guarded_by_destructors on steroids

[helm.git] / helm / software / components / ng_kernel / nCicTypeChecker.ml

(*
    ||M||  This file is part of HELM, an Hypertextual, Electronic        
    ||A||  Library of Mathematics, developed at the Computer Science     
    ||T||  Department, University of Bologna, Italy.                     
    ||I||                                                                
    ||T||  HELM is free software; you can redistribute it and/or         
    ||A||  modify it under the terms of the GNU General Public License   
    \   /  version 2 or (at your option) any later version.      
     \ /   This software is distributed as is, NO WARRANTY.     
      V_______________________________________________________________ *)

(* $Id: nCicReduction.ml 8250 2008-03-25 17:56:20Z tassi $ *)

(* web interface stuff *)

let logger = 
  ref (function (`Start_type_checking _|`Type_checking_completed _) -> ())
;;

let set_logger f = logger := f;;

exception TypeCheckerFailure of string Lazy.t
exception AssertFailure of string Lazy.t

type recf_entry = 
  | Evil of int (* rno *) 
  | UnfFix of bool list (* fixed arguments *) 
  | Safe
;;

let is_dangerous i l = 
  List.exists (function (j,Evil _) when j=i -> true | _ -> false) l
;;

let is_unfolded i l = 
  List.exists (function (j,UnfFix _) when j=i -> true | _ -> false) l
;;

let is_safe i l =
  List.exists (function (j,Safe) when j=i -> true | _ -> false) l
;;

let get_recno i l = 
  try match List.assoc i l with Evil rno -> rno | _ -> assert false
  with Not_found -> assert false
;;

let get_fixed_args i l = 
  try match List.assoc i l with UnfFix fa -> fa | _ -> assert false
  with Not_found -> assert false
;;

let shift_k e (c,rf,x) = e::c,List.map (fun (k,v) -> k+1,v) rf,x+1;;

let string_of_recfuns ~subst ~metasenv ~context l = 
  let pp = NCicPp.ppterm ~subst ~metasenv ~context in
  let safe, rest = List.partition (function (_,Safe) -> true | _ -> false) l in
  let dang, unf = List.partition (function (_,UnfFix _) -> false | _->true)rest in
  "\n\tsafes: "^String.concat "," (List.map (fun (i,_)->pp (NCic.Rel i)) safe) ^
  "\n\tfix  : "^String.concat "," 
   (List.map 
     (function (i,UnfFix l)-> pp(NCic.Rel i)^"/"^String.concat "," (List.map
       string_of_bool l)
     | _ ->assert false) unf) ^
  "\n\trec  : "^String.concat "," 
   (List.map 
     (function (i,Evil rno)->pp(NCic.Rel i)^"/"^string_of_int rno
     | _ -> assert false) dang)
;;

let fixed_args bo j n nn =
 let rec aux k acc = function
  | NCic.Appl (NCic.Rel i::args) when i+k > n && i+k <= nn ->
      let lefts, _ = HExtlib.split_nth j args in
      List.map (fun ((b,x),i) -> b && x = NCic.Rel (k+(j-i))) 
        (HExtlib.list_mapi (fun x i -> x,i) (List.combine acc lefts))
  | t -> NCicUtils.fold (fun _ k -> k+1) k aux acc t    
 in
   aux 0 (let rec f = function 0 -> [] | n -> true :: f (n-1) in f j) bo
;;

let rec list_iter_default2 f l1 def l2 = 
  match l1,l2 with
    | [], _ -> ()
    | a::ta, b::tb -> f a b; list_iter_default2 f ta def tb 
    | a::ta, [] -> f a def; list_iter_default2 f ta def [] 
;;


