Automatic Function Annotations for Hoare Logic
In systems verification we are often concerned with multiple, inter-dependent properties that a program must satisfy. To prove that a program satisfies a given property, the correctness of intermediate states of the program must be characterized. However, this intermediate reasoning is not always phrased such that it can be easily re-used in the proofs of subsequent properties. We introduce a function annotation logic that extends Hoare logic in two important ways: (1) when proving that a function satisfies a Hoare triple, intermediate reasoning is automatically stored as function annotations, and (2) these function annotations can be exploited in future Hoare logic proofs. This reduces duplication of reasoning between the proofs of different properties, whilst serving as a drop-in replacement for traditional Hoare logic to avoid the costly process of proof refactoring. We explain how this was implemented in Isabelle/HOL and applied to an experimental branch of the seL4 microkernel to significantly reduce the size and complexity of existing proofs.
💡 Research Summary
The paper addresses a common pain point in formal verification of complex systems: the need to prove multiple, often inter‑dependent properties of the same code. Traditional Hoare logic treats each property in isolation; even when several properties share the same intermediate reasoning—such as loop invariants, resource ownership conditions, or memory safety constraints—those arguments must be re‑derived for every new proof. This duplication inflates proof size, increases maintenance effort, and makes large‑scale verification brittle.
To solve this, the authors introduce Function Annotation Logic (FAL), an extension of Hoare logic that automatically records the intermediate reasoning performed while proving a Hoare triple and makes that reasoning available as reusable annotations. The core ideas are:
- Automatic Annotation Generation – When a Hoare triple ⟨P⟩ f ⟨Q⟩ is proved, every sub‑command’s pre‑ and post‑conditions are captured in a meta‑object `annotate f`. This is achieved by augmenting the standard Hoare proof rules (`hoare_seq`, `hoare_if`, `hoare_while`, etc.) with annotation‑propagation clauses. For a sequential composition `c1; c2`, the intermediate condition R that links the two commands becomes part of the annotation for the whole sequence.
- Annotation Reuse – In later proofs of the form ⟨P'⟩ f ⟨Q'⟩, the system can invoke a `use_annotation` rule. If an existing annotation contains a condition R such that P' ⇒ R and R ⇒ Q', the whole Hoare proof can be discharged in a single step, bypassing the need to reconstruct the intermediate reasoning. Consequently, common invariants, resource‑accounting facts, and memory‑safety lemmas are automatically shared across proofs.
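As an added illustration (not code from the paper or from Isabelle/HOL), the following Python model captures the two rules above over a constructed finite state space: `prove_seq` plays the role of `hoare_seq` with annotation propagation, recording the chain of conditions it verified, and `use_annotation` discharges a later triple from a stored one by the rule of consequence (the new precondition entails the recorded one, and the recorded postcondition entails the new one). The function `f`, the state space and all predicates are constructed for this example.

```python
from itertools import product

# Constructed finite state space: states are dicts over two variables, so
# entailment and triple validity can be decided by brute force.
STATES = [{"x": x, "y": y} for x, y in product(range(4), repeat=2)]

def entails(p, q):
    """P ⇒ Q, checked over every state in STATES."""
    return all(q(s) for s in STATES if p(s))

def valid(p, cmd, q):
    """Semantic partial-correctness triple {P} cmd {Q} over STATES."""
    return all(q(cmd(s)) for s in STATES if p(s))

# Function name -> list of proved condition chains [P, R1, ..., Rn-1, Q].
ANNOTATIONS = {}

def prove_seq(name, pre, cmds, mids, post):
    """hoare_seq with annotation propagation: prove {pre} c1; ...; cn {post}
    via the intermediate conditions `mids`; on success the whole chain is
    stored as an annotation of `name` so later proofs can reuse it."""
    conds = [pre, *mids, post]
    assert len(cmds) == len(conds) - 1, "one condition between each command"
    if not all(valid(p, c, q) for c, p, q in zip(cmds, conds, conds[1:])):
        return False
    ANNOTATIONS.setdefault(name, []).append(conds)
    return True

def use_annotation(name, pre2, post2):
    """Discharge {pre2} name {post2} from a stored annotation by the rule of
    consequence: pre2 ⇒ P and Q ⇒ post2 for some recorded chain [P, ..., Q]."""
    return any(entails(pre2, chain[0]) and entails(chain[-1], post2)
               for chain in ANNOTATIONS.get(name, []))

# Hypothetical function f: x := x + 1; y := x, as two state transformers.
def inc_x(s):
    return {**s, "x": s["x"] + 1}

def copy_x_to_y(s):
    return {**s, "y": s["x"]}

def demo():
    proved = prove_seq("f", lambda s: s["x"] == 0, [inc_x, copy_x_to_y],
                       [lambda s: s["x"] == 1], lambda s: s["y"] == 1)
    # Stronger precondition, weaker postcondition: discharged in one step.
    reused = use_annotation("f", lambda s: s["x"] == 0 and s["y"] == 3,
                            lambda s: s["y"] > 0)
    # Semantically valid, but x == 1 does not entail the recorded x == 0,
    # so the stored annotation cannot discharge it; a fresh proof is needed.
    rejected = use_annotation("f", lambda s: s["x"] == 1, lambda s: s["y"] == 2)
    return proved, reused, rejected
```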
The authors formalize annotations as partial‑correctness triples themselves, proving that any annotation derived by the generation rules is sound with respect to the underlying operational semantics. This guarantees that reusing an annotation never compromises the overall proof soundness. Annotations are also typed, allowing them to represent specialized concepts such as separation‑logic tokens or concurrency permissions.
Implementation is carried out in Isabelle/HOL. The annotation mechanism is realized as an attribute that automatically attaches to every Hoare proof step. Users need only add a single `declare