Formal verification tool for Rust: check 100% of execution cases of your programs 🦀 to make applications with no bugs! ✈️ 🚀 ⚕️ 🏦

Formal verification enables the making of software without bugs by showing that it follows a precise specification in all execution cases, in contrast to testing, which only covers a finite amount of cases.

See our blog post Verifying an ERC-20 smart contract in Rust to have an example of formally verified Rust code using coq-of-rust.

The development of coq-of-rust was mainly funded by the crypto-currency Aleph Zero, to develop safer smart contracts. We thank them for their support!

• Example
• Rationale
• Prerequisites
• Installation and User Guide
• Features
• Contact
• Alternative Projects
• Contributing

At the heart of coq-of-rust is the translation of Rust programs to the proof system Coq 🐓. Once some Rust code is translated to Coq, it can then be verified using standard proof techniques.

Here is an example of a Rust function:

fn add_one(x: u32) -> u32 {
    x + 1
}

Running coq-of-rust, it translates in Coq to:

Definition add_one (τ : list Ty.t) (α : list Value.t) : M :=
  match τ, α with
  | [], [ x ] =>
    ltac:(M.monadic
      (let x := M.alloc (| x |) in
      BinOp.Panic.add (| M.read (| x |), Value.Integer Integer.U32 1 |)))
  | _, _ => M.impossible
  end.

Functions such as BinOp.Panic.add are part of the standard library for Rust in Coq that we provide. We can then express and verify specifications on the code in Coq.

Formal verification allows the prevention of all bugs in critical software.

The type system of Rust already offers strong guarantees to avoid bugs that exist in C or Python. We still need to write tests to verify the business rules or the absence of panic. Testing is incomplete as it cannot cover all execution cases.

With formal verification, we cover all cases (code 100% bug-free!). We replace the tests with mathematical reasoning on code. You can view it as an extension of the type system but without restrictions on the expressivity.

The tool coq-of-rust translates Rust programs to the battle-tested formal verification system Coq to make Rust programs 100% safe 🚀.

• Rust
• Coq (see coq-of-rust.opam)

The build tutorial provides detailed instructions on building and installing coq-of-rust, while the user tutorial provides an introduction to the coq-of-rust command line interface and the list of supported options.

The translation works at the level of the THIR intermediate representation of Rust.

We support 99% of the Rust examples from the Rust Book by Examples. This includes:

• basic control structures (like if and match)
• loops (while and for)
• references and mutability (& and &mut)
• closures
• panics
• user types (with struct and enum)
• the definition of traits
• the implementation keyword impl for traits or user types

For formal verification services on your Rust code base, contact us at [email protected]. Formal verification can apply to smart contracts, database engines, or any critical Rust project. This provides the highest confidence level in the absence of bugs compared to other techniques, such as manual reviews or testing.

Here are other projects working on formal verification for Rust:

• Aeneas: Translation from MIR to purely functional Coq/F* code. Automatically put the code in a functional form. See their paper Aeneas: Rust verification by functional translation.
• Hacspec v2: Translation from THIR to Coq/F* code
• Creusot: Translation from MIR to Why3 (and then SMT solvers)
• Verus: Automatic verification for Rust with annotations
• Kani: Model-checking with CBMC

This is all open-source software.

Open some pull requests or issues to contribute to this project. All contributions are welcome! This project is open-source under license AGPL for the Rust code (the translator) and MIT for the Coq libraries. There is a bit of code taken from the Creusot project to make the Cargo command coq-of-rust and run the translation in the same context as Cargo.