Justification for integrating set theory with ACL2
See zfc for an introduction to the integration of set theory with ACL2. The present topic provides intuition and sketches a foundation for that integration.
This documentation topic displays events as though the current-package is
Before we get to the question of how set theory and ACL2 are integrated, let's discuss the relevant set theory.
Our formalization of set theory starts with Zermelo-Fraenkel
set theory, typically known as ZF. It is a first-order theory that
formalizes familiar properties of sets: given
ZF captures the notion of set provided by the so-called cumulative
hierarchy: start with the empty set, and then iterate the powerset (set of
all subsets) operation. Iteration is through the ordinals, which can
be viewed as follows. The least ordinal is 0, which is the empty set. More
generally, each natural number
In ZF, every object is a set that is contained in a member of the cumulative hierarchy V_0, V_1, V_2, ..., V_ω, V_{ω+1}, ..., V_{ω*2}, .... In general V_{α+1} is the powerset of V_α, and for a limit ordinal α — one that is not an immediate successor, such as ω — V_α is the union of {V_β: β \in α}.
Recall (see zfc) the notion of a hypothesis function: a
zero-ary function constrained by an
In a nutshell, that logical basis is provided by showing how ACL2 data and
functions can be defined in the ZFG universe of sets, with all hypothesis
function calls being true. Then assuming ZF is consistent — hence, as
is well-known, so are ZFC and also ZFG — every defaxiom-free ACL2 theory
extended by all
The first step is to identify each ACL2 natural number with the
corresponding finite ordinal. We next define the other usual atoms —
integers, rationals, complex rationals, characters, strings, and symbols
— by encoding them as sets. By treating cons as the
set-theoretic ordered-pair constructor as explained below, we are able to
identify all good ACL2 objects — those built up from those atoms
using
(defun acl2p (x) (declare (xargs :guard t)) (cond ((consp x) (and (acl2p (car x)) (acl2p (cdr x)))) ((bad-atom x) nil) (t t)))
Every good ACL2 object, when interpreted as a set as described below, is in a finite stage of the cumulative hierarchy.
(defthmz v-omega-contains-acl2p (implies (acl2p x) (in x (v-omega))) :props (zfc v$prop domain$prop prod2$prop inverse$prop) :hints ...)
The
(defthmdz cons-as-pair (equal (cons x y) (pair (singleton x) (pair x y))))
Note that a cons is never a natural number, because
We encode the other atoms as sets of the form
(defun negative-int-as-triple (x) (declare (xargs :guard (and (integerp x) (< x 0)))) (triple 1 (cons (- x) 0))) (defun numerator-as-triple (x) (declare (xargs :guard (rationalp x))) (let ((n (numerator x))) (if (< n 0) (negative-int-as-triple n) n))) (defun ratio-as-triple (x) (declare (xargs :guard (and (rationalp x) (not (integerp x))))) (triple 2 (cons (numerator-as-triple x) (denominator x)))) (defun complex-as-triple (x) (declare (xargs :guard (and (complex-rationalp x) (not (rationalp x))))) (triple 3 (cons (realpart x) (imagpart x)))) (defun character-as-triple (x) (declare (xargs :guard (characterp x))) (triple 4 (cons (char-code x) 0))) (defun string-as-triple (x) (declare (xargs :guard (stringp x))) (triple 5 (cons (make-listp0 (coerce x 'list)) 0))) (defun symbol-as-triple (x) (declare (xargs :guard (symbolp x))) (triple 6 (cons (string-as-triple (symbol-package-name x)) (string-as-triple (symbol-name x)))))
These functions are then asserted to define the encodings, as follows.
(defthmz negative-int-as-triple-identity (implies (and (integerp x) (< x 0)) (equal (negative-int-as-triple x) x))) (defthmz ratio-as-triple-identity (implies (and (rationalp x) (not (integerp x))) (equal (ratio-as-triple x) x))) (defthmz complex-as-triple-identity (implies (and (complex-rationalp x) (not (rationalp x))) (equal (complex-as-triple x) x))) (defthmz character-as-triple-identity (implies (characterp x) (equal (character-as-triple x) x))) (defthmz string-as-triple-identity (implies (stringp x) (equal (string-as-triple x) x))) (defthmz symbol-as-triple-identity (implies (symbolp x) (equal (symbol-as-triple x) x)))
The ACL2 primitives (function symbols without definitions, such as char-code and denominator can easily be defined in set theory so that
the ACL2 axioms hold. For example, for a character
We have seen how the good ACL2 objects and ACL2 primitives can be defined in ZF. We have also discussed our formalization of ZFG; see zfc. In this section we sketch an argument for how to interpret an ACL2 theory in ZFG so that all hypothesis function calls are true.
We start with the following definitions.
(a) An ACL2 session is a sequence of events where every axiomatic event is admissible and every alleged theorem TH is indeed a theorem of the axiomatic events present at the introduction of TH. Note that include-book events are not part of a session; we essentially consider them to be “puffed” away.
(b) Let EZ be the encapsulate event that introduces the function,
zfc . An EZ session is a defaxiom-free ACL2 session that includes EZ.(c) The zfc props of an EZ session are its hypothesis function calls. These are as defined above, i.e., they include
(zfc) and calls of zero-ary hypothesis functions generated by invocations ofzsub andzfn . As noted elsewhere (see zfc), the hypothesis functions are exactly the keys of the table,zfc-table .(d) The ZFG theory of an EZ session is the extension of ZFG by all of the following:
- the axiomatic events of the session;
- the comprehension and replacement schemes for the extension of the language of ZFG by the function symbols introduced in those axiomatic events; and
- all zfc props of the session.
Then we claim the following.
(1) The ZFG theory of an EZ session is consistent, assuming that ZF is consistent.
(2) For every theorem event in an EZ session, if we remove all zfc props from its hypotheses then the result is a theorem of the ZFG theory of the session.
In fact (2) is trivial by (d) above. The import of (1) is that (2) is not
vacuous: it is about a consistent theory. Note that (2) allows us to ignore
all
The proof of (1) is based on the following notion. The puffing
procedure modifies an ACL2 session by eliminating all
Claim. Given an EZ session s1 extending the initial ZFG session, let s2 be the result of applying the ZFG puffing procedure to s1. Then s2 is consistent.
The proof is by induction on sessions. The initial EZ session is no problem, as the definitions in EZ are made explicit in zf plus global choice. As we puff, we can replace each definition with an explicit definition in ZFG; this is true even for (mutually) recursive definitions because of the measure theorem. Each defchoose can be replaced by an explicit definition too, using global choice. The result consists entirely of extensions using explicit definitions, hence preserves consistency, comprehension, and replacement.
Note that we have not worked out such an argument for ACL2(r) (see real).
When one uses trust tags (see defttag) in a session, then as usual, this carries is a responsibility to ensure soundness. In particular, if a partial-encapsulate event is accompanied by raw Lisp definitions, then there is a responsibility to guarantee that the implicit exported theorems hold in the ZFG theory of the session.