CHECKING LANDAU'S GRUNDLAGEN IN … · Preface This thesis contains an account of the translation...

CHECKING LANDAU'S "GRUNDLAGEN" IN THE

AUTOMATH SYSTEM

CHECKING LANDAU'S "GRUNDLAGEN" IN THE

AUTOMATH SYSTEM

PROEFSCHRIFT

T E R V E R K R I J G I N G VAN DE GRAAD VAN DOCTOR I N DE

TECHNISCHE WETENSCHAPPEN AAN DE TECHNISCHE

HOGESCHOOL EINDHOVEN, O P GEZAG VAN DE RECTOR

MAGNIFICUS, PROF.DR. P. VAN DER LEEDEN, VOOR

EEN COMMISSIE AANGEWEZEN DOOR HET COLLEGEVAN

DEKANEN I N HET OPENBAAR T E VERDEDIGEN O P

DINSDAG 1 MAART 1977 T E 16.00 UUR.

door

L.S. VAN BENTH EM JUTTING

GEBOREN T E BUSSUM

Dit proefschrift is goedgekeurd

door de promotoren

Prof.dr. N.G. de Bruijn

en

Prof.dr. W. Peremans

Preface

This thesis contains an account of the translation and verification of

Landau's "Grundlagen der Analysis", a book on elementary mathematics [L],

in the formal language AUT-QE, a language of the AUTOMATH family.

AUTOMATH languages are intended to be used for formalizing mathematics

in such a precise way that correctness can be checked mechanically (e.g. by

a computer) . The translation itself is presented in L.S. Jutting, A translation of

Landau's "Grundlagen" in AUTOMATH CJI. It consists of about 500 pages, and

therefore it is not reproduced here, apart from two fragments (see appendi-

ces 4 and 7).

Acknowledgements

I want to thank all my fellow-workers in the AUTOMATH project for their

help, in the form of ideas and advice, of material assistance and moral sup-

port.

I want to thank my family for putting up with my preoccupation, in par-

ticular during this last half year.

I want to thank Mrs. Marese Wolfs and Mrs. Lieke Janson for typing

these pages.

Contents

0. INTRODUCTION

0.0. The AUTOMATH languages

0.1. The AUTQMATH project and its motivation

0.2. The book translated

0.3. The language of the translation

1. PREPARATION

1.0. The presupposed logic

1.2. The representation of logic in AUT-QE

1.3. Account of the PN-lines

1.4. Development of concepts and theorems in Landau's logic

2. TRANSLATION

2.0. An abstract of Landau's book

2.1. Deviations from Landau's text

2.2. The translation of "Kapitel 1"




2.6. The alternative version of chapter 4


3. VERIFICATION

3.0. Verification of the text

3.1. Controlling the strategy of the program

3.2. Shortcomings in the verifying program

3.3. Excerpting

4. CONCLUSIONS

4.0. Formalization of logic in AUTOMATH

4.1. The language

4.2. Comments on the translation

Appendix 1. A description of AUTOMATH and some aspects of its

language theory by D.T. van Daalen

1. Introductory remarks

2. Informal description of AUTOMATH

3. Mathematics in AUTOMATH: Propositions as types

4. Extension of AUT-68 to AUT-QE

5. A formai definition of AUT-QE

6. Some remarks on language theory

Appendix 2. The paragraph system

Appendix 3. PN-lines from the preliminaries

Appendix 4. Excerpt for "Satz 27"

Appendix 5. Two shortcomings of the verifying program

Appendix 6. Example of a text in AUT-68

Appendix 7. Excerpt for "Satz I", "Satz 2" and "Satz 3"

Appendix 8. Example of a text in AUT-68-SYNT

Appendix 9. AUT-SYNT

References

0. INTRODUCTION

I n t h i s chapter a b r i e f desc r ip t ion of the AUTOMATH p r o j e c t i s given,

and t h e place of the present work wi thin t h i s p r o j e c t is indicated.

0.0. The AUTOMATH languages

The laaguages of t h e AUTOMATH family a r e formal languages, i n which

l a r g e p a r t s of mathematics can be e f f i c i e n t l y formalized. Texts i n these

languages can be checked mechanically ( i . e . by a computer). A t e x t is ver i -

f i e d l i n e by l i n e , and t h e checking does not only cover syn tac t i ca l correct -

ness of t h e expressions occurring i n a l i n e , bu t a l s o i ts mathematical v a l i -

d i t y , which includes t h e correctness of references t o previous l i n e s . Correct

AUTOMATH t e x t s may the re forebe in terpreted*) t o represent cor rec t mathematics.

The s t r u c t u r e of these languages, based on na tu ra l deduction, i s close-

l y r e l a t e d t o t h e s t r u c t u r e of common i n t u i t i v e reasoning. Hence mathemati-

c a l d iscourses i n an informal language can be t r a n s l a t e d i n t o an AUTOMATH

language without too much trouble.

A t t h e moment a number of nu tua l ly r e l a t e d languages e x i s t s a t i s f y i n g

t h e above spec i f i ca t ions . For severa l of these languages, ver i fying computer

programs a r e cur ren t ly operat ional ; f o r o the rs , such programs a r e s t i l l i n

an experimental stage.

0.1. The AUTOMATH p r o j e c t and i ts motivation

The ob jec t of t h e AUTOMATH p r o j e c t has been t o develop languages a s

described above, and t o make ver i fy ing computer programs f o r these languages.

It was i n i t i a t e d some t e n years ago by N.G. de Bruijn, who a l s o conceived

t h e fundamentals of t h e AUTOMATH languages. Since t h e n . a number of mathema-

t i c i a n s have been working on the p r o j e c t , providing AUTOMATH with a language

theory, wri t ing ver i fying programs f o r AUTOMATH languages, producing t e x t s

i n these languages, and applying t h e ver i fying programs t o these t e x t s .

There were several reasons f o r h i t i a t i n g such a p ro jec t , of which we

mention t h e following:

*) I n discussing an AUTOMATH t e x t I w i l l c a l l t h e intended meaning ( i n for-

mal o r informal mathematics) of t h i s t e x t its interpretat ion, and I w i l l say

t h a t this meaning is represented i n t h e AUTOMATH t e x t .

2

i

ii)

Mechanical verification will increase the reliability of certain kinds

of proofs. A need for this may be felt where a proof is extremely long,

complicated and tedious, and where it is difficult to break it down in-

to intuitively plausible partial results; or where in proofs results of

others are used, so that misinterpretations become possible.

Mechanically verifiable languages set a standard by which informal lan-

guage may be measured, and may thereby have an influence on the use of

language in mathematics generally.

iii) The use of such languages gives an insight into the structure of mathe-

matical texts, and makes it possible to compare the complexity, in se-

veral respects, of mathematical concepts and proofs. As a consequence

projects of this kind may have in the long run a favourable influence

on the teaching of mathematics.

A further motive, for the author, was that the work involved in the

project appealed to him.

More information on the AUTOMATH project, its objectives, motivation

and history can be found in Cd~l.

0.2. The book translated

At an early stage of the AUTOMATH project the need was felt to trans-

late an existing mathematical text into an AUTOMATH language, first, in or-

der to acquire experience in the use of such a language, and secondly, to

investigate to what extent mathematics could be represented in AUTOMATE3 in

a natural way.

As a text tc be translated, the book "Grundlagen der Analysis" by

E. Landau [L] was chosen. This book seemed a good choice for a number of

reasons: it does not presuppose any mathematical theory, and it is written

clearly, with much detail and with a rather constant degree of precision.

For a short description of the contents of Landau's book see 2.0.

0.3. The language of the translation

he language into which Landau's book has been translated is AUT-QE. A detailed description and a formal definition of this language is given in

CVD]. As this paper is fundamental to the following monograph and not easi-

ly obtainable, it has been added as appendix . I . I will use the notations

introduced there whenever necessary. Where in the following text a concept

introduced in CVDI is used for the first time, it will be displayed in italics, with a reference to the section in CVDI where it occurs.

The language of the translation differs from the definition in [VD] in

one respect, viz. the division of the text into paragraphs CVD, 2.163. By

this device the strict rule that all con~ikmts CVD, 2.6, 5.4.11 in an AUT-QE

book CVD, 2.13.1, 5.4.43 should be different is weakened to the more liberal

rule that all constants in one paragraph have to differ. Now, in a line [VD,

2.13, 5.4.41, reference to constants defined in the paragraph containing

that line is as usual, while reference to constants defined in other para-

graphs is possible by a suitable reference system. For a more detailed des-

cription of the system of paragraphing, see appendix 2.

In contravention of the rules for the shape and use of names in AUT-QE,

we will in examples in the following text not restrict ourselves to alpha-

numeric symbols, and occasionally we use infix symbols. (Of course, in the

actual translation of Landau's book, these deviations from proper AUT-QE do

not occur.)

1. PREPARATION

I n t h i s chapter the log ic which Landau presupposes i s analysed and its

representa t ion i n AUT-QE is described.

1.0. The presupposed l o g i c

I n h i s "Vorwort fiir den Lernenden" Landau s t a t e s : "Ich s e t z e logisches

Denken und d i e deutsche Sprache a l s bekannt voraus". Clear ly , i n t h e t rans-

l a t i o n AUT-QE should be subs t i tu ted f o r "die deutsche Sprache". The proper

i n t e r p r e t a t i o n of "logisches denken" must be in fe r red from Landau's use of

log ic i n h i s t e x t .

This appears t o be a kind of informal second (or higher) order predi-

c a t e l o g i c with equal i ty . I n t h e following some c h a r a c t e r i s t i c s of Landau's

log ic w i l l be discussed, and i l l u s t r a t e d by quota t ions from h i s t e x t .

i) Variables have well defined ranges which a r e not too d i f f e r e n t from

types [VD, 2.21 i n AUT-QE. Cf . : - On t h e f i r s t page of "Kapitel 1": "Kleine l a t e i n i s c h e Buchstaben be-

deuten i n diesem Buch, wenn n ich t s anderes gesagt wird, durchweg na-

t i i r l i che Zahlen" . - I n "Kapitel 2 , 5": Grosze l a t e i n i s c h e Buchstaben bedeuten durchweg,

wenn n ich t s anderes gesagt wird, r a t i o n a l e Zahlen".

ii) Predicates have r e s t r i c t e d domains, which again can be in te rp re ted a s

types i n AUT-QE. Cf.:

- "Satz 9: Sind x und y gegeben, so l i e g t genau e ine der FBlle vor:

1) x = y.

2) E s g i b t e i n u m i t x = y + u ..." e t c .

It is c l e a r t h a t u (being a lower case l e t t e r ) i s a na tu ra l number,

o r u E nat. - - "Definit ion 28: Eine Menge von ra t iona len Zahlen h e i s z t e i n Schn i t t ,

wenn.. .". Here it i s apparent t h a t being aa 'Schn i t t " i s a predicate on the type

of s e t s of r a t i o n a l numbers.

iii) When, f o r a predicate P, it has been shown t h a t a unique x e x i s t s f o r

which P holds, then "the x such t h a t P" i s an object . Cf.:

- "Satz 4 , zugleich Def ini t ion 1: Auf genau e ine A r t l d s z t s i c h jedem

Zahlenpaar x ,y e ine nati ir l iche Zahl, x + y genannt, so zuordnen.

dasz.. . . x + y h e i s z t d i e Summe von x und y".

- "Satz 101: 1st X > Y so hat X + U = Y genau eine LBsung U.

Definition 23: Dies U heiszt X-Y".

iv) The theory of equivalence classes modulo a given equivalence relation,

whereby such classes are considered as new objects, is presupposed by

Landau. Cf.:

- The text preceding "Satz 40": "Auf Grund der Sdtze 37 bis 39 zerfal- x, Y,

len alle Briiche in Klassen, so dasz I- A d a n n und nur dann, wenn X2 y2 X

1 Y1 - und - derselben Klasse angehtiren". X 2 y2

- "Definition 16: Unter eine rationale Zahl versteht mann die Menge aller einem festen Bruch Bquivalenten Briiche (also eine Klasse im

Sinne des 5 1) ". v) The concepts "function" and "bijective function" are vaguely described.

Cf.:

- "Satz 4" (see iii) above). - "Satz 274: 1st x < y so kBnnen die m I x nicht auf die n I y einein-

deutig bezogen werden".

- "Satz 275: Es sei x fest, f(n) fiir n x definiert. Dann gibt es ge-

nau ein fiir n x definiertes g (n) mit folgenden Eigenschaften. .." X

followed by the "explanation": "Unter definiert verstehe ich: als

komplexe Zahl definiert". This explanation might be interpreted to

indicate the typing of the functions f and g.

vi) Landau defines and uses partial functions. Cf.:

- "Definition 14: Das beim Beweise des Satzes 67 konstruierte spezielle u 1 y1 - heiszt - - - ...". Here the construction, and therefore the de-

U 2 X2 y2 X1 y1 finition, only applies if - > - .

x, Y, L L -

- "Definition 56: Das Y des Satzes 204 heiszt" ". This definition de- H pends upon H # 0.

- "Definition 71", where Landau states explicitly: "Nicht definiert n

ist x also lediglich fiir x = 0, n I 0".

- "Satz 155: Beweis: 11) Aus X > Y folgt X = (X -Y) + Y". X - "Satz 240: 1st y # 0 so ist -. y = XI'. Y - - "Satz 291: Es sei n 0 oder xl # 0, x2 # 0. Dann ist (x1.x2)'' =

- - xn xn ,, 1' 2 '

I n these l a s t th ree examples we see r'generaZized implications": the

terms occurring i n t h e consequent a r e meaningful only i f t h e antece-

dent is taken t o be t rue . A s imi la r s i t u a t i o n w i l l be encountered i n

v i i ) . v i i ) Def ini t ions by cases, sometimes of a complicated nature , a r e used.

Cf.:

- "Definit ion 52:

- ( I : / + [ H I ) wenn B < 0, H < 0.

lzl - I H I J 0 wenn Z > 0, H < 0,

- ( ] H I - Iq) wenn 5 < 0, H > 0.

wenn f = 0.

wenn H = 0".

- "Definit ion 71:

x = (1 wenn x # 0, n = 0.

[& wenn x # 0, n < 0.

Notice t h a t i n these two d e f i n i t i o n s , i n some of t h e cases t h e defi-

niens is not defined when t h e corresponding condit ion does not hold,

("generaZized def in i t ion by cases" ) , and a l s o t h a t , i n some cases,

the re i s i n t h e de f in iens a reference t o the definiendum.

v i i i ) I n h i s t e x t Landau only occasionally mentions p red ica tes and r e l a t i o n s ;

usual ly he r e f e r s t o s e t s . Cf.:

- "Axiom 5: E s s e i M e ine Menge nat i i r l icher Zahlen m i t den Eigenschaf-

ten:

I) 1 gehdrt zu M.

11) Wenn x zu M gehdrt , so gehdr t x ' zu M.

Oann umfaszt M a l l e nati ir l ichen Zahlen".

- "Satz 2: x ' # x. Beweis: M s e i d i e Menge der x , fiir d i e d i e s g i l t . . " .

However, i n t h e t e x t preceding "Definit ion 26":

- "Da =, >, <, Summe und Produkt den a l t e n Begriffen entsprechen...".

i x ) Landau considers (ordered) p a i r s of ob jec t s . I n chapter 2 the compo-

nents of such p a i r s remain c l e a r l y v i s i b l e i n t h e i r names: he does not

r e f e r t o " the p a i r x with components xl and x2", b u t only t o " the p a i r

x ~ , x ~ " ~ Nevertheless it is c l e a r from h i s words t h a t he considers such

a p a i r a s one ob jec t . Cf.: x4

- "Def ini t ion 7 : Unter einem Bruch f - v e r s t e h t man das Paar de r natiir- X

2 l i chen Zahlen x1,x2 ( i n d iese r Reihenfolge)".

X1 y1 - "Def ini t ion 8: - - - wenn x1y2 = y1X2". X2 Y2

In chapter 5 however, va r i ab les f o r p a i r s are used. Cf.:

- "Def ini t ion 57: Eine komplexe Zahl i s t e i n Paar r e e l l e r Zahlen E1,E2

( i n bestirnmter Reihenfolge). W i r bezeichnen d i e komplexe Zahl m i t

CEl,E23".

This d e f i n i t i o n i s immediately followed by

- "~1einedeutscheBuchstaben bedeuten durchweg komplexe Zahlen".

The two no ta t ions a r e l inked i n the following way:

- "Def ini t ion 60: 1st x = [B1,E2] , y = [H ,H 1, s o ist 1 2 x + y = [ E l + = H + ~ ~ 1 " . -2' 1

X) F i n a l l y it should be pointed ou t t h a t some of Landau's proofs and re-

marks tend t o a kind of i n t u i t i v e reasoningwhich i s no teas i ly represen-

t ed i n a formal system.

A f i r s t example of t h i s i s t h e treatment of equa l i ty i n "Kapitel 1 ,

§ 1".

- " 1 s t x gegeben und y gegeben, s o s ind entweder x und y diese lbe Zahl;

das kann man aueh x = y schreiben; oder x und y n i c h t d iese lbe Zahl;

das kann men auch x f y schreiben.

Hiernach g i l t aus r e i n logischen Granden:

1) x = x fi ir jedes x.

2) Aus x = y f o l g t y = x.

3 ) Aus x = y, y = z f o l g t x = 2".

Here i.t seems t h a t Landau der ives the p roper t i e s of equa l i ty from re-

f l e c t i o n on t h e p roper t i e s of a mathematical s t r u c t u r e . They a r e not

theorems o r axioms but i n t u i t i v e l y t r u e statements. S u b s t i t u t i v i t y of

equal o b j e c t s , though used f requent ly i n t h e proofs of subsequent theo-

rems, i s never mentioned.

Other examples of proofs with i n t u i t i v e components may be found where

Landau, i n a glance, takes i n a complex l o g i c a l s i t u a t i o n . Cf.:

- "Satz 16: Aus x 5 y, y < z oder x < y, y 5 z folgt x,< z. Beweis:

Mit dem Gleichheitszeichen in der Voraussetzung klar; sonst durch

Satz I5 erledigt".

- "Satz 20: Aus x + z > y + z bzw. x + z = y + z bzw. x + z < y + z folgt x > y bzw. x = y bzw. x < y.

Beweis: Folgt aus Satz 19 da die drei Falle beide Male sich aus-

schlieszen und alle MBglichkeiten ersch8pfenW.

A somewhat different example, which involves what might be called

"metalogic", is the text preceding "Definition 26", where it is indi-

cated how a number of theorems might be proved, without actually pro-

ving them. I will return to this in 2.1 viii).

1.2. The representation of logic in AUT-QE

The logic considered by Landau to be "logisches Denken", as described

in the previous section, has been formalized in the first part of the

AUT-QE book, called "preliminaries", which, unlike the other parts, does

not correspond to an actual chapter of Landau's book.

A possible way of coding logic in AUT-QE has been described in CVD, 3,41. In addition to this description we stress a few points on the inter-

pretation of AUT-QE lines CVD, 2.13, 5.4.41. Adopting the terminology intro-

duced in [z] we shall call expressions of the form [x1,u1]...[xk,ak] (with k 2 0) (i.e. t-expressions of degree 1) It-~ressions and ex-

pressions of the form Ex u ]. . . [xk,ukl - (again with k 2 0) lp-wres- 1' 1 sions. Expressions having It- and lp-expressions as their types, will be

called 2t-expressions and 2p-ezp~essions, respectively. Finally, 3t-,and

3p-expressions have 2t- and 2p-expressions as their types.

Now a 2t-expression will be used to denote a type (or "class"). If

its type is an abstraction expression CVD, 2.8, 5.4.21 then it denotes a

type of functions. A 2p-expression denotes a proposition or a predicate. A

3t-expression denotes an object (of a certain type) and a 3p-expression a

proof (of a certain proposition).

The interpretation of an AUT-QE line having a certain shape (EB-line,

line or abbreviation line CVD, 2.13, 5.4.41) will depend on its catego-

ry part CVD, 2.13.11 being a It-, Ip-, 2t- or 2p-expression. So we arrive

at the following refinement of the scheme in CVD, 4.51.

Shape of the line: Category-part

Abbreviation

line

introduces

a type

variable

introduces

a primitive

type con-

stant

defines a

type in

terms of

known con-

cepts

introduces a

proposition

or predicate

variable

introduces an

object varia-

ble (of the

stated type)

--- -

introduces

the stated

proposition

as an axiom

introduces

the stated

proposition

as an assump

tion

introduces a

primitive

proposition

or predicate

constant

defines a

proposition

or predicate

in terms of

known con-

cepts

proves the

stated pro-

position as

a theorem

introduces a

primitive ob-

ject (of the

stated type)

defines an

object (of

the stated

type) in

terms of

known con-

cepts

In the above scheme it is apparent that, if the category part of a line is

a 2p-expression, then the interpretation of that line is an assertion. But

also if the category part is a 2t-expression a the interpretation has an

assertional aspect; the line does not only introduce a new name for an ob-

ject (as a variable, or a primitive or defined constant) but also asserts

that this object has the type a.

1.3. Account of the PN-lines

Here I will give a survey of the primitive concepts and axioms (PN-

lines) occurring in the preliminary AUT-QE text. A mechanically produced

list of these axioms appears as appendix3.Inthis list the PN-lines appear

numbered. References in parentheses below will refer to these numbers.

i) Axioms for contradiction.

Contradiction is postulated as a primitive proposition (I), the double

negation law as an axiom (2).

ii) Axioms f o r equal i ty .

Given a type S , equa l i ty is introduced a s a pr imit ive r e l a t i o n on S

( 3 ) , with axioms f o r r e f l e x i v i t y ( 4 ) and f o r s u b s t i t u t i v i t y (5) ( i . e .

i f X=y , and i f P i s a predicate on S which holds a t X , then P

holds a t Y ) . Moreover the re i s an axiom s t a t i n g extensional i ty f o r

functions (8) . The notion of equa l i ty so introduced is c a l l e d book-equality (c f . CVD,

3.61) i n con t ras t t o d e f i n i t i o m l equality of expressions. (CVD, 2.12,

5.5.61).

iii) Axioms f o r individuals .

Given a type S , a predicate P on S , and a proof t h a t P holds

a t a unique X S , the ob jec t i n d ( f o r individual) i s a p r imi t ive

o b j e c t (61, t o be in te rp re ted a s " the X f o r which P holds". An

axiom s t a t e s t h a t i n d s a t i s f i e s P (7) . i v ) Axioms f o r subtypes.

Given a type S and a predicate P on S , t h e type OT ( f o r own-

type, i . e . t h e subtype of s associa ted with P ) i s a pr imit ive type

(9 ) . For U - E OT we have a pr imit ive ob jec t i t l ( u ) E S ( l o ) , and an

axiom s t a t i n g t h a t t h e function [U ,OTlin(u) is i n j e c t i v e (12) . More-

over the re a r e axioms t o t h e e f f e c t t h a t the images under t h i s func-

t i o n a r e j u s t those X S f o r which P holds ( (11) and (12) ) . V ) Axioms f o r products (of types ) .

Given types S and T t h e type p a i r t y p e ( t h e type of p a i r s (X,y)

w i t h X S and y E T is introduced a s a pr imit ive type (14). For - p E p a i r t y p e we have t h e project ions f i r s t ( p ) - E S and second(p) E T - a s p r imi t ive ob jec t s ( (16) and (17) ) , and conversely, f o r X S and

y T we have pafr(x,y) a s a pr imit ive ob jec t i n p a i r t y p e (15).

Next the re a r e th ree axioms s t a t i n g t h a t pair(fir~t(p),se~~nd(p))=p,

f i r s t ( p a i r ( x , y ) ) = x and second(pair(x ,y))=y (where = r e f e r s t o book-

equa l i ty a s introduced i n ii) ) ( (191, (20) and (21) ) .

(Note: I f a type U containing j u s t two ob jec t s i s ava i l ab le , and i f

S is a type, the type of p a i r s (X,Y) with X E S and Y E S may

be defined a l t e r n a t i v e l y a s the function type [x,U]S . I n t h e t rans-

l a t i o n t h i s was done a t t h e end of chapter 1 , where we took f o r U

t h e subtype of t h e na tu ra l s I 2. Therefore the pa i r ing axioms a s des-

cribed above were no t used i n the a c t u a l t r ans la t ion . )

vi) Axioms for sets.

Given a type S , the type s e t (the type of sets of objects in S )

is introduced as a primtive type (21), and the element relation as a

primitive relation (22). Given a predicate P on S , there is a primitive object seto f (P) s e t (denoting the set of X S satisfying

P ) (23), and there are two axioms to the effect that P holds at X

iff X is an element of s e t o f (P) ( (24) and (25) ) . These can be viewed as comprehension axioms for S . (As sets contain only objects of one type, such axioms will not give rise to Russell-

type paradoxes. )

Finally extensionality for sets is stated as an axiom (26).

The axioms for sets permit "higher-order" reasoning in AUT-QE, since

quantification over the type s e t is possible.

1.4. Development of concepts and theorems in Landau's logic

Here we give a sketch of the development of the logic in [L] from the

axioms described in the previous section.

Starting from the axioms for contradiction, the development of classi-

cal first order predicate calculus is straightforward. In this development

more then usual attention has been paid to mutual exclusion: l(A A B), and

trichotomy: (A V B V C) A (1 (A A B) A 1 (B A C) A 1 (C A A) ) , because these concepts are used frequently by Landau in discussing linear order.

The properties of equality, e.g. symmetry, transitivity, and substitu-

tivity for functions (i.e. if X=y and f if a function on S then

f ( x ) = f (y) ) , follow from the axioms for equality.

The development of the theory of equivalence classes (cf. 1.0 iv)) re-

quires the axioms for subtypes and for sets. It turns out here, when trans-

lating mathematics in AUT-QE, that Landau goes quite far in considering con-

cepts and statements about those concepts to belong to "logisches Denken".

We had to choose how to describe partial functionsinAUT-QE. As an

example let us consider the function f on the type r l of the reals, de-

fined for all X E r l for which x+O , and mapping X to I/x . There are (at least) four reasonable ways to represent f :

i) The range of f may be taken to be r l* , the "extended type" of reals, containing, apart from the reals, an object und representing "unde-

fined". In this case <O>f will be (book-equal to) und , and r l

may be defined as ~ ~ ( r l * ~ ~ x , r l * l ( x f u n d ) ) .

ii) An arbitrary fixed object in rl , 0 say, may replace und . Then <O>f will be taken to be 0 .

iii) f may be considered as a function on OT(r1 ,[x,rlIx#O) , the subtype of the nonzero reals.

iv) f may be represented as a function of kwo variables: an object X E r l and a proof p g x#O . So

f - E Cx,rllC~,x#Olrl . (Then, given an X such that x+O , i.e. given an X and a proof P

that x#O , we can use <x>f to represent I/x .)

It is clear that the representations i) and ii) have much in common.

