Part 2: Ownership, Borrowing, and Lifetimes - Rust's Memory Safety

Introduction

When building my WAF scanner, I needed to share an HTTP client across multiple concurrent tasks testing different payloads. In Python, I'd just pass the client around without thinking. In Rust, the compiler immediately complained about ownership. This forced me to understand Rust's most unique—and initially frustrating—feature: the ownership system.

Understanding ownership is crucial for writing Rust. It's what enables memory safety without garbage collection and prevents data races at compile time. This article explains ownership through real examples from simple-waf-scanner.

Why Ownership Exists

The Memory Management Spectrum

Manual Memory Management (C/C++)

char* data = malloc(1024);  // Allocate
// Use data...
free(data);                  // Must remember to free!
// Later use of data = segfault or security vulnerability

Problems:

Use after free
Double free
Memory leaks
No thread safety guarantees

Garbage Collection (Python/Java/Go)

data = allocate_large_buffer()  # Allocate
# Use data...
# GC eventually frees it

Problems:

Unpredictable pauses
Memory overhead
Runtime performance cost

Rust's Ownership

let data = vec![0u8; 1024];  // Allocate
// Use data...
// Automatically freed when data goes out of scope
// Compile-time guarantee of no use-after-free

Benefits:

Memory safety without GC
Zero runtime cost
Thread safety enforced by compiler

The Three Ownership Rules

Each value has a single owner
When the owner goes out of scope, the value is dropped
Ownership can be transferred (moved)

Rule 1: Single Owner

fn main() {
    // `url` owns the String
    let url = String::from("https://example.com");
    
    // `url` goes out of scope here, String is freed
}

Rule 2: Automatic Cleanup

{
    let payloads = vec![
        String::from("<script>alert(1)</script>"),
        String::from("' OR '1'='1"),
    ];
    // payloads is used...
} // payloads goes out of scope, Vec and all Strings are freed

// payloads no longer accessible here

Rule 3: Move Semantics

fn main() {
    let url = String::from("https://example.com");
    
    // Ownership of url is MOVED to test_url
    test_url(url);
    
    // Error! url no longer valid here
    // println!("{}", url);  // Won't compile
}

fn test_url(target: String) {
    println!("Testing: {}", target);
    // target is freed when function returns
}

Real Example: Payload Management

From my WAF scanner:

// This struct owns its data
pub struct Payload {
    pub id: String,           // Owns the id String
    pub value: String,        // Owns the payload String
    pub category: String,     // Owns the category String
}

impl Payload {
    pub fn new(id: String, value: String, category: String) -> Self {
        Payload {
            id,      // Ownership moved into struct
            value,   // Ownership moved into struct
            category // Ownership moved into struct
        }
    }
}

// Usage
fn main() {
    let id = String::from("xss-1");
    let value = String::from("<script>alert(1)</script>");
    let category = String::from("xss");
    
    // Ownership of all three Strings moved into payload
    let payload = Payload::new(id, value, category);
    
    // Error! Can't use id, value, or category anymore
    // println!("{}", id);  // Won't compile
    
    // payload owns the data now
    println!("Created payload: {}", payload.id);
} // payload (and its owned Strings) freed here

Borrowing - Using Without Owning

Immutable References (&T)

fn main() {
    let url = String::from("https://example.com");
    
    // Borrow url (don't move it)
    let len = calculate_length(&url);
    
    // url still valid! We only borrowed it
    println!("URL: {} (length: {})", url, len);
}

fn calculate_length(s: &String) -> usize {
    s.len()  // Can read but not modify
    // s.push_str("/test");  // Error! Can't modify borrowed value
}

Mutable References (&mut T)

fn main() {
    let mut url = String::from("https://example.com");
    
    // Borrow url mutably
    add_path(&mut url, "/api/test");
    
    println!("Modified URL: {}", url);
}

fn add_path(s: &mut String, path: &str) {
    s.push_str(path);  // Can modify because it's &mut
}

Borrowing Rules

Multiple immutable borrows OR one mutable borrow (not both)
References must always be valid (no dangling pointers)

fn main() {
    let mut data = String::from("test");
    
    // OK: Multiple immutable borrows
    let r1 = &data;
    let r2 = &data;
    println!("{} {}", r1, r2);
    
    // Error! Can't borrow mutably while immutable borrows exist
    // let r3 = &mut data;
    
    // OK: r1 and r2 no longer used, can borrow mutably now
    let r3 = &mut data;
    r3.push_str("ing");
}

