From 936b7648ec6c1adce590d498967d9d40f82dca00 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Sun, 7 Aug 2022 22:16:31 -0400 Subject: [PATCH 01/16] credit where credit is due --- personal/_posts/2022-08-08-minirust.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/personal/_posts/2022-08-08-minirust.md b/personal/_posts/2022-08-08-minirust.md index f13285b..821c3b9 100644 --- a/personal/_posts/2022-08-08-minirust.md +++ b/personal/_posts/2022-08-08-minirust.md @@ -48,7 +48,9 @@ On the other hand, there are many things that it *can* explain in full precision - what happens when *casting* between pointers and integers - padding (that's why tuples can have 2 elements, so there can be padding between them) -If you re not used to reading interpreter source code, then I guess this can be rather jarring, and there is certainly a *lot* of work that could and should be done to make this more accessible. -But just being able to talk about these questions with precision *at all* has already lead to some interesting discussions in the UCG WG (some of which made me change my mind, and change MiniRust accordingly), so for now it is serving its purpose, and maybe some of you can find it useful, too. -And hopefully we can use it as a starting place for seriously tackling the issue of an *official* specification of Rust. +If you are not used to reading interpreter source code, then I guess this can be rather jarring, and there is certainly a *lot* of work that could and should be done to make this more accessible. +(Like, examples. I hear people like examples.) +But just being able to talk about these questions with precision *at all* has already lead to some interesting discussions in the UCG WG, some of which made me change my mind -- thanks in particular to @digama0 and @JakobDegen for engaging deeply with my ideas. +So for now it is serving its purpose, and maybe some of you can find it useful, too. +Hopefully we can even use this as a starting place for seriously tackling the issue of an *official* specification of Rust. More on that soon. :) -- 2.30.2 From dba4b0e942e3323491479bae1389a2957875b2c4 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Sun, 7 Aug 2022 22:37:25 -0400 Subject: [PATCH 02/16] cool bear makes their own choices --- personal/_posts/2022-08-08-minirust.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/personal/_posts/2022-08-08-minirust.md b/personal/_posts/2022-08-08-minirust.md index 821c3b9..49564f7 100644 --- a/personal/_posts/2022-08-08-minirust.md +++ b/personal/_posts/2022-08-08-minirust.md @@ -30,7 +30,7 @@ The idea is that anyone who knows Rust should immediately be able to understand Translating it to real Rust means we can actually execute the reference interpreter and test it, and translating it to Coq means we can start proving theorems about it. But I am getting waaaay ahead of myself, these are rather long-term plans. -[^bear]: Is that someone the [cool bear](https://fasterthanli.me/articles/) making an appearance on my blog? We'll never know... and also I'd have to ask fasterthanlime for permission and didn't plan this well enough. ;) +[^bear]: Is that someone the [cool bear](https://fasterthanli.me/articles/) making an appearance on my blog? We'll never know... and also I'd have to ask fasterthanlime to ask them for permission and didn't plan this well enough. ;) So, if you want to look into my brain to see how I see Rust programs, then please go check out [MiniRust](https://github.com/RalfJung/minirust). The README explains the scope and goals, the general structure, and the details of pseudo Rust, as well as a comparison with some related efforts. -- 2.30.2 From b332a56b66610108ae9a93b2953dd1d7f3c5a86c Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Mon, 8 Aug 2022 08:53:44 -0400 Subject: [PATCH 03/16] shout out more people --- personal/_posts/2022-08-08-minirust.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/personal/_posts/2022-08-08-minirust.md b/personal/_posts/2022-08-08-minirust.md index 49564f7..00d4e31 100644 --- a/personal/_posts/2022-08-08-minirust.md +++ b/personal/_posts/2022-08-08-minirust.md @@ -50,7 +50,7 @@ On the other hand, there are many things that it *can* explain in full precision If you are not used to reading interpreter source code, then I guess this can be rather jarring, and there is certainly a *lot* of work that could and should be done to make this more accessible. (Like, examples. I hear people like examples.) -But just being able to talk about these questions with precision *at all* has already lead to some interesting discussions in the UCG WG, some of which made me change my mind -- thanks in particular to @digama0 and @JakobDegen for engaging