Safe System Programming

This is the home page for the "Safe System Programming" course. Here, you will find (in a badly-organised form) all the material, slides, and information needed to attend the course

For the previous edition of the course, check the old websites (2020 or 2022).

Lessons:

• First lesson: 2023/12/15, 9:00 -> 12:00 (video - in italian)
  • Introduction to the course
  • Programming languages and safety
• Second lesson: 2023/12/18, 9:00 -> 12:00 (video, part 1 and part 2 - in italian)
  • Something more on safety
  • Introduction to Rust
• Third lesson: 2024/01/12, 9:00 -> 11:00 (video - in italian)
  • More details on Rust
  • The Rust type system
  • Some programming examples
• Fourth lesson: 2024/01/19, 9:00 -> 11:00 (video - in italian)
  • Rust data types, again
  • Programming examples on Rust data types
• Fifth lesson: 2024/01/25, 9:00 -> 11:00 (video - in italian)
  • Rust advanced data types
  • Introduction to Rust abstractions
• Sixth lesson: 2024/02/02, 9:00 -> 11:00 (video - in italian)
  • Something mode on rust abstractions
  • Introduction to lifetimes
• Seventh lesson: 2024/02/09, 9:00 -> 11:00 (video - in italian)
  • Introduction to smart pointers in Rust
  • Some examples about the Box smart pointer (including RDT implementation: natural numbers according to Peano)
    • Implemening an add method for natural numbers
• Eighth lesson: 2024/02/16, 9:00 -> 11:00 (video - in italian)
  • Examples on various kinds of smart pointers
  • Implementing various kinds of lists
  • Some advanced topics such as closures, functions and friends (look at this document - in italian - for some important definitions about these concepts)
• Nineth lesson: 2024/02/23, 9:00 -> 11:00

Ideas about Possible Projects for the Exam

Links and other teaching material:

Here is a paper comparing the performance of user-space device drivers written in different languages.

In order to better understand Rust and some aspects of its design, it is important to know some concepts about programming languages (not directly related to Rust or to safe programming languages, but applicable to many different programming languages). Here is a simple document (in Italian) defining some of these important concepts.

The "inventor or NULL" apologizes for his billion dollar mistake (and here is a video of the presentation). Seriously speaking, the existence of NULL pointers/references can lead to many programming errors, and safe languages should not allow them; the solution to this issue is provided by the option types ("Nothing" cannot be dereferenced, and trying to dereference it results in a build-time error!).

Here is an example of NULL pointer derefencing in Java.

To understand where Rust's concept of ownership (and the move semantics) come from, have a look at Linear Types

On the internet it is possible to find a huge amount of tutorial showing how to write kernels, hypervisors or bare-metal applications in Rust. For example, look at Philipp Oppermann's blog (note: in the example showed during the course, Rust is used to code a library that is linked to some startup code written in Assembly; in the current version of the blog, Rust is used to write the main application, using a "bootloader" crate. The blog uses cargo --- in particular, cargo xbuild --- to cross-compile bare-metal Rust applications). The new version of the blog will show how to build and boot UEFI applications using rust. Other useful links can be toyos-rs and eduOS-rs.

Interesting news: QEMU developers are thinking about moving QEMU to Rust.

Check the infrastructure for building user-space VMMs in Rust.

Check the infrastructure for writing Linux kernel modules in Rust.

How to install Rust

The simplest way to install a Rust compiler is to use rustup: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh.

For other possible installation methods, use the OS package manager or see the Rust installation page.

Code examples:

First of all, some examples about safety: we all know that C is not a safe programming language, as shown by this example about out-of-boud access to an array, or by this example about a bad printf usage. Languages like C++ introduce a vector type to (partly) address some issues. Here is how Rust address the previous issues: print and array.

Some more examples about Rust. Notice that the return type of the main() function is omitted (a function returns a "unit" value by default) and notice the ";" after "println!()" (can it be omitted?).

• Simple "hello world" in Rust
• Example about a simple function in Rust (notice how the return value is passed)
• More complex example: computing the greatest common divisor of two numbers (and here is the recursive version)

Some examples about ownership and move semantics in Rust (do not care about syntax, Box, and new yet):

• Simple example of RAII in Rust: when p goes out of scope, the dynamically allocated structure is freed
• In Rust, assignments move the ownership of a value: this example does not build because after "p1 = p", p is not valid anymore
• p is not valid even after p1 goes out of scope. Hence, this example does not build too
• In this example, a new "p" variable shadows the old one. Try to comment out "let mut" in the second p definition, and see the result
• Instead of moving it, a value can be borrowed. In this case, the program build without issues
• A value can also be borrowed as mutable...
• ...Or borrowed multiple times...
• ...But borrowed values cannot be modified!

