Rust: No Fear Systems Dev

Felix Klock (@pnkfelix), Mozilla Research

MarComms Agency Day, Paris; 8 Sept 2016

Slides: http://bit.ly/2c0zILe

(space: next slide; shiftspace: previous slide; esc: overview; arrows navigate)

What

Rust: new systems programming language

Mozilla: building new high-perf. browser technology atop Rust

Servo: Browser research platform

Demo: WebRender

https://youtu.be/u0hYIRQRiws

Browser Frames/Second
Chrome 15 fps
Firefox 9 fps
Safari 5 fps
Servo WebRender (web content atop GPU) 60 fps

Background

Systems

Systems Programmers make:

  • Browsers

  • Operating Systems

  • Game Engines

  • Mobile Apps

Willing to invest great effort to optimize resource usage (e.g. low memory overhead), and runtime performance.

Programming Languages

So many to choose from

Actionscript, C, C#, C++, Clojure, Fortran, Go, Java, Javascript, Python, Ruby, Visual Basic, ...

Programming Languages

So many to choose from

Actionscript, C, C#, C++, Clojure, Fortran, Go, Java, Javascript, Python, Ruby, Visual Basic, ...

Most not suitable for systems development ...

  • hard-to-predict or poor performance

Programming Languages

So many to choose from

Actionscript, C, C#, C++, Clojure, Fortran, Go, Java, Javascript, Python, Ruby, Visual Basic, ...

Most not suitable for systems development ...

  • hard-to-predict or poor performance

  • reliance on hard-to-manage runtime machinery e.g. "garbage collection" or atomic ref-counting

... but the languages remaining are unsafe ...

  • bugs might crash application, corrupt data, exposure to "pwnage"

... and complicate utilization of available (multicore) parallelism.

Programming is Hard

Example systems code: direct access to bytes in memory

buffer = new String("Hello");
buf: String data: length: 5 capacity: 8 'H' | 'e' | 'l' | 'l' | 'o' | | |

Example systems code: direct access to bytes in memory

buffer = new String("Hello");  interior = &buffer[2..];  assert_eq!(interior[0], 'l');
buf: String data: length: 5 capacity: 8 'H' | 'e' | 'l' | 'l' | 'o' | | | interior: 
buffer.append(" all!"); // adds five more bytes
buf: String data: 'H' | 'e' | 'l' | 'l' | 'o' | ' ' | 'a' | 'l' | 'l' | '!' | | length:10 capacity:12 'H' | 'e' | 'l' | 'l' | 'o' | | | interior: dangling reference! 
assert_eq!(interior[0], 💣); // 😱

Even Worse: Multithreaded Code

Thread 1 Thread 2 buf: String :buf data: length capacity 'H' | 'e' | 'l' | 'l' | 'o' | | |
Thread 1 Thread 2
buf.append(" left"); buf.append(" right");

Both threads want to update buf

What is outcome?

  • "Hello left right" ?

  • "Hello right left" ?

Again, must reallocate underlying buffer

Thread 1 Thread 2 buf: String :buf data: length capacity 'H' | 'e' | 'l' | 'l' | 'o' | | | tmp: :tmp 'H' | 'e' | 'l' | 'l' | 'o' | | 'r' | 'i' | 'g' | 'h' | 't' | 'H' | 'e' | 'l' | 'l' | 'o' | | 'l' | 'e' | 'f' | 't' | |

Data Race! At end could be any of:

  • "Hello left right" (Thread 1 finishes before Thread 2 starts)

  • "Hello right left" (Thread 2 finishes before Thread 1 starts)

  • "Hello left" (Both start at same time, Thread 2 "wins")

  • "Hello right" (Both start at same time, Thread 1 "wins")

Enter Rust

Objective

Prevent all bugs of this nature

If your Rust code compiles, it does not have:

  • dangling references

  • buffer overflows

  • crashes (segmentation faults)

  • remote code execution vulnerabilities

  • data race conditions (big win for parallel systems)

No popular systems language offers all of above properties

(only ones from research labs)

Why Mozilla Invests

  • Hard to prototype changes atop C++ (e.g. Firefox today yesterday)

  • Rust ⇒ Servo; Servo ⇒ Parallel CSS, WebRender

  • Want Rust for next-gen infrastructure (services, IoT)

Mozilla's mission statement

"Our mission is to ensure the Internet is a global public resource, open and accessible to all. An Internet that truly puts people first, where individuals can shape their own experience and are empowered, safe and independent."

Open and Accessible to All

Open and Accessible to All

Original audience was systems programmers: C/C++, focus on enabling interoperation between Rust and C

But: also have attention from elsewhere

From 2016 Survey
From 2016 Survey

Of 1987 Rust users surveyed, 732 left C and C++ unchecked

Enabling systems programming for those without such experience!

Open Source, Open Community

Rust has been open source since the beginning

Open governance model based on public RFCs

We have an active, amazing community

Language Wars

Community

We have had a code of conduct from the outset, stressing inclusiveness, and evolving it as needed

The Rust community seems to be populated entirely by human beings. I have no idea how this was done. I suspect Graydon Hoare deserves a large share of the credit for leading by example but everyone I have interacted with in the community has been friendly and patient.

http://scattered-thoughts.net/blog/2015/06/04/three-months-of-rust/

We still need help improving diversity, though; see 2016 survey.

Projects are pivoting to Rust

  • Skylight swapped Rust for Ruby back in 2014

  • Maidsafe went from C++ to Rust in 2015

  • Dropbox moved Diskotech from Go to Rust in 2016

  • and ported Broti compression from C to Rust too

  • Friends of Rust: organizations using Rust in production

How to "sell" Rust?

  • If you are a C/C++ programmer ...

  • ... tired of debugging crashes and/or multithreaded programs

You might want to try Rust

  • If you are a "high-level programmer" (Javascript, Ruby) ...

  • ... and you want to expand your mind/skill-set

You might want to try Rust

What's Next

What's Next

Browser Technology

  • Firefox 48 had the first bits of Rust (media parser)

  • Servo marches on (e.g WebRender 2)

  • Incremental integration with Gecko (e.g. Stylo); want "best of both worlds"

To learn more, contact the Servo team, especially @pcwalton

Or try out Servo yourself! Nightlies

What's next

For Rust itself

Still establishing vision for 2017; discussion link

Initial proposals:

  • Lower learning curve

  • Faster compiler

  • Integrated Dev Environment (IDE) support

  • Advanced abstractions for concurrency and parallelism

  • More seamless Foreign Function Interface (FFI)

Thanks

"Hack Without Fear" https://www.rust-lang.org/