Abstract
Rust’s novel type system has proved an attractive target for verification and program analysis tools, due to the rich guarantees it provides for controlling aliasing and mutability. However, fully understanding, extracting and exploiting these guarantees is subtle and challenging: existing models for Rust’s type checking either support a smaller idealised language disconnected from real-world Rust code, or come with severe limitations in terms of precise modelling of Rust borrows, composite types storing them, function signatures and loops.
In this paper, we present Place Capability Graphs: a novel model of Rust’s type-checking results, which lifts these limitations, and which can be directly calculated from the Rust compiler’s own programmatic representations and analyse…
Abstract
Rust’s novel type system has proved an attractive target for verification and program analysis tools, due to the rich guarantees it provides for controlling aliasing and mutability. However, fully understanding, extracting and exploiting these guarantees is subtle and challenging: existing models for Rust’s type checking either support a smaller idealised language disconnected from real-world Rust code, or come with severe limitations in terms of precise modelling of Rust borrows, composite types storing them, function signatures and loops.
In this paper, we present Place Capability Graphs: a novel model of Rust’s type-checking results, which lifts these limitations, and which can be directly calculated from the Rust compiler’s own programmatic representations and analyses. We demonstrate that our model supports over 97% of Rust functions in the most popular public crates, and show its suitability as a general-purpose basis for verification and program analysis tools by developing promising new prototype versions of the existing Flowistry and Prusti tools.
Formats available
You can view the full content in the following formats:
References
[1]
Vytautas Astrauskas, Peter Müller, Federico Poli, and Alexander J. Summers. 2019. Leveraging Rust types for modular specification and verification. Proc. ACM Program. Lang., 3, OOPSLA (2019), 147:1–147:30. https://doi.org/10.1145/3360573
[2]
Yechan Bae, Youngsuk Kim, Ammar Askar, Jungwon Lim, and Taesoo Kim. 2021. Rudra: Finding Memory Safety Bugs in Rust at the Ecosystem Scale. In SOSP ’21: ACM SIGOPS 28th Symposium on Operating Systems Principles, Virtual Event / Koblenz, Germany, October 26-29, 2021, Robbert van Renesse and Nickolai Zeldovich (Eds.). ACM, 84–99. https://doi.org/10.1145/3477132.3483570
[3]
John Boyland. 2001. Alias burying: Unique variables without destructive reads. Softw. Pract. Exp., 31, 6 (2001), 533–553. https://doi.org/10.1002/SPE.370
[4]
Elias Castegren and Tobias Wrigstad. 2016. Reference Capabilities for Concurrency Control. In 30th European Conference on Object-Oriented Programming (ECOOP 2016), Shriram Krishnamurthi and Benjamin S. Lerner (Eds.) (Leibniz International Proceedings in Informatics (LIPIcs), Vol. 56). Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, Dagstuhl, Germany. 5:1–5:26. isbn:978-3-95977-014-9 issn:1868-8969 https://doi.org/10.4230/LIPIcs.ECOOP.2016.5
[5]
Dave Clarke and Tobias Wrigstad. 2003. External Uniqueness Is Unique Enough. In ECOOP 2003 - Object-Oriented Programming, 17th European Conference, Darmstadt, Germany, July 21-25, 2003, Proceedings, Luca Cardelli (Ed.) (LNCS, Vol. 2743). Springer, 176–200. https://doi.org/10.1007/978-3-540-45070-2_9
[6]
David G. Clarke, John Potter, and James Noble. 1998. Ownership Types for Flexible Alias Protection. In Proceedings of the 1998 ACM SIGPLAN Conference on Object-Oriented Programming Systems, Languages & Applications, OOPSLA 1998, Vancouver, British Columbia, Canada, October 18-22, 1998, Bjørn N. Freeman-Benson and Craig Chambers (Eds.). ACM, 48–64. https://doi.org/10.1145/286936.286947
[7]
Sylvan Clebsch, Sophia Drossopoulou, Sebastian Blessing, and Andy McNeil. 2015. Deny Capabilities for Safe, Fast Actors. In International Workshop on Programming Based on Actors, Agents, and Decentralized Control. ACM, 1–12.
