What the &~#@<!? (Memory Management in Rust)

cs4414 Fall 2013
University of Virginia
David Evans

Plan for Today
Some early comments on PS2 (how many
processes?)
Explicit vs. implicit memory management
Pointers in Rust
21 September 2013 University of Virginia cs4414 1
Notes for today will be posted later today.

How many processes should a
browser create?
New challenge for Exercise 1 & 2: what is the fewest number of processes you can
have running on your machine?

1990’s answer:
1 process since
processes waste
memory and CPU
which are expensive
and limited

2000s answer:
http://www.google.com/googlebooks/chrome/

“Start from Scratch” = start from scratch
constrained by using programming tools
and methods developed in the 1960s

What should the 2010s answer be?

Only two colors, but 4-8 cores!
(+ loads of GPU cores)
Samsung Galaxy S4
Apple iPhone 5C
Five colors, 2 cores!
Note: the colors vs. cores tradeoff can probably be overcome by good engineering,
but addressing the energy vs. cores tradeoffs require some theoretical advances also.

Humans should not
be getting bored and
grumpy waiting for
their browser to
render a page while
cores are sitting idle!

“Start from Scratch” = start from scratch
constrained by using programming tools
and methods developed in the 1960s

2010s answer:
A modern browser should have enough
processes to efficiently use all the machine
resources available to provide human users
with a good browsing experience!
Unfortunately, it is not
(humanly) possible to build such
a browser (in a way that will
also be secure, robust, and
reliable) using languages whose
primary design goal was to fit
on a 4K machine.

Why do our
Rust stickers
have a gear
on them?
Servo: the main reason
Rust is being developed is
so Mozilla can build a
better browser!

Really starting from
scratch is really hard…
this is why getting
Servo to the point
where it can render a
static page is cake-
worthy!

What Dave was doing when you
were learning to crawl…

ACM Foundations in Software Engineering, 1994

comp.os.linux post, August 1994

$ man malloc # on my Macbook Air
MALLOC(3) BSD Library Functions Manual
SYNOPSIS
...
void free(void *ptr);
void *malloc(size_t size);
...
DESCRIPTION
The malloc(), calloc(), valloc(), realloc(), and reallocf() functions
allocate memory. The allocated memory is aligned such that it can
be used for any data type, …. The free() function frees allocations
that were created via the preceding allocation functions.
The malloc() function allocates size bytes of memory and returns a
pointer to the allocated memory.
MemorymanagementinC

# include <stdlib.h>
# include <stdio.h>
int main(int _argc, char **_argv) {
int *x = (int *) malloc (sizeof(*x));
*x = 4414;
printf("x = %dn", *x);
return 0;
}
gash> gcc -Wall toofree.c
gash> ./a.out
x = 4414

# include <stdio.h>
*x = 4414;
free(x);
return 0;
}
gash> ./a.out
x = 4414

# include <stdio.h>
*x = 4414;
free(x);
free(x);
return 0;
}
gash> ./a.out
a.out(23685) malloc: *** error for object 0x10a1008d0:
pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug
Abort trap: 6
Note: this is what happens to
happen on my computer, but the C
behavior is undefined. It would be
“correct” for a C program like this
to do absolutely anything!

This gets
tricky…
(from locale.h)
struct lconv
{
char *decimal_point;
char *thousands_sep;
char *grouping;
char *int_curr_symbol;
char *currency_symbol;
… } ;
// in my code…
struct lconv *local = localeconv (void);
…
free(local->decimal_point); // ?
free(local); // ?

Should we really care?
November 2009

http://www.phrack.org/issues.html?issue=61&id=6

(Why) Doesn’t C++ solve this?
new = malloc
delete = free

Doesn’t Java solve this?

(Advanced “comic book” version of GC)

Getting back to my story…

“Willy-Nilly” Memory Management
Systematic Memory Management

Static Detection of Dynamic Memory Errors, David Evans, PLDI May 1996

Note: these are “compile-time” errors (just produced by a separate tool).

Annotations?
Where we are going,
we don’t need
annotations!

A box is a reference to a heap allocation holding another value.
There are two kinds of boxes: managed boxes and owned boxes.
An owned box type or value is constructed by the prefix tilde sigil ~.
Rust Manual, Section 9.1.4
extern /*@only@*/ char *gname;
void setName(/*@temp@*/ char *pname) {
gname = pname;
}

A box is a reference to a heap allocation holding another value.
There are two kinds of boxes: managed boxes and owned boxes.
An owned box type or value is constructed by the prefix tilde sigil ~.
Rust Manual, Section 9.1.4
gname = pname;
}
static gname : ~str = ~"";
fn set_name(pname : &str) {
gname = pname;
}
*Note: we can’t really have a global, owned string like this in Rust.+

gname = pname;
}
gash> splint sample.c
sample.c:5: Only storage gname not released before assignment:
gname = pname
sample.c:1: Storage gname becomes only
sample.c:5: Temp storage pname assigned to only: gname = pname
sample.c:3: Storage pname becomes temp
static gname : ~str = ~"Where we're going, we don't need roads!”;
fn set_name(pname : &str) {
gname = pname;
}
gash> rustc sample.rs
sample.rs:4:12: 4:17 error: mismatched types: expected `~str` but found `&str`
(str storage differs: expected ~ but found &)
sample.rs:4 gname = pname;

static gname : ~str = ~"annotations";
fn set_name(pname : ~str) {
gname = pname;
}
fn main() {
set_name("roads");
}
gash> rustc sample2.rs
sample2.rs:8:13: 8:20 error: mismatched types: expected
`~str` but found `&'static str` (str storage differs: expected ~
but found &'static )
sample2.rs:8 set_name("roads");

fn set_name(gname : &mut ~str, pname : ~str) {
*gname = pname;
}
fn main() {
let mut gname : ~str = ~"annotations";
println(fmt!("gname = %s", gname));
set_name(&mut gname, ~"frees");
println(fmt!("gname = %s", gname));
}
gash> rust run good.rs
gname = annotations
gname = frees

Why doesn’t Rust complain about the missing free?
fn set_name(gname : &mut ~str, pname : ~str) {
*gname = pname;
}

Free()s?
Where we are going,
we don’t need free()s!

PS2 is due Monday Sept 30.
You can use any language you want for this, but if
your submission has any double-free vulnerabilities,
buffer overflow vulnerabilities, or memory leaks you
get a -10 on this assignment.
Managing memory safely and explicitly gets really
complicated since we often do want to share
objects. We’ll talk about pointer types Rust
provides for more complex sharing next class.

Charge
Next class: complexities of memory
management
PS2 is due Monday, 30 September
https://botbot.me/mozilla/rust/

What the &~#@&lt;!? (Memory Management in Rust)

More Related Content

Viewers also liked

Similar to What the &~#@&lt;!? (Memory Management in Rust)

More from David Evans

Recently uploaded

What the &~#@&lt;!? (Memory Management in Rust)

What the &~#@<!? (Memory Management in Rust)

Similar to What the &~#@<!? (Memory Management in Rust)

What the &~#@<!? (Memory Management in Rust)