Verified Rust for low-level systems code

After running Verus with the below example, Z3 gives unknown with (:reason-unknown "(incomplete quantifiers)"). I am wondering if this behavior is expected.

fn test_n(n: nat) {
    assert(n >= 5);      // FAILS
}

I expected to see sat for this example but I was a bit surprised to see unknown. @jaybosamiya and I looked into the prelude a bit and found the prelude itself ends in unknown. There are several axioms that give unknown itself. For example, the first assert in the prelude also gives unknown.

;; ... 
;; set-option & declaration 
;; ...

(assert
 (=>
  fuel_defaults
  (forall ((id FuelId)) (!
    (= (fuel_bool id) (fuel_bool_default id))
    :pattern ((fuel_bool id))
))))
(check-sat)      ;; this gives unknown

Span often makes it much harder to read VIR logs. This pull request adds --vir-log-config command line argument to make Verus optionally include span in VIR logs.

When vir-log-config is 0(Default), it logs all but span. when it is 1, it logs all items (as the current version does)

I was trying to implement an exec mode map, Dict. This PR is not done as some of the methods like remove are not implemented yet. Please let me know whether a Dict is expected to be included in pervasive and I am happy to continue working on this PR and contribute to verus.

Hello! I have a question about a potential QI (performance) issue in Verus.

Consider this snippet of Verus code:

spec fn abs(a: int) -> int
{
    if a >= 0 {
        a
    } else {
        -a
    }
}

#[verifier(nonlinear)]
proof fn equal_square_auto()
    ensures forall |a: int, b: int| a * a == b * b ==> abs(a) == abs(b)
{}

#[verifier(nonlinear)]
proof fn equal_square_auto2()
    ensures forall |a: int, b: int| a * a == b * b ==> abs(a) == abs(b)
{}

proof fn fact(a: int)
    requires a * a == 1
    ensures a == 1 || a == -1
{
    equal_square_auto();
    assert(abs(a) == abs(1));
}

where I have two auto lemmas equal_square_auto and equal_square_auto2 with exactly the same statement. And then in the fact proof function I’m using only the first lemma to prove something.

However, running rust_verify with --profile-all shows that both lemmas get instantiated:

note: Observed 20 total instantiations of user-level quantifiers

note: Cost * Instantiations: 448 (Instantiated 16 times - 80% of the total, cost 28) top 1 of 2 user-level quantifiers.
  --> test.rs:20:56
   |
20 |     ensures forall |a: int, b: int| a * a == b * b ==> abs(a) == abs(b)
   |             -------------------------------------------^^^^^^----^^^^^^
   |             |
   |             Triggers selected for this quantifier

note: Cost * Instantiations: 16 (Instantiated 4 times - 20% of the total, cost 4) top 2 of 2 user-level quantifiers.
  --> test.rs:25:56
   |
25 |     ensures forall |a: int, b: int| a * a == b * b ==> abs(a) == abs(b)
   |             -------------------------------------------^^^^^^----^^^^^^
   |             |
   |             Triggers selected for this quantifier

Furthermore, when I look at the terms used for instantiation of the first lemma equal_square_auto, it actually uses the skolem constants of the second lemma equal_square_auto2 (which should be out of context).

Then I was trying to read the SMT query for this function, and the relevant parts look like this:

;; Function-Axioms crate::equal_square_auto
(declare-fun ens%equal_square_auto. () Bool)
(assert
 (= ens%equal_square_auto. (forall ((a~10$ Poly) (b~12$ Poly)) (!
    (=>
     ...
     (=>
      (= (Mul (%I a~10$) (%I a~10$)) (Mul (%I b~12$) (%I b~12$)))
      (= (abs.? a~10$) (abs.? b~12$))
    ))
    :pattern ((abs.? a~10$) (abs.? b~12$))
    :qid user_crate__equal_square_auto_0
    :skolemid skolem_user_crate__equal_square_auto_0
))))

;; Function-Axioms crate::equal_square_auto2
(declare-fun ens%equal_square_auto2. () Bool)
(assert
 (= ens%equal_square_auto2. (forall ((a~10$ Poly) (b~12$ Poly)) (!
    (=>
     ...
     (=>
      (= (Mul (%I a~10$) (%I a~10$)) (Mul (%I b~12$) (%I b~12$)))
      (= (abs.? a~10$) (abs.? b~12$))
    ))
    :pattern ((abs.? a~10$) (abs.? b~12$))
    :qid user_crate__equal_square_auto2_1
    :skolemid skolem_user_crate__equal_square_auto2_1
))))


; the actual VC
(assert
  (=>
   %%query%%
   (not (=>
     ens%equal_square_auto.
     ....

