How do I handle OCaml code with side-effects in coq-of-ocaml?

coq-of-ocaml does not support side-effects outside of a monad; you must refactor code into a monadic style or avoid such constructs, as stated in the supported features list.

What's the learning curve like for writing proofs after translation?

Learning Coq proofs is akin to a new programming paradigm and takes time, but the tool provides examples and documentation to help, similar to organizing tests.

coq-of-ocaml vs. other verification tools for OCaml: which is better?

coq-of-ocaml is best for large-scale, deep property proofs by translating to Coq, unlike lighter tools; it excels in correctness but has a steeper setup and Coq dependency.

How to set up coq-of-ocaml with a custom OCaml build system?

It works automatically with dune via Merlin; for other systems, you need to ensure Merlin is configured correctly, which can be complex and error-prone.

What should I do if the generated Coq code doesn't compile?

The README advises fixing errors by updating the OCaml source, as name collisions or unsupported features may cause issues, and contacting the team for assistance.

Is coq-of-ocaml suitable for verifying performance-critical code?

While it can verify correctness properties, the focus is on formal proofs, not runtime efficiency; generated Coq code may not reflect performance optimizations.

coq-of-ocaml

MITOCaml2.5.3

Translates OCaml programs to Coq for formal verification of properties like invariants, absence of failures, and backward compatibility.

Visit Website

What is coq-of-ocaml?

coq-of-ocaml is a tool that translates OCaml code into similar-looking Coq programs, enabling formal verification of complex properties like invariant preservation or absence of failures. It is designed for large-scale projects, as demonstrated by verifying 80% of files in the 100,000-line OCaml core of the Tezos cryptocurrency protocol. The tool focuses on a subset of OCaml, particularly purely functional and monadic programs, to facilitate reliable proof writing.

Target Audience

OCaml developers working on large-scale, safety-critical systems such as blockchain protocols, financial software, or embedded systems who need formal verification of code properties. It is also suited for researchers or engineers interested in applying Coq-based formal methods to existing OCaml codebases.

Value Proposition

Developers choose coq-of-ocaml for its ability to handle extensive codebases with stable generated Coq code, avoiding generated variable names and supporting proof integration akin to organizing test files. Its unique selling point is enabling formal verification at scale, as proven by its use in Tezos, with a philosophy inspired by TypeScript that brings proofs to a typed language rather than adding types.

Overview

Formal verification for OCaml, with Rocq

Use Cases

Best For

Related Projects

Community-curated · Updated weekly · 100% open source

Found a gem we're missing?

Open-Awesome is built by the community, for the community. Submit a project, suggest an awesome list, or help improve the catalog on GitHub.

Submit a project Star on GitHub

GitHub

275 stars20 forks0 contributors

Formally verifying core protocols in blockchain or cryptocurrency projects, such as Tezos, to ensure security and correctness.
Proving complex properties like invariant preservation or absence of assert failures in large OCaml codebases.
Translating purely functional and monadic OCaml programs to Coq for academic research or high-assurance software development.
Integrating formal verification into existing OCaml projects using build systems like dune, with Merlin for dependency handling.
Writing proofs by induction or other Coq techniques on OCaml code translated to similar-looking Coq representations.
Handling multiple-file OCaml projects with support for modules, type definitions, and monadic constructs while avoiding unsupported features like object-oriented programming.

Not Ideal For

Projects heavily using OCaml's object-oriented programming or imperative side-effects outside monads
Codebases requiring full, axiom-free support for GADTs or polymorphic variants without partial workarounds
Small or non-critical applications where the overhead of formal verification and Coq learning curve isn't justified
Teams seeking a plug-and-play verification tool without needing to manage Merlin configurations or dune builds

Pros & Cons

Pros

Large-Scale Verification Proven

Successfully used to verify 80% of files in the 100,000-line OCaml core of Tezos, demonstrating practical application at blockchain scale.

Stable Coq Output

Generates Coq code that closely resembles the original OCaml without generated variable names, ensuring readability and stability across changes.

Proof Integration Simplicity

Allows writing proofs by induction and organizing proof files like tests, as shown in examples, facilitating systematic verification workflows.

Broad OCaml Core Support

Covers essential features like functions, type definitions, monadic programs, and modules, enabling translation of millions of lines of code.

Cons

Restricted OCaml Subset

Excludes side-effects outside monads and object-oriented programming, limiting use with codebases that rely on these features.

Incomplete Advanced Feature Support

GADTs, polymorphic variants, and extensible types have only partial support, often requiring axioms or manual fixes, as admitted in the README.

Complex Setup Dependencies

Requires a compiled project with Merlin configuration, which can be challenging for non-dune build systems or inexperienced users.

Frequently Asked Questions

Home

OCaml

flow

Adds static typing to JavaScript to improve developer productivity and code quality.

A static analyzer for Java, C, C++, and Objective-C

SLAyer is an automatic formal verification tool that uses separation logic to verify memory safety of C programs.

Stars325

Forks24

Last commit10 years ago

#functional-programming