Complete Bidirectional Typing for the Calculus of Inductive Constructions

This article presents a bidirectional type system for the Calculus of Inductive Constructions (CIC). The key property of the system is its completeness with respect to the usual undirected one, which has been formally proven in Coq as a part of the MetaCoq project. Although it plays an important role in an ongoing completeness proof for a realistic typing algorithm, the interest of bidirectionality is wider, as it gives insights and structure when trying to prove properties on CIC or design variations and extensions. In particular, we put forward constrained inference, an intermediate between the usual inference and checking judgements, to handle the presence of computation in types

Definitional Functoriality for Dependent (Sub)Types

Dependently-typed proof assistant rely crucially on definitional equality, which relates types and terms that are automatically identified in the underlying type theory. This paper extends type theory with definitional functor laws, equations satisfied propositionally by a large class of container-like type constructors $F : \operatorname{Type} \to \operatorname{Type}$, equipped with a $\operatorname{map}_{F} : (A \to B) \to F\ A \to F\ B$, such as lists or trees. Promoting these equations to definitional ones strengthen the theory, enabling slicker proofs and more automation for functorial type constructors. This extension is used to modularly justify a structural form of coercive subtyping, propagating subtyping through type formers in a map-like fashion. We show that the resulting notion of coercive subtyping, thanks to the extra definitional equations, is equivalent to a natural and implicit form of subsumptive subtyping. The key result of decidability of type-checking in a dependent type system with functor laws for lists has been entirely mechanized in Coq

A Reasonably Gradual Type Theory

Gradualizing the Calculus of Inductive Constructions (CIC) involves dealing with subtle tensions between normalization, graduality, and conservativity with respect to CIC. Recently, GCIC has been proposed as a parametrized gradual type theory that admits three variants, each sacrificing one of these properties. For devising a gradual proof assistant based on CIC, normalization and conservativity with respect to CIC are key, but the tension with graduality needs to be addressed. Additionally, several challenges remain: (1) The presence of two wildcard terms at any type-the error and unknown terms-enables trivial proofs of any theorem, jeopardizing the use of a gradual type theory in a proof assistant; (2) Supporting general indexed inductive families, most prominently equality, is an open problem; (3) Theoretical accounts of gradual typing and graduality so far do not support handling type mismatches detected during reduction; (4) Precision and graduality are external notions not amenable to reasoning within a gradual type theory. All these issues manifest primally in CastCIC, the cast calculus used to define GCIC. In this work, we present an extension of CastCIC called GRIP. GRIP is a reasonably gradual type theory that addresses the issues above, featuring internal precision and general exception handling. GRIP features an impure (gradual) sort of types inhabited by errors and unknown terms, and a pure (non-gradual) sort of strict propositions for consistent reasoning about gradual terms. Internal precision supports reasoning about graduality within GRIP itself, for instance to characterize gradual exception-handling terms, and supports gradual subset types. We develop the metatheory of GRIP using a model formalized in Coq, and provide a prototype implementation of GRIP in Agda.Comment: 27pages + 2pages bibliograph

Martin-L\"of \`a la Coq

We present an extensive mechanization of the meta-theory of Martin-L\"of Type Theory (MLTT) in the Coq proof assistant. Our development builds on pre-existing work in Agda to show not only the decidability of conversion, but also the decidability of type checking, using an approach guided by bidirectional type checking. From our proof of decidability, we obtain a certified and executable type checker for a full-fledged version of MLTT with support for $\Pi$, $\Sigma$, $\mathbb{N}$, and identity types, and one universe. Furthermore, our development does not rely on impredicativity, induction-recursion or any axiom beyond MLTT with a schema for indexed inductive types and a handful of predicative universes, narrowing the gap between the object theory and the meta-theory to a mere difference in universes. Finally, we explain our formalization choices, geared towards a modular development relying on Coq's features, e.g. meta-programming facilities provided by tactics and universe polymorphism

