Rust vs. C: performance and security in low-level programming (2023)

According to Stack Overflow Developer Survey 2020, Rust is the most popular programming language. It won the title for the fifth year in a row, and the good news doesn't stop there. Also in 2020, the Linux kernel developers proposed including Rust in the Linux kernel originally written in C. More recently, Facebook joined the Rust Foundation, an organization that promotes the development of the Rust language with the intention of helping it become popular.

Given all of this, we decided to see if Rust could replace C inLow-level network programmingto ensure greater security without sacrificing high performance. For usproof of concept, we chose the DPDK library because it is used to write user-space applications for packet processing where performance is a critical factor.

Rust as a system programming language

Rust was created to providehigh performance, comparable to C and C++, with a strong focus on code security. C compilers don't really care about security. This means that programmers must be careful not to write a program that causes memory violations or data races.

In Rust, most of these issues are caught during the build process. You can write code in two different modes: Safe Rust, which imposes additional restrictions on the programmer (e.g. object property management), but ensures that the code works correctly. The other mode is insecure Rust, which gives the programmer more autonomy (e.g. it can work with C-like pointers), but the code can break. For these reasons, Rust is an excellent choice for programming systems that require high performance and security.

C libraries in Rust

Many projects related to low-level systems, such as operating systems, game engines, and network applications, are written in C or C++. This is mainly because there has never been a real alternative that guarantees high performance and easy access to storage and operating system features.

Today Rust is seen as an alternative, although rewriting an entire project if we want to use this language would break most budgets. Luckily we don't have to. Rust supports calling C functions from Rust code with no additional performance overhead.

Suppose we have a simple library written in C:

#contain <stdio.h>#contain <stdlib.h>Structure CStruct { int32_ta ;};Structure CStruct *init_struct(int32_ta ) { Structure CStruct *s= malloc(size of(*s)); What happened if (s!= NULL)s->a =a ; Returnss;}file free_struct(Structure CStruct *s) { for free(s);}

We can create bindings to these functions and structures and use them like this:

#[repr(C)]Structure CStruct {a : i32,}extern "C" { fn init_struct(a : i32) -> *Period CStruct; fn free_struct(s: *Period CStruct);}fn a director() { unsure { leavings= init_struct(5); What happened if !s.is zero() { press!("s->a = {}", (*s).a ); } free_struct(s); }}

These links are easy to write. There are even special tools (the remaining binding) that you can generate automatically. They are unfortunately very raw and requireunsureBlocks to use them, so we can't take full advantage of Rust's features. In this case, the programmer must check whether the mapping was successful (sis not null) before it is dereferenced and an array is accessed. We could theoretically ignore thatinit_structmay return and read nullptr in some casess.awithout this test. This would work most of the time, but sometimes it would fail at runtime - that's why it's not safe in Rust. We must also remember to free memory - or risk a memory leak. However, these bindings are a good first step towards a more decent API that would enforce correct use of this library. The code above can be grouped as follows:

Structure remainderstructure {cstr: *Period CStruct,}imply remainderstructure { fn Novo(a : i32) -> Result<Auto, ()> { // Use raw bindings to create the structure leavingcstr= unsure {init_struct(a )}; // returns Err if the build failed, or Ok if the build was successful What happened ifcstr.is zero() { Returns err(()); } OK(remainderstructure {cstr}) } fn get one(&Auto) -> i32 { // At this point we know that self.cstr is not null// so it's ok to just dereference unsure {(*Auto.cstr).a } }}imply Drop Pro remainderstructure { fn drop(&Period Auto) { // Freeing the structure doesn't fail unsure {free_struct(Auto.cstr)}; }}// You don't have to remember to free the structure - it will be freed when it's out of scopefn a director() -> Result<(), ()> { // We need to handle the case where RustStruct::new fails and// returned Err so we can't use mismatched s leavings= remainderstructure::Novo(5)?; press!("s->a = {}",s.get one()); OK(())}

unsureBlocks are moved into the library code, that is, ina director()We can use the secure Rust API.

DPDK in Rust

allow packet processing in user space,DPDKis a library used for programming high-performance network applications. DPDK is written in C, so using it with Rust without a properly prepared API is inconvenient and unsafe.

We're not the first to try to create bindings for DPDK in Rust. We decided to base our API on another project—ANLAB-KAIST/rust-dpdk. This project uses bindgen when compiling code to generate bindings for the specified DPDK version.

