Type-Based Methods for Termination and Productivity in Coq

Coq is a total dependently-typed programming language: recursive functions must be terminating and co-recursive functions must be productive. The requirement of totality is essential to ensure logical consistency, since a non-terminating function can be easily used to encode a proof of falsity. Systems based on dependent type theories, such as Coq and Agda, typically use syntactic methods, called guard predicates in Coq, to ensure termination (and productivity). A guard predicate is a form of static analysis, performed on the body of recursive functions, that checks that recursive functions are placed on structurally smaller arguments. Guard predicates were initially implemented in Coq over 15 years ago by Eduardo Giménez. Throughout the years, the guard predicate implementation has been relaxed and extended, in order to accept more recursion patterns as terminating (the most recent addition involves commutative cuts [6]). As a result, the implementation is large and difficult to maintain, making the termination checker one of the weakest point in the Coq kernel. This is highly undesirable, since any bug at this level jeopardizes logical consistency. Furthermore, the metatheoretical properties of the implemented extensions have not been studied (in particular, logical consistency). From the user point of view, the limitations of syntactic-based termination appear often in practice. Let us illustrate with a typical example. Consider the following definitions of subtraction and division on natural numbers, where divx y computes d x y+1e by repeated subtraction: