Foundations of Higher-Order Logic

(1)

3. Foundations of Higher-Order Logic 3.0

Chapter 3

Foundations of Higher-Order Logic

©Arnd Poetzsch-Heffter et al. TU Kaiserslautern 136

Overview of Chapter

3. Foundations of Higher-Order Logic 3.1 Introduction

3.2 Foundation of HOL

3.3 Conservative Extension of Theories

Overview

1. Introduction to higher-order logic 2. Foundation of higher-order logic 3. Conservative extension of theories

Section 3.1

Introduction

(2)

A bit of history and context

• Gottlob Frege proposed a system on which (he thought) all

mathematics could be derived (in principle): Begriffssschrift (1879)

• Bertrand Russell found paradox in Frege’s system and proposed the Ramified Theory of Types

• Wrote Principia Mathematica with Whitehead, an attempt at developing basic mathematics completely formally

(“My intellect never recovered from the strain”)

Russel’s paradox

Theorem

Let S ={^x |^x <x}^{, then S} ∈S if and only if S <S Proof.

• IfS ∈^{S, then}^S <S.

• IfS <^{S, then}^S ∈^S^.

Remark

• Thus, we found a mathematical contradiction.

• Logical point of view: we derivedF ↔ ¬^F ^where^F ≡(S ∈^S); thus, we can deriveFalse, and consequently, every formula.

Approaches to avoid inconsistencies

• Type theory:

I Russel: Use a hierarchy of types to avoid self-referential expressions

I A. Church proposed a simple type theory (1940)

I many approaches extend Church’s type theory (HOL, Calculus of constructions, etc.)

• Set theoryis often seen asthebasis for mathematics.

I Zermelo-Fraenkel, Bernays-Goedel,. . .

I Set theories distinguish between sets and classes.

I Consistency maintained as some collections are „too big“ to be sets, e.g., class of all sets is not a set. A class cannot belong to another class (let alone a set)! Set theory

Remark

Web-page listing approaches to formalize mathematics and logics:

http://www.cs.ru.nl/~freek/digimath/index.html

Aspects of HOL

• Higher-order logic (HOL) is anexpressive foundationfor

I mathematics: analysis, algebra,. . .

I computer science: program correctness, hardware verification,. . .

• Reasoning in HOL is classical.

• Still important:modelingof problems (now in HOL).

• Still important:derivingrelevant reasoning principles.

(3)

Aspects of HOL (2)

• HOL offerssafety through strength:

I small kernel of constants and axioms

I safety via conservative (definitional) extensions

• Contrast with

I weaker logics (e.g., propositional logic, FOL): can’t define much

I axiomatic extensions: can lead to inconsistency Bertrand Russell:

“The method of "postulating" what we want has many advantages;

they are the same as the advantages of theft over honest toil.”

(Introduction to Mathematical Philosophy, 1919)

Choice of Isabelle/HOL

Rationale for Isabelle/HOL

We useIsabelle/HOL, the HOL specialization of the generic proof assistant Isabelle:

• HOL vs. set theory:

I types are helpful for computer science applications

I HOL is sufficiently expressive for most applications (in general, ZF set theory is more expressive)

I “If you prefer ML to Lisp, you will probably prefer HOL to ZF” (quote by Larry Paulson)

• Isabelle/HOL vs. other HOL systems: pragmatic advantages overthe HOL systemorPVS

• Constructive alternatives for HOL:CoqorNuprl, classical reasoning not supported

About the term „higher-order logic“

1st-order: supports functions and predicates over individuals (0th-order objects) and quantification of individuals:

∀^x,y.R(x,y)−→^R(y,x)

2nd-order: supports functions and predicates that have first-order functions as arguments or results and allow quantification over first-order predicates and functions:

∀^P.∀^m.P(0)∧(∀ⁿ.P(n)−→^P(Suc(n)))−→^P(m) ...