A Reasonably Gradual Type Theory

International audienceGradualizing the Calculus of Inductive Constructions (CIC) involves dealing with subtle tensions between normalization, graduality, and conservativity with respect to CIC. Recently, GCIC has been proposed as a parametrized gradual type theory that admits three variants, each sacrificing one of these properties. For devising a gradual proof assistant based on CIC, normalization and conservativity with respect to CIC are key, but the tension with graduality needs to be addressed. Additionally, several challenges remain: (1) The presence of two wildcard terms at any type-the error and unknown terms-enables trivial proofs of any theorem, jeopardizing the use of a gradual type theory in a proof assistant; (2) Supporting general indexed inductive families, most prominently equality, is an open problem; (3) Theoretical accounts of gradual typing and graduality so far do not support handling type mismatches detected during reduction; (4) Precision and graduality are external notions not amenable to reasoning within a gradual type theory. All these issues manifest primally in CastCIC, the cast calculus used to define GCIC. In this work, we present an alternative to CastCIC called GRIP. GRIP is a reasonably gradual type theory that addresses the issues above, featuring internal precision and general exception handling. For consistent reasoning about gradual terms, GRIP features an impure sort of types inhabited by errors and unknown terms, and a pure sort of strict propositions. By adopting a novel interpretation of the unknown term that carefully accounts for universe levels, GRIP satisfies graduality for a large and well-defined class of terms, in addition to being normalizing and a conservative extension of CIC. Internal precision supports reasoning about graduality within GRIP itself, for instance to characterize gradual exception-handling terms, and supports gradual subset types. We develop the metatheory of GRIP using a model formalized in Coq, and provide a prototype implementation of GRIP in Agda

Typage Bidirectionnel pour le Calcul des Constructions Inductives

Over their more than 50 years of existence, proof assistants have established themselves as tools guaranteeing high trust levels in many applications.Yet, due to their increasing complexity, the historical solution of relying on a small, trusted kernel is not enough any more to avoid critical bugs while moving forward. But proof assistants have been used for decades to certify program correctness, so why not their own? This is the ambition of the MetaCoq project, which aims at providing the first realistic kernel for a proof assistant – Coq –to be formally proven correct, in Coq itself. Don't trust the program any more, only its proof! This thesis studies the bidirectional structure on which the typing algorithm implemented by the kernel of Coq relies, in the context of the Calculus ofInductive Constructions on which it is founded. This is formalized as a part of MetaCoq, and is a key step to reach the project’s goal, by giving an intermediate layer between the implementation and its specification. Moreover, the increased control over computation offered by bidirectional typingis a necessary piece in designing a gradual extension of CIC, which aims at bringing to development in Coq the flexibility of dynamic typing, and forms the last part of the thesis.Durant leurs plus de 50 ans d'existence, les assistants à la preuve se sont établis comme des outils permettant un haut niveau de fiabilité dans de nombreuses applications. Cependant, du fait de leur complexité grandissante, la solution historique de faire confiance à un petit noyau stable n'est plus suffisante pour avancer en évitant des bugs critiques. Mais les assistants à la preuve sont utilisés depuis des décennies pour certifier lacorrection de programmes, pourquoi pas la leur ? C'est l'ambition du projet MetaCoq, visant à construire le premier noyau réaliste à la correction formellement prouvée, pour l'assistant à la preuve Coq. Ne faites plus confiance au programme, seulement à sa preuve !Cette thèse étudie la structure bidirectionnelle qui sous-tend l'algorithme de typage implémenté par le noyau de Coq, dans le contexte du Calcul des Constructions Inductives (CIC) qui fonde celui-ci. Le tout est formalisé dans le cadre de MetaCoq, et constitue un passage obligé pour atteindre l'objectif du projet, fournissant un intermédiaire entre l’implémentation et sa spécification. Enfin, le contrôle renforcé sur le calcul offert par le typage bidirectionnel est une pièce nécessaire à la conception d'une extension graduelle de CIC, qui vise à apporter au développement en Coq la flexibilitédu typage dynamique et constitue la dernière partie de la thèse