Initial attempt (doesn't work):

use reqwest::Client;

async fn scan_payloads(client: Client, payloads: Vec<String>) {
    for payload in payloads {
        // Error! client is moved on first iteration
        test_payload(client, payload).await;
    }
}

async fn test_payload(client: Client, payload: String) {
    // client is moved into this function
    let response = client.get("https://example.com")
        .query(&[("q", payload)])
        .send()
        .await;
}

Solution - use references:

use reqwest::Client;

async fn scan_payloads(client: &Client, payloads: Vec<String>) {
    for payload in payloads {
        // Borrow client (don't move it)
        test_payload(client, payload).await;
    }
}

async fn test_payload(client: &Client, payload: String) {
    // client is borrowed, not owned
    let response = client.get("https://example.com")
        .query(&[("q", payload)])
        .send()
        .await;
}

Even better - use Arc for sharing across threads:

use std::sync::Arc;
use reqwest::Client;
use tokio;

async fn scan_payloads_concurrent(payloads: Vec<String>) {
    // Arc = Atomic Reference Counted smart pointer
    let client = Arc::new(Client::new());
    
    let mut tasks = Vec::new();
    
    for payload in payloads {
        // Clone Arc (cheap - just increments counter)
        let client_clone = Arc::clone(&client);
        
        // Spawn concurrent task
        let task = tokio::spawn(async move {
            test_payload(&client_clone, payload).await
        });
        
        tasks.push(task);
    }
    
    // Wait for all tasks
    for task in tasks {
        task.await.unwrap();
    }
}

Clone vs Copy

Copy Types (Stack-only)

// These types implement Copy (cheap bitwise copy)
let x = 5;         // i32 implements Copy
let y = x;         // Copied (not moved)
println!("{}", x); // x still valid

let point = (10, 20);  // Tuples of Copy types are Copy
let point2 = point;     // Copied
println!("{:?}", point); // point still valid

Clone Types (Explicit Copy)

// String doesn't implement Copy (expensive to copy)
let s1 = String::from("hello");
let s2 = s1;         // Moved
// println!("{}", s1);  // Error! s1 no longer valid

// Explicit clone
let s1 = String::from("hello");
let s2 = s1.clone();  // Explicit deep copy
println!("{} {}", s1, s2);  // Both valid

In My Project

#[derive(Debug, Clone)]  // Derive Clone trait
pub struct Payload {
    pub id: String,
    pub value: String,
    pub category: String,
}

fn process_payloads(payloads: &[Payload]) {
    for payload in payloads {
        // Clone needed to own the data
        let owned_payload = payload.clone();
        
        // Can pass owned_payload to async task
        tokio::spawn(async move {
            test_payload(owned_payload).await
        });
    }
}

Lifetimes - Ensuring References Are Valid

The Problem Lifetimes Solve

fn main() {
    let result;
    
    {
        let data = String::from("temporary");
        result = &data;  // Error! data doesn't live long enough
    } // data is dropped here
    
    // result would be a dangling pointer!
    // println!("{}", result);
}

Lifetime Annotations

// 'a is a lifetime parameter
fn longest<'a>(x: &'a str, y: &'a str) -> &'a str {
    if x.len() > y.len() {
        x
    } else {
        y
    }
}

fn main() {
    let s1 = String::from("long string");
    let s2 = String::from("short");
    
    // Both s1 and s2 must live as long as result
    let result = longest(&s1, &s2);
    println!("Longest: {}", result);
}

Lifetime Elision (Compiler Infers Lifetimes)

These are equivalent:

// Explicit lifetimes
fn first_word<'a>(s: &'a str) -> &'a str {
    s.split_whitespace().next().unwrap()
}

// Compiler infers lifetimes (elision)
fn first_word(s: &str) -> &str {
    s.split_whitespace().next().unwrap()
}

Lifetimes in Structs

// Struct that holds a reference
pub struct PayloadRef<'a> {
    pub value: &'a str,  // Reference with lifetime 'a
    pub category: &'a str,
}

impl<'a> PayloadRef<'a> {
    pub fn new(value: &'a str, category: &'a str) -> Self {
        PayloadRef { value, category }
    }
}

fn main() {
    let value = String::from("<script>alert(1)</script>");
    let category = String::from("xss");
    
    // payload holds references to value and category
    let payload = PayloadRef::new(&value, &category);
    
    println!("{}: {}", payload.category, payload.value);
} // payload, value, and category all dropped together

