A formal proof of modal completeness for provability logic
AA formal proof of modal completeness forprovability logic
Marco Maggesi ! ˇ University of Florence, Italy
Cosimo Perini Brogi ! ˇ University of Genoa, Italy
Abstract
This work presents a formalized proof of modal completeness for Gödel-Löb provability logic (GL)in the HOL Light theorem prover. We describe the code we developed, and discuss some details ofour implementation, focusing on our choices in structuring proofs which make essential use of thetools of HOL Light and which differ in part from the standard strategies found in main textbookscovering the topic in an informal setting. Moreover, we propose a reflection on our own experiencein using this specific theorem prover for this formalization task, with an analysis of pros and cons ofreasoning within and about the formal system for GL we implemented in our code.
Theory of computation → Higher order logic; Theory of compu-tation → Modal and temporal logics; Theory of computation → Automated reasoning
Keywords and phrases
Provability Logic, Higher-Order Logic, Mechanized Mathematics, HOL LightTheorem Prover
Supplementary Material
The implementation described in this paper is hosted in the subdirectory GL of the distribution of HOL Light theorem prover. HOL Light source code, Jenuary 2021 : https://github.com/jrh13/hol-light/ archived at swh:1:dir:288139a46b5250ca678d928a823173f4f69c8594 Funding
Marco Maggesi : Supported by the Italian Ministry of University and Research and byINdAM-GNSAGA
Introduction
In this paper we wish to report on our results and general experience in using HOL Lighttheorem prover to formally verify some properties of Gödel-Löb provability logic (GL).Our work starts with a deep embedding of the syntax of propositional modal logic togetherwith the corresponding relational semantics. Next, we introduce the traditional axiomaticcalculus GL and prove the validity of the system w.r.t. irreflexive transitive finite frames.After doing that, the most interesting part of our work begins with the proof of a numberof lemmas in GL that are necessary for our main goal, namely the development of a formalproof of modal completeness for the system.In order to achieve that, we had to formally verify a series of preliminary lemmas andconstructions involving the behaviour of syntactical objects used in the standard proof ofthe completeness theorem. These unavoidable steps are very often only proof-sketched inwide-adopted textbooks in logic, for they mainly involve “standard” reasoning within theproof system we are dealing with. But when we are working in a formal setting like we didwith HOL Light, experience reveals that it is generally more convenient to adopt a differentline of reasoning and to make a smart use of our formal tools, so that we can succeed indeveloping alternative (or simpler) proofs, still totally verified by the computer.In other terms: in order to give a formal proof of the completeness theorem for GL , thatis a r X i v : . [ c s . L O ] F e b A formal proof of modal completeness for provability logic ▶ Theorem 1.
For any formula A , GL ⊢ A iff A is true in any irreflexive transitive frame. we needed to split down the main goal into several subgoals – dealing with both the object-and the meta-level – which might seem trivial in informal reasoning. However, when carefullychecked, they revealed unexpected formal subtleties, which guided us towards differentproof-strategies where HOL Light infrastructure played a more active role.A more detailed account of these aspects is given in the main body of the present work,but we can briefly summarise the present paper as follows:In Section 1, we introduce the basic ingredients of our development, namely the formalcounterparts of the syntax and relational semantics for provability logic, along with somelemmas and general definitions which are useful to handle the implementation of theseobjects in a uniform way, i.e. without the restriction to the modal system we are interestedin. The formalization constitutes large part of the file modal.ml ;In Section 2, we formally define the axiomatic calculus GL , and prove in a neat way thevalidity lemma for this system. Moreover, we give formal proofs of several lemmas in GL ( GL -lemmas, for short), whose majority is in fact common to all normal modal logics,so that our proofs might be re-used in subsequent implementations of different systems.This corresponds to contents of our code in gl.ml ;Finally, in Section 3 we introduce all the necessary to give our formal proof of modalcompleteness of GL , starting with the definition of maximal consistent lists of formulae.In order to prove their syntactic properties – and, in particular, the extension lemma forconsistent lists of formulae to maximal consistent lists – we use the GL -lemmas we havementioned in the previous section, and, at the same time, we propose proof-strategieswhich highlight the formal tools provided by HOL Light – or, more informally, whichapply more conveniently higher-order reasoning. Therefore, the proof we are proposing inthis section follows the standard lines presented in e.g. [6] – from extension lemma tomodal completeness via truth lemma – but adopt tools, results, and techniques whichare specific to the theorem prover we used, in line with a clear philosophical attitudein computer-aided proof development. These results, together with a simple decisionprocedure for GL , are gathered in the file completeness.ml .We care to stress that our formalization does not tweak any original HOL Light tools,and it is therefore “foundationally safe”. Moreover, since we used just that original formalinfrastructure, our results can be easily translated into another theorem prover belonging tothe HOL family – or, more generally, endowed with the same automation toolbox.In any case, our code is integrated into the current HOL Light distribution, and it isfreely available from there. Before presenting our results, in the forthcoming subsections of this introduction weprovide the reader with some background material both on provability logic, and on formaltheorem proving in HOL Light: further information about modalities and HOL Light can befound in [11] and [13], respectively.
