Bringing Rust's safety to C++ through:
1. Static Borrow Checker - Compile-time ownership and lifetime analysis via rusty-cpp-checker.
2. Safe Types - Box<T>, RefCell<T>, Vec<T>, HashMap<K,V>, etc.
3. Rust Idioms - Send/Sync traits, RAII guards, type-state patterns, Result<T,E>/Option<T>, etc.
This project aims to catch memory safety issues at compile-time by applying Rust's proven ownership model to C++ code. It helps prevent common bugs like use-after-move, double-free, and dangling references before they reach production.
Though C++ is flexible enough to mimic Rust's idioms in many ways, implementing a borrow-checking without modifying the compiler system appears to be impossible, as analyzed in this document.
We provide rusty-cpp-checker, a standalone static analyzer that enforces Rust-like ownership and borrowing rules for C++ code, bringing memory safety guarantees to existing C++ codebases without runtime overhead. rusty-cpp-checker does not bringing any new grammar into c++. Everything works through simple annoations such as adding // @safe enables safety checking on a function.
Here's a simple demonstration of how const reference borrowing works:
// @safe
void demonstrate_const_ref_borrowing() {
int value = 42;
// Multiple const references are allowed (immutable borrows)
const int& ref1 = value; // First immutable borrow - OK
const int& ref2 = value; // Second immutable borrow - OK
const int& ref3 = value; // Third immutable borrow - OK
// All can be used simultaneously to read the value
int sum = ref1 + ref2 + ref3; // OK - reading through const refs
}
// @safe
void demonstrate_const_ref_violation() {
int value = 42;
const int& const_ref = value; // Immutable borrow - OK
int& mut_ref = value; // ERROR: Cannot have mutable borrow when immutable exists
// This would violate the guarantee that const_ref won't see unexpected changes
mut_ref = 100; // If allowed, const_ref would suddenly see value 100
}
Analysis Output:
Rusty C++ Checker
Analyzing: example.cpp
✗ Found 2 violation(s) in example.cpp:
Cannot create mutable reference to 'value': already immutably borrowed
Cannot create mutable borrow 'mut_ref': 'value' is already borrowed by 'const_ref'
- 🔄 Borrow Checking: Enforces Rust's borrowing rules (multiple readers XOR single writer)
- 🔒 Ownership Tracking: Ensures single ownership of resources with move semantics
- ⏳ Lifetime Analysis: Validates that references don't outlive their data
- Use-after-move violations
- Multiple mutable borrows
- Dangling references
- Lifetime constraint violations
- RAII violations
- Data races (through borrow checking)
The recommended way to use rusty-cpp is to use cmake to do automatic checking at build. Also consider adding rusty-cpp as a submoduel so it is easy to track updates as rusty-cpp is rapidly evolving. See cmake-example-project/ for a complete working example.
For system-wide installation, use our install script which detects your OS and installs all dependencies:
curl -sSL https://raw.githubusercontent.com/shuaimu/rusty-cpp/main/install.sh | bash
Or clone and run locally:
git clone https://github.com/shuaimu/rusty-cpp
cd rusty-cpp
./install.sh
Supported platforms: macOS (Homebrew), Ubuntu/Debian (apt), Fedora (dnf), CentOS/RHEL 8+ (dnf), Arch Linux (pacman)
Prerequisites (must be installed before building):
- Rust: 1.70+
- LLVM/Clang: 16+ (for parsing C++)
- Z3: 4.8+ (constraint solver)
brew install llvm z3
git clone https://github.com/shuaimu/rusty-cpp
cd rusty-cpp
cargo build --release
sudo apt-get install llvm-16-dev libclang-16-dev clang-16 libz3-dev
git clone https://github.com/shuaimu/rusty-cpp
cd rusty-cpp
cargo build --release
# Install LLVM from https://releases.llvm.org/
set LIBCLANG_PATH=C:\Program Files\LLVM\lib
cargo build --release
# Analyze a single file
rusty-cpp-checker path/to/file.cpp
# Analyze with verbose output
rusty-cpp-checker -vv path/to/file.cpp
# Output in JSON format (for IDE integration)
rusty-cpp-checker --format json path/to/file.cpp
For release distributions, we provide a standalone binary that doesn't require setting environment variables:
# Build standalone release
./build_release.sh
# Install from distribution
cd dist/rusty-cpp-checker-*/
./install.sh
# Or use directly
./rusty-cpp-checker-standalone file.cpp
See RELEASE.md for details on building and distributing standalone binaries.