The representations iii) and iv) are also related: in fact, we may construct,

by the axioms for subtypes, for given X rl and p - E x#O an object

out(x,p) g OT(r1 ,Cx,rl lxf0) . Then, if f l E Cx,OT(rl,Cx,r1lx#O)lrl ,

then

Cx,rl l~p,x#Ol~out(x,p)~fl E Cx ,rl lCp,x#OIrl . On the other hand, if

(for brevity some obvious subexpressions in the formula above have been

omitted) . After a careful examination of Landau's language, I have decided that

the fourth representation is closest to his intention, and have therefore

adopted it. However this leads to the following difficulty:

Let, in our example, X rl and y - E rl be given, such that X=Y , and suppose we have proofs g (~$0) and q E (~$0) . Now it is not a pri- or; clear in AUT-QE (though it is clear to Landau), that the corresponding

values <x>f and <q><y>f will be equal. That is: it is not guaranteed

in the language that the function values for equal arguments will be inde-

pendent of the proofs P and q .

This property of partial functions, which is called irrezevance of

proofs, can be proved for all functions which Landau introduces. When dis-

cussing arbitrary partial functions however, irrelevance of proofs had to

be assumed in some places (ck. gi te below). For a further discussion we refer to 4.0.1.

AS a consequence of the chosen representation of partial functions,

terms may depend on proofs, and therefore certain propositions are meaning-

ful only if others are true. This gives rise to generalized implications

(cf. 1.0 vi)) and generalized conjunctions, such as:

and "X > 0 A & # 2" .

Logical connectives of this kind have been formalized in the paragraph "r" in the preliminary AUT-QE text.

The definition-by-cases operator j t e (short for if -then-else, cf . 1 .0

vii))) can be defined on the basis of the axioms for individuals. As we

have seen (1.0 vii)), Landau admits partial functions in such definitions.

For these cases a "generalized" version of the definition-by-cases operator

g i t e (for generalized if-then-else) is required, which has been defined on-

ly for partial functions satisfying the irrelevance of proofs condition.

~ l l set theoretical concepts used by Landau (cf. 1.0 viii)) may be de-

fined starting from our axioms for sets.

The passages in Landau's text which use more or less intuitive reason-

ing (cf. 1.0 x)) could not very well be translated. In the relevant places

straightforward logical proofs were given, which follow Landau's line of

thought as closely as possible.

2. TRANSLATION

In this chapter, we discuss the actual translation of Landau's book,

the difficulties encountered and the way they were overcome (or evaded).

First, in section 2.0, we give an abstract of Landau's book; then, in sec-

tion 2.1, a general survey is given of the various reasonsto deviate occa-

sionally from Landau's text. In the following sections we describe the trans-

lation of the chapters 1 to 5 of Landau's book.

2.0. An abstract of Landau's book

i) "Kapitel 1. Natiirliche Zahlen" . Peano's axioms for the natural numbers l,2,3, ... are stated. "+" is defined as the unique operation satisfying x+l = x' and

x +y' = (X +y) ' . Properties of + (associativity, commutativity) are derived.

Order is defined by x > y :: 3u [x = y + ul. It is proved to be a linear order relation and its connections with + are derived. "Satz 27" states that it is a well-ordering. I # . I# (multiplication) is defined as the unique operation satisfying

x.1 = x and x.y' = x.y + x. Properties of ". ' I (commutativity, associa-

tivity) are derived, and also its connections with + (distributivity) and with order.

ii) "Kapitel 2. BrGche" . Fractions (i.e. positive fractions) are defined as pairs of natural

numbers. Equivalence of fractions is defined, and proved to be an equi-

valence relation.

Order is defined, it is shown to be preserved by equivalence, and to be

an order relation. Properties are derived (e.g. it is shown that nei-

ther maximal nor minimal fractions exist, and that the set of fractions

is dense in itself).

Addition and multiplication are defined, and proved to be consistent

with equivalence. Their basic properties and interconnections are de-

rived, and their connections with order are shown. Also subtraction and

division are defined.

Rationals (i.e. positive rational numbers) are defined as equivalence

classes of fractions. Order, addition and multiplication are carried

over to the rationals, and their various properties are proved. Final-

ly the natural numbers are embedded, and the order in the rationals is

shown to be archimedean.

iii) "Kapitel 3 . Schni t te" .

Cuts i n the p o s i t i v e r a t i o n a l s a r e defined.

For these cu t s , order , addi t ion (with s u b t r a c t i o n ) , and mul t ip l i ca t ion

(with d i v i s i o n ) , a r e defined, and again t h e var ious p roper t i e s and in-

terconnections of these concepts a r e proved.

The r a t i o n a l s a r e embedded, and t h e s e t of r a t i o n a l s i s proved t o be

dense i n t h e s e t of cu t s . F i n a l l y t h e ex i s t ence of i r r a t i o n a l numbers

is proved, by introducing I /Z a s an example.

i v ) "Kapitel 4. Reelle Zahlen".

The c u t s a r e now i d e n t i f i e d with t h e p o s i t i v e r e a l numbers, and t o

these t h e r e a l number 0 and the negat ive r e a l s a r e adjoined, i n such a

way t h a t t o every p o s i t i v e r e a l t h e r e corresponds a unique negative

r e a l .

The absolute value of a r e a l number is defined. Order is defined, i ts

p roper t i e s a r e derived, and the p red ica tes " ra t iona l " and " i n t e g r a l "

("ganz") a r e defined on the r e a l s .

Now addi t ion andmult ip l ica t ion a redef ined , a n d t h e i r proper t ies and t h e i r

connections with each o the r , with absolute value and with order a r e de-

r ived. I n p a r t i c u l a r the minus opera tor ( a ssoc ia t ing t o each r e a l i t s

add i t ive inverse) i s discussed, a s well a s subtract ion and d iv i s ion .

F i n a l l y , i n the "Dedekindsche Hauptsatz", Dedekind-completeness o f t h e

order i n t h e r e a l s i s proved.

v) "Kapitel 5. Komplexe Zahlen" . Complex numbers a r e defined a s p a i r s of r e a l s .

Addition, mul t ip l i ca t ion , sub t rac t ion and d iv i s ion , t h e i r p roper t i e s

and interconnections a r e discussed.

To each complex number i s associa ted i ts conjugate, and a l s o (follow-

ing t h e d e f i n i t i o n of the square r o o t of a nonnegative r e a l ) itsmodu-

l u s ( a s a r e a l number). The connections of these two concepts with each

o the r and with t h e previously introduced opera t ions a r e derived.

For an assoc ia t ive and commutative opera tor * (which may be in te rp re ted

a s e i t h e r + o r .) , and f o r an n-tuple of complex numbers f (1) , . . ,f (n) , Landau denotes

This concept i s defined a s the value a t n of t h e unique funct ion g

(with domain {1,2, ..., n)) f o r which g ( 1 ) = f ( 1 ) and g ( i l ) = g ( i ) * f ( i 1 )

for i < n. The properties of g are proved, in particular, for a permu-

tation s of {1,2, .... n) it is proved that

The definition of is extended to n-tuples f(y),f(y +l),..,f(y+n-1)

(where y is an integer), and its properties are carried over to this

situation. C is defined as the specialization of g to the operation +, and II as its specialization to . (multiplication). Some properties of C and II are proved.

n For a complex number x and an integer n, with x # 0 or n > 0, x is de-

fined, and its properties and connections with previously defined con-

cepts are discussed.

Finally the reals are embedded in the set of complex numbers, the num-

ber i is defined, it is proved that i2 = -1, and that each complex num-

ber may be uniquely represented as a+bi with a,b real.

2.1. Deviations from Landau's text

In our translation, deviations from Landau's text appear occasionally.

They may be classified as follows:

i) In some cases a direct translation of Landau's proofs seems a bit too

complicated. We list three reasons for this.

a) Sometimes it is due to the structure of AUT-QE which does not quite

agree with the proof Landau gives. E.g. in the proof of "Satz 6"

Landau applies, for fixed yr induction with respect to x. As

X - E nat, Jf E nat is a common context in the translation, it is - easier there to apply, for fixed X ,induction with respect to Y .

b) Sometimes the reason is that Landau uses a unifying argument. E.g.

in the proof of the "Dedekindsahe Hauptsatz" there are, at a certain

stage, two real numbers E and HI such that B > 0 and E > H. Here

Landau needs a rational number Z, such that E > Z > H. Now it has

been proved in "Satz 159" that between any two positive reals there

is a rational. If H > 0 this may be applied immediately. If H 5 0 - Landau defines H = - - and again applies "Satz 159", this time

1 1 + 1 with HI.

This argument however is complicated, because, to apply "Satz 159",

first 0 < H1 < B has to be proved (which Landau fails to do). And it

is superfluous because every Z i n the c u t 1 w i l l meet t h e condit ions

i n t h i s case.

c ) I n one ins tance ( t h e proof of "Satz 27") , Landau has given a com-

p lex proof , which may be s impl i f ied .

In a l l these cases I have, i n the t r a n s l a t i o n , given a proof which f o l -

lows Landau's l i n e of reasoning. However, i n some cases , I have a l s o

given s h o r t e r a l t e r n a t i v e proofs. This means t h a t the devia t ions a r e

op t iona l i n these cases.

ii) Some of Landau's "SBtze" r e a l l y cons i s t of two o r t h r e e theorems.

E.g. "Satz 16: Aus x 5 y, y < z oder x < y, y 5 z f o l g t x < z". I n such

cases t h e theorem has been s p l i t up: "Satz 16a: Aus x 5 y , y < z f o l g t

x < z " , "Satz 16b: Aus x < y , y 5 z f o l g t x < z".

iii) Very f requent ly Landau uses without not ice a number of more o r l e s s

t r i v i a l c o r o l l a r i e s of a theorem he has proved. E.g. bes ides "Satz 93:

( X + Y ) + Z = X + ( Y + Z ) " he uses "X + (Y + Z ) = ( X + Y ) + Z" without

quoting "Satz 79". Sometimes such a p r a c t i c e i s e x p l i c i t l y announced,

e.g. i n t h e "Vorbemerkung" t o "Satz 15", where it i s s t a t e d t h a t , with

any proper ty derived f o r <, the corresponding property f o r > s h a l l be

used. I n a l l such cases t h e c o r o l l a r i e s have been formulated and proved

af t e r t h e theorems.

i v ) Following t h e t r a n s l a t i o n of the d e f i n i t i o n of a concept, we o f t e n ad-

ded the s p e c i a l i z a t i o n t o t h i s concept of c e r t a i n genera l p roper t i e s .

E.g. a f t e r t h e in t roduct ion of +, s u b s t i t u t i v i t v of equa l i ty

was applied: " I f x = y then x + z = y + z and z + x = z + y. I f x = y

and z = u then x + z = y + u". This was done i n order t o make l a t e r ap-

p l i c a t i o n s e a s i e r .

v ) I n a few proofs of t h e l a s t th ree chapters minor changes were made.

E.g. i n t h e proof of "Satz 145", where Landau s t a t e s : "Aus 5 > f o l g t

nach Satz 140 b e i passendem u 5 = n + u " b u t where, by "Def ini t ion

35" u can be defined e x p l i c i t l y by i~ := 5 - n. This has been done i n

t h e t r a n s l a t i o n , thus avoiding t h e superfluous exis tence el imination.

Another devia t ion occurs i n the proof of "Satz 284". Here Landau wr i t e s

the following chain of e q u a l i t i e s :

A s i n t h e proof t h e equa l i ty

was needed, the following chain of equations was preferred in the

translation:

vi) As we have seen in 1.0 vii) Landau formulates Peano's fifth axiom in

terms of sets, and, when applying it, always represents a predicate as

a set. In the translation this extra step has been avoided. The induc-

tion axiom is indeed introduced for sets, but then immediately a lemma,

called i nduc t i on , which applies to predicates is proved. This lemma has been used systematically in all proofs by induction.

Also "Satz 27: In jeder nicht leeren Menge natiirlicher Zahlen gibt es

eine kleinste" has been reworded and proved in terms of predicates and

not of "Mengen" . vii) "Intuitive arguments" of Landau were translated in various ways. E.g.

"Satz 20: Aus x + z > y + z bzw. x + z = y + z bzw. x + z < y + z folgt X'Y bzw. x = y bzw. x < y.

Beweis: Folgt aus Satz 19 da die drie Fiille beide Male sich ausschlies-

zen und alle MBglichkeiten erschbpfen" (where "Satz 19" asserts the

inverse implications).

Considering the fact that Landau regards this proof as belonging to

"logisches Denken", I have proved in the preliminaries three "logical"

theorems to the effect that:

If A V B V C, l ( D A E), l(E A F), l(F A D) and A *Dl B *El C *F,

then D *A, E * B and F * C. These theorems were used in the translation.

A second example: "Satz 17: Aus x 5 y, y I z folgt x I z.

Beweis: Mit zwei Gleichheitszeichen in der Voraussetzung klar; sonst

durch Satz 16 erledigt" ("Satz 16" is quoted above under ii)). Here the

AUT-QE text, when translated back into German, might read:

"Beweis: Es sei x = y. Dann ist, wenn y = z, auch x = z also x I z.

Wenn aber y < z so ist x < z nach Satz 16a, also ebenfalls x I z.

Nehme jetzt an x < y. Dann folgt aus Satz 16b x < z, also auch in die-

sem Fall x I z. Deshalb ist jedenfalls x I z".

Another argument which is difficult to translate faithfully occurs in

"Kapitel 5, 5 8" where sums and products are introduced. Landau uses

here a symbol which he intends to represent either "+" or n . , and in this way defines "C" and "JL" simultaneously. In our translation we de-

f i n e d i t e r a t i o n f o r a r b i t r a r y commutative and assoc ia t ive opera tors ,

and consequently our concept and t h e re levan t theorems a r e e s s e n t i a l -

l y s t ronger than Landau's. This g e n e r a l i t y is much e a s i e r t o descr ibe

i n AUT-QE then a theory which app l i e s only t o "+" and 'I . I' . v i i i ) Landau uses metatheorems whenever he embeds one s t r u c t u r e i n t o anoth-

e r , t o show t h a t the p roper t i e s proved f o r t h e o l d s t r u c t u r e "carry

over" t o t h e new. A s an example I c i t e h i s treatment i n chapter 2 of

t h e embedding of t h e n a t u r a l numbers i n t o the (pos i t ive ) r a t i o n a l s . X X

"Satz 111: Aus - > f bzw. -" bzw. < 1 1 1 1 1

f o l g t x > y bzw. x = y bzw. x < y".

"Definit ion 25: Eine r a t i o n a l e Zahl h e i s z t ganz, wenn unter den Brii- X

chen, deren Gesamtheit s i e i s t , e i n Bruch - vorkommt". 1 "Dies x ist nach Satz 111 e indeut ig bestimmt, und umgekehrt e n t s p r i c h t

jedem x genau e ine ganze Zahl".

"Satz 113: Die ganzen Zahlen geniigen den fiinf Axiomen der nati ir l ichen 1

Zahlen, wenn d i e Klasse von - a n S t e l l e von 1 genommen wird, und a l s X

1 X '

Nachfolger de r Klasse von - d i e Klasse von - angesehen wird". 1 1

Landau adds the following comment:

"Da =, >, < , Summe und Produkt (nach Satz 11 1 und 112) den a l t e n Be-

g r i f f e n entsprechen, haben d i e ganzen Zahlen a l l e Eigenschaften d i e

w i r i n Kapitel 1 fiir d i e nati ir l ichen Zahlen bewiesen haben".

I t was d i f f i c u l t t o t r a n s l a t e t h i s t e x t . The t r a n s l a t i o n requ i res

f i r s t a c a r e f u l ana lys i s of t h e i n t e r p r e t a t i o n of Peano's axioms i n

chapter 1. There a r e two p o s s i b i l i t i e s :

I n the f i r s t i n t e r p r e t a t i o n , the axioms descr ibe fundamental proper-

t i e s of the given system of n a t u r a l s (na t , 1 , s u c ) , which cannot be

proved from more p r imi t ive p roper t i e s , and from which a l l o t h e r prop-

e r t i e s of the system can be derived. I n t h i s conception the re is an

i n t e n t i o n t o charac te r i ze t h e s t r u c t u r e by t h e axioms.

I n t h e second i n t e r p r e t a t i o n , t h e axioms a r e simply assumptions under-

ly ing a c e r t a i n theory. The theorems of t h e theory a r e v a l i d i n any

s t r u c t u r e i n which these assumptions hold. I n t h i s view, no claim i s

made t h a t the axioms charac te r i ze t h e system. . . T h e d i f fe rence between these two conceptions can be i l l u s t r a t e d by

comparing the r61e of t h e axioms i n Euc l id ' s geometry t o the r61e of

t h e axioms f o r groups i n group theory.

The i n t e r p r e t a t i o n of "Satz 113" and Landau's comment v a r i e s according

t o t h e i n t e r p r e t a t i o n of the Peano axioms. I n t h e f i r s t i n t e r p r e t a t i o n * * *

t h e "ganzen kationalen Zahleh" form a s t r u c t u r e ( n a t , 1 , suc ) which

"happens to" have t h e same fundamental p roper t i e s a s t h e o r i g i n a l s t ruc-

t u r e (na t , 1 , s u c ) . Hence, by a s u i t a b l e metatheorem, we see t h a t t h e

reasoning of chapter 1 may be repeated f o r t h i s new s t r u c t u r e , extend- * * * * * *

ing it t o ( n a t , 1 , suc , + , . , < ) and proving t h e various proper-

t i e s of t h i s extended system.

I n t h e second i n t e r p r e t a t i o n "Satz 113" j u s t proves t h a t t h e s t r u c t u r e * * *

(na t , 1 , suc ) s a t i s f i e s t h e assumptions. After t h i s the theory of

chapter 1 can be appl ied immediately.

However the re is a f u r t h e r problem (under e i t h e r i n t e r p r e t a t i o n ) : ad- *

d i t i o n on n a t defined according t o t h e method of chapter 1 i s not (de- *

f i n i t i o n a l l y ) the same thing a s t h e r e s t r i c t i o n ( t o n a t ) of t h e addi-

t i o n on t h e r a t i o n a l s and these two functions must s t i l l be proved t o

be (extensional ly) equal. Similar remarks can be made about mul t ip l i -

ca t ion and order.

I t follows t h a t the re levan t t e x t cannot be rendered d i r e c t l y i n AUT-QE

under e i t h e r i n t e r p r e t a t i o n of Peano's axioms. There is, therefore , no

t echn ica l reason t o p re fe r one of these i n t e r p r e t a t i o n s t o the other .

Landau's ideas on t h e r61e of t h e axioms a r e not q u i t e c l e a r from h i s

t e x t . We c i t e some of h i s statements:

- I n h i s "Vorwort fiir den Kenner" he mentions c e r t a i n laws on t h e r e a l s

which can be " a l s Axiome p o s t u l i e r t " .

- He thinks it r i g h t , t h a t t h e s tudent should l e a r n "auf welchen a l s

Axiomen angenornmenen Grundtatsachen s i c h liickenlos d i e Analysis auf-

baut" . - Moreover: " In d i e s e r (Vorlesung) gelange i ch , von den Peanoschen

Axiomen der aati ir l ichen Zahlen ausgehend, b i s zur Theorie der r e e l -

l e n Zahlen".

- I n chapter 1: "Wir nehmen a l s gegeben an:

Eine Menge, d.h. Gesamtheit, von Dingen, nati ir l iche Zahlen genannt,

m i t den nachher aufzuzZhlenden Eigenschaften, Axiome genannt".

- "Von d e r Menge der natiirlichen Zahlen nehmen w i r nun an, dasz s i e

d i e Eigenschaften hat . . ." .

- A re levan t passage is a l s o "Satz 113'' quoted above.

- Landau never mentions "a system of natura ls" , l i k e i n group theory

one would discuss "a group", but always "die nati ir l ichen Zahlen".

Most of t h e sentences quoted above po in t t o t h e second i n t e r p r e t a t i o n ,

some of them however could be in te rp re ted b e t t e r o r equally wel l i n

the f i r s t way.

Now, a s n e i t h e r t echn ica l reasons nor Landau's t e x t indicated d e f i n i t e -

l y how Peano's axioms should be i n t e r p r e t e d , I decided t o i n t e r p r e t

them a s p o s t u l a t e s (PN-lines) r a t h e r then assumptions (EB-lines) be-

cause it s u i t e d my own conception of t h e na tu ra l s . Moreover t h i s i n t e r -

p r e t a t i o n reduces t h e context and thereby s i m p l i f i e s v e r i f i c a t i o n . .

The meta-reasoning sketched above has b e e n t r e a t e d a s follows. After

t h e proof of "Satz 113" the proofs of "Satz 1" and "Satz 4" (where ad-

d i t i o n i s introduced) were copied f o r the "ganzen Zahlen". However ad-

d i t i o n on t h e "ganzen Zahlen" has been defined a s t h e r e s t r i c t i o n of

add i t ion on t h e r a t i o n a l s . Then a number of theorems from "Kapitel 1"

where proved using "Satz 112". Order and mul t ip l i ca t ion were t r e a t e d

i n , a s imi la r way. These t e x t s have been i n s e r t e d a s a matter of

p r e s t i g e because we claimed t h a t we were a b l e t o say everything Landau

says. The inse r t ionswere never used however ( c f . i x ) below).

I n "Kapitel 3, 5 5" and "Kapitel 5, 5 10" s i m i l a r arguments occur,

when the r a t i o n a l s a r e embedded i n the r e a l s , and t h e r e a l s i n t h e

complex numbers. These arguments were " t r ans la ted" j u s t by construct-

ing t h e re levan t isomorphisms. This s u f f i c e s f o r a l l appl ica t ions .

i x ) A consequence of the d i f f i c u l t i e s described i n v i i i ) i s a divergence

between t h e t r a n s l a t i o n and Landau's book with respec t t o t h e use of

n a t u r a l numbers i n t h e chapters 3, 4 and 5. After h i s comment (follow-

ing "Satz 113") t h a t t h e "ganze Zahlen" have t h e same p roper t i e s a s

t h e "nati ir l iche Zahlen" Landau continues:

"Daher werfen w i r d i e nati ir l ichen Zahl.en weg, e r se tzen s i e durch d i e

entsprechenden ganzen Zahlen, und haben f o r t a n (da auch d i e Briiche

i iberfl i issig werden) i n bezug auf das Bisherige nur von ra t ionalen Zah-

l e n zu reden".

I n t h e t r a n s l a t i o n I have not followed t h i s course, because, a s pointed

o u t , it would have been a cumbersome t a s k t o prove the p roper t i e s of

t h e "nati ir l iche Zahlen" f o r the "ganze Zahlen", and a l s o because it

would have been i n e v i t a b l e t o repeat t h i s procedure with every fu r the r

extension of t h e number system. Therefore 1-have stuck t o t h e "natiir-

l i c h e Zahlen" throughout the t r a n s l a t i o n .

X) Another important devia t ion of Landau's t e x t was caused by

"Defini t ion 43: W i r erschaffen e ine neue, von den posi t iven Zahlen ver-

schiedene ~ a h l 0. W i r erschaffen fe rner Zahlen d i e von den posi t iven

und 0 verschieden s ind, negative genannt, d e r a r t , dasz w i r jedem 5

(d.h. jeder pos i t iven Zahl) e ine negative Zahl zucrdnen, d i e w i r -5

nennen" . I doubt wether t h i s c rea t ive a c t may be c a l l e d a "def ini t ion" . Landau

considers it a p a r t of "logisches Denken" t o form, given s e t s (o r types)

a and 8, t h e Cartesian product a x 8, a s i s c l e a r from chapter 2. I t

might be a l s o considered " logical" t o form t h e d i s j o i n t u n i o n a e 6 . B u t

Landau does no t mention t h i s , he j u s t "creates" 0 and t h e negative

numbers from nothing.

Moreover I do n o t see a formal d i f fe rence between t h e a s s e r t i o n "1 i s t

e ine nati ir l iche Zahl" (which Landau c a l l s an axiom) and t h e a s s e r t i o n

"0 i s t e ine r e e l l e Zahl" (which he c a l l s a d e f i n i t i o n ) . Neither do I

see a formal d i f fe rence between "x' # 1" and "-5 # 0". I n my opinion

t h e l i m i t s of "logisches Denken" a r e exceeded here.

I n agreement with t h i s c r i t i c i s m I have t r a n s l a t e d t h i s "def in i t ion"

by introducing a number of pr imit ive concepts and axioms (PN-lines).

The type of r e a l numbers rl is a p r imi t ive type. To any c u t 5 r e a l

numbers p ( S ) and n(5) a r e associated. 0 is a pr imit ive r e a l num-

ber,. Next t h e r e a r e axioms t o the e f f e c t t h a t t h e functions

[x,cu~]~(x) and [x,cut]n(x) a r e i n j e c t i v e . Now X rl has the

property POS (o r neg ) i f it is i n t h e range of t h e f i r s t (.or the

second) of these functions. Then the re a r e axioms s t a t i n g t h a t , f o r

X - E r? , pos(x) , neg(x) and X=O a r e mutually exclusive, and t h a t

each X rl has one of these p roper t i e s . ( I n f a c t Landau does not

s t a t e t h e l a t t e r axiom e x p l i c i t l y . ) S t a r t i n g from these axioms "Kapi-

t e l 4" was t r ans la ted .

However, a s I thought it unsa t i s fac to ry t o develop t h e theory of r e a l

and complex numbers using more than Peano's w i a m s alone, I have added

an a l t e r n a t i v e AUT-QE vers ion of chapter 4, c a l l e d chapter 4a, where

t h e r e a l numbers a r e defined a s equivalence c lasses of p a i r s of c u t s ,

and where a l l theorems of Landau's "Kapitel 4" a r e proved f o r these a l -

t e r n a t i v e r e a l s . The AUT-QE t r a n s l a t i o n of chapter 5 has been checked

r e l a t i v e t o t h e AUT-QE book consis t ing of the chapters 1 , 2, 3 and 4a.

2.2. The t r a n s l a t i o n of "Kapitel 1"

§ 1. Equali ty was introduced i n t h e p re l iminar ies ( c f . 1.3 ii) and

1 .4 ) . n a t is introduced a s a p r imi t ive type, the Peano axioms a s PN-lines

( c f . 2.1 v i i i ) ) . Induction is formulated i n terms of s e t s , bu t immediately

a lemma on induction, which app l i e s t o p red ica tes i s proved. This lemma i s

used i n t h e sequel (cf . 2.1 v i ) ) . § 2. "Satz 4: Auf genau e ine A r t l d s z t s i c h jedem Zahlenpaar x ,y e ine

nat i i r l iche Zahl, x + y genannt, s o zuordnen, dasz..." has been t r a n s l a t e d

t h e way it is proved by Landau, v iz . " for each X n a t the re e x i s t s a uni-

que funct ion f [ t , n a t l n a t such t h a t . . . 'I. ( I n f a c t t h i s theorem might

have been proved without using extensional equa l i ty of funct ions . )

After t h e proof of "Satz 4" we have i n the t r a n s l a t i o n 11 c o r o l l a r i e s

and lemma's ( c f . 2.1 iii) and 2.1 i v ) ) . To some of these Landau r e f e r s ex-

p l i c i t l y ( i n t h e proof of "Satz 6": "nach dem Konstruktion beim Beweise des

Satzes 4") bu t more o f t e n they a r e used i m p l i c i t l y (e.g. i n t h e proofs of

"Satz 9" and "Satz 24").