(*
(* the boolean h means already protected *)
(* args is the list of arguments the type of the constructor that may be *)
(* found in head position must be applied to.                            *)
and guarded_by_constructors ~subst context n nn h te args coInductiveTypeURI =
 let module C = Cic in
  (*CSC: There is a lot of code replication between the cases X and    *)
  (*CSC: (C.Appl X tl). Maybe it will be better to define a function   *)
  (*CSC: that maps X into (C.Appl X []) when X is not already a C.Appl *)
  match CicReduction.whd ~subst context te with
     C.Rel m when m > n && m <= nn -> h
   | C.Rel _ -> true
   | C.Meta _
   | C.Sort _
   | C.Implicit _
   | C.Cast _
   | C.Prod _
   | C.LetIn _ ->
      (* the term has just been type-checked *)
      raise (AssertFailure (lazy "17"))
   | C.Lambda (name,so,de) ->
      does_not_occur ~subst context n nn so &&
       guarded_by_constructors ~subst ((Some (name,(C.Decl so)))::context)
        (n + 1) (nn + 1) h de args coInductiveTypeURI
   | C.Appl ((C.Rel m)::tl) when m > n && m <= nn ->
      h &&
       List.fold_right (fun x i -> i && does_not_occur ~subst context n nn x) tl true
   | C.Appl ((C.MutConstruct (uri,i,j,exp_named_subst))::tl) ->
      let consty =
        let obj,_ = 
          try 
            CicEnvironment.get_cooked_obj ~trust:false CicUniv.empty_ugraph uri
          with Not_found -> assert false
        in
       match obj with
          C.InductiveDefinition (itl,_,_,_) ->
           let (_,_,_,cl) = List.nth itl i in
            let (_,cons) = List.nth cl (j - 1) in
             CicSubstitution.subst_vars exp_named_subst cons
        | _ ->
            raise (TypeCheckerFailure
             (lazy ("Unknown mutual inductive definition:" ^ UriManager.string_of_uri uri)))
      in
       let rec analyse_branch context ty te =
        match CicReduction.whd ~subst context ty with
           C.Meta _ -> raise (AssertFailure (lazy "34"))
         | C.Rel _
         | C.Var _
         | C.Sort _ ->
            does_not_occur ~subst context n nn te
         | C.Implicit _
         | C.Cast _ ->
            raise (AssertFailure (lazy "24"))(* due to type-checking *)
         | C.Prod (name,so,de) ->
            analyse_branch ((Some (name,(C.Decl so)))::context) de te
         | C.Lambda _
         | C.LetIn _ ->
            raise (AssertFailure (lazy "25"))(* due to type-checking *)
         | C.Appl ((C.MutInd (uri,_,_))::_) when uri == coInductiveTypeURI -> 
             guarded_by_constructors ~subst context n nn true te []
              coInductiveTypeURI
         | C.Appl ((C.MutInd (uri,_,_))::_) -> 
            guarded_by_constructors ~subst context n nn true te tl
             coInductiveTypeURI
         | C.Appl _ ->
            does_not_occur ~subst context n nn te
         | C.Const _ -> raise (AssertFailure (lazy "26"))
         | C.MutInd (uri,_,_) when uri == coInductiveTypeURI ->
            guarded_by_constructors ~subst context n nn true te []
             coInductiveTypeURI
         | C.MutInd _ ->
            does_not_occur ~subst context n nn te
         | C.MutConstruct _ -> raise (AssertFailure (lazy "27"))
         (*CSC: we do not consider backbones with a MutCase, Fix, Cofix *)
         (*CSC: in head position.                                       *)
         | C.MutCase _
         | C.Fix _
         | C.CoFix _ ->
            raise (AssertFailure (lazy "28"))(* due to type-checking *)
       in
       let rec analyse_instantiated_type context ty l =
        match CicReduction.whd ~subst context ty with
           C.Rel _
         | C.Var _
         | C.Meta _
         | C.Sort _
         | C.Implicit _
         | C.Cast _ -> raise (AssertFailure (lazy "29"))(* due to type-checking *)
         | C.Prod (name,so,de) ->
            begin
             match l with
                [] -> true
              | he::tl ->
                 analyse_branch context so he &&
                  analyse_instantiated_type
                   ((Some (name,(C.Decl so)))::context) de tl
            end
         | C.Lambda _
         | C.LetIn _ ->
            raise (AssertFailure (lazy "30"))(* due to type-checking *)
         | C.Appl _ -> 
            List.fold_left
             (fun i x -> i && does_not_occur ~subst context n nn x) true l
         | C.Const _ -> raise (AssertFailure (lazy "31"))
         | C.MutInd _ ->
            List.fold_left
             (fun i x -> i && does_not_occur ~subst context n nn x) true l
         | C.MutConstruct _ -> raise (AssertFailure (lazy "32"))
         (*CSC: we do not consider backbones with a MutCase, Fix, Cofix *)
         (*CSC: in head position.                                       *)
         | C.MutCase _
         | C.Fix _
         | C.CoFix _ ->
            raise (AssertFailure (lazy "33"))(* due to type-checking *)
       in
        let rec instantiate_type args consty =
         function
            [] -> true
          | tlhe::tltl as l ->
             let consty' = CicReduction.whd ~subst context consty in
              match args with 
                 he::tl ->
                  begin
                   match consty' with
                      C.Prod (_,_,de) ->
                       let instantiated_de = CicSubstitution.subst he de in
                        (*CSC: siamo sicuri che non sia troppo forte? *)
                        does_not_occur ~subst context n nn tlhe &
                         instantiate_type tl instantiated_de tltl
                    | _ ->
                      (*CSC:We do not consider backbones with a MutCase, a    *)
                      (*CSC:FixPoint, a CoFixPoint and so on in head position.*)
                      raise (AssertFailure (lazy "23"))
                  end
               | [] -> analyse_instantiated_type context consty' l
                  (* These are all the other cases *)
       in
        instantiate_type args consty tl
   | C.Appl ((C.CoFix (_,fl))::tl) ->
      List.fold_left (fun i x -> i && does_not_occur ~subst context n nn x) true tl &&
       let len = List.length fl in
        let n_plus_len = n + len
        and nn_plus_len = nn + len
        (*CSC: Is a Decl of the ty ok or should I use Def of a Fix? *)
        and tys,_ =
          List.fold_left
            (fun (types,len) (n,ty,_) ->
               (Some (C.Name n,(C.Decl (CicSubstitution.lift len ty)))::types,
                len+1)
            ) ([],0) fl
        in
         List.fold_right
          (fun (_,ty,bo) i ->
            i && does_not_occur ~subst context n nn ty &&
             guarded_by_constructors ~subst (tys@context) n_plus_len nn_plus_len
              h bo args coInductiveTypeURI
          ) fl true
   | C.Appl ((C.MutCase (_,_,out,te,pl))::tl) ->
       List.fold_left (fun i x -> i && does_not_occur ~subst context n nn x) true tl &&
        does_not_occur ~subst context n nn out &&
         does_not_occur ~subst context n nn te &&
          List.fold_right
           (fun x i ->
             i &&
             guarded_by_constructors ~subst context n nn h x args
              coInductiveTypeURI
           ) pl true
   | C.Appl l ->
      List.fold_right (fun x i -> i && does_not_occur ~subst context n nn x) l true
   | C.Var (_,exp_named_subst)
   | C.Const (_,exp_named_subst) ->
      List.fold_right
       (fun (_,x) i -> i && does_not_occur ~subst context n nn x) exp_named_subst true
   | C.MutInd _ -> assert false
   | C.MutConstruct (_,_,_,exp_named_subst) ->
      List.fold_right
       (fun (_,x) i -> i && does_not_occur ~subst context n nn x) exp_named_subst true
   | C.MutCase (_,_,out,te,pl) ->
       does_not_occur ~subst context n nn out &&
        does_not_occur ~subst context n nn te &&
         List.fold_right
          (fun x i ->
            i &&
             guarded_by_constructors ~subst context n nn h x args
              coInductiveTypeURI
          ) pl true
   | C.Fix (_,fl) ->
      let len = List.length fl in
       let n_plus_len = n + len
       and nn_plus_len = nn + len
       (*CSC: Is a Decl of the ty ok or should I use Def of a Fix? *)
       and tys,_ =
        List.fold_left
          (fun (types,len) (n,_,ty,_) ->
             (Some (C.Name n,(C.Decl (CicSubstitution.lift len ty)))::types,
              len+1)
          ) ([],0) fl
       in
        List.fold_right
         (fun (_,_,ty,bo) i ->
           i && does_not_occur ~subst context n nn ty &&
            does_not_occur ~subst (tys@context) n_plus_len nn_plus_len bo
         ) fl true
   | C.CoFix (_,fl) ->
      let len = List.length fl in
       let n_plus_len = n + len
       and nn_plus_len = nn + len
       (*CSC: Is a Decl of the ty ok or should I use Def of a Fix? *)
       and tys,_ =
        List.fold_left
          (fun (types,len) (n,ty,_) ->
             (Some (C.Name n,(C.Decl (CicSubstitution.lift len ty)))::types,
              len+1)
          ) ([],0) fl
       in
        List.fold_right
         (fun (_,ty,bo) i ->
           i && does_not_occur ~subst context n nn ty &&
            guarded_by_constructors ~subst (tys@context) n_plus_len nn_plus_len
             h bo
             args coInductiveTypeURI
         ) fl true

 in
  type_of_aux ~logger context t ugraph

;;

(** wrappers which instantiate fresh loggers *)

(* check_allowed_sort_elimination uri i s1 s2
   This function is used outside the kernel to determine in advance whether
   a MutCase will be allowed or not.
   [uri,i] is the type of the term to match
   [s1] is the sort of the term to eliminate (i.e. the head of the arity
        of the inductive type [uri,i])
   [s2] is the sort of the goal (i.e. the head of the type of the outtype
        of the MutCase) *)
let check_allowed_sort_elimination uri i s1 s2 =
 fst (check_allowed_sort_elimination ~subst:[] ~metasenv:[]
  ~logger:(new CicLogger.logger) [] uri i true
  (Cic.Implicit None) (* never used *) (Cic.Sort s1) (Cic.Sort s2)
  CicUniv.empty_ugraph)
;;

Deannotate.type_of_aux' := fun context t -> fst (type_of_aux' [] context t CicUniv.oblivion_ugraph);;

