Creusot is a deductive verifier for Rust code. It verifies your code is safe from panics, overflows, and assertion failures. By adding annotations you can take it further and verify your code does the correct thing.
Creusot works by translating Rust code to Coma, an intermediate verification language of the Why3 Platform. Users can then leverage the full power of Why3 to (semi)-automatically discharge the verification conditions!
See ARCHITECTURE.md for technical details.
If you need help using Creusot or would like to discuss, you can post on the discussions forum or join our Zulip chat!
If you would like to cite Creusot in academic contexts, we encourage you to use our ICFEM'22 publication.
To get an idea of what verifying a program with Creusot looks like, we encourage you to take a look at some of our test suite:
More examples are found in examples and tests/should_succeed.
- CreuSAT is a verified SAT solver written in Rust and verified with Creusot. It really pushes the tool to its limits and gives an idea of what 'use in anger' looks like.
- Another big project is in the works :)
- Install
rustup, to get the suitable Rust toolchain - Get
opam, the package manager for OCaml - Clone the creusot repository,
then move into the
creusotdirectory.git clone https://github.com/creusot-rs/creusot cd creusot - Install Creusot:
- Check that the installation succeeded:
See the Creusot guide: Installation for more details.
- Enter the cloned Creusot git repository used previously to install Creusot
- Update Creusot's sources:
- Update opam's package listing:
- Reinstall Creusot:
See CONTRIBUTING.md for information on the developer workflow for hacking on the Creusot codebase.