No environment variables required! Both Z3 and LLVM are auto-detected via pkg-config at build time.
If dependencies are in non-standard locations, you can optionally set:
export LIBCLANG_PATH=/path/to/llvm/lib
export Z3_SYS_Z3_HEADER=/path/to/z3.h
The borrow checker uses a two-state safety system with automatic header-to-implementation propagation:
@safe- Functions with full borrow checking and strict calling rules@unsafe- Everything else (unannotated code is @unsafe by default)
| Caller → Can Call | @safe | @unsafe |
|---|---|---|
| @safe | ✅ Yes | ❌ No (use @unsafe block) |
| @unsafe | ✅ Yes | ✅ Yes |
// @safe
void safe_function() {
// ✅ CAN call other @safe functions
safe_helper();
// ❌ CANNOT call @unsafe functions directly
// unsafe_func(); // ERROR: must use @unsafe block
// ✅ CAN call @unsafe functions via @unsafe block
// @unsafe
{
unsafe_func(); // OK: in @unsafe block
std::vector<int> vec; // OK: STL in @unsafe block
}
// ✅ CAN use pointers (treated like references)
int x = 42;
int* ptr = &x; // OK: pointers allowed in safe code
// ❌ CANNOT do pointer arithmetic or use nullptr
// ptr++; // ERROR: pointer arithmetic requires unsafe context
// int* p = nullptr; // ERROR: nullptr requires unsafe context
}
// @unsafe (or no annotation - same thing)
void unsafe_function() {
// ✅ Can call anything, use nullptr, and do pointer arithmetic
safe_function(); // OK: can call safe
another_unsafe(); // OK: can call unsafe
int* ptr = nullptr; // OK: nullptr allowed
ptr++; // OK: pointer arithmetic allowed
std::vector<int> vec; // OK: STL allowed
}
Key Insight: This is a clean two-state model - code is either @safe or @unsafe. Unannotated code is @unsafe by default. To call anything unsafe from @safe code, wrap it in an @unsafe { } block.
Safety annotations in headers automatically apply to implementations:
// math.h
// @safe
int calculate(int a, int b);
// @unsafe
void process_raw_memory(void* ptr);
// math.cpp
#include "math.h"
int calculate(int a, int b) {
// Automatically @safe from header
return a + b;
}
void process_raw_memory(void* ptr) {
// Automatically @unsafe from header
// Pointer operations allowed
}
By default, all STL and external functions are @unsafe, meaning @safe functions cannot call them directly. You have three options:
Option 1 (Recommended): Use Rusty structures
#include <rusty/box.hpp>
#include <rusty/vec.hpp>
// @safe
void safe_with_rusty() {
// ✅ OK: Rusty structures are designed for safe code
rusty::Vec<int> vec;
vec.push_back(42); // Safe by design
rusty::Box<Widget> widget = rusty::Box<Widget>::make(args);
}
Option 2: Use @unsafe blocks for STL
#include <vector>
// @safe
void safe_with_stl() {
// @unsafe
{
std::vector<int> vec;
vec.push_back(42); // OK: in @unsafe block
}
}
Option 3: Mark specific external functions as [safe] via external annotations
If you've audited an external function and want to call it directly from @safe code:
// @external: {
// my_audited_function: [safe, () -> void]
// }
void my_audited_function(); // External function you've audited
// @safe
void caller() {
my_audited_function(); // OK: marked [safe] via external annotation
}
See Complete Annotations Guide for comprehensive documentation on all annotation features, including safety, lifetime, and external annotations.
