<div>
<img src="Pictures/rustacean-flat-happy.svg" width="200">
</div>

# An Introduction to Rust and Lessons Learned from HPE Primera Integration.

By Jonathan Parris and Malachi Thomas

# Agenda
* About Us
* Overview of Rust
    * Performance
    * Ecosystem
    * Language Introduction
* Lessons Learned from Integration into HPE Primera.

---

# About US

* **Jonathan Parris** is a developer based out of Colorado Springs CO working on HPE Primera OS Security. I've been with HPE for 8 Years. 

* **Malachi Thomas** is a developer based out of San Jose, CA working on HPE Primera OS Security. I've been with HPE for 4 Years. 

---

# What is Rust?

* Systems programming language
* Originally created by Graydon Hoare at Mozilla Research in 2010
    - Now mostly a community project, main developers still employed by Mozilla
    - The Rust Core Team recently created a foundation to ensure an independent future
* Emphasis on zero-cost abstractions to ensure memory safety
* Ownership system causes many memory issues to become compile-time errors
    - This includes multithreaded applications!
* Highly expressive type system

---

# Why did we choose Rust?
* The primary deciding factor in choosing Rust was due to its reliability and security.
* Rust’s rich type system and ownership model guarantee memory-safety and thread-safety — and enable you to eliminate many classes of bugs at compile-time. 
* Mozilla [found](https://hacks.mozilla.org/2019/02/rewriting-a-browser-component-in-rust/) during the rewrite of their CSS engine that 74% of security issues would have been prevented by Rust had been used from the beginning. This was after two previous attempts to overhaul their CSS engine in C++ failed due to similar numbers of errors as the current engine.
* Microsoft has found that [roughly 70%](https://msrc-blog.microsoft.com/2019/07/22/why-rust-for-safe-systems-programming/) of CVEs they filed would have been eliminated by Rust.
* The Chromium project also found that [roughly 70%](https://www.chromium.org/Home/chromium-security/memory-safety) of their security issues are memory-safety related and would have been eliminated by Rust.

---

# Rust's Performance
* Rust is fast and memory-efficient: with no runtime or garbage collector, it can power performance-critical services, run on embedded devices, and easily integrate with other languages. 
* According to the Debian benchmarking game, Rust is comparable to [C](https://benchmarksgame-team.pages.debian.net/benchmarksgame/fastest/rust.html) / [C++](https://benchmarksgame-team.pages.debian.net/benchmarksgame/fastest/rust-gpp.html)  and an order of magnitude faster than [Go](https://benchmarksgame-team.pages.debian.net/benchmarksgame/fastest/rust-go.html).
* The Amazon [Firecracker](https://firecracker-microvm.github.io/) project uses Rust to implement a Virtual Machine Manager that enables a micro-VM to start in 125ms and run with less than 5 MB of overhead.

---

# Rust's Ecosystem
## [Cargo](https://doc.rust-lang.org/cargo/)
* Build system & Dependency Manager.
* [crates.io](https://crates.io) - 47k open source libraries.
* [docs.rs](https://docs.rs) – Hosted documentation, Cargo can produce formatted documentation from comments in code.

# [Clippy](https://github.com/rust-lang/rust-clippy)
* Linter which catch common mistakes.
* Currently 421 individual lints.

## [Fmt](https://github.com/rust-lang/rustfmt) 
* Ensures consistent formatting.

---

<div>
<img src="Pictures/cuddlyferris.svg" width="200">
</div>

# Language Overview

---
## Primitives
* `bool`
* `char`
* signed integers: `i8`, `i16`, `i32`, `i64`, `i128` and `isize`
* unsigned integers: `u8`, `u16`, `u32`, `u64`, `u128` and `usize`
* floating point: `f32`, `f64`
* unit type `()`, which can only be an empty tuple 

