From: Ralf Jung Date: Tue, 23 May 2017 20:58:46 +0000 (-0700) Subject: day 1 of my internship X-Git-Url: https://git.ralfj.de/web.git/commitdiff_plain/debe62ac15b0727d33c334db4afaac785304f861?ds=inline day 1 of my internship --- diff --git a/personal/_posts/2017-05-23-internship-starting.md b/personal/_posts/2017-05-23-internship-starting.md new file mode 100644 index 0000000..1b7269b --- /dev/null +++ b/personal/_posts/2017-05-23-internship-starting.md @@ -0,0 +1,38 @@ +--- +title: Day 1 of my Mozilla Internship +categories: internship rust +--- + +This summer, I am given the awesome opportunity of spending three months in the Mozilla offices in Portland, working on Rust. +I am extremely grateful that Mozilla is providing this opportunity to me; hopefully I can give something back by making some hands-on contributions to the Rust ecosystem. + + +Today is day 1 of my internship -- at least if you start counting at 0, which of course we all do. +I meant to write this yesterday, but the morning was filled with bureaucratics and in the afternoon I got so jetlagged, I essentially was sleeping with my eyes open. +(But don't tell Aaron, my manager, or Niko, my mentor -- I was of course supposed to be working. ;) + +So, what concretely will I be doing in the next three months? +Based on [my prior posts]({{ site.baseurl }}{% post_url 2016-01-09-the-scope-of-unsafe %}) and me being in the [unsafe code guidelines strike team](https://internals.rust-lang.org/t/next-steps-for-unsafe-code-guidelines/3864) (which I totally forgot to announce here... I'm not good at this blogging thing, am I?), it should not be surprising that my main project is going to be related to unsafe code. +More specifically, we want to figure out ways to specify what unsafe code is and what it is not allowed to do (i.e., when its behavior is well-defined, and when it is undefined). +Ultimately, the way I think this should be specified (and lucky enough, my new bosses agree on this) is by defining, for every possible Rust (or rather, MIR) program one could write, what that program is going to do when it is executed. + +Now, one could go all committee and initiate a huge process involving drafting a standard and writing a [700 page document](http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1570.pdf) in English prose, but experience shows that this is not a good way to go: English prose is ambiguous, and it is very easy to forget about some odd combination of corner cases which then ends up not being described by the standard. +One could also go all math and write down a beautifully complicated definition that rigorously defines everything. +That would be huge amounts of work, and in the end, virtually nobody would be able to read such a specification. +(Which doesn't mean I think this shouldn't also happen; such a definition is indeed needed to perform formal proofs -- but at this point, we are not yet concerned about proofs.) + +We are going to do neither of these. +Instead, the goal is to have an *executable specification* for MIR -- in other words, an interpreter. +To understand an interpreter, one has to just read code, so this should be much more accessible to programmers than mathematical definitions. +At the same time, if we forget to cover a case, this will be blatantly obvious -- in fact, most of the time, exhaustiveness checking will catch this. +And finally, an interpreter can be used for testing: We could actually check whether some particular unsafe code has undefined behavior or not. +This will be very important while we are still developing the specification (to check whether our intuition for what should and should not be allowed matches the interpreter), but it is also extremely useful later for authors of unsafe code to check whether they are violating the rules we are going to put in place. + +Lucky enough, such an interpreter already exists: [miri](https://github.com/solson/miri)! +That's great, because it means I do not have to write an interpreter from scratch, defining what a stack is and how to perform integers operations and whatnot. +Instead, I can concentrate on the interesting questions coming up in the unsafe code guidelines: +What exactly do the guarantees "mutable borrows don't have aliases" and "the pointees of shared borrows are not mutated" *mean*? How should they be reflected in a semantics of MIR -- in miri -- such that the desired [optimizations](https://github.com/nikomatsakis/rust-memory-model/tree/master/optimizations) are actually legal, while at the same time the [unsafe code](https://doc.rust-lang.org/nomicon/) people write has the desired behavior? + +That's it for now. +I don't have the answers to these questions, but hopefully my work will help getting closer to an answer. +I will keep you posted on my progress (or lack thereof), probably on a weekly or bi-weekly basis.