I think what’s happening here is that Z3 somehow matched the patterns abs(...) of the first lemma on the subterms of the skolemized version of the second (unused) lemma.

I do not believe this opens to any potential unsoundness, especially because it's already possible to write a non-terminating recursive exec function with a loop.

Reported by @matthias-brun.

This introduces the Invariant<V> proof type and the open_invariant feature.

Invariant<V> (defined in pervasive/invariants.rs) is defined to have two methods:

#[proof]
impl<V> Invariant<V> {
    #[verifier(pub_abstract)]
    #[spec]
    pub fn inv(&self, _v: V) -> bool

    #[verifier(pub_abstract)]
    #[spec]
    pub fn namespace(&self) -> int
}

The inv, of course, specifies what the invariant actually is, while namespace helps us ensure we don't open more than one invariant at once.

The open_invariant feature is used like this:

  #[proof] let i : Invariant<V> = ...

  open_invariant!(&i => inner => {
    // assume that i.inv(inner) holds at the beginning
    // ...
    // assert that i.inv(inner) holds at the end
  });

Rust -> VIR

The open_invariant! macro is defined as follows:

#[macro_export]
macro_rules! open_invariant {
    ($eexpr:expr => $iident:ident => $bblock:block) => {
        #[verifier(invariant_block)] {
            #[allow(unused_mut)] let (guard, mut $iident) = crate::open_invariant_begin($eexpr);
            $bblock
            crate::open_invariant_end(guard, $iident);
        }
    }
}

When Verus sees the #[verifier(invariant_block)] attribute, it checks that the AST is EXACTLY the code that would be generated by the macro, to make sure the user doesn't cheat. It then converts it into an OpenInvariant node in VIR.

Modes

The Invariant<V> must of course be a proof variable. Right now, all code inside the invariant block is expected to be proof code, although later we will add the ability to have a single atomic exec instruction. We check the control flow to make sure it is not possible to early-exit out of an invariant block.

Verification conditions

Generating asserts and assumes for i.inv(inner) is the easy part.

The more interesting part is to make sure the user does not open the same invariant twice. It is occasionally useful to open more than one invariant at once. In LinearDafny, this ability is very restricted: nested invariants must be right next to each other. To enforce this, we also require that invariants may only be opened in a non-ghost method, and only ghost code can be inside the invariant (so you can't have nested invariant across method boundaries).

To support nested invariants more generally, the user can declare on a function what invariants it may open. The default is that an exec fn can open any invariant, while a proof fn cannot open any invariant. However, the user can override this with opens_invariants_any() or opens_invariants_none() in the header of a function.

I also added headers for opens_invariants(..) and opens_invariants_except(..) so the user can specify an arbitrary set. However, these aren't implemented right now.

See vir/src/inv_masks.rs for details on the VC generation. I aimed to not have it generate any extra VCs in the common case.

Error messages

Here are some example error messages (rust_verify/example/invariants.rs):

Verifying root module
error: possible invariant collision
  --> rust_verify/example/invariants.rs:37:20
   |
37 |   open_invariant!(&i => inner => {
   |                    ^ this invariant
38 |     open_invariant!(&i => inner2 => {
   |                      ^ might be the same as this invariant

error: Cannot show invariant holds at end of block
  --> rust_verify/example/invariants.rs:57:34
   |
57 |     open_invariant!(&i => inner => {
   |  __________________________________^
58 | |     inner = 1;
59 | |   });
   | |___^

error: callee may open invariants disallowed at call-site
  --> rust_verify/example/invariants.rs:94:20
   |
94 |   open_invariant!(&i => inner => {
   |                    ^ invariant opened here
95 |     callee_mask_full(); // ERROR
   |     ^^^^^^^^^^^^^^^^^^ might be opened again in this call

error: Cannot show invariant namespace is in the mask given by the function signature
   --> rust_verify/example/invariants.rs:100:20
    |
100 |   open_invariant!(&i => inner => { // ERROR
    |                    ^ invariant opened here

error: aborting due to 4 previous errors; 1 warning emitted

Outstanding issues

• The way that the Invariant<V> type, as well as the inv and namespace functions, is kind of jank.
  • The SST -> AIR conversion actually hardcode the names of the inv and namespace functions (which are in pervasive), but arguably Invariant should be a special type in VIR, with inv and namespace being special nodes, so that the VIR is self-contained, and so that all name-hardcoding happens in the rust -> VIR conversion.
  • ~There's a bug where the AIR function declarations for the inv and namespace don't even get generated if the user doesn't explicitly reference them.~ This is now fixed.