§ 3. Landau's "Def ini t ion 2: 1st x = y + u s o i s t x > y" i s a b i t loose

and requ i res of course a b e t t e r formalization. H i s proof of "Satz 27" i s not

very wel l organized, and uses i n d i r e c t reasoning twice. After t h e t r ans la -

t i o n of t h i s proof i n AUT-QE (36 l i n e s , 458 i d e n t i f i e r occurrences) a more

s t ra ightforward proof was given (reducing t h e length t o 23 l i n e s , 264 iden-

t i f i e r occurrences). This a l t e r n a t i v e proof, t r a n s l a t e d back i n t o German

(with "Mengen" ins tead of p red ica tes , c f . 2.1 v i ) ) , might read a s follows:

"Satz 27: I n jeder n i c h t leeren Menge nat i i r l icher Zahlen g i b t e s e ine kle in-

stet!.

Beweis: N s e i d i e gegebene Menge, M d i e Menge de r x d i e I jeder Zahl aus N

s ind. Nehme an e s g i b t i n N keine k l e i n s t e .

1 gehdr t zu M nach Satz 24.

1st x zu M gehdrig s o i s t x < jeder Zahl aus N. x gehdr t n i c h t zu N ,

den sonnst wdre x k l e i n s t e Zahl aus N. Nach Satz 25 i s t a l s o jeder ZahlausN

2 x + 1, und daher gehtjrt x + 1 zu M.

M e n t h d l t somit jede nat i i r l iche Zahl.

Wenn aber y zu N gehtjrt, so gehdrt , wegen y + 1 > y , y + l n i c h t zu M I

gegen des obige.

N e n t h d l t a l s o e ine k l e i n s t e Zahl".

(The German proofs do not d i f fe r toomuch i n length: they contain 139 resp .

116 words.)

5 4. The theorems on multiplication and their proofs are very similar

to those on addition. The remarks made above concerning the translation of

5 2 apply here too.

After the translation of "Kapitel I", in our AUT-QE text, for each

X - E n a t , the type I ~ Q ( x ) of the natural numbers I x is defined. Then,

for an arbitrary type S , the type p a i r l t y p e ( S ) is defined to be

[ t . , l t0(2)1S . ~t represents the type of pairs (a,b) with a E S , b - E S . Its various properties are then derived (cf. 1.3 v)).


5 1. Landau defines fractions as ordered pairs. However he does not

use variables for pairs, but indicates them by their components:

I1 , _ I1 X1 , etc. In the translation X is a variable for fractions, with X2 y2

numerator ~ U M ( X ) and denominator den(x) . And to XI - E n a t , ~2 - E n a t

is associated the fraction f r ( x l , x 2 ) . 5 5. The rationals are defined as equivalence classes of fractions.

The subsequent proofs have all the same structure: in the equivalence clas-

ses representatives are chosen, and the theorems proved for these represen-

tatives are carried over to their classes. (Landau rather summarily des-

cribes this course of reasoning. E.g.: "Satz 81: ... . Beweis: Satz 41".) In order to translate this practice, four lemmas were proved, cover-

ing the cases where 1, 2, 3 or 4 rationals are involved, and which are used

throughout the translation of 8 5.

After the proof of "Satz 112" it is proved (as an extra theorem) that

for two "ganzen Zahlen" x and y, such that x > y, the difference x - y is also "ganz". Landau uses this (without proof) in his proofs of "Satz 162"

and "Satz 285".

The translation of "Satz ill", "Definition 25", "Satz 112" and "Satz

113", with the ensuing text on "throwing away" the naturals, has been exten-

sively discussed already in 2.1 viii).


5 1. The definition of the concept "Schnitt" did not give rise to dif-

ficulties. The type C U ~ is defined as the type of those sets of rationals

which are cuts. Now, in this definition, there are three properties of cuts

5 which involve existential quantification:

i) 5 is not empty: 3x [x E 51.

ii) the complement of 5 is not empty: 3x [x f 51.

iii) 5 contains no maximal element: if x E 5 then 3y Cy E 5 A y > x].

Therefore, if 5 is a cut, then there are three ways to apply existence eli-

mination. Three lemmas to that effect (which Landau uses without notice)

are stated and proved in the AUT-QE text immediately after the introduction

of the concept Cut . Also in other paragraphs in this chapter, when existential quantifica-

tion was used in defining relations (> in 2) or objects (5 + 0 in S 3,

5.n in 5 41, a corresponding existence elimination rule was stated and

proved as a lemma immediately afterwards.

5 3. "Satz 132. Bei jedern Schnitt gibt es, wenn A gegeben ist, eine

Unterzahl X und eine Oberzahl U mit U - X = A" is an example of the use of

"generalized" logic as described in 1.4. In fact, as U and X are positive

rationals, the term U - X is only defined if U > X. That this is the case

is a consequence of the assumption that U and X are "Oberzahl" resp. "Unter-

zahl" of the same cut 5 (i.e. U 6 5 and X E 5). In the proof of "Satz 140" there is a reference to the "Anfang des Be-

weises des Satzes 134". In Landau's Satz-Beweis style this is slightly un-

orthodox. In AUT-QE there is no such objection. The translation of this re-

ference is given in a single AUT-QE line referring to a line in the proof

of "Satz 140".

5 4. Preceding the proof of "Satz 141" there is in the AUT-QE transla- 1

tion a lemma stating that for rationals X and Z we have y . Z = - . This is X

used without proof by Landau in the proofs of "Satz 141" and "Satz 145".

§ 5. Embedding the (positive) rationals in the (positive) reals, (i.e.

in the type cut), gives rise to difficulties as described in 2.1 viii).

Finally, it is proved in the translation (as a corollary of "Satz 112")

that, for cuts 5 and n which are (embedded) naturals, 5 + q, x.n and (if 5 > n) 5 - 0 are (embedded) naturals too. These results are used in "Kapi- tel 5, § 8".


§ 1. The first definition of this chapter and its translation have

been discussed in 2.1 x): Contrary to Landau's intentions, in the transla-

tion the cuts from chapter 3 are not identified with positive reals. This

is because we want to collect the reals in a single type rl , and because

types i n AUT-QE a r e unique. (Accordingly the re a r e i n AUT-QE no f a c i l i t i e s

f o r extending types; we always have t o use embeddings ins tead . ) Some proofs

i n t h i s chapter a r e complicated by t h i s d i s t i n c t i o n between c u t s and posi-

t i v e r e a l s .

5 2. The very complicated d e f i n i t i o n s by cases i n t h i s chapter were

occas ional ly s l i g h t l y modified. E.g.:

"Def ini t ion 44 :

I 5 wenn E = 5

1 = 0 w e n n B = O

5 wenn B = -5".

was t r a n s l a t e d a s

i f E = n(5) 1 B 1 =

otherwise

(here p ( 5 ) and n ( 5 ) denote the p o s i t i v e and negative r e a l s associa ted with

t h e c u t 5) . 5 3. The t r a n s l a t i o n of "Def ini t ion 52" (quoted i n 1.0 v i i ) ) was t i r e -

some ( i t t o o k about 180 AUT-QE l i n e s ) . Equally t ed ious t o t r a n s l a t e were the

proofs of t h e theorems following t h i s d e f i n i t i o n ("Satz 175", "Satz 180".

"Satz 185"). I n t h e proof of "Satz 182" it i s l e f t t o t h e reader t o check

t h e theorem i n a number of cases. This t a sk could no t be l e f t t o a non-hu-

man reader without f u r t h e r ins t ruc t ions .

I n t h e proof of "Satz 185" t h e order i n which the 11 d i f f e r e n t cases

a r e t r e a t e d has been a l t e r e d i n t h e t r a n s l a t i o n . The essence of the proof

has not been changed, however.

5 4. The d e f i n i t i o n of mul t ip l i ca t ion , where 6 cases a r e discerned,

gave r i s e t o s i m i l a r d i f f i c u l t i e s a s the d e f i n i t i o n of add i t ion (it took

about 110 AUT-QE l i n e s ) . I had some doubts how t o i n t e r p r e t

"Satz 196: 1st E # 0, H # 0, so i s t

je nachdem keine oder zwei, bzw. genau e ine de r Zahlen E , H negativ sind".

A t f i r s t s i g h t t h i s seems t o mean:

a ) I f B and H a r e no t negative then E.H = I B l . I H I .

b ) I f E and H a r e negative then E .H = I E 1 . I H I . c ) I f B not negative, H negative then E.H = - ( l E l . / H I ) .

d) I f B negative, H not-negative then E.H = - ( l E l . I H I ) .

However, i f t h i s meaning i s intended the condit ion E # 0, H # 0 is super-

f luous . Therefore, poss ibly , the statement i s meant t o include a l s o

e ) I f B . H = I B 1 . I H I then ne i the r o r both of 5 and H a r e negative.

f ) I f E . H = - (151 . ] H I ) then E i s negative and H is not, o r H i s negative

and B is not.

Landau's proof ("Beweis: Def ini t ion 55") does no t g ive a c lue , and i n l a t e r

references t o t h e theorem he only uses a ) , b ) , c ) o r d ) . Nevertheless I have .

formalized proofs of e ) and f ) i n the t r a n s l a t i o n .

"Satz 194" and "Satz 199" have complicated proofs by cases , which were

no t easy t o formalize.

5 5. The "Vorbemerkung" t o "Satz 205" requ i res two proofs. Some lemmas

a r e needed f o r t h e proof of t h e "Hauptsatz" i t s e l f , e.g. it is used t h a t 1 - H - . - H = - - ( c f . 2.4). No spec ia l d i f f i c u l t i e s arose i n proving t h i s important - - theorem.

2.6. The a l t e r n a t i v e vers ion of chapter 4

Our motivation t o w r i t e another vers ion of chapter 4, ca l l edchap te r 4a,

was discussed i n 2.1 x ) . I n t h i s chapter the theorems of chapter 4 a r e

proved f o r r e a l s which a r e d e f i n e d i n a way d i f f e r e n t from Landau's. Also

t h e order i n which these theorems appear d i f f e r s from Landau's order .

A t t h e end of t h i s chapter the square roo t of a nonnegative r e a l i s

defined using "Satz 161", and i ts proper t i e s a r e derived. (This has been

done by Landau i n "Kapitel 5, 5 7") .

The lengths of t h e AUT-QE t e x t s of chapter 4 and chapter 4a a r e about

equal.

2.7. The t r a n s l a t i o n of "Kapitel 9"

The a c t u a l t r a n s l a t i o n of t h i s chapter i s preceded by a number of lem-

mas. Some of these g ive p roper t i e s of d iv i s ion on t h e r e a l s , i m p l i c i t l y

used by Landau i n t h e sequel . Further the re a r e lemmas descr ib ing t h e s h i f t

of a segment of i n t e g e r s yly+l,y+2,. . . , x t o an i n i t i a l segment of t h e natu-

r a l s 1 ,2 ,..., (x+1) - y , which serve the t r a n s l a t i o n of 5 8.

The t r a n s l a t i o n of t h e f i r s t seven paragraphs of t h i s chapter was

s t ra ightforward. Preceding the proof of "Satz 221'' some lemmas appear, des-

c r ib ing , f o r a complex number x , the p roper t i e s of Re(x) + Im(x) 2. These

p r o p e r t i e s a r e used by Landau without no t i ce i n t h e proofs of "Satz 221"

and "Satz 229" and i n the d e f i n i t i o n of 1x1 ( ' 'Definit ion 66"). ( ~ n my opi-

nion, a t l e a s t a remark should have been made i n t h i s d e f i n i t i o n , t o t h e e f -

f e c t t h a t Re(xl2 + Im(x) 2 O f o r complex x ) .

5 8. The t r a n s l a t i o n of t h i s paragraph was d i f f i c u l t . Landau d i scusses

x-tuples of complex numbers i n order t o def ine t h e i r sums and products. H e

introduces the concept of an x-tuple a s follows: "Es s e i f ( n ) f i ir n 5 x de-

f i n i e r t " , and expla ins t h i s l a t e r on: "Unter " d e f i n i e r t " ve r s t ehe i c h " a l s

komplexe Zahl d e f i n i e r t " . Af ter proving some theorems he extends t h e concept .

t o x-tuples indexed by segments of (poss ibly negative) in tegers : " In Defini-

t i o n 70 und Satz 284 b i s Satz 286 bezeichnen ausnahmsweise l a t e i n i s c h e Buch-

stabenganze ( n i c h t notwendig p o s i t i v e ) Zahlen.

E s s e i y 5 x , f (n) f a r y n 5 x d e f i n i e r t . . . ." . There a r e ( a t l e a s t ) th ree na tu ra l ways t o represent i n AUT-QE t h e con-

cep t of x-tuple indexed by an i n i t i a l segment of the na tu ra l s :

i) f might be considered a s a funct ion from the type n a t t o t h e type

CX of complex numbers, of which only the f i r s t x values a r e taken in-

t o account. I f we t ake t h i s a t t i t u d e it should be proved t h a t i f f and

g coincide f o r n 5 x then t h e i r sums (and products) up t o x a r e equal.

ii) f might be represented a s a funct ion of type [ t , t l a t l [ l J , t l X ] ~ ~ , i . e .

a s a p a r t i a l funct ion l i k e those discussed i n 1.4.

iii) f might be considered a s a funct ion having a s i ts domain t h e type

I ~ o ( x ) , t h e subtype of those n a t u r a l s which a r e I x.

A l l these p o s s i b i l i t i e s have c e r t a i n advantages. The f i r s t one i s pro-

bably t h e e a s i e s t one, t h e second is i n b e t t e r harmony with the r e s t of our

AUT-QE t r a n s l a t i o n , t h e t h i r d maybe corresponds b e t t e r with Landau's in ten-

t i o n s .

The t h i r d formal iza t ion was f i n a l l y chosen, but caused q u i t e some trou-

b l e because (on account of t h e u n i c i t y of types) numbers of type I ~ o ( x ) do

not have a l s o type I ~ o ( x + ~ ) . A s t o t h e formal iza t ion of x-tuples indexed by segments of t h e in te -

ge r s , t h e r e was the ex t ra d i f f i c u l t y t h a t t h e p red ica te "ganze Zahl" on t h e

r e a l s i s not thoroughly discussed by Landau. E.g. he does not prove t h a t

t h e i n t e g e r s a r e closed under add i t ion and subtract ion, though he uses t h i s

i n t h e t e x t .

For t h i s reason it seemed inappropr ia te t o de f ine the type of i n t e -

ge r s a s a subtype of t h e r e a l s , and t o de f ine f a s a ( p a r t i a l ) funct ion on

t h i s type i n one of t h e ways discussed above.

Therefore we defined f, for fixed integers x and y, as a function of

type [t,reallCU,int(t)]CU,YStlXl~~ i.e. as a partial function on the

reals. (rather like [ t , t la t ] [U , t~x ]cx , see ii) above). With this formalization of x-tuples (resp. (x+i) -y-tuples) the trans-

lation of § 8 turned out to be laborious. Many rather meaningless embedding

and lifting functions appear in the proofs. In particular the proof of

"Satz 283" where it is shown that sums (products) are invariant under per-

mutations of their terns (factors) turned out to be long and tedious. (It

should be remarked that Landau's proof is long too: 4 pages, 87 lines of

German text, while the translation needs 365.lines of AUT-QE text.)

The last two paragraphs did not present difficulties in translating.

3. VERIFICATION

I n t h i s chapter t h e v e r i f i c a t i o n of t h e AUT-QE t e x t i s described. Some

f e a t u r e s of t h e program and t h e p o s s i b i l i t y of excerpting a r e discussed.

3.0. Ver i f i ca t ion of t h e t e x t

The v e r i f i c a t i o n of the AUT-QE t r a n s l a t i o n of Landau's book was execut-

ed on t h e Burroughs B6700 computer a t the Technological Universi ty of Eind-

hoven. The l a s t page of the book was checked i n September 1975. The whole

book was checked i n a f i n a l run on October 18, 1975. The ve r i fy ing program

was conceived by N.G. de Bruijn and implemented by I. Zandleven. For a des-

c r i p t i o n of t h i s program we r e f e r t o [ ~ l ] . Zandleven a l s o provided tha pro-

gram with inpu t and output f a c i l i t i e s , and extended i t with a conversatio-

n a l mode f o r on-l ine checking and cor rec t ing of t e x t s .

The v e r i f i c a t i o n took place i n th ree s tages :

i) F i r s t t h e AUT-QE t e x t was fed i n t o the system on a t e l e p r i n t e r . A t

this s t a g e t h e main s y n t a c t i c a l s t r u c t u r e of t h e t e x t was analyzed. I t

was checked, f o r example, t h a t t h e format of t h e l i n e s was a s it should

be, t h a t the bracketing of the expressions was c o r r e c t , and t h a t no un-

known i d e n t i f i e r s occurred.

ii) Secondly the AUT-QE t e x t was coded. A t this s t a g e t h e c o r r e c t use of

the context s t r u c t u r e , the v a l i d i t y of va r i ab les , t h e c o r r e c t use of

t h e shorthand facility CVD, 2.151 and of t h e paragraph reference sys-

tem (cf . appendix 2 ) , were checked.

iii) F i n a l l y t h e t e x t was checked with respec t t o a l l c lauses of t h e langua-

ge d e f i n i t i o n . A t t h i s s t age the degrees CVD, 2.31 and types of expres-

s ions were ca lcu la ted , and the correctness of app l i ca t ion expressions

and constant expressions was checked. V i t a l f o r t h i s i s t h e v e r i f i c a -

t i o n of t h e d e f i n i t i o n a l equa l i ty of c e r t a i n types (c f . CVD, 2.101,

C Z l l ) .

Runs of t h e s t ages ii) and iii) general ly claimed much of t h e compu-

t e r s ( v i r t u a l ) memory capaci ty (over 600K bytes was needed f o r the program

together w i t h t h e coded t e x t ) . I n order t o avoid congestion i n t h e mult i-

programming system it was therefore necessary t o have the program executed

a t n igh t (and o f f - l ine ) . A s AUMMATHtexts arechecked r e l a t i v e t o correctbooks,

amechanicalprovisionaldebuggingdevice f o r o f f - l ine checking was implemen-

t ed , by which l i n e s which were found incor rec t could be t e n t a t i v e l y repaired.

E.g., when t h e middle par t CVD, 2.13.11 of a l i n e was found i n c o r r e c t , t h e

debugging device changed it temporarily i n t o P N , thus turning an abbrevia-

t i o n l i n e i n t o a PN-line. The l i n e s o "corrected" was then again checked,

and, i f i t w a s foundcor rec t , t h e l i n e s following couldthenbechecked r e l a t i v e t o

the "corrected" book. By t h i s device it was not necessary t o s t o p t h e check-

ing immediately a f t e r t h e f i r s t e r r o r had been found.

Another f e a t u r e of t h e ve r i fy ing program was added because of t h e f a c t

t h a t proving expressions t o be incor rec t (especia l ly proving expressions t o

be not d e f i n i t i o n a l l y equal) i s o f ten more d i f f i c u l t and more time-consum-

ing then proving correctness . Therefore during o f f - l i n e runs a parameter i n

the program iviz . t h e number of decis ion po in t s , t o be explained i n 3.1) has

been l imi ted, and l i n e s were considered provis ional ly incor rec t when t h i s

l i m i t was exceeded.

When the l a t e r chapters were checked, w e reduced t h e demands on t h e

computers memory capacity by abridging the book r e l a t i v e t o which t h e t e x t

was checked, i n t h e following way: I n the chapters which had already been

found cor rec t , the proofs of theorems and lemmas were omitted, a n d t h e f i n a l

l i n e s of these proofs (where the theorems and lemmas a r e asser ted) were

changed i n t o PN-lines. Each time a chapter was completely checked ( r e l a t i v e

t o t h e book so abridged) it was abridged i n i t s turn .

Text which a r e c o r r e c t r e l a t i v e t o the abridged book w i l l be c o r r e c t

with respect t o t h e unabridged book too. On the other hand, a s i n c l a s s i c a l

mathematics the re i s no reference t o proofs but only t o asse r t ions , it i s

unl ikely t h a t t e x t s w h i c h a r e c o r r e c t r e l a t i v e t o the unabridged book w i l l

be re jec ted r e l a t i v e t o t h e abridged book. I n ac tua l f a c t t h i s d id not

occur.

When a chapter , a f t e r several o f f - l i n e runs of t h e program,wasfound

t o be "nearly cor rec t " , the f i n a l v e r i f i c a t i o n of t h a t chapter took place

on-line. I n suchanon-l ine run t h e remaining e r r o r s could be i m e d i a t e l y

corrected. Moreover c o r r e c t l i n e s could be v e r i f i e d , which had been provi-

s iona l ly re jec ted because t h e n b b e r of decis ion po in t s during v e r i f i c a t i o n

i n o f f - l ine runs had exceeded the chosen l i m i t . The v e r i f i c a t i o n of such

complicated l i n e s could be shortened by d i rec t ing ( i n conversational mode)

the s t ra tegy f o r es tab l i sh ing d e f i n i t i o n a l equal i ty .

After a l l chapters were v e r i f i e d i n t h i s way, t h e i n t e g r a l AUT-QE

t e x t (complete and unabridged) was checked during a f i n a l on-line run,

which took 2 hours ( r e a l t ime) . Of t h i s time 42 min was spent on v e r i f i c a -

t i o n (not including t h e time needed f o r coding).

32

I n a t a b l e we l i s t some da ta on t h i s f i n a l run, concerning v e r i f i c a t i o n

time, number of performed reductions and memory occupied

verification time

in seconds

a-reductiorrs

8-reductions

6-reductions

q-reductions

nr. of lines

nr. of expressions

preliminarl

text

chapter

1

143.1

752

832

1111

- 886

12155

complete

text

2519.7

10485

6014

20063

2

13433

215138

Since one coded expression occupies about 30 bytes (mainly used f o r referen-

ces t o subexpressions), the t o t a l memory required f o r t h e coded book is

about 6500 K bytes (= 52000 K b i t s ) .

3.1. Control l ing the s t r a t e g y of t h e program

I n order t o e s t a b l i s h d e f i n i t i o n a l equa l i ty of two expressions, t h e

v e r i f i c a t i o n system t r i e s t o f i n d another expression t o which both reduce.

The choice of e f f i c i e n t reduction s t e p s f o r t h i s purpose is a mat ter of

s t r a t e g y ( C V D , 6.4.11) . The programmed s t r a t e g y is described i n [~l].

Under t h i s s t r a t e g y i t is poss ib le t h a t intermediate r e s u l t s a r e ob-

ta ined which s t rong ly suggest a negative answer t o t h e quest ion of de f in i -

t i o n a l equa l i ty , without d e f i n i t e l y s e t t l i n g it. Suppose, f o r example, t h a t

a(p)=a(q) has t o be es tabl ished. The programs s t r a t e g y is t o a s c e r t a i n

t h a t t h e constants a and a a r e i d e n t i c a l and t o v e r i f y whether p=q . I f t h i s i s not t h e case , the re i s a s t rong suggestion t h a t a (p ) and a ( q )

a r e no t d e f i n i t i o n a l l y equal e i t h e r , bu t t h i s i s y e t uncer ta in . For example,

they a r e d e f i n i t i o n a l l y equal r e l a t i v e t o t h e book

* n := P N E type -- * p := P N E n - * q := P N E n - * x := - E n -

~ * a : = P - E n

~t is a matter of s t r a t e g y how t o proceed i n such cases. We may e i t h e r

apply 6-reduction ( i n which case t h e i s s u e w i l l be eventual ly s e t t l e d ) o r

we may t r y t o continue t h e v e r i f i c a t i o n process without using a(p)=a(q) .

Such a situation is called a decision point. In on-line runs the veri-

fication may be controlled here by the human operator. (Actually, in the

situation sketched above, information will be supplied, and the question

will appear whether 6-reduction should be tried.) In off-line runs 6-reduc-

tion will be applied in order to get a definite answer to the question, and

it will be checked that the total number of decision points passed during

the checking of a line does not exceed the chosen limit (cf. 3.0).

3.2. Shortcomings in the verifying program

In appendix 5, two shortcomings in the verifying program are indicated.

Due to these shortcomings there is, at this moment no complete (mechanical-

ly sustained) certainty that the verified AUT-QE text is correct.

It is hard to believe, however, that any incorrect AUT-QE lines have

been accepted by the machine during verification. We mention the following ,

rather intuitive considerations in support of this opinion:

i) Given a correct AUT-QE expression, we can consider all possible ways to

change it into an incorrect one by replacing, somewhere, a bound varia-

ble by an other one. Only a very small fraction of these possibilities

will give rise to incorrect expressions which the program (unjustly) ac-

cepts. For most expressions this fraction will even be 0. As the writer

intended to produce correct AUT-QE expressions, and as he did not make

many mistakes using wrong variables, it is improbable that incorrect ex-

pressions have been accepted.

ii) No correct expressions have ever been refused during the verification,

though the number of correct expressions presented exceeded considera-

bly the number of incorrect ones.

Before long the text will be verified by anentirely new program, in

which clash of variables is impossible because the coding system uses name-

less variabZes ( Cd~2 1 ) .

3.3. Excerpting,

Let B be an AUT-QE book, i.e. a finite sequence of lines. A subbook of

B is a subsequence of this sequence. A program, called excerpt, is availa-

ble which, given a correct book B and a line R of B, produces the minimal

correct subbook of B containing R. (It is possible to have the line provi-

sionally changed into a PN-line before the subbook is produced.)

This program w i l l d isplay a l l concepts re levan t t o t h e d e f i n i t i o n of a

given concept, and a l l theorems (with t h e i r proofs) used ( e x p l i c i t l y o r i m -

p l i c i t l y ) i n t h e proof of a given theorem. (If the l i n e is f i r s t changed in-

t o a PN-line, the program w i l l j u s t g ive t h e assumptions under which the

theorem holds, and t h e concepts necessary t o understand i ts contents.)

AS an example, we give i n appendix 4 an excerpted t e x t f o r "Satz 27".

4. CONCLUSIONS

Inthi~~hapter~ediscuss some possibilities to represent logic in

AUTOMATH. We indicate some desirable extensions of AUT-68 and AUT-QE, and

we discuss some aspects (positive as well as negative) of our translation.

4.0. Formalization of logic in AUTOMATH

In this section we shall describe various possibilities to represent

systems of natural deduction in AUT-68 (CVD, 2]), in AUT-QE and in some

closely related languages. First we discuss two main decisions which have

to be made when choosing between these possibilities. Then we indicate ex-

plicitly two possibilities to represent logic.

4.0.0. First order V. higher order

In most AUTOMATH languages there are certain restrictions on abstrac-

tion. E.g. in AUT-68 as well as in AUT-QE correct abstraction expressions

have the form Cx,al~ where a is a 2-expression (and hence x, having type a,

is a 3-variable, i.e. a variable which is a 3-expression).

