{"id":14966253,"url":"https://github.com/aeneasverif/aeneas","last_synced_at":"2026-05-28T07:02:52.662Z","repository":{"id":37421654,"uuid":"423842039","full_name":"AeneasVerif/aeneas","owner":"AeneasVerif","description":"A verification toolchain for Rust programs","archived":false,"fork":false,"pushed_at":"2026-05-22T13:59:32.000Z","size":14976,"stargazers_count":766,"open_issues_count":187,"forks_count":76,"subscribers_count":8,"default_branch":"main","last_synced_at":"2026-05-22T16:24:05.878Z","etag":null,"topics":["compiler","coq","deductive-reasoning","formal-methods","formal-verification","fstar","hol4","lean","ocaml","program-verification","proofs","rust","rust-lang"],"latest_commit_sha":null,"homepage":"https://aeneasverif.github.io/","language":"OCaml","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/AeneasVerif.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2021-11-02T12:51:26.000Z","updated_at":"2026-05-21T18:59:21.000Z","dependencies_parsed_at":"2024-11-06T13:26:35.216Z","dependency_job_id":"478ce462-aab8-4bb6-adcb-1525614d225e","html_url":"https://github.com/AeneasVerif/aeneas","commit_stats":{"total_commits":2289,"total_committers":18,"mean_commits":"127.16666666666667","dds":"0.12887723896898207","last_synced_commit":"3f8d5281735ad91549b6b4ddc439f12178df7220"},"previous_names":[],"tags_count":124,"template":false,"template_full_name":null,"purl":"pkg:github/AeneasVerif/aeneas","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AeneasVerif%2Faeneas","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AeneasVerif%2Faeneas/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AeneasVerif%2Faeneas/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AeneasVerif%2Faeneas/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/AeneasVerif","download_url":"https://codeload.github.com/AeneasVerif/aeneas/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AeneasVerif%2Faeneas/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33597808,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-28T02:00:06.440Z","response_time":99,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["compiler","coq","deductive-reasoning","formal-methods","formal-verification","fstar","hol4","lean","ocaml","program-verification","proofs","rust","rust-lang"],"created_at":"2024-09-24T13:36:05.070Z","updated_at":"2026-05-28T07:02:52.649Z","avatar_url":"https://github.com/AeneasVerif.png","language":"OCaml","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp\u003e\u003cdiv style=\"text-align: center\"\u003e\n\u003cimg src=\"static/Aeneas.jpg\"\n     alt=\"Iapyx removing arrowhead from Aeneas\" title=\"Iapyx removing arrowhead from Aeneas\"\n     style=\"\"/\u003e\n\u003cfigcaption\u003e\nUnknown author, \u003ci\u003eIapyx removing arrowhead from Aeneas\u003c/i\u003e [Fresco].\nWall in Pompei, digital image from Michael Lahanis.\n\u003ca href=\"https://commons.wikimedia.org/w/index.php?curid=1357010\"\u003eSource\u003c/a\u003e\n\u003c/figcaption\u003e\n\u003c/div\u003e\u003c/p\u003e\n\n# Aeneas\n\nAeneas (pronunced [Eh-nee-as]) is a verification toolchain for Rust programs.  It relies on a translation from Rust's MIR\ninternal language to a pure lambda calculus.  It is intended to be used in combination with\n[Charon](https://github.com/AeneasVerif/charon), which compiles Rust programs to an intermediate\nrepresentation called LLBC. It currently has backends for [F\\*](https://www.fstar-lang.org),\n[Coq](https://coq.inria.fr/), [HOL4](https://hol-theorem-prover.org/) and [LEAN](https://leanprover.github.io/).\n\nIf you want to contribute or ask questions, we strongly encourage you to join the\n[Zulip](https://aeneas-verif.zulipchat.com/). In particular, we welcome external\ncontributions but ask contributors to engage with us before making deep modifications of\nthe code or implementing non trivial features, as these require in-depth design\ndiscussions and careful reviews. If you want to contribute a new feature you should either\ndiscuss it on the Zulip or open the corresponding issue on github.\n\n## Project Structure\n\n- `src`: the OCaml sources. Note that we rely on [Dune](https://github.com/ocaml/dune)\n  to build the project.\n- `backends`: standard libraries for the existing backends (definitions for\n   arithmetic operations, for standard collections like vectors, theorems, tactics, etc.)\n- `tests`: files generated by applying Aeneas on some of the test files of Charon,\n  completed with hand-written files (proof scripts, mostly).