How do I install Verus and set it up with my Rust project?

Follow the installation instructions in the README, which involve setting up the toolchain and solvers; the Verus Playground offers a browser-based option for quick experimentation without local setup.

What Rust features are not supported by Verus?

Verus supports a growing but limited subset of Rust; unsupported features likely include certain macros, advanced traits, and external crates. Check the documentation or Zulip for current compatibility details.

Verus vs Rust's borrow checker: what's the difference in safety guarantees?

Rust's borrow checker ensures memory safety at compile time, while Verus allows formal proofs of functional correctness for low-level and concurrent code, going beyond memory safety to verify specific behaviors.

How to write a formal specification for a simple function in Verus?

Use Verus's syntax to define preconditions, postconditions, and invariants; the tutorial provides examples, such as specifying that a function returns a non-negative integer or maintains data structure invariants.

Can Verus verify concurrent algorithms like mutexes or lock-free data structures?

Yes, Verus has specialized support for concurrent code verification, as outlined in the state machines guide, allowing proofs for properties like thread safety and deadlock avoidance.

Is Verus production-ready for safety-critical systems in aerospace or embedded?

Given its beta status and incomplete features, Verus is best suited for research, prototyping, or projects where formal verification is prioritized over stability, but it shows promise for future production use.

verus — Static Verifier for Rust Code

What is verus?

Verus is a verification tool for Rust that enables developers to write formal specifications for their code and then statically prove that the executable Rust code will always satisfy those specifications. It uses powerful solvers to mathematically verify correctness at compile time, going beyond Rust's standard type system to check low-level operations like raw pointer manipulation. The tool is designed to bring rigorous formal verification to practical Rust development, especially for safety-critical and low-level systems code.

Target Audience

Rust developers working on safety-critical systems, low-level systems code, or concurrent programs who need to prove correctness properties beyond what Rust's type system can guarantee. This includes developers in industries like embedded systems, operating systems, or security-sensitive applications where formal verification is valuable.

Value Proposition

Developers choose Verus over alternatives because it provides static verification for a subset of Rust, using automated solvers to prove correctness for all possible executions without runtime overhead. Its unique selling point is the ability to verify low-level operations like raw pointer manipulation and concurrent code, which are often challenging for traditional type systems.

Overview

Verified Rust for low-level systems code

Use Cases

Best For

Verifying the correctness of low-level systems code that manipulates raw pointers in Rust.
Proving formal specifications for safety-critical Rust applications, such as in embedded or aerospace systems.
Statically checking concurrent Rust programs for correctness properties.
Developing formally verified Rust libraries or crates that require mathematical guarantees.
Teaching or researching formal methods and verification techniques in a practical Rust context.
Enhancing Rust projects with compile-time proofs to eliminate certain classes of bugs without runtime checks.

Not Ideal For

Projects that rely on the full breadth of Rust's language features, such as advanced macros or traits not yet supported by Verus's subset.
Teams engaged in rapid prototyping or iterative development where the overhead of writing formal specifications would hinder agility.
Production-critical systems requiring stable, mature tooling with no breaking changes and comprehensive documentation.
Developers without a background in formal methods or those unwilling to invest in learning specification syntax and solver integration.

Pros & Cons

Pros

Static Proofs of Correctness

Uses automated solvers to mathematically verify that code satisfies formal specifications for all possible executions, eliminating runtime checks as highlighted in the README.

Low-Level Systems Verification

Extends beyond Rust's standard type system to verify operations like raw pointer manipulation, making it suitable for safety-critical systems code, a key feature mentioned.

Concurrent Code Support

Includes specialized verification for concurrent programs, addressing complex correctness properties that are challenging with traditional type systems.

Active Research Backing

Backed by academic and industry projects, with publications and a growing community, as listed on the projects page, ensuring ongoing development and support.

Cons

Beta Status Limitations

The README explicitly states Verus is under active development with broken or missing features and incomplete documentation, making it unstable for production use.

Restricted Language Subset

Only supports a subset of Rust, which can limit its applicability to codebases using unsupported features like certain libraries or language constructs.

High Initial Investment

Requires learning formal specification techniques and integrating with external solvers, posing a steep learning curve and setup complexity for new users.

verus

What is verus?

Overview

Use Cases

Best For

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions

Related Projects

Found a gem we're missing?

verus

What is verus?

Overview

Use Cases

Best For

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions

Related Projects

Found a gem we're missing?