Real Example from My Scanner

// Configuration holds references to avoid cloning
pub struct ScanContext<'a> {
    pub config: &'a Config,
    pub client: &'a Client,
}

impl<'a> ScanContext<'a> {
    pub fn new(config: &'a Config, client: &'a Client) -> Self {
        ScanContext { config, client }
    }
    
    pub async fn test_payload(&self, payload: &str) -> Result<bool, Error> {
        // Can use self.config and self.client
        let response = self.client
            .get(&self.config.target_url)
            .query(&[("test", payload)])
            .timeout(std::time::Duration::from_secs(self.config.timeout))
            .send()
            .await?;
        
        Ok(response.status().is_success())
    }
}

Smart Pointers

Box - Heap Allocation

// Allocate large data on heap
let large_data = Box::new([0u8; 1024 * 1024]);  // 1MB on heap

// Useful for recursive types
enum Node {
    Value(i32),
    Next(Box<Node>),  // Box required for recursive type
}

Rc - Reference Counted (Single-threaded)

use std::rc::Rc;

fn main() {
    let data = Rc::new(String::from("shared"));
    
    let ref1 = Rc::clone(&data);  // Increment count
    let ref2 = Rc::clone(&data);  // Increment count
    
    println!("Count: {}", Rc::strong_count(&data));  // 3
    
    // All references must go out of scope before data is freed
}

Arc - Atomic Reference Counted (Thread-safe)

use std::sync::Arc;
use tokio;

#[tokio::main]
async fn main() {
    let payloads = Arc::new(vec![
        String::from("payload1"),
        String::from("payload2"),
    ]);
    
    // Share across async tasks
    let payloads1 = Arc::clone(&payloads);
    let task1 = tokio::spawn(async move {
        process(payloads1).await
    });
    
    let payloads2 = Arc::clone(&payloads);
    let task2 = tokio::spawn(async move {
        process(payloads2).await
    });
    
    task1.await.unwrap();
    task2.await.unwrap();
}

async fn process(payloads: Arc<Vec<String>>) {
    for p in payloads.iter() {
        println!("Processing: {}", p);
    }
}

Real-World Pattern: Scanner Implementation

Complete example combining ownership concepts:

use std::sync::Arc;
use reqwest::Client;
use tokio;

pub struct Scanner {
    config: Config,
    client: Arc<Client>,
}

pub struct Config {
    pub target_url: String,
    pub concurrency: usize,
    pub payloads: Vec<Payload>,
}

#[derive(Clone)]
pub struct Payload {
    pub id: String,
    pub value: String,
}

impl Scanner {
    pub fn new(config: Config) -> Self {
        Scanner {
            config,
            client: Arc::new(Client::new()),
        }
    }
    
    pub async fn scan(&self) -> Vec<Finding> {
        let mut tasks = Vec::new();
        
        // Process payloads concurrently
        for payload in &self.config.payloads {
            // Clone what we need to move into async task
            let client = Arc::clone(&self.client);
            let url = self.config.target_url.clone();
            let payload = payload.clone();
            
            let task = tokio::spawn(async move {
                // Task owns: client (Arc), url (String), payload (Payload)
                test_payload(client, url, payload).await
            });
            
            tasks.push(task);
        }
        
        // Collect results
        let mut findings = Vec::new();
        for task in tasks {
            if let Ok(Some(finding)) = task.await {
                findings.push(finding);
            }
        }
        
        findings
    }
}

async fn test_payload(
    client: Arc<Client>,
    url: String,
    payload: Payload,
) -> Option<Finding> {
    // Implementation...
    None
}

pub struct Finding {
    pub payload_id: String,
    pub successful: bool,
}

Common Ownership Patterns

Pattern 1: Taking Ownership for Consumption

// Function consumes the data
fn process_and_log(data: String) {
    println!("Processing: {}", data);
    // data is dropped when function returns
}

// Caller loses access
let data = String::from("test");
process_and_log(data);
// Can't use data anymore

Pattern 2: Borrowing for Inspection

// Function borrows, doesn't consume
fn inspect(data: &String) -> usize {
    data.len()
}

// Caller retains ownership
let data = String::from("test");
let len = inspect(&data);
println!("Data: {}, Length: {}", data, len);  // data still accessible

Pattern 3: Borrowing Mutably for Modification

// Function modifies data in place
fn append_suffix(data: &mut String, suffix: &str) {
    data.push_str(suffix);
}

// Caller retains ownership but data is modified
let mut data = String::from("test");
append_suffix(&mut data, "_modified");
println!("{}", data);  // "test_modified"

