Abstract
Rust is a modern systems programming language designed to offer both performance and static safety. A key distinguishing feature is a strong type system, which enforces by default that memory is either shared or mutable, but never both. This guarantee is used to prevent common pitfalls such as memory errors and data races. It can also be used to greatly simplify formal verification, as we demonstrated by developing the Prusti verifier, which can verify rich correctness properties of Rust programs with a very modest annotation overhead. In this paper, we provide an overview of the Prusti project. We outline its main design goals, illustrate examples of its use, and discuss important outcomes from the perspectives of a user, a verification expert, and a tool developer.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
or its siblings
, 
, 
, etc. - 2.
In slight contrast to classical loop invariants, a
need only hold for every loop iteration reaching this location inside the loop body. - 3.
The
construct is standard Rust, branching on whether the value can be pattern-matched against 
(taking the second branch if not, i.e. for 
). - 4.
Values of generic type
are compared with the library function 
from trait 
, which is specified to satisfy the standard properties of total orders using an external specification; this Prusti feature is explained in Sect. 2.4. - 5.
External specifications can also be used for functions inside the same crate, allowing developers to apply Prusti without modifying source files, if desired.
- 6.
See for example https://github.com/rust-lang/rust/issues/46420 for an optimisation that used to copy non-duplicable mutable references.
, 
, 
, etc.
need only hold for every loop iteration reaching this location inside the loop body.
construct is standard Rust, branching on whether the value can be pattern-matched against 
(taking the second branch if not, i.e. for 
).
are compared with the library function 
from trait 
, which is specified to satisfy the standard properties of total orders using an external specification; this Prusti feature is explained in Sect. References
Procedural macros documentation (2022). https://doc.rust-lang.org/reference/procedural-macros.html
Abadi, M., Lamport, L.: The existence of refinement mappings. In: Proceedings of the 3rd Annual Symposium on Logic in Computer Science, pp. 165–175, July 1988. https://www.microsoft.com/en-us/research/publication/the-existence-of-refinement-mappings/, lICS 1988 Test of Time Award
Antonopoulos, T., Gorogiannis, N., Haase, C., Kanovich, M., Ouaknine, J.: Foundations for decision problems in separation logic with general inductive predicates. In: Muscholl, A. (ed.) FoSSaCS 2014. LNCS, vol. 8412, pp. 411–425. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54830-7_27
Astrauskas, V.: Enable compiler consumers to obtain MIR: Body with Polonius facts. https://github.com/rust-lang/rust/pull/86977
Astrauskas, V., Matheja, C., Poli, F., Müller, P., Summers, A.J.: How do programmers use unsafe Rust? Proc. ACM Program. Lang. 4(OOPSLA), 1–27 (2020)
Astrauskas, V., Müller, P., Poli, F., Summers, A.J.: Leveraging rust types for modular specification and verification. Proc. ACM Program. Lang. 3(OOPSLA), 147:1–147:30 (2019). https://doi.org/10.1145/3360573
Baranowski, M., He, S., Rakamarić, Z.: Verifying rust programs with SMACK. In: Lahiri, S.K., Wang, C. (eds.) ATVA 2018. LNCS, vol. 11138, pp. 528–535. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-01090-4_32
Bertot, Y., Castéran, P.: Interactive Theorem Proving and Program Development: Coq’Art: The Calculus of Inductive Constructions. In: Texts in Theoretical Computer Science. An EATCS Series, pp. XXV–472. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-662-07964-5
Bloch, J.: Extra, extra - read all about it: Nearly all binary searches and mergesorts are broken, June 2006. https://ai.googleblog.com/2006/06/extra-extra-read-all-about-it-nearly.html