*)

module C = NCic 
module R = NCicReduction
module Ref = NReference
module S = NCicSubstitution 
module U = NCicUtils
module E = NCicEnvironment

let rec split_prods ~subst context n te =
  match (n, R.whd ~subst context te) with
   | (0, _) -> context,te
   | (n, C.Prod (name,so,ta)) when n > 0 ->
       split_prods ~subst ((name,(C.Decl so))::context) (n - 1) ta
   | (_, _) -> raise (AssertFailure (lazy "split_prods"))
;;

let debruijn ?(cb=fun _ _ -> ()) uri number_of_types context = 
 let rec aux k t =
  let res =
   match t with
    | C.Meta (i,(s,C.Ctx l)) ->
       let l1 = NCicUtils.sharing_map (aux (k-s)) l in
       if l1 == l then t else C.Meta (i,(s,C.Ctx l1))
    | C.Meta _ -> t
    | C.Const (Ref.Ref (_,uri1,(Ref.Fix (no,_) | Ref.CoFix no))) 
    | C.Const (Ref.Ref (_,uri1,Ref.Ind no)) when NUri.eq uri uri1 ->
       C.Rel (k + number_of_types - no)
    | t -> NCicUtils.map (fun _ k -> k+1) k aux t
  in
   cb t res; res
 in
  aux (List.length context)
;;

let sort_of_prod ~metasenv ~subst context (name,s) (t1, t2) =
   let t1 = R.whd ~subst context t1 in
   let t2 = R.whd ~subst ((name,C.Decl s)::context) t2 in
   match t1, t2 with
   | C.Sort s1, C.Sort C.Prop -> t2
   | C.Sort (C.Type u1), C.Sort (C.Type u2) -> C.Sort (C.Type (max u1 u2)) 
   | C.Sort _,C.Sort (C.Type _) -> t2
   | C.Sort (C.Type _) , C.Sort C.CProp -> t1
   | C.Sort _, C.Sort C.CProp -> t2
   | C.Meta _, C.Sort _
   | C.Meta _, C.Meta _
   | C.Sort _, C.Meta _ when U.is_closed t2 -> t2
   | _ -> 
      raise (TypeCheckerFailure (lazy (Printf.sprintf
        "Prod: expected two sorts, found = %s, %s" 
         (NCicPp.ppterm ~subst ~metasenv ~context t1) 
         (NCicPp.ppterm ~subst ~metasenv ~context t2))))
;;

let eat_prods ~subst ~metasenv context he ty_he args_with_ty = 
  let rec aux ty_he = function 
  | [] -> ty_he
  | (arg, ty_arg)::tl ->
      match R.whd ~subst context ty_he with 
      | C.Prod (n,s,t) ->
(*
          prerr_endline (NCicPp.ppterm ~subst ~metasenv ~context s ^ " - Vs - "
          ^ NCicPp.ppterm ~subst ~metasenv
          ~context ty_arg);
          prerr_endline (NCicPp.ppterm ~subst ~metasenv ~context (S.subst ~avoid_beta_redexes:true arg t));
*)
          if R.are_convertible ~subst ~metasenv context ty_arg s then
            aux (S.subst ~avoid_beta_redexes:true arg t) tl
          else
            raise 
              (TypeCheckerFailure 
                (lazy (Printf.sprintf
                  ("Appl: wrong application of %s: the parameter %s has type"^^
                   "\n%s\nbut it should have type \n%s\nContext:\n%s\n")
                  (NCicPp.ppterm ~subst ~metasenv ~context he)
                  (NCicPp.ppterm ~subst ~metasenv ~context arg)
                  (NCicPp.ppterm ~subst ~metasenv ~context ty_arg)
                  (NCicPp.ppterm ~subst ~metasenv ~context s)
                  (NCicPp.ppcontext ~subst ~metasenv context))))
       | _ ->
          raise 
            (TypeCheckerFailure
              (lazy (Printf.sprintf
                "Appl: %s is not a function, it cannot be applied"
                (NCicPp.ppterm ~subst ~metasenv ~context
                 (let res = List.length tl in
                  let eaten = List.length args_with_ty - res in
                   (NCic.Appl
                    (he::List.map fst
                     (fst (HExtlib.split_nth eaten args_with_ty)))))))))
  in
    aux ty_he args_with_ty
;;

(* instantiate_parameters ps (x1:T1)...(xn:Tn)C                             *)
(* returns ((x_|ps|:T_|ps|)...(xn:Tn)C){ps_1 / x1 ; ... ; ps_|ps| / x_|ps|} *)
let rec instantiate_parameters params c =
  match c, params with
  | c,[] -> c
  | C.Prod (_,_,ta), he::tl -> instantiate_parameters tl (S.subst he ta)
  | t,l -> raise (AssertFailure (lazy "1"))
;;

let specialize_inductive_type ~subst context ty_term =
  match R.whd ~subst context ty_term with
  | C.Const (Ref.Ref (_,uri,Ref.Ind i) as ref)  
  | C.Appl (C.Const (Ref.Ref (_,uri,Ref.Ind i) as ref) :: _ ) as ty ->
      let args = match ty with C.Appl (_::tl) -> tl | _ -> [] in
      let is_ind, leftno, itl, attrs, i = E.get_checked_indtys ref in
      let left_args,_ = HExtlib.split_nth leftno args in
      let itl =
        List.map (fun (rel, name, arity, cl) ->
          let arity = instantiate_parameters left_args arity in
          let cl = 
            List.map (fun (rel, name, ty) -> 
              rel, name, instantiate_parameters left_args ty)
              cl
          in
            rel, name, arity, cl)
          itl
      in
        is_ind, leftno, itl, attrs, i
  | _ -> assert false
;;

let fix_lefts_in_constrs ~subst r_uri r_len context ty_term =
  let _,_,itl,_,i = specialize_inductive_type ~subst context ty_term in
  let _,_,_,cl = List.nth itl i in  
  let cl =
    List.map (fun (_,id,ty) -> id, debruijn r_uri r_len context ty) cl 
  in
  List.map (fun (_,name,arity,_) -> name, C.Decl arity) itl, cl
;;

exception DoesOccur;;

let does_not_occur ~subst context n nn t = 
  let rec aux (context,n,nn as k) _ = function
    | C.Rel m when m > n && m <= nn -> raise DoesOccur
    | C.Rel m ->
        (try (match List.nth context (m-1) with
          | _,C.Def (bo,_) -> aux k () (S.lift m bo)
          | _ -> ())
         with Failure _ -> assert false)
    | C.Meta (_,(_,(C.Irl 0 | C.Ctx []))) -> (* closed meta *) ()
    | C.Meta (mno,(s,l)) ->
         (try
           let _,_,term,_ = U.lookup_subst mno subst in
           aux (context,n+s,nn+s) () (S.subst_meta (0,l) term)
          with CicUtil.Subst_not_found _ -> match l with
          | C.Irl len -> if not (n >= s+len || s > nn) then raise DoesOccur
          | C.Ctx lc -> List.iter (aux (context,n+s,nn+s) ()) lc)
    | t -> U.fold (fun e (ctx,n,nn) -> (e::ctx,n+1,nn+1)) k aux () t
  in
   try aux (context,n,nn) () t; true
   with DoesOccur -> false
;;

(*CSC l'indice x dei tipi induttivi e' t.c. n < x <= nn *)
(*CSC questa funzione e' simile alla are_all_occurrences_positive, ma fa *)
(*CSC dei controlli leggermente diversi. Viene invocata solamente dalla  *)
(*CSC strictly_positive                                                  *)
(*CSC definizione (giusta???) tratta dalla mail di Hugo ;-)              *)
let rec weakly_positive ~subst context n nn uri te =
(*CSC: Che schifo! Bisogna capire meglio e trovare una soluzione ragionevole!*)
  let dummy = C.Sort (C.Type ~-1) in
  (*CSC: mettere in cicSubstitution *)
  let rec subst_inductive_type_with_dummy _ = function
    | C.Const (Ref.Ref (_,uri',Ref.Ind 0)) when NUri.eq uri' uri -> dummy
    | C.Appl ((C.Const (Ref.Ref (_,uri',Ref.Ind 0)))::tl) 
        when NUri.eq uri' uri -> dummy
    | t -> U.map (fun _ x->x) () subst_inductive_type_with_dummy t
  in
  match R.whd context te with
   | C.Const (Ref.Ref (_,uri',Ref.Ind _))
   | C.Appl ((C.Const (Ref.Ref (_,uri',Ref.Ind _)))::_) 
      when NUri.eq uri' uri -> true
   | C.Prod (name,source,dest) when
      does_not_occur ~subst ((name,C.Decl source)::context) 0 1 dest ->
       (* dummy abstraction, so we behave as in the anonimous case *)
       strictly_positive ~subst context n nn
        (subst_inductive_type_with_dummy () source) &&
       weakly_positive ~subst ((name,C.Decl source)::context)
        (n + 1) (nn + 1) uri dest
   | C.Prod (name,source,dest) ->
       does_not_occur ~subst context n nn
        (subst_inductive_type_with_dummy () source)&&
       weakly_positive ~subst ((name,C.Decl source)::context)
        (n + 1) (nn + 1) uri dest
   | _ ->
     raise (TypeCheckerFailure (lazy "Malformed inductive constructor type"))

