How Defined Is Rust?

How Defined Is Rust?

Florian “Florob” Zeitz, 2019-08-07

Outline
- 1 Scope
- 2 Undefined behaviour
- 3 Arithmetic
- 4 Conversions
- 5 Aliasing

Section 1: Scope

Previously
- this talk is based around an older one, “What you thought you knew about C”
- stripped down the C parts
- added Rust’s perspective
- not meant to be C bashing/zealotry
- if you care about C look on media.ccc.de: sigint12 (english), CCCAC 2015 (german)

Disclaimer: What are we talking about?
- C99 and/or C11
- not necessarily C++
- but Objective-C, as it works as a real superset
- Rust as of today (many things still being discussed)

Section 2: Undefined behaviour

What’s this?
Multiple types of “behaviour”:
- implementation-defined behaviour: documented implementation choice (e.g. signedness of char)
- unspecified behaviour: more than one possibility (e.g. evaluation of function arguments)
- undefined behaviour: everything goes, input program is considered erroneous (e.g. use-after-free)
The “evil compiler (writers)”
- the compiler looks for undefined behavior to subsequently break your code
- all in the name of faster benchmarks
- don’t care about normal users, just numbers

This is (usually) not how things work:
- compilers never look for undefined behavior
- optimizations work under the assumption there is no undefined behavior
- we’ll see some examples

What does this snippet usually print? (optimized)

    int a, b;
    if (a) {
        a = 3;
    } else {
        b = 4;
    }
    printf("%i\n", a + b);

Options: 3 / 4 / 5 / 7
Uninitialized in safe Rust
- Impossible in safe Rust
- compiler forbids usage of possibly uninitialized variables

Uninitialized in unsafe Rust

    use std::mem::MaybeUninit;

    fn main() {
        let mut a = MaybeUninit::<i32>::uninit();
        let mut b = MaybeUninit::<i32>::uninit();

        if std::env::var("A").is_ok() {
            unsafe { a.as_mut_ptr().write(3) };
        } else {
            unsafe { b.as_mut_ptr().write(4) };
        }

        // whichever branch ran, one of a and b is still uninitialized here,
        // so calling assume_init() on it is undefined behaviour
        println!(
            "{}",
            unsafe { a.assume_init() + b.assume_init() }
        );
    }

Section 3: Arithmetic

What does this snippet usually print when size is INT_MAX? (Optimized with -O3)

    int size = ...;
    if (size > size+1){
        puts("Aborted");
        abort();
    }
    puts("Fetching memory");
    malloc(size+1);

Options: Nothing / "Aborted" / "Fetching memory" / size
Signed integer overflow (C)
- unsigned integer overflow is well-defined: UINT_MAX + 1 == 0
- signed integer overflow is not: INT_MAX + 1 == /* undef */
- rumours aside, INT_MAX + 1 is not INT_MIN
- check equality against INT_MAX instead

    int size = ...;
    if (size > size+1){
        puts("Aborted");
        abort();
    }
    puts("Fetching memory");
    malloc(size+1);

- only defined behavior is considered
- size > size + 1 is always false
- optimization removes the branch

Signed integer overflow (Rust)
- same behaviour for all integer types, signed and unsigned
- debug: panic on overflow
- release: wrap around on overflow
- individual methods for specific requirements: checked_add(), saturating_add(), wrapping_add(), overflowing_add()

What does this snippet usually print? (Unoptimized, on an x86 system)

    uint32_t shifty = 1;
    shifty = shifty << 32;
    printf("%"PRIu32"\n", shifty);

Options: 0 / 1 / 42 / neither

Oversized shift amounts (C)
- C standard: “If the value of the right operand is negative or is greater than or equal to the width of the promoted left operand, the behavior is undefined.”
- set variables to zero instead
- easily checked when type width is known
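As an added example (not from the slides), here is what Rust's explicit integer methods return for the two C questions above, INT_MAX + 1 and 1 << 32 on a 32-bit value. The method names are Rust's real standard-library API on the primitive integer types; the wrapper functions size_plus_one, checked_size_plus_one and shift_by are names chosen for this illustration.

```rust
// Added example: Rust's explicit overflow and shift methods applied to the
// C questions above. Every method called here is real std API.

/// The C "size + 1" question with size == i32::MAX, answered four ways.
/// Returns (checked, wrapping, saturating, overflowing).
pub fn size_plus_one(size: i32) -> (Option<i32>, i32, i32, (i32, bool)) {
    (
        size.checked_add(1),     // None on overflow: right choice for length/allocation math
        size.wrapping_add(1),    // two's-complement wrap, like release-mode `+`
        size.saturating_add(1),  // clamps at i32::MAX
        size.overflowing_add(1), // wrapped value plus an overflow flag
    )
}

/// The C guard `if (size > size + 1) abort();` rewritten so it is well-defined:
/// refuse the increment when it cannot be represented, instead of relying on
/// a comparison that the C optimizer is entitled to treat as always false.
pub fn checked_size_plus_one(size: i32) -> Result<i32, &'static str> {
    size.checked_add(1).ok_or("size + 1 would overflow; aborting")
}

/// The C "1 << 32" question on a u32, answered three ways.
/// Returns (checked, wrapping, overflowing).
pub fn shift_by(value: u32, amount: u32) -> (Option<u32>, u32, (u32, bool)) {
    (
        value.checked_shl(amount),     // None when amount >= 32
        value.wrapping_shl(amount),    // masks amount to the bit width: 32 & 31 == 0, so 1 << 0
        value.overflowing_shl(amount), // masked result plus a flag that the mask was applied
    )
}

fn main() {
    println!("{:?}", size_plus_one(i32::MAX));         // (None, -2147483648, 2147483647, (-2147483648, true))
    println!("{:?}", checked_size_plus_one(i32::MAX)); // Err("size + 1 would overflow; aborting")
    println!("{:?}", shift_by(1, 32));                 // (None, 1, (1, true))
}
```

The plain `+` and `<<` operators are deliberately not used on the overflowing inputs: in a debug build they panic, in a release build they give the wrapping/masked results shown, and in neither case is the program's meaning left to the optimizer.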
Oversized shift amounts (Rust)
- debug: panic on oversized shift amount
- release: mask right operand to bit width
- individual methods for specific requirements: checked_shl(), wrapping_shl(), overflowing_shl()

Section 4: Conversions

What does this snippet usually print? (Optimized, clang or gcc)

    signed int s = -1;
    unsigned int u = 1;
    if (s < u)
        puts("True");
    else
        puts("False");

Options: "True" / Nothing / "False" / "Trlse"

What does this snippet print?

    unsigned int u = 1;
    signed int s1 = -2;
    signed int s2 = u + s1;
    printf("%i\n", s2);

Options: -1 / 0 / 4294967295 / 1

Usual arithmetic conversions
Applied for certain operations:
- multiplicative (*, /, %)
- additive (+, -)
- relational (<, >, <=, >=)
- equality (==, !=)
- bitwise (&, |, ^)
- conditional (a ? b : c, only to the second and third operand)
Usual arithmetic conversions - Example

    unsigned int a = 1;
    signed int b = -1, c = a + b;
    if (a > b) printf("True\n");

- a and b have the same rank
- for both + and >, b is converted to unsigned int
- Effect:
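As an added example (not from the slides), the conversion questions above redone in Rust, where `u32 + i32` and `u32 > i32` do not compile, so the conversion C performs implicitly has to be written out with `as` or `From`. The function names c_style, widened and add_signed_checked are chosen for this illustration; the integer methods are Rust's real std API.

```rust
// Added example: the C "usual arithmetic conversions" cases made explicit in Rust.

/// Mirrors the C snippets: `unsigned a; int b;` with b converted to unsigned
/// before `+` and `>`, exactly as C's usual arithmetic conversions do.
/// Returns (b as unsigned, a + b in unsigned, a > b in unsigned,
///          the unsigned sum reinterpreted as int, as C's `signed int s2 = u + s1` does).
pub fn c_style(a: u32, b: i32) -> (u32, u32, bool, i32) {
    let b_unsigned = b as u32;            // -1 becomes u32::MAX (two's-complement reinterpretation)
    let sum = a.wrapping_add(b_unsigned); // unsigned wrap-around is well-defined in both languages
    (b_unsigned, sum, a > b_unsigned, sum as i32)
}

/// What a reader of the C snippet probably expects: compare and add as
/// mathematical integers. Widening both operands to i64 is lossless for
/// u32 and i32, so no value is reinterpreted.
pub fn widened(a: u32, b: i32) -> (i64, bool) {
    let (a, b) = (i64::from(a), i64::from(b));
    (a + b, a > b)
}

/// A checked alternative that stays in 32 bits: add a signed offset to an
/// unsigned value and report None instead of wrapping when the result is
/// outside the u32 range.
pub fn add_signed_checked(a: u32, b: i32) -> Option<u32> {
    if b >= 0 {
        a.checked_add(b as u32)
    } else {
        a.checked_sub(b.unsigned_abs())
    }
}

fn main() {
    // the slide's `a = 1, b = -1` and `u = 1, s1 = -2` cases
    println!("{:?}", c_style(1, -1)); // (4294967295, 0, false, 0)
    println!("{:?}", c_style(1, -2)); // (4294967294, 4294967295, false, -1)
    println!("{:?}", widened(1, -1)); // (0, true)
    println!("{:?}", add_signed_checked(1, -2)); // None
}
```

c_style reproduces the C results by doing the conversion C does silently; widened and add_signed_checked are the two ways a Rust program would normally be written instead, and the compile error on the mixed-type expression is what forces that choice to be made visibly.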
