Papers
Topics
Authors
Recent
Search
2000 character limit reached

Mostly Automatic Translation of Language Interpreters from C to Safe Rust

Published 25 Jun 2026 in cs.PL, cs.MA, and cs.SE | (2606.27122v1)

Abstract: Translating C programs to safe Rust is challenging owing to significant differences in typing constraints, ownership, and borrowing rules. Interpreter programs are particularly important targets for such translation, as they often handle untrusted inputs and suffer from memory-related vulnerabilities. We present Reboot, a mostly-automatic technique that translates real-world interpreter programs from C to safe Rust. Using Reboot, we have translated six interpreters ranging from 6k to 23k lines of C code to safe Rust, with each translation requiring only 1 to 11 brief user interventions. All translations pass 100% of the provided test suites, and achieve 62%--92% pass rates on separately created validation tests that were never exposed to the system. A security case study on mujs shows that memory vulnerabilities such as heap buffer overflows and use-after-free present in C are eliminated in the safe Rust translation. Two ideas underpin Reboot. First, feature reduction decomposes the translation by program features, creating a sequence of milestones where each is a complete, testable program; the translation starts from the simplest version and incrementally restores features, with each milestone validated before proceeding. Second, a multi-agent architecture orchestrates inherently unreliable coding agents through automated validation and feedback, keeping long-running translation workflows on track with minimal human involvement. An ablation study confirms that feature reduction improves translation correctness compared to using multi-agent translation alone, with 6%--20% improvements in pass rates on validation test suites.

Summary

  • The paper introduces Reboot, a system that uses feature reduction and multi-agent orchestration to automatically translate C interpreters to safe Rust.
  • It achieves high validation rates, marked improvements in test suites, and eliminates memory vulnerabilities across multiple benchmarks.
  • The approach minimizes user intervention and outperforms prior rule-based and LLM-driven translation methods in producing idiomatic, memory-safe Rust code.

Mostly Automatic Translation of Language Interpreters from C to Safe Rust: An Analysis of Reboot

Problem Statement and Context

Translating interpreter programs written in C to safe Rust is complex due to fundamentally distinct memory and type systems. Interpreters are prominent in a variety of software contexts, frequently serve as interfaces for untrusted inputs, and are notorious for historical memory-related vulnerabilities. Rule-based translators and recent LLM-driven approaches have been limited in their ability to produce idiomatic, fully memory-safe Rust translations for large, real-world interpreters, particularly due to the challenges posed by Rust's ownership model and cross-cutting features in interpreter architectures.

Approach: Feature Reduction and Multi-Agent Orchestration

Reboot advances automated translation by integrating two principal concepts: feature reduction and multi-agent orchestration. Feature reduction decomposes translation by language features—rather than syntactic units—allowing each milestone to be a complete, testable program, and providing flexibility for restructuring code to satisfy Rust's safety requirements. Figure 1

Figure 1: Workflow representation for the translation process using Reboot, delineating phases and management via feature reduction and multi-agent orchestration.

This strategy is supported by a multi-agent system (MAS) that automates translation, validation, and code review, mitigating agent unreliability via iterative validation and finite-state workflow guards. Agents are managed hierarchically across three implementation levels (L3 phase controller, L2 branch managers, and L1 worker agents), with automatic escalation and feedback mechanisms restricting user involvement to a minimum. Figure 2

Figure 2: Three-level implementation architecture of Reboot, showing phase controller, branch controllers and managers, worker agents, and user delegate escalation.

Feature reduction enables handling of interpreter features such as closures, exception handling, or regular expressions—which cut across multiple functions and modules—by systematically simplifying and then reintegrating features in successive Rust translations. Reboot’s orchestration ensures long-running translation workflows are self-correcting, with explicit management of agent failure modes based on a taxonomy of observed and reported faults.

Technical Implementation

Reboot uses the Claude Code agent system, instructed via curated prompts and guarded by FSMs that enforce invariant-preserving workflows. Each program and test suite is isolated in its own Git worktree, with automated backup/recovery operations. L1 Agents (Translation, Simplification, Validation, Review) operate in controlled Docker environments, while branch and phase management guarantee correct progression and sandboxed execution. User interventions are routed via a delegator agent at L3 that auto-resolves routine failure modes.

Empirical Evaluation

Reboot was evaluated on six interpreter programs ranging from 6k to 23k lines of C, spanning Awk, JavaScript (mujs), Picoc (C subset), GNU-bc, Wren, and PocketPy (Python). Each translation produced idiomatic, fully memory-safe Rust (zero unsafe blocks, all tests passing) with modest code size inflation. Figure 3

Figure 3: Illustration of incremental source code and test suite changes across feature levels during translation.

Validation on independently-created unseen test suites yields pass rates from 62% to 92%. For mujs, ECMA-262 conformance (Test262@mujs) improves from 35.91% (no feature reduction) to 83.91%, highlighting substantial correctness gains. Each program translation required just 1–11 user interventions, averaging ∼\sim5 minutes each, and incurred translation times of 28–90 hours and costs of $460–$1,780 USD. Figure 4

Figure 4

Figure 4: Aggregate runtime comparisons for C vs. Reboot-generated Rust implementations across different interpreter programs.

On the security front, Reboot eliminated or mitigated all memory safety CVEs in mujs by replacing manual memory management and error handling with Rust’s ownership, bounds checking, and safe APIs. All heap buffer overflows, use-after-free, and null dereferences vanished; denial-of-service bugs (e.g., stack exhaustion) persisted as expected. Performance overheads are modest (median slowdowns 1.28x–1.51x). An ablation study demonstrates that feature reduction is critical for scalability and correctness, especially as program complexity grows; for PocketPy (largest benchmark), translation failed without feature reduction.

Comparison With Prior Work

Reboot outperforms rule-based (C2Rust, CROWN) and contemporary LLM-driven translation systems (SmartC2Rust, C2SaferRust) in producing fully safe, idiomatic Rust at scale. Where prior translators retain extensive raw pointers, unsafe blocks, and require substantial manual intervention, Reboot’s decompositional and multi-agent workflow achieves high-fidelity, safe translation with minimal user input. Feature reduction is found to crucially enable success on large, structurally interdependent codebases—function-based decomposition alone is insufficient.

Implications and Future Directions

Reboot demonstrates that integrated feature-based decomposition and agent workflow management enable scalable translation of critical interpreter systems to safe Rust, drastically improving security stance and supporting robust validation. Practical implications include direct applicability to interpreters, command-line utilities, and other software with cross-cutting architectural features. Theoretical implications are two-fold: 1) decomposition by feature—rather than syntactic unit—fundamentally changes scalability and correctness properties; 2) reliable automated translation demands explicit orchestration (validation, feedback, recovery), not just agent competence.

Notable directions include generalizing feature reduction beyond interpreters, optimizing agent orchestration for reduced user interventions, and narrowing correctness gaps on validation suites. Further, investigating the limits of agent orchestration fidelity and V/HV/H reliability, as well as expanding to programs less likely to be within an LLM's training corpus, will be necessary to validate broader applicability.

Conclusion

Reboot introduces a robust, largely automatic methodology for C-to-safe-Rust translation of interpreter programs via feature decomposition and multi-agent workflow control. The system achieves high validation rates, eliminates memory vulnerabilities, and scales well with minimal user intervention. Feature reduction is both necessary and sufficient for correctness on large interpreters, and its principles are potentially extensible to similar software domains. Robust orchestration of agent workflows is crucial for reliability as translation complexity increases.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 5 likes about this paper.