Developments of Provability Logic
The origins of provability logic date back to a short paper [10] of Gödel’s where propositionsabout provability are formalized by means of a unary operator B with the aim of giving aclassical reading of intuitionistic logic. See "Supplementary Material" on the first page of this paper. . Maggesi and C. Perini Brogi 3
The resulting system corresponds to the logic S
4, and the proposition B p has to beinterpreted as ‘ p is informally provable’ – as claimed by Gödel himself. This implies that S GL consists of the axiomatic system for classicalpropositional logic, extended bythe axiom schema K : □ ( A → B ) → □ A → □ B ;the Löb schema GL : □ ( □ A → A ) → □ A a necessitation rule A □ A .The Löb schema is just a formal version of Löb’s theorem which holds for a wideclass of arithmetical theories satisfying the so-called Hilbert-Bernays-Löb (HBL) provabilityconditions. On the semantic side, this calculus is the logic of irreflexive transitive frames, and,moreover, it can be interpreted arithmetically in a sound and complete way. In otherterms, GL solves the problem raised by Gödel’s paper by identifying a propositional formalsystem for provability in all arithmetical theories that satisfy the previously mentioned HBLconditions.Published in 1976, Solovay’s arithmetical completeness theorem [19] is in this sense amilestone result in the fields of proof theory and modal logic: for being arithmetical complete, GL is capable of capturing and identifying all relevant properties of formal provability forarithmetic in a very simple system, which is decidable and neatly characterised.Such a deep result, however, uses in an essential way the modal completeness of GL :Solovay’s technique basically consists of an arithmetization of a relational countermodel for agiven formula that is not a theorem of GL , from which it is possible to define an appropriatearithmetical formula that is not a theorem of the mathematical system.In contemporary research, this is still the main strategy to prove arithmetical completenessfor other modalities for provability and related concepts, in particular for interpretabilitylogic. In spite of this, for many theories of arithmetic, including Heyting Arithmetic, thistechnique cannot be applied, and no alternatives are known.Therefore, on the one hand, completeness of formal systems w.r.t. the relevant relationalsemantics is still an unavoidable step in achieving the more substantial result of arithmeticalcompleteness; on the other hand, however, the area of provability logic keeps flourishing andsuggesting old and new open problems, closely related to the field of proof theory, but in factbounded also to seeking a uniform proof-strategy to establish adequate semantics in formaltheories of arithmetic having different strengths and flavours. HOL Light Notation
The HOL Light proof assistant [12] is based on classical higher-order logic with polymorphictype variables and where equality is the only primitive notion. From a logical viewpoint, These properties of the formal predicate for arithmetical provability were isolated first in [14]. The reader is referred to [2] for a survey of open problems in provability logics. As an instance ofrelevant applications of this kind of formal systems to traditional investigations in proof theory seee.g. [1].
A formal proof of modal completeness for provability logic the formal engine defined by the term-conversions and inference rules underlying HOLLight is the same as that described in [15], extended by an infinity axiom and the classicalcharacterization of Hilbert’s choice operator. From a practical perspective, it is a theoremprover privileging a procedural proof style development – i.e. when using it, we have tosolve goals by applying tactics that reduce it to (eventually) simpler subgoals, so that theinteractive aspect of proving is highlighted. Proof-terms can then be constructed by means ofdeclarations of labels and of tacticals that compact the proof into few lines of code evaluatedby the machine.Logical operators – defined in terms of equality – and λ -abstraction are denoted byspecific symbols in ASCII: for the reader’s sake, we give a partial glossary to summarisethem in the next table. In the third column of the table, we also report the notations usedfor the object logic GL (introduced at the beginning of Section 1.1). Informal notation HOL notation GL notation Description ⊥ F False
Falsity ⊤ T True
Truth ¬ p ~ p Not p Negation p ∧ q /\ && Conjunction p ∨ q \/ || Disjunction p = ⇒ q ==> --> Implication p ⇐⇒ q <=> <-> Biconditional □ p Box p
Modal Operator ∀ x. P ( x ) !x. P(x) Universal quantification ∃ x. P ( x ) ?x. P(x) Existential quantification λx. M ( x ) \x. M(x) Lambda abstraction
In the following sections, we will directly state our results as theorems and definitionsin the HOL Light syntax. Note that theorems are prefixed by the turnstile symbol, asin |- 2 + 2 = 4 . We often report a theorem with its associated name, that is, the name ofits associated OCaml constant, e.g.
ADD_SYM|- !m n. m + n = n + m
As expository style, we omit formal proofs at all, but meaning of definitions, lemmas, andtheorems in natural language is clear after the table we have just given.We warn the reader that the HOL Light printing mechanism omit type informationcompletely. However in this paper we manually add type annotations when it might beuseful, or even indispensable, to avoid ambiguity – including the case of our main results
COMPLETENESS_THEOREM and
COMPLETENESS_THEOREM_GEN .As already told in the introduction, our contribution is now part of the HOL Lightdistribution. The reader interested in performing these results in her machine – and perhapsbuild further formalization on top of it – can run our code with the command loadt "GL/make.ml";; at the HOL Light prompt.
As we stated previously, we deal with a logic that extends classical propositional reasoningby means of a single modal operator which is intended to capture the abstract properties ofthe provability predicate for arithmetic. . Maggesi and C. Perini Brogi 5
To reason about and within this logic, we have to “teach” HOL Light – our meta-language– how to identify it, starting with its syntax – the object-language – and semantics – theinterpretation of this very object-language.We want to keep everything neat and clean from a foundational perspective, thereforewe will define both the object-language and its interpretation with no relation to the HOLLight environment. In other terms: our formulae and operators are real syntactic objectswhich we keep distinct from their semantic counterpart – and from the logical operators ofthe theorem prover too.
