Google plans to support the use of third-party Rust libraries in its open source browser project Chromium, a significant endorsement of the programming language and its security characteristics.
In a blog post published on Thursday, Dana Jansens, from the Chrome security team, said Google’s software engineers have begun adding a production Rust toolchain to its build system. The hope is to include Rust code in the Chrome binary before the end of the year.
“Our goal in bringing Rust into Chromium is to provide a simpler (no IPC) and safer (less complex C++ overall, no memory safety bugs in a sandbox either) way to satisfy the rule of two, in order to speed up development (less code to write, less design docs, less security review) and improve the security (increasing the number of lines of code without memory safety bugs, decreasing the bug density of code) of Chrome,” explained Jansens.
Rust, when not written to be unsafe, can avoid memory safety flaws, which represent 70 percent of the serious security bugs identified in Chromium. The language doesn’t guarantee code invulnerability but it can mean many fewer potential flaws.
For what it’s worth, Google has also been working on improving memory safety in C++, a language that creator Bjarne Stroustrup insists can be memory safe when it conforms to the ISO C++ standard and adheres to specific guidelines enforced by static analysis.
Jansens thanked Mozilla, which supported the development of Rust until it matured and attracted enough external support to merit its own foundation. Mozilla has long been supported financially by Google, which pays to be the default search engine in Mozilla’s Firefox browser. But the public benefit company has sought out other sources of funding as Chrome eroded usage of Firefox.
Rust and C++, the basis of Chromium, can interact through tools like cxx, autocxx, bindgen, cbindgen, diplomat, and crubit, explained Jansens. These tools provide a safe way to call C++ code from Rust code and vice versa. But there are limits to interoperability between the two languages due to differences in their respective designs.
“For example, Rust guarantees temporal memory safety with static analysis that relies on two inputs: lifetimes (inferred or explicitly written) and exclusive mutability,” Jansens explained. “The latter is incompatible with how the majority of Chromium’s C++ is written.”
Jansens observed that because Rust and C++ play by different rules, interoperability can easily go awry. That’s why Google is taking a cautious approach.
Initially, Google will support unidirectional C++ to Rust interoperability to control the shape of the dependency graph. “Rust can not depend on C++ so it cannot know about C++ types and functions, except through dependency injection,” explained Jansens. “In this way, Rust can not land in arbitrary C++ code, only in functions passed through the API from C++.”
And for now Chromium’s exposure to Rust will be only through third-party libraries.
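The one-way arrangement described above can be sketched in a few lines of Rust. This is an added example, not code from Chromium or from Jansens's post: the names `demo_split_fields`, `EmitFn` and `host_collect` are hypothetical, and the host callback is written in Rust only as a stand-in for the C++ side so the block runs on its own.

```rust
use std::ffi::c_void;

/// Callback type the C++ host injects: (opaque host context, bytes, length).
pub type EmitFn = extern "C" fn(ctx: *mut c_void, data: *const u8, len: usize);

/// Entry point C++ would call. A real library would also export the symbol with
/// `#[no_mangle]`. Rust names no C++ type here: it sees raw bytes, an opaque
/// context pointer, and the one function C++ chose to pass in.
/// Returns the number of fields emitted, or -1 if a required argument is null.
/// Safety: `input` must point to `len` readable bytes for the whole call.
pub unsafe extern "C" fn demo_split_fields(
    input: *const u8, len: usize, emit: Option<EmitFn>, ctx: *mut c_void,
) -> i32 {
    let emit = match emit {
        Some(f) if !input.is_null() => f,
        _ => return -1,
    };
    let bytes = unsafe { std::slice::from_raw_parts(input, len) };
    split_fields(bytes, |field| emit(ctx, field.as_ptr(), field.len()))
}

/// Safe core: comma-separated fields, empty ones skipped.
fn split_fields(bytes: &[u8], mut sink: impl FnMut(&[u8])) -> i32 {
    let mut n = 0;
    for field in bytes.split(|b| *b == b',').filter(|f| !f.is_empty()) {
        sink(field);
        n += 1;
    }
    n
}

/// Stand-in for the C++ side (constructed for this example): appends each field
/// to the Vec<String> that `ctx` points to.
extern "C" fn host_collect(ctx: *mut c_void, data: *const u8, len: usize) {
    let out = unsafe { &mut *(ctx as *mut Vec<String>) };
    let field = unsafe { std::slice::from_raw_parts(data, len) };
    out.push(String::from_utf8_lossy(field).into_owned());
}

/// Plays the host's role: owns the state and injects the callback.
pub fn run_demo(input: &[u8]) -> (i32, Vec<String>) {
    let mut got: Vec<String> = Vec::new();
    let ctx = &mut got as *mut Vec<String> as *mut c_void;
    let n = unsafe { demo_split_fields(input.as_ptr(), input.len(), Some(host_collect), ctx) };
    (n, got)
}

fn main() {
    println!("{:?}", run_demo(b"a,,bc,d")); // constructed sample input
}
```

The only `unsafe` steps are at the boundary, where raw pointers from the host become slices; the parsing itself is ordinary safe Rust.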
Nonetheless, Google’s deepening commitment to Rust can be expected to enrich the Rust package ecosystem significantly, with the company developing and maintaining tools like crubit to improve bidirectional interoperability between C++ and Rust.
Google has already brought Rust into the Android ecosystem. Microsoft Azure CTO Mark Russinovich has called for the use of Rust rather than C++ in new projects. The Linux kernel has added Rust support. And even Apple, loath to commit to technologies it doesn’t control, has been using Rust.