Rust: Systems Programming for Everyone

Rust: Systems Programming for Everyone

• 1.
  Rust: Systems Programming for Everyone FelixKlock (@pnkfelix), Mozilla space : next slide; esc : overview; arrows navigate http://bit.ly/1LQM
• 2.
  InfoQ.com: News &Community Site • 750,000 unique visitors/month • Published in 4 languages (English, Chinese, Japanese and Brazilian Portuguese) • Post content from our QCon conferences • News 15-20 / week • Articles 3-4 / week • Presentations (videos) 12-15 / week • Interviews 2-3 / week • Books 1 / month Watch the video with slide synchronization on InfoQ.com! https://www.infoq.com/presentations/ rust
• 3.
  Purpose of QCon -to empower software development by facilitating the spread of knowledge and innovation Strategy - practitioner-driven conference designed for YOU: influencers of change and innovation in your teams - speakers and topics driving the evolution and innovation - connecting and catalyzing the influencers and innovators Highlights - attended by more than 12,000 delegates since 2007 - held in 9 cities worldwide Presented at QCon London www.qconlondon.com
• 4.
  Why ...?
• 5.
  Why use Rust? Fastcode, low memory footprint Go from bare metal (assembly; C FFI) ... ... to high-level (collections, closures, generic containers) ... with zero cost (no GC, unboxed closures, monomorphization of generics) Safety and Parallelism
• 6.
  Safety and Parallelism Safety Nosegmentation faults No undefined behavior No data races (Multi-paradigm) Parallelism msg passing via channels shared state via Arcand atomics, Mutex, etc use native threads... or scoped threads... or work-stealing...
• 7.
  Why would you(Felix) work on Rust? It's awesome! (Were prior slides really not a sufficient answer?) oh, maybe you meant ...
• 8.
  Why would Mozillasponsor Rust? Hard to prototype research-y browser changes atop C++ code base Rust ⇒Servo, WebRender Want Rust for next-gen infrastructure (services, IoT) "Our mission is to ensure the Internet is a global public resource, open and accessible to all. An Internet that truly puts people first, where individuals can shape their own experience and are empowered, safe and independent." "accessible to all"
• 9.
  Where is Rustnow? 1.0 release was back in May 2015 Rolling release cycle (up to Rust 1.7 as of March 2nd 2016) Open source from the begining https://github.com/rust-lang/rust/ Open model for future change (RFC process) https://github.com/rust-lang/rfcs/ Awesome developer community (~1,000 people in #rust, ~250 people in #rust-internals, ~1,300 unique commiters to rust.git)
• 10.
  Talk plan "Why Rust"Demonstration "Ownership is easy" (... or is it?) Sharing Stuff Sharing capabilities (Language stuff) Sharing work (Parallelism stuff) Sharing code (Open source distribution stuff)
• 11.
  Lightning Demo
• 12.
  Demo: sequential webpage fetch fn sequential_web_fetch() { use hyper::{self, Client}; use std::io::Read; // pulls in `chars` method let sites = &["http://www.eff.org/", "http://rust-lang.org/", "http://imgur.com", "http://mozilla.org"]; for &site in sites { // step through the array... let client = Client::new(); let res = client.get(site).send().unwrap(); assert_eq!(res.status, hyper::Ok); let char_count = res.chars().count(); println!("site: {} chars: {}", site, char_count); } } (lets get rid of the Rust-specific pattern binding in for; this is not a tutorial)
• 13.
  Demo: sequential webpage fetch fn sequential_web_fetch() { use hyper::{self, Client}; use std::io::Read; // pulls in `chars` method let sites = &["http://www.eff.org/", "http://rust-lang.org/", "http://imgur.com", "http://mozilla.org"]; for site_ref in sites { // step through the array... let site = *site_ref; // (separated for expository purposes) { // (and a separate block, again for expository purposes) let client = Client::new(); let res = client.get(site).send().unwrap(); assert_eq!(res.status, hyper::Ok); let char_count = res.chars().count(); println!("site: {} chars: {}", site, char_count); } } }
• 14.
