Practical Deductive Verification of OCaml Programs (Extended Version)
Mário Pereira
TL;DR
The paper presents a practical, tutorial-style approach to deductive verification of OCaml programs using GOSPEL and the Cameleer tool, demonstrating a pipeline that translates annotated OCaml into WhyML for Why3-based verification with SMT solvers. It targets both purely functional programs and imperative code with mutable state and exceptions, illustrating modular verification with OCaml functors through two representative case studies: a functional merge routine and a linear array search, then extending to a purely functional tree comparison (same fringe) and an imperative Boyer-Moore MJRTY algorithm. Key contributions include a concrete workflow that combines GOSPEL specifications, modular design via functors, and a spectrum of proofs (including lemmas and invariants) that enable automation, as well as a discussion of verification challenges and debugging within the Why3/Reasoning environment. The work underscores the practicality of making formal methods accessible to regular OCaml programmers, highlights the role of lemmas for automation, and provides an artifact with additional case studies, paving the way for broader adoption of deductive verification in real-world OCaml development with tool-assisted guarantees.
Abstract
In this paper, we provide a comprehensive, hands-on tutorial on how to apply deductive verification to programs written in OCaml. In particular, we show how one can use the GOSPEL specification language and the Cameleer tool to conduct mostly-automated verification on OCaml code. In our presentation, we focus on two main classes of programs: first, purely functional programs with no mutable state; then on imperative programs, where one can mix mutable state with subtle control-flow primitives, such as locally-defined exceptions.