deeply with my ideas. +But just being able to talk about these questions with precision *at all* has already lead to some interesting discussions in the UCG WG, some of which made me change my mind -- thanks in particular to @digama0, @JakobDegen, and @alercah for engaging deeply with my ideas. So for now it is serving its purpose, and maybe some of you can find it useful, too. Hopefully we can even use this as a starting place for seriously tackling the issue of an *official* specification of Rust. More on that soon. :) -- 2.30.2 From 9c19e3f88a2a012960a5b4f40817da7d0a2d881d Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Mon, 8 Aug 2022 09:58:52 -0400 Subject: [PATCH 04/16] the Cool Bear can be on this blog :) --- personal/_posts/2022-08-08-minirust.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/personal/_posts/2022-08-08-minirust.md b/personal/_posts/2022-08-08-minirust.md index 00d4e31..b78dfe2 100644 --- a/personal/_posts/2022-08-08-minirust.md +++ b/personal/_posts/2022-08-08-minirust.md @@ -23,14 +23,14 @@ English language, on the other hand, is not very precise. So my compromise solution is to write down the semantics in a format that is hopefully known to everyone who could be interested: in Rust code. Specifically, MiniRust is specified by a *reference interpreter* that describes the step-by-step process of executing a MiniRust program, *including* checking at each step whether the program has Undefined Behavior. -"Hold on", I hear someone say, "you are defining Rust in Rust code? Isn't that cyclic?"[^bear] +"Hold on", I hear a [Cool Bear](https://fasterthanli.me/articles/) say, "you are defining Rust in Rust code? Isn't that cyclic?"[^bear] Well, yes and no. It's not *really* Rust code. It's what I call "pseudo Rust", uses only a tiny fragment of the language (in particular, no `unsafe`), and then extends the language with some conveniences to make things less verbose. The idea is that anyone who knows Rust should immediately be able to understand what this code means, but also hopefully eventually if this idea pans out we can have tooling to translate pseudo Rust into "real" languages -- in particular, real Rust and Coq. Translating it to real Rust means we can actually execute the reference interpreter and test it, and translating it to Coq means we can start proving theorems about it. But I am getting waaaay ahead of myself, these are rather long-term plans. -[^bear]: Is that someone the [cool bear](https://fasterthanli.me/articles/) making an appearance on my blog? We'll never know... and also I'd have to ask fasterthanlime to ask them for permission and didn't plan this well enough. ;) +[^bear]: Thanks to fasterthanlime for facilitating the bear's appearance on this blog. So, if you want to look into my brain to see how I see Rust programs, then please go check out [MiniRust](https://github.com/RalfJung/minirust). The README explains the scope and goals, the general structure, and the details of pseudo Rust, as well as a comparison with some related efforts. -- 2.30.2 From 3b92763e32c9d13a80fe4ab85037d5ea4eb20c69 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Mon, 8 Aug 2022 10:06:22 -0400 Subject: [PATCH 05/16] a note on the name --- personal/_posts/2022-08-08-minirust.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/personal/_posts/2022-08-08-minirust.md b/personal/_posts/2022-08-08-minirust.md index b78dfe2..1049ac0 100644 --- a/personal/_posts/2022-08-08-minirust.md +++ b/personal/_posts/2022-08-08-minirust.md @@ -15,7 +15,9 @@ We have [Miri](https://github.com/rust-lang/miri/), which is a much quicker orac So I have promised for a long time to find some more holistic way to write down my thoughts on unsafe Rust semantics. I thought I could do it in 2021, but I, uh, "slightly" missed that deadline... but better late than never! -At long last, I can finally present to you: [**MiniRust**](https://github.com/RalfJung/minirust). +At long last, I can finally present to you: [**MiniRust**](https://github.com/RalfJung/minirust).[^name] + +[^name]: I am beginning to wonder if this name was a bad choice. Naming is not my strong suit. Maybe "CoreRust" would have been better? Alas... The purpose of MiniRust is to describe the semantics of an interesting fragment of Rust in a way that is both precise and understandable to as many people as possible. These goals are somewhat at odds with each other -- the most precise definitions, e.g. carried out in the Coq Proof Assistant, tend to not be very accessible. -- 2.30.2 From bf71dce513ed20aa8fbcb5d97131c6c8e4f202e2 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Sat, 13 Aug 2022 12:14:19 -0400 Subject: [PATCH 06/16] nod to Rust readers --- personal/_posts/2020-12-14-provenance.