Foundations of Higher-Order Logic

(1)

3. Foundations of Higher-Order Logic 3.0

Chapter 3

Foundations of Higher-Order Logic

©Arnd Poetzsch-Heffter et al. TU Kaiserslautern 136

Overview of Chapter

3. Foundations of Higher-Order Logic 3.1 Introduction

3.2 Foundation of HOL

3.3 Conservative Extension of Theories

Overview

1. Introduction to higher-order logic 2. Foundation of higher-order logic 3. Conservative extension of theories

Section 3.1

Introduction

(2)

A bit of history and context

• Gottlob Frege proposed a system on which (he thought) all

mathematics could be derived (in principle): Begriffssschrift (1879)

• Bertrand Russell found paradox in Frege’s system and proposed the Ramified Theory of Types

• Wrote Principia Mathematica with Whitehead, an attempt at developing basic mathematics completely formally

(“My intellect never recovered from the strain”)

Russel’s paradox

Theorem

Let S ={^x |^x <x}^{, then S} ∈S if and only if S <S Proof.

• IfS ∈^{S, then}^S <S.

• IfS <S, thenS ∈^S^.

Remark

• Thus, we found a mathematical contradiction.

• Logical point of view: we derivedF ↔ ¬^F ^where^F ≡(S ∈^S); thus, we can deriveFalse, and consequently, every formula.

• To solve the problem, it is not sufficient to

Approaches to avoid inconsistencies

• Type theory:

I Russel: Use a hierarchy of types to avoid self-referential expressions

I A. Church proposed a simple type theory (1940)

I many approaches extend Church’s type theory (HOL, Calculus of constructions, etc.)

• Set theoryis often seen asthebasis for mathematics.

I Zermelo-Fraenkel, Bernays-Goedel,. . .

I Set theories distinguish between sets and classes.

I Consistency maintained as some collections are „too big“ to be sets, e.g., class of all sets is not a set. A class cannot belong to another class (let alone a set)! Set theory

Remark

Web-page listing approaches to formalize mathematics and logics:

Aspects of HOL

• Higher-order logic (HOL) is anexpressive foundationfor

I mathematics: analysis, algebra,. . .

I computer science: program correctness, hardware verification,. . .

• Reasoning in HOL is classical.

• Still important:modelingof problems (now in HOL).

• Still important:derivingrelevant reasoning principles.

(3)

Aspects of HOL (2)

• HOL offerssafety through strength:

I small kernel of constants and axioms

I safety via conservative (definitional) extensions

• Contrast with

I weaker logics (e.g., propositional logic, FOL): can’t define much

I axiomatic extensions: can lead to inconsistency Bertrand Russell:

“The method of "postulating" what we want has many advantages;

they are the same as the advantages of theft over honest toil.”

(Introduction to Mathematical Philosophy, 1919)

Choice of Isabelle/HOL

Rationale for Isabelle/HOL

We useIsabelle/HOL, the HOL specialization of the generic proof assistant Isabelle:

• HOL vs. set theory:

I types are helpful for computer science applications

I HOL is sufficiently expressive for most applications (in general, ZF set theory is more expressive)

I “If you prefer ML to Lisp, you will probably prefer HOL to ZF” (quote by Larry Paulson)

• Isabelle/HOL vs. other HOL systems: pragmatic advantages overthe HOL systemorPVS

• Constructive alternatives for HOL:CoqorNuprl, classical reasoning not supported

About the term „higher-order logic“

1st-order: supports functions and predicates over individuals (0th-order objects) and quantification of individuals:

∀^x,y.R(x,y)−→^R(y,x)

2nd-order: supports functions and predicates that have first-order functions as arguments or results and allow quantification over first-order predicates and functions:

∀^P.∀^m.P0∧(∀ⁿ.Pn−→^P(Sucn))−→^Pm ...

„higher order“ ! union of all finite orders

3. Foundations of Higher-Order Logic 3.2 Foundation of HOL

Section 3.2

Foundation of HOL

(4)

Starting remarks

Simplification

In the rest of this chapter, we only consider

• a core syntax of HOL (not the rich syntax of Isabelle/HOL)

• a version of HOL without parameterized types (not the richer type system of Isabelle/HOL; cf. [GordonMelham93] for a version with parametric polymorphism)

Goals:

• Learn the semantics and axiomatic foundation of HOL

• Learn some meta-level properties about HOL

• Deepen the understanding of what verification is about

Basic HOL Syntax (1)

• Types:

τ::=bool |^ind|τ⇒τ

I boolandindare also calledoandiin the literature [Chu40, And86]

I no user-defined type constructors, e.g.,bool list

I no polymorphic type definitions, e.g.,αlist

• Terms: LetVbe a set of variables andCa set of constants:

T ::=V | C | (T T) | λV.T

I Terms are simply-typed.