Let us start by fixing the propositional modal language we will use throughout the presentwork. We consider all classical propositional operators – conjunction, disjunction, implication,equivalence, negation, along with the 0-ary symbols ⊤ and ⊥ – and we add a modal unaryconnective □ . The starting point is, as usual, a denumerable infinite set of propositionalatoms a , a , · · · . Accordingly, formulae of this language will have one of the following form a | A ∧ B | A ∨ B | A → B | A ↔ B | ¬ A | ⊤ | ⊥ | □ A .
The following code extends the HOL system with an the inductive type of formulae upto the atoms – which we identify with the denumerable type of strings – by using the above connectives : let form_INDUCT,form_RECURSION = define_type"form = False| True| Atom string| Not form| && form form| || form form| --> form form| <-> form form| Box form";; Next, we turn to the semantics for our modal language. We use relational models – akaKripke models – which consist of directed graphs labelled with formulae. More formally,a Kripke frame is made of a nonempty set ‘of possible worlds’ W , together with a binaryrelation R on W . To this, we add a valuation function V which assigns to each atom of ourlanguage and each world w in W a boolean value. This is extended to a forcing relation holds , defined recursively on the structure of the input formula p , that computes thetruth-value of p in a specific world w : let holds = new_recursive_definition form_RECURSION‘(holds WR V False (w:W) <=> F) /\(holds WR V True w <=> T) /\(holds WR V (Atom s) w <=> V s w) /\(holds WR V (Not p) w <=> ~(holds WR V p w)) /\(holds WR V (p && q) w <=> holds WR V p w /\ holds WR V q w) /\(holds WR V (p || q) w <=> holds WR V p w \/ holds WR V q w) /\(holds WR V (p --> q) w <=> holds WR V p w ==> holds WR V q w) /\ See [7] for the historical development of this notion.
A formal proof of modal completeness for provability logic (holds WR V (p <-> q) w <=> holds WR V p w <=> holds WR V q w) /\(holds WR V (Box p) w <=> !u. u IN FST WR /\ SND WR w u ==> holds WR V p u)‘;;
Then, the validity of a formula p with respect to a frame (W,R) , and a class of frames L ,denoted respectively holds_in (W,R) p and L |= p , are let holds_in = new_definition‘holds_in (W,R) p <=> !V w. w IN W ==> holds (W,R) V p w‘;;let valid = new_definition‘L |= p <=> !f. L f ==> holds_in f p‘;;
The above definitions are already presented in Chapter 20 of Harrison’s HOL Light Tutorial[13].
For carrying out our formalization, we are interested in the logic of the (nonempty) frameswhose underlying relation R is transitive and conversely well-founded – aka Noetherian – on the corresponding set of possible worlds; in other terms, we want to study the modaltautologies in models based on an accessibility relation R on W such thatif xRy and yRz , then xRz ; andfor no X ⊆ W which is nonempty, there are infinite R -chains x Rx Rx · · · .In HOL Light, WF R states that R is a well-founded relation, so that we express the lattercondition as WF(\x y. R y x) . Here we see a recurrent motif in logic: defining a systemfrom the semantic perspective requires non-trivial tools from the foundational point of view,for, to express the second condition, a first-order language is not enough. However, that isnot an issue here, since our underlying system is natively higher order: let TRANSNT = new_definition‘TRANSNT (W,R) <=>~(W = {}) /\(!x y:W. R x y ==> x IN W /\ y IN W) /\(!x y z:W. x IN W /\ y IN W /\ z IN W /\ R x y /\ R y z ==> R x z) /\WF(\x y. R y x)‘;;
From a theoretical point of view, moreover, the question has no deep consequences as wecan characterize this class of frames by using a propositional language extended by a modaloperator □ that satisfies the following axiom – usually called Gödel-Löb axiom schema : GL : □ ( □ A → A ) → □ A. Here is the formal version of our claim:
LOB_IMP_TRANSNT|- !W R. (!x y:W. R x y ==> x IN W /\ y IN W) /\(!p. holds_in (W,R) (Box(Box p --> p) --> Box p))==> (!x y z. x IN W /\ y IN W /\ z IN W /\ R x y /\ R y z ==> R x z) /\WF (\x y. R y x)TRANSNT_IMP_LOB|- !W R. (!x y:W. R x y ==> x IN W /\ y IN W) /\(!x y z. x IN W /\ y IN W /\ z IN W /\ R x y /\ R y z ==> R x z) /\WF (\x y. R y x)==> (!p. holds_in (W,R) (Box(Box p --> p) --> Box p)) . Maggesi and C. Perini Brogi 7
TRANSNT_EQ_LOB|- !W R. (!x y:W. R x y ==> x IN W /\ y IN W)==> ((!x y z. x IN W /\ y IN W /\ z IN W /\ R x y /\ R y z==> R x z) /\WF (\x y. R y x) <=>(!p. holds_in (W,R) (Box(Box p --> p) --> Box p)))
Note that the main claim is proven in both its directions by using both a defined tacticintroduced in [13], and the principle of well-founded induction as implemented in HOL Light.By using this preliminary result, we could say that the frame property of being transitiveand Noetherian can be captured by Gödel-Löb modal axiom, without recurring to a higher-order language. Nevertheless, that class of frames is not particularly informative from alogical point of view: in particular, we have no information about the cardinality of W , sothat it might be possible to find very exotic models for which the axiom holds, with no realinterest yet.We would like, in fact, to sharpen this result by identifying a smaller class of frameswhich is eventually more informative and easier to reason about. To this aim we note thatby definition of Notherianness, our R cannot be reflexive – otherwise xRxRx · · · would giveus an infinite R -chain. This is not enough: the frames we want to investigate are preciselythose whose W is finite , and whose R is both irreflexive and transitive : let ITF = new_definition‘ITF (W:W->bool,R:W->W->bool) <=>~(W = {}) /\(!x y:W. R x y ==> x IN W /\ y IN W) /\FINITE W /\(!x. x IN W ==> ~R x x) /\(!x y z. x IN W /\ y IN W /\ z IN W /\ R x y /\ R y z ==> R x z)‘;; Now it is easy to see that
ITF is a subclass of
TRANSNT : ITF_NT|- !W R:W->W->bool. ITF(W,R) ==> TRANSNT(W,R)
That will be the class of frames whose logic we are now going to define syntactically.