Things to handle in later PRs:

• Need to implement the more general headers for specifying which invariants a function might open.
• Need to add a notion of an atomic instruction.

According to https://github.com/secure-foundations/verus/issues/167, I was trying to implement a Map-like struct for exec mode. I checked how vec is implemented and was trying to implement a dict as a wrapper around std::HashMap. However, when I define the dict struct with generics, it seems that I cannot specify bounds. More details below:

xudongs@xudongs-a01:~/verus/source:$ cat rust_verify/example/myexample.rs                   
#[verifier(external_body)]
pub struct Dict<#[verifier(maybe_negative)] K: std::cmp::Eq + std::hash::Hash, #[verifier(strictly_positive)] V> 
{
    pub dict: std::collections::HashMap<K, V>,
}

fn main() { }

xudongs@xudongs-a01:~/verus/source:$ ./tools/rust-verify.sh rust_verify/example/myexample.rs
error: not yet supported: bounds on datatype parameters
  --> rust_verify/example/myexample.rs:21:1
   |
21 | / pub struct Dict<#[verifier(maybe_negative)] K: std::cmp::Eq + std::hash::Hash, #[verifier(strictly_pos...
22 | | {
23 | |     pub dict: std::collections::HashMap<K, V>,
24 | | }
   | |_^

error: aborting due to previous error

I have also tried to use where clause to specify bounds but where is not supported as well.

Could you please let me know what is the best way for me to specify bounds since it is necessary to implement a wrapper around HashMap? If this can work I am happy to implement a dict for exec mode and send a PR if it is needed.

Hi Verus developers,

Thanks for building verus and I am currently using it to verify some programs I wrote before. But I encountered some confusing errors and need some help from you.

I was running verus (./tools/rust-verify.sh rust_verify/example/myexample.rs) on the following program:

#[allow(unused_imports)]
mod pervasive;
use pervasive::map::*;

#[exec]
pub enum Myenum {
    S1,
    S2,
}

#[exec]
pub fn myfun(map: Map<i32, i32>) -> Myenum {
    if map.dom().contains(10) {
        return Myenum::S1;
    } else {
        return Myenum::S2;
    }
}

#[exec]
fn main() { }

and verus reports the error

error: expression has mode proof, expected mode exec
  --> rust_verify/example/mini.rs:14:16
   |
14 |         return Myenum::S1;
   |                ^^^^^^^^^^

error: aborting due to previous error

If I remove the usage of Map, the error will disappear. I am confused about why this error can happen as I have annotated every function and every enum with exec as shown in the code, and why it is related to the pervasive::map. I have read this doc: https://github.com/secure-foundations/verus/blob/main/source/docs/design/modes.md but still do not know what is the root cause of the error. Could you please let me know what is the best way to address this error?

Thank you

Flesh out the trusted wrapper around std::sync::Atomic

There are a few things we can't yet support:

• compare_exchange(_weak) because Verus doesn't yet support Result
• fetch_nand because (as far as I can tell) Verus doesn't support bitwise negation

There are - fundamentally - two different kinds of "proof" objects. One kind is basically like a normal struct, except that it gets erased. With such types, you build up a "struct" of smaller proof objects.

The other kind is the "base" objects that represent permissions or some other fancy thing, e.g., Permission. To make it easier to handle this second type, I added an attribute #[verifier(unforgeable)] to declare such types.

The rules:

• An unforgeable datatype must be proof.
• An unforgeable datatype can only have spec fields.
• You cannot call a constructor of an unforgeable datatype (in proof mode)
• You cannot modify a field of an unforgeable datatype.

Here, I add the attribute, implement these rules, and add tests. Although, it doesn't look like there is any support at all for field updates yet, so there was nothing to do for the last step.

It only counts instantiations, and reports counts for builtin/internal quantifiers.

It is intended, mainly, to find potential issues with internal quantifiers, not as a tool for the end user.