\n\n## Installation \u0026 Build\n\nYou need to install OCaml, together with some packages.\n\nWe suggest you to follow those [instructions](https://ocaml.org/docs/install.html),\nand install OPAM on the way (same instructions).\n\nWe are developing Aeneas by using **OCaml 5**. For instance, if you want to use OCaml 5.3.0:\n```\nopam switch create 5.3.0\n```\n\nYou can then install the dependencies with the following command:\n```\nopam install ppx_deriving visitors easy_logging zarith yojson core_unix odoc \\\n  ocamlgraph menhir ocamlformat.0.27.0 unionFind zarith progress domainslib\n```\n\nMoreover, Aeneas uses the [Charon](https://github.com/AeneasVerif/charon) project and library.\nFor Aeneas to work, `./charon` must contain a clone of the [Charon](https://github.com/AeneasVerif/charon)\nrepository, at the commit specified in `./charon-pin`.  The easiest way to set this up is to call\n`make setup-charon`\n(this uses either [rustup](https://rustup.rs/) or [nix](https://nixos.org/download/) to build Charon, depending on which one is installed).\nIn case of version mismatch, you will be instructed to update Charon.\n\nIf you're also developing on Charon, you can instead set up `./charon` to be a symlink to your local version:\n`ln -s PATH_TO_CHARON_REPO charon`. In this case, the scripts will not check that your Charon\ninstallation is on a compatible commit. When you pull a new version of Aeneas, you will occasionally\nneed to update your Charon repository so that Aeneas builds and runs correctly.\n\nFinally, building the project simply requires running `make` in the top\ndirectory.\n\nYou can also use `make test` and `make verify` to run the tests, and check\nthe generated files. As `make test` will run tests which use the Charon tests,\nyou will need to regenerate the `.llbc` files. To do this, run `make setup-charon` before `make\ntest`. Alternatively, call `REGEN_LLBC=1 make test-...` to regenerate only the needed files.\n\n## Documentation\n\nIf you run `make`, you will generate a documentation accessible from [`doc.html`](./doc.html).\n\nAdditionally, a tutorial for using the Aeneas Lean backend is available [here](./tests/lean/Tutorial/); the original Rust file can be found [here](./tests/src/tutorial/src/lib.rs).\nIt requires a working installation of Lean.\n\n## Usage\n\nYou should first generate the serialized `.llbc` file by calling Charon from *inside*\n(similarly to cargo) the crate you want to translate. **Important:** you should call\nCharon with the following option:\n```bash\ncharon cargo --preset=aeneas\n```\n\nThe Aeneas binary is in `bin`; you can run: `./bin/aeneas -backend {fstar|coq|lean|hol4} [OPTIONS] LLBC_FILE`,\nwhere `LLBC_FILE` is an .llbc file generated by Charon.\n\nAeneas provides a lot of flags and options to tweak its behaviour: you can use `--help`\nto display a detailed documentation.\n\n\u003e [!IMPORTANT]\n\u003e There are additional steps for the Lean backend. Files generated by the Lean backend\n\u003e import the `Aeneas` package from Aeneas. To use those files in Lean:\n\u003e  1. Create a new Lean package using `lake new`.\n\u003e  2. Overwrite the `lean-toolchain` with the one inside `./backends/lean`.\n\u003e  3. Add `aeneas` as a dependency in the `lakefile.lean`:\n\u003e     ```lean\n\u003e     require aeneas from \"PATH_TO_AENEAS_REPO/backends/lean\"\n\u003e     ```\n\u003e     or in the `lakefile.toml`:\n\u003e     ```toml\n\u003e     [[require]]\n\u003e     name = \"aeneas\"\n\u003e     path = \"PATH_TO_AENEAS_REPO/backends/lean\"\n\u003e     ```\n\u003e     If you don't have Aeneas cloned locally, you can specify the dependency using\n\u003e     the GitHub repository. If you opt for this method, consider adding a specific\n\u003e     commit hash to ensure that future updates do not break your project.\n\u003e     ```toml\n\u003e     [[require]]\n\u003e     name = \"aeneas\"\n\u003e     git = { url = \"https://github.com/AeneasVerif/aeneas\", subDir = \"backends/lean\" }\n\u003e     rev = \"COMMIT_HASH_HERE\"\n\u003e     ```\n\n## Targeted Subset And Current Limitations\n\nAeneas currently functionalizes a subset of safe Rust, and we are in the process\nof extending the functional model with reasoning based on separation logic to\nsupport unsafe code and concurrent code.