What tools are available today to verify Rust programs in Coq? I mean verification using Coq of existing Rust code (as opposed to extraction). Something around Iris & RustBelt, I guess?
I thought this was the state of the art: https://gitlab.mpi-sws.org/iris/lambda-rust/-/tree/master/theories/typing/lib
There's also this, which is at a higher level of abstraction (closer to the language's syntax), but seems to be less mature https://github.com/aatxe/oxide
Although I just realized that they don't have much Coq code in the repo after browsing it a bit (I had only looked at the paper, where they claim to be working on formalizing everything in Coq)
Formalizing != releasing I guess, but yes Oxide seems less mature... the two projects also have different focuses
RustBelt focuses on unsafe code (tho it also gives semantics to safe code), while IIUC Oxide focuses on safe code? But I'd rather ask @Ralf Jung.
and as a follow-up (loaded) question, is there any public tooling geared to "verifying Rust programs" more in general, building on RustBelt?
IIRC, RustBelt focuses on safety and functional correctness of key pieces of unsafe code, but you translate the code into Coq ASTs in CPS by hand (eg https://gitlab.mpi-sws.org/iris/lambda-rust/-/blob/master/theories/typing/lib/rwlock/rwlock_code.v) — no AST generation, right?
@Ralf Jung Would POPL people call the missing tooling 'just engineering' (even if huge amounts of) or would there be research challenges as well?
@Paolo Giarrusso Yes, these questions are exactly what I was wondering :) Hope Ralf can say more.
yeah what we published with RustBelt so far relies on manual translation and is geared towards verifying safe encapsulation of unsafe code behind a typed API surface
but verifying functional properties of Rust code and having more automated translation is certainly on the agenda for us :)
Paolo Giarrusso said:
Ralf Jung Would POPL people call the missing tooling 'just engineering' (even if huge amounts of) or would there be research challenges as well?
I would say there are some research challenges left in developing systems for verifying functional correctness of Rust programs
We've collected a number of formal method tools for rust here: https://rust-formal-methods.github.io/tools.html
The three methods that work for surface rust, as far is I know are:
oh right, a full Rust spec needs to deal with the semantics of unsafe code, sometimes with similar questions to those for C/C++ — from pointer provenance to atomics to ...
Paolo Giarrusso said:
oh right, a full Rust spec needs to deal with the semantics of unsafe code, sometimes with similar questions to those for C/C++ — from pointer provenance to atomics to ...
indeed. there's a reason I am talking so much about pointer provenance the last year(s). ;)
I should add that oxide also treats surface rust. So, do some of the other none Coq tools in the link above.
@Maxime Dénès what are you looking for?
I haven't looked at all of them yet, but I'm still wondering what would be the way to go if one wanted to reason on an existing Rust codebase. I guess, as you wrote, some work first has to be done to mechanically specify the Rust language itself.
depends on the codebase -- if its safe Rust, most of the tricky questions of the Rust spec are not relevant
In the last RFMIG we had a specification challenge. Creusot/rustHorn and prusti were presented.
The first group seems to be most concise.
The tools I mentioned above would probably be less suitable for an existing tool base, but could work well if you can start with a clean slate and are in a specific domain.
Last updated: Oct 08 2024 at 16:02 UTC