[OOPSLA'21] Natalie Popescu(1), Ziyang Xu(1), Sotiris Apostolakis(2), David I. August(1), and Amit Levy(1)
(1) Princeton (2) Google
Rust, out-of-bounds accesses
Rust programmers can opt out of bounds checking by using the unchecked variant get_unchecked() to index a slice for performance. However, it is unclear whether this choice of sacrificing security for performance is actually effective.
This paper studied many popular libraries that use unchecked indexing and found that for 76.4% of their benchmarks, unchecked indexing yields little or even negative performance improvement. This counter-intuitive result may be caused by different compiler optimizations and code layout (affecting how the i-cache performs). Table 2 in the paper summarizes common factors affecting performance.
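To make the trade-off concrete, here is an added example (mine, not code from the paper or the NADER tool) contrasting the three ways a Rust loop can touch slice elements: checked indexing, iterator-based code where the compiler needs no per-element check, and get_unchecked() guarded by the invariant the caller is responsible for. The function names and the sample input are constructed for this illustration.

```rust
/// Bounds-checked indexing: every `data[i]` carries a runtime check, and an
/// out-of-range index panics instead of reading past the allocation.
pub fn sum_checked(data: &[u32], start: usize, len: usize) -> u32 {
    let mut acc = 0u32;
    for i in start..start + len {
        acc = acc.wrapping_add(data[i]);
    }
    acc
}

/// Same computation over a sub-slice iterator. The slicing step is checked
/// once; the loop body needs no per-element check because the iterator
/// cannot step outside the slice, so the optimizer emits none.
pub fn sum_iter(data: &[u32], start: usize, len: usize) -> u32 {
    data[start..start + len].iter().fold(0u32, |acc, &x| acc.wrapping_add(x))
}

/// Unchecked indexing, the pattern the paper studies. `get_unchecked` is only
/// sound if `start + len <= data.len()`; this function re-establishes that
/// invariant up front and refuses the call otherwise, rather than reading
/// out of bounds (undefined behaviour).
pub fn sum_unchecked(data: &[u32], start: usize, len: usize) -> Option<u32> {
    let end = start.checked_add(len)?; // also rejects arithmetic overflow
    if end > data.len() {
        return None;
    }
    let mut acc = 0u32;
    for i in start..end {
        // SAFETY: i < end <= data.len() was established above.
        acc = acc.wrapping_add(unsafe { *data.get_unchecked(i) });
    }
    Some(acc)
}

/// Shows that the checked form turns an out-of-bounds read into a panic,
/// which `catch_unwind` makes observable here.
pub fn checked_oob_panics(data: &[u32], idx: usize) -> bool {
    std::panic::catch_unwind(|| data[idx]).is_err()
}

fn main() {
    let data: Vec<u32> = (1..=16).collect(); // constructed sample input
    println!("checked:   {}", sum_checked(&data, 4, 8));
    println!("iterator:  {}", sum_iter(&data, 4, 8));
    println!("unchecked: {:?}", sum_unchecked(&data, 4, 8));
    println!("refused:   {:?}", sum_unchecked(&data, 12, 8)); // would run past the end
    println!("oob panics: {}", checked_oob_panics(&data, 99));
}
```

Compiling with optimizations and inspecting the generated code for the three functions is the quickest way to see that the iterator form already matches the unchecked one, which is the effect behind the paper's 76.4% figure.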
- The paper reveals an interesting and possibly surprising fact: unchecked indexing for performance purpose may not be justified for many programs.
- The paper is clearly written and easy to read.
- Only handles one type of dereference to array elements (get_unchecked()).
- A new observation about Rust.
Developers' assumptions about programs and the system (compiler, architecture, OS, etc.) may be inaccurate or even incorrect. Specific to this paper: developers cannot always correctly identify the most expensive checks to elide.
The abstract oversells a bit. It says:
..., we present NADER, a Rust development tool that makes applications safer by automatically transforming unsafe code into equivalent safe code according to developer preferences and application context.
Although it mentions "library bounds checks" in the next sentence, the quoted sentence gives readers the impression that the tool handles a lot of unsafe code.