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/personal/_posts/2020-12-14-provenance.md b/personal/_posts/2020-12-14-provenance.md index ee3f5b6..b591c00 100644 --- a/personal/_posts/2020-12-14-provenance.md +++ b/personal/_posts/2020-12-14-provenance.md @@ -55,10 +55,12 @@ int sum_up(int i, int j, unsigned int n) { // optimized version {% endhighlight %} However, that transformation is actually incorrect. If we imagine a caller using this function as `sum_up(INT_MAX, 1, 0)`, then this is a perfectly correct way to call `sum_up`: the loop is never entered, so the overflowing addition `INT_MAX+1` is never performed. -However, after the desired optimization, the program now causes a signed integer overflow, which is UB (Undefined Behavior) and thus May Never Happen! +However, after the desired optimization, the program now causes a signed integer overflow, which is UB (Undefined Behavior) and thus May Never Happen![^signed-int-overflow] [^loop]: If you are a regular reader of my blog, you will recognize this as the same optimization that already played a crucial role in [a previous post of mine]({% post_url 2020-07-15-unused-data %}). Loop-invariant code motion is a great optimization to look at when considering corner cases of IR semantics. +[^signed-int-overflow]: If you are coming here from Rust, imagine `i + j` was written as `i.unchecked_add(j)`. + One might be tempted to ignore this problem because the UB on integer overflow is a compiler-only concept; every target supported by the compiler will do the obvious thing and just produce an overflowing result. However, there might be other compiler passes running after the optimization we are considering. One such pass might inline `sum_up`, and another pass might notice the `INT_MAX+1` and replace it by `unreachable` since UB code is "by definition" unreachable, and another pass might then just remove all our code since it is unreachable. -- 2.30.2 From f2e7fedc0197ea19bee98b6fd5fe304181246503 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Sat, 13 Aug 2022 12:15:00 -0400 Subject: [PATCH 07/16] wording --- personal/_posts/2020-12-14-provenance.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/personal/_posts/2020-12-14-provenance.md b/personal/_posts/2020-12-14-provenance.md index b591c00..249c3e4 100644 --- a/personal/_posts/2020-12-14-provenance.md +++ b/personal/_posts/2020-12-14-provenance.md @@ -59,7 +59,7 @@ However, after the desired optimization, the program now causes a signed integer [^loop]: If you are a regular reader of my blog, you will recognize this as the same optimization that already played a crucial role in [a previous post of mine]({% post_url 2020-07-15-unused-data %}). Loop-invariant code motion is a great optimization to look at when considering corner cases of IR semantics. -[^signed-int-overflow]: If you are coming here from Rust, imagine `i + j` was written as `i.unchecked_add(j)`. +[^signed-int-overflow]: If you are coming here with a Rust mindset, imagine `i + j` was written as `i.unchecked_add(j)`. One might be tempted to ignore this problem because the UB on integer overflow is a compiler-only concept; every target supported by the compiler will do the obvious thing and just produce an overflowing result. However, there might be other compiler passes running after the optimization we are considering. -- 2.30.2 From e033d6a32a2432def813fc091dc7b397bf664597 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Mon, 15 Aug 2022 21:34:10 -0400 Subject: [PATCH 08/16] announce my ETH position :-)) --- personal/_posts/2022-08-16-eth.md | 32 +++++++++++++++++++++++++++++++ research/index.html | 3 +++ 2 files changed, 35 insertions(+) create mode 100644 personal/_posts/2022-08-16-eth.md diff --git a/personal/_posts/2022-08-16-eth.md b/personal/_posts/2022-08-16-eth.md new file mode 100644 index 0000000..86ad9ee --- /dev/null +++ b/personal/_posts/2022-08-16-eth.md @@ -0,0 +1,32 @@ +--- +title: "A New Beginning" +categories: research rust +--- + +I have some very exciting news to share: starting November 1st, I will work at ETH Zürich as an assistant professor! +Becoming a professor in the first place is a dream come true, and becoming a professor at a place like ETH Zürich is not something I even dared to dream of. +I still cannot quite believe that this is actually happening (I will be *professor*?!??), but [the news is out](https://twitter.com/CSatETH/status/1548944615285350400) so I guess this is real. :D + + + +I feel excited and terrified in about equal parts. +Excited by all the new possibilities, by the prospect of working with students and inspiring the next generation of researchers; +terrified by all the responsibility