Typage Bidirectionnel pour le Calcul des Constructions Inductives

Durant leurs plus de 50 ans d’existence, les assistants à la preuve se sont établis comme des outils permettant un haut niveau de fiabilité dans de nombreuses applications. Cependant, du fait de leur complexité grandissante, la solution historique de faire confiance à un petit noyau stable n’est plus suffisante pour avancer en évitant des bugs critiques. Mais les assistants à la preuve sont utilisés depuis des décennies pour certifier la correction de programmes, pourquoi pas la leur ? C’est l’ambition du projet METACOQ, visant à construire le premier noyau réaliste à la correction formellement prouvée, pour l’assistant à la preuve COQ. Ne faites plus confiance au programme, seulement à sa preuve! Cette thèse étudie la structure bidirectionnelle qui sous-tend l’algorithme de typage implémenté par le noyau de COQ, dans le contexte du Calcul des Constructions Inductives (CIC) qui fonde celui-ci. Le tout est formalisé dans le cadre de METACOQ, et constitue un passage obligé pour atteindre l’objectif du projet, fournissant un intermédiaire entre limplémentation et sa spécification. Enfin, le contrôle renforcé sur le calcul offert par le typage bidirectionnel est une pièce nécessaire à la conception d’une extension graduelle de CIC, qui vise à apporter au développement en COQ la flexibilité du typage dynamique et constitue la dernière partie de la thèse.Over their more than 50 years of existence, proof assistants have established themselves as tools guaranteeing high trust levels in many applications. Yet, due to their increasing complexity, the historical solution of relying on a small, trusted kernel is not enough anymore to avoid critical bugs while moving forward. But proof assistants have been used for decades to certify program correctness, so why not their own? This is the ambition of the METACOQ project, which aims at providing the first realistic kernel for a proof assistant COQ to be formally proven correct, in COQ itself. Don’t trust the program anymore, only its proof! This thesis studies the bidirectional structure on which the typing algorithm implemented by the kernel of COQ relies, in the context of the Calculus of Inductive Constructions on which it is founded. This is formalized as a part of METACOQ, and is a key step to reach the projects goal, by giving an intermediate layer between the implementation and its specification. Moreover, the increased control over computation offered by bidirectional typing is a necessary piece in designing a gradual extension of CIC, which aims at bringing to development in COQ the flexibility of dynamic typing, and forms the last part of the thesis

Bidirectional Typing for the Calculus of Inductive Constructions

Over their more than 50 years of existence, proof assistants have established themselves as tools guaranteeing high trust levels in many applications. Yet, due to their increasing complexity, the historical solution of relying on a small, trusted kernel is not enough anymore to avoid critical bugs while moving forward. But proof assistants have been used for decades to certify program correctness, so why not their own? This is the ambition of the METACOQ project, which aims at providing the first realistic kernel for a proof assistant COQ to be formally proven correct, in COQ itself. Don’t trust the program anymore, only its proof! This thesis studies the bidirectional structure on which the typing algorithm implemented by the kernel of COQ relies, in the context of the Calculus of Inductive Constructions on which it is founded. This is formalized as a part of METACOQ, and is a key step to reach the projects goal, by giving an intermediate layer between the implementation and its specification. Moreover, the increased control over computation offered by bidirectional typing is a necessary piece in designing a gradual extension of CIC, which aims at bringing to development in COQ the flexibility of dynamic typing, and forms the last part of the thesis.Durant leurs plus de 50 ans d’existence, les assistants à la preuve se sont établis comme des outils permettant un haut niveau de fiabilité dans de nombreuses applications. Cependant, du fait de leur complexité grandissante, la solution historique de faire confiance à un petit noyau stable n’est plus suffisante pour avancer en évitant des bugs critiques. Mais les assistants à la preuve sont utilisés depuis des décennies pour certifier la correction de programmes, pourquoi pas la leur ? C’est l’ambition du projet METACOQ, visant à construire le premier noyau réaliste à la correction formellement prouvée, pour l’assistant à la preuve COQ. Ne faites plus confiance au programme, seulement à sa preuve! Cette thèse étudie la structure bidirectionnelle qui sous-tend l’algorithme de typage implémenté par le noyau de COQ, dans le contexte du Calcul des Constructions Inductives (CIC) qui fonde celui-ci. Le tout est formalisé dans le cadre de METACOQ, et constitue un passage obligé pour atteindre l’objectif du projet, fournissant un intermédiaire entre limplémentation et sa spécification. Enfin, le contrôle renforcé sur le calcul offert par le typage bidirectionnel est une pièce nécessaire à la conception d’une extension graduelle de CIC, qui vise à apporter au développement en COQ la flexibilité du typage dynamique et constitue la dernière partie de la thèse

