Upload
lyliem
View
213
Download
0
Embed Size (px)
Citation preview
CHECKING LANDAU'S "GRUNDLAGEN" IN THE
AUTOMATH SYSTEM
PROEFSCHRIFT
T E R V E R K R I J G I N G VAN DE GRAAD VAN DOCTOR I N DE
TECHNISCHE WETENSCHAPPEN AAN DE TECHNISCHE
HOGESCHOOL EINDHOVEN, O P GEZAG VAN DE RECTOR
MAGNIFICUS, PROF.DR. P. VAN DER LEEDEN, VOOR
EEN COMMISSIE AANGEWEZEN DOOR HET COLLEGEVAN
DEKANEN I N HET OPENBAAR T E VERDEDIGEN O P
DINSDAG 1 MAART 1977 T E 16.00 UUR.
door
L.S. VAN BENTH EM JUTTING
GEBOREN T E BUSSUM
Preface
This thesis contains an account of the translation and verification of
Landau's "Grundlagen der Analysis", a book on elementary mathematics [L],
in the formal language AUT-QE, a language of the AUTOMATH family.
AUTOMATH languages are intended to be used for formalizing mathematics
in such a precise way that correctness can be checked mechanically (e.g. by
a computer) . The translation itself is presented in L.S. Jutting, A translation of
Landau's "Grundlagen" in AUTOMATH CJI. It consists of about 500 pages, and
therefore it is not reproduced here, apart from two fragments (see appendi-
ces 4 and 7).
Acknowledgements
I want to thank all my fellow-workers in the AUTOMATH project for their
help, in the form of ideas and advice, of material assistance and moral sup-
port.
I want to thank my family for putting up with my preoccupation, in par-
ticular during this last half year.
I want to thank Mrs. Marese Wolfs and Mrs. Lieke Janson for typing
these pages.
Contents
0. INTRODUCTION
0.0. The AUTOMATH languages
0.1. The AUTQMATH project and its motivation
0.2. The book translated
0.3. The language of the translation
1. PREPARATION
1.0. The presupposed logic
1.2. The representation of logic in AUT-QE
1.3. Account of the PN-lines
1.4. Development of concepts and theorems in Landau's logic
2. TRANSLATION
2.0. An abstract of Landau's book
2.1. Deviations from Landau's text
2.2. The translation of "Kapitel 1"
2.3. The translation of "Kapitel 2"
2.4. The translation of "Kapitel 3"
2.5. The translation of "Kapitel 4"
2.6. The alternative version of chapter 4
2.7. The translation of "Kapitel 5"
3. VERIFICATION
3.0. Verification of the text
3.1. Controlling the strategy of the program
3.2. Shortcomings in the verifying program
3.3. Excerpting
4. CONCLUSIONS
4.0. Formalization of logic in AUTOMATH
4.1. The language
4.2. Comments on the translation
Appendix 1. A description of AUTOMATH and some aspects of its
language theory by D.T. van Daalen
1. Introductory remarks
2. Informal description of AUTOMATH
3. Mathematics in AUTOMATH: Propositions as types
4. Extension of AUT-68 to AUT-QE
5. A formai definition of AUT-QE
6. Some remarks on language theory
Appendix 2. The paragraph system
Appendix 3. PN-lines from the preliminaries
Appendix 4. Excerpt for "Satz 27"
Appendix 5. Two shortcomings of the verifying program
Appendix 6. Example of a text in AUT-68
Appendix 7. Excerpt for "Satz I", "Satz 2" and "Satz 3"
Appendix 8. Example of a text in AUT-68-SYNT
Appendix 9. AUT-SYNT
References
0. INTRODUCTION
I n t h i s chapter a b r i e f desc r ip t ion of the AUTOMATH p r o j e c t i s given,
and t h e place of the present work wi thin t h i s p r o j e c t is indicated.
0.0. The AUTOMATH languages
The laaguages of t h e AUTOMATH family a r e formal languages, i n which
l a r g e p a r t s of mathematics can be e f f i c i e n t l y formalized. Texts i n these
languages can be checked mechanically ( i . e . by a computer). A t e x t is ver i -
f i e d l i n e by l i n e , and t h e checking does not only cover syn tac t i ca l correct -
ness of t h e expressions occurring i n a l i n e , bu t a l s o i ts mathematical v a l i -
d i t y , which includes t h e correctness of references t o previous l i n e s . Correct
AUTOMATH t e x t s may the re forebe in terpreted*) t o represent cor rec t mathematics.
The s t r u c t u r e of these languages, based on na tu ra l deduction, i s close-
l y r e l a t e d t o t h e s t r u c t u r e of common i n t u i t i v e reasoning. Hence mathemati-
c a l d iscourses i n an informal language can be t r a n s l a t e d i n t o an AUTOMATH
language without too much trouble.
A t t h e moment a number of nu tua l ly r e l a t e d languages e x i s t s a t i s f y i n g
t h e above spec i f i ca t ions . For severa l of these languages, ver i fying computer
programs a r e cur ren t ly operat ional ; f o r o the rs , such programs a r e s t i l l i n
an experimental stage.
0.1. The AUTOMATH p r o j e c t and i ts motivation
The ob jec t of t h e AUTOMATH p r o j e c t has been t o develop languages a s
described above, and t o make ver i fy ing computer programs f o r these languages.
It was i n i t i a t e d some t e n years ago by N.G. de Bruijn, who a l s o conceived
t h e fundamentals of t h e AUTOMATH languages. Since t h e n . a number of mathema-
t i c i a n s have been working on the p r o j e c t , providing AUTOMATH with a language
theory, wri t ing ver i fying programs f o r AUTOMATH languages, producing t e x t s
i n these languages, and applying t h e ver i fying programs t o these t e x t s .
There were several reasons f o r h i t i a t i n g such a p ro jec t , of which we
mention t h e following:
*) I n discussing an AUTOMATH t e x t I w i l l c a l l t h e intended meaning ( i n for-
mal o r informal mathematics) of t h i s t e x t its interpretat ion, and I w i l l say
t h a t this meaning is represented i n t h e AUTOMATH t e x t .
2
i
ii)
Mechanical verification will increase the reliability of certain kinds
of proofs. A need for this may be felt where a proof is extremely long,
complicated and tedious, and where it is difficult to break it down in-
to intuitively plausible partial results; or where in proofs results of
others are used, so that misinterpretations become possible.
Mechanically verifiable languages set a standard by which informal lan-
guage may be measured, and may thereby have an influence on the use of
language in mathematics generally.
iii) The use of such languages gives an insight into the structure of mathe-
matical texts, and makes it possible to compare the complexity, in se-
veral respects, of mathematical concepts and proofs. As a consequence
projects of this kind may have in the long run a favourable influence
on the teaching of mathematics.
A further motive, for the author, was that the work involved in the
project appealed to him.
More information on the AUTOMATH project, its objectives, motivation
and history can be found in Cd~l.
0.2. The book translated
At an early stage of the AUTOMATH project the need was felt to trans-
late an existing mathematical text into an AUTOMATH language, first, in or-
der to acquire experience in the use of such a language, and secondly, to
investigate to what extent mathematics could be represented in AUTOMATE3 in
a natural way.
As a text tc be translated, the book "Grundlagen der Analysis" by
E. Landau [L] was chosen. This book seemed a good choice for a number of
reasons: it does not presuppose any mathematical theory, and it is written
clearly, with much detail and with a rather constant degree of precision.
For a short description of the contents of Landau's book see 2.0.
0.3. The language of the translation
he language into which Landau's book has been translated is AUT-QE. A detailed description and a formal definition of this language is given in
CVD]. As this paper is fundamental to the following monograph and not easi-
ly obtainable, it has been added as appendix . I . I will use the notations
introduced there whenever necessary. Where in the following text a concept
introduced in CVDI is used for the first time, it will be displayed in italics, with a reference to the section in CVDI where it occurs.
The language of the translation differs from the definition in [VD] in
one respect, viz. the division of the text into paragraphs CVD, 2.163. By
this device the strict rule that all con~ikmts CVD, 2.6, 5.4.11 in an AUT-QE
book CVD, 2.13.1, 5.4.43 should be different is weakened to the more liberal
rule that all constants in one paragraph have to differ. Now, in a line [VD,
2.13, 5.4.41, reference to constants defined in the paragraph containing
that line is as usual, while reference to constants defined in other para-
graphs is possible by a suitable reference system. For a more detailed des-
cription of the system of paragraphing, see appendix 2.
In contravention of the rules for the shape and use of names in AUT-QE,
we will in examples in the following text not restrict ourselves to alpha-
numeric symbols, and occasionally we use infix symbols. (Of course, in the
actual translation of Landau's book, these deviations from proper AUT-QE do
not occur.)
1. PREPARATION
I n t h i s chapter the log ic which Landau presupposes i s analysed and its
representa t ion i n AUT-QE is described.
1.0. The presupposed l o g i c
I n h i s "Vorwort fiir den Lernenden" Landau s t a t e s : "Ich s e t z e logisches
Denken und d i e deutsche Sprache a l s bekannt voraus". Clear ly , i n t h e t rans-
l a t i o n AUT-QE should be subs t i tu ted f o r "die deutsche Sprache". The proper
i n t e r p r e t a t i o n of "logisches denken" must be in fe r red from Landau's use of
log ic i n h i s t e x t .
This appears t o be a kind of informal second (or higher) order predi-
c a t e l o g i c with equal i ty . I n t h e following some c h a r a c t e r i s t i c s of Landau's
log ic w i l l be discussed, and i l l u s t r a t e d by quota t ions from h i s t e x t .
i) Variables have well defined ranges which a r e not too d i f f e r e n t from
types [VD, 2.21 i n AUT-QE. Cf . : - On t h e f i r s t page of "Kapitel 1": "Kleine l a t e i n i s c h e Buchstaben be-
deuten i n diesem Buch, wenn n ich t s anderes gesagt wird, durchweg na-
t i i r l i che Zahlen" . - I n "Kapitel 2 , 5": Grosze l a t e i n i s c h e Buchstaben bedeuten durchweg,
wenn n ich t s anderes gesagt wird, r a t i o n a l e Zahlen".
ii) Predicates have r e s t r i c t e d domains, which again can be in te rp re ted a s
types i n AUT-QE. Cf.:
- "Satz 9: Sind x und y gegeben, so l i e g t genau e ine der FBlle vor:
1) x = y.
2) E s g i b t e i n u m i t x = y + u ..." e t c .
It is c l e a r t h a t u (being a lower case l e t t e r ) i s a na tu ra l number,
o r u E nat. - - "Definit ion 28: Eine Menge von ra t iona len Zahlen h e i s z t e i n Schn i t t ,
wenn.. .". Here it i s apparent t h a t being aa 'Schn i t t " i s a predicate on the type
of s e t s of r a t i o n a l numbers.
iii) When, f o r a predicate P, it has been shown t h a t a unique x e x i s t s f o r
which P holds, then "the x such t h a t P" i s an object . Cf.:
- "Satz 4 , zugleich Def ini t ion 1: Auf genau e ine A r t l d s z t s i c h jedem
Zahlenpaar x ,y e ine nati ir l iche Zahl, x + y genannt, so zuordnen.
dasz.. . . x + y h e i s z t d i e Summe von x und y".
- "Satz 101: 1st X > Y so hat X + U = Y genau eine LBsung U.
Definition 23: Dies U heiszt X-Y".
iv) The theory of equivalence classes modulo a given equivalence relation,
whereby such classes are considered as new objects, is presupposed by
Landau. Cf.:
- The text preceding "Satz 40": "Auf Grund der Sdtze 37 bis 39 zerfal- x, Y,
len alle Briiche in Klassen, so dasz I- A d a n n und nur dann, wenn X2 y2 X
1 Y1 - und - derselben Klasse angehtiren". X 2 y2
- "Definition 16: Unter eine rationale Zahl versteht mann die Menge aller einem festen Bruch Bquivalenten Briiche (also eine Klasse im
Sinne des 5 1) ". v) The concepts "function" and "bijective function" are vaguely described.
Cf.:
- "Satz 4" (see iii) above). - "Satz 274: 1st x < y so kBnnen die m I x nicht auf die n I y einein-
deutig bezogen werden".
- "Satz 275: Es sei x fest, f(n) fiir n x definiert. Dann gibt es ge-
nau ein fiir n x definiertes g (n) mit folgenden Eigenschaften. .." X
followed by the "explanation": "Unter definiert verstehe ich: als
komplexe Zahl definiert". This explanation might be interpreted to
indicate the typing of the functions f and g.
vi) Landau defines and uses partial functions. Cf.:
- "Definition 14: Das beim Beweise des Satzes 67 konstruierte spezielle u 1 y1 - heiszt - - - ...". Here the construction, and therefore the de-
U 2 X2 y2 X1 y1 finition, only applies if - > - .
x, Y, L L -
- "Definition 56: Das Y des Satzes 204 heiszt" ". This definition de- H pends upon H # 0.
- "Definition 71", where Landau states explicitly: "Nicht definiert n
ist x also lediglich fiir x = 0, n I 0".
- "Satz 155: Beweis: 11) Aus X > Y folgt X = (X -Y) + Y". X - "Satz 240: 1st y # 0 so ist -. y = XI'. Y - - "Satz 291: Es sei n 0 oder xl # 0, x2 # 0. Dann ist (x1.x2)'' =
- - xn xn ,, 1' 2 '
I n these l a s t th ree examples we see r'generaZized implications": the
terms occurring i n t h e consequent a r e meaningful only i f t h e antece-
dent is taken t o be t rue . A s imi la r s i t u a t i o n w i l l be encountered i n
v i i ) . v i i ) Def ini t ions by cases, sometimes of a complicated nature , a r e used.
Cf.:
- "Definit ion 52:
- ( I : / + [ H I ) wenn B < 0, H < 0.
lzl - I H I J 0 wenn Z > 0, H < 0,
- ( ] H I - Iq) wenn 5 < 0, H > 0.
wenn f = 0.
wenn H = 0".
- "Definit ion 71:
x = (1 wenn x # 0, n = 0.
[& wenn x # 0, n < 0.
Notice t h a t i n these two d e f i n i t i o n s , i n some of t h e cases t h e defi-
niens is not defined when t h e corresponding condit ion does not hold,
("generaZized def in i t ion by cases" ) , and a l s o t h a t , i n some cases,
the re i s i n t h e de f in iens a reference t o the definiendum.
v i i i ) I n h i s t e x t Landau only occasionally mentions p red ica tes and r e l a t i o n s ;
usual ly he r e f e r s t o s e t s . Cf.:
- "Axiom 5: E s s e i M e ine Menge nat i i r l icher Zahlen m i t den Eigenschaf-
ten:
I) 1 gehdrt zu M.
11) Wenn x zu M gehdrt , so gehdr t x ' zu M.
Oann umfaszt M a l l e nati ir l ichen Zahlen".
- "Satz 2: x ' # x. Beweis: M s e i d i e Menge der x , fiir d i e d i e s g i l t . . " .
However, i n t h e t e x t preceding "Definit ion 26":
- "Da =, >, <, Summe und Produkt den a l t e n Begriffen entsprechen...".
i x ) Landau considers (ordered) p a i r s of ob jec t s . I n chapter 2 the compo-
nents of such p a i r s remain c l e a r l y v i s i b l e i n t h e i r names: he does not
r e f e r t o " the p a i r x with components xl and x2", b u t only t o " the p a i r
x ~ , x ~ " ~ Nevertheless it is c l e a r from h i s words t h a t he considers such
a p a i r a s one ob jec t . Cf.: x4
- "Def ini t ion 7 : Unter einem Bruch f - v e r s t e h t man das Paar de r natiir- X
2 l i chen Zahlen x1,x2 ( i n d iese r Reihenfolge)".
X1 y1 - "Def ini t ion 8: - - - wenn x1y2 = y1X2". X2 Y2
In chapter 5 however, va r i ab les f o r p a i r s are used. Cf.:
- "Def ini t ion 57: Eine komplexe Zahl i s t e i n Paar r e e l l e r Zahlen E1,E2
( i n bestirnmter Reihenfolge). W i r bezeichnen d i e komplexe Zahl m i t
CEl,E23".
This d e f i n i t i o n i s immediately followed by
- "~1einedeutscheBuchstaben bedeuten durchweg komplexe Zahlen".
The two no ta t ions a r e l inked i n the following way:
- "Def ini t ion 60: 1st x = [B1,E2] , y = [H ,H 1, s o ist 1 2 x + y = [ E l + = H + ~ ~ 1 " . -2' 1
X) F i n a l l y it should be pointed ou t t h a t some of Landau's proofs and re-
marks tend t o a kind of i n t u i t i v e reasoningwhich i s no teas i ly represen-
t ed i n a formal system.
A f i r s t example of t h i s i s t h e treatment of equa l i ty i n "Kapitel 1 ,
§ 1".
- " 1 s t x gegeben und y gegeben, s o s ind entweder x und y diese lbe Zahl;
das kann man aueh x = y schreiben; oder x und y n i c h t d iese lbe Zahl;
das kann men auch x f y schreiben.
Hiernach g i l t aus r e i n logischen Granden:
1) x = x fi ir jedes x.
2) Aus x = y f o l g t y = x.
3 ) Aus x = y, y = z f o l g t x = 2".
Here i.t seems t h a t Landau der ives the p roper t i e s of equa l i ty from re-
f l e c t i o n on t h e p roper t i e s of a mathematical s t r u c t u r e . They a r e not
theorems o r axioms but i n t u i t i v e l y t r u e statements. S u b s t i t u t i v i t y of
equal o b j e c t s , though used f requent ly i n t h e proofs of subsequent theo-
rems, i s never mentioned.
Other examples of proofs with i n t u i t i v e components may be found where
Landau, i n a glance, takes i n a complex l o g i c a l s i t u a t i o n . Cf.:
- "Satz 16: Aus x 5 y, y < z oder x < y, y 5 z folgt x,< z. Beweis:
Mit dem Gleichheitszeichen in der Voraussetzung klar; sonst durch
Satz I5 erledigt".
- "Satz 20: Aus x + z > y + z bzw. x + z = y + z bzw. x + z < y + z folgt x > y bzw. x = y bzw. x < y.
Beweis: Folgt aus Satz 19 da die drei Falle beide Male sich aus-
schlieszen und alle MBglichkeiten ersch8pfenW.
A somewhat different example, which involves what might be called
"metalogic", is the text preceding "Definition 26", where it is indi-
cated how a number of theorems might be proved, without actually pro-
ving them. I will return to this in 2.1 viii).
1.2. The representation of logic in AUT-QE
The logic considered by Landau to be "logisches Denken", as described
in the previous section, has been formalized in the first part of the
AUT-QE book, called "preliminaries", which, unlike the other parts, does
not correspond to an actual chapter of Landau's book.
A possible way of coding logic in AUT-QE has been described in CVD, 3,41. In addition to this description we stress a few points on the inter-
pretation of AUT-QE lines CVD, 2.13, 5.4.41. Adopting the terminology intro-
duced in [z] we shall call expressions of the form [x1,u1]...[xk,ak] (with k 2 0) (i.e. t-expressions of degree 1) It-~ressions and ex-
pressions of the form Ex u ]. . . [xk,ukl - (again with k 2 0) lp-wres- 1' 1 sions. Expressions having It- and lp-expressions as their types, will be
called 2t-expressions and 2p-ezp~essions, respectively. Finally, 3t-,and
3p-expressions have 2t- and 2p-expressions as their types.
Now a 2t-expression will be used to denote a type (or "class"). If
its type is an abstraction expression CVD, 2.8, 5.4.21 then it denotes a
type of functions. A 2p-expression denotes a proposition or a predicate. A
3t-expression denotes an object (of a certain type) and a 3p-expression a
proof (of a certain proposition).
The interpretation of an AUT-QE line having a certain shape (EB-line,
line or abbreviation line CVD, 2.13, 5.4.41) will depend on its catego-
ry part CVD, 2.13.11 being a It-, Ip-, 2t- or 2p-expression. So we arrive
at the following refinement of the scheme in CVD, 4.51.
Shape of the line: Category-part
Abbreviation
line
introduces
a type
variable
introduces
a primitive
type con-
stant
defines a
type in
terms of
known con-
cepts
introduces a
proposition
or predicate
variable
introduces an
object varia-
ble (of the
stated type)
--- -
introduces
the stated
proposition
as an axiom
introduces
the stated
proposition
as an assump
tion
introduces a
primitive
proposition
or predicate
constant
defines a
proposition
or predicate
in terms of
known con-
cepts
proves the
stated pro-
position as
a theorem
introduces a
primitive ob-
ject (of the
stated type)
defines an
object (of
the stated
type) in
terms of
known con-
cepts
In the above scheme it is apparent that, if the category part of a line is
a 2p-expression, then the interpretation of that line is an assertion. But
also if the category part is a 2t-expression a the interpretation has an
assertional aspect; the line does not only introduce a new name for an ob-
ject (as a variable, or a primitive or defined constant) but also asserts
that this object has the type a.
1.3. Account of the PN-lines
Here I will give a survey of the primitive concepts and axioms (PN-
lines) occurring in the preliminary AUT-QE text. A mechanically produced
list of these axioms appears as appendix3.Inthis list the PN-lines appear
numbered. References in parentheses below will refer to these numbers.
i) Axioms for contradiction.
Contradiction is postulated as a primitive proposition (I), the double
negation law as an axiom (2).
ii) Axioms f o r equal i ty .
Given a type S , equa l i ty is introduced a s a pr imit ive r e l a t i o n on S
( 3 ) , with axioms f o r r e f l e x i v i t y ( 4 ) and f o r s u b s t i t u t i v i t y (5) ( i . e .
i f X=y , and i f P i s a predicate on S which holds a t X , then P
holds a t Y ) . Moreover the re i s an axiom s t a t i n g extensional i ty f o r
functions (8) . The notion of equa l i ty so introduced is c a l l e d book-equality (c f . CVD,
3.61) i n con t ras t t o d e f i n i t i o m l equality of expressions. (CVD, 2.12,
5.5.61).
iii) Axioms f o r individuals .
Given a type S , a predicate P on S , and a proof t h a t P holds
a t a unique X S , the ob jec t i n d ( f o r individual) i s a p r imi t ive
o b j e c t (61, t o be in te rp re ted a s " the X f o r which P holds". An
axiom s t a t e s t h a t i n d s a t i s f i e s P (7) . i v ) Axioms f o r subtypes.
Given a type S and a predicate P on S , t h e type OT ( f o r own-
type, i . e . t h e subtype of s associa ted with P ) i s a pr imit ive type
(9 ) . For U - E OT we have a pr imit ive ob jec t i t l ( u ) E S ( l o ) , and an
axiom s t a t i n g t h a t t h e function [U ,OTlin(u) is i n j e c t i v e (12) . More-
over the re a r e axioms t o t h e e f f e c t t h a t the images under t h i s func-
t i o n a r e j u s t those X S f o r which P holds ( (11) and (12) ) . V ) Axioms f o r products (of types ) .
Given types S and T t h e type p a i r t y p e ( t h e type of p a i r s (X,y)
w i t h X S and y E T is introduced a s a pr imit ive type (14). For - p E p a i r t y p e we have t h e project ions f i r s t ( p ) - E S and second(p) E T - a s p r imi t ive ob jec t s ( (16) and (17) ) , and conversely, f o r X S and
y T we have pafr(x,y) a s a pr imit ive ob jec t i n p a i r t y p e (15).
Next the re a r e th ree axioms s t a t i n g t h a t pair(fir~t(p),se~~nd(p))=p,
f i r s t ( p a i r ( x , y ) ) = x and second(pair(x ,y))=y (where = r e f e r s t o book-
equa l i ty a s introduced i n ii) ) ( (191, (20) and (21) ) .
(Note: I f a type U containing j u s t two ob jec t s i s ava i l ab le , and i f
S is a type, the type of p a i r s (X,Y) with X E S and Y E S may
be defined a l t e r n a t i v e l y a s the function type [x,U]S . I n t h e t rans-
l a t i o n t h i s was done a t t h e end of chapter 1 , where we took f o r U
t h e subtype of t h e na tu ra l s I 2. Therefore the pa i r ing axioms a s des-
cribed above were no t used i n the a c t u a l t r ans la t ion . )
vi) Axioms for sets.
Given a type S , the type s e t (the type of sets of objects in S )
is introduced as a primtive type (21), and the element relation as a
primitive relation (22). Given a predicate P on S , there is a pri- mitive object seto f (P) s e t (denoting the set of X S satisfying
P ) (23), and there are two axioms to the effect that P holds at X
iff X is an element of s e t o f (P) ( (24) and (25) ) . These can be viewed as comprehension axioms for S . (As sets contain only objects of one type, such axioms will not give rise to Russell-
type paradoxes. )
Finally extensionality for sets is stated as an axiom (26).
The axioms for sets permit "higher-order" reasoning in AUT-QE, since
quantification over the type s e t is possible.
1.4. Development of concepts and theorems in Landau's logic
Here we give a sketch of the development of the logic in [L] from the
axioms described in the previous section.
Starting from the axioms for contradiction, the development of classi-
cal first order predicate calculus is straightforward. In this development
more then usual attention has been paid to mutual exclusion: l(A A B), and
trichotomy: (A V B V C) A (1 (A A B) A 1 (B A C) A 1 (C A A) ) , because these concepts are used frequently by Landau in discussing linear order.
The properties of equality, e.g. symmetry, transitivity, and substitu-
tivity for functions (i.e. if X=y and f if a function on S then
f ( x ) = f (y) ) , follow from the axioms for equality.
The development of the theory of equivalence classes (cf. 1.0 iv)) re-
quires the axioms for subtypes and for sets. It turns out here, when trans-
lating mathematics in AUT-QE, that Landau goes quite far in considering con-
cepts and statements about those concepts to belong to "logisches Denken".
We had to choose how to describe partial functionsinAUT-QE. As an
example let us consider the function f on the type r l of the reals, de-
fined for all X E r l for which x+O , and mapping X to I/x . There are (at least) four reasonable ways to represent f :
i) The range of f may be taken to be r l* , the "extended type" of reals, containing, apart from the reals, an object und representing "unde-
fined". In this case <O>f will be (book-equal to) und , and r l
may be defined as ~ ~ ( r l * ~ ~ x , r l * l ( x f u n d ) ) .
ii) An arbitrary fixed object in rl , 0 say, may replace und . Then <O>f will be taken to be 0 .
iii) f may be considered as a function on OT(r1 ,[x,rlIx#O) , the subtype of the nonzero reals.
iv) f may be represented as a function of kwo variables: an object X E r l and a proof p g x#O . So
f - E Cx,rllC~,x#Olrl . (Then, given an X such that x+O , i.e. given an X and a proof P
that x#O , we can use <p><x>f to represent I/x .)
It is clear that the representations i) and ii) have much in common.
