Creusot 0.11.0: VerifyThis winner

Creusot 0.11.0 just dropped, right after its developers clinched the Best Overall Team award at VerifyThis 2024. This Rust verification tool proved its mettle in a high-stakes competition, verifying complex problems—including concurrency—without any simplifications. For Rust users building critical software, this signals progress toward reliable formal proofs in real-world scenarios.

VerifyThis Win: Proof Under Pressure

VerifyThis, held at ETAPS in Turin, pits verification tools against tough problems. Teams prove specs using tools like Creusot, judged on correctness, completeness, and elegance. Jacques-Henri Jourdan and Li-yao Xia, dubbing themselves The Steelmakers, used Creusot to dominate. They tackled all challenges as stated, skipping the usual adaptations for tool limits.

The concurrency challenge (Challenge 2) highlighted Creusot’s ghost permissions, introduced earlier this year at CPP 2024 and inspired by Verus (OOPSLA 2023). Ghost permissions let you reason about shared state without runtime overhead—key for multithreaded Rust code. No major tooling hiccups, bar one bug in #[bitwise_mode]. Solutions live in the creusot-examples repo.

Why this matters: Competitions expose tools’ limits. Creusot handled time-constrained, contest-level specs verbatim. Rust’s borrow checker catches many errors, but formal verification nails functional correctness and concurrency bugs that slip through. In finance or crypto, where a single race condition costs millions, this reduces audit burdens.

RustVerify Insights and Std Lib Push

At the RustVerify workshop, Li-yao Xia presented “Verifying the Rust standard library with Creusot.” They targeted slice functions using new proof modes—not yet released. Verifying std sets a high bar; slices underpin vectors, strings, and iterators. Success here could bootstrap trust in Rust’s ecosystem.

Natalie Neamtu et al. covered weak memory models in Creusot and Verus, adding primitives for release-acquire and relaxed atomics. Creusot 0.11.0 includes these, letting you model real hardware behaviors like x86 or ARM. Full concurrency reasoning docs are pending.

Skeptical note: Std lib verification is WIP and ambitious. Rust’s std evolves fast; proofs must keep pace. Tools like Creusot (Why3 backend) and Prusti (Viper) compete, but adoption lags due to annotation overhead—expect 2-10x code bloat for proofs.

Creusot 0.11.0: Incremental Polish

No blockbuster features, per the changelog. The key addition is explicit binders in postconditions: you name the return value yourself instead of relying on the implicit `result`, and you can destructure it in the spec.

#[ensures(result@ == 0)] // old: implicit `result`
fn zero() -> usize { 0 }

#[ensures(|my_result| my_result@ == 0)] // new: named `my_result`
fn zero() -> usize { 0 }

Destructuring follows the same pattern, which helps with tuple and struct returns. Check the changelog for smaller fixes such as better error messages and solver stability.
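A worked example of the new binder form, added here and not taken from the post or the Creusot project. The spec attributes are wrapped in `cfg_attr(creusot, ...)`, assuming Creusot sets the `creusot` cfg when it drives rustc, so the file also builds and runs under plain rustc; the exact `|(q, r)|` destructuring syntax and the `@` model operator on slices are assumed from the post's description.

```rust
// Added example: Creusot 0.11.0-style explicit binders in postconditions.
// The contracts are gated behind cfg(creusot) (assumed to be the cfg
// Creusot enables), so plain `rustc`/`cargo test` ignore them entirely.
#[cfg(creusot)]
use creusot_contracts::*;

/// Euclidean division by repeated subtraction.
/// The postcondition destructures the returned tuple into `(q, r)` rather
/// than writing `result.0` / `result.1` as the pre-0.11.0 implicit binder forced.
#[cfg_attr(creusot, requires(d@ > 0))]
#[cfg_attr(creusot, ensures(|(q, r)| q@ * d@ + r@ == n@ && r@ < d@))]
fn div_mod(n: usize, d: usize) -> (usize, usize) {
    let mut q: usize = 0;
    let mut r: usize = n;
    // Loop invariant ties the running quotient/remainder to the input.
    #[cfg_attr(creusot, invariant(q@ * d@ + r@ == n@))]
    while r >= d {
        r -= d;
        q += 1;
    }
    (q, r)
}

/// Named (non-destructured) binder: `|m|` replaces the implicit `result`,
/// which reads better when the spec compares several quantities.
#[cfg_attr(creusot, ensures(|m| m@ <= a@ && m@ <= b@ && (m@ == a@ || m@ == b@)))]
fn min_usize(a: usize, b: usize) -> usize {
    if a <= b { a } else { b }
}

/// Binder over a slice-derived result: the returned index, if any, is in
/// bounds and points at the first occurrence of `needle`.
#[cfg_attr(creusot, ensures(|idx| match idx {
    Some(i) => i@ < hay@.len() && hay[i] == needle,
    None => true,
}))]
fn find_first(hay: &[u8], needle: u8) -> Option<usize> {
    let mut i: usize = 0;
    #[cfg_attr(creusot, invariant(i@ <= hay@.len()))]
    while i < hay.len() {
        if hay[i] == needle {
            return Some(i);
        }
        i += 1;
    }
    None
}

fn main() {
    // Constructed inputs; the same calls are checked in the test.
    println!("{:?} {} {:?}", div_mod(17, 5), min_usize(7, 3), find_first(b"creusot", b'u'));
}
```

Under Creusot the same file is checked with `cargo creusot`, which discharges the contracts through Why3; the `cargo test` run only exercises the executable behaviour.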

A new site at creusot.rs lays out features, resources, and papers. Creusot translates Rust to Why3 and hands the resulting proof obligations to provers like Z3 or CVC5. It checks memory safety, absence of panics, and user-written specifications.

Implications for Rust Developers

Rust powers 2.5 million crates on crates.io, but bugs persist—recall the 2022 tokio async flaw or servo renderer overflows. Creusot targets that gap. The VerifyThis win boosts credibility; expect integrations with Cargo and IDEs.

Tradeoffs remain: Proofs demand expertise. A simple function might need 20 lines of annotations. Yet for kernels (e.g., Redox OS), embedded crypto, or DeFi protocols, it’s invaluable. Next release teases bigger concurrency tools—watch for std lib proofs landing.

Bottom line: Creusot matures fast. If you write safety-critical Rust, clone the repo and try the examples. It won’t replace tests, but pairs well with them for zero-downtime confidence.

April 20, 2026 · 3 min · 5 views · Source: Lobsters