Coq trusted kernel code size

vzaliva · August 10, 2020, 10:21pm

Hi! I am writing down an explanation about Coq’s trust model and need some info about the trusted codebase. In particular:

What is the size of the trusted code base?
What steps been taken to assure it is bug-free? Manual code reviews? Paper proofs? etc.
How many bugs were found in it?

This presentation is citing 18 KLOC and “1 critical bug per year”, but I would love to see more info.

I will appreciate any pointers and relevant information.

Thanks!

P.S. I am just interested in the kernel. Not parsing or extraction.

ppedrot · August 10, 2020, 11:14pm

Since the checker and the kernel have been merged, it’s harder to get an idea of what really constitutes the TCB. Any code used for the compilation of coqchk should probably go in there, so the TCB is made of pieces of the lib, clib and kernel folders.
Traditionally, any serious change to the kernel theory needs to be justified by a peer-reviewed paper. The implementation in itself is then regularly scrutinized by a few people including myself, but obviously this doesn’t prevent bugs both in the spec and in the implementation. Some parts are known to be fuzzy (modules) or outright broken (template polymorphism). This one of the reasons why the MetaCoq project was started, so that at least if we agree on the spec we can know for sure that the implementation is correct.
We are now trying to keep track of the soundness bugs following the style of critical security bug. An approximate list of such bugs can be found in the repo.

Topic		Replies	Views
Understanding the Coq kernel Using Coq	5	3786	May 24, 2019
Why is Coq consistent? What is the intended semantics? Miscellaneous faq	21	3495	September 27, 2019
Proof engineering survey published Announcements	3	1035	March 17, 2020
Coq Prove code security Using Coq software-foundations	1	620	July 26, 2021
CertiuCOS2 Using Coq	0	237	September 25, 2023