Coq Coq correct! verification of type checking and erasure for Coq, in Coq

Coq is built around a well-delimited kernel that perfoms typechecking for definitions in a variant of the Calculus of Inductive Constructions (CIC). Although the metatheory of CIC is very stable and reliable, the correctness of its implementation in Coq is less clear. Indeed, implementing an efficient type checker for CIC is a rather complex task, and many parts of the code rely on implicit invariants which can easily be broken by further evolution of the code. Therefore, on average, one critical bug has been found every year in Coq. This paper presents the first implementation of a type checker for the kernel of Coq (without the module system and template polymorphism), which is proven correct in Coq with respect to its formal specification and axiomatisation of part of its metatheory. Note that because of Gödel's incompleteness theorem, there is no hope to prove completely the correctness of the specification of Coq inside Coq (in particular strong normalisation or canonicity), but it is possible to prove the correctness of the implementation assuming the correctness of the specification, thus moving from a trusted code base (TCB) to a trusted theory base (TTB) paradigm. Our work is based on the MetaCoq project which provides metaprogramming facilities to work with terms and declarations at the level of this kernel. Our type checker is based on the specification of the typing relation of the Polymorphic, Cumulative Calculus of Inductive Constructions (PCUIC) at the basis of Coq and the verification of a relatively efficient and sound type-checker for it. In addition to the kernel implementation, an essential feature of Coq is the so-called extraction: the production of executable code in functional languages from Coq definitions. We present a verified version of this subtle type-and-proof erasure step, therefore enabling the verified extraction of a safe type-checker for Coq.

[1]  Matthieu Sozeau,et al.  Equations Reloaded , 2017 .

[2]  Matthew Z. Weaver,et al.  CertiCoq : A verified compiler for Coq , 2016 .

[3]  Pierre Letouzey,et al.  A New Extraction for Coq , 2002, TYPES.

[4]  Eduardo Giménez,et al.  Un calcul de constructions infinies et son application a la verification de systemes communicants , 1996 .

[5]  Stéphane Glondu,et al.  Vers une certification de l'extraction de Coq. (Towards certification of the extraction of Coq) , 2012 .

[6]  Andreas Abel,et al.  Decidability of conversion for type theory in type theory , 2017, Proc. ACM Program. Lang..

[7]  Matthieu Sozeau,et al.  Consistency of the Predicative Calculus of Cumulative Inductive Constructions (pCuIC) , 2017, ArXiv.

[8]  Pierre Letouzey,et al.  Programmation fonctionnelle certifiée : L'extraction de programmes dans l'assistant Coq. (Certified functional programming : Program extraction within Coq proof assistant) , 2004 .

[9]  Nicolas Tabareau,et al.  Universe Polymorphism in Coq , 2014, ITP.

[10]  Brigitte Pientka,et al.  Copatterns: programming infinite structures by observations , 2013, POPL.

[11]  Nicolas Tabareau,et al.  An effectful way to eliminate addiction to dependence , 2017, 2017 32nd Annual ACM/IEEE Symposium on Logic in Computer Science (LICS).

[12]  Simon Boulier,et al.  The MetaCoq Project , 2020, Journal of Automated Reasoning.

[13]  Yannick Forster,et al.  A certifying extraction with time bounds from Coq to call-by-value $λ$-calculus , 2019, ArXiv.

[14]  Bruno Barras,et al.  The Implicit Calculus of Constructions as a Programming Language with Dependent Types , 2008, FoSSaCS.

[15]  Gert Smolka,et al.  Autosubst: Reasoning with de Bruijn Terms and Parallel Substitutions , 2015, ITP.

[16]  Thierry Coquand,et al.  The Calculus of Constructions , 1988, Inf. Comput..

[17]  Arthur Charguéraud,et al.  Formal Proof and Analysis of an Incremental Cycle Detection Algorithm , 2019, ITP.

[18]  Nicolas Tabareau,et al.  Definitional proof-irrelevance without K , 2019, Proc. ACM Program. Lang..

[19]  G. Smolka Confluence and Normalization in Reduction Systems Lecture Notes , 2015 .

[20]  Juan Chen,et al.  Self-certification: bootstrapping certified typecheckers in F* with Coq , 2012, POPL '12.

[21]  Simon Boulier,et al.  Towards Certified Meta-Programming with Typed Template-Coq , 2018, ITP.

[22]  Per Martin-Löf,et al.  An intuitionistic theory of types , 1972 .

[23]  P. Medawar A view from the left , 1984, Nature.

[24]  Martín Abadi,et al.  Explicit substitutions , 1989, POPL '90.

[25]  Tobias Nipkow,et al.  A Verified Compiler from Isabelle/HOL to CakeML , 2018, ESOP.

[26]  Claudio V. Russo,et al.  F-ing modules , 2010, TLDI '10.

[27]  Dan Grossman,et al.  Œuf: minimizing the Coq extraction TCB , 2018, CPP.

[28]  Magnus O. Myreen,et al.  Proof-producing translation of higher-order logic into pure and stateful ML , 2014, Journal of Functional Programming.

[29]  Robert E. Tarjan,et al.  A New Approach to Incremental Cycle Detection and Related Problems , 2011, ACM Trans. Algorithms.