Rust: Beyond the Typechecker

273 点作者 UkiahSmith大约 6 年前

10 条评论

Animats大约 6 年前

This has been done so many times.The Stanford Pascal Verifier was probably the first[1] The Pascal-F Verifier, a project I headed around 1980,[2][3] used preconditions and postconditions very similar to what this guy is doing in Rust. "Specifically, full functional correctness with properties like arithmetic correctness, in-bounds array accesses, state machines correctness, functional correctness with respect to an abstract specification or security properties." - we had all that in 1983. Look at the example starting at page 56 in [2].DEC did a lot of work on this for Modula, and later Java, in the late 1980s.[4] Modula went down with DEC. The work was mostly lost. Dafny is probably the most modern system in this line.Memory safety by proof was coming along well in the early 1980s. Working systems existed. Automatic prover technology was working. Then came C.The "array is a pointer" mindset of C set programming back by decades. In Pascal, there were no buffer overflows. Pascal, Modula, Ada, and on to Rust - no buffer overflows. Everything carried along size information. Subscript checking optimizations had been figured out by the 1980s, so the performance penalty was coming down.The author mentions Sapiens, an attempt to apply machine learning to the problem of null pointers in C. (Anyone have a reference? It's hard to find.) Massive amounts of effort are being applied to try to infer information that C just can't express. This would be a lot more worthwhile if it resulted in translation of C to something better.Forty years, and this still isn't fixed.[1] <a href="http://i.stanford.edu/pub/cstr/reports/cs/tr/79/731/CS-TR-79-731.pdf" rel="nofollow">http://i.stanford.edu/pub/cstr/reports/cs/tr/79/731/CS-TR-79...</a> [2] <a href="http://www.animats.com/papers/verifier/verifiermanual.pdf" rel="nofollow">http://www.animats.com/papers/verifier/verifiermanual.pdf</a> [3] <a href="https://github.com/John-Nagle/pasv" rel="nofollow">https://github.com/John-Nagle/pasv</a> [4] <a href="https://link.springer.com/content/pdf/10.1007/BFb0026441.pdf" rel="nofollow">https://link.springer.com/content/pdf/10.1007/BFb0026441.pdf</a>

评论 #19676205 未加载

评论 #19676243 未加载

评论 #19676825 未加载

评论 #19676847 未加载

评论 #19677333 未加载

评论 #19680979 未加载

ChrisSD大约 6 年前

Here's the Servo pull request that came from formal verification of Rust code:<a href="https://github.com/servo/servo/pull/22458" rel="nofollow">https://github.com/servo/servo/pull/22458</a>

评论 #19674575 未加载

scriptkiddy大约 6 年前

The example given with the `Point` struct is interesting. As a self taught developer with admittedly little language design knowledge, it almost seems like unit tests without all of the boiler plate.For instance, the `is_diagonal` function provided as the "correctness checker" looks to me like something that would be in a unit test for the `double` function. However, I think it goes a little bit deeper than that. In a unit test, you are somewhat required to pass specific values to the constructs you are testing. The given example is more complete than a unit test in that it doesn't just test for the correct value being produced by the `double` function when given specific values, it actually checks all possible outcomes by asserting that the `double` function always produces a `Point` where `p.x == p.y`.Given that the example is relatively trivial, I would like to see how this would work for more complex functions and structures.

评论 #19674879 未加载

评论 #19675412 未加载

评论 #19674982 未加载

评论 #19677867 未加载

评论 #19674627 未加载

评论 #19674533 未加载

Datenstrom大约 6 年前

My biggest wish for Rust right now is dependent types, I find myself wanting them in almost everything I write to ensure it is correct for all possible inputs. It could also improve performance eliminating out of bounds checks in many places.I recall someone mentioning in a RFC that it was on a distant wishful thinking roadmap. I hope it is.