and strictly_positive ~subst context n nn te =
  match R.whd context te with
   | t when does_not_occur ~subst context n nn t -> true
   | C.Rel _ -> true
   | C.Prod (name,so,ta) ->
      does_not_occur ~subst context n nn so &&
       strictly_positive ~subst ((name,C.Decl so)::context) (n+1) (nn+1) ta
   | C.Appl ((C.Rel m)::tl) when m > n && m <= nn ->
      List.for_all (does_not_occur ~subst context n nn) tl
   | C.Appl (C.Const (Ref.Ref (_,uri,Ref.Ind i) as r)::tl) -> 
      let _,paramsno,tyl,_,i = E.get_checked_indtys r in
      let _,name,ity,cl = List.nth tyl i in
      let ok = List.length tyl = 1 in
      let params, arguments = HExtlib.split_nth paramsno tl in
      let lifted_params = List.map (S.lift 1) params in
      let cl =
        List.map (fun (_,_,te) -> instantiate_parameters lifted_params te) cl 
      in
      ok &&
      List.for_all (does_not_occur ~subst context n nn) arguments &&
      List.for_all 
        (weakly_positive ~subst ((name,C.Decl ity)::context) (n+1) (nn+1) uri) cl
   | _ -> false
       
(* the inductive type indexes are s.t. n < x <= nn *)
and are_all_occurrences_positive ~subst context uri indparamsno i n nn te =
  match R.whd context te with
  |  C.Appl ((C.Rel m)::tl) as reduct when m = i ->
      let last =
       List.fold_left
        (fun k x ->
          if k = 0 then 0
          else
           match R.whd context x with
           |  C.Rel m when m = n - (indparamsno - k) -> k - 1
           | y -> raise (TypeCheckerFailure (lazy 
              ("Argument "^string_of_int (indparamsno - k + 1) ^ " (of " ^
              string_of_int indparamsno ^ " fixed) is not homogeneous in "^
              "appl:\n"^ NCicPp.ppterm ~context ~subst ~metasenv:[] reduct))))
        indparamsno tl
      in
       if last = 0 then
        List.for_all (does_not_occur ~subst context n nn) tl
       else
        raise (TypeCheckerFailure
         (lazy ("Non-positive occurence in mutual inductive definition(s) [2]"^
          NUri.string_of_uri uri)))
  | C.Rel m when m = i ->
      if indparamsno = 0 then
       true
      else
        raise (TypeCheckerFailure
         (lazy ("Non-positive occurence in mutual inductive definition(s) [3]"^
          NUri.string_of_uri uri)))
  | C.Prod (name,source,dest) when
      does_not_occur ~subst ((name,C.Decl source)::context) 0 1 dest ->
      strictly_positive ~subst context n nn source &&
       are_all_occurrences_positive ~subst 
        ((name,C.Decl source)::context) uri indparamsno
        (i+1) (n + 1) (nn + 1) dest
   | C.Prod (name,source,dest) ->
       if not (does_not_occur ~subst context n nn source) then
         raise (TypeCheckerFailure (lazy ("Non-positive occurrence in "^
         NCicPp.ppterm ~context ~metasenv:[] ~subst te)));
       are_all_occurrences_positive ~subst ((name,C.Decl source)::context)
        uri indparamsno (i+1) (n + 1) (nn + 1) dest
   | _ ->
     raise
      (TypeCheckerFailure (lazy ("Malformed inductive constructor type " ^
        (NUri.string_of_uri uri))))
;;

exception NotGuarded of string Lazy.t;;