Such restrictions allow a faithful representation of first order logic

(in the sense of excluding higher order formulas and inferences). In AUT-68

as well as in AUT-QE this can be done by representing propositions and pre-

dicates as 2-expressions (as described in CVD, 31). Then proposition varia-

bles and (in AUT-QE) predicate variables will be 2-variables and abstrac-

tion (or quantification) with respect to such variables is impossible in

the language. If, in such a setting, we want to discern between proposition

variables and predicate variables then it is necessary to have abstraction

expressions of degree 1 in the language, i.e. to use AUT-QE (and not

AUT-68) . In order to represent higher order logic we should require the possi-

bility of abstraction with respect to proposition and predicate variables.

Therefore, if we stick to the abstraction restrictions of AUT-68 or AUT-QE,

we should represent propositions and predicates by 3-expressions. We may

proceed in two ways:

i) we can associate to each proposition a (primitive) type (which we will

call the assertion type of the proposition). Objects of this type will

be considered as proofs of the proposition. In other words: we consider

the proposition as asserted iff its assertion type contains some object.

This possibility will be elaborated in 4.0.2.

( In e a r l i e r publ icat ion on AUT-68, boo1 and TRUE were used ins tead of

PROP and 1 ) . If S i s a type, an ob jec t P - E [X ,SIPROP has t o be i n t e r -

pre ted a s a predicate . Objects of type C X , S I ~ ( < X > P ) must then be i n t e r -

pre ted a s proving t h a t P holds f o r every X s . So we want t o introduce

t h e proposi t ion V ( S , P ) which has the property t h a t i t s a s s e r t i o n type con-

t a i n s elements i f f t h e type C X , S I ~ ( < X > P ) contains elements. This is ex-

pressed i n the following l i n e s :

S t a r t i n g from these pr imit ive concepts and axioms, higher order log ic can

be developed. An ind ica t ion of h3w t h i s can be done, is given i n appendix 6 ,

where t h e f i r s t t h r e e theorems from Landau's book a r e derived on t h e b a s i s

of t h e l o g i c so developed.

This log ic represents a const ruct ive system of na tu ra l deduction.

Axioms could be added f o r extensional equa l i ty of functions and extensional

equality of propositions ( i . e . i f a ++ b then a = b ) .

C lass ica l l o g i c could be represented t h i s way by adding axioms f o r ir-

relevance of proofs:

and f o r t h e double negation law:

4.0.3. A representa t ion of log ic i n AUT-QE

How log ic can be represented i n AUT-QE is described i n CVD, 31 . This

system, a f i r s t order system of na tu ra l deduction, has been used i n our

t r a n s l a t i o n . An ind ica t ion of the development of log ic i n it can be found

i n t h e excerpted t e x t i n appendix 7 , which covers t h e proofs of t h e f i r s t

th ree theorems of Landau's book and t h e l o g i c used i n these proofs.

The system i s a b i t ambivalent, because it is c l a s s i c a l ( c o n t a i n i n g t h e

double negation law a s an axiom) but does not s a t i s f y i r re levance of proofs.

There a r e two obvious ways t o implement i r re levance of proofs:

i) by adding an axiom:

That is: i f t o every proof of A an ob jec t of type S i s associa ted,

then t h i s ob jec t i s independent of t h e nature of t h e proof. I t has been

indicated by J. Zucker t h a t t h i s axiom implies i r re levance of proofs i n

p a r t i a l funct ions a s mentioned i n 1.4:

ii) by extending, in the language, the relation of definitional equality,

in such a way that two 3p-expressions (cf. 1.2) are definitionally equal

iff their types are definitionally equal. This has been done in the lan-

guage AUT-Jl (cf. [z]), but could be done in a variant of AUT-QE as well.

If we want to formalize intuitionistic logic in AUT-QE we should have

the absurdity rule (i.e. contradiction implies any proposition) instead of

the double negation law. The logical connectives (apart from implication)

and the existential quantifier could be added as primitive constants, and

their elimination- and introduction rules as axioms.

4.1. The language

In this section we discuss some features of AUTOMATH languages, and

the value of these features for the formalization of mathematics.

4.1.0. AUT-SYNT

Consider the following AUT-QE text, representing the introduction rule

for conjunction:

* a . - . - - E p r o p - a * b := - - Eprop b * u . - . - - E a - U * V . - . - - E b - v * andi := ----- E and(a,b) -

(where the dots indicate some proof which is irrelevant for the present dis-

cussion). We will call the variables a,b,u,v the parameters of andi . If we want to apply this rule for propositions A and B, we need two proofs p and q

of the propositions, thus getting the proof andi(A,B,p,q) E and(A,B). Suppose we are given the proof p, then we can compute mechanically its

type (Cf . , CVD, 6.4.2.3 1 ) which is (def initionally equal to) the proposition A it proves. A similar observation holds for q and B. Hence we could say

that the expression andi(A,B,p,q) contains redundant information. If the

"mechanicaZ type" function CAT (CVD, 6.4.2.31) were incorporated in the lan-

guage, we could write, instead of the expression above, andi(CAT(p),CAT(q),

p,q), .which only contains p and q. We will call the parameters U and V

(for which p and q are substituted) the essentiaz parameters of andi , while a and b (for which the redundant expressions A and B are substituted)

are called redundant parameters. There are many other examples of expres-

sions with redundant parameters.

It is worth while to extend the language in such a way that redundant

parameters can be avoided, because the expressions which have to be substi-

tuted for them might be long. A system of extensions of this kind has been

proposed by I. Zandleven. It is called AUT-SYNT since it admits syntactic

variabtes for expressions. Thus we have the languages AUT-68-SYNT, AUT-QE-

SYNT etc.

For a description of AUT-SYNT we refer to appendix 9, a text in AUT-

68-SYNT may be found in appendix 8.

Our experiences with translating Landau's book have been a stimulus

for developing AUT-SYNT, and have indicated the way this could be done. As

no verifying program for SYNT languages was available until after the trans-

lation was finished, the SYNT-facility could not be used in the translation.

This may be considered unfortunate, because the presence of this facility

would have simplified both the writing and the reading of our text.

4.1.1. n-reduction in AUTOMATH

In AUT-68 and AUT-QE one of the possible ways to establish definitional

equality is by n-reduction (CVD, 6.2.21): If x is not free in A then

[x,a]<x>A >,, A. As can be seen in the list in 3, 17 reduction was applied

only twice during the verification of our translation. We give the lines

which required these n-reductions, together with their relevant contexts.

The following lines from the text on propositional logic are presup-

posed :

* con := PN - E p r o p * a . - . - - Eprop -

a * n o t := Cx,alcon - E p r o p a * u . - . - - E n o t ( n o t ( a ) ) - u * e t := PN E a - a * u . - . - - E con - u * cone := et(a,Cx,not(a)lu) - E a

The first line where n-reduction is required occurs in the text on pre-

dicate logic. In this text the following lines appear:

* S := - S * P := - P * all := P

P * non := Cx,Slnot(<x>P)

P * u := - u * v := - v * s := - s * tl := et(<s>P,<s>v)

v * t 2 := <Cx,Sltl(x)>u

Etype - E [xsslprop - Eprop - E Cx,Slprop - E not(al1 (SSP)) - E non(non(P)) - E S - E <s>P - E con -

In order to verify that the middle part of this last line is a correct ex-

pression, it should be established that

We have

The question is to establish

This obviously requires 0-reduction.

The second case in which 0-reduction is used occurs in the text on ge-

neralized implication:

* a := - E p r o p - a * b := - - E Cx,alprop

b * imp := b - Eprop b * u := - - E not(a) u * th2 := C x , a l c o n e ( ~ x ~ b , ~ x ~ u ) - E imp(a,b)

Here, in order to verify the last line, it is asked whether the category of

the middle part definitionally equals the category part, i.e. whether

Now

and therefore n-reduction must be used for establishing

I t has been observed by v. Daalen t h a t n-reduction might have

avoided i n both cases by a s l i g h t modification of the d e f i n i t i o n s :

( i n t h e f i r s t case) and f o r imp ( i n the second c a s e ) . I n f a c t a

have been defined by

P * a l l := [x,Sl<x>P - E prop

and imp by

'b * imp := Cx,sl<x>b - E prpp

been

f o r a l l

11 might

This would have made no di f ference t o t h e r e s t of the book, a p a r t from t h e

f a c t t h a t i n some places an e x t r a 8-reduction would have been necessary. In

f a c t , i f a p red ica te P is defined e x p l i c i t l y ( a s opposed t o being a predica- D

t e va r iab le o r a pr imit ive predicate constant) then P = [y,S]m(y) , say,

and we have, without n-reduction

We conclude the re fore t h a t q-reduction does not add considerably t o

t h e expressive power of AUTOMATH.

4.1.2. prOp v. type

I n the s tage of exploration of the p o s s i b i l i t i e s t o represent l o g i c i n

ATJT-QE, i n i t i a l l y a v a r i a n t of t h i s language was used which d id not contain

t h e 1-expression prOp . I t was therefore impossible t o p resc r ibe whether

types had t o be in te rp re ted a s asse r t ion types (containing proofs) o r "or-

dinary" types (containing "ordinary" ob jec t s ) . Contradiction was represented a s a p r i m i t i v e t y p e , negation and t h e dou-

b l e negation law were formalized i n terms of t h i s type a s follows:

* con . - . - PN - E t y p e * a . - . - - E t y p e -

a * no t := Cx ,alcon - E t y p e a * u . - . - - E n o t ( n o t ( a ) ) - u * d.n.1. := P N E a -

I f i n t h i s t e x t a is in te rp re ted a s an "ordinary" type, n a t say, then

expressions of type n o t ( a ) ( o r [X , ~ I c o ~ ) could be in te rp re ted a s proofs t h a t

a i s empty ( i n f a c t , i f we have p n o t ( a ) , then f o r an ob jec t X a we

have <X>p t o prove con t rad ic t ion) . Hence expressions of type n o t ( n o t ( a ) )

have to be interpreted as proofs that a is (in a weak sense) nonempty.

Given such a proof q we have an object d . n. 1 (a ,q) E a . Or, in other words: d.n .1 acts as a Hilbert operator, selecting an object from any non-

empty type. In particular this induces a form of the axiom of choice.

As we did not want the double negation law to have such far-reaching

consequences, we extended the language by admitting prOp as a basic 1-

expression. Thus we obtained the language AUT-QE (as defined in CVD, 511,

in which it is possible to distinguish between assertion types and ordinary

types.

The distinction of prop and type not onlyunlinkedthe double negation

law from the axiom of choice, but also made it possible to implement irrele-

vance of proofs (cf. 4.0.1, 1.4). This opportunity was not seized in the lo-

gic underlying our translation (though this would have been natural). For

an explanation we refer to 4.2.1.

We may conclude that the distinction between proofs and "ordinary" ob-

jects is an essential feature when representing classical logic in AUTOMATH.

For representing constructive logic the version with only keeps its

value.

4.1.3. Strings and telescopes

In chapter 2 of his book Landau uses pairs (x x ) of natural numbers. 1' 2 He considers such a pair as a single object and yet he describes it by two

variables. A faithful translation of this practice could have been given if

the concept of a string of expressions would have been present in our lan-

guage.

Another use strings of expressions might have is as arguments of par-

tial functions (as described in 1.4). In fact such functions are applied to

pairs (a,p) where a is an object of a certain type S , and p a proof

that a satisfies some predicate P on S (which describes the range of

the function) . As a further example we consider the concept of a group, which might

be considered as a string (S,op,iv,e,p) where S E type, Op [x,S][y,S]S,

iv - E [x,S]S, e E S and p - E groupaxioms(S,op,iv,e) . We usually want the types of the expressions of such a string to satis-

fy certain conditions. In the case of the argument (a,p) of partial function we want a - E S, p E <a>P . In other words we want the argument (a,p)

to be consistent with the "abstractor part" of the function: X S ;

y <x>P . In the case of the group we want a group (SY0p ,iv ,e,p) to be

consistent with

x - E type; y E CS,XlCt,xlx; z E Cs,xlx; u - E X;

There is a strong analogy with the case where expressions All ..., A are re- n quired to be suitable candidates for substitution for the variables xl,..,x

n of a certain context x E a ,x E a2,.. .,x E a (~f. CVD, 2.51). 1 - 1 2 n n

To describe such conditions on strings we introduce the following ter-

minology. A finite sequence of E formulas xl g a l , ..., x E a is called a n - n teZescope, The string of expressions (al,...,an) is said to fit into the

telescope xl E all ..., x E an if al E al,a2 E @x /a Da n - 1 1 21""

a E Uxl,. . . ,x /al ,.. . ,a Dan. n - n- 1 n- 1

Extension of the language with constants and variables for strings

and defined constants for telescopeshasbeen proposed by de Bruijn. This is

especially helpful, when formalizing abstract structures such as groups,

vector spaces or categories, andhas been applied on a large scale by

J. Zucker (Cf. [z]).

4.2. Comments on the translation

In this section we first give a chronological survey of the different

representations of logic which have been tried, and we state the motives

for finally choosing AUT-QE as a language for our translation. Furthermore

we mention some aspects which are (in our opinion) shortcomings of the

translation and we add some positive conditions which can be drawn from our

work.

4.2.0. Choice of the language

In our first attempts to translate Landau's "Grundlagen" in AUTOMATH,

we used the language AUT-68. The representation of logic was similar to the

one described in 4.0.2 and presented in appendix 6. Elimination and intro-

duction of V were effected by the axioms Ve (with parameters S E type,

p [x,S]PROP, a L S, U ~(v(S,P)) ) and Vi (with parameters S E type, P - E [x,S]PROP, u - E [x,S]~(<X>P) ) . These axioms were used frequently in developing logic, because the logical connectives and the existential quanti-

fier were defined in terms of V . On the basis of this logic chapter 1 of Landau's book was translated in AUT-68.

At that stage of our work we started trying to represent logic in

AUT-QE, initially using a variant of that language which did not contain

prop. In AUT-QE the axioms Vi and Ve were superfluous: if P - E [ X ,S!*

(i.e. P represents a predicate on S ) then objects of type P can be

interpreted as proofs of v(S,P) . Conversely, given such an object U P

and an object a S we have <a>U - E <a>P (i.e. <a>U proves that P holds at a ) . As a consequence the text on logic in AUT-QE was considera-

bly shorter then the earlier text in AUT-68. (It was not observed at that

time, that this was caused essentially by the redundant parameters and

P of both constants ve and b'i .) So AUT-QE seemed to be a much better

language, and therefore a fresh start was made with the translation of

Landau's book into that language. In 4.1.2 we have reported that in this

system (AUT-QE without prop) the double negation law induces a Hilbert ope-

rator. This led us to add - as a basic 1-expression to our language, thus extending it to proper AUT-QE.

At the time we finally fixed the language we did not appreciate the

fundamental importance of incorporating a form of irrelevance of proofs.

This was due mainly to two reasons:

i) Partial functions are not frequently used in the first three chapters

of Landau's book, and for those partial functions which are defined

there, irrelevance ofproofscould be derived. Therefore no need was

felt for an axiom.

ii) As Landau, being a classical mathematician, does not discuss proofs at

all, we thought we should try to follow this practice. Consequently we

did not want to have an axiom declaring proofs equal.

4.2.1. Shortcomings of the translation

Here I list those features of the translation which I would change if

I were to redo the work.

i) In my opinion the SYNT-facility should be present in any AUTOMATH lan-

guage. It will bring texts in AUTOMATH closer to mathematical practice.

The middle parts of many lines in the present Landau translation are

unnecessarily complex and tedious (both to the reader and to the wri-

ter), because this facility is absent in the language I used.

ii) I regret that I have not implemented irrelevance of proofs as an axiom.

As I see it now, for representing classical reasoning a language should

be chosen which even contains irrelevance of proofs by definitional

46

iii)

iv)

equality (Cf. 4.0.2).

Some of the names I have used lack expressive power. This is partly

due to the fact that AUT-QE admits only alphanumeric identifiers, but

mainly to my excessive preference for short names.

I am not content with the translation of chapter 5, 5 8. This text is

overloaded with irrelevant embedding and lifting functions which ham-

per a clear understanding of the argument. I think it is better to de- n n

fine 1 f (i) and f(i) for functions f defined for all natural num- i=l i= 1

bers (and not just on an initial part of the naturals), although this

procedure deviates slightly from Landau's intentions.

4.3.2. Final remarks

The main positive comment we can make on the translation is that it

has been succesfully finished (in spite of some inconveniences in the lan-

guage) . An aspect which has not been mentioned so far is the ratio between the

length of pieces of AUT-QE text and the length of the corresponding German

texts. Our claim at the outset was that this ratio can be kept constant. We

give a few data. As pieces of text we have chosen the chapters of Landau's

book, and as a measure of the lengths the number of stored AUT-QE expres-

sions (storing expressions requires storing all subexpressions too) and

(rough estimates of) the number of German words (where "x" and "+" were counted as words). We give the following list:

chapter 1 chapter 2 chapter 3 chapter 4 chapter 5

nr. of expressions 12200 25800 30300 35000 60500

nr. of words 3200 4900 5300 5500 11000

nr. of expressions nr. of words 3,8

The high ratio in chapter 4 might be attributed to the complicated defini-

tions by cases in this chapter, while the low ratio in chapter 1 is possi-

bly caused by the absence of calculations.

Another notable aspect of the work is the comparatively small place

taken by th.e preliminaries. It appears that a formal treatment of the logic

underlying mathematics (if we disregard metalogic) is much easier than a

formal treatment of mathematics itself.

I t has no t been the purpose of t h i s e n t e r p r i s e t o const ruct a formal

system which s u i t s my own fancy and t o develop i n t h i s system the theory of

n a t u r a l s , r e a l s and complex numbers. I have r a t h e r t r i e d t o represent i n a

language which was e s s e n t i a l l y given beforehand, a wide v a r i e t y of concepts

and ideas a s expressed i n a book l i k e Landau's. The success of t h i s under-

t ak ing is due t o t h e f l e x i b i l i t y of AUTOMATH languages, and t o t h e c l o s e

connection which can be made between these languages and i n t u i t i v e human

reasoning.

4 8

Appendix 1. REPRINT. Published i n t h e

Proceedings of t h e Symposium

on APL (Par i s , December 1973) , ed. P. Braffor t .

A desc r ip t ion of AUTOMATH and some aspects of

its language theory

D.T. van Daalen *)

0. Summary

This note presents a self-contained in t roduct ion i n t o AUTOMATH, a formal

d e f i n i t i o n and an overview of t h e language theory. Thus it can serve a s an

in t roduct ion t o the papers of L.S. J u t t i n g [ 71 and I. Zandleven [ I l l i n t h i s

volume. Among the var ious AUTOMATH languages t h i s paper concentra tes on the

o r i g i n a l vers ion AUT-68 (because of i t s r e l a t i v e s impl ic i ty ) and one exten-

s ion AUT-QE ( i n which most t e x t s have been wr i t t en thus f a r ) .

The contents a re :

1. Introductory remarks.

2. Informal desc r ip t ion of AUT-68.

3. Mathematics i n AUTOMATH: proposi t ions and types.

4. Extension of AUT-68 t o AUT-QE.

5. A formal d e f i n i t i o n of AUT-QE.

6. Some remarks on language theory.

For a desc r ip t ion of the AUTOMATH p r o j e c t and f o r i ts motivation we r e f e r

t o Prof . D e B r u i j n ' s paper a l s o i n t h i s volume C41.

*) The author i s employed i n the AUTOMATH p r o j e c t and is supported by the

Netherlands Organization f o r the Advancement of Pure Science ( Z . W . 0 ) .

1. Introductory remarks

1.1. According t o t h e claims f o r the formal system AUTOMATH one should be

ab le t o formalizemanymathematical f i e l d s i n it i n such a p rec i se and com-

p l e t e fashion t h a t machine v e r i f i c a t i o n becomes poss ible . The f l e x i b i l i t y

required t o meet the indicated un ive r sa l i ty is provided by having a r a t h e r

meagre basic system. The AUTOMATH user himself has t o add appropr ia te p r i m i -

t i v e notions t o t h e b a s i c system i n order t o introduce the concepts and

axioms s p e c i f i c t o the p a r t of mathematics he l i k e s t o consider. In this

respec t , the b a s i c system may be compared with some usual system of log ic

(e.g. f i r s t order p red ica te ca lculus) t o which one adds mathematical axioms

i n order t o form mathematical theor ies .

1 .2 . In s p i t e of this analogy however the bas ic system i t s e l f does no t con-

t a i n any log ic i n the usual sense. Basic f o r the system a r e the concept of

type and function ( ins tead o f , e .g., t he concept of s e t or of n a t u r a l num-

b e r ) , which a r e formalized by a c e r t a i n typed A-calculus.

When represent ing mathematics i n AUTOMATH one has t o d e a l with the

question of coding: HOW t o formalize general mathematical concepts i n the

form of types and functions (see sec t ion 2 . 2 ) . Clear ly an appropr ia te

formalization w i l l incorporate a s much a s poss ible of the bas ic type-and-

function framework. Section 3 discusses t h i s coding problem and i n pa r t i cu -

l a r proposes a s u i t a b l e way of represent ing proposi t ions , p red ica tes and

proofs ( a functional interpretation of l o g i c ) .

1.3. In order t o s a t i s f y the claim of autamatic v e r i f i c a t i o n of correctness

the system c e r t a i n l y has t o be decidable (and even feasibly decidable on now-

e x i s t i n g computing machines). Since many common mathematical t h e o r i e s pro-

duce undecidable s e t s of theorems we must conclude t h a t we cannot expect

the computer t o do a l l our work. Indeed theorems have t o be given together

with the ir proofs i n order t o allow v e r i f i c a t i o n .

Thus the cor rec tness produced by the machine v e r i f i c a t i o n covers the

arguments leading from axioms t o conclusions only. The AUTOMATH user him-

s e l f i s responsible f o r h i s choice of pr imi t ive notions and a l l the coding

(and decoding) involved.

2. Informal desc r ip t ion of AUTOMATH

2.1. In t roduct ion

Here we t r e a t the o r i g i n a l vers ion of AUTOMATH, now named AUT-68. We

chose t h i s system a s an example because of i ts r e l a t i v e s impl ic i ty . The

discuss ion w i l l be informal and i n t u i t i v e and i n f a c t r e s t r i c t e d t o the

object-and-type fragment of t h e language ( thus leaving the proof-and-pro-

pos i t ion fragment t o sec t ion 3 ) .

2.2. I n t u i t i v e framework

(This sec t ion may be skipped by f o r m a l i s t s ) .

The mathematical e n t i t i e s discussed i n the language f a l l i n t o two s o r t s :

objects and types. The types may be considered a s c l a s s e s or s e t s of a cer-

t a i n kind, which may have ob jec t s a s t h e i r elements. A l l types a r e supposed

t o be d i s j o i n t , f o r each ob jec t belongs t o j u s t one type. This uniqueness

of types permits one t o speak about the type of an object .

The types t ruc tu re is b u i l t up by s t a r t i n g from ground types and forming

firnetion types from these . Each mathematician may choose the ground types

himself ( a s p r imi t ive not ions) , e .g. the type of n a t u r a l numbers.

An example of a funct ion type is the type a -t 6 (where a and 6 a r e

types) of the funct ions from a t o 8 . More general ly , the funct ion types a r e

formed by taking products, a s follows: The language allows one t o express

dependence of types on ob jec t s (of some given type) . That is , one can des-

c r i b e c e r t a i n fami l i e s of types 6 indexed by t h e ob jec t s x of a given type X

u. NOW every funct ion type is formed a s the generazized Cartesian product

of such 6 usual ly denoted .Bx, and containing a s ob jec t s j u s t these X I XEa

funct ions t h a t a s soc ia te t o any ob jec t x of type ct an o b j e c t of type 8,. The

type a + 6 i s the s p e c i a l case where a l l a r e a f ixed type 6 . X

2.3. Expressions, degrees and formulas; correctness

The language a s such only expresses t h e const ruct ions of types and ob-

j e c t s and the typing r e l a t i o n s between ob jec t s and types.

The express;ons of t h e language have degree 1, 2 or 3. Types and ob jec t s

a r e denoted by expressions of degree 2 and 3 respec t ive ly ( f o r s h o r t 2-expres-

s ions , 3-expressions). For convenience we introduce t h e 1-expressions type

t o provide a type f o r t h e types . Further I-expressions w i l l be introduced

i n sec t ions 3 and 4 .

The symbol E expresses the typing r e l a t i o n : ... has type ... . So i f A

denotes an o b j e c t then we have the formulas A E a and a E type. The 2-ex-

press ions and 3-expressions a r e b c i l t up from variabzes and constant-ex-

pressions by means o f :

i) the s u b s t i t u t i o n mechanism ( sec t ion 2.5)

ii) func t i cna l abs t rac t ion and app l i ca t ion ( sec t ions 2.8 and 2.10).

The constant-exprsssions have the form c (x l , . . .,x, ) where x l , . . . ,xk a r e IC

v a r i a b l e s and c i s e i t h e r a primitive constant introduced a s a p r imi t ive

notion ( sec t ion 2.6) o r a defined constant ( sec t ion 2.7) . Expressions and formulas a r e correct i f they a r e constructed according

t o t h e r u l e s of t h e language, which a r e informally discussed i n the sequel .

2.4. Variables and contexts

A mathematical statement genera l ly presupposes c e r t a i n assumptions on

the va r i ab les used. For example: " l e t x be a n a t u r a l and y a r e a l number".

In AUTOMATH, i n accordance whis t h i s usage, each va r i ab le of degree 3 fobject-

variable) ranges over a c e r t a i n type, c a l l e d the type of t h e va r i ab le . The

2-variables (type-variables) a r e supposed t o range through the types and

have ype a s t h e i r type.

Expressions and formulas containing free object - o r type-variables, say

x l r . . . , x k r can only be correct r e l a t i v e t o a c e r t a i n context: 1.e . a f i n i t e

sequence of E-formulas x E a l l ..., x E a ca l l ed a s s q t i o n s , i n which the 1 - k - k t

f r e e v a r i a b l e s have t o be e x p l i c i t l y introduced with t h e i r types.

Some of the types a may depend on the v a r i a b l e s given e a r l i e r i n the i

sequence. For ins tance , a may contain both x and x a s f r e e va r i ab les . I t 3 1 2

i s understood t h a t a l l a a r e c o r r e c t expressions themselves: a l r e l a t i v e i

t o t h e w?lpty context , a 2 r e l a t i v e t o x E a l l e t c . 1

2.5. Subs t i tu t ion mechanism

Let us, i n informal d iscuss ion, e x h i b i t the poss ible dependence of an

expression 1 on va r iab les x i , ..., xk by wr i t ing Clxl , ..., xk] f o r C . Then we

wr i t e C [ A ~ , . . . ,Ak] f o r the r e s u l t of sinncZtaneousZy substituting A f o r x i i

( f o r i = 1, ..., k) i n C.

