a Coq retrospective at the heart of Coq architecture the genesis - - PowerPoint PPT Presentation

a coq retrospective at the heart of coq architecture the
SMART_READER_LITE
LIVE PREVIEW

a Coq retrospective at the heart of Coq architecture the genesis - - PowerPoint PPT Presentation

Feb 01, 2023 134 likes •565 views

a Coq retrospective at the heart of Coq architecture the genesis of version 7.0 Jean-Christophe Filli atre CNRS The Coq Workshop 2020 July 6, 2020 35 years of history 1994 2000 2020 1984 first version 7.0 release March 2001

slide-1
SLIDE 1

a Coq retrospective — at the heart of Coq architecture the genesis of version 7.0

Jean-Christophe Filliˆ atre CNRS

The Coq Workshop 2020 July 6, 2020

slide-2
SLIDE 2

35 years of history

1984 first release 1.10 version 7.0 March 2001 1994 2000 2020

slide-3
SLIDE 3

a closer look

. . . . . .

Fall 1992

slide-4
SLIDE 4

a closer look

. . . . . .

Fall 1992 Chet Murthy works on 5.8

slide-5
SLIDE 5

a closer look

. . . . . .

Spring 1994 Chet makes version 5.10

slide-6
SLIDE 6

a closer look

. . . . . .

Spring 1994 Dec 1996 release

  • f 6.1
slide-7
SLIDE 7

a closer look

. . . . . .

Spring 1994 May 1998 release

  • f 6.2
slide-8
SLIDE 8

a closer look

. . . . . .

Spring 1994 Dec 1999 release

  • f 6.3
slide-9
SLIDE 9

a closer look

. . . . . .

Spring 1994 Fall 1999 building the V7 architecture

slide-10
SLIDE 10

what was in Chet’s 5.10

slide-11
SLIDE 11

what was in Chet’s 5.10

  • efficiency
  • de Bruijn indices, space-efficient terms
  • hash-consed identifiers
  • efficient rollback mechanism (more later)
  • extensibility
  • user-extensible grammar (parser, pretty-printer)
  • mechanisms to declare new tables/operations
  • separate compilation
  • a Coq file is a separate module
  • it is compiled to a .vo file
slide-12
SLIDE 12

rollback mechanism

  • 1. when declaring a table, provide

freeze/unfreeze operations

slide-13
SLIDE 13

rollback mechanism

  • 1. when declaring a table, provide

freeze/unfreeze operations

  • 2. a single stack of all operations

(with a little bit of dynamic typing under the hood)

  • p1

. . .

slide-14
SLIDE 14

rollback mechanism

  • 1. when declaring a table, provide

freeze/unfreeze operations

  • 2. a single stack of all operations

(with a little bit of dynamic typing under the hood)

  • p1
  • p2

. . .

slide-15
SLIDE 15

rollback mechanism

  • 1. when declaring a table, provide

freeze/unfreeze operations

  • 2. a single stack of all operations

(with a little bit of dynamic typing under the hood)

  • p1
  • p2
  • p3

. . .

slide-16
SLIDE 16

rollback mechanism

  • 1. when declaring a table, provide

freeze/unfreeze operations

  • 2. a single stack of all operations

(with a little bit of dynamic typing under the hood)

  • 3. from time to time, take snapshots
  • f all tables using freeze
  • p1
  • p2
  • p3
  • p4

snapshot 1 . . .

slide-17
SLIDE 17

rollback mechanism

  • 1. when declaring a table, provide

freeze/unfreeze operations

  • 2. a single stack of all operations

(with a little bit of dynamic typing under the hood)

  • 3. from time to time, take snapshots
  • f all tables using freeze
  • p1
  • p2
  • p3
  • p4

snapshot 1

  • p5

. . .

slide-18
SLIDE 18

rollback mechanism

  • 1. when declaring a table, provide

freeze/unfreeze operations

  • 2. a single stack of all operations

(with a little bit of dynamic typing under the hood)

  • 3. from time to time, take snapshots
  • f all tables using freeze
  • p1
  • p2
  • p3
  • p4

snapshot 1

  • p5
  • p6

. . .

slide-19
SLIDE 19

rollback mechanism

  • 1. when declaring a table, provide

freeze/unfreeze operations

  • 2. a single stack of all operations

(with a little bit of dynamic typing under the hood)

  • 3. from time to time, take snapshots
  • f all tables using freeze
  • p1
  • p2
  • p3
  • p4

snapshot 1

  • p5
  • p6
  • p7

. . .

slide-20
SLIDE 20

rollback mechanism

  • 1. when declaring a table, provide

freeze/unfreeze operations

  • 2. a single stack of all operations

(with a little bit of dynamic typing under the hood)

  • 3. from time to time, take snapshots
  • f all tables using freeze
  • p1
  • p2
  • p3
  • p4

snapshot 1

  • p5
  • p6
  • p7
  • p8

snapshot 2 . . .

slide-21
SLIDE 21

rollback mechanism

  • 1. when declaring a table, provide

freeze/unfreeze operations

  • 2. a single stack of all operations

(with a little bit of dynamic typing under the hood)