  Demo: concurrent webpage fetch fn concurrent_web_fetch() -> Vec<::std::thread::JoinHandle<()>> { use hyper::{self, Client}; use std::io::Read; // pulls in `chars` method let sites = &["http://www.eff.org/", "http://rust-lang.org/", "http://imgur.com", "http://mozilla.org"]; let mut handles = Vec::new(); for site_ref in sites { let site = *site_ref; let handle = ::std::thread::spawn(move || { // block code put in closure: ~~~~~~~ let client = Client::new(); let res = client.get(site).send().unwrap(); assert_eq!(res.status, hyper::Ok); let char_count = res.chars().count(); println!("site: {} chars: {}", site, char_count); }); handles.push(handle); } return handles; }
• 15.
  Print outs Sequential version: site:http://www.eff.org/ chars: 42425 site: http://rust-lang.org/ chars: 16748 site: http://imgur.com chars: 152384 site: http://mozilla.org chars: 63349 (on every run, when internet, and sites, available) Concurrent version: site: http://imgur.com chars: 152384 site: http://rust-lang.org/ chars: 16748 site: http://mozilla.org chars: 63349 site: http://www.eff.org/ chars: 42425 (on at least one run)
• 16.
  "what is this'soundness' of which you speak?"
• 17.
  Demo: soundness I fnsequential_web_fetch_2() { use hyper::{self, Client}; use std::io::Read; // pulls in `chars` method let sites = &["http://www.eff.org/", "http://rust-lang.org/", // ~~~~~ `sites`, an array (slice) of strings, is stack-local "http://imgur.com", "http://mozilla.org"]; for site_ref in sites { // ~~~~~~~~ `site_ref` is a *reference to* elem of array. let client = Client::new(); let res = client.get(*site_ref).send().unwrap(); // moved deref here ~~~~~~~~~ assert_eq!(res.status, hyper::Ok); let char_count = res.chars().count(); println!("site: {} chars: {}", site_ref, char_count); } }
• 18.
  Demo: soundness II fnconcurrent_web_fetch_2() -> Vec<::std::thread::JoinHandle<()>> { use hyper::{self, Client}; use std::io::Read; // pulls in `chars` method let sites = &["http://www.eff.org/", "http://rust-lang.org/", // ~~~~~ `sites`, an array (slice) of strings, is stack-local "http://imgur.com", "http://mozilla.org"]; let mut handles = Vec::new(); for site_ref in sites { // ~~~~~~~~ `site_ref` still a *reference* into an array let handle = ::std::thread::spawn(move || { let client = Client::new(); let res = client.get(*site_ref).send().unwrap(); // moved deref here ~~~~~~~~~ assert_eq!(res.status, hyper::Ok); let char_count = res.chars().count(); println!("site: {} chars: {}", site_ref, char_count); // Q: will `sites` array still be around when above runs? }); handles.push(handle); } return handles; }
• 19.
  some (white) lies: "Rustis just about ownership"
• 20.
  "Ownership is intuitive"
• 21.
  "Ownership is intuitive" Let'sbuy a car let money: Money = bank.withdraw_cash(); let my_new_car: Car = dealership.buy_car(money); let second_car = dealership.buy_car(money); // <-- cannot reuse money transferred into dealership, and car transferred to us.
• 22.
  "Ownership is intuitive" Let'sbuy a car let money: Money = bank.withdraw_cash(); let my_new_car: Car = dealership.buy_car(money); // let second_car = dealership.buy_car(money); // <-- cannot reuse money transferred into dealership, and car transferred to us. my_new_car.drive_to(home); garage.park(my_new_car); my_new_car.drive_to(...) // now doesn't work (can't drive car without access to it, e.g. taking it out of the garage)
• 23.
