CogGen Verification Framework

• CogGen is a compositional verification framework that leverages the Cogent language to extend strong static guarantees, such as type and memory safety, into mixed-language systems.
• It employs a controlled foreign function interface that mandates formal contracts and proof obligations to securely integrate and verify untrusted C components.
• The framework uses a multi-layer semantic refinement pipeline to ensure end-to-end correctness in complex systems, including file systems and kernel subsystems.

CogGen refers to a compositional verification framework and methodology centered on the Cogent programming language, enabling the construction and end-to-end verification of systems that integrate both Cogent and foreign C code. The central focus of CogGen is to systematically extend the strong static guarantees of Cogent—such as type safety, memory safety, and correctness—across language boundaries to unverified or partially verified components written in C. The ultimate aim is to facilitate the reliable construction of systems software (notably file systems and kernel subsystems) where correctness properties are maintained in the presence of external, low-level functions.

1. Language Design and Verification Principles

Cogent is a strictly functional programming language with a set of restrictions that significantly aid formal verification:

• Absence of recursion and explicit looping, ensuring total functions.
• Strict uniqueness (linearity) type system, guaranteeing single ownership of heap-allocated mutable state and precluding memory aliasing.
• No closures; first-class functions must be closed over their environment.
• Parametric polymorphism supported at the module/interface level, instantiated via monomorphisation.

These constraints eliminate common sources of verification complexity such as aliasing bugs, unspecified memory behavior, or nontermination, and thus render Cogent programs naturally amenable to program logics and mechanized proofs. The uniqueness property is precisely formalized: at any time, only a single accessible reference exists to any mutable value.

The type preservation theorem central to the Cogent verification effort is stated as:

$\text{If } \Typing{A}{\Gamma}{e}{\tau},\; \VTRUE{U}{\mu}{\Gamma},\; \UpdSemAb{\xi_u}{U}{e}{\mu}{u}{\mu'} \text{ then } \VTRUE{u}{\mu'}{\tau}$

where $\Typing{A}{\Gamma}{e}{\tau}$ denotes that expression $e$ has type $\tau$ in context $\Gamma$, and the other symbols denote value and heap validity under monotonic update ($\UpdSemAb{}$).

2. Foreign Function Interface (FFI): Structure and Obligations

To overcome language-level expressivity restrictions—especially the absence of recursion and loops—Cogent provides a controlled FFI for integration with C functions and data types. This interface is designed to serve as an "escape hatch" while maintaining the integrity of Cogent's invariants.

• All external types and functions imported from C must be described by contracts specifying their interaction with resources and memory.
• The interface requires proof obligations (discharged in Isabelle/HOL or an equivalent formal environment) stipulating that imported entities satisfy:
  • bang (read-only) access separation;
  • no-alias between readable and writable regions;
  • pointer validity;
  • frame invariance (modifications are confined to permitted regions).

The formal contract for no-alias, for example, is given as:

$\textrm{no-alias:}\quad \VTRU{u}{\mu}{\AbsTy{A}{\overline\tau}{r}{w}} \longrightarrow r \cap w = \emptyset$

Each function/type imported via FFI must be wrapped with a logical abstraction relating C-level state and Cogent-level semantics. These abstraction layers are described and proven in a proof assistant, usually leveraging HOL embedding.

3. Multi-Layer Refinement Verification Pipeline

CogGen employs a multi-phase semantic refinement pipeline to ensure system-wide properties hold across all software layers:

1. C code (CC): the actual compiled artifacts, including the foreign C components.
2. Update Semantics (U): imperative operational semantics, explicitly modeling memory state transitions.
3. Monomorphic Value Semantics (V): functional semantics without polymorphism.
4. Polymorphic Value Semantics (P): higher-level, reusable specification allowing abstract type quantification.
5. Shallow Embedding (S): high-level executable specification in Isabelle/HOL.

Refinement theorems relate each adjacent layer, culminating in a result that ensures correctness properties verified at the highest level (in S or P) hold concretely for the compiled, linked C program, subject to all FFI obligations being proven.

A principal refinement theorem links execution of the C function $f_c$ with its abstract shallow specification, maintaining heap types and frame invariants:

$R_{c,s}(a_c,\sigma,a_u,\mu,a_m,a_p,a_s,\tau,r,w) \wedge \CSem{a_c}{f_c}{\sigma}{v_c}{\sigma'} \Rightarrow \exists \ldots:\; \UpdSemAb{\xi}{(x \mapsto a_u)}{f_m}{\mu}{v_u}{\mu'} \wedge \ldots$

where $R_{c,s}$ encodes the cross-layer relation.

4. Verification Workflow for Mixed Cogent–C Systems

For the construction and verification of real-world systems spanning both Cogent and C, such as the BilbyFs file system, the following process is adhered to:

• C code is modeled in Isabelle/HOL using AutoCorres or equivalent translation tools.
• HOL-level abstractions are specified for every foreign type and function imported via FFI.
• All invariants—including uniqueness, bang, valid, and frame—are established for the imported components, typically via a combination of semi-automatic and manual proof.
• Modular refinements are proven, ensuring the overall system's correctness propagates downward and across all language boundaries.
• Once key generic combinators (e.g., array iterators, loop combinators) are proven correct, entire classes of client code (such as search algorithms and file system operations) can inherit these guarantees through instantiation.

5. Practical Examples: Verified Iterators and Real-World File Systems

CogGen underpins the verification of reusable, higher-order constructs that enable functional abstraction despite language restrictions:

• Generic loop combinator (repeat): enables bounded, externally specified iteration without loops/recursion in Cogent code. The function signature:

$\CFunName{repeat} : (U32, (a, b!) \rightarrow Bool, (a, b!) \rightarrow a, a, b!) \rightarrow a$

• Array iterators such as mapAccum and fold are proven once and instantiated for various applications (e.g., binary search, data copying).
• Binary search: Implemented using verified combinators and FFI arrays, with formal grounding of correctness (e.g., returned index $i$ implies $xs[i] = v$, or that $v$ is absent if result indicates so), compositional over both Cogent and C parts.
• BilbyFs: A file system implemented in Cogent with critical array and iterator code in C. CogGen is used to eliminate any assumption about array correctness, providing a unified verification result for the entire system.

6. Multi-Language Systems: Interoperability and Generalization

CogGen addresses the challenge of verifying interoperable systems comprising modules with vastly different levels of static guarantees:

• FFI contracts are formed as proof-carrying certificates, imported into the verification chain to ensure language-agnostic invariants.
• The architectural separation and refinement composition make the approach generalizable to other multi-language scenarios where static verification strength varies across components.
• Once key combinators or containers are verified, their contract and proof artifacts become reusable for a broad range of client code, amortizing proof effort and reinforcing modularity.

In sum, CogGen provides a practical blueprint for achieving end-to-end formal guarantees in mixed-language systems built atop functional languages with certifying compilers and imperative, less-regulated components. The methodology establishes that with a proof-oriented FFI and layered semantics refinement, strong software correctness properties can be compositionally extended to heterogeneous systems, obviating the need for trust in foreign code and enabling scalable, maintainable verification for performance-critical software domains.