This makes updating the API to the latest DPDK version easy. Also, much of the high-level API was already well-written, so we didn't have to write it from scratch. Finally, we just added a few features to this library and fixed some issues. Our final version of this API is here:codylime/rust-dpdk.

The interface for communicating with the DPDK is designed in such a way that the programmer does not have to remember any non-obvious dependencies that can lead to errors in DPDK applications. Below we present some examples of the API with the corresponding code in C.

EAL initialization

{ intret= rte_eal_init(Argc,argv);Argc-=ret;argv+=ret; // Parse application-specific arguments // ... rte_eal_cleanup();}

{ // args - The command line argument leavingreal= Eal::Novo(&Periodargument)?; // Parse each specific argument // Parse application-specific arguments // ...} // eal.drop() calls rte_eal_cleanup() and others

Most DPDK functions can only be called after EAL initialization. In Rust this was solved by creating an instance of aEalStructure. This framework provides more functionality in your methods. In addition, thanks to the participation of the EAL in the structure, it is not necessary to carry out a cleanup at the end of the program. It will be called automatically when therealstructure falls.

Ethdev and RX/TX queue initialization

{ RTE_ETH_FOREACH_DEV(ported) { // Configure the device and create 1 RX and 1 TX queue rte_eth_dev_configure(ported, 1, 1, &port_config); // configure queues rte_eth_rx_queue_setup(ported, 0,nb_rxd, rte_eth_dev_socket_id(ported), &rxq_config,pktmbuf_pool); rte_eth_tx_queue_setup(ported, 0,nb_txd, rte_eth_dev_socket_id(ported), &txq_config); rte_eth_dev_start(ported); rte_eth_promiscuous_enable(ported); } // ... // deinitialization RTE_ETH_FOREACH_DEV(ported) { rte_eth_dev_stop(ported); rte_eth_dev_close(ported); }}

{ leavinguninit_ports=real.doors()?; leavingdoors_with_queues=uninit_ports.into_iter().Map(|uninit_port| { // Configure the device, create and configure 1 RX and 1 TX queue leaving (porta, (rxqs,Many Thanks)) =uninit_port.Start(1, 1, none);porta.begin().unpacking();porta.set_promiscuous(real); (porta, (rxqs,Many Thanks)) }).collect::<vec<_>>(); // ...} // port.drop() chama rte_eth_dev_stop() und rte_eth_dev_close()

In DPDK applications, ethdev is normally initialized once at program startup. Multiple queues can be passed to the configuration at startup. in rust,real.ports()returns a list of uninitialized ports, which can later be initialized separately, producing a structure corresponding to the initialized port and lists of RX and TX queues. vocationreal.ports()a second time causes a runtime error, preventing a single device from booting multiple times.

Our Rust API simplifies initialization - a large part of the DPDK function calls are hidden in theuninit_port.init()Implementation. Of course, this means we don't have much power when configuring devices and queues in Rust, but we get a simpler implementation.

RX/TX queues

{ Structure rte_mbuf *pkts_burst[MAX_PKT_BURST]; uint16_tnb_recv= rte_eth_rx_burst(ported,line identifier,pkts_burst,MAX_PKT_BURST); // ... uint16_tnb_sent= rte_eth_tx_burst(ported,line identifier,pkts_burst,MAX_PKT_BURST);}

{ leaving PeriodPkt= ArrayVec::<Package<TestPriv>, MAX_PKT_BURST>::Novo(); leavingnb_recv=rx_queue.Reception(&PeriodPkt); // ... leavingnb_sent=tx_queue.tx(&PeriodPkt);}

Each queue is associated with an ethdev, so it would be easier to work with queues than devices when sending and receiving packets. In Rust we have specific structures for RX and TX queues, so working with them is easier.

Also, the RX and TX queues in DPDK are not thread-safe, so the frameworks are designed in such a way that any attempt to use them in multiple threads will result in a compile-time error.

