Arthur Charguéraud
Publications
by date
by topic
by venue
Software
CFML
TLC
PASL
FormalMetaCoq
OptiTrust
Teaching
Separation Logic
Coq tutorials
Concours Castor
France-ioi
Misc
The RE command
 
OptiTrust
OptiTrust draft paper
OptiTrust traces
OptiTrust website
 
JFLA'25 drafts
Typing overloading
Bijection C/λ-calculus
 
HomeContact

CFML: Characteristic Formulae for ML

CFML is a tool for the interactive verification of OCaml programs, using Coq and Separation Logic.

Download

  • The source files can be obtained from:

    git clone git@github.com:charguer/cfml.git

  • For installation instruction, read the README file.
  • The developments rely on my Coq library TLC.
  • All the files are distributed under the GNU-LGPL license.

Related publications

Separation Logic Foundations, 2nd edition
Arthur Charguéraud
SF: Volume 6 of the Software Foundations series — Reference book, all in Coq, Dec 2023
website - companion course notes
A Modern Eye on Separation Logic for Sequential Programs
Arthur Charguéraud
Habilitation manuscript, March 2023
paper - abstract
Specification and Verification of a Transient Stack
Alexandre Moine, Arthur Charguéraud, François Pottier
CPP: Certified Programs and Proofs, January 2022
paper - abstract - talk video - Distinguished Paper Award
Separation Logic Foundations
Arthur Charguéraud
SF: Volume 6 of the Software Foundations series — Reference book, all in Coq, May 2021
website
Separation Logic for Sequential Programs
Arthur Charguéraud
ICFP: International Conference on Functional Programming, August 2020
Published in the journal Proceedings of the ACM on Programming Languages (PACMPL)
paper - abstract - course material - talk video
Formal Proof and Analysis of an Incremental Cycle Detection Algorithm
Armaël Guéneau, Jacques-Henri Jourdan, Arthur Charguéraud, and François Pottier
ITP: International Conference on Interactive Theorem Proving, September 2019
paper - abstract
A Fistful of Dollars: Formalizing Asymptotic Complexity Claims via Deductive Program Verification
Armaël Guéneau, Arthur Charguéraud, and François Pottier
ESOP: European Symposium on Programming, April 2018
paper - abstract - scripts
Verifying the Correctness and Amortized Complexity of a Union-Find Implementation in Separation Logic with Time Credits
Arthur Charguéraud and François Pottier
JAR: Journal of Automated Reasoning, September 2017
paper - abstract - scripts
Temporary Read-Only Permissions for Separation Logic
Arthur Charguéraud and François Pottier
ESOP: European Symposium on Programming, April 2017
paper - abstract - scripts
Higher-order Representation Predicates in Separation Logic
Arthur Charguéraud
CPP: Certified Programs and Proofs, January 2016
paper - abstract
Machine-Checked Verification of the Correctness and Amortized Complexity of an Efficient Union-Find Implementation
Arthur Charguéraud and François Pottier
ITP: International Conference on Interactive Theorem Proving, August 2015
paper - abstract - slides
Characteristic Formulae for the Verification of Imperative Programs
Arthur Charguéraud
Report, journal version of the ICFP'11 paper, October 2012
paper - abstract - scripts
Characteristic Formulae for the Verification of Imperative Programs
Arthur Charguéraud
ICFP: International Conference on Functional Programming, September 2011
paper - abstract - slides - scripts
Program Verification Through Characteristic Formulae
Arthur Charguéraud
ICFP: International Conference on Functional Programming, September 2010
paper - abstract - slides - scripts
Characteristic Formulae for Mechanized Program Verification
Arthur Charguéraud
PhD thesis, December 2010
paper - abstract - slides - scripts

Program verification using characteristic formulae

In my thesis, I have developed a new approach to program verification based on the notion of characteristic formula. This approach is implemented in a tool, called CFML, which can be used to establish in Coq the full functional correctness of arbitrarily complex Caml programs.

The characteristic formula of a piece of code is a logical formula that describes the semantics of this code (it is a form of strongest post-condition). This characteristic formula satisfies the following property:

  • it is built compositionally and automatically from the source code alone,
  • it has a size linear in that of the source code,
  • it can be displayed in the logic in a way that closely resembles source code (using Coq notation system),
  • it can be manipulated through a small set of specialized tactics that make it unnecessary to know how the formula is constructed
  • it is not just a sound, but also a complete description of the code semantics, meaning that characteristic formulae do not restrict in any way the ability to reason about the code;
  • it supports modular verification, and it integrates the frame rule, which enables local reasoning.

The concept of characteristic formula

The general concept of characteristic formula is not new: it originates in work on process calculi from the 80's (Park, 1981). In this setting, every syntactic process definition is mapped to a formula of Hennessy-Milner's logic. This mapping is such that two syntactic processes are behaviorally equivalent if and only if their associated formulae are logically equivalent. More recently, these results on process calculi were adapted to lambda-calculi by Honda, Berger and Yoshida, who derived a sound and complete Hoare logic for PCF (2006). I have turned the concept of characteristic formula into an effective approach to program verification my building formulae of linear size, expressed in a standard higher-order logic, associated with a pretty-printer, and including support for local reasoning.

It is useful to understand what the characteristic formula approach is not:

  • it is not a verification condition generator (VCG): the source code needs not be annotated with invariants; instead, invariants are provided in interactive proofs;
  • it is not a deep embedding: there is no inductive data type used to represent code syntax, so we avoid all technical issues related to the representation and manipulation of program syntax;
  • it is not a shallow embedding: Caml functions are not represented as Coq functions, so there is no need to resort to monadic programming for avoiding the mismatch between program functions, which can be partial, and logical functions, which must be total;
  • it is not a dynamic logic: characteristic formulae are not expressed in ad-hoc logic but instead in a standard higher-order logic, making it possible to leverage on existing theorem provers.