Skip to main content
Book cover

NASA Formal Methods Symposium

NFM 2022: NASA Formal Methods pp 88–108Cite as

The Prusti Project: Formal Verification for Rust

  • 567 Accesses

Part of the Lecture Notes in Computer Science book series (LNCS,volume 13260)

Abstract

Rust is a modern systems programming language designed to offer both performance and static safety. A key distinguishing feature is a strong type system, which enforces by default that memory is either shared or mutable, but never both. This guarantee is used to prevent common pitfalls such as memory errors and data races. It can also be used to greatly simplify formal verification, as we demonstrated by developing the Prusti verifier, which can verify rich correctness properties of Rust programs with a very modest annotation overhead. In this paper, we provide an overview of the Prusti project. We outline its main design goals, illustrate examples of its use, and discuss important outcomes from the perspectives of a user, a verification expert, and a tool developer.

Keywords

  • Rust
  • Deductive verification
  • Separation logic

This is a preview of subscription content, access via your institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-031-06773-0_5
  • Chapter length: 21 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   99.00
Price excludes VAT (USA)
  • ISBN: 978-3-031-06773-0
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   129.99
Price excludes VAT (USA)
Learn about institutional subscriptions
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.
Fig. 5.
Fig. 6.

Notes

  1. 1.

    or its siblings , , , etc.

  2. 2.

    In slight contrast to classical loop invariants, a need only hold for every loop iteration reaching this location inside the loop body.

  3. 3.

    The construct is standard Rust, branching on whether the value can be pattern-matched against (taking the second branch if not, i.e. for ).

  4. 4.

    Values of generic type are compared with the library function from trait , which is specified to satisfy the standard properties of total orders using an external specification; this Prusti feature is explained in Sect. 2.4.

  5. 5.

    External specifications can also be used for functions inside the same crate, allowing developers to apply Prusti without modifying source files, if desired.

  6. 6.

    See for example https://github.com/rust-lang/rust/issues/46420 for an optimisation that used to copy non-duplicable mutable references.

References

  1. Procedural macros documentation (2022). https://doc.rust-lang.org/reference/procedural-macros.html

  2. Abadi, M., Lamport, L.: The existence of refinement mappings. In: Proceedings of the 3rd Annual Symposium on Logic in Computer Science, pp. 165–175, July 1988. https://www.microsoft.com/en-us/research/publication/the-existence-of-refinement-mappings/, lICS 1988 Test of Time Award

  3. Antonopoulos, T., Gorogiannis, N., Haase, C., Kanovich, M., Ouaknine, J.: Foundations for decision problems in separation logic with general inductive predicates. In: Muscholl, A. (ed.) FoSSaCS 2014. LNCS, vol. 8412, pp. 411–425. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54830-7_27

    CrossRef  MATH  Google Scholar 

  4. Astrauskas, V.: Enable compiler consumers to obtain MIR: Body with Polonius facts. https://github.com/rust-lang/rust/pull/86977

  5. Astrauskas, V., Matheja, C., Poli, F., Müller, P., Summers, A.J.: How do programmers use unsafe Rust? Proc. ACM Program. Lang. 4(OOPSLA), 1–27 (2020)

    Google Scholar 

  6. Astrauskas, V., Müller, P., Poli, F., Summers, A.J.: Leveraging rust types for modular specification and verification. Proc. ACM Program. Lang. 3(OOPSLA), 147:1–147:30 (2019). https://doi.org/10.1145/3360573

  7. Baranowski, M., He, S., Rakamarić, Z.: Verifying rust programs with SMACK. In: Lahiri, S.K., Wang, C. (eds.) ATVA 2018. LNCS, vol. 11138, pp. 528–535. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-01090-4_32

    CrossRef  Google Scholar 

  8. Bertot, Y., Castéran, P.: Interactive Theorem Proving and Program Development: Coq’Art: The Calculus of Inductive Constructions. In: Texts in Theoretical Computer Science. An EATCS Series, pp. XXV–472. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-662-07964-5

  9. Bloch, J.: Extra, extra - read all about it: Nearly all binary searches and mergesorts are broken, June 2006. https://ai.googleblog.com/2006/06/extra-extra-read-all-about-it-nearly.html

  10. Bornat, R., Calcagno, C., O’Hearn, P., Parkinson, M.: Permission accounting in separation logic. In: Proceedings of the 32nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 259–270 (2005)

    Google Scholar 

  11. Clippy developers: Clippy: A collection of lints to catch common mistakes and improve your Rust code. https://github.com/rust-lang/rust-clippy

  12. Crichton, W.: Flowistry: Information flow for Rust. https://github.com/willcrichton/flowistry

  13. Tolnay, D.: Parser for Rust source code (2021). https://crates.io/crates/syn

  14. Denis, X., Jourdan, J.H., Marché, C.: The Creusot environment for the deductive verification of Rust programs (2021)

    Google Scholar 

  15. Dill, D., Grieskamp, W., Park, J., Qadeer, S., Xu, M., Zhong, E.: Fast and reliable formal verification of smart contracts with the Move prover. arXiv preprint arXiv:2110.08362 (2021)