The representations iii) and iv) are also related: in fact, we may construct,
by the axioms for subtypes, for given X rl and p - E x#O an object
out(x,p) g OT(r1 ,Cx,rl lxf0) . Then, if f l E Cx,OT(rl,Cx,r1lx#O)lrl ,
then
Cx,rl l~p,x#Ol~out(x,p)~fl E Cx ,rl lCp,x#OIrl . On the other hand, if
(for brevity some obvious subexpressions in the formula above have been
omitted) . After a careful examination of Landau's language, I have decided that
the fourth representation is closest to his intention, and have therefore
adopted it. However this leads to the following difficulty:
Let, in our example, X rl and y - E rl be given, such that X=Y , and suppose we have proofs g (~$0) and q E (~$0) . Now it is not a pri- or; clear in AUT-QE (though it is clear to Landau), that the corresponding
values <p><x>f and <q><y>f will be equal. That is: it is not guaranteed
in the language that the function values for equal arguments will be inde-
pendent of the proofs P and q .
This property of partial functions, which is called irrezevance of
proofs, can be proved for all functions which Landau introduces. When dis-
cussing arbitrary partial functions however, irrelevance of proofs had to
be assumed in some places (ck. gi te below). For a further discussion we re- fer to 4.0.1.
AS a consequence of the chosen representation of partial functions,
terms may depend on proofs, and therefore certain propositions are meaning-
ful only if others are true. This gives rise to generalized implications
(cf. 1.0 vi)) and generalized conjunctions, such as:
and "X > 0 A & # 2" .
Logical connectives of this kind have been formalized in the paragraph "r" in the preliminary AUT-QE text.
The definition-by-cases operator j t e (short for if -then-else, cf . 1 .0
vii))) can be defined on the basis of the axioms for individuals. As we
have seen (1.0 vii)), Landau admits partial functions in such definitions.
For these cases a "generalized" version of the definition-by-cases operator
g i t e (for generalized if-then-else) is required, which has been defined on-
ly for partial functions satisfying the irrelevance of proofs condition.
~ l l set theoretical concepts used by Landau (cf. 1.0 viii)) may be de-
fined starting from our axioms for sets.
The passages in Landau's text which use more or less intuitive reason-
ing (cf. 1.0 x)) could not very well be translated. In the relevant places
straightforward logical proofs were given, which follow Landau's line of
thought as closely as possible.
2. TRANSLATION
In this chapter, we discuss the actual translation of Landau's book,
the difficulties encountered and the way they were overcome (or evaded).
First, in section 2.0, we give an abstract of Landau's book; then, in sec-
tion 2.1, a general survey is given of the various reasonsto deviate occa-
sionally from Landau's text. In the following sections we describe the trans-
lation of the chapters 1 to 5 of Landau's book.
2.0. An abstract of Landau's book
i) "Kapitel 1. Natiirliche Zahlen" . Peano's axioms for the natural numbers l,2,3, ... are stated. "+" is defined as the unique operation satisfying x+l = x' and
x +y' = (X +y) ' . Properties of + (associativity, commutativity) are derived.
Order is defined by x > y :: 3u [x = y + ul. It is proved to be a li- near order relation and its connections with + are derived. "Satz 27" states that it is a well-ordering. I # . I# (multiplication) is defined as the unique operation satisfying
x.1 = x and x.y' = x.y + x. Properties of ". ' I (commutativity, associa-
tivity) are derived, and also its connections with + (distributivity) and with order.
ii) "Kapitel 2. BrGche" . Fractions (i.e. positive fractions) are defined as pairs of natural
numbers. Equivalence of fractions is defined, and proved to be an equi-
valence relation.
Order is defined, it is shown to be preserved by equivalence, and to be
an order relation. Properties are derived (e.g. it is shown that nei-
ther maximal nor minimal fractions exist, and that the set of fractions
is dense in itself).
Addition and multiplication are defined, and proved to be consistent
with equivalence. Their basic properties and interconnections are de-
rived, and their connections with order are shown. Also subtraction and
division are defined.
Rationals (i.e. positive rational numbers) are defined as equivalence
classes of fractions. Order, addition and multiplication are carried
over to the rationals, and their various properties are proved. Final-
ly the natural numbers are embedded, and the order in the rationals is
shown to be archimedean.
iii) "Kapitel 3 . Schni t te" .
Cuts i n the p o s i t i v e r a t i o n a l s a r e defined.
For these cu t s , order , addi t ion (with s u b t r a c t i o n ) , and mul t ip l i ca t ion
(with d i v i s i o n ) , a r e defined, and again t h e var ious p roper t i e s and in-
terconnections of these concepts a r e proved.
The r a t i o n a l s a r e embedded, and t h e s e t of r a t i o n a l s i s proved t o be
dense i n t h e s e t of cu t s . F i n a l l y t h e ex i s t ence of i r r a t i o n a l numbers
is proved, by introducing I /Z a s an example.
i v ) "Kapitel 4. Reelle Zahlen".
The c u t s a r e now i d e n t i f i e d with t h e p o s i t i v e r e a l numbers, and t o
these t h e r e a l number 0 and the negat ive r e a l s a r e adjoined, i n such a
way t h a t t o every p o s i t i v e r e a l t h e r e corresponds a unique negative
r e a l .
The absolute value of a r e a l number is defined. Order is defined, i ts
p roper t i e s a r e derived, and the p red ica tes " ra t iona l " and " i n t e g r a l "
("ganz") a r e defined on the r e a l s .
Now addi t ion andmult ip l ica t ion a redef ined , a n d t h e i r proper t ies and t h e i r
connections with each o the r , with absolute value and with order a r e de-
r ived. I n p a r t i c u l a r the minus opera tor ( a ssoc ia t ing t o each r e a l i t s
add i t ive inverse) i s discussed, a s well a s subtract ion and d iv i s ion .
F i n a l l y , i n the "Dedekindsche Hauptsatz", Dedekind-completeness o f t h e
order i n t h e r e a l s i s proved.
v) "Kapitel 5. Komplexe Zahlen" . Complex numbers a r e defined a s p a i r s of r e a l s .
Addition, mul t ip l i ca t ion , sub t rac t ion and d iv i s ion , t h e i r p roper t i e s
and interconnections a r e discussed.
To each complex number i s associa ted i ts conjugate, and a l s o (follow-
ing t h e d e f i n i t i o n of the square r o o t of a nonnegative r e a l ) itsmodu-
l u s ( a s a r e a l number). The connections of these two concepts with each
o the r and with t h e previously introduced opera t ions a r e derived.
For an assoc ia t ive and commutative opera tor * (which may be in te rp re ted
a s e i t h e r + o r .) , and f o r an n-tuple of complex numbers f (1) , . . ,f (n) , Landau denotes
This concept i s defined a s the value a t n of t h e unique funct ion g
(with domain {1,2, ..., n)) f o r which g ( 1 ) = f ( 1 ) and g ( i l ) = g ( i ) * f ( i 1 )
for i < n. The properties of g are proved, in particular, for a permu-
tation s of {1,2, .... n) it is proved that
The definition of is extended to n-tuples f(y),f(y +l),..,f(y+n-1)
(where y is an integer), and its properties are carried over to this
situation. C is defined as the specialization of g to the operation +, and II as its specialization to . (multiplication). Some properties of C and II are proved.
n For a complex number x and an integer n, with x # 0 or n > 0, x is de-
fined, and its properties and connections with previously defined con-
cepts are discussed.
Finally the reals are embedded in the set of complex numbers, the num-
ber i is defined, it is proved that i2 = -1, and that each complex num-
ber may be uniquely represented as a+bi with a,b real.
2.1. Deviations from Landau's text
In our translation, deviations from Landau's text appear occasionally.
They may be classified as follows:
i) In some cases a direct translation of Landau's proofs seems a bit too
complicated. We list three reasons for this.
a) Sometimes it is due to the structure of AUT-QE which does not quite
agree with the proof Landau gives. E.g. in the proof of "Satz 6"
Landau applies, for fixed yr induction with respect to x. As
X - E nat, Jf E nat is a common context in the translation, it is - easier there to apply, for fixed X ,induction with respect to Y .
b) Sometimes the reason is that Landau uses a unifying argument. E.g.
in the proof of the "Dedekindsahe Hauptsatz" there are, at a certain
stage, two real numbers E and HI such that B > 0 and E > H. Here
Landau needs a rational number Z, such that E > Z > H. Now it has
been proved in "Satz 159" that between any two positive reals there
is a rational. If H > 0 this may be applied immediately. If H 5 0 - Landau defines H = - - and again applies "Satz 159", this time
1 1 + 1 with HI.
This argument however is complicated, because, to apply "Satz 159",
first 0 < H1 < B has to be proved (which Landau fails to do). And it
is superfluous because every Z i n the c u t 1 w i l l meet t h e condit ions
i n t h i s case.
c ) I n one ins tance ( t h e proof of "Satz 27") , Landau has given a com-
p lex proof , which may be s impl i f ied .
In a l l these cases I have, i n the t r a n s l a t i o n , given a proof which f o l -
lows Landau's l i n e of reasoning. However, i n some cases , I have a l s o
given s h o r t e r a l t e r n a t i v e proofs. This means t h a t the devia t ions a r e
op t iona l i n these cases.
ii) Some of Landau's "SBtze" r e a l l y cons i s t of two o r t h r e e theorems.
E.g. "Satz 16: Aus x 5 y, y < z oder x < y, y 5 z f o l g t x < z". I n such
cases t h e theorem has been s p l i t up: "Satz 16a: Aus x 5 y , y < z f o l g t
x < z " , "Satz 16b: Aus x < y , y 5 z f o l g t x < z".
iii) Very f requent ly Landau uses without not ice a number of more o r l e s s
t r i v i a l c o r o l l a r i e s of a theorem he has proved. E.g. bes ides "Satz 93:
( X + Y ) + Z = X + ( Y + Z ) " he uses "X + (Y + Z ) = ( X + Y ) + Z" without
quoting "Satz 79". Sometimes such a p r a c t i c e i s e x p l i c i t l y announced,
e.g. i n t h e "Vorbemerkung" t o "Satz 15", where it i s s t a t e d t h a t , with
any proper ty derived f o r <, the corresponding property f o r > s h a l l be
used. I n a l l such cases t h e c o r o l l a r i e s have been formulated and proved
af t e r t h e theorems.
i v ) Following t h e t r a n s l a t i o n of the d e f i n i t i o n of a concept, we o f t e n ad-
ded the s p e c i a l i z a t i o n t o t h i s concept of c e r t a i n genera l p roper t i e s .
E.g. a f t e r t h e in t roduct ion of +, s u b s t i t u t i v i t v of equa l i ty
was applied: " I f x = y then x + z = y + z and z + x = z + y. I f x = y
and z = u then x + z = y + u". This was done i n order t o make l a t e r ap-
p l i c a t i o n s e a s i e r .
v ) I n a few proofs of t h e l a s t th ree chapters minor changes were made.
E.g. i n t h e proof of "Satz 145", where Landau s t a t e s : "Aus 5 > f o l g t
nach Satz 140 b e i passendem u 5 = n + u " b u t where, by "Def ini t ion
35" u can be defined e x p l i c i t l y by i~ := 5 - n. This has been done i n
t h e t r a n s l a t i o n , thus avoiding t h e superfluous exis tence el imination.
Another devia t ion occurs i n the proof of "Satz 284". Here Landau wr i t e s
the following chain of e q u a l i t i e s :
A s i n t h e proof t h e equa l i ty
was needed, the following chain of equations was preferred in the
translation:
vi) As we have seen in 1.0 vii) Landau formulates Peano's fifth axiom in
terms of sets, and, when applying it, always represents a predicate as
a set. In the translation this extra step has been avoided. The induc-
tion axiom is indeed introduced for sets, but then immediately a lemma,
called i nduc t i on , which applies to predicates is proved. This lemma has been used systematically in all proofs by induction.
Also "Satz 27: In jeder nicht leeren Menge natiirlicher Zahlen gibt es
eine kleinste" has been reworded and proved in terms of predicates and
not of "Mengen" . vii) "Intuitive arguments" of Landau were translated in various ways. E.g.
"Satz 20: Aus x + z > y + z bzw. x + z = y + z bzw. x + z < y + z folgt X'Y bzw. x = y bzw. x < y.
Beweis: Folgt aus Satz 19 da die drie Fiille beide Male sich ausschlies-
zen und alle MBglichkeiten erschbpfen" (where "Satz 19" asserts the
inverse implications).
Considering the fact that Landau regards this proof as belonging to
"logisches Denken", I have proved in the preliminaries three "logical"
theorems to the effect that:
If A V B V C, l ( D A E), l(E A F), l(F A D) and A *Dl B *El C *F,
then D *A, E * B and F * C. These theorems were used in the translation.
A second example: "Satz 17: Aus x 5 y, y I z folgt x I z.
Beweis: Mit zwei Gleichheitszeichen in der Voraussetzung klar; sonst
durch Satz 16 erledigt" ("Satz 16" is quoted above under ii)). Here the
AUT-QE text, when translated back into German, might read:
"Beweis: Es sei x = y. Dann ist, wenn y = z, auch x = z also x I z.
Wenn aber y < z so ist x < z nach Satz 16a, also ebenfalls x I z.
Nehme jetzt an x < y. Dann folgt aus Satz 16b x < z, also auch in die-
sem Fall x I z. Deshalb ist jedenfalls x I z".
Another argument which is difficult to translate faithfully occurs in
"Kapitel 5, 5 8" where sums and products are introduced. Landau uses
here a symbol which he intends to represent either "+" or n . , and in this way defines "C" and "JL" simultaneously. In our translation we de-
f i n e d i t e r a t i o n f o r a r b i t r a r y commutative and assoc ia t ive opera tors ,
and consequently our concept and t h e re levan t theorems a r e e s s e n t i a l -
l y s t ronger than Landau's. This g e n e r a l i t y is much e a s i e r t o descr ibe
i n AUT-QE then a theory which app l i e s only t o "+" and 'I . I' . v i i i ) Landau uses metatheorems whenever he embeds one s t r u c t u r e i n t o anoth-
e r , t o show t h a t the p roper t i e s proved f o r t h e o l d s t r u c t u r e "carry
over" t o t h e new. A s an example I c i t e h i s treatment i n chapter 2 of
t h e embedding of t h e n a t u r a l numbers i n t o the (pos i t ive ) r a t i o n a l s . X X
"Satz 111: Aus - > f bzw. -" bzw. < 1 1 1 1 1
f o l g t x > y bzw. x = y bzw. x < y".
"Definit ion 25: Eine r a t i o n a l e Zahl h e i s z t ganz, wenn unter den Brii- X
chen, deren Gesamtheit s i e i s t , e i n Bruch - vorkommt". 1 "Dies x ist nach Satz 111 e indeut ig bestimmt, und umgekehrt e n t s p r i c h t
jedem x genau e ine ganze Zahl".
"Satz 113: Die ganzen Zahlen geniigen den fiinf Axiomen der nati ir l ichen 1
Zahlen, wenn d i e Klasse von - a n S t e l l e von 1 genommen wird, und a l s X
1 X '
Nachfolger de r Klasse von - d i e Klasse von - angesehen wird". 1 1
Landau adds the following comment:
"Da =, >, < , Summe und Produkt (nach Satz 11 1 und 112) den a l t e n Be-
g r i f f e n entsprechen, haben d i e ganzen Zahlen a l l e Eigenschaften d i e
w i r i n Kapitel 1 fiir d i e nati ir l ichen Zahlen bewiesen haben".
I t was d i f f i c u l t t o t r a n s l a t e t h i s t e x t . The t r a n s l a t i o n requ i res
f i r s t a c a r e f u l ana lys i s of t h e i n t e r p r e t a t i o n of Peano's axioms i n
chapter 1. There a r e two p o s s i b i l i t i e s :
I n the f i r s t i n t e r p r e t a t i o n , the axioms descr ibe fundamental proper-
t i e s of the given system of n a t u r a l s (na t , 1 , s u c ) , which cannot be
proved from more p r imi t ive p roper t i e s , and from which a l l o t h e r prop-
e r t i e s of the system can be derived. I n t h i s conception the re is an
i n t e n t i o n t o charac te r i ze t h e s t r u c t u r e by t h e axioms.
I n t h e second i n t e r p r e t a t i o n , t h e axioms a r e simply assumptions under-
ly ing a c e r t a i n theory. The theorems of t h e theory a r e v a l i d i n any
s t r u c t u r e i n which these assumptions hold. I n t h i s view, no claim i s
made t h a t the axioms charac te r i ze t h e system. . . T h e d i f fe rence between these two conceptions can be i l l u s t r a t e d by
comparing the r61e of t h e axioms i n Euc l id ' s geometry t o the r61e of
t h e axioms f o r groups i n group theory.
The i n t e r p r e t a t i o n of "Satz 113" and Landau's comment v a r i e s according
t o t h e i n t e r p r e t a t i o n of the Peano axioms. I n t h e f i r s t i n t e r p r e t a t i o n * * *
t h e "ganzen kationalen Zahleh" form a s t r u c t u r e ( n a t , 1 , suc ) which
"happens to" have t h e same fundamental p roper t i e s a s t h e o r i g i n a l s t ruc-
t u r e (na t , 1 , s u c ) . Hence, by a s u i t a b l e metatheorem, we see t h a t t h e
reasoning of chapter 1 may be repeated f o r t h i s new s t r u c t u r e , extend- * * * * * *
ing it t o ( n a t , 1 , suc , + , . , < ) and proving t h e various proper-
t i e s of t h i s extended system.
I n t h e second i n t e r p r e t a t i o n "Satz 113" j u s t proves t h a t t h e s t r u c t u r e * * *
(na t , 1 , suc ) s a t i s f i e s t h e assumptions. After t h i s the theory of
chapter 1 can be appl ied immediately.
However the re is a f u r t h e r problem (under e i t h e r i n t e r p r e t a t i o n ) : ad- *
d i t i o n on n a t defined according t o t h e method of chapter 1 i s not (de- *
f i n i t i o n a l l y ) the same thing a s t h e r e s t r i c t i o n ( t o n a t ) of t h e addi-
t i o n on t h e r a t i o n a l s and these two functions must s t i l l be proved t o
be (extensional ly) equal. Similar remarks can be made about mul t ip l i -
ca t ion and order.
I t follows t h a t the re levan t t e x t cannot be rendered d i r e c t l y i n AUT-QE
under e i t h e r i n t e r p r e t a t i o n of Peano's axioms. There is, therefore , no
t echn ica l reason t o p re fe r one of these i n t e r p r e t a t i o n s t o the other .
Landau's ideas on t h e r61e of t h e axioms a r e not q u i t e c l e a r from h i s
t e x t . We c i t e some of h i s statements:
- I n h i s "Vorwort fiir den Kenner" he mentions c e r t a i n laws on t h e r e a l s
which can be " a l s Axiome p o s t u l i e r t " .
- He thinks it r i g h t , t h a t t h e s tudent should l e a r n "auf welchen a l s
Axiomen angenornmenen Grundtatsachen s i c h liickenlos d i e Analysis auf-
baut" . - Moreover: " In d i e s e r (Vorlesung) gelange i ch , von den Peanoschen
Axiomen der aati ir l ichen Zahlen ausgehend, b i s zur Theorie der r e e l -
l e n Zahlen".
- I n chapter 1: "Wir nehmen a l s gegeben an:
Eine Menge, d.h. Gesamtheit, von Dingen, nati ir l iche Zahlen genannt,
m i t den nachher aufzuzZhlenden Eigenschaften, Axiome genannt".
- "Von d e r Menge der natiirlichen Zahlen nehmen w i r nun an, dasz s i e
d i e Eigenschaften hat . . ." .
- A re levan t passage is a l s o "Satz 113'' quoted above.
- Landau never mentions "a system of natura ls" , l i k e i n group theory
one would discuss "a group", but always "die nati ir l ichen Zahlen".
Most of t h e sentences quoted above po in t t o t h e second i n t e r p r e t a t i o n ,
some of them however could be in te rp re ted b e t t e r o r equally wel l i n
the f i r s t way.
Now, a s n e i t h e r t echn ica l reasons nor Landau's t e x t indicated d e f i n i t e -
l y how Peano's axioms should be i n t e r p r e t e d , I decided t o i n t e r p r e t
them a s p o s t u l a t e s (PN-lines) r a t h e r then assumptions (EB-lines) be-
cause it s u i t e d my own conception of t h e na tu ra l s . Moreover t h i s i n t e r -
p r e t a t i o n reduces t h e context and thereby s i m p l i f i e s v e r i f i c a t i o n . .
The meta-reasoning sketched above has b e e n t r e a t e d a s follows. After
t h e proof of "Satz 113" the proofs of "Satz 1" and "Satz 4" (where ad-
d i t i o n i s introduced) were copied f o r the "ganzen Zahlen". However ad-
d i t i o n on t h e "ganzen Zahlen" has been defined a s t h e r e s t r i c t i o n of
add i t ion on t h e r a t i o n a l s . Then a number of theorems from "Kapitel 1"
where proved using "Satz 112". Order and mul t ip l i ca t ion were t r e a t e d
i n , a s imi la r way. These t e x t s have been i n s e r t e d a s a matter of
p r e s t i g e because we claimed t h a t we were a b l e t o say everything Landau
says. The inse r t ionswere never used however ( c f . i x ) below).
I n "Kapitel 3, 5 5" and "Kapitel 5, 5 10" s i m i l a r arguments occur,
when the r a t i o n a l s a r e embedded i n the r e a l s , and t h e r e a l s i n t h e
complex numbers. These arguments were " t r ans la ted" j u s t by construct-
ing t h e re levan t isomorphisms. This s u f f i c e s f o r a l l appl ica t ions .
i x ) A consequence of the d i f f i c u l t i e s described i n v i i i ) i s a divergence
between t h e t r a n s l a t i o n and Landau's book with respec t t o t h e use of
n a t u r a l numbers i n t h e chapters 3, 4 and 5. After h i s comment (follow-
ing "Satz 113") t h a t t h e "ganze Zahlen" have t h e same p roper t i e s a s
t h e "nati ir l iche Zahlen" Landau continues:
"Daher werfen w i r d i e nati ir l ichen Zahl.en weg, e r se tzen s i e durch d i e
entsprechenden ganzen Zahlen, und haben f o r t a n (da auch d i e Briiche
i iberfl i issig werden) i n bezug auf das Bisherige nur von ra t ionalen Zah-
l e n zu reden".
I n t h e t r a n s l a t i o n I have not followed t h i s course, because, a s pointed
o u t , it would have been a cumbersome t a s k t o prove the p roper t i e s of
t h e "nati ir l iche Zahlen" f o r the "ganze Zahlen", and a l s o because it
would have been i n e v i t a b l e t o repeat t h i s procedure with every fu r the r
extension of t h e number system. Therefore 1-have stuck t o t h e "natiir-
l i c h e Zahlen" throughout the t r a n s l a t i o n .
X) Another important devia t ion of Landau's t e x t was caused by
"Defini t ion 43: W i r erschaffen e ine neue, von den posi t iven Zahlen ver-
schiedene ~ a h l 0. W i r erschaffen fe rner Zahlen d i e von den posi t iven
und 0 verschieden s ind, negative genannt, d e r a r t , dasz w i r jedem 5
(d.h. jeder pos i t iven Zahl) e ine negative Zahl zucrdnen, d i e w i r -5
nennen" . I doubt wether t h i s c rea t ive a c t may be c a l l e d a "def ini t ion" . Landau
considers it a p a r t of "logisches Denken" t o form, given s e t s (o r types)
a and 8, t h e Cartesian product a x 8, a s i s c l e a r from chapter 2. I t
might be a l s o considered " logical" t o form t h e d i s j o i n t u n i o n a e 6 . B u t
Landau does no t mention t h i s , he j u s t "creates" 0 and t h e negative
numbers from nothing.
Moreover I do n o t see a formal d i f fe rence between t h e a s s e r t i o n "1 i s t
e ine nati ir l iche Zahl" (which Landau c a l l s an axiom) and t h e a s s e r t i o n
"0 i s t e ine r e e l l e Zahl" (which he c a l l s a d e f i n i t i o n ) . Neither do I
see a formal d i f fe rence between "x' # 1" and "-5 # 0". I n my opinion
t h e l i m i t s of "logisches Denken" a r e exceeded here.
I n agreement with t h i s c r i t i c i s m I have t r a n s l a t e d t h i s "def in i t ion"
by introducing a number of pr imit ive concepts and axioms (PN-lines).
The type of r e a l numbers rl is a p r imi t ive type. To any c u t 5 r e a l
numbers p ( S ) and n(5) a r e associated. 0 is a pr imit ive r e a l num-
ber,. Next t h e r e a r e axioms t o the e f f e c t t h a t t h e functions
[x,cu~]~(x) and [x,cut]n(x) a r e i n j e c t i v e . Now X rl has the
property POS (o r neg ) i f it is i n t h e range of t h e f i r s t (.or the
second) of these functions. Then the re a r e axioms s t a t i n g t h a t , f o r
X - E r? , pos(x) , neg(x) and X=O a r e mutually exclusive, and t h a t
each X rl has one of these p roper t i e s . ( I n f a c t Landau does not
s t a t e t h e l a t t e r axiom e x p l i c i t l y . ) S t a r t i n g from these axioms "Kapi-
t e l 4" was t r ans la ted .
However, a s I thought it unsa t i s fac to ry t o develop t h e theory of r e a l
and complex numbers using more than Peano's w i a m s alone, I have added
an a l t e r n a t i v e AUT-QE vers ion of chapter 4, c a l l e d chapter 4a, where
t h e r e a l numbers a r e defined a s equivalence c lasses of p a i r s of c u t s ,
and where a l l theorems of Landau's "Kapitel 4" a r e proved f o r these a l -
t e r n a t i v e r e a l s . The AUT-QE t r a n s l a t i o n of chapter 5 has been checked
r e l a t i v e t o t h e AUT-QE book consis t ing of the chapters 1 , 2, 3 and 4a.
2.2. The t r a n s l a t i o n of "Kapitel 1"
§ 1. Equali ty was introduced i n t h e p re l iminar ies ( c f . 1.3 ii) and
1 .4 ) . n a t is introduced a s a p r imi t ive type, the Peano axioms a s PN-lines
( c f . 2.1 v i i i ) ) . Induction is formulated i n terms of s e t s , bu t immediately
a lemma on induction, which app l i e s t o p red ica tes i s proved. This lemma i s
used i n t h e sequel (cf . 2.1 v i ) ) . § 2. "Satz 4: Auf genau e ine A r t l d s z t s i c h jedem Zahlenpaar x ,y e ine
nat i i r l iche Zahl, x + y genannt, s o zuordnen, dasz..." has been t r a n s l a t e d
t h e way it is proved by Landau, v iz . " for each X n a t the re e x i s t s a uni-
que funct ion f [ t , n a t l n a t such t h a t . . . 'I. ( I n f a c t t h i s theorem might
have been proved without using extensional equa l i ty of funct ions . )
After t h e proof of "Satz 4" we have i n the t r a n s l a t i o n 11 c o r o l l a r i e s
and lemma's ( c f . 2.1 iii) and 2.1 i v ) ) . To some of these Landau r e f e r s ex-
p l i c i t l y ( i n t h e proof of "Satz 6": "nach dem Konstruktion beim Beweise des
Satzes 4") bu t more o f t e n they a r e used i m p l i c i t l y (e.g. i n t h e proofs of
"Satz 9" and "Satz 24").