and the prospect of having to stand in a classroom and give a lecture in only a few months' time. +But somehow everyone else seems confident that I can do this, so I guess I'll just play along and hope that I will not prove them wrong... + +I am also humbled and eternally thankful for being given this opportunity. +Being able to work in an environment like ETH is a privilege beyond imagination, and I don't know how I got so lucky. +I probably used up all my Karma points for the rest of my life, and will do my best to honor this privilege. +I feel hugely indebted to everyone I worked with, first and foremost of course my PhD advisor [Derek Dreyer](https://people.mpi-sws.org/~dreyer/). +But I would also like to specifically call out the Rust community, because I don't think this would have happened without Rust -- thanks to *everyone* who contributed to this language that I am essentially building my career on[^rust], and thanks in particular to everyone who indulged in my ideas for how Rust should approach unsafe code and helped me shape that corner of the language. + +[^rust]: Before anyone gets worried, I also have some [ideas](https://iris-project.org/) I want to pursue that are unrelated to Rust. But Rust is currently by far the biggest inspiration for new research problems for me, and without Rust I don't think my research would be anywhere near as applied and impactful as it is today, which I am sure played a key role in the decision of ETH to hire me. + +So what's next? +I will soon finish my post-doc at MIT and move back to Europe, and then move to Zürich in October. +And then I will have to figure out how this being-a-professor thing works. ;) +My first main priority is building a research group: the "Programming Language Foundations Lab"[^lab]. +So if you are interested in doing a PhD or post-doc working on, well, programming language foundations, and in particular formal foundations for Rust, or if you are an ETH student interested in a Master Thesis in that area -- please [reach out](https://research.ralfj.de/contact.html)! +I am still figuring out how to do things like hiring people and finding suitable projects, but there is no shortage of open problems that need solving and theorems that need proving. :) + +[^lab]: Yes, I have a lab coat. I don't usually wear it though... and if you want to see me wear it, that will cost you some beer. diff --git a/research/index.html b/research/index.html index f471122..2616ea6 100644 --- a/research/index.html +++ b/research/index.html @@ -7,6 +7,9 @@ title: Ralf Jung

I am a post-doctoral researcher in the PDOS group at MIT CSAIL under the supervision of Frans Kaashoek and Nickolai Zeldovich.
Previously, I completed my PhD at MPI-SWS and Saarland University in Saarbrücken, Germany; my advisor was Derek Dreyer.

+

I will start my position as assistant professor at ETH Zürich on November 1st. +If you are interested in doing a PhD or post-doc working on programming language foundations, and in particular formal foundations for Rust, or if you are an ETH student interested in a Master Thesis in that area -- please [reach out](https://research.ralfj.de/contact.html)!

+

My two main lines of work are about Rust and Iris.
On the Rust side, I am working (also in collaboration with the Rust language team) towards a solid formal foundation for the language, including in particular the unsafe parts. One key result here is our type safety proof, which also describes a methodology for establishing type safety of well-encapsulated unsafe code. -- 2.30.2 From fac358e418d27bc4179128859f82a7902a88a2c4 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Mon, 15 Aug 2022 21:35:26 -0400 Subject: [PATCH 09/16] fix link --- research/index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/research/index.html b/research/index.html index 2616ea6..da89172 100644 --- a/research/index.html +++ b/research/index.html @@ -8,7 +8,7 @@ title: Ralf Jung Previously, I completed my PhD at MPI-SWS and Saarland University in Saarbrücken, Germany; my advisor was Derek Dreyer.

I will start my position as assistant professor at ETH Zürich on November 1st. -If you are interested in doing a PhD or post-doc working on programming language foundations, and in particular formal foundations for Rust, or if you are an ETH student interested in a Master Thesis in that area -- please [reach out](https://research.ralfj.de/contact.html)!

+If you are interested in doing a PhD or post-doc working on programming language foundations, and in particular formal foundations for Rust, or if you are an ETH student interested in a Master Thesis in that area -- please reach out!

My two main lines of work are about Rust and Iris.
