Coq 8.5 at workM. Sozeau, M. Denes – Inria

CoqPLJanuary 23rd 2016St Petersburg, FL

Announcement

Coq 8.5 is released (at last)!

coq.inria.fr/coq-85

Coq 8.5 at work – M. Sozeau, M. Denes 2

Coq 8.5

I A year of beta-testing (3 betas), due to cross-cutting, “deep”features.

I Many improvments in interaction, semantics of the new proofengine constructs and usability of universes.

I More external contributions than ever: pull requests arewelcome!

Next episode: code streamlining, tactics and interface accessibility.Expected deprecation of features and factoring of similarfunctionalities.

Coq 8.5 at work – M. Sozeau, M. Denes 3

Coq 8.5 at work

1 Coq 8.5 featuresIncremental development – E. TassiNew proof engine – A. SpiwackUniverse polymorphism – M. SozeauNative compilation – M. Denes & B. GregoireFast record projections – M. SozeauMisc – Coq dev team & contributorsopam

Performance

2 Coq future

3 Focus on universe polymorphism

Coq 8.5 at work – M. Sozeau, M. Denes 4

Incremental developmentEnrico Tassi

Coq 8.5 at work – M. Sozeau, M. Denes 5

Incremental development – E. Tassi

Asynchronous and parallel processing of definitions. Separatecompilation.

Huge gain in user productivity.

–/++ Not optional, backwards-compatible

+++ Faster interaction and parallel compilation

Coq 8.5 at work – M. Sozeau, M. Denes 6

New proof engineArnaud Spiwack

Coq 8.5 at work – M. Sozeau, M. Denes 7

New proof engine – A. Spiwack

Expressive and clear proof-search semantics, dependent subgoals,managment of subgoals.

–/++ Not optional, backwards-compatibility layer

–/+ 0-15% time overhead, unnoticeable as the rest of the systemgot faster/Opportunities to have faster primitive tactics

Coq 8.5 at work – M. Sozeau, M. Denes 8

Universe polymorphismMatthieu Sozeau

Coq 8.5 at work – M. Sozeau, M. Denes 9

Universe polymorphism – M. Sozeau

Truly polymorphic definitions and inductives, cleaner kernel.

=/++ Kernel change - impacts the ML hacker only.Backwards-compatibility layer.

=+/+ Comparable or better performance, more expressive

Coq 8.5 at work – M. Sozeau, M. Denes 10

Native compilationMaxime Denes & Benjamin Gregoire

Coq 8.5 at work – M. Sozeau, M. Denes 11

Native compilation – M. Denes & B. Gregoire

FourColor RecNoAllocLucas Cooper

20

40

60

80

100100 100100 100

25

7

38

20178

23

Rel

ativ

eti

me

(%)

VM Native Extracted

Coq 8.5 at work – M. Sozeau, M. Denes 12

Native compilation – M. Denes & B. Gregoire

Down to assembly through OCaml.Useful for large reflection proofs.

+ Optional

++/– Faster at runtime, compilation is slow

Coq 8.5 at work – M. Sozeau, M. Denes 13

Fast record projectionsMatthieu Sozeau

Coq 8.5 at work – M. Sozeau, M. Denes 14

Fast record projections – M. Sozeau

Faster conversion and type-checking, smaller memory footprint.

+/+– Optional, backwards-compatibility layer, small source-levelincompatibilities.

+ω Exponentially better performance

Coq 8.5 at work – M. Sozeau, M. Denes 15

Misc – Coq dev team & contributors

I Interfaces, documentation, and OCaml best practices (P.M.Pedrot, . . .).

I Tactics in terms (P.M. Pedrot)

I Module system simplifications (P. Letouzey)

I Tactic improvements (e.g. intro patterns) (H. Herbelin, P.Letouzey, . . . )

I More expressive guard condition (P. Boutillier, H.Herbelin)

I Rewriting with strategies (M. Sozeau)

Coq 8.5 at work – M. Sozeau, M. Denes 16

opam

I Coq, any version, git included

I Packages: Ssreflect, Mathematical Components,Containers, Coccinelle, Ergo, . . .

I Submit a pull request! Try! Test!

I Caution: recommended setup still in discussion.

opam.ocaml.org

https://github.com/coq/opam-coq-archive

Coq 8.5 at work – M. Sozeau, M. Denes 17

Performance

Through careful profiling, many hotspots identified and optimized(thanks to P.M. Pedrot).