§ 3. Landau's "Def ini t ion 2: 1st x = y + u s o i s t x > y" i s a b i t loose
and requ i res of course a b e t t e r formalization. H i s proof of "Satz 27" i s not
very wel l organized, and uses i n d i r e c t reasoning twice. After t h e t r ans la -
t i o n of t h i s proof i n AUT-QE (36 l i n e s , 458 i d e n t i f i e r occurrences) a more
s t ra ightforward proof was given (reducing t h e length t o 23 l i n e s , 264 iden-
t i f i e r occurrences). This a l t e r n a t i v e proof, t r a n s l a t e d back i n t o German
(with "Mengen" ins tead of p red ica tes , c f . 2.1 v i ) ) , might read a s follows:
"Satz 27: I n jeder n i c h t leeren Menge nat i i r l icher Zahlen g i b t e s e ine kle in-
stet!.
Beweis: N s e i d i e gegebene Menge, M d i e Menge de r x d i e I jeder Zahl aus N
s ind. Nehme an e s g i b t i n N keine k l e i n s t e .
1 gehdr t zu M nach Satz 24.
1st x zu M gehdrig s o i s t x < jeder Zahl aus N. x gehdr t n i c h t zu N ,
den sonnst wdre x k l e i n s t e Zahl aus N. Nach Satz 25 i s t a l s o jeder ZahlausN
2 x + 1, und daher gehtjrt x + 1 zu M.
M e n t h d l t somit jede nat i i r l iche Zahl.
Wenn aber y zu N gehtjrt, so gehdrt , wegen y + 1 > y , y + l n i c h t zu M I
gegen des obige.
N e n t h d l t a l s o e ine k l e i n s t e Zahl".
(The German proofs do not d i f fe r toomuch i n length: they contain 139 resp .
116 words.)
5 4. The theorems on multiplication and their proofs are very similar
to those on addition. The remarks made above concerning the translation of
5 2 apply here too.
After the translation of "Kapitel I", in our AUT-QE text, for each
X - E n a t , the type I ~ Q ( x ) of the natural numbers I x is defined. Then,
for an arbitrary type S , the type p a i r l t y p e ( S ) is defined to be
[ t . , l t0(2)1S . ~t represents the type of pairs (a,b) with a E S , b - E S . Its various properties are then derived (cf. 1.3 v)).
2.3. The translation of "Kapitel 2"
5 1. Landau defines fractions as ordered pairs. However he does not
use variables for pairs, but indicates them by their components:
I1 , _ I1 X1 , etc. In the translation X is a variable for fractions, with X2 y2
numerator ~ U M ( X ) and denominator den(x) . And to XI - E n a t , ~2 - E n a t
is associated the fraction f r ( x l , x 2 ) . 5 5. The rationals are defined as equivalence classes of fractions.
The subsequent proofs have all the same structure: in the equivalence clas-
ses representatives are chosen, and the theorems proved for these represen-
tatives are carried over to their classes. (Landau rather summarily des-
cribes this course of reasoning. E.g.: "Satz 81: ... . Beweis: Satz 41".) In order to translate this practice, four lemmas were proved, cover-
ing the cases where 1, 2, 3 or 4 rationals are involved, and which are used
throughout the translation of 8 5.
After the proof of "Satz 112" it is proved (as an extra theorem) that
for two "ganzen Zahlen" x and y, such that x > y, the difference x - y is also "ganz". Landau uses this (without proof) in his proofs of "Satz 162"
and "Satz 285".
The translation of "Satz ill", "Definition 25", "Satz 112" and "Satz
113", with the ensuing text on "throwing away" the naturals, has been exten-
sively discussed already in 2.1 viii).
2.4. The translation of "Kapitel 3"
5 1. The definition of the concept "Schnitt" did not give rise to dif-
ficulties. The type C U ~ is defined as the type of those sets of rationals
which are cuts. Now, in this definition, there are three properties of cuts
5 which involve existential quantification:
i) 5 is not empty: 3x [x E 51.
ii) the complement of 5 is not empty: 3x [x f 51.
iii) 5 contains no maximal element: if x E 5 then 3y Cy E 5 A y > x].
Therefore, if 5 is a cut, then there are three ways to apply existence eli-
mination. Three lemmas to that effect (which Landau uses without notice)
are stated and proved in the AUT-QE text immediately after the introduction
of the concept Cut . Also in other paragraphs in this chapter, when existential quantifica-
tion was used in defining relations (> in 2) or objects (5 + 0 in S 3,
5.n in 5 41, a corresponding existence elimination rule was stated and
proved as a lemma immediately afterwards.
5 3. "Satz 132. Bei jedern Schnitt gibt es, wenn A gegeben ist, eine
Unterzahl X und eine Oberzahl U mit U - X = A" is an example of the use of
"generalized" logic as described in 1.4. In fact, as U and X are positive
rationals, the term U - X is only defined if U > X. That this is the case
is a consequence of the assumption that U and X are "Oberzahl" resp. "Unter-
zahl" of the same cut 5 (i.e. U 6 5 and X E 5). In the proof of "Satz 140" there is a reference to the "Anfang des Be-
weises des Satzes 134". In Landau's Satz-Beweis style this is slightly un-
orthodox. In AUT-QE there is no such objection. The translation of this re-
ference is given in a single AUT-QE line referring to a line in the proof
of "Satz 140".
5 4. Preceding the proof of "Satz 141" there is in the AUT-QE transla- 1
tion a lemma stating that for rationals X and Z we have y . Z = - . This is X
used without proof by Landau in the proofs of "Satz 141" and "Satz 145".
§ 5. Embedding the (positive) rationals in the (positive) reals, (i.e.
in the type cut), gives rise to difficulties as described in 2.1 viii).
Finally, it is proved in the translation (as a corollary of "Satz 112")
that, for cuts 5 and n which are (embedded) naturals, 5 + q, x.n and (if 5 > n) 5 - 0 are (embedded) naturals too. These results are used in "Kapi- tel 5, § 8".
2.5. The translation of "Kapitel 4"
§ 1. The first definition of this chapter and its translation have
been discussed in 2.1 x): Contrary to Landau's intentions, in the transla-
tion the cuts from chapter 3 are not identified with positive reals. This
is because we want to collect the reals in a single type rl , and because
types i n AUT-QE a r e unique. (Accordingly the re a r e i n AUT-QE no f a c i l i t i e s
f o r extending types; we always have t o use embeddings ins tead . ) Some proofs
i n t h i s chapter a r e complicated by t h i s d i s t i n c t i o n between c u t s and posi-
t i v e r e a l s .
5 2. The very complicated d e f i n i t i o n s by cases i n t h i s chapter were
occas ional ly s l i g h t l y modified. E.g.:
"Def ini t ion 44 :
I 5 wenn E = 5
1 = 0 w e n n B = O
5 wenn B = -5".
was t r a n s l a t e d a s
i f E = n(5) 1 B 1 =
otherwise
(here p ( 5 ) and n ( 5 ) denote the p o s i t i v e and negative r e a l s associa ted with
t h e c u t 5) . 5 3. The t r a n s l a t i o n of "Def ini t ion 52" (quoted i n 1.0 v i i ) ) was t i r e -
some ( i t t o o k about 180 AUT-QE l i n e s ) . Equally t ed ious t o t r a n s l a t e were the
proofs of t h e theorems following t h i s d e f i n i t i o n ("Satz 175", "Satz 180".
"Satz 185"). I n t h e proof of "Satz 182" it i s l e f t t o t h e reader t o check
t h e theorem i n a number of cases. This t a sk could no t be l e f t t o a non-hu-
man reader without f u r t h e r ins t ruc t ions .
I n t h e proof of "Satz 185" t h e order i n which the 11 d i f f e r e n t cases
a r e t r e a t e d has been a l t e r e d i n t h e t r a n s l a t i o n . The essence of the proof
has not been changed, however.
5 4. The d e f i n i t i o n of mul t ip l i ca t ion , where 6 cases a r e discerned,
gave r i s e t o s i m i l a r d i f f i c u l t i e s a s the d e f i n i t i o n of add i t ion (it took
about 110 AUT-QE l i n e s ) . I had some doubts how t o i n t e r p r e t
"Satz 196: 1st E # 0, H # 0, so i s t
je nachdem keine oder zwei, bzw. genau e ine de r Zahlen E , H negativ sind".
A t f i r s t s i g h t t h i s seems t o mean:
a ) I f B and H a r e no t negative then E.H = I B l . I H I .
b ) I f E and H a r e negative then E .H = I E 1 . I H I . c ) I f B not negative, H negative then E.H = - ( l E l . / H I ) .
d) I f B negative, H not-negative then E.H = - ( l E l . I H I ) .
However, i f t h i s meaning i s intended the condit ion E # 0, H # 0 is super-
f luous . Therefore, poss ibly , the statement i s meant t o include a l s o
e ) I f B . H = I B 1 . I H I then ne i the r o r both of 5 and H a r e negative.
f ) I f E . H = - (151 . ] H I ) then E i s negative and H is not, o r H i s negative
and B is not.
Landau's proof ("Beweis: Def ini t ion 55") does no t g ive a c lue , and i n l a t e r
references t o t h e theorem he only uses a ) , b ) , c ) o r d ) . Nevertheless I have .
formalized proofs of e ) and f ) i n the t r a n s l a t i o n .
"Satz 194" and "Satz 199" have complicated proofs by cases , which were
no t easy t o formalize.
5 5. The "Vorbemerkung" t o "Satz 205" requ i res two proofs. Some lemmas
a r e needed f o r t h e proof of t h e "Hauptsatz" i t s e l f , e.g. it is used t h a t 1 - H - . - H = - - ( c f . 2.4). No spec ia l d i f f i c u l t i e s arose i n proving t h i s important - - theorem.
2.6. The a l t e r n a t i v e vers ion of chapter 4
Our motivation t o w r i t e another vers ion of chapter 4, ca l l edchap te r 4a,
was discussed i n 2.1 x ) . I n t h i s chapter the theorems of chapter 4 a r e
proved f o r r e a l s which a r e d e f i n e d i n a way d i f f e r e n t from Landau's. Also
t h e order i n which these theorems appear d i f f e r s from Landau's order .
A t t h e end of t h i s chapter the square roo t of a nonnegative r e a l i s
defined using "Satz 161", and i ts proper t i e s a r e derived. (This has been
done by Landau i n "Kapitel 5, 5 7") .
The lengths of t h e AUT-QE t e x t s of chapter 4 and chapter 4a a r e about
equal.
2.7. The t r a n s l a t i o n of "Kapitel 9"
The a c t u a l t r a n s l a t i o n of t h i s chapter i s preceded by a number of lem-
mas. Some of these g ive p roper t i e s of d iv i s ion on t h e r e a l s , i m p l i c i t l y
used by Landau i n t h e sequel . Further the re a r e lemmas descr ib ing t h e s h i f t
of a segment of i n t e g e r s yly+l,y+2,. . . , x t o an i n i t i a l segment of t h e natu-
r a l s 1 ,2 ,..., (x+1) - y , which serve the t r a n s l a t i o n of 5 8.
The t r a n s l a t i o n of t h e f i r s t seven paragraphs of t h i s chapter was
s t ra ightforward. Preceding the proof of "Satz 221'' some lemmas appear, des-
c r ib ing , f o r a complex number x , the p roper t i e s of Re(x) + Im(x) 2. These
p r o p e r t i e s a r e used by Landau without no t i ce i n t h e proofs of "Satz 221"
and "Satz 229" and i n the d e f i n i t i o n of 1x1 ( ' 'Definit ion 66"). ( ~ n my opi-
nion, a t l e a s t a remark should have been made i n t h i s d e f i n i t i o n , t o t h e e f -
f e c t t h a t Re(xl2 + Im(x) 2 O f o r complex x ) .
5 8. The t r a n s l a t i o n of t h i s paragraph was d i f f i c u l t . Landau d i scusses
x-tuples of complex numbers i n order t o def ine t h e i r sums and products. H e
introduces the concept of an x-tuple a s follows: "Es s e i f ( n ) f i ir n 5 x de-
f i n i e r t " , and expla ins t h i s l a t e r on: "Unter " d e f i n i e r t " ve r s t ehe i c h " a l s
komplexe Zahl d e f i n i e r t " . Af ter proving some theorems he extends t h e concept .
t o x-tuples indexed by segments of (poss ibly negative) in tegers : " In Defini-
t i o n 70 und Satz 284 b i s Satz 286 bezeichnen ausnahmsweise l a t e i n i s c h e Buch-
stabenganze ( n i c h t notwendig p o s i t i v e ) Zahlen.
E s s e i y 5 x , f (n) f a r y n 5 x d e f i n i e r t . . . ." . There a r e ( a t l e a s t ) th ree na tu ra l ways t o represent i n AUT-QE t h e con-
cep t of x-tuple indexed by an i n i t i a l segment of the na tu ra l s :
i) f might be considered a s a funct ion from the type n a t t o t h e type
CX of complex numbers, of which only the f i r s t x values a r e taken in-
t o account. I f we t ake t h i s a t t i t u d e it should be proved t h a t i f f and
g coincide f o r n 5 x then t h e i r sums (and products) up t o x a r e equal.
ii) f might be represented a s a funct ion of type [ t , t l a t l [ l J , t l X ] ~ ~ , i . e .
a s a p a r t i a l funct ion l i k e those discussed i n 1.4.
iii) f might be considered a s a funct ion having a s i ts domain t h e type
I ~ o ( x ) , t h e subtype of those n a t u r a l s which a r e I x.
A l l these p o s s i b i l i t i e s have c e r t a i n advantages. The f i r s t one i s pro-
bably t h e e a s i e s t one, t h e second is i n b e t t e r harmony with the r e s t of our
AUT-QE t r a n s l a t i o n , t h e t h i r d maybe corresponds b e t t e r with Landau's in ten-
t i o n s .
The t h i r d formal iza t ion was f i n a l l y chosen, but caused q u i t e some trou-
b l e because (on account of t h e u n i c i t y of types) numbers of type I ~ o ( x ) do
not have a l s o type I ~ o ( x + ~ ) . A s t o t h e formal iza t ion of x-tuples indexed by segments of t h e in te -
ge r s , t h e r e was the ex t ra d i f f i c u l t y t h a t t h e p red ica te "ganze Zahl" on t h e
r e a l s i s not thoroughly discussed by Landau. E.g. he does not prove t h a t
t h e i n t e g e r s a r e closed under add i t ion and subtract ion, though he uses t h i s
i n t h e t e x t .
For t h i s reason it seemed inappropr ia te t o de f ine the type of i n t e -
ge r s a s a subtype of t h e r e a l s , and t o de f ine f a s a ( p a r t i a l ) funct ion on
t h i s type i n one of t h e ways discussed above.
Therefore we defined f, for fixed integers x and y, as a function of
type [t,reallCU,int(t)]CU,YStlXl~~ i.e. as a partial function on the
reals. (rather like [ t , t la t ] [U , t~x ]cx , see ii) above). With this formalization of x-tuples (resp. (x+i) -y-tuples) the trans-
lation of § 8 turned out to be laborious. Many rather meaningless embedding
and lifting functions appear in the proofs. In particular the proof of
"Satz 283" where it is shown that sums (products) are invariant under per-
mutations of their terns (factors) turned out to be long and tedious. (It
should be remarked that Landau's proof is long too: 4 pages, 87 lines of
German text, while the translation needs 365.lines of AUT-QE text.)
The last two paragraphs did not present difficulties in translating.
3. VERIFICATION
I n t h i s chapter t h e v e r i f i c a t i o n of t h e AUT-QE t e x t i s described. Some
f e a t u r e s of t h e program and t h e p o s s i b i l i t y of excerpting a r e discussed.
3.0. Ver i f i ca t ion of t h e t e x t
The v e r i f i c a t i o n of the AUT-QE t r a n s l a t i o n of Landau's book was execut-
ed on t h e Burroughs B6700 computer a t the Technological Universi ty of Eind-
hoven. The l a s t page of the book was checked i n September 1975. The whole
book was checked i n a f i n a l run on October 18, 1975. The ve r i fy ing program
was conceived by N.G. de Bruijn and implemented by I. Zandleven. For a des-
c r i p t i o n of t h i s program we r e f e r t o [ ~ l ] . Zandleven a l s o provided tha pro-
gram with inpu t and output f a c i l i t i e s , and extended i t with a conversatio-
n a l mode f o r on-l ine checking and cor rec t ing of t e x t s .
The v e r i f i c a t i o n took place i n th ree s tages :
i) F i r s t t h e AUT-QE t e x t was fed i n t o the system on a t e l e p r i n t e r . A t
this s t a g e t h e main s y n t a c t i c a l s t r u c t u r e of t h e t e x t was analyzed. I t
was checked, f o r example, t h a t t h e format of t h e l i n e s was a s it should
be, t h a t the bracketing of the expressions was c o r r e c t , and t h a t no un-
known i d e n t i f i e r s occurred.
ii) Secondly the AUT-QE t e x t was coded. A t this s t a g e t h e c o r r e c t use of
the context s t r u c t u r e , the v a l i d i t y of va r i ab les , t h e c o r r e c t use of
t h e shorthand facility CVD, 2.151 and of t h e paragraph reference sys-
tem (cf . appendix 2 ) , were checked.
iii) F i n a l l y t h e t e x t was checked with respec t t o a l l c lauses of t h e langua-
ge d e f i n i t i o n . A t t h i s s t age the degrees CVD, 2.31 and types of expres-
s ions were ca lcu la ted , and the correctness of app l i ca t ion expressions
and constant expressions was checked. V i t a l f o r t h i s i s t h e v e r i f i c a -
t i o n of t h e d e f i n i t i o n a l equa l i ty of c e r t a i n types (c f . CVD, 2.101,
C Z l l ) .
Runs of t h e s t ages ii) and iii) general ly claimed much of t h e compu-
t e r s ( v i r t u a l ) memory capaci ty (over 600K bytes was needed f o r the program
together w i t h t h e coded t e x t ) . I n order t o avoid congestion i n t h e mult i-
programming system it was therefore necessary t o have the program executed
a t n igh t (and o f f - l ine ) . A s AUMMATHtexts arechecked r e l a t i v e t o correctbooks,
amechanicalprovisionaldebuggingdevice f o r o f f - l ine checking was implemen-
t ed , by which l i n e s which were found incor rec t could be t e n t a t i v e l y repaired.
E.g., when t h e middle par t CVD, 2.13.11 of a l i n e was found i n c o r r e c t , t h e
debugging device changed it temporarily i n t o P N , thus turning an abbrevia-
t i o n l i n e i n t o a PN-line. The l i n e s o "corrected" was then again checked,
and, i f i t w a s foundcor rec t , t h e l i n e s following couldthenbechecked r e l a t i v e t o
the "corrected" book. By t h i s device it was not necessary t o s t o p t h e check-
ing immediately a f t e r t h e f i r s t e r r o r had been found.
Another f e a t u r e of t h e ve r i fy ing program was added because of t h e f a c t
t h a t proving expressions t o be incor rec t (especia l ly proving expressions t o
be not d e f i n i t i o n a l l y equal) i s o f ten more d i f f i c u l t and more time-consum-
ing then proving correctness . Therefore during o f f - l i n e runs a parameter i n
the program iviz . t h e number of decis ion po in t s , t o be explained i n 3.1) has
been l imi ted, and l i n e s were considered provis ional ly incor rec t when t h i s
l i m i t was exceeded.
When the l a t e r chapters were checked, w e reduced t h e demands on t h e
computers memory capacity by abridging the book r e l a t i v e t o which t h e t e x t
was checked, i n t h e following way: I n the chapters which had already been
found cor rec t , the proofs of theorems and lemmas were omitted, a n d t h e f i n a l
l i n e s of these proofs (where the theorems and lemmas a r e asser ted) were
changed i n t o PN-lines. Each time a chapter was completely checked ( r e l a t i v e
t o t h e book so abridged) it was abridged i n i t s turn .
Text which a r e c o r r e c t r e l a t i v e t o the abridged book w i l l be c o r r e c t
with respect t o t h e unabridged book too. On the other hand, a s i n c l a s s i c a l
mathematics the re i s no reference t o proofs but only t o asse r t ions , it i s
unl ikely t h a t t e x t s w h i c h a r e c o r r e c t r e l a t i v e t o the unabridged book w i l l
be re jec ted r e l a t i v e t o t h e abridged book. I n ac tua l f a c t t h i s d id not
occur.
When a chapter , a f t e r several o f f - l i n e runs of t h e program,wasfound
t o be "nearly cor rec t " , the f i n a l v e r i f i c a t i o n of t h a t chapter took place
on-line. I n suchanon-l ine run t h e remaining e r r o r s could be i m e d i a t e l y
corrected. Moreover c o r r e c t l i n e s could be v e r i f i e d , which had been provi-
s iona l ly re jec ted because t h e n b b e r of decis ion po in t s during v e r i f i c a t i o n
i n o f f - l ine runs had exceeded the chosen l i m i t . The v e r i f i c a t i o n of such
complicated l i n e s could be shortened by d i rec t ing ( i n conversational mode)
the s t ra tegy f o r es tab l i sh ing d e f i n i t i o n a l equal i ty .
After a l l chapters were v e r i f i e d i n t h i s way, t h e i n t e g r a l AUT-QE
t e x t (complete and unabridged) was checked during a f i n a l on-line run,
which took 2 hours ( r e a l t ime) . Of t h i s time 42 min was spent on v e r i f i c a -
t i o n (not including t h e time needed f o r coding).
32
I n a t a b l e we l i s t some da ta on t h i s f i n a l run, concerning v e r i f i c a t i o n
time, number of performed reductions and memory occupied
verification time
in seconds
a-reductiorrs
8-reductions
6-reductions
q-reductions
nr. of lines
nr. of expressions
preliminarl
text
chapter
1
143.1
752
832
1111
- 886
12155
complete
text
2519.7
10485
6014
20063
2
13433
215138
Since one coded expression occupies about 30 bytes (mainly used f o r referen-
ces t o subexpressions), the t o t a l memory required f o r t h e coded book is
about 6500 K bytes (= 52000 K b i t s ) .
3.1. Control l ing the s t r a t e g y of t h e program
I n order t o e s t a b l i s h d e f i n i t i o n a l equa l i ty of two expressions, t h e
v e r i f i c a t i o n system t r i e s t o f i n d another expression t o which both reduce.
The choice of e f f i c i e n t reduction s t e p s f o r t h i s purpose is a mat ter of
s t r a t e g y ( C V D , 6.4.11) . The programmed s t r a t e g y is described i n [~l].
Under t h i s s t r a t e g y i t is poss ib le t h a t intermediate r e s u l t s a r e ob-
ta ined which s t rong ly suggest a negative answer t o t h e quest ion of de f in i -
t i o n a l equa l i ty , without d e f i n i t e l y s e t t l i n g it. Suppose, f o r example, t h a t
a(p)=a(q) has t o be es tabl ished. The programs s t r a t e g y is t o a s c e r t a i n
t h a t t h e constants a and a a r e i d e n t i c a l and t o v e r i f y whether p=q . I f t h i s i s not t h e case , the re i s a s t rong suggestion t h a t a (p ) and a ( q )
a r e no t d e f i n i t i o n a l l y equal e i t h e r , bu t t h i s i s y e t uncer ta in . For example,
they a r e d e f i n i t i o n a l l y equal r e l a t i v e t o t h e book
* n := P N E type -- * p := P N E n - * q := P N E n - * x := - E n -
~ * a : = P - E n
~t is a matter of s t r a t e g y how t o proceed i n such cases. We may e i t h e r
apply 6-reduction ( i n which case t h e i s s u e w i l l be eventual ly s e t t l e d ) o r
we may t r y t o continue t h e v e r i f i c a t i o n process without using a(p)=a(q) .
Such a situation is called a decision point. In on-line runs the veri-
fication may be controlled here by the human operator. (Actually, in the
situation sketched above, information will be supplied, and the question
will appear whether 6-reduction should be tried.) In off-line runs 6-reduc-
tion will be applied in order to get a definite answer to the question, and
it will be checked that the total number of decision points passed during
the checking of a line does not exceed the chosen limit (cf. 3.0).
3.2. Shortcomings in the verifying program
In appendix 5, two shortcomings in the verifying program are indicated.
Due to these shortcomings there is, at this moment no complete (mechanical-
ly sustained) certainty that the verified AUT-QE text is correct.
It is hard to believe, however, that any incorrect AUT-QE lines have
been accepted by the machine during verification. We mention the following ,
rather intuitive considerations in support of this opinion:
i) Given a correct AUT-QE expression, we can consider all possible ways to
change it into an incorrect one by replacing, somewhere, a bound varia-
ble by an other one. Only a very small fraction of these possibilities
will give rise to incorrect expressions which the program (unjustly) ac-
cepts. For most expressions this fraction will even be 0. As the writer
intended to produce correct AUT-QE expressions, and as he did not make
many mistakes using wrong variables, it is improbable that incorrect ex-
pressions have been accepted.
ii) No correct expressions have ever been refused during the verification,
though the number of correct expressions presented exceeded considera-
bly the number of incorrect ones.
Before long the text will be verified by anentirely new program, in
which clash of variables is impossible because the coding system uses name-
less variabZes ( Cd~2 1 ) .
3.3. Excerpting,
Let B be an AUT-QE book, i.e. a finite sequence of lines. A subbook of
B is a subsequence of this sequence. A program, called excerpt, is availa-
ble which, given a correct book B and a line R of B, produces the minimal
correct subbook of B containing R. (It is possible to have the line provi-
sionally changed into a PN-line before the subbook is produced.)
This program w i l l d isplay a l l concepts re levan t t o t h e d e f i n i t i o n of a
given concept, and a l l theorems (with t h e i r proofs) used ( e x p l i c i t l y o r i m -
p l i c i t l y ) i n t h e proof of a given theorem. (If the l i n e is f i r s t changed in-
t o a PN-line, the program w i l l j u s t g ive t h e assumptions under which the
theorem holds, and t h e concepts necessary t o understand i ts contents.)
AS an example, we give i n appendix 4 an excerpted t e x t f o r "Satz 27".
4. CONCLUSIONS
Inthi~~hapter~ediscuss some possibilities to represent logic in
AUTOMATH. We indicate some desirable extensions of AUT-68 and AUT-QE, and
we discuss some aspects (positive as well as negative) of our translation.
4.0. Formalization of logic in AUTOMATH
In this section we shall describe various possibilities to represent
systems of natural deduction in AUT-68 (CVD, 2]), in AUT-QE and in some
closely related languages. First we discuss two main decisions which have
to be made when choosing between these possibilities. Then we indicate ex-
plicitly two possibilities to represent logic.
4.0.0. First order V. higher order
In most AUTOMATH languages there are certain restrictions on abstrac-
tion. E.g. in AUT-68 as well as in AUT-QE correct abstraction expressions
have the form Cx,al~ where a is a 2-expression (and hence x, having type a,
is a 3-variable, i.e. a variable which is a 3-expression).