On the Rust side, I am working (also in collaboration with the Rust language team) towards a solid formal foundation for the language, including in particular the unsafe parts. -- 2.30.2 From 5d977d85506a7929af1e04ed78a420f3568d9c19 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Wed, 14 Sep 2022 09:39:38 +0200 Subject: [PATCH 10/16] add update on the current state on ptr2int transmutation --- personal/_posts/2022-04-11-provenance-exposed.md | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/personal/_posts/2022-04-11-provenance-exposed.md b/personal/_posts/2022-04-11-provenance-exposed.md index 53d0b84..39237ae 100644 --- a/personal/_posts/2022-04-11-provenance-exposed.md +++ b/personal/_posts/2022-04-11-provenance-exposed.md @@ -277,13 +277,19 @@ Because of that, I think we should move towards discouraging, deprecating, or ev That means a cast is the only legal way to turn a pointer into an integer, and after the discussion above we got our casts covered. A [first careful step](https://github.com/rust-lang/rust/pull/95547) has recently been taken on this journey; the `mem::transmute` documentation now cautions against using this function to turn pointers into integers. +**Update (2022-09-14):** After a lot more discussion, the current model pursued by the Unsafe Code Guidelines WG is to say that pointer-to-integer transmutation is permitted, but just strips provenance without exposing it. +That means the program with the casts replaced by transmutation is UB, because the `ptr` it ends up dereferencing has invalid provenance. +However, the transmutation itself is not UB. +Basically, pointer-to-integer transmutation is equivalent to [the `addr` method](https://doc.rust-lang.org/nightly/std/primitive.pointer.html#method.addr), with all its caveats -- in particular, transmuting a pointer to an integer and back is like calling `addr` and then calling [`ptr::invalid`](https://doc.rust-lang.org/nightly/std/ptr/fn.invalid.html); that is not a lossless round-trip. +This model has some nice properties that help compiler optimizations (such as removing unnecessary store-load round-trips). **/Update** + ## A new hope for Rust All in all, while the situation may be very complicated, I am actually more hopeful than ever that we can have both -- a precise memory model for Rust *and* all the optimizations we can hope for! The three core pillars of this approach are: - making pointer-integer casts "expose" the pointer's provenance, - offering `ptr.addr()` to learn a pointer's address *without* exposing its provenance, -- and disallowing pointer-integer transmutation. +- and disallowing pointer-integer transmutation round-trips. Together, they imply that we can optimize "nice" code (that follows Strict Provenance, and does not "expose" or use integer-pointer casts) perfectly, without any risk of breaking code that does use pointer-integer round-trips. In the easiest possible approach, the compiler can simply treat pointer-integer and integer-pointer casts as calls to some opaque external function. @@ -367,8 +373,8 @@ Because of all that, I think it is reasonable for Rust to make a different choic This was a long post, but I hope you found it worth reading. :) To summarize, my concrete calls for action in Rust are: -- Code that uses pointer-integer transmutation should migrate to regular casts or `MaybeUninit` transmutation ASAP. - I think we should declare pointer-integer transmutation Undefined Behavior and not accept such code as well-defined. +- Code that uses pointer-integer transmutation round-trips should migrate to regular casts or `MaybeUninit` transmutation ASAP. + I think we should declare pointer-integer transmutation as "losing" provenance, so code that assumes a lossless transmutation round-trip has Undefined Behavior. - Code that uses pointer-integer or integer-pointer *casts* might consider migrating to the Strict Provenance APIs. You can do this even on stable with [this polyfill crate](https://crates.io/crates/sptr). However, such code *is and remains* well-defined. It just might not be optimized as well as one could hope, it might not compile on CHERI, and Miri will probably miss some bugs. -- 2.30.2 From cd1d77b71a948549ede3af63debdc118955b11fc Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Wed, 14 Sep 2022 09:55:15 +0200 Subject: [PATCH 11/16] tweak the update --- personal/_posts/2022-04-11-provenance-exposed.