#include <rusty/box.hpp>
// @safe
void bad_code() {
rusty::Box<int> ptr1 = rusty::Box<int>::make(42);
rusty::Box<int> ptr2 = std::move(ptr1);
*ptr1 = 10; // ERROR: Use after move!
}
Output:
Rusty C++ Checker
Analyzing: example.cpp
✗ Found 1 violation(s) in example.cpp:
Use after move: cannot dereference_write (via operator*) variable 'ptr1' because it has been moved
// @safe
void bad_borrow() {
int value = 42;
int& ref1 = value;
int& ref2 = value; // ERROR: Cannot borrow as mutable twice
}
Output:
Rusty C++ Checker
Analyzing: example.cpp
✗ Found 3 violation(s) in example.cpp:
Cannot create mutable reference to 'value': already mutably borrowed
Cannot create mutable borrow 'ref1': 'value' is already borrowed by 'ref2'
Cannot create mutable borrow 'ref2': 'value' is already borrowed by 'ref1'
// @safe
int& dangling_reference() {
int local = 42;
return local; // ERROR: Returning reference to local variable
}
Output:
Rusty C++ Checker
Analyzing: example.cpp
✗ Found 2 violation(s) in example.cpp:
Safe function 'dangling_reference' returns a reference but has no @lifetime annotation
Cannot return reference to local variable 'local'
┌─────────────┐ ┌──────────┐ ┌────────┐
│ C++ Code │────▶│ Parser │────▶│ IR │
└─────────────┘ └──────────┘ └────────┘
│ │
(libclang) ▼
┌──────────────┐
┌─────────────┐ ┌──────────┐ │ Analysis │
│ Diagnostics │◀────│ Solver │◀──│ Engine │
└─────────────┘ └──────────┘ └──────────────┘
│ │
(Z3) (Ownership/Lifetime)
- Parser (
src/parser/): Uses libclang to build C++ AST - IR (
src/ir/): Ownership-aware intermediate representation - Analysis (
src/analysis/): Core borrow checking algorithms - Solver (
src/solver/): Z3-based constraint solving for lifetimes - Diagnostics (
src/diagnostics/): User-friendly error reporting
RustyCpp provides safe data structures that integrate seamlessly with the borrow checker:
#include <rusty/vec.hpp>
#include <rusty/box.hpp>
// @safe
void example() {
rusty::Vec<int> vec = {1, 2, 3};
int& ref = vec[0]; // Borrows &'vec mut
vec.push_back(4); // ERROR: Cannot modify vec while ref exists
}
For STL structures, use @unsafe blocks:
#include <vector>
// @safe
void stl_example() {
// @unsafe
{
std::vector<int> vec = {1, 2, 3};
vec.push_back(4); // OK: in @unsafe block
}
}
See Complete Annotations Guide for all annotation features.
Annotate third-party functions with safety and lifetime information without modifying their source.
By default, all external functions are @unsafe. You can:
- Use
@unsafeblocks to call them from@safecode - Mark specific functions as
[safe]if you've audited them
// @external: {
// // Mark as [safe] if you've audited the function
// my_audited_function: [safe, () -> void]
//
// // Mark as [unsafe] with lifetime info for documentation
// strchr: [unsafe, (const char* str, int c) -> const char* where str: 'a, return: 'a]
// malloc: [unsafe, (size_t size) -> owned void*]
// }
void my_audited_function();
// @safe
void example() {
my_audited_function(); // OK: marked [safe] via external annotation
// @unsafe
{
const char* text = "hello";
const char* found = strchr(text, 'e'); // OK: in @unsafe block
}
}
See Complete Annotations Guide for comprehensive documentation on safety annotations, lifetime annotations, and external annotations.