Such restrictions allow a faithful representation of first order logic
(in the sense of excluding higher order formulas and inferences). In AUT-68
as well as in AUT-QE this can be done by representing propositions and pre-
dicates as 2-expressions (as described in CVD, 31). Then proposition varia-
bles and (in AUT-QE) predicate variables will be 2-variables and abstrac-
tion (or quantification) with respect to such variables is impossible in
the language. If, in such a setting, we want to discern between proposition
variables and predicate variables then it is necessary to have abstraction
expressions of degree 1 in the language, i.e. to use AUT-QE (and not
AUT-68) . In order to represent higher order logic we should require the possi-
bility of abstraction with respect to proposition and predicate variables.
Therefore, if we stick to the abstraction restrictions of AUT-68 or AUT-QE,
we should represent propositions and predicates by 3-expressions. We may
proceed in two ways:
i) we can associate to each proposition a (primitive) type (which we will
call the assertion type of the proposition). Objects of this type will
be considered as proofs of the proposition. In other words: we consider
the proposition as asserted iff its assertion type contains some object.
This possibility will be elaborated in 4.0.2.
( In e a r l i e r publ icat ion on AUT-68, boo1 and TRUE were used ins tead of
PROP and 1 ) . If S i s a type, an ob jec t P - E [X ,SIPROP has t o be i n t e r -
pre ted a s a predicate . Objects of type C X , S I ~ ( < X > P ) must then be i n t e r -
pre ted a s proving t h a t P holds f o r every X s . So we want t o introduce
t h e proposi t ion V ( S , P ) which has the property t h a t i t s a s s e r t i o n type con-
t a i n s elements i f f t h e type C X , S I ~ ( < X > P ) contains elements. This is ex-
pressed i n the following l i n e s :
S t a r t i n g from these pr imit ive concepts and axioms, higher order log ic can
be developed. An ind ica t ion of h3w t h i s can be done, is given i n appendix 6 ,
where t h e f i r s t t h r e e theorems from Landau's book a r e derived on t h e b a s i s
of t h e l o g i c so developed.
This log ic represents a const ruct ive system of na tu ra l deduction.
Axioms could be added f o r extensional equa l i ty of functions and extensional
equality of propositions ( i . e . i f a ++ b then a = b ) .
C lass ica l l o g i c could be represented t h i s way by adding axioms f o r ir-
relevance of proofs:
and f o r t h e double negation law:
4.0.3. A representa t ion of log ic i n AUT-QE
How log ic can be represented i n AUT-QE is described i n CVD, 31 . This
system, a f i r s t order system of na tu ra l deduction, has been used i n our
t r a n s l a t i o n . An ind ica t ion of the development of log ic i n it can be found
i n t h e excerpted t e x t i n appendix 7 , which covers t h e proofs of t h e f i r s t
th ree theorems of Landau's book and t h e l o g i c used i n these proofs.
The system i s a b i t ambivalent, because it is c l a s s i c a l ( c o n t a i n i n g t h e
double negation law a s an axiom) but does not s a t i s f y i r re levance of proofs.
There a r e two obvious ways t o implement i r re levance of proofs:
i) by adding an axiom:
That is: i f t o every proof of A an ob jec t of type S i s associa ted,
then t h i s ob jec t i s independent of t h e nature of t h e proof. I t has been
indicated by J. Zucker t h a t t h i s axiom implies i r re levance of proofs i n
p a r t i a l funct ions a s mentioned i n 1.4:
ii) by extending, in the language, the relation of definitional equality,
in such a way that two 3p-expressions (cf. 1.2) are definitionally equal
iff their types are definitionally equal. This has been done in the lan-
guage AUT-Jl (cf. [z]), but could be done in a variant of AUT-QE as well.
If we want to formalize intuitionistic logic in AUT-QE we should have
the absurdity rule (i.e. contradiction implies any proposition) instead of
the double negation law. The logical connectives (apart from implication)
and the existential quantifier could be added as primitive constants, and
their elimination- and introduction rules as axioms.
4.1. The language
In this section we discuss some features of AUTOMATH languages, and
the value of these features for the formalization of mathematics.
4.1.0. AUT-SYNT
Consider the following AUT-QE text, representing the introduction rule
for conjunction:
* a . - . - - E p r o p - a * b := - - Eprop b * u . - . - - E a - U * V . - . - - E b - v * andi := ----- E and(a,b) -
(where the dots indicate some proof which is irrelevant for the present dis-
cussion). We will call the variables a,b,u,v the parameters of andi . If we want to apply this rule for propositions A and B, we need two proofs p and q
of the propositions, thus getting the proof andi(A,B,p,q) E and(A,B). Suppose we are given the proof p, then we can compute mechanically its
type (Cf . , CVD, 6.4.2.3 1 ) which is (def initionally equal to) the proposition A it proves. A similar observation holds for q and B. Hence we could say
that the expression andi(A,B,p,q) contains redundant information. If the
"mechanicaZ type" function CAT (CVD, 6.4.2.31) were incorporated in the lan-
guage, we could write, instead of the expression above, andi(CAT(p),CAT(q),
p,q), .which only contains p and q. We will call the parameters U and V
(for which p and q are substituted) the essentiaz parameters of andi , while a and b (for which the redundant expressions A and B are substituted)
are called redundant parameters. There are many other examples of expres-
sions with redundant parameters.
It is worth while to extend the language in such a way that redundant
parameters can be avoided, because the expressions which have to be substi-
tuted for them might be long. A system of extensions of this kind has been
proposed by I. Zandleven. It is called AUT-SYNT since it admits syntactic
variabtes for expressions. Thus we have the languages AUT-68-SYNT, AUT-QE-
SYNT etc.
For a description of AUT-SYNT we refer to appendix 9, a text in AUT-
68-SYNT may be found in appendix 8.
Our experiences with translating Landau's book have been a stimulus
for developing AUT-SYNT, and have indicated the way this could be done. As
no verifying program for SYNT languages was available until after the trans-
lation was finished, the SYNT-facility could not be used in the translation.
This may be considered unfortunate, because the presence of this facility
would have simplified both the writing and the reading of our text.
4.1.1. n-reduction in AUTOMATH
In AUT-68 and AUT-QE one of the possible ways to establish definitional
equality is by n-reduction (CVD, 6.2.21): If x is not free in A then
[x,a]<x>A >,, A. As can be seen in the list in 3, 17 reduction was applied
only twice during the verification of our translation. We give the lines
which required these n-reductions, together with their relevant contexts.
The following lines from the text on propositional logic are presup-
posed :
* con := PN - E p r o p * a . - . - - Eprop -
a * n o t := Cx,alcon - E p r o p a * u . - . - - E n o t ( n o t ( a ) ) - u * e t := PN E a - a * u . - . - - E con - u * cone := et(a,Cx,not(a)lu) - E a
The first line where n-reduction is required occurs in the text on pre-
dicate logic. In this text the following lines appear:
* S := - S * P := - P * all := P
P * non := Cx,Slnot(<x>P)
P * u := - u * v := - v * s := - s * tl := et(<s>P,<s>v)
v * t 2 := <Cx,Sltl(x)>u
Etype - E [xsslprop - Eprop - E Cx,Slprop - E not(al1 (SSP)) - E non(non(P)) - E S - E <s>P - E con -
In order to verify that the middle part of this last line is a correct ex-
pression, it should be established that
We have
The question is to establish
This obviously requires 0-reduction.
The second case in which 0-reduction is used occurs in the text on ge-
neralized implication:
* a := - E p r o p - a * b := - - E Cx,alprop
b * imp := b - Eprop b * u := - - E not(a) u * th2 := C x , a l c o n e ( ~ x ~ b , ~ x ~ u ) - E imp(a,b)
Here, in order to verify the last line, it is asked whether the category of
the middle part definitionally equals the category part, i.e. whether
Now
and therefore n-reduction must be used for establishing
I t has been observed by v. Daalen t h a t n-reduction might have
avoided i n both cases by a s l i g h t modification of the d e f i n i t i o n s :
( i n t h e f i r s t case) and f o r imp ( i n the second c a s e ) . I n f a c t a
have been defined by
P * a l l := [x,Sl<x>P - E prop
and imp by
'b * imp := Cx,sl<x>b - E prpp
been
f o r a l l
11 might
This would have made no di f ference t o t h e r e s t of the book, a p a r t from t h e
f a c t t h a t i n some places an e x t r a 8-reduction would have been necessary. In
f a c t , i f a p red ica te P is defined e x p l i c i t l y ( a s opposed t o being a predica- D
t e va r iab le o r a pr imit ive predicate constant) then P = [y,S]m(y) , say,
and we have, without n-reduction
We conclude the re fore t h a t q-reduction does not add considerably t o
t h e expressive power of AUTOMATH.
4.1.2. prOp v. type
I n the s tage of exploration of the p o s s i b i l i t i e s t o represent l o g i c i n
ATJT-QE, i n i t i a l l y a v a r i a n t of t h i s language was used which d id not contain
t h e 1-expression prOp . I t was therefore impossible t o p resc r ibe whether
types had t o be in te rp re ted a s asse r t ion types (containing proofs) o r "or-
dinary" types (containing "ordinary" ob jec t s ) . Contradiction was represented a s a p r i m i t i v e t y p e , negation and t h e dou-
b l e negation law were formalized i n terms of t h i s type a s follows:
* con . - . - PN - E t y p e * a . - . - - E t y p e -
a * no t := Cx ,alcon - E t y p e a * u . - . - - E n o t ( n o t ( a ) ) - u * d.n.1. := P N E a -
I f i n t h i s t e x t a is in te rp re ted a s an "ordinary" type, n a t say, then
expressions of type n o t ( a ) ( o r [X , ~ I c o ~ ) could be in te rp re ted a s proofs t h a t
a i s empty ( i n f a c t , i f we have p n o t ( a ) , then f o r an ob jec t X a we
have <X>p t o prove con t rad ic t ion) . Hence expressions of type n o t ( n o t ( a ) )
have to be interpreted as proofs that a is (in a weak sense) nonempty.
Given such a proof q we have an object d . n. 1 (a ,q) E a . Or, in other words: d.n .1 acts as a Hilbert operator, selecting an object from any non-
empty type. In particular this induces a form of the axiom of choice.
As we did not want the double negation law to have such far-reaching
consequences, we extended the language by admitting prOp as a basic 1-
expression. Thus we obtained the language AUT-QE (as defined in CVD, 511,
in which it is possible to distinguish between assertion types and ordinary
types.
The distinction of prop and type not onlyunlinkedthe double negation
law from the axiom of choice, but also made it possible to implement irrele-
vance of proofs (cf. 4.0.1, 1.4). This opportunity was not seized in the lo-
gic underlying our translation (though this would have been natural). For
an explanation we refer to 4.2.1.
We may conclude that the distinction between proofs and "ordinary" ob-
jects is an essential feature when representing classical logic in AUTOMATH.
For representing constructive logic the version with only keeps its
value.
4.1.3. Strings and telescopes
In chapter 2 of his book Landau uses pairs (x x ) of natural numbers. 1' 2 He considers such a pair as a single object and yet he describes it by two
variables. A faithful translation of this practice could have been given if
the concept of a string of expressions would have been present in our lan-
guage.
Another use strings of expressions might have is as arguments of par-
tial functions (as described in 1.4). In fact such functions are applied to
pairs (a,p) where a is an object of a certain type S , and p a proof
that a satisfies some predicate P on S (which describes the range of
the function) . As a further example we consider the concept of a group, which might
be considered as a string (S,op,iv,e,p) where S E type, Op [x,S][y,S]S,
iv - E [x,S]S, e E S and p - E groupaxioms(S,op,iv,e) . We usually want the types of the expressions of such a string to satis-
fy certain conditions. In the case of the argument (a,p) of partial func- tion we want a - E S, p E <a>P . In other words we want the argument (a,p)
to be consistent with the "abstractor part" of the function: X S ;
y <x>P . In the case of the group we want a group (SY0p ,iv ,e,p) to be
consistent with
x - E type; y E CS,XlCt,xlx; z E Cs,xlx; u - E X;
There is a strong analogy with the case where expressions All ..., A are re- n quired to be suitable candidates for substitution for the variables xl,..,x
n of a certain context x E a ,x E a2,.. .,x E a (~f. CVD, 2.51). 1 - 1 2 n n
To describe such conditions on strings we introduce the following ter-
minology. A finite sequence of E formulas xl g a l , ..., x E a is called a n - n teZescope, The string of expressions (al,...,an) is said to fit into the
telescope xl E all ..., x E an if al E al,a2 E @x /a Da n - 1 1 21""
a E Uxl,. . . ,x /al ,.. . ,a Dan. n - n- 1 n- 1
Extension of the language with constants and variables for strings
and defined constants for telescopeshasbeen proposed by de Bruijn. This is
especially helpful, when formalizing abstract structures such as groups,
vector spaces or categories, andhas been applied on a large scale by
J. Zucker (Cf. [z]).
4.2. Comments on the translation
In this section we first give a chronological survey of the different
representations of logic which have been tried, and we state the motives
for finally choosing AUT-QE as a language for our translation. Furthermore
we mention some aspects which are (in our opinion) shortcomings of the
translation and we add some positive conditions which can be drawn from our
work.
4.2.0. Choice of the language
In our first attempts to translate Landau's "Grundlagen" in AUTOMATH,
we used the language AUT-68. The representation of logic was similar to the
one described in 4.0.2 and presented in appendix 6. Elimination and intro-
duction of V were effected by the axioms Ve (with parameters S E type,
p [x,S]PROP, a L S, U ~(v(S,P)) ) and Vi (with parameters S E type, P - E [x,S]PROP, u - E [x,S]~(<X>P) ) . These axioms were used frequently in de- veloping logic, because the logical connectives and the existential quanti-
fier were defined in terms of V . On the basis of this logic chapter 1 of Landau's book was translated in AUT-68.
At that stage of our work we started trying to represent logic in
AUT-QE, initially using a variant of that language which did not contain
prop. In AUT-QE the axioms Vi and Ve were superfluous: if P - E [ X ,S!*
(i.e. P represents a predicate on S ) then objects of type P can be
interpreted as proofs of v(S,P) . Conversely, given such an object U P
and an object a S we have <a>U - E <a>P (i.e. <a>U proves that P holds at a ) . As a consequence the text on logic in AUT-QE was considera-
bly shorter then the earlier text in AUT-68. (It was not observed at that
time, that this was caused essentially by the redundant parameters and
P of both constants ve and b'i .) So AUT-QE seemed to be a much better
language, and therefore a fresh start was made with the translation of
Landau's book into that language. In 4.1.2 we have reported that in this
system (AUT-QE without prop) the double negation law induces a Hilbert ope-
rator. This led us to add - as a basic 1-expression to our language, thus extending it to proper AUT-QE.
At the time we finally fixed the language we did not appreciate the
fundamental importance of incorporating a form of irrelevance of proofs.
This was due mainly to two reasons:
i) Partial functions are not frequently used in the first three chapters
of Landau's book, and for those partial functions which are defined
there, irrelevance ofproofscould be derived. Therefore no need was
felt for an axiom.
ii) As Landau, being a classical mathematician, does not discuss proofs at
all, we thought we should try to follow this practice. Consequently we
did not want to have an axiom declaring proofs equal.
4.2.1. Shortcomings of the translation
Here I list those features of the translation which I would change if
I were to redo the work.
i) In my opinion the SYNT-facility should be present in any AUTOMATH lan-
guage. It will bring texts in AUTOMATH closer to mathematical practice.
The middle parts of many lines in the present Landau translation are
unnecessarily complex and tedious (both to the reader and to the wri-
ter), because this facility is absent in the language I used.
ii) I regret that I have not implemented irrelevance of proofs as an axiom.
As I see it now, for representing classical reasoning a language should
be chosen which even contains irrelevance of proofs by definitional
46
iii)
iv)
equality (Cf. 4.0.2).
Some of the names I have used lack expressive power. This is partly
due to the fact that AUT-QE admits only alphanumeric identifiers, but
mainly to my excessive preference for short names.
I am not content with the translation of chapter 5, 5 8. This text is
overloaded with irrelevant embedding and lifting functions which ham-
per a clear understanding of the argument. I think it is better to de- n n
fine 1 f (i) and f(i) for functions f defined for all natural num- i=l i= 1
bers (and not just on an initial part of the naturals), although this
procedure deviates slightly from Landau's intentions.
4.3.2. Final remarks
The main positive comment we can make on the translation is that it
has been succesfully finished (in spite of some inconveniences in the lan-
guage) . An aspect which has not been mentioned so far is the ratio between the
length of pieces of AUT-QE text and the length of the corresponding German
texts. Our claim at the outset was that this ratio can be kept constant. We
give a few data. As pieces of text we have chosen the chapters of Landau's
book, and as a measure of the lengths the number of stored AUT-QE expres-
sions (storing expressions requires storing all subexpressions too) and
(rough estimates of) the number of German words (where "x" and "+" were counted as words). We give the following list:
chapter 1 chapter 2 chapter 3 chapter 4 chapter 5
nr. of expressions 12200 25800 30300 35000 60500
nr. of words 3200 4900 5300 5500 11000
nr. of expressions nr. of words 3,8
The high ratio in chapter 4 might be attributed to the complicated defini-
tions by cases in this chapter, while the low ratio in chapter 1 is possi-
bly caused by the absence of calculations.
Another notable aspect of the work is the comparatively small place
taken by th.e preliminaries. It appears that a formal treatment of the logic
underlying mathematics (if we disregard metalogic) is much easier than a
formal treatment of mathematics itself.
I t has no t been the purpose of t h i s e n t e r p r i s e t o const ruct a formal
system which s u i t s my own fancy and t o develop i n t h i s system the theory of
n a t u r a l s , r e a l s and complex numbers. I have r a t h e r t r i e d t o represent i n a
language which was e s s e n t i a l l y given beforehand, a wide v a r i e t y of concepts
and ideas a s expressed i n a book l i k e Landau's. The success of t h i s under-
t ak ing is due t o t h e f l e x i b i l i t y of AUTOMATH languages, and t o t h e c l o s e
connection which can be made between these languages and i n t u i t i v e human
reasoning.
4 8
Appendix 1. REPRINT. Published i n t h e
Proceedings of t h e Symposium
on APL (Par i s , December 1973) , ed. P. Braffor t .
A desc r ip t ion of AUTOMATH and some aspects of
its language theory
D.T. van Daalen *)
0. Summary
This note presents a self-contained in t roduct ion i n t o AUTOMATH, a formal
d e f i n i t i o n and an overview of t h e language theory. Thus it can serve a s an
in t roduct ion t o the papers of L.S. J u t t i n g [ 71 and I. Zandleven [ I l l i n t h i s
volume. Among the var ious AUTOMATH languages t h i s paper concentra tes on the
o r i g i n a l vers ion AUT-68 (because of i t s r e l a t i v e s impl ic i ty ) and one exten-
s ion AUT-QE ( i n which most t e x t s have been wr i t t en thus f a r ) .
The contents a re :
1. Introductory remarks.
2. Informal desc r ip t ion of AUT-68.
3. Mathematics i n AUTOMATH: proposi t ions and types.
4. Extension of AUT-68 t o AUT-QE.
5. A formal d e f i n i t i o n of AUT-QE.
6. Some remarks on language theory.
For a desc r ip t ion of the AUTOMATH p r o j e c t and f o r i ts motivation we r e f e r
t o Prof . D e B r u i j n ' s paper a l s o i n t h i s volume C41.
*) The author i s employed i n the AUTOMATH p r o j e c t and is supported by the
Netherlands Organization f o r the Advancement of Pure Science ( Z . W . 0 ) .
1. Introductory remarks
1.1. According t o t h e claims f o r the formal system AUTOMATH one should be
ab le t o formalizemanymathematical f i e l d s i n it i n such a p rec i se and com-
p l e t e fashion t h a t machine v e r i f i c a t i o n becomes poss ible . The f l e x i b i l i t y
required t o meet the indicated un ive r sa l i ty is provided by having a r a t h e r
meagre basic system. The AUTOMATH user himself has t o add appropr ia te p r i m i -
t i v e notions t o t h e b a s i c system i n order t o introduce the concepts and
axioms s p e c i f i c t o the p a r t of mathematics he l i k e s t o consider. In this
respec t , the b a s i c system may be compared with some usual system of log ic
(e.g. f i r s t order p red ica te ca lculus) t o which one adds mathematical axioms
i n order t o form mathematical theor ies .
1 .2 . In s p i t e of this analogy however the bas ic system i t s e l f does no t con-
t a i n any log ic i n the usual sense. Basic f o r the system a r e the concept of
type and function ( ins tead o f , e .g., t he concept of s e t or of n a t u r a l num-
b e r ) , which a r e formalized by a c e r t a i n typed A-calculus.
When represent ing mathematics i n AUTOMATH one has t o d e a l with the
question of coding: HOW t o formalize general mathematical concepts i n the
form of types and functions (see sec t ion 2 . 2 ) . Clear ly an appropr ia te
formalization w i l l incorporate a s much a s poss ible of the bas ic type-and-
function framework. Section 3 discusses t h i s coding problem and i n pa r t i cu -
l a r proposes a s u i t a b l e way of represent ing proposi t ions , p red ica tes and
proofs ( a functional interpretation of l o g i c ) .
1.3. In order t o s a t i s f y the claim of autamatic v e r i f i c a t i o n of correctness
the system c e r t a i n l y has t o be decidable (and even feasibly decidable on now-
e x i s t i n g computing machines). Since many common mathematical t h e o r i e s pro-
duce undecidable s e t s of theorems we must conclude t h a t we cannot expect
the computer t o do a l l our work. Indeed theorems have t o be given together
with the ir proofs i n order t o allow v e r i f i c a t i o n .
Thus the cor rec tness produced by the machine v e r i f i c a t i o n covers the
arguments leading from axioms t o conclusions only. The AUTOMATH user him-
s e l f i s responsible f o r h i s choice of pr imi t ive notions and a l l the coding
(and decoding) involved.
2. Informal desc r ip t ion of AUTOMATH
2.1. In t roduct ion
Here we t r e a t the o r i g i n a l vers ion of AUTOMATH, now named AUT-68. We
chose t h i s system a s an example because of i ts r e l a t i v e s impl ic i ty . The
discuss ion w i l l be informal and i n t u i t i v e and i n f a c t r e s t r i c t e d t o the
object-and-type fragment of t h e language ( thus leaving the proof-and-pro-
pos i t ion fragment t o sec t ion 3 ) .
2.2. I n t u i t i v e framework
(This sec t ion may be skipped by f o r m a l i s t s ) .
The mathematical e n t i t i e s discussed i n the language f a l l i n t o two s o r t s :
objects and types. The types may be considered a s c l a s s e s or s e t s of a cer-
t a i n kind, which may have ob jec t s a s t h e i r elements. A l l types a r e supposed
t o be d i s j o i n t , f o r each ob jec t belongs t o j u s t one type. This uniqueness
of types permits one t o speak about the type of an object .
The types t ruc tu re is b u i l t up by s t a r t i n g from ground types and forming
firnetion types from these . Each mathematician may choose the ground types
himself ( a s p r imi t ive not ions) , e .g. the type of n a t u r a l numbers.
An example of a funct ion type is the type a -t 6 (where a and 6 a r e
types) of the funct ions from a t o 8 . More general ly , the funct ion types a r e
formed by taking products, a s follows: The language allows one t o express
dependence of types on ob jec t s (of some given type) . That is , one can des-
c r i b e c e r t a i n fami l i e s of types 6 indexed by t h e ob jec t s x of a given type X
u. NOW every funct ion type is formed a s the generazized Cartesian product
of such 6 usual ly denoted .Bx, and containing a s ob jec t s j u s t these X I XEa
funct ions t h a t a s soc ia te t o any ob jec t x of type ct an o b j e c t of type 8,. The
type a + 6 i s the s p e c i a l case where a l l a r e a f ixed type 6 . X
2.3. Expressions, degrees and formulas; correctness
The language a s such only expresses t h e const ruct ions of types and ob-
j e c t s and the typing r e l a t i o n s between ob jec t s and types.
The express;ons of t h e language have degree 1, 2 or 3. Types and ob jec t s
a r e denoted by expressions of degree 2 and 3 respec t ive ly ( f o r s h o r t 2-expres-
s ions , 3-expressions). For convenience we introduce t h e 1-expressions type
t o provide a type f o r t h e types . Further I-expressions w i l l be introduced
i n sec t ions 3 and 4 .
The symbol E expresses the typing r e l a t i o n : ... has type ... . So i f A
denotes an o b j e c t then we have the formulas A E a and a E type. The 2-ex-
press ions and 3-expressions a r e b c i l t up from variabzes and constant-ex-
pressions by means o f :
i) the s u b s t i t u t i o n mechanism ( sec t ion 2.5)
ii) func t i cna l abs t rac t ion and app l i ca t ion ( sec t ions 2.8 and 2.10).
The constant-exprsssions have the form c (x l , . . .,x, ) where x l , . . . ,xk a r e IC
v a r i a b l e s and c i s e i t h e r a primitive constant introduced a s a p r imi t ive
notion ( sec t ion 2.6) o r a defined constant ( sec t ion 2.7) . Expressions and formulas a r e correct i f they a r e constructed according
t o t h e r u l e s of t h e language, which a r e informally discussed i n the sequel .
2.4. Variables and contexts
A mathematical statement genera l ly presupposes c e r t a i n assumptions on
the va r i ab les used. For example: " l e t x be a n a t u r a l and y a r e a l number".
In AUTOMATH, i n accordance whis t h i s usage, each va r i ab le of degree 3 fobject-
variable) ranges over a c e r t a i n type, c a l l e d the type of t h e va r i ab le . The
2-variables (type-variables) a r e supposed t o range through the types and
have ype a s t h e i r type.
Expressions and formulas containing free object - o r type-variables, say
x l r . . . , x k r can only be correct r e l a t i v e t o a c e r t a i n context: 1.e . a f i n i t e
sequence of E-formulas x E a l l ..., x E a ca l l ed a s s q t i o n s , i n which the 1 - k - k t
f r e e v a r i a b l e s have t o be e x p l i c i t l y introduced with t h e i r types.
Some of the types a may depend on the v a r i a b l e s given e a r l i e r i n the i
sequence. For ins tance , a may contain both x and x a s f r e e va r i ab les . I t 3 1 2
i s understood t h a t a l l a a r e c o r r e c t expressions themselves: a l r e l a t i v e i
t o t h e w?lpty context , a 2 r e l a t i v e t o x E a l l e t c . 1
2.5. Subs t i tu t ion mechanism
Let us, i n informal d iscuss ion, e x h i b i t the poss ible dependence of an
expression 1 on va r iab les x i , ..., xk by wr i t ing Clxl , ..., xk] f o r C . Then we
wr i t e C [ A ~ , . . . ,Ak] f o r the r e s u l t of sinncZtaneousZy substituting A f o r x i i
( f o r i = 1, ..., k) i n C.
