1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
|
\chapter[The \Coq~commands]{The \Coq~commands\label{Addoc-coqc}
\ttindex{coqtop}
\ttindex{coqc}
\ttindex{coqchk}}
There are three \Coq~commands:
\begin{itemize}
\item {\tt coqtop}: The \Coq\ toplevel (interactive mode) ;
\item {\tt coqc} : The \Coq\ compiler (batch compilation).
\item {\tt coqchk} : The \Coq\ checker (validation of compiled libraries)
\end{itemize}
The options are (basically) the same for the first two commands, and
roughly described below. You can also look at the \verb!man! pages of
\verb!coqtop! and \verb!coqc! for more details.
\section{Interactive use ({\tt coqtop})}
In the interactive mode, also known as the \Coq~toplevel, the user can
develop his theories and proofs step by step. The \Coq~toplevel is
run by the command {\tt coqtop}.
\index{byte-code}
\index{native code}
\label{binary-images}
They are two different binary images of \Coq: the byte-code one and
the native-code one (if {\ocaml} provides a native-code compiler
for your platform, which is supposed in the following). By default,
\verb!coqc! executes the native-code version; this can be overridden
using the \verb!-byte! option.
The byte-code toplevel is based on an {\ocaml}
toplevel (to allow the dynamic link of tactics). You can switch to
the {\ocaml} toplevel with the command \verb!Drop.!, and come back to the
\Coq~toplevel with the command \verb!Toplevel.loop();;!.
\section{Batch compilation ({\tt coqc})}
The {\tt coqc} command takes a name {\em file} as argument. Then it
looks for a vernacular file named {\em file}{\tt .v}, and tries to
compile it into a {\em file}{\tt .vo} file (See ~\ref{compiled}).
\Warning The name {\em file} must be a regular {\Coq} identifier, as
defined in the Section~\ref{lexical}. It
must only contain letters, digits or underscores
(\_). Thus it can be \verb+/bar/foo/toto.v+ but cannot be
\verb+/bar/foo/to-to.v+.
\section[Customization]{Customization at launch time}
\subsection{By resource file\index{Resource file}}
When \Coq\ is launched, with either {\tt coqtop} or {\tt coqc}, the
resource file \verb:$XDG_CONFIG_HOME/coq/coqrc.xxx: is loaded, where
\verb:$XDG_CONFIG_HOME: is the configuration directory of the user (by
default its home directory \verb!/.config! and \verb:xxx: is the version
number (e.g. 8.3). If this file is not found, then the file
\verb:$XDG_CONFIG_HOME/coqrc: is searched. You can also specify an
arbitrary name for the resource file (see option \verb:-init-file:
below).
This file may contain, for instance, \verb:Add LoadPath: commands to add
directories to the load path of \Coq.
It is possible to skip the loading of the resource file with the
option \verb:-q:.
\section{By environment variables\label{EnvVariables}
\index{Environment variables}\label{envars}}
Load path can be specified to the \Coq\ system by setting up
\verb:$COQPATH: environment variable. It is a list of directories
separated by \verb|:| (\verb|;| on windows). {\Coq} will also honor
\verb:$XDG_DATA_HOME: and \verb:$XDG_DATA_DIRS: (see Section
\ref{loadpath}).
Some {\Coq} commands call other {\Coq} commands. In this case, they
look for the commands in directory specified by \verb:$COQBIN:. If
this variable is not set, they look for the commands in the executable
path.
The \verb:$COQ_COLORS: environment variable can be used to specify the set of
colors used by {\tt coqtop} to highlight its output. It uses the same syntax as
the \verb:$LS_COLORS: variable from GNU's {\tt ls}, that is, a colon-separated
list of assignments of the form \verb:name=attr1;...;attrn: where {\tt name} is
the name of the corresponding highlight tag and {\tt attri} is an ANSI escape
code. The list of highlight tags can be retrieved with the {\tt -list-tags}
command-line option of {\tt coqtop}.
\subsection{By command line options\index{Options of the command line}
\label{vmoption}
\label{coqoptions}}
The following command-line options are recognized by the commands {\tt
coqc} and {\tt coqtop}, unless stated otherwise:
\begin{description}
\item[{\tt -I} {\em directory}, {\tt -include} {\em directory}]\
Add physical path {\em directory} to the {\ocaml} loadpath.