„higher order“ ! union of all finite orders

3. Foundations of Higher-Order Logic 3.2 Foundation of HOL

Section 3.2

Foundation of HOL

(4)

Starting remarks

Simplification

In the rest of this chapter, we only consider

• a core syntax of HOL (not the rich syntax of Isabelle/HOL)

• a version of HOL without parameterized types (not the richer type system of Isabelle/HOL; cf. [GordonMelham93] for a version with parametric polymorphism)

Goals:

• Learn the semantics and axiomatic foundation of HOL

• Learn some meta-level properties about HOL

• Deepen the understanding of what verification is about

Basic HOL Syntax (1)

• Types:

τ::=bool |^ind|τ⇒τ

I boolandindare also calledoandiin the literature [Chu40, And86]

I no user-defined type constructors, e.g.,bool list

I no polymorphic type definitions, e.g.,αlist

• Terms: LetVbe a set of variables andCa set of constants:

T ::=V | C | (T T) | λV.T

I Terms are simply typed(no type parameters)

I Terms of typeboolare called(well-formed) formulas.

Basic HOL Syntax (2)

• Theconstantsof HOL are typed and include at least:

True,False :: bool

_=_ :: α⇒α⇒^bool (for all typesα∈τ) _−→^_ :: bool⇒^bool⇒^bool

ι_ :: (α⇒^bool)⇒α (for all typesα∈τ)

• ιis called thedescription operator:

ιp yields the unique elementx for which(p x)isTrue, if such a uniquex exists. Otherwise, it yields an arbitrary value (of typeα).

• Note that in Isabelle/HOL, the provisos „for all typesα∈τ“ can be expressed by type variables.

HOL Semantics

• Intuitively an extension of many-sorted semantics with functions

I FOL (w/o sorts): formulas are interpreted in a structure consisting of a domain/universe and functions/predicates

hD,(f_i)_i∈F,(p_i)_i∈Pi

I Many-sorted FOL: there is a domain for each sorts ∈^S^where^S^is finite; functions/predicates have a sorted signature:

h(Ds)s∈S,(fi)i∈F,(pi)i∈Pi

I HOL: domainDis indexed by (infinitely many) types

• Our presentation ignores polymorphism on the object-logical level, it is treated on the meta-level, though (for a version covering

object-level parametric polymorphism cf. [GordonMelham93]).

(5)

Universes are prerequisite for HOL models

Definition (Universe)

A collection of setsUis called auniverse, if it satisfies the following closure conditions:

Inhab: EachX ∈ Uis a nonempty set Sub: IfX ∈ U ^and^Y ,0⊆^X^{, then}^Y ∈ U Prod: IfX,Y ∈ U^then^X ×^Y ∈ U^where

X×^Y is the Cartesian product ({{^x},{^x,y}}^encodes(x,y)) Pow: IfX ∈ U ^thenP(X) ={^Y :Y ⊆^X} ∈ U

Infty:U contains an infinite set of individuals

Remarks on universes U

• Representation of function spaces in universes:

X ⇒^Y is the set of all (total) functions fromX toY where a function is represented by its graph

I ForXandYnonempty,X ⇒^Y is a nonempty subset ofP(X×^Y)

I From closure conditions: IfX,Y ∈ U^{, then}^X⇒^Y∈ U^.

• Universes have two distinguished sets:

Unit: A distinguished set{¹}with exactly one element

Bool: A distinguished set{^T,F}with exaclty two element sets (existence follows fromInftyandSub)

Frames

Definition (frame) LetU be a universe.

Aframeis a collection(D^α)α∈τwithD^α ∈ U^{for all}α∈τand

• Dbool ={^T,F}

• Dind =X whereX is someinfiniteset ofindividuals

• D^α⇒β ⊆ D^α ⇒ D^β^{, i.e.} ^somecollection of functions fromD^α ^toD^β Examples

Some of the subsetsD^α⇒β might contain, e.g.,

• the identity function, others do not

• only the computable functions

Interpretations

Definition (Interpretation)

Aninterpretationh(D^α)α∈τ,Jiconsists of a frame(D^α)α∈τ and a function J mapping the constants of typeαto elements ofD^α^:

• J(True) =T andJ(False) =F

• J(=α⇒α⇒^bool)is the identity onD^α

• J(−→bool⇒^bool⇒^bool)denotes the implication function overDbool, i.e., b −→^b⁰ =

