Administrivia

• Lab 0: Rustlings is due (DUE: Jan 20 in 1.5 weeks!)
• Perpetration: Rpi 3 + sdcard + reader (for Lab 1)
• TA office hours:
  • Fri at Coda C0915 Atlantic, 10-11 AM, Yechan Bae
  • Tue at Coda C0906 Underwood, 5-6 PM, Sujin Park

Q&A

1. Is Rust suitable beyond OS development?

Will Rust be adopted by the biggest producers of systems software (Microsoft, Apple, Green Hills Software) and/or open-sourced systems software (Linux, FreeBSD)? What are some hurdles?

Q&A (continue)

2. For linear types, why the function x.m() can’t be called twice?? → Lec 3
3. Why is it so desirable to not have garbage collection? Does garbage collection impact OS/system development? → Lec3 (see, prep question!)
4. MANY questions about unsafe → Lec 4

Summary: about operating system

• Views: interface and abstraction
• Typical operating systems are designed to:
  • Abstract the hardware for convenience and portability
  • Multiplex the hardware among multiple applications (or virtualization)
  • Isolate applications to contain bugs
  • Allow sharing among applications

Agenda

• RAII: Resource Acquisition Is Initialization
• Substructure Type System
• Immutability and Mutability
• Ownership and Borrowing
• Safety rule: {shared}+ xor mutable references

Motivating problem: file descriptor

• How to manage systems resources, like file/socket?

Motivating problem: file descriptor

• How to manage systems resources, like file/socket?
• What if we don’t close(fd)?

fd = open("/etc/passwd", O_RDONLY);
read(fd, buf, sizeof(buf));

// what if we forgot to close?
close(fd);

What about in Python?

• How to correctly implement this in Python?

fd = open("/etc/passwd")
fd.read()

with open("/etc/passwd") as fd:
  fd.read()

Implicit reclamation of file resources

• What’s the magic behind the scene?

fd = open("/etc/passwd")
fd.read()
# del fd -> fd.__del__() -> fd.close()

# fd.__enter__()
with open("/etc/passwd") as fd:
  fd.read()
# fd.__exit__()

Idea: using a scoping rule for returning resource

• File is available only for the local scope (e.g., function)

def func():
  fd = open("/etc/passwd") # <- open
  fd.read()
  # <- free

• Explicitly indicate the scope, called context (i.e., with)

with open("/etc/passwd") as fd: # <- open
  fd.read()
# <- free

RAII: Resource Acquisition Is Initialization

• A popular design pattern in C++ (e.g., ofstream, lock_guard)
• Compilers handle hindsight cases like exception by placing destructors

void WriteToFile(const std::string& message) {
  static std::mutex mutex;
  std::lock_guard<std::mutex> lock(mutex);

  std::ofstream file("/etc/passwd");
  if (!file.is_open())
    throw std::runtime_error("unable to open file");
  file << message << std::endl;
}

Ref. Wikipedia: Resource acquisition is initialization

RAII: scoping rules and ownership

• fd owns the file resource during its lifetime (a local, function scope)
• When fd is reclaimed, it reclaims the owned resource together

def func():
  fd = open("/etc/passwd") # <- open: fd owns the file
  fd.read()
  # <- free: reclaims the file

Ref. Ownership Based Resource Management (OBRM)

RAII: scoping rules and lifetime

• In fact, “scoping” doesn’t have to be just a local scope, so called lifetime
• When the allocated ofstream is freed, it reclaims the file back to OS

  std::ofstream *file = new std::ofstream("/etc/passwd");
  ...
  // @different
  //    function
  //    thread
  //    long long time later
  //    or even when the process dies
  //    ...
  delete file;

Hello, Rust!

Rust: Practical Substructure Type System

• Memory ~= Resource: managing memory based on ownership rules
• Augmenting type systems to constrain malloc()/free() interfaces
  • e.g., variable initialization → ownership assignment
  • e.g., going out of scope → freeing associated memory

→ Memory management can be done statically at compilation time!

Ref. Substructural Type Systems (aka, Linear, Affine type systems)

Agenda for this semester (tentative)!

• Rust 1: Thinking of Rust ← started today!
• Rust 2: Ownership and Lifetime
• Rust 3: Unsafety
• Rust 4: Freestanding/Baremetal Rust
• Rust 5: Generics and Traits
• Rust 7: Interior Mutability
• Rust 8: Zero-cost Abstraction
• Rust 9: Concurrency

Immutability and mutability

• Immutable variables by default

let x = 1;
x = 2;

Notes on error (E0384)

This error occurs when an attempt is made to reassign an 
immutable variable. For example:

  fn main() {
      let x = 3;
      x = 5; // error, reassignment of immutable variable
  }

By default, variables in Rust are immutable. To fix this error, 
add the keyword `mut` after the keyword `let` when declaring the 
variable. For example:

  fn main() {
      let mut x = 3;
      x = 5;
  }

Immutability and mutability

• Opt-in mutability (see, the mut keyword following let)

let mut x = 1;

dbg!(x); //=> x = 1

x = 2;

dbg!(x); //=> x = 2

Desugaring a bit

//
//      +--> variable name (or identifier)
//      |
let mut x: i32 = 1;
//  +--    ---   +-> value
//  |      |
//  |      +--> type (32-bit signed integer)
//  +--> noting mutability
//
x = 2;

Variable and type

Value and type

Strongly typed programming language

• x: i32 is initialized with 1: i32 (not valid syntax)
• x: i32 is assigned with 2: i32 (not valid syntax)
• Strongly typed → i32 of a variable and i32 of the value should be matched!