Sample output:

note:  1. Quantifier constructor_accessor_axiom, instantiations: 144041
          at: datatype#225, instantiations: 31253
          at: datatype#63, instantiations: 14099
          at: datatype#54, instantiations: 14099
          at: datatype#57, instantiations: 14099
          at: datatype#60, instantiations: 14099
          at: datatype#235, instantiations: 8070
          at: datatype#232, instantiations: 8070
          at: datatype#21, instantiations: 3790
          at: datatype#216, instantiations: 2628
          at: datatype#219, instantiations: 2628
          at: datatype#138, instantiations: 1673
          at: datatype#126, instantiations: 1673
          at: datatype#144, instantiations: 1673
          at: datatype#135, instantiations: 1673
          at: datatype#141, instantiations: 1673
          at: datatype#147, instantiations: 1673
          at: datatype#129, instantiations: 1673
          at: datatype#132, instantiations: 1673
          at: datatype#69, instantiations: 1649
          at: datatype#96, instantiations: 1319
          at: datatype#99, instantiations: 1319
          at: datatype#93, instantiations: 1319
          at: datatype#203, instantiations: 1180
          at: datatype#200, instantiations: 1180
          at: datatype#36, instantiations: 1126
          at: datatype#39, instantiations: 1126
          at: datatype#42, instantiations: 1126
          at: datatype#45, instantiations: 1126
          at: datatype#27, instantiations: 692
          at: datatype#82, instantiations: 348
          at: datatype#85, instantiations: 348
          at: datatype#193, instantiations: 270
          at: datatype#163, instantiations: 270
          at: datatype#181, instantiations: 270
          at: datatype#187, instantiations: 270
          at: datatype#190, instantiations: 270
          at: datatype#178, instantiations: 270
          at: datatype#175, instantiations: 270
          at: datatype#169, instantiations: 270
          at: datatype#184, instantiations: 270
          at: datatype#172, instantiations: 270
          at: datatype#166, instantiations: 270
          at: datatype#75, instantiations: 261
          at: datatype#15, instantiations: 168
          at: datatype#209, instantiations: 164
          at: datatype#110, instantiations: 79
          at: datatype#113, instantiations: 79
          at: datatype#107, instantiations: 79
          at: datatype#255, instantiations: 73
          at: datatype#252, instantiations: 73
          at: datatype#242, instantiations: 9
          at: datatype#245, instantiations: 9

note:  2. Quantifier prelude_u_clip, instantiations: 9315
          at: #9430!2, instantiations: 9315

note:  3. Quantifier prelude_unbox_box_bool, instantiations: 8348
          at: #62, instantiations: 8348

note:  4. Quantifier prelude_unbox_box_int, instantiations: 6871
          at: #68, instantiations: 6871

note:  5. Quantifier internal_pervasive.seq.Seq.index.?_pre_post_definition, instantiations: 5850
          at: #9587!3, instantiations: 5850

note:  6. Quantifier prelude_nat_clip, instantiations: 5063
          at: #10394!2, instantiations: 5063

note:  7. Quantifier prelude_box_unbox_int, instantiations: 3221
          at: #90!1, instantiations: 3221

[...]

note: 19. Quantifier user_crate__aux_defs__Arch__inv_57, instantiations: 1286
          at: #32797!6, instantiations: 532
          at: #21116!1, instantiations: 243
          at: #23942!1, instantiations: 243
          at: #63864!1, instantiations: 114
          at: #64985!1, instantiations: 73
          at: #62422!1, instantiations: 57
          at: #39736!1, instantiations: 22
          at: #37492!1, instantiations: 2
   --> verified-nrkernel/page-table/aux_defs.rs:313:24
    |
311 |           &&& self.layers.len() <= MAX_NUM_LAYERS
    |  _____________-
312 | |         &&& forall|i:nat|
313 | |             #![trigger self.entry_size(i)]
    | |                        ^^^^^^^^^^^^^^^^^^
314 | |             #![trigger self.num_entries(i)]
    | |                        ^^^^^^^^^^^^^^^^^^^
...   |
318 | |                 &&& self.entry_size_is_next_layer_size(i)
319 | |             }
    | |_____________- Triggers selected for this quantifier

note: 20. Quantifier internal_crate__pt_impl__l2_impl__GhostPageDirectoryEntry_box_axiom_definition, instantiations: 1281
          at: #1351, instantiations: 1281

This wrongly passes mode-checking (it actually fails due to an unrelated erasure error, but this issue isn't about that):

struct Foo {
    #[spec] a: u64,
    #[proof] b: u64,
}

#[proof]
fn some_call(#[spec] x: u64, #[proof] y: u64) { }

#[proof]
fn t() {
    #[proof] let foo = Foo { a: 5, b: 6 };
    #[proof] let Foo { b, a } = foo;

    some_call(b, a);
}

Meanwhile, this wrongly gives an error:

#[proof]
fn t() {
    #[proof] let foo = Foo { a: 5, b: 6 };
    #[proof] let Foo { b, a } = foo;

    some_call(a, b);
}

error: expression has mode spec, expected mode proof
  --> test_pat_destruct.rs:26:18
   |
26 |     some_call(a, b);
   |                  ^

It looks like mode-checking doesn't handle let Foo { b, a } correctly because the order of its fields are wrong.

