research-article
Open Access
Artifacts Available
Artifacts Evaluated & Reusable

Coq Coq correct! verification of type checking and erasure for Coq, in Coq

Published: 20 December 2019

Abstract

Coq is built around a well-delimited kernel that performs typechecking for definitions in a variant of the Calculus of Inductive Constructions (CIC). Although the metatheory of CIC is very stable and reliable, the correctness of its implementation in Coq is less clear. Indeed, implementing an efficient type checker for CIC is a rather complex task, and many parts of the code rely on implicit invariants which can easily be broken by further evolution of the code. As a consequence, on average one critical bug has been found in Coq every year.

This paper presents the first implementation of a type checker for the kernel of Coq (without the module system and template polymorphism) which is proven correct in Coq with respect to its formal specification and an axiomatisation of part of its metatheory. Note that because of Gödel's incompleteness theorem there is no hope of completely proving the correctness of the specification of Coq inside Coq (in particular strong normalisation or canonicity), but it is possible to prove the correctness of the implementation assuming the correctness of the specification, thus moving from a trusted code base (TCB) to a trusted theory base (TTB) paradigm.

Our work is based on the MetaCoq project, which provides metaprogramming facilities to work with terms and declarations at the level of this kernel. Our type checker is based on the specification of the typing relation of the Polymorphic, Cumulative Calculus of Inductive Constructions (PCUIC) underlying Coq, and on the verification of a relatively efficient and sound type checker for it. In addition to the kernel implementation, an essential feature of Coq is the so-called extraction: the production of executable code in functional languages from Coq definitions. We present a verified version of this subtle type-and-proof erasure step, therefore enabling the verified extraction of a safe type checker for Coq.
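To make concrete what the erasure step above removes, here is a small added example (not code from the paper or the MetaCoq project): a definition whose precondition is a proof in Prop, a specification lemma about it, and the extraction command that produces an OCaml program in which neither survives. It assumes Coq 8.9 with the standard `Arith` library and the `Extraction` plugin.

```coq
(* Added example, not from the paper: a non-zero divisor is a subset type,
   i.e. a nat bundled with a proof that it is not zero. *)
Require Import Arith.
Require Extraction.

Definition nz := { m : nat | m <> 0 }.

(* The precondition is discharged by a proof term, not by a runtime check. *)
Definition safe_div (n : nat) (d : nz) : nat := n / proj1_sig d.

(* A concrete call: the proof obligation is closed once, at definition time. *)
Definition ten_over_two : nat :=
  safe_div 10 (exist _ 2 (Nat.neq_succ_0 1)).

(* Reasoning about the specification stays inside Coq ... *)
Lemma safe_div_spec : forall n d, safe_div n d * proj1_sig d <= n.
Proof.
  intros n [d Hd]; unfold safe_div; simpl.
  rewrite Nat.mul_comm.
  apply Nat.mul_div_le; assumption.
Qed.

(* ... while the extracted program keeps no trace of Hd or safe_div_spec:
   [nz] erases to a bare nat and [safe_div] to a two-argument function. *)
Extraction Language OCaml.
Recursive Extraction safe_div ten_over_two.
```

The point of the verified erasure in the paper is precisely that dropping `Hd` and `safe_div_spec` is proven not to change the behaviour of `safe_div` on the computational content that remains.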


Supplemental Material

a8-sozeau.webm

