Logical Foundations for the Future of Safe Systems Programming

The RustBelt project is motivated by a longstanding open question in the design of languages for programming complex software systems, namely: How can we provide programmers with both safety and control? Systems programming languages like C and C++ give programmers low-level control over resource management at the expense of safety, whereas most other modern languages give programmers safe, high-level abstractions at the expense of control. It has long been a "holy grail" of programming languages research to overcome this seemingly fundamental tradeoff and design a language that offers programmers both high-level safety and low-level control.

Rust is a relatively new language, developed at Mozilla Research, that marries together the low-level flexibility of modern C++ with a strong "ownership-based" type system guaranteeing type safety, memory safety, and data race freedom. As such, Rust has the potential to revolutionize systems programming, making it possible to build software systems that are safe by construction, without having to give up low-level control over performance.

Unfortunately, prior to the RustBelt project, none of Rust's safety claims had been formally investigated, and there was reason to doubt whether they held. To rule out data races and other common programming errors, Rust's core type system prohibits the aliasing of mutable state, but this is too restrictive for implementing many low-level data structures. Consequently, Rust's standard libraries make widespread internal use of "unsafe blocks", which enable the implementations to deploy potentially dangerous operations. The hope is that such unsafe code is properly encapsulated, so that Rust's language-level safety guarantees are preserved. But due to Rust's reliance on a "relaxed" memory model of concurrency, along with its bleeding-edge type system, verifying that Rust and its libraries are actually safe requires fundamental advances to the state of the art.

In this project, we have equipped Rust programmers with the first formal tools for verifying safe encapsulation of unsafe code. Achieving this goal required us to develop a number of breakthrough results in the areas of concurrent program logics, relaxed memory models, and semantics of type systems. Any realistic languages targeting this domain in the future will encounter the same problem, so we expect our results to have lasting impact.

The project led to a number of major breakthrough results in program semantics and verification. These results have been published in top venues in Programming Languages, such as POPL and PLDI, as well as receiving a number of major awards. In particular, our work on *Iris* has had major impact on the field of separation logic verification, and *RustBelt* spearheaded an exciting line of work on the semantics and verification of Rust.

- Relaxed-Memory Concurrency: Rust inherits its relaxed-memory concurrency model from C/C++11, but the C11 model is known to suffer from a fatal flaw called the "out-of-thin-air" problem. We proposed a breakthrough solution to this problem, which we called the "promising semantics". In addition, we have identified a previously unknown flaw in C11 pertaining to the treatment of sequentially consistent accesses, and we proposed a revised semantics, dubbed RC11, that fixes this flaw. Our fix to C11 was incorporated into the language standard.

- Low-Level Program Verification: We have developed Iris, a general framework for higher-order concurrent separation logic, which supports the verification of complex, low-level, concurrent programs in the Coq proof assistant. Crucially, Iris is *parameterized* by the language we are reasoning about, which enabled us to experiment with different semantics and memory models for Rust. In addition, Iris was designed to make it easy to soundly *derive* custom logics for different application domains, a facility we make essential use of in the RustBelt verification. Last but not least, we have equipped Iris with a powerful interactive proof mode, which has made it possible for users to develop interactive proofs within Iris in the same convenient tactical style that they normally use when developing proofs within Coq.

- Formalizing the Rust Language: We have given a formal definition of a core typed calculus called LambdaRust, which encapsulates the central features of the Rust language. This is the first formal account of such a significant subset of the Rust language.

- Proving Safety of Rust: We have developed RustBelt, a semantic soundness proof for LambdaRust, which establishes formally that Rust's safety guarantees do in fact hold both for the LambdaRust type system, as well as for a variety of widely-used Rust libraries that internally make use of unsafe features. This constitutes the first formal validation of the safety of a significant subset of the Rust language, under both sequentially consistent and relaxed-memory semantics. Our verification makes essential use of the power of Iris to define custom domain-specific logics.

We have also made several breakthroughs on problems that were not envisioned at the start of the project:

- Validating Powerful Compiler Optimizations for Rust: We developed Stacked Borrows, a new semantics for memory accesses in Rust which is in the process of being integrated into the language specification. Stacked Borrows makes it possible for the Rust compiler to safely employ strong type-based optimizations, even in the presence of unsafe code.

- Automated and Foundational Verification of C: Going beyond Rust, we have also developed a new tool called RefinedC, which uses refined ownership types to support automated verification of C programs while also producing foundational, machine-checked proofs of their correctness in Iris/Coq. RefinedC is closely inspired by the semantic soundness proof of RustBelt.

Iris (https://iris-project.org) has had major impact on the field of separation logic verification. It has enabled many researchers worldwide to derive new custom separation logics soundly within a unified framework in the Coq proof assistant. This has resulted in over 40 published papers at top venues, and not only by our group: Iris has been adopted as a core verification technology both by top systems researchers at MIT (in the Perennial project for crash-safe systems verification) and by the systems verification startup BedRock Systems.

RustBelt has sparked an exciting new field of work on the semantics and verification of the Rust programming language. Our flagship RustBelt paper is the most highly cited paper of POPL'18.

The clearest evidence of the success of the RustBelt project is the attention received by Ralf Jung's landmark PhD thesis, which encompasses the projects Iris, RustBelt, and Stacked Borrows. It has already received the ETAPS Doctoral Dissertation Award, as well as Honorable Mention for the ACM Doctoral Dissertation Award (the highest international accolade for PhDs in Computer Science).

The PI has also received the ACM SIGPLAN Robin Milner Young Researcher Award, the highest international award for mid-career researchers in Programming Languages. The award citation explicitly mentions the ERC RustBelt project as one of the PI's most notable achievements.

Finally, papers published as part of this project have received 4 Distinguished Paper Awards, as well as a PLDI Distinguished Artifact Award for RefinedC.