(Initial, incomplete commit for draft pull request) This completely changes the way Verus erases ghost code for compilation and the way Verus checks tracked variable lifetimes in ghost code. In the long run, this should allow us to completely replace the old ghost code erasure with the proposed ghost block extension to rustc. In the short run, this should allow us to replace the old ghost code erasure with a macro-based erasure that would remove the last major dependency on our fork of rustc, hopefully allowing us to use a standard rustc build. It also simplifies the way programmers use tracked variables (at least compared to the current rules for tracked).

I'll first review the old erasure mechanism, then discuss the long-term proposal, then the short-term proposal.

Note: lifetime_generate.rs is still incomplete in this draft commit.

Old Erasure Mechanism

The old mechanism was based on the observation that only exec code gets compiled, and only exec and proof code get borrow checked:

exec/proof/spec code --> type-check, mode-check
exec/proof code      --> type-check, mode-check --> lifetime (borrow) check
exec code            --> type-check, mode-check --> lifetime (borrow) check --> compile

Based on this, the old mechanism erased spec code after type checking and then erased proof code after lifetime checking, leaving only exec code at the end to compile. However, while this erasure was simple in principle, it was difficult to erase code in Rust's HIR/THIR/MIR formats without making major changes to rustc. Therefore, the actual implementation ran rustc three times, erasing different amounts of code near the rustc front end (in Rust's AST format) in each of the three runs. This had many drawbacks:

1. Running rustc multiple times was slow. In particular, users only get verification feedback after the 2nd run, doubling the startup latency for verification.
2. Mode checking operated on Rust HIR, while ghost code erasure operated on Rust AST. To connect AST to HIR, we used spans, which was a hack.
3. We needed our own fork of rustc.
4. Running rustc three times with slightly different AST meant that type inference was not always consistent between the three runs. Users often had to add extra type annotations to make sure that type checking succeeded in all three runs.

Ghost blocks

There has been a recent proposal to add ghost code as a Rust feature. This proposal is syntactic: ghost code is marked explicitly in the source code by writing the ghost code in "ghost blocks". In addition, ghost variables may be represented using new types (e.g. x: Ghost<t> instead of ghost x: t). This proposal would have the advantage of requiring only one run of rustc, rather than three.

To prepare for this proposal, Verus has been switching over the last year to a more coarse-grained, syntactic style of expressing ghost code. For example, calls from exec code to proof lemmas are now written inside of explicit proof blocks. In fact, the syntactic distinction between exec and non-exec code may help make the code more readable. However, we've also moved to a style that syntactically distinguishes between proof code and spec code, and this seems to be just annoying. In particular, proof (tracked) arguments to functions have to be marked as tracked, as in let z = f(tracked x, tracked y); rather than just let z = f(x, y);. The mode checker can easily infer these tracked annotations, but unfortunately, the mode checking runs after the syntactic splitting into exec/proof/spec code, when it's too late for the mode inference to help:

all code --> split into exec/proof/spec --> type-check, mode-check --> lifetime (borrow) check --> compile

Long-term proposal

To make programming in Verus more pleasant, this pull request reduces the reliance on syntax to distinguish between the different code modes. Syntax is used to distinguish between exec and non-exec code (e.g. by using proof blocks), but not to distinguish between proof and spec code inside a proof block. This allows programmers to write let z = f(x, y); rather than let z = f(tracked x, tracked y);.

This pull request assumes the simplest possible treatment of lifetime checking for non-exec code in the new ghost code Rust proposal: it assumes that the proposal skips lifetime checking of non-exec code entirely. This means that Verus needs to have a separate way to check lifetimes of proof code. This separate checking is the main purpose of this pull request. Roughly, this separate checking looks like the following:

all code --> split into exec/non-exec --> type-check, mode-check --+--> lifetime (borrow) check exec code --> compile
                                                                   |
                                                                   +--> lifetime (borrow) check proof code

In this design, rustc performs type checking of all code, Verus performs mode checking of all code, rustc performs lifetime checking and compilation of exec code, and Verus performs lifetime checking of proof code. (Verus will only need to check proof code that manipulates tracked data; proofs that work only on spec data trivially satisfy lifetime constraints.)

