Automated Logic and Programming
Christoph Kreitz
2004. 3. 22.

Contents

1 Introduction
  1.1 Outline
  1.2 References and further reading

2 Logic and computation
  2.1 Formal Calculi
  2.2 First Order Logic
    2.2.1 Syntax
    2.2.2 Semantics
  2.3 Meta and object languages
  2.4 Natural Deduction
    2.4.1 Propositional Calculus
    2.4.2 Predicate Logic
    2.4.3 Mathematical Induction
    2.4.4 Equality
  2.5 The Sequent Calculus
    2.5.1 Semantics
    2.5.2 Backward proofs
    2.5.3 Additional rules for sequent calculi
    2.5.4 A sequent calculus for intuitionistic logic
    2.5.5 Proof methodology
  2.6 The λ-calculus as a logic of computation
    2.6.1 Syntax
    2.6.2 Evaluation
    2.6.3 Reduction properties of the λ-calculus
    2.6.4 The expressive power of the λ-calculus
    2.6.5 Semantic questions
  2.7 References and further reading

3 Typed Theories
  3.1 Simple Type Theory
  3.2 Properties of Simple Type Theory
    3.2.1 Soundness
    3.2.2 A type-checking algorithm
    3.2.3 Weak Normalization
    3.2.4 Strong Normalization
    3.2.5 Confluence: the Church-Rosser Theorem
    3.2.6 The strength of the calculus
  3.3 The Mathematics of U ∈ U
    3.3.1 Dependent function types
    3.3.2 Expressiveness of the theory of dependent types
    3.3.3 Girard's Paradox
  3.4 A systematic approach
    3.4.1 Martin-Löf's constructive semantic theory
    3.4.2 Semantics of type-theoretical expressions
    3.4.3 Judgements in Type Theory
    3.4.4 Propositions as types
    3.4.5 Propositional equality
    3.4.6 A cumulative hierarchy of universes
    3.4.7 A calculus for proof development
    3.4.8 Formal proofs in Type Theory
  3.5 References and further reading

4 The Type Theory of NuPRL
  4.1 Basic constructs
    4.1.1 The semantic theory
    4.1.2 The proof rules
  4.2 Logic in Type Theory
    4.2.1 The empty type void
    4.2.2 Constructive logic
    4.2.3 Classical logic
  4.3 Programming in Type Theory
    4.3.1 Proofs as programs
    4.3.2 Natural numbers
    4.3.3 The NuPRL type of finite lists
    4.3.4 A programming example
    4.3.5 Set Types
  4.4 Recursive Definition
    4.4.1 Inductive Types
    4.4.2 Recursive functions
    4.4.3 Infinite Objects
  4.5 Other types
    4.5.1 Quotients
    4.5.2 Atom
  4.6 References and further reading

5 Implementing Automated Reasoning
  5.1 Building systems for interactive proof development
    5.1.1 ML
    5.1.2 Implementing the object language
    5.1.3 The NuPRL system
  5.2 Decision procedures
    5.2.1 arith: a decision procedure for elementary arithmetic
    5.2.2 Equality Reasoning
    5.2.3 Other Methods
    5.2.4 Limitations
  5.3 Metalevel Programming
    5.3.1 Tactical Theorem proving
    5.3.2 Refinement tactics
    5.3.3 Transformation tactics
    5.3.4 Validity
    5.3.5 Writing tactics
    5.3.6 Experiences
  5.4 References and further reading

6 Building Theories
  6.1 Methodology
  6.2 Simple Theories
    6.2.1 Elementary logic
    6.2.2 Finite sets
    6.2.3 Number Theory
    6.2.4 Strings
    6.2.5 Finite Automata
    6.2.6 Real numbers
  6.3 Automated Theorem Proving
  6.4 Application to Program Construction/Development and verification
    6.4.1 Program synthesis, verification, ...
  6.5 References and further reading

7 Advanced Topics
  7.1 Metamathematics
    7.1.1 Expressing meta-concepts in the object language
    7.1.2 Reflection
  7.2 Alternative theories (optional)
    7.2.1 Girard's Theory
    7.2.2 The calculus of constructions
    7.2.3 Other Type theoretic calculi
  7.3 How to compute well?
  7.4 References and further reading

8 Summary and future views

9 Glossary, Index, ToC
  9.1 Natural deduction
  9.2 Details of the type system
  9.3 The rules
    9.3.1 Functions
    9.3.2 Products
    9.3.3 Union
    9.3.4 Booleans
    9.3.5 Sets
    9.3.6 Quotients
    9.3.7 Atoms
    9.3.8 Unit
    9.3.9 Void
    9.3.10 Equality
    9.3.11 Natural numbers
    9.3.12 Integers
    9.3.13 List
    9.3.14 Recursive types
    9.3.15 Partial functions
    9.3.16 Miscellaneous
  9.4 Implementation
    9.4.1 Commands

Bibliography

Chapter 1

    Introduction

The old dream of mathematicians is to create a system that can be used to automate mathematics, such that all theorems have an exact formal proof which can easily be checked for correctness by some algorithm.

If taken in the rigid sense this means building machines that would decide whether a statement is provable or not, a task which can be achieved - at least in principle - for all and only the decidable theories. For formal systems presented by recursive sets of axioms and of recursive rules one can - at least in principle - automatically generate the theorems.

Various experiments have been carried out since the advent of computers in both directions. As successful examples, apart from the flourishing trade of commercial expert systems, one could quote MACSYMA (a giant expert system based on rewrite rules implementing algorithms of arithmetic, algebra, and calculus) in the field of computerized symbolic computation, and PROLOG in the field of automatic theorem provers for the Horn-clause fragment of first-order logic.

Evidence for the success of computerized support can also be found in other mathematical areas like careful explanation (program verifiers), proof checking and counterexample generation ([WOLB84]), detailed case analysis in proofs (the 4-colour problem), structuring complex algorithms, revealing hidden assumptions, or even "intelligent" text processing (TEX).

There is, however, a more heroic approach to automation: to look for a system that would both check and find proofs for all kinds of mathematics. In the words of the sixties, one tries to be realistic by asking the impossible.

Such a system, of course, needs a very expressive language that can be used for an "implementation" of the whole bulk of mathematics within a computer. Unfortunately set theory, the basis for modern mathematics, is highly nonconstructive and therefore inappropriate for this purpose. A first step towards the unreachable goal, therefore, is to develop suitable constructive theories for mathematics, similar in scope and universality to classical set theory. Some proposals are: an intuitionistic predicative set theory by Martin-Löf [ML82, ML84], the calculus of constructions by Coquand and Huet [CH85, CH88], and Platek and Scott's Logic for computable functions.

The next step is to turn these universal constructive theories into automatic generic proof-checkers. This has been done with good results starting with AUTOMATH [Bru80] and a number of successive approximations like Edinburgh's LCF [GMW79], PPλ (later described in [Pau87]) and NuPRL [CAB+86], currently the most sophisticated of the existing systems.

One step further is to find automatic generic theorem provers that would not only check but also develop proofs, according to the families of logic that the system could both define and use. Active work is currently going on in these areas and it seems to indicate that a system like NuPRL can be used directly for this purpose [CH90b].

The path towards the automation of mathematics described in this book begins with Martin-Löf's intuitionistic predicative set theory. Today, this language is better known as Type Theory because its structure resembles ideas from the development of data types in programming languages. As it turned out, Type Theory is even more expressive than set theory since it properly explains the notion of "algorithm" while set theory has severe problems at that point. Thus Type Theory can be used not only to represent "ordinary" mathematical reasoning but also for reasoning about the properties of algorithms, particularly the correctness of programs.

The theory will be described in the formulation used by the NuPRL system, which not only checks formal proofs but can also be used for developing them interactively; this in particular means that type theory can be used for program development. Implementation aspects such as these, as we will see, have a major influence on the formulation of the theory itself.

Mechanisms for automating the proof development process will also be discussed. The concept of tactics, which goes back to Edinburgh's LCF system [GMW79], makes it possible to program the application of inference rules in an otherwise fully interactive system. From a theoretical point of view, tactics are one means of representing the metalevel of type theory by algorithms. Although the metalevel cannot be a part of the inference system itself, large components of it can be accessed by formalizing the metamathematics of Type Theory within Type Theory. Besides drastically reducing the size of proofs, this will allow reasoning about proofs as humans often do.

    1.1 Outline

Chapter 2 begins with a general introduction to formal calculi for logic and computation. In particular we will present the sequent calculus for mathematical reasoning and the λ-calculus as a model of computation. Both should be considered as necessary prerequisites for understanding Type Theory.

We will begin the discussion of Type Theory in Chapter 3 with two historically important predecessors which contain the same basic principles and are much simpler than Martin-Löf's full theory of types. Unfortunately the first one is not expressive enough while the second one contains a paradox. Section 3.4 therefore presents a systematic approach to the development of type theory which we will follow in the rest of this book. Chapter 4 explains the type theory of NuPRL, .... basic concepts, those coming from the desire to capture the notion of propositions, and inductively defined structures.

    ......


    1.2 References and further reading

The book about the NuPRL System [CAB+86] will serve as a reference. Also Martin-Löf's book on Type Theory [ML84] ....

[And86, Bac89, BCM88a, Bis67, CAB+86, Con88, GLT89, vBJ77, Kle52, ML84, Pol45, Pra65, Sch85, Ste72, Tur84]

    [CHS72], chapter 17

    Set Theory [Ber68, Qui63, Sup72] How [Pol45, Sch85]


Chapter 2

    Logic and computation

This chapter is intended to provide mathematical preliminaries which are needed, or at least helpful, to understand methods for machine support when dealing with mathematics and programming. We will give an introduction to formal proofs, first order logic, natural deduction, the sequent calculus, and - as a model of computation - the λ-calculus. We will do so with increasing levels of formality. The discussion of semantics is brief and informal; the emphasis is on how to make use of formal systems.

    2.1 Formal Calculi

A formal logic or calculus is a syntactic game for producing symbolic objects according to given rules. Sometimes the motivation of the rules is vague, but usually they are derived with respect to a well understood meaning or semantics.

Most (formal) mathematical theories are interpreted in set theory: each term corresponds to a set; each rule corresponds to a fact about sets. Set theory is taken to be the foundation of everything else. Its axioms are justified by informal but widely accepted intuitions like "sets exist; the union of two sets is a set". However, when relying on intuition one must be extremely careful. At the beginning of this century Russell's Paradox demolished the prevailing notion of set, together with years of Frege's work.

    Formal logics free logicians from the slippery ambiguities of human language.

A formal logic comprises assertions and inference rules. The assertions A, B, C, ... express meaningful statements while an inference rule has the form "from A1 and ... and An conclude B" for n ≥ 0. The usual convention is to write this as

    A1, A2, ..., An
    ───────────────
           B

The assertions A1, A2, ..., An are the premises of the rule and B is the conclusion. Theorems are those assertions that can be proved by applying inference rules to other theorems. In order to have any theorems there must be at least one axiom, a rule with no premises. A proof can be written as a tree whose branches are the rules and whose leaves are axioms.
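These definitions translate directly into a small program. The following OCaml sketch is our own illustration - the types rule and proof and the toy calculus are invented for this example and are not taken from any system discussed in this book. It represents a rule as premises plus a conclusion and checks whether a proof tree is built correctly from a given list of rules:

```ocaml
(* Assertions are left abstract: here they are simply strings. *)
type assertion = string

(* A rule: "from the premises conclude the conclusion".
   An axiom is a rule with an empty premise list. *)
type rule = { premises : assertion list; conclusion : assertion }

(* A proof tree: a node carries the assertion it proves and the
   subproofs of the premises used to derive it. *)
type proof = Node of assertion * proof list

(* A proof is correct w.r.t. a calculus (a list of rules) if every
   node is an instance of some rule whose premises are exactly the
   conclusions of the subtrees. *)
let rec check rules (Node (a, subs)) =
  List.exists
    (fun r ->
       r.conclusion = a
       && List.map (fun (Node (b, _)) -> b) subs = r.premises)
    rules
  && List.for_all (check rules) subs

(* A toy calculus: axioms "A" and "B", and "from A and B conclude A&B". *)
let calculus =
  [ { premises = []; conclusion = "A" };
    { premises = []; conclusion = "B" };
    { premises = ["A"; "B"]; conclusion = "A&B" } ]

let valid = check calculus (Node ("A&B", [Node ("A", []); Node ("B", [])]))
```

The function implements exactly the definition above: the leaves must be axioms, and each inner node must match a rule of the calculus.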

Inference rules allow formal proofs to be constructed without having to think about the meaning of a formula. Thus machines can prove theorems. But we must be aware of a difference between provability and truth. Ideally every theorem should be true and every (semantically) true fact a theorem. An inference rule is sound if its conclusion is true provided every premise is true. If every inference rule is sound then every theorem of the calculus is true. Otherwise the calculus is of little value. A calculus is complete if every true assertion has a formal proof. Completeness is usually unattainable: Gödel demonstrated that no logic allowing nontrivial reasoning about arithmetic can be complete.¹

It should also be mentioned that a proof calculus explains only the rules by which proofs have to be elaborated in order to make sure that they are correct. It is not by itself a method for finding proofs.

    2.2 First Order Logic

    First Order Logic is the most familiar language for mathematics.

    2.2.1 Syntax

Typically the set of assertions in a calculus is described by a grammar: each assertion is constructed from atomic symbols using logical connectives.

Terms denote mathematical values such as sets, functions, or numbers. Let there be an infinite set of variables and, for each n ≥ 0, a set of n-place function symbols. A term is a variable or a function application f(t1, ..., tn) where f is an n-place function symbol and t1, ..., tn are terms. A 0-place function symbol is a constant symbol; the term c() is usually written c.²

The assertions of first order logic, called formulae, are built up from terms. Let there be a set of n-place predicate symbols for each n ≥ 0. An atomic formula has the form P(t1, ..., tn) where P is an n-place predicate symbol and t1, ..., tn are terms. A formula is either an atomic formula or one of ¬A, A ∧ B, A ∨ B, A ⇒ B, ∀x.A, ∃x.A or (A), where A and B are formulae and x is a variable. Every formula thus contains at least one predicate symbol.
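This grammar can be written down directly as a datatype. A minimal OCaml sketch with invented constructor names (not the concrete syntax of any system treated in later chapters):

```ocaml
(* Terms: variables and applications of n-place function symbols.
   A constant c is the 0-place application Fn ("c", []). *)
type term =
  | Var of string
  | Fn of string * term list

(* Formulae of first order logic, built from atomic formulae
   P(t1,...,tn) by the connectives and quantifiers. *)
type formula =
  | Atom of string * term list
  | Neg of formula                  (* ¬A *)
  | And of formula * formula        (* A ∧ B *)
  | Or of formula * formula         (* A ∨ B *)
  | Imp of formula * formula        (* A ⇒ B *)
  | All of string * formula         (* ∀x.A *)
  | Ex of string * formula          (* ∃x.A *)

(* The bi-implication A ⇔ B abbreviates (A ⇒ B) ∧ (B ⇒ A). *)
let iff a b = And (Imp (a, b), Imp (b, a))

(* Example: ∀x. P(x) ⇒ P(f(x)) *)
let example =
  All ("x", Imp (Atom ("P", [Var "x"]),
                 Atom ("P", [Fn ("f", [Var "x"])])))
```

Note that abbreviations like ⇔ need no constructor of their own; they are definitions in the meta language, exactly as in the text.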

    There are some conventions for abbreviated writing of formulae.

The bi-implication A ⇔ B abbreviates (A ⇒ B) ∧ (B ⇒ A). Precedence conventions lessen the need for parentheses in formulae. The symbol ¬ binds most tightly, followed by ∧, ∨, ⇒, and ⇔ in decreasing order. The scope of a quantifier extends as far to the right as possible. One quantifier can bind several variables at once.

    2.2.2 Semantics

The semantics of first order logic is usually expressed in set theory. An interpretation or model assigns a mathematical value to each symbol. Variables, functions, and predicates are all defined with respect to a fixed set (or universe). Each variable is assigned an element of the universe; each n-place function symbol is assigned a function on the universe; each n-place predicate symbol is assigned an n-place relation over the universe.

¹ The differential calculus is indeed a formal calculus. It has expressions like du/dx and rules like (d/dx)(uv) = u dv/dx + v du/dx. Each expression and rule has a complicated mathematical justification, but the rules may be used long after their justification has been forgotten.

² This does not mean that the constant symbol c is to be identified with the term c. It is only an abbreviation.

Under an interpretation, each term has a value and each atomic formula is either true or false. The truth of the other formulae is determined as follows:

    The negation ¬A is true if A is false.
    The conjunction A ∧ B is true if both A and B are true.
    The disjunction A ∨ B is true if either A or B is true.
    The implication A ⇒ B is true if B is true provided A is.
    The universal quantification ∀x.A is true if A is true for every x.
    The existential quantification ∃x.A is true if A is true for some x.
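Over a finite universe these truth clauses can be executed directly. A sketch in OCaml, restricted for simplicity to 1-place predicate symbols applied to variables; the universe, the predicate Even and the environment representation are our own illustrative choices:

```ocaml
(* A small fragment of first order formulae, enough to run the
   truth clauses above (toy encoding; P(x) only). *)
type formula =
  | Atom of string * string            (* P(x): predicate name, variable *)
  | Neg of formula
  | And of formula * formula
  | Or of formula * formula
  | Imp of formula * formula
  | All of string * formula
  | Ex of string * formula

(* [eval universe pred env a]: the universe is a finite list, [pred]
   interprets each 1-place predicate symbol as a relation over it,
   and [env] assigns universe elements to the free variables. *)
let rec eval universe pred env = function
  | Atom (p, x) -> pred p (List.assoc x env)
  | Neg a -> not (eval universe pred env a)
  | And (a, b) -> eval universe pred env a && eval universe pred env b
  | Or (a, b) -> eval universe pred env a || eval universe pred env b
  | Imp (a, b) -> (not (eval universe pred env a)) || eval universe pred env b
  | All (x, a) ->
      List.for_all (fun v -> eval universe pred ((x, v) :: env) a) universe
  | Ex (x, a) ->
      List.exists (fun v -> eval universe pred ((x, v) :: env) a) universe

(* Universe {0,...,4}; "Even" holds of the even elements. *)
let universe = [0; 1; 2; 3; 4]
let pred p n = match p with "Even" -> n mod 2 = 0 | _ -> false

(* ∃x.Even(x) is true, ∀x.Even(x) is false in this interpretation. *)
let some_even = eval universe pred [] (Ex ("x", Atom ("Even", "x")))
let all_even  = eval universe pred [] (All ("x", Atom ("Even", "x")))
```

For an infinite universe the quantifier clauses can of course not be evaluated exhaustively; the definition remains a set-theoretic one.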

Propositional logic is the logic of the connectives ¬, ∧, ∨, ⇒. Adding quantifiers gives first order logic, sometimes called the predicate calculus. Adding quantifiers over formula variables gives higher order logic.

    2.3 Meta and object languages

Consider statements we might make about formulae, like "The conjunction of a formula with the conjunction of two other formulae implies the conjunction of the first and the second formula with the third". While this is a perfectly legal statement it is hardly readable. Readable statements must use symbols from the logic itself: "the formula A ∧ (B ∧ C) implies (A ∧ B) ∧ C". Clearly, this does not mean that the symbol "A" is itself a formula. A is just a name for a formula. We must not confuse an object (a formula) and its name (A) in a statement about formulae.

To clear up this confusion we have to distinguish the meta language from the object language. The formal language of terms and formulae is the object language, while any statement about the object language is made in the meta language. Here the meta language is English augmented with mathematical notation: symbols from the object language, proof trees, and names for object language expressions, which we also call syntactic meta variables. We will use the following conventions:

    • names of formulae include A, B, C

    • names of terms include r, s, t, u

• names of predicate symbols include P, Q, R

    • names of function symbols include f, g, h

    • names of object variables include x, y, z

A syntactic meta variable must never be used as an object language symbol. Object language expressions will therefore be written in typewriter font.

    Inference rules are described as rule schemata using syntactic meta variables:

  • 14 CHAPTER 2. LOGIC AND COMPUTATION

    A    B
    ──────
    A ∧ B

This stands for the infinite set of inferences obtained by replacing A and B by actual formulae from the object language.

    2.4 Natural Deduction

Natural Deduction is a proof calculus designed to mirror human patterns of reasoning. For each logical connective like ∧ there are two kinds of rules:

    • An introduction rule answers the question “what are the conditions for concluding A ∧B?”

    • An elimination rule answers the question “what can we conclude from A ∧B?”

A ∧ B is fully characterized by answering these two questions. Generally, elimination rules are inverses of the introduction rules: introducing A ∧ B and then immediately eliminating it neither gains nor loses information.

Often one connective can be expressed in terms of others. In classical logic, for instance, all the connectives can be expressed in terms of ∧, ∀, and ¬. But the natural deduction rule for one connective does not mention others. In a proof, each inference involves only one connective.

In natural deduction certain rules discharge an assumption of a premise. The set of assumptions changes during the proof: "to prove A ⇒ B, assume A and prove B." The premise of a rule is not a formula but a proof tree with a formula at the root and assumptions in the leaves.

There is a complete search procedure for first order logic. If an assertion can be proved then a proof for it will be found.³ In propositional logic this method always terminates, thus answering the question whether the assertion is true or not, while it may fail to terminate for assertions in full predicate logic. Essentially the method is to "break down" assumptions by elimination rules and then "build up" conclusions from smaller ones via introduction rules.
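For the propositional fragment, decidability can also be seen semantically: a formula is (classically) valid iff it is true under all of the finitely many assignments to its variables. The following OCaml sketch implements this truth-table method - a semantic check, and deliberately not the proof-search procedure described above:

```ocaml
(* Propositional formulae over named variables (toy encoding). *)
type prop =
  | Pvar of string
  | Pneg of prop
  | Pand of prop * prop
  | Por of prop * prop
  | Pimp of prop * prop

(* The variables occurring in a formula (with duplicates). *)
let rec vars = function
  | Pvar x -> [x]
  | Pneg a -> vars a
  | Pand (a, b) | Por (a, b) | Pimp (a, b) -> vars a @ vars b

(* Truth of a formula under an assignment of booleans to variables. *)
let rec eval env = function
  | Pvar x -> List.assoc x env
  | Pneg a -> not (eval env a)
  | Pand (a, b) -> eval env a && eval env b
  | Por (a, b) -> eval env a || eval env b
  | Pimp (a, b) -> (not (eval env a)) || eval env b

(* A formula is a classical tautology iff it is true under every
   assignment: enumerate all 2^n rows of the truth table. *)
let tautology a =
  let xs = List.sort_uniq compare (vars a) in
  let rec all env = function
    | [] -> eval env a
    | x :: rest -> all ((x, true) :: env) rest
                   && all ((x, false) :: env) rest
  in
  all [] xs

(* Peirce's law ((A ⇒ B) ⇒ A) ⇒ A: classically valid, though it is
   not provable in the intuitionistic logic discussed below. *)
let peirce =
  Pimp (Pimp (Pimp (Pvar "A", Pvar "B"), Pvar "A"), Pvar "A")
```

This check decides classical validity only; the intuitionistically valid formulae form a proper subset, as the discussion of the contradiction rules below makes precise.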

Intuitionism is a school of the philosophy of mathematics that questions principles of classical logic. It demands a constructive interpretation of the quantifiers: to prove ∃x.A one must be able to construct a value x satisfying A. In Intuitionistic Type Theory proving ∃x.A even constructs a function which computes x. The potential applications to the specification and synthesis of programs are attracting attention. See Section 4.3 and Chapter 6 for further discussion.

Although it deals with classical logic as well, natural deduction has an intuitionistic orientation. Classical deduction requires an additional rule and much additional thought.

    2.4.1 Propositional Calculus

    We will now briefly discuss the rules for connectives in propositional logic.

³ See [Gal86]

  • 2.4. NATURAL DEDUCTION 15

    Conjunction

The conjunction A ∧ B is true if both A and B are true. The introduction rule (∧-intro) states when A ∧ B can be concluded:

    A    B
    ────── (∧-intro)
    A ∧ B

There are two elimination rules stating the consequences of A ∧ B:

    A ∧ B               A ∧ B
    ───── (∧-elim-1)    ───── (∧-elim-2)
      A                   B

    It is not hard to see that these rules capture informal reasoning about conjunction.

Putting the rules together yields proof trees such as

    A ∧ B   A ∧ B
    ─────   ─────
      B       A
    ─────────────
        B ∧ A

which is a proof of

    A ∧ B
    ───── (∧-commutativity)
    B ∧ A

    This is a derived rule since the formula B ∧A has been proved under the assumption A ∧B.

Another derived rule is

    A ∧ B   [A, B]
              ⋮
              C
    ────────────── (∧-elim-3)
          C

∧-elim-3 can be viewed as an alternative rule for conjunction elimination: if A ∧ B is true, then so are A and B. It is, therefore, sound to assume them when proving something else. The square brackets around A and B indicate that these assumptions are discharged from the proof of C when the rule is applied. Given a proof of A ∧ B, and one of C from A and B, the rule concludes C.
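The bookkeeping in these rules can be made completely precise by checking derivations against a list of available assumptions. A miniature OCaml checker for the ∧-fragment - our own encoding, unrelated to the implementations discussed in Chapter 5:

```ocaml
type prop = Pvar of string | Conj of prop * prop

(* Derivations in the ∧-fragment of natural deduction. *)
type deriv =
  | Assume of prop                (* use an assumption *)
  | AndIntro of deriv * deriv     (* from A and B conclude A ∧ B *)
  | AndElim1 of deriv             (* from A ∧ B conclude A *)
  | AndElim2 of deriv             (* from A ∧ B conclude B *)

(* [conclude assumptions d] returns [Some a] if [d] is a correct
   derivation of [a] from the given assumptions, else [None]. *)
let rec conclude assumptions = function
  | Assume a -> if List.mem a assumptions then Some a else None
  | AndIntro (d1, d2) ->
      (match conclude assumptions d1, conclude assumptions d2 with
       | Some a, Some b -> Some (Conj (a, b))
       | _ -> None)
  | AndElim1 d ->
      (match conclude assumptions d with
       | Some (Conj (a, _)) -> Some a
       | _ -> None)
  | AndElim2 d ->
      (match conclude assumptions d with
       | Some (Conj (_, b)) -> Some b
       | _ -> None)

(* The ∧-commutativity proof above: from A ∧ B derive B ∧ A. *)
let a_and_b = Conj (Pvar "A", Pvar "B")
let commute =
  AndIntro (AndElim2 (Assume a_and_b), AndElim1 (Assume a_and_b))
let result = conclude [a_and_b] commute
```

Run on the ∧-commutativity proof, conclude returns Some (Conj (Pvar "B", Pvar "A")), i.e. B ∧ A from the assumption A ∧ B; with an empty assumption list the same derivation is rejected.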

Exercise 2.4.1

1. Derive the rule ∧-elim-3.

2. Derive the rule

       A
       ─── (identity)
       A

3. Derive the rule

       (A ∧ B) ∧ C
       ─────────── (∧-associativity)
       A ∧ (B ∧ C)

Exercise 2.4.2 Show how to transform every proof that uses ∧-elim-3 into one that uses only ∧-elim-1 and ∧-elim-2, and conversely.

    Disjunction

The disjunction A ∨ B is true if either A or B is true. Two introduction rules state that A ∨ B can be concluded from either A or B:

    A                     B
    ───── (∨-intro-1)     ───── (∨-intro-2)
    A ∨ B                 A ∨ B

  • 16 CHAPTER 2. LOGIC AND COMPUTATION

Eliminating A ∨ B means to do a case analysis:

    A ∨ B   [A]   [B]
             ⋮     ⋮
             C     C
    ───────────────── (∨-elim)
            C

If C follows from A and C follows from B⁴ and either A or B is true, then C is true.

Exercise 2.4.3

1. State and derive the rule ∨-commutativity.

2. State and derive the rule ∨-associativity.

3. Derive the distributive laws

       (A ∨ C) ∧ (B ∨ C)        (A ∧ B) ∨ C
       ─────────────────        ─────────────────
          (A ∧ B) ∨ C           (A ∨ C) ∧ (B ∨ C)

       (A ∧ C) ∨ (B ∧ C)        (A ∨ B) ∧ C
       ─────────────────        ─────────────────
          (A ∨ B) ∧ C           (A ∧ C) ∨ (B ∧ C)

    Implication

    The implication A⇒B is true if B is true provided A is.

The introduction rule states that if B follows from A then A ⇒ B can be concluded. It is called the discharge rule because it discharges the assumption A. The elimination rule is Modus Ponens.

    [A]
     ⋮
     B
    ───── (⇒-intro)
    A ⇒ B

    A ⇒ B    A
    ────────── (⇒-elim)
        B

Example 2.4.1 Here is a proof for ((A ∧ B) ⇒ C) ⇒ (A ⇒ (B ⇒ C)):

                    [A]  [B]
                    ─────────
    (A ∧ B) ⇒ C      A ∧ B
    ────────────────────────
               C
           ─────────
            B ⇒ C
         ─────────────
         A ⇒ (B ⇒ C)

The assumptions A and B are discharged at different times: first B, then A. Some authors therefore use labels to keep track of which instance of a rule discharges each assumption. A formalized method for that is the sequent calculus, which we will introduce in Section 2.5.
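The rules for implication foreshadow the propositions-as-types principle treated in Chapter 3: reading A ⇒ B as a function type, ⇒-intro corresponds to λ-abstraction (discharging the assumption A becomes binding a variable of type A) and ⇒-elim to function application. In OCaml notation - an illustration of the idea only, with conjunction read as the pair type:

```ocaml
(* The proof of Example 2.4.1, ((A ∧ B) ⇒ C) ⇒ (A ⇒ (B ⇒ C)),
   read as a program: three ⇒-intro steps become three λ-bindings,
   and the single use of ⇒-elim becomes the application of f. *)
let curry : ('a * 'b -> 'c) -> 'a -> 'b -> 'c =
  fun f a b -> f (a, b)

(* ⇒-elim (Modus Ponens): from A ⇒ B and A conclude B, i.e. apply. *)
let modus_ponens : ('a -> 'b) -> 'a -> 'b =
  fun f a -> f a
```

That a well-typed term exists at all is what certifies the formula; this reading of proofs as programs is developed systematically in Chapters 3 and 4.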

Exercise 2.4.4 Derive the following rules:

    A ⇒ (B ⇒ C)          (A ⇒ B) ∧ (A ⇒ C)
    -----------          -----------------
    (A ∧ B) ⇒ C          A ⇒ (B ∧ C)

    (A ∨ B) ⇒ C          (A ⇒ C) ∧ (B ⇒ C)
    -----------------    -----------------
    (A ⇒ C) ∧ (B ⇒ C)    (A ∨ B) ⇒ C

    Exercise 2.4.5 Explain why the introduction and elimination rules for ⇒ are sound.

⁴ This is not the same as “C follows from A and B”.


    Negation

The negation ¬A is true if A is false. What could be simpler or more problematical than falsehood? Prawitz [Pra65] in his formulation of first order logic represents falsehood by a term Λ which stands for contradiction. ¬A then simply abbreviates A ⇒ Λ. This view of negation is sound for both intuitionistic and classical logic.

The rules for negation thus are special cases of those for implication: if assuming A leads to a contradiction then ¬A can be concluded and, by ⇒-elim, ¬A and A lead to a contradiction:

    [A]
     Λ                  ¬A    A
    ---- (¬-intro)      ------- (¬-elim)
    ¬A                     Λ

    Contradiction

The rules so far yield minimal logic, where Λ is just another symbol. If we want Λ to express contradiction we have to give rules making Λ behave accordingly.

The essential property of contradiction is illustrated by the laws of arithmetic. The assumption 0 = 1 implies every numeric equation. Thus a contradiction should imply every formula.

Depending on the mathematical philosophy there are two ways of expressing this in a contradiction rule. The classical interpretation is: if ¬A leads to a contradiction then we may conclude A.

    [¬A]
      Λ
    ----- (ΛC-elim)
      A

In intuitionistic logic contradiction is taken more literally, which leads to a weaker contradiction rule: A can be concluded only if Λ can be derived directly.

    Λ
    --- (ΛI-elim)
    A

Obviously there can be no introduction rule for Λ since no set of premises (not involving Λ) can imply Λ.

The contradiction rule is the only difference between classical and intuitionistic natural deduction logics. However, classical reasoning in natural deduction is not really natural unless some derived rules are used along with the primitive ones. To prove A it may be necessary to derive a contradiction from assuming ¬A:

    ¬¬A
    ---- (¬¬-elim)
     A

It is this double negation rule which, together with other derived deduction rules, causes the vast difference between classical and intuitionistic reasoning.

    Exercise 2.4.6 Explain why “A implies contradiction” means the same as “not A”

Exercise 2.4.7 Once we have a symbol for contradiction we can define a symbol T for truth by stating formal theorems containing no meta variables and depending upon no assumptions. Give three examples.


Exercise 2.4.8 Derive the following rules for classical logic:

    ¬¬A                ¬(A ∨ B)                ¬(A ∨ B)
    ---- (¬¬-elim)     -------- (¬∨-elim-1)    -------- (¬∨-elim-2)⁵
     A                   ¬A                      ¬B

    ------ (excluded middle)
    A ∨ ¬A

    ¬(A ∧ B)          ¬A ∨ ¬B           ¬(A ⇒ B)
    --------          --------          ---------
    ¬A ∨ ¬B           ¬(A ∧ B)              A

Exercise 2.4.9 Prove ¬¬(A ∨ ¬A) without using the classical contradiction rule.⁶

    2.4.2 Predicate Logic

Analysis, the field of mathematics underlying the differential calculus, offers many examples of quantification: “If ε is arbitrary such that P(ε) holds, then there exists some δ such that Q(ε, δ)”. Quantifiers are obviously indispensable but require great care. The semantics becomes more complicated: what is an arbitrary value? New issues arise: substitution, free and bound variables. Propositional logic is decidable but predicate logic is not.

Let P be a 1-place predicate symbol. In the semantics, ∀x.P(x) is true whenever P can be interpreted as a predicate that holds true for all values. In the formal calculus, if ∀x.P(x) is a theorem and t is a term then P(t) is a theorem. However, the correspondence between “∀x.P(x) holds” and “P(t) holds for every term t” is imperfect because the model may contain values that are not expressed by any term. If, for instance, the universe is the set of all real numbers, and the function symbols are the ordinary decimal numerals and arithmetic operators, then there are only countably many terms but uncountably many real numbers. Also the semantics of ∀x.P(x) may strongly depend on the universe. ∀x.∃y.x < y < x+1 is true when considering rational numbers but false within the universe of natural numbers.⁷

    Substitution

Let in the following A be a formula containing a variable x. The formula ∀x.A asserts that A is true for every assignment of a value to x. Each theorem that follows from ∀x.A is obtained by substituting a term t for x in A. We will need to be precise about what substitution means, but let us first introduce some notation:

If A is a formula, t a term, and x a variable, then A[t/x] is the formula that results from substituting t for x in A.⁸ Read A[t/x] as “A, putting t for x”. If we simultaneously substitute t1 for x1, ..., and tn for xn in A we write A[t1/x1, ..., tn/xn]. Observe that this is not the same as iterated substitution. Substitution on terms is defined correspondingly.

The substitution notation belongs to the meta language, not to the object language of the logic. The formula A[t/x] does not literally contain the symbols [, /, ] or A. Rather it is the result of substitution in a formula denoted by A.
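The difference between simultaneous and iterated substitution can be seen in a toy Python sketch (a formula is treated as a flat list of symbols, which ignores binding; the names are illustrative):

```python
def subst_sim(term, mapping):
    """Simultaneous substitution: every symbol is replaced in one pass."""
    return [mapping.get(s, s) for s in term]

A = ["x", "<", "y"]
# A[y/x, x/y] swaps the two variables:
print(subst_sim(A, {"x": "y", "y": "x"}))               # ['y', '<', 'x']
# Iterating A[y/x] and then [x/y] instead collapses both to x:
print(subst_sim(subst_sim(A, {"x": "y"}), {"y": "x"}))  # ['x', '<', 'x']
```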

⁵ The ¬∨-elim rules hold in intuitionistic logic as well.
⁶ In fact, every propositional formula A can be proved in classical logic if and only if ¬¬A can be proved in intuitionistic logic [Dum77].
⁷ Pure predicate logic cannot handle this properly. We need a typed logic for that.
⁸ Unfortunately there is also a convention of writing A[x \ t] for the same.


In ∀x.A the variable x is said to be bound. The name x is not significant: the bound variable can be renamed provided that all its occurrences in A are correspondingly renamed. The formula ∀x.A is logically equivalent to ∀y.A[y/x].

A bound variable must sometimes be renamed prior to substitution. If x and y range over the natural numbers then ∀x.∃y.x ≠ y is a true formula. Substituting y for x, it is wrong to conclude ∃y.y ≠ y. The problem is the capture of a free variable: the free variable y comes into the scope of ∀y and turns into a bound variable. The cure is to define what it means for a variable to occur free or bound in a term and to restrict substitution accordingly.

In Section 2.6 and in the chapters about Type Theory we will give precise definitions of free and bound variables and substitution. The corresponding definitions for first order logic follow the same pattern and we will not discuss them here.

    The semantics of quantifiers

In order to understand the rules for a symbol it is essential to know its meaning. We have omitted discussing the semantics of the familiar connectives ∧, ∨, ⇒, ¬. But a brief look at the semantics of quantifiers will make the rules easier to understand. See a logic textbook [Gal86, MW85] for a rigorous treatment.

A formula A is valid if it is true in every interpretation and for every assignment of values to its free variables. So A is valid if and only if ∀x.A is valid, regardless of whether x is free in A. Thus A should count as a proof of ∀x.A. Proofs depending upon assumptions require something stronger:

Theorem 2.4.2 If the variable x is not free in B, then B ⇒ A is valid if and only if B ⇒ (∀x.A) is valid.

Given assumptions A1, ..., An where x is free in no assumption, let B be A1 ∧ ... ∧ An in the above theorem. If the assumptions A1, ..., An imply A then they imply ∀x.A.

To frame a rule of existential elimination, we need to characterize the logical consequences of an existential formula:

Theorem 2.4.3 If the variable x is not free in B, then A ⇒ B is valid if and only if (∃x.A) ⇒ B is valid.

Given a formula C and assumptions A1, ..., An where x is free in no assumption nor in C, let B be A1 ∧ ... ∧ An in the above theorem. If A and the assumptions A1, ..., An imply C then ∃x.A and those assumptions imply C.

    Exercise 2.4.10 Prove the theorems 2.4.2 and 2.4.3

    The universal quantifier

The universal quantification ∀x.A means that A is true for every x. The introduction rule (generalization), justified by Theorem 2.4.2, states that if A is a theorem and x is an arbitrary variable then ∀x.A is a theorem:


      A
    ------ (∀-intro)   provided x is not free in the assumptions of A
    ∀x.A

    The rule is subject to a proviso: the conclusion holds if the proviso is satisfied.

The elimination rule (specialization) states that if ∀x.A is a theorem and t is a term then A[t/x] is a theorem:

    ∀x.A
    ------- (∀-elim)
    A[t/x]

Exercise 2.4.11

1. Prove (∀x.A ∧ B) ⇔ (∀x.A) ∧ (∀x.B)

2. Prove (∀x.A ⇒ B) ⇔ A ⇒ (∀x.B) provided x is not free in A

3. Prove (∀x.A) ∨ (∀x.B) ⇒ (∀x.A ∨ B)

4. Show that (∀x.A) ∨ (∀x.B) does not follow from (∀x.A ∨ B)

    The existential quantifier

    The existential quantification ∃x.A means that A is true for soem x. The existential introductiontakes this value from a term t

    A[t/x]

    ∃x.A(∃-intro)

The elimination rule is justified by Theorem 2.4.3:

            [A]
    ∃x.A     B
    ----------- (∃-elim)
        B

provided x is not free in B nor in the assumptions of B apart from A

Exercise 2.4.12

1. Prove (∃xy.A) ⇔ (∃yx.A)

2. Prove

       A ⇒ B
       ---------------
       (∃z.A) ⇒ (∃z.B)

   provided z is not free in the assumptions of A ⇒ B

3. Prove (∃x.A) ∧ B ⇔ (∃x.A ∧ B) provided x is not free in B

4. Prove in classical logic (∃x.A ⇒ B) ⇔ (∀x.A) ⇒ B provided x is not free in B

    2.4.3 Mathematical Induction

Many parts of mathematics deal with inductively defined objects like natural numbers. Reasoning about these involves mathematical induction:

If P(0) is true and if P(x) implies P(x + 1) for every natural number x then P(x) is true for every natural number x.


Within the universe (cf. Section 2.2.1) of natural numbers this principle is expressed by the following formal rule:

    A[0/x]    ∀x.(A ⇒ A[x + 1/x])
    ------------------------------
               ∀x.A

However, this rule involves quantifiers in addition to the induction principle. Following the philosophy of natural deduction, a rule should mention as few constructs as possible. Fortunately, the rule

              [A]
    A[0/x]    A[x + 1/x]
    -------------------- (IN-induction)
          A[t/x]

is as powerful as the previous one and often allows shorter proofs.
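The rule mirrors primitive recursion on the natural numbers: evidence for A[t/x] is obtained from evidence for A[0/x] by applying the induction step t times. A toy Python sketch of this reading (all names and the encoding of “evidence” are illustrative):

```python
def prove_by_induction(base, step, n):
    """Build evidence for P(n) from evidence for P(0) and a step function
    that turns evidence for P(k) into evidence for P(k + 1)."""
    proof = base
    for _ in range(n):
        proof = step(proof)
    return proof

# Toy instance: P(n) states "0 + 1 + ... + n == n*(n+1)//2";
# evidence is the pair (n, running sum).
base = (0, 0)
step = lambda p: (p[0] + 1, p[1] + p[0] + 1)
n, total = prove_by_induction(base, step, 10)
print(total == n * (n + 1) // 2)   # True
```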

Mathematical induction is not restricted to natural numbers. For other recursive structures like lists and trees there is a similar principle, structural induction. We will discuss both in more detail in Section 4.4.

    2.4.4 Equality

Dealing with equality is essential for reasoning about mathematical objects and their values. Equal terms can be substituted for each other in terms and predicates, and term rewriting could not properly be defined without a notion of equality.

The equality predicate, usually denoted by “=”, is an equivalence relation because it satisfies three fundamental laws: it is reflexive, symmetric, and transitive. The corresponding rules are:

    ----- (Reflexivity)     t = u                s = t    t = u
    t = t                   ----- (Symmetry)     -------------- (Transitivity)⁹
                            u = t                    s = u

The congruence law of a function states that equal arguments give equal results. Adding equality to a logic thus requires a congruence axiom for every function symbol. If f is an n-place function symbol then

    t1 = u1   ...   tn = un
    ------------------------------- (Congruence rule for f)
    f(t1, ..., tn) = f(u1, ..., un)

needs to be added as a rule. This can lead to a huge set of rules. A way of asserting the congruence laws for all functions at once is by adding a substitution rule for terms:

    t = u
    --------------- (Substitution on terms)
    s[t/x] = s[u/x]

It states that if t equals u then any term constructed from t equals the term constructed similarly from u. The term s serves as a template for substitution of terms at occurrences of the variable x.

    Exercise 2.4.13 Prove the congruence rule for a 3-place function symbol f from the substitutionrule

⁹ Actually this is a redundant rule system, since symmetry and transitivity follow from reflexivity and substitution. Consider, for instance, P[x] ≡ x = s. Then P[s/x] follows from reflexivity, and symmetry follows from substitution: s = t ⇒ t = s ≡ P[t/x].


Note that the substitution rule cannot be derived once and for all from all the congruence rules, since each term s requires a different proof tree.

On formulae, the bi-implication ⇔ assumes the same role as equality on terms. ⇔ is an equivalence relation, and for all the logical connectives one can prove congruence laws like

    A ⇔ B    C ⇔ D
    -----------------
    A ∧ C ⇔ B ∧ D

For predicates, as well as functions, equal arguments should yield equal results. Similarly, we must add a congruence law for every n-place predicate symbol P:

    t1 = u1   ...   tn = un
    ------------------------------- (Congruence rule for P)
    P(t1, ..., tn) ⇔ P(u1, ..., un)

A rule for substituting equal terms in formulae reduces the set of necessary rules. We may conclude A[u/x] from A[t/x] and t = u:

    t = u    A[t/x]
    ---------------- (Substitution on formulae)
        A[u/x]

    Exercise 2.4.14

    1. State and prove the equivalence rules for ⇔

    2. Prove the congruence laws of the logical connectives with respect to ⇔

    3. = itself is a predicate symbol. Prove the congruence axiom for =

    2.5 The Sequent Calculus

Reasoning in natural deduction requires one to be precise about assumptions and discharging them. Writing an assumption above a proof and later crossing it off again is in fact natural, but it is easy to get confused about which assumptions are still in force.

In a sequent calculus, the current set of assumptions is listed at every line of the proof. A sequent A1, ..., An ⊢ C means that C depends upon the set of assumptions {A1, ..., An}. The sequent A ⊢ A represents the assumption of A.

Each proof in natural deduction can be reworked using sequents. Example 2.4.1 becomes:

                                      A ⊢ A    B ⊢ B
                                      ---------------
    (A ∧ B) ⇒ C ⊢ (A ∧ B) ⇒ C          A, B ⊢ A ∧ B
    ------------------------------------------------
                (A ∧ B) ⇒ C, A, B ⊢ C
                ----------------------
                (A ∧ B) ⇒ C, A ⊢ B ⇒ C
              ---------------------------
              (A ∧ B) ⇒ C ⊢ A ⇒ (B ⇒ C)

Sequents require a notation for sets. Let Γ, ∆ and Θ be syntactic meta-variables for sets of formulae. The union of sets is written with a comma, and set brackets are omitted: write A1, ..., An instead of {A1, ..., An} and Γ, A instead of Γ ∪ {A}. The conjunction introduction rule (∧-intro) becomes:

    Γ ⊢ A    ∆ ⊢ B
    ---------------
    Γ, ∆ ⊢ A ∧ B


i.e., the conclusion depends upon every assumption of A and B.

To express the discharge of an assumption A it is conventional to partition the assumptions into A and a set ∆ not containing A. ∨-elim thus becomes:

    Γ ⊢ A ∨ B    ∆, A ⊢ C    Θ, B ⊢ C
    ----------------------------------
    Γ, ∆, Θ ⊢ C

    2.5.1 Semantics

There is an obvious correspondence between a natural deduction proof tree with root C and leaves A, B and the sequent proof with root A, B ⊢ C and leaves A ⊢ A and B ⊢ B. However, the sequent calculus is more than just a different notation for natural deduction, since any sequent can be the premise or conclusion of a proof. Thus a sequent must be an assertion in its own right.

Let Γ be a set of formulae and A be an individual formula. The sequent Γ ⊢ A means that A is true provided every member of Γ is true. When there are no assumptions, ⊢ A means that A is true.

Many authors view the sequent calculus as a meta logic about provability: Γ ⊢ A then means that A can be formally derived from Γ, and ⊢ A means that A is a theorem. ⊢ belongs to the meta language of the calculus. In this book, Γ ⊢ A is an object language assertion which, like any assertion, may be false. ⊢ A is false if A is false.

    The semantic justification of a sequent follows that of the corresponding natural deduction rule.

Exercise 2.5.1 Give semantical justifications for the above ∧-intro and ∨-elim rules

    2.5.2 Backward proofs

Inference rules given so far are designed for forward proofs: working from known theorems to new ones. The (∧-intro) rule, for instance, given A and B concludes A ∧ B, forming the union of the assumptions.

In normal mathematics we often proceed in the opposite way: starting with a desired conclusion, or goal, we work backwards from goals to subgoals. For instance, to prove A ∧ B, we have to prove A and B. Since we cannot predict which assumptions are necessary to prove A or to prove B, we use the same assumptions for the premises and the conclusion:

    Γ ⊢ A    Γ ⊢ B
    ---------------
    Γ ⊢ A ∧ B

From now on we are concerned with backward proofs exclusively. Proof trees are constructed starting from the root, working towards the leaves. A rule takes a goal and produces subgoals rather than taking premises and producing a conclusion. The logical meaning of “rule” and “proof” is the same as before; we are merely changing perspective, emphasizing the process of constructing a proof.

The above form of rules is somewhat misleading. It still suggests forward inference. We will therefore use a graphical form which better represents the top-down style of proof construction:


    Γ ⊢ A ∧ B by ∧-intro
      · Γ ⊢ A
      · Γ ⊢ B

    This is also a form which can easily be represented on a computer.
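A sketch of such a representation in Python: a goal is a pair of assumptions and a formula, and each rule maps a goal to its list of subgoals (the tuple encoding of formulae and the function names are illustrative, not taken from the text):

```python
# Formulae are tuples such as ("and", A, B); atoms are strings.

def and_intro(goal):
    """Γ ⊢ A ∧ B by ∧-intro yields the subgoals Γ ⊢ A and Γ ⊢ B."""
    gamma, f = goal
    assert f[0] == "and"
    return [(gamma, f[1]), (gamma, f[2])]

def assumption(goal):
    """Γ ⊢ C by assumption closes the branch (no subgoals) if C ∈ Γ."""
    gamma, f = goal
    return [] if f in gamma else None

goal = (frozenset({"A", "B"}), ("and", "A", "B"))
subgoals = and_intro(goal)
print([assumption(g) for g in subgoals])   # [[], []] — both branches close
```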

    2.5.3 Additional rules for sequent calculi

The cut rule allows a proof to be structured into lemmata. When trying to prove C, the lemma L can be added to C’s assumptions, provided it can be proved:

    Γ ⊢ C by cut L
      · Γ ⊢ L
      · Γ, L ⊢ C

    The cut rule can be derived from the ∨ -elim and ∨ -intro rules given below.

A thinning or weakening rule allows one to get rid of a set Θ of superfluous assumptions:

    Γ ⊢ C by thinning Θ
      · ∆ ⊢ C

where ∆ = Γ \ Θ

A rule derived from thinning is a general assumption rule:

    Γ ⊢ C by assumption   where C ∈ Γ

In a typical sequent calculus, introduction rules operate on the right-hand side of the assertion sign (⊢) whereas elimination rules operate on the left-hand side. The formula being eliminated is assumed in the conclusion, and the elimination rules illustrate how to handle the assumptions, especially when to delete an assumption. Sometimes the rules are called left or right rules instead of elimination or introduction rules.

    2.5.4 A sequent calculus for intuitionistic logic

    We give the rules only.

    Conjunction

    Γ ⊢ A ∧ B by ∧-intro
      · Γ ⊢ A
      · Γ ⊢ B

    Γ, A ∧ B ⊢ C by ∧-elim
      · Γ, A, B ⊢ C

The ∧-elim rule is based on the natural deduction rule ∧-elim-3: to prove C from A ∧ B, prove it from A and B instead.


    Disjunction

    Γ ⊢ A ∨ B by ∨-intro-1
      · Γ ⊢ A

    Γ ⊢ A ∨ B by ∨-intro-2
      · Γ ⊢ B

    Γ, A ∨ B ⊢ C by ∨-elim
      · Γ, A ⊢ C
      · Γ, B ⊢ C

    Implication

    Γ ⊢ A ⇒ B by ⇒-intro
      · Γ, A ⊢ B

    Γ, A ⇒ B ⊢ C by ⇒-elim
      · Γ, A ⇒ B ⊢ A
      · Γ, B ⊢ C

⇒-elim has little resemblance to modus ponens: to prove C from A ⇒ B, first prove A, then C from B. The assumption A ⇒ B is redundant in the second subgoal but not in the first.

    Negation and Intuitionistic Contradiction

    Γ, Λ ⊢ C by Λ-elim

    Γ ⊢ ¬A by ¬-intro
      · Γ, A ⊢ Λ

    Γ, ¬A ⊢ C by ¬-elim
      · Γ, ¬A ⊢ A
      · Γ, Λ ⊢ C

The rules for negation are instances of the corresponding rules for ⇒ and Λ.

    Universal Quantifier

    Γ ⊢ ∀x.A by ∀-intro
      · Γ ⊢ A
    provided x is not free in Γ

    Γ, ∀x.A ⊢ C by ∀-elim t
      · Γ, ∀x.A, A[t/x] ⊢ C

∀x.A is retained in the subgoal because it may be needed again.

    Existential Quantifier

    Γ ⊢ ∃x.A by ∃-intro t
      · Γ ⊢ A[t/x]

    Γ, ∃x.A ⊢ C by ∃-elim
      · Γ, A ⊢ C
    provided x is not free in Γ or C

    Mathematical Induction

Mathematical induction is the same as before:

    Γ ⊢ A[t/x] by IN-induction
      · Γ ⊢ A[0/x]
      · Γ, A ⊢ A[x + 1/x]
    provided x is not free in Γ


    Equality

As we have seen before, equality is best described by the rules for substituting equal terms and the reflexivity, symmetry, and transitivity rules:

    Γ ⊢ A[t/x] by substitute t = u in A
      · Γ ⊢ A[u/x]
      · Γ ⊢ t = u

    Γ ⊢ t = t by reflexivity

    Γ, s = t ⊢ t = s by symmetry

    Γ, t = u, u = s ⊢ t = s by transitivity

    Exercise 2.5.2 Give semantical justifications for the rules of the intuitionistic sequent calculus

Exercise 2.5.3 Derive the rule Γ, A, ¬A ⊢ C by Λ¬-elim

Exercise 2.5.4 Adding the classical contradiction rule to the intuitionistic sequent calculus would make it classical. State this rule and derive laws for classical logic corresponding to those in Exercise 2.4.8

Exercise 2.5.5 Derive Peirce’s law ((A ⇒ B) ⇒ A) ⇒ A in classical logic

    2.5.5 Proof methodology

A proof calculus consists only of rules which can ensure the correctness of a mathematical proof. There are, however, some general guidelines on how to find a formal proof for a given problem. We give a few hints about proofs in the sequent calculus. Most of these are incorporated in the proof tactics which we will discuss in Section 5.3.1.

Work backwards from the goal, building a proof tree top-down. Use elimination rules to break down formulae on the left; use introduction rules to break down the formula on the right. Assumption and contradiction rules terminate branches of the proof tree.

If more than one rule applies, it rarely matters which one is applied first. For intuitionistic deduction, avoid using ∨-intro rules before ∨-elim rules; otherwise one may end up with false subgoals.

In backward proofs the rules ∃-intro and ∀-elim should never be used before ∃-elim and ∀-intro. The former may put free variables into the goal, violating the provisos of the latter.

    When the above constraints leave a choice of rules, choose the one that produces the fewestsubgoals.

Quantifier reasoning involves the correct choice of a term t to be substituted for a variable x. The value of t can be determined only by completing the proof, yet the proof cannot proceed until a value for t is supplied. This situation can only be resolved by user interaction. In general, a full automation of the proof is not possible without making use of meta-logical techniques before executing the proof.¹⁰

¹⁰ Resolution theorem provers can determine t by unification during the proof. Using resolution-like techniques to analyze the goal, a term t to be supplied in quantifier rules can be determined beforehand.


The use of induction requires real intelligence. An induction rule can be applied to any goal but rarely leads to a proof. Often a proof of a formula requires induction on some stronger formula: the induction step requires the stronger induction hypothesis.

    2.6 The λ-calculus as a logic of computation

Among the existing calculi for formal reasoning about programs, the λ-calculus is the simplest one. It has very few constructs and thus it is easy to prove theorems about the calculus itself. Nevertheless it is rich enough to express all the computable functions. This means that all the programming languages we might be interested in can be expressed in terms of the λ-calculus.

As a formal system, the λ-calculus can be used for studying ways in which functions can be formed (defined), combined (applied) and used for computation. Unlike set-theoretic accounts of functions, the λ-calculus takes an intensional view of functions. Functions are understood as computation rules for establishing a correspondence between an object, the argument of the function, and another object, the value or result. The process of using the rule to obtain the correspondence is called function application. Arguments and results of functions can be arbitrary expressions, including other functions, which makes the λ-calculus a calculus for higher-order functions. The basic objects in the λ-calculus are λ-terms, and the notation for these objects reflects the above viewpoint.

    2.6.1 Syntax

Let there be a countable set of symbols called variables.¹¹

Definition 2.6.1 λ-terms are defined inductively by the following clauses:

1. If x is a variable then x is a λ-term.

2. λ-abstraction: If b is a λ-term and x is a variable then λx.b is a λ-term.

3. Application: If f and t are λ-terms then so is f(t).

λ-abstraction allows us to express a function without having to give it a name. In λx.b, the x is the formal argument to the function and b represents its body.

Example 2.6.2 In mathematical textbooks we often find definitions like “let f(x) = 2x”. What is really intended is to say “define a function f by f(x) = 2x”. Using the λ-calculus we express this in a brief and mathematically correct form as “let f = λx.2x”.

The name f is rather unimportant. It is the behaviour of f which really counts, and λx.2x is all we need to express it.

¹¹ In pure λ-calculus there is no need for constants. In practical applications, however, it may be convenient to have them available.


Note that the functions defined in the λ-calculus are one-place functions. This is not really a restriction because functions which take several arguments can be expressed in terms of functions of a single argument: suppose f is a function of two arguments x and y; then we may think of f as a function of a single argument x which returns as a value another function taking y as its single argument. Thus, instead of writing f(x, y) we simply write f(x)(y). This representation is called currying¹² and f is called a curried function. In the λ-calculus all functions are written in curried form unless we use abbreviations.

Terms in the formal syntax are unambiguous but lengthy. The convention is to omit brackets when the meaning is clear and to write f x y for (f(x))(y), assuming association to the left. Also a sequence of λ’s can be abbreviated with a single one, writing λxy.t instead of λx.λy.t.
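Currying is directly expressible in any language with first-class functions; a small Python sketch:

```python
# The curried form of f(x, y) = x + y, i.e. λx.λy. x + y
add = lambda x: lambda y: x + y

add2 = add(2)      # partial application yields another function
print(add2(3))     # 5
print(add(2)(3))   # 5 — read as the λ-calculus application (add 2) 3
```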

    2.6.2 Evaluation

To use the λ-calculus as a computation formalism we need to describe what happens when a λ-term is applied to an argument. Roughly speaking, when the λ-term λx.t is applied to an argument a, the occurrences of x in t are replaced by a. In the previous sections we have accepted this informal description. We will now make it more precise by defining the concept of free and bound occurrences of variables in expressions:

Definition 2.6.3 Bound and free occurrences of variables are defined inductively by the following rules:

1. In x, x occurs free; no other variables occur at all.

2. In λx.f all the free occurrences of x in f become bound. Free occurrences of variables y different from x remain free in λx.f.

   “λx.” is called a binding occurrence of x with scope f.

3. Any variable which occurs free in f or in t remains free in f(t).

A term a with free variables among x1, ..., xn is denoted by a[x1, ..., xn].

A term without any free variables is called a closed term (or combinator).

Note that a variable may occur both free and bound in a given λ-term. For instance, in λx.y(λy.xy) the first occurrence of y is free while the second one is bound.

Bound variables establish a correspondence between the argument of a function and the positions within the body of a λ-term where the argument is to be substituted. The actual symbol used as a bound variable is, of course, irrelevant. This notion of bound variables corresponds closely to the notion of bound variables in the predicate calculus or to parameters appearing in function declarations in programming languages. Typically free variables only arise in subterms of some larger (closed) λ-term. The following example illustrates the concept of free and bound variables in a λ-term:

    λf.λx.(λz.fxz)x

Within the subterm (λz.fxz)x the occurrences of x are free; in the term as a whole they are bound by the enclosing λx.

¹² Though it is due to Schönfinkel and not to Curry.


The process of substitution of terms for variables is the key computational mechanism in the λ-calculus.

Definition 2.6.4 Substitution

The term derived from b by substituting every free occurrence of x in b by a is denoted by b[a/x]. It is defined inductively by the following clauses:

1. x[a/x] ≡ a ¹³

2. y[a/x] ≡ y where x ≢ y

3. (λx.t)[a/x] ≡ λx.t

4. (λy.t)[a/x] ≡ λy.(t[a/x]) where x ≢ y, and y does not occur free in a or x does not occur free in t

5. (λy.t)[a/x] ≡ (λz.(t[z/y]))[a/x] where x ≢ y, z is a new variable different from both x and y not occurring in either t or a, y does occur free in a, and x does occur free in t

6. f(t)[a/x] ≡ (f[a/x])(t[a/x])

The reason why clause 5 is so complicated is that, when substituting a λ-term for a variable, we need to make sure that a free variable does not become bound. This phenomenon is called capture. Consider the λ-term λx.y which returns y when applied to a λ-term. Suppose we performed the substitution (λx.y)[w/y]. If w ≢ x, clause 4 would apply and we would get λx.w as expected. If, however, w ≡ x and clause 5 were not included in the definition, we would get λx.x, a function returning the λ-term it is applied to. The trick of renaming a bound variable to avoid the capture of free variables is sufficiently useful to deserve its own formal definition.
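Clauses 1–6 of Definition 2.6.4 translate almost directly into code. A Python sketch (the tuple encoding of λ-terms and the fresh-variable scheme z0, z1, ... are illustrative choices):

```python
import itertools

# λ-terms as tuples: ("var", x), ("lam", x, body), ("app", f, t)

def free_vars(t):
    tag = t[0]
    if tag == "var":
        return {t[1]}
    if tag == "lam":
        return free_vars(t[2]) - {t[1]}
    return free_vars(t[1]) | free_vars(t[2])

def fresh(avoid):
    """A variable name not occurring in the given set."""
    return next(v for i in itertools.count()
                if (v := f"z{i}") not in avoid)

def subst(b, a, x):
    """b[a/x], following clauses 1-6 of Definition 2.6.4."""
    tag = b[0]
    if tag == "var":
        return a if b[1] == x else b                          # clauses 1, 2
    if tag == "app":
        return ("app", subst(b[1], a, x), subst(b[2], a, x))  # clause 6
    y, t = b[1], b[2]
    if y == x:
        return b                                              # clause 3
    if y not in free_vars(a) or x not in free_vars(t):
        return ("lam", y, subst(t, a, x))                     # clause 4
    z = fresh(free_vars(t) | free_vars(a) | {x, y})           # clause 5:
    return ("lam", z, subst(subst(t, ("var", z), y), a, x))   # rename, then go on

# (λx.y)[x/y] must rename the bound x rather than capture the substituted one:
print(subst(("lam", "x", ("var", "y")), ("var", "x"), "y"))
# ('lam', 'z0', ('var', 'x')), i.e. λz0.x — the bound variable was renamed
```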

Definition 2.6.5 α-conversion
A change of bound variables in a λ-term t is the replacement of a subterm of the form λx.b, with x not bound in b, by a term of the form λz.b[z/x], where z is a variable that does not occur in b at all.

A λ-term t is said to be congruent to another λ-term u if u is the result of applying a series of changes of bound variables to t.

For all practical purposes congruent terms are regarded as being the same. We will often say “identical” when we should be saying “congruent” if the difference does not matter. A change of bound variables is often called α-conversion or α-reduction.

We are now ready to define the important concept of reduction, which is the key to formalizing the process of “computing with λ-terms”.

Definition 2.6.6 Reduction between λ-terms is a binary relation −→ which is inductively defined by the following rules:

    λx.b −→ λz.b[z/x]   (α-reduction)   provided z does not occur free or bound in b

¹³ ≡ stands for identity of λ-terms as syntactical constructs.


    (λx.b)(a) −→ b[a/x]   (β-reduction)

    t −→ u
    --------------- (ξ-reduction)¹⁴
    λx.t −→ λx.u

    t −→ u
    --------------- (µ-reduction)
    f(t) −→ f(u)

    t −→ u
    --------------- (ν-reduction)
    t(a) −→ u(a)

    t −→ t   (ρ-reduction)

    t −→ u    u −→ w
    ----------------- (τ-reduction)
    t −→ w

Example 2.6.7 Reducing a λ-term:

    (λxyz.x(yz))fg  −→β  (λyz.f(yz))g  −→β  λz.f(gz)

The original λ-term performs function composition.
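The normal form λz.f(gz) is exactly function composition, which can be checked with ordinary Python functions (the particular f and g below are arbitrary examples):

```python
# λx.λy.λz. x(y z) — the composition combinator of Example 2.6.7
compose = lambda x: lambda y: lambda z: x(y(z))

f = lambda n: n + 1
g = lambda n: n * 2
h = compose(f)(g)   # behaves like λz. f(g z)
print(h(10))        # 21, since f(g(10)) = f(20) = 21
```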

Exercise 2.6.1 Show that (λx1...xn.t)u1...un is equivalent to simultaneous substitution t[u1/x1, ..., un/xn] (see Section 2.4.2)

The only rule with nontrivial computational content is the β-reduction from (λx.b)(a) to b[a/x]. The basic expectation, as in any computational system, is that this computational process “simplifies” a term, producing another term of “equal” value. So far, we have defined the computational process but do not yet have a notion of equality. Congruence or identity of λ-terms will not serve, since β-reduction does not preserve them. Equality of values will therefore be defined in terms of the reduction relation, adding a rule for symmetry.

Definition 2.6.8 Equality of λ-terms, written =, is defined by the following rules:

    λx.b = λz.b[z/x]   (α-conversion)   provided z does not occur free or bound in b

    (λx.b)(a) = b[a/x]   (β-conversion)

    t = u
    ------------- (ξ-conversion)
    λx.t = λx.u

    t = u
    ------------- (µ-conversion)
    f(t) = f(u)

    t = u
    ------------- (ν-conversion)
    t(a) = u(a)

    t = t   (ρ)

    t = u
    ----- (σ)
    u = t

    t = u    u = w
    -------------- (τ)
    t = w

Equality is often called convertibility. We shall say that two λ-terms are equal if we can prove that they are equal using the above rules. But how do we establish that two terms t and u are not equal? Assuming that in the λ-calculus there is more than one function which can be defined, we can approach this problem by showing that from t = u we could conclude that any two λ-terms are equal.

Example 2.6.9 Define T := λu.λv.u and F := λu.λv.v. Assuming T = F we can show that t = u for all λ-terms t and u.

¹⁴ Note that capture can occur when using the ξ rule. Indeed, it should occur if this rule is to make any nontrivial statement.


    T = F                  Assumption
    T(t) = F(t)            ν
    T(t)(u) = F(t)(u)      ν
    t = T(t)(u)            β, σ
    t = F(t)(u)            τ
    F(t)(u) = u            β
    t = u                  τ

Thus we could "prove" two terms unequal if we can show that assuming their equality leads to the equation T = F.
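The combinators T and F transcribe directly into Python as curried functions, which lets us observe the two β-steps used in the derivation above (a sketch for illustration only):

```python
# T := λu.λv.u  and  F := λu.λv.v
T = lambda u: lambda v: u
F = lambda u: lambda v: v

# The β-equations used in the derivation: T(t)(u) = t and F(t)(u) = u.
assert T("t")("u") == "t"
assert F("t")("u") == "u"
```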

So far we have shown how the single steps of a computation in the λ-calculus proceed. Normally we think of a computation as proceeding until a "result" is obtained. What is the result of a computation in the λ-calculus? That is, how do we know when we may stop the reduction process? A straightforward answer to this question is to stop when no more reduction with computational content is possible. These considerations lead us to single out a special class of λ-terms which serve as the results of computations in the λ-calculus.

Definition 2.6.10 A term of the form (λx.b)(a) is called a redex and b[a/x] is called its contractum.

Definition 2.6.11 Let t be a λ-term.

1. t is in normal form (or normal) if it contains no redices.

2. t is normalizable iff there is some normal s such that t −→ s. s is said to be a normal form of t.

The appearance of a normal form in a sequence of reductions signals the end of our computation, and the normal form is the resulting value.

Note that the definition of redex refers to the possibility of β-reduction only. Clearly we could perform α-reductions indefinitely if we wished, but this does not lead anywhere. Essentially, the rules which come in addition to β-reduction are nothing but a formal justification for applying β-reductions to any redex within a term t in order to deduce that t reduces to some term t′.

Our interest will therefore be focused on β-reductions, and we write t −→β s to denote the fact that s is the result of reducing a single redex in t to its contractum.

    2.6.3 Reduction properties of the λ-calculus

    The definition of normal forms raises some interesting questions.

1. Does every λ-term have a normal form? Clearly not, as the following example shows.

Example 2.6.12 Consider the expression (λx.x(x))(λx.x(x)). There is exactly one opportunity for β-reduction. If we carry out this reduction we get exactly the same term as before, and have again an opportunity for β-reduction.


    Terms without normal forms are the analogues of non-terminating programs.

2. If a λ-term has a normal form, does any choice of reductions lead to that normal form? Again the answer is "no":

Example 2.6.13 Define W := λx.xxx and I := λx.x. Consider the term F(WW)I with F as in example 2.6.9.

There are two opportunities for β-reduction. Choosing the leftmost one we get I immediately. If we chose to reduce the subterm WW first, the result would be F(WWW)I, and applying leftmost reduction we would get I again. Thus there are infinitely many sequences starting with F(WW)I and ending in I, but there is also the infinite sequence F(WW)I −→ F(WWW)I −→ F(WWWW)I −→ . . . which never reaches a normal form.

    3. How do we know that we will find the normal form if there is one?

    This is a fairly subtle question and we will not try to justify the answer formally.

Always performing the leftmost reduction will lead to a normal form if there is one¹⁵.

Intuitively, the reason why this works is that a term which does have a normal form may have a subterm which does not normalize. However, this subterm may never be needed, so we should apply the "outermost" function to see if a particular subterm is actually needed before trying to reduce potentially nonterminating subterms. This particular strategy is called normal order reduction and corresponds to "call-by-name" evaluation. The price we have to pay for guaranteed termination is a lack of efficiency. Calling by name means that we may have to normalize the same expression twice if it is duplicated by the calling function. If we knew it to terminate, it would be better to reduce it beforehand ("call-by-value"). There is, of course, no way of looking at a generic λ-term and deciding whether a normal form exists or not¹⁶.
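The effect of call-by-name can be simulated in a strict language by passing unevaluated thunks: a branch that is never forced is never computed, so a diverging argument does no harm. A minimal Python sketch, where `diverge` is a hypothetical nonterminating computation standing in for WW:

```python
# F := λu.λv.v, adapted to take thunks and to force only the branch it selects.
F = lambda u: lambda v: v()

def diverge():          # analogue of WW: would never terminate if called
    return diverge()

# Like leftmost reduction of F(WW)I: the diverging argument is discarded unforced.
result = F(diverge)(lambda: 42)
print(result)           # → 42
```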

4. If a λ-term has a normal form, is it unique? The answer to this question follows from the so-called "Church-Rosser" or "confluence" theorem.

Theorem 2.6.14 (Church-Rosser) For all λ-terms t, u, v: if t −→ u and t −→ v then there is a λ-term z such that u −→ z and v −→ z.

In section 3.2.5 we will sketch a proof of the confluence theorem for the typed λ-calculus. For the unrestricted λ-calculus the proof is quite complicated. Again we refer to textbooks like [Bar81, HS86, Ste72].

    As an immediate consequence we get

    Corollary 2.6.15 Let t, u, v be λ-terms

    1. If t has normal forms u and v then u and v are related by α-conversion.

¹⁵ See a textbook on the λ-calculus (e.g. [Bar81, Ste72]) for a proof.
¹⁶ The halting problem is not decidable; see Section 2.6.5.


2. If u = v (can be proved) then there is a λ-term z such that u −→ z and v −→ z (i.e. the calculus defined by Definition 2.6.8 is consistent).

    3. If u = v and u is in normal form then v−→u.

4. If u = v then either u and v have no normal forms at all, or they have the same ones.

    5. If u and v are in normal form then they are either α-convertible or not equal.

Thus normal forms are unique, which justifies viewing λ-terms as functions.

    2.6.4 The expressive power of the λ-calculus

So far we have looked at the λ-calculus as a purely formal system for playing around with terms. We will now show how to compute with it and that its computational power is equivalent to that of recursion theory¹⁷. Because of its simplicity there is no doubt that all the constructs of the λ-calculus are in fact computable. It is, however, this simplicity which makes it awkward to prove the reverse. Recall that the λ-calculus is a formalism where computation is expressed via the successive application of reduction rules. Thus expressing computations involves taking terms that mimic familiar constructs and reducing them to their normal form.

Before investigating recursion theory we will examine a few standard constructs. The pure λ-calculus provides only one mechanism for making "programs" and "data" interact, namely application. Quite frequently, however, we would like to have a part of a program execute only when certain conditions are met. In short, we would like to have a conditional construct. For that, we need a notion of boolean expressions which can evaluate to "true" or "false", and a construct "cond(b; s; t)" that takes a boolean expression b, evaluates it, and depending on the result evaluates either s or t.

    Example 2.6.16 Boolean expressions and conditionals

As discussed in Example 2.6.9, the combinators T := λu.λv.u and F := λu.λv.v perform very well as representatives of "true" and "false".

Now consider the λ-term b(s)(t) where b evaluates either to T or F. If b evaluates to T then b(s)(t) = s; otherwise b(s)(t) = t. Thus the conditional is well represented by cond(b; s; t) := b(s)(t).¹⁸
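With T and F as curried Python functions, the conditional can be written out literally; note that, matching the λ-calculus definition, both branches are ordinary values here (an illustrative sketch):

```python
T = lambda u: lambda v: u   # "true"
F = lambda u: lambda v: v   # "false"

# cond(b; s; t) := b(s)(t)
cond = lambda b: lambda s: lambda t: b(s)(t)

assert cond(T)("then")("else") == "then"
assert cond(F)("then")("else") == "else"
```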

Besides structuring the program we need to be able to structure the data as well. The most basic construct is "pairing" two terms a and b into 〈〈a, b〉〉. For this to really qualify as a "data structure" we also need a means of recovering the original terms a and b from the pair.

    Example 2.6.17 Pairing and projections

¹⁷ According to Church's thesis this means that all the effectively computable functions can be expressed in the λ-calculus.

¹⁸ Note that for the sake of readability we have introduced shorthand notations adopted from programming languages which do not follow the syntax of the pure λ-calculus.


Define 〈〈a, b〉〉 := λpair.(pair(a))(b), 1of := λp.p(λa.λb.a), and 2of := λp.p(λa.λb.b).

Pairing keeps a and b separate as long as the variable pair remains uninstantiated. 1of 〈〈a, b〉〉 instantiates pair with λa.λb.a, thus projecting the first component a. 2of 〈〈a, b〉〉 returns b.

A uniform way to recover both components for usage in another term t is the "spread" operator spread(pair; a, b.t) := pair(λa.λb.t), which should be read as "in t, instantiate a, b such that pair = 〈〈a, b〉〉".

Exercise 2.6.2 Prove that 1of 〈〈a, b〉〉 = a, 2of 〈〈a, b〉〉 = b, and spread(〈〈a, b〉〉; u, v.t) = t[a, b/u, v].
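The pairing operators translate to Python one-for-one; the names `make_pair`, `first`, `second`, and `spread` are chosen here to echo the text (an illustration only):

```python
# 〈〈a, b〉〉 := λpair. pair(a)(b)
make_pair = lambda a: lambda b: lambda pair: pair(a)(b)

# 1of := λp. p(λa.λb.a)   and   2of := λp. p(λa.λb.b)
first  = lambda p: p(lambda a: lambda b: a)
second = lambda p: p(lambda a: lambda b: b)

# spread(pair; a, b. t) := pair(λa.λb.t), with t supplied as a curried function of a and b
spread = lambda p: lambda t: p(lambda a: lambda b: t(a)(b))

p = make_pair(1)(2)
assert first(p) == 1 and second(p) == 2
assert spread(p)(lambda a: lambda b: a + b) == 3
```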

One way of characterizing the class of computable functions in recursion theory is by µ-recursive functions¹⁹. For studying computable functions it is sufficient to consider functions over the set IN of natural numbers.

Definition 2.6.18 The class of µ-recursive functions is defined inductively by the following rules:

1. All constant functions λx1x2...xk.m where m, k ∈ IN are µ-recursive.

2. The successor function S := λx.x + 1 is µ-recursive.

3. The projections λx1x2...xn.xi are µ-recursive.

4. If f = λx1...xk.tf is µ-recursive and the functions gi = λx1...xm.tgi, where 1 ≤ i ≤ k, are µ-recursive, then the function λx1...xm.f(g1(x1)...(xm))...(gk(x1)...(xm)) is µ-recursive.

5. Primitive recursion: If h = λx1...xk xk+1.th and g = λx1...xk−1.tg with k ≥ 1 are µ-recursive, then the function f which is uniquely defined by
   f(0)(x2)...(xk) = g(x2)...(xk) and
   f(x + 1)(x2)...(xk) = h(x)(f(x)(x2)...(xk))(x2)...(xk)
   is µ-recursive.

6. µ-operator: If f = λx1...xk xk+1.tf is µ-recursive then the function λx1...xk.µx[f(x1)...(xk)(x) = 0] is µ-recursive.²⁰

There are many ways to represent natural numbers and operations on them in the λ-calculus. We shall use a representation due to Church which basically encodes a number n by a λ-term which takes two arguments and applies the first argument to the second n times. To distinguish numbers n, m from their representations we will denote the corresponding λ-terms by n̄, m̄.

Definition 2.6.19 Church numerals

For every n ∈ IN the Church numeral n̄ is defined by n̄ := λf.λx. f(f(...f(x))...), where f is applied n times.

¹⁹ See a textbook like [HR67] for details on recursion theory.
²⁰ A function of 0 variables represents a constant. If P is a predicate on IN then µx[P(x)] denotes the minimum of the set {x ∈ IN | P(x)}. µx[P(x)] is undefined if this set is empty.


In particular, the Church numeral for 0 is λf.λx.x, for 1 it is λf.λx.f(x), and for 2 it is λf.λx.f(f(x)). A shorthand notation for the representation of n is λf.λx. fⁿ(x). We will need this in proofs.

Exercise 2.6.3 Show that n = m if and only if n̄ = m̄.

Constant functions (Clause 1 of Definition 2.6.18), projections (Clause 3), and functions defined by composition (Clause 4) are now directly representable. We are left with the successor function, primitive recursion, and µ-recursion.

Now we are ready to do some basic arithmetic within the λ-calculus. The very first thing we need is the successor function.

    Example 2.6.20 Successor function

Keeping in mind that the Church numeral for n applied to two arguments applies the first argument n times to the second, the successor function can be represented by

S := λn.λf.λx. (n(f))(f(x))

If applied to n̄, the inner term of this operation applies f to f(x) altogether n times, resulting in the numeral for n + 1. This is easy to check, as the following calculation shows:

    (λy.λf.λx. (y(f))(f(x))) (λg.λu.gⁿ(u))
    −→ λf.λx. (λg.λu.gⁿ(u))(f)(f(x))
    −→ λf.λx. (λu.fⁿ(u))(f(x))
    −→ λf.λx. fⁿ(f(x)) = λf.λx. fⁿ⁺¹(x)
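Church numerals and the successor term behave the same way when transcribed into Python; `church` builds n̄ by iterating f, and `to_int` is a decoding helper (not in the text) that counts applications:

```python
def church(n):
    """Church numeral n̄ = λf.λx. fⁿ(x), built by iterating f n times."""
    def numeral(f):
        def body(x):
            for _ in range(n):
                x = f(x)
            return x
        return body
    return numeral

# decoding helper, for testing only: count how often f was applied
to_int = lambda n: n(lambda k: k + 1)(0)

# S := λn.λf.λx. (n(f))(f(x))
succ = lambda n: lambda f: lambda x: n(f)(f(x))

assert to_int(church(3)) == 3
assert to_int(succ(church(3))) == 4
```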

    The other basic arithmetic functions can be encoded fairly easily.

Example 2.6.21 Define plus := λu.λv.λf.λx. (u(f))(v(f)(x)). Then plus(n̄)(m̄) is the numeral for n + m:

    (λu.λv.λf.λx. (u(f))(v(f)(x)))(n̄)(m̄)
    −→ λf.λx. (n̄(f))(m̄(f)(x))
    −→ λf.λx. (fⁿ)(fᵐ(x))
    −→ λf.λx. fⁿ⁺ᵐ(x)

    Exercise 2.6.4 Show that mult := λu.λv.λf.λx. (u(v(f)))(x) represents multiplication.

    Show that exp := λu.λv.λf.λx. ((u(v)(f))(x)) represents exponentiation.

    Show that t0 := λn.(n(λu.F ))(T ) represents a test for zero.
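The terms from Example 2.6.21 and Exercise 2.6.4 can all be checked by direct transcription (with the `church`/`to_int` helpers repeated here so the sketch is self-contained; note that with this transcription the first argument of exp turns out to be the exponent):

```python
def church(n):
    def numeral(f):
        def body(x):
            for _ in range(n):
                x = f(x)
            return x
        return body
    return numeral

to_int = lambda n: n(lambda k: k + 1)(0)   # decoding helper, not in the text

T = lambda u: lambda v: u
F = lambda u: lambda v: v

plus = lambda u: lambda v: lambda f: lambda x: u(f)(v(f)(x))
mult = lambda u: lambda v: lambda f: lambda x: u(v(f))(x)
exp_ = lambda u: lambda v: lambda f: lambda x: u(v)(f)(x)   # first argument is the exponent
t0   = lambda n: n(lambda u: F)(T)                          # test for zero

assert to_int(plus(church(2))(church(3))) == 5
assert to_int(mult(church(2))(church(3))) == 6
assert to_int(exp_(church(2))(church(3))) == 9   # 3² = 9
assert t0(church(0))("zero")("nonzero") == "zero"
assert t0(church(4))("zero")("nonzero") == "nonzero"
```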

Encoding the predecessor function P with P(0) = 0 and P(S(n)) = n is a rather complicated exercise, but the key to the representation of primitive recursion. We have to build a function which on input n̄ applies the successor function S to 0̄ n − 1 times. This can be achieved by causing S to be applied with a delay of one step. The pairing operation is helpful for doing so. The actual definition is hard to justify intuitively but can be proved to be correct.

Exercise 2.6.5 Show that P := λn.2of (n(λfx.〈〈S, spread(fx; f, x.f(x))〉〉)(〈〈λz.0̄, 0̄〉〉)) represents the predecessor function.
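The predecessor term from the exercise can be transcribed and tested in Python, using the pairing operators from Example 2.6.17 and the `church`/`to_int` helpers (which are not part of the text); each step maps a pair 〈g, v〉 to 〈S, g(v)〉, so the successor acts with a one-step delay:

```python
def church(n):
    def numeral(f):
        def body(x):
            for _ in range(n):
                x = f(x)
            return x
        return body
    return numeral

to_int = lambda n: n(lambda k: k + 1)(0)   # decoding helper, not in the text

make_pair = lambda a: lambda b: lambda p: p(a)(b)
first     = lambda p: p(lambda a: lambda b: a)
second    = lambda p: p(lambda a: lambda b: b)

zero = church(0)
succ = lambda n: lambda f: lambda x: n(f)(f(x))

# step: 〈g, v〉 becomes 〈S, g(v)〉; the successor is applied with a one-step delay
step = lambda q: make_pair(succ)(first(q)(second(q)))

# P := λn. 2of( n(step)( 〈〈λz.0̄, 0̄〉〉 ) )
pred = lambda n: second(n(step)(make_pair(lambda z: zero)(zero)))

assert to_int(pred(church(5))) == 4
assert to_int(pred(church(0))) == 0
```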


To express primitive recursion and µ-recursion we need a concept that allows us to define functions recursively via equations of the form f = t[f], i.e. equations containing f on both sides. In the λ-calculus, such an equation does not define a term. It merely states a condition that the term has to satisfy. Fortunately, there is a way to construct such a term from a given recursive equation. If we rewrite the above equation into f = T(f) where T := λx.t[x/f], then solving the equation means finding a fixed point of the function T.

    Definition 2.6.22 A fixed point combinator is a λ-term R such that for all λ-terms t theequation R(t) = t( R(t) ) holds.

Example 2.6.23 The most commonly used fixed point combinator is Y := λf.(λx.f(xx))(λx.f(xx)). The following calculation shows that Y is indeed a fixed point combinator:

    Y(t) = (λf.(λx.f(xx))(λx.f(xx)))(t) −→ (λx.t(xx))(λx.t(xx)) −→ t((λx.t(xx))(λx.t(xx))) = t(Y(t))

It is important to note that Y(t) does not β-reduce to t(Y(t)). We have merely proven equality of the two terms.

    Exercise 2.6.6 Show that (λx.λy.y(x x y))(λx.λy.y(x x y)) is a fixed point combinator that actuallyβ-reduces a λ-term to its fixed point.
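Under Python's strict (call-by-value) evaluation the term Y itself would loop forever; its η-expanded variant (often called the Z combinator, a name not used in the text) delays the self-application and works. A sketch using it to solve a recursive equation for factorial:

```python
# Z := λf.(λx.f(λv.x(x)(v)))(λx.f(λv.x(x)(v))), a call-by-value fixed point combinator
Z = lambda f: (lambda x: f(lambda v: x(x)(v)))(lambda x: f(lambda v: x(x)(v)))

# The recursive equation fact = t[fact], given as the functional T := λrec.λn. ...
fact = Z(lambda rec: lambda n: 1 if n == 0 else n * rec(n - 1))

assert fact(5) == 120
```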

    We can now represent recursively defined numeric operations in the λ-calculus.

    Example 2.6.24 An operator for primitive recursion can be defined as

    PRK := λg.λh.Y (λf.λx1...xk.cond(t0 x1; g x2...xk; h (P x1) (f (P x1) x2...xk) x2...xk))

    On input g and h it creates a fixed point of

    λf.λx1...xk.cond(t0 x1; g x2...xk; h (P x1) (f (P x1) x2...xk) x2...xk)

which is exactly the function defined in Clause 5 of Definition 2.6.18.

Example 2.6.25 The µ-operator can be represented by a fixed point performing unlimited search starting at x: if f x1...xk x = 0 then the search terminates; otherwise it continues from x + 1. We begin the search at x := 0.

Thus µ := λf.λx1...xk.(Y(λMIN.λx.cond(t0(f x1...xk x); x; MIN(x + 1)))(0̄)) is a representation of the µ-operator.
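The behaviour of the µ-operator is just unbounded search. A direct Python rendering for a unary f (an illustration that ignores the Church-numeral encoding):

```python
def mu(f):
    """µx[f(x) = 0]: return the least x with f(x) == 0 (loops forever if none exists)."""
    x = 0
    while f(x) != 0:
        x += 1
    return x

assert mu(lambda x: (x - 3) ** 2) == 3   # least zero of (x-3)² is x = 3
```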

    2.6.5 Semantic questions

Since the λ-calculus is intended to be about functions, there must be some model in which a term λx.t can be regarded as a mathematical function. It is not difficult to construct a term model (see [CR36]): each term t denotes the set ‖t‖ of terms equal to it²¹, and ‖λx.t‖ is the function that maps ‖u‖ to ‖t[u/x]‖. But this leads us nowhere. What we are really interested in is a connection between functions in the λ-calculus and functions in ordinary mathematics.

²¹ In the sense of Definition 2.6.8.


Simple mathematical models, with λ-terms interpreted as plain functions over some function space, can be ruled out by cardinality considerations. Since λ-terms have to play the double role of functions and arguments, we can construct λ-functions that can be applied to themselves in a meaningful way.

Example 2.6.26 Consider twice := λf.λx.f(f(x)). Applied to terms f and u, it produces the twofold application of f to u: twice f u −→ f(f(u)).

It is perfectly legal to apply twice to itself: (twice twice) f u −→ f(f(f(f(u))))
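Self-application of twice can be replayed in Python, where first-class functions make the example unproblematic; it is only in set-theoretic models that it causes trouble (a sketch, with `inc` a hypothetical sample function):

```python
twice = lambda f: lambda x: f(f(x))

inc = lambda n: n + 1   # hypothetical sample function
assert twice(inc)(0) == 2

# (twice twice) f u −→ f(f(f(f(u)))): four applications of f
assert twice(twice)(inc)(0) == 4
```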

Self-application of functions, however, violates a basic axiom of ordinary set theory. Thus we cannot expect "natural" models for the λ-calculus as long as we do not put restrictions on the terms, as we will do in the next chapter²².

Besides the problem of finding a model, the general λ-calculus has some severe drawbacks which make it hardly acceptable as a calculus for reasoning about programs and their properties. The price we have to pay for its computational power being equivalent to that of recursion theory is the consideration of partial functions on the one side and undecidability on the other. The former follows from the fact that not every λ-term has a normal form. A formulation of the latter is Rice's Theorem (see e.g. [HR67]), saying that no nontrivial extensional property of λ-programs is decidable. In particular, we cannot decide whether

    • the application f(x) of a function f to an argument x terminates (Halting Problem),

    • a function f is total,

    • a value y is in the range of a function f ,

• for given values x and y, f(x) = y is true,

    • two functions f and g are equal.

Many more questions occurring in practice are not decidable within a theory as powerful as the unrestricted λ-calculus. Our search for a calculus for reasoning about programs and their properties must therefore be directed towards weaker models of computation which provide more reasoning power and are sufficient for handling all practical problems.

    2.7 References and further reading

    Introductions to logic for computer scientists can be found in [BM79, Gal86, MW85, Tur84].

The reader interested in mathematical accounts of logical calculi should refer to books like [Ric78, Sch77, Tak75], where many aspects are worked out in detail.

The beginning chapters of various textbooks on logic and computation [And86, Bib87, GLT89, Lak76, Pau87] contain many more examples and are also worth looking up.

²² In Section 3.2 we will see that this can be resolved by viewing the definition of twice as a generic name for a series of functions which in reality are all different because they operate on different spaces.


The classical account of natural deduction has been written by Prawitz [Pra65]. It is not intended for beginners.

Dummett [Dum77] describes the philosophy, inference systems, and semantics of intuitionistic logic. Further books worth reading are [Cur70, Hey71].

Hindley and Seldin [HS86] wrote a good introduction to the λ-calculus, while Barendregt [Bar81] has written the comprehensive reference. A gentle introduction is also given in the article by Huet [Hue86]. The book by Stenlund [Ste72] is valuable in many details as well.

  • Chapter 3

    Typed Theories

In the previous chapter we have seen that the λ-calculus is both a simple and powerful mathematical model of computation. Because of its expressive power, however, no extensional property of λ-terms is decidable, and therefore it is extremely difficult to automate reasoning about programs which are defined by unrestricted λ-terms.

Undecidability of program properties, as it turned out, is strongly related to Russell's paradox in early set theory. As the capability of impredicatively forming a set {X | X ∉ X} leads to paradoxical situations in set theory¹, so the presence of a general fixed point operator Y with Y(f) = f(Y(f)) in the λ-calculus allows diagonalization arguments proving the undecidability of extensional properties.

Russell [Rus08] isolated the essence of the paradoxes in the lack of predicativity and restricted set theory by introducing a type discipline on the objects. Types represent the universes of mathematical reasoning which do have a meaning in reality. Thus sets like {X | X ∉ X} cannot be formed anymore, since "∈" relates objects of different types (or cardinality).

In the same way, a type discipline can be added to the λ-calculus in order to increase its reasoning power. In the typed λ-calculus [Chu40], types are both syntactical restrictions and a representation of natural models for the function spaces to which the λ-terms belong. The type discipline will help to banish many of the strange constructions of the untyped λ-calculus.

    Before we discuss the typed λ-calculus let us approach two questions.

    • What is a type or what are the characteristics of a type?

    • Which types need to be considered?

    To answer the first one, let us consider an example.

Example 3.0.1 Natural numbers
The set IN of natural numbers has elements 0, 1, 2, 3, 4, . . . and operations between elements like +, -, *, / etc. An expression like 2*3 uniquely denotes an element of IN and should thus be considered as a name for it. On the other hand we can reduce 2*3 to the value 6, which is

¹ Consider the set S̄ := {X | X ∉ X} and try to determine whether S̄ is an element of S̄ or not. If we assume S̄ ∈ S̄ then, as any other element of S̄, the set S̄ is not contained in itself, i.e. S̄ ∉ S̄. From S̄ ∉ S̄, however, we have to conclude S̄ ∈ S̄, since S̄ consists of all the sets not contained in themselves. Thus both assumptions lead to contradictions.



the normal form of the expression. Therefore we distinguish between canonical members of the type IN, i.e. names denoting normal forms like 0, 1, 2, 3, 4, . . . , and noncanonical members, i.e. expressions which can be reduced.

    So rule number one for constructing a type is:

    A type is defined by defining its canonical members and operations on the members.

As to the second question, the types we need to consider shall allow interpreting λ-terms as functions. Therefore we obviously need a type A→B representing the type of all functions from some type A into the type B. λ-abstractions λx.b will be the canonical objects of this type and applications f(a) the noncanonical ones. No other types are necessary for typing λ-terms. As in the untyped λ-calculus there is no need for concrete types like natural numbers or booleans.
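In a modern language the type A→B corresponds to an ordinary function type; Python's optional annotations can express it with Callable (a loose analogy for illustration, not the formal system of [Chu40]):

```python
from typing import Callable

# A → B as Callable[[A], B]: the λ-abstraction is the canonical object of this type
def twice(f: Callable[[int], int]) -> Callable[[int], int]:
    return lambda x: f(f(x))   # the application f(x) is the noncanonical form

assert twice(lambda n: n + 1)(0) == 2
```

Note that under such a discipline the self-application twice(twice) from Example 2.6.26 no longer type-checks at a single fixed type, which is exactly the kind of restriction this chapter introduces.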

We will now formalize how types can be assigned to terms and how to formally prove that an assignment is correct. For this, the untyped λ-calculus will be extended by another abstract formalism for handling type information.

Following the course of history we will first present a very simple calculus which incorporates all the basic principles but later turned out to be too weak i