A Study of Undefined Behavior Across Foreign Function Boundaries in Rust Libraries
arXiv (2024)
Abstract
The Rust programming language restricts aliasing and mutability to provide
static safety guarantees, which developers rely on to write secure and
performant applications. However, Rust is frequently used to interoperate with
other languages that have far weaker restrictions. These languages support
cyclic and self-referential design patterns that conflict with current models
of Rust's operational semantics, representing a potentially significant source
of undefined behavior that no current tools can detect. We created MiriLLI, a
tool which uses existing Rust and LLVM interpreters to jointly execute
multi-language Rust applications. We used our tool in a large-scale study of
Rust libraries that call foreign functions, and we found 45 instances of
undefined or undesirable behavior. These include four bugs from libraries that
had over 10,000 daily downloads on average, one from a component of the GNU
Compiler Collection (GCC), and one from a library maintained by the Rust
Project. Most of these errors were caused by incompatible aliasing and
initialization patterns, incorrect foreign function bindings, and invalid type
conversion. The majority of aliasing violations were caused by unsound
operations in Rust, but they occurred in foreign code. The Rust community must
invest in new tools for validating multi-language programs to ensure that
developers can easily detect and fix these errors.
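The abstract names three error classes at the foreign function boundary: incompatible aliasing and initialization patterns, incorrect bindings, and invalid type conversion. The Rust block below is an added illustration of the sound side of each, not code from the paper or from MiriLLI. The `foreign_*` functions are hypothetical stand-ins written in Rust with the C ABI so that the block runs on its own; in a real project they would be C code declared in an `extern "C" { ... }` block with the same signatures. All names and the sample values are assumptions made for the example.

```rust
// Added example, not from the paper or MiriLLI. The "foreign" functions are
// stand-ins written in Rust with the C ABI so the block runs stand-alone; in a
// real project they would be C code declared in an `extern "C" { ... }` block.
use std::mem::MaybeUninit;
use std::os::raw::{c_int, c_uchar, c_void};
use std::ptr;

/// Stand-in for C `int foreign_fill(unsigned char *buf, size_t len)`: writes
/// `len` bytes into `buf`, which may be uninitialized, and returns a C-style
/// truth value. C may return any non-zero int for "true"; this one returns 2.
pub extern "C" fn foreign_fill(buf: *mut c_uchar, len: usize) -> c_int {
    if buf.is_null() {
        return 0;
    }
    for i in 0..len {
        // SAFETY (foreign side): the caller promises `len` writable bytes at `buf`.
        unsafe { buf.add(i).write((i * 3) as c_uchar) };
    }
    2
}

/// Stand-in for a C library that retains a context pointer across calls
/// (`void foreign_set_ctx(void *ctx)` / `void foreign_bump(void)`). Retained
/// pointers are common in C and conflict with the uniqueness of Rust's `&mut`.
static mut CTX: *mut c_void = ptr::null_mut();

pub extern "C" fn foreign_set_ctx(ctx: *mut c_void) {
    // SAFETY: single-threaded use of the global in this example.
    unsafe { CTX = ctx };
}

pub extern "C" fn foreign_bump() {
    // SAFETY (foreign side): the caller keeps `ctx` alive and writable.
    unsafe {
        if !CTX.is_null() {
            *(CTX as *mut u32) += 1;
        }
    }
}

/// Initialization done right: hand foreign code a `MaybeUninit` buffer and call
/// `assume_init` only after it reports success. The binding declares the flag
/// as `c_int`, not `bool`: a return of 2 is a valid C truth value but an invalid
/// bit pattern for a Rust `bool`, so a binding written as `-> bool` would be UB.
pub fn fill_buffer<const N: usize>() -> Option<[u8; N]> {
    let mut buf = MaybeUninit::<[u8; N]>::uninit();
    let ok = foreign_fill(buf.as_mut_ptr() as *mut c_uchar, N) != 0;
    if ok {
        // SAFETY: foreign_fill reported that it wrote all N bytes.
        Some(unsafe { buf.assume_init() })
    } else {
        None
    }
}

/// Aliasing done right: the counter lives behind a raw pointer for as long as
/// foreign code may write through it. Creating a `&mut u32` to it and using
/// that reference while the foreign copy of the pointer is still live would
/// invalidate the foreign pointer under Stacked Borrows: the unsound step is
/// on the Rust side, but the invalid access happens in the foreign code.
pub fn count_with_foreign_ctx(bumps: usize) -> u32 {
    let ctx: *mut u32 = Box::into_raw(Box::new(0u32));
    foreign_set_ctx(ctx as *mut c_void);
    for _ in 0..bumps {
        foreign_bump();
    }
    foreign_set_ctx(ptr::null_mut()); // detach before Rust reclaims ownership
    // SAFETY: `ctx` came from Box::into_raw and foreign code no longer holds it.
    let counter = unsafe { Box::from_raw(ctx) };
    *counter
}

fn main() {
    let buf = fill_buffer::<8>().expect("foreign_fill failed");
    println!("buffer = {:?}", buf);
    println!("count = {}", count_with_foreign_ctx(5));
}
```

Running the block under Miri (`cargo +nightly miri run`) checks only the Rust side of these rules; once the foreign functions are real C code, Miri cannot see their pointer uses, which is the gap the paper's joint interpretation addresses.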