A Verified Foreign Function Interface between Coq and C

Joomy Korkut; Kathrin Stark; Andrew W. Appel

doi:10.1145/3704860

A Verified Foreign Function Interface between Coq and C

Joomy Korkut, Kathrin Stark, Andrew W. Appel

Research output: Contribution to journal › Article › peer-review

2 Citations (Scopus)

6 Downloads (Pure)

Abstract

One can write dependently typed functional programs in Coq, and prove them correct in Coq; one can write low-level programs in C, and prove them correct with a C verification tool. We demonstrate how to write programs partly in Coq and partly in C, and interface the proofs together. The Verified Foreign Function Interface (VeriFFI) guarantees type safety and correctness of the combined program. It works by translating Coq function types (and constructor types) along with Coq functional models into VST function-specifications; if the user can prove in VST that the C functions satisfy those specs, then the C functions behave according to the user-specified functional models (even though the C implementation might be very different) and the proofs of Coq functions that call the C code can rely on that behavior. To achieve this translation, we employ a novel, hybrid deep/shallow description of Coq dependent types.

Original language	English
Article number	24
Journal	Proceedings of the ACM on Programming Languages
Volume	9
Issue number	POPL
DOIs	https://doi.org/10.1145/3704860
Publication status	Published - 9 Jan 2025

Keywords

C
Coq
foreign function interface

ASJC Scopus subject areas

Software
Safety, Risk, Reliability and Quality

Access to Document

10.1145/3704860Licence: CC BY

Download pdf
Copyright © 2025 Owner/Author. This work is licensed under a Creative Commons Attribution International 4.0 License.
Final published version, 3.12 MBLicence: CC BY

Cite this

@article{e126dc3dea57490386ce67d34c2046a3,

title = "A Verified Foreign Function Interface between Coq and C",

abstract = "One can write dependently typed functional programs in Coq, and prove them correct in Coq; one can write low-level programs in C, and prove them correct with a C verification tool. We demonstrate how to write programs partly in Coq and partly in C, and interface the proofs together. The Verified Foreign Function Interface (VeriFFI) guarantees type safety and correctness of the combined program. It works by translating Coq function types (and constructor types) along with Coq functional models into VST function-specifications; if the user can prove in VST that the C functions satisfy those specs, then the C functions behave according to the user-specified functional models (even though the C implementation might be very different) and the proofs of Coq functions that call the C code can rely on that behavior. To achieve this translation, we employ a novel, hybrid deep/shallow description of Coq dependent types.",

keywords = "C, Coq, foreign function interface",

author = "Joomy Korkut and Kathrin Stark and Appel, {Andrew W.}",

year = "2025",

month = jan,

day = "9",

doi = "10.1145/3704860",

language = "English",

volume = "9",

journal = "Proceedings of the ACM on Programming Languages",

issn = "2475-1421",

publisher = "Association for Computing Machinery",

number = "POPL",

}

TY - JOUR

T1 - A Verified Foreign Function Interface between Coq and C

AU - Korkut, Joomy

AU - Stark, Kathrin

AU - Appel, Andrew W.

PY - 2025/1/9

Y1 - 2025/1/9

N2 - One can write dependently typed functional programs in Coq, and prove them correct in Coq; one can write low-level programs in C, and prove them correct with a C verification tool. We demonstrate how to write programs partly in Coq and partly in C, and interface the proofs together. The Verified Foreign Function Interface (VeriFFI) guarantees type safety and correctness of the combined program. It works by translating Coq function types (and constructor types) along with Coq functional models into VST function-specifications; if the user can prove in VST that the C functions satisfy those specs, then the C functions behave according to the user-specified functional models (even though the C implementation might be very different) and the proofs of Coq functions that call the C code can rely on that behavior. To achieve this translation, we employ a novel, hybrid deep/shallow description of Coq dependent types.

AB - One can write dependently typed functional programs in Coq, and prove them correct in Coq; one can write low-level programs in C, and prove them correct with a C verification tool. We demonstrate how to write programs partly in Coq and partly in C, and interface the proofs together. The Verified Foreign Function Interface (VeriFFI) guarantees type safety and correctness of the combined program. It works by translating Coq function types (and constructor types) along with Coq functional models into VST function-specifications; if the user can prove in VST that the C functions satisfy those specs, then the C functions behave according to the user-specified functional models (even though the C implementation might be very different) and the proofs of Coq functions that call the C code can rely on that behavior. To achieve this translation, we employ a novel, hybrid deep/shallow description of Coq dependent types.

KW - C

KW - Coq

KW - foreign function interface

UR - http://www.scopus.com/inward/record.url?scp=85215408075&partnerID=8YFLogxK

U2 - 10.1145/3704860

DO - 10.1145/3704860

M3 - Article

SN - 2475-1421

VL - 9

JO - Proceedings of the ACM on Programming Languages

JF - Proceedings of the ACM on Programming Languages

IS - POPL

M1 - 24

ER -

A Verified Foreign Function Interface between Coq and C

Abstract

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this