HMC: Verifying Functional Programs Using Abstract Interpreters

We present Hindley-Milner-Cousots (HMC), an algorithm that allows any interprocedural analysis for first-order imperative programs to be used to verify safety properties of typed higher-order functional programs. HMC works as follows. First, it uses the type structure of the functional program to generate a set of logical refinement constraints whose satisfaction implies the safety of the source program. Next, it transforms the logical refinement constraints into a simple first-order imperative program that is safe iff the constraints are satisfiable. Thus, in one swoop, HMC makes tools for invariant generation, e.g., based on abstract domains, predicate abstraction, counterexample-guided refinement, and Craig interpolation be directly applicable to verify safety properties of modern functional languages in a fully automatic manner. We have implemented HMC and describe preliminary experimental results using two imperative checkers – ARMC and InterProc – to verify OCaml programs. Thus, by composing type-based reasoning grounded in program syntax and state-based reasoning grounded in abstract interpretation, HMC opens the door to automatic verification of programs written in modern programming languages.

💡 Research Summary

The paper introduces Hindley‑Milner‑Cousots (HMC), a novel verification framework that bridges the gap between type‑based reasoning for higher‑order functional programs and state‑based abstract interpretation techniques traditionally applied to first‑order imperative code. HMC operates in two distinct phases. In the first phase, the Hindley‑Milner type information of a functional program is exploited to generate a set of logical refinement constraints. These constraints capture the relationship between type variables and predicates that must hold at each program point, effectively encoding pre‑ and post‑conditions derived from the program’s syntax and semantics. The generation process is fully automatic: the compiler’s type inference engine supplies the necessary type skeleton, while a systematic refinement extraction algorithm produces the constraints without requiring any manual annotations from the programmer.

The second phase translates the refinement constraints into a simple first‑order imperative program. This translation is semantics‑preserving: the imperative program is safe (i.e., it never reaches an error state) if and only if the original set of constraints is satisfiable. The resulting imperative code consists of ordinary assignments, conditionals, and assertions that directly correspond to the logical predicates of the constraints. Because the target language is deliberately minimal, existing invariant‑generation tools—such as abstract‑domain based analyzers, predicate‑abstraction engines, counterexample‑guided abstraction refinement (CEGAR) loops, and Craig‑interpolation frameworks—can be applied without any modification.

The authors implemented HMC and evaluated it using two mature imperative checkers, ARMC and InterProc, on a collection of OCaml benchmarks that include list processing, recursive tree traversal, and state‑mutating functions. The experimental results demonstrate that HMC can automatically verify a substantial portion of safety properties (e.g., array‑index bounds, absence of pattern‑match failures, and preservation of invariants across recursive calls) that would otherwise require manual proofs or specialized functional‑program verification tools. Verification times were comparable to those of native imperative analyses, confirming that the overhead of the type‑to‑imperative translation is modest.

Key insights of the work include: (1) the observation that Hindley‑Milner types already encode a rich amount of semantic information, making them an ideal substrate for systematic refinement extraction; (2) the design of a translation that flattens higher‑order constructs, closures, and lexical environments into explicit state variables, thereby exposing the program’s control flow to traditional abstract interpreters; and (3) the demonstration that a fully automatic pipeline—type inference, constraint generation, translation, and abstract interpretation—can be assembled from existing components, dramatically lowering the barrier to functional program verification.

Limitations are acknowledged. The current prototype focuses on integer and Boolean domains and does not yet handle complex data structures such as mutable arrays, hash tables, or effectful features like exceptions and I/O. Moreover, the refinement logic is limited to quantifier‑free predicates, which may restrict expressiveness for certain specifications. The authors outline future directions: extending the refinement language with richer theories (e.g., linear arithmetic, algebraic data types), integrating effect systems to model side‑effects, and scaling the approach to multi‑threaded functional programs.

In summary, HMC offers a compelling strategy for reusing the substantial ecosystem of imperative static analysis tools to verify safety properties of modern functional languages. By coupling type‑driven refinement constraints with a sound imperative encoding, HMC achieves fully automatic verification, reduces the need for bespoke functional verification frameworks, and opens a pathway toward scalable, industrial‑strength analysis of higher‑order code bases.