let rec typeof ~subst ~metasenv context term =
  let rec typeof_aux context = 
    fun t -> (*prerr_endline (NCicPp.ppterm ~context t); *)
    match t with
    | C.Rel n ->
       (try
         match List.nth context (n - 1) with
         | (_,C.Decl ty) -> S.lift n ty
         | (_,C.Def (_,ty)) -> S.lift n ty
        with Failure _ -> raise (TypeCheckerFailure (lazy "unbound variable")))
    | C.Sort (C.Type i) -> C.Sort (C.Type (i+1))
    | C.Sort s -> C.Sort (C.Type 0)
    | C.Implicit _ -> raise (AssertFailure (lazy "Implicit found"))
    | C.Meta (n,l) as t -> 
       let canonical_ctx,ty =
        try
         let _,c,_,ty = U.lookup_subst n subst in c,ty
        with U.Subst_not_found _ -> try
         let _,_,c,ty = U.lookup_meta n metasenv in c,ty
        with U.Meta_not_found _ ->
         raise (AssertFailure (lazy (Printf.sprintf
          "%s not found" (NCicPp.ppterm ~subst ~metasenv ~context t))))
       in
        check_metasenv_consistency t ~subst ~metasenv context canonical_ctx l;
        S.subst_meta l ty
    | C.Const ref -> type_of_constant ref
    | C.Prod (name,s,t) ->
       let sort1 = typeof_aux context s in
       let sort2 = typeof_aux ((name,(C.Decl s))::context) t in
       sort_of_prod ~metasenv ~subst context (name,s) (sort1,sort2)
    | C.Lambda (n,s,t) ->
       let sort = typeof_aux context s in
       (match R.whd ~subst context sort with
       | C.Meta _ | C.Sort _ -> ()
       | _ ->
         raise
           (TypeCheckerFailure (lazy (Printf.sprintf
             ("Not well-typed lambda-abstraction: " ^^
             "the source %s should be a type; instead it is a term " ^^ 
             "of type %s") (NCicPp.ppterm ~subst ~metasenv ~context s)
             (NCicPp.ppterm ~subst ~metasenv ~context sort)))));
       let ty = typeof_aux ((n,(C.Decl s))::context) t in
         C.Prod (n,s,ty)
    | C.LetIn (n,ty,t,bo) ->
       let ty_t = typeof_aux context t in
       let _ = typeof_aux context ty in
       if not (R.are_convertible ~subst ~metasenv context ty ty_t) then
         raise 
          (TypeCheckerFailure 
            (lazy (Printf.sprintf
              "The type of %s is %s but it is expected to be %s" 
                (NCicPp.ppterm ~subst ~metasenv ~context t) 
                (NCicPp.ppterm ~subst ~metasenv ~context ty_t) 
                (NCicPp.ppterm ~subst ~metasenv ~context ty))))
       else
         let ty_bo = typeof_aux  ((n,C.Def (t,ty))::context) bo in
         S.subst ~avoid_beta_redexes:true t ty_bo
    | C.Appl (he::(_::_ as args)) ->
       let ty_he = typeof_aux context he in
       let args_with_ty = List.map (fun t -> t, typeof_aux context t) args in
(*
       prerr_endline ("HEAD: " ^ NCicPp.ppterm ~subst ~metasenv ~context ty_he);
       prerr_endline ("TARGS: " ^ String.concat " | " (List.map (NCicPp.ppterm
       ~subst ~metasenv ~context) (List.map snd args_with_ty)));
       prerr_endline ("ARGS: " ^ String.concat " | " (List.map (NCicPp.ppterm
       ~subst ~metasenv ~context) (List.map fst args_with_ty)));
*)
       eat_prods ~subst ~metasenv context he ty_he args_with_ty
   | C.Appl _ -> raise (AssertFailure (lazy "Appl of length < 2"))
   | C.Match (Ref.Ref (_,_,Ref.Ind tyno) as r,outtype,term,pl) ->
      let outsort = typeof_aux context outtype in
      let inductive,leftno,itl,_,_ = E.get_checked_indtys r in
      let constructorsno =
        let _,_,_,cl = List.nth itl tyno in List.length cl
      in
      let parameters, arguments =
        let ty = R.whd ~subst context (typeof_aux context term) in
        let r',tl =
         match ty with
            C.Const (Ref.Ref (_,_,Ref.Ind _) as r') -> r',[]
          | C.Appl (C.Const (Ref.Ref (_,_,Ref.Ind _) as r') :: tl) -> r',tl
          | _ ->
             raise 
               (TypeCheckerFailure (lazy (Printf.sprintf
                 "Case analysis: analysed term %s is not an inductive one"
                 (NCicPp.ppterm ~subst ~metasenv ~context term)))) in
        if not (Ref.eq r r') then
         raise
          (TypeCheckerFailure (lazy (Printf.sprintf
            ("Case analysys: analysed term type is %s, but is expected " ^^
             "to be (an application of) %s")
            (NCicPp.ppterm ~subst ~metasenv ~context ty) 
            (NCicPp.ppterm ~subst ~metasenv ~context (C.Const r')))))
        else
         try HExtlib.split_nth leftno tl
         with
          Failure _ ->
           raise (TypeCheckerFailure (lazy (Printf.sprintf 
           "%s is partially applied" 
           (NCicPp.ppterm  ~subst ~metasenv ~context ty)))) in
      (* let's control if the sort elimination is allowed: [(I q1 ... qr)|B] *)
      let sort_of_ind_type =
        if parameters = [] then C.Const r
        else C.Appl ((C.Const r)::parameters) in
      let type_of_sort_of_ind_ty = typeof_aux context sort_of_ind_type in
      check_allowed_sort_elimination ~subst ~metasenv r context
       sort_of_ind_type type_of_sort_of_ind_ty outsort;
      (* let's check if the type of branches are right *)
      if List.length pl <> constructorsno then
       raise (TypeCheckerFailure (lazy ("Wrong number of cases in a match")));
      let j,branches_ok,p_ty, exp_p_ty =
        List.fold_left
          (fun (j,b,old_p_ty,old_exp_p_ty) p ->
            if b then
              let cons = 
                let cons = Ref.mk_constructor j r in
                if parameters = [] then C.Const cons
                else C.Appl (C.Const cons::parameters)
              in
              let ty_p = typeof_aux context p in
              let ty_cons = typeof_aux context cons in
              let ty_branch = 
                type_of_branch ~subst context leftno outtype cons ty_cons 0 
              in
              j+1, R.are_convertible ~subst ~metasenv context ty_p ty_branch,
              ty_p, ty_branch
            else
              j,false,old_p_ty,old_exp_p_ty
          ) (1,true,C.Sort C.Prop,C.Sort C.Prop) pl
      in
      if not branches_ok then
        raise
         (TypeCheckerFailure 
          (lazy (Printf.sprintf ("Branch for constructor %s :=\n%s\n"^^
          "has type %s\nnot convertible with %s") 
          (NCicPp.ppterm  ~subst ~metasenv ~context
            (C.Const (Ref.mk_constructor (j-1) r)))
          (NCicPp.ppterm ~metasenv ~subst ~context (List.nth pl (j-2)))
          (NCicPp.ppterm ~metasenv ~subst ~context p_ty) 
          (NCicPp.ppterm ~metasenv ~subst ~context exp_p_ty)))); 
      let res = outtype::arguments@[term] in
      R.head_beta_reduce (C.Appl res)
    | C.Match _ -> assert false

  and type_of_branch ~subst context leftno outty cons tycons liftno = 
    match R.whd ~subst context tycons with
    | C.Const (Ref.Ref (_,_,Ref.Ind _)) -> C.Appl [S.lift liftno outty ; cons]
    | C.Appl (C.Const (Ref.Ref (_,_,Ref.Ind _))::tl) ->
        let _,arguments = HExtlib.split_nth leftno tl in
        C.Appl (S.lift liftno outty::arguments@[cons])
    | C.Prod (name,so,de) ->
        let cons =
         match S.lift 1 cons with
         | C.Appl l -> C.Appl (l@[C.Rel 1])
         | t -> C.Appl [t ; C.Rel 1]
        in
         C.Prod (name,so,
           type_of_branch ~subst ((name,(C.Decl so))::context) 
            leftno outty cons de (liftno+1))
    | _ -> raise (AssertFailure (lazy "type_of_branch"))

  (* check_metasenv_consistency checks that the "canonical" context of a
     metavariable is consitent - up to relocation via the relocation list l -
     with the actual context *)
  and check_metasenv_consistency 
    ~subst ~metasenv term context canonical_context l 
  =
   match l with
    | shift, NCic.Irl n ->
       let context = snd (HExtlib.split_nth shift context) in
        let rec compare = function
         | 0,_,[] -> ()
         | 0,_,_::_
         | _,_,[] ->
            raise (AssertFailure (lazy (Printf.sprintf
             "Local and canonical context %s have different lengths"
             (NCicPp.ppterm ~subst ~context ~metasenv term))))
         | m,[],_::_ ->
            raise (TypeCheckerFailure (lazy (Printf.sprintf
             "Unbound variable -%d in %s" m 
             (NCicPp.ppterm ~subst ~metasenv ~context term))))
         | m,t::tl,ct::ctl ->
            (match t,ct with
                (_,C.Decl t1), (_,C.Decl t2)
              | (_,C.Def (t1,_)), (_,C.Def (t2,_))
              | (_,C.Def (_,t1)), (_,C.Decl t2) ->
                 if not (R.are_convertible ~subst ~metasenv tl t1 t2) then
                  raise 
                      (TypeCheckerFailure 
                        (lazy (Printf.sprintf 
                      ("Not well typed metavariable local context for %s: " ^^ 
                       "%s expected, which is not convertible with %s")
                      (NCicPp.ppterm ~subst ~metasenv ~context term) 
                      (NCicPp.ppterm ~subst ~metasenv ~context t2) 
                      (NCicPp.ppterm ~subst ~metasenv ~context t1))))
              | _,_ ->
               raise 
                   (TypeCheckerFailure (lazy (Printf.sprintf 
                    ("Not well typed metavariable local context for %s: " ^^ 
                     "a definition expected, but a declaration found")
                    (NCicPp.ppterm ~subst ~metasenv ~context term)))));
            compare (m - 1,tl,ctl)
        in
         compare (n,context,canonical_context)
    | shift, lc_kind ->
       (* we avoid useless lifting by shortening the context*)
       let l,context = (0,lc_kind), snd (HExtlib.split_nth shift context) in
       let lifted_canonical_context = 
         let rec lift_metas i = function
           | [] -> []
           | (n,C.Decl t)::tl ->
               (n,C.Decl (S.subst_meta l (S.lift i t)))::(lift_metas (i+1) tl)
           | (n,C.Def (t,ty))::tl ->
               (n,C.Def ((S.subst_meta l (S.lift i t)),
                          S.subst_meta l (S.lift i ty)))::(lift_metas (i+1) tl)
         in
          lift_metas 1 canonical_context in
       let l = U.expand_local_context lc_kind in
       try
        List.iter2 
        (fun t ct -> 
          match (t,ct) with
          | t, (_,C.Def (ct,_)) ->
             (*CSC: the following optimization is to avoid a possibly expensive
                    reduction that can be easily avoided and that is quite
                    frequent. However, this is better handled using levels to
                    control reduction *)
             let optimized_t =
              match t with
              | C.Rel n ->
                  (try
                    match List.nth context (n - 1) with
                    | (_,C.Def (te,_)) -> S.lift n te
                    | _ -> t
                    with Failure _ -> t)
              | _ -> t
             in
             if not (R.are_convertible ~subst ~metasenv context optimized_t ct)
             then
               raise 
                 (TypeCheckerFailure 
                   (lazy (Printf.sprintf 
                     ("Not well typed metavariable local context: " ^^ 
                      "expected a term convertible with %s, found %s")
                     (NCicPp.ppterm ~subst ~metasenv ~context ct) 
                     (NCicPp.ppterm ~subst ~metasenv ~context t))))
          | t, (_,C.Decl ct) ->
              let type_t = typeof_aux context t in
              if not (R.are_convertible ~subst ~metasenv context type_t ct) then
                raise (TypeCheckerFailure 
                 (lazy (Printf.sprintf 
                  ("Not well typed metavariable local context: "^^
                  "expected a term of type %s, found %s of type %s") 
                  (NCicPp.ppterm ~subst ~metasenv ~context ct) 
                  (NCicPp.ppterm ~subst ~metasenv ~context t) 
                  (NCicPp.ppterm ~subst ~metasenv ~context type_t))))
        ) l lifted_canonical_context 
       with
        Invalid_argument _ ->
          raise (AssertFailure (lazy (Printf.sprintf
           "Local and canonical context %s have different lengths"
           (NCicPp.ppterm ~subst ~metasenv ~context term))))

  and is_non_informative context paramsno c =
   let rec aux context c =
     match R.whd context c with
      | C.Prod (n,so,de) ->
         let s = typeof_aux context so in
         s = C.Sort C.Prop && aux ((n,(C.Decl so))::context) de
      | _ -> true in
   let context',dx = split_prods ~subst:[] context paramsno c in
    aux context' dx

  and check_allowed_sort_elimination ~subst ~metasenv r =
   let mkapp he arg =
     match he with
     | C.Appl l -> C.Appl (l @ [arg])
     | t -> C.Appl [t;arg] in
   let rec aux context ind arity1 arity2 =
    let arity1 = R.whd ~subst context arity1 in
    let arity2 = R.whd ~subst context arity2 in
      match arity1,arity2 with
       | C.Prod (name,so1,de1), C.Prod (_,so2,de2) ->
          if not (R.are_convertible ~subst ~metasenv context so1 so2) then
           raise (TypeCheckerFailure (lazy (Printf.sprintf
            "In outtype: expected %s, found %s"
            (NCicPp.ppterm ~subst ~metasenv ~context so1)
            (NCicPp.ppterm ~subst ~metasenv ~context so2)
            )));
          aux ((name, C.Decl so1)::context)
           (mkapp (S.lift 1 ind) (C.Rel 1)) de1 de2
       | C.Sort _, C.Prod (name,so,ta) ->
          if not (R.are_convertible ~subst ~metasenv context so ind) then
           raise (TypeCheckerFailure (lazy (Printf.sprintf
            "In outtype: expected %s, found %s"
            (NCicPp.ppterm ~subst ~metasenv ~context ind)
            (NCicPp.ppterm ~subst ~metasenv ~context so)
            )));
          (match arity1,ta with
            | (C.Sort (C.CProp | C.Type _), C.Sort _)
            | (C.Sort C.Prop, C.Sort C.Prop) -> ()
            | (C.Sort C.Prop, C.Sort (C.CProp | C.Type _)) ->
        (* TODO: we should pass all these parameters since we
         * have them already *)
                let inductive,leftno,itl,_,i = E.get_checked_indtys r in
                let itl_len = List.length itl in
                let _,name,ty,cl = List.nth itl i in
                let cl_len = List.length cl in
                 (* is it a singleton or empty non recursive and non informative
                    definition? *)
                 if not
                  (cl_len = 0 ||
                   (itl_len = 1 && cl_len = 1 &&
                    is_non_informative [name,C.Decl ty] leftno
                     (let _,_,x = List.nth cl 0 in x)))
                 then
                  raise (TypeCheckerFailure (lazy
                   ("Sort elimination not allowed")));
          | _,_ -> ())
       | _,_ -> ()
   in
    aux 

 in 
   typeof_aux context term

and check_mutual_inductive_defs uri ~metasenv ~subst is_ind leftno tyl = 
  (* let's check if the arity of the inductive types are well formed *)
  List.iter (fun (_,_,x,_) -> ignore (typeof ~subst ~metasenv [] x)) tyl;
  (* let's check if the types of the inductive constructors are well formed. *)
  let len = List.length tyl in
  let tys = List.rev (List.map (fun (_,n,ty,_) -> (n,(C.Decl ty))) tyl) in
  ignore
   (List.fold_right
    (fun (_,_,_,cl) i ->
       List.iter
         (fun (_,name,te) -> 
           let debruijnedte = debruijn uri len [] te in
           ignore (typeof ~subst ~metasenv tys debruijnedte);
           (* let's check also the positivity conditions *)
           if 
             not
               (are_all_occurrences_positive ~subst tys uri leftno i 0 len
                  debruijnedte) 
           then
             raise
               (TypeCheckerFailure
                 (lazy ("Non positive occurence in "^NUri.string_of_uri uri))))
         cl;
        i + 1)
    tyl 1)

and eat_lambdas ~subst ~metasenv context n te =
  match (n, R.whd ~subst context te) with
  | (0, _) -> (te, context)
  | (n, C.Lambda (name,so,ta)) when n > 0 ->
      eat_lambdas ~subst ~metasenv ((name,(C.Decl so))::context) (n - 1) ta
   | (n, te) ->
      raise (AssertFailure (lazy (Printf.sprintf "eat_lambdas (%d, %s)" n 
        (NCicPp.ppterm ~subst ~metasenv ~context te))))

and eat_or_subst_lambdas 
 ~subst ~metasenv n te to_be_subst args (context, recfuns, x as k) 
=
  match n, R.whd ~subst context te, to_be_subst, args with
  | (0, _,_,[]) -> te, k
  | (0, _,_,_::_) -> C.Appl (te::args), k
  | (n, C.Lambda (name,so,ta),true::to_be_subst,arg::args) when n > 0 ->
      eat_or_subst_lambdas ~subst ~metasenv 
       (n - 1) (S.subst arg ta) to_be_subst args k
  | (n, C.Lambda (name,so,ta),false::to_be_subst,arg::args) when n > 0 ->
      eat_or_subst_lambdas ~subst ~metasenv 
       (n - 1) ta to_be_subst args (shift_k (name,(C.Decl so)) k)
  | (n, te, _, []) -> te, k
  | (n, te, _, _::_) -> C.Appl (te::args), k

