Verification-first development (VFD) prioritizes writing formal specifications and proofs before writing implementation code. This approach, while seemingly counterintuitive, aims to clarify requirements and design upfront, leading to more robust and correct software. By starting with a rigorous specification, developers gain a deeper understanding of the problem and potential edge cases. Subsequently, the code becomes a mere exercise in fulfilling the already-proven specification, akin to filling in the blanks. While potentially requiring more upfront investment, VFD ultimately reduces debugging time and leads to higher quality code by catching errors early in the development process, before they become costly to fix.
This paper introduces Crusade, a formally verified translation from a subset of C to safe Rust. Crusade targets a memory-safe dialect of C, excluding features like arbitrary pointer arithmetic and casts. It leverages the Coq proof assistant to formally verify the translation's correctness, ensuring that the generated Rust code behaves identically to the original C, modulo non-determinism inherent in C. This rigorous approach aims to facilitate safe integration of legacy C code into Rust projects without sacrificing confidence in memory safety, a critical aspect of modern systems programming. The translation handles a substantial subset of C, including structs, unions, and functions, and demonstrates its practical applicability by successfully converting real-world C libraries.
HN commenters discuss the challenges and nuances of formally verifying the C to Rust transpiler, Cracked. Some express skepticism about the practicality of fully verifying such a complex tool, citing the potential for errors in the formal proofs themselves and the inherent difficulty of capturing all undefined C behavior. Others question the performance impact of the generated Rust code. However, many commend the project's ambition and see it as a significant step towards safer systems programming. The discussion also touches upon the trade-offs between a fully verified transpiler and a more pragmatic approach focusing on common C patterns, with some suggesting that prioritizing practical safety improvements could be more beneficial in the short term. There's also interest in the project's handling of concurrency and the potential for integrating Cracked with existing Rust tooling.
Summary of Comments ( 17 )
https://news.ycombinator.com/item?id=43402102
Hacker News users discussed the practicality and benefits of verification-first development (VFD). Some commenters questioned its applicability beyond simple examples, expressing skepticism about its effectiveness in complex, real-world projects. Others highlighted potential drawbacks like the added time investment for writing specifications and the difficulty of verifying emergent behavior. However, several users defended VFD, arguing that the upfront effort pays off through reduced debugging time and improved code quality, particularly when dealing with complex logic. Some suggested integrating VFD gradually, starting with critical components, while others mentioned tools and languages specifically designed to support this approach, like TLA+ and Idris. A key point of discussion revolved around finding the right balance between formal verification and traditional testing.
The Hacker News post titled "Verification-First Development" (linking to an article on buttondown.com) generated a moderate amount of discussion, with a number of commenters sharing their experiences and perspectives on the topic.
Several commenters affirmed the value of thinking about verification early in the development process, even if not strictly adhering to a "verification-first" methodology. One user highlighted how focusing on testability from the outset often leads to simpler and more modular designs. They emphasized that while full formal verification might not always be practical, the mindset of considering how to verify functionality early on is beneficial.
Another commenter pointed out the connection between verification-first development and test-driven development (TDD). They argued that TDD, when done correctly, inherently involves thinking about verification before implementation. The act of writing tests first forces developers to define the expected behavior of the code, which is a crucial step in the verification process.
There was some discussion about the tools and techniques used in verification-first development. One commenter specifically mentioned TLA+, a formal specification language, and its usefulness in designing robust systems. They shared a personal anecdote about using TLA+ to catch subtle errors early in the design phase, preventing significant debugging effort later.
A few commenters expressed skepticism about the practicality of verification-first development for all projects. They acknowledged its potential benefits for complex systems, but questioned its suitability for simpler applications where the overhead of formal verification might outweigh the advantages. They suggested that a more pragmatic approach would be to adopt a risk-based strategy, applying more rigorous verification techniques only to critical parts of the system.
Some comments also touched on the challenges of applying verification-first development in practice. One user mentioned the difficulty of accurately specifying the desired behavior of a system, especially in complex domains. They noted that incomplete or incorrect specifications can lead to false confidence in the correctness of the implementation. Another challenge mentioned was the learning curve associated with formal verification tools and techniques, which can be a barrier to adoption for some developers.
Finally, a couple of commenters shared links to related resources, including articles and talks on formal methods and software verification. This suggests a broader interest in the topic within the Hacker News community.