What the &~#@<!? (Memory Management in Rust)

Operating Systems course lecture on memory management in Rust.

Browser design from the 1990s (one process) to the 2000s (one process per tab) to the 2010s and beyond (enough processes to efficiently use machine resources to provide a good user experience).

malloc, free, double-free vulnerabilities


  1. cs4414 Fall 2013, University of Virginia, David Evans
  2. Plan for Today: some early comments on PS2 (how many processes?); explicit vs. implicit memory management; pointers in Rust. Notes for today will be posted later today.
     21 September 2013 University of Virginia cs4414 1
  3. (no text on slide)
  4. How many processes should a browser create? New challenge for Exercises 1 & 2: what is the fewest number of processes you can have running on your machine?
  5. 1990s answer: 1 process, since processes waste memory and CPU, which are expensive and limited.
  6. 2000s answer: http://www.google.com/googlebooks/chrome/
  7. (no text on slide)
  8. (no text on slide)
  9. "Start from Scratch" = start from scratch, constrained by using programming tools and methods developed in the 1960s.
  10. What should the 2010s answer be?
  11. Samsung Galaxy S4: only two colors, but 4-8 cores! (+ loads of GPU cores). Apple iPhone 5C: five colors, 2 cores! Note: the colors vs. cores tradeoff can probably be overcome by good engineering, but addressing the energy vs. cores tradeoff requires some theoretical advances as well.
  12. Humans should not be getting bored and grumpy waiting for their browser to render a page while cores are sitting idle!
  13. "Start from Scratch" = start from scratch, constrained by using programming tools and methods developed in the 1960s.
  14. 2010s answer: A modern browser should have enough processes to efficiently use all the machine resources available to provide human users with a good browsing experience! Unfortunately, it is not (humanly) possible to build such a browser (in a way that will also be secure, robust, and reliable) using languages whose primary design goal was to fit on a 4K machine.
  15. Why do our Rust stickers have a gear on them? Servo: the main reason Rust is being developed is so Mozilla can build a better browser!
  16. Really starting from scratch is really hard... this is why getting Servo to the point where it can render a static page is cake-worthy!
  17. What Dave was doing when you were learning to crawl...
  18. ACM Foundations in Software Engineering, 1994
  19. comp.os.linux post, August 1994
  20. Memory management in C

         $ man malloc   # on my Macbook Air
         MALLOC(3)                BSD Library Functions Manual
         SYNOPSIS
              ...
              void free(void *ptr);
              void *malloc(size_t size);
              ...
         DESCRIPTION
              The malloc(), calloc(), valloc(), realloc(), and reallocf() functions
              allocate memory. The allocated memory is aligned such that it can be
              used for any data type, .... The free() function frees allocations
              that were created via the preceding allocation functions. The malloc()
              function allocates size bytes of memory and returns a pointer to the
              allocated memory.

  21. toofree.c, first version (the allocation is never freed):

         #include <stdlib.h>
         #include <stdio.h>

         int main(int _argc, char **_argv) {
             int *x = (int *) malloc(sizeof(*x));
             *x = 4414;
             printf("x = %d\n", *x);
             return 0;
         }

         gash> gcc -Wall toofree.c
         gash> ./a.out
         x = 4414

  22. toofree.c with a free() added before the read:

         #include <stdlib.h>
         #include <stdio.h>

         int main(int _argc, char **_argv) {
             int *x = (int *) malloc(sizeof(*x));
             *x = 4414;
             free(x);
             printf("x = %d\n", *x);   /* reads memory that was just freed */
             return 0;
         }

         gash> gcc -Wall toofree.c
         gash> ./a.out
         x = 4414

  23. toofree.c with free() called twice on the same pointer:

         #include <stdlib.h>
         #include <stdio.h>

         int main(int _argc, char **_argv) {
             int *x = (int *) malloc(sizeof(*x));
             *x = 4414;
             free(x);
             free(x);                  /* double free */
             printf("x = %d\n", *x);
             return 0;
         }

         gash> gcc -Wall toofree.c
         gash> ./a.out
         a.out(23685) malloc: *** error for object 0x10a1008d0: pointer being freed was not allocated
         *** set a breakpoint in malloc_error_break to debug
         Abort trap: 6

     Note: this is what happens to happen on my computer, but the C behavior is undefined. It would be "correct" for a C program like this to do absolutely anything!
  24. This gets tricky...

         /* from locale.h */
         struct lconv {
             char *decimal_point;
             char *thousands_sep;
             char *grouping;
             char *int_curr_symbol;
             char *currency_symbol;
             ...
         };

         // in my code...
         struct lconv *local = localeconv();
         ...
         free(local->decimal_point);   // ?
         free(local);                  // ?

  25. Should we really care? November 2009
  26. (no text on slide)
  27. (no text on slide)
  28. http://www.phrack.org/issues.html?issue=61&id=6
  29. (Why) Doesn't C++ solve this? new = malloc, delete = free
  30. Doesn't Java solve this?
  31. (no text on slide)
  32. (Advanced "comic book" version of GC)
  33. Getting back to my story...
  34. "Willy-Nilly" Memory Management vs. Systematic Memory Management
  35. Static Detection of Dynamic Memory Errors, David Evans, PLDI May 1996
  36. Static Detection of Dynamic Memory Errors, David Evans, PLDI May 1996
  37. Note: these are "compile-time" errors (just produced by a separate tool). Static Detection of Dynamic Memory Errors, David Evans, PLDI May 1996
  38. Annotations? Where we are going, we don't need annotations!
  39. "A box is a reference to a heap allocation holding another value. There are two kinds of boxes: managed boxes and owned boxes. An owned box type or value is constructed by the prefix tilde sigil ~." (Rust Manual, Section 9.1.4)

         extern /*@only@*/ char *gname;
         void setName(/*@temp@*/ char *pname) {
             gname = pname;
         }

  40. Same manual quote and the same annotated C, alongside the Rust version:

         extern /*@only@*/ char *gname;
         void setName(/*@temp@*/ char *pname) {
             gname = pname;
         }

         static gname : ~str = ~"";
         fn set_name(pname : &str) {
             gname = pname;
         }

     [Note: we can't really have a global, owned string like this in Rust.]

  41. What the tools say:

         extern /*@only@*/ char *gname;
         void setName(/*@temp@*/ char *pname) {
             gname = pname;
         }

         gash> splint sample.c
         sample.c:5: Only storage gname not released before assignment: gname = pname
            sample.c:1: Storage gname becomes only
         sample.c:5: Temp storage pname assigned to only: gname = pname
            sample.c:3: Storage pname becomes temp

         static gname : ~str = ~"Where we're going, we don't need roads!";
         fn set_name(pname : &str) {
             gname = pname;
         }

         gash> rustc sample.rs
         sample.rs:4:12: 4:17 error: mismatched types: expected `~str` but found `&str` (str storage differs: expected ~ but found &)
         sample.rs:4     gname = pname;

  42. Changing the parameter to an owned string moves the error to the caller:

         static gname : ~str = ~"annotations";
         fn set_name(pname : ~str) {
             gname = pname;
         }

         fn main() {
             set_name("roads");
         }

         gash> rustc sample2.rs
         sample2.rs:8:13: 8:20 error: mismatched types: expected `~str` but found `&'static str` (str storage differs: expected ~ but found &'static )
         sample2.rs:8     set_name("roads");

  43. A version that compiles (good.rs):

         fn set_name(gname : &mut ~str, pname : ~str) {
             *gname = pname;
         }

         fn main() {
             let mut gname : ~str = ~"annotations";
             println(fmt!("gname = %s", gname));
             set_name(&mut gname, ~"frees");
             println(fmt!("gname = %s", gname));
         }

         gash> rust run good.rs
         gname = annotations
         gname = frees

  44. Why doesn't Rust complain about the missing free?

         fn set_name(gname : &mut ~str, pname : ~str) {
             *gname = pname;
         }

  45. Free()s? Where we are going, we don't need free()s!
  46. PS2 is due Monday, Sept 30. You can use any language you want for this, but if your submission has any double-free vulnerabilities, buffer overflow vulnerabilities, or memory leaks, you get a -10 on this assignment. Managing memory safely and explicitly gets really complicated, since we often do want to share objects. We'll talk about the pointer types Rust provides for more complex sharing next class.
  47. Charge. Next class: complexities of memory management. PS2 is due Monday, 30 September. https://botbot.me/mozilla/rust/
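The question on slide 44 (why the missing free() in good.rs is not an error) can be made visible at runtime. The block below is an added example, not code from the lecture, written in current Rust where String/Box<str> stand in for the 2013-era ~str; the Name type and its FREED log are constructed so that each release of a heap string is recorded, showing that the old value is freed by the assignment in set_name and that every allocation is freed exactly once.

```rust
// Added example in current Rust (String/Box<str> stand in for the 2013 ~str):
// moving an owned value into an owned slot, as in the slides' set_name, frees
// the previous value at the assignment, so no free() is written or needed.
use std::cell::RefCell;

// Constructed log of released heap strings, so the drops are observable.
thread_local! {
    static FREED: RefCell<Vec<String>> = RefCell::new(Vec::new());
}

// An owned heap string that records when its allocation is released.
struct Name(Box<str>);

impl Name {
    fn new(s: &str) -> Name {
        Name(s.into())
    }
}

impl Drop for Name {
    fn drop(&mut self) {
        FREED.with(|f| f.borrow_mut().push(self.0.to_string()));
    }
}

// Same shape as good.rs: the caller lends its slot mutably, the new name is
// moved in, and the old owned value is dropped right here, not by a free().
fn set_name(gname: &mut Name, pname: Name) {
    *gname = pname;
}

/// Runs the slides' sequence; returns (name after set_name, names freed).
pub fn run() -> (String, Vec<String>) {
    FREED.with(|f| f.borrow_mut().clear());
    let mut gname = Name::new("annotations");
    set_name(&mut gname, Name::new("frees")); // "annotations" released here
    let current = gname.0.to_string();
    drop(gname); // end of ownership; any later use of gname would not compile
    let freed = FREED.with(|f| f.borrow().clone());
    (current, freed) // two allocations, two releases: no leak, no double free
}

fn main() {
    let (name, freed) = run();
    println!("gname = {}; freed: {:?}", name, freed);
}
```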