Bornat, R., Calcagno, C., O’Hearn, P., Parkinson, M.: Permission accounting in separation logic. In: Proceedings of the 32nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 259–270 (2005)
Clippy developers: Clippy: A collection of lints to catch common mistakes and improve your Rust code. https://github.com/rust-lang/rust-clippy
Crichton, W.: Flowistry: Information flow for Rust. https://github.com/willcrichton/flowistry
Tolnay, D.: Parser for Rust source code (2021). https://crates.io/crates/syn
Denis, X., Jourdan, J.H., Marché, C.: The Creusot environment for the deductive verification of Rust programs (2021)
Dill, D., Grieskamp, W., Park, J., Qadeer, S., Xu, M., Zhong, E.: Fast and reliable formal verification of smart contracts with the Move prover. arXiv preprint arXiv:2110.08362 (2021)
Evans, A.N., Campbell, B., Soffa, M.L.: Is rust used safely by software developers? In: 2020 IEEE/ACM 42nd International Conference on Software Engineering (ICSE), pp. 246–257. IEEE (2020)
Facebook: MIRAI: an abstract interpreter for the Rust compiler’s mid-level intermediate representation. https://github.com/facebookexperimental/MIRAI
Garavel, H., Beek, M.H., Pol, J.: The 2020 expert survey on formal methods. In: ter Beek, M.H., Ničković, D. (eds.) FMICS 2020. LNCS, vol. 12327, pp. 3–69. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-58298-2_1
Goes, C.: The interblockchain communication protocol: an overview. arXiv preprint arXiv:2006.15918 (2020)
Hahn, F.: Rust2Viper: building a static verifier for Rust. Master’s thesis, ETH Zurich (2015)
Informal Systems Inc. and ibc-rs authors: Rust implementation of the Inter-Blockchain Communication (IBC) protocol (2021). https://docs.rs/ibc
Iosif, R., Rogalewicz, A., Vojnar, T.: Deciding entailments in inductive separation logic with tree automata. In: Cassez, F., Raskin, J.-F. (eds.) ATVA 2014. LNCS, vol. 8837, pp. 201–218. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11936-6_15
Ishtiaq, S.S., O’Hearn, P.W.: BI as an assertion language for mutable data structures. In: POPL, pp. 14–26. ACM (2001)
Jacobs, B., Smans, J., Philippaerts, P., Vogels, F., Penninckx, W., Piessens, F.: VeriFast: a powerful, sound, predictable, fast verifier for C and Java. In: Bobaru, M., Havelund, K., Holzmann, G.J., Joshi, R. (eds.) NFM 2011. LNCS, vol. 6617, pp. 41–55. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20398-5_4
Jung, R.: The scope of unsafe, January 2016. https://www.ralfj.de/blog/2016/01/09/the-scope-of-unsafe.html
Jung, R., Dang, H.H., Kang, J., Dreyer, D.: Stacked borrows: an aliasing model for Rust. Proc. ACM Program. Lang. 4(POPL), 1–32 (2019)
Jung, R., Jourdan, J.H., Krebbers, R., Dreyer, D.: RustBelt: securing the foundations of the Rust programming language. Proc. ACM Program. Lang. 2(POPL), 1–34 (2017)
Seonghoon, K., et al.: Chrono: Date and Time for Rust (2021). https://docs.rs/chrono
Kassios, I.T.: The dynamic frames theory. Formal Aspects Comput. 23(3), 267–289 (2011)
Klabnik, S., Nichols, C.: Unsafe Rust (2022). https://doc.rust-lang.org/book/ch19-01-unsafe-rust.html
Lindner, M., Aparicius, J., Lindgren, P.: No panic! Verification of Rust programs by symbolic execution. In: 2018 IEEE 16th International Conference on Industrial Informatics (INDIN), pp. 108–114. IEEE (2018)
Matsakis, N.D.: Unsafe abstractions (2016). http://smallcultfollowing.com/babysteps/blog/2016/05/23/unsafe-abstractions
Matsushita, Y.: Extensible functional-correctness verification of rust programs by the technique of prophecy. Master’s thesis, University of Tokyo (2021)
Matsushita, Y., Tsukada, T., Kobayashi, N.: RustHorn: CHC-based verification for Rust programs. In: ESOP, pp. 484–514 (2020)
Meyer, B.: Design by contract. In: Mandrioli, D., Meyer, B. (eds.) Advances in Object-Oriented Software Engineering, pp. 1–50. Prentice Hall (1991)