  "Ownership is intuitive" Let'sbuy a car let money: Money = bank.withdraw_cash(); let my_new_car: Car = dealership.buy_car(money); // let second_car = dealership.buy_car(money); // <-- cannot reuse money transferred into dealership, and car transferred to us. my_new_car.drive_to(home); garage.park(my_new_car); // my_new_car.drive_to(...) // now doesn't work (can't drive car without access to it, e.g. taking it out of the garage) let my_car = garage.unpark(); my_car.drive_to(work); ...reflection time...
• 24.
  Correction: Ownership isintuitive, except for programmers ... (copying data like integers, and characters, and .mp3's, is "free") ... and anyone else who names things
• 25.
  Über Sinn undBedeutung ("On sense and reference" -- Gottlob Frege, 1892) If ownership were all we had, car-purchase slide seems nonsensical my_new_car.drive_to(home); Does this transfer homeinto the car? Do I lose access to my home, just because I drive to it? We must distinguish an object itself from ways to name that object Above, homecannot be (an owned) Home homemust instead be some kind of reference to a Home
• 26.
  So we willneed references We can solve any problem by introducing an extra level of indirection -- David J. Wheeler
• 27.
  a truth: Ownershipis important
• 28.
  Ownership is important Ownershipenables: which removes: RAII-style destructors a source of memory leaks (or fd leaks, etc) no dangling pointers many resource management bugs no data races many multithreading heisenbugs Do I need to take ownership here, accepting the associated resource management responsibility? Would temporary access suffice? Good developers ask this already! Rust forces function signatures to encode the answers (and they are checked by the compiler)
• 29.
  Sharing Data: Ownership and References
• 30.
  Rust types Move CopyCopy if T:Copy Vec<T>, String, ... i32, char, ... [T; n], (T1,T2,T3), ... struct Car { color: Color, engine: Engine } fn demo_ownership() { let mut used_car: Car = Car { color: Color::Red, engine: Engine::BrokenV8 }; let apartments = ApartmentBuilding::new(); references to data (&mut T, &T): let my_home: &Home; // <-- an "immutable" borrow let christine: &mut Car; // <-- a "mutable" borrow my_home = &apartments[6]; // (read `mut` as "exclusive") let neighbors_home = &apartments[5]; christine = &mut used_car; christine.engine = Engine::VintageV8; }
• 31.
  Why multiple &-referencetypes? Distinguish exclusive access from shared access Enables safe, parallel API's
• 32.
  A Metaphor
• 33.
  (reminder: metaphors never work100%)
• 34.
  let christine =Car::new(); This is "Christine" pristine unborrowed car (apologies to Stephen King)
• 35.
  let read_only_borrow =&christine; single inspector (immutable borrow) (apologies to Randall Munroe)
• 36.
  read_only_borrows[2] = &christine; read_only_borrows[3]= &christine; read_only_borrows[4] = &christine; many inspectors (immutable borrows)
• 37.
  When inspectors arefinished, we are left again with: pristine unborrowed car
• 38.
  let mutable_borrow =&mut christine; // like taking keys ... give_arnie(mutable_borrow); // ... and giving them to someone driven car (mutably borrowed)
• 39.
  Can't mix thetwo in safe code! Otherwise: (data) races!
• 40.
  read_only_borrows[2] = &christine; letmutable_borrow = &mut christine; read_only_borrows[3] = &christine; // ⇒ CHAOS! mixing mutable and immutable is illegal
• 41.
  Ownership T Exclusive access&mut T ("mutable") Shared access &T ("read-only")
• 42.
  Exclusive access
• 43.
  &mut: can Iborrow the car? fn borrow_the_car_1() { let mut christine = Car::new(); { let car_keys = &mut christine; let arnie = invite_friend_over(); arnie.lend(car_keys); } // end of scope for `arnie` and `car_keys` christine.drive_to(work); // I still own the car! } But when her keys are elsewhere, I cannot drive christine! fn borrow_the_car_2() { let mut christine = Car::new(); { let car_keys = &mut christine; let arnie = invite_friend_over(); arnie.lend(car_keys); christine.drive_to(work); // <-- compile error } // end of scope for `arnie` and `car_keys` }
• 44.