Suppose t h a t under assumptions x l E a l r . . . , x E a we have a c o r r e c t k - k

E-formula ~ [ x ~ , . . . , x ~ D E aCxl,. . . ,x 1. Then t h e substitution mechanism - k y i e l d s the s u b s t i t u t i o n instance A B A ~ , ..., A 1 E a [ A l r . . . , ~ D f o r any sequence k -

A l l . . . , % of s u i t a b l e candidates f o r x i , ..., x 1 .e . these A k ' l, . . . ,% have

t o be of the appropr ia te types where, however, i n view of the poss ib le de-

pendence of types on v a r i a b l e s , the s u b s t i t u t i o n has t o t ake p lace i n the

types too. So we requ i re

2.6. Pr imi t ive not ions

AS mentioned before , one has t o add pr imi t ive notions t o t h e b a s i c system

i n order t o in t roduce t h e s p e c i f i c concepts of the p iece of mathematics one

wants t o study . For example, i n order t o w r i t e about the n a t u r a l numbers, one might

introduce the pr imi t ive type-cons tant n a t and t h e ob ject-cons tan t 1 by axio-

ma t ica l ly s t a t i n g :

n a t E*

1 E n a t . I n genera l , p r imi t ive notions a r e introduced by s t a t i n g an axiomatic - E-for-

mula p(x1, . . . ,xk) E a [ x l , . . . , ~ ] under c e r t a i n assumptions xl E a l l ... x E ak. k -

Here e i t h e r a i s (and p is a type-constant) o r i n t h e c u r r e n t context

we have a E type a l ready (p being an object-constant) . A l l c o r r e c t s u b s t i t u t i o n ins tances p(A1, ...,% ) of such a constant-ex-

press ion p ( x l , ..., x can be produced by the s u b s t i t u t i o n mechanism, des- k cr ibed above.

For example, t h e concept of successo2- i n the n a t u r a l number system can

be introduced under t h e assumption x E n a t by s t a t i n g : successor(x) E na t .

Using the s u b s t i t u t i o n mechanism we g e t

successor (1 ) E n a t - successor (successor (1) ) E n a t , e t c .

Notice t h a t p r imi t ive constant-expressions may n o t only contain object-

va r i ab les ( l i k e the x i n successor (x ) )bu t a l s o type-variables.

2.7. Abbreviations

In mathematics one o f t en introduces abbrevia t ions , i . e . new names f o r

poss ibly long and complicated expressions. In AUTOMATH t h i s abbrevia t ion

f a c i l i t y i s a l s o present ; indeed, it w i l l appear t h a t by the p a r t i c u l a r

format of the language every derBved statement g ives r i s e t o the in t roduct ion

of a new defined constant . Although t h i s kind of e x p l i c i t d e f i n i t i o n i s of-

t en considered t h e o r e t i c a l l y uninteres t ing, we f e e l t h a t it is e s s e n t i a l i n

p r a c t i c e f o r t h e a c t u a l formal iza t ion and v e r i f i c a t i o n of complicated theor ies .

J u s t like pr imi t ive notions, abbrevia t ions a r e introduced under c e r t a i n

assumptions and s o may conta in f r e e va r i ab les i n genera l . Thus new constant-

expressions d ( x l , . . . , x ) a r e introduced, abbrevia t ing expressions D which k a r e c o r r e c t i n the c u r r e n t context . Clear ly the type of d ( x l , ..., xk) must be

the same a s t h a t of D.

Example: 2,3, ... can be introduced by

2 : = successor (1)

3 := successor (21, e t c .

Fur ther , the notion of "successor of successor" might be abbreviated by

s t a t i n g (under assumption x E n a t ) t h a t

plustwo (x) := successor (successor (x) ) . Again, a l l c o r r e c t s u b s t i t u t i o n ins tances with t h e i r types can be produced

by t h e s u b s t i t u t i o n mechanism.

2.8. Functional abs t rac t ion : A-calculus

We have mentioned func t iona l abs t rac t ion and app l i ca t ion a s f u r t h e r t o o l s

f o r const ruct ing expressions. By these devices a form of typed A-calculus

is incorporated i n t o the bas ic system. In A-calculus, i n t u i t i v e l y speaking,

Ax.B denotes the funct ion which t o any ob jec t x a s s o c i a t e s t h e o b j e c t B.

O r (exhibi t ing the dependence on x) AX.B[XD i s the map which, with any A,

a s soc ia tes B C A D . I n AUTWTH (where a l l funct ions have a domain) such e x p l i c i t l y given

funct ions a r e denoted by abstraction expressions CX,~IB, where B may contain

x a s a f r e e va r i ab le ; a i s the type of x and the domain of the funct ion. In

case B i s a 3-expression, C x , a ] ~ a t t aches ob jec t s t o the o b j e c t s of type a

and i s ca l l ed an object-valued fmction. I f B i s a 2-expression, [ x , a ] ~

a t t aches types t o the ob jec t s of type a and i s c a l l e d a type-valued fmction.

I n AUT-68 no abs t rac t ion expressions of degree 1 a r e formed ( i n c o n t r a s t

with AUT-QE) . Notice t h a t poss ib le f r e e Occurences of x i n B a r e bound by the abs t rac to r

[x , a l and a r e no t f r e e i n CX,CXIB any more. An important r e s t r i c t i o n on ab-

s t r a c t i n g is t h a t such a bound va r iab le must be a 3-variable. Thus we only

q~U?l.tify (c f . sec t ion 3.4) over ( t h e ob jec t s o f ) a given type and quant i f ica-

t i o n over _type is not poss ible .

2.9. Type of abs t rac t ion expressions

suppose t h a t under the assumption x E a we have B E f3. I f f3 i s n o t a

l-expression then we may form both the abs t rac t ion expressions [x,a]B and

[x,a]B. According t o sec t ion 2.8 [x,afBdenotes an object-valued funct ion

and [x,alB denotes a type-valued function.

The l a t t e r abs t rac t ion expression [xra]f3[x] however is a l s o used with

a d i f f e r e n t meaning i n AUTOPl?iTH, t h a t is , t o denote the corresponding function

type T'I *f3[x] (which i s the type of [xra]B[x] by sec t ion 2.2). Xga So we obta in C x , a l ~ E [x,a]@ and [xra lB E type.

Example: t h e successor function can be introduced ( i n t h e empty context) by

succfun := [x,nat]successor(x) g Cx,nat]nat . The doub leuseof 2-expressions mentioned above d o e s , n o t cause ambiguity,

because it i s always c l e a r whether an expression a c t s a s a funct ion or a s a

type i n a formula. I n f a c t i n AUT-68 abs t rac t ion expressions of degree 2 a r e

exclus ively used with the second meaning, i . e . a s funct ion types.

2.10. Functional app l i ca t ion

In f u l l ( i . e . type-free) A-calculus any expression - a s a funct ion - may be appl ied t o any expression - even i t s e l f - a s an argument.

I n AUTOMATH, a s a typed A-calculus, a l l funct ions have domains and any

form of se l f -app l i ca t ion i s ruled o u t by t h e appzication restr ict ions: The

appZication expression <A>B (denoting t h e r e s u l t of applying B a s a funct ion

t o A a s an argument) i s c o r r e c t only i f :

i) B i s a funct ion and so has a domain, say a .

ii) A i s an o b j e c t of type a .

The no ta t ion <A>B, with the argument i n f r o n t , i s somewhat unusual; it is

convenient however s ince abs t rac t ions axe w r i t t e n i n f r o n t too.

2.11. Type of app l i ca t ion expressions

Assume t h a t B E [x,a]f3. Here [x,a]B[x]is a 2-expression a c t i n g a s a type

and s o denotes .f3[x]. Hence B must be considered a s a funct ion with domain a . X F

Now i f A E a we a r e allowed t o form the app l i ca t ion expression <A>B having - B E A D a s i t s type.

Note t h a t B need n o t be of t h e form [x,a]C i t s e l f . I t may, e.g. , be a

s i n g l e ob jec t v a r i a b l e o r o b j e c t constant with type [x,cc]B.

Example: A s an a l t e r n a t i v e expression f o r t h e number 3 we might introduce

3 a l t := <2>succfun E n a t .

2.12. Equali ty

We w i l l def ine a r e l a t i o n of de f in i t iona l equa l i ty among t h e c o r r e c t

expressions, appropr ia te t o the i n t e r p r e t a t i o n of expressions suggested - above. The r e l a t i o n i s denoted ... - ... and generated by:

i) abbrevia t ional o r 6-equality, = 6

ii) A-equality.

The l a t t e r i s generated i n tu rn by 6-equality, = , and q-equali ty = . 6 11

Usually i n A-calculus t h e A-equality a l s o e x p l i c i t l y embodies a-equali ty

(renaming of bound v a r i a b l e s ) . In t h i s note however we take the p o i n t of

view of simply ignoring the names of t h e bound va r iab les . So a-equal ex-

p ress ions a r e i d e n t i f i e d and. a r e a f o r t i o r i d e f i n i t i o n a l l y equal by t h e re-

f l e x i v i t y of t h e = - r e l a t i o n (c f . a l s o sec t ion 5.3.2).

Assume t h e defined constant d has been introduced i n s u i t a b l e context

Then d ( x l , . . . ,x ) abbrevia tes D and we wr i t e d ( x l , . . . ,xk) =& D. And f u r t h e r k f o r the s u b s t i t u t i o n ins tances :

Assume <A>CX,~IBBXD i s a c o r r e c t expression (so A E a ) . Now 6-equality

e x p l o i t s the i n t e r p r e t a t i o n of Cx,alB a s a funct ion with domain u and simply

amounts t o evaluat ing the r e s u l t of the appl ica t ion:

< A > [ x , a l ~ =B B B A B .

2.12.3. q-equali ty

In mathematics one usual ly considers funct ions a s extensionaz ob jec t s ,

i n the sense t h a t funct ions wi th the same domain and which a r e pointwise

equal a r e i s e n t i f i e d . In AUTOMATH t h i s extensional equa l i ty is partly covered

by the rl-equality: I f x does not occur free i n B then [x,a]<x>B = B ( f o r n

c o r r e c t expressions on ly ) . This is i n t u i t i v e l y sound only i f domain B = a ,

which indeed is the case by the correctness of [x,a]<x>B.

2.12.4. Def in i t iona l equa l i ty

NOW d e f i n i t i o n a l equa l i ty = i s defined t o be t h e equivalence relat ion

on the c o r r e c t expressions, generated by = - = and by monoton<city: 6 ' - B 1 11

I f A = A ' and B ' i s produced from B by replacing one specificoccurrence of

A i n B by (an occurrenceof) A ' then B = B ' .

or,usingsuggestive dots f o r t h e unchanged p a r t of the expression B: If

A = A ' then ... A.. . = ... A ' . .. . Example of t h e monotonicity r u l e : I f A = A ' then <C><A>D =<C><A1>D ( i f both

expressions a r e c o r r e c t ) .

2.13. The format: books and l i n e s

2.13.1. Actual AUTOMATH t e x t s a r e wr i t t en i n the form of books. A book con-

sists of a f i n i t e sequence of l ines. Each l i n e must be placed i n a c e r t a i n

context ( t h e context of t h e l i n e ) and introduces a new i d e n t i f i e r of a cer-

t a i n type. A l l l i n e s c o n s i s t of four consecutive p a r t s , separa ted by s u i t a b l e

marks or spaces:

i) context part, ind ica t ing the context of the l i n e . In genera l t h e con-

t e x t p a r t c o n s i s t s of the context indicator, i . e . t h e l a s t v a r i a b l e of

t h e cur ren t context . From t h i s the complete context can e a s i l y be re-

covered. I f t h e context of t h e l i n e i s xl g a l , . . . , ~ E ak , the sequence k - of va r i ab les x l , ..., x i s ca l l ed the indicator s tr ing of t h e l i n e . The k empty context can be indicated by an empty context p a r t .

ii) i den t i f i e r part, cons i s t ing of the new i den t i f i e r .

iii) middle part, containing t h e symbol EB (cf. 2.13.2) , the symbol PN (cf . 2.13.3) o r the def in i t ion of the new i d e n t i f i e r (cf . 2.13.4) .

i v ) category p a r t , containing the type of t h e new i d e n t i f i e r .

Assume an AUTOIQTH book is given, inwhich the v a r i a b l e xk has been in t ro -

duced with type a i n t h e context x l E a l , . . . l ~ k - l Eak-l. Thenwemay add l i n e s k

w i t h context ind ica to r xk, s o having xl E a l l . . . ,x E a a s t h e i r context . k - k

Below we d i scuss the th ree d i f f e r e n t kinds of l i n e s .

2.13.2. The block opening lines have middle p a r t g ( f o r empty block opener)

or , i n a l t e r n a t i v e nota t ion, a bar - . An g - l i n e ' introduces a new varicLbZe

and thus allows extension of the current context by one assumption.

Example: xk * y := EB E a ( " l e t y be of type a") introduces a new var iab le

y of type a . Lines having y a s t h e i r context p a r t - which may appear l a t e r

i n the book - then have x E C . ~ , . . . ~ X E ak , y E a a s t h e i r context. 1 - k -

2.13.3. The primitive notion lines have middle p a r t PN and introduce t h e

pr imit ive notions. For example:

introduces the p r imi t ive constant expression p ( x l l . . . , x ) and conta ins the k axiomatic E-statement p ( x l , . . . ,x ) E a . k

2.13.4. The abbreviation lines look l i k e :

where the middle p a r t D i s t h e de f in i t ion of d , i . e . t h e expression t o be

abbreviated. This l i n e contains, r e l a t i v e t o the preceding book and the cur-

r e n t context, both t h e derived E-statement D E a and t h e def ining axiom f o r

the new defined constant d:

2.14. Correctness of l i n e s ; v a l i d i t y

A l i n e is correct i f both the middle p a r t ( i f no t g or E) and the

category p a r t a re c o r r e c t expressions with respec t t o the preceding book

and the cur ren t context, and the category p a r t i s t h e type of t h e middle

p a r t ( i f not EB o r PJ). For the correctness of the expressions, a l l iden t i -

f i e r s used have t o be valid. Constants a r e v a l i d i n a book from t h e l i n e on

i n which they a r e introduced. Free va r iab les a re v a l i d i n a l i n e i f they

occur i n i ts context. We speak about the block of l i n e s i n which a f r e e

var iable i s v a l i d (whence block opener).

2.15. Shorthand f a c i l i t y

Assume t h a t a pr imit ive or defined constant c was introduced i n a cer-

t a i n context x E all.. . ,\ E ak. Then i f l a t e r i n the book c occurs with 1 - fewer than k arguments, the argument l i s t i s completed by adding a s u i t a b l e

i n i t i a l segment of the o r i g i n a l ind ica to r s t r i n g (c f . 2 . 1 3 . l i i ) ) x l , ..., x k ' I n o the r words t h e expression c(A . . . ,Ak) i s shorthand f o r i + l ' c ( g l , ..., x i rAi+l , . . . , A ) and the s i n g l e constant c i s shorthand f o r k c (xl , . . . r x k ) . Clear ly the completing va r i ab les have t o be v a l i d , t h a t is ,

t h e i n i t i a l segments of the o r i g i n a l and the cur ren t context have t o coin-

c ide . The shorthand f a c i l i t y accords with usual mathematical p r a c t i c e where

f r e e v a r i a b l e s a r e of ten considered a s f ixed throughout an argument and a r e

n o t mentioned e x p l i c i t l y .

2.16. Paragraph system

For each va r iab le and constant i t must be poss ib le t o r e t r a c e from which

l i n e it or ig ina tes . This condit ion i s c l e a r l y s a t i s f i e d when a l l names a r e

unique. A more l i b e r a l method of naming however is allowed by t h e soca l l ed

paragraph system, f o r a desc r ip t ion of which we r e f e r t o Zandleven [ I l l

s e c t i o n 11 1. Both shorthand f a c i l i t y and paragraph system do no t r e a l l y

concern the language d e f i n i t i o n bu t a r e p resen t f o r convenience only.

2.17. Example

In the following AUT-68 booklet t h e examples of t h e preceding sec t ions

a r e now wr i t t en i n t h e proper format.

* n a t

* 1

* X x * successor

* 2

* 3

x * plustwo

* succfun

* 3 a l t

: = PN - * - . - PN - := - : = PN - := successor (1 )

:= successor(2)

:= successor(successor)

:= [xrnat]successor (XI

:= <2>succfun

type n a t

n a t

n a t

n a t

n a t

n a t

[x, n a t l n a t

n a t

Here t h e middle p a r t of plustwo uses t h e shorthand f a c i l i t y . I t is l e f t t o

t h e reader t o e s t a b l i s h 3 = 3 a l t .

3. Mathematics i n AUTOMATH: Proposi t ions a s types

3.1. Functional i n t e r p r e t a t i o n of log ic

Up till now we have described AUTOMATH a s a ca lculus of ob jec t s and

t h e i r types only. A major p a r t of mathematics however cons i s t s of making s t a t e -

ments and reasoning with them, i . e . dea l s with log ic .

Now the re a r e d i f f e r e n t ways of coding some log ic i n t o t h e objects-and-

types framework. Here we only mention a socal led functimaZ interpretation

of log ic , which gives r i s e t o thepropositions-as-types notion. This idea of

i n t e r p r e t i n g l o g i c was developed independently by de Bruijn and c e r t a i n

o t h e r s , of whom we mention Howard [6], Prawitz [ l o ] , Girard [5] and Martin-

Lijf [8].

3.2. Proposi t ions a s types

So f a r we have introduced type a s t h e only 1-expression. We had C E type and r E C f o r the types C and the ob jec t s r of type C respect ively . Now we

introduce another 1-expression, the bas ic symbol e. Orig ina l ly i n AUT-68

no d i s t i n c t i o n was made between and prop. The l a t t e r 1-expression a c t s

j u s t l i k e and was introduced l a t e r t o allow dif ference of treatment be-

tween types which a r e t o be considered a s proposi t ions and types which a r e

j u s t types of ob jec t s .

I f C E prop we consider C a s a proposi t ion. I f f u r t h e r r E C , we con-

s i d e r r a s some const ruct ion es tab l i sh ing the t r u t h of C (a "proof" of C ) .

Thus t h e formula r E C is conceived a s asserting the proposi t ion C.

3.3. In te rp re t ing implication

Le t a E prop and 6 E prop. Now we may say we have a "proof" of the im-

p l i c a t i o n a -+ 6 i f from an assumption of t h e t r u t h of a we can argue and

conclude t h e t r u t h of 6 , That is , i f f o r any const ruct ion es tab l i sh ing the

t r u t h of a we can produce a construction f o r the t r u t h of 6 o r , equivalent ly ,

i f we have a map from "proofs" of a t o "proofs" of 6.

Now i n AUTOMATH terminology: we say we "prove" a -+ i f f o r any x E a

we can produce some B E 6. 1.e. i f we have some C i n the funct ion type

[x,alB. So we l e t [x,alB denote the implication a -t f3 and have [x,alB E prop.

This corresponds t o the second i n t e r p r e t a t i o n of abs t rac t ion expressions i n

sec t ion 2.9.

NOW by t h i s interpretat ion we obtain the modus, panens (from a and a -+ f3

i n f e r f3) by simple functional application. For l e t A E a and C E[x,a]B

(A and C thus being "proofs" of a and a + f3 respect ively) . Then by the appli-

cation ru l e we construct <A>C establishing the t ru th of 6.

3 . 4 . Universal quant if icat ion; negation

In exactly the same manner a function interpretat ion of universal s ta te -

ments can be given. Namely i f a 5 = and for x E a we have f3 E - then

we ident i fy the function type [x,alB with the universal statement Y 6 . xga

Here functional application corresponds t o the " instant iat ianu r u l e i n logic.

Thus by t h i s interpretat ion of logic i n AUTOMATH one ge ts the ( 'dl+)-

fragment of f i r s t order predicate logic for f ree . However i n AUTOMATH only

posi t ive statements a re made and statements l ike: "C i s not of type r" cannot

be expressed. In order t o i n t e rp re t negation we introduce as a primitive no-

t ion the proposition con ( fo r "contradiction") together with some su i tab le

axiom (primitive notion) . Here are d i f fe ren t poss ib i l i t i e s , e .g. the intu-

i t i o n i s t i c absurdity ru l e (for any proposition a , from con in fer a ) or the

c lass ica l double negation law. Then an XUTOMATH theory ( i . e . book) i s con-

s i s t e n t i f , i n the empty context, it does not produce some C g con.

For a E prop we define non(a) a s a -+ can o r , i n AUTOMATH notation,

[x,alcon. Now the double negation law can be s tated by introducing the pr i -

mitive notion dnZ as follows: I£ a E prop, x E non(nan(a)) then dnl (a,x) g a .

By a l so choosing su i tab le def ini t ions fo r the other connectives ( A , v )

and the ex is ten t ia l quant if ier we can smoothly obtain f u l l c l a s s i ca l f i r s t

order predicate calculus.

3 .5 . Assumptions, axioms, theorems

In AUTOMATH-books the g-formula r g C fo r apropositionZ can occur i n

the usual three kinds of l ines again:

i) =-lines: 0 * x : = EB E C .

These must be interpreted a s asswnptians: " l e t C hold" or " l e t x be a

proof of C". Now i n a l i ne where x is val id we may r e fe r t o x whenever

we want t o use the assumed t ru th of C .

ii) =-lines: U * p := PNg C. These serve a s axioms, or rather a s axiom schemes (by the dependence

on the variables contained i n the context o) . iii) abbreviation l ines: a * d := r E C must be considered as derived s ta te -

ments, i . e . theorems, lemmas e t c . Here the middle p a r t r "prcves" the pro-

pos i t ion C from t h e assumptions i n the context a .

The d e f i n i t i o n a l equa l i ty ( c f . sec t ion 2.12) of AUTOMATH only covers

a small p a r t of the usual mathematical equa l i ty . Fur ther a statement of

d e f i n i t i o n a l e q u a l i t y cannot be handled a s an a c t u a l proposi t ion; e.g. it

cannot be negated o r even assumed ( a s in : l e t A = B ) . A s t h e AUTOMATH-counter-

p a r t of the usual mathematical . . .equals.. . the book-equality I S ( ~ , A , B )

- where A and B a r e ob jec t s of type a - can be introduced by s u i t a b l e p r i -

mi t ive notions, some of which a r e shown i n the example below.

* a := - type a * x := - a

X * Y .= - a

y * IS := PN - prop x * REFL := PN - IS (x,x)

y * i := - 1s (x, y)

i * SYM := PN - 1s (Y 1x1

e t c .

arid a lso:

By the axiom of r e f l e x i v i t y (REFL) above, d e f i n i t i o n a l e q u a l i t y implies book-

equal i ty : i f A E a , B E a , A = B then REFL(a,A) E IS(cr,A,B).

4. Extension of AUT-68 t o AUT-QE

4.1. Function-l ike expressions

Expressions C such t h a t C E [x,a]B o r C = [x,a]B a r e c a l l e d function-like

expressions. Whereas i n AUT-68 funct ion- l ike 3-expressions may have any form,

e.g. they can be v a r i a b l e s or pr imi t ive constant expressions, t h e only func-

t ion- l ike 2-expressions a r e (poss ibly abbreviated) abs t rac t ion expressions.

This i s because funct ion- l ike 1-expressions a r e absent i n AUT-68.

Thus we can d i scuss e x p l i c i t l y constructed f a m i l i e s of types Bx where x

ranges over some type a (namely by forming the abs t rac t ion expression

Cx,alBBxD) b u t we cannot d i scuss arb<trary fami l i e s of types indexed by

x E a . Indeed, we cannot intrbduce a family of types a s a p r imi t ive notion

o r a s a va r i ab le .

4.2. Supertypes o r quasi-expressions

I n AUT-QE such a r b i t r a r y type-valued funct ions a r e admitted however, by

extending the c l a s s of 1-expressions. The new 1-expressions, quasi-exp~ess<~ns

(whence AUT-QE) or supertypes, have the form [x , a 1 ... [xk,akl type or 1 1 [x l , a l l ... [xk,ak1 =, where a l , ..., a a r e 2-expressions, i . e . proposi t ions

k o r types.

For example, an a r b i t r a r y type-valued funct ion on a can be introduced by

an =-line:

u + f :=- Cx,al= . I f f o r a we take the type of n a t u r a l numbers, then f i s an a r b i t r a r y sequence

of types.

4.3. The use of AUT-QE.

S imi la r ly we have a r b i t r a r y prop-vazued functions i n AUT-QE. These a r e

e spec ia l ly use fu l i n our i n t e r p r e t a t i o n of l o g i c , f o r a prop-valuedfunction

with domain a i s nothing bu t a predicate over a . For example, by an =-line

an a r b i t r a r y binary p red ica te ( r a the r : r e l a t i o n ) on t h e n a t u r a l numbers is

introduced. The presence of p red ica te and r e l a t i o n v a r i a b l e s i n AUT-QE a l -

lows us t o wr i t e axiom schemes with such v a r i a b l e s , e .g. t o introduce a fur-

the r e q u a l i t y axiom (c f . sec t ion 3.6) we can wri te :

We emphasize however t h a t abs t rac t ion over such 2-variables (e.g. type-

va r iab les , prop-variables, predicate-variables) i n AUT-QE is s t i l l forbidden,

s o both AUT-68 and AUT-QE may s t i l l be c a l l e d first-order systems.

4.4. Type-inclusion and prop-inclusion

J u s t a s i n AUT-68 the funct ion- l ike 2-expression f ( c f . sec t ion 4.2)

a l s o codes i ts corresponding function space, i . e . the type of those g with

domain a such t h a t f o r A E a we have <A>g E <A>f. A s prop behaves j u s t l i k e

Qx, the predicate P ( c f . sect ion 4.3) a l s o denotes the proposit ion V .P(x) . XE_a

AS a consequence, we allow the t r a n s i t i o n from C E [ x , a ] ~ t o C E type.

This t r a n s i t i o n o r , i n general , from

i s ca l l ed type-inclusion. The s imilar t r a n s i t i o n with prop ins tead of

i s ca l l ed prop-inclusion. BY t h i s type-incZusion and prop-inclusion AUT-QE

contains AUT-68 a s a proper subsystem. Notice t h a t f o r 2-expressions uni-

queness of types - i f A E a, A E t? then a = t? - is l o s t .

4.5. Let us f i n i s h with a t a b l e i n which some AUTOMATH notions a r e l i s t e d

with t h e i r poss ible meanings i n t h e propositions-as-types i n t e r p r e t a t i o n .

object-and-type

interpretat ion

proof -and- proposi-

t ion interpretat ion

2-expressions

3-expressions

... E ... - f unction-like

2-expressions

abbreviation l i nes

types

objects

propositions

proofs

. . . has type . . . . . . proves . . . type-valued functions predicates I If unction types implications

universal statements

variable introductions assumptions

primitive object axioms

introductions

defini t ions or

abbreviations

theorems

5.1. The language, t o be defined formally now, i s the one accepted by the

cur ren t checker ( c f . [ I l l ) except f o r two points :

i) Paragraph f a c i l i t i e s a re no t present here s o a l l constant names have

t o be d i s t i n c t ( c f . sec t ion 2.16).

ii) There i s no shorthand f a c i l i t y ( i . e . a l l expressions a r e w r i t t e n o u t

i n f u l l ( c f . s e c t i o n 2.15).

The a c t u a l formalism has been chosen i n t h i s way i n order t o keep a s c lose

a s poss ib le t o t h e preceding informal book-and-line desc r ip t ion . A def in i -

t i o n along more usual natural deduction l i n e s may poss ibly be more e legant .