( _F _if_b

=T andb⁰ =F T otherwise

(6)

Interpretations (2)

• J(ι_(α_⇒_bool₎_⇒_α)∈(D^α ⇒ Dbool)⇒ D^α denotes the function the(p) =

( a ifp= (λx.x =a)

y otherwise, wherey is some element ofD^α Remark

We have to make sure that

• the interpretations of the constants are elements of the frame

• all definable functions are elements of the frame

Generalized models

Definition (Generalized models)

An interpretationM=h(D^α)α∈τ,Ji^{is a}(general) model for HOLiff there is a binary functionV^M such that for all type-indexed families of variable assignmentsρ= (ρα)α∈τ:

• (a) V^M(ρ,x_α) =ρ_α(x_α)

(b) V^M(ρ,c) =J(c), for constantsc (c) V^M(ρ,sα⇒βtα) =V^M(ρ,s)V^M(ρ,t)

i.e., the value of the functionV^M(ρ,s)at the argumentV^M(ρ,t) (d) V^M(λxα.tβ) =“the function fromD^α^intoD^βwhose value

for eachz ∈ DαisV^M(ρ[x ←^z],t)”

• Ift is a term of typeα, thenV^M(ρ,t)∈ D^α^.

Generalized Models - Facts (1)

• IfMis a general model andρa variable assignment, thenV^M(ρ,t)is uniquely determined, for every termt.

V^M(ρ,t)is thevalueoft inMw.r.t. ρ.

• Gives rise to the standard notion ofsatisfiability/validity:

I We writeV^M, ρ|=φforV^M(ρ, φ) =T.

I φissatisfiableinMifV^M, ρ|=φfor some variable assignmentρ.

I φisvalidinMifV^M, ρ|=φ, for every variable assignmentρ.

I φisvalid(in the general sense) ifφis valid in every general modelM.

Generalized Models - Facts (2)

• Not all interpretations are general models.

• Closure conditions guarantee that every well-formed term has a value under every assignment, e.g.,

closure under functions: identity function fromD^α^toD^α ^must belong toD^α⇒αso thatV^M(ρ, λxα.x)is defined.

closure under application:

I ifDNis set of natural numbers and

I DN⇒N⇒N contains addition functionpwherep x y =x+y

I thenDN⇒N must containk x=2x+5

sincek =V^M(ρ, λx.f (f x x)y)whereρ(f) =pandρ(y) =5.

(7)

Standard models

Definition (Standard Models:)

Ageneral modelis astandard modeliff for allα, β∈τ,D^α⇒βis the set of allfunctions fromD^α^toD^β

Remarks

• A standard model is a general model, but not necessarily vice versa.

• Analogous definitions for satisfiability and validity w.r.t. standard models.

Isabelle/HOL

We introduce HOL in Isabelle’s meta-logic:

consts

True :: bool False :: bool

Not :: bool⇒^bool ^("‘¬_"’ [40] 40)

If :: [bool, ’a, ’a ]⇒^’a ("‘if _ then _ else _)"’) The :: (’a⇒^bool)⇒^’a ^(binder"‘THE"’ 10) All :: (’a⇒^bool)⇒bool (binder"‘∀^{"’ 10)} Ex :: (’a⇒^bool)⇒bool (binder"‘∃^{"’ 10)}

= :: [’a,’a]⇒^bool ^(infixl⁵⁰⁾

∧ :: [bool, bool]⇒bool (infixr 35)

∨ :: [bool, bool]⇒bool (infixr 30)

−→ :: [bool, bool]⇒bool (infixr 25)

Core definitions of HOL

defs

True_def: True ≡((λx ::bool.x) = (λx.x)) All_def: All(P) ≡(P = (λx.True))

Ex_def: Ex(P) ≡ ∀^Q.(∀^x.Px −→^Q)−→^Q False_def: False ≡(∀^P.P)

not_def: ¬^P ≡^P −→^False

and_def: P∧^Q ≡ ∀^R.(P −→^Q −→^R)−→^R

or_def: P∨^Q ≡ ∀^R.(P −→^R)−→(Q −→^R)−→^R if_def: IfP×^y ≡^THE^z :: ⁰a.(P =True−→^z=x)∧ (P =False−→^z =y)

The axioms and rules of HOL

axioms/rules

refl: "t=t"

subst: "~s =t; P(s)=⇒^P(t)"

ext: "(V_x.f x =g x) =⇒(λx.f x) = (λx.g x)"

impl: "(P =⇒^Q) =⇒^P −→^Q"

mp: "~P −→^Q;P =⇒ ^Q"

iff: "(P −→^Q)−→(Q −→^P)−→(P =Q)"

True_or_False: "(P =True)∨(P=False)"

the_eq_trivial: "(THEx.x =b) = (b :: ⁰a)"

(8)

The axioms and rules of HOL (2)

Additionally, there is:

• universalα, β, andηcongruence on terms (implicitly),

• theaxiom of infinity, and

• the axiom of choice (Hilbert operator).

• This is the entire basis!

Properties of HOL

Theorem 1 (Soundness of HOL) HOL is sound:

`φ implies φis valid in the general/standard sense

Theorem 2 (Incompleteness of HOL) HOL is incomplete w.r.t. standard models:

There existφthat are valid in the standard sense, but 0φ

Remark

[And86, Chap. 5-7] presents proofs for these theorems. Note, however, that [And86] does not restrict the semantics to models whereDind is infinite.

3. Foundations of Higher-Order Logic 3.3 Conservative Extension of Theories

Section 3.3

Conservative Extension of Theories

Basic ideas

• Theories are stepwise extension of the core theory of HOL

• Extensions may introduce new constants and new types

• Inconsistencies are avoided by construction

• Syntactical mechanisms are used to make extensions more convenient

Remark

Extensions only introduce names for “things” that already exist in the core theory.

(9)

Basic definitions

Terminology and basic definitions (cf. [GordonMelham93]):

Definition (Theory)

A (syntactic)theoryT is a triple(χ,Σ,A)where

• χis a set of type names

• Σis a set of typed function/constant names using types ofχ

• A is a set of axioms overΣ Definition (Consistent)

A theory T isconsistentiffFalseis not provable in T: A 0 _False Definition (Theory extension)

A theoryT⁰ = (χ⁰,Σ⁰,A⁰)is an extension of a theoryT = (χ,Σ,A)iff χ⊆χ⁰ andΣ⊆Σ⁰ andA ⊆^A⁰^.

Basic definitions (cont.)

Definition (Conservative extension) LetT = (χ,Σ,A)andTh(T) ={φ|^A `φ}^;

a theory extensionT⁰ = (χ⁰,Σ⁰,A⁰)ofT isconservativeiff Th(T) = (Th(T⁰)|Σ)

where|Σrestricts sets of formulas to those containing only names inΣ. Lemma (Consistency)

If T⁰is a conservative extension of a consistent theory T, then False<Th(T⁰)

Syntactic schemata for conservative extensions

Not every extension is conservative:

Counterexample

LetT = (χ,Σ,A)such thatA includes the axioms of HOL andT is consistent.

T⁰ = (χ,Σ,A∪ { ∀^fbool⇒^bool.x =f x})isnota conservative extension ofT.

We consider conservative extensions by:

• constant definitions

• type definitions Remark

Cf. [GordonMelham93] for other extension schemata

Constant definitions

Definition (Constant definition)

A theory extensionT⁰ = (χ⁰,Σ⁰,A⁰)ofT = (χ,Σ,A)is called aconstant definitioniff

• χ⁰ =χandΣ⁰ = Σ∪ {^c ::α}^withα∈χandc <Σ

• A⁰ =A∪ {^c =E}

• Edoes not containc (no recursion)

• Eis closed (no free variables)

• (no subterm ofEhas a type containing a type variable that is not contained in the type of c)

(10)

Why side conditions?

• no recursion and closedness guarantee well-definedness

• Consider the following definition with a free type variable:

c = (∃^x :: ⁰a.∃^y :: ⁰a.x ,y) If the language allows to instantiate the type variables:

c =c (by refl)

=⇒ (∃^x ::bool.∃^y ::bool.x ,y) = (∃^x ::Unit.∃^y ::Unit.x ,y)

=⇒ ^True=False

=⇒ ^False

Constant definitions are conservative

Lemma (Constant definition)

A constant definition is a conservative extension.

Proof.

Proof sketch:

• Th(T)⊆(Th(T⁰)|Σ) : from definition ofTh

• (Th(T⁰)|Σ)⊆^Th(T) : letπ⁰ be a proof forφ∈(Th(T⁰)|Σ). We unfold any subterm inπ⁰that containsc byc =Eintoπ. πis a proof inT, i.e.,φ∈^Th(T).

Constant definitions in Isabelle/HOL

Definitions ofTrue,False,All,Ex,¬^,∧^,∨^,^if,^let^: True :: bool

False :: bool

Not :: bool⇒^bool ^("‘¬_"’ [40] 40) If :: [bool, ’a, ’a ]⇒^’a ("‘if _ then _ else _)"’) Let :: [’a, ’a⇒^’b]⇒^’b

The :: (’a⇒^bool)⇒^’a ^(binder"‘THE"’ 10) All :: (’a⇒^bool)⇒bool (binder"‘∀^{"’ 10)} Ex :: (’a⇒^bool)⇒bool (binder"‘∃^{"’ 10)}

= :: [’a,’a]⇒^bool ^(infixl⁵⁰⁾

∧ :: [bool, bool]⇒bool (infixr 35)

∨ :: [bool, bool]⇒bool (infixr 30)

−→ :: [bool, bool]⇒bool (infixr 25)

Constant definitions in Isabelle/HOL (2)

True_def: True ≡ ((λx ::bool.x) = (λx.x)) All_def: All(P) ≡ (P = (λx.True))

Ex_def: Ex(P) ≡ ∀^Q.(∀^x.Px −→^Q)−→^Q False_def: False ≡ (∀^P.P)

not_def: ¬^P ≡ ^P −→^False

and_def: P∧^Q ≡ ∀^R.(P −→^Q−→^R)−→^R

or_def: P∨^Q ≡ ∀^R.(P −→^R)−→(Q −→^R)−→^R if_def: IfP×^y ≡ ^THE^z :: ⁰a.(P =True−→^z=x)∧ (P =False−→^z =y) Let_def: Lets f ≡ ^f(s)

(11)

Approaching type definitions

Idea

• Specify a subset of the elements of an existing typer

• “Copy” the subset and use the copy as value set of the new typet

• Link old and new type by two functions

More precisely, the definition of a new typetis based on:

• an existing typer

• a predicateS ::r ⇒ bool, defining anon-empty“subset” ofr;

• an abstraction functionAbs_t :: r ⇒^t

• a representation functionRep_t ::t ⇒^r

• axioms stating a bijection between the set characterized byS and the new typet.

Type definitions as theory extensions

Definition (Type definition)

LetT = (χ,Σ,A)be a theory andr ∈χandSa term of typer ⇒^bool.

A theory extensionT⁰ = (χ⁰,Σ⁰,A⁰)ofT is atype definitionfort witht <χ iff

• χ⁰ =χ∪ {^t}

• Σ⁰ = Σ∪ {^Abst ::r ⇒ ^t, Rept ::t ⇒^r }

• A⁰ =A∪ { ∀^x.Abst(Rept x) =x, ∀^y.S y−→^Rept(Abst y) =y }

• One has to proveT ` ∃^x.S x (using Isabelle/HOL) Lemma (Type definition)

A type definition is a conservative extension.

For a proof see [GordonMelham93]

The nature of extensions

Remark

This may seem strange: if a new type is always isomorphic to a subset of an existing type, how is this construction going to lead to a “rich” collection of types for large-scale applications?

• But in fact, due toindand⇒, the types in HOL are already very rich.

• Thus, extensions essentially give names to values and types that have already been “expressible” in the “old” theory.

