kyju.org
The Edge of Safe Rust
Horribly misusing Rust features to provide provable memory safety and tracing garbage collection for pointer soup.
2026-04-22
Introduction
Background
Pointers in Rust without clear ownership is Very Hard
Rust is actually just really good at Vec
But Rust is pretty bad at safe circular references
Generativity, or for is the coolest feature in Rust
Dealing with "reachability" via tracing
A sketch of a real, raw-pointer based GC
Wrapping up -- The Bigger Picture
Talk slides are here!
Errata: The talk slides and this blog post have had a lot of typos and minor code errors, more than I think I usually let slip through. I blame my complete lack of sleep! I'm fixing those as I find them to make sure they don't interfere with the points I'm trying to make. If you notice a discrepancy between the slides linked here and the slides in a video version (whenever that is posted), the slides here are more correct, so pretend I used those instead :) Sorry for doing this so late!
Introduction
This is the text version of a talk that I am giving for the first ever TokioConf on April 22. I'm writing this talk first as a mostly normal blog post because I find that writing these things as prose first helps me prepare.
I'm including a link to the slides here if you're watching my talk and would like to follow along, and whenever a video version is ready I will also link that.
When picking what to do for a talk, I'm always torn between two conflicting goals:
Write about something that I know well and will be interesting to a large audience.
Write about something that I have a unique perspective on, where I might be able to say things that few others can.
Neither of these is a bad strategy, but this talk / post will be almost entirely an example of the second goal. I have been recently living in a very strange corner of the Rust language, and I decided to base my talk around that experience.
This talk is going to be about something that might seem unusual for TokioConf: it's going to be about, at least on the surface, garbage collection and VMs in safe Rust. Since I've decided on the second approach to my talk, I have to confront the reality that I haven't actually written a lot of real networking code lately ¯\_(ツ)_/¯ (and any networking code I write is always video game centric, which is not really the same as what Tokio is used for). More than that though, for the last few months I've been working with Kong (one of the sponsors of TokioConf!) on exactly this topic; they've contracted me to help them design small, isolated, safe Rust VMs for their networking rules engine. Therefore, I would argue, it must be at least a little on topic! But really, this is what I've been working on, this is what I have at least a chance of saying something interesting on, so this is what my talk is.
I hope you find it interesting!
I'm also assuming here no familiarity with any of my other work or talks or previous blog posts, so I will definitely cover some things I've talked about before.
Background
A long while ago I had an obsession with trying to integrate tracing garbage collection into safe Rust.
I was far from the only one who tried, but I may have been the only one who had two specific, very aggressive, core goals:
Totally zero-cost pointers [1]
[1] This is subtle, but what I mean is that Gc pointers themselves would be transparent wrappers around *const T and Copy, and thus have exactly the same cost as a raw pointer, even if there is obviously (unavoidable) overhead in the allocation and collection parts.
Usable from completely safe Rust
I consider myself to largely have failed and determined that doing this in the general case more or less required language support that didn't exist yet. However, I must not have failed that badly, because my best attempt at solving this, gc-arena [2], is now used by two projects that are used by millions of people. Ruffle, the browser based Flash emulator, uses gc-arena for its ActionScript VM, and Fields of Mistria is using (in its next release) my own project fabricator, a GameMaker replacement runtime which in turn also uses gc-arena. [3]
[2] Since being used by Ruffle, gc-arena has had lots of really core contributions from Ruffle devs, I am not trying to take sole credit for it!
[3] What actually happened is that the problem I did manage to solve (garbage collecting only when no Rust code is "active" within the GC "context") is perfect for games, because games (and Ruffle is basically a game engine) never really need to bother garbage collecting within a frame, and code (other than special things like coroutines) never runs for more than a single frame. This should be viewed as a wonderful example of "do you maybe have a different problem that I can solve instead?"
This is obviously a brag, but more than that, I've realized that I, along with just a few other people, exist in an exceedingly strange ecosystem that barely anyone using Rust is even aware of. This is...