and guarded_by_destructors r_uri r_len ~subst ~metasenv context recfuns t = 
 let recursor f k t = NCicUtils.fold shift_k k (fun k () -> f k) () t in
 let rec aux (context, recfuns, x as k) t = 
  let t = R.whd ~delta:max_int ~subst context t in
(*
   prerr_endline ("GB:\n" ^ 
     NCicPp.ppcontext ~subst ~metasenv context^
     NCicPp.ppterm ~metasenv ~subst ~context t^
       string_of_recfuns ~subst ~metasenv ~context recfuns);
*)
  try
  match t with
  | C.Rel m as t when is_dangerous m recfuns -> 
      raise (NotGuarded (lazy 
        (NCicPp.ppterm ~subst ~metasenv ~context t ^ " passed around")))
  | C.Rel m ->
     (match List.nth context (m-1) with 
     | _,C.Decl _ -> ()
     | _,C.Def (bo,_) -> aux k (S.lift m bo))
  | C.Meta _ -> ()
  | C.Appl ((C.Rel m)::tl) as t when is_dangerous m recfuns ->
     let rec_no = get_recno m recfuns in
     if not (List.length tl > rec_no) then 
       raise (NotGuarded (lazy 
         (NCicPp.ppterm ~context ~subst ~metasenv t ^ 
         " is a partial application of a fix")))
     else
       let rec_arg = List.nth tl rec_no in
       if not (is_really_smaller r_uri r_len ~subst ~metasenv k rec_arg) then 
         raise (NotGuarded (lazy (Printf.sprintf ("Recursive call %s, %s is not"
          ^^ " smaller.\ncontext:\n%s") (NCicPp.ppterm ~context ~subst ~metasenv
          t) (NCicPp.ppterm ~context ~subst ~metasenv rec_arg)
          (NCicPp.ppcontext ~subst ~metasenv context))));
       List.iter (aux k) tl
  | C.Appl ((C.Rel m)::tl) when is_unfolded m recfuns ->
       let fixed_args = get_fixed_args m recfuns in
       list_iter_default2 (fun x b -> if not b then aux k x) tl false fixed_args
  | C.Appl (C.Const ((Ref.Ref (_,uri,Ref.Fix (i,j))) as r)::args) 
    when List.exists (fun t->try aux k t;false with NotGuarded _->true) args ->
      let fl,_,_ = E.get_checked_fixes r in
      let ctx_tys, bos = 
        List.split (List.map (fun (_,name,_,ty,bo) -> (name, C.Decl ty), bo) fl)
      in
      let bo = List.nth bos i in
      let fl_len = List.length fl in
      let bo = debruijn uri fl_len context bo in
      let ctx_len = List.length context in
        (* cerco i parametri fissi solo fino a j, un po aleatorio *)
      let fa = fixed_args bo j ctx_len (ctx_len + fl_len) in
      list_iter_default2 (fun x b -> if not b then aux k x) args false fa; 
      let context = context@ctx_tys in
      let k = context, recfuns, x in
      let bo, k = 
        (* potrebbe anche aggiungere un arg di cui fa push alle safe *)
        eat_or_subst_lambdas ~subst ~metasenv j bo fa args k
      in
      let k = context, (List.length context - i,UnfFix fa) :: recfuns, x in
       aux k bo
  | C.Match (Ref.Ref (_,uri,_) as ref,outtype,term,pl) as t ->
     (match R.whd ~subst context term with
     | C.Rel m | C.Appl (C.Rel m :: _ ) as t when is_safe m recfuns || m = x ->
        (* TODO: add CoInd to references so that this call is useless *)
        let isinductive, _, _, _, _ = E.get_checked_indtys ref in
        if not isinductive then recursor aux k t
        else
         let ty = typeof ~subst ~metasenv context term in
         let itl_ctx,dcl = fix_lefts_in_constrs ~subst r_uri r_len context ty in
         let args = match t with C.Appl (_::tl) -> tl | _ -> [] in
         let dc_ctx = context @ itl_ctx in
         let start, stop = List.length context, List.length context + r_len in
         aux k outtype; 
         List.iter (aux k) args; 
         List.iter2
           (fun p (_,dc) ->
             let rl = recursive_args ~subst ~metasenv dc_ctx start stop dc in
             let p, k = get_new_safes ~subst k p rl in
             aux k p) 
           pl dcl
     | _ -> recursor aux k t)
  | t -> recursor aux k t
  with
   NotGuarded _ as exc ->
    let t' = R.whd ~delta:0 ~subst context t in
    if t = t' then raise exc
    else aux k t'
 in
  try aux (context, recfuns, 1) t
  with NotGuarded s -> raise (TypeCheckerFailure s)

(*
 | C.Fix (_, fl) ->
    let len = List.length fl in
     let n_plus_len = n + len
     and nn_plus_len = nn + len
     and x_plus_len = x + len
     and tys,_ =
      List.fold_left
        (fun (types,len) (n,_,ty,_) ->
           (Some (C.Name n,(C.Decl (CicSubstitution.lift len ty)))::types,
            len+1)
        ) ([],0) fl
     and safes' = List.map (fun x -> x + len) safes in
      List.fold_right
       (fun (_,_,ty,bo) i ->
         i && guarded_by_destructors ~subst context n nn kl x_plus_len safes' ty &&
          guarded_by_destructors ~subst (tys@context) n_plus_len nn_plus_len kl
           x_plus_len safes' bo
       ) fl true
 | C.CoFix (_, fl) ->
    let len = List.length fl in
     let n_plus_len = n + len
     and nn_plus_len = nn + len
     and x_plus_len = x + len
     and tys,_ =
      List.fold_left
        (fun (types,len) (n,ty,_) ->
           (Some (C.Name n,(C.Decl (CicSubstitution.lift len ty)))::types,
            len+1)
        ) ([],0) fl
     and safes' = List.map (fun x -> x + len) safes in
      List.fold_right
       (fun (_,ty,bo) i ->
         i &&
          guarded_by_destructors ~subst context n nn kl x_plus_len safes' ty &&
          guarded_by_destructors ~subst (tys@context) n_plus_len nn_plus_len kl
           x_plus_len safes' bo
       ) fl true
*)

and guarded_by_constructors ~subst ~metasenv _ _ _ _ _ _ _ = true

and recursive_args ~subst ~metasenv context n nn te =
  match R.whd context te with
  | C.Rel _ | C.Appl _ | C.Const _ -> []
  | C.Prod (name,so,de) ->
     (not (does_not_occur ~subst context n nn so)) ::
      (recursive_args ~subst ~metasenv 
        ((name,(C.Decl so))::context) (n+1) (nn + 1) de)
  | t -> 
     raise (AssertFailure (lazy ("recursive_args:" ^ NCicPp.ppterm ~subst
     ~metasenv ~context:[] t)))

and get_new_safes ~subst (context, recfuns, x as k) p rl =
  match R.whd ~subst context p, rl with
  | C.Lambda (name,so,ta), b::tl ->
      let recfuns = (if b then [0,Safe] else []) @ recfuns in
      get_new_safes ~subst 
        (shift_k (name,(C.Decl so)) (context, recfuns, x)) ta tl
  | C.Meta _ as e, _ | e, [] -> e, k
  | _ -> raise (AssertFailure (lazy "Ill formed pattern"))

and split_prods ~subst context n te =
  match n, R.whd ~subst context te with
  | 0, _ -> context,te
  | n, C.Prod (name,so,ta) when n > 0 ->
       split_prods ~subst ((name,(C.Decl so))::context) (n - 1) ta
  | _ -> raise (AssertFailure (lazy "split_prods"))

