Formal verification tool for Rust 🦀
Made with 🌲 Formal Land
Formal verification enables the making of software without bugs by showing that it follows a precise specification and covers all execution cases.
See our blog post Verifying an ERC-20 smart contract in Rust to have an example of formally verified Rust code using coq-of-rust.
The development of coq-of-rust was mainly funded by the crypto-currency Aleph Zero, for the development of safer smart contracts, that we thanks for the support.
At the heart of coq-of-rust is the translation of Rust programs to the proof system Coq 🐓. Once some Rust code is translated to Coq, it can then be verified using standard proof techniques.
Here is an example of a Rust function:
fn add_one(x: u32) -> u32 {
x + 1
}Running coq-of-rust, it translates in Coq to:
Definition add_one (x : u32.t) : M u32.t :=
let* x := M.alloc x in
let* α0 : u32.t := M.read x in
BinOp.Panic.add α0 ((Integer.of_Z 1) : u32.t).Functions such as BinOp.Panic.add are part standard library for Rust in Coq that we provide. We can then express and verify specifications on the code in Coq.
Formal verification allows the prevention of all bugs in critical software. This is used in the aerospace industry, for example 🧑🚀.
The type system of Rust already offers strong guarantees to avoid bugs that exist in C or Python. We still need to write tests to verify the business rules or the absence of panic. Testing is incomplete as it cannot cover all execution cases.
With formal verification, we cover all cases (code 100% bug-free!). We replace the tests with mathematical reasoning on code. You can view it as an extension of the type system but without restrictions on the expressivity.
The tool coq-of-rust translates Rust programs to the battle-tested formal verification system Coq to make Rust programs 100% safe 🚀.
- Rust
- Coq (version 8.14 or newer)
From the root of this repository, install coq-of-rust with:
cargo install --path lib/Then, in any Rust project, generate a Crate.v file with the Coq translation of the crate:
cargo coq-of-rustThe translation works at the level of the THIR intermediate representation of Rust.
Translate the test files (but show the error/warning messages):
cargo run --bin coq-of-rust -- translate --path examplesUpdate the snapshots of the translations of the test files, including the error messages:
python run_tests.pyCompile the Coq files:
cd CoqOfRust
./configure.sh
makeWe support 80% of the Rust examples from the Rust Book by Examples. This includes:
- basic control structures (like
ifandmatch) - loops (
whileandfor) - references and mutability (
&and&mut) - closures
- panics
- user types (with
structandenum) - the definition of traits
- the implementation keyword
implfor traits or user types
For formal verification services on your Rust code base, contact us at [email protected]. Formal verification can apply to smart contracts, database engines, or any critical Rust project. This provides the highest confidence level in the absence of bugs compared to other techniques, such as manual reviews or testing.
Here are other projects working on formal verification for Rust:
- Aeneas: Translation from MIR to purely functional Coq/F* code. Automatically put the code in a functional form. See their paper Aeneas: Rust verification by functional translation.
- Hacspec v2: Translation from THIR to Coq/F* code
- Creusot: Translation from MIR to Why3 (and then SMT solvers)
- Kani: Model-checking with CBMC
This is all open-source software.
Open some pull requests or issues to contribute to this project. All contributions are welcome! This project is open-source under license AGPL for the Rust code (the translator) and MIT for the Coq libraries. There is a bit of code taken from the Creusot project to make the Cargo command coq-of-rust and run the translation in the same context as Cargo.