Change in package content

{ Structure rte_ether_hdr *eth= rte_pktmbuf_mtod(Package, Structure rte_ether_hdr *); Structure rte_ether_addrgossip= (Structure rte_ether_addr) { .addr_bytes= {1, 2, 3, 4, 5, 6} }; Structure rte_ether_addrdmac= (Structure rte_ether_addr) { .addr_bytes= {6, 5, 4, 3, 2, 1} }; memcpy(&eth->d_adr.addr_bytes, &dmac.addr_bytes, size of(dmac.addr_bytes)); memcpy(&eth->s_adr.addr_bytes, &gossip.addr_bytes, size of(gossip.addr_bytes));}

{ leaving Periodeth= Spiel Quadro-Ethernet::new_checked(Package.data_mut())?;eth.set_src_addr(Ethernet-Address([1, 2, 3, 4, 5, 6]));eth.set_dst_addr(Ethernet-Address([6, 5, 4, 3, 2, 1]));}

By using Rust, we can easily add functionality written by someone else by simply adding box names to the Cargo.toml file. So in case of packet data changes (e.g. header change) we can just use external libraries. We tested and compared several open source libraries - conclusions and performance tests are below.

several topics

{ RTE_LCORE_FOREACH_WORKER(lcore_id) { rte_eal_remote_launch(lcore_function,Private,lcore_id); }}

{ dpdk::fio::to reach(|to reach| { Prolcorenoreal.lcores() {lcore.throw(to reach, |Private| lcore_function(Private)); } })?;}

The DPDK allows us to launch code on a specific logical core. We combine Rust thread management with DPDK Lcore management. Thanks to this, the API allows you to create threads in specific colors while providing the convenience and security that Rust threads are known for.

Example: l2fwd

To test the Rust API, we implemented a DPDK fonts application in Rust. We decided to test l2fwd (l2fwd description). It's a simple application that can receive packets from a port, change MAC addresses in an Ethernet header, and forward the packets to another port. Here you can find the source codes ofl2fwd em Cel2fwd in Rost.

>> Discover ourrust development services

Rust vs C: Performance Comparison

We compared the performance of both applications in a bare metal environment with two Intel Xeon Gold 6252 CPUs. l2fwd used a core from the first CPU (NUMA node 0), while theTRex traffic generatorused 16 cores from the other cpu (node ​​NUMA 1). Both applications used local memory of the NUMA node, so they didn't share any resources that could affect performance (e.g. caches, memory).

Additionally, l2fwd used a single interface of an Intel XXV710 25Gbps Ethernet network adapter connected to NUMA node 0 and an RX and TX queue for traffic management. TRex used a NIC with a 25 Gbps interface connected to NUMA node 1.

The generated traffic consisted of L2 packets with a single IPv4 header and UDP with multiple IP addresses and UDP ports. Added additional data to the end of the packet when testing larger packet sizes. Further details on the subject of the environment can be found in ourRepository.

Coward. 1 The environment used for testing

We also measured the core utilization during the test. In the main function, l2fwd polls incoming packets in an endless loop. This allowed us to achieve better performance than traditional interrupt packet handling. However, CPU utilization is always around 100%, so measuring actual core utilization is more difficult. We use the method describedon hereto measure CPU usage.

With each loop iteration, l2fwd attempts to read a maximum of 32 packetsrte_eth_rx_burst(). We can calculate the average number of packets received from these calls. If the average value is high, it means that l2fwd is receiving and processing packets on most of the loops. When this value is low, l2fwd usually loops without doing any meaningful work.

overload test

The congestion test sent as much traffic as possible to exceed l2fwd's processing resources. In this case, we wanted to test software performance, knowing that l2fwd would always have something to do.

Table 1 Rust vs. C: Overload test results

Rust performed significantly worse on this test. Rust l2fwd received about 1.2 fewer packets than C l2fwd and sent fewer packets. We can also see that the average RX burst for Rust l2fwd is max (32) and we get about 24.5 RX burst size for C l2fwd. All of this means that the C implementation is faster overall because it can handle more packets. We believe the main reason for these differences is that handling deleted packages written in Rust is less efficient compared to C.

The drop rate is very high in both applications. The most likely cause is that we were using a single TX queue and it couldn't handle more packets.

It also explains why the C implementation's crash rate is higher than Rust's. Both applications wanted to send more than the TX queue could handle, but C was faster than Rust and attempted to send more packets, resulting in a higher drop rate.

RFC2544

We ran the RFC2544 test on both l2fwd implementations. The results are shown below.

Note that the actual packet sizes sent in the charts consist of the packet data plus an additional 13 bytes added by TRex (preamble and IFG).

Coward. 2 Throughput comparison between C and Rust [bps].

Coward. 3 Comparison of productivity C vs Rust [pps]. The bigger the packet, the fewer packets you have to send to reach 25 Gbps. This explains the decrease in pps for larger packets.

