"A Verified Foreign Function Interface between Coq and C", by me, Kathrin Stark and Andrew W. Appel will appear at POPL 2025! www.cs.princeton.edu/~appel/paper... this is the culmination of years of research (and most of my grad school work), so I'm excited to see it finally published! 🎉 - ThreadSky

joomy.bsky.social • 191 days ago

"A Verified Foreign Function Interface between Coq and C", by me, Kathrin Stark and Andrew W. Appel will appear at POPL 2025! https://www.cs.princeton.edu/~appel/papers/VeriFFI.pdf

this is the culmination of years of research (and most of my grad school work), so I'm excited to see it finally published! 🎉

Comments

kirancodes.me•191 days ago

Super cool work!! Congratss!! This defo sounds like a huge amount of work omw! This along with Melocoton, it's cool to see more works verifying FFIs and the interaction between functional code and C (bcs its so easy to screw up, I know from wayyy too much experience).

kirancodes.me•191 days ago

Section 12 was my favourite part, the monadic array encoding + C implementation was a very practical application of the framework. Do you forsee any challenges in completing the proof that the C implementation of `runM` satisfies the spec?

joomy.bsky.social•190 days ago

Thank you!

I don't foresee a huge challenge for the mutable array example: We have a purely functional model that computes the same result; VST is good at such proofs. We also now have proofs about how the GC deals with mutation.

joomy.bsky.social•190 days ago

The path is less clear for other effectful programs. There is work on proving effectful programs correct:
* https://github.com/search?q=repo%3APrincetonUniversity%2FVST%20itree&type=code
* https://doi.org/10.4230/LIPIcs.ITP.2021.32
* https://doi.org/10.1145/3293880.329410

Expressing the program with an ITree and writing an execution function for it in C is probably the way to go.

joomy.bsky.social•190 days ago

We didn't go the full ITree route in the paper since the tree is parametrized by a stack of event types, which complicates how the execution function has to be written. (can also have a runtime cost so we have to be careful) But I imagine the ITree approach would organize the proof+program better.

arourhs.bsky.social•191 days ago

congratulations, very interesting work!
could this approach inspire a framework for runtime checks of dynamically changing models?

joomy.bsky.social•191 days ago

thank you!

can you clarify what you mean by dynamically changing models? do you mean based on input from the outside world? I think you would have to model that as an effect, like in section 12.2.

joomy.bsky.social•191 days ago

if I misunderstood and you were asking about dynamic checks for safe FFI, there's some work on that too: https://www.cs.princeton.edu/~appel/papers/safejni.pdf

arourhs.bsky.social•191 days ago

i was reffering to the latter, thank you very much!

Comments

Posting Rules

Reply