As stated before, we want to identify the logical system generating all the modal tautologiesfor transitive Noetherian frames; more precisely, we want to isolate the generators of themodal tautologies in the subclass of transitive Noetherian frames which are finite, transitive,and irreflexive.When dealing with the very notion of tautology – or theoremhood , discarding the com-plexity or structural aspects of derivability in a formal system – it is convenient to focus onaxiomatic calculi. The calculus we are dealing with here is usually denoted by GL .It is clear from the definition of the forcing relation that for classical operators anyaxiomatization of propositional classical logic will do the job. Here, we adopt a basic systemin which only → and ⊥ are primitive – from the axiomatic perspective – and all the remainingclassical connectives are defined by axiom schemas and by the inference rule of Modus Ponensimposing their standard behaviour. This is essentially the calculus introduced by Wajsberg in 1939, and, independently by Church in 1956.
A formal proof of modal completeness for provability logic
To this classical engine we addthe axiom schema K : □ ( A → B ) → □ A → □ B ;the axiom schema GL : □ ( □ A → A ) → □ A ;the necessitation rule NR : A NR □ A ,where A, B are generic formulae (not simply atoms). Then, here is the complete definition ofthe axiom system GL . The set of axioms is encoded via the inductive predicate GLaxiom : let GLaxiom_RULES,GLaxiom_INDUCT,GLaxiom_CASES = new_inductive_definition‘(!p q. GLaxiom (p --> (q --> p))) /\(!p q r. GLaxiom ((p --> q --> r) --> (p --> q) --> (p --> r))) /\(!p. GLaxiom (((p --> False) --> False) --> p)) /\(!p q. GLaxiom ((p <-> q) --> p --> q)) /\(!p q. GLaxiom ((p <-> q) --> q --> p)) /\(!p q. GLaxiom ((p --> q) --> (q --> p) --> (p <-> q))) /\GLaxiom (True <-> False --> False) /\(!p. GLaxiom (Not p <-> p --> False)) /\(!p q. GLaxiom (p && q <-> (p --> q --> False) --> False)) /\(!p q. GLaxiom (p || q <-> Not(Not p && Not q))) /\(!p q. GLaxiom (Box (p --> q) --> Box p --> Box q)) /\(!p. GLaxiom (Box (Box p --> p) --> Box p))‘;; The judgment GL ⊢ A , denoted |-- A in the machine code, is also inductively defined inthe expected way: let GLproves_RULES,GLproves_INDUCT,GLproves_CASES = new_inductive_definition‘(!p. GLaxiom p ==> |-- p) /\(!p q. |-- (p --> q) /\ |-- p ==> |-- q) /\(!p. |-- p ==> |-- (Box p))‘;; GL -lemmas As usual, GL ⊢ A denotes the existence of a derivation of A from the axioms of GL ; we couldalso define a notion of derivability from a set of assumptions just by tweaking the previousdefinitions in order to handle the specific limitations on NR – so that the deduction theoremwould hold [8] – but this would be inessential to our intents.What matters for the subsequent development is to derive further GL -lemmas with thehelp of the automation in HOL Light. In accordance with this aim, we denoted the classicalaxioms and rules of the system as the propositional schemas used by Harrison in the file Arithmetic/derived.ml of the HOL Light standard distribution [12] – where, in fact, manyof our lemmas relying on the propositional calculus only are already proven there w.r.t. anaxiomatic system for first-order classical logic; our further lemmas involving modal reasoningare denoted with names that are commonly used in informal presentations.The code in gl.ml mainly consists then of the formalized proofs of those lemmas in GL that are useful for the formalized results we present in the next section. This file mightbe thought as a “kernel” for further experiments in reasoning about axiomatic calculi byusing HOL Light. The lemmas we proved are, indeed, standard tautologies of classicalpropositional logic, along with specific theorems of minimal modal logic and its extension fortransitive frames – i.e. of the systems K and K . Maggesi and C. Perini Brogi 9 More precisely, we have given, whenever it was useful, a “natural deduction” characteriz-ation of classical operators both in terms of an implicit (or internal) deduction – and in thatcase we named the lemma with the suffix _th –, such as
GL_modusponens_th|- !p q. |-- ((p --> q) && p --> q) and as a derived rule of the axiomatic system mimicking the behaviour of the connective inGentzen’s formalism, e.g.,
GL_and_elim|- !p q r. |-- (r --> p && q) ==> |-- (r --> q) /\ |-- (r --> p)
We had to prove about 120 such results of varying degree of difficulty. We believe that thisfile is well worth the effort of its development, for two main reasons to be considered – alongwith the just mentioned fact that they provide a (not so) minimal set of internal lemmaswhich can be moved to different axiomatic calculi at, basically, no cost.Indeed, on the one hand, these lemmas simplify the subsequent formal proofs involvingconsistent lists of formulae since they let us work formally within the scope of ⊢ , so thatwe can rearrange subgoals according to their most useful equivalent form by applying theappropriate GL -lemma(s).On the other hand, the endeavour of giving formal proofs of these lemmas of the calculus GL has been important for checking how much our proof-assistant is “friendly” and efficientin performing this specific task.As it is known, any axiomatic system fits very well an investigation involving the notionof theoremhood for a specific logic, but its lack of naturalness w.r.t. the practice of developinginformal proofs makes it an unsatisfactory model for the notion of deducibility . In morepractical terms: developing a formal proof of a theorem in an axiomatic system by penciland paper can be a dull and uninformative task.After approaching this very same objective by using HOL Light, we feel like expressingmixed opinions on the general experience. In most cases, relying on the automation toolsof this specific proof assistant did indeed save our time and resources when trying to givea formal proof in GL . Nevertheless, there has been a number of GL -lemmas for provingwhich those automation tools did not revealed useful at all. In those cases, actually, we hadto perform a tentative search of the specific instances of axioms from which deriving thelemmas, so that interactive proving them had advantages as well as traditional instrumentsof everyday mathematicians.Just to stress the general point: it is clearly possible – and actually useful in general –to rely on the resources of HOL Light to develop formal proofs both about and within anaxiomatic calculus for a specific logic, in particular when the lemmas of the object systemhave relevance or practical utility for mechanizing (meta-)results on it; however, these veryresources – and, as far as we can see, the tools of any other general proof assistant – donot look peculiarly satisfactory for pursuing investigations on derivability within axiomaticsystems. The HOL Light tactics for first-order reasoning
MESON and
METIS were unable, for instance, of instantiatingautonomously the obvious middle formula for the transitivity of an implication, or even the specificformulae of a schema to apply to the goal in order to rewrite it.