评论 #19675611 未加载

评论 #19676210 未加载

评论 #19675145 未加载

评论 #19677657 未加载

lapinot大约 6 年前

I'm surprised there is no name dropping of `Hoare logic' here or in the article so i'm gonna do it. Hoare logic is made of triplets (precondition, command, postcondition). A whole bunch of things are based on that. To go further one can also search about separation logic which adds an account for abstract memory locations into hoare logic.But actually i must say i'm not very fond of these kind of approaches. As is rightly made explicit in the post, a lot of nice properties of Rust come from it's type system. A type system is a way to annotate usual programming constructs with additional infos (types) together with a decidable procedure for testing whether or not a particular program is well-typed. And then we provide several key lemmas asserting that all well-typed program enjoy such and such property. On the other hand, program verification is a different beast: you annotate parts of your program with some form of specification (hoare triplets and the like) and then you try to solve the (in most case undecidable) problem of coming up with proofs that your program satisfies the specifications you gave.The approach is very different: on one hand you restrict (maybe severely) the programs so that you can decide whether or not some properties hold, on the other hand you (mostly) don't restrict the programs and you hope to give enough hints so that the solver doesn't get stuck. Bottom-up versus top-down. Correct-by-construction versus maybe-provably-correct. I feel like type checking is robust/reliable/simple whereas verification is a black-box which isn't easy to understand and thus never feels very "principled". Sure types can sometimes be too explicit and heavy on the user, but they are also more predictable and consistent.My 2cts... Anyway i'm not saying i think this project is useless or anything, most systems actually live somewhere between bottom-up and top-down, ideas from one side may help the other, and deductive verification may arguably be much more bottom-up than other verification techniques (all flavors of model checking, abstract interpretation etc).

pron大约 6 年前

Code-level specifications (sometimes called contracts) that can be verified by various means (including manual deductive proofs, and automated solvers) exist for mainstream programming languages. The most mature ones are probably JML for Java (verified with <a href="https://www.openjml.org/" rel="nofollow">https://www.openjml.org/</a> and various other tools) and ACSL for C (verified with <a href="https://frama-c.com/" rel="nofollow">https://frama-c.com/</a>). C# has Spec#, but I'm not sure it's still used.It is still unclear how best to use such code level verification, as the effort required grows very quickly with code size, and it's unclear how much sporadic verification of properties that are easy to prove actually improves correctness, but this is all still ongoing research.

评论 #19676195 未加载

mavelikara大约 6 年前

I found this case study by the author, linked from the article, more interesting: <a href="https://blog.merigoux.ovh/en/2019/04/16/textinput.html" rel="nofollow">https://blog.merigoux.ovh/en/2019/04/16/textinput.html</a>

int_19h大约 6 年前

Looking at examples of syntax for pre/post-conditions and invariants, it's all Rust expressions inside strings. Is there no other way for an attribute to have some associated inline code? Strings are not optimal for this, because they break tooling (syntax highlighting, code completion and navigation, refactoring etc).

评论 #19677687 未加载

kaiby大约 6 年前

There's actually already a library that does what the author is talking about: <a href="https://github.com/nrc/libhoare" rel="nofollow">https://github.com/nrc/libhoare</a>They call it "design by contract" rather than "deductive verification" though.Wish there wouldn't be so many terms for the same thing.edit: There's also an existing RFC for this: <a href="https://github.com/rust-lang/rfcs/issues/1077" rel="nofollow">https://github.com/rust-lang/rfcs/issues/1077</a>

评论 #19683849 未加载

ainar-g大约 6 年前

<pre><code> Why doesn’t this category of bugs exist for Rust programs? Simply because you cannot write a program that contains a null-pointer error. </code></pre> Hate to be that guy, but this is strictly not true. Observe:<pre><code> $ nl -ba nulltmp.rs 1 use std::ptr; 2 3 fn main() { 4 unsafe { 5 let p = ptr::null::<i64>(); 6 println!("{}", *p); 7 } 8 } $ rustc nulltmp.rs $ ./nulltmp Segmentation fault (core dumped) </code></pre> Raw pointers exist. Unsafe Rust exists. Any large enough Rust project will end up with some unsafe code. That doesn't mean that the things OP is doing aren't great—they are—but merely that, when considering tools to be used for real-world Rust, people shouldn't assume that their tools will only be used in a shiny rainbow unicorn world of Safe Rust.

评论 #19677156 未加载

评论 #19678595 未加载