Pattern 4: Returning Owned Data

// Function creates and returns new owned data
fn create_payload(id: &str, value: &str) -> Payload {
    Payload {
        id: id.to_string(),
        value: value.to_string(),
    }
}

// Caller owns the returned Payload
let payload = create_payload("xss-1", "<script>");

Fighting the Borrow Checker

Common Error: Multiple Mutable Borrows

let mut data = String::from("test");

let r1 = &mut data;
let r2 = &mut data;  // Error! Can't have two mutable borrows

r1.push_str("1");
r2.push_str("2");

Solution: Don't overlap mutable borrows:

let mut data = String::from("test");

{
    let r1 = &mut data;
    r1.push_str("1");
} // r1 goes out of scope

let r2 = &mut data;  // OK: r1 no longer exists
r2.push_str("2");

Common Error: Borrowing Moved Value

let data = String::from("test");
let moved = data;  // data moved to moved

println!("{}", data);  // Error! data was moved

Solution: Clone or borrow:

// Option 1: Clone
let data = String::from("test");
let cloned = data.clone();
println!("{} {}", data, cloned);  // Both valid

// Option 2: Borrow
let data = String::from("test");
let borrowed = &data;
println!("{} {}", data, borrowed);  // Both valid

Iterator Ownership

let payloads = vec![String::from("test1"), String::from("test2")];

// .iter() - borrows elements
for payload in payloads.iter() {
    // payload is &String
    println!("{}", payload);
}
println!("payloads still valid: {:?}", payloads);

// .into_iter() - takes ownership of elements
for payload in payloads.into_iter() {
    // payload is String (owned)
    println!("{}", payload);
}
// Error! payloads was consumed
// println!("{:?}", payloads);

Key Takeaways

Ownership = automatic memory management: No GC needed
One owner at a time: Prevents use-after-free
Borrowing allows access without ownership: Read-only (&T) or mutable (&mut T)
Only one mutable borrow OR many immutable borrows: Prevents data races
Lifetimes ensure references are valid: No dangling pointers
Arc for sharing across threads: Atomic reference counting
Clone when you need separate ownership: Explicit copying

When to Use What

Move (take ownership): Consuming data, passing to async tasks
Borrow (&T): Reading without modification
Mutable borrow (&mut T): Modifying in place
Clone: When you need independent copies
Arc: Sharing across threads/async tasks
Rc: Sharing within single thread (rare in async code)

Next in Series

In Part 3: Error Handling and Result Types, we'll explore how Rust forces explicit error handling, preventing the silent failures common in other languages. We'll see how to handle HTTP errors, JSON parsing failures, and build robust error types for the scanner.

Based on implementing concurrent payload testing in simple-waf-scanner, where ownership and borrowing ensure thread-safe operation without data races.

PreviousPart 1: Getting Started with Rust - Setting Up and Basic Types NextPart 3: Error Handling and Result Types - Robust Production Code

Last updated 15 hours ago

hashtagIntroduction

hashtagWhy Ownership Exists

hashtagThe Memory Management Spectrum

hashtagThe Three Ownership Rules

hashtagRule 1: Single Owner

hashtagRule 2: Automatic Cleanup

hashtagRule 3: Move Semantics

hashtagReal Example: Payload Management

hashtagBorrowing - Using Without Owning

hashtagImmutable References (&T)

hashtagMutable References (&mut T)

hashtagBorrowing Rules

hashtagReal Example: HTTP Client Sharing

hashtagClone vs Copy

hashtagCopy Types (Stack-only)

hashtagClone Types (Explicit Copy)

hashtagIn My Project

hashtagLifetimes - Ensuring References Are Valid

hashtagThe Problem Lifetimes Solve

hashtagLifetime Annotations

hashtagLifetime Elision (Compiler Infers Lifetimes)

hashtagLifetimes in Structs

hashtagReal Example from My Scanner

hashtagSmart Pointers

hashtagBox - Heap Allocation

hashtagRc - Reference Counted (Single-threaded)

hashtagArc - Atomic Reference Counted (Thread-safe)

hashtagReal-World Pattern: Scanner Implementation

hashtagCommon Ownership Patterns

hashtagPattern 1: Taking Ownership for Consumption

hashtagPattern 2: Borrowing for Inspection

hashtagPattern 3: Borrowing Mutably for Modification

hashtagPattern 4: Returning Owned Data

hashtagFighting the Borrow Checker

hashtagCommon Error: Multiple Mutable Borrows

hashtagCommon Error: Borrowing Moved Value

hashtagIterator Ownership

hashtagKey Takeaways

hashtagWhen to Use What

hashtagNext in Series