I Terms of typeboolare called(well-formed) formulas.

Basic HOL Syntax (2)

• Theconstantsof HOL are typed and include at least:

True,False :: bool

_=_ :: α⇒α⇒^bool (for all typesα∈τ) _−→^_ :: bool⇒^bool⇒^bool

ι_ :: (α⇒^bool)⇒α (for all typesα∈τ)

• ιis called thedescription operator:

ιp yields the unique elementx for which(p x)isTrue, if such a uniquex exists. Otherwise, it yields an arbitrary value (of typeα).

• Note that in Isabelle/HOL, the provisos „for all typesα∈τ“ can be expressed by type variables.

HOL Semantics

• Intuitively an extension of many-sorted semantics with functions

I FOL (w/o sorts): formulas are interpreted in a structure consisting of a domain/universe and functions/predicates

hD,(f_i)_i∈F,(p_i)_i∈Pi

I Many-sorted FOL: there is a domain for each sorts ∈^S^where^S^is finite; functions/predicates have a sorted signature:

h(Ds)s∈S,(fi)i∈F,(pi)i∈Pi

I HOL: domainDis indexed by (infinitely many) types

• Our presentation ignores polymorphism on the object-logical level, it is treated on the meta-level, though (for a version covering

object-level parametric polymorphism cf. [GordonMelham93]).

(5)

Universes are prerequisite for HOL models

Definition (Universe)

A collection of setsUis called auniverse, if it satisfies the following closure conditions:

Inhab: EachX ∈ Uis a nonempty set Sub: IfX ∈ U ^and^Y ,0⊆^X^{, then}^Y ∈ U Prod: IfX,Y ∈ U^then^X ×^Y ∈ U^where

X×^Y is the Cartesian product ({{^x},{^x,y}}^encodes(x,y)) Pow: IfX ∈ U ^thenP(X) ={^Y :Y ⊆^X} ∈ U

Infty:U contains an infinite set of individuals

Remarks on universes U

• Representation of function spaces in universes:

X ⇒^Y is the set of all (total) functions fromX toY where a function is represented by its graph

I ForXandYnonempty,X ⇒^Y is a nonempty subset ofP(X×^Y)

I From closure conditions: IfX,Y ∈ U^{, then}^X⇒^Y∈ U^.

• Universes have two distinguished sets:

Unit: A distinguished set{¹}with exactly one element

Bool: A distinguished set{^T,F}with exaclty two element sets (existence follows fromInftyandSub)

Frames

Definition (frame) LetU be a universe.

Aframeis a collection(D^α)α∈τwithD^α ∈ U^{for all}α∈τand

• Dbool ={^T,F}

• Dind =X whereX is some infinite set ofindividuals

• D^α⇒β ⊆ D^α ⇒ D^β^{, i.e.} ^somecollection of functions fromD^α ^toD^β Examples

Some of the subsetsD^α⇒β might contain, e.g.,

• the identity function, others do not

• only the computable functions

Interpretations

Definition (Interpretation)

Aninterpretationh(D^α)α∈τ,Jiconsists of a frame(D^α)α∈τ and a function J mapping the constants of typeαto elements ofD^α^:

• J(True) =T andJ(False) =F

• J(=α⇒α⇒^bool)is the identity onD^α

• J(−→bool⇒^bool⇒^bool)denotes the implication funtion overDbool, i.e., b −→^b⁰ =

( _F _if_b

=T andb⁰ =F T otherwise

(6)

Interpretations (2)

• J(ι_(α_⇒_bool₎_⇒_α)∈(D^α ⇒ Dbool)⇒ D^α denotes the function the(p) =

( a ifp= (λx.x =a)

y otherwise, wherey is some element ofD^α Remark

We have to make sure that

• the interpretations of the constants are elements of the frame

• all definable functions are elements of the frame

Generalized models

Definition (Generalized models)