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/personal/_posts/2022-04-11-provenance-exposed.md b/personal/_posts/2022-04-11-provenance-exposed.md index 39237ae..709dbc6 100644 --- a/personal/_posts/2022-04-11-provenance-exposed.md +++ b/personal/_posts/2022-04-11-provenance-exposed.md @@ -280,8 +280,10 @@ A [first careful step](https://github.com/rust-lang/rust/pull/95547) has recentl **Update (2022-09-14):** After a lot more discussion, the current model pursued by the Unsafe Code Guidelines WG is to say that pointer-to-integer transmutation is permitted, but just strips provenance without exposing it. That means the program with the casts replaced by transmutation is UB, because the `ptr` it ends up dereferencing has invalid provenance. However, the transmutation itself is not UB. -Basically, pointer-to-integer transmutation is equivalent to [the `addr` method](https://doc.rust-lang.org/nightly/std/primitive.pointer.html#method.addr), with all its caveats -- in particular, transmuting a pointer to an integer and back is like calling `addr` and then calling [`ptr::invalid`](https://doc.rust-lang.org/nightly/std/ptr/fn.invalid.html); that is not a lossless round-trip. -This model has some nice properties that help compiler optimizations (such as removing unnecessary store-load round-trips). **/Update** +Basically, pointer-to-integer transmutation is equivalent to [the `addr` method](https://doc.rust-lang.org/nightly/std/primitive.pointer.html#method.addr), with all its caveats -- in particular, transmuting a pointer to an integer and back is like calling `addr` and then calling [`ptr::invalid`](https://doc.rust-lang.org/nightly/std/ptr/fn.invalid.html). +That is a *lossy* round-trip: it loses provenance information, making the resulting pointer invalid to dereference. +It is lossy even if we use a regular integer-to-pointer cast (or `from_exposed_addr`) for the conversion back to a pointer, since the original provenance might never have been exposed. +Compared to declaring the transmutation itself UB, this model has some nice properties that help compiler optimizations (such as removing unnecessary store-load round-trips). **/Update** ## A new hope for Rust @@ -289,7 +291,7 @@ All in all, while the situation may be very complicated, I am actually more hope The three core pillars of this approach are: - making pointer-integer casts "expose" the pointer's provenance, - offering `ptr.addr()` to learn a pointer's address *without* exposing its provenance, -- and disallowing pointer-integer transmutation round-trips. +- and making pointer-integer transmutation round-trips lossy (such that the resulting pointer cannot be dereferenced). Together, they imply that we can optimize "nice" code (that follows Strict Provenance, and does not "expose" or use integer-pointer casts) perfectly, without any risk of breaking code that does use pointer-integer round-trips. In the easiest possible approach, the compiler can simply treat pointer-integer and integer-pointer casts as calls to some opaque external function. -- 2.30.2 From ffa3b27d4d3b8802b1ea3bc5eda55cb12407b9f3 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Mon, 26 Sep 2022 13:11:26 +0200 Subject: [PATCH 12/16] add cargo-careful blog post --- personal/_posts/2022-09-26-cargo-careful.md | 24 +++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 personal/_posts/2022-09-26-cargo-careful.md diff --git a/personal/_posts/2022-09-26-cargo-careful.md b/personal/_posts/2022-09-26-cargo-careful.md new file mode 100644 index 0000000..28bfec9 --- /dev/null +++ b/personal/_posts/2022-09-26-cargo-careful.md @@ -0,0 +1,24 @@ +--- +title: "carego careful: run your Rust code with extra careful debug checking" +categories: rust +--- + +Did you know that the standard library is full of useful checks that users never get to see? +There are plenty of debug assertions in the standard library that will do things like check that `char::from_u32_unchecked` is called on a valid `char`, that `CStr::from_bytes_with_nul_unchecked` does not have internal nul bytes, or that pointer functions such as `read`, `copy`, or `copy_nonoverlapping` are called on suitably aligned non-null (and non-overlapping) pointers. +However, the regular standard library that is distributed by rustup is compiled without debug assertions, so there is no easy way for users to benefit from all this extra checking. + + + +[`cargo careful`](https://github.com/RalfJung/cargo-careful) is here to close this gap: +when invoked the first time, it builds a standard library with debug assertions from source, and then runs your program or test suite with that standard library. +Installing `cargo careful` is as easy as `cargo install cargo-careful`, and then you can do `cargo