CFML: Characteristic Formulae for ML

CFML can be used to verify Caml programs using the Coq proof assistant. It is based on Characteristic Formulae, which I have developed during my thesis. CFML consists of:
  • a generator that parses Caml code and produces characteristic formulae expressed as Coq axioms (the generator itself is implemented in Caml),
  • a Coq library that provides tactics for manipulating characteristic formulae interactively.


  • The stable source files can be obtained by running:
    git clone -b master
  • CFML compiles with Coq v8.5 and OCaml (>= 4.01).
  • The developments rely on my Coq library TLC.
  • If you want to install CFML, please send me an e-mail
    (because a new installation procedure is in development).
  • Warning: most examples currently do not compile (migration in progress).
  • All the files are distributed under the GNU-LGPL license.

Related publications

Higher-order Representation Predicates in Separation Logic
CPP: Certified Programs and Proofs, January 2016
Machine-Checked Verification of the Correctness and Amortized Complexity of an Efficient Union-Find Implementation
with François Pottier
ITP: International Conference on Interactive Theorem Proving, August 2015
Characteristic Formulae for the Verification of Imperative Programs
Report, journal version of the ICFP'11 paper, October 2012
Characteristic Formulae for the Verification of Imperative Programs
ICFP: International Conference on Functional Programming, September 2011
Program Verification Through Characteristic Formulae
ICFP: International Conference on Functional Programming, September 2010
Characteristic Formulae for Mechanized Program Verification
PhD thesis, December 2010

Imperative programs verified

  • Union-find with union-by-rank and path compression (with complexity analysis)
  • Bootstrapped chunked sequences (with complexity analysis)
  • Dijkstra's shortest path algorithm
  • Reachability analysis using DFS
  • Eratosthene's sieve
  • Binary search tree
  • Sparse arrays (from the Vacid challenge)
  • Mutable list: destructive append, and CPS-append (a challenge by Reynolds)
  • Higher-order iterator: call to iter on a list of counters
  • Fixed-point combinators: Y, and Landin's knot (recursion through the store)

Purely-functional programs verified, from Okasaki's book

  • Batched queue (page 43)
  • Bankers queue (page 65)
  • Physicists queue (page 73)
  • Real-time queue (page 83)
  • Implicit queue (page 174)
  • Bootstrapped queue (page 149)
  • Hood-Melville queue (page 105)
  • Leftist heap (page 20)
  • Pairing heap (page 54)
  • Lazy pairing heap (page 80)
  • Splay heap (page 50)
  • Binominal heap (page 24)
  • Unbalanced set (page 14)
  • Red-black set (page 28)
  • Bottom-up merge sort (page 77)
  • Catenable lists (page 156)
  • Binary random-access lists (page 123)

Program verification using characteristic formulae

In my thesis, I have developed a new approach to program verification based on the notion of characteristic formula. This approach is implemented in a tool, called CFML, which can be used to establish in Coq the full functional correctness of arbitrarily complex Caml programs.

The characteristic formula of a piece of code is a logical formula that describes the semantics of this code (it is a form of strongest post-condition). This characteristic formula satisfies the following property:

  • it is built compositionally and automatically from the source code alone,
  • it has a size linear in that of the source code,
  • it can be displayed in the logic in a way that closely resembles source code (using Coq notation system),
  • it can be manipulated through a small set of specialized tactics that make it unnecessary to know how the formula is constructed
  • it is not just a sound, but also a complete description of the code semantics, meaning that characteristic formulae do not restrict in any way the ability to reason about the code;
  • it supports modular verification, and it integrates the frame rule, which enables local reasoning.

The concept of characteristic formula

The general concept of characteristic formula is not new: it originates in work on process calculi from the 80's (Park, 1981). In this setting, every syntactic process definition is mapped to a formula of Hennessy-Milner's logic. This mapping is such that two syntactic processes are behaviorally equivalent if and only if their associated formulae are logically equivalent. More recently, these results on process calculi were adapted to lambda-calculi by Honda, Berger and Yoshida, who derived a sound and complete Hoare logic for PCF (2006). I have turned the concept of characteristic formula into an effective approach to program verification my building formulae of linear size, expressed in a standard higher-order logic, associated with a pretty-printer, and including support for local reasoning.

It is useful to understand what the characteristic formula approach is not:

  • it is not a verification condition generator (VCG): the source code needs not be annotated with invariants; instead, invariants are provided in interactive proofs;
  • it is not a deep embedding: there is no inductive data type used to represent code syntax, so we avoid all technical issues related to the representation and manipulation of program syntax;
  • it is not a shallow embedding: Caml functions are not represented as Coq functions, so there is no need to resort to monadic programming for avoiding the mismatch between program functions, which can be partial, and logical functions, which must be total;
  • it is not a dynamic logic: characteristic formulae are not expressed in ad-hoc logic but instead in a standard higher-order logic, making it possible to leverage on existing theorem provers.

Earlier work: the deep embedding approach

Before developing characteristic formulae, I worked on a deep embedding approach to reasoning about Caml programs using Coq. I showed that, by introducing the right definition, notation and tactics, it is actually feasible to scale up the deep embedding approach to a realistic programming language, more precisely to the pure fragment of Caml.
Interactive Verification of Call-by-Value Functional Programs Through a Deep Embedding
Report, March 2009
Nevertheless, specifications were polluted with the need to relate embedded Caml values with the corresponding Coq values, and proofs involved heavy custom tactics whose use resulted in big proof terms. Characteristic formulae appeared as a way to avoid all of the issues of the deep embedding, while retaining all of the expressivity of this approach.