Bidirectional Typing for the Calculus of Inductive Constructions

Over their more than 50 years of existence, proof assistants have established themselves as tools guaranteeing high trust levels in many applications. Yet, due to their increasing complexity, the historical solution of relying on a small, trusted kernel is not enough anymore to avoid critical bugs while moving forward. But proof assistants have been used for decades to certify program correctness, so why not their own? This is the ambition of the METACOQ project, which aims at providing the first realistic kernel for a proof assistant COQ to be formally proven correct, in COQ itself. Don’t trust the program anymore, only its proof! This thesis studies the bidirectional structure on which the typing algorithm implemented by the kernel of COQ relies, in the context of the Calculus of Inductive Constructions on which it is founded. This is formalized as a part of METACOQ, and is a key step to reach the projects goal, by giving an intermediate layer between the implementation and its specification. Moreover, the increased control over computation offered by bidirectional typing is a necessary piece in designing a gradual extension of CIC, which aims at bringing to development in COQ the flexibility of dynamic typing, and forms the last part of the thesis.Durant leurs plus de 50 ans d’existence, les assistants à la preuve se sont établis comme des outils permettant un haut niveau de fiabilité dans de nombreuses applications. Cependant, du fait de leur complexité grandissante, la solution historique de faire confiance à un petit noyau stable n’est plus suffisante pour avancer en évitant des bugs critiques. Mais les assistants à la preuve sont utilisés depuis des décennies pour certifier la correction de programmes, pourquoi pas la leur ? C’est l’ambition du projet METACOQ, visant à construire le premier noyau réaliste à la correction formellement prouvée, pour l’assistant à la preuve COQ. Ne faites plus confiance au programme, seulement à sa preuve! Cette thèse étudie la structure bidirectionnelle qui sous-tend l’algorithme de typage implémenté par le noyau de COQ, dans le contexte du Calcul des Constructions Inductives (CIC) qui fonde celui-ci. Le tout est formalisé dans le cadre de METACOQ, et constitue un passage obligé pour atteindre l’objectif du projet, fournissant un intermédiaire entre limplémentation et sa spécification. Enfin, le contrôle renforcé sur le calcul offert par le typage bidirectionnel est une pièce nécessaire à la conception d’une extension graduelle de CIC, qui vise à apporter au développement en COQ la flexibilité du typage dynamique et constitue la dernière partie de la thèse

Definitional Functoriality for Dependent (Sub)Types

Dependently-typed proof assistant rely crucially on definitional equality,which relates types and terms that are automatically identified inthe underlying type theory.This paper extends type theory with definitional functor laws,equations satisfied propositionally by a large class of container-like typeconstructors F : Type → Type, equipped with a mapF : (A → B) → F A → F B$, such as lists or trees.Promoting these equations to definitional ones strengthen the theory, enablingslicker proofs and more automation for functorial type constructors.This extension is used to modularly justify a structural form of coercivesubtyping, propagating subtyping through type formers in a map-like fashion.We show that the resulting notion of coercive subtyping, thanks to the extradefinitional equations, is equivalent to a natural and implicit form ofsubsumptive subtyping.The key result of decidability of type-checking in a dependent type systemwith functor laws for lists has been entirely mechanized in Coq