careful run`/`cargo careful test` to execute your binary crates and test suites with an extra amount of debug checking. + +This will naturally be slower than a regular debug or release build, but it is *much* faster than executing your program in [Miri](https://github.com/rust-lang/miri) and still helps find some Undefined Behavior. +Unlike Miri, it is fully FFI-compatible (though the code behind the FFI barrier is completely unchecked). +Of course Miri is much more thorough and `cargo careful` will miss many problems (for instance, it cannot detect out-of-bounds pointer arithmetic -- but it *does* perform bounds checking on `get_unchecked` slice accesses). + +Note that for now, some of these checks (in particular for raw pointer methods) cause an abrupt abort of the program via SIGILL without a nice error message or backtrace. +There are probably ways to improve this in the future. +Meanwhile, if you have some `unsafe` code that for one reason or another you cannot test with Miri, give [`cargo careful`] a try and let me know how it is doing. :) + +[`cargo careful`]: https://github.com/RalfJung/cargo-careful -- 2.30.2 From 8d13548a457cbf0cce1b9cbfec282c8bcffe7746 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Mon, 26 Sep 2022 13:12:08 +0200 Subject: [PATCH 13/16] fix the title *oops* --- personal/_posts/2022-09-26-cargo-careful.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/personal/_posts/2022-09-26-cargo-careful.md b/personal/_posts/2022-09-26-cargo-careful.md index 28bfec9..36381ef 100644 --- a/personal/_posts/2022-09-26-cargo-careful.md +++ b/personal/_posts/2022-09-26-cargo-careful.md @@ -1,5 +1,5 @@ --- -title: "carego careful: run your Rust code with extra careful debug checking" +title: "cargo careful: run your Rust code with extra careful debug checking" categories: rust --- -- 2.30.2 From f009c167b41b9ca680340c6694fce16318ec2670 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Mon, 26 Sep 2022 13:13:12 +0200 Subject: [PATCH 14/16] add reddit link --- personal/_posts/2022-09-26-cargo-careful.md | 1 + 1 file changed, 1 insertion(+) diff --git a/personal/_posts/2022-09-26-cargo-careful.md b/personal/_posts/2022-09-26-cargo-careful.md index 36381ef..2c90da1 100644 --- a/personal/_posts/2022-09-26-cargo-careful.md +++ b/personal/_posts/2022-09-26-cargo-careful.md @@ -1,6 +1,7 @@ --- title: "cargo careful: run your Rust code with extra careful debug checking" categories: rust +eddit: /rust/comments/xogayv/cargo_careful_run_your_rust_code_with_extra/ --- Did you know that the standard library is full of useful checks that users never get to see? -- 2.30.2 From 68229b6543e6943883e988a8ddc24e524765b1e4 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Mon, 26 Sep 2022 13:13:37 +0200 Subject: [PATCH 15/16] fix typo --- personal/_posts/2022-09-26-cargo-careful.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/personal/_posts/2022-09-26-cargo-careful.md b/personal/_posts/2022-09-26-cargo-careful.md index 2c90da1..fbc49ca 100644 --- a/personal/_posts/2022-09-26-cargo-careful.md +++ b/personal/_posts/2022-09-26-cargo-careful.md @@ -1,7 +1,7 @@ --- title: "cargo careful: run your Rust code with extra careful debug checking" categories: rust -eddit: /rust/comments/xogayv/cargo_careful_run_your_rust_code_with_extra/ +reddit: /rust/comments/xogayv/cargo_careful_run_your_rust_code_with_extra/ --- Did you know that the standard library is full of useful checks that users never get to see? -- 2.30.2 From dae0e0ad81a42e13968764a30821b444b1dcba80 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Mon, 26 Sep 2022 15:28:12 +0200 Subject: [PATCH 16/16] advertise that I am looking for students :D --- personal/_posts/2022-09-26-cargo-careful.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/personal/_posts/2022-09-26-cargo-careful.md b/personal/_posts/2022-09-26-cargo-careful.md index fbc49ca..3a1fc6a 100644 --- a/personal/_posts/2022-09-26-cargo-careful.md +++ b/personal/_posts/2022-09-26-cargo-careful.md @@ -23,3 +23,5 @@ There are probably ways to improve this in the future. Meanwhile, if you have some `unsafe` code that for one reason or another you cannot test with Miri, give [`cargo careful`] a try and let me know how it is doing. :) [`cargo careful`]: https://github.com/RalfJung/cargo-careful + +*By the way, I am soon [starting as a professor at ETH Zürich]({% post_url 2022-08-16-eth %}), so if you are interested in working with me on programming language theory as a master student, PhD student, or post-doc, then please [reach out](https://research.ralfj.de/contact.html)!* -- 2.30.2