and is_really_smaller 
  r_uri r_len ~subst ~metasenv (context, recfuns, x as k) te 
=
 match R.whd ~subst context te with
 | C.Rel m when is_safe m recfuns -> true
 | C.Lambda (name, s, t) ->
    is_really_smaller r_uri r_len ~subst ~metasenv (shift_k (name,C.Decl s) k) t
 | C.Appl (he::_) ->
    is_really_smaller r_uri r_len ~subst ~metasenv k he
 | C.Appl _
 | C.Rel _ 
 | C.Const (Ref.Ref (_,_,Ref.Con _)) -> false
 | C.Const (Ref.Ref (_,_,Ref.Fix _)) -> assert false
   (*| C.Fix (_, fl) ->
      let len = List.length fl in
       let n_plus_len = n + len
       and nn_plus_len = nn + len
       and x_plus_len = x + len
       and tys,_ =
        List.fold_left
          (fun (types,len) (n,_,ty,_) ->
             (Some (C.Name n,(C.Decl (CicSubstitution.lift len ty)))::types,
              len+1)
          ) ([],0) fl
       and safes' = List.map (fun x -> x + len) safes in
        List.fold_right
         (fun (_,_,ty,bo) i ->
           i &&
            is_really_smaller ~subst (tys@context) n_plus_len nn_plus_len kl
             x_plus_len safes' bo
         ) fl true*)
 | C.Meta _ -> true 
 | C.Match (Ref.Ref (_,uri,_) as ref,outtype,term,pl) ->
    (match term with
    | C.Rel m | C.Appl (C.Rel m :: _ ) when is_safe m recfuns || m = x ->
        (* TODO: add CoInd to references so that this call is useless *)
        let isinductive, _, _, _, _ = E.get_checked_indtys ref in
        if not isinductive then
          List.for_all (is_really_smaller r_uri r_len ~subst ~metasenv k) pl
        else
          let ty = typeof ~subst ~metasenv context term in
          let itl_ctx,dcl= fix_lefts_in_constrs ~subst r_uri r_len context ty in
          let start, stop = List.length context, List.length context + r_len in
          let dc_ctx = context @ itl_ctx in
          List.for_all2
           (fun p (_,dc) -> 
             let rl = recursive_args ~subst ~metasenv dc_ctx start stop dc in
             let e, k = get_new_safes ~subst k p rl in
             is_really_smaller r_uri r_len ~subst ~metasenv k e)
           pl dcl
    | _ -> List.for_all (is_really_smaller r_uri r_len ~subst ~metasenv k) pl)
 | _ -> assert false

and returns_a_coinductive ~subst context ty =
  match R.whd ~subst context ty with
  | C.Const (Ref.Ref (_,uri,Ref.Ind _) as ref) 
  | C.Appl (C.Const (Ref.Ref (_,uri,Ref.Ind _) as ref)::_) ->
     let isinductive, _, _, _, _ = E.get_checked_indtys ref in
     if isinductive then None else (Some uri)
  | C.Prod (n,so,de) ->
     returns_a_coinductive ~subst ((n,C.Decl so)::context) de
  | _ -> None

and type_of_constant ((Ref.Ref (_,uri,_)) as ref) = 
  let cobj =
    match E.get_obj uri with
    | true, cobj -> cobj
    | false, uobj ->
       !logger (`Start_type_checking uri);
       check_obj_well_typed uobj;
       E.add_obj uobj;
       !logger (`Type_checking_completed uri);
       uobj
  in
  match cobj, ref with
  | (_,_,_,_,C.Inductive (_,_,tl,_)), Ref.Ref (_,_,Ref.Ind i)  ->
      let _,_,arity,_ = List.nth tl i in arity
  | (_,_,_,_,C.Inductive (_,_,tl,_)), Ref.Ref (_,_,Ref.Con (i,j))  ->
      let _,_,_,cl = List.nth tl i in 
      let _,_,arity = List.nth cl (j-1) in 
      arity
  | (_,_,_,_,C.Fixpoint (_,fl,_)), Ref.Ref (_,_,(Ref.Fix (i,_)|Ref.CoFix i)) ->
      let _,_,_,arity,_ = List.nth fl i in
      arity
  | (_,_,_,_,C.Constant (_,_,_,ty,_)), Ref.Ref (_,_,(Ref.Def |Ref.Decl)) -> ty
  | _ -> raise (AssertFailure (lazy "type_of_constant: environment/reference"))

and check_obj_well_typed (uri,height,metasenv,subst,kind) =
 (* CSC: here we should typecheck the metasenv and the subst *)
 assert (metasenv = [] && subst = []);
 match kind with
   | C.Constant (_,_,Some te,ty,_) ->
      let _ = typeof ~subst ~metasenv [] ty in
      let ty_te = typeof ~subst ~metasenv [] te in
      if not (R.are_convertible ~subst ~metasenv [] ty_te ty) then
       raise (TypeCheckerFailure (lazy (Printf.sprintf (
        "the type of the body is not convertible with the declared one.\n"^^
        "inferred type:\n%s\nexpected type:\n%s")
        (NCicPp.ppterm ~subst ~metasenv ~context:[] ty_te) 
        (NCicPp.ppterm ~subst ~metasenv ~context:[] ty))))
   | C.Constant (_,_,None,ty,_) -> ignore (typeof ~subst ~metasenv [] ty)
   | C.Inductive (is_ind, leftno, tyl, _) -> 
       check_mutual_inductive_defs uri ~metasenv ~subst is_ind leftno tyl
   | C.Fixpoint (inductive,fl,_) ->
      let types, kl, len =
        List.fold_left
         (fun (types,kl,len) (_,name,k,ty,_) ->
           let _ = typeof ~subst ~metasenv [] ty in
            ((name,(C.Decl (S.lift len ty)))::types, k::kl,len+1)
         ) ([],[],0) fl
      in
      let dfl, kl =   
        List.split (List.map2 
          (fun (_,_,_,_,bo) rno -> 
             let dbo = debruijn uri len [] bo in
             dbo, Evil rno)
          fl kl)
      in
      List.iter2 (fun (_,name,x,ty,_) bo ->
       let ty_bo = typeof ~subst ~metasenv types bo in
       if not (R.are_convertible ~subst ~metasenv types ty_bo (S.lift len ty))
       then raise (TypeCheckerFailure (lazy ("(Co)Fix: ill-typed bodies")))
       else
        if inductive then begin
          let m, context = eat_lambdas ~subst ~metasenv types (x + 1) bo in
          let r_uri, r_len =
            let he =
             match List.hd context with _,C.Decl t -> t | _ -> assert false
            in
            match R.whd ~subst (List.tl context) he with
            | C.Const (Ref.Ref (_,uri,Ref.Ind _) as ref)
            | C.Appl (C.Const (Ref.Ref (_,uri,Ref.Ind _) as ref) :: _) ->
                let _,_,itl,_,_ = E.get_checked_indtys ref in
                  uri, List.length itl
            | _ -> assert false
          in
          (* guarded by destructors conditions D{f,k,x,M} *)
          let rec enum_from k = 
            function [] -> [] | v::tl -> (k,v)::enum_from (k+1) tl 
          in
          guarded_by_destructors r_uri r_len 
           ~subst ~metasenv context (enum_from (x+2) kl) m
        end else
         match returns_a_coinductive ~subst [] ty with
          | None ->
              raise (TypeCheckerFailure
                (lazy "CoFix: does not return a coinductive type"))
          | Some uri ->
              (* guarded by constructors conditions C{f,M} *)
              if not (guarded_by_constructors ~subst ~metasenv
                  types 0 len false bo [] uri)
              then
                raise (TypeCheckerFailure
                 (lazy "CoFix: not guarded by constructors"))
        ) fl dfl

let typecheck_obj = check_obj_well_typed;;

(* EOF *)