At this point, we can prove that GL is sound – i.e. every formula derivable in the calculus isa tautology in the class of irreflexive transitive frames. This is obtained by simply unfoldingthe relevant definitions and applying theorems TRANSNT_EQ_LOB and
ITF_NT of Section 1.2:
GL_TRANSNT_VALID|- !p. (|-- p) ==> TRANSNT:(W->bool)
From this, we get a model-theoretic proof of consistency for the calculus
GL_consistent~ |-- False
This having exhausted the contents of gl.ml , we would move to consider now the mostinteresting part of our effort, namely the mechanized proof of completeness for the calculusw.r.t. this very same class of frames. That constitutes the remaining contents of ourimplementation, beside the auxiliary code in misc.ml furnishing some general results aboutlists of items with same type we needed to handle the subsequent constructions, but havemore general utility.
When dealing with normal modal logics, it is common to develop a proof of completenessw.r.t. relational semantics by using the so-called ‘canonical model method’. This can besummarized as a standard construction of countermodels made of maximal consistent sets offormulae and an appropriate accessibility relation [17].For GL , we cannot pursue this strategy, since the logic is not compact: maximal consistentsets are (in general) infinite objects, though the notion of derivability involves only a finiteset of formulae. For being not compact, we cannot therefore reduce the semantic notionof (in)coherent set of formulae to the syntactic one of (in)consistent set of formulae: whenextending a consistent set of formulae to a maximal consistent one, we might end up with a syntactically consistent set that nevertheless cannot be semantically satisfied.In spite of this, it is possible to achieve a completeness result by identifying the relevant properties of maximal consistent sets of formulae; and tweaking the definitions so that those properties hold for specific consistent sets offormulae related to the formula we want to find a countermodel to.As a matter of fact, we can claim something more: it is possible to carry out in a verynatural way a related tweaked Lindenbaum construction to extend consistent lists to maximalconsistent ones, preserving the standard line of reasoning in completeness proofs, and, at thesame time, avoiding symbolic subtleties that have no real relevance for the argument, buthave the unpleasant consequence of making the formalized proof unnecessarily long, so thatthe implementation would sound rather pedantic – or even dull. . Maggesi and C. Perini Brogi 11 As just claimed, in order to make efficient use of our formal device, we will work with lists offormulae, instead of simple sets. Accordingly, we define first, by recursion on the list, theoperation of finite conjunction of formulae in a list: let CONJLIST = new_recursive_definition list_RECURSION‘CONJLIST [] = True /\(!p X. CONJLIST (CONS p X) = if X = [] then p else p && CONJLIST X)‘;;
Afterwards, we prove some properties of this operation on lists that characterize it in termsof GL -derivability, and which depends, basically, on most of the GL -lemmas defined above.In particular, since GL is a normal modal logic – i.e. its modal operator distributes overimplication and preserves theoremhood – we have that our modal operator distributes overthe conjunction of X so that we have CONJLIST_MAP_BOX : GL ⊢ □ ^ X ↔ ^ □ X, where □ X is an abuse of notation for the list obtained by “boxing” each formula in X .We are now able to define the notion of consistent list of formulae and prove themain properties of this kind of objects: let CONSISTENT = new_definition‘CONSISTENT (l:form list) <=> ~ (|-- (Not (CONJLIST l)))‘;; In particular, we prove that:a consistent list cannot contain either both A and ¬ A for any formula A , nor ⊥ (see the-orems CONSISTENT_LEMMA , CONSISTENT_NC , and
FALSE_IMP_NOT_CONSISTENT , respect-ively);for any consistent list A and formula A , X + A is consistent, or X + ¬ A is consistent( CONSISTENT_EM ), where + denotes the usual operation of appending an element to a list.Our maximal consistent lists w.r.t. a given formula A will be consistent lists that do notcontain repetitions and that contain, for any subformula of A , that very subformula or itsnegation: let MAXIMAL_CONSISTENT = new_definition‘MAXIMAL_CONSISTENT p X <=>CONSISTENT X /\ NOREPETITION X /\(!q. q SUBFORMULA p ==> MEM q X \/ MEM (Not q) X)‘;; where X is a list of formulae and MEM q X is the membership relation for lists. We thenestablish the main closure property of maximal consistent lists:
