Rust aims to offer full memory safety for programs, a guarantee that untamed C programs do not enjoy. How difficult is it to translate existing C code to Rust? To get a complementary view from that of automatic C to Rust translators, we report on a user study asking humans to translate real-world C programs to Rust. Our participants are able to produce safe Rust translations, whereas state-of-the-art automatic tools are not able to do so. Our analysis highlights that the high-level strategy taken by users departs significantly from those of automatic tools we study. We also find that users often choose zero-cost (static) abstractions for temporal safety, which addresses a predominant component of runtime costs in other full memory safety defenses. User-provided translations showcase a rich landscape of specialized strategies to translate the same C program in different ways to safe Rust, which future automatic translators can consider.
Translation: Rust aims to provide programs with a full memory-safety guarantee, a property that unconstrained C programs lack. How hard is it to translate existing C code to Rust? To obtain a perspective complementary to that of automatic C-to-Rust translation tools, we conducted a user study in which participants translated real-world C programs to Rust. The participants were able to produce safe Rust translations, which current state-of-the-art automatic tools cannot yet achieve. Our analysis shows that the high-level strategies adopted by users differ significantly from those of the automatic tools we studied. We also find that users frequently choose zero-cost (static) abstractions to ensure temporal safety, which addresses the main component of runtime overhead in other full memory-safety defenses. The user-provided translations exhibit a rich variety of specialized strategies for turning the same C program into safe Rust in different ways, offering direction for the design of future automatic translators.
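As an added illustration, not code from the paper or its participants' submissions, of the contrast the abstract draws between zero-cost static abstractions and runtime-checked ones for temporal safety: one C-style pattern, a pointer into a buffer whose validity depends on the buffer staying alive, written in safe Rust both ways. The C signature in the comment and the sample record are constructed for this example.

```rust
// Constructed C original (not from the paper):
//   const char *field(const char *buf, size_t len, size_t start, size_t n);
// The returned pointer aliases `buf` and is only valid while `buf` lives;
// C cannot express or enforce that contract.
use std::cell::RefCell;
use std::rc::Rc;

/// Strategy 1: zero-cost (static) abstraction. The lifetime 'a ties the
/// returned slice to the borrow of `record`, so using it after `record`
/// is dropped is a compile-time error and costs nothing at runtime.
/// Out-of-range or overflowing requests fail closed with `None`.
fn field_static<'a>(record: &'a [u8], start: usize, n: usize) -> Option<&'a [u8]> {
    record.get(start..start.checked_add(n)?)
}

/// Strategy 2: runtime-checked abstraction. `Rc` keeps the buffer alive as
/// long as any field reference exists and `RefCell` checks borrow rules at
/// runtime; safe, but every access pays reference-count and borrow-flag costs.
struct FieldRef {
    buf: Rc<RefCell<Vec<u8>>>,
    start: usize,
    n: usize,
}

impl FieldRef {
    fn new(buf: &Rc<RefCell<Vec<u8>>>, start: usize, n: usize) -> Option<FieldRef> {
        let end = start.checked_add(n)?;
        if end > buf.borrow().len() {
            return None; // bounds checked once, at creation
        }
        Some(FieldRef { buf: Rc::clone(buf), start, n })
    }

    fn bytes(&self) -> Vec<u8> {
        self.buf.borrow()[self.start..self.start + self.n].to_vec()
    }
}

fn main() {
    let record = b"id=42;name=alice".to_vec(); // constructed sample data
    // Static: the slice cannot outlive `record`.
    assert_eq!(field_static(&record, 11, 5), Some(&b"alice"[..]));
    // Runtime: the buffer survives even after the original handle is dropped.
    let shared = Rc::new(RefCell::new(record));
    let f = FieldRef::new(&shared, 11, 5).unwrap();
    drop(shared);
    assert_eq!(f.bytes(), b"alice");
}
```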