---
## `let`'s do some declarations
* The keyword `let` is used to define variables.
* `let <variable name> = <value>;`
    - e.g. `let meaning_of_life = 41;`
* Variables can be type annotated using `<variable name>: <type>`
    - Our previous example can be rewritten `let meaning_of_life: usize = 41;`
    - Rust can often infer or use the a default type
    - Rust is *statically* typed

In [None]:
let meaning_of_life = 41;
meaning_of_life += 1;
println!("Answer to the Ultimate Question of Life, the Universe, and Everything is {}.", meaning_of_life);

---
# Immutability and Mutability
* All variable bindings are immutable by default 
* The `mut` keyword is used make a variable mutable 
* Immutability is stronger than C's `const`, we can't `void *` it away

In [None]:
let mut  meaning_of_life = 41;
meaning_of_life += 1;
println!("Answer to the Ultimate Question of Life, the Universe, and Everything is {}.", meaning_of_life);

---
# Control Flow

## `if`/`else`
* Bog standard with a few twists

In [None]:
let mut foo = String::new();
let n = 10;

if n < 0 {
    foo = format!("{} is negative", n);
} else if n > 0 {
    foo = format!("{} is positive", n);
} else {
    foo = format!("{} is zero", n);
}
println!("{}", foo);

* Each branch is an expression that has a return
* All branches must return the same type
* This means we can assign the result of a `if`/`else`

In [None]:
let n = -10;
let foo = if n < 0 {
    format!("{} is negative", n)
} else if n > 0 {
    format!("{} is positive", n)
} else {
    format!("{} is zero", n)
};
println!("{}", foo);

## `match`
* similar to C's `switch`
* **all possible patterns must be covered**
* are the bee's knees

In [None]:
let boolean = true;
let binary = match boolean {
    true => 1,
};

## other pattern
* Multiple values can be matched with `|`.
    - `2 | 3 | 5 | 7 | 11 => println!("This is a prime"),`
* Ranges can be used
    - `13..20 => println!("A teen"),`
* `_` matches all patterns.
    - `_ => println!("Ain't special"),`

In [None]:
let number = 13;
match number {
    1 => println!("One!"),
    2 | 3 | 5 | 7 | 11 => println!("This is a prime"),
    13..=19 => println!("A teen"),
    _ => println!("Ain't special"),
};

## `loop`
* `loop` is used to create an infinite loop.
* `break` is used to break out of the loop.
* `continue` is used to skip the rest of the loop.

In [None]:
let mut count = 0u32;
loop {
    count += 1;
    if count == 3 {
        println!("three");
        continue;
    }
    println!("{}", count);
     if count == 5 {
        println!("OK, that's enough");
        break;
    }
};

## `while`
* continues to loop while the condition is true

In [None]:
let mut n = 1;
while n < 16 {
    if n % 15 == 0 {
        println!("fizzbuzz");
    } else if n % 3 == 0 {
        println!("fizz");
    } else if n % 5 == 0 {
        println!("buzz");
    } else {
        println!("{}", n);
    }
    n += 1;
};

## `for` and `range`
* `for` allows us to go through an `Iterator`.
* `range` is a notation, `a..b`, to create a `Iterator` for a given range of numbers. 
* We can simplify the previous example.

In [None]:
for n in 1..16 {
    if n % 15 == 0 {
        println!("fizzbuzz");
    } else if n % 3 == 0 {
        println!("fizz");
    } else if n % 5 == 0 {
        println!("buzz");
    } else {
        println!("{}", n);
    }
};

---
# Arrays
* An Array is a collection of objects of the same type and are stored in contiguous memory.
* This means that their size must be known at compile time.
 `let <var>: [<type>; size] = [];`
* They can be indexed like C arrays
 
# Slices
* Are used to borrow a slice of the array
* Uses the range syntax

In [None]:
let array: [i32; 5] = [0, 1, 2, 3, 4];

println!("Indexing directly {}", array[4]);

for x in &array[0..3] {
	println!("x is {}", x);
};

---
# Tuples
* A tuple is a collection of values with different type.
    * Defined using `()` e.g., `("Meaning of life", 42)`
* Often used to return multiple types from a function.

