Program verifiers for imperative languages such as C may be \emph{annotation-based}, in which assertions and invariants are put into source files and then checked; or tactic-based, where proof scripts separate from programs are \emph{interactively} developed in a proof assistant such as Coq. Annotation verifiers have been more automated and convenient, but some interactive verifiers have richer assertion languages and formal proofs of soundness. We present VST-A, an annotation verifier that uses the rich assertion language of VST, leverages the formal soundness proof of VST, but allows users to describe functional correctness proofs intuitively by inserting assertions.

VST-A analyzes control flow graphs, decomposes every C function into control flow paths between assertions, and reduces program verification problems into corresponding \emph{straightline Hoare triples}. Compared to existing foundational program verification tools like VST and Iris, such decomposition and reduction are allowed to be nonstructural in VST-A, which makes VST-A more flexible to use.

VST-A’s decomposition and reduction is defined in Coq, proved sound in Coq, and computed call-by-value in Coq. The soundness proof for reduction is totally logical, independent of the complicated semantic model (and soundness proof) of VST’s Hoare triple. Because of the rich assertion language, not all reduced proof goals can be automatically checked, but the system allows users to prove residual proof goals using the full power of the Coq proof assistant.