For t echn ica l reasons we p re fe r red t o avoid redundancy almost completely

i n our d e f i n i t i o n . A s a consequence of t h i s , some use fu l e x t r a r u l e s follow

a s derived rules i n the sec t ion on language theory.

5.2. Our aim i s t o de f ine formally what co r rec t AUT-QE books a r e .

The desc r ip t ion cons i s t s of:

i) Prel iminar ies , mainly devoted t o the context f r e e p a r t of the language

( sec t ion 5.4).

ii) Simultaneous d e f i n i t i o n of correctness of books, contexts , l i n e s , ex-

press ions , E-formulas and =-formulas ( sec t ion 5 .5 ) .

The =-formulas only serve a s a help i n our d e f i n i t i o n ; they do no t appear

i n the book. The kernel of ii) i s the d e f i n i t i o n of correctness of expres-

s ions and formulas r e l a t i v e t o a c e r t a i n book and context . Here the book

serves t o determine the s e t of pr imi t ive notions and abbrevia t ions , and the

context serves t o determine the s e t of v a l i d f r e e va r i ab les .

Most concepts a r e introduced by ordinary inductive def ini t ions. Thesecon-

sist of a f i n i t e s e t of r u l e s of the form: " i f . . . then . . .". Here only such

conclusions may be drawn which follow from a f i n i t e number of app l i ca t ions

of t h e r u l e s .

5.3. Notational conventions

5.3.1. An extensive use is made of syntactic variabZes throughout the d e f i n i t i o n .

Often c e r t a i n assumptions on these va r i ab les a r e i m p l i c i t by t h e i r s p e c i f i c

choice, e .g . a and 6 always run over contexts. Syn tac t i c va r i ab les may a l -

ways be indexed o r primed.

5.3 .2 . A s f o r s u b s t i t u t i o n and a-con~ersimz (renaming of bound va r iab les )

we adopt the following po in t of view: expressions with bound v a r i a b l e s a r e

considered a s named vers ions - named t o f a c i l i t a t e reading - of some a c t u a l l y

namefree skele ton (cf . [ 3 1) . Thus we i d e n t i f y a-equal expressions and assume

t h a t a-conversion is appl ied whenever necessary t o avoid clash of variabZes.

We use . . . . . . t o denote syntactic ident i ty (symbol-for-symbol equa l i ty )

modulo a-equality. E.g. [x,C] ... x...E[y,C]...y...y... .

5.3.3. Correctness of expressions A and formulas cp r e l a t i v e t o a book 8 and

a context u a r e abbreviated by 8; a 1 A and 8; a 1- cp respect ively . Sometimes

we wr i t e 1 A or a A f o r 8; a 1 A and 1 cp o r a 1 cp f o r 8; a cp when the re

i s no p a r t i c u l a r need t o emphasize the cur ren t book o r context . The no ta t ions

t ( i ) A and t ( i ) A p B a r e used t o express t h a t A is an i-expression and 1 A ( respec t ive ly 1 A g B) .

5.4. Prel iminar ies

5.4.1. Alphabet

1 ) AS variabZes and constants we allow any aZphcmwneric s tr ing. such a s t r i n g

is considered atomic and i s thus counted a s one s i n g l e symbol. Syntact ic

va r i ab les f o r v a r i a b l e s a r e x ,y ,z , . . . . Among the constants ( syn tac t i c va-

r i a b l e c ) we d i s t ingu i sh primitive ( syn tac t i c va r i ab les p ,q) and defined

o r abbreviationaZ constants ( s y n t a c t i c va r i ab le d ) . 2 ) Improper symbols

i) some b~*acksts and braces: [ , I , ( , ) , < , >.

ii) Some separation marks: ! , *, 1, E, :=, =, sernicoZon and coma.

iii) Some reserved symbob: g, z.

5.4.2. Expressions ( s y n t a c t i c va r i ab les A,B ,C ,D , . . ., C , A , r , ...)

i) VariabZes: x

ii) Abstraction expressions : [x, C I A

iii) AppZication expressions : < C > A

i v ) Constant-expression instances : c (C1, . . . , Ck) v ) Bas5c constants: type, prop.

AS s p e c i a l s y n t a c t i c v a r i a b l e s f o r 2-expressions we take a r e , . . . .

5.4.3. Formulas ( syn tac t i c v a r i a b l e q )

i) E-formuLas: C E A

ii) =-formuzas: C = A .

5.4.4. Addit ional concepts

1 ) Contexts ( syn tac t i c va r i ab les a , 6 ) : Any f in i t e (possibly empty) sequence

of E-formulas x E C separated by commas, where a22 xi are d i f ferent . i - if

2) Lines ( syn tac t i c va r i ab le A )

i) =-Lines : a * x := j3BEC ii) =-lines : u * p : = = E X iii) Abbreviation l ines: a * d := A - E C

3 ) Books ( syn tac t i c va r i ab le 8) : Any f in i t e (possibly empty) sequence of

l ines, separated from one another by e x c h a t i o n signs ( 1 ) .

5.4.5. Free va r i ab les

We def ine the free variabLe s e t Fv(C) of expressions C by induct ion on

the s t r u c t u r e of C ( c f . sec t ion 5.4.2) :

5.4.6. Subs t i tu t ion

1) The r e s u l t of simuZtaneous substitution of A l l . . . ,A f o r the f r e e va r i a - k

b l e s xl . ... ,xk i n an expression C i s denoted by t x l , ...., x /A . . . ,%DC * k 1'

and l o c a l l y abbreviated by C :

* - i) x i = A i

ii) y* = - y i f y not among x l , ..., x * * * k

iii) (Cy,CllC2) = C y I C 1 1 C 2 i f y not among xl,. . . ,xk and

x E FV(C2) * y d FV(Ai)) f o r i = I , . . . , k (otherwise rename y i n i Cy1C11C2).

* * * i v ) ( < C 1 > C 2 ) E <C > C

1 2

* * v i ) prop =prop, type E-.

2) Substitution of A f o r x i s denoted by [x/A] and amounts t o t h e case k = 1

above.

5.5. Correctness

5.5.1. Correct books

i) the empty book i s correct

ii) if 8 i s correct and X i s correct with respect t o B then B ! X correct.

5.5.2. Correct context with respec t t o B:

i) the empty context i s correct

ii) i f o*x := EB - E A i s a t ine i n the book 8 then a, x - E A i s a correct

context with respect t o 8.

5.5.3. Correct l i n e s with r e s p e c t t o 8:

1) =-lines: I f 8; o i- ("A or B; 3 ( 2 ) ~ , a z x E C l , . . . ,x E C k , and y k - not among xl , . . . ,x then a * y : = EBE A i s a correct l ine with respect t o 8.

k 2) - PN-lines: I f 8; o ("A or B; a 1- ( 2 ) ~ and p does not occur i n 8 then

a * p := PN E A i s a correct Zine with respect t o 13.

3 Abbreviation l i n e s : I f 8; a I- C E A and a does not occur i n 8 then

o * d := C - E A i s a correct l ine with respect t o B.

5.5.4. Correct E-formulas r e l a t i v e t o a c o r r e c t book 8 and a context a which

is c o r r e c t w . r . t . 8

1 ) Repet i t ion r u l e : I f o 5 x E C . . . ,xk E C k and C . i s an i-expression 1 -

(iWx E C 3 then B; a f ( f o r j = l , . . . , k ) . j - j

2) Abstraction ru le : I f 8" : 8!o * x := E E i E a and 8* i s correct and (i) (i) B*; o,x E a I- C E A then 8; a I- Cx,alC E [x,a]A .

3) Application ru les :

i) I f )- A E a and ( i ) ~ E C X , ~ ] C then I- (')<ZPB - E [x/A]c.

ii) I f I- A E a , 1 " ) ~ - E c and 1- c - E C x , a l ~ then I- ( i ) < ~ > ~ - E <A>C

( c l e a r l y i w i l l be 3 h e r e ) .

4) Subs t i tu t ion r u l e : I f C i s an i-expression and ei ther

x E C1, ..., x k ~ C k * c : = = E C 0r x1 - E E l , . . . ,xk E Ck * C : = A E C 1 - -

i s a t ine i n the book B and B; a t A . E [x i , . ..,\/n1,.. .,%I" for ( i + l ) J -

j = l , ..., k t h e n 8 ; o t C ( A ~ ,..., A ~ ) E [ X ~ ,..., ,..., A D Z . k

5) Rule of type-conversion: If I- A - E C and I- C = r then I- A E r . 6) Rules of type- and prop-inclusion:

i) If 1-9 E Cxl,al l ... Cxk.ak1Cy161 (possibly k = 0) then

I-r E C X ~ , ~ ~ I ... C X ~ ~ C X ~ I ~ .

ii) If & - E Cxl.all . . . [ x k ~ q l C ~ . B 1 - ipossibZy k = 0) then

5.5.5. Correct expressions with respec t t o 8 and a

1) Correct 1-expressions:

(1) i) If B i s correct and a i s correct with respect t o B then B; a I- ~JJ=

(1) and 6 ; a I- prop.

ii) If B* B!a * x := E E a and B*; a ,x E a k( ' ) A then B;a c ( ~ ) [ x , ~ ] L I . (i) (i) 2) Correct 2- and 3-expressions: If I- C E A then I- C . -

Remark: I t is intended t h a t B; a 1 A o r 8 ; a 1 q only i f i s cor rec t and a

i s c o r r e c t with r e s p e c t t o 8 . This condit ion i s e x p l i c i t l y imposed i n 5.5.4

and 5.5.5.1 i) and propagated a l l through the d e f i n i t i o n .

5.5.6. Correct,=-formulas with respec t t o 8 and o

1 ) 6-equality: If I- < A > [ x , ~ ] B and ~ [ X / A ] B then ~<A>[x,a]B = [x/A]B.

2) n-equality: If I f x , B l < x > ~ , md x e' FV(C) and kc then ~ C X , B I < X > C = C.

3) b e q u a i i t y : If xl E C 1 , . . . , Xk E Ck * d := A E C i s a line i n 8, and - B; a ] - A . E [xi. ..., x /A ..., A l i . for j = 1. .... k, and

3 k 1' k I 8; a 1- IX . . . , xk/A1 , . . . ,Ak]A then B; 1- d (Al ,.. . 1) = [x,, + . . , \/Al , . . . ,A ]A k

4) Monotonicity r u l e s : *

i) If B z B : a * x : = E B E O ~ ~ -- B*; a , x g a C B ~ = B ~ then

8; o 1- C X ~ O I B ~ = C X , ~ I B ~ . ii) If a1 = a2. ~ C X , ~ ~ I B , and 1- Cx,a21B then 1- Cx,irl1e = Cx.a21s.

iii) If t A~ = B~ , t A~ = B~ , I- < A ~ > A ~ , m d 1 c B l > ~ 2 then I- <nlsn2 = a 1 2'

i v ) If F A . = B . ( f o r j = 1 ,... ,k), and ~ - C ( A ~ , . . . ~ A ~ ) ~ and I 3

I- c ( B ~ . . . . , B ~ ) then 1- c A . . . , 1 = c ( B ~ , . . . , B ~ ) . 5) Ref lex iv i ty , symmetry and t r a n s i t i v i t y r u l e s

i) If ]-A, t and A E B then / - A = B

ii) If / -A = B then 1 B = A

iii) If [-A = B, and 1 B = c then /-A = C.

Remark: It i s intended t h a t 8; a A = B only i f both 8; a 1 A and 8; a 1 B. In most cases above, though sometimes unnecessary, such conditions have been

expl ic i t ly s ta ted. Where they have been omitted it w i l l be immediate t h a t

they hold by some other conditions.

6. Some remarks on language theory

The language theory is mainly concerned with the inves t iga t ion of the

bas ic system. A major aim i s t o prove the decidability of t h e AUTOMATH

languages. That i s , t o prove t h e existence of an e f f e c t i v e procedure which

f o r any given t e x t i n a f i n i t e amount of time decides whether it i s c o r r e c t

o r no t ( i n AUT-QE, s a y ) . The ke rne l of such a checker dea l s with the veri-

f ication of correctness of expressions and formulas (both E- and =-formulas),

r e l a t i v e t o a given book and context (which a r e assumed t o be c o r r e c t a l -

ready) . I n t h i s sec t ion we s h a l l sketch a c e r t a i n checking procedure, c lose ly

r e l a t e d t o t h e a c t u a l l y running ver i fy ing program of Zandleven ( c f . [ I l l ) . We s h a l l a l s o roughly ind ica te t h e proof of correspondence between t h e pro-

posed checking procedure and the language d e f i n i t i o n of the preceding sec t ion .

6.2. Reduction

6.2.1. I n order t o study the =-re la t ion i n more d e t a i l we in t roduce t h e re-

duction relat ion 2, a p a r t i a l order among the expressions. For an explanation

of the suggestive do t s i n our d e f i n i t i o n we r e f e r t o sec t ion 2.12.4.

6.2.2. Def ini t ion:

1 ) One-step reduction (with respec t t o a book B)

i) one-step 6-reduction: ... <A>[x,ak ... > ... BX/A]C ... 6

ii) one-step q-reduction: I f x # FV (C) then . . . [ x , a ] < x > ~ . . . > . . .c.. . iii) one-step &-reduction: If d was introduced by cm abbreviation line

x1 E al , .. . ,x k E ak

* d := D E C i n B then - . . .d ( C , . . . , zk) . . . >6 .. . [xl I .. . , x ~ / c ~ , . . . I c ~ D D . . .

i v ) a l s o > is allowed with any embination of the ind ices such as : I f

A > B O ~ A > then^> B B rl 6 rl

v) one-step reduct ion i n general: I f A > B then A > B . 6116

2 ) Mmy-step reduction (with respec t t o 8)

i) I f ~ ~ ~ t h e n ~ t ~

I f A 2 B cmd B > c (with respect t o 8) then A 2 c. So 2 i s t h e r e f l e x i v e and t r a n s i t i v e c losure of >. Likewise 2 denotes

6 6 the r e f l e x i v e and t r a n s i t i v e c losure of > e t c . For A 2 B we a l s o wr i t e

6 6 B I A.

3) i) Reduction sequence: A sequence E l , C 2 , . . . of expressions is c a l l e d a

reduction sequence of C1 i f f o r a l l i we have .Ci Ci+l o r C i ' 'i+l* ii) Proper reduction sequence: A reduction sequence C 1 , C 2 , ... is c a l l e d

proper i f f o r a l l i we have Ci > Ci+l.

6.2.3. C lea r ly the =- r e l a t i o n is t h e equivalence r e l a t i o n generated by t h e

r e s t r i c t i o n of > t o c o r r e c t expressions. So we can conclude: A = B i f f

A E C - > D~ 5 c2 2 D~ 5 . . . 1 D ~ - ~ I c s B (possibly k = 11, where aZZ ex- k

pressions i n the respective reduction sequences are correct.

6.2.4. A s an example of a reduction sequence consider:

3 a l t > <2>succfun > <2>[x,nat]successor(x) > successor(2) > 6 6 B 6

successor(successor(1)) (see sec t ion 2.16). So each reduction s t e p seems t o

b r ing us c l o s e r t o some poss ible "outcome". Here 8- and &-reduction amount

t o evaluat ion and q-reduction t o a c e r t a i n s impl i f i ca t ion of expressions.

6.3. The th ree problems: normalization, Church-Rosser and c losure

6.3.1. I t w i l l appear t h a t the decis ion procedure f o r equations (=-formulas)

p lays a c e n t r a l r o l e i n the checker. A t f i r s t we s t a t e - i n terms of the re -

mark i n sec t ion 6.2.4 - two hipor tant ques t ions around reduction and d e f i n i -

t i o n a l equal i ty :

i) (Normazization) Do c o r r e c t expressions always have a f i n a l outcome,

i . e . do they always reduce t o an expression which does not reduce fu r the r?

ii) (Church-Rosser property) Do d e f i n i t i o n a l l y equal expressions have a

common outcome, i . e . an expression t o which they both reduce?

A t h i r d c e n t r a l question concerns the so-called cZosure property ( t h i s term

was introduced by R.P. Nederpelt i n the in t roduct ion t o C91):

iii) Is t h e system closed under reduct ions , i . e . do c o r r e c t expressions re -

main c o r r e c t under reduction?

6.3.2. Normalization and s t rong normalization

Let us def ine

1 ) A i s n0rmaZ i f no one-step reduction A > B can be applied.

2 ) A is s a i d t o normazize i f A reduces t o some normal B (which is then c a l l -

ed a nomaz form of A ) .

3) A i s s a i d t o strongzy normaZize i f a l l proper reduction sequences of A

terminate.

We say t h a t normaZizatim ( resp . strong normaZization) holds i f a l l

c o r r e c t expressions normalize ( resp . s t rong ly normalize). Normalization (and

a f o r t i o r i s t rong normalization) does no t hold i n the f u l l 1-calculus ( t ake

a s a counter-example the expression < A X . <x>x>Ax.<x>x) . In typed systems such

a s AUTOMATH however, s t rong normalization (and hence normalization) does hold.

Much work concerning (s t rong) normalization has been done by log ic ians study-

ing systems of natural deduction and func t iona l i n t e r p r e t a t i o n s ( c f . f o r

ins tance C51, C81, ClCI) . Their methods o f t en apply t o AUTOMATH a l s o . S m e

new proofs of normalization have been given by members of the AUTOMATH-project

( c f . C91).

6.3.3. Church-Rosser theorem; uniqueness of normal forms

Question 6 . 3 . l i i ) above amounts t o the Church-Rosser theorem: I f A = B then

A 2 C I B for s m e C. An a l t e r n a t i v e formulation of t h i s i s the Diamond

property fo r 2 : I f A 2 B and A 2 c then B r D I c for some D ( c f . f i g u r e ) .

B A Diamond property 1 ' \ /

A s a co ro l l a ry of the Church-Rosser theorem we mention the uniqueness

of normal forms: I f B and C are normal forms of A then B 5 C. This property

t o ~ e t h e r with the normalization theorem allows us t o speak of the normal

form W(A) - computable by an e f f e c t i v e procedure NF - of c o r r e c t expressions

A. The Church-Rosser theorem holds i n t h e f u l l 1-calculus a s we l l a s i n typed

systems. In AUTOMATH languages without q-reduction the standard 1-calculus

proofs simply ca r ry over ( c f . C91). I n f a c t , i n view of s t rong normalization,

a s l i g h t l y e a s i e r proof can be given here . For, e .g. , AUT-QE, where we have

q-reduction the proof is sanewhat more complicated and dependsheavilyon the

c losure theorem. The author in tends t o publ ish t h i s proof and t h e o t h e r p r o o f s

omitted i n t h i s sect ion i n h i s doc to ra l d i s s e r t a t i o n .

6.3.4. Closure property

Let us f i r s t formulate the closure theorem: I f B; a I- A (respectively

8; a 1- A - E B) and A 2 c (with respect t o B ) then 8; a I- c (respectively

8 ; a 1 C E B) . I n connection with the c losure theorem, which holds f o r

AUT-QE, we have two important derived r u l e s :

1) General subst i tut ion principle (as mentioned i n 2.5) : I f *

xl E X I , . . .,11( E Zk IB ( resp. /- B - E C) and u k~~ 5 Xi ( f o r i = I , . . . ,k) * *

then 0 I- B* (resp. 1 B E c*) , where 1 stands f o r Ux1,. . . ,xk/A1 , . . . ,Ak]Z.

2) The "left-hand equality mZe" (canpare with t h e r u l e of type-conversion,

which i s the "right-hand equa l i ty ru le" ) :

If 1 1 3 ) ~ - E B and F A = C then 1-c - E B.

For 2-expression A we only have a weaker vers ion i n view of type-inclu-

s ion: If I- ( 2 ) ~ - E B a d ]-A = c d ( 2 ) ~ - E D then I - c - E B or F A - E D.

6.4. A decis ion procedure

6.4.1. Deciding =-formulas

Suppose A and B a r e c o r r e c t expressions. The normal form procedure NF

(sect ion 6.3.2) e a s i l y y i e l d s a decis ion method f o r the equation A = B,

namely A = B i f f NF (A) E NF (B) . Often, however, it i s no t necessary t o com-

pute normal forms f o r deciding A = B. For example, when A and B have d i f fe ren t

degrees one can e a s i l y draw a negative conclusion. O r more important, it ge-

ne ra l ly happens t h a t a few well-chosen reduction s teps i n A o r B w i l l r e s u l t

i n a non-normal common reduct. The choice of e f f i c i e n t reduction s teps here

is a matter of strategy; the termination of a procedure which successively

appl ies reduction r u l e s t o A or B i s anyhow guaranteed by the s t rong normali-

za t ion property, no matter i n what order the reduction s teps a r e applied.

I n order t o prove t h e correspondence between decis ion procedure and

language d e f i n i t i o n we must know t h a t a l l the expressions i n the reduction

sequences from A and B t o some common reduct a r e c o r r e c t again. This is

indeed t h e case by the c losure theorem.

6.4.2. Deciding E-formulas and epxressions

6.4.2.1. Assume ?3 i s a cor rec t book and u a cor rec t context; we must def ine

a decis ion procedure f o r the correctness of E-formulas and expressions. It

w i l l appear t h a t t h i s problem can be reduced t o the decis ion problem f o r

=-formulas (but f o r t h e straightforward task of checking the v a l i d i t y of

the i d e n t i f i e r s used) .

6.4.2.2. Uniqueness of types

We know (by the r u l e of type conversion) t h a t f o r a l l B' with 1 B = B'

we have IA g B o I A E B ' . *

For 3-expressions A the converse (uniqueness of types ) holds too:

For 2-expressions A we must be somewhat more p rec i se i n view of type-in-

c lus ion. We def ine among the c o r r e c t expressions t h e r e l a t i o n 5 by:

i) Cx1,a11 . . . C x k r a k 1 C y I B l ~ c Cx1,a11 . . . C x k r a k l ~

ii) Cxl ,a l l . . . CxkraklCy,Blprop c CxlralI . . . C x k r a k l ~

iii) f i s the t r a n s i t i v e c losure of = and c.

Then ins tead of (*) f o r 2-expressions A we can prove

6.4.2.3. Now assume t h a t A i s cor rec t . Then we can de f ine a "mechanicaZ type"

fwzction CAT, such t h a t :

So CAT computes some canonical representa t ive of t h e c l a s s of B ' with

1- A E B' ; furthermore, t h i s B ' i s minimal with r e s p e c t t o c. For the a c t u a l

d e f i n i t i o n of CAT we r e f e r t o C11, sect ion 71. Since t h e decis ion procedure

f o r equations i n the cur ren t checker a l s o conta ins the p o s s i b i l i t y of D

type-inclusion - i . e . A = B i f f A 5 B - the type funct ion CAT reduces

t h e v e r i f i c a t i o n of - f o r m u l a s t o the v e r i f i c a t i o n of equations.

6.4.2.4. F ina l ly we po in t ou t a decision procedure f o r correctness of ex-

press ions . Here we proceed by induction on the length of expressions. A s an

example we t r e a t the case of appl ica t ion expressions <A>B where A and B a r e

a l ready supposed t o be cor rec t .

6.4.2.5. Uniqueness of domains

For funct ion- l ike expressions A we de f ine a t o be t h e domain of A i f

* ) Here we mean uniqueness with respec t t o d e f i n i t i o n a l equa l i ty ( = I , i n con-

t r a s t with sec t ion 6.3.3, where we mean uniqueness with r e s p e c t t o syntac-

t i c equa l i ty ( r ) .

For domains we have uniqueness a lso (by the closure theorem and the

Church-Rosser theorem): If a and f3 are domains of A then a = 6. This f a c t

allows us t o speak about the domain of function-like expressions. Now we

are able t o define a %echmicaZ dmainr1 function DOM (for which we re fer

t o [ l l , section 71) , which for function-like A picks out a canonical repre-

sentat ive of the domain of A. The termination of DOM(A) follows by induction

on the degree of A, using strong normalization.

6.4.2.6. By CAT and DOM the ver i f ica t ion of correctness of <A>B reduces t o

the ver i f ica t ion of some su i tab le equation: ~ < A > B t A rmd B and

A E DOM (B) o r , equivalently, by 6.4.2.3i) ,

~ < A > B w t A and t B and I- CAT (A) = DOM (B) .

6.4.2.7. For the other cases of correctness of expressions we r e fe r t o Zand-

leven again. The correspondence of the current ve r i f i e r with the actual

language def in i t ion is e i ther immediate or follows from the above f ac t s

about CAT and DOM.

77

7. References

De Bruijn, N.G. ; The mathematical language AUTOMATH, i t s usage and

some of i t s extensions. Symposium on Automatic Demonstration

(Versai l les December 19681, Lecture Notes i n Mathematics, Vol. 125,

pp. 29-61, Springer-Verlag, Ber l in , 1970.

De Brui jn, N .G; Automath, a language for mathematics; notes (prepared

by B. Fawcett) of a s e r i e s of l e c t u r e s i n the S h i n a i r e de Math&

matiques SupBrieures, ~ n i v e r s i t e de Montreal, 1971.

De Brui jn, N.G. ; Lambda calculus notation with nameless dwmnies, a

tool for automatic formula manipulation, with application t o the

Church-Rosser theorem, Indag. Math., 34, no. 5. 1972.

De Brui jn , N .G . ; The AUTOMATH Mathematics Checking Project, t h i s volume.

Girard, J. Y. ; Interpretation fonctionezle e t e'limination des coupures

de l 'arithrnetique d'ordre supe'rieur, Doctoral d i s s e r t a t i o n , Uni-

v e r s i t 6 P a r i s V I I , 1972.

Howard, W .A. ; The formulae-as-types notion of construction, unpublished

1969.

J u t t i n g , L.S. van Benthem; The development of a t e x t i n AUT-QE, this

volume.

Martin-LBf , P . ; An i n h i o n i s t i c theory of types, unpublished 1972.

Nederpelt, R .P . ; Strung normalization i n a typed lambda-calculus with

lambda-structured types, Doctoral d i s s e r t a t i o n , Technological

Universi ty, Eindhoven, 1972.

Prawitz, D . ; Ideas and re su l t s i n proof theory, i n : Proc. 2nd. Scan-

dinavian Logic Symp. North-Holland Publ. Comp., Amsterdam, 1971.

Zandleven, I. ; Verifying program for AUTOMATH, t h i s volume.

Appendix 2. The paragraph system

In t h e d e f i n i t i o n of AUT-QE ( C V D , 51) it is required t h a t constants

which a r e i d e n t i f i e r p a r t s of d i f f e r e n t l i n e s a r e d i f f e r e n t . In t h i s appen-

d ix we desc r ibe a v a r i a n t of AUTOMATH languages i n which t h i s r u l e i s wea-

kened. The AUT-QE vers ion of t h i s v a r i a n t has a c t u a l l y been used f o r t r ans -

l a t i n g Landau's book. I t is i r r e l e v a n t f o r t h e following discuss ion, which

p a r t i c u l a r AUTOMATH language i s considered. We s h a l l the re fo re presuppose

unspecified language AUT, andwe s h a l l c a l l i t sparagraphed v a r i a n t AUT-PAR.