  • 3. from time to time, take snapshots
  • f all tables using freeze
  • p1
  • p2
  • p3
  • p4

snapshot 1

  • p5
  • p6
  • p7
  • p8

snapshot 2

  • p9

. . .

slide-22
SLIDE 22

rollback mechanism

  • 1. when declaring a table, provide

freeze/unfreeze operations

  • 2. a single stack of all operations

(with a little bit of dynamic typing under the hood)

  • 3. from time to time, take snapshots
  • f all tables using freeze
  • 4. to move back in time, roll back to

the previous snapshot and redo some operations

  • p1
  • p2
  • p3
  • p4

snapshot 1

  • p5
  • p6

. . .

slide-23
SLIDE 23

a pure beauty

let table = ref ...purely functional data structure... let freeze () = !table (* O(1) *) let unfreeze v = table := v (* O(1) *) assuming some flavor of balanced trees, this is only a O(log N) overhead factor (time and space) may even be less than that for space (depends on snapshot frequency)

slide-24
SLIDE 24

why changing something that works fine?

despite all its marvels, 5.10 had no such thing as a kernel of trust (and subsequently the versions 6) the trusted computing base was a little bit everywhere in particular,

  • the rollback mechanism comes first
  • CIC declarations are operations like any others
slide-25
SLIDE 25

Coq version 7 a new architecture, with a kernel

slide-26
SLIDE 26

sketch

  • 1. implement a purely functional type checker for the CIC

(the kernel)

  • 2. then the rollback mechanism

(outside the kernel)

  • 3. last, declare a table holding the current typing environment

(in a reference)

slide-27
SLIDE 27

a safe kernel

even like this, the kernel is not small (7,800 loc at that time) not convenient to put all that behind a single abstraction barrier (and no such thing as OCaml -pack back in 1999)

slide-28
SLIDE 28

a multistage kernel

files for CIC terms type constr = ... ... can be ill-formed/ill-typed

slide-29
SLIDE 29

a multistage kernel

files for CIC terms type constr = ... ... can be ill-formed/ill-typed files for CIC environments type env = ... val add_constant: env -> constant -> env ... just a data structure environments can be ill-formed

slide-30
SLIDE 30

a multistage kernel

files for CIC terms type constr = ... ... can be ill-formed/ill-typed files for CIC environments type env = ... val add_constant: env -> constant -> env ... just a data structure environments can be ill-formed files for typing rules val type_constr: env -> constr -> constr ... can be misused

slide-31
SLIDE 31

abstraction barrier

finally, wrap everything behind an abstraction barrier type safe_env val empty: safe_env val add_constant: safe_env -> constant -> safe_env ...

slide-32
SLIDE 32

abstraction barrier

finally, wrap everything behind an abstraction barrier type safe_env val empty: safe_env val add_constant: safe_env -> constant -> safe_env ... whose implementation is trivial type safe_env = env let empty = Env.empty let add_constant env c = let c = type_constant env c in Env.add_constant env c ...

slide-33
SLIDE 33

global environment

  • utside the kernel, declare a global, mutable environment

let global_env = ref Kernel.empty let add_constant c = global_env := Kernel.add_constant !global_env c ... and declare it as a table let freeze () = !global_env let unfreeze v = global_env := v let _ = declare_table "typing env" freeze unfreeze

slide-34
SLIDE 34

how to trust the disk?

  • ne more issue: Coq’s Require loads declarations from .vo files

and all this machinery is outside of the kernel

slide-35
SLIDE 35

how to trust the disk?

  • ne more issue: Coq’s Require loads declarations from .vo files

and all this machinery is outside of the kernel the solution is borrowed from OCaml’s compiler

  • when writing a file to the disk,
  • include MD5 checksums of loaded modules
  • include its own checksum
  • when loading a file,
  • verify that assumptions and reality coincide
slide-36
SLIDE 36

if I had to do it again

slide-37
SLIDE 37

if I had to do it again

  • I would consider hash-consing+memoisation seriously
  • I would consider a more defensive API for the kernel,

with terms that are always well-typed

slide-38
SLIDE 38

conclusion

slide-39
SLIDE 39

many, many thanks

deep thanks to

  • Chet, for his code, for inspiring me
  • Christine, for a one-in-a-lifetime opportunity

and to all the other Coq developers in 1994–1999

  • Bruno Barras
  • Cristina Cornes
  • Yann Coscoy
  • Judica¨

el Courant

  • David Delahaye
  • Daniel de Rauglaudre
  • Eduardo Gim´

enez

  • Hugo Herbelin

erard Huet

  • Patrick Loiseleur

esar Mu˜ noz

  • Catherine Parent-Vigouroux
  • Amokrane Sa¨

ıbi

  • Benjamin Werner
slide-40
SLIDE 40

takeaway

  • if you see young interns who like coding and who are willing

to contribute, give them a chance

slide-41
SLIDE 41

takeaway

  • if you see young interns who like coding and who are willing

to contribute, give them a chance

  • your code won’t be the best cathedral ever;

accept this idea and make the best compromise you can

slide-42
SLIDE 42

takeaway

  • if you see young interns who like coding and who are willing

to contribute, give them a chance

  • your code won’t be the best cathedral ever;

accept this idea and make the best compromise you can

  • postdoc is a sweet spot,

where you can combine experience with time