Suppose t h a t under assumptions x l E a l r . . . , x E a we have a c o r r e c t k - k
E-formula ~ [ x ~ , . . . , x ~ D E aCxl,. . . ,x 1. Then t h e substitution mechanism - k y i e l d s the s u b s t i t u t i o n instance A B A ~ , ..., A 1 E a [ A l r . . . , ~ D f o r any sequence k -
A l l . . . , % of s u i t a b l e candidates f o r x i , ..., x 1 .e . these A k ' l, . . . ,% have
t o be of the appropr ia te types where, however, i n view of the poss ib le de-
pendence of types on v a r i a b l e s , the s u b s t i t u t i o n has t o t ake p lace i n the
types too. So we requ i re
2.6. Pr imi t ive not ions
AS mentioned before , one has t o add pr imi t ive notions t o t h e b a s i c system
i n order t o in t roduce t h e s p e c i f i c concepts of the p iece of mathematics one
wants t o study . For example, i n order t o w r i t e about the n a t u r a l numbers, one might
introduce the pr imi t ive type-cons tant n a t and t h e ob ject-cons tan t 1 by axio-
ma t ica l ly s t a t i n g :
n a t E*
1 E n a t . I n genera l , p r imi t ive notions a r e introduced by s t a t i n g an axiomatic - E-for-
mula p(x1, . . . ,xk) E a [ x l , . . . , ~ ] under c e r t a i n assumptions xl E a l l ... x E ak. k -
Here e i t h e r a i s (and p is a type-constant) o r i n t h e c u r r e n t context
we have a E type a l ready (p being an object-constant) . A l l c o r r e c t s u b s t i t u t i o n ins tances p(A1, ...,% ) of such a constant-ex-
press ion p ( x l , ..., x can be produced by the s u b s t i t u t i o n mechanism, des- k cr ibed above.
For example, t h e concept of successo2- i n the n a t u r a l number system can
be introduced under t h e assumption x E n a t by s t a t i n g : successor(x) E na t .
Using the s u b s t i t u t i o n mechanism we g e t
successor (1 ) E n a t - successor (successor (1) ) E n a t , e t c .
Notice t h a t p r imi t ive constant-expressions may n o t only contain object-
va r i ab les ( l i k e the x i n successor (x ) )bu t a l s o type-variables.
2.7. Abbreviations
In mathematics one o f t en introduces abbrevia t ions , i . e . new names f o r
poss ibly long and complicated expressions. In AUTOMATH t h i s abbrevia t ion
f a c i l i t y i s a l s o present ; indeed, it w i l l appear t h a t by the p a r t i c u l a r
format of the language every derBved statement g ives r i s e t o the in t roduct ion
of a new defined constant . Although t h i s kind of e x p l i c i t d e f i n i t i o n i s of-
t en considered t h e o r e t i c a l l y uninteres t ing, we f e e l t h a t it is e s s e n t i a l i n
p r a c t i c e f o r t h e a c t u a l formal iza t ion and v e r i f i c a t i o n of complicated theor ies .
J u s t like pr imi t ive notions, abbrevia t ions a r e introduced under c e r t a i n
assumptions and s o may conta in f r e e va r i ab les i n genera l . Thus new constant-
expressions d ( x l , . . . , x ) a r e introduced, abbrevia t ing expressions D which k a r e c o r r e c t i n the c u r r e n t context . Clear ly the type of d ( x l , ..., xk) must be
the same a s t h a t of D.
Example: 2,3, ... can be introduced by
2 : = successor (1)
3 := successor (21, e t c .
Fur ther , the notion of "successor of successor" might be abbreviated by
s t a t i n g (under assumption x E n a t ) t h a t
plustwo (x) := successor (successor (x) ) . Again, a l l c o r r e c t s u b s t i t u t i o n ins tances with t h e i r types can be produced
by t h e s u b s t i t u t i o n mechanism.
2.8. Functional abs t rac t ion : A-calculus
We have mentioned func t iona l abs t rac t ion and app l i ca t ion a s f u r t h e r t o o l s
f o r const ruct ing expressions. By these devices a form of typed A-calculus
is incorporated i n t o the bas ic system. In A-calculus, i n t u i t i v e l y speaking,
Ax.B denotes the funct ion which t o any ob jec t x a s s o c i a t e s t h e o b j e c t B.
O r (exhibi t ing the dependence on x) AX.B[XD i s the map which, with any A,
a s soc ia tes B C A D . I n AUTWTH (where a l l funct ions have a domain) such e x p l i c i t l y given
funct ions a r e denoted by abstraction expressions CX,~IB, where B may contain
x a s a f r e e va r i ab le ; a i s the type of x and the domain of the funct ion. In
case B i s a 3-expression, C x , a ] ~ a t t aches ob jec t s t o the o b j e c t s of type a
and i s ca l l ed an object-valued fmction. I f B i s a 2-expression, [ x , a ] ~
a t t aches types t o the ob jec t s of type a and i s c a l l e d a type-valued fmction.
I n AUT-68 no abs t rac t ion expressions of degree 1 a r e formed ( i n c o n t r a s t
with AUT-QE) . Notice t h a t poss ib le f r e e Occurences of x i n B a r e bound by the abs t rac to r
[x , a l and a r e no t f r e e i n CX,CXIB any more. An important r e s t r i c t i o n on ab-
s t r a c t i n g is t h a t such a bound va r iab le must be a 3-variable. Thus we only
q~U?l.tify (c f . sec t ion 3.4) over ( t h e ob jec t s o f ) a given type and quant i f ica-
t i o n over _type is not poss ible .
2.9. Type of abs t rac t ion expressions
suppose t h a t under the assumption x E a we have B E f3. I f f3 i s n o t a
l-expression then we may form both the abs t rac t ion expressions [x,a]B and
[x,a]B. According t o sec t ion 2.8 [x,afBdenotes an object-valued funct ion
and [x,alB denotes a type-valued function.
The l a t t e r abs t rac t ion expression [xra]f3[x] however is a l s o used with
a d i f f e r e n t meaning i n AUTOPl?iTH, t h a t is , t o denote the corresponding function
type T'I *f3[x] (which i s the type of [xra]B[x] by sec t ion 2.2). Xga So we obta in C x , a l ~ E [x,a]@ and [xra lB E type.
Example: t h e successor function can be introduced ( i n t h e empty context) by
succfun := [x,nat]successor(x) g Cx,nat]nat . The doub leuseof 2-expressions mentioned above d o e s , n o t cause ambiguity,
because it i s always c l e a r whether an expression a c t s a s a funct ion or a s a
type i n a formula. I n f a c t i n AUT-68 abs t rac t ion expressions of degree 2 a r e
exclus ively used with the second meaning, i . e . a s funct ion types.
2.10. Functional app l i ca t ion
In f u l l ( i . e . type-free) A-calculus any expression - a s a funct ion - may be appl ied t o any expression - even i t s e l f - a s an argument.
I n AUTOMATH, a s a typed A-calculus, a l l funct ions have domains and any
form of se l f -app l i ca t ion i s ruled o u t by t h e appzication restr ict ions: The
appZication expression <A>B (denoting t h e r e s u l t of applying B a s a funct ion
t o A a s an argument) i s c o r r e c t only i f :
i) B i s a funct ion and so has a domain, say a .
ii) A i s an o b j e c t of type a .
The no ta t ion <A>B, with the argument i n f r o n t , i s somewhat unusual; it is
convenient however s ince abs t rac t ions axe w r i t t e n i n f r o n t too.
2.11. Type of app l i ca t ion expressions
Assume t h a t B E [x,a]f3. Here [x,a]B[x]is a 2-expression a c t i n g a s a type
and s o denotes .f3[x]. Hence B must be considered a s a funct ion with domain a . X F
Now i f A E a we a r e allowed t o form the app l i ca t ion expression <A>B having - B E A D a s i t s type.
Note t h a t B need n o t be of t h e form [x,a]C i t s e l f . I t may, e.g. , be a
s i n g l e ob jec t v a r i a b l e o r o b j e c t constant with type [x,cc]B.
Example: A s an a l t e r n a t i v e expression f o r t h e number 3 we might introduce
3 a l t := <2>succfun E n a t .
2.12. Equali ty
We w i l l def ine a r e l a t i o n of de f in i t iona l equa l i ty among t h e c o r r e c t
expressions, appropr ia te t o the i n t e r p r e t a t i o n of expressions suggested - above. The r e l a t i o n i s denoted ... - ... and generated by:
i) abbrevia t ional o r 6-equality, = 6
ii) A-equality.
The l a t t e r i s generated i n tu rn by 6-equality, = , and q-equali ty = . 6 11
Usually i n A-calculus t h e A-equality a l s o e x p l i c i t l y embodies a-equali ty
(renaming of bound v a r i a b l e s ) . In t h i s note however we take the p o i n t of
view of simply ignoring the names of t h e bound va r iab les . So a-equal ex-
p ress ions a r e i d e n t i f i e d and. a r e a f o r t i o r i d e f i n i t i o n a l l y equal by t h e re-
f l e x i v i t y of t h e = - r e l a t i o n (c f . a l s o sec t ion 5.3.2).
Assume t h e defined constant d has been introduced i n s u i t a b l e context
Then d ( x l , . . . ,x ) abbrevia tes D and we wr i t e d ( x l , . . . ,xk) =& D. And f u r t h e r k f o r the s u b s t i t u t i o n ins tances :
Assume <A>CX,~IBBXD i s a c o r r e c t expression (so A E a ) . Now 6-equality
e x p l o i t s the i n t e r p r e t a t i o n of Cx,alB a s a funct ion with domain u and simply
amounts t o evaluat ing the r e s u l t of the appl ica t ion:
< A > [ x , a l ~ =B B B A B .
2.12.3. q-equali ty
In mathematics one usual ly considers funct ions a s extensionaz ob jec t s ,
i n the sense t h a t funct ions wi th the same domain and which a r e pointwise
equal a r e i s e n t i f i e d . In AUTOMATH t h i s extensional equa l i ty is partly covered
by the rl-equality: I f x does not occur free i n B then [x,a]<x>B = B ( f o r n
c o r r e c t expressions on ly ) . This is i n t u i t i v e l y sound only i f domain B = a ,
which indeed is the case by the correctness of [x,a]<x>B.
2.12.4. Def in i t iona l equa l i ty
NOW d e f i n i t i o n a l equa l i ty = i s defined t o be t h e equivalence relat ion
on the c o r r e c t expressions, generated by = - = and by monoton<city: 6 ' - B 1 11
I f A = A ' and B ' i s produced from B by replacing one specificoccurrence of
A i n B by (an occurrenceof) A ' then B = B ' .
or,usingsuggestive dots f o r t h e unchanged p a r t of the expression B: If
A = A ' then ... A.. . = ... A ' . .. . Example of t h e monotonicity r u l e : I f A = A ' then <C><A>D =<C><A1>D ( i f both
expressions a r e c o r r e c t ) .
2.13. The format: books and l i n e s
2.13.1. Actual AUTOMATH t e x t s a r e wr i t t en i n the form of books. A book con-
sists of a f i n i t e sequence of l ines. Each l i n e must be placed i n a c e r t a i n
context ( t h e context of t h e l i n e ) and introduces a new i d e n t i f i e r of a cer-
t a i n type. A l l l i n e s c o n s i s t of four consecutive p a r t s , separa ted by s u i t a b l e
marks or spaces:
i) context part, ind ica t ing the context of the l i n e . In genera l t h e con-
t e x t p a r t c o n s i s t s of the context indicator, i . e . t h e l a s t v a r i a b l e of
t h e cur ren t context . From t h i s the complete context can e a s i l y be re-
covered. I f t h e context of t h e l i n e i s xl g a l , . . . , ~ E ak , the sequence k - of va r i ab les x l , ..., x i s ca l l ed the indicator s tr ing of t h e l i n e . The k empty context can be indicated by an empty context p a r t .
ii) i den t i f i e r part, cons i s t ing of the new i den t i f i e r .
iii) middle part, containing t h e symbol EB (cf. 2.13.2) , the symbol PN (cf . 2.13.3) o r the def in i t ion of the new i d e n t i f i e r (cf . 2.13.4) .
i v ) category p a r t , containing the type of t h e new i d e n t i f i e r .
Assume an AUTOIQTH book is given, inwhich the v a r i a b l e xk has been in t ro -
duced with type a i n t h e context x l E a l , . . . l ~ k - l Eak-l. Thenwemay add l i n e s k
w i t h context ind ica to r xk, s o having xl E a l l . . . ,x E a a s t h e i r context . k - k
Below we d i scuss the th ree d i f f e r e n t kinds of l i n e s .
2.13.2. The block opening lines have middle p a r t g ( f o r empty block opener)
or , i n a l t e r n a t i v e nota t ion, a bar - . An g - l i n e ' introduces a new varicLbZe
and thus allows extension of the current context by one assumption.
Example: xk * y := EB E a ( " l e t y be of type a") introduces a new var iab le
y of type a . Lines having y a s t h e i r context p a r t - which may appear l a t e r
i n the book - then have x E C . ~ , . . . ~ X E ak , y E a a s t h e i r context. 1 - k -
2.13.3. The primitive notion lines have middle p a r t PN and introduce t h e
pr imit ive notions. For example:
introduces the p r imi t ive constant expression p ( x l l . . . , x ) and conta ins the k axiomatic E-statement p ( x l , . . . ,x ) E a . k
2.13.4. The abbreviation lines look l i k e :
where the middle p a r t D i s t h e de f in i t ion of d , i . e . t h e expression t o be
abbreviated. This l i n e contains, r e l a t i v e t o the preceding book and the cur-
r e n t context, both t h e derived E-statement D E a and t h e def ining axiom f o r
the new defined constant d:
2.14. Correctness of l i n e s ; v a l i d i t y
A l i n e is correct i f both the middle p a r t ( i f no t g or E) and the
category p a r t a re c o r r e c t expressions with respec t t o the preceding book
and the cur ren t context, and the category p a r t i s t h e type of t h e middle
p a r t ( i f not EB o r PJ). For the correctness of the expressions, a l l iden t i -
f i e r s used have t o be valid. Constants a r e v a l i d i n a book from t h e l i n e on
i n which they a r e introduced. Free va r iab les a re v a l i d i n a l i n e i f they
occur i n i ts context. We speak about the block of l i n e s i n which a f r e e
var iable i s v a l i d (whence block opener).
2.15. Shorthand f a c i l i t y
Assume t h a t a pr imit ive or defined constant c was introduced i n a cer-
t a i n context x E all.. . ,\ E ak. Then i f l a t e r i n the book c occurs with 1 - fewer than k arguments, the argument l i s t i s completed by adding a s u i t a b l e
i n i t i a l segment of the o r i g i n a l ind ica to r s t r i n g (c f . 2 . 1 3 . l i i ) ) x l , ..., x k ' I n o the r words t h e expression c(A . . . ,Ak) i s shorthand f o r i + l ' c ( g l , ..., x i rAi+l , . . . , A ) and the s i n g l e constant c i s shorthand f o r k c (xl , . . . r x k ) . Clear ly the completing va r i ab les have t o be v a l i d , t h a t is ,
t h e i n i t i a l segments of the o r i g i n a l and the cur ren t context have t o coin-
c ide . The shorthand f a c i l i t y accords with usual mathematical p r a c t i c e where
f r e e v a r i a b l e s a r e of ten considered a s f ixed throughout an argument and a r e
n o t mentioned e x p l i c i t l y .
2.16. Paragraph system
For each va r iab le and constant i t must be poss ib le t o r e t r a c e from which
l i n e it or ig ina tes . This condit ion i s c l e a r l y s a t i s f i e d when a l l names a r e
unique. A more l i b e r a l method of naming however is allowed by t h e soca l l ed
paragraph system, f o r a desc r ip t ion of which we r e f e r t o Zandleven [ I l l
s e c t i o n 11 1. Both shorthand f a c i l i t y and paragraph system do no t r e a l l y
concern the language d e f i n i t i o n bu t a r e p resen t f o r convenience only.
2.17. Example
In the following AUT-68 booklet t h e examples of t h e preceding sec t ions
a r e now wr i t t en i n t h e proper format.
* n a t
* 1
* X x * successor
* 2
* 3
x * plustwo
* succfun
* 3 a l t
: = PN - * - . - PN - := - : = PN - := successor (1 )
:= successor(2)
:= successor(successor)
:= [xrnat]successor (XI
:= <2>succfun
type n a t
n a t
n a t
n a t
n a t
n a t
[x, n a t l n a t
n a t
Here t h e middle p a r t of plustwo uses t h e shorthand f a c i l i t y . I t is l e f t t o
t h e reader t o e s t a b l i s h 3 = 3 a l t .
3. Mathematics i n AUTOMATH: Proposi t ions a s types
3.1. Functional i n t e r p r e t a t i o n of log ic
Up till now we have described AUTOMATH a s a ca lculus of ob jec t s and
t h e i r types only. A major p a r t of mathematics however cons i s t s of making s t a t e -
ments and reasoning with them, i . e . dea l s with log ic .
Now the re a r e d i f f e r e n t ways of coding some log ic i n t o t h e objects-and-
types framework. Here we only mention a socal led functimaZ interpretation
of log ic , which gives r i s e t o thepropositions-as-types notion. This idea of
i n t e r p r e t i n g l o g i c was developed independently by de Bruijn and c e r t a i n
o t h e r s , of whom we mention Howard [6], Prawitz [ l o ] , Girard [5] and Martin-
Lijf [8].
3.2. Proposi t ions a s types
So f a r we have introduced type a s t h e only 1-expression. We had C E type and r E C f o r the types C and the ob jec t s r of type C respect ively . Now we
introduce another 1-expression, the bas ic symbol e. Orig ina l ly i n AUT-68
no d i s t i n c t i o n was made between and prop. The l a t t e r 1-expression a c t s
j u s t l i k e and was introduced l a t e r t o allow dif ference of treatment be-
tween types which a r e t o be considered a s proposi t ions and types which a r e
j u s t types of ob jec t s .
I f C E prop we consider C a s a proposi t ion. I f f u r t h e r r E C , we con-
s i d e r r a s some const ruct ion es tab l i sh ing the t r u t h of C (a "proof" of C ) .
Thus t h e formula r E C is conceived a s asserting the proposi t ion C.
3.3. In te rp re t ing implication
Le t a E prop and 6 E prop. Now we may say we have a "proof" of the im-
p l i c a t i o n a -+ 6 i f from an assumption of t h e t r u t h of a we can argue and
conclude t h e t r u t h of 6 , That is , i f f o r any const ruct ion es tab l i sh ing the
t r u t h of a we can produce a construction f o r the t r u t h of 6 o r , equivalent ly ,
i f we have a map from "proofs" of a t o "proofs" of 6.
Now i n AUTOMATH terminology: we say we "prove" a -+ i f f o r any x E a
we can produce some B E 6. 1.e. i f we have some C i n the funct ion type
[x,alB. So we l e t [x,alB denote the implication a -t f3 and have [x,alB E prop.
This corresponds t o the second i n t e r p r e t a t i o n of abs t rac t ion expressions i n
sec t ion 2.9.
NOW by t h i s interpretat ion we obtain the modus, panens (from a and a -+ f3
i n f e r f3) by simple functional application. For l e t A E a and C E[x,a]B
(A and C thus being "proofs" of a and a + f3 respect ively) . Then by the appli-
cation ru l e we construct <A>C establishing the t ru th of 6.
3 . 4 . Universal quant if icat ion; negation
In exactly the same manner a function interpretat ion of universal s ta te -
ments can be given. Namely i f a 5 = and for x E a we have f3 E - then
we ident i fy the function type [x,alB with the universal statement Y 6 . xga
Here functional application corresponds t o the " instant iat ianu r u l e i n logic.
Thus by t h i s interpretat ion of logic i n AUTOMATH one ge ts the ( 'dl+)-
fragment of f i r s t order predicate logic for f ree . However i n AUTOMATH only
posi t ive statements a re made and statements l ike: "C i s not of type r" cannot
be expressed. In order t o i n t e rp re t negation we introduce as a primitive no-
t ion the proposition con ( fo r "contradiction") together with some su i tab le
axiom (primitive notion) . Here are d i f fe ren t poss ib i l i t i e s , e .g. the intu-
i t i o n i s t i c absurdity ru l e (for any proposition a , from con in fer a ) or the
c lass ica l double negation law. Then an XUTOMATH theory ( i . e . book) i s con-
s i s t e n t i f , i n the empty context, it does not produce some C g con.
For a E prop we define non(a) a s a -+ can o r , i n AUTOMATH notation,
[x,alcon. Now the double negation law can be s tated by introducing the pr i -
mitive notion dnZ as follows: I£ a E prop, x E non(nan(a)) then dnl (a,x) g a .
By a l so choosing su i tab le def ini t ions fo r the other connectives ( A , v )
and the ex is ten t ia l quant if ier we can smoothly obtain f u l l c l a s s i ca l f i r s t
order predicate calculus.
3 .5 . Assumptions, axioms, theorems
In AUTOMATH-books the g-formula r g C fo r apropositionZ can occur i n
the usual three kinds of l ines again:
i) =-lines: 0 * x : = EB E C .
These must be interpreted a s asswnptians: " l e t C hold" or " l e t x be a
proof of C". Now i n a l i ne where x is val id we may r e fe r t o x whenever
we want t o use the assumed t ru th of C .
ii) =-lines: U * p := PNg C. These serve a s axioms, or rather a s axiom schemes (by the dependence
on the variables contained i n the context o) . iii) abbreviation l ines: a * d := r E C must be considered as derived s ta te -
ments, i . e . theorems, lemmas e t c . Here the middle p a r t r "prcves" the pro-
pos i t ion C from t h e assumptions i n the context a .
The d e f i n i t i o n a l equa l i ty ( c f . sec t ion 2.12) of AUTOMATH only covers
a small p a r t of the usual mathematical equa l i ty . Fur ther a statement of
d e f i n i t i o n a l e q u a l i t y cannot be handled a s an a c t u a l proposi t ion; e.g. it
cannot be negated o r even assumed ( a s in : l e t A = B ) . A s t h e AUTOMATH-counter-
p a r t of the usual mathematical . . .equals.. . the book-equality I S ( ~ , A , B )
- where A and B a r e ob jec t s of type a - can be introduced by s u i t a b l e p r i -
mi t ive notions, some of which a r e shown i n the example below.
* a := - type a * x := - a
X * Y .= - a
y * IS := PN - prop x * REFL := PN - IS (x,x)
y * i := - 1s (x, y)
i * SYM := PN - 1s (Y 1x1
e t c .
arid a lso:
By the axiom of r e f l e x i v i t y (REFL) above, d e f i n i t i o n a l e q u a l i t y implies book-
equal i ty : i f A E a , B E a , A = B then REFL(a,A) E IS(cr,A,B).
4. Extension of AUT-68 t o AUT-QE
4.1. Function-l ike expressions
Expressions C such t h a t C E [x,a]B o r C = [x,a]B a r e c a l l e d function-like
expressions. Whereas i n AUT-68 funct ion- l ike 3-expressions may have any form,
e.g. they can be v a r i a b l e s or pr imi t ive constant expressions, t h e only func-
t ion- l ike 2-expressions a r e (poss ibly abbreviated) abs t rac t ion expressions.
This i s because funct ion- l ike 1-expressions a r e absent i n AUT-68.
Thus we can d i scuss e x p l i c i t l y constructed f a m i l i e s of types Bx where x
ranges over some type a (namely by forming the abs t rac t ion expression
Cx,alBBxD) b u t we cannot d i scuss arb<trary fami l i e s of types indexed by
x E a . Indeed, we cannot intrbduce a family of types a s a p r imi t ive notion
o r a s a va r i ab le .
4.2. Supertypes o r quasi-expressions
I n AUT-QE such a r b i t r a r y type-valued funct ions a r e admitted however, by
extending the c l a s s of 1-expressions. The new 1-expressions, quasi-exp~ess<~ns
(whence AUT-QE) or supertypes, have the form [x , a 1 ... [xk,akl type or 1 1 [x l , a l l ... [xk,ak1 =, where a l , ..., a a r e 2-expressions, i . e . proposi t ions
k o r types.
For example, an a r b i t r a r y type-valued funct ion on a can be introduced by
an =-line:
u + f :=- Cx,al= . I f f o r a we take the type of n a t u r a l numbers, then f i s an a r b i t r a r y sequence
of types.
4.3. The use of AUT-QE.
S imi la r ly we have a r b i t r a r y prop-vazued functions i n AUT-QE. These a r e
e spec ia l ly use fu l i n our i n t e r p r e t a t i o n of l o g i c , f o r a prop-valuedfunction
with domain a i s nothing bu t a predicate over a . For example, by an =-line
an a r b i t r a r y binary p red ica te ( r a the r : r e l a t i o n ) on t h e n a t u r a l numbers is
introduced. The presence of p red ica te and r e l a t i o n v a r i a b l e s i n AUT-QE a l -
lows us t o wr i t e axiom schemes with such v a r i a b l e s , e .g. t o introduce a fur-
the r e q u a l i t y axiom (c f . sec t ion 3.6) we can wri te :
We emphasize however t h a t abs t rac t ion over such 2-variables (e.g. type-
va r iab les , prop-variables, predicate-variables) i n AUT-QE is s t i l l forbidden,
s o both AUT-68 and AUT-QE may s t i l l be c a l l e d first-order systems.
4.4. Type-inclusion and prop-inclusion
J u s t a s i n AUT-68 the funct ion- l ike 2-expression f ( c f . sec t ion 4.2)
a l s o codes i ts corresponding function space, i . e . the type of those g with
domain a such t h a t f o r A E a we have <A>g E <A>f. A s prop behaves j u s t l i k e
Qx, the predicate P ( c f . sect ion 4.3) a l s o denotes the proposit ion V .P(x) . XE_a
AS a consequence, we allow the t r a n s i t i o n from C E [ x , a ] ~ t o C E type.
This t r a n s i t i o n o r , i n general , from
i s ca l l ed type-inclusion. The s imilar t r a n s i t i o n with prop ins tead of
i s ca l l ed prop-inclusion. BY t h i s type-incZusion and prop-inclusion AUT-QE
contains AUT-68 a s a proper subsystem. Notice t h a t f o r 2-expressions uni-
queness of types - i f A E a, A E t? then a = t? - is l o s t .
4.5. Let us f i n i s h with a t a b l e i n which some AUTOMATH notions a r e l i s t e d
with t h e i r poss ible meanings i n t h e propositions-as-types i n t e r p r e t a t i o n .
object-and-type
interpretat ion
proof -and- proposi-
t ion interpretat ion
2-expressions
3-expressions
... E ... - f unction-like
2-expressions
abbreviation l i nes
types
objects
propositions
proofs
. . . has type . . . . . . proves . . . type-valued functions predicates I If unction types implications
universal statements
variable introductions assumptions
primitive object axioms
introductions
defini t ions or
abbreviations
theorems
5.1. The language, t o be defined formally now, i s the one accepted by the
cur ren t checker ( c f . [ I l l ) except f o r two points :
i) Paragraph f a c i l i t i e s a re no t present here s o a l l constant names have
t o be d i s t i n c t ( c f . sec t ion 2.16).
ii) There i s no shorthand f a c i l i t y ( i . e . a l l expressions a r e w r i t t e n o u t
i n f u l l ( c f . s e c t i o n 2.15).
