Verus overview
Getting started
Getting started
Tutorial
Basic specifications
Specification code, proof code, executable code
Recursion and loops
Datatypes: struct and enum
1. Defining datatypes
2. Querying the discriminant (#[is_variant])
3. Proving properties of fields
Basic libraries and spec closures
Quantifiers
Higher-order executable functions
1. Passing functions as values
2. Closures
SMT solving, automation, and where automation fails
1. What's decidable, what's undecidable, what's fast, what's slow
2. Integers and nonlinear arithmetic
3. Bit vectors and bitwise operations
4. forall and exists: writing and using triggers, inline functions
5. Recursive functions
6. Extensional equality
7. Libraries: incomplete axioms for Seq, Set, Map
Improving SMT performance
1. Modules, hiding, opaque, reveal
2. Quantifier profiling
3. Hiding local proofs with assert (...) by { ... }
4. Structured proof by calculation
5. Proof by computation
6. Spinning off separate SMT queries
7. Breaking proofs into smaller pieces
Mutation, references, and borrowing
1. Requires and ensures with mutable references
2. Assertions containing mutable references
Traits
Ghost and tracked variables
Concurrency and Unsafe Code
Attributes and directives
1. external and external_body
2. inline
3. opaque
4. decreases_by
5. when_used_as_spec
Strings
1. String library
2. String literals
Macros
Tools and command-line options
1. Proof Debugger
2. IDE Support
3. Syntax Highlighting
Verification and Rust
1. Why Rust?
2. Supported Rust features
3. Borrowing and lifetimes
4. Mutable borrows
5. Interior mutability
6. Alternatives to unsafe
Understanding the guarantees of a verified program
1. Assumptions and trusted components
2. Identifying a project's TCB
3. Memory safety is conditional on verification
Project setup and development
1. Working with crates
2. Invoking Verus code from Rust
3. Documentation with Rustdoc
Reference
Supported and unsupported Rust features
Verus syntax overview
Modes
1. Function modes
2. Variable modes
Spec expressions
1. Rust subset
2. Arithmetic
3. Spec equality (==)
4. Extensional equality (=~=, =~~=)
5. Prefix and/or (&&& and |||)
6. Chained operators
7. Implication (==>, <==, and <==>)
8. Quantifiers (forall, exists)
9. Such that (choose)
10. Function expressions
11. Trigger annotations
12. The view function @
13. Spec index operator []
Proof features
1. assert and assume
2. assert ... by
3. assert forall ... by
4. assert ... by(bit_vector)
5. assert ... by(nonlinear_arith)
6. assert ... by(compute) / by(compute_only)
7. reveal
8. fuel
Function specifications
1. requires / ensures
2. opens_invariants
3. recommends
Loop specifications
1. invariant
2. invariant_except_break / ensures
Recursion and termination
1. decreases ...
2. decreases ... when ...
3. decreases ... via ...
4. Datatype ordering
5. Cyclic definitions
Misc. Rust features
1. Statics
2. char
Command line
1. --record
Planned future work

Specification code, proof code, executable code

Verus classifies code into three modes: spec, proof, and exec, where:

spec code describes properties about programs
proof code proves that programs satisfy properties
exec code is ordinary Rust code that can be compiled and run

Both spec code and proof code are forms of ghost code, so we can organize the three modes in a hierarchy:

code
- ghost code
  - spec code
  - proof code
- exec code

Every function in Verus is either a spec function, a proof function, or an exec function:

spec fn f1(x: int) -> int {
    x / 2
}

proof fn f2(x: int) -> int {
    x / 2
}

// "exec" is optional, and is usually omitted
exec fn f3(x: u64) -> u64 {
    x / 2
}

exec is the default function annotation, so it is usually omitted:

fn f3(x: u64) -> u64 { x / 2 } // exec function

The rest of this chapter will discuss these three modes in more detail. As you read, you can keep in mind the following relationships between the three modes:

	spec code	proof code	exec code
can contain `spec` code, call `spec` functions	yes	yes	yes
can contain `proof` code, call `proof` functions	no	yes	yes
can contain `exec` code, call `exec` functions	no	no	yes