►
From YouTube: Christian Poveda - Miri, Undefined Behavior and Foreign Functions — RustFest Global 2020
Description
Do you want to write unsafe Rust but don't know how to check its soundness? Do you suspect that your program has Undefined Behavior but you have no way to test it? Are you looking for a cool Rust-related project to contribute to? Then this talk is for you.
More at https://rustfest.global/session/12-miri,-undefined-behavior-and-foreign-functions/
B
Okay,
thank
you.
So
this
stock
install
is
called
very
undefined
behavior
and
for
rank
functions
so,
but
before
even
we
begin,
let
me
just
introduce
me
at
a
bit
myself,
so
I'm
christian
poeda,
I'm
colombian.
As
you
already
know,
I'm
a
phd
student
at
the
india
software
institute.
Occasionally
I
contribute
to
the
ros
compiler
project
and
also
to
the
mirror
project.
B
So,
first
of
all,
I
want
to
say
what
I
want
to
give
this
like
what
I
think
this
is
important.
Somehow
the
first
thing
is
that
unsave
is
a
controversial
topic
in
our
community,
but
at
the
same
time
is
something
that
we
need
is
something
super
special
that
ross
needs
to
work
and
to
be
able
to
do
the
awesome
stuff.
That
already
does
so.
B
That
helps
you
when
you're
unsafe
code
is
wrong,
because
this
goes
in
the
same
direction
as
the
empowering
philosophy
that
the
risk
community
has
of
being
able
to
use
to
build
reliable
software
and,
at
the
same
time,
having
a
super
friendly
community
with
a
bunch
of
tools
that
help
you
to
build
that.
So
it
was
in
that
direction.
B
This
talk
will
have
like
four
parts.
Basically,
first,
I'm
going
to
show
you
a
bit:
do
a
little
introduction
to
unsafe
and
what's
undefined
behavior
and
how
that
everything
works
in
rust,
then
we're
going
to
talk
about
miri
miri.
Is
this
super
cool
tool
I'm
talking
about
and
then
we're
going
to
talk
a
bit
about
following
functions?
B
B
So,
let's
begin
by
talking
about
unsafe,
rust
and
undefined
behavior
before
even
talking
about
undefined
behavior,
I
think
super
important
to
know
or
to
discuss
why
people
use
unsafe,
unsafe
rust
in
the
first
place.
B
There
are
two
main
reasons.
The
first
one
is
that
some
people
using
safe
because
they
are
very
invested
in
performance.
They
want
their
programs
to
run
super
fast,
so
they
are
ensuring
everyone
that
their
programs
are
running
correctly.
Even
if
that
program,
those
programs
don't
have
any
check
to
to
be
sure
that
they're
running
correctly
and
not
doing
a
lot
of
checks
lets
you
squeeze
a
little
bit
more
of
performance
when
you're
running
when
you're
writing
your
programs-
and
there
is
a
lot
of
controversy
around
this
one.
B
Some
people
say
that
yeah
performance
matters,
but
safety
is
first.
There
are
a
lot
of
trade-offs.
You
can
do
there,
but
the
second
reason
is
a
little
bit
more
less
controversial
in
the
sense
that
many
projects
we
have
invest
need
to
interact
with
other
languages
or
with
your
operating
system
or
with
a
bunch
of
resources
that
haven't
written
it
themselves
in
rust.
B
So
most
likely
you
will
have
to
interact
with
a
c
or
c
plus
library
or
use
a
crate
that
interacts
with
a
c
or
c
plus
plus
library
and
those
languages
doesn't
have
like
the
same
guarantees
that
has
about
safety
and
having
sound
programs
and
so
on.
So
all
those
functions
that
interact
with
c
libraries
are
unsafe,
too.
B
B
B
There
are
some
traits
that
are
marked
as
unsafe
too.
So
if
you
want
to
implement
those
traits
like
send
and
sync
from
the
standard
library
you
have
to
use
in
safe,
if
you
want
to
mutate
the
statics,
because
you're
sure
that
the
program
needs
some
sort
of
mutable
global
global
state,
even
if
some
people
don't
like
it,
you
can
easily
save
to
do
that.
You
can
use
a
unsafe
to
access
fields
of
unions.
Unions
are
like
enumerations,
but
they
don't
have
like
this
consistent
tag
to
distinguish
each
variant.