The a c t u a l formalism has been chosen i n t h i s way i n order t o keep a s c lose
a s poss ib le t o t h e preceding informal book-and-line desc r ip t ion . A def in i -
t i o n along more usual natural deduction l i n e s may poss ibly be more e legant .
For t echn ica l reasons we p re fe r red t o avoid redundancy almost completely
i n our d e f i n i t i o n . A s a consequence of t h i s , some use fu l e x t r a r u l e s follow
a s derived rules i n the sec t ion on language theory.
5.2. Our aim i s t o de f ine formally what co r rec t AUT-QE books a r e .
The desc r ip t ion cons i s t s of:
i) Prel iminar ies , mainly devoted t o the context f r e e p a r t of the language
( sec t ion 5.4).
ii) Simultaneous d e f i n i t i o n of correctness of books, contexts , l i n e s , ex-
press ions , E-formulas and =-formulas ( sec t ion 5 .5 ) .
The =-formulas only serve a s a help i n our d e f i n i t i o n ; they do no t appear
i n the book. The kernel of ii) i s the d e f i n i t i o n of correctness of expres-
s ions and formulas r e l a t i v e t o a c e r t a i n book and context . Here the book
serves t o determine the s e t of pr imi t ive notions and abbrevia t ions , and the
context serves t o determine the s e t of v a l i d f r e e va r i ab les .
Most concepts a r e introduced by ordinary inductive def ini t ions. Thesecon-
sist of a f i n i t e s e t of r u l e s of the form: " i f . . . then . . .". Here only such
conclusions may be drawn which follow from a f i n i t e number of app l i ca t ions
of t h e r u l e s .
5.3. Notational conventions
5.3.1. An extensive use is made of syntactic variabZes throughout the d e f i n i t i o n .
Often c e r t a i n assumptions on these va r i ab les a r e i m p l i c i t by t h e i r s p e c i f i c
choice, e .g . a and 6 always run over contexts. Syn tac t i c va r i ab les may a l -
ways be indexed o r primed.
5.3 .2 . A s f o r s u b s t i t u t i o n and a-con~ersimz (renaming of bound va r iab les )
we adopt the following po in t of view: expressions with bound v a r i a b l e s a r e
considered a s named vers ions - named t o f a c i l i t a t e reading - of some a c t u a l l y
namefree skele ton (cf . [ 3 1) . Thus we i d e n t i f y a-equal expressions and assume
t h a t a-conversion is appl ied whenever necessary t o avoid clash of variabZes.
We use . . . . . . t o denote syntactic ident i ty (symbol-for-symbol equa l i ty )
modulo a-equality. E.g. [x,C] ... x...E[y,C]...y...y... .
5.3.3. Correctness of expressions A and formulas cp r e l a t i v e t o a book 8 and
a context u a r e abbreviated by 8; a 1 A and 8; a 1- cp respect ively . Sometimes
we wr i t e 1 A or a A f o r 8; a 1 A and 1 cp o r a 1 cp f o r 8; a cp when the re
i s no p a r t i c u l a r need t o emphasize the cur ren t book o r context . The no ta t ions
t ( i ) A and t ( i ) A p B a r e used t o express t h a t A is an i-expression and 1 A ( respec t ive ly 1 A g B) .
5.4. Prel iminar ies
5.4.1. Alphabet
1 ) AS variabZes and constants we allow any aZphcmwneric s tr ing. such a s t r i n g
is considered atomic and i s thus counted a s one s i n g l e symbol. Syntact ic
va r i ab les f o r v a r i a b l e s a r e x ,y ,z , . . . . Among the constants ( syn tac t i c va-
r i a b l e c ) we d i s t ingu i sh primitive ( syn tac t i c va r i ab les p ,q) and defined
o r abbreviationaZ constants ( s y n t a c t i c va r i ab le d ) . 2 ) Improper symbols
i) some b~*acksts and braces: [ , I , ( , ) , < , >.
ii) Some separation marks: ! , *, 1, E, :=, =, sernicoZon and coma.
iii) Some reserved symbob: g, z.
5.4.2. Expressions ( s y n t a c t i c va r i ab les A,B ,C ,D , . . ., C , A , r , ...)
i) VariabZes: x
ii) Abstraction expressions : [x, C I A
iii) AppZication expressions : < C > A
i v ) Constant-expression instances : c (C1, . . . , Ck) v ) Bas5c constants: type, prop.
AS s p e c i a l s y n t a c t i c v a r i a b l e s f o r 2-expressions we take a r e , . . . .
5.4.3. Formulas ( syn tac t i c v a r i a b l e q )
i) E-formuLas: C E A
ii) =-formuzas: C = A .
5.4.4. Addit ional concepts
1 ) Contexts ( syn tac t i c va r i ab les a , 6 ) : Any f in i t e (possibly empty) sequence
of E-formulas x E C separated by commas, where a22 xi are d i f ferent . i - if
2) Lines ( syn tac t i c va r i ab le A )
i) =-Lines : a * x := j3BEC ii) =-lines : u * p : = = E X iii) Abbreviation l ines: a * d := A - E C
3 ) Books ( syn tac t i c va r i ab le 8) : Any f in i t e (possibly empty) sequence of
l ines, separated from one another by e x c h a t i o n signs ( 1 ) .
5.4.5. Free va r i ab les
We def ine the free variabLe s e t Fv(C) of expressions C by induct ion on
the s t r u c t u r e of C ( c f . sec t ion 5.4.2) :
5.4.6. Subs t i tu t ion
1) The r e s u l t of simuZtaneous substitution of A l l . . . ,A f o r the f r e e va r i a - k
b l e s xl . ... ,xk i n an expression C i s denoted by t x l , ...., x /A . . . ,%DC * k 1'
and l o c a l l y abbreviated by C :
* - i) x i = A i
ii) y* = - y i f y not among x l , ..., x * * * k
iii) (Cy,CllC2) = C y I C 1 1 C 2 i f y not among xl,. . . ,xk and
x E FV(C2) * y d FV(Ai)) f o r i = I , . . . , k (otherwise rename y i n i Cy1C11C2).
* * * i v ) ( < C 1 > C 2 ) E <C > C
1 2
* * v i ) prop =prop, type E-.
2) Substitution of A f o r x i s denoted by [x/A] and amounts t o t h e case k = 1
above.
5.5. Correctness
5.5.1. Correct books
i) the empty book i s correct
ii) if 8 i s correct and X i s correct with respect t o B then B ! X correct.
5.5.2. Correct context with respec t t o B:
i) the empty context i s correct
ii) i f o*x := EB - E A i s a t ine i n the book 8 then a, x - E A i s a correct
context with respect t o 8.
5.5.3. Correct l i n e s with r e s p e c t t o 8:
1) =-lines: I f 8; o i- ("A or B; 3 ( 2 ) ~ , a z x E C l , . . . ,x E C k , and y k - not among xl , . . . ,x then a * y : = EBE A i s a correct l ine with respect t o 8.
k 2) - PN-lines: I f 8; o ("A or B; a 1- ( 2 ) ~ and p does not occur i n 8 then
a * p := PN E A i s a correct Zine with respect t o 13.
3 Abbreviation l i n e s : I f 8; a I- C E A and a does not occur i n 8 then
o * d := C - E A i s a correct l ine with respect t o B.
5.5.4. Correct E-formulas r e l a t i v e t o a c o r r e c t book 8 and a context a which
is c o r r e c t w . r . t . 8
1 ) Repet i t ion r u l e : I f o 5 x E C . . . ,xk E C k and C . i s an i-expression 1 -
(iWx E C 3 then B; a f ( f o r j = l , . . . , k ) . j - j
2) Abstraction ru le : I f 8" : 8!o * x := E E i E a and 8* i s correct and (i) (i) B*; o,x E a I- C E A then 8; a I- Cx,alC E [x,a]A .
3) Application ru les :
i) I f )- A E a and ( i ) ~ E C X , ~ ] C then I- (')<ZPB - E [x/A]c.
ii) I f I- A E a , 1 " ) ~ - E c and 1- c - E C x , a l ~ then I- ( i ) < ~ > ~ - E <A>C
( c l e a r l y i w i l l be 3 h e r e ) .
4) Subs t i tu t ion r u l e : I f C i s an i-expression and ei ther
x E C1, ..., x k ~ C k * c : = = E C 0r x1 - E E l , . . . ,xk E Ck * C : = A E C 1 - -
i s a t ine i n the book B and B; a t A . E [x i , . ..,\/n1,.. .,%I" for ( i + l ) J -
j = l , ..., k t h e n 8 ; o t C ( A ~ ,..., A ~ ) E [ X ~ ,..., ,..., A D Z . k
5) Rule of type-conversion: If I- A - E C and I- C = r then I- A E r . 6) Rules of type- and prop-inclusion:
i) If 1-9 E Cxl,al l ... Cxk.ak1Cy161 (possibly k = 0) then
I-r E C X ~ , ~ ~ I ... C X ~ ~ C X ~ I ~ .
ii) If & - E Cxl.all . . . [ x k ~ q l C ~ . B 1 - ipossibZy k = 0) then
5.5.5. Correct expressions with respec t t o 8 and a
1) Correct 1-expressions:
(1) i) If B i s correct and a i s correct with respect t o B then B; a I- ~JJ=
(1) and 6 ; a I- prop.
ii) If B* B!a * x := E E a and B*; a ,x E a k( ' ) A then B;a c ( ~ ) [ x , ~ ] L I . (i) (i) 2) Correct 2- and 3-expressions: If I- C E A then I- C . -
Remark: I t is intended t h a t B; a 1 A o r 8 ; a 1 q only i f i s cor rec t and a
i s c o r r e c t with r e s p e c t t o 8 . This condit ion i s e x p l i c i t l y imposed i n 5.5.4
and 5.5.5.1 i) and propagated a l l through the d e f i n i t i o n .
5.5.6. Correct,=-formulas with respec t t o 8 and o
1 ) 6-equality: If I- < A > [ x , ~ ] B and ~ [ X / A ] B then ~<A>[x,a]B = [x/A]B.
2) n-equality: If I f x , B l < x > ~ , md x e' FV(C) and kc then ~ C X , B I < X > C = C.
3) b e q u a i i t y : If xl E C 1 , . . . , Xk E Ck * d := A E C i s a line i n 8, and - B; a ] - A . E [xi. ..., x /A ..., A l i . for j = 1. .... k, and
3 k 1' k I 8; a 1- IX . . . , xk/A1 , . . . ,Ak]A then B; 1- d (Al ,.. . 1) = [x,, + . . , \/Al , . . . ,A ]A k
4) Monotonicity r u l e s : *
i) If B z B : a * x : = E B E O ~ ~ -- B*; a , x g a C B ~ = B ~ then
8; o 1- C X ~ O I B ~ = C X , ~ I B ~ . ii) If a1 = a2. ~ C X , ~ ~ I B , and 1- Cx,a21B then 1- Cx,irl1e = Cx.a21s.
iii) If t A~ = B~ , t A~ = B~ , I- < A ~ > A ~ , m d 1 c B l > ~ 2 then I- <nlsn2 = <B >a 1 2'
i v ) If F A . = B . ( f o r j = 1 ,... ,k), and ~ - C ( A ~ , . . . ~ A ~ ) ~ and I 3
I- c ( B ~ . . . . , B ~ ) then 1- c A . . . , 1 = c ( B ~ , . . . , B ~ ) . 5) Ref lex iv i ty , symmetry and t r a n s i t i v i t y r u l e s
i) If ]-A, t and A E B then / - A = B
ii) If / -A = B then 1 B = A
iii) If [-A = B, and 1 B = c then /-A = C.
Remark: It i s intended t h a t 8; a A = B only i f both 8; a 1 A and 8; a 1 B. In most cases above, though sometimes unnecessary, such conditions have been
expl ic i t ly s ta ted. Where they have been omitted it w i l l be immediate t h a t
they hold by some other conditions.
6. Some remarks on language theory
The language theory is mainly concerned with the inves t iga t ion of the
bas ic system. A major aim i s t o prove the decidability of t h e AUTOMATH
languages. That i s , t o prove t h e existence of an e f f e c t i v e procedure which
f o r any given t e x t i n a f i n i t e amount of time decides whether it i s c o r r e c t
o r no t ( i n AUT-QE, s a y ) . The ke rne l of such a checker dea l s with the veri-
f ication of correctness of expressions and formulas (both E- and =-formulas),
r e l a t i v e t o a given book and context (which a r e assumed t o be c o r r e c t a l -
ready) . I n t h i s sec t ion we s h a l l sketch a c e r t a i n checking procedure, c lose ly
r e l a t e d t o t h e a c t u a l l y running ver i fy ing program of Zandleven ( c f . [ I l l ) . We s h a l l a l s o roughly ind ica te t h e proof of correspondence between t h e pro-
posed checking procedure and the language d e f i n i t i o n of the preceding sec t ion .
6.2. Reduction
6.2.1. I n order t o study the =-re la t ion i n more d e t a i l we in t roduce t h e re-
duction relat ion 2, a p a r t i a l order among the expressions. For an explanation
of the suggestive do t s i n our d e f i n i t i o n we r e f e r t o sec t ion 2.12.4.
6.2.2. Def ini t ion:
1 ) One-step reduction (with respec t t o a book B)
i) one-step 6-reduction: ... <A>[x,ak ... > ... BX/A]C ... 6
ii) one-step q-reduction: I f x # FV (C) then . . . [ x , a ] < x > ~ . . . > . . .c.. . iii) one-step &-reduction: If d was introduced by cm abbreviation line
x1 E al , .. . ,x k E ak
* d := D E C i n B then - . . .d ( C , . . . , zk) . . . >6 .. . [xl I .. . , x ~ / c ~ , . . . I c ~ D D . . .
i v ) a l s o > is allowed with any embination of the ind ices such as : I f
A > B O ~ A > then^> B B rl 6 rl
v) one-step reduct ion i n general: I f A > B then A > B . 6116
2 ) Mmy-step reduction (with respec t t o 8)
i) I f ~ ~ ~ t h e n ~ t ~
I f A 2 B cmd B > c (with respect t o 8) then A 2 c. So 2 i s t h e r e f l e x i v e and t r a n s i t i v e c losure of >. Likewise 2 denotes
6 6 the r e f l e x i v e and t r a n s i t i v e c losure of > e t c . For A 2 B we a l s o wr i t e
6 6 B I A.
3) i) Reduction sequence: A sequence E l , C 2 , . . . of expressions is c a l l e d a
reduction sequence of C1 i f f o r a l l i we have .Ci Ci+l o r C i ' 'i+l* ii) Proper reduction sequence: A reduction sequence C 1 , C 2 , ... is c a l l e d
proper i f f o r a l l i we have Ci > Ci+l.
6.2.3. C lea r ly the =- r e l a t i o n is t h e equivalence r e l a t i o n generated by t h e
r e s t r i c t i o n of > t o c o r r e c t expressions. So we can conclude: A = B i f f
A E C - > D~ 5 c2 2 D~ 5 . . . 1 D ~ - ~ I c s B (possibly k = 11, where aZZ ex- k
pressions i n the respective reduction sequences are correct.
6.2.4. A s an example of a reduction sequence consider:
3 a l t > <2>succfun > <2>[x,nat]successor(x) > successor(2) > 6 6 B 6
successor(successor(1)) (see sec t ion 2.16). So each reduction s t e p seems t o
b r ing us c l o s e r t o some poss ible "outcome". Here 8- and &-reduction amount
t o evaluat ion and q-reduction t o a c e r t a i n s impl i f i ca t ion of expressions.
6.3. The th ree problems: normalization, Church-Rosser and c losure
6.3.1. I t w i l l appear t h a t the decis ion procedure f o r equations (=-formulas)
p lays a c e n t r a l r o l e i n the checker. A t f i r s t we s t a t e - i n terms of the re -
mark i n sec t ion 6.2.4 - two hipor tant ques t ions around reduction and d e f i n i -
t i o n a l equal i ty :
i) (Normazization) Do c o r r e c t expressions always have a f i n a l outcome,
i . e . do they always reduce t o an expression which does not reduce fu r the r?
ii) (Church-Rosser property) Do d e f i n i t i o n a l l y equal expressions have a
common outcome, i . e . an expression t o which they both reduce?
A t h i r d c e n t r a l question concerns the so-called cZosure property ( t h i s term
was introduced by R.P. Nederpelt i n the in t roduct ion t o C91):
iii) Is t h e system closed under reduct ions , i . e . do c o r r e c t expressions re -
main c o r r e c t under reduction?
6.3.2. Normalization and s t rong normalization
Let us def ine
1 ) A i s n0rmaZ i f no one-step reduction A > B can be applied.
2 ) A is s a i d t o normazize i f A reduces t o some normal B (which is then c a l l -
ed a nomaz form of A ) .
3) A i s s a i d t o strongzy normaZize i f a l l proper reduction sequences of A
terminate.
We say t h a t normaZizatim ( resp . strong normaZization) holds i f a l l
c o r r e c t expressions normalize ( resp . s t rong ly normalize). Normalization (and
a f o r t i o r i s t rong normalization) does no t hold i n the f u l l 1-calculus ( t ake
a s a counter-example the expression < A X . <x>x>Ax.<x>x) . In typed systems such
a s AUTOMATH however, s t rong normalization (and hence normalization) does hold.
Much work concerning (s t rong) normalization has been done by log ic ians study-
ing systems of natural deduction and func t iona l i n t e r p r e t a t i o n s ( c f . f o r
ins tance C51, C81, ClCI) . Their methods o f t en apply t o AUTOMATH a l s o . S m e
new proofs of normalization have been given by members of the AUTOMATH-project
( c f . C91).
6.3.3. Church-Rosser theorem; uniqueness of normal forms
Question 6 . 3 . l i i ) above amounts t o the Church-Rosser theorem: I f A = B then
A 2 C I B for s m e C. An a l t e r n a t i v e formulation of t h i s i s the Diamond
property fo r 2 : I f A 2 B and A 2 c then B r D I c for some D ( c f . f i g u r e ) .
B A Diamond property 1 ' \ /
A s a co ro l l a ry of the Church-Rosser theorem we mention the uniqueness
of normal forms: I f B and C are normal forms of A then B 5 C. This property
t o ~ e t h e r with the normalization theorem allows us t o speak of the normal
form W(A) - computable by an e f f e c t i v e procedure NF - of c o r r e c t expressions
A. The Church-Rosser theorem holds i n t h e f u l l 1-calculus a s we l l a s i n typed
systems. In AUTOMATH languages without q-reduction the standard 1-calculus
proofs simply ca r ry over ( c f . C91). I n f a c t , i n view of s t rong normalization,
a s l i g h t l y e a s i e r proof can be given here . For, e .g. , AUT-QE, where we have
q-reduction the proof is sanewhat more complicated and dependsheavilyon the
c losure theorem. The author in tends t o publ ish t h i s proof and t h e o t h e r p r o o f s
omitted i n t h i s sect ion i n h i s doc to ra l d i s s e r t a t i o n .
6.3.4. Closure property
Let us f i r s t formulate the closure theorem: I f B; a I- A (respectively
8; a 1- A - E B) and A 2 c (with respect t o B ) then 8; a I- c (respectively
8 ; a 1 C E B) . I n connection with the c losure theorem, which holds f o r
AUT-QE, we have two important derived r u l e s :
1) General subst i tut ion principle (as mentioned i n 2.5) : I f *
xl E X I , . . .,11( E Zk IB ( resp. /- B - E C) and u k~~ 5 Xi ( f o r i = I , . . . ,k) * *
then 0 I- B* (resp. 1 B E c*) , where 1 stands f o r Ux1,. . . ,xk/A1 , . . . ,Ak]Z.
2) The "left-hand equality mZe" (canpare with t h e r u l e of type-conversion,
which i s the "right-hand equa l i ty ru le" ) :
If 1 1 3 ) ~ - E B and F A = C then 1-c - E B.
For 2-expression A we only have a weaker vers ion i n view of type-inclu-
s ion: If I- ( 2 ) ~ - E B a d ]-A = c d ( 2 ) ~ - E D then I - c - E B or F A - E D.
6.4. A decis ion procedure
6.4.1. Deciding =-formulas
Suppose A and B a r e c o r r e c t expressions. The normal form procedure NF
(sect ion 6.3.2) e a s i l y y i e l d s a decis ion method f o r the equation A = B,
namely A = B i f f NF (A) E NF (B) . Often, however, it i s no t necessary t o com-
pute normal forms f o r deciding A = B. For example, when A and B have d i f fe ren t
degrees one can e a s i l y draw a negative conclusion. O r more important, it ge-
ne ra l ly happens t h a t a few well-chosen reduction s teps i n A o r B w i l l r e s u l t
i n a non-normal common reduct. The choice of e f f i c i e n t reduction s teps here
is a matter of strategy; the termination of a procedure which successively
appl ies reduction r u l e s t o A or B i s anyhow guaranteed by the s t rong normali-
za t ion property, no matter i n what order the reduction s teps a r e applied.
I n order t o prove t h e correspondence between decis ion procedure and
language d e f i n i t i o n we must know t h a t a l l the expressions i n the reduction
sequences from A and B t o some common reduct a r e c o r r e c t again. This is
indeed t h e case by the c losure theorem.
6.4.2. Deciding E-formulas and epxressions
6.4.2.1. Assume ?3 i s a cor rec t book and u a cor rec t context; we must def ine
a decis ion procedure f o r the correctness of E-formulas and expressions. It
w i l l appear t h a t t h i s problem can be reduced t o the decis ion problem f o r
=-formulas (but f o r t h e straightforward task of checking the v a l i d i t y of
the i d e n t i f i e r s used) .
6.4.2.2. Uniqueness of types
We know (by the r u l e of type conversion) t h a t f o r a l l B' with 1 B = B'
we have IA g B o I A E B ' . *
For 3-expressions A the converse (uniqueness of types ) holds too:
For 2-expressions A we must be somewhat more p rec i se i n view of type-in-
c lus ion. We def ine among the c o r r e c t expressions t h e r e l a t i o n 5 by:
i) Cx1,a11 . . . C x k r a k 1 C y I B l ~ c Cx1,a11 . . . C x k r a k l ~
ii) Cxl ,a l l . . . CxkraklCy,Blprop c CxlralI . . . C x k r a k l ~
iii) f i s the t r a n s i t i v e c losure of = and c.
Then ins tead of (*) f o r 2-expressions A we can prove
6.4.2.3. Now assume t h a t A i s cor rec t . Then we can de f ine a "mechanicaZ type"
fwzction CAT, such t h a t :
So CAT computes some canonical representa t ive of t h e c l a s s of B ' with
1- A E B' ; furthermore, t h i s B ' i s minimal with r e s p e c t t o c. For the a c t u a l
d e f i n i t i o n of CAT we r e f e r t o C11, sect ion 71. Since t h e decis ion procedure
f o r equations i n the cur ren t checker a l s o conta ins the p o s s i b i l i t y of D
type-inclusion - i . e . A = B i f f A 5 B - the type funct ion CAT reduces
t h e v e r i f i c a t i o n of - f o r m u l a s t o the v e r i f i c a t i o n of equations.
6.4.2.4. F ina l ly we po in t ou t a decision procedure f o r correctness of ex-
press ions . Here we proceed by induction on the length of expressions. A s an
example we t r e a t the case of appl ica t ion expressions <A>B where A and B a r e
a l ready supposed t o be cor rec t .
6.4.2.5. Uniqueness of domains
For funct ion- l ike expressions A we de f ine a t o be t h e domain of A i f
* ) Here we mean uniqueness with respec t t o d e f i n i t i o n a l equa l i ty ( = I , i n con-
t r a s t with sec t ion 6.3.3, where we mean uniqueness with r e s p e c t t o syntac-
t i c equa l i ty ( r ) .
For domains we have uniqueness a lso (by the closure theorem and the
Church-Rosser theorem): If a and f3 are domains of A then a = 6. This f a c t
allows us t o speak about the domain of function-like expressions. Now we
are able t o define a %echmicaZ dmainr1 function DOM (for which we re fer
t o [ l l , section 71) , which for function-like A picks out a canonical repre-
sentat ive of the domain of A. The termination of DOM(A) follows by induction
on the degree of A, using strong normalization.
6.4.2.6. By CAT and DOM the ver i f ica t ion of correctness of <A>B reduces t o
the ver i f ica t ion of some su i tab le equation: ~ < A > B t A rmd B and
A E DOM (B) o r , equivalently, by 6.4.2.3i) ,
~ < A > B w t A and t B and I- CAT (A) = DOM (B) .
6.4.2.7. For the other cases of correctness of expressions we r e fe r t o Zand-
leven again. The correspondence of the current ve r i f i e r with the actual
language def in i t ion is e i ther immediate or follows from the above f ac t s
about CAT and DOM.
77
7. References
De Bruijn, N.G. ; The mathematical language AUTOMATH, i t s usage and
some of i t s extensions. Symposium on Automatic Demonstration
(Versai l les December 19681, Lecture Notes i n Mathematics, Vol. 125,
pp. 29-61, Springer-Verlag, Ber l in , 1970.
De Brui jn, N .G; Automath, a language for mathematics; notes (prepared
by B. Fawcett) of a s e r i e s of l e c t u r e s i n the S h i n a i r e de Math&
matiques SupBrieures, ~ n i v e r s i t e de Montreal, 1971.
De Brui jn, N.G. ; Lambda calculus notation with nameless dwmnies, a
tool for automatic formula manipulation, with application t o the
Church-Rosser theorem, Indag. Math., 34, no. 5. 1972.
De Brui jn , N .G . ; The AUTOMATH Mathematics Checking Project, t h i s volume.
Girard, J. Y. ; Interpretation fonctionezle e t e'limination des coupures
de l 'arithrnetique d'ordre supe'rieur, Doctoral d i s s e r t a t i o n , Uni-
v e r s i t 6 P a r i s V I I , 1972.
Howard, W .A. ; The formulae-as-types notion of construction, unpublished
1969.
J u t t i n g , L.S. van Benthem; The development of a t e x t i n AUT-QE, this
volume.
Martin-LBf , P . ; An i n h i o n i s t i c theory of types, unpublished 1972.
Nederpelt, R .P . ; Strung normalization i n a typed lambda-calculus with
lambda-structured types, Doctoral d i s s e r t a t i o n , Technological
Universi ty, Eindhoven, 1972.
Prawitz, D . ; Ideas and re su l t s i n proof theory, i n : Proc. 2nd. Scan-
dinavian Logic Symp. North-Holland Publ. Comp., Amsterdam, 1971.
Zandleven, I. ; Verifying program for AUTOMATH, t h i s volume.
Appendix 2. The paragraph system
In t h e d e f i n i t i o n of AUT-QE ( C V D , 51) it is required t h a t constants
which a r e i d e n t i f i e r p a r t s of d i f f e r e n t l i n e s a r e d i f f e r e n t . In t h i s appen-
d ix we desc r ibe a v a r i a n t of AUTOMATH languages i n which t h i s r u l e i s wea-
kened. The AUT-QE vers ion of t h i s v a r i a n t has a c t u a l l y been used f o r t r ans -
l a t i n g Landau's book. I t is i r r e l e v a n t f o r t h e following discuss ion, which
p a r t i c u l a r AUTOMATH language i s considered. We s h a l l the re fo re presuppose
unspecified language AUT, andwe s h a l l c a l l i t sparagraphed v a r i a n t AUT-PAR.
