Abstract

Closures are a language feature supported by many mainstream languages, combining the ability to package up references to code blocks with the possibility of capturing state from the environment of the closure's declaration. Closures are powerful, but complicate understanding and formal reasoning, especially when closure invocations may mutate objects reachable from the captured state or from closure arguments. This paper presents a novel technique for the modular specification and verification of closure-manipulating code in Rust. Our technique combines Rust's type system guarantees and novel specification features to enable formal verification of rich functional properties. It encodes higher-order concerns into a first-order logic, which enables automation via SMT solvers. Our technique is implemented as an extension of the deductive verifier Prusti, with which we have successfully verified many common idioms of closure usage.

Highlights

  • Dating back to at least 1964 [Landin 1964], the programming language community has seen a renewed interest in closures as a language feature this millennium, with their addition to many imperative and object-oriented mainstream languages, including C++, Java (v. 8), and C# (v. 3.0) [Mazinanian et al 2017]

  • While formally reasoning about such concurrent programs requires many of the solutions we present in this paper for handling the closure-related reasoning, verification of concurrent Rust is beyond the direct scope of our work here

  • All of the use cases presented so far occur in programming languages other than Rust, so what makes closures in Rust interesting? In this subsection, we argue that Rust simplifies some aspects of reasoning about such closure uses thanks to the specifics of its type system


Summary

Introduction

Closures date back to at least 1964 [Landin 1964], and this millennium the programming language community has seen a renewed interest in them as a language feature, with their addition to many imperative and object-oriented mainstream languages, including C++ (in C++11), Java (v. 8), and C# (v. 3.0) [Mazinanian et al 2017]. Closures allow for the encapsulation of code fragments as functions that, in contrast to an object's methods, can be passed around as first-class values without revealing the existence of associated state. A filter function in a data structure API might take a closure as argument, allowing callers to instantiate the filtering criterion; a closure passed to filter might store in its associated state how many times the criterion was invoked. We refer to functions (such as filter) taking closures as arguments as higher-order functions.
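The filter scenario just described, written out in Rust as an added example (this is not code from the paper or from Prusti): a higher-order `filter_with` takes an `FnMut` closure whose captured state counts how often the criterion was invoked, and the names `filter_with` and `filter_evens_counting` are this example's own.

```rust
/// A higher-order filter over a slice: the caller supplies the criterion as a
/// closure. `FnMut` is required because the closure mutates its captured state
/// (the invocation counter) on every call.
fn filter_with<T: Clone, F: FnMut(&T) -> bool>(items: &[T], mut pred: F) -> Vec<T> {
    let mut kept = Vec::new();
    for item in items {
        if pred(item) {
            kept.push(item.clone());
        }
    }
    kept
}

/// Filters `values` for even numbers with a closure that records how many
/// times the criterion was invoked. Returns (kept values, invocation count).
fn filter_evens_counting(values: &[i32]) -> (Vec<i32>, usize) {
    let mut calls = 0usize;
    // The closure captures `calls` by mutable reference. While `is_even` is
    // alive, the borrow checker forbids any other access to `calls`, so the
    // only way the counter can change is through invocations of the closure.
    // This aliasing restriction is what makes the captured state tractable to
    // reason about: nothing outside the closure can observe or alter it.
    let is_even = |x: &i32| {
        calls += 1;
        x % 2 == 0
    };
    let kept = filter_with(values, is_even);
    // `is_even` was moved into `filter_with` and dropped there, so the mutable
    // borrow has ended and `calls` is readable again. A specification of
    // `filter_with` would state the property checked by the caller below:
    // the criterion ran exactly once per element.
    (kept, calls)
}

fn main() {
    // Constructed sample input.
    let input = [1, 2, 3, 4, 5, 6];
    let (kept, calls) = filter_evens_counting(&input);
    println!("kept {:?}, criterion invoked {} times", kept, calls);
    assert_eq!(calls, input.len());
}
```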