B
So
it's
like
you
can
literally
join
two
types
of
the
in
a
single
one
and
use
every
value
of
that
type
as
any
of
the
possible
variants
of
the
at
the
same
time.
So
you
need
to
unsafe
to
access
the
fields.
B
B
And,
given
that
the
first
one
is
the
referencing
row
pointers,
I
think
it's
worth
to
discuss
for
pointers
for
a
moment.
B
So
what
are
raw
pointers?
Many
of
you,
if
you
have
already
using
use
rust,
you
know
that
we
have
references,
we
have
ampersand
mute
and
our
prints
are
ampersand
for
mutable
and
immutable
references.
But
those
types
have
like
these:
two
brothers
or
sisters,
siblings.
Whatever
there
are
called
raw
pointers,
we
have
star
const
and
star
moot
story.
Cons
is
an
immutable
draw,
pointer
and
stormwood
is
a
mutable
row
pointer
and
they
exist
because
they
don't
follow
the
same
rules
as
references.
They
don't
have
these
liveness
constraints.
B
B
So,
for
these
reasons
there
is
something
else,
and
you
can
also
like
offset
those
pointers
using
integers.
So
if
you
have
a
pointer
to
a
particular
remember
particular
memory
address,
you
can
add
it
like
an
integer
and
you
size
to
it
and
you
can
offset
it.
So
you
can
read
like
another
part
of
the
memory
and
maybe
you're
not
supposed
to
for
those
two
reasons.
Those
pointers
might
have
a
lot
of
problems
and
might
misbehave.
B
In
several
reasons,
you
can
have
no
pointers
that
are
real
pointers
that
don't
point
doesn't
point
to
anything
really
they
can
be
dangling.
There
are
pointers
that,
let's
say,
are
pointing
to
something
that
doesn't
belong
to
us.
So
if
you
are
inside
a
vector-
and
you
saw
a
pointer
from
inside
the
vector
to
access
something
outside
the
vector-
that's
an
angling
pointer.
B
Also,
if
you
have
a
pointer
that
you
offset
it
a
bit,
but
you
didn't
do
it
correctly.
So,
for
example,
you
have
a
pointer
between,
I
don't
know
u64s
and
you
just
moved.
I
don't
know
16
bits.
Instead,
instead
of
64
sweets,
you
will
be.
You
will
end
up
reading
like
in
between
values,
that's
an
unaligned,
pointer
and
okay.
So
those
are
all
pointers.
You
can
do
like
a
lot
of
nasty
stuff
with
them.
We
are
not
sure
why
that's
wrong
really
right
now
we
will
go
into
that
later.
B
But
let
me
show
you
an
example:
a
super
tiny
example
of
how
to
use
these
raw
pointers
and
how
to
use
and
save
and
so
on.
So
here
in
my
terminal,
I
have
in
my
editor
I
have
this
tiny
crate.
It
has
a
single
struct,
it's
called
byte
array.
This
byte
array
has
a
mutable
row
pointer
to
and
to
an
u8
and
has
a
new
size
that
represents
this
length.
B
You
can
think
of
this
type
like
a
and
a
slice
or
if
you
want
like
a
vector,
but
here
we
only
have
like
two
simple
functions:
we
can
only
read
stuff
from
it.
We
cannot
grow
it
or
make
it
smaller.
We
can
just
read
stuff
from
it
and
usually
what
happens
in
the
rust
ecosystem
is
that
you
have
like
these
two.
B
Then
it
adds
the
index
to
it
and
cast
that
integer
back
to
a
pointer,
so
we
are
offsetting
the
pointer
by
adding
index
to
it,
and
then
we
reference
it
actually
all
of
this
code.
All
these
all
these
three
lines
are
not
required
to
be
done
inside
an
unsaved
function.
The
only
thing
that
isn't
safe
is
reading
from
the
pointer
calling
the
reference
star
operator
over
it.
So
you
can
use
your
pointer.
B
They
might
just
do
something
like
this.
They
just
import
our
library
use.
This
byte
array
type
call
a
function
that
I
didn't
show
because
it's
not
programmed
for
the
purposes
of
the
stock
that
is
called
zeros
that
just
create
an
array
full
of
zeros
and
they
might
need
to
use
unsafe
because
they
need
to
go
super
fast
with
this
thing,
so
they
are
just
going
to
use
getting
checked
and
zero,
and
if
we
run
this,
it
returns
zero,
so
it
works
as
is
as
intended.