\SeeAlso Section~\ref{Libraries} and the command {\tt Declare ML Module} Section \ref{compiled}.
\item[\texttt{-Q} \emph{directory} {\dirpath}]\
Add physical path \emph{directory} to the list of directories where
{\Coq} looks for a file and bind it to the the logical directory
\emph{dirpath}. The subdirectory structure of \emph{directory} is
recursively available from {\Coq} using absolute names (extending
the {\dirpath} prefix) (see Section~\ref{LongNames}).
\SeeAlso Section~\ref{Libraries}.
\item[{\tt -R} {\em directory} {\dirpath}]\
Do as \texttt{-Q} \emph{directory} {\dirpath} but make the
subdirectory structure of \emph{directory} recursively visible so
that the recursive contents of physical \emph{directory} is available
from {\Coq} using short or partially qualified names.
\SeeAlso Section~\ref{Libraries}.
\item[{\tt -top} {\dirpath}, {\tt -notop}]\
This sets the toplevel module name to {\dirpath}/the empty logical path instead
of {\tt Top}. Not valid for {\tt coqc}.
\item[{\tt -exclude-dir} {\em subdirectory}]\
This tells to exclude any subdirectory named {\em subdirectory}
while processing option {\tt -R}. Without this option only the
conventional version control management subdirectories named {\tt
CVS} and {\tt \_darcs} are excluded.
\item[{\tt -nois}]\
Cause \Coq~to begin with an empty state.
\item[{\tt -init-file} {\em file}, {\tt -q}]\
Take {\em file} as the resource file. /
Cause \Coq~not to load the resource file.
\item[{\tt -load-ml-source} {\em file}]\
Load the {\ocaml} source file {\em file}.
\item[{\tt -load-ml-object} {\em file}]\
Load the {\ocaml} object file {\em file}.
\item[{\tt -l[v]} {\em file}, {\tt -load-vernac-source[-verbose]} {\em file}]\
Load \Coq~file {\em file}{\tt .v} optionally with copy it contents on the
standard input.
\item[{\tt -load-vernac-object} {\em path}]\
Load \Coq~compiled library {\em path} (equivalent to {\tt Require} {\em path}).
\item[{\tt -require} {\em path}]\
Load \Coq~compiled library {\em path} and import it (equivalent to {\tt
Require Import} {\em path}).
\item[{\tt -compile} {\em file.v},{\tt -compile-verbose} {\em file.v}, {\tt -batch}]\
{\tt coqtop} options only used internally by {\tt coqc}.
This compiles file {\em file.v} into {\em file}{\tt .vo} without/with a
copy of the contents of the file on standard input. This option implies options
{\tt -batch} (exit just after arguments parsing). It is only
available for {\tt coqtop}.
\item[{\tt -verbose}]\
This option is only for {\tt coqc}. It tells to compile the file with
a copy of its contents on standard input.
%Mostly unused in the code
%\item[{\tt -debug}]\
%
% Switch on the debug flag.
\item[{\tt -with-geoproof} (yes|no)]\
Activate or not special functions for Geoproof within {\CoqIDE} (default is yes).
\item[{\tt -color} (on|off|auto)]\
Activate or not the coloring of output of {\tt coqtop}. The default, auto,
means that {\tt coqtop} will dynamically decide whether to activate it
depending if the output channels of {\tt coqtop} can handle ANSI styles.
\item[{\tt -beautify}]\
While compiling {\em file}, pretty prints each command just after having parsing
it in {\em file}{\tt .beautified} in order to get old-fashion
syntax/definitions/notations.
\item[{\tt -emacs}, {\tt -ide-slave}]\
Start a special main loop to communicate with ide.
\item[{\tt -impredicative-set}]\
Change the logical theory of {\Coq} by declaring the sort {\tt Set}
impredicative; warning: this is known to be inconsistent with
some standard axioms of classical mathematics such as the functional
axiom of choice or the principle of description
\item[{\tt -type-in-type}]\
This collapses the universe hierarchy of {\Coq} making the logic inconsistent.
\item[{\tt -compat} {\em version}] \mbox{}
Attempt to maintain some of the incompatible changes in their {\em version}
behavior.
\item[{\tt -dump-glob} {\em file}]\
This dumps references for global names in file {\em file}
(to be used by coqdoc, see~\ref{coqdoc})
\item[{\tt -no-hash-consing}] \mbox{}
\item[{\tt -vm}]\
This activates the use of the bytecode-based conversion algorithm
for the current session (see Section~\ref{SetVirtualMachine}).
