VST-A: A Foundationally Sound Annotation Verifier

Litao Zhou, Jianxing Qin, Qinshi Wang, Andrew W. Appel, Qinxiang Cao

Research output: Contribution to journalArticlepeer-review

1 Scopus citations


Program verifiers for imperative languages such as C may be annotation-based, in which assertions and invariants are put into source files and then checked, or tactic-based, where proof scripts separate from programs are interactively developed in a proof assistant such as Coq. Annotation verifiers have been more automated and convenient, but some interactive verifiers have richer assertion languages and formal proofs of soundness. We present VST-A, an annotation verifier that uses the rich assertion language of VST, leverages the formal soundness proof of VST, but allows users to describe functional correctness proofs intuitively by inserting assertions. VST-A analyzes control flow graphs, decomposes every C function into control flow paths between assertions, and reduces program verification problems into corresponding straightline Hoare triples. Compared to existing foundational program verification tools like VST and Iris, in VST-A such decompositions and reductions can nonstructural, which makes VST-A more flexible to use. VST-A's decomposition and reduction is defined in Coq, proved sound in Coq, and computed call-by-value in Coq. The soundness proof for reduction is totally logical, independent of the complicated semantic model (and soundness proof) of VST's Hoare triple. Because of the rich assertion language, not all reduced proof goals can be automatically checked, but the system allows users to prove residual proof goals using the full power of the Coq proof assistant.

Original languageEnglish (US)
Article number69
JournalProceedings of the ACM on Programming Languages
StatePublished - Jan 5 2024

All Science Journal Classification (ASJC) codes

  • Software
  • Safety, Risk, Reliability and Quality


  • Annotated Programs
  • Coq
  • Foundational Verification


Dive into the research topics of 'VST-A: A Foundationally Sound Annotation Verifier'. Together they form a unique fingerprint.

Cite this