B
B
So
yep,
that's
the
demo
and
the
big
question
now
is
well
actually
what
can
go
wrong
when
you,
when
you
use
unsafe-
and
you
might
have
heard
answers
like?
Oh,
if
you
doesn't
save
wrong,
then
you're
causing
undefined
behavior
or
undefined
behavior
is
so
bad.
Anything
can
happen
when
you're
dealing
with
undefined
behavior.
So,
let's
discuss
a
bit
undefined
behavior.
B
Let's
say
the
ros
compiler
was
written
under
same
10
assumptions
about
how
programs
work
about
the
programs
we
write.
We
write
programs
that
need
to
meet
certain
conditions,
so
the
compiler
can
actually
compile
them
into
what
we
want.
If
we
break
any
of
these
rules,
we
say
we're
calling
undefined
behavior.
As
stefan
said,
this
is
a
way
of
saying
like
if
there
is
something
that
is
not
actually
specified
by
the
compiler
in
a
clear
way.
B
If
the
compiler
is
trusting
that
to
happen,
and
if
you
break
that
that
rule
then
you're
causing
undefined
behavior,
there
is
something
super
important
is
that
undefined
behavior
is
different
in
each
language.
So
c
has
a
lot
of
rules
for
undefined
behavior
and
those
rules
are
not
the
same
for
us.
For
example,
what
stefan
told
you
about
adding
an
integer
and
going
let's
say
going
out
of
bounds
in
the
interior
like
adding
too
much
to
an
interior
because
it
can
fit
a
number
stupid?
B
Then
that's
not
undefined
behavior
in
rust,
but
that's
undefined
behavior
in
c,
because
both
compilers
were
built
with
different
guarantees
in
mind
and
actually
the
list
of
things
that
rust
considers
important
rules
when
we're
dealing
with
undefined
behavior
is
a
little
bit
tricky.
So
I'm
just
going
to
mention
some
of
them.
Your
program
might
have
undefined
behavior
if
you
are
dereferencing
a
pointer
that
is
dangling
or
unaligned.
B
Also,
if
you
try
to
produce
or
if
you
manage
to
produce
a
value
that
is
incorrect
for
their
type.
So,
for
example,
booleans
when
you
look
at
the
actual
memory,
let's
say:
booleans
are
represented
by
bytes.
They
take
one
byte
exactly
so
you
have
r1
or
a
zero.
B
But
abide
has
like
eight
bits,
so
you
have
a
lot
of
values
that
you
could
use.
So
one
is
true.
Zero
is
false,
but
for
example,
if
you
take
a
three
and
you
try
to
put
that
into
a
boolean
doing,
that
is
undefined
behavior,
because
three
is
not
specified
as
a
boolean.
The
compiler
doesn't
know.
What
should
it
do?
B
What
you
do
if
this
is,
if
it
sees
a
tree
instead
of
a
one
or
a
zero
causing
data
races,
is
also
undefined
behavior
and,
as
I
said
before,
there
are
a
lot
of
subtle
rules
that
must
be
taken
into
account
here.
B
Basically
work.
Basically,
rust
cannot
work
correctly.
We
lose
this
guarantee
that
has
that
of
producing
programs
that
do
what
we
want
them
to
do.
They
ca
rus
can
no
longer
compile
a
program
correctly.
So
what
this
means
is
that
in
the
best
case,
your
program
might
not
run.
B
B
We
don't
even
know
anymore,
so
there
are
good
news
for
us
for
us
developers,
people
in
the
rush
community
if
we
are
using
safe
rust,
if
we
promise
to
never
never
never
using
safe,
we
don't
have
to
worry
worry
about
undefined
behavior,
because
undefined
behavior
shouldn't
happen
in
safe
rust.
B
Also,
if
you
are
using
unsafe-
and
you
are
super
sure-
you're
not
causing
undefined
behavior,
you
might
actually
get
any
performance
benefits
or
you
can
interact
with
c
libraries
and
so
on
correctly,
if
you
don't
cause
undefined
behavior,
that's
also
good.
B
There
are
also
not
so
good
news
and
is
that
unsafe
is
a
super
important
part
of
our
ecosystem,
even
if
we
are
not
causing
undefined
behavior
ourselves.
Someone
else
in
one
of
our
dependencies
might
be
might
be
doing
it
here.
