Abstract
Coq is built around a well-delimited kernel that performs typechecking for definitions in a variant of the Calculus of Inductive Constructions (CIC). Although the metatheory of CIC is very stable and reliable, the correctness of its implementation in Coq is less clear. Indeed, implementing an efficient type checker for CIC is a rather complex task, and many parts of the code rely on implicit invariants which can easily be broken by further evolution of the code. Therefore, on average, one critical bug has been found every year in Coq.
This paper presents the first implementation of a type checker for the kernel of Coq (without the module system and template polymorphism), which is proven correct in Coq with respect to its formal specification and an axiomatisation of part of its metatheory. Note that because of Gödel's incompleteness theorem, there is no hope of proving the correctness of Coq's specification completely inside Coq (in particular strong normalisation or canonicity), but it is possible to prove the correctness of the implementation assuming the correctness of the specification, thus moving from a trusted code base (TCB) to a trusted theory base (TTB) paradigm.
Our work is based on the MetaCoq project, which provides metaprogramming facilities to work with terms and declarations at the level of this kernel. Our type checker is based on the specification of the typing relation of the Polymorphic, Cumulative Calculus of Inductive Constructions (PCUIC) at the basis of Coq, and on the verification of a relatively efficient and sound type checker for it. In addition to the kernel implementation, an essential feature of Coq is the so-called extraction: the production of executable code in functional languages from Coq definitions. We present a verified version of this subtle type-and-proof erasure step, thereby enabling the verified extraction of a safe type checker for Coq.
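To make concrete what the "type-and-proof erasure" step does, the following is an added illustration, not code from the paper or from MetaCoq: it uses Coq's standard (unverified) extraction mechanism on a definition whose type carries a proof obligation. The names `pos`, `pos_pred` and `one` are invented for this example. Erasure keeps the computational witness and drops the proof that it is non-zero, which is exactly the step the paper's verified erasure must get right; a wrong erasure here would silently change program behaviour in the extracted code that a verified checker is meant to run as.

```coq
(* Added example (not from the paper): observing proof erasure with
   Coq's standard extraction. Requires Coq >= 8.7 for `Extraction`. *)
Require Import Extraction.
Require Import Arith.

(* A positive natural: a number packaged with a *proof* that it is non-zero.
   `sig` lives in Type, but its second component lives in Prop. *)
Definition pos := { n : nat | 0 < n }.

(* Computation uses only the witness `n`; the proof component is ignored. *)
Definition pos_pred (p : pos) : nat :=
  match p with
  | exist _ n _ => Nat.pred n
  end.

(* Building a value of `pos` requires discharging the proof obligation.
   `Nat.lt_0_succ : forall n, 0 < S n` is from the standard library. *)
Definition one : pos := exist _ 1 (Nat.lt_0_succ 0).

(* Extract to OCaml: the `0 < n` proof is erased, `pos` becomes plain `nat`,
   and `pos_pred` is just a predecessor function on that carrier. *)
Extraction Language OCaml.
Recursive Extraction pos_pred one.
```

Running this in `coqc` or `coqtop` prints the extracted OCaml; the proof argument of `exist` and the `0 < n` type index leave no trace in it. The point of the paper is that this erasure, which today is trusted code in the Coq implementation, is itself proven to preserve the meaning of the terms it erases.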
Coq Coq correct! verification of type checking and erasure for Coq, in Coq