RustyCpp provides drop-in replacements for C++ standard library types with built-in safety guarantees:
rusty::Box<T>- Single ownership pointer with move-only semanticsrusty::Box<Widget> widget = rusty::Box<Widget>::make(42); auto widget2 = std::move(widget); // OK: explicit ownership transfer // widget.get(); // ERROR: use-after-move detected
rusty::RefCell<T>- Runtime borrow checking for interior mutabilityrusty::RefCell<int> cell(42); { auto ref = cell.borrow(); // Immutable borrow // auto mut_ref = cell.borrow_mut(); // ERROR: already borrowed } auto mut_ref = cell.borrow_mut(); // OK: previous borrow ended
-
rusty::Vec<T>- Dynamic array with iterator invalidation detectionrusty::Vec<int> vec = {1, 2, 3}; auto it = vec.begin(); // vec.push_back(4); // ERROR: would invalidate iterator -
rusty::HashMap<K, V>- Hash map with safe concurrent access patterns -
rusty::HashSet<T>- Hash set with ownership semantics -
rusty::Rc<T>- Reference counted pointer (single-threaded) -
rusty::Arc<T>- Atomic reference counted pointer (thread-safe)
rusty::Option<T>- Explicit handling of optional valuesrusty::Result<T, E>- Explicit error handling
Include the headers:
#include <rusty/box.hpp>
#include <rusty/refcell.hpp>
#include <rusty/vec.hpp>
#include <rusty/hashmap.hpp>
These types are designed to work seamlessly with the borrow checker and enforce Rust's safety guarantees at runtime.
RustyCpp implements key Rust design patterns for safer concurrent programming:
RustyCpp implements Rust's Send trait using an explicit opt-in system that prevents accidental data races at compile-time:
#include <rusty/sync/mpsc.hpp>
// ✅ Primitives are pre-marked as Send
auto [tx, rx] = rusty::sync::mpsc::channel<int>();
// ✅ Rusty types are Send if their content is Send
auto [tx, rx] = rusty::sync::mpsc::channel<rusty::Arc<int>>();
// ❌ Rc is NOT Send (non-atomic reference counting)
auto [tx, rx] = rusty::sync::mpsc::channel<rusty::Rc<int>>(); // Compile error!
// ❌ Unmarked user types are NOT Send (must explicitly mark)
struct MyType { int value; };
auto [tx, rx] = rusty::sync::mpsc::channel<MyType>(); // Compile error!
How to mark your types as Send:
// Method 1: Static marker (recommended for your types)
class ThreadSafe {
public:
static constexpr bool is_send = true; // Explicitly mark as Send
// ... your thread-safe implementation
};
// Method 2: External specialization (for third-party types)
namespace rusty {
template<>
struct is_explicitly_send<ThirdPartyType> : std::true_type {};
}
Key Features:
- Safe by default: Types are NOT Send unless explicitly marked
- Compositional safety:
struct { Rc<T> }is automatically rejected (no Send marker) - Clear errors: Compiler tells you exactly how to fix the issue
- No deep analysis needed: Simple marker check at compile-time
Example - Compositional Safety:
// Without marker, this is NOT Send (safe!)
struct ContainsRc {
rusty::Rc<int> data; // Non-thread-safe
};
auto [tx, rx] = channel<ContainsRc>(); // ✗ Compile error!
// Error: ContainsRc must be Send (marked explicitly)
// Arc is thread-safe, so use it instead
struct ThreadSafeVersion {
static constexpr bool is_send = true;
rusty::Arc<int> data; // Thread-safe
};
auto [tx, rx] = channel<ThreadSafeVersion>(); // ✓ Works!