[8]
Rust Community and Language Team. 2025. Place Expressions and Value Expressions (The Rust Reference). https://doc.rust-lang.org/reference/expressions.html##place-expressions-and-value-expressions Accessed July 2025
[9]
Will Crichton, Gavin Gray, and Shriram Krishnamurthi. 2023. A Grounded Conceptual Model for Ownership Types in Rust. Proc. ACM Program. Lang., 7, OOPSLA2 (2023), Article 265, Oct., 29 pages. https://doi.org/10.1145/3622841
[10]
Will Crichton, Marco Patrignani, Maneesh Agrawala, and Pat Hanrahan. 2022. Modular information flow through ownership. In Proceedings of the 43rd ACM SIGPLAN International Conference on Programming Language Design and Implementation (PLDI 2022). Association for Computing Machinery, New York, NY, USA. 1–14. isbn:9781450392655 https://doi.org/10.1145/3519939.3523445
[11]
Xavier Denis, Jacques-Henri Jourdan, and Claude Marché. 2022. Creusot: A Foundry for the Deductive Verification of Rust Programs. In Formal Methods and Software Engineering - 23rd International Conference on Formal Engineering Methods, ICFEM 2022, Madrid, Spain, October 24-27, 2022, Proceedings, Adrián Riesco and Min Zhang (Eds.) (LNCS, Vol. 13478). Springer, 90–105. https://doi.org/10.1007/978-3-031-17244-1_6
[12]
Prusti Developers. 2024-2025. Personal Communication.
[13]
Prusti Developers. 2025. PCG Repository. https://github.com/prusti/pcg Accessed August 21, 2025
[14]
Verus Developers. 2022. Returning mutable references (discussion). https://github.com/verus-lang/verus/discussions/35 Accessed March, 2025
[15]
Colin S. Gordon, Matthew J. Parkinson, Jared Parsons, Aleks Bromfield, and Joe Duffy. 2012. Uniqueness and reference immutability for safe parallelism. In Proceedings of the ACM International Conference on Object Oriented Programming Systems Languages and Applications (OOPSLA ’12). Association for Computing Machinery, New York, NY, USA. 21–40. isbn:9781450315616 https://doi.org/10.1145/2384616.2384619
[16]
Zachary Grannan, Aurel Bílý, Jonáš Fiala, Jasper Geer, Markus de Medeiros, Peter Müller, and Alexander J. Summers. 2025. Artefact for “Place Capability Graphs: A General- Purpose Model of Rust’s Ownership and Borrowing Guarantees”. https://doi.org/10.5281/zenodo.16597989
[17]
Zachary Grannan, Aurel Bílý, Jonáš Fiala, Jasper Geer, Markus de Medeiros, Peter Müller, and Alexander J. Summers. 2025. Place Capability Graphs: A General-Purpose Model of Rust’s Ownership and Borrowing Guarantees. arxiv:2503.21691. arxiv:2503.21691
[18]
Philipp Haller and Martin Odersky. 2010. Capabilities for Uniqueness and Borrowing. In ECOOP 2010 – Object-Oriented Programming, Theo D’Hondt (Ed.). Springer, Berlin, Heidelberg. 354–378. isbn:978-3-642-14107-2 https://doi.org/10.1007/978-3-642-14107-2_17
[19]
Son Ho, Aymeric Fromherz, and Jonathan Protzenko. 2024. Sound Borrow-Checking for Rust via Symbolic Semantics. Proc. ACM Program. Lang., 8, ICFP (2024), Article 251, Aug., 29 pages. https://doi.org/10.1145/3674640
[20]
Son Ho and Jonathan Protzenko. 2022. Aeneas: Rust verification by functional translation. Proc. ACM Program. Lang., 6, ICFP (2022), 711–741. https://doi.org/10.1145/3547647
[21]
Ralf Jung, Hoang-Hai Dang, Jeehoon Kang, and Derek Dreyer. 2020. Stacked borrows: an aliasing model for Rust. Proc. ACM Program. Lang., 4, POPL (2020), 41:1–41:32. https://doi.org/10.1145/3371109
[22]
Ralf Jung, Jacques-Henri Jourdan, Robbert Krebbers, and Derek Dreyer. 2018. RustBelt: securing the foundations of the Rust programming language. Proc. ACM Program. Lang., 2, POPL (2018), 66:1–66:34. https://doi.org/10.1145/3158154
[23]
Ralf Jung, Robbert Krebbers, Jacques-Henri Jourdan, Aleš Bizjak, Lars Birkedal, and Derek Dreyer. 2018. Iris from the ground up: A modular foundation for higher-order concurrent separation logic. Journal of Functional Programming, 28 (2018), e20. https://doi.org/10.1017/S0956796818000151
[24]
Shuanglong Kan, David Sanán, Shang-Wei Lin, and Yang Liu. 2018. K-Rust: An Executable Formal Semantics for Rust. CoRR, abs/1804.07608 (2018), arxiv:1804.07608. https://doi.org/10.48550/arXiv.1804.07608
[25]
Andrea Lattuada, Travis Hance, Chanhee Cho, Matthias Brun, Isitha Subasinghe, Yi Zhou, Jon Howell, Bryan Parno, and Chris Hawblitzel. 2023. Verus: Verifying Rust Programs using Linear Ghost Types (extended version). CoRR, abs/2303.05491 (2023), arXiv:2303.05491. https://doi.org/10.48550/arXiv.2303.05491
[26]
Nico Lehmann, Adam Geller, Gilles Barthe, Niki Vazou, and Ranjit Jhala. 2022. Flux: Liquid Types for Rust. CoRR, abs/2207.04034 (2022), arXiv:2207.04034. https://doi.org/10.48550/arXiv.2207.04034
[27]
Yusuke Matsushita, Xavier Denis, Jacques-Henri Jourdan, and Derek Dreyer. 2022. RustHornBelt: a semantic foundation for functional verification of Rust programs with unsafe code. In PLDI ’22: 43rd ACM SIGPLAN International Conference on Programming Language Design and Implementation, San Diego, CA, USA, June 13 - 17, 2022, Ranjit Jhala and Isil Dillig (Eds.). ACM, 841–856. https://doi.org/10.1145/3519939.3523704
[28]