In [None]:
let t = ("Meaning of life", 42);
println!("{} is {}", t.0, t.1);

Tuples can be deconstructed  using let e.g., `let (var1, var2) = tuple`

In [None]:
let t = ("Meaning of life", 42);
let (question, answer) = t;
println!("{} is {}", question, answer);

---
# Functions
* Functions are declared using `fn` e.g., `fn meaning_of_life()`

In [None]:
fn meaning_of_life () {
    println!("42");
}
meaning_of_life();

## Parameters
* Parameter are declared with `<name>: <type>` and delimited with a commas

In [None]:
fn meaning_of_life (meaning: u32) {
    println!("{}", meaning);
}
meaning_of_life(42);

## Returns are declared at the end of the using `->` syntax. 
* `-> <type>`.
    * e.g., `fn meaning_of_life() -> i32`
* `-> (<type1>, <type2>)`.     
    * e.g., `fn i_return_a_tuple() -> (i32, f64, usize)`
* `-> ()` this function does not return anything and can be omitted.
    * `fn i_dont_return_anything()` and `fn i_dont_return_anything() -> ()` are equivalent.
* `!` this function does not return, e.g. a program exiting or the OS shutting down.
        * `fn exit_process() -> !`

In [None]:
fn meaning_of_life () -> u32 {
    42
}
println!("{:?}", meaning_of_life());

---
# Structs
There are three different sytles are structs you'll see.

## 1. Tuple structs.
Named structs but unamed fields


In [None]:
struct Pair(i32, f32);
let p = Pair(1, 42.0);
println!("{:?}", p.1);

## 2. C style structs
Named structs and named fields 


In [None]:
struct Point {
    x: u32,
    y: u32,
}
let p = Point {x: 42, y:42};
println!("{:?}", p.x);

## 3. Unit structs
Named struct with *no fields*. Useful when implementing generics.
```rust
struct world;
let _ = world;
```

## Struct methods.
* Methods are functions attached to objects.
* The `impl` keyword is used to declare methods.
* Methods are given access to the interior state of the struct by passing the `&self` as the first parameter.
* Methods can mutate the struct by passing `&mut self`


In [None]:
struct Point {
    x: f64,
    y: f64,
}

impl Point {
    fn new(x: f64, y: f64) -> Point {
        Point { x: x, y: y }
    }
    fn print_x(&self) {
        println!("{}",self.x);
    }
    fn set_x(&mut self, nu_x: f64) {
        self.x = nu_x;
    }
}

let mut p = Point::new(0.0, 0.0);
p.print_x();
p.set_x(42.0);
p.print_x();

---
# Enums

The `enum` keyword allow us create a type that enumerates the possible subtypes.

```rust
pub enum SocketAddr {
    V4,
    V6,
}
```

Unlike C these subtypes can contain arbitrary data.
```rust
pub enum SocketAddr {
    V4(SocketAddrV4),
    V6(SocketAddrV6),
}
```


In [None]:
enum Meaning {
    NoData,
    Question(String),
    Answer(u32),
}

fn print_meaning(m: Meaning) {
    match m {
        Meaning::NoData => println!("nada"),
        Meaning::Question(q) => println!("Question is {}", q),
        Meaning::Answer(a) => println!("Answer is {}", a),
    }
}

print_meaning(Meaning::NoData);
print_meaning(Meaning::Question("the meaning of Life, the Universe, and Everything".to_string()));
print_meaning(Meaning::Answer(42));

---
# Error Handling
* Rusts Error Handling is built on `enum`s. The two types you'll encounter are `Option` and `Result`

## Option
* `Option` - a `enum` where the value is optional represented by either `Some` or `None`
```rust
pub enum Option<T> {
    None,
    Some(T),
}
```