I Performance closer to 8.3, despite the many new features:checking of universes, STM layer, more expressive proofengine.

I Hash-consing is used more pervasively: smaller memoryfootprint and proof objects.

Faster universe algorithm scheduled for next version (J.H.Jourdan).

Coq 8.5 at work – M. Sozeau, M. Denes 18

Coq future

1 Coq 8.5 features

2 Coq futureImproving the developmentCoq consortium

3 Focus on universe polymorphism

Coq 8.5 at work – M. Sozeau, M. Denes 19

Improving the development

Coq 8.5 showed the limits of the current development model.

We are working on improving the development process:

I Predictible short release cycles

I Opening up to external contributions

I Communicating on forthcoming evolutions

Coq 8.5 at work – M. Sozeau, M. Denes 20

Coq consortium

A consortium of academic and industrial users of Coq is beingbuilt. Its role will be:

I Coordinating the engineering effort on Coq

I Sharing resources

I Providing premium support to members

I Collecting annual membership fees and allocating resourcesthrough a steering committee of members

Contact us!maxime.denes@inria.fr

yves.bertot@inria.fr

Coq 8.5 at work – M. Sozeau, M. Denes 21

Universe Polymorphism

1 Coq 8.5 features

2 Coq future

3 Focus on universe polymorphismPolymorphic UniversesUniverse polymorphic definitionsUnificationMinimizationDealing with Prop

Coq 8.5 at work – M. Sozeau, M. Denes 22

Polymorphic Universes

I Allow generic developments over universe levels.

I As with typical ambiguity, can be made entirely implicit.

I Explicit mode for careful control of universe instances.

I Compatible with asynchronous checking of proofs and fastconversion algorithms (vm compute and native compute).

Coq 8.5 at work – M. Sozeau, M. Denes 23

Typical ambiguity

Working with explicit universe indices is cumbersome, annotationspervade definitions and proofs.

⇒ Allow typical ambiguity (first used by Russell in Principia).

Idea: write Type to mean any type that “fits” (keeps the systemconsistent).

I On paper: let the reader infer levels for universes and checkconsistency.

I On computer: let the computer infer levels and checkconsistency in the background.

Coq 8.5 at work – M. Sozeau, M. Denes 24

Floating universes

Formally, translate from anonymous Types to explicit Typeis.But in general many i’s can work!

Definition id (A : Type) (a : A) := a.

` id : Π(A : Type0), A→ A : Type1

or

` id : Π(A : Type1), A→ A : Type2

or . . . ?

⇒ universe variables

Coq 8.5 at work – M. Sozeau, M. Denes 25

Floating universes and constraints

Consistency ensured by giving an assignment of natural numbers touniverse variables, satisfying constraints. New judgment `float

Type-intro`float Γ (i, j ∈ L)

Γ `float Typei : Typej i < j

Type-prodΓ `float A : Typei Γ, x : A ` B : Typej

Γ `float Πx : A.B : Typek max(i, j) ≤ k

Coq 8.5 at work – M. Sozeau, M. Denes 26

Without polymorphism

Floating levels + cumulativity give a restricted form ofpolymorphism:

Definition id (A : Type) (a : A) := a

` id : Π(A : Typel), A→ A : Typel+1

⇒ l is not quantified at the definition level here, it is global:

6` id (Π(A : Typel), A→ A) id : τ

Because l + 1 6≤ l. However l can go “up” as far as required.

Coq 8.5 at work – M. Sozeau, M. Denes 27

With polymorphism

Real, bounded polymorphism:

Polymorphic Definition id (A : Type) (a : A) := a

idl : Π(A : Typel), A→ A

⇒ l is quantified at the definition level now and we can instantiateit at each application:

l < k `poly idk idl : Π(A : Typel), A→ A

Coq 8.5 at work – M. Sozeau, M. Denes 28

Constraint checking

Constraints are generated once at refinement time outside thekernel. The kernel just checks that the constraints are consistentand sufficient to typecheck the terms.

universe context Ψ ::=−→i � Θ

Elaboration in bidirectionl fashion:

I Inference: Γ; Ψ ` t ⇑ Ψ′ ` t′ : TI Checking: Γ; Ψ ` t ⇓ T Ψ′ ` t′ : T

Check-Typeθ ` Typei+1 ≤ T θ′

Γ;us � θ ` Type ⇓ T us, i � θ′ ` Typei : T

Coq 8.5 at work – M. Sozeau, M. Denes 29

Constraint checking

Constraints are generated once at refinement time outside thekernel. The kernel just checks that the constraints are consistentand sufficient to typecheck the terms.

