Many-valued Logic in HOL PDF

15 Pages·0.244 MB·English
Many-valued Logic in HOL

Indra Polak

Abstract

Many-valued logic is formalized in the logic of the theorem prover HOL [GM93]. We follow an algebraic approach, starting from a Heyting algebra. Using this approach and some useful HOL machinery, we implemented a tautology-checker for a three-valued propositional logic.

1 Introduction

Currently, a new specification language is under construction at the department of Computing Science in Groningen, called Almost Formal Specification Language, AFSL [Saa].¹ The semantics of AFSL is based on a three-valued logic. We want to provide users of AFSL with a proper 'specification environment', analogous to a 'programming environment'. Since logic plays an important role in AFSL, a theorem prover might be the right medium to test different forms of tool support for the language.

A theorem prover is to assist the process of making valid proofs. Therefore, each theorem prover has a proof system or logic in which the theorems are proven. This implies that all proofs we want to make with the prover will eventually be stated in the prover's logic. If we start from a proof in a different logic, the proof has to be translated, and the translation must preserve the correctness of the proof. In this paper we will show how the three-valued logic of AFSL can be formalized in the theorem prover HOL (Higher Order Logic) [GM93], in a correctness-preserving way.

Some theorem provers (e.g. Isabelle, [Pau94]) allow the logic itself to be a parameter. However, the usefulness of a theorem prover depends for a major part on the availability of many preproven theories and libraries, e.g. the theory of natural numbers, a library of tools for inductive proofs and so on. When the logic itself is a variable, these theories and libraries have to be made anew for each object logic. This is a major inconvenience. Also, one has to tell the generic theorem prover what the rules of logic are.
This must be expressed in a certain meta-language. When using HOL, the meta-language consists of the logic of HOL. This is a form of Higher Order Logic, based on Church's Simple Type Theory [Chu40]. Now the availability of many theories within this meta-logic can not be an argument to choose a system where these theories are not available, like Isabelle.

We will follow an algebraic approach to implement the logic. Recently, when formalizing a process algebra within HOL [GPU+95], we discovered that the polymorphic equality of HOL can be used efficiently and elegantly to implement a proof assistant for constructing process algebra proofs. This approach is pursued in this paper as well. Therefore we start from a finite axiomatization of a many-valued logic, so-called Heyting algebras, that form a general model for Intuitionistic Predicate Logic, see [TvD88]. Since the algebra might have more than two elements and still be Heyting, we can construct a model for many-valued logics by adding constants to the signature of the algebra. We will add one constant ? (undefined) to the signature to obtain a model and an implementation for a three-valued logic.

Using the algebraic framework, we show how HOL can be used efficiently to create a proof-environment for the newly defined logic. Then, we show how we implemented a tautology checker for this three-valued propositional logic using the proof-environment. The goal of the paper is to show how many-valued logic can be algebraically implemented in HOL, leading to tools that are easy to implement.

¹ One of the main arguments for a three-valued logic is the ability to reason conveniently about partial functions and possible non-termination. Another specification language that has a three-valued logic is VDM [Jon90]. Our logic is slightly different from the logic of VDM.
As a further result we show that the availability of theories within the meta-language is useful to create those tools, and we will argue that the specification of a proof strategy is more important than the specification of a proof itself. A proof strategy can give us many proofs instead of just one, and is therefore more useful than a specific proof.

The outline of this paper is as follows:
• An introduction to HOL.
• The algebra used.
• Tactics that were created to reason conveniently.
• Example: a tautology checker for three-valued propositional logic.
• Conclusions and further work.

2 HOL

In this section a short introduction to HOL is presented. For more information, see [GM93]. The HOL-88 system is built upon the functional programming language ML. There are a number of variants of ML available under the same name. The most precise description of the version for HOL-88 can be found in [CGH+86] and in [GMW79]. See [L.C92] for its more popular descendant SML.

We will make a distinction between two levels: firstly the ML-level and secondly the HOL-level. On the ML-level, we have expressions like 2 :int. This denotes the expression 2 having type int. A function $\lambda x.\ x + 1$ is denoted as \x. x+1 :int -> int, a cartesian product as (e1:t1, e2:t2) :t1 # t2. We can make lists by using brackets: [2;3] :int list is a list of integers.

The world of HOL is generated by three ML-types named :term, :type, and :thm. All expressions of these three ML-types constitute the HOL-level. HOL-terms and types are denoted between quotes, as in "T" and ":bool". A theorem is written as h |- c.

The type-checker of HOL will parse any HOL-term and try to find the corresponding HOL-type. Only when the type of the term can be deduced will the type-checker accept the term as valid input. Therefore when typing "2", the system will respond with "2" :term.
The parser recognized 2 as a valid term by deducing its type, being num, as can be inspected using the function type_of :term -> type:

#type_of("2");;
":num" : type

The rules to deduce the types are based on Church's Simple Type Theory [Chu40]. Within this theory, a Higher Order Logic is defined, hence the name HOL. Formulae are simply HOL-terms having HOL-type ":bool".

ML-terms of type :thm represent theorems. This type is a so-called abstract type. This means that terms of the type can only be created using the constructors of the type. This is enforced by the ML-type system and guarantees the soundness of the HOL-system. An example of an abstract type is:

#abstype complex = real # real
# with Make_Complex(r,i) = abs_complex(r,i) and
# Re(r) = fst(rep_complex(r)) and
# Im(r) = snd(rep_complex(r));;

The functions abs_complex and rep_complex are only accessible inside the type definition, and are automatically created by ML. They only serve to create the intended constructors and destructors for the abstract type. Now, after this definition, the type :complex has one constructor, Make_Complex :real # real -> complex, and two destructors, Re :complex -> real and Im :complex -> real. There is no way to construct a term of type :complex other than using the function Make_Complex.

So the question that remains is: what are the constructors and destructors for type :thm? The primary destructor is dest_thm :thm -> (term list # term). This yields a hypothesis list and a conclusion. The terms have HOL-type ":bool". The constructors form the heart of the logical system; here is a list.

ASSUME :term -> thm
REFL :term -> thm
BETA_CONV :term -> thm
SUBST :(thm # term) list -> term -> thm -> thm
ABS :term -> thm -> thm
INST_TYPE :(type # type) list -> thm -> thm
DISCH :term -> thm -> thm
MP :thm -> thm -> thm

E.g., ASSUME t will return the theorem $t \vdash t$. Here t should have type ":bool", otherwise the function will fail.
We will not discuss the other functions; more information can be found in [GM93]. The functions that create theorems without hypotheses are normally called axioms. The other functions are called basic inferences. By composing the functions, new functions can be defined which are called derived inferences.

To prove theorems conveniently, a goal-directed environment is available. A goal has type :term list # term. This represents an intended assumption list and conclusion for a future theorem. The terms should have HOL-type ":bool". To transform goals into theorems, one uses tactics. A tactic has type :goal -> goal list # proof. So the tactic should transform the goal into subgoals and a proof. Finally, a proof transforms a list of theorems into a new theorem, so it has the following type: :thm list -> thm.

The subgoal package lets the user reason easily with the tactics; it keeps track of the remaining subgoals and whether the tactics did actually solve any subgoals or not. If all subgoals are proven, a theorem results and the package greets the user with a Goal proved! message to inform him so. In specifying his tactic, the user has available a number of tacticals that combine tactics into new tactics. An infix t1 ORELSE t2 first tries tactic t1; when this fails, t2 is tried. There are a number of tacticals that can be used to create complicated proof strategies. In the appendix, we have put a complete list of all HOL constructs that are used in the paper.

Since all HOL-terms are also ML-terms, the user can in principle try to create his own tactics by programming them out in ML. Most people do not do this because the available tactics are sufficient to specify most proofs. In any case, the system gives the opportunity to obtain total control over the proof strategy. This is considered a major asset of the system.
3 Starting Point: a Heyting Algebra

It is assumed that the reader is familiar with the notions of partially ordered set (poset), least upper bound (lub) and greatest lower bound (glb). We also assume some knowledge of rewrite systems; for more detail see [HO89].

3.1. Definition. A lattice is a poset P any two of whose elements have a glb and a lub. A lattice L is complete when each of its subsets has a lub and glb in L.

3.2. Definition. A Heyting algebra is a structure $(A, \wedge, \vee, \bot, \to)$ such that $(A, \wedge, \vee)$ is a lattice with bottom $\bot$, and $\to$ a binary operation on A such that
$$(a \wedge b \le c) \Leftrightarrow (a \le b \to c).$$

Let $C = \{B, H, \ast\}$. C denotes a set of sort names. The B stands for Boole, the H for Heyting, the $\ast$ denotes 'any type'. We next define F, the set of operators of the algebra. F contains the normal operators of first order predicate logic with equality $\{\mathit{True}, \mathit{False}, =, \vee, \wedge, \neg, \to, \forall, \exists\}$ on B. Furthermore, F contains the following operators on H:
$$\top, \bot : H$$
$$\vee_h, \wedge_h, \to_h : H \to H \to H$$
$$=_h : H \to H \to B$$
$$\forall_h, \exists_h : (\ast \to H) \to H$$
$$\le : H \to H \to B$$

Consider the following axiomatization of a Heyting algebra. We omitted the suffix = True as usual.
$$x \le x$$
$$x \le \top$$
$$\bot \le x$$
$$(x \le y) \wedge (y \le x) \to x =_h y$$
$$(x \le y) \wedge (y \le z) \to x \le z$$
$$x \le (y \wedge_h z) = (x \le y) \wedge (x \le z)$$
$$(x \wedge_h y) \le z = y \le (x \to_h z)$$
$$(x \vee_h y) \le z = (x \le z) \wedge (y \le z)$$
$$x \le (\forall_h P) = \forall y.\ x \le (P\,y)$$
$$(\exists_h P) \le x = \forall y.\ (P\,y) \le x$$

This yields the following characterization of $\vdash_h$, derivability in Intuitionistic Predicate Logic (IPL), [TvD88]:
$$(\vdash_h \phi) = (\phi =_h \top)$$

Since we do not pose any restrictions on the number of elements in the algebra, we see in fact that this axiomatization can form a model for a many-valued logic as well, by adding elements to the algebra in between the top and bottom elements.
This will not hinder the existing truths about top and bottom, so the new algebra still forms a model for IPL. In order to make the many-valued logic a three-valued one, it is extended with a constant ?. Since we do not want ? to equal $\top$ or $\bot$, we add the following (defining) axiom to our system.
$$(x =_h ?) = \neg((x =_h \top) \vee (x =_h \bot))$$
This makes the following theorem derivable.
$$\forall x : H.\ (x =_h \top) \vee (x =_h \bot) \vee (x =_h ?)$$
We will use this theorem later when defining a tactic that performs structural induction.

The language does not contain a negation operator. The normal approach in intuitionistic logic is to define negation as $\neg_i p = p \to \bot$. We will use a slightly different variant for a number of reasons. Our negation $\neg_h$ is axiomatized by adding the operator and the following laws to the axiomatization:
$$\neg_h \neg_h x =_h x$$
$$x \le \neg_h y = y \le \neg_h x$$
$\neg_h$ is an involution which reverses the order. It cannot be defined using the existing operators since these are all monotonic.

We will conclude with truth-tables to summarize the logic.

[Truth-tables for $\neg_h$, $\wedge_h$, $\vee_h$ and $\to_h$ over $\top$, $\bot$ and ?; the table layout did not survive extraction.]

Note that we still have to prove that these truth-tables indeed follow from the axiomatization. We will show in the next sections how we implemented the algebra in HOL and how we proved the truth-tables.

4 Tactics for Proof Support

In order to reason conveniently in HOL about many-valued logic, many tactics were created. In this section we will pay attention to some of those tactics, show why they were needed and how they were implemented. We will also show some ingredients of the HOL system that were of particular interest for us.

4.1 Rewriting

In this section the tactic that implements rewriting in HOL is discussed. This tactic will be used very often in the sequel, and therefore deserves some attention.
Suppose we have entered a goal in the goal-directed environment of HOL, and suppose we have proven the following theorem Th.
$$\mathit{Th} = \forall x_0 \ldots x_i.\ t = t'$$
We now may rewrite all terms in the goal that match t (in the normal sense of pattern matching) to t' with the tactic PURE_REWRITE_TAC[Th]. If new terms arise that again match t, then these terms will be changed recursively, until t does not match with any subterm of the result. Note that [Th] stands for a list with Th as its only element. If more equational theorems are present in the list, HOL will rewrite with all theorems in the list in the same way until no match occurs with any left-hand side of the theorems in the list.

This powerful tactic is used to implement a term rewriting system. Given the axiomatization in section 3, a tactic is constructed that rewrites a given goal using a given list of axioms. Now whenever we have rewritten a goal to the form $\forall x_0 \ldots x_i.\ t = t$ we solve it by using an instance of the primitive inference REFL that given a term t creates the theorem $t = t$. In this way we created a proof-environment within HOL to solve equational goals. Given a many-valued formula $\phi$, we attempt to prove $\phi$ by proving in HOL the theorem $\phi = \top$. Given the assumption that the earlier axiomatization is a sound axiomatization of many-valued logic, this translation preserves correctness.

4.2 Smart Tactics

In this subsection we will describe two tactics that were very important for us, since they made the proving of all equational theorems a lot easier.² Within the lattice, the following two theorems hold:
$$\forall p\,q.\ (p =_h q) = (\forall r.\ r \le p = r \le q)$$
$$\forall p\,q.\ (p =_h q) = (\forall r.\ p \le r = q \le r)$$
These two theorems form the basic ingredient of two tactics that we created to solve many goals with a textually short tactic. As the reader might have noticed, all the axioms about the operators of type H are expressed in terms of the lattice ordering $\le$.
Therefore, each time we want to prove a goal of the form $t =_h u$, for two syntactically different terms t, u, we must use the law of asymmetry. To automate this reasoning, we created two tactics that try to solve an equational goal automatically using the above theorems. The idea is that every operator has a favorite side within an inequality. E.g., we can rewrite $a \vee_h b \le c$ to $a \le c \wedge b \le c$. However, $a \le b \vee_h c$ is not so easily simplified. When we have rewritten all operators in terms of $\le$, the result is a goal that we can solve more easily, since the only way to prove it is using ordinary two-valued logic, e.g. when a term results of the form $a \le a = a \le a$, or using the lattice postulates. This is an easier subproblem since we only need to know how to reason within a lattice and do not need to know anymore how to reason within this specific many-valued logic.

Now we will show the two tactics we created to automate a lot of work when solving equational goals.

let NORM_LEFT_TAC =
  REPEAT GEN_TAC THEN
  REPEAT (CHANGED_TAC (REWRITE_TAC ([IND_EQ_LEFT] @ NORM_LEFT_LIST) THEN BETA_TAC)) THEN
  (TAUT_TAC ORELSE ALL_TAC);;

The other tactic is similar. The IND_EQ_LEFT becomes IND_EQ_RIGHT and the NORM_LEFT_LIST becomes NORM_RIGHT_LIST.

This tactic tries to solve an equational goal of the form $\forall x_1 \ldots x_n.\ t =_h t'$. It first strips away the possible quantifiers and then applies one of the above two theorems, here IND_EQ_LEFT, to simplify the equational term. Hereafter, we rewrite with a list of theorems that rewrite many-valued operators on the left-hand side of an inequation to a simpler form. For an example see the axiom about $\vee_h$ earlier. The BETA_TAC simplifies beta-reductions. E.g. $(\lambda x.\ y)\,x$ becomes y after an application of BETA_TAC. This is sometimes necessary when we rewrite terms that have many-valued quantifiers as subterms.

² As suggested by R.M. Dijkstra.
Now, as long as the rewriting has effect (it changes the subgoals), we keep on doing it. Note that this only terminates if we do not rewrite in circles. The rewrite system we use is clearly terminating, so this will not happen. After rewriting, we try to solve the propositional goal using the two-valued tautology-checker that is available within HOL, called TAUT_TAC. If that fails, we come back with the result of the previous work.

Now many goals can be automatically proven. The tactic solves the goal
$$\forall x\,y\,z.\ (x \vee_h y) \vee_h z =_h x \vee_h (y \vee_h z)$$
in one stroke. This is due to the fact that we only have one operator in the term, and therefore we can use the theorem that rewrites $\vee_h$ on the left-hand side of the inequality. If we have more than one operator in a term, a choice has to be made which tactic to apply. You can try both, and see which result you like best to proceed from.

Using the tactic, we were able to reduce the length of the proofs considerably, when compared to proofs we did without the tactic. Nearly all theorems we proved now used four lines of tactics at most, each line containing an available HOL tactic or the above one. All proofs reduced in lexical length with the help of this tactic. This formed a major time gain in the project.

We can learn here that trying to find general proof strategies pays off. We will see another, more extreme example of this strategy when we formalize a tautology checker for the three-valued propositional logic. Then the minimalization of the proof length leads to its optimum, i.e., one tactic to solve any goal of a specific form. We want to stress, however, that this strategy can be useful too when the logic is undecidable, as in the present section. The algebraic formulation helps in finding an appropriate strategy, since the structure of the proof is so very simple: equational rewriting until $x = x$ has been deduced.
The merits of HOL are indispensable here; it allows such a proof strategy to be specified conveniently with reasonably limited means.

4.3 Induction

Another very useful aspect of the basic machinery of HOL can be seen when considering inductive proofs. We might be interested in attempting to prove the following goal.
$$\forall x.\ x \vee_h x =_h x$$
Suppose we are, and want to use structural induction, using the following theorem EXCL4TH.
$$\forall x : H.\ (x =_h \top) \vee (x =_h \bot) \vee (x =_h ?)$$
Then we can do this by defining the following tactic.

let BOOL3_INDUCT_TAC = INDUCT_THEN EXCL4TH ASSUME_TAC

Here INDUCT_THEN is a tactic generator function available within HOL. It takes a theorem and a tactic and produces a new tactic that handles the case induction. So this tactic will rewrite the goal to the three cases corresponding with substituting for the variable x the possible values, giving as subgoals the following goals.
$$\top \vee_h \top =_h \top \qquad \bot \vee_h \bot =_h \bot \qquad ? \vee_h ? =_h ?$$
These subgoals can then be solved using other tactics.

4.4 General comments

The above three aspects of the basic machinery of HOL serve to illustrate the importance of an expressive tactical language to express powerful proof-strategies, and the great practical use of pre-defined tactic-generators that can be used to create powerful user-defined tactics. They fit into two important categories:
• Expressivity;
• Usability.
Within any interactive computer program, these two notions are extremely important. We must be able to tell the program what we want it to do. Therefore the language in which to communicate with the program is very important. Secondly, we want to make use of things that are done before; we do not want to re-invent the wheel each time. The existence of powerful tools to start from is necessary to create large applications within a limited amount of time. In HOL these two notions were found to be well taken care of.
Using them, we were able to implement a reliable tautology checker within a reasonably short period, i.e., three to four weeks.

5 Example: A Tautology Checker for Three-Valued Propositional Logic

In this section we present a tautology checker for the three-valued propositional logic. It uses the now available tools of the last sections to construct the tactic. We start with a mathematical description.

Let $\hookrightarrow_1$ be a relation on the terms of a language L. The intuition is that it defines the one-step rewrite relation on the terms of L. Then $\to$ is the reflexive, transitive closure of $\hookrightarrow_1$. We say a term t is in normal form when there is no term t' such that $t \hookrightarrow_1 t'$.

In terms of a rewrite system, a tautology-checker can be defined as follows. Suppose the object language of the logic equals L, and L has equality, say $=_h$, among its operators, satisfying the normal rules for an equivalence relation and substitution. Given a set $V \subseteq L$ of truth-values, a tautology-checker is a terminating rewrite-system on the terms of L, where the set N of normal forms is a non-empty subset of V, and the rewrite-system, when interpreted in the logic by substituting $=_h$ for $\to$, should consist of theorems only.

In this section we will present such a rewrite-system for $V = \{\top, \bot, ?\}$, and L consists of all closed terms over the following signature:
$$\top, \bot, ? : H$$
$$\neg_h : H \to H$$
$$\vee_h, \wedge_h, \to_h : H \to H \to H$$
$$=_h : H \to H \to B$$
Note that L does not contain any variables. Let $L^-$ denote $L \setminus \{\top, \bot, ?\}$.

Assume the axiomatization of section 3. With this axiomatization and the constructed machinery, we have proven in HOL the following theorems, where all theorems are implicitly quantified over their free variables:
$$x \wedge_h x =_h x \qquad x \vee_h x =_h x \qquad x \to_h x =_h \top$$
$$\top \wedge_h x =_h x \qquad x \wedge_h \top =_h x \qquad \bot \wedge_h x =_h \bot \qquad x \wedge_h \bot =_h \bot$$
$$\top \vee_h x =_h \top \qquad x \vee_h \top =_h \top \qquad \bot \vee_h x =_h x \qquad x \vee_h \bot =_h x$$
$$\neg_h \top =_h \bot \qquad \neg_h \bot =_h \top \qquad \neg_h ? =_h ?$$
$$\bot \to_h x =_h \top \qquad \top \to_h x =_h x \qquad x \to_h \top =_h \top \qquad ? \to_h \bot =_h \bot$$
Viewing an equation in this list as having a direction, we obtain the rewrite system $\mathit{TRS}_h$ by substituting the symbol $\to$ for the symbol $=_h$. Now we have the following results.

5.1. Lemma. $\mathit{TRS}_h$ is terminating.
Proof. Standard. □

Next we show that any term $t \in L^-$ matches with some rewrite rule of $\mathit{TRS}_h$. Let $\equiv$ mean syntactical equality. Then we have the following.

5.2. Lemma. $\forall t \in L^-.\ \exists t' \in L.\ t \hookrightarrow_1 t' \wedge (t \not\equiv t')$
Proof. With induction on the structure of t. □

Now the remaining thing to prove is that the set of normal forms N is a subset of $\{\top, \bot, ?\}$.

5.3. Lemma. $N = \{\top, \bot, ?\}$
Proof. First recognize that if $t \in \{\top, \bot, ?\}$, then it is in normal form. So $t \in \{\top, \bot, ?\} \Rightarrow t \in N$. Now suppose $t \notin \{\top, \bot, ?\}$, and t in normal form. Then with lemma 5.2 we have a contradiction. So $t \in N \Rightarrow t \in \{\top, \bot, ?\}$. By definition, $N = \{\top, \bot, ?\}$. □

Combining the results, we have now the

5.4. Theorem. $\mathit{TRS}_h$ is a tautology checker for L.
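The rewrite system $\mathit{TRS}_h$ of this section and the three-element Heyting chain of section 3, as an added Python example that is not part of the paper (the paper's own implementation is a HOL88 tactic): `normalize` applies the eighteen proven equations left to right, `value` interprets a closed term in the lattice $\bot \le ? \le \top$ fixed by the axioms $\bot \le x$ and $x \le \top$, and `check_checker` tests Lemma 5.3 together with the soundness requirement on a tautology checker exhaustively for closed terms up to a given depth. The tuple encoding of terms, the function names and the exhaustive check are assumptions of this example.

```python
from itertools import product

TOP, BOT, UND = "T", "F", "?"      # top, bottom and the undefined constant (? in the paper)
VALUES = (TOP, BOT, UND)
RANK = {BOT: 0, UND: 1, TOP: 2}    # the chain bottom <= ? <= top forced by bottom <= x <= top

# Closed terms of L (assumed encoding): a value, ("not", t), or (op, t, u)
# with op one of "and", "or", "imp".

def root_rule(t):
    """Apply one rule of TRS_h at the root of t; None if no rule matches."""
    if isinstance(t, str):
        return None
    if t[0] == "not":
        return {TOP: BOT, BOT: TOP, UND: UND}.get(t[1])   # not top = bot, not bot = top, not ? = ?
    op, x, y = t
    if op == "and":
        if x == y: return x                               # x and x = x
        if x == TOP: return y                             # top and x = x
        if y == TOP: return x                             # x and top = x
        if BOT in (x, y): return BOT                      # bot and x = bot, x and bot = bot
    elif op == "or":
        if x == y: return x                               # x or x = x
        if TOP in (x, y): return TOP                      # top or x = top, x or top = top
        if x == BOT: return y                             # bot or x = x
        if y == BOT: return x                             # x or bot = x
    elif op == "imp":
        if x == y or x == BOT or y == TOP: return TOP     # x->x, bot->x, x->top all = top
        if x == TOP: return y                             # top -> x = x
        if (x, y) == (UND, BOT): return BOT               # ? -> bot = bot
    return None

def normalize(t):
    """Rewrite t to normal form, innermost first; TRS_h terminates (Lemma 5.1)."""
    if isinstance(t, tuple):
        t = (t[0],) + tuple(normalize(s) for s in t[1:])
    while True:
        u = root_rule(t)
        if u is None:
            return t
        t = u

def is_tautology(t):
    """Theorem 5.4: a closed term is a tautology iff its normal form is top."""
    return normalize(t) == TOP

def leq(a, b):
    return RANK[a] <= RANK[b]

def value(t):
    """Interpret a closed term in the three-element Heyting chain of section 3."""
    if isinstance(t, str):
        return t
    if t[0] == "not":                                     # the order-reversing involution
        return {TOP: BOT, BOT: TOP, UND: UND}[value(t[1])]
    op, a, b = t[0], value(t[1]), value(t[2])
    if op == "and":
        return min(a, b, key=RANK.get)                    # greatest lower bound
    if op == "or":
        return max(a, b, key=RANK.get)                    # least upper bound
    return TOP if leq(a, b) else b                        # a -> b, the adjoint of the meet

def closed_terms(depth):
    """All closed terms of L up to the given nesting depth (constructed exhaustively)."""
    terms = list(VALUES)
    for _ in range(depth):
        new = [("not", s) for s in terms]
        new += [(op, s, u) for op in ("and", "or", "imp")
                for s, u in product(terms, repeat=2)]
        terms = list(VALUES) + new
    return terms

def check_checker(depth=2):
    """Lemma 5.3 plus soundness: every closed term normalizes to a value, and to the
    value the model gives it; the model itself satisfies the adjunction of Def. 3.2."""
    adjunction = all(leq(value(("and", a, b)), c) == leq(a, value(("imp", b, c)))
                     for a, b, c in product(VALUES, repeat=3))
    sound = all(normalize(t) in VALUES and normalize(t) == value(t)
                for t in closed_terms(depth))
    return adjunction and sound
```

Excluded middle in the form $? \vee_h \neg_h ?$ normalizes to ?, not $\top$, which is what makes the logic three-valued rather than classical.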
