Rust

The poster child for memory safety

Rust's memory safety relies on two main principles: ownership and borrowing.

Every value in Rust has an owner, meaning that at any given point in the code there is one thing that can have read/write control over the value. Ownership can be borrowed temporarily, but this is tracked by Rust's compiler and the violation of any ownership rules does not compile.

This is a different approach to other programming languages. As we have seen so far, C has no such concept of memory safety. Higher-level managed languages, such as Python, Java or C#, handle memory-safety in the runtime. This compromises speed, as well as the requirement of a runtime.

This article has a good explanation, as does this Stack Overflow post. The official documentation for this topic is also fantastic.

Ownership

Consider the following code:

fn main() {
    let original = "Hello, World!".to_string();
    let other = original;
    println!("{}", original);
}

While this is valid in many other languages, Rust will throw an error here because the value is moved.

error[E0382]: borrow of moved value: `original`
 --> src/main.rs:4:20
  |
2 |     let original = "Hello, World!".to_string();
  |         -------- move occurs because `original` has type `String`, which does not implement the `Copy` trait
3 |     let other = original;
  |                 -------- value moved here
4 |     println!("{}", original);
  |                    ^^^^^^^^ value borrowed here after move

In the second line, as soon as we define other, it becomes invalid to use original again. This protects against double-frees, use-after-frees and any other sorts of vulnerabilities that can arise due to dangling pointers.

Note that the error talks about how the type String does not implement the Copy trait. If a type does implement this, then an assignment like the second line here would duplicate the variable, copying all of the bits over. This wouldn't cause an issue, as there are two distinct variables owning their respective values. What Rust does not want is two variables refering to the same data in memory, which would occur for String types as they are just pointers to the actual string in memory.

Borrowing

Instead of copying data or transferring ownership, Rust allows you to borrow data. This borrowing can be done immutably or mutably. There are restrictions on borrowing which prevent data races, iterator invalidation and bugs caused by concurrency.

Immutable Borrowing

Immutable borrowing allows for read-only borrows. There can be an any number of these borrows at any one time:

fn main() {
    let original = "Hello, World!".to_string();
    let a = &original;
    let b = &original;

    println!("{}", a);
    println!("{}", b);
}

This compiles correctly, and acts as you would expect.

Mutable Borrowing

Mutable borrowing is a read/write borrow.

fn main() {
    let mut original = "Hello, World!".to_string();
    let a = &mut original;

    println!("{}", a);
    *a = "Test".to_string();
    println!("{}", a);
}

However, to prevent bugs such as data races, we cannot have two mutable borrows:

fn main() {
    let mut original = "Hello, World!".to_string();
    let a = &mut original;
    let b = &mut original;

    println!("{}", a);
    *a = "Test".to_string();
    println!("{}", a);
    println!("{}", b);
}

error[E0499]: cannot borrow `original` as mutable more than once at a time
 --> src/main.rs:4:13
  |
3 |     let a = &mut original;
  |             ------------- first mutable borrow occurs here
4 |     let b = &mut original;
  |             ^^^^^^^^^^^^^ second mutable borrow occurs here
5 |
6 |     println!("{}", a);
  |                    - first borrow later used here

Similarly, we actually can't take an immutable reference either!

fn main() {
    let mut original = "Hello, World!".to_string();
    let a = &mut original;
    let b = &original;

    println!("{}", a);
    *a = "Test".to_string();
    println!("{}", a);
    println!("{}", b);
}

error[E0502]: cannot borrow `original` as immutable because it is also borrowed as mutable
 --> src/main.rs:4:13
  |
3 |     let a = &mut original;
  |             ------------- mutable borrow occurs here
4 |     let b = &original;
  |             ^^^^^^^^^ immutable borrow occurs here
5 |
6 |     println!("{}", a);
  |                    - mutable borrow later used here

So we can have either

• one mutable borrow

• any number of immutable borrows

But it is not allowed for us to mix and match - the compiler enforces this.

Notably, even if the borrow is immutable we are unable to modify the original mutable variable. Take the following example:

fn main() {
    let mut original = "Hello, World!".to_string();
    let a = &original;

    println!("{}", a);
    original = "wot".to_string();
    println!("{}", a);
}

We get the error

error[E0506]: cannot assign to `original` because it is borrowed
 --> src/main.rs:6:5
  |
3 |     let a = &original;
  |             --------- `original` is borrowed here
...
6 |     original = "wot".to_string();
  |     ^^^^^^^^ `original` is assigned to here but it was already borrowed
7 |     println!("{}", a);
  |                    - borrow later used here

Coming from a language like C, we can be forgiven for thinking that we can get a pointer to a variable and, once the variable is modified, read the new value with this pointer. But Rust doesn't allow that!

Lifetimes

A lifetime is what the compiler's borrow checker uses to ensure borrows are valid. A lifetime begins when a variable is created, and ends when it is destroyed. The Rust book has a fantastic description of lifetimes, as well as how you can explicitly control them. The idea is that a variable is tied to the existence of other variables, and dies once they die.

Think about this example:

let r;
{
    let x = 5;
    r = &x;
}

println!("r: {}", r);

In something like C, x would go out of scope and die once the } ends the scope, while r lives on as a dangling reference to where x would have been. In Rust, the compiler catches this and refuses to compile.

error[E0597]: `x` does not live long enough
 --> src/main.rs:5:13
  |
4 |         let x = 5;
  |             - binding `x` declared here
5 |         r = &x;
  |             ^^ borrowed value does not live long enough
6 |     }
  |     - `x` dropped here while still borrowed
7 |
8 |     println!("r: {}", r);
  |                       - borrow later used here

Meanwhile, if we move the println! into the scope defined by the {}, the program compiles fine as x lives long enough for the borrowed value to be used.

No Null Pointers

Rust does not have null pointers - cases must be handled explicitly. This prevents null pointer dereferences and maybe-null bugs.

Out of Bounds

Rust performs out-of-bounds checking at compilation time, but if this is impossible (e.g. the index is provided by the user), it automatically includes runtime OOB checks. Take the following code for example:

use std::io;

fn main() {
    let arr = [10, 20, 30];

    println!("Enter an index:");

    let mut input = String::new();
    io::stdin().read_line(&mut input).unwrap();

    let index: usize = input.trim().parse().unwrap();
    let value = arr[index];

    println!("Value: {}", value);
}

If we run the program and input 5, which is OOB, the program panics:

thread 'main' (7216640) panicked at src/main.rs:13:17:
index out of bounds: the len is 3 but the index is 5