I
have
like
some
super
interesting
statistics
about
this
twenty
percent.
Twenty
percent
of
all
the
crates
that
are
in
crates
I
uses,
uses
using
save
directly
and
seventy
four
twenty.
Seventy
four
sorry
and
of
those
20
crates,
all
those
crates.
B
B
So
I
also
have
a
good
news,
actually
the
best
news
and
is
that
there
is
a
tool
that
you
can
use
to
detect
undefined
behavior
in
your
programs
and
the
spoiler
is
in
the
title
of
this
stock
is
called
bearing.
So
let's
talk
about
miri.
B
If
you
want
to
take
a
look
at
the
repository
now
or
maybe
later,
this
is
the
url.
You
can
find
all
the
code
in
github.com,
slash,
roslink
miri,
so
what's
miri.
Actually
miri
is
a
virtual
machine
for
those
programs.
This
means
that
miri
doesn't
compile
your
program.
It
interprets
it
in
the
same
sense
that
the
jvm
interprets
java
code
or
bytecode,
or
that
the
python
interpreter
runs
python
or
that
drove
interpreter
runs,
ruby
and
so
on.
B
Mirror
is
like
that,
but
for
rust,
and
it
has
a
super
cool
feature
that
none
of
the
other
interpreters
has
and
is
that
it
can
detect
almost
all
cases
of
underhind
behavior
while
running
our
code
and
okay.
There
is
also
something
interesting
and
is
that
some
of
the
code
that
is
used
in
miri
is
using
the
engine
that
does
compile
time
function
evaluation.
So
if
you
have
any
const
item
in
your
program,
you
have
a
constant.
You
have
a
cons
function.
B
Part
of
the
mirror
code
is
used
to
run
that
function
or
that
or
to
evaluate
that
constant.
So
it's
pretty
common
to
hear
stuff,
like
oh
yeah
mirror,
is
the
constant
evaluation
for
plus,
but
here
we
will
be
talking
just
as
mary
as
just
the
standalone
tool
outside
the
compiler
that
can
interpret
your
programs
so
how
to
use
miri.
You
need
an
elevator
version
of
the
compiler
to
do
this.
B
So
if
you
have
restock
you
have
to
install
the
nightly
tool
chain,
you
can
do
this
by
running
rooftop
tool
chain
installed
nightly,
and
then
you
can
install
miri
just
as
a
component,
so
it's
the
same
as
installing
clippy
or
fmt
or
whatever
you
just
have
to
do:
browstop,
component.miri
and
then
after
mirroring
installs,
it
has
to
download
some
additional
stuff.
It
takes
a
while
compiling,
but
you
can
run
binaries.
B
You
can
run
your
your
whole
program
if
you
want
with
miri
or
you
can
run
just
your
test
suite
if
you
have
tests
okay,
so
let's
do
a
tiny
demo
with
the
same
code.
I
was
showing
you
before
so
again
we
have
this
super
tiny
use.
User
super
super
tiny
program
that
is
using
an
external
crate.
Let's
say
that
is
using
the
safe
and
maybe
the
person
that
is
writing
this
program
doesn't
know
about
the
guarantees
that
that
trait
has
to
be
sure
that
these
functions
doesn't
don't
cause
undefined
behavior.
B
So
you
might
be
tempted
to
do
something
like
I
don't
know.
Why
can
I
read
the
eleventh
position
of
an
array
with
10
elements
like
who
is
stopping
me?
The
compiler
is
not
complaining,
so
if
I,
if
I
do
cargo
run,
it
works,
it
actually
returns
zero.
That
is
a
perfectly
good
value
because
it
returns
the
same
as
before.
B
So
it's
fine,
but
if
you
run
this
with
miri,
you
will
find
this
super
cool
error
that
says
undefined
behavior
pointer
to
allocation
was
the
references
after
this
allocation
got
freed
and
it
points
to
the
part
of
the
code
in
the
original
trade
that
does
that
causes
this
undefined
behavior
and
is
a
pointer
of
the
reference,
and
you
can
see
more
information
and
so
on.
But
the
important
part
here
is
that
what's
happening
in
the
model
of
execution
of
mirror
is
that
this
function
is
creating
a
pointer
that
is
dangling.
B
You
create
a
you
created,
a
pointer
that
is
outside
the
actual
rainbow
range
of
the
vector.