universe context Ψ ::=−→i � Θ

Elaboration in bidirectionl fashion:

I Inference: Γ; Ψ ` t ⇑ Ψ′ ` t′ : TI Checking: Γ; Ψ ` t ⇓ T Ψ′ ` t′ : T

Check-Typeθ ` Typei+1 ≤ T θ′

Γ;us � θ ` Type ⇓ T us, i � θ′ ` Typei : T

Coq 8.5 at work – M. Sozeau, M. Denes 29

Constraint checking

Constraints are generated once at refinement time outside thekernel. The kernel just checks that the constraints are consistentand sufficient to typecheck the terms.

universe context Ψ ::=−→i � Θ

Elaboration in bidirectionl fashion:

I Inference: Γ; Ψ ` t ⇑ Ψ′ ` t′ : TI Checking: Γ; Ψ ` t ⇓ T Ψ′ ` t′ : T

Check-Typeθ ` Typei+1 ≤ T θ′

Γ;us � θ ` Type ⇓ T us, i � θ′ ` Typei : T

Coq 8.5 at work – M. Sozeau, M. Denes 29

Introducing universe polymorphic definitions

Suppose a top-level Definition c : T := t.

1 Γ;` T ⇑ Ψ ` T ′ : s2 Γ; Ψ ` t ⇓ T ′ Ψ′ ` t′ : T ′

3 Add c : ∀ Ψ′, T ′ := t′ to the environment.

4 Each use of c carries a universe instance: c−→l

: T ′[−→l/i]

Guiding principle and main difficulty:Constants are transparent, indistinguishable from their bodies.

Coq 8.5 at work – M. Sozeau, M. Denes 30

Introducing universe polymorphic definitions

Suppose a top-level Definition c : T := t.

1 Γ;` T ⇑ Ψ ` T ′ : s

2 Γ; Ψ ` t ⇓ T ′ Ψ′ ` t′ : T ′

3 Add c : ∀ Ψ′, T ′ := t′ to the environment.

4 Each use of c carries a universe instance: c−→l

: T ′[−→l/i]

Guiding principle and main difficulty:Constants are transparent, indistinguishable from their bodies.

Coq 8.5 at work – M. Sozeau, M. Denes 30

Introducing universe polymorphic definitions

Suppose a top-level Definition c : T := t.

1 Γ;` T ⇑ Ψ ` T ′ : s2 Γ; Ψ ` t ⇓ T ′ Ψ′ ` t′ : T ′

3 Add c : ∀ Ψ′, T ′ := t′ to the environment.

4 Each use of c carries a universe instance: c−→l

: T ′[−→l/i]

Guiding principle and main difficulty:Constants are transparent, indistinguishable from their bodies.

Coq 8.5 at work – M. Sozeau, M. Denes 30

Introducing universe polymorphic definitions

Suppose a top-level Definition c : T := t.

1 Γ;` T ⇑ Ψ ` T ′ : s2 Γ; Ψ ` t ⇓ T ′ Ψ′ ` t′ : T ′

3 Add c : ∀ Ψ′, T ′ := t′ to the environment.

4 Each use of c carries a universe instance: c−→l

: T ′[−→l/i]

Guiding principle and main difficulty:Constants are transparent, indistinguishable from their bodies.

Coq 8.5 at work – M. Sozeau, M. Denes 30

Unification

Unification of idi and idj :Definition U2 := Typei.Definition U1 : U2 := Typej j < iDefinition U0 : U1 := Typek k < jDefinition U02 : U2 := U0 k < i

idi U02 ∼ idj U0 i = j

But:idi U02→∗ (U0→ U0)←∗ idj U0

Coq 8.5 at work – M. Sozeau, M. Denes 31

Unification and Conversion

Conv-FO−→as ==

ψ

−→bs ψ |= −→u = −→v

c−→u−→as =R

ψ c−→v−→bs

Uses backtracking (Ziliani & Sozeau, ICFP’15).

Coq 8.5 at work – M. Sozeau, M. Denes 32

Least-commitment principle

Use two kinds of universe level variables during elaboration:

I Polymorphic constants get elaborated with fresh flexibleargument levels that can be unified.

