Creusot: A Foundry for the Deductive Verification of Rust Programs

Abstract: Rust is a fairly recent programming language for system programming, bringing static guarantees of memory safety through a strict ownership policy. The strong guarantees brought by this feature opens promising progress for deductive verication, which aims at proving the conformity of Rust code with respect to a specication of its intended behavior. We present the foundations of Creusot, a tool for the formal specication and deductive verication of Rust code. A rst originality comes from Creusot's specication l… Show more

“…In this section we measure the performance of both the proofs of iterators and their clients, using the Creusot [4] tool for verification of Rust programs. It allows for verification of Rust programs, and requires some annotations to verify the functional correctness of Rust programs.…”

“…This provides a way to verify the functional correctness of programs using higher-order iterators, while requiring lightweight annotations. -We provide a freely available 1 implementation of our proposal in Creusot [4]. This tool is a state-of-the-art verification platform for safe Rust code, allowing users to verify programs by adding contracts to their functions.…”

“…One important aspect of specifications of imperative programs is their memory model, that is the way they handle pointers and mutations performed through them. Following previous work [7,8,4], we choose to leverage the non-aliasing guarantees of Rust's type system. Because of the non-aliasing guarantees, a given memory location can be mutated through at most one reference at a given point in time, excluding all "spooky actions at a distance" that are customary with pointer aliasing.…”

“…As a result, the Rust type Box<T> of heap-allocated pointers, and the Rust type &T of read-only references are simply modeled by wrappers over values of type T in our specifications. As shown in previous work [4,7,8], this interpretation of Rust programs is key to verifying complex Rust programs, because it avoids the use of any kind of separation logic or dynamic frames, which are challenging to automate. The handling of mutable references &mut T requires caution.…”

“…RustHorn [7] and RustHornBelt [8] show how the non-aliasing guarantees of Rust can be used for reducing the verification of Rust programs into the proof of first-order logic formulas. These works serve as theoretical foundations for Creusot [4], which we use to evaluate our specification scheme for iterators.…”

Specifying and Verifying Higher-order Rust Iterators

“…In this section we measure the performance of both the proofs of iterators and their clients, using the Creusot [4] tool for verification of Rust programs. It allows for verification of Rust programs, and requires some annotations to verify the functional correctness of Rust programs.…”

“…This provides a way to verify the functional correctness of programs using higher-order iterators, while requiring lightweight annotations. -We provide a freely available 1 implementation of our proposal in Creusot [4]. This tool is a state-of-the-art verification platform for safe Rust code, allowing users to verify programs by adding contracts to their functions.…”

“…One important aspect of specifications of imperative programs is their memory model, that is the way they handle pointers and mutations performed through them. Following previous work [7,8,4], we choose to leverage the non-aliasing guarantees of Rust's type system. Because of the non-aliasing guarantees, a given memory location can be mutated through at most one reference at a given point in time, excluding all "spooky actions at a distance" that are customary with pointer aliasing.…”

“…As a result, the Rust type Box<T> of heap-allocated pointers, and the Rust type &T of read-only references are simply modeled by wrappers over values of type T in our specifications. As shown in previous work [4,7,8], this interpretation of Rust programs is key to verifying complex Rust programs, because it avoids the use of any kind of separation logic or dynamic frames, which are challenging to automate. The handling of mutable references &mut T requires caution.…”

“…RustHorn [7] and RustHornBelt [8] show how the non-aliasing guarantees of Rust can be used for reducing the verification of Rust programs into the proof of first-order logic formulas. These works serve as theoretical foundations for Creusot [4], which we use to evaluate our specification scheme for iterators.…”

Specifying and Verifying Higher-order Rust Iterators

The Prusti Project: Formal Verification for Rust

Verified Scalable Parallel Computing with Why3