\n\nWe currently have the following limitations on the *safe* subset, that we plan to address\none by one:\n- **loops**: `return` inside *nested* loops, or `break`/`continue` to *outer* loops\n  are not supported yet (e.g., `'a : loop { loop { break 'a; } } `). This is a\n  technical limitation, not a fundamental issue, that we plan to address in the\n  near future and that we can prioritize depending on our users' needs.\n\nThe following limitations will be lifted by the ongoing work on separation logic:\n- **unsafe code**\n- **concurrency**\n\nFeel free to contact the team or join the Zulip if you need some specific features or if\nyou're interested in contributing.\n\n## Backend Support\n\nWe currently support F\\*, Coq, HOL4 and Lean. We would be interested in having an Isabelle\nbackend. Our most mature backends are Lean and HOL4, for which we have in particular\nsupport for partial functions and extrinsic proofs of termination (see\n`./backends/lean/Base/Diverge/Elab.lean` and `./backends/hol4/divDefLib.sig` for instance)\nand tactics specialized for monadic programs (see\n`./backends/lean/Base/Progress/Progress.lean` and `./backends/hol4/primitivesLib.sml`).\n\n## Adding Models of Rust Definitions to the Lean Backend\n\nWhen translating a crate which requires external definitions (i.e., definitions\ncoming from external dependencies such as the Rust standard library), we advise using the\n`-split-files` option. With `-split-files`, Aeneas will generate template files listing\nthe missing definitions for which the user will have to provide hand-written models.\nFor instance, it can lead to the following structure in Lean:\n```\n... // Files containing type definitions, etc.\nFunsExternal_Template.lean // automatically generated template file\nFunsExternal.lean // hand-written file maintained by the user (not overwritten during the translation)\nFuns.lean // automatically generated file which imports FunsExternal.lean\n```\n\nRather than adding models to the `TypesExternal.lean`, `FunsExternal.lean`, etc. files it\nis possible to port the models to the Aeneas standard library, so that all client projects\ncan benefit from them. When doing so, it is important to make Aeneas aware of those new\nmodels. This is done by annotating the Lean models with the appropriate attribute\n(`rust_type`, `rust_const`, `rust_fun`, `rust_trait` or `rust_trait_impl`) then running the\ncommand `make extract-lean-std`. This command will build the Lean library for Aeneas,\ncollect those definitions, and regenerate the `src/extract/ExtractBuiltinLean.ml` file,\nwhich provides information about those models.\n\nNote that Aeneas automatically introduces the `rust_type`, etc. attributes when\nlisting the missing external definitions in the `TypesExternal.lean`, etc. files:\nthe user just needs to copy/paste those definitions and fill in the holes. Also note that\nthose attributes have quite a few options to tweak the behavior of the extraction: we\ninvite the users to read their docstrings for more information.\n\n## Quick start for Nix users\n\nAssuming Nix is installed, with a support for Flakes (`*`):\n\n```console\n$ # Run Charon with the exact same version required by Aeneas\n$ nix run github:aeneasverif/aeneas#charon -L\n$ nix run github:aeneasverif/aeneas -L -- -backend your_preferred_backend your_llbc.file\n```\n\nTo regenerate the extraction, just run step 2 and step 3 again.\n\n`(*)` : Flakes are not necessary, here is an example of how to do similar steps without it:\n\n```console\n$ nix-shell '\u003caeneas\u003e' -A packages.x86_64-linux.charon --run \"charon\" -I aeneas=https://github.com/AeneasVerif/aeneas/archive/main.tar.gz\n$ nix-shell '\u003caeneas\u003e' -A packages.x86_64-linux.default --run \"aeneas --backend your_preferred_backend your_llbc.file\" -I aeneas=https://github.com/AeneasVerif/aeneas/archive/main.tar.gz\n```\n\n## Formalization\n\nThe translation has been formalized and published at ICFP2022: [Aeneas: Rust\nverification by functional\ntranslation](https://dl.acm.org/doi/abs/10.1145/3547647)\n([long version](https://arxiv.org/abs/2206.07185)). We also have a proof that\nthe symbolic execution performed by Aeneas during its translation correctly\nimplements a borrow checker, and published it at ICFP 2024: [Sound Borrow-Checking for Rust via Symbolic Semantics](https://dl.acm.org/doi/10.1145/3674640) ([long version](https://arxiv.org/abs/2404.02680)).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faeneasverif%2Faeneas","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faeneasverif%2Faeneas","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faeneasverif%2Faeneas/lists"}