Prusti
Prusti is a prototype verifier for Rust, built upon the Viper verification infrastructure.
By default Prusti verifies absence of integer overflows and panics, proving that statements such as unreachable!()
and panic!()
are unreachable.
Overflow checking can be disabled with a configuration flag, treating all integers as unbounded.
In Prusti, the functional behaviour of functions and external libraries can be specified by using annotations, among which are preconditions, postconditions, and loop invariants.
The tool checks them, reporting error messages when the code does not adhere to the provided specification.
Useful links
π» VSCode extension to use Prusti from your IDE.π User guide, containing installation instructions, a guided tutorial and a description of various verification features.π§° Developer guide, meant for new contributors.π List of publications. To cite Prusti, please use this BibTeX entry.βοΈ License of the source code (Mozilla Public License Version 2.0, with exceptions).π¬ Do you still have questions? Open an issue or contact us on the Zulip chat.
Getting Prusti
The easiest way to try out Prusti is by using the "Prusti Assistant" extension for VS Code. See the requirements and the troubleshooting section in its readme.
Alternatively, if you wish to use Prusti from the command line there are three options:
- Download the precompiled binaries for Ubuntu, Windows, or macOS x64 from a GitHub release.
- Compile from the source code, by installing rustup, running
./x.py setup
and then./x.py build --release
. - (unmaintained) Build a Docker image from this
Dockerfile
.
All three options provide the prusti-rustc
and cargo-prusti
programs that can be used analogously to, respectively, rustc
and cargo build
.
For more detailed instructions, refer to the guides linked above.
Quick example
- Take the following program:
/// A monotonically increasing discrete function, with domain [0, domain_size) trait Function { fn domain_size(&self) -> usize; fn eval(&self, x: usize) -> i32; } /// Find the `x` s.t. `f(x) == target` fn bisect<T: Function>(f: &T, target: i32) -> Option<usize> { let mut low = 0; let mut high = f.domain_size(); while low < high { let mid = (low + high) / 2; let mid_val = f.eval(mid); if mid_val < target { low = mid + 1; } else if mid_val > target { high = mid; } else { return Some(mid) } } None }
- Run Prusti. You get the following error:
error: [Prusti: verification error] assertion might fail with "attempt to add with overflow" --> example.rs:12:15 | 12 | let mid = (low + high) / 2; | ^^^^^^^^^^^^ Verification failed
- Fix the buggy line with
let mid = low + ((high - low) / 2);
- Run Prusti. Now the
bisect
function verifies.
Congratulations! You just proved absence of panics and integer overflows in the bisect
function. To additionally prove that the result is correct (i.e. such that f(x) == target
), see this example.