This pull request implements Verus's lifetime checking for proof code. This checking no longer uses erase.rs and erase_rewrite.rs; these will eventually be deleted entirely. Instead, the checking works by constructing synthetic Rust code to abstractly represent the various actions that the proof code performs, such as variable declarations, function calls, and pattern matching. It then sends this synthetic code to a separate invocation of rustc. (We could also consider using some other checker, such as Polonius, although generating synthetic Rust code is fairly easy.) Since this synthetic code generation occurs after mode inference, it can use the infered modes to guide the synthetic code generation.

This approach should solve the drawbacks listed above:

1. It only requires running rustc once on the original source code. (It does internally invoke rustc a second time, but only on a relatively small amount of synthetic code with no macros. Furthermore, when verifying only one function at a time, we could configure Verus to only run the lifetime checking only on the function being verified.)
2. Both the mode checking and proof lifetime checking operate on Rust HIR/THIR, not on Rust AST. There's no need to connect AST to HIR with spans.
3. Assuming the ghost code proposal becomes part of Rust, there will be no need to use our own fork of rustc. (Until this happens, we might need our own fork of rustc to implement the ghost code proposal. However, see the short-term proposal below for a way to use the standard rustc even without the ghost code proposal.)
4. Type checking happens only once, so there's no chance for multiple runs of rustc to encounter different type inference results. Full type information is available to when generating the synthetic code, so it doesn't need to rely on type inference.

Short-term proposal

The long-term proposal relies on the ghost code proposal being implemented and adopted. Before that happens, we can still use this pull request's proof-mode lifetime checking in a slightly hackier way to get some of the benefits of the long-term proposal. In particular, the short-term proposal should be able to run with standard rustc, without relying on a separate fork of rustc, and the short-term proposal will allow programmers to write let z = f(x, y); rather than let z = f(tracked x, tracked y);. The short-term proposal still requires running rustc multiple times on the original source code, although only twice instead of three times:

exec code --> type-check, mode-check --> lifetime (borrow) check exec code --> compile

all code --> type-check, mode-check --+
                                      |
                                      +--> lifetime (borrow) check proof code

To avoid needing a fork of rustc, the short-term proposal uses the syntax macro to erase non-exec code, rather than relying on erase.rs and erase_rewrite.rs.

This pull request implements the short-term proposal in its entirety (when using the new command-line option --erasure macro), except that there are still a few leftover unrelated dependencies of Verus on our rustc fork, so it doesn't completely get us off the fork. But the remaining dependencies should be relatively easy to remove.

Possible alternative (even longer-term): MIR rewriting

There may be other ways to implement erasure and lifetime checking for Verus. For example, if rustc exposes an official interface to read and transform "stable" MIR code, we might be able to use MIR transformation to erase spec code and proof code. However, this support is likely to be further in the future. It would also mean we'd have to perform MIR transformations based on HIR mode checking, although we might be able to rerun the mode checking at the MIR level. I think we should continue to think about alternatives like this, but my hope is that this pull request can improve our lives in the short term regardless of future alternatives.

Ghost types

Right now, our ghost types (Ghost<T> and Tracked<T>) are somewhat annoying because programmers have to explicitly dereference them to retrieve the underlying T ghost value. This is an orthogonal issue to this pull request, and this pull request does not address it. However, as part of the long-term solution above, but separately from this pull request, we could try to integrate some automatic dereferencing of ghost types into the ghost code proposal, so that the Rust type checker could automatically add the necessary dereferencing. As far as I recall, something like this was part of the original discussion for ghost code, although I don't think the details were ever settled.

Implementation details

Order of operations: long-term proposal

As discussed above, in the long-term proposal, rustc would only run once on the original source code. Here's what would happen during that one run:

1. Parsing, AST construction, macro expansion (including the Verus syntax macro)
2. Rust AST -> HIR
3. Rust's type checking
4. Rust HIR/THIR -> MIR conversion
5. Rust's lifetime/borrow checking for non-ghost (exec) code
6. Verus HIR/THIR -> VIR conversion
7. Verus mode checking
8. Verus lifetime/borrow checking for proof code (by generating synthetic code and running rustc)
9. Verus SMT solving
10. Rust compilation to machine code (if --compile is set)

Order of operations: short-term proposal

The order of operations in the short-term proposal is a little messier because we have to run rustc twice on the original source code, once erasing ghost code and once keeping ghost code. This causes some tension in the order of operations: it would be cleanest to run one rustc invocation entirely, and then the other entirely, but this would be slow. For example, if we ran the ghost-erase rustc and then the ghost-keep rustc, then the user would receive no feedback about verification until parsing and macro expansion for both rustc invocations had completed. On the other hand, if we ran the ghost-keep rustc and then the ghost-erase rustc, the user would receive no feedback about lifetime/borrow checking errors in exec functions until verification had completed. So for better latency, the implementation interleaves the two rustc invocations (marked GHOST for keeping ghost and EXEC for erasing ghost):

