A Machine Checked Model of Idempotent MGU Axioms For Lists of Equational Constraints

We present formalized proofs verifying that the first-order unification algorithm defined over lists of satisfiable constraints generates a most general unifier (MGU), which also happens to be idempotent. All of our proofs have been formalized in the Coq theorem prover. Our proofs show that finite maps produced by the unification algorithm provide a model of the axioms characterizing idempotent MGUs of lists of constraints. The axioms that serve as the basis for our verification are derived from a standard set by extending them to lists of constraints. For us, constraints are equalities between terms in the language of simple types. Substitutions are formally modeled as finite maps using the Coq library Coq.FSets.FMapInterface. Coq’s method of functional induction is the main proof technique used in proving many of the axioms.

💡 Research Summary

The paper presents a fully mechanized verification, carried out in the Coq proof assistant, that a first‑order unification algorithm operating on lists of equational constraints produces a most general unifier (MGU) which is also idempotent. The authors begin by extending the classic set of axioms that characterize idempotent MGUs (typically formulated for unordered sets of equations) to the setting of ordered lists of constraints. These axioms (often labelled A1–A7) capture the essential properties of a substitution that is a solution to the constraints, is most general among all solutions, composes associatively, has an identity element, and satisfies σ ∘ σ = σ (idempotence).

In the formal development, terms are built from variables and function symbols of a simple type language. A constraint is simply an equality between two terms, and a list of constraints is the primary data structure fed to the algorithm. Substitutions are modeled as finite maps using Coq’s Coq.FSets.FMapInterface library. The authors define the usual operations on substitutions—application to a term, composition, domain, and range—by means of map look‑ups and updates, ensuring that all operations are total and well‑typed within Coq’s logic.

The unification algorithm itself is a recursive function unify_list. It proceeds by pattern‑matching on the head of the constraint list. If the head is of the form X = t where X is a variable not occurring in t, the algorithm produces a binding X ↦ t, applies this binding to the remaining constraints, and recurses. If the head is of the form f(s₁,…,sₙ) = f(t₁,…,tₙ), the algorithm replaces the head with the n new constraints sᵢ = tᵢ and recurses. Any other pattern causes immediate failure. The function is equipped with a well‑founded measure (the size of the constraint list) to guarantee termination, a fact that is proved inside Coq.

The core of the paper is a suite of proofs showing that the substitution returned by unify_list satisfies each of the extended axioms. The authors rely heavily on Coq’s functional induction principle, which allows them to perform induction directly on the recursive definition of unify_list. This technique makes it possible to reason about the substitution produced at each recursive call, to track how composition with earlier bindings evolves, and to establish properties such as:

• A1 & A2 (Solution) – The final substitution indeed makes every constraint in the original list true. This follows by induction on the list, using the fact that each recursive step applies the current substitution to the rest of the constraints.
• A3 & A4 (Associativity & Identity) – Composition of substitutions is associative and there exists an identity substitution (the empty map). The proofs lift the standard map lemmas to the list setting, again by functional induction.
• A5 (Idempotence) – The algorithm never introduces a binding that could later be altered; consequently, composing the resulting substitution with itself yields the same substitution. The proof shows that after a variable is bound, it never appears on the left‑hand side of any later constraint.
• A6 (Most Generality) – For any other unifier τ of the original list, there exists a substitution θ such that τ = σ ∘ θ, where σ is the algorithm’s output. The authors construct θ by “undoing” the bindings of σ inside τ, a construction that is formalized using map restrictions and proved correct by induction.
• A7 (Failure Consistency) – If unify_list fails, the original set of constraints is unsatisfiable. This is shown by contraposition: assuming a unifier exists leads to a contradiction with the failure case analysis.

Throughout these proofs, the authors make extensive use of Coq’s FMapFacts module to obtain lemmas about map lookup, update, and composition, and they develop custom tactics to automate repetitive reasoning steps. The combination of automated tactics and manual, human‑guided proof scripts yields a concise yet rigorous development.

In the related‑work discussion, the paper contrasts its approach with earlier mechanizations of unification that either dealt only with single equations, omitted idempotence, or used set‑based rather than list‑based representations. By handling ordered lists, the authors enable a direct correspondence with practical implementations of type inference engines, where constraints are generated and solved in a specific order.

The conclusion emphasizes that the mechanized model not only validates the correctness of the algorithm but also provides a reusable Coq library for reasoning about substitutions and unification in more complex settings (e.g., polymorphic or dependent type systems). Future work is suggested in extending the framework to richer term languages, integrating inequality constraints, and exploring performance‑oriented extraction of the verified algorithm to executable code.