  16. Evans, A.N., Campbell, B., Soffa, M.L.: Is rust used safely by software developers? In: 2020 IEEE/ACM 42nd International Conference on Software Engineering (ICSE), pp. 246–257. IEEE (2020)

    Google Scholar 

  17. Facebook: MIRAI: an abstract interpreter for the Rust compiler’s mid-level intermediate representation. https://github.com/facebookexperimental/MIRAI

  18. Garavel, H., Beek, M.H., Pol, J.: The 2020 expert survey on formal methods. In: ter Beek, M.H., Ničković, D. (eds.) FMICS 2020. LNCS, vol. 12327, pp. 3–69. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-58298-2_1

    CrossRef  Google Scholar 

  19. Goes, C.: The interblockchain communication protocol: an overview. arXiv preprint arXiv:2006.15918 (2020)

  20. Hahn, F.: Rust2Viper: building a static verifier for Rust. Master’s thesis, ETH Zurich (2015)

    Google Scholar 

  21. Informal Systems Inc. and ibc-rs authors: Rust implementation of the Inter-Blockchain Communication (IBC) protocol (2021). https://docs.rs/ibc

  22. Iosif, R., Rogalewicz, A., Vojnar, T.: Deciding entailments in inductive separation logic with tree automata. In: Cassez, F., Raskin, J.-F. (eds.) ATVA 2014. LNCS, vol. 8837, pp. 201–218. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11936-6_15

    CrossRef  Google Scholar 

  23. Ishtiaq, S.S., O’Hearn, P.W.: BI as an assertion language for mutable data structures. In: POPL, pp. 14–26. ACM (2001)

    Google Scholar 

  24. Jacobs, B., Smans, J., Philippaerts, P., Vogels, F., Penninckx, W., Piessens, F.: VeriFast: a powerful, sound, predictable, fast verifier for C and Java. In: Bobaru, M., Havelund, K., Holzmann, G.J., Joshi, R. (eds.) NFM 2011. LNCS, vol. 6617, pp. 41–55. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20398-5_4

    CrossRef  Google Scholar 

  25. Jung, R.: The scope of unsafe, January 2016. https://www.ralfj.de/blog/2016/01/09/the-scope-of-unsafe.html

  26. Jung, R., Dang, H.H., Kang, J., Dreyer, D.: Stacked borrows: an aliasing model for Rust. Proc. ACM Program. Lang. 4(POPL), 1–32 (2019)

    Google Scholar 

  27. Jung, R., Jourdan, J.H., Krebbers, R., Dreyer, D.: RustBelt: securing the foundations of the Rust programming language. Proc. ACM Program. Lang. 2(POPL), 1–34 (2017)

    Google Scholar 

  28. Seonghoon, K., et al.: Chrono: Date and Time for Rust (2021). https://docs.rs/chrono

  29. Kassios, I.T.: The dynamic frames theory. Formal Aspects Comput. 23(3), 267–289 (2011)

    MathSciNet  CrossRef  Google Scholar 

  30. Klabnik, S., Nichols, C.: Unsafe Rust (2022). https://doc.rust-lang.org/book/ch19-01-unsafe-rust.html

  31. Lindner, M., Aparicius, J., Lindgren, P.: No panic! Verification of Rust programs by symbolic execution. In: 2018 IEEE 16th International Conference on Industrial Informatics (INDIN), pp. 108–114. IEEE (2018)

    Google Scholar 

  32. Matsakis, N.D.: Unsafe abstractions (2016). http://smallcultfollowing.com/babysteps/blog/2016/05/23/unsafe-abstractions

  33. Matsushita, Y.: Extensible functional-correctness verification of rust programs by the technique of prophecy. Master’s thesis, University of Tokyo (2021)

    Google Scholar 

  34. Matsushita, Y., Tsukada, T., Kobayashi, N.: RustHorn: CHC-based verification for Rust programs. In: ESOP, pp. 484–514 (2020)

    Google Scholar 

  35. Meyer, B.: Design by contract. In: Mandrioli, D., Meyer, B. (eds.) Advances in Object-Oriented Software Engineering, pp. 1–50. Prentice Hall (1991)

    Google Scholar 

  36. Miri developers: Miri: An interpreter for Rust’s mid-level intermediate representation. https://github.com/rust-lang/miri

  37. de Moura, L., Kong, S., Avigad, J., van Doorn, F., von Raumer, J.: The lean theorem prover (system description). In: Felty, A.P., Middeldorp, A. (eds.) CADE 2015. LNCS (LNAI), vol. 9195, pp. 378–388. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21401-6_26

    CrossRef  Google Scholar 

  38. Müller, P., Schwerhoff, M., Summers, A.J.: Viper: a verification infrastructure for permission-based reasoning. In: Jobstmann, B., Leino, K.R.M. (eds.) VMCAI 2016. LNCS, vol. 9583, pp. 41–62. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49122-5_2