1. GHOST: Parsing, AST construction, macro expansion (including the Verus syntax macro, keeping ghost code)
2. GHOST: Rust AST -> HIR
3. GHOST: Rust's type checking
4. GHOST: Verus HIR/THIR -> VIR conversion
5. GHOST: Verus mode checking
6. GHOST: Verus lifetime/borrow checking for both proof and exec code (by generating synthetic code and running rustc), but delaying any lifetime/borrow checking error messages until EXEC has a chance to run
7. GHOST: If there were no lifetime/borrow checking errors, run Verus SMT solving
8. EXEC: Parsing, AST construction, macro expansion (including the Verus syntax macro, erasing ghost code)
9. EXEC: Rust AST -> HIR
10. EXEC: Rust's type checking
11. EXEC: Rust HIR/THIR -> MIR conversion
12. EXEC: Rust's lifetime/borrow checking for non-ghost (exec) code
13. GHOST: If there were no EXEC errors, but there were GHOST lifetime/borrow checking errors, print the GHOST lifetime/borrow checking errors
14. EXEC: Rust compilation to machine code (if --compile is set)

To avoid having to run the EXEC lifetime/borrow checking before verification, which would add latency before verification, the short-term implementation takes advantage of the synthetic-code lifetime/borrow checking to perform a quick early test for lifetime/borrow checking on all code (even pure exec code). If this detects any lifetime/borrow errors, the implementation skips verification and gives the EXEC rustc a chance to run, on the theory that the EXEC rustc will generate better error messages for any exec lifetime/borrow errors. The GHOST lifetime/borrow errors are printed only if the EXEC rustc finds no errors. Note that the long-term proposal avoids this complex interleaving; rustc only runs once on the original source code, and it naturally prints the regular exec lifetime/borrow checking errors first without so much effort. The long-term proposal also doesn't require the synthetic code generation for all functions; it only requires it for proof code.

Synthetic code generation

The --log-all or --log-lifetime options will print the generated synthetic code for lifetime/borrow checking to a file in the .verus-log directory. For the following example source code:

struct S {
}

spec fn fspec(i: u32, s1: S, s2: S) -> u32 {
    i
}

proof fn fproof(i: u32, tracked s1: S, tracked s2: S) -> u32 {
    i
}

fn fexec(i: u32, s1: S, s2: S) -> u32 {
    i
}

proof fn test_proof(i: u32, tracked s: S) {
    let j = fspec(i, s, s);
    let k = fproof(i, s, s);
}

fn test_exec(i: u32, s: S)
    requires i < 100
{
    proof {
        let j = fspec(i, s, s);
        let k = fproof(i, s, s);
    }
    let k = fexec(i, s, s);
    let n = fexec(i, s, s);
}

the following crate-lifetime.rs file is generated when logging is enabled:

#![allow(non_camel_case_types)]
fn f<A, B>(a: A) -> B { unimplemented!() }
fn notdet() -> bool { unimplemented!() }

struct T_0_S {
}

fn x_3_f_fexec_3(
    x_1_i: u32,
    x_4_s1: T_0_S,
    x_5_s2: T_0_S,
) -> u32
{
    x_1_i
}

fn x_8_f_test_proof_8(
    x_6_s: T_0_S,
)
{
    f::<_, u32>((x_6_s, x_6_s, ));
}

fn x_12_f_test_exec_12(
    x_1_i: u32,
    x_6_s: T_0_S,
)
{
    {
        f::<_, u32>((x_6_s, x_6_s, ));
    };
    let x_9_k = f::<_, u32>((x_1_i, x_6_s, x_6_s, ));
    let x_10_n = f::<_, u32>((x_1_i, x_6_s, x_6_s, ));
}

Note that the synthetic code erases all spec code, keeping only exec and proof code. Also note that the synthetic code is simpler than the original source code in various ways, keeping only what's necessary for lifetime/borrow checking. For example, all function calls are redirected to the same function f, which takes the function arguments as a tuple.

