CFML: Characteristic Formulae for ML

CFML can be used to verify Caml programs using the Coq proof assistant. It is based on Characteristic Formulae, which I have developed during my thesis. CFML consists of:
  • a generator that parses Caml code and produces characteristic formulae expressed as Coq axioms (the generator itself is implemented in Caml),
  • a Coq library that provides tactics for manipulating characteristic formulae interactively.

Download

  • The stable source files can be obtained by running:
    git clone -b master https://gforge.inria.fr/git/cfml/cfml.git
  • CFML compiles with Coq v8.5 and OCaml (>= 4.01).
  • The developments rely on my Coq library TLC.
  • If you want to install CFML, please send me an e-mail
    (because a new installation procedure is in development).
  • Warning: most examples currently do not compile (migration in progress).
  • All the files are distributed under the GNU-LGPL license.

Related publications

Temporary Read-Only Permissions for Separation Logic
Arthur Charguéraud and François Pottier
Submitted, October 2016
Higher-order Representation Predicates in Separation Logic
Arthur Charguéraud
CPP: Certified Programs and Proofs, January 2016
Machine-Checked Verification of the Correctness and Amortized Complexity of an Efficient Union-Find Implementation
Arthur Charguéraud and François Pottier
ITP: International Conference on Interactive Theorem Proving, August 2015
Characteristic Formulae for the Verification of Imperative Programs
Arthur Charguéraud
Report, journal version of the ICFP'11 paper, October 2012
Characteristic Formulae for the Verification of Imperative Programs
Arthur Charguéraud
ICFP: International Conference on Functional Programming, September 2011
Program Verification Through Characteristic Formulae
Arthur Charguéraud
ICFP: International Conference on Functional Programming, September 2010
Characteristic Formulae for Mechanized Program Verification
Arthur Charguéraud
PhD thesis, December 2010

Program verification using characteristic formulae

In my thesis, I have developed a new approach to program verification based on the notion of characteristic formula. This approach is implemented in a tool, called CFML, which can be used to establish in Coq the full functional correctness of arbitrarily complex Caml programs.

The characteristic formula of a piece of code is a logical formula that describes the semantics of this code (it is a form of strongest post-condition). This characteristic formula satisfies the following property:

  • it is built compositionally and automatically from the source code alone,
  • it has a size linear in that of the source code,
  • it can be displayed in the logic in a way that closely resembles source code (using Coq notation system),
  • it can be manipulated through a small set of specialized tactics that make it unnecessary to know how the formula is constructed
  • it is not just a sound, but also a complete description of the code semantics, meaning that characteristic formulae do not restrict in any way the ability to reason about the code;
  • it supports modular verification, and it integrates the frame rule, which enables local reasoning.

The concept of characteristic formula

The general concept of characteristic formula is not new: it originates in work on process calculi from the 80's (Park, 1981). In this setting, every syntactic process definition is mapped to a formula of Hennessy-Milner's logic. This mapping is such that two syntactic processes are behaviorally equivalent if and only if their associated formulae are logically equivalent. More recently, these results on process calculi were adapted to lambda-calculi by Honda, Berger and Yoshida, who derived a sound and complete Hoare logic for PCF (2006). I have turned the concept of characteristic formula into an effective approach to program verification my building formulae of linear size, expressed in a standard higher-order logic, associated with a pretty-printer, and including support for local reasoning.

It is useful to understand what the characteristic formula approach is not:

  • it is not a verification condition generator (VCG): the source code needs not be annotated with invariants; instead, invariants are provided in interactive proofs;
  • it is not a deep embedding: there is no inductive data type used to represent code syntax, so we avoid all technical issues related to the representation and manipulation of program syntax;
  • it is not a shallow embedding: Caml functions are not represented as Coq functions, so there is no need to resort to monadic programming for avoiding the mismatch between program functions, which can be partial, and logical functions, which must be total;
  • it is not a dynamic logic: characteristic formulae are not expressed in ad-hoc logic but instead in a standard higher-order logic, making it possible to leverage on existing theorem provers.

Earlier work: the deep embedding approach

Before developing characteristic formulae, I worked on a deep embedding approach to reasoning about Caml programs using Coq. I showed that, by introducing the right definition, notation and tactics, it is actually feasible to scale up the deep embedding approach to a realistic programming language, more precisely to the pure fragment of Caml.
Interactive Verification of Call-by-Value Functional Programs Through a Deep Embedding
Arthur Charguéraud
Report, March 2009
Nevertheless, specifications were polluted with the need to relate embedded Caml values with the corresponding Coq values, and proofs involved heavy custom tactics whose use resulted in big proof terms. Characteristic formulae appeared as a way to avoid all of the issues of the deep embedding, while retaining all of the expressivity of this approach.