So
when
the
vector
gets
deleted
because
rust
deleted
it
after
everyone
has
used,
it
has
used
it.
You
still
have
this
dangling
pointer,
pointing
to
nothing
but,
for
example,
if
we
go
back
to
the
perfect
case
where
we
didn't
have
like
any
undefined
behavior,
we
can
just
do
cargo
miri
run
and
mirror
one
complain
and
will
return
the
same
as
your
regular
program.
B
Okay,
so
that's
like
how
we
can
use
miri,
we
can
use
it
to
detect
undefined
behavior
if
our
program
is
causing
undefined
behavior
in
that
descenary.
But
now
I
want
to
show
you.
I
want
to
discuss
a
little
bit
like
how
midi
works
actually
and
to
talk
about
how
miri
works.
We
have
to
dig
a
little
bit
on
how
the
rust
compiler
works.
B
B
So
we
always
start
like
add
source
code
with
our
dot
rs
file
and
end
up
in
a
in
machine
code,
or
you
know
in
a
binary,
a
wasn't
binary
or
a
dynamic
library.
Something
like
that
and
what
happens
in
the
middle
are
like
basically,
four
stages.
The
first
one
is
parsing,
so
ros
reads
the
text
of
your
source
code,
let's
say
and
parses
it
to
produce
an
abstract,
syntax
tree
radius
d.
B
Then
this
isd
is
transformed
and
processed
to
produce
a
high
level
intermediate
representation
or
h.
I
r
in
this
stage,
is
where
most
of
the
type
inference
process
happens.
So
a
lot
of
types
are
inferred
here.
In
this
stage,
then
this
hir
is
lowered
to
another
representation,
intermediate
representation,
but
this
is
a
middle,
a
mid-level
intermediate
representation
mir,
and
here
is
where
the
borrow
checking
happens.
Most
of
it
in
the
mir
also
is
when
the
compiler
does
some
optimizations
about
your
code
and
after
that
we
start
interacting
with
llvm.
B
That
is
a
backend
for
compilers
that
resist,
and
these
this
llvm
project
also
has
their
own
intermediate
representation.
So
we
lower
miri
mir
to
mir
to
the
other
vm
intermediate
representation
and
lldm
dots,
a
lot
of
optimizations
over
your
code
and
finally,
llvm.
Does
the
code
generation
to
produce
your
binary
file
or
your
library
or
so
on?
B
Melee
works
almost
in
this
way.
The
only
difference
is
that
the
code
generation
stages
don't
run,
so
we
don't
get
to
talk
with
a
little
well
with
llvm.
What
happens
is
that
miri
lets
the
compiler
run
until
you
have
the
mir
of
your
program
and
miri
interprets
that
mir
as
if
it
were
by
code.
B
So
if
java
has
by
code
in
the
jbm
brush,
has
mir
for
the
when
running
miri,
so
that's
why
miri
is
called
mirror
because
he's
some
mir
interpreter
mere
I'm
showing
you
this,
because
here
is
something
super
important
is
that
miri
cannot
interpret
programs
that
aren't
ros
programs.
So
you
have
a
c
library
that
you
run
with
your
ros
program,
where
you
cannot
interpret
that
in
any
way.
B
That
program
doesn't
have
like
the
same
syntax.
The
compiler
doesn't
even
understand
that
program,
so
you
cannot
interpret
that
using
miri
and
there
are
many
limitations.
Actually,
there
are
some
limitations
that
miri
has
smeared
is
not
perfect.
It's
not
a
silver
bullet
for
your
undefined
behavior
problems.
B
B
And
the
other
important
point
is
that
mirror
can
only
attack
undefined
behavior
if
it's
happening.
So,
as
I
show
you
in
the
example,
we
have
a
program
that
might
have
from
behind
behavior.
Is
someone
calls
a
function
with
a
certain
argument,
but
if
that
doesn't
actually
happens,
mary
won't
warn
the
user
about
this
case.
B
B
This
one
is
super
important.
You
might
be
wondering
why
does
this
matter
and
it's
because,
well
you
know
programs
don't
run
in
isolation.
We
tend
to
use
files,
we
can
access
files,
get
resources
over
the
network,
interact
with
databases
create
all
stress,
so
we
need
to
access
the
concurrency
primitives
of
our
operating
system
or
whatever,
and
the
main
the
mechanism
that
rust
uses
to
interact
with
all
those
are
foreign
functions,
and
that's
where
I
this
last
part
is
about
frame
functions.