MAXIMAL_CONSISTENT_LEMMA|- !p X A b. MAXIMAL_CONSISTENT p X /\(!q. MEM q A ==> MEM q X) /\b SUBFORMULA p /\|-- (CONJLIST A --> b)==> MEM b X See Section 3.2 below for the reasons of our choice. Here we define the set of subformulae of A as the reflexive transitive closure of the set of formulaeon which the main connective of A operates: this way, the definition is simplified and it is easier toestablish standard properties of the set of subformulae by means of general higher-order lemmas in HOLLight for the closure of a given relation. After proving some further lemmas with practical utility – in particular, the fact that anymaximal consistent list behaves like a restricted bivalent evaluation for classical connect-ives (
MAXIMAL_CONSISTENT_MEM_NOT and
MAXIMAL_CONSISTENT_MEM_CASES ) – we can finallydefine the ideal (type of counter)model we are interested in. The type
STANDARD_MODEL consists, for a given formula A , of: the set of maximal consistent lists w.r.t. A made of subformulae of A or their negations,as possible worlds; an irreflexive transitive accessibility relation R such that for any subformula □ B of A and any world w , □ B is in w iff for any x R -accessible from w , B is in x ; an atomic valuation that gives value 1 to p in w iff p is a subformula of A .Here is the corresponding code: let GL_STANDARD_FRAME = new_definition‘GL_STANDARD_FRAME p (W,R) <=>W = {w | MAXIMAL_CONSISTENT p w /\(!q. MEM q w ==> q SUBFORMULA p \/(?q’. q = Not q’ /\ q’ SUBFORMULA p))} /\ITF (W,R) /\(!q w. Box q SUBFORMULA p /\ w IN W==> (MEM (Box q) w <=> !x. R w x ==> MEM q x))‘;;let GL_STANDARD_MODEL = new_definition‘GL_STANDARD_MODEL p (W,R) V <=>GL_STANDARD_FRAME p (W,R) /\(!a w. w IN W ==> (V a w <=> MEM (Atom a) w /\ Atom a SUBFORMULA p))‘;; What we have to do now is to show that the type
GL_STANDARD_MODEL is nonempty. Weachieve this by constructing suitable maximal consistent lists of formulae from specificconsistent ones.Our original strategy differs from the presentation given in e.g. [6] for being closer tothe standard Lindenbaum construction commonly used in proving completeness results. Bydoing so, we have been able to circumvent both the pure technicalities in formalizing thecombinatorial argument sketched in [6, p.79] and the problem – apparently inherent to theLindenbaum extension – due to the non-compactness of the system, as we mentioned before.Given a formula A , the key idea is to extend a consistent list of subformulae of A or theirnegations in a step-by-step construction, by adding at each stage of the process a subformulaof A – if the resulting list is consistent – or – otherwise – the negation of that very subformula,after fixing an enumeration of the subformulae of A : EXTEND_MAXIMAL_CONSISTENT|- !p X.CONSISTENT X /\(!q. MEM q X ==> q SUBFORMULA p \/ (?q’. q = Not q’ /\ q’ SUBFORMULA p))==> ?M. MAXIMAL_CONSISTENT p M /\(!q. MEM q M==> q SUBFORMULA p \/(?q’. q = Not q’ /\ q’ SUBFORMULA p)) /\X SUBLIST M . Maggesi and C. Perini Brogi 13
This way, we are in the pleasant condition of carrying out the construction by using theHOL Light device efficiently, and, at the same time, we do not have to worry about thenon-compactness of GL since we are working with finite objects – the type list – by default.Henceforth, we see that – under the assumption that A is not a GL -lemma – the set ofpossible worlds in STANDARD_FRAME w.r.t. A is nonempty, as required by the definition ofrelational structures: NONEMPTY_MAXIMAL_CONSISTENT|- !p. ~ |-- p==> ?M. MAXIMAL_CONSISTENT p M /\MEM (Not p) M /\(!q. MEM q M ==> q SUBFORMULA p \/(?q’. q = Not q’ /\ q’ SUBFORMULA p))
Next, we have to define an R satisfying the condition 2 for a STANDARD_FRAME ; the followingdoes the job: let GL_STANDARD_REL = new_definition‘GL_STANDARD_REL p w x <=>MAXIMAL_CONSISTENT p w /\(!q. MEM q w ==> q SUBFORMULA p \/ ?q’. q = Not q’ /\ q’ SUBFORMULA p) /\MAXIMAL_CONSISTENT p x /\(!q. MEM q x ==> q SUBFORMULA p \/ ?q’. q = Not q’ /\ q’ SUBFORMULA p) /\(!B. MEM (Box B) w ==> MEM (Box B) x /\ MEM B x) /\(?E. MEM (Box E) x /\ MEM (Not (Box E)) w)‘;;
Such an accessibility relation, together with the set of the specific maximal consistent listswe are dealing with, defines a structure in
ITF with the required properties:
ITF_MAXIMAL_CONSISTENT|- !p. ~ |-- p==> ITF ({M | MAXIMAL_CONSISTENT p M /\(!q. MEM q M ==> q SUBFORMULA p \/?q’. q = Not q’ /\ q’ SUBFORMULA p)},GL_STANDARD_REL p),ACCESSIBILITY_LEMMA|- !p M w q.~ |-- p /\MAXIMAL_CONSISTENT p M /\(!q. MEM q M ==> q SUBFORMULA p \/ (?q’. q = Not q’ /\ q’ SUBFORMULA p)) /\MAXIMAL_CONSISTENT p w /\(!q. MEM q w ==> q SUBFORMULA p \/ (?q’. q = Not q’ /\ q’ SUBFORMULA p)) /\MEM (Not p) M /\Box q SUBFORMULA p /\(!x. GL_STANDARD_REL p w x ==> MEM q x)==> MEM (Box q) w,