1. Paragraph l i n e s
A bookinAUT-PARcanbe s p l i t u p i n t o paragraphs. In t h e language
we have th ree spec ia l symbols +, - and -, and a countable s e t of para-
graph i d e n t i f i e r s (which we s h a l l denote here by syi l tac t ic va r i ab les
s,sl,~2,...,t,tl,t2,...). There is a bas ic paragraph i d e n t i f i e r cover . This w i l l p lay t h e rBle of the empty environment; the word "cover" i s meant
t o suggest "bookjacket". Besides ordinary AUTQMATH l i n e s (which we w i l l c a l l
here proper l i n e s ) , we have a s p e c i a l s o r t of l i n e s ( ca l l ed paragraph l i n e s ) ,
which a r e used t o ind ica te t h e paragraphs. There a r e two kinds of paragraph
l i n e s : opening l i n e s which have t h e form + s f and c los ing l i n e s which c o n s i s t
of the s i n g l e symbol -.
2. F i r s t r u l e f o r paragraph l i n e s
For t h i s desc r ip t ion we s h a l l number the l i n e s of our book (proper
l i n e s a s well a s paragraph l i n e s ) i n t h e i r proper order , and we w i l l indi -
c a t e l i n e s by t h e i r numbers. For each l i n e n we def ine o ( n ) ( c ( n ) r e spec t i -
ve ly) t o be the number of opening l i n e s (c los ing l i n e s respect ively) prece-
ding it.
The f i r s t r u l e f o r paragraph l i n e s is:
o ( n ) 1 c (n) f o r a l l n.
It follows t h a t the paragraph l i n e s provide the book with a kind of nested
s t r u c t u r e .
The paragraph l e v e l of a l i n e n i s defined by p l ( n ) = o ( n ) - c ( n ) . For
a l i n e n with p l ( n ) > 0 we def ine i t s paragraph opening by
po(n) = max{m I m < n and pl(rn) < p l (n) 1 . I t i s easy t o see t h a t p l ( 1 ) = 0,
t h a t f o r each n with p l ( n ) > 0 the l i n e po(n) is an opening l i n e , and t h a t
p l (po(n) = p l ( n ) - 1.
3. An example
AS an example we represent schematically a book with paragraphs. The
numbering of the lines in the book appears to the left. It only serves our
(metalingual) discussion, and does not belong to the schematically indica-
ted AUTOMATH text. The proper lines are indicated by their identifiers (con-
stants or variables) and their contexts. The dots indicate middle parts and
category parts.
In this example we have indeed o (n) > c (n) for- aLl n, and e. g.
o(4) = 1, c(4) = 0 hence pl(4) = 1
o (16) = 3, c(16) = 3 hence pl(16) = 0
po(4) = 3
po (IS) = 13
po(20) = 17 .
4. Indices and paragraphs
For references to paragraphs we use indices. An index has the form
s1 - s2 -...- s (with u 2 1). The sign - is used as a separator, and has U
nothing to do with the - of closing lines. As a syntactic variable for in- - - -
dices we use s. If s - sl - s2 -...- s then s - s denotes s - s2 -. . .- s - s. U U
For each line n we define an index ind(n) as follows:
if pl (n) = 0 then ind(n) = cover.
if pl (n) > 0 and po (n) - +s then ind(n) = ind(po (n) ) - s. Note that, by this definition, for each n the first paragraph identifier in
ind(n) is Cover . Indices of the form cover-s2 -...- s are called compzete U
indices. So, for all n, ind(n) is complete.
In the example we have:
ind(3) = cover
ind(4) = cover - s
ind(9) = cover - s - t ind(l5) = cover - t .
Given a book 8 and an index i , the subsequence of 8 consisting of those
lines n for which ind(n) = s is called the paragraph of s. Note that para- graphs are mutually disjoint.
In our example the paragraphs are:
- for s r cover : 1,2,3,12,13,16
- for s - cover - s : 4,5,6,7,11,17
- for s r cover - s - t : 8,9,10,18,19,20
- for s z cover - t : 14,15.
If n is a line in a paragraph, and pl (n) > 0 then the line po(n) is
called an opener.ofthe paragraph. Note that the openers of a paragraph are
not lines of that paragraph. The first opener of a paragraph is called the
paragraph opener of that paragraph, the other openers are called reopeners.
The closing lines in a paragraph are called the closers of that paragraph.
In our example we see:
- for s : Cover - S the paragraph opener is 3, a reopener is 16 and a clo-
ser is 11. - for s = cover - S - t the paragraph opener is 7, a reopener is 17 and
closers are 10 and 20. - for s = cover - t the paragraph opener is 13 and a closer is 15.
5. The r u l e f o r cons tan t s
The r u l e i n AUTOMATH languages requir ing t h a t constants introduced i n
d i f f e r e n t l i n e s a r e d i f f e r e n t , i s weakened i n t h e p resen t language a s f o l -
lows :
Constants introduced i n d i f f e r e n t proper l i n e s i n the same paragraph
must be d i f f e r e n t .
Note t h a t i n our example t h i s r u l e is observed.
For reference t o a constant c introduced i n the l i n e n we use t h e con-
s t a n t indexed, i. e . we w r i t e c";" where s = ind (n) . Note t h a t f o r an index-
ed constant c":" the index ; is always complete. In our example t h e con-
s t a n t s a introduced i n t h e l i n e s 1 , 5 and 9 appear indexed a s a " ~ 0 ~ e r " , auc0ver - s" and aUcover - s - tl' respect ively .
By t h e r u l e f o r constants t h e indexed forms of constants introduced i n
d i f f e r e n t l i n e s a r e d i f f e r e n t . So i f we would replace each constant by i t s
indexed form we would g e t a book where the s t r i c t r u l e f o r constants i s ob-
served.
6. The second r u l e f o r paragraph l i n e s
It is an e s s e n t i a l f e a t u r e of our language t h a t ind ices i n indexed con-
s t a n t s can be abbreviated, even ( i n some cases) t o t h e point of omitt ing
them e n t i r e l y . For t h i s purpose t h e r e i s a second r u l e f o r paragraph l i n e s :
I f +s i s a l i n e with number n, then s may no t occur i n i n d ( n ) .
I t follows t h a t the paragraph i d e n t i f i e r s o f i n d ( n ) a r e mutually d i f f e r e n t .
We s h a l l now descr ibe t h e i n t e r p r e t a t i o n of a constant c with abbre-
v i a t e d (or without) index. We assume t h a t such a constant occurs i n t h e mid-
d l e p a r t o r category p a r t of a proper l i n e n wi th ind(n) = ; = sl - s2 -. . .- s k' We d i s t ingu i sh th ree cases f o r t h e form of the abbreviated index.
i
ii)
c l ' t l - t2 -. . . - t " where t f cover. In t h i s case tl must be one (and R 1
the re fo re , by t h e second r u l e , exact ly one) of s 1 , ~ 2 1 . . . , ~ k . Suppose
tl - s then c M t l - t 2 - ...- tkl' should be in te rp re ted a s i
cl 's l - s2 -. . .- s - t2 -. . .- t ' I . I n our example, i f at's" occurs i n t h e i R
dots of l i n e 19, it should be in te rp re ted a s ~ " C O V W - S". c" - t - t2 -...- t " should be in te rp re ted a s
1 R c"s l - s2 -. . .- s k - t l -t2 -...- t ".
R In our example, i n t h e d o t s of l i n e 1 2 a" - S" should be in te rp re ted
a s allcover - s " and a" - s - t" a s ancover - s - t".
iii) c appears without index. Then c should be in te rp re ted a s c":" where t is t h e " longest poss ible i n i t i a l p a r t of s". 1.e. : I f c i s i d e n t i f i e r
of a l i n e preceding n i n t h e paragraph of s then c should be in te rp re -
t e d a s c";", e l s e i f c i s i d e n t i f i e r of a l i n e preceding n i n t h e para-
graph of s -s2 -...- s then c should be in te rp re ted a s k- 1
c"s l - s2 -. . .- s " e t c . k- 1
I n our example, i n t h e do t s of l i n e 4 , a should be i n t e r p r e t e d a s
aflC0Ver" , while i n l i n e 6 a should be in te rp re ted a s a"C0Ver - S " . Note t h a t i n the middle p a r t o r category p a r t of l i n e 9 a should
again be in te rp re ted a s a"c0Ver - S " ( i . e . t h e i d e n t i f i e r introduced
i n l i n e 5 ) .
We see t h a t the i n t e r p r e t a t i o n of a constant with abbreviated index
depends on the place i n the book where it occurs.
7. Reference t o va r i ab les
According t o t h e d e f i n i t i o n of AUT-QE, va r i ab les x l , ...,xk of a context
x1 E a l , . . . , xk E a must be mutually d i f f e r e n t i d e n t i f i e r s . W e maintain t h i s k r u l e i n AUT-PAR. Thus f r e e va r i ab les occurring i n t h e middle p a r t o r catego-
r y p a r t of a l i n e always r e f e r t o a (unique) va r i ab le of t h e context (Cf.
CVD, 2.4, 2.13.2, 5.5.2, 5.5.31). Therefore such va r iab les a r e never indexed.
For va r i ab les the re a r e i n AUTOMATH no r e s t r i c t i o n s t o t h e i r use a s
i d e n t i f i e r p a r t s of d i f f e r e n t l i n e s . I f a va r i ab le x appears a s a context
ind ica tor ( C V D , 2.13.1 i)]) of a l i n e n it always r e f e r s t o t h e l a t e s t EB-
l i n e introducing x which precedes n. I n AUT-PAR a context i n d i c a t o r must be
indexed and f o r t h e indexed va r iab les we allow the same abbrevia t ion r u l e s
a s i n sec t ion 6. Hence t h e context ind ica to r X i n l i n e 5 of our example
should be in te rp re ted (according t o 6 iii) above) a s X"COVW - S " , i . e .
t h e v a r i a b l e introduced i n l i n e 5. The context ind ica to r X i n l i n e 8 should
a l s o be in te rp re ted a s X " C O V ~ ~ - S" , but it r e f e r s t o t h e va r i ab le i n t r o -
duced i n l i n e 6. In f a c t i n l i n e s n with n > 6 the re is no p o s s i b i l i t y t o
use t h e va r i ab le X introduced i n l i n e 4 a s a context ind ica to r . The con-
t e x t ind ica to r X i n l i n e 19 should be in te rp re ted a s X " C O V ~ ~ - S - t" , thus r e f e r r i n g t o t h e va r i ab le introduced i n l i n e 18.
I f we want t o wr i t e l i n e 19 on t h e context introduced i n l i n e 6 we
should wri te :
o r , with a complete index:
19 xMcover - s " * d := ..... I t is allowed t o introduce a new variable i n l i n e 19 by
X"S" * y := -E .... - However
X"S" * x := - E .... - would not be allowed, because t h i s would give two variables X i n one con-
tex t .
8. Remarks on notation
Deviating from the notations fo r paragraph l i nes described above, we
denote reopeners of a paragraph not by +s but by +*s, and closers of the
paragraph of s 1 - ~ 2 -...- sk by -sk. Thus the l i n e s 16 and
should be written +*S and +*t , and the l i nes 11 and 15
respectively. This redundant notation i s preferred fo r the
l i t y .
17 i n our example
a s -S and -t
sake of readabi-
Appendix 3. The PN-lines from the preliminaries
LAYOUT FROM F I L E : EXCERPTOUTPUT/PREPNS JANUARY 25, 1977 lO:48:41
* A A * B B 1: I M P * CON A * NOT A * WEL A * W W * E T R * EC B * AND * SIGMA
SIGMA * P P * A L L P * NON P * SOME
SIGMA * S S * T T * I S S * R E F I S P * S S * T T * SP
SP * I I * I S P P * AMONE
P * ONE
P * 0 1 0 1 * I N D 0 1 * ONEAX
SIGMA * TAU TAU X F
F * I N J E C T I V E
F * TO TO * IMAGE
TAU * F F S G G * I I * F I S I P * OT P * 01
0 1 S I N 01 * I N P
P * O T A X I
P 8 S S * SP
SP * OTAX2 TAU $ PAIRTYPE TAU S
S * T T * P A I R
TAU * P 1 P i * F I R S T P 1 * SECOND P 1 * P A I R I S 1
T * F I R S T I S I T * SECONDIS1
i PROP i PROP i PROP i PROP i PROP i PROP i WEL(A) i A i PROP i PROP i TYPE i CXvSIGMA3PROP i PROP i CXvSIGMAJPROP i PROP
i SIGMA i SIGMA i PROP i I S ( S v S ) i SIGMA i SIGMA 5 <S>P i I S ( S r T ) i <T>P
i PROP
i PROP i ONE(S1GKAtP) i SIGMA i <IND>P i TYPE i CXrSIGMA3TAU
IMP(IS(TAU~<X>FP<Y>F)~IS(X~Y)) 1 ) i PROP --- i TAU SOME(CX~SIGMAIIS(TAUITOI<X>F)) i PROP --- i CXvSIGMAlTAU --- i CXvSIGMA3TAU --- i CXISIGMAIIS(TAUI<X>F~<X>G)
i IS(CXvSIGMA1TAUvFvG) i TYPE i OT i SIGMA i <IN>P C INJECTIVE(OTvSIGMAtCXIDT3
I N ( X ) l i SIGMA i <S>P i IMAGE(OTrSIGMArCXrOTlIN(X)vS) i TYPE i SIGMA i TAU i PAIRTYPE i PAIRTYPL? 5 SIGMA i TAU i I S ( P A I R T Y P E v P A I R ( F 1 R S T I
S E C 0 N D ) v P l ) i I S ( S I G M A v F f R S T ( P A 1 R ) r S ) i IS (TAUvSECOND(PA1R) r f )
21 SIGMA * SET SIGMA * S
S * SO 22 SO * EST1 2 3 P 1: SETOF
P * S S * SP
2 4 SP * EST11 S * E
25 E ESTXE SIGMA * SO
SO * TO TO * INCL TO * I I n J
26 J $ ISSETI
TYPE SIGMA SET PROP SET SIGMA <S>P ESTI(SvSETOF(P)) ESTI(S9SETOFCP)) <S>P SET SET
PROP INCL(SOvT0) INCL(TOvS0) IS(SET~SOPTO)
86
Appendix 4. Excerpt for "Satz 27"
LAYOUT FKOH FILE : EXCERPTOUTPUT/SATZ27 JANUARY 251 1977 10:58:22
* A A * B B $: IMP B t A1
A1 * I I * HP B * C C * I I * J J $ TRIHP
$ CON A * NOT A * WEL A * A1
A1 $ WELI A * W W * ET A * Cl
Cl * CONE
i PROP i PROP i PROP i A i II.IP(AIB~ i B i PROP i IHP(ArB) i IHP(BrC) i IHP(AvC) i PROP i PROP i PROP i A i WEL(A) i WEL(A) i A 8 CON i A
B * EC := IHP(ArNOT(B)) i PROP
* SIGMA SIGMA * P
P * ALL i TYPE i EXrSIGMAIPROP i PROP
P * S S * N N * THl
: --- i SIGMA : = --- i NOT(<S>P) := CXrALL(SIGMArP)I<<S>X>N i NOT(ALL(S1GMArP))
P 1: NON P * SOME P * S S * SP SP * SOME1
:= CXvSIGMAINOT(<X>P) i CXrSIGMAIPROP := NOT(NON(P)) i PROP : = --- i SIGMA : = --- i <S>P := THIS-ALLg(NON(P)rSrWELI(<S>Pr
SF)) i SOME(S1GMAvP)
i SOME(S1GMArP) i PROP i CYrSIGMAIIt+P(<Y>PrX)
I * SOMEAPP
PROP AND3(ArBrC) A B C A B C
C * A1 A1 * THl
SIGMA S S S * T T * IS S * REFIS P * S S * T T * SP
SP * I I * ISP
SIGH6 * S S * T
' T * I I * sYnIs T * U U * I I * J J * TRIS U * I I * J J * TRISZ T * N N S SYMNOTIS
i SIGMA i SIGMA i PROP i IS(S*S) i SIGMA i SIGMA i <S>P i IS(SrT) i <T>P i SIGMA 5 SIGMA i IS(SrT)
i IS(TrS) i SIGMA i IS(SrT) i IS(T*U)
U * V V Y I I * J J * K K * TR3IS V * W W * I I * J J * K K * L L * TR4IS P * AMONE P ONE
P * 01 01 Y IND 01 * ONEAX
SIGMA TAU TAU F F * S S Y T T * I I ISF
TAU * F F * G G * I I * S S * FISE G * I 1 * FISI
SIGMA * SET SIGMA * S
S * SO SO * EST1 P * SETOF P * S S * SP
SP * EST11 S * E E * ESTIE
P PROP
? PROP i AMONE(S1GMAvP) i SOME(S1GMArP)
i ONE(S1GMAvP) i ONE(S1GMAvP) i SIGHA i <IND>P i TYPE i CXvSIGMAITAU i SIGMA I SIGHA i IS(SvT)
IS(TAUv<S>Fv<T>F) CXrSIGMA3TAU CXvSIGMAJTAU IS(CXvSIGMA3TAUvFvG) SIGMA
3 TYPE 8 SIGMA 8 SET i PROP i SET 8 SIGHA 8 <S>P 8 ESTI(SvSETOF(P)) i ESTI(SvSETOF(P)) i <S>P
* NAT * X X * Y Y * IS Y $ NIS X * S S * IN * P P * SOME P * ALL * 1 * SUC * X X * Y Y * I I I AX2 * AX3 * AX4
* P P * 1P 1P * XSP
XSP * X
X t S X * T1 X * Y Y * YES
YES % T2 YES * T3 X Sr T4
X * INDUCTION * X X * Y Y * N
TYPE NAT NAT PROP PROP SET (NAT) PROP CXvNAT3PROP PROP PROP NAT CXvNAT3NAT NAT NAT IS(X?Y) IS(<X>SUC?<Y>SUC) CXINAT~NIS(<X>SUC~~) CX~NAT~CYINATICUPIS(<X>SUCP <Y>SUC)3IS(XvY) SET (NAT ) PROP
PROP CSvSET(NAT)3CUvCONDl(S)3 CVvCOND2(S)3CXvNAT3IN(XvS) CXvNAT3PROP <1>P CXvNATJCYv<X>P3<<X>SUC>P NAT
:= SETOF(NATvP) i SET(NAT) := ESTII(NATvPvlv1P) 5 CONDl(S) : = --- i NAT : = --- i IN(YvS) := ESTIE(NATvPvYvYES) i <Y>P := ESTII(NATPPI<Y>SUCI<T~><Y>XSP) i IN(<Y>SUCvS) := <X><CYvNAT3CUvIN(YvS)lT3(YvU)>
<Tl><S>AX5 5 IN(XvS)
Y * TlO PB S TI1
X * AA
:= OR(IS(Xv1)vSOHE(CUvNATIIS~Xr <U>SUC) ) ? i PROP.
:= ORI1(IS(lrl)vSOME(CLLvNATJIS(lr <U>SUC))vREFIS(NATvl)) i PROPl(1)
:= SOMEI(NATrCU?NATlIS(<X>SUCv<U> SUC)~XIREFIS(MAT~<X>SUC)~ 5 SOHE(CU~NATIIS(<X>SUCP<U>SUC)
2 := ORI2(IS(<X>SUCvl)vSOME(CUrNATl
IS( <X:>SUC r ':U>SUC) ) rT2) i PROPl(<X>SUC) := INDUCTION(CYvNATlFROPl(Y)rTir
CYvNATJCUvPROPl(Y)lT3(Y),X) 6 PROPl(X)
5 PROP 5 PROP i CYtNATINAT i CYvNATINAT i PRQPP(A) i PROPP(B) I NAP i PROP
i PROP i PROPl(1vSUC)
PROP4 ( X) CYPNATJNAT PROP2 ( F ) CY rNAT3NAT NAT IS(<Y>Gv<<Y>F>SUC)
X * PLUS
Y * PL
+*24
X * T26
X * SAT24 := ONEI(CYINATINATPCZ?CY?NATJNAT~ PR0P2 ' -24 ' (Z )~AA ' -24 ' rBB ' -24 ' ) i ONEmE'(CY?NAT3NAT?CZ~EYrNAT3
NATIAND(IS(<l>Z?<X>SUC)r ALL(CY?NAT3IS(<<Y>SUC>Z?<<Y> Z>SUC)) ) )
:= IND(CYINATJNAT?CZ?CY?NAT~NAT~ PROP2'-24'(Z)rSATZ4) i CYPNATJNAT
:= <Y>PLUS i NAT
PLUS)
X?<Y>SUC)?<PL
X * SATZ4E Y 8 SATZ4F
X * SATZ4G Z * I I * ISPLl I * ISPL2
-25
Z * SATZS
Y * COMPL
PROP IS(PL(Y?l)r<Y>SUC) IS(PL(lrY)r<Y>SUC)
Z * DIFFPROP
Y S I Y * I1 Y S 111 Y * ONEl
ONEl * U U * T1
Y * T4 ONE1 * T5
Y * T6 Y * TWOl
TWOl * THREE1 THREE1 * U
U * DU DU S V V * DV
DV * T6A
TWO1 * TlO Y * TI1 Y * A
Y * MORE Y * LESS Y * SATZlOB Y * M M * SATZll Y * MOREIS Y * LESSIS, Y * M M * SATZl3
:= NIS(YrPL(XrY)) i PROP := SYMNOTIS(NATr.<X>SUCrlr<X>AX3) i NIS(lr<X>SUC) := TH4*E-NOTIS*(NATrlr<X>SUCr
PL(Xrl)rTlrSATZ4A) i FROPl(1) : = --- i PROPl(Y) := SATZl(YvPL(XrY)rP) i NIS(<Y>SUCr<PL(XrY)>SUC) := TH4.E-NOTISm(NATr<Y>SUCI(PL
(XrY)>SUCrPL(Xr<Y>SUC).TJ, SATZ4B) i PROPl(<Y>SUC)
:= 1NDUCTION(CZrNAT3PROPlm-27*(Z) rT2'-27'rCZrNAT3CUrPROP1.-27' (Z)lT4'-27'(ZrU)rY) i NIS(YrPL(XrY))
:= IS(XrPL(Y*Z)) i PROP
:= IS(XrY) i PROP := SOHE(CUrNAT3DIFFPROP(XIYIU)) i PROP := SOHE(CVrNATJDIFFPROP(YrXrV)) i PROP . - . - --- i I : = --- i NAT := TRIS(NATrPL(UrX)rPL(XrU)v
PL(YrU)rCOMPL(UvX)r ISPLl(UrONE1)) i IS(PL(UrX)rPL(YrU))
:= TH3gE-NOTISm(NATrXrPL(UIX)r PL(YrU)rSATZ7(UrX)rTl) i NIS(X~PL(YPU))
:= TH5.L-SOMEm(NATrCUrNAT3 DIFFFROP(U)rCUrNATlT2(U)) i NOT(I1)
:= THl'L-EC'(IrIIrCZr13T3(Z)) i EC(IrI1) := T3(YvXrSYMIS(NATrXrYrONEl)) i NOT(II1) := TH~'L-EC*(III~I~CZII~T~(Z)) i EC(IIIr1) 1 - . - --- i I1 : = --- i I11 : = --- i NAT : = --- i DIFFPROP(XrYrU) : = --- i NAT : = --- i DIFFPROP(YvXvV) := TR4IS(NATrXrPL(YrU)rPL(PL(XrV)
rU)rPL(XrPL(VrU))rPL(PL(VIU)r X)rDUrISPLl(YrPL(XrV)rUrDV)* ASSPL~(XIV~U)~COHPL(XIPL(V~U)) ) i IS(XrPL(PL(VrU)rX))
:= MP(IS(X~PL(PL(VIU)~X))ICON~ T6ArSATZ7(FL(VrU)rX)) 8 CON
:= SOMEAPP(NAT~CV~NATIDIFFPROP(YP x ~ V ) ~ T H R E E I ~ C O N ~ C V T N A T I C D V ~ D I F F F R O P ( Y ~ X I V ) ~ T ~ ( V ~ D V ) ) 5 CON
Li SOHEAPP(NATrCUrNAT3DIFFFROP(U) rTWOlrCONrCUrNAT3CDUrDIFFPROP (U)3TB(UrDU)) 5 CON
:= CZrIIIIT9(Z) i NOT(II1) := THl'L-EC.'(IIrIIIrCZvIIJTlO(Z)) i EC(IIrII1) $1 TH6'L-EC3'(IrIIrIIIrT4rTllrT6) i EC3(IrIIrIII)
- .- -. DIFFPROP(XrYrU))rSOME(CVrNATJ DIFFPROP(YrXrV)))
:= SOHE(EUrNATIDIFFPROP(XrYrU)) i PROP PROP EC~(IS(X~Y)FMORE(XPY)~ LESS(XrY)) MORE(XPY) LESS(YIX) PROP PROP MOREIS(XrY)
i MOREIS(ZrY) i IS(X9Y) i MOREIS(XrY) i MORE(XrY) i MOREIS(XrY) i NAT i IS(X?Y) i IS(ZrU) i HOREIS(XrZ)
N * M M * LBPROP
N * LB N * MIN P * S
i LESSIS(PL(Yv1)rX) i CXINAT~PROP i NAT
i NCIT := IHP(<M>PvLESSIS(NvM)) i PROP
:= ALL(CXrNAT3LBPROPm-327'tX)) i PROP := AND(LBr<N>P) i PROP : = --- i SOME(P)
NAT LBPROPClrN) LB(1) CXrNAT3LB(X> NAT <Y>P MORE(PL(Yr1)vY) NOT(LESSIS(PL(Yr1)rY))
NOT(LB(PL(Yr1)))
CON
CON
NP Ti9 NMP * T20 NnP * ~ 2 1
A * T22 A * T23
: = --- i NON(NATICX?NATIAND~LB(X) F
. - NOT(LB(PL(Xr1))))) . - --- 5 NAT : = --- i LB(M) := <M>N i NOT(AND(LB(M)rNOT(LR(PL(Mrl))
) ) ) := ET(LB(PL(nv1))r
TH3'L-AND'(LB(M)r NOT(LB(PL(Mrl)))rT9rL)) i LB(PL(Mr1))
:= ISP(NATrCXrNATILB(X)rPL~Mvl)r <H>SUCPTIOPSATZ~A(H)) i LB(<M>SUC)
:= CXrNAT3INDUCTION(CYrNATILB(Y)r T2rCYrNATlCZrLB(Y)lTll(YrZ)rX) i CXrNATJLB(X)
:= CXrNON(NATrCXrNATIAND(LB(X)r NOT(LB(PL(Xrl)))))IT8(T12(X)) i SOME(EXrNATJAND(LB(X)r
NOT(LB(FL(Xr1))))) 1 = --- i NAT : = --- i AND(LB(M)rNOT(LB(PL(Mrl)))) := ANDEl(LBIM)rNOT(LB(PL(flrl)))r
A) 5 LB(H) := ANDE2(LB(M)rNOT(LB(PL(Mrl)))r
A ) . - 5 NOT(LB(PL(Mr1))) . - --- i NOT(<M>P) := --- i NAT - . - --- i <N>P := MP(<N>PrLESSIS(MrN)rNPr<N>T14) i LESSIS(MrN) := TH3.L-IMPg(IS(MrN)r<M>PrNMPr
C X I I S ( M ~ N ) I I S P ( N A T ~ P I N P M ~ N P ~
Appendix 5. Two shortcomings of the verifying program
The verifying program was conceived at the time when the language theo-
ry of AUTOMATH was still in its infancy. Actually the first satisfactory de-
finition of AUT-QE only appeared afterwards. The program can therefore be
seen as a formalization of an informal concept of the language in the pro-
grammer'smind.This concept, though informal, was quite clear; in fact it
was proved afterwards that the main procedure is adequate and terminates
( CVDI, CvD21) . Besides being correct, the program had to be efficient: verifying a
text should be actually feasible (and not only theoretically possible). This
requirement led the programmer to economize on substitution, as by substitu-
tion expressions tend to become longer, and also because in substitution an
expression has to be scanned and completely rebuilt. Even after the program
had been operational for a year, simplifications by avoiding substitution
shortened the processtimeconsiderably.