Error reporting

As discussed in the order of operations above, the implementation lets rustc print any exec-mode lifetime/borrow errors first. In the example above, this results in the following output:

error[E0382]: use of moved value: `s`
   --> .\rust_verify\example\features.rs:210:25
    |
203 | fn test_exec(i: u32, s: S)
    |                      - move occurs because `s` has type `S`, which does not implement the `Copy` trait
...
210 |     let k = fexec(i, s, s);
    |                      -  ^ value used here after move
    |                      |
    |                      value moved here

error[E0382]: use of moved value: `s`
   --> .\rust_verify\example\features.rs:211:22
    |
203 | fn test_exec(i: u32, s: S)
    |                      - move occurs because `s` has type `S`, which does not implement the `Copy` trait
...
210 |     let k = fexec(i, s, s);
    |                         - value moved here
211 |     let n = fexec(i, s, s);
    |                      ^ value used here after move

error[E0382]: use of moved value: `s`
   --> .\rust_verify\example\features.rs:211:25
    |
203 | fn test_exec(i: u32, s: S)
    |                      - move occurs because `s` has type `S`, which does not implement the `Copy` trait
...
211 |     let n = fexec(i, s, s);
    |                      -  ^ value used here after move
    |                      |
    |                      value moved here

error: aborting due to 3 previous errors

If we change the example by commenting out the exec-mode error lines, then we will see the ghost-mode lifetime/borrow errors from the synthetic code:

error: use of moved value: `s`
   --> .\rust_verify\example\features.rs:198:37
    |
198 | proof fn test_proof(i: u32, tracked s: S) {
    |                                     ^
199 |     let j = fspec(i, s, s);
200 |     let k = fproof(i, s, s);
    |                       ^  ^

error: use of moved value: `s`
   --> .\rust_verify\example\features.rs:203:22
    |
203 | fn test_exec(i: u32, s: S)
    |                      ^
...
208 |         let k = fproof(i, s, s);
    |                           ^  ^

error: aborting due to 2 previous errors

The error messages here aren't quite as detailed, but hopefully they should be adequate. The ghost-mode messages are generated by running rustc on the synthetic code, with rustc configured to generate errors in JSON format, capturing the JSON errors and parsing them to retrieve the line/column information and error messages, converting the synthetic line/column information back into spans for the original source code, and then sending the error messages and spans to the rustc diagnostics for the original source code. It's possible that if we used, say, Polonius, instead of rustc, to do the lifetime/borrow checking, we wouldn't have to jump through so many hoops to manage the line/column/span information in the errors, but I haven't looked into this.

This code

#![allow(unused_imports)]
use builtin::*;
use builtin_macros::*;

verus! {
pub const RC_WIDTH: nat = 4 as nat;
}

fn main() { }

results in

error[E0605]: non-primitive cast: `i32` as `builtin::nat`
 --> rust_verify/example/scache/testcase.rs:6:27
  |
6 | pub const RC_WIDTH: nat = 4 as nat;
  |                           ^^^^^^^^ an `as` expression can only be used to convert between primitive types or to coerce to a specific trait object

error: aborting due to previous error

For more information about this error, try `rustc --explain E0605`.
verification results:: verified: 0 errors: 0

This ought to fail the type well-founded-recursion-checking, but it doesn't:

struct Qux<T> {
    t: T,
}

struct Bar<T> {
    s: Box<Set<Qux<T>>>,
}

struct Foo {
    bar: Bar<Foo>,
}

e.g. you can do the usual russell's paradox set-of-sets-that-do-not-contain themselves:

proof fn prove_false()
    ensures false
{
    let s = Set::<Qux<Foo>>::new(
        |qux: Qux<Foo>| !qux.t.bar.s.contains(qux)
    );
    let qux = Qux{ t: Foo { bar: Bar { s: box s } } };
    assert(qux.t.bar.s.contains(qux));
    assert(!qux.t.bar.s.contains(qux));
    assert(false);
}

This PR simply changes the path for Box::new(), from std::box::Box::<T>::new to std::boxed::Box::<T>::new

Just for context: When I was using Box::new(), I encountered the error below.

error: `alloc::boxed::{impl#0}::new` is not supported (note: currently Verus does not support definitions external to the crate, including most features in std)

After correcting the path, this issue seems to be resolved.

The program

pub struct Lock {}

#[is_variant]
pub enum OptionX<T> {
    NoneX,
    SomeX(T)
}

pub fn what_is_wrong() -> bool
{
    let opt_lock = OptionX::SomeX(Lock{});
    let lock = opt_lock.get_SomeX_0();   // This line triggers panic
    true
}

gives the error:

thread 'rustc' panicked at 'internal error: expected Some(Expr) src/linear/linear.rs:60:16: 60:38 (#23505)', rust_verify/src/erase.rs:431:28

Mode-checking algorithm should catch this and present a nicer error message.