\item[{\tt -image} {\em file}]\
This option sets the binary image to be used by {\tt coqc} to be {\em file}
instead of the standard one. Not of general use.
\item[{\tt -bindir} {\em directory}]\
Set for {\tt coqc} the directory containing \Coq\ binaries.
It is equivalent to do \texttt{export COQBIN=}{\em directory}
before launching {\tt coqc}.
\item[{\tt -where}, {\tt -config}, {\tt -filteropts}]\
Print the \Coq's standard library location or \Coq's binaries, dependencies,
libraries locations or the list of command line arguments that {\tt coqtop} has
recognize as options and exit.
\item[{\tt -v}]\
Print the \Coq's version and exit.
\item[{\tt -list-tags}]\
Print the highlight tags known by \Coq as well as their currently associated
color.
\item[{\tt -h}, {\tt --help}]\
Print a short usage and exit.
\end{description}
\section{Compiled libraries checker ({\tt coqchk})}
The {\tt coqchk} command takes a list of library paths as argument.
The corresponding compiled libraries (.vo files) are searched in the
path, recursively processing the libraries they depend on. The content
of all these libraries is then type-checked. The effect of {\tt
coqchk} is only to return with normal exit code in case of success,
and with positive exit code if an error has been found. Error messages
are not deemed to help the user understand what is wrong. In the
current version, it does not modify the compiled libraries to mark
them as successfully checked.
Note that non-logical information is not checked. By logical
information, we mean the type and optional body associated to names.
It excludes for instance anything related to the concrete syntax of
objects (customized syntax rules, association between short and long
names), implicit arguments, etc.
This tool can be used for several purposes. One is to check that a
compiled library provided by a third-party has not been forged and
that loading it cannot introduce inconsistencies.\footnote{Ill-formed
non-logical information might for instance bind {\tt
Coq.Init.Logic.True} to short name {\tt False}, so apparently {\tt
False} is inhabited, but using fully qualified names, {\tt
Coq.Init.Logic.False} will always refer to the absurd proposition,
what we guarantee is that there is no proof of this latter
constant.}
Another point is to get an even higher level of security. Since {\tt
coqtop} can be extended with custom tactics, possibly ill-typed
code, it cannot be guaranteed that the produced compiled libraries are
correct. {\tt coqchk} is a standalone verifier, and thus it cannot be
tainted by such malicious code.
Command-line options {\tt -I}, {\tt -R}, {\tt -where} and
{\tt -impredicative-set} are supported by {\tt coqchk} and have the
same meaning as for {\tt coqtop}. Extra options are:
\begin{description}
\item[{\tt -norec} $module$]\
Check $module$ but do not force check of its dependencies.
\item[{\tt -admit} $module$] \
Do not check $module$ and any of its dependencies, unless
explicitly required.
\item[{\tt -o}]\
At exit, print a summary about the context. List the names of all
assumptions and variables (constants without body).
\item[{\tt -silent}]\
Do not write progress information in standard output.
\end{description}
Environment variable \verb:$COQLIB: can be set to override the
location of the standard library.
The algorithm for deciding which modules are checked or admitted is
the following: assuming that {\tt coqchk} is called with argument $M$,
option {\tt -norec} $N$, and {\tt -admit} $A$. Let us write
$\overline{S}$ the set of reflexive transitive dependencies of set
$S$. Then:
\begin{itemize}
\item Modules $C=\overline{M}\backslash\overline{A}\cup M\cup N$ are
loaded and type-checked before being added to the context.
\item And $\overline{M}\cup\overline{N}\backslash C$ is the set of
modules that are loaded and added to the context without
type-checking. Basic integrity checks (checksums) are nonetheless
performed.
\end{itemize}
As a rule of thumb, the {\tt -admit} can be used to tell that some
libraries have already been checked. So {\tt coqchk A B} can be split
in {\tt coqchk A \&\& coqchk B -admit A} without type-checking any
definition twice. Of course, the latter is slightly slower since it
makes more disk access. It is also less secure since an attacker might
have replaced the compiled library $A$ after it has been read by the
first command, but before it has been read by the second command.
%%% Local Variables:
%%% mode: latex
%%% TeX-master: "Reference-Manual"
%%% End:
|