An Empirical Study On The Safety Of Real-world Rust Programs

Rust is an emerging programming language that balances efficiency and security.It is mainly used for system software development,such as browsers,operating systems,blockchains,and databases.Its security is ensured by a strict set of security rules that are enforced at compile time.But in order to support more low-level operations,Rust allows developers to write unsafe code to by-pass these compiler checks.To understand what safety problems exist in real-world Rust programs,and how the Rust safety mechanisms affect programming practice,this paper focuses on three issues:(1)Why should Rust developers write unsafe code,and how to write unsafe code correctly.(2)What memory safety issues exist in real-world Rust programs.(3)What concurrency bugs will Rust developers make.This paper conducts the first empirical study on the safety of Rust.The main objects of analysis are real-world Rust applications,the actual widely-used projects developed with Rust,rather than the use cases constructed by language designers to explore the language.The study of real-world Rust ap-plications can better reflect the actual use of Rust.The studied real-world Rust applications include 850 unsafe code usages and 170 bugs in five open-source Rust projects,five widely used Rust libraries,two online security databases,and the Rust standard library.On this basis,this paper puts forward 11 insights and 8 suggestions for Rust designers and developers.This paper implements one IDE plugin,proposes 9 static bug detection algorithms,and builds 4 static bug detectors.All these detectors find previously unknown bugs,a total of 91.The detailed work is as follows:1.This paper mainly obtains three results from the study of the unsafe code in Rust programs:(a)By analyzing the reasons for unsafe code usages in Rust programs,this paper finds that most of the unsafe code in Rust is used for good and unavoidable reasons,indicating that Rust's safety rule checks are sometimes too strict,and it is indispensable for Rust developers to provide an alternative method to bypass these checks.Therefore,de-velopers should try to locate the source of unsafety and only export this piece of code as an unsafe interface,to minimize the unsafe in-terface and reduce the workload of code inspection.(b)By analyzing the removal logs of unsafe code in Rust programs,this paper finds that "interior unsafe" is a good way to encapsulate unsafe code.Therefore,Rust developers should try to use interior unsafe functions to encapsulate unsafe code before exposing the unsafe code as an unsafe API.(c)By analyzing the encapsulation of interior unsafe code,this paper finds that some safety conditions of unsafe code are difficult to check.The safety of interior unsafe functions usually depends on correct in-puts and execution environments.Therefore,if the safety of a func-tion depends on how it is used,it is best to mark it as "unsafe" rather than“interior unsafe";Rust designers should also differentiate“interior mutability" from real immutable functions.Based on the above re-search results,this paper finds 19 cases where interior unsafe code is improperly encapsulated from our studied Rust programs and the standard library.2.This paper mainly obtains two results from the study of memory bugs in Rust programs:(a)By analyzing the spread of memory bugs in Rust programs,this paper finds that Rust's safety mechanisms(in the stable version of Rust)are very effective in preventing memory bugs.All memory safety issues involve unsafe code,although many of them also involve safe code.Therefore,future memory bug detectors can ignore safe code that has nothing to do with unsafe code to reduce false positives and improve execution efficiency.(b)By analyzing the impact and fix of memory bugs in Rust programs,this paper finds that Rust memory bugs are mostly related to devel-opers' misunderstanding of lifetime.Based on the above research re-sults,this paper proposes the Rust memory bug detection algorithms and implements Use After Free detector.3.This paper mainly obtains two results from the study of concurrency bugs(including blocking and non-blocking bugs)in Rust programs:(a)By analyzing the blocking bugs in Rust programs,this paper finds that lack of in-depth understanding of Rust's lifetime rules is a common cause of blocking bugs.Therefore,future IDEs should add plugins to highlight the location of implicit unlocking,which can help de-velopers avoid a large number of blocking bugs.Rust should also add Mutex's explicit unlocking API to facilitate developers to fix such bugs.Based on the above research results,this paper proposes the Rust blocking bug detection algorithms,and implements Double Lock and Conflicting Lock detectors.(b)By analyzing the non-blocking bugs in Rust programs,this paper finds that how data is shared is not necessarily related to how non-blocking bugs happen.The former can be in unsafe code,while the latter can be in safe code.Therefore,internal mutual exclusion must be carefully reviewed for interior mutability functions in structs im-plementing the Sync trait.Fixing strategies of Rust non-blocking(and blocking)bugs are similar to traditional languages.Existing au-tomated bug fixing techniques are likely to work on Rust.Based on the above research results,this paper proposes the Rust non-blocking bug detection algorithms,and implements Atomicity Violation detec-tor.The innovation of this paper is reflected in the new viewpoints and opin-ions on the use of Rust unsafe code,a new classification of common memory and concurrency bugs in Rust programs,and new detection algorithms for Rust-related bugs.This paper answers the doubts about how Rust developers should use unsafe code,and proposes detection algorithms and ideas for Rust bugs,which are of great significance for guiding the safety practices of Rust devel-opers and improving the safety of the Rust language.