Some examples about Rust's data types:

• An example about using boolean predicates (in an "if" expression)
• Something about compound types:
  • A simple example with arrays. Notice how Rust performs array boundary checks at runtime, but errors such as accesses to "v[6]" are detected at build time
  • A similar example, passing the array as an argument to a function
  • An example with array slices
  • An example about structures
  • Another similar example, about tuple structures
  • Passing structures to a function... Note: can you use "s" again, after passing it to "display_struct()"?
  • Check this different implementation... Can you see why "s" can be used again, in this case?
  • How to associate a function to a structure. Notice that this is an associated structure, not a method.
• An example about parsing a string, showing that the type inference mechanism here needs some help...

More complex examples:

• Some examples on advanced data types and pattern matching:
  • Example about tuples and pattern matching
  • Again, with tuples as function parameters
  • Example about enumerated types
  • Same example, using C-like structures
• Some more examples on methods and associated function:
  • Passing an enumerated type to a function
  • Using a method instead
  • Another example with more methods and associated functions
• Some examples about traits and generics:
  • Example with a simple trait
  • Example of a generic structure depending on 2 type parameters
  • Example of a generic function exchanging the elements of a tuple (again, there are 2 type parameters)
  • Same example, with a different syntax to express trait bounds
• Examples about dynamic traits (trait objects):
  • Example of a figure trait, implementing an area() method. In this case, the compiler is able to perform the monomorphization of the print_area() function at build time! Notice that this function receives its parameter by value; what is the consequence of this?
  • Same example passing the argument by reference
  • Using a reference to dynamic trait (also called trait object) to resolve the method at runtime (no build-time monomorphization)
• About the Copy trait:
  • Enumerations have a move semantic for assignments, so this example does not build!
  • Implementing the Copy trait changes the assignment semantic, so this example builds
  • A different implementation of the clone() method
  • Deriving the Copy and Clone traits automatically
  • Implementing only the Clone trait is not enough

And now, some examples about smart pointers:

• Example of usage of a box to dynamically allocate memory. Memory is managed according to the RAII paradigm (a box can be used as a reference to the allocated memory; the memory is freed when the reference goes out of scope; assignment has a move semantic)
• Similar example with a box showing that even if the memory is dynamically allocated, a mutable reference cannot be taken if other reference to the variable already exist
• Example with a reference counter (Rc): in this case, the allocated data can have multiple owners (for every new owner, a reference counter is increased; when an owner is destroyed, the reference counter is decreased; when the reference counter is 0, the data is deallocated)
• Similar example showing that the clone() method of a reference counted smart pointer returns immutable references to the allocated data
• Example showing how to use a RefCell smart pointer to move borrow checking at runtime. The example compiles and runs without issues because "r1" and "r2" are immutable references... Hence, something like "r2.v = 0" will not compile. To make it compile, the "let r2 = cell.borrow();" must be changed to "let mut r2 = cell.borrow_mut();". With this change, the code will compile but will generate an exception at runtime (it is still illegal to borrow a mutable reference when other references are already been borrowed)
• Example showing how to use a RefCell smart pointer to borrow mutable and immutable references (at different times!)
• Another example about RefCell
• Yet another RefCell example showing runtime borrow checking (compiles, but generates an exception at runtime)
• Finally, here is how to combine RefCell and Rc to allow multiple mutable references (again, the check about no simultaneous mutable references is performed at runtime)

Some experiments implementing lists in Rust (see this tutorial for a more detailed description of more appropriate approaches):

• Simple example showing how to model immutable lists in Rust
• Other example using a "more traditional" node (notice the usage of Rc, to allow multiple references to each node, and Option, to avoid NULL)
• How NOT TO implement a doubly-linked list. Notice how the refcounting mechanism miserably fails, here!!!
• Better implementation of a doubly-linked list, using weak references. This time, the refcounting mechanism works correctly
• Same example, with a type alias definition, to make the code less verbose
• Simplifying even more, thanks to "use"

Examples about functions and closures:

• Rust functions are denotable, storable, and expressible entities...
• ...However, Rust functions cannot capture non-local entities! (in other words, a function has no environment binding non-local symbols) As a result, the program does not compile
• How to fix the previous program using a closure. Notice that the "n" variable is borrowed by the closure, not moved in the closure (it can still be used outside of the closure). Here is how to move the value in the closure (notice that Rust integers implement the Copy trait, so the program still compiles... Try using a structure instead of an integer!)
• Example showing that by default, closures capture references... Can you see why the program does not build? And how to fix it?
• Another example about capturing by move...

Some final examples, about threads:

• Simple example creating a parallel thread that counts from 1 to 9
• Similar example, passing a constant value to the thread body. Note that this is not a real argument passing (the argument must be a literal constant!).
• Creating multiple threads and passing multiple arguments to them. Notice that this works only because i32 implements the Copy trait
• The thread body is a closure, and captures references to non-local symbols... Hence, this example does not build (the reference to "n" in the thread can have a longer lifetime than "n")
• The issue with the previous example can be fixed by moving "n" in the closure/thread body
• Notice that the moved value cannot be used in the main thread
• To really share a variable between the two threads, Arc and Mutex are needed. Notice how verbose the access to the shared variable is
  • Here is a simpler version, using the .unwrap() method.

How to use the Option type, with some simplifications.

Very simple kernel written in Rust, and a similar one based on UEFI.