B
Some
of
us
might
be,
let's
say,
maybe
think
that
we
don't
need
frame
functions
at
all.
Maybe
you
we
have
never
used
external
fan
in
our
project,
so
we
think
no,
that's
fine.
I
I
usually
don't
interact
with
frame
functions,
but
I'm
not
sure
that
anyone,
or
almost
everyone
has
interacted
with
the
standard
library
to
do
any
operation
to
read
files
or
whatever,
and
that
means
that
somehow
you're
using
following
functions,
for
example,
this
is
the
stack
trace
when
you
call
file
open
the
standard
library
function
for
opening
files.
B
There
are
like
six
functions
here,
the
first
three,
the
first
two
are
like
rust
functions.
They
are
in
the
standard
library,
there
are
platform
independents,
so
these
work
in
any
platform
in
windows,
linux,
mac
os.
Whatever,
then
we
have
like
four
functions
that
are
specific
four
units
unix
like
platform,
so
those
only
run
on
linux
and
mac,
os
and
vsd
and
so
on,
and
then
we
have
this
open
64
function
at
the
end,
the
funny
part
about
this
open
64
function
is
that
it's
not
even
a
ros
function.
It's
a
c
function.
B
B
The
good
news
is
that
yes,
miri
can
actually
run
your
program
in
a
particularly
interesting
way
and
yes,
mary
cannot
interpret
your
following
function,
but
it
can
intercept
this
call.
So
when
you're
running
your
program,
if
you
call
open
64,
maybe
we'll
say,
okay,
someone
is
calling
up.64,
that's
a
foreign
function
that
I
don't
know,
that's
not
a
ras
function
and
then
the
merry
contributors
can
write
whatever
code
they
want
to
emulate
that
function.
B
We
call,
though,
that
the
code
that
emulates
a
function,
we
call
it
a
shim
s-h-I-m
and
if
machine
needs
to
interact
with
the
operating
system
or
with
any
of
the
resources
that
the
standard
library
provides,
we
use
the
standard
library
for
that.
So
it's
funny
because
the
standard
library
uses
foreign
functions
but
miri
uses
the
standard
library
to
emulate
some
of
those
following
functions.
B
B
B
and
we're
doing
the
same,
we're
just
printing
something
after
using
save.
If
we
try
to
run
this
with
miri,
we
will
get
an
error,
but
it's
not
because
we're
causing
undefined
behavior.
B
We
have
this
on
support
operation
open
it's
not
available
when
installation
is
enabled.
So
this
is
the
open
64
function
I
was
talking
about
open,
is
not
available
when
installation
is
is
enabled.
Please
pause
the
mirror
disabled
installation
flag
to
disable
this
isolation.
So
if
we
do
that.
B
And
set
the
miriflux
environment
variable
to
merely
disable
insulation.
We
can
actually
run
the
program
and
in
this
particular
case
it
seems
that
the
config
file
is
actually
causing
undefined
behavior.
It
says
memory
access,
failed
pointer
must
be
involved
in
bounce
at
11,
but
it's
outside
of
bounds
for
the
allocation
which
has
size
10..
So
this
seems
to
be
the
same
problem
as
before
that
someone
is
reading
11
11th
position
of
something
with
only
10
elements,
and
if
we
check
our
config
file
yeah,
it's
a
salary
that
is
reading
the
10th
position
or
the
11th.
B
If
you
want
to
think
in
0
in
in
0
base
indexes
and
that's
the
whole
problem,
so
yeah
we
can
use
miri
to
detect
undefined
behavior
either
in
programs
that
use
foreign
functions.
That's
super
cool
and
actually
other
than
handling
files.
Where
you
can
do
a
lot
of
stuff,
you
can
manipulate
directories,
you
can
delete
files,
create
symbolic
links.
You
can
spawn
threads,
you
can
use
logs
anatomics
if
you're
doing
concurrency
somewhere,
you
can
emulate
some
concurrency
stuff.
B
You
can
use
it
to
get
the
current
time,
so
you
can
actually
like
run
clocks
inside
your
mute
program.
Your
last
program
running
miri,
you
can
handle
environment
variables
and
each
of
those
operations
is
possible
because
someone
decided
to
wrote
decided
to
rotation
for
that
specific
foreign
function,
and
this
has
a
super
cool
side
effect.