Coward. Comparison of 4C and average Rust latency

Coward. 5 Comparison C with Rust jitter

Coward. 6 Difference between TRex RX and Rust l2fwd and C l2fwd

During testing, we observed that the average number of packets per RX burst was always less than 2. This means that l2fwd was mostly idle during the test, which explains why the results for C and Rust are so similar. To see visible differences, we would have to test them with more complex applications.

We couldn't get 25Gbps on smaller packages, even though l2fwd was pretty much idle. This can be attributed to a single TX queue not being able to handle all the traffic.

We can also see that there were some tests where Rust performs slightly better than C, even though it performs worse in the overload test. We suspect that the Rust implementation is mostly worse at handling dropped packets, so in the case of RFC2544 where drops are not allowed, we can see that the Rust implementation gives comparable or sometimes better results than C.

Appendix: Package processing libraries

We tested some libraries for package data changes. The tests consisted of modifying the packet data (setting the source and destination MAC addresses and the source IP address to constant values). All testing was done locally on a single machine, so only memory changes made by libraries were tested, not traffic management. Test sources can be found on ourRepository.

Tests compiled with link-time optimizations performed significantly better than those without them, so we compared these two cases.

Etherparse library

Forether parse, we tried different methods of modifying packages:

• Instead of just changing the required locations, build the package from scratch:

Coward. 7 link timing optimizations enabled vs disabled using the Etherparse library (build packages from scratch).

• Using Rust std::io::Cursor which only copies the required memory:

Coward. 8 Link timing optimizations enabled vs. disabled using the Etherparse library (using std::io::Cursor).

• Using pure slices instead of cursors:

Coward. 9 link timing optimizations enabled vs disabled using Etherparse library (using slices).

We compare the assembly instructions generated after link-time optimization in all these cases:

• Slice Method:

  • 465 asm instructions
  • includes calls to memcpy, memset, malloc

• Cursor Method:

  • 871 asm instructions, almost twice as long as the slice method. That's why the results in benchmarks are worse than in slices
  • includes calls to memcpy, memset, malloc

• Create package from scratch:

  (Video) Rust Runs on EVERYTHING, Including the Arduino | Adventures in Embedded Rust Programming
  • 881 asm instructions
  • too much memory manipulation
  • Allocate and free storage space

pnet library

nopnet, In-Place Package Changes:

Coward. 10 link timing optimizations enabled or disabled using the Pnet library.

Checking the assembly instructions generated after link-time optimizations:

• 19 asm statements
• 2 branches

A smoltcp library

nosmoltcp, In-Place Package Changes:

Coward. 11 link timing optimizations enabled or disabled using the smoltcp library.

Checking the assembly instructions generated after link-time optimizations:

• 27 asm instructions
• 5 branches

Conclusions from the performance results

A comparison of all libraries can be found below:

Coward. 12 Comparison of all libraries with connection time optimization enabled

Coward. 13 Comparison of all libraries with disabled link time optimization

Without link-time optimizations, pnet and smoltcp are very different, although both modify packages in-place. A possible reason is the poorer implementation of the pnet library, which was more difficult for the compiler to optimize. After enabling link timing optimizations, pnet and smoltcp returned similar timing results, although smoltcp generated more assembler statements and branches than pnet. All of these branches were error checks, so the branch predictor didn't have much trouble optimizing them.

Etherparse generates a lot more assembler instructions than pnet and smoltcp, and it also seems better suited to building packages from scratch than modifying them.

We used smoltcp in the l2fwd implementation because it worked very well with and without link time optimizations.

Check out our other articles on rust:

• Why is the Rust programming language so popular?
• Rust vs C++– the main differences between these popular programming languages
• Rust vs Go– What do you need to know about these programming languages?

final thoughts

Our tests show that replacing C with Rust resulted in performance degradation. An implementation written in Rust achieved about 85% of the performance of C in the overload test, but we still see room for improvement in the implementation of the bindings, which can bring us closer to the performance of C. On the other hand, at the cost of performance loss, we get Rust security controls that make it easier to create secure code. When programming the system, e.g. B. network applications, this is very valuable.

We also used a very simple l2fwd, which is why the RFC2544 results were so close. We can't be sure how Rust would perform in a more demanding scenario. Because of this, in the future we intend to build a complex application in C and Rust using the bindings we have described. This would allow us to do a more detailed performance comparison.

Language developers learned their lesson and developed Rust, a modern alternative to C and C++ that solves many of the problems (e.g. related to memory management and/or multithreaded programming) in programming languages. We are happy that it replaces C and C++ in some use cases.