←back to thread

Compiling C to Safe Rust, Formalized

(arxiv.org)
277 points love2read | 8 comments | 20 Dec 24 23:30 UTC | HN request time: 0.637s | source | bottom
Show context
wffurr ◴[21 Dec 24 00:33 UTC] No.42476523[source]
Note that this is done for “existing formally verified C codebases” which is a lot different from typical systems C code which is not formally verified.
replies(8): >>42476623 #>>42477360 #>>42478051 #>>42478440 #>>42478560 #>>42478707 #>>42479358 #>>42479797 #
tonetegeatinst ◴[21 Dec 24 03:37 UTC] No.42477360[source]
What is the main difference? Can compiler flags force compliance?
replies(3): >>42477457 #>>42477464 #>>42478005 #
1. immibis ◴[21 Dec 24 07:09 UTC] No.42478005[source]
"Formally verified" means someone has written a correct mathematical proof that the code has no bugs (the proof is checked by a computer program to make sure it is correct). This is a very high bar.

I'm not sure what it has to do with translating the code to Rust.

replies(3): >>42478080 #>>42478118 #>>42484000 #
2. swiftcoder ◴[21 Dec 24 07:35 UTC] No.42478080[source]
> I'm not sure what it has to do with translating the code to Rust.

Formally verified C programs typically have had all their undefined behaviour already stamped out during the verification process. That makes mapping it over to Rust a lot simpler.

replies(1): >>42478334 #
3. DonaldPShimoda ◴[21 Dec 24 07:47 UTC] No.42478118[source]
In this case specifically, two separate aspects are being referred to with regard to "formal verification".

The first is that the translation function (from C to Rust) has itself been formally verified. In other words: if you give it a C program that obeys certain necessary pre-conditions, it will give you a safe Rust program. I believe the title of the paper is primarily using "Formalized" with regard to this characteristic.

The second is that the set of programs the authors evaluate their tool on are C programs that have themselves been formally verified. I only barely skimmed the introduction and didn't see it addressed directly there, but I would assume that this is because the pre-conditions necessary for their translation to work are most easily (only?) met by formally verified C programs, where of course the verification has been rendered with respect to properties that would be relevant here (e.g., memory use).

4. tjoff ◴[21 Dec 24 08:52 UTC] No.42478334[source]
Translating undefined behavior is the easy part.
replies(2): >>42479234 #>>42479391 #
5. swiftcoder ◴[21 Dec 24 12:15 UTC] No.42479234{3}[source]
Maybe, but only if you know the specifics of the environment in which it is executing (i.e. which compiler/architecture-specific behaviours the code actually relies on)
replies(1): >>42479394 #
6. ◴[21 Dec 24 12:55 UTC] No.42479391{3}[source]
7. Filligree ◴[21 Dec 24 12:55 UTC] No.42479394{4}[source]
Correctly written C programs don’t have undefined behaviour, so a translator can operate assuming there is none.
8. SAI_Peregrinus ◴[22 Dec 24 02:28 UTC] No.42484000[source]
> "Formally verified" means someone has written a correct mathematical proof that the code has no bugs

No, only that it complies with a formal specification. The code will have bugs if and only if the specification has bugs.

The difficulty of writing a bug-free formal specification is just as great as writing bug-free code. In some domains it's easier to write the specification, but not in most. Fully specifying what a program shoud do is often the hardest part of programming, after all.