What
not
so
side
effect.
Some
people
were
actually
targeting
to
get
this
working
and
is
that
the
standard
ros
library
works
in
many
platforms,
you
can
run
it.
B
You
can
use
file
opening,
basically
any
tier
one
tier
zero
platform.
So
this
means
that
you
can
emulate
foreign
functions.
Even
if
you
are
not
in
the
platform,
the
program
is
going
to
be
compiled
on
so,
for
example,
if
you
have
a
program
that
is
supposed
to
run
in
windows,
but
you
don't
have
a
windows
machine,
you
can
use
miri
to
interpret
that
program
as
if
it
were
a
windows
program.
Let
me
show
you.
B
B
We
can
use
the
size
environment
variable
to
set
the
size
of
the
array
we
set
the
index
to
one,
because
we
want
to
run
that
and
we
disable
this
isolation
and
I'm
using
a
linux
machine,
but
I'm
going
to
run
it
for
a
target.
That
is
windows.
I
don't
have
windows
installed
here
and
it
works,
and
if
I
want
to
run
it
in
anything
else,
I
can
do
it.
B
I'm
running
it
on
my
regular
linux
target
and
it's
working.
So
this
is
super
cool
because
maybe
you
can
use
miri
in
one
situation
when
you're
not
sure.
If
this
code
that
you
wrote
specifically
for
windows
is
working
correctly,
maybe
you
can
use
mirror
for
that
too.
Even
if
you're
not
using
save,
you
just
want
to
be
sure
that
your
program
runs
as
intended
and
yeah.
Basically,
that's
like
the
hard
content
of
my
talk
and
I
want
to
spend
like
the
last
few
minutes
talking
about
contributing
to
miri.
B
So
if
anything
of
this
caught
your
attention,
I
encourage
you
to
contribute
to
miri.
For
many
reasons.
My
personal
reasons
is
that
I
always
wanted
to
work
like
in
compilers,
because
I
find
them
super
interesting.
I
really
like
rust
and
I
didn't
know
where
to
start
so
I
found
miri.
I
say
like
oh
yeah,
I
could
implement
like
maybe
some
following
functions
for
opening
files
or
whatever
it
sounds
not
too
hard.
It's
it
was.
B
It
took
a
while,
while
I
understood
some
miri
specific
stuff,
but
it
actually
helped
me
a
lot
to
understand
how
the
compiler
works
and
get
involved
in
a
lot
of
stuff
that
I
wouldn't
be
able
to
do.
Otherwise,
even
then,
if
you
don't
feel
comfortable
yet
contributing
because
I
don't
know
you
can
help
this
project
by
just
using
it.
B
Maybe
you
want
to
use
it
because
you
actually
write
unsafe
and
you
want
to
be
sure
you're
not
causing
undefined
behavior.
Maybe
some
of
your
dependencies
use
unsafe
and
you
want
to
be
sure
that
them
don't
cause
any
undefined
behavior
so
yeah
there
is
that
you
can
save
yourself
for
a
lot
of
others.
Many
many
headaches
debugging,
whereas
undefined
behavior
books
and
maybe
you're,
expecting
that
mary
catches,
something
and
it
isn't
it
doesn't
it
doesn't
or
maybe
their
way
around.
B
You
think
this
program
is
correct
and
mirror
is
complaining.
Maybe
we
can
you
can
open
any
issue
for
that?
You
can
talk
with
someone
from
the
rest
from
the
midi
contributors
to
discuss
it
or
from
the
unsafe
working
group.
Also,
there
is
something
super
important,
and
this
is
not
like
an
obligation
you
have
with
the
community
if
your,
if
your
program
is
runs
really
slow
in
miri.
That's
fine!
B
I
mean
you,
don't
have
to
to
give
us
to
give
everyone
anyone
coverage
for
this,
but
if
you
are
super
interested
in
contributing
to
me
writing
a
shame
is
super.
Is
a
super
easy
way
to
start
or
if
you
want
just
request
it,
because
you
need
it
and
you
don't
have
the
time.
That's
fine,
too,
if
you
want
to
write
it
yourself,
it's
super
cool,
because
what
you
have
to
learn
is
actually
like.
You
have
to
read
your
platform
specification
about
how
that
following
function
works
and
the
stuff
that
you
need
to
learn
about.