1. Paragraph l i n e s

A bookinAUT-PARcanbe s p l i t u p i n t o paragraphs. In t h e language

we have th ree spec ia l symbols +, - and -, and a countable s e t of para-

graph i d e n t i f i e r s (which we s h a l l denote here by syi l tac t ic va r i ab les

s,sl,~2,...,t,tl,t2,...). There is a bas ic paragraph i d e n t i f i e r cover . This w i l l p lay t h e rBle of the empty environment; the word "cover" i s meant

t o suggest "bookjacket". Besides ordinary AUTQMATH l i n e s (which we w i l l c a l l

here proper l i n e s ) , we have a s p e c i a l s o r t of l i n e s ( ca l l ed paragraph l i n e s ) ,

which a r e used t o ind ica te t h e paragraphs. There a r e two kinds of paragraph

l i n e s : opening l i n e s which have t h e form + s f and c los ing l i n e s which c o n s i s t

of the s i n g l e symbol -.

2. F i r s t r u l e f o r paragraph l i n e s

For t h i s desc r ip t ion we s h a l l number the l i n e s of our book (proper

l i n e s a s well a s paragraph l i n e s ) i n t h e i r proper order , and we w i l l indi -

c a t e l i n e s by t h e i r numbers. For each l i n e n we def ine o ( n ) ( c ( n ) r e spec t i -

ve ly) t o be the number of opening l i n e s (c los ing l i n e s respect ively) prece-

ding it.

The f i r s t r u l e f o r paragraph l i n e s is:

o ( n ) 1 c (n) f o r a l l n.

It follows t h a t the paragraph l i n e s provide the book with a kind of nested

s t r u c t u r e .

The paragraph l e v e l of a l i n e n i s defined by p l ( n ) = o ( n ) - c ( n ) . For

a l i n e n with p l ( n ) > 0 we def ine i t s paragraph opening by

po(n) = max{m I m < n and pl(rn) 0 the l i n e po(n) is an opening l i n e , and t h a t

p l (po(n) = p l ( n ) - 1.

3. An example

AS an example we represent schematically a book with paragraphs. The

numbering of the lines in the book appears to the left. It only serves our

(metalingual) discussion, and does not belong to the schematically indica-

ted AUTOMATH text. The proper lines are indicated by their identifiers (con-

stants or variables) and their contexts. The dots indicate middle parts and

category parts.

In this example we have indeed o (n) > c (n) for- aLl n, and e. g.

o(4) = 1, c(4) = 0 hence pl(4) = 1

o (16) = 3, c(16) = 3 hence pl(16) = 0

po(4) = 3

po (IS) = 13

po(20) = 17 .

4. Indices and paragraphs

For references to paragraphs we use indices. An index has the form

s1 - s2 -...- s (with u 2 1). The sign - is used as a separator, and has U

nothing to do with the - of closing lines. As a syntactic variable for in- - - -

dices we use s. If s - sl - s2 -...- s then s - s denotes s - s2 -. . .- s - s. U U

For each line n we define an index ind(n) as follows:

if pl (n) = 0 then ind(n) = cover.

if pl (n) > 0 and po (n) - +s then ind(n) = ind(po (n) ) - s. Note that, by this definition, for each n the first paragraph identifier in

ind(n) is Cover . Indices of the form cover-s2 -...- s are called compzete U

indices. So, for all n, ind(n) is complete.

In the example we have:

ind(3) = cover

ind(4) = cover - s

ind(9) = cover - s - t ind(l5) = cover - t .

Given a book 8 and an index i , the subsequence of 8 consisting of those

lines n for which ind(n) = s is called the paragraph of s. Note that paragraphs are mutually disjoint.

In our example the paragraphs are:

- for s r cover : 1,2,3,12,13,16

- for s - cover - s : 4,5,6,7,11,17

- for s r cover - s - t : 8,9,10,18,19,20

- for s z cover - t : 14,15.

If n is a line in a paragraph, and pl (n) > 0 then the line po(n) is

called an opener.ofthe paragraph. Note that the openers of a paragraph are

not lines of that paragraph. The first opener of a paragraph is called the

paragraph opener of that paragraph, the other openers are called reopeners.

The closing lines in a paragraph are called the closers of that paragraph.

In our example we see:

- for s : Cover - S the paragraph opener is 3, a reopener is 16 and a clo-

ser is 11. - for s = cover - S - t the paragraph opener is 7, a reopener is 17 and

closers are 10 and 20. - for s = cover - t the paragraph opener is 13 and a closer is 15.

5. The r u l e f o r cons tan t s

The r u l e i n AUTOMATH languages requir ing t h a t constants introduced i n

d i f f e r e n t l i n e s a r e d i f f e r e n t , i s weakened i n t h e p resen t language a s f o l -

lows :

Constants introduced i n d i f f e r e n t proper l i n e s i n the same paragraph

must be d i f f e r e n t .

Note t h a t i n our example t h i s r u l e is observed.

For reference t o a constant c introduced i n the l i n e n we use t h e con-

s t a n t indexed, i. e . we w r i t e c";" where s = ind (n) . Note t h a t f o r an index-

ed constant c":" the index ; is always complete. In our example t h e con-

s t a n t s a introduced i n t h e l i n e s 1 , 5 and 9 appear indexed a s a " ~ 0 ~ e r " , auc0ver - s" and aUcover - s - tl' respect ively .

By t h e r u l e f o r constants t h e indexed forms of constants introduced i n

d i f f e r e n t l i n e s a r e d i f f e r e n t . So i f we would replace each constant by i t s

indexed form we would g e t a book where the s t r i c t r u l e f o r constants i s ob-

served.

6. The second r u l e f o r paragraph l i n e s

It is an e s s e n t i a l f e a t u r e of our language t h a t ind ices i n indexed con-

s t a n t s can be abbreviated, even ( i n some cases) t o t h e point of omitt ing

them e n t i r e l y . For t h i s purpose t h e r e i s a second r u l e f o r paragraph l i n e s :

I f +s i s a l i n e with number n, then s may no t occur i n i n d ( n ) .

I t follows t h a t the paragraph i d e n t i f i e r s o f i n d ( n ) a r e mutually d i f f e r e n t .

We s h a l l now descr ibe t h e i n t e r p r e t a t i o n of a constant c with abbre-

v i a t e d (or without) index. We assume t h a t such a constant occurs i n t h e mid-

d l e p a r t o r category p a r t of a proper l i n e n wi th ind(n) = ; = sl - s2 -. . .- s k' We d i s t ingu i sh th ree cases f o r t h e form of the abbreviated index.

i

ii)

c l ' t l - t2 -. . . - t " where t f cover. In t h i s case tl must be one (and R 1

the re fo re , by t h e second r u l e , exact ly one) of s 1 , ~ 2 1 . . . , ~ k . Suppose

tl - s then c M t l - t 2 - ...- tkl' should be in te rp re ted a s i

cl 's l - s2 -. . .- s - t2 -. . .- t ' I . I n our example, i f at's" occurs i n t h e i R

dots of l i n e 19, it should be in te rp re ted a s ~ " C O V W - S". c" - t - t2 -...- t " should be in te rp re ted a s

1 R c"s l - s2 -. . .- s k - t l -t2 -...- t ".

R In our example, i n t h e d o t s of l i n e 1 2 a" - S" should be in te rp re ted

a s allcover - s " and a" - s - t" a s ancover - s - t".

iii) c appears without index. Then c should be in te rp re ted a s c":" where t is t h e " longest poss ible i n i t i a l p a r t of s". 1.e. : I f c i s i d e n t i f i e r

of a l i n e preceding n i n t h e paragraph of s then c should be in te rp re -

t e d a s c";", e l s e i f c i s i d e n t i f i e r of a l i n e preceding n i n t h e para-

graph of s -s2 -...- s then c should be in te rp re ted a s k- 1

c"s l - s2 -. . .- s " e t c . k- 1

I n our example, i n t h e do t s of l i n e 4 , a should be i n t e r p r e t e d a s

aflC0Ver" , while i n l i n e 6 a should be in te rp re ted a s a"C0Ver - S " . Note t h a t i n the middle p a r t o r category p a r t of l i n e 9 a should

again be in te rp re ted a s a"c0Ver - S " ( i . e . t h e i d e n t i f i e r introduced

i n l i n e 5 ) .

We see t h a t the i n t e r p r e t a t i o n of a constant with abbreviated index

depends on the place i n the book where it occurs.

7. Reference t o va r i ab les

According t o t h e d e f i n i t i o n of AUT-QE, va r i ab les x l , ...,xk of a context

x1 E a l , . . . , xk E a must be mutually d i f f e r e n t i d e n t i f i e r s . W e maintain t h i s k r u l e i n AUT-PAR. Thus f r e e va r i ab les occurring i n t h e middle p a r t o r catego-

r y p a r t of a l i n e always r e f e r t o a (unique) va r i ab le of t h e context (Cf.

CVD, 2.4, 2.13.2, 5.5.2, 5.5.31). Therefore such va r iab les a r e never indexed.

For va r i ab les the re a r e i n AUTOMATH no r e s t r i c t i o n s t o t h e i r use a s

i d e n t i f i e r p a r t s of d i f f e r e n t l i n e s . I f a va r i ab le x appears a s a context

ind ica tor ( C V D , 2.13.1 i)]) of a l i n e n it always r e f e r s t o t h e l a t e s t EB-

l i n e introducing x which precedes n. I n AUT-PAR a context i n d i c a t o r must be

indexed and f o r t h e indexed va r iab les we allow the same abbrevia t ion r u l e s

a s i n sec t ion 6. Hence t h e context ind ica to r X i n l i n e 5 of our example

should be in te rp re ted (according t o 6 iii) above) a s X"COVW - S " , i . e .

t h e v a r i a b l e introduced i n l i n e 5. The context ind ica to r X i n l i n e 8 should

a l s o be in te rp re ted a s X " C O V ~ ~ - S" , but it r e f e r s t o t h e va r i ab le i n t r o -

duced i n l i n e 6. In f a c t i n l i n e s n with n > 6 the re is no p o s s i b i l i t y t o

use t h e va r i ab le X introduced i n l i n e 4 a s a context ind ica to r . The con-

t e x t ind ica to r X i n l i n e 19 should be in te rp re ted a s X " C O V ~ ~ - S - t" , thus r e f e r r i n g t o t h e va r i ab le introduced i n l i n e 18.

I f we want t o wr i t e l i n e 19 on t h e context introduced i n l i n e 6 we

should wri te :

o r , with a complete index:

19 xMcover - s " * d := ..... I t is allowed t o introduce a new variable i n l i n e 19 by

X"S" * y := -E .... - However

X"S" * x := - E .... - would not be allowed, because t h i s would give two variables X i n one con-

tex t .

8. Remarks on notation

Deviating from the notations fo r paragraph l i nes described above, we

denote reopeners of a paragraph not by +s but by +*s, and closers of the

paragraph of s 1 - ~ 2 -...- sk by -sk. Thus the l i n e s 16 and

should be written +*S and +*t , and the l i nes 11 and 15

respectively. This redundant notation i s preferred fo r the

l i t y .

17 i n our example

a s -S and -t

sake of readabi-

Appendix 3. The PN-lines from the preliminaries

LAYOUT FROM F I L E : EXCERPTOUTPUT/PREPNS JANUARY 25, 1977 lO:48:41

* A A * B B 1: I M P * CON A * NOT A * WEL A * W W * E T R * EC B * AND * SIGMA

SIGMA * P P * A L L P * NON P * SOME

SIGMA * S S * T T * I S S * R E F I S P * S S * T T * SP

SP * I I * I S P P * AMONE

P * ONE

P * 0 1 0 1 * I N D 0 1 * ONEAX

SIGMA * TAU TAU X F

F * I N J E C T I V E

F * TO TO * IMAGE

TAU * F F S G G * I I * F I S I P * OT P * 01

0 1 S I N 01 * I N P

P * O T A X I

P 8 S S * SP

SP * OTAX2 TAU $ PAIRTYPE TAU S

S * T T * P A I R

TAU * P 1 P i * F I R S T P 1 * SECOND P 1 * P A I R I S 1

T * F I R S T I S I T * SECONDIS1

i PROP i PROP i PROP i PROP i PROP i PROP i WEL(A) i A i PROP i PROP i TYPE i CXvSIGMA3PROP i PROP i CXvSIGMAJPROP i PROP

i SIGMA i SIGMA i PROP i I S ( S v S ) i SIGMA i SIGMA 5 <S>P i I S ( S r T ) i <T>P

i PROP

i PROP i ONE(S1GKAtP) i SIGMA i <IND>P i TYPE i CXrSIGMA3TAU

IMP(IS(TAU~<X>FP<Y>F)~IS(X~Y)) 1 ) i PROP --- i TAU SOME(CX~SIGMAIIS(TAUITOI<X>F)) i PROP --- i CXvSIGMAlTAU --- i CXvSIGMA3TAU --- i CXISIGMAIIS(TAUI<X>F~<X>G)

i IS(CXvSIGMA1TAUvFvG) i TYPE i OT i SIGMA i <IN>P C INJECTIVE(OTvSIGMAtCXIDT3

I N ( X ) l i SIGMA i <S>P i IMAGE(OTrSIGMArCXrOTlIN(X)vS) i TYPE i SIGMA i TAU i PAIRTYPE i PAIRTYPL? 5 SIGMA i TAU i I S ( P A I R T Y P E v P A I R ( F 1 R S T I

S E C 0 N D ) v P l ) i I S ( S I G M A v F f R S T ( P A 1 R ) r S ) i IS (TAUvSECOND(PA1R) r f )

21 SIGMA * SET SIGMA * S

S * SO 22 SO * EST1 2 3 P 1: SETOF

P * S S * SP

2 4 SP * EST11 S * E

25 E ESTXE SIGMA * SO

SO * TO TO * INCL TO * I I n J

26 J $ ISSETI

TYPE SIGMA SET PROP SET SIGMA <S>P ESTI(SvSETOF(P)) ESTI(S9SETOFCP)) <S>P SET SET

PROP INCL(SOvT0) INCL(TOvS0) IS(SET~SOPTO)

86

Appendix 4. Excerpt for "Satz 27"

LAYOUT FKOH FILE : EXCERPTOUTPUT/SATZ27 JANUARY 251 1977 10:58:22

* A A * B B $: IMP B t A1

A1 * I I * HP B * C C * I I * J J $ TRIHP

$ CON A * NOT A * WEL A * A1

A1 $ WELI A * W W * ET A * Cl

Cl * CONE

i PROP i PROP i PROP i A i II.IP(AIB~ i B i PROP i IHP(ArB) i IHP(BrC) i IHP(AvC) i PROP i PROP i PROP i A i WEL(A) i WEL(A) i A 8 CON i A

B * EC := IHP(ArNOT(B)) i PROP

B * AND B * A1

A1 * B1 B1 * AND1 B * A1

A1 * ANDE1 A1 * ANDEZ

0 * 1 I * J J * ORAPP

* SIGMA SIGMA * P

P * ALL i TYPE i EXrSIGMAIPROP i PROP

P * S S * N N * THl

: --- i SIGMA : = --- i NOT(<S>P) := CXrALL(SIGMArP)I<<S>X>N i NOT(ALL(S1GMArP))

P 1: NON P * SOME P * S S * SP SP * SOME1

:= CXvSIGMAINOT(<X>P) i CXrSIGMAIPROP := NOT(NON(P)) i PROP : = --- i SIGMA : = --- i <S>P := THIS-ALLg(NON(P)rSrWELI(<S>Pr

SF)) i SOME(S1GMAvP)

i SOME(S1GMArP) i PROP i CYrSIGMAIIt+P(<Y>PrX)

I * SOMEAPP

PROP AND3(ArBrC) A B C A B C

C * A1 A1 * THl

SIGMA S S S * T T * IS S * REFIS P * S S * T T * SP

SP * I I * ISP

SIGH6 * S S * T

' T * I I * sYnIs T * U U * I I * J J * TRIS U * I I * J J * TRISZ T * N N S SYMNOTIS

i SIGMA i SIGMA i PROP i IS(S*S) i SIGMA i SIGMA i <S>P i IS(SrT) i <T>P i SIGMA 5 SIGMA i IS(SrT)

i IS(TrS) i SIGMA i IS(SrT) i IS(T*U)

U * V V Y I I * J J * K K * TR3IS V * W W * I I * J J * K K * L L * TR4IS P * AMONE P ONE

P * 01 01 Y IND 01 * ONEAX

SIGMA TAU TAU F F * S S Y T T * I I ISF

TAU * F F * G G * I I * S S * FISE G * I 1 * FISI

SIGMA * SET SIGMA * S

S * SO SO * EST1 P * SETOF P * S S * SP

SP * EST11 S * E E * ESTIE

P PROP

? PROP i AMONE(S1GMAvP) i SOME(S1GMArP)

i ONE(S1GMAvP) i ONE(S1GMAvP) i SIGHA i <IND>P i TYPE i CXvSIGMAITAU i SIGMA I SIGHA i IS(SvT)

IS(TAUv<S>Fv<T>F) CXrSIGMA3TAU CXvSIGMAJTAU IS(CXvSIGMA3TAUvFvG) SIGMA

3 TYPE 8 SIGMA 8 SET i PROP i SET 8 SIGHA 8 <S>P 8 ESTI(SvSETOF(P)) i ESTI(SvSETOF(P)) i <S>P

* NAT * X X * Y Y * IS Y $ NIS X * S S * IN * P P * SOME P * ALL * 1 * SUC * X X * Y Y * I I I AX2 * AX3 * AX4

* P P * 1P 1P * XSP

XSP * X

X t S X * T1 X * Y Y * YES

YES % T2 YES * T3 X Sr T4

X * INDUCTION * X X * Y Y * N

TYPE NAT NAT PROP PROP SET (NAT) PROP CXvNAT3PROP PROP PROP NAT CXvNAT3NAT NAT NAT IS(X?Y) IS(<X>SUC?<Y>SUC) CXINAT~NIS(<X>SUC~~) CX~NAT~CYINATICUPIS(<X>SUCP <Y>SUC)3IS(XvY) SET (NAT ) PROP

PROP CSvSET(NAT)3CUvCONDl(S)3 CVvCOND2(S)3CXvNAT3IN(XvS) CXvNAT3PROP <1>P CXvNATJCYv<X>P3<<X>SUC>P NAT

:= SETOF(NATvP) i SET(NAT) := ESTII(NATvPvlv1P) 5 CONDl(S) : = --- i NAT : = --- i IN(YvS) := ESTIE(NATvPvYvYES) i <Y>P := ESTII(NATPPI<Y>SUCI<T~><Y>XSP) i IN(<Y>SUCvS) := <X><CYvNAT3CUvIN(YvS)lT3(YvU)>

<Tl><S>AX5 5 IN(XvS)

Y * TlO PB S TI1

X * AA

:= OR(IS(Xv1)vSOHE(CUvNATIIS~Xr SUC) ) ? i PROP.

:= ORI1(IS(lrl)vSOME(CLLvNATJIS(lr SUC))vREFIS(NATvl)) i PROPl(1)

:= SOMEI(NATrCU?NATlIS(<X>SUCv SUC)~XIREFIS(MAT~<X>SUC)~ 5 SOHE(CU~NATIIS(<X>SUCPSUC)

2 := ORI2(IS(<X>SUCvl)vSOME(CUrNATl

IS( <X:>SUC r ':U>SUC) ) rT2) i PROPl(<X>SUC) := INDUCTION(CYvNATlFROPl(Y)rTir

CYvNATJCUvPROPl(Y)lT3(Y),X) 6 PROPl(X)

5 PROP 5 PROP i CYtNATINAT i CYvNATINAT i PRQPP(A) i PROPP(B) I NAP i PROP

i PROP i PROPl(1vSUC)

PROP4 ( X) CYPNATJNAT PROP2 ( F ) CY rNAT3NAT NAT IS(<Y>Gv<<Y>F>SUC)

X * PLUS

Y * PL

+*24

X * T26

X * SAT24 := ONEI(CYINATINATPCZ?CY?NATJNAT~ PR0P2 ' -24 ' (Z )~AA ' -24 ' rBB ' -24 ' ) i ONEmE'(CY?NAT3NAT?CZ~EYrNAT3

NATIAND(IS(<l>Z?<X>SUC)r ALL(CY?NAT3IS(<<Y>SUC>Z?<<Y> Z>SUC)) ) )

:= IND(CYINATJNAT?CZ?CY?NAT~NAT~ PROP2'-24'(Z)rSATZ4) i CYPNATJNAT

:= <Y>PLUS i NAT

PLUS)

X?<Y>SUC)?<PL

X * SATZ4E Y 8 SATZ4F

X * SATZ4G Z * I I * ISPLl I * ISPL2

-25

Z * SATZS

Y * COMPL

PROP IS(PL(Y?l)r<Y>SUC) IS(PL(lrY)r<Y>SUC)

Z * DIFFPROP

Y S I Y * I1 Y S 111 Y * ONEl

ONEl * U U * T1

Y * T4 ONE1 * T5

Y * T6 Y * TWOl

TWOl * THREE1 THREE1 * U

U * DU DU S V V * DV

DV * T6A

TWO1 * TlO Y * TI1 Y * A

Y * MORE Y * LESS Y * SATZlOB Y * M M * SATZll Y * MOREIS Y * LESSIS, Y * M M * SATZl3

:= NIS(YrPL(XrY)) i PROP := SYMNOTIS(NATr.<X>SUCrlr<X>AX3) i NIS(lr<X>SUC) := TH4*E-NOTIS*(NATrlr<X>SUCr

PL(Xrl)rTlrSATZ4A) i FROPl(1) : = --- i PROPl(Y) := SATZl(YvPL(XrY)rP) i NIS(<Y>SUCr<PL(XrY)>SUC) := TH4.E-NOTISm(NATr<Y>SUCI(PL

(XrY)>SUCrPL(Xr<Y>SUC).TJ, SATZ4B) i PROPl(<Y>SUC)

:= 1NDUCTION(CZrNAT3PROPlm-27*(Z) rT2'-27'rCZrNAT3CUrPROP1.-27' (Z)lT4'-27'(ZrU)rY) i NIS(YrPL(XrY))

:= IS(XrPL(Y*Z)) i PROP

:= IS(XrY) i PROP := SOHE(CUrNAT3DIFFPROP(XIYIU)) i PROP := SOHE(CVrNATJDIFFPROP(YrXrV)) i PROP . - . - --- i I : = --- i NAT := TRIS(NATrPL(UrX)rPL(XrU)v

PL(YrU)rCOMPL(UvX)r ISPLl(UrONE1)) i IS(PL(UrX)rPL(YrU))

:= TH3gE-NOTISm(NATrXrPL(UIX)r PL(YrU)rSATZ7(UrX)rTl) i NIS(X~PL(YPU))

:= TH5.L-SOMEm(NATrCUrNAT3 DIFFFROP(U)rCUrNATlT2(U)) i NOT(I1)

:= THl'L-EC'(IrIIrCZr13T3(Z)) i EC(IrI1) := T3(YvXrSYMIS(NATrXrYrONEl)) i NOT(II1) := TH~'L-EC*(III~I~CZII~T~(Z)) i EC(IIIr1) 1 - . - --- i I1 : = --- i I11 : = --- i NAT : = --- i DIFFPROP(XrYrU) : = --- i NAT : = --- i DIFFPROP(YvXvV) := TR4IS(NATrXrPL(YrU)rPL(PL(XrV)

rU)rPL(XrPL(VrU))rPL(PL(VIU)r X)rDUrISPLl(YrPL(XrV)rUrDV)* ASSPL~(XIV~U)~COHPL(XIPL(V~U)) ) i IS(XrPL(PL(VrU)rX))

:= MP(IS(X~PL(PL(VIU)~X))ICON~ T6ArSATZ7(FL(VrU)rX)) 8 CON

:= SOMEAPP(NAT~CV~NATIDIFFPROP(YP x ~ V ) ~ T H R E E I ~ C O N ~ C V T N A T I C D V ~ D I F F F R O P ( Y ~ X I V ) ~ T ~ ( V ~ D V ) ) 5 CON

Li SOHEAPP(NATrCUrNAT3DIFFFROP(U) rTWOlrCONrCUrNAT3CDUrDIFFPROP (U)3TB(UrDU)) 5 CON

:= CZrIIIIT9(Z) i NOT(II1) := THl'L-EC.'(IIrIIIrCZvIIJTlO(Z)) i EC(IIrII1) $1 TH6'L-EC3'(IrIIrIIIrT4rTllrT6) i EC3(IrIIrIII)

- .- -. DIFFPROP(XrYrU))rSOME(CVrNATJ DIFFPROP(YrXrV)))

:= SOHE(EUrNATIDIFFPROP(XrYrU)) i PROP PROP EC~(IS(X~Y)FMORE(XPY)~ LESS(XrY)) MORE(XPY) LESS(YIX) PROP PROP MOREIS(XrY)

i MOREIS(ZrY) i IS(X9Y) i MOREIS(XrY) i MORE(XrY) i MOREIS(XrY) i NAT i IS(X?Y) i IS(ZrU) i HOREIS(XrZ)

N * M M * LBPROP

N * LB N * MIN P * S

i LESSIS(PL(Yv1)rX) i CXINAT~PROP i NAT

i NCIT := IHP(<M>PvLESSIS(NvM)) i PROP

:= ALL(CXrNAT3LBPROPm-327'tX)) i PROP := AND(LBr<N>P) i PROP : = --- i SOME(P)

NAT LBPROPClrN) LB(1) CXrNAT3LB(X> NAT <Y>P MORE(PL(Yr1)vY) NOT(LESSIS(PL(Yr1)rY))

NOT(LB(PL(Yr1)))

CON

CON

NP Ti9 NMP * T20 NnP * ~ 2 1

A * T22 A * T23

: = --- i NON(NATICX?NATIAND~LB(X) F

. - NOT(LB(PL(Xr1))))) . - --- 5 NAT : = --- i LB(M) := <M>N i NOT(AND(LB(M)rNOT(LR(PL(Mrl))

) ) ) := ET(LB(PL(nv1))r

TH3'L-AND'(LB(M)r NOT(LB(PL(Mrl)))rT9rL)) i LB(PL(Mr1))

:= ISP(NATrCXrNATILB(X)rPL~Mvl)r <H>SUCPTIOPSATZ~A(H)) i LB(<M>SUC)

:= CXrNAT3INDUCTION(CYrNATILB(Y)r T2rCYrNATlCZrLB(Y)lTll(YrZ)rX) i CXrNATJLB(X)

:= CXrNON(NATrCXrNATIAND(LB(X)r NOT(LB(PL(Xrl)))))IT8(T12(X)) i SOME(EXrNATJAND(LB(X)r

NOT(LB(FL(Xr1))))) 1 = --- i NAT : = --- i AND(LB(M)rNOT(LB(PL(Mrl)))) := ANDEl(LBIM)rNOT(LB(PL(flrl)))r

A) 5 LB(H) := ANDE2(LB(M)rNOT(LB(PL(Mrl)))r

A ) . - 5 NOT(LB(PL(Mr1))) . - --- i NOT(<M>P) := --- i NAT - . - --- i <N>P := MP(<N>PrLESSIS(MrN)rNPr<N>T14) i LESSIS(MrN) := TH3.L-IMPg(IS(MrN)r<M>PrNMPr

C X I I S ( M ~ N ) I I S P ( N A T ~ P I N P M ~ N P ~

Appendix 5. Two shortcomings of the verifying program

The verifying program was conceived at the time when the language theo-

ry of AUTOMATH was still in its infancy. Actually the first satisfactory de-

finition of AUT-QE only appeared afterwards. The program can therefore be

seen as a formalization of an informal concept of the language in the pro-

grammer'smind.This concept, though informal, was quite clear; in fact it

was proved afterwards that the main procedure is adequate and terminates

( CVDI, CvD21) . Besides being correct, the program had to be efficient: verifying a

text should be actually feasible (and not only theoretically possible). This

requirement led the programmer to economize on substitution, as by substitu-

tion expressions tend to become longer, and also because in substitution an

expression has to be scanned and completely rebuilt. Even after the program

had been operational for a year, simplifications by avoiding substitution

shortened the processtimeconsiderably.