  Extending the metaphor Possessingthe keys, Arnie could take the car for a new paint job. fn lend_1(arnie: &Arnie, k: &mut Car) { k.color = arnie.fav_color; } Or lend keys to someone else (reborrowing) before paint job fn lend_2(arnie: &Arnie, k: &mut Car) { arnie.partner.lend(k); k.color = arnie.fav_color; } Owner loses capabilities attached to &mut-borrows only temporarily (*) (*): "Car keys" return guaranteed by Rust; sadly, not by physical world
• 45.
  End of metaphor (onto models)
• 46.
  Pointers, Smart and Otherwise
• 47.
  (More pictures)
• 48.
  Stack allocation let b= B::new(); stack allocation
• 49.
  let b =B::new(); let r1: &B = &b; let r2: &B = &b; stack allocation and immutable borrows (bhas lost write capability)
• 50.
  let mut b= B::new(); let w: &mut B = &mut b; stack allocation and mutable borrows (bhas temporarily lost both read and write capabilities)
• 51.
  Heap allocation: Box<B> leta = Box::new(B::new()); pristine boxed B a(as owner) has both read and write capabilities
• 52.
  Immutably borrowing abox let a = Box::new(B::new()); let r_of_box: &Box<B> = &a; // (not directly a ref of B) let r1: &B = &*a; let r2: &B = &a; // <-- coercion! immutable borrows of heap-allocated B aretains read capabilities (has temporarily lost write)
• 53.
  Mutably borrowing abox let mut a = Box::new(B::new()); let w: &mut B = &mut a; // (again, coercion happening here) mutable borrow of heap-allocated B ahas temporarily lost both read and write capabilities
• 54.
  Heap allocation: Vec<B> letmut a = Vec::new(); for i in 0..n { a.push(B::new()); }
• 55.
  vec, filled tocapacity
• 56.
  Vec Reallocation ... a.push(B::new()); before after
• 58.
  Slices: borrowing partsof an array
• 59.
  Basic Vec<B> let muta = Vec::new(); for i in 0..n { a.push(B::new()); } pristine unborrowed vec (ahas read and write capabilities)
• 60.
  Immutable borrowed slices letmut a = Vec::new(); for i in 0..n { a.push(B::new()); } let r1 = &a[0..3]; let r2 = &a[7..n-4]; mutiple borrowed slices vec (ahas only read capability now; shares it with r1and r2)
• 61.
  Safe overlap between&[..] let mut a = Vec::new(); for i in 0..n { a.push(B::new()); } let r1 = &a[0..7]; let r2 = &a[3..n-4]; overlapping slices
• 62.
  Basic Vec<B>again pristine unborrowedvec (ahas read and write capabilities)
• 63.
  Mutable slice ofwhole vec let w = &mut a[0..n]; mutable slice of vec (ahas no capabilities; wnow has read and write capability)
• 64.
  Mutable disjoint slices let(w1,w2) = a.split_at_mut(n-4); disjoint mutable borrows (w1and w2share read and write capabilities for disjoint portions)
• 65.
  Shared Ownership
• 66.
  Shared Ownership let rc1= Rc::new(B::new()); let rc2 = rc1.clone(); // increments ref-count on heap-alloc'd value shared ownership via ref counting (rc1and rc2each have read access; but neither can statically assume exclusive (mut) access, nor can they provide &mutborrows without assistance.)
• 67.
  Dynamic Exclusivity
• 68.
  RefCell<T>: Dynamic Exclusivity letb = Box::new(RefCell::new(B::new())); let r1: &RefCell<B> = &b; let r2: &RefCell<B> = &b; box of refcell
• 69.
  RefCell<T>: Dynamic Exclusivity letb = Box::new(RefCell::new(B::new())); let r1: &RefCell<B> = &b; let r2: &RefCell<B> = &b; let w = r2.borrow_mut(); // if successful, `w` acts like `&mut B` fallible mutable borrow
• 70.
