron Weiss, Daniel Patterson, Nicholas D. Matsakis, and Amal Ahmed. 2019. Oxide: The Essence of Rust. arxiv:cs.PL/1903.00982 (2019).Google Scholar
- A. K. Wright and M. Felleisen. 1994. A syntactic approach to type soundness. Inf. Comput. 115, 1 (1994), 38--94.Google ScholarDigital Library
- Tian Zhao, James Noble, and Jan Vitek. 2004. Scoped types for real-time Java. In Proceedings of the Real-time Systems Symposium (RTSS’04). IEEE Computer Society Press, 241--251.Google ScholarDigital Library
- Yoav Zibin, Alex Potanin, Paley Li, Mahmood Ali, and Michael D. Ernst. 2010. Ownership and immutability in generic Java. In Proceedings of the ACM Conference on Object-oriented Programming, Systems, Languages and Applications (OOPSLA’10). 598--617.Google Scholar
Index Terms
- A Lightweight Formalism for Reference Lifetimes and Borrowing in Rust
Recommendations
RustHorn: CHC-based Verification for Rust Programs
Reduction to satisfiability of constrained Horn clauses (CHCs) is a widely studied approach to automated program verification. Current CHC-based methods, however, do not work very well for pointer-manipulating programs, especially those with dynamic ...
Leveraging rust types for modular specification and verification
Rust's type system ensures memory safety: well-typed Rust programs are guaranteed to not exhibit problems such as dangling pointers, data races, and unexpected side effects through aliased references. Ensuring correctness properties beyond memory safety,...
RustBelt: securing the foundations of the Rust programming language
Rust is a new systems programming language that promises to overcome the seemingly fundamental tradeoff between high-level safety guarantees and low-level control over resource management. Unfortunately, none of Rust's safety claims have been formally ...
Comments