A Study of Undefined Behavior Across Foreign Function Boundaries in Rust Libraries

17 April 2024
  • Abstract
    The Rust programming language restricts aliasing and mutability to provide static safety guarantees, which developers rely on to write secure and efficient applications. However, Rust is frequently used to interoperate with other languages whose restrictions are far weaker. These languages support cyclic and self-referential design patterns that conflict with Rust's current model of operational semantics, which can be a significant source of undefined behavior that no existing tool can detect. We created MiriLLI, a tool that uses the existing Rust and LLVM interpreters to jointly execute multi-language Rust applications. We used our tool in a large-scale study of Rust libraries that call foreign functions and found 45 instances of undefined or undesirable behavior. These include four bugs in four libraries averaging more than 10,000 daily downloads, one in a component of the GNU Compiler Collection (GCC), and one in a library maintained by the Rust Project. Most of these bugs were caused by incompatible aliasing and initialization patterns, incorrect foreign function bindings, and invalid type conversions. Most aliasing violations were caused by unsound operations in Rust, but they occurred in foreign code. The Rust community must invest in developing new tools for validating multi-language programs so that developers can easily detect and fix these bugs.
  • Problem addressed
    MiriLLI: Validating Multi-Language Rust Applications by Jointly Executing Rust and LLVM Interpreters
  • Key idea
    The paper proposes a tool called MiriLLI that uses existing Rust and LLVM interpreters to jointly execute multi-language Rust applications and detect undefined behavior caused by incompatible aliasing and initialization patterns, incorrect foreign function bindings, and invalid type conversion.
  • Other highlights
    The tool was used in a large-scale study of Rust libraries that call foreign functions, and 45 instances of undefined or undesirable behavior were found, including bugs in libraries with more than 10,000 daily downloads on average, in a component of the GNU Compiler Collection (GCC), and in a library maintained by the Rust Project. The majority of aliasing violations were caused by unsound operations in Rust, but they occurred in foreign code. The paper argues that the Rust community should invest in new tools for validating multi-language programs.
  • Related work
    There are no specific mentions of related work in the abstract.
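The three bug classes named above (aliasing, initialization, type conversion) can be modeled without a C toolchain by writing the "foreign" side as Rust functions with the C ABI. The block below is an added illustration, not code from the paper or from any of the libraries it studied; the functions `foreign_bump`, `foreign_fill` and `foreign_status` are constructed stand-ins for C routines. The unsound aliasing function compiles and runs natively without complaint, which is exactly why the paper needs a joint interpreter; `cargo +nightly miri test` (with a test that calls it) reports the stale-pointer write.

```rust
// Added example (not from the paper). Each `extern "C" fn` below is a constructed
// stand-in for a C routine so the file builds with plain rustc.
use std::mem::MaybeUninit;
use std::os::raw::c_int;

/// Stand-in for C `void bump(uint32_t *p)`: writes through the pointer it is given.
extern "C" fn foreign_bump(p: *mut u32) {
    // SAFETY: the caller guarantees `p` is valid for writes.
    unsafe { *p += 1 }
}

/// Stand-in for C `size_t fill(uint8_t *buf, size_t len)`: initializes `len` bytes
/// and reports how many it wrote.
extern "C" fn foreign_fill(buf: *mut u8, len: usize) -> usize {
    for i in 0..len {
        // SAFETY: the caller guarantees `buf` points to `len` writable bytes.
        unsafe { buf.add(i).write((i as u8).wrapping_mul(7)) }
    }
    len
}

/// Stand-in for a C routine returning a status code; C may return any int here.
extern "C" fn foreign_status(fail: c_int) -> c_int {
    if fail != 0 { 42 } else { 0 }
}

// 1. Aliasing: the unsound operation is in Rust, the bad access happens in foreign code.

/// UNSOUND (kept for contrast; not called by the tests). `p` is derived from `r`, so
/// writing through `r` again invalidates `p` under Stacked Borrows, and the second
/// foreign write is undefined behavior even though it returns 3 natively.
pub fn aliasing_unsound() -> u32 {
    let mut x = 0u32;
    let r = &mut x;
    let p: *mut u32 = &mut *r;
    foreign_bump(p);
    *r += 1;
    foreign_bump(p);
    x
}

/// Sound: once the raw pointer is handed out, Rust never touches `x` through a
/// reference until the foreign side is done; every access goes through `p`.
pub fn aliasing_sound() -> u32 {
    let mut x = 0u32;
    let p: *mut u32 = &mut x;
    foreign_bump(p);
    // SAFETY: `p` is the only live access path to `x` right now.
    unsafe { *p += 1 }
    foreign_bump(p);
    x
}

// 2. Initialization: let the foreign side fill a buffer declared as uninitialized,
// and only ever read the bytes it reports as written.

pub fn fill_sound(n: usize) -> Vec<u8> {
    let mut buf = [MaybeUninit::<u8>::uninit(); 64];
    let n = n.min(buf.len());
    let written = foreign_fill(buf.as_mut_ptr() as *mut u8, n);
    assert!(written <= n, "foreign side overran the buffer it was given");
    // SAFETY: `foreign_fill` initialized exactly `written` leading bytes.
    buf[..written].iter().map(|b| unsafe { b.assume_init_read() }).collect()
}

// 3. Type conversion: `mem::transmute::<c_int, Status>(code)` with a code outside the
// declared variants is immediate UB. Validate at the boundary instead.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
#[repr(i32)]
pub enum Status { Ok = 0, NotFound = 1, Busy = 2 }

pub fn status_checked(fail: c_int) -> Result<Status, c_int> {
    match foreign_status(fail) {
        0 => Ok(Status::Ok),
        1 => Ok(Status::NotFound),
        2 => Ok(Status::Busy),
        other => Err(other), // keep the raw code rather than fabricate a variant
    }
}

fn main() {
    println!("aliasing_sound = {}", aliasing_sound());
    println!("fill_sound(4)  = {:?}", fill_sound(4));
    println!("status(0) = {:?}, status(1) = {:?}", status_checked(0), status_checked(1));
}
```

The aliasing case is the one the paper singles out: the reference-to-raw-pointer conversion and the later `*r += 1` are both on the Rust side, but the instruction that performs the invalid access is the foreign write, so a Rust-only interpreter never sees it.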