Miri developers: Miri: An interpreter for Rust’s mid-level intermediate representation. https://github.com/rust-lang/miri
de Moura, L., Kong, S., Avigad, J., van Doorn, F., von Raumer, J.: The lean theorem prover (system description). In: Felty, A.P., Middeldorp, A. (eds.) CADE 2015. LNCS (LNAI), vol. 9195, pp. 378–388. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21401-6_26
Müller, P., Schwerhoff, M., Summers, A.J.: Viper: a verification infrastructure for permission-based reasoning. In: Jobstmann, B., Leino, K.R.M. (eds.) VMCAI 2016. LNCS, vol. 9583, pp. 41–62. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49122-5_2
O’Hearn, P.: Separation logic. Commun. ACM 62(2), 86–95 (2019)
Parkinson, M.J., Summers, A.J.: The relationship between separation logic and implicit dynamic frames. Log. Methods Comput. Sci. 8(3:01), 1–54 (2012)
Pratt, V.R.: Top down operator precedence. In: Proceedings of the 1st Annual ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, pp. 41–51 (1973)
Reid, A., Church, L., Flur, S., de Haas, S., Johnson, M., Laurie, B.: Towards making formal methods normal: meeting developers where they are. arXiv preprint arXiv:2010.16345 (2020)
Reynolds, J.C.: Separation logic: a logic for shared mutable data structures. In: Proceedings 17th Annual IEEE Symposium on Logic in Computer Science, pp. 55–74. IEEE (2002)
Rust-analyzer developers: Rust-analyzer: A Rust compiler front-end for ides. https://github.com/rust-analyzer/rust-analyzer
Schwerhoff, M., Summers, A.J.: Lightweight support for magic wands in an automatic verifier. In: 29th European Conference on Object-Oriented Programming (ECOOP 2015), vol. 37, pp. 614–638. Schloss Dagstuhl-Leibniz-Zentrum für Informatik (2015)
Schwerhoff, M.H.: Advancing automated, permission-based program verification using symbolic execution. Ph.D. thesis, ETH Zurich (2016)
The Prusti Team: Prusti User Guide (2020). https://viperproject.github.io/prusti-dev/user-guide/
The Prusti Team: Prusti NFM 2022 Online Appendix (2022). https://github.com/viperproject/prusti-dev/tree/master/prusti-tests/tests/verify_overflow/pass/nfm22
The Rust Survey Team: Rust survey 2019 results: Rust blog, April 2020. https://blog.rust-lang.org/2020/04/17/Rust-survey-2019.html
Ullrich, S.: Simple verification of Rust programs via functional purification. Master’s thesis, Karlsruher Institut für Technologie (KIT) (2016)
VanHattum, A., Schwartz-Narbonne, D., Chong, N., Sampson, A.: Verifying dynamic trait objects in Rust (2022)
Wolff, F., Bílý, A., Matheja, C., Müller, P., Summers, A.J.: Modular specification and verification of closures in Rust. Proc. ACM Program. Lang. 5(OOPSLA), 1–29 (2021)
Acknowledgements
We warmly thank Nicholas D. Matsakis, Nick Cameron, Derek Dreyer and Ralf Jung for extensive discussions and feedback in the early stages of this project, and are very grateful to Florian Hahn for his work on a precursor to Prusti [20], as well as numerous Master’s and undergraduate students who have since contributed via projects.
This work was partially funded by the Swiss National Science Foundation (SNSF) (Grant No. 200021_169503), the Natural Sciences and Engineering Research Council of Canada (NSERC) (ref. RGPIN-2020-06072), Amazon Research Awards, Meta (then Facebook) Research and the Interchain Foundation.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 Springer Nature Switzerland AG
About this paper
Cite this paper
Astrauskas, V. et al. (2022). The Prusti Project: Formal Verification for Rust. In: Deshmukh, J.V., Havelund, K., Perez, I. (eds) NASA Formal Methods. NFM 2022. Lecture Notes in Computer Science, vol 13260. Springer, Cham. https://doi.org/10.1007/978-3-031-06773-0_5
Download citation
DOI: https://doi.org/10.1007/978-3-031-06773-0_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-06772-3
Online ISBN: 978-3-031-06773-0
eBook Packages: Computer ScienceComputer Science (R0)