In [None]:
let mut v = vec![0, 1, 2];
println!("{:?}", v.pop());
println!("{:?}", v.pop());
println!("{:?}", v.pop());
println!("{:?}", v.pop());

## Result
`Result` - used for returning errors. Return values are wrapped in `Ok` and Errors in `Err`.

```rust
pub enum Result<T, E> {
    Ok(T),
    Err(E),
}
```

In [None]:
#[derive(Debug)]
enum MathError {
    DivideByZero,
}

fn divide(numerator: f64, denominator: f64) -> Result<f64, MathError> {
    if denominator == 0.0 {
        Err(MathError::DivideByZero)
    } else {
        Ok(numerator / denominator)
    }
}
println!("{:?}", divide(42.0, 0.0));
println!("{:?}", divide(42.0, 1.0));

## `unwrap` & `except`
* **Warning** these functions panic. They should not be used in production, only during prototyping and tests
* `unwrap` unpack the `enum` and panics on `None` and `Err`.
* `expect` same as unwrap but adds a message.

In [None]:
#[derive(Debug)]
enum MathError {
    DivideByZero,
}

fn divide(numerator: f64, denominator: f64) -> Result<f64, MathError> {
    if denominator == 0.0 {
        Err(MathError::DivideByZero)
    } else {
        Ok(numerator / denominator)
    }
}
println!("{:?}", divide(42.0, 0.0).expect("whoops"));

## `?`
* Using `Option` and `Result` becomes unwieldly to unpacked the value or propagate the error. The `?` is used to simplify this overhead.

In [None]:
#[derive(Debug)]
enum MathError {
    DivideByZero,
    ImaginaryNumber,
}

fn divide(numerator: f64, denominator: f64) -> Result<f64, MathError> {
    if denominator == 0.0 {
        Err(MathError::DivideByZero)
    } else {
        Ok(numerator / denominator)
    }
}

fn sqrt(num: f64) -> Result<f64, MathError> {
    if num < 0.0 {
        Err(MathError::ImaginaryNumber)
    } else {
        Ok(num.sqrt())
    }
}

fn check_num(num: f64) -> Result<(), MathError> {
    divide(42.0, num)?;
    sqrt(num)?;
    Ok(())
}

println!("{:?}", check_num(0.0));
println!("{:?}", check_num(-1.0));

---
# Ownership

System for working with references and memory allocation

There are 3 rules for ownership:
1. Each value in Rust has a variable that’s called its owner
1. There can only be one owner at a time
1. When the owner goes out of scope, the value will be dropped

In the example below we pass the `String s` to the function `do_somthing`
* This transfers ownership of `String s` to `do_somthing`
* After do_somthing returns `String s` is free`d.
* And we can no longer do anything with it.

In [None]:
fn do_something(_s: String) {
	println!("Aaaaand the String is gone!");
}

let s = "Hello".to_string();
do_something(s);
dbg!(s); // Compile-time error! Value is now owned by do_something() and was freed!

# Borrowing
* Borrowing has its own rules that enforced at compile time.
* At any time, you can have *either* but not both of
    * One Mutable Reference
    * Infinite Immutable References
* These rules make many memory management issues into compile-time errors
    * Dangling pointer, use after free
* These are also the main rules for avoiding data races!
    * Turns many concurrency errors into compile-time errors
    * Many concurrency issues can be resolved with a combination of the safety provided by the borrow system as well as Rust's type system

### Example
* In our example in order to retain ownership of `s` we can change `do_something` to borrow `s`.
* Using `&` in type declaration indicates the value is borrowed.