P. Müller. 2002. Modular Specification and Verification of Object-Oriented Programs (LNCS, Vol. 2262). Springer.
[29]
Peter Müller and Arsenii Rudich. 2007. Ownership transfer in universe types. In Proceedings of the 22nd Annual ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications, OOPSLA 2007, October 21-25, 2007, Montreal, Quebec, Canada, Richard P. Gabriel, David F. Bacon, Cristina Videira Lopes, and Guy L. Steele Jr. (Eds.). ACM, 461–478. https://doi.org/10.1145/1297027.1297061
[30]
Peter Müller, Malte Schwerhoff, and Alexander J. Summers. 2016. Viper: A Verification Infrastructure for Permission-Based Reasoning. In Verification, Model Checking, and Abstract Interpretation - 17th International Conference, VMCAI 2016, St. Petersburg, FL, USA, January 17-19, 2016. Proceedings, Barbara Jobstmann and K. Rustan M. Leino (Eds.) (LNCS, Vol. 9583). Springer, 41–62. https://doi.org/10.1007/978-3-662-49122-5_2
[31]
David J. Pearce. 2021. A Lightweight Formalism for Reference Lifetimes and Borrowing in Rust. ACM Trans. Program. Lang. Syst., 43, 1 (2021), 3:1–3:73. https://doi.org/10.1145/3443420
[32]
Eric W. Reed. 2015. Patina: A Formalization of the Rust Programming Language. University of Washington.
[33]
Rust contributors. 2019. The Polonius Reference Implementation for the Rust Borrow-Checker. https://github.com/rust-lang/polonius Accessed April 4, 2019
[34]
Rémy Rakic and Niko Matsakis on behalf of The Polonius Working Group. 2023. Polonius Update. https://blog.rust-lang.org/inside-rust/2023/10/06/polonius-update.html Accessed March 24, 2025
[35]
Sven Stork, Karl Naden, Joshua Sunshine, Manuel Mohr, Alcides Fonseca, Paulo Marques, and Jonathan Aldrich. 2014. Æ minium: A Permission-Based Concurrent-by-Default Programming Language Approach. ACM Trans. Program. Lang. Syst., 36, 1 (2014), Article 2, March, 42 pages. issn:0164-0925 https://doi.org/10.1145/2543920
[36]
Ferrous Systems and contributors. 2025. Rust-analyzer. https://rust-analyzer.github.io/ Accessed July 30, 2025
[37]
Alexa VanHattum, Daniel Schwartz-Narbonne, Nathan Chong, and Adrian Sampson. 2022. Verifying Dynamic Trait Objects in Rust. In 44th IEEE/ACM International Conference on Software Engineering: Software Engineering in Practice, ICSE (SEIP) 2022, Pittsburgh, PA, USA, May 22-24, 2022. IEEE, 321–330. https://doi.org/10.1109/ICSE-SEIP55303.2022.9794041
[38]
Neven Villani, Johannes Hostert, Derek Dreyer, and Ralf Jung. 2025. Tree Borrows. Proc. ACM Program. Lang., 9, PLDI (2025), Article 188, June, https://doi.org/10.1145/3735592
[39]
Feng Wang, Fu Song, Min Zhang, Xiaoran Zhu, and Jun Zhang. 2018. KRust: A Formal Executable Semantics of Rust. CoRR, abs/1804.10806 (2018), arxiv:1804.10806. https://doi.org/10.48550/arXiv.1804.10806
[40]
Aaron Weiss, Daniel Patterson, and Amal Ahmed. 2018. Rust Distilled: An Expressive Tower of Languages. arXiv preprint arXiv:1806.02693, https://doi.org/10.48550/arXiv.1806.02693
[41]
Aaron Weiss, Daniel Patterson, Nicholas D. Matsakis, and Amal Ahmed. 2019. Oxide: The Essence of Rust. CoRR, abs/1903.00982 (2019), https://doi.org/10.48550/arXiv.1903.00982