However, in two places economy went a bit too far. It is well known
that a-reduction, i.e. renaming of bound variables (which is a special case
of substitution) is sometimes necessary in order to avoid cZash of variables.
It has been assumed by the programmer that a-reduction is superfluous if all
binding variables of input expressions get different codes (see CZ~]).
Unfortunately, as has been shown by v. Daalen, this is not the case.
Clash of variables may still occur in the following two ways:
D D i) When it is tried to establish CX,AIB = CY,CID this is done by A = C and
D B = Uy/xD~ (see [zl], 8.4.1). This gives wrong results when x is
D D free in D. It would be correct to try A = C and UX/ZDB = UY/ZDD, where
z is a fresh variable.
The fact that clash of variables may actually occur in this way is shown
by the following example. We consider the (correct) book:
Suppose it has to be established, relative to this book, whether
It is easily seen that both expressions are correct, and that the first
expression reduces by 6-reductions to
where, as it should be, in the subexpression [x,nla(x,b) the second x
is bound. Hence the expressions are not definitionally equal. The pro-
gram will not discover this, because it will proceed to check
D D and then a E a x = X and Cx,nla(x,b) = Cx,nla(x,b).
ii) The claim (in [Zll, 5.1) that by 6-reductions on expressions with dis-
tinct binding variables eventually no clash of variables can arise is
not justified, as we show by another example: Consider the following
(correct) book:
Now
4zSi ,nlCj ,nlnlCy,n1Cx,nla(~x~z,y)~ Cu,Ck,C l ,nlCm,nlnlCp,nlCq,nlnl~~b>u>u
reduces by @-reductions to
If we reduce this further, the x indicated by (21, which is bound by
the abstraction indicated by (I), will be bound by the abstraction in-
dicated by (3), since the expression reduces (in the verifying program)
while it should reduce to
(where v is a new variable).
Appendix 6 . Example of a text in AUT-68
* PROP := PN
a * u . - . - u * ALLe :=
u * V e :=
P * u . - . - u * ALLi :=
u * V i :=
P N
ALL - - PN
ALLe - P N
ALLi
Etype - E PROP - Etype -
Etype - E Cx,SIPROP - E PROP - E PROP - E S - E t ( V ( P ) ) - E k(<a>P) - E I-(<a>Pf - E Cx ,SIC (<x>P) - E t - (V(P)) -
B * u . - . - - E H A ) - u * v i l := ALLi(PROP,Cx,PROP1((A-tx)-t((B+x)-tx)),
Cx,PROPl-ti (A-tx,(B+x)+x,
Cy ,t (A-tx) l+i (B+x ,x,
Cz ,k(B+x)l+e(A,x,y,u)))) - E I-(AvB)
E * u . - . - - E k ( B ) - u * v i 2 := ALLi (PROP,Cx,PROPl((A-tx)-t((B+x)+x)),
Cx ,PROPl-ti (A-tx, (B+x)+x,
Cy,t(A+x)l+i (B+x,x,
Cz,F(B-tx) l - te(B,x,z ,u)))) - E ~ ( A v B )
P * SOME := ALL(PROP,Cx,PROPl(V(Cy,Sl(~y~P+x))-tx)) - E PROP
P * 3 . - 1 - SOME - E PROP
P * X . - . - - E PROP - X * u . - . - - E t ( 3 ( P ) ) - U * V . - . - - E Cx,SICy,k(<x>P)lk (X) - v * SOMEe := +e(V(Cy,Sl(<y>P+X)) ,XI
ALLe(PROP,Cx,PROPl(v(Cy,Sl(~y~P+x))
+x) ,X,u) ,vi (Cy,Sl(<y>P+X),
Cy,Sl+i (<y>P,X,<y>v))) - E k ( X )
v * 3 e := SOMEe - E k (X )
a * u . - . - - E k(<a>P) - u * SOMEi := ALLi (PROP,Cx,PROPl(v(Cy,Sl(~y~P+x))+x),
Cx,PROPI+i (v(Cy,SI(<y>P+x)) ,x,
Cz,t (V(Cy,Sl(<y>P-tx)))l+e(<a>P,x,
'Je(C~,sl(<y>P+x),a,z),u))) - E W P ) ) u * 3 i . - . - SOMEi - E k(g(P) )
S * a . - . - - E S - . - a * b . - - E S - b * IS := ALL(CX,SIPROP,C~,CX,S~PROI~](<~>~-~<~>~)) - E PROP b * a=b := I S - E PROP
a * I S i := ALLi(Cx,S1PROP,Cp,Cx,SlPROPl(~a~p+~a~p), Cp,Cx,SlPROPl+i (<a>p,<a>p ,Cy,l-(<a>p)ly)) - E C(a=a)
a * REFIS := I S i - E t (a=a) a * = i . - . - I S i - E t (a=a)
a * r e f = := I S i - E t (a=a)
b * u . - . - - E I-(a=b) - U * V
. - . - - E t (<a>P) - v * ISe := +e(<a>P,<b>P,ALLe(Cx,SlPROP,
[p,~x,SlPROPI(<a>pt<b>p) ,P,u) ,v) E k(<b>P)
v x SUBST.PRED := I Se - E t ( < t > P )
v * =e . - . - I Se - E t (<b>P)
S * a
a * b
b * u
u * SYM. IS
u * sym= b * c
e * u
u * v
v * TR.IS
v * tr=
. - . - - := =e(Cx,Sl(x=a) ,a,b,u,=i(a)) . - . - SYM. IS . - . - -
. - . - - := =e(Cx,SI(a=x),b,c,v,u) . - . - TR. I S
b * a#b . - . - i ( a = b ) - E PROP
+N
* n a t . - . - PN
* P . - . - - P * V . - . - ALL(nat,P)
P * n . - . - - n * u . - . - - u * ve . - . - ALLe(nat,P,n,u)
E PROP - E PROP - E t ( 3 ( P ) ) - E ~x,nai lCy,k(<x>P)Ik(X) - E I-(X) - E I-(<n>P) - E I-(W) - E na t - E na t - E PROP - E PROP -
REF. IS(nat,n) - E I-(n=n) - E I-(n=m) -
SYM. IS(nat,n ,m,u) - E I-(m=n) - E na t - - E I-(n=m) - - E C(m=l) -
TR. IS(nat,n,m,l ,u,v) - E C(n=l)
- E na t - - E na t - - E I-(n=m) - - E t (<n>P) -
SUBST.PRED(nat,P,n,m,u,v) - E k(<m>P)
- E Cx,natlS - - E na t - - E n a t - - E k(n=m) -
SUBST.FN(nat,S,f ,n,m,u) - E I-(IS(S,<n>P,<m>f))
v * i nduc t i on := ve(P,n,axiom5(P,u,v))
* n
n * m
m * u
u * S a t z l
* P2 n * Sa t z2
* P3
* 1 1
n * 12
n * 13
E n a t - E n a t - E n a t -
E I-(n'B1) - E n a t - E t ( n ' = m l ) - E I-(n=m) -
E n a t - E I - (< l>P) - E Cx,nat lCy, t (<x>P) lk (<x '>P) - E I-(<n>P) -
Appendix 7. Excerpt for "Satz I", "Satz 2" and "Satz 3".
LAYOUT FROM FILE : EXCERPTOUTPUT/SATZlEN2EN3 JANUARY 251 1977 10352335
* A A * B B * IMP B * C C * I I * J J % TRIMP
% CON A * NOT A % WEL 4 * A1 A1 * WELI A * W W % ET A * C1 C1 % CONE
B * OR B * A1 A1 * OR11 B * B1 B1 % OR12 B * a O * N N % ORE2
% SIGMA SIGMA % P
P * ALL
P * S S * N N % THl
P % NON P % SOME P * S S * SP
SP * SOME1
PROP PROP PROP PROP IHP(AIB) IHP(BvC1 IMP(AvC) PROP PROP PROP A WEL(A) WEL(A) A CON A
PROP A ORCAvB) B ORCArB) OR(AvB) NOTCA) B TYPE CXvSIGHAJPROP PROP
: = --- i SIGMA 8 - --- i NOT(<S>P) := CXvALL(SIGMAvP)J<<S>X>N i NOT(ALL(S1GHAvP))
SIGMA S 8 : 6
S * T t = T % IS :a
S S REFIS t =
:= CXvSIGMAJNOT(<X>P) i CXPSIGMAJPROP := NOT(NON(P)) i PROP : = --- 5 SIGH6 : = --- 9 <S>P := THle-ALLm(NON(P)*S~WELI(<S>Pv
SP)) i SOME(S1GMAvP)
i SIGMA 5 SIGMA i PROP i IS(S1S)
SIGMA SET SIGMA * S
S * SO SO * EST1 P 1( SETOF P * S S * SP
SP * ESJII S * E E * ESTIE
X NAT * X X * Y Y * IS Y 1: NIS X * S S * IN * P P * SOME P * ALL * 1 * SUC * AX3 * AX4
* P P * 1P 1P * XSP
XSP * X
X S S X * T1 X * Y Y 1: YES
YES * T2 YES * T3 X S T4
TYPE SIGMA SET PROP SET SIGMA <S>P ESTI(SvSETOF(P)) ESTI(SvSETOF(P))
; <S>P
t = PN 6 TYPE t = --- i NAT . - . - --- i NAT := ISgEg(NATrXvY) i PROP := NOT(IS(XvY)) i PROP . - . - --- i SETtNAT) := ESTI(NATrXvS) i PROP . - . - --- i CXvNAT3PROP := SOHEmL'(NATrP) # PROP := ALLmL'(NATrP) i PROP . - . - PN i NAT . - + - PN i CXvNAT3NAT . - + - PN i CXvNAT3NIS(<X>SUCrl) : = PN i CXrNAT3CY?NAT3CUvIS(<X>SUCv
<Y>SUC)3IS(XvY) : = --- i SET(NAT) := IN(lrS) 5 PROP := ALL(CXvNAT3IMP(IN(XvS)tIN(<X>
SUCvS) 1 ) i PROP t = PN i CSvSET(NAT)3CUvCONDl(S)3
C V ~ C O N D ~ ( S ) ~ C X I N A T ~ I N ( X I S ) : = --- i CXvNAT3PROP := --- i <1>P :a --- i CXvNAT3CYr<X>P3<<X>SUC)P : = --- 3 NAT
:= SETOF(NATvP) i SETtNAT) := ESTII(NAT?PvlrlP) i CONDl(S) : = --- i NAT . - . - --- i IN(YvS) - := ESTIE(NATvPvYvYES) i <Y>P := ESTII(NATvPr<Y>SUC?<T2><Y>XSP) i IN(<Y>SUCvS) := <X><CYvNAT3CUvIN(YvS)3T3(YvU)>
<Tl><S>AXS i IN(XvS)
X * INDUCTION := ESTIE(NATrPvXvT4'-11.1 5 <X>P * X : = --- D NAT X * Y : = --- 8 NAT
Y * N := --- i NIS(XvY)
Appendix 8. Example of a text in AUT-68-SYNT
t PROP . - . - * A . - . -
A * k . - . -
* z l . - . - - z l * ass.prop := l a s t e l t ( t a i 1 (k , c a t ( z l ) ) )
D SO: if u - E k ( A ) then ass.prop(u) = A - E PROP
* S . - . - S * P . - . - P * ALL . - . -
so: if P - E Cx,SlPROP then V(P) ALL(S,P) - E PROP
p * a . - . - a * u . - . - u * A l l e . - . -
so: if a S , u - E k ( V ( P ) ) then Ve(a,u) - E k(<a>P)
u * ALLi . - . - PM
zl * v i := ALLi (dom(z1) ,Cx,dom(zl)lass . p rop (<x>z l ) ,211
So: if U - E [x,S]k(<x>P) then v i (u) k ( v ( P ) )
E s y n t -
so: if a E S , b - E T (a ) , u - E k (VZ(P2) ) t h e n VZe(a,b,u) - E C(<b><a>P2)
SO: if u - E Cx,SlCy,T(x)It-(<y><x>P2) t hen VZ i (u ) E k(VZ(P2) )
E s y n t -
so: if a - E S , b - E T(a) , c E U(a,b) , u C(V3(P3)) then
v3e(a,b,c,u) - E l-(<c><b><a>P3)
SO: if u - E [ X , S ] [ ~ , T ( X ) I C Z , U ( X , Y ) I ~ ( <z><y><~>P3) t hen v 3 i ( u ) - E 1 ( ~ 3 ( P 3 ) )
E PROP - E PROP -
so: if u - E t(A+B), v - E t ( A ) then +e(u,v) - E k(B) , mod.pon(u,v) - E k ( B ) .
* I := V(Cx,PROPlx) - E PROP
E PROP -
E PROP -
B * X . - . - - E PROP - X * u . - . - - E l ( A v B ) - u * v . - . - - E Cx,k(A)Ik(X) - V * W . - . - - E Cx,l-(B)It-(X) - w * ORe := V3e(X,Yi(v),Vi(w),u) - E k (X )
z3
z3 * ve := ORe(LFE(v,ass.prop(zl)) ,RFE(v ,ass .p rop(z l ) ) ,
l a s t e l t ( t a i 1 (I- ,val ( c a t ( z 2 ) ) ) ) , z l ,z2,z3)
so: if u - E ~ ( A v B ) , v - E Cx,C(A)IC(X), w - E Cx,k(B)lk(X) then v~(u ,v ,w) EC(X)
z2 * v i 1 := ORi l ( a s s .prop(z2) , z l ,z2)
z2 * v i 2 := OR i2 (z l ,ass .prop(z2) ,z2)
so: if B - E PROP , u E k (A ) then v i l ( B , u ) - E ~ ( A v B )
if A - E PROP , u - E C(B) then viP(A,u) - E C(AvB)
P * SOME := V(Cx,PROPl(V(Cy,Sl(~y~P+x))+x)) - E PROP
z l * 3 := SOME(dom(z1) , z l )
D So: if P - E Cx,SIPROP then 3(P) = SOME(S,P) - E PROP
P * X . - . - - E PROP - X * 1: . - . - - E l ( 3 P ) ) - U * V . - . - - E Cx,SlCy,C(<x~P)Ik(X) - v * SOMEe := VZe(X,V2i(v) ,u) - E k (X )
z2 * 3e := SOMEe(dom(z2) , l a s t e l t ( t a i l ( 3 , a s s . p r o p ( z ) ) ) ,
l a s t e l t ( t a i 1 (C,val (Cx,dom(z2)lval ( < x > c a t ( z 2 ) ) ) ) ) ,zl,z2)
SO: if u E (3(P) ) , v - E CX,SI[~,C(<X>P)IC(X) t hen 3e(u ,v) E C(X)
a * u . - . - - u * SOMEi := v 2 i (Cx,PROP1Cz,~(V(Cy,Sl(~y~P+x)))l
vZe(a,u,z))
23 * 3 i := SOMEi (dom(z1) , z l ,z2 ,z3)
SO: if P - E Cx,SlPROP, a - E S, u C-(<a>P) then 3 i (P,a,u) E k ( 3 ( P ) )
so: if a - E S, b - E S then a=b IS(S,a,b) - E PROP
D D SO: if u - E I-(a=b) then l e f t = ( u ) = a, r i g h t = ( u ) = b
a * I S i := V2 i (Cp,Cx,SlPROPICy,l-(<a>p)ly)
z l * = i := I S i ( c a t ( z 1 ) , z l )
z 1 * r e f = := = i
so: if a - E S then = i ( a ) - E k (a=a) , r e f = ( a ) - E t-(a=a)
P * a . - . - - a * b . - . - - b * u . - . - - U * V . - . - - v * ISe := v2e(P,v,u)
E S - E S - E PROP -
SO: if P - E Cx,SIPROP, u - E t ( a = b ) , v - E k(<a>P) then =e(P,u,v) - E I-(<b>P),
subst.pred(P,u ,v) E k(<b>P)
S * a . - . - - E S - a * b . - . - - E S - b * u . - . - - E b(a=b) - u * SYM. IS := =e(Cx,Sl(x=a) ,u,=i ( a ) ) - E b(b=a)
z 1 * sym := SYM. I S ( c a t ( l e f t = ( z l ) ) , l e f t = ( z l ) , r i g h t = ( z l ) , z l )
so: if u E I-(a=b) then sym=(u) - E I-(b=a)
U * V . - . - - v * TR. IS := =e(Cx,Sl(a=x),v,u)
so: if u - E I-(a=b), v - E b(b=c) then t r= (u ,v ) E 1 (a=c)
D So: if - a E S, b - E S then afb = l ( a = b ) - E PROP
so: if f - E Cx,SlT, u - E I-(a=b) then subst . fn( f ,u) E I-(<a>f = i b > f )
* n a t . - . - PN
* 1 . - . - PN
* n . - . - - n * n ' . - . - PN
E t y p e - E n a t - E na t - E n a t -
E I - ( n ' f l ) - E na t - E I-(nl=m') - E I-(n=m) -
so: if u - E I-(n'=ml) then axiom4(u) - E \(n=m)
P * n . - . - - E na t - n * u . - . - - E I-(<l>P) - U * v . - . - - E Cx,natlCy,I-(<x>P)lI-(<x'>P) - v * induc t ion := ~e(n,axiom5(P,u,v)) - E I-(<n>P)
* n . - . - - E n a t - n * m . - . - - E na t - m * u . - . - - E I-(nfm) - u * SATZ1 := vi(Cx,I-(n'=m1)1
+e(u ,axiom4(x))) - E I-(n'lcm")
z l * S a t z l := S A T Z ~ ( L F E ( # , ~ S S . p r o p ( z l ) ) ,RFE(f,ass .p rop (z l ) ) , z l )
so: if u - E b(n#m) t hen Satz l (u) E-I-(n'fm')
Appendix 9. AUT-SYNT
In 4.1.0 we have indicated that for andi the parameters U and V
are essential, while a and b are redundant parameters. If A, B, p and q
can be correctly substituted for a , b , U and V , then A and B can be cal- culated (up to definitional equality) from p and q, because A is definitio-
nally equal to CAT(p) and B to CAT(q).
Here we introduce an extension of AUTOMATH languages, called AUT-SYNT,
in which it is possible to suppress redundant parameters. In this language,
CAT is incorporated as a predefined flnction. For any 2- or 3-expression E,
CAT(E) is the mechanically calculated type of E. It follows that
andi (CAT (p) ,CAT (q) ,p, q) equals andi (A,B ,p ,q) . The extended language moreover contains var<abZes for expressions. A basic symbol synt (which has no de-
gree) is added to the language. Variables of type synt (or synt variables)
are to be interpreted as syntactic variables for expressions. There are
no typing restrictions on substitution for such a variable.
Following the AUT-QE text in 4.1.1 we can write in AUT-SYNT:
* z1 := - Esynt - zl*z2 := - - E s y n t z2 * AND1 : = andi (CAT(z1) ,CAT(z2) ,zl ,z2)
Now, if A g el B E prop, p E A, q E B then AND1 (p,q) = andi (CAT (p) , CAT(q1 ,p,q) = andi (A,B,p,q) E and(a,b) .
Besides CAT we have other predefined functions in AUT-SYNT.. They are
defined for certain classes of expressions (just as CAT is defined for 2-
expressions and 3-expressions). We list these functions here with their
semantics. In the description of the semantics we will frequently use the
clause: "if E reduces to ...". We will say e.g. "if E reduces to [x,A]B,..". This is intended to mean: "if CX,AIB is the first abstraction expression in
the reduction sequence, obtained by reducing E according to the strategy of
the verifying program". Similar meanings are intended in other cases. Every-
where in the description E and E1,E2, ..., En will denote correct AUT-expres- sions.
predefined function semantics
CAT CAT(E) is the "mechanical type" of the 2- or %ex-
DOM
pression E
If E reduces to [X,AIB or CAT(E) reduces to CX,AIB
or CAT(CAT(E) 1 . = [X,AIB then DOM(E) = A.
VAL
ARG
FUN
TAIL
LASTELT
PREPART
If E reduces to CX,AIB and B does not contain x then
VAL(E) = B.
If E reduces to <A>B then ARG(E) = A.
If E reduces to <A>B then FUN(E) = B.
If E reduces to c(A1,. . . ,An) then TAIL(c,E) is the string of expressions A1, ..., A no If El, ..., En is a nonempty string of expressions then LASTELT(E1, ..., E n ) = E n'
If E1,...,E is a nonempty string of expressions then n
PREPART(E1, ..., E ) is the string of expressions n
E1~...,E,-l.
Remarks :
1) Expressions containing -variables do not have a type. Lines having
such an expression as their middle part do not have a category part.
2) EB-lines which have synt variables in their context can only have
as their category part. In other words: on a context only synt va-
riables may be introduced.
3) The identifiers CAT, DOM, VAL, ARG, FUN, TALL, PREPART and LASTELT, and
the identifiers defined in terms of these should not be treated as ordi-
nary identifiers. In particular bhe monotonicity of definitional equali-
ty (in this case: if A = B then c(A) = c(B) where c is one of these spe-
cial identifiers) does not generally apply here. E.g. if f = [x,natll D
then <l>f = <<l>suc>f, while ARG(<l>f) = 1 9 <l>suc = ARG(<<l>suc>f).
Similar examples can be found for FUN and TAIL.
4) For languages admitting infix expressions there are functions LFE (for
left fixed expression) . and W E (for right fixed expression) with seman-
tics :
If E reduces to A c B then. LFE(c,E) = A and WE(c,E) = B.
Examples :
1) The first elimination rule for conjunction can be represented in AUT-QE
by adding, on the context a .E prop ; b E prop ; introduced in 4.1 .O:
b * u . - . - - E and(a,b) - u * andel. := .... - E a
Then a and b are redundant parameters, for andel and U is an es-
sential parameter. In fact, ifpisa substitutioninstance for U , then the type of p can be expected to redme to and (A,B) for some A and B, and these
A and B should the be substituted for a and b . Therefore, keeping the context ~1 - E @ introduced above, we can add
the AUT-SYNT line
zl * ANDEl := andel(LASTELT(PREPART(TAIL(and,CAT(zl)))), LASTELT(TAIL(and(CAT(zl))),zl)
Then p E and (A,B) implies ANDEl (p) E A. we can now indicate a complication which must be kept in mind when using
AUT-SYNT, and which is connected with remark 3 above. Suppose and has
been defined by and := not(imp(a,not(b))) . We may have p, A and B such that CAT (p) E not (imp (A, not (B) ) ) and then we have andel (A, B,p) E A, but ANDEl (p) will be incorrect, since CAT(p) does not reduce to and(A,B).
Even worse complications may occur when using ARG and FUN.
2) In CVD, 3.61 book-equality is introduced. In AUT-SYNT we could add to
this text, on the context ~1 - E synt ; ~2 - E fi ; z 2 * is := IS(CAT(zl),zl,z2)
zl * refis := REFIS(CAT(zl),zl)
zl symis := SYMIS(CAT(LASTELT(TAIL(is,zl))),
LASTELT(PREPART(TAIL(is ,zl) ) ) , LASTELT(TAIL(is ,zl)) ,zl)
Then for any type S , if X E S and Y S , equality of X and Y could be expressed by !S(X ,Y) instead of IS(S,x,y) . Moreover, if X E S we have refis(X) - E ~s(x,x) and if p is(X,y) we have
symis(p) E is(y,x). 3) A text in AUT-68-SYNT, in which the first three theorems of Landau's
book are proved, appears in appendix 8.
120
References
N.G.
N.G.
D.T.
D.T.
L.S.
de Bruijn, AUTOMATH, a language for mathematics, Notes (pre-
pared by B. Fowcatt) of a series of lectures in the Sgminaire
de Mathematiques Superieures.
Universitg de Montrgal, 1971.
de Bruijn, Lambda calculus notation with nameless dummies,
a tool for automatic formula manipulation, with application
to the Church-Rosser theorem.
Indag. Math., 34, - 5, 1972. van Daalen, A description of AUTOMATH and some aspects of
its language theory.
Proceedings of the Symposium on APL. ed. P. Braffort. Paris,
1974.
Appendix 1 in this thesis.
van Daalen, The language theory of AUTOMATH.
Thesis, Eindhoven University of Technology, to appear 1977.
Jutting, A translation of Landau's "Grundlagen" in AUTOMATH.
Eindhoven University of Technology, Dept. of Math., 1976.
E. Landau, Grundlagen der Analysis.
3rd ed., Chelsea Publ. Comp., New York, 1960.
R. de Vrijer, Big Trees in a h-calculus with A-expressions as
types.
A-calculus and Computer Science, ed. C. Bbhrn.
Springer, Berlin-Heidelberg -New Ycrk, 1975.
I. Zandleven, A verifying program for AUTOMATH.
Proceedings of the Symposium on APL. ed. P. Braffort. Paris
1974.
J. Zucker, Formalization of classical mathematics in AUTOMATH.
To appear in: Actes du colloque international de logique,
Clermont-Ferrand, July 1975, ed. M. Guillaume.
Preprint: Eindhoven University of Technology, Dept. of Math.
Samenvatting
Dit proefschrift bevat een verslag van de vertaling en verificatie van
Landau's "Grundlagen der Analysis", in AUT-QE, een van de AUTOMATH-talen.
Deze talen zijn geconstrueerd met het doe1 er wiskundige redeneringen in
uit te drukken, met behoud van de herkenbaarheid van de gedachtengang, en
we1 zo precies dat mechanische controle (b.v. door een computer) van de
correctheid mogelijk is.
De vertaling werd ondernomen om na te gaan in hoeverre de taal AUT-QE aan
bovenvermelde specificatie voldoet.
In het proefschrift vindt men onder meer een overzicht van de gebruikte
logische axioma's, een verslag van de bij de vertaling ondervonden moeilijk-
heden, en een aantal suggesties voor het gebruik van AUTOMATH-talen.
De appendices 4 en 7 bevatten fragmenten uit de vertaling.
De belangrijkste conclusie is dat AUT-QE en andere AUTOMATH-talen in prin-
cipe geschikt zijn voor het gestelde doel.