For our ideal model, it remains to reduce the semantic relation of forcing to the more tractableone of membership to the specific world. More formally, we prove – by induction on thecomplexity of the subformula B of A – that if GL ̸⊢ A , then for any world w of the standardmodel, B holds in w iff B is member of w : GL_truth_lemma|- !W R p V q.~ |-- p /\GL_STANDARD_MODEL p (W,R) V /\q SUBFORMULA p==> !w. w IN W ==> (MEM q w <=> holds (W,R) V q w),
Finally, we are able to prove the main result: if GL ̸⊢ A , then the list [ ¬ A ] is consistent, andby applying EXTEND_MAXIMAL_CONSISTENT , we obtain a maximal consistent list X w.r.t. A that extends it, so that, by applying GL_truth_lemma , we have that X ̸ ⊨ A in our standardmodel. The corresponding formal proof reduces to the application of those previous resultsand the appropriate instantiations: COMPLETENESS_THEOREM|- !p. ITF:(form list->bool)
Notice that the family of frames
ITF is polymorphic, but, at this stage, our result holds onlyfor frames on the domain form list , as indicated by the type annotation. This is not anintrinsic limitation: the next section is devoted indeed to generalize this theorem to frameson an arbitrary domain.As an immediate corollary, we have that the system GL is decidable and, in principle,we could implement a decision procedure for it in OCaml. However, this is a difficult task –especially if one seeks efficiency and completeness – and it is out of the scope of the presentwork. Nevertheless, we feel like offering a very rough approximation.We define the tactic GL_TAC and its associated rule
GL_RULE that perform the followingsteps: (1) apply the completeness theorem, (2) unfold some definitions, and (3) try to solvethe resulting semantic problem using first-order reasoning. let GL_TAC : tactic =MATCH_MP_TAC COMPLETENESS_THEOREM THENREWRITE_TAC[valid; FORALL_PAIR_THM; holds_in; holds;ITF; GSYM MEMBER_NOT_EMPTY] THENMESON_TAC[];;let GL_RULE tm = prove(tm, REPEAT GEN_TAC THEN GL_TAC);;
The above naive strategy is able to prove automatically some lemmas which are common tonormal modal logic, but require some effort when derived in an axiomatic system. As anexample consider the following GL -lemma: GL_box_iff_th|- !p q. |-- (Box (p <-> q) --> (Box p <-> Box q))
When developing a proof of it within the axiomatic calculus, we need to “help” HOLLight with by instantiating several further GL -lemmas, so that the resulting proof-termconsists of ten lines of code. On the contrary, our rule is able to check it in few steps: . Maggesi and C. Perini Brogi 15 In spite of this, the automation offered by
MESON tactic is not enough when the generated se-mantic problem involves in an essential way the fact that our frames are finite (or Noetherian).So, for instance, our procedure is not able to prove the Löb axiom GL ⊢ □ ( □ A −→ A ) −→ □ A .
This suggests the need for improving
GL_TAC to handle more general contexts: in the longrun, it is a likely-looking outcome of what we reached so far.
As we stated before, our theorem
COMPLETENESS_THEOREM provides the modal completenessfor GL with respect to a semantics defined using models built on the type :form list . It isobvious that the same result must hold whenever we consider models built on any infinitetype. To obtain a formal proof of this fact, we need to establish a correspondence betweenmodels built on different types. It is well-known that a good way to make rigorous suchcorrespondence is through the notion of bisimulation [4].In our context, given two models (W1,R1) and (W2,R2) sitting respectively on types :A and :B , each with a valuation function V1 and V2 , a bisimulation is a binary relation Z:A->B->bool that relates two worlds w1:A and w2:B when they can simulate each other.The formal definition is as follows:
BISIMIMULATION|- BISIMIMULATION (W1,R1,V1) (W2,R2,V2) Z <=>(!w1:A w2:B.Z w1 w2==> w1 IN W1 /\ w2 IN W2 /\(!a:string. V1 a w1 <=> V2 a w2) /\(!w1’. R1 w1 w1’ ==> ?w2’. w2’ IN W2 /\ Z w1’ w2’ /\ R2 w2 w2’) /\(!w2’. R2 w2 w2’ ==> ?w1’. w1’ IN W1 /\ Z w1’ w2’ /\ R1 w1 w1’))
Then, we say that two worlds are bisimilar if there exists a bisimulation between them: let BISIMILAR = new_definition‘BISIMILAR (W1,R1,V1) (W2,R2,V2) (w1:A) (w2:B) <=>?Z. BISIMIMULATION (W1,R1,V1) (W2,R2,V2) Z /\ Z w1 w2‘;;
The key fact is that the semantic predicate holds respects bisimilarity:
BISIMILAR_HOLDS|- !W1 R1 V1 W2 R2 V2 w1:A w2:B.BISIMILAR (W1,R1,V1) (W2,R2,V2) w1 w2==> (!p. holds (W1,R1) V1 p w1 <=> holds (W2,R2) V2 p w2)
From this, we can proof that validity is preserved by bisimilarity. The precise statements arethe following:
BISIMILAR_HOLDS_IN|- !W1 R1 W2 R2.(!V1 w1:A. ?V2 w2:B. BISIMILAR (W1,R1,V1) (W2,R2,V2) w1 w2)==> (!p. holds_in (W2,R2) p ==> holds_in (W1,R1) p)BISIMILAR_VALID|- !L1 L2.(!W1 R1 V1 w1:A.
