Add tool: VeriFast #213
Comments
|
Hi Bart ! Thanks a lot for submitting the application ! Below is a recap of the (requirements)[https://model-checking.github.io/verify-rust-std/general-rules.html] to get a tool integrated:
We are good on this one.
I’m going to assemble a group to audit verifast’s recently intoduced support for Rust and lifetime logic. However any supporting documents you can provide (papers, documentation etc), pointers to relevant code in the Verifast repository, etc. would be immensely helpful to help us get started.
No need to elaborate too much on the core principles underlying Verifast (you've already published a lot on Verifast), but you could at least elaborate a little bit on the approach you took to porting the liftetime logic from RustBelt to Verifast, and the classes of UB and even functional properties this allows to cover when verifying Rust.
Here you could perhaps give links to Verifast’s own regression tests suite, specifically for Rust, and CI checks/status if you have any CI checks automated via github. Examples of negative tests (failing proofs due to known bugs) would also be good to help confirm the tool can detect bugs when they are present.
This point requires some precision: The PR must effectively provide a github action that runs your tool against the current version of the verify-std-lib repository. The CI integration via a github action is a very (if not the most) important part of the tool integration, since we ultimately want the proofs to be performed at each release of the rust std library, and not just be one-off events. For reference, this is the github action that runs Kani against the repo: https://github.com/model-checking/verify-rust-std/blob/main/.github/workflows/kani.yml Setting up something similar for Verifast might require you to package Verifast and its dependencies in a format that can be executed via a github action (docket container, etc.). This also may require a mechanism to identify which files need to be analyzed by Verifast (unless Verifast can quickly scan the repository and analyze relevant files). Ultimately the goal is to be able to block a CI pipeline on proof failure.
This means that modifications made to the code repo and break the github action will not cause the tool to lose approval, but will most likely trigger a support request from people who try to use the tool to complete some verification task and issue a PR that relies on Verifast. |
|
Many thanks for your guidance, Remi!! I will provide all of the requested information asap. Here is a first batch: Architecture of VeriFast for RustI first explain the architecture of VeriFast for C, which existed first and which VeriFast for Rust extends. Architecture of VeriFast for CFrontend
Core engine
For some more details, see the README. Rust frontendThe Rust frontend essentially provides an alternative parser, providing the same kind of raw parse tree to verifast1.ml that the C parser provides. It gets called in verifast.ml for
Notable functions in vf_mir_translator.ml include:
If the user provides an explicit spec for a Rust function that is not marked as Prelude and standard library specsBesides the source code for VeriFast for Rust, the other important ingredient is the prelude (the set of definitions always implicitly imported) and the specifications used for the standard library.
Test suiteThe VeriFast CI runs testsuite.mysh, which runs most of the examples in examples and tests. All of the Rust examples and test cases are in tests/rust; the command lines are in tests/rust/testsuite.mysh. See the README for more info. The test suite has only a few negative test cases (look for Soundness of VeriFast for RustThe soundness property we are targeting with VeriFast for Rust is that if
|
|
For the GitHub action, one approach would be to have a parallel source tree below a
Option A is simpler but causes more CI failures; Option B will allow the action to succeed in case changes occur that do not affect the annotated/verified parts of the file. It's not clear that option B is worth the trouble. Perhaps it is best if we simply do Option A for now; if it turns out this causes too much noise, we can still move to Option B later? |
|
The fact that |
|
Running VeriFast in CI is as simple as downloading the Linux binary release, extracting it to anywhere, and running I'm afraid there are no papers or other documentation specifically on VeriFast for Rust yet; a tutorial is in preparation. I think this addresses your questions. If you need anything else, just let me know. |
|
I thought I'd add the following guide to the reader of the core engine source code:
|
This PR updates the tool application section of our book. The key changes are: - Specify how to submit tool applications (through an issue). Also provide a "Tool Application" issue template. - Move the details about specifying differences with other tools and audit information to the application so they're harder to miss. (These changes are inspired by our experience with the [Verifast application](#213); I realized there's a few things we can make clearer on our end). By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses. --------- Co-authored-by: Michael Tautschnig <mt@debian.org>
|
@btj thanks a lot for all the leads. Currently looking for auditors, will post updates here. |
Remi Delmas recently suggested that I participate in the challenges using VeriFast. I went ahead and had a go at Challenge 5 (
linked_list.rs); today I reached a state where I consider the challenge solved. I used VeriFast 24.12 (released today). I guess I should get the tool accepted now. Here is the tool application form:The following form is designed to provide information for your tool that should be included in the effort to verify the Rust standard library. Please note that the tool will need to be supported if it is to be included.
Tool Name
VeriFast
Description
VeriFast is a tool for modularly verifying absence of undefined behavior as well as functional correctness properties of single-threaded and multithreaded C, Java, or Rust programs. It takes as input the source code for a module (object file/jar file/crate) with function/method preconditions and postconditions and other specification and proof hint constructs (such as loop invariants) included as special comments, and verifies each function/method separately by symbolically executing it, starting from a symbolic state that represents an arbitrary state that satisfies the precondition, and checking that the state upon return satisfies the postcondition. It uses a separation logic representation of memory.
Tool Information
Licenses
Please list the license(s) that are used by your tool, and if to your knowledge they conflict with the Rust standard library license(s).
MIT license
Steps to Use the Tool
/path/to/verifast/bin/verifast -c /path/to/the/file.rsExtra command-line options may be required; see
tests/rust/testsuite.myshto see the command lines used for the Rust examples.Artifacts
VeriFast has been used by Nathan Chong at AWS to verify the core concurrent queue data structure used for task scheduling in FreeRTOS: https://nchong.github.io/talks/CAVLightning-23July2020.pdf https://nchong.github.io/papers/ewc21.pdf , and then by Tobias Reinhard while interning with Mark Tuttle at AWS to verify the same in Multicore FreeRTOS. We have also used it for other small "industrial case studies": https://people.cs.kuleuven.be/~bart.jacobs/verifast/vf-case-studies-scp2012.pdf We have won several verification competitions with VeriFast: VerifyThis 2012 and VerifyThis 2016. But VeriFast has mostly been a vehicle for developing new ideas in modular verification. See references in https://arxiv.org/pdf/1507.07697 and at https://distrinet.cs.kuleuven.be/people/BartJacobs .
CI & Versioning
I mostly use the nightly builds; I create named releases only irregularly, when the need arises. I created a new release today: VeriFast 24.12.
The text was updated successfully, but these errors were encountered: