►
From YouTube: PDXRust October 2016: RustProof
Description
PDXRust: PSU Capstone team shares progress on static analysis using MIR
More on http://www.meetup.com/PDXRust/events/234601233/
Help us caption & translate this video!
http://amara.org/v/2Fi3/
C
Am
extremely
excited
to
be
here
tonight.
This
is
a
this
is
exciting.
All
right.
All
right,
I'll
stay
over
here,
all
right,
so
hello,
everyone,
my
name,
is
Bradley
Rasmussen.
Some
folks
know
Mia's
badger.
This
is
a
Matthew
silken
and
Michael
Salter.
We
are
part
of
the
breast
proof,
capstone
team,
oh.
A
D
C
C
If
you
would
like
to
sponsor
a
project,
there
will
be
details
at
the
end
of
the
slides
on
how
to
how
to
inspire
a
great
idea
with
with
some
with
some
college
students
that
are
all
sorts
of
enthusiastic
all
right.
So
let
me
preface
this:
we
are
enthusiastic
students.
We
are
not
experts,
so
I'm
not
I
admire.
B
C
Means
an
excerpt
of
a
formal
verification
and
I
apologize,
but
some
of
the
some
of
the
things
in
here
are
really
quite
cool.
The
project
we
built
is
strictly
a
concept
in
most
part,
because
everything
that
we
built
was
built
on
unstable
breasts
and
actually
at
the
end
of
our
capstone
project,
are
we
had
to
refer
some
of
our
tended
to
a
outdated
version
of
the
night
ways
in
order
to
get
it
to
work?
It's
still
in
that
state
currently
and
maybe
someday
one
day,
we
will
little
fixin
updated
to
something
newer,
but
yeah.
C
Despite
all
of
this,
we
believe
that
what
we
built
has
value
like
there's
formal
verification,
is
pretty
important
more
on
that
later
so
I'm
going
to
talk
to
you
guys
today
about
why
ye
formal
verification
is
and
why
I
would
like
to
see
it
used
more
often
in
industry
and
a
little
bit
about
the
reasons
why
we
don't
currently
and
so
I
suppose
many
of
us
already
know
right
we'll
see
and
then
we're
going
to
talk
about
the
theory
and
I
do
apologize.
C
It's
going
to
get
it's
going
to
get
a
little,
there's
there's
a
lot
of
theory,
but
we
have
to
explain
it
in
order
to
explain
what
we
did
and
then
we
will
finally
talk
about
rust,
proof
and
the
problems
that
we
encountered
when
building
it.
So
some
of
the
problems
with
formal
verification,
it
is
very
tedious
and
slow
it.
C
It's
a
it's
a
long,
arduous
process
of
learning
like
how
how
to
write
mathematical
proofs,
it's
it's!
That's
it!
It's
a
long
process
process
and
formal
verification
is
it
has
benefits?
Sure
you
can
you
can
you
can
make
promises
about
your
code,
but
it's
really.
No,
it's
not
a
replacement
for
good
testing.
You!
You
will
never
use
a
formal
verification
to
outright
just
will
never
test
again,
we'll
just
do
it
all
with
with
formal
methods
and
we'll
call
it
good
know.
C
C
For
example,
a
a
while
back
I
was
enamored
with
this.
This
project
called
SEL,
for
which
is
a
it's
a
microkernel
written
in
C,
it's
about
7500
lines
of
c
code,
and
it's
in
that
respect,
I
suppose
very
simple.
But
it's
it's
a
formally
proven
microkernel
and
so
the
developers
of
SEO
for
in
order
to
verify
that
the
code
of
the
SEL
for
microkernel
was
correct,
had
to
write
two
hundred
thousand
lines
of
Isabel
code
to
verify
it.
C
C
But
I
tried,
I
tried
to
figure
out
how
to
do
Franta
see
over
the
past
six
months,
and
I
wasn't
very
successful.
So,
as
I
mentioned
before,
formal
verification
is
useful.
It
can
give
your
code
a
degree
of
reliability
that
you
can
you
can
you
can
point
at
it
and
say
we
promise
that
our
code
has
certain
qualities.
We
promise
that
our
code
will
never
have
an
integer
overflow,
for
example.
In
these
particular
cases
yeah
you
can
make
your
code.
You
can
make
your
code
more
security.
C
You
can
shun
start
making
promises
about
your
code
and
really
really
the
key
to
getting
on
with
the
verification
used
in
the
industry.
I
feel,
is
to
automate
it
more
and
make
it
more
accessible
for
everybody
to
use
and
a
formal
verification
condition
generator
allows
us
to
automate
that
process
and
make
it
easier
and
make
it
something
that
people
might
actually
want
to
use.
C
D
So,
there's
a
lot
of
kind
of
theory
that
goes
into
making
this
all
work,
and
you
really
need
to
understand
it
before
you
can
see
why
what
we
did
is
a
thing
and
how
it
works.
So
we're
going
to
go
over
briefly
what
logic
is
and
what
it's
used
for.
It's
just
a
construct.
That's
used
to
reason
about
programs,
and
so
you
define
some
precondition.
P,
that's
basically
the
state
of
your
program
going
into
execution,
and
then
you
have
some
set
of
statements,
s
and
then
a
post
condition.
That's
true.
D
After
those
statements
are
executed,
and
we
can
see
an
example
of
that
right
here
we
give
the
precondition
that
x
is
less
than
four
and
then
after
we
take
that
value
of
x
and
add
one
to
it.
We
can
say
that
it
that
value
is
less
than
10,
and
so
it's
just
purely
a
construct
to
reason
about
the
correctness
of
programs,
but
we
leveraged
it
to
generate
these
weakest
preconditions
and
the
weakest
precondition.
It's
a
it's.
D
D
So
here
we've
got
that
same
example
that
we're
familiar
with,
but
here
working
backwards.
We
we
want
something
new.
Instead
of
P,
we
want
the
weakest
precondition,
and
so
we
take
Q,
which
is
y,
is
less
than
10,
and
then
we
substitute
into
it.
Whatever
is
the
assignments
that
happen
inside
the
statement
blocks
s,
and
so
in
here
we're
going
to
substitute
X,
plus
1
for
the
value
of
y,
and
now
we
have
generated
a
weakest
precondition
and
we
can
look
at
this
and
we
can
see
that
that
could
replace
the
precondition
p.
D
D
So
we
get
this,
this
P
implies
WP
construct
and
we
can
use
this
to
check
for
the
validity
of
the
precondition
you
supplied.
So
in
this
one
shown
at
the
bottom
right
right
there,
the
P
implies
WP.
We
can
see
that
when
x
is
less
than
four
that
implies
that
X
plus
1
is
less
than
10
and
there's
a
little
bit
of
some
nuance.
That's
lost
here,
because
here
x,
is
it's
bound,
is
bound
to
less
than
4
there's
no
value
that
would
make
this
false
right.
D
This
is
a
tautology,
but
if
X
wasn't
bound
effects
could
hold
any
value.
The
FX
was
eleven.
Eleven
plus
one
is
not
less
than
10,
and
so
we
would
have
some
discrepancy
there,
and
so
what
we're
doing
with
all
this?
We
build
up
this,
this
verification
condition
and
then
we
hand
it
off
to
an
external
theorem
prover,
it's
an
smt
silver
and
it
looks
to
see
if
there's
any
way
that
it
can
make
this
thing
invalid,
and
if
there
is
it
reports
it
back
to
us
and.
D
Oh
there's
one
little
caveat
here,
which
is
that
when
you
actually
pass
it
over
the
SMT
solver,
it's
looking
to
find
one
way
in
which
it
can
make
your
formula
valid,
and
so
we
actually
pass
over
the
negation
of
the
formula.
So
it
looks
for
one
way
it
can
make
it
invalid
and
if
it
can't
find
those,
then
we've
proven
that
what
we
have
is
its
ecology
and
law.
We
get
to
finally
talk
about
what
we
actually
built.
E
Hi
I'm
Michael
Salter,
so
the
software
we
built
this
cult
rust-proof
and
it's
a
compiler
plugin
and
we're
going
to
go
over
some
of
the
designs,
the
design
decisions
we
made
and
then
actually
follow
through
the
program
kind
of
step
by
step
and
what
it
how
it
works.
So
we're
a
compiler
plugin,
basically
I
mean
we
have
to
access
user
code.
E
The
s
in
the
theory
you
were
looking
at
before
those
are
the
actual
statements
that
you
write
in
your
code,
the
pre
and
the
post,
conditioner
things
that
you
know
you
write
about
because
you
assumedly
think
you
know
what
the
program
I
supposed
to
be
doing.
So
we
need
to
access
the
head
and
the
compile
already
does
that
for
us,
the
compiler
simplifies
it
and
it
does
a
lot
of
the
work
like
type
checking
and
stuff.
You
know,
if
we
had
to
do,
the
neurone
will
be
a
be
complicated.
E
So
as
a
compiler
plugin,
we
need
to
be
on
the
nightly
build
which
has
its
own
set
of
challenges,
but
we
also
get
to
cut
it.
The
nice
feature
that
whenever
you
make
a
change
in
your
code,
you
try
to
recompile
it.
You
end
up
running
rust-proof
again
and
formally
verifying
every
time
you
make
a
change.
So
hopefully
you
can't
break
it
without
knowing
it
easily.
Unless
you
turn
it
off.
E
Of
course,
we
also
ended
up
using
Mir
and
after
you
weren't
familiar
because
it's
a
mid-level
intermediate
representation
that
the
compiler
creates
when
it's
compiling
your
code
to
do
certain
optimizations
and
checks
we
found
using
Mir
was
actually
very
useful,
because
Mir
is
much
simpler
than
user
code,
it's
more
as
much
simpler
than
the
high
level
representation
that
the
compiler
said
that
before
basically,
when
you
get
into
ma
are
everything
is
sort
of
like
a
big
control
flow
graph?
You
have
basic
blocks,
everything's,
an
assignment
statements,
very
simple.
It's
very
easy
to
do.
E
The
weakest
preconditions
generation
makes
everything
easier.
So,
hopefully
a
matter
will
continue
be
useful
in
the
future,
and
so
what
we
used
to
know
my
art
pass.
The
compiler
will
call
rust-proof
when
you
decide
to
call
your
code,
you
have
our
tag
in
there.
The
first
thing
we
do
is
we'll
look
at
the
pre
and
post
conditions
the
user
puts
in
will
try
to
validate
those.
If
those
are
valid
in
the
right
format,
then
will
parse
them,
and
then
we
store
them
internally,
using
a
parser,
Jenner
where's,
your
generator.
E
Bars
are
you
never
called
lollipop,
let's
kind
of
weld?
Oh
then
we
start
to
actually
looking
at
the
user
code
and
traversing
Mir,
which
is
in
sort
of
a
tree
structure,
and
we
start
traversing
those
Emily
our
blocks.
We
do
a
depth-first
search,
go
all
the
way
to
the
end
points
work
our
way
back
up,
generating
the
weakest
precondition
as
we
go.
E
E
E
E
So
we
mostly
moved
on
to
system
testing,
which
also
be
game
kind
of
an
issue
because,
as
a
compiler
plug
in
our
program
runs
when
someone
else
compiles
their
code
and
to
run
tests
and
a
nice
automated
sweet
through
cargo
you'd
have
cargo
call
our
program
to
call
another
program
to
call
our
program
and
it
got
weird.
Sometimes
we
made
it
work
that
we
have
a
pretty
good
sweet
that
covers
most
everything
now,
as
could
be
expected
because
the
student
project,
we
don't
cover
all
the
possible
things
we
encounter
in
west
CO
2
fact.
E
We
cover
a
very
small
subset
of
those,
but
some
of
the
basics.
We
have
integer,
arithmetic,
bullion's,
half
of
assertions
and
conditionals.
You
know
if
else
statements.
So
as
long
as
your
code
only
has
those
things,
rustproof
can
try
to
prove
things
about
it
in
the
future,
we're
looking
at
the
loops
and
other
stuff.
The
theory
is
pretty
clear.
We
just
have
to
look
at
how
to
actually
implement
it
in
a
good
way.
D
Let's
take
a
look
at
some
of
the
things
that
rough
grip
can
prove
that
our
programs
for
us
we've
defined
a
function
called
foo.
It
has
one
argument
which
is
a
64
bit
unsigned
integer
and
it
returns
a
64
bit
unsigned
integer.
This
function
takes
one
argument:
X
and
returns
10
divided
by
X
when
using
rescue
you
supply,
pre
and
post
conditions
to
a
function
like
this.
The
precondition
we've
defined
here
is
that
X
is
equal
to
5,
and
the
post
condition
is
that
the
return
value
is
equal
to
2.
D
Now,
what
this
is
saying
in
logic
is
that,
given
the
precondition
that
x
equals
5,
the
return
will
be
too.
So,
let's
just
take
a
look
at
how
that
would
work
can
convince
ourselves.
That's
true
in
this
function,
with
an
input
of
5
10,
/
5
will
yield
a
result
of
2,
so
this
should
be
true
and
match
up
with
this
function.
Let's
take
a
look
at
what
rust-proof
tells
us
about
this
function
in
this
attribute.
D
So
rust-proof
is
telling
us
the
condition
is
valid
and
that's
good.
Let's
take
a
look
at
what
rust-proof
says
if
we
mess
up
the
condition
and
say
that
the
return
should
be
three
instead
of
two
rust
group
here
tells
us
that
our
verification
condition
is
not
valid.
It
also
tells
us
under
what
condition
the
verification
condition
is
not
valid.
D
So
let's
take
a
look
at
how
we
can
change
this
function,
to
prove
it
for
all
cases
of
input,
and
not
just
this
specific
case
where
x
equals
5,
so
we're
going
to
delete
this
restriction
that
x
equals
5
and
we're
going
to
allow
X
to
hold
any
value
on
the
input
and
for
the
post
condition
will
say
that
return
is
equal
to
10
/.
Our
argument,
X.
D
So
here
rust-proof
is
calling
us
that
our
verification
condition
is
not
valid.
So
that's
a
bad
thing.
That
means
there's
some
discrepancy
between
our
code,
in
our
verification
condition.
Here,
rest
group
is
saying
that
when
x
is
equal
to
zero,
we
have
some
error
in
our
code.
So
let's
take
a
look
at
what
that
could
be
here.
10
is
being
divided
by
our
argument.
D
So
rest
group
says
that
our
verification
condition
is
valid,
so
here
we've
proven
that
when
X
doesn't
equal
zero
for
all
other
cases
of
input,
this
function
is
valid
and
that's
pretty
cool
to
write
a
unit
test
that
tested
all
these
conditions.
You
would
need
a
loop
with
18
billion
billion,
iterations
I.
E
Although
is
edifying
for
some
of
you
and
then
land
well,
I
didn't
know
any
how
to
scroll
in
this
okay,
and
then
we
just
wanted
to
mention
that
the
psu
capture
of
capstone
program
is
always
looking
for
sponsors.
Please
check
it
out.
If
you
have
you
no
idea
for
a
cool
project
or
you're
part
of
an
organization
that
might
one
of
the
bank,
our
sponsors,
Gina,
sharp
and
Aaron
tome
and
be
any
questions.
B
B
C
So,
during
the
process
of
building
rust
proof,
we
had
no
limitations
on
performance
on
and
in
some
cases
we
can't
have
limitations
on
performance
because
the
tool
that
we
use
xiii
being
what
it
is,
it's
trying
to
solve
a
it's
trying
to
solve
the
halting
problem.
Essentially-
and
there
are
some
conditions
where
our
code
might
never
return
from
z,
z,
3
or
xiii
I
suppose
specifically
will
never
return,
and
this
is
true
for
for
all
SMT,
solvers
and
so,
though
buy
it
by
by
by
no
means
is
our
code
at
all
efficient
and
it's
yeah.
D
F
C
Currently,
no,
it
might
be
a
think
that
we
do
in
the
future,
because
that
would
be.
That
would
be
better
because
you
know
this
being
what
it
is.
Our
current
compilation
times
can
sometimes
measure
in
minutes,
depending
on
how
complicated
how
complicated
the
code
can
be.
C
G
Less
a
question
more
of
a
comment:
if
this
project
had
preceded
the
flight
controller
project
by
like
two
years,
it
would
have
been
greatly
useful
when
we
were
writing
our
our
flight
controller.
It's
definitely
the
kind
of
thing
that
we
would
have
used
if
it
was
available.
Rust
is,
of
course,
a
new
language,
and
things
still
need
to
be
built
for
it,
but
that,
like
operating
systems,
all
those
things
would
be
would
be
really
really
useful
to
have.
I
have.
D
A
comment
about
your
earlier
question:
the
algorithm
that
we're
using
is
basically
that
weakest
preconditions
generation
stuff
and
that
that's
really
quick.
We
just
examined
all
the
basic
block
structure
that
you
have
in
your
code
and
since
we're
not
dealing
with
loops
or
anything,
we
can't
get
caught
in
a
loop
trying
to
figure
out
what
the
invariant
is
or
something
like
that.
So
none
of
the
actual
slowness
of
the
program
is
really
related
to
our
code.
It's
pretty
much
all
on
xiii-2
return
when
it
wants
a.
F
Topic
systems
are
Pam
valet
and
with
best
proof,
because
it
looks
almost
exactly
like
it
from
me
sitting
here,
can't
would
rust
proof
be
able
to
handle
I
mean
apart.
Guess
you
can
put
the
the
platform
to
rust
proof
of
rust
proof
to
their
platform,
because
it
looks
the
only
thing
that
that
statement
didn't
have
was
a
what
well,
you
say,
handles
what,
if
it
didn't
have
what
they
call.
Cece
saw
the
condition,
return,
see
cities,
because
you
have
that
it
looks
exactly
like
those.
F
My
background
is
extremely
aviation
and
computers
and
I
did
something
that
someone
told
me
I
couldn't
do
they
said.
Well,
you
can't
write.
You
can't
write
a
parser
and
sort
online.
I
did
a
bubble
sort
online
and
I
grow
the
extreme
parses
using
the
hashing
algorithm
with
a
binary
having
also
and
they
kept
everything
down
to
a
sub
second-
and
the
guy
was
amazed
at
that.
That's
nice,
that's!
Okay!
If
it
measures
good
as
long
as
it
works,
but
well
that
was
good.
Focusing
on
how
easy
would
it
be?
D
D
A
B
D
Far
as
I
know,
and
so
we
haven't
implemented,
actual
function,
calls
inside
what
we've
done
so
far,
so
we
haven't
dealt
with
that,
but
the
theory
that
I
know
behind
it
is
that
it's
kind
of
based
on
the
contracts
surrounding
the
function
that
you're
calling
and
the
post
condition
of
that
function
and
that,
if
you
set
it
up
all
right,
you
don't
need
to
worry
about
what's
happening
outside.
You
can
just
worry
about
your
own
contracts
on
your
own
functions.
B
H
You
require
that
the
postcondition
declared
for
the
function
you're
calling
has
to
imply
the
post
condition
that
follows
the
call
and
then
the
precondition
the
week
is
precondition
for
the
function
call
is
going
to
be
the
precondition
for
the
function,
you're,
calling
it's
actually
a
little
more
complicated
than
that,
but
but
you
basically
just
copy
the
pre
and
post
conditions
from
the
function
you're
calling
into
the
call
site.
Does
that
make
sense.