L1 (W1,R1) /\ w1 IN W1==> ?W2 R2 V2 w2:B. L2 (W2,R2) /\BISIMILAR (W1,R1,V1) (W2,R2,V2) w1 w2)==> (!p. L2 |= p ==> L1 |= p)
Finally, we can explicitly define a bisimulation between
ITF -models on the type :form list and on any infinite type :A . From this, it follows at once the desired generalization ofcompleteness for GL : COMPLETENESS_THEOREM_GEN|- !p. INFINITE (:A) /\ ITF:(A->bool)
Related Works
Our formalization gives a mechanical proof of completeness for GL in HOL Light whichsticks to the original Henkin’s method for classical logic. In its standard version, its natureis synthetic and intrinsically semantic [9], and, as we stated before, it is the core of thecanonical model construction for most of normal modal logic.That very approach does not work for GL . Nevertheless, the modified extension lemmawe proved in our mechanization introduces an analytic flavour to the strategy – for buildingmaximal consistent lists in terms of components of the given formula non-proven in thecalculus – and shows that Henkin’s idea can be applied to GL too modulo appropriatechanges.As far as we know, no other mechanized proof of modal completeness for GL has beengiven before, despite there exist formalizations of similar results for several other logics,manly propositional and first-order classical and intuitionistic logic.Formalizations of completeness for classical logic define an established trend in interactivetheorem proving since [18], where a Hintikka-style strategy is used to define a theoremhoodchecker for formulas built up by negation and disjunction only.In fact, a very general treatment of systems for classical propositional logic is given in[16]. There, axiomatic calculus is investigated along with natural deduction, sequent calculus,and resolution system in Isabelle/HOL, and completeness is proven by Hintikka-style methodfor sequent calculus first, to be lifted then to the other formalisms by means of translationsof each system into the others. Their formalization is more ambitious than ours, but, at thesame time, it is focused on a very different aim.Finally, a recent overview of meta-theoretical results for several calculi and theoremprovers formalized in HOL/Isabelle is given in [5], where, in any case, a different proofassistant is used towards a more general investigation unrelated to modal logics.An objective more similar to ours is obtained in [3], where the Henkin-style completenessfor the system S References Juan Aguilera and David Fernández-Duque. Strong completeness of provability logic for ordinalspaces.
The Journal of Symbolic Logic , 82:608–628, 11 2017. doi:10.1017/jsl.2017.3 . Lev Beklemishev and Albert Visser. Problems in the logic of provability. In
MathematicalProblems from Applied Logic I , pages 77–136. Springer, 2006. Bruno Bentzen. A henkin-style completeness proof for the modal logic S5.
CoRR ,abs/1910.01697, 2019. URL: http://arxiv.org/abs/1910.01697 , arXiv:1910.01697 . . Maggesi and C. Perini Brogi 17 Patrick Blackburn and Johan Van Benthem. Modal logic: a semantic perspective. In
Handbookof modal logic , volume 3, pages 1–84. Elsevier, 2007. Jasmin Christian Blanchette. Formalizing the metatheory of logical calculi and automaticprovers in isabelle/hol (invited talk). In
Proceedings of the 8th ACM SIGPLAN InternationalConference on Certified Programs and Proofs , CPP 2019, page 1–13, New York, NY, USA,2019. Association for Computing Machinery. doi:10.1145/3293880.3294087 . George Boolos.
The logic of provability . Cambridge university press, 1995. B. Jack Copeland. The genesis of possible worlds semantics.
Journal of Philosophical logic ,31(2):99–137, 2002. Melvin Fitting. Modal proof theory. In
Handbook of modal logic , pages 85–138. Elsevier, 2007. Melvin Fitting and Richard L Mendelsohn.
First-order modal logic , volume 277. SpringerScience & Business Media, 2012. Kurt Gödel. Eine interpretation des intuitionistischen aussagenkalküls. ergebnisse einesmathematischen kolloquiums, 4: 39–40, 1933. english translation, with an introductory noteby as troelstra.
Kurt Gödel, Collected Works , 1:296–303, 1986. Robert Goldblatt. Mathematical modal logic: A view of its evolution. In
Handbook of theHistory of Logic , volume 7, pages 1–98. Elsevier, 2006. John Harrison. The HOL Light Theorem Prover. Web site: https://github.com/jrh13/hol-light . John Harrison. HOL Light tutorial. , 2017. David Hilbert and Paul Bernays.
Grundlagen der Mathematik, Vol. I (1934), Vol II (1939) .Berlin: Springer, 1939. Joachim Lambek and Philip J Scott.
Introduction to higher-order categorical logic , volume 7.Cambridge University Press, 1988. Julius Michaelis and Tobias Nipkow. Formalized proof systems for propositional logic. InA. Abel, F. Nordvall Forsberg, and A. Kaposi, editors, , volume 104 of
LIPIcs , pages 6:1–6:16. Schloss Dagstuhl -Leibniz-Zentrum fuer Informatik, 2018. Sally Popkorn.
First steps in modal logic . Cambridge University Press, 1994. Natarajan Shankar. Towards mechanical metamathematics.
Journal of Automated Reasoning ,1(4):407–434, 1985. Robert M Solovay. Provability interpretations of modal logic.