Rust Distilled: An Expressive Tower of Languages

TL;DR

This paper presents a formal semantics for Rust that models ownership and borrowing at a high level, aiming to facilitate verification and extension of Rust's type system and language features.

Contribution

It introduces a high-level, source-like semantics for Rust that simplifies reasoning about ownership, borrowing, and safety, differing from existing MIR-based models.

Findings

A formal semantics capturing ownership and borrowing without lifetime analysis

A family of languages with increasing expressive power for Rust features

Simplified model for verifying Rust's safety and extensions

Abstract

Rust represents a major advancement in production programming languages because of its success in bridging the gap between high-level application programming and low-level systems programming. At the heart of its design lies a novel approach to ownership that remains highly programmable. In this talk, we will describe our ongoing work on designing a formal semantics for Rust that captures ownership and borrowing without the details of lifetime analysis. This semantics models a high-level understanding of ownership and as a result is close to source-level Rust (but with full type annotations) which differs from the recent RustBelt effort that essentially models MIR, a CPS-style IR used in the Rust compiler. Further, while RustBelt aims to verify the safety of unsafe code in Rust's standard library, we model standard library APIs as primitives, which is sufficient to reason about their behavior. This yields a simpler model of Rust and its type system that we think researchers will find easier to use as a starting point for investigating Rust extensions. Unlike RustBelt, we aim to prove type soundness using progress and preservation instead of a Kripke logical relation. Finally, our semantics is a family of languages of increasing expressive power, where subsequent levels have features that are impossible to define in previous levels. Following Felleisen, expressive power is defined in terms of observational equivalence. Separating the language into different levels of expressive power should provide a framework for future work on Rust verification and compiler optimization.