An interpretationM=h(D^α)α∈τ,Ji^{is a}(general) model for HOLiff there is a binary functionV^M such that for all type-indexed families of variable assignmentsρ= (ρα)α∈τ:

• (a) V^M(ρ,x_α) =ρ_α(x_α)

(b) V^M(ρ,c) =J(c), for constantsc (c) V^M(ρ,sα⇒βtα) =V^M(ρ,s)V^M(ρ,t)

i.e., the value of the functionV^M(ρ,s)at the argumentV^M(ρ,t) (d) V^M(λxα.tβ) =“the function fromD^α^intoD^βwhose value

for eachz ∈ DαisV^M(ρ[x ←^z],t)”

• Ift is a term of typeα, thenV^M(ρ,t)∈ D^α^.

Generalized Models - Facts (1)

• IfMis a general model andρa variable assignment, thenV^M(ρ,t)is uniquely determined, for every termt.

V^M(ρ,t)is thevalueoft inMw.r.t. ρ.

• Gives rise to the standard notion ofsatisfiability/validity:

I We writeV^M, ρ|=φforV^M(ρ, φ) =T.

I φissatisfiableinMifV^M, ρ|=φfor some variable assignmentρ.

I φisvalidinMifV^M, ρ|=φ, for every variable assignmentρ.

I φisvalid(in the general sense) ifφis valid in every general modelM.

Generalized Models - Facts (2)

• Not all interpretations are general models.

• Closure conditions guarantee that every well-formed term has a value under every assignment, e.g.,

closure under functions: identity function fromD^α^toD^α ^must belong toD^α⇒αso thatV^M(ρ, λxα.x)is defined.

closure under application:

I ifDNis set of natural numbers and

I DN⇒N⇒N contains addition functionpwherep x y =x+y

I thenDN⇒N must containk x=2x+5

sincek =V^M(ρ, λx.f (f x x)y)whereρ(f) =pandρ(y) =5.

(7)

Standard models

Definition (Standard Models:)

Ageneral modelis astandard modeliff for allα, β∈τ,D^α⇒βis the set of allfunctions fromD^α^toD^β

Remarks

• A standard model is a general model, but not necessarily vice versa.

• Analogous definitions for satisfiability and validity w.r.t. standard models.

• We can now re-introduce HOL in Isabelle’s meta-logic.

Isabelle/HOL

The syntax of the core language is introduced by:

consts

True :: bool False :: bool

Not :: bool⇒^bool ^("‘¬_"’ [40] 40)

If :: [bool, ’a, ’a ]⇒^’a ("‘if _ then _ else _)"’) The :: (’a⇒^bool)⇒^’a ^(binder"‘THE"’ 10) All :: (’a⇒^bool)⇒bool (binder"‘∀^{"’ 10)} Ex :: (’a⇒^bool)⇒bool (binder"‘∃^{"’ 10)}

= :: [’a,’a]⇒^bool ^(infixl⁵⁰⁾

∧ :: [bool, bool]⇒bool (infixr 35)

∨ :: [bool, bool]⇒bool (infixr 30)

−→ :: [bool, bool]⇒bool (infixr 25)

Core definitions of HOL

defs

True_def: True ≡((λx ::bool.x) = (λx.x)) All_def: All(P) ≡(P = (λx.True))

Ex_def: Ex(P) ≡ ∀^Q.(∀^x.Px −→^Q)−→^Q False_def: False ≡(∀^P.P)

not_def: ¬^P ≡^P −→^False

and_def: P∧^Q ≡ ∀^R.(P −→^Q −→^R)−→^R

or_def: P∨^Q ≡ ∀^R.(P −→^R)−→(Q −→^R)−→^R if_def: IfP×^y ≡^THE^z :: ⁰a.(P =True−→^z=x)∧ (P =False−→^z =y)

The axioms and rules of HOL

axioms/rules

refl: "t=t"

subst: "~s =t; P(s)=⇒^P(t)"

ext: "(V_x.f x =g x) =⇒(λx.f x) = (λx.g x)"

impl: "(P =⇒^Q) =⇒^P −→^Q"

mp: "~P −→^Q;P =⇒ ^Q"

iff: "(P −→^Q)−→(Q −→^P)−→(P =Q)"

True_or_False: "(P =True)∨(P=False)"

the_eq_trivial: "(THEx.x =b) = (b :: ⁰a)"