I Typical ambiguity (e.g. Type) creates rigid variables.

I User-given levels are rigid

Coq 8.5 at work – M. Sozeau, M. Denes 33

Design choice

Universe instances are levels: Suppose

id : ∀i,ΠA : Typei, A→ A

Levels only, adding constraint if an algebraic would appear:

Γ;` id Type ⇑ i j � i < j ` idj Typei : Typei → Typei

and not:

Γ;` id Type ⇑ i ` idi+1 Typei : Typei → Typei

Coq 8.5 at work – M. Sozeau, M. Denes 34

Minimization

That’s a lot of fresh universe variables!!

Typical example:

Γ;` id true ⇑ if � Set ≤ i ` @idi bool true : bool

We’d want: @idSet bool true : bool, no new universe, no additionalconstraint, just as general.

⇒ Minimization: compute a minimal set of universe variables.

See Cardelli’s greedy algorithm for F≤ inference, local typeinference (Pierce & Turner).

I Only applies to flexible variables.

Coq 8.5 at work – M. Sozeau, M. Denes 35

Minimization

That’s a lot of fresh universe variables!!

Typical example:

Γ;` id true ⇑ if � Set ≤ i ` @idi bool true : bool

We’d want: @idSet bool true : bool, no new universe, no additionalconstraint, just as general.

⇒ Minimization: compute a minimal set of universe variables.

See Cardelli’s greedy algorithm for F≤ inference, local typeinference (Pierce & Turner).

I Only applies to flexible variables.

Coq 8.5 at work – M. Sozeau, M. Denes 35

Minimization

That’s a lot of fresh universe variables!!

Typical example:

Γ;` id true ⇑ if � Set ≤ i ` @idi bool true : bool

We’d want: @idSet bool true : bool, no new universe, no additionalconstraint, just as general.

⇒ Minimization: compute a minimal set of universe variables.

See Cardelli’s greedy algorithm for F≤ inference, local typeinference (Pierce & Turner).

I Only applies to flexible variables.

Coq 8.5 at work – M. Sozeau, M. Denes 35

Minimization, results

Correctness proof: easy, preservation of local solutions.

Of course this is not endangering the consistency of Coq!

Theorem (Conservativity)

Unfolding universe polymorphic definitions gives correct typings inthe original system. Might just not be the most general ones ifminimization did anything. For inductives, each instantiation is anew copy.

Coq 8.5 at work – M. Sozeau, M. Denes 36

Dealing with Prop

Let falsei : Typei+1 , (ΠA : Typei, A : Typemax(i+1,i)).

But falseProp →∗ ΠA : Prop, A, of type Prop by impredicativity(and TypeProp+1 still).

Fact: Cannot handle the implicit Prop ≤ Type rule andimpredicativity precisely and efficiently (models of proof-irrelevancehave a similar issue).

Ideal Solution: Use an explicit coercion.Current Solution: Forbid instantiation of a polymorphic level withProp. Compatible with an explicit coercion.

Coq 8.5 at work – M. Sozeau, M. Denes 37

Dealing with Prop

Let falsei : Typei+1 , (ΠA : Typei, A : Typemax(i+1,i)).

But falseProp →∗ ΠA : Prop, A, of type Prop by impredicativity(and TypeProp+1 still).

Fact: Cannot handle the implicit Prop ≤ Type rule andimpredicativity precisely and efficiently (models of proof-irrelevancehave a similar issue).

Ideal Solution: Use an explicit coercion.Current Solution: Forbid instantiation of a polymorphic level withProp. Compatible with an explicit coercion.

Coq 8.5 at work – M. Sozeau, M. Denes 37

Universe declarations

This restriction gives clear semantics for universe declarations:

I A toplevel, global universe i is always > Set.

I A local universe in a polymorphic definition is always ≥ Set.It can get collapsed to Set during type inference.

I Naturally enforces the invariant that there is no universebetween Prop and Set (or below Prop!).

Coq 8.5 at work – M. Sozeau, M. Denes 38

Explicit Universes

DEMO

Coq 8.5 at work – M. Sozeau, M. Denes 39

Summary

I More functional, trustable implementation.

I User-level control on generated universes and constraints(simplification, declaration...).

I Elaboration/tactics become universe aware (earlier errormessages).

Coq 8.5 at work – M. Sozeau, M. Denes 40

The End

Coq 8.5 at work – M. Sozeau, M. Denes 41