// x stores the value 1 (i32)
let mut x: i32 = 1;

// x is assigned with the value 2 (i32)
x = 2;

Assigning a value to a variable

Ownership

• A variable owns a value: the owner is in charge of reclaiming the memory
  • e.g., x (a variable) owns 1 (a value)

// x owns 1
let mut x: i32 = 1;

// x now owns 2
x = 2;

More interesting example

let mut x = String::from("Hello!");
let y = String::from("World!");

x = y; // typically say, assigning a value of y to x

dbg!(y);

Move semantics

• A value of a variable moves to another variable by an assignment operator (=)

let mut x = String::from("Hello!");
let y = String::from("World!");

// y's value is moved to x and x now owns "World!"
x = y;

// error: y doesn't own any value!
dbg!(y);

Move semantics and alloc()/free()

{
    // x <- alloc("Hello!")
    let mut x = String::from("Hello!");

    // y <- alloc("World!")
    let y = String::from("World!");

    // drop(x): free("Hello!")
    x = y;

    ...
} 
// drop(x): free("World!")

Behind the move operation

• x/y owns a string, which uniquely owns an array of chars
• OBRM: drop() frees the memory that the variable is in charge of

Borrowing via references

• A variable borrows a value (i.e., shared reference) from an owner

let x = String::from("Hello!");
let y = x; // move a value

dbg!(x); // WARNING. not allowed!

let x = String::from("Hello!");
let y = &x; // borrow a value (i.e., move a shared reference) 

dbg!(x);

Borrowing via references

1. Rule 1. there can be many outstanding shared references

let x = String::from("Hello");
let y = &x; // borrow a value for reading
let z = &x; // borrow a value for reading

dbg!(y); //=> "Hello"
dbg!(z); //=> "Hello"
dbg!(x); //=> "Hello"

Borrowing via references

2. Rule 2. there should be only one outstanding mutable reference

let mut x = String::from("Hello");
let y = &mut x; // borrow a value for writing
let z = &mut x; // borrow a value for writing
...

Borrowing via references

3. Rule 3. there should be no shared and mutable reference at the same time

let mut x = String::from("Hello");
let y = &x;     // borrow a value for reading
let z = &mut x; // borrow a value for writing
...

Safety rule: {shared}+ xor mutable references

1. Rule 1. there can be many outstanding shared references
2. Rule 2. There should be only one mutable reference
3. Safety rule: Rule 1 xor Rule 2

Implication 1. aliasing analysis

• Reasoning aliases of a pointer becomes easier → better optimization!

// $ man 3 memcpy
//
// NOTES
//   Failure to observe the requirement that the memory 
//   areas do not overlap has  been  the  source of
//   significant bugs.
//
void *memcpy(void *dst, const void *src, size_t n);

// dst and src can not point to the same value!
fn memcpy<T>(dst: &mut T, src: &T);

Implication 2. data race freedom

• Safety rule helps us avoid potentially problematic situations
• In practice, this rule is too strict → including more idioms that we know safe!

Big ideas in Rust

• OBRM plus {shared}+ ^ mutable references
  • Memory safety
  • Thread safety

→ With modern type system, abstractions, build system, package managers, etc.

How other HLL tackle memory safety?

• No memory abstraction is exposed in languages (pure)
• Automatic memory management at runtime:
  • Using Reference Counting (RC): python, etc
  • Using Garbage Collection (GC): Go, Java, JavaScript, etc

Important features for system languages

• Explicit memory management (i.e., no GC/RC by default)
• Zero-cost abstraction (i.e., no RTTI, pay what you use)
• Supporting FFI without cognitive burden

Notes on safety for OS development

• Memory safety
  • Alas, you have to write lots of unsafe code in early labs
• Thread safety
  • Luckily, don’t have to worry about until we have mutlicore!

→ We will try hard to distinguish what’s safe and unsafe in each labs

Agenda for this semester (tentative)!

• Rust 1: Thinking of Rust
• Rust 2: Ownership and Lifetime
• Rust 3: Unsafety
• Rust 4: Freestanding/Baremetal Rust
• Rust 5: Generics and Traits
• Rust 7: Interior Mutability
• Rust 8: Zero-cost Abstraction
• Rust 9: Concurrency

Next lecture

• Next: Rust 2: Ownership and Lifetime
• Sign-up for Piazza
• Don’t forget to submit “preparation question” (DUE: 10pm)
• “Lab 0: Rustlings” is due in 1.5 weeks (DUE: Jan 20)
• Perpetration: Rpi 3 + sdcard + reader (for Lab 1-5)