On the Comparison of Dynamic and Static Unsafe Objects Identification in Rust Programs
摘要
Rust offers C/C++-level performance while enforcing memory safety through compile-time rules such as ownership and lifetimes. When these rules prove too restrictive, programmers can annotate regions as unsafe, bypassing static checks and re-introducing the risk that erroneous or malicious code corrupts otherwise safe memory. Ensuring runtime isolation therefore hinges on accurately locating every memory object an unsafe block may touch. This paper proposes and prototypes two complementary identification algorithms: (i) a dynamic scheme that tracks pointer provenance at runtime, and (ii) a static scheme that analyzes a value-flow graph built from LLVM IR. We evaluate both techniques on widely used Rust crates, highlighting trade-offs in precision and coverage.