However, in two places economy went a bit too far. It is well known

that a-reduction, i.e. renaming of bound variables (which is a special case

of substitution) is sometimes necessary in order to avoid cZash of variables.

It has been assumed by the programmer that a-reduction is superfluous if all

binding variables of input expressions get different codes (see CZ~]).

Unfortunately, as has been shown by v. Daalen, this is not the case.

Clash of variables may still occur in the following two ways:

D D i) When it is tried to establish CX,AIB = CY,CID this is done by A = C and

D B = Uy/xD~ (see [zl], 8.4.1). This gives wrong results when x is

D D free in D. It would be correct to try A = C and UX/ZDB = UY/ZDD, where

z is a fresh variable.

The fact that clash of variables may actually occur in this way is shown

by the following example. We consider the (correct) book:

Suppose it has to be established, relative to this book, whether

It is easily seen that both expressions are correct, and that the first

expression reduces by 6-reductions to

where, as it should be, in the subexpression [x,nla(x,b) the second x

is bound. Hence the expressions are not definitionally equal. The pro-

gram will not discover this, because it will proceed to check

D D and then a E a x = X and Cx,nla(x,b) = Cx,nla(x,b).

ii) The claim (in [Zll, 5.1) that by 6-reductions on expressions with dis-

tinct binding variables eventually no clash of variables can arise is

not justified, as we show by another example: Consider the following

(correct) book:

Now

4zSi ,nlCj ,nlnlCy,n1Cx,nla(~x~z,y)~ Cu,Ck,C l ,nlCm,nlnlCp,nlCq,nlnl~~b>u>u

reduces by @-reductions to

If we reduce this further, the x indicated by (21, which is bound by

the abstraction indicated by (I), will be bound by the abstraction in-

dicated by (3), since the expression reduces (in the verifying program)

while it should reduce to

(where v is a new variable).

Appendix 6 . Example of a text in AUT-68

* PROP := PN

a * u . - . - u * ALLe :=

u * V e :=

P * u . - . - u * ALLi :=

u * V i :=

P N

ALL - - PN

ALLe - P N

ALLi

Etype - E PROP - Etype -

Etype - E Cx,SIPROP - E PROP - E PROP - E S - E t ( V ( P ) ) - E k(<a>P) - E I-(<a>Pf - E Cx ,SIC (<x>P) - E t - (V(P)) -

B * u . - . - - E H A ) - u * v i l := ALLi(PROP,Cx,PROP1((A-tx)-t((B+x)-tx)),

Cx,PROPl-ti (A-tx,(B+x)+x,

Cy ,t (A-tx) l+i (B+x ,x,

Cz ,k(B+x)l+e(A,x,y,u)))) - E I-(AvB)

E * u . - . - - E k ( B ) - u * v i 2 := ALLi (PROP,Cx,PROPl((A-tx)-t((B+x)+x)),

Cx ,PROPl-ti (A-tx, (B+x)+x,

Cy,t(A+x)l+i (B+x,x,

Cz,F(B-tx) l - te(B,x,z ,u)))) - E ~ ( A v B )

P * SOME := ALL(PROP,Cx,PROPl(V(Cy,Sl(~y~P+x))-tx)) - E PROP

P * 3 . - 1 - SOME - E PROP

P * X . - . - - E PROP - X * u . - . - - E t ( 3 ( P ) ) - U * V . - . - - E Cx,SICy,k(<x>P)lk (X) - v * SOMEe := +e(V(Cy,Sl(<y>P+X)) ,XI

ALLe(PROP,Cx,PROPl(v(Cy,Sl(~y~P+x))

+x) ,X,u) ,vi (Cy,Sl(<y>P+X),

Cy,Sl+i (<y>P,X,<y>v))) - E k ( X )

v * 3 e := SOMEe - E k (X )

a * u . - . - - E k(<a>P) - u * SOMEi := ALLi (PROP,Cx,PROPl(v(Cy,Sl(~y~P+x))+x),

Cx,PROPI+i (v(Cy,SI(<y>P+x)) ,x,

Cz,t (V(Cy,Sl(<y>P-tx)))l+e(<a>P,x,

'Je(C~,sl(<y>P+x),a,z),u))) - E W P ) ) u * 3 i . - . - SOMEi - E k(g(P) )

S * a . - . - - E S - . - a * b . - - E S - b * IS := ALL(CX,SIPROP,C~,CX,S~PROI~](<~>~-~<~>~)) - E PROP b * a=b := I S - E PROP

a * I S i := ALLi(Cx,S1PROP,Cp,Cx,SlPROPl(~a~p+~a~p), Cp,Cx,SlPROPl+i (<a>p,<a>p ,Cy,l-(<a>p)ly)) - E C(a=a)

a * REFIS := I S i - E t (a=a) a * = i . - . - I S i - E t (a=a)

a * r e f = := I S i - E t (a=a)

b * u . - . - - E I-(a=b) - U * V

. - . - - E t (<a>P) - v * ISe := +e(<a>P,P,ALLe(Cx,SlPROP,

[p,~x,SlPROPI(<a>ptp) ,P,u) ,v) E k(P)

v x SUBST.PRED := I Se - E t ( < t > P )

v * =e . - . - I Se - E t (P)

S * a

a * b

b * u

u * SYM. IS

u * sym= b * c

e * u

u * v

v * TR.IS

v * tr=

. - . - - := =e(Cx,Sl(x=a) ,a,b,u,=i(a)) . - . - SYM. IS . - . - -

. - . - - := =e(Cx,SI(a=x),b,c,v,u) . - . - TR. I S

b * a#b . - . - i ( a = b ) - E PROP

+N

* n a t . - . - PN

* P . - . - - P * V . - . - ALL(nat,P)

P * n . - . - - n * u . - . - - u * ve . - . - ALLe(nat,P,n,u)

E PROP - E PROP - E t ( 3 ( P ) ) - E ~x,nai lCy,k(<x>P)Ik(X) - E I-(X) - E I-(<n>P) - E I-(W) - E na t - E na t - E PROP - E PROP -

REF. IS(nat,n) - E I-(n=n) - E I-(n=m) -

SYM. IS(nat,n ,m,u) - E I-(m=n) - E na t - - E I-(n=m) - - E C(m=l) -

TR. IS(nat,n,m,l ,u,v) - E C(n=l)

- E na t - - E na t - - E I-(n=m) - - E t (<n>P) -

SUBST.PRED(nat,P,n,m,u,v) - E k(<m>P)

- E Cx,natlS - - E na t - - E n a t - - E k(n=m) -

SUBST.FN(nat,S,f ,n,m,u) - E I-(IS(S,<n>P,<m>f))

v * i nduc t i on := ve(P,n,axiom5(P,u,v))

* n

n * m

m * u

u * S a t z l

* P2 n * Sa t z2

* P3

* 1 1

n * 12

n * 13

E n a t - E n a t - E n a t -

E I-(n'B1) - E n a t - E t ( n ' = m l ) - E I-(n=m) -

E n a t - E I - (< l>P) - E Cx,nat lCy, t (<x>P) lk (<x '>P) - E I-(<n>P) -

Appendix 7. Excerpt for "Satz I", "Satz 2" and "Satz 3".

LAYOUT FROM FILE : EXCERPTOUTPUT/SATZlEN2EN3 JANUARY 251 1977 10352335

* A A * B B * IMP B * C C * I I * J J % TRIMP

% CON A * NOT A % WEL 4 * A1 A1 * WELI A * W W % ET A * C1 C1 % CONE

B * OR B * A1 A1 * OR11 B * B1 B1 % OR12 B * a O * N N % ORE2

% SIGMA SIGMA % P

P * ALL

P * S S * N N % THl

P % NON P % SOME P * S S * SP

SP * SOME1

PROP PROP PROP PROP IHP(AIB) IHP(BvC1 IMP(AvC) PROP PROP PROP A WEL(A) WEL(A) A CON A

PROP A ORCAvB) B ORCArB) OR(AvB) NOTCA) B TYPE CXvSIGHAJPROP PROP

: = --- i SIGMA 8 - --- i NOT(<S>P) := CXvALL(SIGMAvP)J<<S>X>N i NOT(ALL(S1GHAvP))

SIGMA S 8 : 6

S * T t = T % IS :a

S S REFIS t =

:= CXvSIGMAJNOT(<X>P) i CXPSIGMAJPROP := NOT(NON(P)) i PROP : = --- 5 SIGH6 : = --- 9 <S>P := THle-ALLm(NON(P)*S~WELI(<S>Pv

SP)) i SOME(S1GMAvP)

i SIGMA 5 SIGMA i PROP i IS(S1S)

SIGMA SET SIGMA * S

S * SO SO * EST1 P 1( SETOF P * S S * SP

SP * ESJII S * E E * ESTIE

X NAT * X X * Y Y * IS Y 1: NIS X * S S * IN * P P * SOME P * ALL * 1 * SUC * AX3 * AX4

* P P * 1P 1P * XSP

XSP * X

X S S X * T1 X * Y Y 1: YES

YES * T2 YES * T3 X S T4

TYPE SIGMA SET PROP SET SIGMA <S>P ESTI(SvSETOF(P)) ESTI(SvSETOF(P))

; <S>P

t = PN 6 TYPE t = --- i NAT . - . - --- i NAT := ISgEg(NATrXvY) i PROP := NOT(IS(XvY)) i PROP . - . - --- i SETtNAT) := ESTI(NATrXvS) i PROP . - . - --- i CXvNAT3PROP := SOHEmL'(NATrP) # PROP := ALLmL'(NATrP) i PROP . - . - PN i NAT . - + - PN i CXvNAT3NAT . - + - PN i CXvNAT3NIS(<X>SUCrl) : = PN i CXrNAT3CY?NAT3CUvIS(<X>SUCv

<Y>SUC)3IS(XvY) : = --- i SET(NAT) := IN(lrS) 5 PROP := ALL(CXvNAT3IMP(IN(XvS)tIN(<X>

SUCvS) 1 ) i PROP t = PN i CSvSET(NAT)3CUvCONDl(S)3

C V ~ C O N D ~ ( S ) ~ C X I N A T ~ I N ( X I S ) : = --- i CXvNAT3PROP := --- i <1>P :a --- i CXvNAT3CYr<X>P3<<X>SUC)P : = --- 3 NAT

:= SETOF(NATvP) i SETtNAT) := ESTII(NAT?PvlrlP) i CONDl(S) : = --- i NAT . - . - --- i IN(YvS) - := ESTIE(NATvPvYvYES) i <Y>P := ESTII(NATvPr<Y>SUC?<T2><Y>XSP) i IN(<Y>SUCvS) := <X><CYvNAT3CUvIN(YvS)3T3(YvU)>

<Tl><S>AXS i IN(XvS)

X * INDUCTION := ESTIE(NATrPvXvT4'-11.1 5 <X>P * X : = --- D NAT X * Y : = --- 8 NAT

Y * N := --- i NIS(XvY)

5 PROP i PROPl(1) i PROPl(X) 5 PROPl(<X>SUC)

Appendix 8. Example of a text in AUT-68-SYNT

t PROP . - . - * A . - . -

A * k . - . -

* z l . - . - - z l * ass.prop := l a s t e l t ( t a i 1 (k , c a t ( z l ) ) )

D SO: if u - E k ( A ) then ass.prop(u) = A - E PROP

* S . - . - S * P . - . - P * ALL . - . -

so: if P - E Cx,SlPROP then V(P) ALL(S,P) - E PROP

p * a . - . - a * u . - . - u * A l l e . - . -

so: if a S , u - E k ( V ( P ) ) then Ve(a,u) - E k(<a>P)

u * ALLi . - . - PM

zl * v i := ALLi (dom(z1) ,Cx,dom(zl)lass . p rop (<x>z l ) ,211

So: if U - E [x,S]k(<x>P) then v i (u) k ( v ( P ) )

E s y n t -

so: if a E S , b - E T (a ) , u - E k (VZ(P2) ) t h e n VZe(a,b,u) - E C(<a>P2)

SO: if u - E Cx,SlCy,T(x)It-(<y><x>P2) t hen VZ i (u ) E k(VZ(P2) )

E s y n t -

so: if a - E S , b - E T(a) , c E U(a,b) , u C(V3(P3)) then

v3e(a,b,c,u) - E l-(<c><a>P3)

SO: if u - E [ X , S ] [ ~ , T ( X ) I C Z , U ( X , Y ) I ~ ( <z><y><~>P3) t hen v 3 i ( u ) - E 1 ( ~ 3 ( P 3 ) )

E PROP - E PROP -

so: if u - E t(A+B), v - E t ( A ) then +e(u,v) - E k(B) , mod.pon(u,v) - E k ( B ) .

* I := V(Cx,PROPlx) - E PROP

E PROP -

E PROP -

B * X . - . - - E PROP - X * u . - . - - E l ( A v B ) - u * v . - . - - E Cx,k(A)Ik(X) - V * W . - . - - E Cx,l-(B)It-(X) - w * ORe := V3e(X,Yi(v),Vi(w),u) - E k (X )

z3

z3 * ve := ORe(LFE(v,ass.prop(zl)) ,RFE(v ,ass .p rop(z l ) ) ,

l a s t e l t ( t a i 1 (I- ,val ( c a t ( z 2 ) ) ) ) , z l ,z2,z3)

so: if u - E ~ ( A v B ) , v - E Cx,C(A)IC(X), w - E Cx,k(B)lk(X) then v~(u ,v ,w) EC(X)

z2 * v i 1 := ORi l ( a s s .prop(z2) , z l ,z2)

z2 * v i 2 := OR i2 (z l ,ass .prop(z2) ,z2)

so: if B - E PROP , u E k (A ) then v i l ( B , u ) - E ~ ( A v B )

if A - E PROP , u - E C(B) then viP(A,u) - E C(AvB)

P * SOME := V(Cx,PROPl(V(Cy,Sl(~y~P+x))+x)) - E PROP

z l * 3 := SOME(dom(z1) , z l )

D So: if P - E Cx,SIPROP then 3(P) = SOME(S,P) - E PROP

P * X . - . - - E PROP - X * 1: . - . - - E l ( 3 P ) ) - U * V . - . - - E Cx,SlCy,C(<x~P)Ik(X) - v * SOMEe := VZe(X,V2i(v) ,u) - E k (X )

z2 * 3e := SOMEe(dom(z2) , l a s t e l t ( t a i l ( 3 , a s s . p r o p ( z ) ) ) ,

l a s t e l t ( t a i 1 (C,val (Cx,dom(z2)lval ( < x > c a t ( z 2 ) ) ) ) ) ,zl,z2)

SO: if u E (3(P) ) , v - E CX,SI[~,C(<X>P)IC(X) t hen 3e(u ,v) E C(X)

a * u . - . - - u * SOMEi := v 2 i (Cx,PROP1Cz,~(V(Cy,Sl(~y~P+x)))l

vZe(a,u,z))

23 * 3 i := SOMEi (dom(z1) , z l ,z2 ,z3)

SO: if P - E Cx,SlPROP, a - E S, u C-(<a>P) then 3 i (P,a,u) E k ( 3 ( P ) )

so: if a - E S, b - E S then a=b IS(S,a,b) - E PROP

D D SO: if u - E I-(a=b) then l e f t = ( u ) = a, r i g h t = ( u ) = b

a * I S i := V2 i (Cp,Cx,SlPROPICy,l-(<a>p)ly)

z l * = i := I S i ( c a t ( z 1 ) , z l )

z 1 * r e f = := = i

so: if a - E S then = i ( a ) - E k (a=a) , r e f = ( a ) - E t-(a=a)

P * a . - . - - a * b . - . - - b * u . - . - - U * V . - . - - v * ISe := v2e(P,v,u)

E S - E S - E PROP -

SO: if P - E Cx,SIPROP, u - E t ( a = b ) , v - E k(<a>P) then =e(P,u,v) - E I-(P),

subst.pred(P,u ,v) E k(P)

S * a . - . - - E S - a * b . - . - - E S - b * u . - . - - E b(a=b) - u * SYM. IS := =e(Cx,Sl(x=a) ,u,=i ( a ) ) - E b(b=a)

z 1 * sym := SYM. I S ( c a t ( l e f t = ( z l ) ) , l e f t = ( z l ) , r i g h t = ( z l ) , z l )

so: if u E I-(a=b) then sym=(u) - E I-(b=a)

U * V . - . - - v * TR. IS := =e(Cx,Sl(a=x),v,u)

so: if u - E I-(a=b), v - E b(b=c) then t r= (u ,v ) E 1 (a=c)

D So: if - a E S, b - E S then afb = l ( a = b ) - E PROP

so: if f - E Cx,SlT, u - E I-(a=b) then subst . fn( f ,u) E I-(<a>f = i b > f )

* n a t . - . - PN

* 1 . - . - PN

* n . - . - - n * n ' . - . - PN

E t y p e - E n a t - E na t - E n a t -

E I - ( n ' f l ) - E na t - E I-(nl=m') - E I-(n=m) -

so: if u - E I-(n'=ml) then axiom4(u) - E \(n=m)

P * n . - . - - E na t - n * u . - . - - E I-(<l>P) - U * v . - . - - E Cx,natlCy,I-(<x>P)lI-(<x'>P) - v * induc t ion := ~e(n,axiom5(P,u,v)) - E I-(<n>P)

* n . - . - - E n a t - n * m . - . - - E na t - m * u . - . - - E I-(nfm) - u * SATZ1 := vi(Cx,I-(n'=m1)1

+e(u ,axiom4(x))) - E I-(n'lcm")

z l * S a t z l := S A T Z ~ ( L F E ( # , ~ S S . p r o p ( z l ) ) ,RFE(f,ass .p rop (z l ) ) , z l )

so: if u - E b(n#m) t hen Satz l (u) E-I-(n'fm')

So: if U E i-(n#l) then Satz3(u) F(3([y,natl(n=y1)))

Appendix 9. AUT-SYNT

In 4.1.0 we have indicated that for andi the parameters U and V

are essential, while a and b are redundant parameters. If A, B, p and q

can be correctly substituted for a , b , U and V , then A and B can be calculated (up to definitional equality) from p and q, because A is definitio-

nally equal to CAT(p) and B to CAT(q).

Here we introduce an extension of AUTOMATH languages, called AUT-SYNT,

in which it is possible to suppress redundant parameters. In this language,

CAT is incorporated as a predefined flnction. For any 2- or 3-expression E,

CAT(E) is the mechanically calculated type of E. It follows that

andi (CAT (p) ,CAT (q) ,p, q) equals andi (A,B ,p ,q) . The extended language moreover contains var<abZes for expressions. A basic symbol synt (which has no de-

gree) is added to the language. Variables of type synt (or synt variables)

are to be interpreted as syntactic variables for expressions. There are

no typing restrictions on substitution for such a variable.

Following the AUT-QE text in 4.1.1 we can write in AUT-SYNT:

* z1 := - Esynt - zl*z2 := - - E s y n t z2 * AND1 : = andi (CAT(z1) ,CAT(z2) ,zl ,z2)

Now, if A g el B E prop, p E A, q E B then AND1 (p,q) = andi (CAT (p) , CAT(q1 ,p,q) = andi (A,B,p,q) E and(a,b) .

Besides CAT we have other predefined functions in AUT-SYNT.. They are

defined for certain classes of expressions (just as CAT is defined for 2-

expressions and 3-expressions). We list these functions here with their

semantics. In the description of the semantics we will frequently use the

clause: "if E reduces to ...". We will say e.g. "if E reduces to [x,A]B,..". This is intended to mean: "if CX,AIB is the first abstraction expression in

the reduction sequence, obtained by reducing E according to the strategy of

the verifying program". Similar meanings are intended in other cases. Every-

where in the description E and E1,E2, ..., En will denote correct AUT-expressions.

predefined function semantics

CAT CAT(E) is the "mechanical type" of the 2- or %ex-

DOM

pression E

If E reduces to [X,AIB or CAT(E) reduces to CX,AIB

or CAT(CAT(E) 1 . = [X,AIB then DOM(E) = A.

VAL

ARG

FUN

TAIL

LASTELT

PREPART

If E reduces to CX,AIB and B does not contain x then

VAL(E) = B.

If E reduces to <A>B then ARG(E) = A.

If E reduces to <A>B then FUN(E) = B.

If E reduces to c(A1,. . . ,An) then TAIL(c,E) is the string of expressions A1, ..., A no If El, ..., En is a nonempty string of expressions then LASTELT(E1, ..., E n ) = E n'

If E1,...,E is a nonempty string of expressions then n

PREPART(E1, ..., E ) is the string of expressions n

E1~...,E,-l.

Remarks :

1) Expressions containing -variables do not have a type. Lines having

such an expression as their middle part do not have a category part.

2) EB-lines which have synt variables in their context can only have

as their category part. In other words: on a context only synt va-

riables may be introduced.

3) The identifiers CAT, DOM, VAL, ARG, FUN, TALL, PREPART and LASTELT, and

the identifiers defined in terms of these should not be treated as ordi-

nary identifiers. In particular bhe monotonicity of definitional equali-

ty (in this case: if A = B then c(A) = c(B) where c is one of these spe-

cial identifiers) does not generally apply here. E.g. if f = [x,natll D

then <l>f = <<l>suc>f, while ARG(<l>f) = 1 9 <l>suc = ARG(<<l>suc>f).

Similar examples can be found for FUN and TAIL.

4) For languages admitting infix expressions there are functions LFE (for

left fixed expression) . and W E (for right fixed expression) with seman-

tics :

If E reduces to A c B then. LFE(c,E) = A and WE(c,E) = B.

Examples :

1) The first elimination rule for conjunction can be represented in AUT-QE

by adding, on the context a .E prop ; b E prop ; introduced in 4.1 .O:

b * u . - . - - E and(a,b) - u * andel. := .... - E a

Then a and b are redundant parameters, for andel and U is an es-

sential parameter. In fact, ifpisa substitutioninstance for U , then the type of p can be expected to redme to and (A,B) for some A and B, and these

A and B should the be substituted for a and b . Therefore, keeping the context ~1 - E @ introduced above, we can add

the AUT-SYNT line

zl * ANDEl := andel(LASTELT(PREPART(TAIL(and,CAT(zl)))), LASTELT(TAIL(and(CAT(zl))),zl)

Then p E and (A,B) implies ANDEl (p) E A. we can now indicate a complication which must be kept in mind when using

AUT-SYNT, and which is connected with remark 3 above. Suppose and has

been defined by and := not(imp(a,not(b))) . We may have p, A and B such that CAT (p) E not (imp (A, not (B) ) ) and then we have andel (A, B,p) E A, but ANDEl (p) will be incorrect, since CAT(p) does not reduce to and(A,B).

Even worse complications may occur when using ARG and FUN.

2) In CVD, 3.61 book-equality is introduced. In AUT-SYNT we could add to

this text, on the context ~1 - E synt ; ~2 - E fi ; z 2 * is := IS(CAT(zl),zl,z2)

zl * refis := REFIS(CAT(zl),zl)

zl symis := SYMIS(CAT(LASTELT(TAIL(is,zl))),

LASTELT(PREPART(TAIL(is ,zl) ) ) , LASTELT(TAIL(is ,zl)) ,zl)

Then for any type S , if X E S and Y S , equality of X and Y could be expressed by !S(X ,Y) instead of IS(S,x,y) . Moreover, if X E S we have refis(X) - E ~s(x,x) and if p is(X,y) we have

symis(p) E is(y,x). 3) A text in AUT-68-SYNT, in which the first three theorems of Landau's

book are proved, appears in appendix 8.

120

References

N.G.

N.G.

D.T.

D.T.

L.S.

de Bruijn, AUTOMATH, a language for mathematics, Notes (pre-

pared by B. Fowcatt) of a series of lectures in the Sgminaire

de Mathematiques Superieures.

Universitg de Montrgal, 1971.

de Bruijn, Lambda calculus notation with nameless dummies,

a tool for automatic formula manipulation, with application

to the Church-Rosser theorem.

Indag. Math., 34, - 5, 1972. van Daalen, A description of AUTOMATH and some aspects of

its language theory.

Proceedings of the Symposium on APL. ed. P. Braffort. Paris,

1974.

Appendix 1 in this thesis.

van Daalen, The language theory of AUTOMATH.

Thesis, Eindhoven University of Technology, to appear 1977.

Jutting, A translation of Landau's "Grundlagen" in AUTOMATH.

Eindhoven University of Technology, Dept. of Math., 1976.

E. Landau, Grundlagen der Analysis.

3rd ed., Chelsea Publ. Comp., New York, 1960.

R. de Vrijer, Big Trees in a h-calculus with A-expressions as

types.

A-calculus and Computer Science, ed. C. Bbhrn.

Springer, Berlin-Heidelberg -New Ycrk, 1975.

I. Zandleven, A verifying program for AUTOMATH.

Proceedings of the Symposium on APL. ed. P. Braffort. Paris

1974.

J. Zucker, Formalization of classical mathematics in AUTOMATH.

To appear in: Actes du colloque international de logique,

Clermont-Ferrand, July 1975, ed. M. Guillaume.

Preprint: Eindhoven University of Technology, Dept. of Math.

Samenvatting

Dit proefschrift bevat een verslag van de vertaling en verificatie van

Landau's "Grundlagen der Analysis", in AUT-QE, een van de AUTOMATH-talen.

Deze talen zijn geconstrueerd met het doe1 er wiskundige redeneringen in

uit te drukken, met behoud van de herkenbaarheid van de gedachtengang, en

we1 zo precies dat mechanische controle (b.v. door een computer) van de

correctheid mogelijk is.

De vertaling werd ondernomen om na te gaan in hoeverre de taal AUT-QE aan

bovenvermelde specificatie voldoet.

In het proefschrift vindt men onder meer een overzicht van de gebruikte

logische axioma's, een verslag van de bij de vertaling ondervonden moeilijk-

heden, en een aantal suggesties voor het gebruik van AUTOMATH-talen.

De appendices 4 en 7 bevatten fragmenten uit de vertaling.

De belangrijkste conclusie is dat AUT-QE en andere AUTOMATH-talen in prin-

cipe geschikt zijn voor het gestelde doel.

CHECKING LANDAU'S GRUNDLAGEN IN … · Preface This thesis contains an account of the translation...

Documents

Transcript of CHECKING LANDAU'S GRUNDLAGEN IN … · Preface This thesis contains an account of the translation...