How do I formally prove the safety of a Rust crate with generics and trait bounds?

Question

How to give formal proofs by hand? Is there a language specification, as formal as formal logic, that we can build our proof on?

For example, how do I know if this module panics?

mod my_mod {
    use std::marker::PhantomData;
    
    #[derive(Clone, Copy)]
    pub struct A<'id> {
        p: PhantomData<*mut &'id u8>,
        data: u32,
    }
    
    pub fn scoped<T>(data: u32, f: impl for<'id> FnOnce(A<'id>) -> T) -> T {
        f(A {p: PhantomData::default(), data})
    }
    
    impl<'id> PartialEq for A<'id> {
        fn eq(&self, other: &Self) -> bool {
            // Can we prove that this assertion will never failed whatever code is using this mod?
            assert_eq!(self.data, other.data);
            // some UB stuff if the assertion failed here
            true
        }
    }
}

Rust playground

The intuition behind this very specific example is to give type level marks (as a lifetime generic) on the variables, so that we may guarantee two A<'id>'s are always copied from a same source.

"How do we know if this program halts" should be a simple question to answer! — tadman, Jan 01 '23 at 23:53
There is nothing unsafe in your code and there is no UB. If you want your code to never panic, don't use `assert`, `panic`, `unwrap`, etc. — Miiao, Jan 02 '23 at 00:06

score 0 · Answer 1 · answered Jan 03 '23 at 16:28

There is the Prusti Project which enables formal verification of Rust programs with minimal effort from the programmer.

In particular, they state that:

By default Prusti verifies absence of panics by proving that statements such as unreachable!() and panic!() are unreachable.

Their offical page can be reached with this link: https://www.pm.inf.ethz.ch/research/prusti.html

You can read their paper here: https://link.springer.com/chapter/10.1007/978-3-031-06773-0_5

How do I formally prove the safety of a Rust crate with generics and trait bounds?

1 Answers1