    CrossRef  MATH  Google Scholar 

  39. O’Hearn, P.: Separation logic. Commun. ACM 62(2), 86–95 (2019)

    CrossRef  Google Scholar 

  40. Parkinson, M.J., Summers, A.J.: The relationship between separation logic and implicit dynamic frames. Log. Methods Comput. Sci. 8(3:01), 1–54 (2012)

    Google Scholar 

  41. Pratt, V.R.: Top down operator precedence. In: Proceedings of the 1st Annual ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, pp. 41–51 (1973)

    Google Scholar 

  42. Reid, A., Church, L., Flur, S., de Haas, S., Johnson, M., Laurie, B.: Towards making formal methods normal: meeting developers where they are. arXiv preprint arXiv:2010.16345 (2020)

  43. Reynolds, J.C.: Separation logic: a logic for shared mutable data structures. In: Proceedings 17th Annual IEEE Symposium on Logic in Computer Science, pp. 55–74. IEEE (2002)

    Google Scholar 

  44. Rust-analyzer developers: Rust-analyzer: A Rust compiler front-end for ides. https://github.com/rust-analyzer/rust-analyzer

  45. Schwerhoff, M., Summers, A.J.: Lightweight support for magic wands in an automatic verifier. In: 29th European Conference on Object-Oriented Programming (ECOOP 2015), vol. 37, pp. 614–638. Schloss Dagstuhl-Leibniz-Zentrum für Informatik (2015)

    Google Scholar 

  46. Schwerhoff, M.H.: Advancing automated, permission-based program verification using symbolic execution. Ph.D. thesis, ETH Zurich (2016)

    Google Scholar 

  47. The Prusti Team: Prusti User Guide (2020). https://viperproject.github.io/prusti-dev/user-guide/

  48. The Prusti Team: Prusti NFM 2022 Online Appendix (2022). https://github.com/viperproject/prusti-dev/tree/master/prusti-tests/tests/verify_overflow/pass/nfm22

  49. The Rust Survey Team: Rust survey 2019 results: Rust blog, April 2020. https://blog.rust-lang.org/2020/04/17/Rust-survey-2019.html

  50. Ullrich, S.: Simple verification of Rust programs via functional purification. Master’s thesis, Karlsruher Institut für Technologie (KIT) (2016)

    Google Scholar 

  51. VanHattum, A., Schwartz-Narbonne, D., Chong, N., Sampson, A.: Verifying dynamic trait objects in Rust (2022)

    Google Scholar 

  52. Wolff, F., Bílý, A., Matheja, C., Müller, P., Summers, A.J.: Modular specification and verification of closures in Rust. Proc. ACM Program. Lang. 5(OOPSLA), 1–29 (2021)

    Google Scholar 

Download references

Acknowledgements

We warmly thank Nicholas D. Matsakis, Nick Cameron, Derek Dreyer and Ralf Jung for extensive discussions and feedback in the early stages of this project, and are very grateful to Florian Hahn for his work on a precursor to Prusti [20], as well as numerous Master’s and undergraduate students who have since contributed via projects.

This work was partially funded by the Swiss National Science Foundation (SNSF) (Grant No. 200021_169503), the Natural Sciences and Engineering Research Council of Canada (NSERC) (ref. RGPIN-2020-06072), Amazon Research Awards, Meta (then Facebook) Research and the Interchain Foundation.

Author information

Authors and Affiliations

  1. Department of Computer Science, ETH Zurich, Zurich, Switzerland

    Vytautas Astrauskas, Aurel Bílý, Jonáš Fiala, Peter Müller & Federico Poli

  2. University of British Columbia, Vancouver, Canada

    Zachary Grannan & Alexander J. Summers

  3. Technical University of Denmark, Kongens Lyngby, Denmark

    Christoph Matheja

Authors
  1. Vytautas Astrauskas
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Aurel Bílý
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Jonáš Fiala
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Zachary Grannan
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Christoph Matheja
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Peter Müller
    View author publications

    You can also search for this author in PubMed Google Scholar

  7. Federico Poli
    View author publications

    You can also search for this author in PubMed Google Scholar

  8. Alexander J. Summers
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Alexander J. Summers .

Editor information

Editors and Affiliations

  1. University of Southern California, Los Angeles, CA, USA

    Jyotirmoy V. Deshmukh

  2. Jet Propulsion Laboratory, California Institute of Technology, Pasadena, CA, USA

    Dr. Klaus Havelund

  3. National Institute of Aerospace, Hampton, VA, USA

    Ivan Perez

Rights and permissions

Reprints and Permissions

Copyright information

© 2022 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Astrauskas, V. et al. (2022). The Prusti Project: Formal Verification for Rust. In: Deshmukh, J.V., Havelund, K., Perez, I. (eds) NASA Formal Methods. NFM 2022. Lecture Notes in Computer Science, vol 13260. Springer, Cham. https://doi.org/10.1007/978-3-031-06773-0_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-06773-0_5

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-06772-3

  • Online ISBN: 978-3-031-06773-0

  • eBook Packages: Computer ScienceComputer Science (R0)