  // below panicsif `w` still in scope let w2 = b.borrow_mut();
• 71.
  Previous generalizes to sharedownership
• 72.
  Rc<RefCell<T>> let rc1 =Rc::new(RefCell::new(B::new())); let rc2 = rc1.clone(); // increments ref-count on heap-alloc'd value shared ownership of refcell
• 73.
  Rc<RefCell<T>> let rc1 =Rc::new(RefCell::new(B::new())); let rc2 = rc1.clone(); let r1: &RefCell<B> = &rc1; let r2: &RefCell<B> = &rc2; // (or even just `r1`) borrows of refcell can alias
• 74.
  Rc<RefCell<T>> let rc1 =Rc::new(RefCell::new(B::new())); let rc2 = rc1.clone(); let w = rc2.borrow_mut(); there can be only one!
• 75.
  What static guaranteesdoes Rc<RefCell<T>>have? Not much! If you want to port an existing imperative algorithm with all sorts of sharing, you could try using Rc<RefCell<T>>. You then might spend much less time wrestling with Rust's type (+borrow) checker. The point: Rc<RefCell<T>>is nearly an anti-pattern. It limits static reasoning. You should avoid it if you can.
• 76.
  Other kinds ofshared ownership TypedArena<T> Cow<T> Rc<T>vs Arc<T>
• 77.
  Sharing Work: Parallelism / Concurrency
• 78.
  Threading APIs (plural!) std::thread dispatch:OS X-specific "Grand Central Dispatch" crossbeam: Lock-Free Abstractions, Scoped "Must-be" Concurrency rayon: Scoped Fork-join "Maybe" Parallelism (inspired by Cilk) (Only the first comes with Rust out of the box)
• 79.
  std::thread fn concurrent_web_fetch() ->Vec<::std::thread::JoinHandle<()>> { use hyper::{self, Client}; use std::io::Read; // pulls in `chars` method let sites = &["http://www.eff.org/", "http://rust-lang.org/", "http://imgur.com", "http://mozilla.org"]; let mut handles = Vec::new(); for site_ref in sites { let site = *site_ref; let handle = ::std::thread::spawn(move || { // block code put in closure: ~~~~~~~ let client = Client::new(); let res = client.get(site).send().unwrap(); assert_eq!(res.status, hyper::Ok); let char_count = res.chars().count(); println!("site: {} chars: {}", site, char_count); }); handles.push(handle); } return handles; }
• 80.
  dispatch fn concurrent_gcd_fetch() ->Vec<::dispatch::Queue> { use hyper::{self, Client}; use std::io::Read; // pulls in `chars` method use dispatch::{Queue, QueueAttribute}; let sites = &["http://www.eff.org/", "http://rust-lang.org/", "http://imgur.com", "http://mozilla.org"]; let mut queues = Vec::new(); for site_ref in sites { let site = *site_ref; let q = Queue::create("qcon2016", QueueAttribute::Serial); q.async(move || { let client = Client::new(); let res = client.get(site).send().unwrap(); assert_eq!(res.status, hyper::Ok); let char_count = res.chars().count(); println!("site: {} chars: {}", site, char_count); }); queues.push(q); } return queues; }
• 81.
  crossbeam lock-free data structures scopedthreading abstraction upholds Rust's safety (data-race freedom) guarantees
• 82.
  lock-free data structures
• 83.
  crossbeamMPSC benchmark mean ns/msg(2 producers, 1 consumer; msg count 10e6; 1G heap) Rust channel crossbeam MSQ crossbeam SegQueue Scala MSQ Java ConcurrentLinkedQue 108ns 98ns 53ns 461ns 192ns
• 84.
  crossbeamMPMC benchmark mean ns/msg(2 producers, 2 consumers; msg count 10e6; 1G heap) Rust channel (N/A) crossbeam MSQ crossbeam SegQueue Scala MSQ Java ConcurrentLinkedQue 102ns 58ns 239ns 204ns See "Lock-freedom without garbage collection" https://aturon.github.io/blog/2015/08/27/epoch/
• 85.