• Extensions allow to formulate theorems in a more compact and readable way.

We now give two examples revealing the power of type definitions:

• Typed sets

• Pairs

Types for sets

We define the new typenatset containing all sets of natural numbers:

• existing type:(nat ⇒^bool)

• predicateS:: (nat ⇒^bool)⇒^bool,S ≡ λf.True

• χ⁰ =χ∪ {^natset}

• Σ⁰ = Σ∪ {^Absnatset :: (nat ⇒^bool)⇒^natset, Rep_natset ::natset ⇒(nat⇒^bool)}

• A⁰ =A∪ { ∀^x.Abs_natset(Rep_natset x) =x,

∀^y.True−→^Repnatset(Absnatset y) =y }

• One has to proveT ` ∃^x.(λf.True)x (using Isabelle/HOL)

(12)

Remarks on the set type

Remarks

• Isabelle/HOL allows to define a parametric type αset whereαis a type variable.

• Functions of typeα⇒^boolare used to represent sets, i.e., sets are represented by theircharacteristic function.

• In(Absαset f), the abstraction functionAbsαset can thus be read as

“interpretf as a set”.

• Here, sets are just an example to demonstrate type definitions.

Later we study them for their own sake.

Approaching the types for pairs

Given some typesαandβ.

How can we represent pairs, i.e., define the typeα×β? Idea:

• Existing type:α⇒ β⇒^bool

• Represent pairs as functions of typeα⇒ β⇒^bool)

• Use functionλx ::α. λy ::β.x =a∧^y =b to represent the pair(a,b)

• It is clear that there is exactly one function for each pair.

• There are also functions of typeα⇒β⇒ ^boolthat do not represent a pair, i.e., we have to define a nontrivialS.

Types for pairs

We define the new typeα×β:

• existing type: α⇒β⇒^bool

• predicateS ≡ λf ::α⇒β⇒^bool.

∃^a.∃^b.f =λx ::α. λy :: β.x =a∧^y =b

• χ⁰=χ∪ {α×β} Remark

Isabelle/HOL provides a special syntax for type definitions.

Type definitions in Isabelle/HOL

Syntax for type definitions

typedef (typevars) T’ = "{x. A(x)}"

Relation with explained schema:

• The new type isT⁰

• r is the type ofx (inferred)

• Sisλx.A x

• ConstantsAbsT⁰ andRepT⁰ are automatically generated.

(13)

Conservative extensions: Summary

• We have presented a method tosafelybuild up larger theories:

I Constant definitions

I Type definitions

• Subtle side conditions

• New types must be isomorphic to a “subset” of an existing type.

• Isabelle/HOL uses these conservative extensions to

I build up the theoryMainfrom the core definitions of HOL (cf. Tutorials and manuals for Isabelle2011-1)

I provide more convenient specialized syntax for conservative extensions (datatype, primrec, function, ...)

Conclusions of Chap. 3

• HOL generalizes semantics of FOL

I boolserves as type of propositions

I Syntax/semantics allows for higher-order functions

• Logic is rather minimal: 8 rules, more-or-less obvious

• Logic is very powerful in terms of what we can represent/derive.

I Other “logical” syntax

I Rich theories via conservative extensions

Questions

1. What is the foundational reason that HOL is typed? Are there other reasons w.r.t. an application in computer science?

2. What does “higher-order” mean?

3. Why is predicate logic not sufficient? Give an example?

4. What are the types in HOL?

5. What are the terms in HOL? Give examples of constants.

6. Explain the description operator.

7. What is a frame? What is an interpretation?

8. How is satisfiability defined?

Questions (2)

9. What is a standard model?

10. Give and explain one of the axioms of HOL?

11. Can the constants True and False be defined in HOL?

12. What does it mean that HOL+infinity is incomplete wrt. standard models?

13. What is a conservative extension?

14. What is the advantage of conservative extensions over axiomatic definitions?

15. Which syntactic schemata for conservative extensions were treated in the lecture?

16. Give examples of constant definitions.

17. Explain the definitions of new types?

18. Does a data type definition in Isabelle/HOL lead to a new type?