In [None]:
fn do_something(_s: &String) {
    println!("It’s still yours!");
}

let s = "Hello".to_string();
do_something(&s);
println!("{}", s);

# Mutable Borrowing
* In order to change `s` we need change our type declaration to include `mut`

In [None]:
fn do_something_mutable(value: &mut String) {
    value.push_str(" world!");
}

let mut s = "Hello".to_string();
do_something_mutable(&mut s);
println!("{}", s);

---

<div>
<img src="Pictures/unsafe.svg" width="200">
</div>

# `unsafe`
* The `unsafe` keyword allows you declare a block of code where it gives access to these five superpowers
    * Dereferencing raw pointers
    * Calling functions or methods which are unsafe; usually FFI functions.
    * Accessing or modifying static mutable variables
    * Implement an unsafe trait
    * Access fields of unions
* This does **not** disable all of rusts safety guarantees just grant access to these superpowers and marks specific location where memory issue can occurs allowing for faster debugging.



In [None]:
let raw_p: *const u32 = &10;

unsafe {
    assert!(*raw_p == 10);
}

---
# FFI Integration
* Rust exposes a C ABI that makes it straightforward to interface with other languages.

## Calling C from Rust
### C
```c
int double_input(int input) {
    return input * 2;
}
```

### Rust
```rust
extern {
    fn double_input(input: libc::c_int) -> libc::c_int;
}

fn main() {
    let input = 4;
    let output = unsafe { double_input(input) };
    println!("{} * 2 = {}", input, output);
}
```

## Calling Rust from C
### Rust
```rust
#[no_mangle]
pub extern fn double_input(input: i32) -> i32 {
    input * 2
}
```

### C
```c
extern int32_t double_input(int32_t input);

int main() {
    int input = 4;
    int output = double_input(input);
    printf("%d * 2 = %d\n", input, output);
    return 0;
}
```
* [For examples binding to other languages see this set of examples](https://github.com/alexcrichton/rust-ffi-examples)

---
# Tests
* Rust has support for inline tests.

```Rust
#[derive(Debug)]
enum MathError {
    DivideByZero,
}

fn divide(numerator: f64, denominator: f64) -> Result<f64, MathError> {
    if denominator == 0.0 {
        Err(MathError::DivideByZero)
    } else {
        Ok(numerator / denominator)
    }
}

#[test]
fn div_by_zero() {
    assert_eq!(divide(42.0), Err(MathError::DivideByZero))
}
```

# Lessons Learned from Integrating into HPE Primera
## Background
* Primera is a distributed storage product that has been around for about 20 years 
* It has a large ~1.5m LOC code based composed mostly of C and TCL
* Changes are considered conservatively and we ship on a yearly cycle

## Nothing will change if you don't ask
* At the beginning of a major rewrite we suggested rewriting in Rust
* It was a shock to management; there wasn't an established procedure for adopting new languages
* Several Presentations on Rust and a Proof of Concept later we we're given the green light

## Rust ships a new stable compiler every six weeks.
* We initially had to rely up the Release and Tools team (R&T) to install Rust.
* Keeping version in sync across build servers was a problem, as we needed to involve R&T for every update
* Later moved to a mechanism so that We can now update Rust without R&T

## Learning Curve
* The ownership model requires programmers to think more carefully about their use of data
* The type system is very robust and takes some getting used to, especially with the improved enums
* These can be confusing at first and lead to a higher than normal learning curve


---
# Further Reading

<div>
<img src="Pictures/rustdocs.png" width="200">
</div>

* [The Rust Programming Language](https://doc.rust-lang.org/book/) a.k.a The Book
* [Std docs](https://doc.rust-lang.org/std/)
* [Nomicon](https://doc.rust-lang.org/nomicon) - The Dark Arts of Unsafe Rust
* [Rust by Example](https://doc.rust-lang.org/stable/rust-by-example/)
* [Evcxr](https://github.com/google/evcxr) - The Rust Jupyter Kernel used during this presentation

---
# Thank You
<div>
<img src="Pictures/rustacean-flat-gesture.svg" width="200">
</div>

* Jonathan.Parris@hpe.com
* Malachi.Thomas@hpe.com