Thread-safe message passing channel, identical to Rust's std::sync::mpsc:
#include <rusty/sync/mpsc_lockfree.hpp> // Lock-free (recommended)
// or
#include <rusty/sync/mpsc.hpp> // Mutex-based
#include <thread>
using namespace rusty::sync::mpsc::lockfree; // or ::mutex
void example() {
// Create channel
auto [tx, rx] = channel<int>();
// Clone sender for multiple producers
auto tx2 = tx.clone();
// Producer threads
std::thread t1([tx = std::move(tx)]() mutable {
tx.send(42);
});
std::thread t2([tx2 = std::move(tx2)]() mutable {
tx2.send(100);
});
// Consumer receives from both
for (int i = 0; i < 2; i++) {
auto result = rx.recv();
if (result.is_ok()) {
int value = result.unwrap();
std::cout << "Received: " << value << "\n";
}
}
t1.join();
t2.join();
}
Two Implementations Available:
-
Lock-Free (
mpsc_lockfree.hpp) - Recommended- 28 M msg/s throughput, 3.3 μs p50 latency
- Batch operations (4x faster under contention)
- Wait-free consumer, lock-free producers
- See User Guide and Developer Guide
-
Mutex-Based (
mpsc.hpp)- Simple, straightforward implementation
- Lower throughput but easier to understand
- Good for low-frequency communication
Common Features:
- Blocking operations:
send(),recv() - Non-blocking operations:
try_send(),try_recv() - Disconnection detection
- Type-safe with Send constraint
- Rust-compatible API
Compile-time marker for types safe to share references between threads:
template<typename T>
concept Sync = /* implementation */;
Scope-based resource management following Rust's guard pattern:
// MutexGuard automatically unlocks on scope exit
auto guard = mutex.lock();
// ... use protected data ...
// Guard destroyed here, mutex automatically unlocked
Encode state machines in the type system:
struct Unopened {};
struct Opened {};
template<typename State>
class File {
// Only available when Opened
std::string read_line() requires std::same_as<State, Opened>;
};
File<Unopened> file("data.txt");
File<Opened> opened = file.open(); // State transition via move
std::string line = opened.read_line(); // OK
Rust-style Result and Option types:
rusty::Result<int, std::string> parse_number(const std::string& str);
rusty::Option<int> find_value(const std::string& key);
// Pattern matching style
auto result = parse_number("42");
if (result.is_ok()) {
int value = result.unwrap();
} else {
std::string error = result.unwrap_err();
}
Writing C++ that is easier to debug by adopting principles from Rust.
Explicitness is one of Rust's core philosophies. It helps prevent errors that arise from overlooking hidden or implicit code behaviors.
Constructors should be limited to initializing member variables and establishing the object's memory layout—nothing more. For additional initialization steps, create a separate Init() function. When member variables require initialization, handle this in the Init() function rather than in the constructor.
Similarly, if you need computation in a destructor (such as setting flags or stopping threads), implement a Destroy() function that must be explicitly called before destruction.
Avoid inheritance whenever possible.
When polymorphism is necessary, limit inheritance to a single layer: an abstract base class and its implementation class. The abstract class should contain no member variables, and all its member functions should be pure virtual (declared with = 0). The implementation class should be marked as final to prevent further inheritance.
Except for primitive types, prefer using move instead of copy operations. There are multiple ways to disallow copy constructors; our convention is to inherit from the boost::noncopyable class:
class X: private boost::noncopyable {};
If copy from an object is necessary, implement move constructor and a Clone function:
Object obj1 = move(obj2.Clone()); // move can be omitted because it is already a right value.
Avoid using raw pointers except when required by system calls, in which case wrap them in a dedicated class.
Try to use POD types if possible. POD means "plain old data". A class is POD if:
- No user-defined copy assignment
- No virtual functions
- No destructor
Some languages (like D, Zig, and Swift) offer seamless integration with C++. This makes it easier to adopt these languages in existing C++ projects, as you can simply write new code in the chosen language and interact with existing C++ code without friction.
Unfortunately, Rust does not support this level of integration (perhaps intentionally to avoid becoming a secondary option in the C++ ecosystem), as discussed here. Currently, the best approach for C++/Rust interoperability is through the cxx/autocxx crates. This interoperability is implemented as a semi-automated process based on C FFIs (Foreign Function Interfaces) that both C++ and Rust support. However, if your C++ code follows the guidelines in this document, particularly if all types are POD, the interoperability experience can approach the seamless integration offered by other languages (though this remains to be verified).
Two projects that (attempt to) implement borrow checking in C++ at compile time are Circle C++, and Crubit.