  scoped threading? std::theaddoes notallow sharing stack-local data fn std_thread_fail() { let array: [u32; 3] = [1, 2, 3]; for i in &array { ::std::thread::spawn(|| { println!("element: {}", i); }); } } error: `array` does not live long enough
• 86.
  crossbeamscoped threading fn crossbeam_demo(){ let array = [1, 2, 3]; ::crossbeam::scope(|scope| { for i in &array { scope.spawn(move || { println!("element: {}", i); }); } }); } ::crossbeam::scopeenforces parent thread joins on all spawned children before returning ensures that it is sound for children to access local references passed into them.
• 87.
  crossbeam scope: "must- beconcurrency" Each scope.spawn(..)invocation fires up a fresh thread (Literally just a wrapper around std::thread)
• 88.
  rayon: "maybe parallelism"
• 89.
  rayondemo 1: mapreduce Sequential fn demo_map_reduce_seq(stores: &[Store], list: Groceries) -> u32 { let total_price = stores.iter() .map(|store| store.compute_price(&list)) .sum(); return total_price; } Parallel (potentially) fn demo_map_reduce_par(stores: &[Store], list: Groceries) -> u32 { let total_price = stores.par_iter() .map(|store| store.compute_price(&list)) .sum(); return total_price; }
• 90.
  Rayon's Rule the decisionof whether or not to use parallel threads is made dynamically, based on whether idle cores are available i.e., solely for offloading work, not for when concurrent operation is necessary for correctness (uses work-stealing under the hood to distribute work among a fixed set of threads)
• 91.
  rayondemo 2: quicksort fnquick_sort<T:PartialOrd+Send>(v: &mut [T]) { if v.len() > 1 { let mid = partition(v); let (lo, hi) = v.split_at_mut(mid); rayon::join(|| quick_sort(lo), || quick_sort(hi)); } } fn partition<T:PartialOrd+Send>(v: &mut [T]) -> usize { // see https://en.wikipedia.org/wiki/ // Quicksort#Lomuto_partition_scheme ... }
• 92.
  rayondemo 3: buggyquicksort fn quick_sort<T:PartialOrd+Send>(v: &mut [T]) { if v.len() > 1 { let mid = partition(v); let (lo, hi) = v.split_at_mut(mid); rayon::join(|| quick_sort(lo), || quick_sort(hi)); } } fn quick_sort<T:PartialOrd+Send>(v: &mut [T]) { if v.len() > 1 { let mid = partition(v); let (lo, hi) = v.split_at_mut(mid); rayon::join(|| quick_sort(lo), || quick_sort(lo)); // ~~ data race! } } (See blog post "Rayon: Data Parallelism in Rust" bit.ly/1IZcku4)
• 93.
  Big Idea 3rd partiesidentify (and provide) new abstractions for concurrency and parallelism unanticipated in std lib.
• 94.
  Soundness and 3rd PartyConcurrency
• 95.
  The Secret Sauce Send Sync lifetimebounds
• 96.
  Send and Sync T:Sendmeans an instance of Tcan be transferred between threads (i.e. move or copied as appropriate) T: Syncmeans two threads can safely share a reference to an instance of T
• 97.
  Examples T: Send: Tcanbe transferred between threads T: Sync: two threads can share refs to a T Stringis Send Vec<T>is Send(if Tis Send) (double-check: why not require T: Syncfor Vec<T>: Send?) Rc<T>is not Send(for any T) but Arc<T>is Send(if Tis Sendand Sync) (to ponder: why require T:Sendfor Arc<T>?) &Tis Sendif T: Sync &mut Tis Sendif T: Send
• 98.
  Send and Syncare only half the story other half is lifetime bounds; come see me if curious
• 99.
  Sharing Code: Cargo
• 100.
  Sharing Code std::threadis providedwith std lib But dispatch, crossbeam, and rayonare 3rd party (not to mention hyperand a host of other crates used in this talk's construction) What is Rust's code distribution story?