who would thought that the "safe" system language rust needs a formal model checker, plus formal concurrences checkers (loom and shuttle). what about a type checker also? or maybe just redefine "safe", so that truly safe languages stand out a bit.
note that formal model checkers cannot prove termination, only memory and type safeties.
Excerpt from Kani doc :
Kani is especially useful for verifying unsafe code in Rust.
and regarding loom and shuttle :
Excerpt from The Rustonomicon :
Safe Rust guarantees an absence of data races, which are defined as:
1) two or more threads concurrently accessing a location of memory
2) one or more of them is a write
3) one or more of them is unsynchronized
However Rust does not prevent general race conditions.
This is pretty fundamentally impossible, and probably honestly undesirable.
concurrency safety does exist. checkout such languages, you'll be surprised. pony latest, but also singularity or concurrent pascal. also all other safeties rust only promises cannot provide
Did you known that in its early days Rust did take a more Pony-like approach but as ownership/borrowing took shape it was obvious that it was more scalable to move that abstraction into libraries.
What safe mean is not that easy to define.
From the Pony FAQ:
Pony prevents data races. It can’t stop you from writing race conditions into your program.
Also keep in mind that Rust is not garbage collected, the guarantees Rust provide regarding safety are a huge step forward but of course a lot need to be done.
note that formal model checkers cannot prove termination, only memory and type safeties.