B
B
I
just
have
like
I
just
know
some
little
parts
here
and
there
and
I
implemented
a
lot
of
games
because
I
like
them,
even
if
you
don't
need
that,
if
you
don't
need
that
team,
maybe
someone
else
needs
it
and
you
are
not
just
testing
the
undefined
behavior
for
the
standard
library,
you're
testing
on
the
file
you're
helping
everyone
write
better
on
safe
code,
because
a
lot
of
people
use
a
bunch
of
chains
that
the
standard
library
doesn't
use.
B
B
It
will
fail,
but
it
will
fail,
because
this
function
create
file.
W
has
not
been
implemented
yet
so
maybe
one
of
you
want
to
do
it.
That's
super
cool.
There
are
a
bunch
of
stuff
that
haven't
been
implemented
yet,
and
that's
all
so.
Thank
you
for
your
time.
I
hope
you
find
this
interesting
and
I
think
we
can
do
some
questions
now.
If
you
want
where.
C
Are
we
yes,
the
questions
so
where
there
was
the
demo
with
accessing
the
11th
element
in
the
air
raid
airmen
said
about
accessing
allocation?
It
was
free.
B
Yeah,
so
this
is
not
clear
for
me.
Actually,
sometimes
this
program
fails,
because
when
miri
interprets
it,
it
frees
the
memory
for
the
array
before
you
read
the
pointer,
so
it
complains
about
memory
being
freed
or
sometimes
the
pointer.
The
array
is
not
deleted
yet
so
it
hasn't
been
dropped,
so
it
complains
about
it
being
out
of
bound
access,
even
though
the
race
is
still
there.
B
B
B
Yeah
but
for
example,
there
is
this
flacking
nightly
ros
that
lets
you
run
it.
I
don't
remember
the
name
is
it's
something
like
maybe
unleashed
something
you
can
run
like.
Let's
say:
undisrupted,
constant
evaluation,
all
powerful
to
run,
basically
whatever
it
wants
and
most
of
the
times
it
breaks
the
compiler
but
yeah
you
can
actually
run
like
whatever
you
want
using
mirror
inside
the
compiler.
But
that's
like
super
experimental.
B
In
principle,
yes,
but
there
are
a
lot
of
questions
about
like,
for
example,
you
read
a
file
and
then
you
use
that
file
to,
I
don't
know,
create
some
constant
or
you
define
a
type
using
congeneric,
so
that
might
make
your
calculation
unsound,
because
every
time
you
read
the
file,
the
file
might
change
and
then
you
compile
it
or
maybe
you
are
using
random
number
generators
and
you
you
shouldn't,
allow
those
inside
your
computer.
C
You
think
in
the
in
a
very
distant
future,
it
will
be
possible
to
have
miri
included
in
a
binary
to
have
rust
as
a
scripting
language
inside
your
ras
program.
B
C
C
Was
this
the
python
like
thing
like.
B
C
What
happened
with
that
yeah
interesting
another
question
from
the
audience:
would
it
be
possible
to
do
this
kind
of
analysis
on
general
llvm
ir.
B
I'm
tempted
to
say
yes,
yes,
you
could.
The
thing
is
that
you
don't
have
a
lot
of
the
type
information
that
you
have
when
you're
interpreting
the
mir.
So,
for
example,
in
the
yr
you
have
the
lifetimes
for
every
single
value.
You
can
do
a
lot
of
reasoning
around
that.
I
don't
know
if
you
can
do
that
in
little
vmir
directly,
but
in
principle
yeah
you
can
build,
for
example,
and
stack
borrows
model
for
a
little
vm
ir.
If
you
want.
B
C
Cool
is
there
anything
you
would
like
to
show
off
like
a
final
use
case
or
like
having
you
have
like
an
idea
of
like
hey.
If
someone
is
bored,
maybe
give
a
shout.
B
B
B
So
there
are
a
lot
of
really
tiny.
Let's
say
really
contain
problems
that
you
can
solve
here,
for
example,
maybe
doesn't
support
custom
allocators
and
in
the
rash,
in
the
last
version
now
box,
the
heap
pointer
allows
for
a
custom
allocator,
so.
B
C
Wonderful,
so
I
think
we
have
almost
reached
the
end.
I
don't
see
any
more
questions
anymore,
but
it
was
very
well
received
and
great
talk.
Thank
you
again.
Various
thank
you
as
well.
Okay,
thank
you.