Characterizing Unsafe Code Encapsulation In Real-world Rust Systems (2406.07936v1)

Abstract: Interior unsafe is an essential design paradigm advocated by the Rust community in system software development. However, there is little official guidance or few best practices regarding how to encapsulate unsafe code and achieve interior unsafe. The problem is critical because the Rust compiler is incapable of verifying the soundness of a safe function containing unsafe code. Falsely declaring an interior unsafe function as safe may undermine the fundamental memory-safety guarantee of Rust. To address this issue, this paper studies how interior unsafe is achieved in practice, aiming to identify best practices to guide Rust code design concerning unsafe code encapsulation. Specifically, we propose a novel unsafety isolation graph to model the essential usage and encapsulation of unsafe code. Based on the graph, we further propose four major isolation types and nine structural patterns to split a graph into several small self-contained subgraphs. These subgraphs can serve as useful audit units for examining the soundness of unsafe code encapsulation. We applied our approach to four real-world Rust projects. The experimental results demonstrate that our method is effective in characterizing their encapsulation code. Additionally, we identified two common issues in these projects that could complicate soundness verification or incur unsoundness issues.