The Nuprl Proof Development System, Version 5 Reference Manual
Contents
1. Types and their members:
var z: v O T
function S r T: lambda x t; apply Cf 0 z 5 T S T AS HIE
product S r T: pair s; spread el x y u; SRT SxT s t; let z y el in u
union: 1 5 7T inl 5 inr C; decide e x u y v; S4T inl s inr t; case e of inl z u inr y gt
universe j: A i O All types of level j vj
equal s t T: Axiom O s teT Ax
void: Q No canonical elements; any e void any e
Atom: O token token tM O; atom eq u v s t Atom token ifluF v then s else t
int: natural number n n O indi Hus fo s base y t Z n ind u z f5 5 base y fy t
minus: natural number n n O minus u
add p ul vb; sub Qu vp n Tu uv uv; mul ul; div u s v; rem YQ u vp ule v u owul u rem v; inteq ul vlis t; less u v s t if u v then s else t iflu lt lv then s else t
less_than u v: Axiom O U lt U Ax
list T: nil O cons t; list ind 5 base z l fot T list LA bil list ind 5 base z l ft
rec X Tx: members defined by unrolling Tx; rec_ind e ts t rectype X Tx let f x 2t in fde
set S qu: members of S that satisfy P ems TH SIT
isect 5 T: Terms that belo
2. Figure 4.12: Creating Object Collections. An example of an article automatically generated from such an object can be found at http www cs cornell edu home kreitz Abstracts Oi1cucs HybridProtocol nuprl html. Theory documentation objects can also be created by typing make thy doc object directory into the editor ML top loop, where directory is the object identifier of the directory to be documented.
4.3.4 Miscellaneous Operations
4.3.4.1 Creating Object Collections
An Obid Collector is a method of collecting a list of object identifiers to be used as an argument to navigator commands. An Obid Collector persists as an object, but the navigator also maintains a cache of the collector's list of object identifiers. To build an obid collector one has to click the ObidCollector command button. This will create a collector command zone on top of the current command zone, which requires the user to choose between several options, shown on the left of Figure 4.12:
• JumpToLocalCollectors: jump the navigator to a directory containing the list of named collectors.
• ObidCollector: use the object at the navigation pointer as obid collector. The object has to be of kind TERM or COM.
• TempObidCollector: create an ephemeral collector.
• NamedObidCollector: create a new named collector.
Named collectors are stored in the library and will persist from session to session, while ephemeral collectors will be discarded at the end of a sess
3. d id en 1 2 n O er e2 en d in e P1P2 Pn
B.4.1 Declarations
Any declaration must be one of the three kinds let b, letref b, or letrec b, where b is a binding. Each such declaration is evaluated by first evaluating the binding b to produce a (possibly empty) set of variable-value pairs, and then extending the environment in a manner determined by the kind of declaration, so that each variable in this set of pairs denotes its corresponding value. The evaluation of bindings is described below in Section .
1. Evaluating let b declares the variables specified in b to be ordinary, i.e. non-assignable, variables and binds in the environment each one to the corresponding value produced by evaluating b. To understand which variables are defined in a declaration may require some knowledge about the environment. For example, a declaration let f x = e declares x if f is a constructor, and declares f as the function \x. e otherwise.
2. Evaluating letref b declares the variables specified in b to be assignable, and thus binds in the environment each one to a new location whose contents in the store is set to the corresponding value. The effect of subsequent assignments to the variables will be to change the contents of the locations they are bound to. Bindings in the environment of variables to locations can only be changed by evaluating another declaration that supersedes the original one.
3. Evaluating letr
4. df, where dform b means that a is defined as the display form for b. Term slots stretch to accommodate the terms inserted in them. For instance, the term add mul 1 2 3 will be shown as 1 2 3. NUPRL automatically adds parentheses according to display form precedences: when a display form of lower precedence is inserted into the slot of a display form with higher precedence, parentheses are automatically inserted to delimit the slot. For instance, if we assign the display form for mul x y a higher precedence than the one for add x y, then the term add mul 1 2 3 is displayed without parentheses, while mul 1 add 2 3 is displayed as 1 02 413D. Note that parentheses are inserted merely to disambiguate the notation for a human reader, who cannot see the term slots but only 1 2 3.
In addition to term slots and the fixed components of a notation chunk, some display forms contain text slots. These are slots in a definition that are filled with text strings, like values for term parameters and names of binding variables. A universally quantified formula, for instance, is represented by the term all T x P, meaning that for all x of type T the proposition P is true (note that free occurrences of the variable x become bound in P). To generate the usual notation ∀x:T. P for this formula we
5. The left, right, up and down arrow keys move one node left, right, down or up in the proof tree. If a node has many siblings, users may also use the key combinations M-a and M-e for larger jumps. In each case the proof window will focus on the new node, i.e. make it the root of the currently displayed proof tree; the cursor will be positioned in the refinement slot of that node. The proof window on the right of Figure , for instance, results from the window on the left by pressing first  and then . Pressing the up arrow key in the right window will again produce the window on the left.
Proof tree motion is relative to the node where the cursor is positioned. If the cursor is at the current root node, then pressing a left, right or up arrow key will move the focus to a sibling or parent node that is currently not visible, while the down arrow key will focus on the first visible subgoal. If the cursor is at a subgoal of the current root node, then pressing an arrow key will move the focus relative to that node, while pressing M-z will cause the proof window to focus on that node. C-1 causes the editor to jump to the root of the proof tree that is currently being edited, while C-M-j causes it to jump to the next unproven subgoal in that tree, using a preorder traversal of the proof tree. If there are none, C-M-j shifts the focus to the root of the proof tree.
6.3 Stating and Proving Theorems
The proof editor is invoked whenever a statement object is opened fo
6. Definition:
letrec append l1 l2 = if null l1 then l2 else (hd l1) . (append (tl l1) l2);;
The function el extracts a specified element from a list. It fails if the integer argument is less than 1 or greater than the length of the list.
el : int -> * list -> *
Description: el i [x1; ...; xn] = xi
Definition:
letrec el i l = if null l or i < 1 then failwith `el` else if i = 1 then hd l else el (i - 1) (tl l);;
The functions last and butlast compute the last element of a list and all but the last element of a list. Both fail if the argument list is empty.
last : * list -> *
butlast : * list -> * list
Description: last [x1; ...; xn] = xn; butlast [x1; ...; xn] = [x1; ...; x(n-1)]
Definition:
letrec last l = (last (tl l)) ? (hd l) ? failwith `last`;;
letrec butlast l = (if null (tl l) then [] else (hd l) . (butlast (tl l))) ? failwith `butlast`;;
The next function makes a list consisting of a value replicated a specified number of times. It fails if the specified number is less than zero.
replicate : * -> int -> * list
Description: replicate x n evaluates to [x; ...; x], a list of length n.
Definition:
letrec replicate x n = if n < 0 then failwith `replicate` else if n = 0 then [] else x . (replicate x (n - 1));;
B.7.3 List mapping and iterating functions
map : (* -> **) -> * list -> ** list
Description: map f l returns the list obtained
7. OnSomeHyp T ≡ T n ORELSE ... ORELSE T 1
Try running T on one of the hypotheses of the goal, starting with the end of the hypothesis list and working backwards.
The library contains a few abstractions that provide a more elegant notation for the most common combinations of tactics and tacticals:
auto T ≡ T THEN Auto
aux auto T ≡ T THENA Auto
siauto T ≡ T THEN SIAuto
autop T ≡ T THEN Auto
aux autop T ≡ T THENA Auto
aux siauto T ≡ T THENA SIAuto
8.9 The Rewrite Package
NUPRL's rewrite package is a collection of ML functions for creating rules for rewriting terms into equivalent ones and applying them in various fashions to clauses of a sequent. The package supports rewrite rules involving various equivalence relations, such as the 3-place equality-in-a-type relation, logical bi-implication, the permutation relation on lists, abstractions, and computational equivalence, and takes care of automating proofs that these equivalence relations are respected by rewriting. It also supports rewriting rules involving arbitrary transitive relations, such as logical implication, and takes care of checking that relevant terms are appropriately monotonic. The package is based around ML objects called conversions. Conversions, similar to those found in other tactic-based theorem provers such as LCF, HOL and Isabelle, provide a language for systematically building up rewrite rules in a fashion similar to the way tactics are assembled usi
8. e1; ...; en   sequencing
[]   empty list
[e1; ...; en]   list of n elements
e where b   equivalent to let b in e
e whereref b   equivalent to letref b in e
e whererec b   equivalent to letrec b in e
e wheretype db   equivalent to lettype db in e
e whereabstype ab   equivalent to abstype ab in e
e whereabsrectype ab   equivalent to absrectype ab in e
d in e   local declaration
\p1 p2 ... pn. e   abstraction, equivalent to \p1. \p2. ... \pn. e
Table B.4: Expressions
B.3.2 Identifiers and other lexical matters
In this section the lexical structure of ML is defined.
B.3.2.1 Identifiers
A variable (var) or identifier is a sequence of alphanumerics starting with a letter, where an alphanumeric is either a letter, a digit, a prime (') or an underbar (_). ML is case sensitive: upper and lower case letters are considered to be different.
B.3.2.2 Constant expressions
The ML constant expressions (ce's) used in Table B.4 are:
1. Integers, i.e. sequences of digits 0 1 ... 9.
2. Truth values true and false.
3. Tokens and token lists.
(a) Tokens consist of any sequence of characters surrounded by token quotes, e.g. `This is a single token`.
(b) Token lists consist of any sequence of tokens separated by spaces, returns (line feeds) or tabs, surrounded by token list quotes, e.g. ``this is a token list containing 7 members``. ``tok1 tok2 ... tokn`` is equivalent to [`tok1`; `tok2`; ...; `tokn`]. In any
9. C-M-I   INITIALIZE   initialize object
condition so_varn   INSERT TERM so_varn   insert second order var with n args
C-M-   CYCLE META STATUS   make parameter meta/normal
C-M-S   SELECT TERM OPTION   open condition sequence
C-o   OPEN SEQ TO LEFT   open slot in cond seq to left
M-o   OPEN SEQ TO RIGHT   open slot in cond seq to right
Since most abstraction objects are created using the AddDef mechanism described in Section 4.3.2.2, the left and right hand side of the abstraction is already present when the object is opened. In the rare case that the abstraction object was created with the MkObj command button (Section 4.3.2.1), it will contain an empty term slot when it is first visited, which must be initialized before a definition can be entered. The INITIALIZE command will create an uninstantiated abstraction definition term, which looks like ab lhs  ab rhs. To enter the abstract term on the left hand side of the definition, one has to provide its object identifier, its parameters, and a list of its subterms together with the variables to be bound in these subterms. Ways to create new terms with the term editor are described in Sections  and . The term for the right hand side of the definition is entered in the usual structural top-down fashion of the term editor, as explained in Section 5.4. so_varn has to be used to enter second order variable instances on the left and right hand sides of the definition. This wil
10. Cut and paste commands work on terms, segments of text slots, and segments of text and term sequences. In this section we refer to these collectively as items. Items can be saved on a save stack, in which they are represented as terms. Often it is possible to cut one kind of item and then paste it into another kind of context: for example, one can cut a term and paste it into a text sequence, or cut a segment of text from a text slot and paste it into a term sequence. Within the context of NUPRL's editor, cut and paste commands have the following meaning:
SAVE: push a copy of an item onto the save stack, leaving the item in place. Similar to copy-as-kill in Emacs.
DELETE: remove an item from a buffer without saving it.
CUT (= SAVE + DELETE): remove an item from a buffer and push it onto the top of the save stack. Similar to kill in Emacs, although NUPRL does not append together items that were cut immediately one after the other.
PASTE: insert the item on top of the stack back into a buffer, removing it from the stack. Successive pastes thus retrieve items that were saved earlier.
PASTE COPY: insert the item on top of the stack back into a buffer without removing it from the stack. This is useful for making several copies of an item. Similar to yank in Emacs.
PASTE NEXT: remove the item just pasted from the buffer and paste the item that is now on top of the stack. Can only be used immediately after a PASTE. By repeating PASTE NEXT one may back throug
11. MinLog
Figure 1.1: NUPRL 5 distributed open architecture
... library contains definitions, theorems, inference rules, meta-level code (e.g. tactics) and structure objects that can be used to provide a modular structure for the library's contents. Inference engines (refiners), user interfaces (editors), rewrite engines, evaluators and translators are started as independent processes that can connect to the library at any time. The library can communicate with arbitrarily many other processes. This allows the user to connect several refiners and evaluators simultaneously, e.g. the NUPRL and MetaPRL refiners, proof systems like HOL or PVS [ORR 96], first-order provers like JProver [SLKNO01], Otter [WWM 90], EQP [McC97] or Setheo [LSBB92], proof-based program generators like MinLog [BBS 98], rewrite engines like Maude [CDE 99a], computer algebra systems like Mathematica or Maple [Map], decision procedures (SVC) and model checkers [Hol97], and even to make them cooperate. It is also possible to run different refiners in parallel on the same proof goal, or several instances of the same refiner on different proof goals. Providing several editors enables several users to work in parallel on the same formal theory while using their favorite interface. At the same time, external users can access the system through the Web without having to start the whole system themselves. Translators between the formal knowledge stored in the library and, for insta
12. The latter can be inserted by opening a term slot and entering terms as described in Chapter 5.
4.2.3 The Process Top Loop Windows
The Process Top Loop windows are the windows in which the library, refiner and editor Lisp processes were started. Usually they run as ML top loops for interacting with the corresponding processes. However, it is also possible to switch into Lisp mode if low-level operations have to be performed. The process Top Loops support most of the commands of the corresponding NUPRL ML top loop but lack the features for editing NUPRL terms and most of the navigator commands. These windows should only be used for maintenance and debugging purposes. It is recommended to run them within an emacs shell to have some text editing support.
4.3 Library Commands
Most library commands are best executed from the navigator but may also be invoked from the ML top loop (see Section 4.4). In this section we will describe the usual navigator operation and mention the corresponding commands. Many commands are initiated by clicking the left mouse button on one of the predefined menu buttons in the navigator's command zone. Often this will pop up a template containing one or several slots into which the user has to enter text or terms. When issuing commands, pressing certain key sequences will have the following effects:
• The return key
  ◦ closes a slot and moves to the next empty slot. If all slots have been filled, it highlights the
13. We saw several examples of types in Section . To understand the following syntax, note that list is a postfixed unary (one-argument) type constructor (thereafter abbreviated to tycon). The user may introduce new n-argument type constructors. A binary type operator directory, for example, can be introduced. The following type expressions will then be types of different kinds of directory:
• (tok, int) directory
• (int, int -> int) directory
The user may even deal with lists of directories, with the type (int, bool) directory list.
B.5.1.1 The syntax of types
The syntax of ML types is summarized in Table . Type abbreviations are introduced by a lettype declaration (see Section  below), which allows an identifier to abbreviate an arbitrary monotype. An abstract type likewise consists of an identifier introduced by an abstype or
(The NUPRL system also relies on strict type checking to ensure that objects of type proof can only be constructed by reference to a fixed set of inference rules.)
Types
ty ::= sty   Standard (non-infix) type
   | ty # ty (R)   Cartesian product
   | ty + ty (R)   Disjoint sum
   | ty -> ty (R)   Function type
Standard Types
sty ::= unit | int | bool | tok | string   Basic types
   | vty   Type variable
   | tycon   Type abbreviation (see Section B.5.4)
   | tycon   Nullary abstract type
   | tyarg tycon (L)   Abstract type (see Section B.5.5)
   | (ty)   Type arguments
Type arguments
tyarg ::= sty   Single type argument
   | (ty, ..., ty)   One or more type arguments
Ty
14. > with these keys. Type C-t 163 to generate the ∃ symbol (see the table on page 73 for a list of all special characters) and the exclamation mark. Delete the semicolon and the dot between the term slots, and also the right parenthesis.
EdAlias exists_uni   ∃!<T:T> <x:var> <P:P>   exists_uni <T> <x> <P>
To rearrange the order of the slots, click left over <T:T>, press M-p to mark the full slot and C-k to cut it. Then move the mouse to the immediate right of <x:var> and press C-y. Add a colon between <x:var> and <T:T>, and a dot and a space between <T:T> and <P:P>.
EdAlias exists_uni   ∃!<x:var>:<T:T>. <P:P>   exists_uni <T> <x> <P>
In principle the display form is now complete. However, it is advisable to edit the slot descriptions of T and P. Click right of the second T in <T:T>, remove it, and enter type instead. In the same way change the second P in <P:P> to prop. This makes sure that meaningful descriptions for these slots will show up whenever the template for exists_uni is opened.
EdAlias exists_uni   ∃!<x:var>:<T:type>. <P:prop>   exists_uni <T> <x> <P>
To commit the completed display form to the library, press C-z. This will also close the window again. Do not use C-q unless you want all your changes to be ignored.
15. til e T list if T Type t t T and l l T list
s t rectype X Tx if rectype X Ty Type and s t Tx rectype X Tx X
s ter SIT if x S T Type s teS and there is some term pe T s x
t t D S T if Na S T Type and t t3 T s x for all se S
s te v y T E if x y T E Type seT teT and there is some term pe Els t x y
21 51 gt T 19 89 gt T gt U if Si S5 eU and Ti si x1 T5 s3 3 cU for all 51 52 with s1 s2
4 i T 95 T5 U if T 23 595 5 U for some variable x
1 Ti T U if z 9 T T U for some variable x
24 91 xT 19 99 x T3 U if Si S2 EU and Ti si 21 T2 s2 72 U for all 54 59 with 541 525
54 T S9xT U if T x2 582xT U for some variable x
SixT T U if z 4 91xT T U for some variable x
Si 7 S94 T U if 55 eU and T T eU
s t eT st eT U if T T eU so s cT and t t eT
Us Us U if j 2j2 j as natural number
void void e U
Atom Atom U
Z Z U
isi ig U if i i Z and j j Z
T list T list U if T T c U
rectype X T rectype X T U if T X X1 T4X Xs Uj for all X e U
z 5 T z S I T4 e U if S 5 U and there are terms p p and a variable z which occurs neither in T nor in T such that p Va S Ti 2 21 To m v2 and p Vz S Talx x2 gt Ti 12 21 T
16. with b, where b is a binding, i.e. the kind of phrase that can follow let or letrec. Such a declaration introduces a new type ty, which is represented by ty'. Only within b can one use the automatically declared functions abs_ty of type ty' -> ty and rep_ty of type ty -> ty', which map between a type and its representation. In the example above, abs_time and rep_time are only available in the definitions of maketime, hours and minutes; these latter three functions, on the other hand, are defined throughout the scope of the declaration. Thus an abstract type declaration simultaneously declares a new type together with primitive functions for the type. The representation of the type (i.e. ty') and of the primitives (i.e. the right hand sides of the definitions in b) is not accessible outside the with part of the declaration.
let t = maketime 8 30;;
t : time
hours t, minutes t;;
(8, 30) : intpair
Notice that values of an abstract type are printed as -, like functions.
B.2.15 Type constructors
Both list and # are examples of type constructors. list has one argument, hence * list, whereas # has two, hence * # **. Each type constructor has various primitive operations associated with it: for example list has null, hd, tl etc., and # has fst, snd and the infix ,.
let z = 8, 30;;
fst z;;
8 : int
snd z;;
30 : int
z;;
(8, 30) : intpair
Another stan
17. 2 1 fox t 2 l fei
let f x t in fde gt t y
let f x 2t in f y e f x
Table A.2: Redex-Contracta Table for Nuprl's Type Theory
... the principal arguments must be in the corresponding canonical form.
A.2 Semantics
A.2.1 Evaluation
Nuprl's semantics is based on a notion of values. Terms are divided into canonical forms, i.e. values, and noncanonical forms, i.e. terms that need to be evaluated. Evaluation in Nuprl is lazy: whether a term is canonical or not depends solely on its operator identifier, but not on its subterms. In noncanonical forms certain subterms are marked as principal arguments. If a principal argument is instantiated with a matching canonical form, the expression becomes reducible, i.e. a redex, and can be evaluated to its contractum, defined in a redex-contracta table. Nuprl's evaluation mechanism first computes the values of all principal arguments of a noncanonical expression. If an argument does not have a value, or if the resulting expression is not reducible, evaluation stops: the expression has no value. Otherwise the expression will be reduced according to the redex-contracta table and the resulting term will be evaluated. Canonical forms and noncanonical forms, together with their principal arguments, are given in Table . The corresponding redex-contracta table is given in Table A.2.
tS OT 48 T if Si 82 and Ti s x1
18. A
• The universe level of a type, as in lambdaEquality j x
• A term that instantiates a variable, as in dependent_pairFormation j s x
• The type of some subterm in the goal, as in applyEquality 5 T
• The dependency of a term C z from a variable z, as in decideEquality z C S4T s t y
Most of the elementary inference rules are subsumed by the one-step decomposition tactics D, MemCD, EqCD, MemHD, EqHD, MemTypeCD, EqTypeCD, MemTypeHD and EqTypeHD. These tactics try to determine the parameters of the corresponding rules from the context unless they are explicitly provided with the tacticals New, At, With or Using (see Section 8.2.2). A user may choose to use these tacticals to support the tactics in situations where appropriate parameters cannot be found automatically, or in order to enforce the use of, for instance, particular names for newly created variables.
In the following we present the basic inference rules of NUPRL's type theory as well as the tactics that can be used to perform the same one-step decomposition of proof goals. For the latter we describe both the minimal form, which only lists tactics that are needed for injecting required arguments, and a maximal form with all tacticals that may have an effect on the execution of the tactic. Some rules that are now considered obsolete are not covered by tactics and have to be converted explicitly into tactics using the function r
19. COM  FFF  mk_stack_start
DISP TIF  Stacks_df
ABS  TIF  Stacks
DISP TIF  st_STACK_df
ABS  TTF  st_STACK
DISP TIF  st_empty_df
ABS  TIF  st_empty
DISP TIF  st_push_df
ABS  TTF  st_push
DISP TIF  st_pop_df
ABS  TIF  st_pop
CODE FFF  Stacks_FoldUnfold_update
CODE FFF  mk_stack_AbReduce_conv_defs
CODE FFF  mk_stack_AbReduce_conv_updates
STM  TFF  Stacks_wf
STM  TFF  st_STACK_wf
STM  TFF  st_empty_wf
STM  TFF  st_push_wf
STM  TFF  st_pop_wf
DISP TIF  mk_stack_df
ABS  TIF  mk_stack
DISP TIF  case_mk_stack_df
ABS  TIF  case_mk_stack
CODE FFF  mk_stack_install_pattern
STM  TFF  mk_stack_wf
TERM FFF  recall_mk_stack
COM  FFF  mk_stack_finish
Figure 4.7: Creating Recursive Modules: code object and created directory
• The first token slot contains the name of the module type, e.g. Stacks.
• The second token slot contains the name of the constructor that builds modules from their individual components.
• The third token slot contains a short name of the module that is prefixed to the names of the abstractions and display forms defining the module's field selectors. This prefix was necessary in previous releases of NUPRL to disambiguate the names of these definitions, but has become obsolete because of the directory structure introduced in NUPRL 5. It is retained for compatibility purposes.
• The fourth slot contains the parameters of the module type and their types, which have to be given as a list of pairs of NUPRL variables and terms.
• The fifth slot contain
20. Christoph Kreitz and Stephan Schmitt. A uniform procedure for converting matrix proofs into sequent-style systems. Journal of Information and Computation, 162(1-2):226-254, 2000.
Xavier Leroy. The Objective Caml system, release 3.00. Institut National de Recherche en Informatique et en Automatique, 2000.
[LSBB92] Reinhold Letz, Johann Schumann, Stephan Bayerl, and Wolfgang Bibel. SETHEO: A high-performance theorem prover. Journal of Automated Reasoning, 8:183-212, 1992.
[Map] Maple home page. http://www.maplesoft.com
The MathBus Term Structure. www.nuprl.org/mathbus/mathbusTOC.htm
[McC97] W. McCune. Solution of the Robbins problem. Journal of Automated Reasoning, 19:263-276, 1997.
K. L. McMillan. Symbolic Model Checking. Kluwer Academic Publishers, 1993.
MetaPRL home page. http://metaprl.org
Per Martin-Löf. Intuitionistic Type Theory, volume 1 of Studies in Proof Theory, Lecture Notes. Bibliopolis, Napoli, 1984.
[Nau98] Pavel Naumov. Publishing formal mathematics on the web. Technical Report TR98-1689, Cornell University, Department of Computer Science, 1998.
[Nau99] Pavel Naumov. Importing Isabelle formal mathematics into Nuprl. Technical Report TR99-1734, Cornell University, Department of Computer Science, 1999.
[NO79] Greg Nelson and Derek C. Oppen. Simplification by cooperating decision procedures. ACM Transactions on Programming Languages and Systems, 1(2):245-257, October 197
21. Figure 4.5: Creating Definitions: initial template and resulting update to the library (navigator listing: STM TFF exists_uni_wf)
4.3.2.2 Creating Definitions
A formal definition adds a new abstract term to the formal language of NUPRL that is defined to be equal to some already existing term. In NUPRL a formal definition requires the creation of two new objects: an abstraction, which defines the meaning of the abstract term (see Chapter 7.1), and a display form, which defines its syntactical appearance (see Chapter 7.2). In addition, most definitions are accompanied by a well-formedness theorem, which proves that the newly introduced term belongs to a certain type and is thus well formed. The names of these objects follow a certain convention: if the operator identifier of the abstract term is opid, then the abstraction object is named opid, the display form opid_df, and the well-formedness theorem opid_wf.
The AddDef command button provides a convenient way to generate these three objects and a part of their content. Clicking the AddDef button will open a template for defining the abstract term. To enter the abstract term on the left hand side of the definition, one has to provide its object identifier, its parameters, and a list of its subterms together with the variables to be bound in these subterms. Ways to create new terms with the term editor are described in Sections 5.4.4 and
22. Description: find p l returns the first element of l that satisfies the predicate p; tryfind f l returns the result of applying f to the first member of l for which the application of f succeeds.
Definition:
letrec find p = fun [] . failwith `find` | (x . l) . if p x then x else find p l;;
letrec tryfind f = fun [] . failwith `tryfind` | (x . l) . (f x ? tryfind f l);;
The next two functions are analogous to the quantifiers ∃ and ∀.
exists : (* -> bool) -> * list -> bool
forall : (* -> bool) -> * list -> bool
Description: exists p l applies p to the elements of l in order until one is found which satisfies p, or until the list is exhausted, returning true or false accordingly; forall is the dual.
Definition:
let exists p l = can (find p) l;;
let forall p l = not (exists (not o p) l);;
The next function tests for membership of a list.
mem : * -> * list -> bool
Description: mem x l returns true if some element of l is equal to x; otherwise it returns false.
Definition:
let mem = exists o curry $=;;
The following two functions are ML versions of Lisp's assoc.
assoc : * -> (* # **) list -> (* # **)
rev_assoc : ** -> (* # **) list -> (* # **)
Description: assoc x l searches a list of pairs for one whose first component is equal to x, returning the first pair found as result; similarly rev_assoc y l searches for a pair whose second c
23. f 3;;
9 : int
Here f 3 results in the evaluation of 3 * f 2, but now the first f is used, so f 2 evaluates to 2+1 = 3; hence the expression f 3 results in 3*3 = 9. To make a function declaration hold within its own body, letrec instead of let must be used. The correct recursive definition of the factorial function is thus:
letrec fact n = if n = 0 then 1 else n * fact (n - 1);;
fact : int -> int
fact 3;;
6 : int
B.2.6 Iteration
The construct if e1 then e2 loop e3 is the same as if e1 then e2 else e3 in the true case; when e1 evaluates to false, e3 is evaluated and control loops back to the front of the construct again. As an illustration, here is an iterative definition of fact using two local assignable variables count and result:
let fact n =
  letref count = n and result = 1 in
  if count = 0 then result
  loop count, result := count - 1, count * result;;
fact : int -> int
fact 4;;
24 : int
Replacing the then in if e1 then e2 else e3 by loop causes iteration when e1 evaluates to true, e.g. if e1 loop e2 else e3 is equivalent to if not e1 then e3 loop e2. The conditional loop construct can have a number of conditions, each preceded by if. The expression guarded by each condition may be preceded by then, or by loop when the whole construct is to be re-evaluated after evaluating the guarded expression.
let gcd x y =
  letref x, y = x, y in
  if x
24. implode [`cd`; `ab`; `tu`];;
evaluation failed: implode
int_to_char : int -> char
char_to_int : char -> int
The function int_to_char on argument i returns the i-th character in NUPRL's font. The integer i must be non-negative and less than 256. For arguments less than 128 the integer-character correspondence is the same as in ASCII. The function char_to_int returns the integer code of its argument, which must be a one-character token.
string_to_toks : string -> tok list
toks_to_string : tok list -> string
These functions are similar to explode and implode, except that they work on strings rather than tokens.
int_to_tok : int -> tok
tok_to_int : tok -> int
These are bound to the obvious type coercion functions, with tok_to_int failing if its argument is not a non-negative integer token.
ml_curried_infix : tok -> unit
ml_paired_infix : tok -> unit
The functions ml_curried_infix and ml_paired_infix declare their argument tokens to the ML parser as having infix status. Infixed functions can either be curried or take a pair as an argument. For example, after executing
ml_paired_infix `plus`;;
let x plus y = x + y;;
1 plus 2 is synonymous with plus (1, 2), and after executing
ml_curried_infix `plus`;;
let x plus y = x + y;;
1 plus 2 is synonymous with plus 1 2.
B.6.2 Predeclared dollared identifiers
The following prefix and infix oper
25. Navigator window (theories), Scroll position 0, List Scroll: Total 13, Point 0, Visible 10:
DIR  TTF  General
DIR  TIF  pre_utils
DIR  TIF  initial_reference_environment
DIR  TIF  standard
TERM TTF  check_theories_control
DIR  TTF  Obvious
DIR  TIF  user
DIR  TIF  detritus
DIR  TTF  utils
Command buttons: MkTHY, MkThyDir, ExportThy, OpenThy, CloseThy, ChkThy, ChkAllThys, PrintObjTerm, PrintObj, MkThyDocObj, ProofHelp, ProofStats, showRefEnvs, FindTheoriesMin, RmGroup, ChkOpenThy
Usually NUPRL users will work within their own sub-directory within the directory user, and occasionally browse the standard sub-directory, which contains the NUPRL type theory and a few standard libraries of formalized mathematical knowledge. A new user directory can be created by clicking the MkThyDir button. This will open a template for entering the name of the new directory and move the edit point to the name slot:
OK  Cancel  create new directory: name
followed by the navigator's command buttons: MkTHY, MkThyDir, ExportThy, OpenThy, CloseThy, ChkThy, ChkAllThys, ChkOpenThy, CheckMinTHY, MinTHY, EphTHY, ExTHY, Mill, ObidCollector, NameSearch, PathStack, RaiseTopLoops, PrintObjTerm, PrintObj, MkThyDocObj, ProofHelp, ProofStats, showRefEnvs, FindTheoriesMin, CpObj, reNameObj, EditProperty, SaveObj, RmLink, MkLink, RmGroup, ShowRefenv, SetRefenvSibling, SetRefenv, ProveRR, SetInOBJ, MkTHM, MkML, AddDef, AddRecDef, AddRecMod, AddDefDisp, AbReduce, NavAtAp, Act, DeAct, MkThyDir, Rm
<P>

Finally, we add a second display form for the term ∃!x:T. P, which drops the type information from the display whenever the type is ℕ. Click LEFT on the second character to get a term cursor over the whole definition and then enter M-0 to get a second initial display form definition after it:

Parens :: Prec(exists) :: ∃!<x:var>:<T:type>. <P:prop:E> == exists_unique(<T>; <x>; <P>)

Copy the first definition into the second as follows: enter C-k to replace the initial display form by an empty term slot, move the term cursor over the whole first definition, copy it with M-k, move the term cursor back over the empty term slot and paste the first definition with C-y. Remove the colon with BACKSPACE:

Parens :: Prec(exists) :: ∃!<x:var>:<T:type>. <P:prop:E> == exists_unique(<T>; <x>; <P>)
Parens :: Prec(exists) :: ∃!<x:var> <T:type>. <P:prop:E> == exists_unique(<T>; <x>; <P>)

On the right hand side of the definition replace the meta-term <T> by the type constant ℕ: click LEFT on the < character, enter C-k and then type nat ↵ to enter ℕ. On the left hand side remove the term slot for T by clicking LEFT on the > character, and then the type ℕ:

Parens :: Prec(exists) :: ∃!<x:var>:<T:type>. <P:p
[End of the preceding rule display, partly illegible: goal H ⊢ B[a/x] ext b, with subgoals stating A ∈ U_j and H, y:A ⊢ B[y/x].]

Type of a subterm. Sometimes decomposing a proof goal into smaller components involves proving that certain subterms belong to a type that cannot immediately be constructed from the types mentioned in the goal. Proving the equality of two function applications f1 t1 and f2 t2 in a type T, for instance, requires proving f1 and f2 equal in some type x:S→T. As this type cannot be derived from T, it must be given explicitly:

H ⊢ f1 t1 = f2 t2 ∈ T[t1/x]
BY applyEquality x:S→T
    H ⊢ f1 = f2 ∈ x:S→T
    H ⊢ t1 = t2 ∈ S

Term dependency. Applying a proof rule may sometimes involve replacing a sub-expression e in the goal by some other expression. If e occurs several times in the goal, one must indicate which of the occurrences of e shall be replaced and which shall not. Technically this is done by providing a term substitution: all occurrences of e in the term C that shall be affected by the rule application are replaced by a new variable z. The rule will then substitute every occurrence of z by the new expression. Both z and the modified term C_z must be given as arguments. As an example consider the rule decideEquality for proving two case analyses equal:

H ⊢ case e of inl
text editors like Emacs. Users have to get used to entering and editing terms in accordance with their tree structure instead of their textual appearance. They also have less control over formatting, since all display formatting is done automatically and may only be influenced by display forms (see Chapter 7.2). It may take a while to learn how to use a structured editor and to take advantage of its capabilities. Suggestions for improvements from users of the NUPRL editor are always welcome.

5.2.1 Term Display

To associate a chunk of notation with a term, NUPRL's term editor relies on display form definitions. Binary addition, for instance, is represented by the term add(x; y) but conventionally written with the symbol + in infix notation. We could write the notation chunk as [□ + □], where the □'s are holes for the two subterms and the outer box shows the extent of the chunk. We call these holes term slots, because they can be filled by terms. In a display form definition we usually label term slots with variables to indicate how term slots correspond to the logical structure of a term. The display form for addition, for instance, can be defined as add(x; y) == [x + y].

Footnote: An alternative approach, taken for instance by MATHEMATICA [Wol88], is to use a rich parseable ASCII syntax for input and then to process the input with pretty-printing routines for formatted output like Display PostScript.
the final reference environment. This command can also be used to check sub-theories, as it does not attempt to build the final reference environment of a theory.
• ChkMinThy initiates a check with a minimal reference environment. Users have to enter one of the flavors reference environment minimal, reference environment theories minimal or reference environment relative minimal into a token slot that appears above the command zone.

4.3.3.7 Exporting and Importing Theories

A capability for exporting and importing theories is important for moving theories between different libraries in a controlled fashion. NUPRL exports theories into files containing raw library data and rebuilds objects from these files when importing theories. To export a theory, one has to click the ExportTHY command button with the navigation pointer at the theory object. This will collect all the objects in the theory and write them into a file in the directory nuprlpatch, named after the theory (theory-name theory.trm). Alternatively, a user may type the command dump_theory true directory theory_object into the editor ML top loop, where directory is the object identifier of the directory where the theory resides and theory_object the object identifier of the theory itself. To import a theory from a file, one has to enter the command replace_objects path_name into the editor ML top loop, where path_name is the complete path name of the theory's dump file. This will create a directory containing
which must be terminated explicitly by a double semicolon. Users may also switch to Lisp mode and enter low-level system commands in Lisp. These commands need to be terminated by a double semicolon as well, but will be forwarded to the Lisp interpreter. For both ML and Lisp there are also a few dotted commands. These are expressions without arguments that are terminated by a period. Below we list some of the most commonly used commands.

• Editor Commands
  nuprl_oed_suspend   closes all NUPRL windows
  nuprl_oed_resume    reopens the NUPRL windows
  nuprl_oed_reset     kills all NUPRL windows
  win                 opens the navigator and ML top loop windows
  set_xhost hostname display_index   redirects all NUPRL windows to the specified display after the next suspend/resume cycle; hostname must be a string describing the display host and display_index a number (usually 0) specifying the display terminal on that host
  nuprl_oed_rehash    rehashes the macros and bindings in the user's mykeys macro file (see Section 3.2.2)

• Commands for the Editor or Refiner
  setup_connect socket socket hostname   sets up a connection to the library at host hostname using the indicated socket numbers
  de.   try to establish the connection that was set up
  dd.   disconnect the process
  open_lib lib_mnemonic   opens the connection to the library environment called lib_mnemonic
  close
[Table A.4: Member semantics table for Nuprl. The legible part covers the function type (x:S→T ∈ U_j if S ∈ U_j and T[s1/x] = T[s2/x] ∈ U_j for all s1 = s2 ∈ S) and the quotient type, whose membership condition requires terms p, r, s, t and variables not occurring in E witnessing that the equivalence relation is reflexive, symmetric and transitive.]

A.3 Inference rules

Nuprl's inference rules describe the top-down refinement of proof sequents (see Chapter 6) and the bottom-up construction of extract terms. Rules are written in a top-down fashion, showing the goal sequent above the rule name and the subgoal sequents below it. For each type there are rules for type formation and type equality, formation and equality of canonical members, equality of noncanonical forms, type decomposition in hypotheses (elimination), computation rules, and possibly additional rules. In addition to the rule name, a rule may need certain arguments (see Section 8.1.2), such as
• the position of a hypothesis to be used, as in hypothesis
• names for newly created variables, as in functionEquality
[Figure 4.2: Pattern-based name search. Left: the result of the pattern divides, listing the objects num_thy_1_intro (COM), divides_df (DISP), divides (ABS), divides_wf (STM), comb_for_divides_wf (STM), zero_divs_only_zero (STM), one_divs_any (STM). Right: the result of the pattern divides$.]

Currently search patterns have to be text strings that can match either a substring of an object's name, its beginning or its end. To search for the beginning of names one simply adds a caret (^) before the string; to search for the end of names one appends a dollar symbol ($) to its end. For instance, entering divides into the pattern slot on the left side of Figure 4.2 searches for the objects in the library whose name contains the string divides. This includes divides_df, divides, divides_wf, comb_for_divides_wf, etc. Entering ^divides searches only for objects whose name begins with divides, which excludes comb_for_divides_wf. Entering divides$, as shown on the right side of Figure 4.2, searches only for objects whose name ends with divides, and entering ^divides$ searches for all objects named divides.

4.3.1.3 Advanced Motion Using Path Stacks

To enable users to jump between commonly used positions in the directory tree, the navigator provides a path stack utility. Clicking the PathStack button will create a path stack command zone on top of the current command zone and store t
B.3.1 Syntax equations for ML

Table B.1 describes ML declarations, Table B.2 bindings, Table B.3 patterns, and Table B.4 on page 187 describes expressions.

d ::= let b            ordinary variables
      letref b         assignable variables
      letrec b         recursive functions
      lettype tab      concrete types
      rectype cb       recursive concrete types
      abstype ab       abstract types
      absrectype ab    recursive abstract types

Table B.1: Declarations

b ::= p = e                        simple binding
      id p1 p2 ... pn = e          function definition
      b1 and b2 and ... and bn     multiple binding

Table B.2: Bindings

p ::= ()                    empty pattern
      id                    variable
      p : ty                type constraint
      p1 . p2          R    list cons
      p1 , p2          R    pairing
      []                    empty list
      [p1; p2; ...; pn]     list of n elements
      (p)                   equivalent to p

Table B.3: Patterns

In the syntax equations, constructs are listed in order of decreasing binding power. For example, since e1 e2 is listed before e1; e2, function application binds more tightly than sequencing, and thus e1 e2; e3 parses as (e1 e2); e3. This convention determines only the relative binding power of different constructs. The left or right association of a construct is indicated explicitly by L for left and R for right. For example, as application associates to the left, the expression e1 e2 e3 parses as (e1 e2) e3, and since e1 => e2 | e3 associates to the right, the expression e1 => e2 | e3 => e4 | e5 parses as e1 => e2 | (e3 => e4 | e5). Only functions can be defined with le
2.3 The Process Top Loop Windows
4.3 Library Commands
4.3.1 Browsing the Library
4.3.2 Operations on objects
4.3.3 Theory Operations
4.3.4 Miscellaneous Operations
4.4 The ML Top Loop
4.4.1 Top loop command buttons
4.4.2 The command line zone editor
4.4.3 Top Loop Commands
4.5 Process Top Loops
4.6 Recovering from Errors
5 Editing Terms
5.1 Uniform Term Structure
5.2 Structured Editing
5.2.1 Term Display
5.2.2 Editor Modes
5.2.3 Term and Text Sequences
5.3 Term Editor Windows
5.4 Entering Information
5.4.1 Inserting Text
5.4.2 Adding and Removing Slots
5.4.3 Inserting Terms
5.4.4 Adding New Terms
5.4.5 Exploded Terms
5.5 Cursor and Window Motion
5.5.3 Mouse Commands
5.5.4 Search for Subterms
5.6 Cutting and Pasting
5.6.1 Basic Commands
5.6.2 Cutting and Pasting Regions
5.6.3 Mouse Commands
5.7 Utilities
5.8 Customizing the Editor
6 Interactive Proof Develo
2+3;;
5 : int
it;;
5 : int

ML prompted, the user then typed 2+3;; followed by a carriage return. ML then responded with 5 : int, a new line, and then prompted again. The user then typed it;; and the system responded by typing 5 : int again. In general, to evaluate an expression e one types e;; followed by a carriage return; the system then prints e's value and type, the type prefaced by a colon. The value of the last expression evaluated at top level is remembered in the identifier it.

B.2.2 Declarations

The declaration let x = e evaluates e and binds the resulting value to x.

let x = 2*3;;
x = 6 : int
it;;
false : bool

Notice that declarations do not affect the identifier it. To bind the variables x1, ..., xn simultaneously to the values of the expressions e1, ..., en one can perform either the declaration let x1 = e1 and x2 = e2 and ... and xn = en or let x1, x2, ..., xn = e1, e2, ..., en. These two declarations are equivalent.

let y = 10 and z = x;;
y = 10 : int
z = 6 : int
let x, y = y, x;;
x = 10 : int
y = 6 : int

A declaration d can be made local to the evaluation of an expression e by evaluating the expression d in e. The expression e where b, where b is a binding such as x = 2, is equivalent to let b in e.

let x = 2 in x*y;;
12 : int
x;;
10 : int
x*y where x = 2;;
12 : int

B.2.3 Assignment

Identifiers can be declared assignable u
[Primitive proof tree for a simple refinement step: hypotheses of the form A ∧ B with subgoals ⊢ False, each step justified BY rule_instance ... and thin.]

The keyboard macros C-M-h and C-M-p are used to show internal details of a refinement step. C-M-h pops up a window that shows the actual steps performed by the refinement tactic, while C-M-p shows the proof on the level of primitive inferences. An example of a primitive proof tree corresponding to a simple refinement step is shown above.

6.4.5 Miscellaneous Features

Users may print proofs by typing C-M-m into the editor window. This will print a snapshot of the current proof to a file nuprlprint/stm_name in the user's home directory, where stm_name is the name of the corresponding statement object. The directory nuprlprint must already exist.

The generic commands for closing and saving editor windows have a slightly different meaning in the context of proof editing. As usual, C-q closes a proof window without initiating any modifications. However, since proofs are saved after each refinement step, all editing steps that were performed after opening the proof editor are already committed to the library and will not be discarded. Saving a proof window with C-z therefore has a somewhat stronger meaning than just saving its visible contents. In addition, an extract term will be created and saved, provided the proof is com
Appendix A.3. These rules describe how types and their members can be formed and when two types or members are equal by decomposing the corresponding terms in the hypotheses or the conclusion of a goal into smaller fragments. Structurally the effect is always the same: the top-level terms are analyzed and their subterms will occur in the subgoals. Each single-step decomposition tactic covers a large collection of primitive inference rules using a single name. The tactic name indicates which part of a hypothesis or conclusion will be decomposed.

D c: Decompose the outermost connective of clause c. D can take several optional arguments:
• A universe argument, usually supplied using the At tactical.
• A t argument for a term, using With. This argument is necessary when decomposing a hypothesis with an outermost universal quantifier or a conclusion with an outermost existential quantifier.
• v1 and v2 arguments for new variable names, using New. These are useful if one is not satisfied with the system-supplied variable names.
• An n argument to select a subterm, using Sel. This is necessary when applying D to a disjunct in the conclusion.
Usually D unfolds all top-level abstractions and applies the appropriate primitive formation or elimination rule. It is somewhat intelligent with instances of set and squash terms.

ID c: Intuitionistically decompose clause c. This behaves as D does, except that when decomposing a functio
C-Q will always close a window without saving its contents to the library.

17. To check the display form, open the abstraction exists_uni again. You will notice that the display of the abstract term exists_uni(T; x. P x) has now been replaced by ∃!x:T. P x.

[Editor window for ABS exists_uni showing ∃!x:T. P(x) == ∃x:T. P(x) ∧ ∀y:T. P(y) ⇒ y = x ∈ T, above the navigator command buttons, and the Navigator window for kreitz/user/theories (Total 4, Point 2, Visible 4) listing STM not_over_and, DISP exists_uni_df, ABS exists_uni, STM exists_uni_wf.]

The abstraction and the display form are sufficient for using a newly defined term in formal theorems and other abstractions. However, many proofs involving an instance of exists_uni will involve checking the type of this term. This can be done automatically if a well-formedness theorem is provided that describes the type of the newly defined term. A unique existence q
CLOSE LIST TO LEFT    close slot and move left
M-C   CLOSE LIST TO RIGHT   close slot and move right

NUPRL's term editor makes it possible to combine informal, semi-formal and formal knowledge by inserting terms into text sequences. These terms are displayed according to their display forms and surrounded by ordinary text. To make this possible, a term slot must be opened and then initialized. The latter inserts a term holder into the term slot, which initially looks like [term]. The commands OPEN LIST LEFT AND INIT and OPEN LIST RIGHT AND INIT combine these two commands and position the cursor at the empty slot of the term holder. Terms may now be inserted into the slot as usual (see Section below).

The commands for opening, initializing and removing slots apply both in text and in term mode and thus have a slightly more general meaning than just described. In term mode, OPEN LIST TO LEFT and OPEN LIST TO RIGHT only apply if the term cursor is an element of a term or text sequence. They add a new empty slot to the left or right of the cursor and move the cursor to the new empty slot. On an empty term sequence both commands have the same effect: they simply delete the nil sequence term. In text mode both commands open up an empty term slot at the text cursor and leave the cursor at the new slot. With text or term sequences represented by a single term, these commands infer the kind of sequence to create from conte
Button            Description                                  Section
EphTHY            Make theory ephemeral
ExTHY             Make theory explicit                         4.3.3.3
ExportThy         Export theory to file
FixRefEnvs        Update ephemeral RefEnv
Mill*             Mill a theory                                4.3.4.2
MinTHY            Make theory relative minimal
MkLink            Create a link                                4.3.2.5
MkML              Create a code object                         4.3.2.1
MkTHM             Create a statement object
MkTHY             Create a theory                              4.3.3.2
MkThyDir          Create sub-theory directory
MkThyDocObj       Create theory documentation object           4.3.3.9
MvThyObj          Move an object                               4.3.2.7
NameSearch        Search for object names
NavAtAp           Apply code to current position               4.3.4.3
ObidCollector     Build Obid Collector
OpenThy           Re-open a theory                             4.3.3.3
PathStack         Advanced motion commands                     4.3.1.3
PrintObj          Print an object
PrintObjTerm      Print an object as a term
ProofHelp         Pop up proof help window                     4.3.2.14
ProofStats        Display proof statistics
ProveRR           Replay proof using RR                        4.3.3.5
RaiseTopLoops     Raise ML top loop window
RmGroup           Remove a group of objects
RmLink            Remove a link                                4.3.2.6
RmThyObj          Remove a library object
SaveObj*          Save copy of an object
SetInOBJ*         Set RR to RefEnv of proof                    4.3.3.5
SetRefenv         Set RR to object
SetRefenvSibling  Set RR to current RefEnv                     4.3.3.5
SetRefenvUsing    Set RR to least RefEnv containing object
ShowRefenv        Show RR
reNameObj         Rename an object                             4.3.2.8
showRefEnvs       Display existing RefEnvs
Clone*            Clone the navigator
MkDir*            Create a directory object
MkObj             Create a library object
PrintCollection   Print collection of objects
For convenience, labels are divided into the classes main and aux. The discriminating tacticals allow one to select either subgoals with a particular label or subgoals of one of these two classes.

8.2.4 Soft Abstractions

In most proofs tactics do not deal with basic expressions of NUPRL's logic but with user-defined concepts. Before applying generic tactics to these, the corresponding abstractions need to be unfolded first. To prevent unwanted unfolding of abstractions, tactics usually do not unfold abstractions unless they are designated as soft. Some tactics treat soft abstractions as being transparent, that is, they behave as if all soft abstractions had first been unfolded. In practice, those tactics only unfold soft abstractions when they need to and for the most part are careful not to leave unfolded soft abstractions in the subgoals that they generate. Specific tactics that unfold soft abstractions are MemCD, EqCD, NthHyp, NthDecl (Section 8.3.1), Eq (Section 8.3.3), Inclusion (Section 8.7), the forward and backward chaining tactics (Section 8.4), and the atomic rewrite conversions based on lemmata and hypotheses (Section 8.9.2).

Table 8.1 lists the most important soft abstractions in NUPRL's standard libraries. The logic abstractions and, or, implies, exists, all are made soft because the well-formedness rule for the underlying primitive term is simpler and more efficient than the well-formedness lemma would

3 In NUPRL 3 label
In principle this could be guaranteed by requiring that a proof may only depend on lemmata that, in some linear ordering of the library, occur before the proof that refers to them. While keeping a certain discipline in the development of formal theories certainly helps avoiding circular references, some dependencies are hidden in various reference variables and proof caches employed by some of the tactics. In previous releases of NUPRL this fact often led to major problems when theories were replayed. NUPRL now supports a dependency checking mechanism that adds a layer of indirection between references and their values and allows greater control over these values during the development of formal proofs.

A reference environment, often abbreviated as RefEnv or RE, is an index into a graph of possible values for a set of reference variables. All refinements are parameterized by a reference environment. Reference environments are generally associated with statement and proof objects via a reference environment property (see Sections 4.1.1 and 4.3.2.10). Code objects can also have a reference environment property to parameterize reference variables during evaluation of the code. The specification of a reference environment consists of
• an object identifier describing the index being defined,
• a list of reference environments to inherit from,
• a list of abstractions to add,
• a list of lemmas to add,
• a list of updates consisting of snippets of code tha
[Proof editor window showing the statement with an empty rule slot after BY.]

Actually, pressing C-M-g is not necessary when entering a statement for the first time, since it will be committed after the first execution of a proof tactic. However, subsequent modifications of the statement will not be committed without pressing C-M-g. Thus it is better to make using this key combination a habit.

11. To begin with the proof, press the down arrow key once or use the left mouse to move the edit point into the empty rule slot next to the BY.

[Proof window: ⊢ ∀A,B:ℙ. ¬A ∨ ¬B ⇒ ¬(A ∧ B)   BY]

The most common proof tactic is the single-step decomposition tactic D (see Chapter 8 for details). It requires as argument the index of the proof hypothesis to which it shall be applied, or a zero if it shall be applied to the conclusion. To enter this tactic, type D 0 C-↵. Pressing C-↵ when in a rule slot refines the goal at the current node with the corresponding tactic. In this synchronous mode you have to wait for the refinement process to be complete. Pressing C-M-↵ instead initializes asynchronous refinement, which allows you to continue working while the proof goal is being refined. Once a refinement is completed, the proof window gets updated and shows the subgoals that were generated by applying the tactic.

[Proof window for not_over_and: ⊢ ∀A,B:ℙ. ¬A ∨ ¬B ⇒ ¬(A ∧ B)   BY D 0, with the subgoal 1. A:ℙ ⊢ ∀B:ℙ. ¬A ∨ ¬B ⇒ ¬(A ∧ B)]

To prove the first subgoal pre
One can bypass the simultaneous recursion by using the list_ind operator to define a function on indices, which then is applied to i-1:

list_ind(l; λj. 0; hd, tl, jth_of_tl. λj. if j < 0 then hd else jth_of_tl (i-1) fi) (i-1)

[the] actual definition by executing the function add_rec_def_at with the third argument substituted by the location of the code object. This results in 5 additional objects: an abstraction, a display form, a statement object for the well-formedness theorem, a code object that updates the tactics for unfolding and folding definitions, and a recall object which allows removing all the newly created objects with the RmGroup button (Section 4.3.2.6). For example, entering listsel(l; i) and if i < 0 then hd(l) else listsel(tl(l); i-1) into the templates of the recursive definition object listsel_ml creates the objects shown on the right of Figure.

Recursive definitions can also be created with the command add_rec_def_at lhs rhs (inr (directory, position)), where lhs is the left hand side of the definition, rhs its right hand side, directory the object identifier of the directory in which the new object shall be placed, and position the name of the object after which the definition shall be inserted. Thus, to create the above five objects within the ML top loop one could type

add_rec_def_at listsel(l; i) if i < 0 then hd(l) else listsel(tl(l); i-1) (inr (ioid Obid kreitz, exists_uni_wf))

This command has to be run i
Section below.

1. If x is a variable bound by fun or letref, then x is ascribed the same type as its binding occurrence. In the case of letref this must be a monotype if the letref is top level or an assignment to x occurs within a lambda expression within its scope.
2. If x is bound by let or letrec, then x has ty, where ty is an instance of the type of the binding occurrence of x, i.e. the generic type of x in which type variables occurring in the types of current lambda-bound or letref-bound identifiers are not instantiated.
3. If x is not bound in the program (in which case it must be an ML primitive), then x has ty, where ty is an instance of the type of x given in Section B.6.

Patterns. Cases for a pattern p:
• ()  has ty, where ty is any type.
• p:ty  p and p:ty have an instance of ty.
• p1, p2  If p1 has ty1 and p2 has ty2, then p1, p2 has ty1 # ty2.
• p1 . p2  If p1 has ty, then p2 and p1 . p2 have ty list.
• [p1; ...; pn]  For some ty, each pi has ty and [p1; ...; pn] has ty list.

Expressions. Cases for an expression e, not a constant or identifier:
• e1 e2  If e2 has ty2 and e1 e2 has ty, then e1 has ty2 -> ty.
• e1:ty  e1 and e1:ty have an instance of ty.
• px e1  Treated as $px e1 when px is a prefix. If e is -e1, then e and e1 have int.
• e1 ix e2  Treated as $ix (e1, e2) if ix is introduced with ml_paired_infix and as $ix e1 e2 if ix is introduced by ml_curried_infix. If e is e1 & e2 or e1 or e2, then e, e1 and e2 have bool.
THEN SET POINT first sets the mark (an auxiliary cursor for marking regions, see Section 5.6.2) at the current position of the editor cursor and then sets the editor's cursor (the point) to where the mouse is pointing. MOUSE SET POINT results in a text cursor, if one is valid, between the character pointed to and the character to the immediate left. If there is a null-width term to the immediate left of the mouse, it results in a term cursor pointing to that term. Otherwise the editor cursor is set to the smallest term that contains the character being pointed to. MOUSE MARK THEN SET POINT TO TERM is like MOUSE MARK THEN SET POINT, except that point is always set to the term immediately surrounding the character being pointed to.

5.5.4 Search for Subterms

M-s   SET SEARCH MODE         initialize substring search
C-s   VIEW SEARCH FORWARDS    search forward
C-r   VIEW SEARCH BACKWARDS   search backward

SET SEARCH MODE initializes the search for a substring. It expects a substring to be entered and then sets the cursor to the next text or term slot that contains this substring. Thus a user has to enter M-s substring SPC to search for the first occurrence of substring. Currently substring cannot contain whitespace. As long as the editor is in search mode, VIEW SEARCH FORWARDS moves the cursor to the next slot containing substring; VIEW SEARCH BACKWARDS does the same, moving backwards.

5.6 Cutting and Pasting
The Reduce tactic can take an optional force argument. With force, Reduce c only reduces those redices with strength less than or equal to force. Details about defining abstract redices and setting the strength of redices can be found in Section 34. To reduce a specific subterm of a clause one may apply the tactic ReduceAtAddr address c, where address is a list of integers describing the exact address of the subterm in the term tree of clause c. Applying this rule is only recommended for advanced users who are very familiar with the term structure of NUPRL expressions.

ArithSimp c: Arithmetically simplify clause c. This creates a main subgoal with clause c rewritten in arithmetical canonical form and an aux subgoal stating the equivalence between the original clause and the rewritten one.

8.6.3 Substitution

NUPRL's logic contains a few rules for carrying out simple kinds of substitutions. These rules often generate fewer and easier-to-solve well-formedness goals than the rewrite package and are accessible through the tactics described here.

Subst eq c: If the term eq has the form t1 = t2 ∈ T, then replace all occurrences of t1 in clause c by t2. Three subgoals are generated: an equality subgoal to prove that t1 = t2 ∈ T, a main subgoal with the substitution carried out, and a wf subgoal to prove functionality of the clause (see the rule substitution in Section A.3.5).

HypSubst i c, RevHypSubst i c: Run the Subst tactic using the equalit
8.2 Introduction to Tactics  116
8.2.3 Proof Annotations  119
8.2.4 Soft Abstractions  120
8.2.5 Universal Formulas  121
8.3 Basic Tactics  122
8.3.2 Structural  124
8.3.4 Autotactics  127
8.4 Forward and Backward Chaining  128
8.6 Simple Rewriting  130
8.6.1 Folding and Unfolding Abstractions  130
8.6.4 Generic Rewrite Tactics  132
8.7 Miscellaneous Tactics  132
8.8 Tacticals  133
8.8.1 Basic Tacticals  134
8.8.2 Label Sensitive Tacticals  134
8.9.1 Introduction to Conversions  136
8.9.2 Atomic Conversions  141
8.9.4 Conversionals  144
8.9.5 Macro Conversions  145
a directory one moves the navigation pointer to the left. There are also Emacs-like key bindings to substitute for the arrow keys, and buttons for changing the number of visible objects or the screen size. Table 4.1 lists all the key bindings and buttons for moving through the navigator window and manipulating its size. Users may customize these bindings in their mykeys.macro file (see Chapter 3.2.2).

4.3.1.1 Viewing and Editing Objects

In order to view or edit an object, one moves the navigation pointer to it and then opens it using the right arrow or MIDDLE. If the object is not already being viewed, this will pop up a new window and open the appropriate editor: a proof editor (Chapter 6) is used on theorem objects, while the term editor (Chapter 5) is used for all other objects.

Abstractions and display forms of an abstract term can also be opened when an instance of the term is visible in a term editor. In this case one may click on the term with MIDDLE to view the display form and with RIGHT to view the abstraction. Alternatively, one may position the term cursor at the term and type C-X df or C-X ab respectively. Chapter 5.7 gives a detailed description of these term editor utilities.

Table 4.1 (fragment): key bindings and buttons for moving through the navigator window

Key / Button    Action
C-n             move navigation pointer one step down
C-1             move navigation pointer 5 steps down
C-M-C-v         move navigation pointer 10 steps down
(arrow button)  move navigation pointer one screen down
(arrow button)  move navigation p
access to certain parts of the library, to hide the abstract representation of data, and to present a consistent view of the library to the user.

In the user's work space, library objects are grouped into directories or theories. Every object has a unique name and belongs to exactly one theory, although it may be linked to from other theories, or by a different name within the same theory. Theories can be nested like Unix directories and may depend on each other; the dependencies of theories on one another form a partial order. Within each theory, objects are ordered linearly.

The NUPRL editor enables users to walk through the directory tree in a visual fashion and to initiate commands for browsing, searching, editing and structuring library contents through menu buttons. The editor does not execute these commands directly but sends requests to the library's application interface, which in turn performs the appropriate actions and sends an updated view of the client's work space back to the editor. For most practical purposes the distinction between the apparent external behavior of NUPRL and the internal operations that are performed to realize this effect is irrelevant. The subsequent expositions will therefore consider the library to be identical to the directory structure of objects that is presented on the screen.

4.2 Nuprl Windows

A complete NUPRL session (see Section 3.3) usually starts with five windows, shown in Figure 4.1
actual theory and going backward to the root of the directory tree.

- The Scroll position field shows the position of the navigation pointer within the current directory. When the edit point, which is marked by a thin vertical line, is in this field, the arrow keys on the keyboard can be used to move the pointer through the directory tree.

- The List Scroll field shows the total number of objects in the current theory, the position of the navigation pointer, and the number of visible objects. The latter is usually 10, or less if there are fewer than 10 objects in the directory, but it can be modified using the < and > buttons (Table 4.1).

The navigation zone in the lower part of the navigator window displays a linear segment of the library, one object per line. From left to right, each line contains:

- The object kind, described by a string of three or four characters: STM stands for statement objects, PRF for proof objects, INF for inference objects, ABS for abstractions, DISP for display forms, PRC for precedence objects, CODE for ML code, RULE for inference rules, COM for comments, DIR for directories, and TERM for objects of unspecified kind. Proof and inference objects are usually not listed in the directory but can be accessed only through the proof editor (Chapter 6.2).

- The object status, described by three characters, each either T or F. The first character describes whether the object has been activated and is T in most cas
added as information. Arithmetic property lemmata are identified by invoking the ML function add_arith_lemma lemma_name. SupInf is still under development and should be used with caution: when combined with type checking tactics it may get invoked unendingly on subgoals derived from ones that it created.

8.3.4 Autotactics

Autotactics are used primarily for typechecking and well-formedness goals. They should not be used for other non-trivial proof goals, as their behavior on such goals is somewhat unpredictable.

Trivial: Completely prove a goal by applying various steps of trivial reasoning. Trivial reasoning includes Hypothesis, Declaration, Contradiction and Eq. Trivial also proves goals of the form H ⊢ True, H, False ⊢ C, and H, Void ⊢ C.

Auto: Repeatedly apply the following tactics until no further progress is made: Trivial; GenExRepD; MemCD for non-recursive member conclusions and EqCD on reflexive equality conclusions; Arith; RepeatEqCDForArith; EqTypeCD if the conclusion is a ∈ T or a = b ∈ T and T is a subset of Z. Auto and its variants frequently encounter the same goals over and over again, so solved proof goals are cached.

Common variants of Auto are

- StrongAuto, which also tries MemCD and EqCD on recursive primitive terms,
- SIAuto, which also tries using the SupInf tactic, and
- a further variant of Auto which uses SupInf instead of Arith.

The condition that A must be equal to some hypothesis is too strict and may
all the objects of the dumped theory and place it at the same location in the user's work space. If the theory already exists, the objects of the dumped theory will be added to the theory directory. Objects will not be overwritten in case of name clashes: the existing theory object will be renamed if its content is different from the new theory object. If the two objects are identical, the new object will be ignored.

4.3.3.8 Printing Theories

To print the contents of an entire theory, a user may click either the PrintThyShort or the PrintThyLong command button. This will create a print representation of the objects in the theory at the navigation pointer and write it into a file nuprlprint/name.prl or nuprlprint/name_long.prl, where name is the name of the theory. It will also create a LaTeX presentation of the theory and write it to nuprlprint/name.tex or nuprlprint/name_long.tex.

PrintThyShort provides a less detailed presentation of the theory, which omits the proofs of a theorem and only includes the extract term if a theorem is complete. In contrast to that, PrintThyLong adds the complete proof to the presentation of a theorem. Users who are only interested in a listing of all the object names in a theory may obtain one by clicking the PrintObjx button (Section 4.3.2.12).

Theories can also be printed by typing the command short_print_theory theory_object or print_theory theory_object into the editor ML top loop, where theory_object is the object identifier of the
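The clash handling described above for loading a dumped theory (never overwrite; rename the existing object when contents differ; ignore the new object when they are identical) is easy to get wrong, so here it is as an added example in Rust. It is not code from NUPRL: the theory is modelled as a map from object name to content, objects carry only a name and content, and the rename scheme for the moved-aside object (name_1, name_2, ...) is an assumption of the example, not the one NUPRL uses.

```rust
use std::collections::BTreeMap;

/// A library object as the load procedure sees it. Real NUPRL objects also
/// carry a kind, status and properties; those are omitted in this example.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Obj {
    pub name: String,
    pub content: String,
}

/// What happened to each object of the dumped theory.
#[derive(Debug, PartialEq, Eq)]
pub enum Outcome {
    Added,           // no object of that name existed
    Ignored,         // an identical object was already present
    Renamed(String), // existing, different object was moved aside under this name
}

/// Pick an unused name for the object that is moved aside (assumed scheme).
fn fresh_name(theory: &BTreeMap<String, String>, base: &str) -> String {
    (1..)
        .map(|i| format!("{}_{}", base, i))
        .find(|n| !theory.contains_key(n))
        .expect("the search over suffixes is unbounded")
}

/// Add the objects of `dumped` to `theory` following the rules in the text.
/// Nothing already in `theory` is ever overwritten or lost.
pub fn load_theory(theory: &mut BTreeMap<String, String>, dumped: &[Obj]) -> Vec<(String, Outcome)> {
    let mut log = Vec::new();
    for obj in dumped {
        // Some(true): identical object present, Some(false): clash, None: free name.
        let clash = theory.get(&obj.name).map(|existing| *existing == obj.content);
        let outcome = match clash {
            None => {
                theory.insert(obj.name.clone(), obj.content.clone());
                Outcome::Added
            }
            Some(true) => Outcome::Ignored,
            Some(false) => {
                let old = theory.remove(&obj.name).expect("clash implies presence");
                let new_name = fresh_name(theory, &obj.name);
                theory.insert(new_name.clone(), old);
                theory.insert(obj.name.clone(), obj.content.clone());
                Outcome::Renamed(new_name)
            }
        };
        log.push((obj.name.clone(), outcome));
    }
    log
}

fn main() {
    // Constructed sample: a work-space theory and a dumped theory overlapping it.
    let mut theory: BTreeMap<String, String> = BTreeMap::new();
    theory.insert("lemma1".into(), "old proof".into());
    theory.insert("lemma2".into(), "same".into());
    let dumped = vec![
        Obj { name: "lemma1".into(), content: "new proof".into() },
        Obj { name: "lemma2".into(), content: "same".into() },
        Obj { name: "lemma3".into(), content: "fresh".into() },
    ];
    for (name, outcome) in load_theory(&mut theory, &dumped) {
        println!("{}: {:?}", name, outcome);
    }
}
```

The log returned by load_theory is what a user would want to inspect after a load, since a renamed object silently changes which proof the original name now refers to.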
and finds shortest paths in the graph. It can also handle strict order relations and relations with differing strengths.

RelRST uses the same database on relations and some of the same lemmata as the rewrite package (see Section 8.6). In addition it relies on library lemmata of the following forms, where x and y range over a type T and S is the subset of T on which the relations are defined:

- Irreflexivity lemmata, which should be named opid_lt_irreflexivity and have the form
  ∀x:T. x ∈ S ⇒ ¬(x < x)

- Antisymmetry lemmata, which should be named opid_le_antisymmetry and have the form
  ∀x,y:T. x ∈ S ⇒ y ∈ S ⇒ x ≤ y ⇒ y ≤ x ⇒ x = y ∈ S

- Complementing lemmata, which should be named opid_le_complement and have the form
  ∀x,y:T. x ∈ S ⇒ y ∈ S ⇒ (¬(x ≤ y) ⇔ y < x)
  or be named opid_lt_complement and have the form
  ∀x,y:T. x ∈ S ⇒ y ∈ S ⇒ (¬(x < y) ⇔ y ≤ x)

where opid_lt and opid_le are the operator identifiers of the relations < and ≤.

RelRST generalizes the equality decision procedure used in previous versions of NUPRL, which could only handle such reasoning with the equality relation. Examples of its use can be found in the theory of integer divisibility within the theory num_thy_1.

8.3.3.3 Integer arithmetic

Arith: Prove goals of the form H ⊢ C₁ ∨ ... ∨ Cₙ by a restricted form of arithmetic reasoning. Each Cᵢ must be an arithmetic relation over the integers, built from <, ≤, >, ≥, equality in Z, and negation. Arith knows about the ring axioms for integer multiplication and addition, the total order axiom
ay by less_thanMember

Basic Inference Rule (with required arguments)    Corresponding Tactic (with optional tacticals)
less_thanEquality                                 EqCD
less_thanFormation
less_thanMember                                   EqCD

A.3.10 Lists

H ⊢ U_j ext T list    by listFormation
   H ⊢ U_j ext T

H ⊢ T list = T' list ∈ U_j    by listEquality
   H ⊢ T = T' ∈ U_j

H ⊢ [] = [] ∈ T list    by nilEquality j
   H ⊢ T ∈ U_j

H ⊢ T list ext []    by nilFormation j
   H ⊢ T ∈ U_j

H ⊢ t.l = t'.l' ∈ T list    by consEquality
   H ⊢ t = t' ∈ T
   H ⊢ l = l' ∈ T list

H ⊢ T list ext t.l    by consFormation
   H ⊢ T ext t
   H ⊢ T list ext l

H ⊢ list_ind(s; base; x,l,f.t) = list_ind(s'; base'; x,l,f.t') ∈ T[s/z]    by list_indEquality z.T S list x l f
   H ⊢ s = s' ∈ S list
   H ⊢ base = base' ∈ T[[]/z]
   H, x:S, l:S list, f:T[l/z] ⊢ t = t' ∈ T[x.l/z]

H, z:T list, A ⊢ C ext list_ind(z; base; x,l,f.t)    by listElimination i
   H, z:T list, A ⊢ C[[]/z] ext base
   H, z:T list, A, x:T, l:T list, f:C[l/z] ⊢ C[x.l/z] ext t

H ⊢ list_ind([]; base; x,l,f.t) = t' ∈ T    by list_indReduceBase
   H ⊢ base = t' ∈ T

H ⊢ list_ind(s.u; base; x,l,f.t) = t' ∈ T    by list_indReduceUp
   H ⊢ t[s, u, list_ind(u; base; x,l,f.t) / x, l, f] = t' ∈ T

Basic Inference Rule (with required arguments)    Corresponding Tactic (with optional tacticals)
listFormation
listEquality                                      EqCD
nilE
below the subgoal as long as it fits into the window. If a proof is too large to be shown, the editor will only display its top-level tactic and indicate that its subgoals are hidden. In this case users have to move into the corresponding node to see further details or to continue editing the proof.

Sometimes the proof window is too short to display all of the goal, rule and subgoals. In this case the cursor motion commands described in Section 6.2.2 will automatically scroll the window. One can, of course, also resize the window.

6.2.2 Proof Motion Commands

The keyboard commands for navigating through a proof tree are summarized in the table below. In addition to these, most of the motion commands for terms described in Section 5.5 can be used for navigating through the term tree of a proof window.

Key      Action
←        move to sibling to immediate left
→        move to sibling to immediate right
M-a      move to left-most sibling
M-e      move to right-most sibling
↑        move up to parent node
↓        move down to selected subgoal
M-z      zoom in on current node
C-t      move up to top of proof
C-M-j    jump to next unrefined node

In contrast to previous releases, NUPRL 5 only uses arrow keys for proof tree navigation. The Emacs-like keyboard and mouse commands used in NUPRL 4 are now captured by the term editor, which has priority over the proof editor, and are thus reserved for navigating through the term tree of the proof window as described in Section 5.5.2.
completed command. Pressing the same key again then executes the command.

- The tabulator key (TAB) usually cancels a command.
- The space key (SPC) moves the cursor back into the navigation zone but leaves the template open. This is helpful for moving objects or linking objects in different theories.
- As SPC is used for the above action, blanks are inserted into a text slot by pressing S-SPC.
- One C- key sequence is used to undo an operation on a fairly fine level; another C- key sequence is used to redo an undone operation.
- Pressing the left mouse button (LEFT) usually sets the point to that location. Pressing LEFT while over a menu command button executes the corresponding command.
- Pressing the middle mouse button (MIDDLE) usually raises the display form of a term or the code object containing the definition of an ML function. Within the navigation zone it opens the corresponding object.
- Pressing the right mouse button (RIGHT) raises the abstraction of an object if there is one.

These bindings are also valid in many other editing contexts.

4.3.1 Browsing the Library

To browse the library, a user may move a navigation pointer through the current directory by using the arrow keys, the mouse, or by clicking on one of the arrow buttons. To move into a directory, or to open an object for editing, one uses the right arrow key or middle-clicks on it with the mouse; to move out of
containing itself.

- SetRefenvx sets the reference environment register to the current object.
- ProveRR attempts to replay the proof of the statement at the navigation pointer using the reference environment register instead of the object's reference environment. It allows a user to make a copy of a proof experiment without modifying the original proof. The proof will be attempted asynchronously, so the command returns immediately. When it finishes, it pops up a window containing the object identifier of the proof generated. Clicking on the object identifier with MIDDLE pops up the proof. Note that the new proof is not linked to the statement. It will remain unlinked if the proof is closed with C-q. If instead one uses C-z to exit, the proof will be prepended to the statement's proof list (see Chapter 6).
- SetInObj sets the reference environment register to the reference environment property of the first proof of the statement at the navigation pointer.

The above commands can also be executed by typing Show_refenv_register, Set_refenv_register_sibling term, Set_refenv_register_using term, Set_refenv_register term, _prove_using_refenv_register term, or Set_re_in_first_prf term into the editor ML top loop, where term is a term describing the directory and the position of the current object.

4.3.3.6 Checking Theories

Although the NUPRL proof environment guarantees that proofs are correct
does nothing. SELECT DFORM OPTION selects an alternative display form for the term where the term cursor is positioned. For instance, if the term cursor is positioned at an independent function type, it selects the more general dependent function display form.

5.4.4 Adding New Terms

The term editor recognizes certain input sequences as indicating that a new term should be created. A new term structure can be created as follows:

- Position a term cursor at an empty slot and enter the letters of the new term's opid.
- Enter a possibly empty list of parameter types for the new term (see Section A.1.2), abbreviated by single letters. The list has to be delimited by { and } characters and elements must be separated by , characters. Empty lists of parameter types are optional.
- Enter a list of subterm arities, i.e. numbers designating the number of binding variables for each subterm. The list must be delimited by ( and ) characters and elements must be separated by , characters. This list has to be entered even when it is empty.

Upon receiving the opid, the list of parameter types and the list of subterm arities, the editor creates a new term in uniform syntax with appropriate place holders for parameters and subterms. For instance, entering myid{n,t}(0,1) creates the term myid{natural:n,token:t}(term;binding.term).

5.4.5 Exploded Terms

Exploded terms provide access to the internal structure of a ter
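To make the three-step input sequence above concrete, here is an added example in Rust (not code from the NUPRL term editor) that parses an input sequence of the form opid{param types}(arities) and renders the uniform-syntax term with place holders. It enforces the two rules the text states: the parameter list is optional, the arity list is mandatory even when empty. The letters n and t and their expansions come from the example in the text; the letters s and v, the place holder words and the exact error handling are assumptions of this example.

```rust
/// Single-letter parameter-type abbreviations. `n` and `t` are from the text;
/// `s` and `v` are assumed for this example.
fn param_type(c: char) -> Option<&'static str> {
    match c {
        'n' => Some("natural"),
        't' => Some("token"),
        's' => Some("string"),   // assumed
        'v' => Some("variable"), // assumed
        _ => None,
    }
}

/// Parse `opid{p,q}(a,b,...)` and build the uniform-syntax term with place
/// holders: a parameter slot `type:letter` per parameter type, and for a
/// subterm of arity k the slot `binding.` repeated k times followed by `term`.
/// Malformed input is rejected rather than guessed at.
pub fn new_term(input: &str) -> Result<String, String> {
    let input = input.trim();
    // The opid ends where the first delimiter starts.
    let opid_end = input
        .find(|c: char| c == '{' || c == '(')
        .ok_or("missing subterm arity list")?;
    let opid = &input[..opid_end];
    if opid.is_empty() || !opid.chars().all(|c| c.is_ascii_alphanumeric() || c == '_') {
        return Err(format!("bad opid {:?}", opid));
    }
    let mut rest = &input[opid_end..];

    // Optional `{...}` list of single-letter parameter types.
    let mut params: Vec<String> = Vec::new();
    if rest.starts_with('{') {
        let close = rest.find('}').ok_or("unterminated parameter type list")?;
        let body = &rest[1..close];
        if !body.is_empty() {
            for item in body.split(',') {
                let mut chars = item.trim().chars();
                match (chars.next(), chars.next()) {
                    (Some(c), None) => match param_type(c) {
                        Some(ty) => params.push(format!("{}:{}", ty, c)),
                        None => return Err(format!("unknown parameter type {:?}", c)),
                    },
                    _ => return Err(format!("parameter type must be one letter: {:?}", item)),
                }
            }
        }
        rest = &rest[close + 1..];
    }

    // Mandatory `(...)` list of subterm arities, possibly empty.
    if !rest.starts_with('(') || !rest.ends_with(')') || rest.len() < 2 {
        return Err("subterm arity list must be present, even if empty".into());
    }
    let body = &rest[1..rest.len() - 1];
    let mut subterms: Vec<String> = Vec::new();
    if !body.is_empty() {
        for item in body.split(',') {
            let arity: usize = item
                .trim()
                .parse()
                .map_err(|_| format!("bad subterm arity {:?}", item))?;
            let mut slot = vec!["binding"; arity];
            slot.push("term");
            subterms.push(slot.join("."));
        }
    }

    let mut out = opid.to_string();
    if !params.is_empty() {
        out.push('{');
        out.push_str(&params.join(","));
        out.push('}');
    }
    out.push('(');
    out.push_str(&subterms.join(";"));
    out.push(')');
    Ok(out)
}

fn main() {
    // Constructed inputs: the text's example, an empty arity list, and two errors.
    for input in ["myid{n,t}(0,1)", "pair()", "myid{n,t}", "myid{q}(0)"] {
        println!("{:<16} -> {:?}", input, new_term(input));
    }
}
```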
- e ::= e1 ; e2  If e1 has ty1 and e2 has ty2 then e has ty2.
- e ::= e1 ? e2  For some ty, e1, e2 and e all have ty.
- e ::= failwith e1  e1 has tok and e has any type.
- e ::= if e1 then e2 [else e3]  e1 has bool, and e2, e3 and e all have ty for some ty. However, this constraint does not apply to an e2 preceded by loop in place of then, nor to an e3 preceded by loop in place of else. If the else part is absent then ty is void.
- e ::= e1 ?? e1' e2 ?? e2' ... en  Each ei' has tok list and e1, e2, ..., en and e all have ty for some ty. However, this constraint does not apply to an ei preceded by !! in place of ??. If \x is present, x has tok.
- e ::= (e1 ; ... ; en)  If en has ty then e has ty.
- e ::= [e1 ; ... ; en]  For some ty, each ei has ty and e has ty list.
- e ::= d in e1  If e1 has ty then e has ty. If d is a type definition (see Sections B.5.5 and following) then ty must contain no type defined in d.
- e ::= \p. e1  If p has ty1 and e1 has ty2 then e has ty1 -> ty2.

Declarations

1. Each binding x p1 ... pn = e is treated as x = \p1 ... pn. e.
2. let p1 = e1 and ... and pn = en is treated as let (p1, ..., pn) = (e1, ..., en); similarly for letrec and letref.
3. If d is let p = e then d, p and e all have ty for some ty; similarly for letref. Note that e is not in the scope of the declaration.
4. If d is letrec x1 = e1 and ... and xn = en then xi and ei have tyi, and d has ty1 # ... # tyn, for some ty1, ..., tyn. In addition each free occurre
- Loading more or different tactics.

Currently these initializations can only be run after starting up the pre-prepared disksaves for the NUPRL 5 library, editor or refiner. You probably will want to put all your initialization commands into a Lisp file that is automatically loaded whenever a disksave is started up.

Note that NUPRL runs in the nuprl package. All symbols entered in Lisp will be interpreted relative to this package. The package inherits all the symbols of Common Lisp but does not contain the various implementation-specific utilities found in the package user or common-lisp-user. To refer to these other symbols, either change packages using (in-package "USER") or explicitly qualify the symbols with a package prefix. If you change packages you can change back to the NUPRL package using (in-package "NUPRL").

The key bindings for the navigator and the term and proof editors can be altered by creating your own key macro files. The NUPRL 5 editor will look for a file mykeys.macro to determine any user-defined key bindings.

Chapter 4: The Navigator and the Top Loops

The navigator and the interactive ML top loops provide interfaces to the library, the editor and the refiners. The main interface to the library is the NUPRL 5 navigator. It enables the user to

1. browse and search through the library,
2. create, delete and rename library objects of various kinds,
3. arrange objects in folders and theories,
4. edit library objects
e evaluates to that function which, when applied to some argument, yields the result of evaluating e in the current (i.e. application-time) store and in the environment obtained from the definition environment by binding any variables in p to the corresponding components of the argument (see Section B.4.1).

B.4.1.1.2 Compound lambda expressions

A lambda expression with more than one parameter is curried, i.e. \p1 p2 ... pn. e is equivalent to \p1. \p2. ... \pn. e.

Thus the free variables in a function keep the same binding they had in the definition environment. So if a free variable is non-assignable in that environment then its value is fixed to the value it has there. On the other hand, if a free variable is assignable in the definition environment then it will be bound to a location. Although that binding is fixed, the contents of the location in the store is not, and can be subsequently changed with assignments.

B.5 ML Types

So far little mention has been made of types. For ML in its original role as the meta-language for proof in LCF, the importance of strict type checking was principally to ensure that every computed value of the type representing theorems was indeed a theorem. The same effect could probably have been achieved by run-time type checking, but compile-time type checking was adopted instead in the design of ML. This was partly for the considerable debugging aid that it provides, partly for efficient execution and pa
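The guarantee described above, that every value of the theorem type is a theorem, is a property of the type system rather than of any run-time check, and the following added example shows it in Rust, standing in for ML's abstract types with module privacy. This is not code from the NUPRL manual or from ML: the logic (implication over named atoms), the three rules, and the derived rule are assumptions chosen to keep the example small. Because Thm has private fields and no public constructor, code outside the kernel module can only obtain a Thm by applying the rules, and an ill-formed application of mp fails (as failwith would in ML) instead of producing a theorem.

```rust
/// Formulas of the object logic: atoms and implication.
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum Prop {
    Atom(String),
    Imp(Box<Prop>, Box<Prop>),
}

pub fn atom(s: &str) -> Prop {
    Prop::Atom(s.to_string())
}

pub fn imp(a: Prop, b: Prop) -> Prop {
    Prop::Imp(Box::new(a), Box::new(b))
}

/// The trusted kernel. Everything that can build a `Thm` lives here and is
/// one of the inference rules; nothing outside can write `Thm { .. }`.
pub mod kernel {
    use super::Prop;

    /// A sequent `hyps ⊢ concl`, derivable by construction.
    #[derive(Clone, Debug, PartialEq, Eq)]
    pub struct Thm {
        hyps: Vec<Prop>,
        concl: Prop,
    }

    impl Thm {
        pub fn hyps(&self) -> &[Prop] {
            &self.hyps
        }
        pub fn concl(&self) -> &Prop {
            &self.concl
        }
    }

    /// Assumption rule: `p ⊢ p`.
    pub fn assume(p: Prop) -> Thm {
        Thm { hyps: vec![p.clone()], concl: p }
    }

    /// Implication introduction: from `H ⊢ q` derive `H \ {p} ⊢ p ⇒ q`.
    pub fn imp_intro(p: Prop, th: &Thm) -> Thm {
        let hyps: Vec<Prop> = th.hyps.iter().filter(|h| **h != p).cloned().collect();
        Thm { hyps, concl: Prop::Imp(Box::new(p), Box::new(th.concl.clone())) }
    }

    /// Modus ponens: from `H1 ⊢ p ⇒ q` and `H2 ⊢ p` derive `H1 ∪ H2 ⊢ q`.
    /// Any other pair of theorems is rejected, so a wrong application can
    /// never yield a `Thm`.
    pub fn mp(th1: &Thm, th2: &Thm) -> Result<Thm, String> {
        match &th1.concl {
            Prop::Imp(p, q) if **p == th2.concl => {
                let mut hyps = th1.hyps.clone();
                for h in &th2.hyps {
                    if !hyps.contains(h) {
                        hyps.push(h.clone());
                    }
                }
                Ok(Thm { hyps, concl: (**q).clone() })
            }
            _ => Err("mp: first theorem is not an implication whose antecedent is the second".to_string()),
        }
    }
}

/// A derived rule outside the kernel: it can only chain kernel rules.
/// Proves `⊢ p ⇒ ((p ⇒ q) ⇒ q)`.
pub fn prove_mp_law(p: Prop, q: Prop) -> kernel::Thm {
    let a = kernel::assume(p.clone());                       // p ⊢ p
    let b = kernel::assume(imp(p.clone(), q.clone()));       // p ⇒ q ⊢ p ⇒ q
    let c = kernel::mp(&b, &a).expect("shapes match by construction"); // p ⇒ q, p ⊢ q
    let d = kernel::imp_intro(imp(p.clone(), q), &c);        // p ⊢ (p ⇒ q) ⇒ q
    kernel::imp_intro(p, &d)                                 // ⊢ p ⇒ ((p ⇒ q) ⇒ q)
}

fn main() {
    let th = prove_mp_law(atom("A"), atom("B"));
    println!("hyps = {:?}, concl = {:?}", th.hyps(), th.concl());
    // A misuse of mp is a failure, not a theorem.
    println!("{:?}", kernel::mp(&kernel::assume(atom("A")), &kernel::assume(atom("B"))));
}
```

Try adding `let forged = kernel::Thm { .. }` outside the module: it does not compile, which is exactly the static check the text credits to ML's type discipline.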
ext t    by rename y x i
   ... ⊢ C[x/y] ext t

Basic Inference Rule (with required arguments)    Corresponding Tactic (with optional tacticals)
hypothesis i                                      Hypothesis, NthHyp i
thin i                                            Thin i
cut i T                                           Assert T, AssertDeclAtHyp i T x
introduction t                                    UseWitness t
hyp_replacement i S j                             SubstClause S i
lemma theorem_name                                Lemma theorem_name
extract theorem_name
instantiate
rename y x                                        RenameVar y i
because                                           Fiat

(y is the variable declared in hypothesis i.)

Appendix B: Introduction to NUPRL ML

Whenever NUPRL is fired up, several ML top loops are created. Running in these windows is an ML interpreter that is embedded into the library, editor or refiner process. Whenever one has the ML prompt, one can type an ML expression, terminate it with ;; and press RETURN. ML will evaluate the expression and print its value and type.

One's primary interaction with NUPRL 5 is through the navigator and the windows opened by it. However, advanced users will find it necessary to interact with the NUPRL 5 processes for examining parts of NUPRL objects or customizing the behavior of NUPRL 5. In particular, all NUPRL tactics are written in ML, as are a variety of utility functions. The tactics are documented in Chapter 8. The utility functions are described throughout this chapter.

B.1 The History of ML

Several versions of the programming language ML have appe
(f o g) x = f (g x)

ml_paired_infix `o`;;
let (f o g) x = f (g x);;

ml_paired_infix `Co`;;
let (f Co g) x y = f (g y) x;;

The following two functions convert between curried and uncurried versions of a binary function.

curry : ((* # **) -> ***) -> (* -> ** -> ***)
uncurry : (* -> ** -> ***) -> ((* # **) -> ***)

Description: curry f x y = f (x, y); uncurry f (x, y) = f x y.

Definition:
   let curry f x y = f (x, y);;
   let uncurry f (x, y) = f x y;;

The next function tests for failure.

can : (* -> **) -> * -> bool

Description: can f x evaluates to true if the application of f to x succeeds; it evaluates to false if the evaluation fails.

Definition:
   let can f x = (f x; true) ? false;;

The next function iterates a function a fixed number of times.

funpow : int -> (* -> *) -> * -> *

Description: funpow n f x applies f to x n times: funpow n f x = f (f (... (f x) ...)).

Definition:
   letrec funpow n f x = if n = 0 then x else funpow (n - 1) f (f x);;

B.7.2 Miscellaneous list processing functions

The function length computes the length of a list.

length : * list -> int

Description: length [x1; ...; xn] = n.

Definition:
   letrec length = fun [] . 0 | (_ . l) . 1 + length l;;

The function append concatenates lists (@ is an uncurried and infixed version of append).

append : * list -> * list -> * list

Description: append [x1; ...; xn] [y1; ...; ym] = [x1; ...; xn; y1; ...; ym]
remove p l returns the first element of l that satisfies the predicate p, paired with l with that element removed; it fails if no element satisfies the predicate. partition p l returns a pair of lists: the first list contains the elements of l which satisfy p, the second list contains all the other elements of l. chop_list i [x1; ...; xn] = ([x1; ...; xi], [x(i+1); ...; xn]); chop_list fails if i is negative or greater than n.

Definition:
   letrec remove p l =
      if p (hd l) then (hd l, tl l)
      else let (h, r) = remove p (tl l) in (h, hd l . r);;

   let partition p l =
      itlist (\a (yes, no). if p a then (a . yes, no) else (yes, a . no)) l ([], []);;

   letrec chop_list i l =
      if i = 0 then ([], l)
      else (let (l1, l2) = chop_list (i - 1) (tl l) in (hd l . l1, l2))
           ? failwith `chop_list`;;

The next function flattens a list of lists.

flat : * list list -> * list

Description: flat [[x11; ...; x1m]; ...; [xn1; ...; xnk]] = [x11; ...; x1m; ...; xn1; ...; xnk].

Definition:
   letrec flat = fun [] . [] | (x . l) . x @ flat l;;

The next two functions zip and unzip between lists of pairs and pairs of lists.

combine : (* list # ** list) -> (* # **) list
split : (* # **) list -> (* list # ** list)

Description: combine ([x1; ...; xn], [y1; ...; yn]) = [(x1, y1); ...; (xn, yn)]; split [(x1, y1); ...; (xn, yn)] = ([x1; ...; xn], [y1; ...; yn]).

Definition:
   letrec combine = fun ([], []) . []
                     | ((x . lx), (y . ly)) . (x, y) . combine (lx, ly)
                     | _ . failwith `combine`;;

   letrec split = fun [] . ([], [])
                   | ((x, y) . l) . let (lx, ly) = split l in (x . lx, y . ly);;

B.7.6 Functions for lists repre
identifiers the user is free to rebind them by let, letref etc., but note that in the case of infix or prefix operators, rebinding the dollared operator will affect even its non-dollared uses. Predeclared bindings are to be understood as if they had been bound by let rather than by letref. In particular, therefore, none of them can be changed by assignment, except of course within the scope of a rebinding of the identifier by a letref declaration.

B.6.1 Predeclared ordinary identifiers

fst : (* # **) -> *              snd : (* # **) -> **
inl : * -> (* + **)              inr : ** -> (* + **)
null : * list -> bool            outl : (* + **) -> *
hd : * list -> *                 outr : (* + **) -> **
tl : * list -> * list            isl : (* + **) -> bool

The functions hd and tl fail if their argument is an empty list. The functions outl and outr fail if their arguments are not in the left or right summand respectively. A function isr is not provided because it is just the complement of isl.

explode : tok -> tok list
implode : tok list -> tok

The function explode maps a token into the list of its single-character tokens, in order. The function implode maps a list of single-character tokens (it fails if any token is not of length one) into the token obtained by concatenating these characters. For example:

   explode `whosit` = [`w`; `h`; `o`; `s`; `i`; `t`] : tok list
   implode [`c`; `a`; `t`] = `cat` : tok
in the summer of 1984, Philippe Le Chenadec from INRIA implemented an interface with the Yacc parser generator system for the versions of ML running under Unix. This permits the user to associate a concrete syntax with a concrete type.

The ML language is still under design. An extended language was implemented on the VAX by Luca Cardelli in 1981. It was then decided to completely re-design the language in order to accommodate, in particular, the call-by-pattern feature of the language HOPE designed by Rod Burstall and David MacQueen. A committee of researchers from the Universities of Edinburgh and Cambridge, the Bell Laboratories and INRIA, headed by Robin Milner, is currently working on the new extended language called Standard ML. Progress reports appear in the Polymorphism Newsletter edited by Luca Cardelli and David MacQueen from Bell Laboratories. The design of a core language is now frozen and its description will appear in a forthcoming report of the University of Edinburgh as "The Standard ML Core Language" by Robin Milner.

This handbook is a manual for ML version 6.1, released in December 1984. The language is somewhere in between the original ML from LCF and Standard ML, since Guy Cousineau added the constructors and call-by-patterns. This is a LISP-based implementation compatible with Maclisp on Multics, Franzlisp on VAX under Unix, Zetalisp on Symbolics 3600, and Le_Lisp on 68000, VAX, Multics, Perkin Elmer, etc. Video interfaces hav
in the collector from the current navigator directory.
- InsertCollectorIntoDir adds the object identifiers in the collector to the current navigator directory.
- Undo undoes the last Insert or Delete operation.

Although all obid collector commands could also be issued from the editor ML top loop, it is not advisable to do so.

Printing Object Collections

Users may print the objects in a collection by clicking the PrintCollection button when the navigation pointer is at a collector object. This will create a print representation of the objects listed in the collector and write it into a file nuprlprint/collector_name.prl, and a LaTeX presentation, which will be written to the file nuprlprint/collector_name.tex. The objects are printed in the order in which they were added to the collector, i.e. in the reverse order of the object identifier list in the collector object. Collections may also be printed by typing the command print_collection object into the editor ML top loop, where object is the object identifier of the collector.

4.3.4.2 Milling

NUPRL provides a framework for developing tools for importing and migrating data from external libraries into NUPRL's data repository. This utility can be used for a wide variety of tasks, such as searching for objects that contain a specified combination of object identifiers, or for objects that have been modified within a given time specification. It is initiated by milling a theory. Cl
key bindings are intended to be reminiscent of Emacs's key bindings. A summary of all the key bindings that we will describe below can be found in the table at the end of this chapter. Users who wish to use alternative key bindings may customize the term editor as described later in this chapter.

The editor adjusts the display of an object in a window to the size of the window. If the window is too small, not all of the object can be displayed at once. In this event one can resize the window or scroll the window up and down. Sometimes, if the window is too narrow, some subterms are elided: the display form tree for an elided subterm is replaced by a place holder. Currently the only way to un-elide a subterm is to widen the window as much as possible. Eventually one will be able to examine elided subterms by moving the root display form of an editor window to some term tree position other than the term root.

Term editor windows are opened when a user accesses a library object through the navigator. Opening a proof object opens a proof editor window, which in turn opens a term slot for entering the goal sequent and text slots for entering refinement rules (see Chapter 6 for details).

To close and change term editor windows one may use the following commands and key sequences:

C-Z    EXIT              save, check and close window
C-Q    QUIT              close window without saving
C-J    JUMP NEXT WINDOW  jump to next window

EXIT first saves a copy of the o
keyboard macro C-M-r st (step refinement) emulates the behavior of previous NUPRL releases, which is meaningful if reusing the previous proof would be time-consuming and of little use for the new proof.

Often users want to rearrange a proof in a way that each refinement step corresponds to an argument a human would make. Usually this means assembling several refinement steps into one and adding a comment that describes the logical meaning of that step. NUPRL offers some support for this technique. Pressing C-M-r kr will collect all the inference steps of the proof tree starting at the current node into a single refinement step. This step consists of a tactic that combines the individual steps using the tacticals THEN and THENL. The window on the right below shows the result of applying this command to the proof on the left. Extensions of this command, like accumulating only a certain number of steps or inserting comments, will be added in the future.

(Proof windows not reproduced legibly here: the left window shows the original proof with separate refinement steps BY D 0, BY D 3 THEN Auto and BY Auto; the right window shows the same proof collected into the single step BY D 0 THENL [D 3 THEN Auto; Auto].)

Pressing C-M-r dk turns a kreitzed proof back into its original form. It has no effect on refinements that were not previously generated by C-M-r kr. At some time in the past the name "kreitzing" was introduced for this technique; for lack
lib lib_mnemonic closes the connection to the library environment lib_mnemonic.

The difference between the commands dc / dd and open_lib / close_lib is that the former establish the low-level TCP/IP connection to the library's object request broker, while the latter link to a client work space provided by the library (see Section 4.1). The above commands are implicitly executed when the editor and refiner processes are started, using the data contained in the user's nuprl config file (see Section 3.2.2).

- Library commands

  nosa socket opens a connection to a client using the indicated socket number.

  library_open lib_mnemonic opens the library environment lib_mnemonic for external connections. Usually one opens the library environment that was stored the last time the library was closed, but there may be reasons to re-open older library environments.

  library_open_as lib_mnemonic new_mnemonic opens the library environment lib_mnemonic under the alias new_mnemonic.

  library_close libenv closes the library environment libenv.

  library_close_gc libenv closes the library environment libenv, performing garbage collection first. Unlinked library objects will not be included in the stored environment. Note, however, that they will not be removed from the data base and may be recovered by opening an older environment; closing with garbage collection is therefore not a way to erase an object.

  db_envs_print mnemonic match prints a list of all e
objects have static reference environments. This mode, however, is only needed to maintain older theories that have not yet migrated to be minimal or ephemeral. It will be phased out in the future.

When a theory is created with MkTHY, an initial static reference environment is created and the theory will be open and ephemeral until it is explicitly closed. The following command buttons can be used to change the mode of a theory:

- CloseThy closes a theory by creating a final reference environment, named RE_final followed by the theory name, which summarizes the contents of the theory.
- OpenThy opens or re-opens a theory by rebuilding its initial reference environment and resetting its ephemeral reference environment property.
- MinTHY will make a theory relative minimal and modify the available command buttons for the theory.
- EphTHY will make a theory ephemeral by rechaining ephemeral reference environments, and modify the buttons for the theory.
- ExTHY will make a theory explicit and modify the available command buttons for the theory.

The above commands can also be executed by typing close_theory theory, open_theory theory, Set_theory_relative_minimal theory, Set_theory_ephemeral theory or Set_theory_explicit theory into the library ML top loop, where theory is the object identifier of the current theory.

4.3.3.4 Examining and Modifying Reference Environments

To examine the current set of reference environments one has to click the
74. occurrences of these identifiers in the declaration are ascribed instances of their generic types. Other constraints which the type checker will use to determine the type of map are:
• All occurrences of a lambda-bound variable receive the same type.
• Each arm of a conditional receives the same type, and the condition receives type bool.
• In each application e = e1 e2, if e2 receives ty2 and e receives ty, then e1 receives ty2 -> ty.
• In each abstraction e = \v. e1, if v receives tyv and e1 receives ty1, then e receives tyv -> ty1.
• In a letrec declaration, all free occurrences of the declared variable receive the same type.

Now the type checker will ascribe the type (* -> **) -> * list -> ** list to map. This is in fact the most general type consistent with the constraints mentioned. Moreover, it can be shown that any instance of this type also allows the constraints to be satisfied; this is what allows us to claim that the declaration is indeed polymorphic.

In the following constraint list we say "p has ty" to indicate that the phrase p is ascribed a type ty which satisfies the stated conditions. We use x, p, e, d to stand for variables, patterns, expressions and declarations respectively.

Constants: () has type unit; 0 has type int; 1 has type int; true has type bool; false has type bool; a token constant has type tok; a string constant has type string.

Variables and constructors: The constraints described here are discussed in
75. of a better name, it is still called that way.

Similarly to the path stack of the navigator (Section ), the proof editor enables users to jump between commonly used positions in the proof tree. Pressing C-h marks the current proof address and stores it in an address stack. Pressing M-h jumps back to that position and removes the address from the stack.

NUPRL also enables users to copy a pattern of reasoning used in one proof to another proof. Pressing M-k copies the proof at the current node to a proof stack. C-y pastes the proof on top of the proof stack into the current proof node and removes it from the stack. Pasting a proof means re-executing the tactics of its tactic tree until one of the tactics fails or the complete tactic tree has been reused.

6.4.2 Proof History

In the course of proof development, NUPRL's proof editor stores each refinement as a separate object in the library. As a consequence, users may walk backward and forward through the proof history and continue the refinement of previous versions of the proof. Pressing C reverts the proof window to the previous proof in the proof history, while C moves to the next proof if there is one. If a user refines one of the previous proofs in the history, all subsequent proofs in that history will be discarded; the new proof will be the last proof in the new history. Users who want to save an older version of a proof to the library without modifying it can do so by pr
76. on them. The components of a precedence object and the names used to enter them by are summarized in the table below. The prser, preq and prpar terms are sequence constructors that may be nested. The standard editor commands described in Section 5.4.2 work on the sequences built with these terms.

Name    Display            Description
prser   p1 >> ... >> pn    serial precedence term
preq    p1 ... pn          equal precedence term
prpar   p1 ... pn          parallel precedence term
prel    obname             element of precedence order
prptr   obnamex            precedence object pointer

Object names and object pointers are the primitive elements in a precedence order. Serial precedence terms impose a linear order on a set of precedences p1 ... pn. Equal precedence terms declare all precedences pi to be equal in the precedence order. Parallel precedence terms declare all precedences pi to have the same rank in the precedence order while being unrelated to each other. Each display form not explicitly associated with any precedence element is implicitly associated with a unique precedence element unrelated to all other precedence elements. The uniqueness implies that two such display forms have unrelated precedence. Examples of a base set of precedences set up for the current NUPRL theories can be found in the standard theory core_1.

Automatic Parenthesis Selection

The parenthesization of a term slot of a display form is controlled by the parenthesis sl
77. output from evaluating the ML expression in the command line zone. The window shown on the right of Figure shows the command prompt of the corresponding process, the ML expression, its value, its type and a time stamp. It also provides three buttons: Previous and Next are used for going backward and forward in the evaluator history. RaiseEvaluator inserts the current history command back into the ML top loop, provided the command and the ML top loop interact with the same process. RaiseNavigator brings the navigator window to the foreground (works currently only for twm).

4.4.2 The command line zone editor

The command line zone provides a term editor. The editor is initially in text mode, indicated by the text cursor, which allows the user to enter ML text. NUPRL terms may be inserted into this text by opening a term slot and entering terms as described in Chapter 5. Most of the editor commands described in Chapter 5 will work the same way in the command line zone. The only exception is the return key, which sends the command to the ML evaluator instead of inserting a new line as in the term editor. The commands and key bindings of the command line zone editor that differ from those of the regular term editor are listed in Table 4.3.

Table 4.3: Command line zone editor commands
↵       EVALUATOR_EVAL        call ML evaluator
S-↵     INSERT_NEWLINE        add line break
C-R     EVALUATOR_PREVIOUS    scroll back through history
78. overwritten.
• AppendSource filters the milled directory for objects that satisfy a given predicate and adds the found objects to the directory Targets.
• TransformTargets applies a specific transformation to the contents of all objects in the directory Targets.
• ViewTargets opens a window displaying the object identifiers in the directory Targets.
• FilterTargets pops up a list of objects in the directory Targets that satisfy a given predicate from the directory Target_Filters. The directory Targets itself will not be modified.
• CopyTargets copies the contents of the directory Targets to a directory Copies.
• TargetsAp applies a specific operation to all objects in the directory Targets. Current operations include activating and deactivating, adding properties, and counting.
• Rerun_Bot creates two TERM objects in the milling directory that allow replaying proofs in the directory Targets on a fine level of detail. The purpose of this operation is to safely rebuild proofs that are imported from different or older proof environments and fail during replay.

Milling directories can also be built by typing build_mill_dir directory tag_name into the editor ML top loop, where directory is the object identifier of the directory to be milled and tag_name a token describing the tag for the milling directory.

4.3.4.3 NavAtAp

Clicking the NavAtAp command button when the navigation pointer is at a code object will replace the final ar
79. pairs returned by matching p with E is produced.

Thus if p matches E, then p and E have a similar shape, and each identifier in p corresponds to some component of E, namely that component paired with the identifier in the set returned by the match. Here are some examples:
1. (x,y,z) matches (1,2,3) with x, y and z corresponding to 1, 2 and 3 respectively.
2. (x,y,z) does not match (1,2) or (1,2,3,4).
3. (x,y) matches (1,2,3) with x and y corresponding to 1 and (2,3) respectively, because (E1,E2,...,En) stands for (E1,(E2,...,En)).
4. x y does not match or 1 2 (delimiters lost in the scan).
5. x y matches 1 2 with x and y corresponding to 1 and 2 respectively.
6. x y does not match 1 2.
7. x y z w () matches 1 2 3 4 5 6 7 with x, y, z and w corresponding to 1, 2, 3 and 4 5 respectively.

B.4.2 Expressions

If the evaluation of an expression terminates, then either it succeeds with some value or it fails; in either case, assignments performed during the evaluation may cause side effects. If the evaluation succeeds with some value, we shall say that value is returned. We shall describe the evaluation of expressions by considering the various cases in the order in which they are listed in the syntax equations.

ce: The appropriate constant value is returned.
var: The value associated with var is returned. If var is ordinary, then the value returned is the value bound to var in the environment. If var is assignable, then the value return
80. prefix : string -> (* -> **) -> * -> **
set_fail : string -> (* -> **) -> * -> **

Description: set_fail_prefix s f x applies f to x and returns the result of the application if it is successful; if the application fails, then the string s is concatenated to the failure string and the resulting string is propagated as the new failure string. set_fail s f x applies f to x and returns the result of the application if it is successful; if the application fails, then the string s is propagated as the new failure string.

Definition:
let set_fail_prefix s f x = f x ?\s' failwith (concatl [s; s']) ;;
let set_fail s f x = f x ? failwith s ;;

Bibliography

[ACE+00] Stuart Allen, Robert Constable, Richard Eaton, Christoph Kreitz and Lori Lorigo. The Nuprl open logical environment. In D. McAllester, editor, 17th Conference on Automated Deduction, volume 1831 of Lecture Notes in Artificial Intelligence, pages 170-176. Springer Verlag, 2000.
[BBS+98] Holger Benl, Ulrich Berger, Helmut Schwichtenberg, Monika Seisenberger and Wolfgang Zuber. Proof theory at work: Program development in the minlog system. In W. Bibel and P. Schmitt, editors, Automated Deduction: A Basis for Applications, volume II, chapter II.1.2, pages 41-71. Kluwer, 1998.
[BCH+00] Ken Birman, Robert Constable, Mark Hayden, Jason Hickey, Christoph Kreitz, Robbert van Renesse, Ohad
81. require Lucid or Allegro Lisp. It runs on Unix-based workstations that use the X window system.

Note that this manual is still under development and incomplete. Additional online documentation can be found on the Web at the URL , in the directory home/nuprl/nuprl5/doc of the installed system, and in objects such as doc_ref_editor and doc_navigator_use while the system is running.

The original NUPRL book, Implementing Mathematics with the Nuprl Proof Development System [CAB+86], also available on the Web at the URL , is still a good background reference. However, one has to keep in mind that the system itself has been changed and extended substantially since the book was published. None of the tutorials given in the book will work in NUPRL 5. The reference portion of the book is superseded by this reference manual, but contains some useful examples and discussions of tactic writing that are not reproduced here. The advanced portion of the book deals with application methodology, gives some extended examples of mathematics formalized in Nuprl, and also describes some extensions to the type theory which have not been implemented.

3.1.3 Tips for Beginning NUPRL 5 Users

We recommend that you run through the brief tutorial in Chapter 2 before trying to do anything else with the system. In learning to use the navigator as well as the proof and term editors, check out all the mouse commands and the buttons that are provided. Many edi
82. results will be displayed in a separate window.
• Exit closes the command window. As proofs are replayed asynchronously, this will not stop the ongoing checks.
• Reset resets the list of remaining proofs to be checked to the initial list of proofs.
• NumRemaining displays the remaining number of proofs to be checked.
• Abort aborts the ongoing check and resets the list of remaining proofs to be checked.

Users may also modify the parameters of the check mechanism. The number after MaxPend indicates how many refiners should maximally be used for checking proofs. Using more than one refiner is helpful when checking large theories, but it takes these refiners away from other tasks. The Save status bit determines whether to save the status of the checking mechanism when the command window is saved. The Active bit and the check function after Bot Function should not be changed by a user.

Instead of clicking the ChkThy command button one may also type the command build_check_theory_bot directory into the editor ML top loop. Although the individual check commands could be issued from the top loop as well, it is not advisable to do so.

NUPRL provides a few variations of the ChkThy command:
• ChkAllThys initiates a check for all the theories in the library. This is the same as clicking ChkThy with the navigation pointer at the root of the theories directory.
• ChkOpenThy accumulates all the proofs in the theory instead of only proofs of statements in
83. [Table of integer inference rules, symbols lost in the scan; the rule names that survive are: remainderEquality, remainderBounds1, remainderBounds3, divideRemainderSum, intEquality, natural_numberFormation, addFormation, subtractFormation, multiplyFormation, divideFormation, remainderFormation, remainderBounds2, remainderBounds4, indEquality, intElimination.]
84. showRefEnvs command button. This will pop up a new window containing a list of all existing static reference environments. Clicking on one of the terms with MIDDLE, or moving the cursor to it and pressing the right arrow key, will open the corresponding object, which shows the reference environment specification as an association list of reference variables and indices. Clicking MIDDLE on a variable-index pair will pop up some indication of the data that is bound to that variable by that index. Reference environments may also be examined by typing show_ref_environments into the editor ML top loop.

The normal methods for creating and manipulating theory objects will maintain the chain of ephemeral reference environments in a theory. Occasionally this chain may get corrupted when objects are moved or deleted. To fix this problem, a user has to click the FixRefEnvs button. This will rechain all the objects in a theory and thus update the ephemeral reference environment. Reference environments may also be fixed by typing reset_ephemeral_refenvs directory into the library ML top loop, where directory is the object identifier of the theory to be rechained.

In an open theory, users may insert static reference environments by clicking the mkRefEnv command button. This will create an object named RE_summary_theory_name_index that summarizes all theory objects up to the current one and places it immediat
85. standard theories.

4.4 The ML Top Loop

The ML Top Loop, shown in Figure 4.14 on the left, provides an interactive interface to NUPRL's editor, refiner and library ML processes. It can be used to evaluate ML expressions and declarations and to issue commands that change the state of the three processes. Commands have to be entered into the command line zone between the command line prompt and the double semicolon, the termination characters for ML expressions. Commands that have been evaluated are stored in a command history, which makes it possible to recall and modify complex commands. The ML Top Loop also contains a command zone with command buttons that affect the behavior of the editor itself.

4.4.1 Top loop command buttons

The buttons in the top line of the Top Loop command zone interact with the contents of the command line zone; the ones below have more global effects.

Button        Command                             Section
AbReduce      Update the Reduce tactic            4.3.2.2
Act           Activate an object
AddDef        Create a definition                 4.3.2.2
AddDefDisp    Create a display form
AddRecDef     Create a recursive definition
AddRecMod     Create a recursive module           4.3.2.3
CheckMinTHY   Check with theory-minimal RefEnv
ChkAllThys    Check all library theories          4.3.3.6
ChkOpenThy    Check all proofs in theory
ChkThy        Check a theory
CloseThy      Close (finalize) a theory           4.3.3.3
CpObj         Copy an object
DeAct         Deactivate an object
EditProperty  Edit object properties              4.3.2.10
86. sub-theories of a theory, one should use the MkThyDir button instead of MkTHY. Like MkDir, this will create a directory within the theory that does not contain a static reference environment. In addition to that, it adds a theory property to the directory object, which will help other commands maintain the reference environment chain within the theory.

Theories can also be created by typing lib_mkthy preREs directory position name into the editor ML top loop, where preREs is a list of object identifiers describing the reference environments on which the theory depends, directory is an object identifier of the directory in which the theory shall be placed, position a token describing the object after which it shall be positioned, and name a token describing its name. Theory directories can be created with the command lib_mkthy_dir directory position name.

4.3.3.3 Changing Theory Modes

Depending on the reference environments (Section 4.3.3.1) of its objects, a theory can be in one of two modes:
• open & ephemeral, where all theory objects will have ephemeral reference environments, or
• closed & minimal, where all theory objects have some flavor of minimal reference environments and ephemeral reference environments are removed. Instead, the theory has a final reference environment object that summarizes the contents of the entire theory.

In addition to that, theories can also be static or explicit, which means that all theory
87. tactics in Tacs are paired up with the subgoals formed from instantiated antecedents. The rewrite goes through only if each tactic completely proves its corresponding subgoal. If there are fewer tactics than antecedents, an appropriate number of copies of the head of Tacs will be added to the left of Tacs. If Tacs is empty, then rewriting must go through unconditionally. name is the name of the lemma; i is the number of a hypothesis. Negative numbers are allowed, c.f. Section 8.2.1.1.

Other useful specializations of GenLemmaWithThenLC and GenHypWithThenLC are:

GenLemmaC n name         GenLemmaWithThenLC n name
LemmaWithC hints name    GenLemmaWithThenLC 1 hints name
LemmaThenLC Tacs name    GenLemmaWithThenLC 1 Tacs name
GenHypC n i              GenHypWithThenLC n i
HypWithC hints i         GenHypWithThenLC 1 hints i
HypThenLC Tacs i         GenHypWithThenLC 1 Tacs i

The hypothesis conversions described here derive their rewrite rules from local environments (Section 8.9.1.1) that they are presented with on their first applications. If the conversions are applied with conversionals such as HigherC or NthC that start applying a conversion at the top of a term, then the environment is always the same as the environment of the clause being rewritten.

8.9.2.2 Atomic Direct Computation Conversions

Low-level direct computation conversions are not usually invoked directly by the user, but are useful for controlling the evaluation of r
88. term cursors.

5.2.3 Term and Text Sequences

The term editor has special features for handling certain kinds of sequences of terms, which makes them appear much like terms with variable numbers of subterms. A term sequence is constructed by iteratively pairing term slots in a right-associative way and displayed as a linear sequence. A sequence containing 4 empty term slots, for instance, might be displayed as <[] [] [] []>. Different kinds of term sequences have different pairing terms, a special term to represent the empty sequence, different left and right delimiters (the < and > respectively in the example), and different element separators. Delimiters and separators in term sequences always consist of at least one character. The editor considers all the term slots of the sequence as siblings in the display form tree and the whole sequence as their immediate parent. Often the editor does not distinguish between a term and a one-element sequence containing that term, but treats a term as a one-element sequence. Thus, for nearly all purposes, the internal structure of sequences can safely be ignored.

A text sequence is a text string in which characters may be replaced by terms. Text sequences are primarily used for proof tactics and other ML code, for comments, and for the left-hand sides of display forms. The editor presents a text sequence as a display form with alternatin
89. terms are used, we walk through the entry of the term foo{bar:s}(A; x.B).

Create an empty term slot and enter the exterm command (the exact key sequence is lost in the scan). The highlighted term should look like
  EXPLODED<< bterm>>
Enter the opid foo to get
  EXPLODED<<foo bterm>>
Click LEFT on the parameter slot and you should get a null-width term cursor sitting on an empty term sequence for parameters:
  EXPLODED<<foo{} bterm>>
Enter C-o to add a new slot to the parameter sequence:
  EXPLODED<<foo{[]} bterm>>
Insert the string parameter with text bar by typing sparm bar:
  EXPLODED<<foo{bar:s} bterm>>
Click LEFT on the bterm and enter C-o C-o to make a two-element sequence for bound terms, leaving the cursor on the left-most element:
  EXPLODED<<foo{bar:s} bindings.term; bindings.term>>
Enter C-o to open up a slot in the sequence and enter a binding variable term:
  EXPLODED<<foo{bar:s} term; bvar.term>>
You could now go ahead and fill in the binding variable and subterm slots by typing A, x and B:
  EXPLODED<<foo{bar:s} A; x.B>>
Finally, click LEFT on any part of EXPLODED and then enter C-x im to implode the exploded terms. You should now have the term foo{bar:s}(A; x.B).

In general, when imploding and exploding terms, the parameter values, binding variable names and s
90. the scroll position, the navigator will show an error after the next operation. Using the undo operation until the entered text is removed and moving the cursor to where it is supposed to be solves the problem.

Sometimes the contents of a window are not updated after resizing it. Scrolling down and up with C-v and M-v usually forces the window to be updated.

If a user has messed up the contents of a window and cannot undo the error, closing the window with C-q and opening it again will often solve the problem. C-q closes the window without saving the modifications to the object, so reopening the object will show the state after the last save operation (usually C-z). Note that the navigator, the ML top loop and the evaluator history cannot be closed without using the editor commands from Section 4.5.

If the system appears to be inexplicably stuck, check the ML process loops. It is possible that one of them is garbage collecting, which may take up to several minutes depending on processor speed and available memory. In rare cases one of the three Lisp processes crashes and ends up in debug mode, which offers several restart actions to the user. Entering the Lisp command ooe after the prompt usually brings the process back to a stable state.

If a user has initiated a non-terminating computation, for instance by entering a recursive ML expression into the ML top loop or by applying the NUPRL term evaluator to a term containing
91. the language, and would wish to give them further thought if we were mainly concerned with language design. In particular, the constructs for controlling iteration, both by boolean conditions and by escape trapping, which we included partly for experiment, are perhaps too complex taken together, and we are sensitive to the criticism that escape (or failure, as we call it) reports information only in the form of a string. This latter constraint results mainly from our type discipline; we do not know how best to relax the constraint while maintaining the discipline. Concerning the description of ML, we have tried both to initiate users by examples of programming and to give a precise definition.

B.2 Introduction and Examples

ML is an interactive language. At top level one can
• evaluate expressions
• perform declarations

To give a first impression of the system, we reproduce below a session at a terminal in which simple uses of various ML constructs are illustrated. To make the session easier to follow, it is split into a sequence of sub-sessions. A complete description of the syntax and semantics of ML is given in Section and Section respectively.

B.2.1 Expressions

In this tutorial, lines beginning with the ML prompt contain the user's contribution; all other lines are output by the system. The NUPRL ML prompt is different: usually ML is used for the first line of user input and > is used for continuation lines.
92. the RmGroup button. This will remove the objects from the library and update the reference environment (see Section 4.3.3.1) accordingly.

4.3.2.7 Moving Objects

Objects may be moved to different locations within the same directory or to locations in other directories. Clicking the MvThyObj command button will open a template on top of the command zone into which the user may type the name of the object to be moved. The name of the object at the navigation pointer already occurs in the template, with the edit cursor at its beginning. To move the object to a different location, one has to leave the command zone, move to the position where the object should be placed, and then click OK. The same effect can be achieved by typing lib_mv_thy_obj src_dir name dest_dir position into the library ML top loop, where src_dir and dest_dir are the object identifiers of the source and destination directories, name the name of the object to be moved, and position the name of the object after which the definition shall be inserted.

4.3.2.8 Renaming Objects

Renaming an object involves changing both the object's internal name (see Section 4.1.1) and the external reference to the object. Clicking the reNameObj command button will open a template on top of the command zone into which the user may type the new name of the object. Leaving the command zone while renaming an object is not recommended, as renaming will be applied to whatever object the navigation
93. the evaluation of a construct fails, then failure is signalled and a string is passed to the context which invoked the evaluation. This string is called the failure string, and it normally indicates the cause of the failure. During evaluation, failures may be generated either implicitly, by certain error conditions, or explicitly, by the construct failwith e, which fails with e's value as failure string. For example, the evaluation of the expression 1/0 fails implicitly with failure string `div`, while that of failwith `str` fails explicitly with failure string `str`. We shall say two evaluations fail similarly if they both fail with the same failure string. For example, the evaluations of 1/0 and failwith `div` fail similarly. Side effects are not undone by failures.

If during the evaluation of a construct a failure is generated, then unless the construct is a failure trap (i.e. an expression built from ? and ?\), the evaluation of the construct itself fails similarly. Thus failures propagate up until trapped or reaching top level. For example, when evaluating 1/0 + 1000, the expression 1/0 is first evaluated, and the failure which this evaluation generates causes the evaluation of the whole expression, viz. 1/0 + 1000, to fail with `div`. On the other hand, the evaluation of 1/0 ? 1000 traps the failure generated by the evaluation of 1/0 and succeeds with value 1000. In general, the evaluation of e1 ? e2 proceeds by first evaluating e1
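As an added illustration of the failure semantics just described and of the set_fail_prefix function from the library reference (not a session from the manual itself), the following ML top-loop fragment shows trapping with ? and ?\, propagation of an untrapped failure, and a side effect that survives the failure. The names count, bump_then_fail and v1 to v4 are made up for this example.

```ml
% Added example, not part of the manual: failure propagation, trapping and side effects %

letref count = 0;;          % assignable variable, i.e. bound to a location in the store %

% The assignment is performed before failwith is reached, so the store is changed %
% even though the whole expression fails: side effects are not undone by failures. %
let bump_then_fail () = (count := count + 1; failwith `boom`);;

% A ? trap discards the failure string and evaluates its right-hand side instead. %
let v1 = bump_then_fail () ? 1000;;                  % v1 = 1000, count is now 1 %

% A ?\ trap binds the failure string, so the handler can inspect the cause. %
let v2 = bump_then_fail () ?\s (if s = `boom` then 1 else 2);;   % v2 = 1, count is now 2 %

% Without a trap around 1/0 itself the `div` failure propagates through the sum %
% and is only caught by the outer ?, so the value of the alternative is returned. %
let v3 = (1/0 + 1000) ? 0;;                          % v3 = 0 %

% set_fail_prefix, as defined in the library reference, prepends context to the %
% failure string on its way up; the outer ?\ then observes the prefixed string. %
let set_fail_prefix s f x = f x ?\s' failwith (concatl [s; s']);;
let v4 = set_fail_prefix `bump: ` bump_then_fail () ?\s s;;       % v4 = `bump: boom` %
```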
94. the following flavors are recognized:
• minimal: minimal relative to the empty environment
• theories minimal: minimal relative to a set of theories, most commonly the standard theories
• relative minimal: minimal relative to a specific theory. This is commonly used while developing a set of theories.

[Figure 4.10: Creating Theories; initial template and generated static reference environment. Screenshot of the navigator command zone and of the generated reference environment object RE_init_new_theory.]

The presence of static reference environments puts certain restrictions on the nesting of theories. Although in principle it would be possibl
95. the functions ml_paired_infix and ml_curried_infix in Section B.6.1 for details of how to give an identifier infix status.

B.4 Semantics of ML

The evaluation of all ML constructs takes place in the context of an environment and a store. The environment specifies what the variables and constructors in use denote. Variables may be bound either to values or to locations. The contents of locations, which must be values, are specified in the store. If a variable is bound to a location, then and only then is it assignable. Thus bindings are held in the environment, whereas location contents are held in the store. Constructors may only be bound to values (constructor constants or constructor functions), and this binding occurs when they are declared in a concrete type definition.

The evaluation of ML constructs may either succeed or fail. In the case of success:
1. The evaluation of a declaration d, say, changes the bindings in the environment of the identifiers declared in d. If d is at top level, then the scope of the binding is everything following d. In d in e the scope of d is the evaluation of e, and so when this is finished the environment reverts to its original state (see Section B.4.1).
2. The evaluation of an expression yields a value, the value of the expression (see Section B.4.2).

If an assignment is done during an evaluation, then the store will be changed; we shall refer to these changes as side effects of the evaluation. If
96. the library, refiner and editor processes at this point. A typical NUPRL 5 session will have many NUPRL windows open at the same time, so it is advisable to create some space for this, particularly when using medium-sized or larger fonts. The library, refiner and editor process windows will only be needed for issuing low-level system commands and dealing with error situations that cause one of the NUPRL processes to break.

The following emacs script defines an interactive function nuedit that performs all the above steps in a new emacs shell. It pops up a NuEditor window immediately below the library window and starts the NUPRL 5 editor in it.

  (defun nuedit ()
    (interactive)
    (nuprl-frame "NuEditor" 10 178 "nuedd\n")
    (message "Starting Editor, please be patient")
    (set-foreground-color "midnightblue")
    (set-background-color "#ffd8ff")
    (comint-send-string "NuEditor" "top\n")
    (comint-send-string "NuEditor" "go\n")
    (comint-send-string "NuEditor" "win\n"))

If you run the NUPRL 5 editor on a remote machine, make sure that its display is directed to your local machine before nuedd is entered. This is usually done by setting the environment variable DISPLAY. In a cshell you can do this with the following command:

  CSHELL_PROMPT> setenv DISPLAY LOCAL_HOST_NAME:0.0

In the emacs script you would have to insert the line

  (comint-send-string bufname "setenv DISPLAY LOCAL_HOST_NAME:0.0\n")

into the definition of nuprl-frame im
97. the subgoals, NUPRL tactics often attach explicit labels to them indicating their kind. Labels consist of an ML token and an optional number. Typical examples of labels are main, upcase, aux and wf. Sometimes tactics generate a set of subgoals of the same kind where the order of the subgoals is important. The optional numbers are used to discriminate between these subgoals. Most descriptions of tactics include information on subgoal labeling. It is also a simple matter to find out what labels are generated by experimentation. For historical reasons, goal labels are sometimes known as hidden labels.

Labels may be added explicitly using the following tactics:
AddHiddenLabel lab: Add label lab to the current goal.
AddHiddenLabelAndNumber lab i: Add label lab to the current goal along with the integer label i.
RemoveHiddenLabel: Remove the label from the current goal.

Note that the goal label created by AddHiddenLabelAndNumber `x` 1 is `x` and not `x 1`, although it will be displayed as the latter. The number is considered as strictly separate from the label and will only be considered by tactics that discriminate on the number as well. Removing a label is equivalent to adding the label main. This label will not be displayed, since unlabeled goals are usually considered main goals. To make subsequent tactics discriminate on labels, one usually applies the tacticals described in Section below.
98. the term slot, and RemoveProperty removes that property from the object. Properties, once removed, can only be re-inserted explicitly. Editing object properties should only be done by advanced users. Most users will rarely find it necessary to edit the properties of an object.

4.3.2.11 Saving Objects

During the development of formal theories users may occasionally want to save the current version of an object before modifying it. Clicking the SaveObj command button will copy the object at the navigation pointer to a subdirectory save of the current directory. The internal name of the object will be preserved, which makes it easier to move the saved version back into its old location, and the reference to it will include a time stamp in its name. If the subdirectory save doesn't exist yet, it will be created. The same effect can be achieved by typing the command

    copy to save directory name

into the library ML top loop.

4.3.2.12 Printing Objects

Often users like to create print representations of objects in order to document their formal theories on paper or on the web. Clicking the PrintObj command button will create a print representation of the object at the navigation pointer and write it into a file nuprlprint/name_obj.prl. This file can be inspected with any 8-bit capable editor that has the NUPRL fonts loaded. It will also create a LaTeX version and write it to nuprlprint/name_obj.tex. The directory nuprlprint must alread
99. the top or bottom of the display, the window scrolls appropriately. There are also explicit window scrolling commands.

5.5.2 Tree-Oriented Motion

    M-P      UP                   move up to parent
    M-B      LEFT                 structured move left
    M-F      RIGHT                structured move right
    M-N      DOWN-LEFT            move to leftmost child
    M-M      DOWN-RIGHT           move to rightmost child
    M-A      LEFTMOST-SIBLING     move to leftmost sibling
    M-E      RIGHTMOST-SIBLING    move to rightmost sibling
    M-       UP-TO-TOP            move up to top of term
    C-LFD    RIGHT-LEAF           next leaf to right
    M-LFD    LEFT-LEAF            next leaf to left
    y        RIGHT-EMPTY-SLOT     next empty slot to right
    C-u      RIGHT-EMPTY-SLOT     next empty slot to right
    M-L1     LEFT-EMPTY-SLOT      next empty slot to left

UP, LEFT, RIGHT, DOWN-LEFT and DOWN-RIGHT are the basic walking commands. These commands recognize text and term sequences and skip over their internal structure. Within text slots, LEFT and RIGHT stop at each word. RIGHT-LEAF, LEFT-LEAF, RIGHT-EMPTY-SLOT and LEFT-EMPTY-SLOT are particularly good for rapidly moving around terms, since you can often get where you want to go by just repeatedly using one of them. Note that 1 is not bound to RIGHT-EMPTY-SLOT within text sequences; in that case you need to use C-41.

5.5.3 Mouse Commands

    LEFT      MOUSE-MARK-THEN-SET-POINT            set mark then point
    C-LEFT    MOUSE-MARK-THEN-SET-POINT-TO-TERM    set mark then point to term
    MOUSE-MARK
100. then point

Summary of the term editor commands (the two columns of the original table are listed one after the other):

    C-0      open slot to left and init
    M-0      open slot to right and init
    C-C      close slot and move left
    M-C      close slot and move right
    C-P      move cursor up 1 character
    C-N      move cursor down 1 character
    C-B      move cursor left 1 character
    C-F      move cursor right 1 character
    C-A      move to left side of screen
    C-E      move to right side of screen
    C-L      scroll window up 1 line
    M-L      scroll window down 1 line
    C-V      move window down 1 page
    M-V      move window up 1 page
    C-T      switch to term mode
    M-P      move up to parent
    M-B      structured move left
    M-F      structured move right
    M-N      move to leftmost child
    M-M      move to rightmost child
    M-A      move to leftmost sibling
    M-E      move to rightmost sibling
    M-       move up to top of term

    C-LEFT       set mark then point to term
    MIDDLE       view display form of term
    C-MIDDLE     as PASTE
    M-MIDDLE     as PASTE-NEXT
    C-M-MIDDLE   as PASTE-COPY
    RIGHT        view abstraction definition of term
    C-RIGHT      cut term or region
    M-RIGHT      save term or region
    C-M-RIGHT    delete term or region
    C-X id       gives info on term at cursor
    C-X su       suppress display form at cursor
    C-X un       unsuppress display form at cursor
    C-X ex       explode term at cursor
    C-X im       implode term at cursor
    C-X ch       check object
    C-X sa       save object
    C-X ab       view abstraction def of term
    C-X df       view display form def for term
    C-X ns       insert empty string in text slot
    exterm       insert new exploded term
    lparm        insert level exp parm
    vparm        insert variable parm
    tparm        insert to
101. then stop the respective ML and Lisp processes. The library process will cleanly shut down the knowledge base and then stop as well. Instead of shutting down gracefully you may also simply kill all three processes to stop NUPRL 5, although this is not recommended.

Chapter 3 Running NUPRL 5

3.1 System Requirements

NUPRL 5 is written mostly in Common Lisp but uses some extensions that require Lucid, Allegro or CMU Common Lisp and a Unix-based X window system. The implementation of CMU Common Lisp is freely available; other Lisp versions require a license. CMUCL is faster with a smaller memory footprint, but currently Allegro is a bit more stable. The NUPRL homepage provides executable copies of the CMUCL version of NUPRL 5 running under Linux. Executable copies for Allegro can be provided upon request. The source code, as well as instructions for installing NUPRL 5 to run under other Lisp and Unix versions, will be made available as soon as the system has stabilized.

The Linux release of NUPRL 5 contains 3 binary executables, the library, the editor and the refiner, that altogether require 120 MegaBytes of disk space for the CMUCL version and 40 MegaBytes for the Allegro version. The standard library initially requires an additional 120 MegaBytes of disk space and quickly grows to 500 MegaBytes or more. It is recommended to run NUPRL 5 on systems that have at least 256MB of RAM, 512MB of swap space and 800MB of disk space avail
102. theory to be printed.

4.3.3.9 Creating Theory Documentation

The commands for printing theories only create listings of theory contents in linear order, possibly augmented by comment objects as described in Section 4.3.2.13. In addition to these, NUPRL provides a more flexible mechanism for creating formal documentation that enables a user to insert references to formal objects into informal text. Clicking the MkThyDocObj command button creates a comment object thy doc timestamp that contains pointers to all the statement and abstraction objects in the current theory. Users may then edit the object to write formal articles by adding text and rearranging and duplicating the existing pointers. Printing the object with PrintObj will then create a LaTeX article that documents the formal theory. The advantage of this approach is that the formal article is always up to date, even if a user chooses to change the formalization of a theorem or the display form of an abstraction.

[Figure 4.12: Creating Object Collections. Screenshot of the navigator with the collector command zone; visible buttons: JumpToLocalCollectors, ObidCollector, TempObidCollector, NamedObidCollector, Cancel, Hide, ToggleObidList, Collect, FindNames, Reload, Save, View, Finish, Clear, DeleteDirFromCollector, InsertDirIntoCollector, DeleteCollectorFromDir, InsertCollectorIntoDir, Undo, MkTHY, OpenThy, CloseThy, ExportThy, ChkThy, ChkAllThys, ChkOpenThy, CheckMinTHY, MinTHY, EphTHY, ExTHY; status line: Collecting into kreitz Obid Collector 2002_07_17 PM 03_48_20.]
103. they are presented. When we talk of the logical structure of a term, we are thinking of the abstract mathematical object that it represents. NUPRL's uniform term syntax, described in the previous section, is meant to reflect the regularity of these objects. In contrast to that, notation aims at a visual presentation of abstract objects on the printed page or on the computer screen. Familiar notation for mathematical expressions helps human readers to construct the described abstract object in their minds, but should not be confused with the abstract structure itself.

In mathematics, notation is a crucial issue. Many mathematical developments depend heavily on the adoption of some clear notation, which makes mathematics much easier to read. However, mathematical notation can be rather complex and ambiguous if one is not aware of the immediate context it is presented in. Juxtaposition of symbols, for instance, can mean function application in one place and multiplication in another. Notation understandable by machines, on the other hand, is often restricted to source texts in ASCII files that can easily be parsed by a computer. Programming languages allow overloading of operators and implicit coercions and resolve these ambiguities by type checking and similar methods. For interactive theorem proving, however, parseable ASCII notation is far from being sufficient, as it is not anywhere as easy to read as mathematics in books and papers. The NUPRL s
104. to a phrase depends in general on the entire surrounding ML program. In the case of top-level expressions and declarations, however, the type ascribed depends only on preceding top-level phrases. Thus you know that types ascribed at top level are not subject to further constraint. Before each top-level phrase is executed, types are ascribed to all its sub-expressions, sub-declarations and sub-patterns according to the following rules. Most of the rules are fairly natural; those which are less so are discussed later. You are only presented with the types of top-level phrases; the types of sub-phrases will hardly ever concern you.

Before giving the list of constraints, let us discuss an example which illustrates some important points. To map a function over a list we may define the polymorphic function map recursively as follows, where we have used an explicit abstraction rather than letrec map f l to make the typing clearer:

    letrec map = \f. \l. null l => [] | f (hd l) . map f (tl l) ;;

From this declaration the type checker will infer a generic type for map. By generic we mean that each later occurrence of map will be ascribed a type which is a substitution instance of the generic type. Now the free identifiers in this declaration are null, hd and tl, which are ML primitives whose generic polytypes are * list -> bool, * list -> * and * list -> * list respectively. The first constraint used by the type checker is that the
105. to present formal content within a variety of notations without having to change the internal logical representation of these terms. Display forms are commonly created whenever a definition is introduced using the AddDef mechanisms (Section 4.3.2.2), but they may also be added for existing abstractions as well as for the primitive terms of the library.

    def_seq     ::=  definition
                  |  definition def_seq
    definition  ::=  format_seq term attr_seq
                  |  format_seq term
    format_seq  ::=  format
                  |  format format_seq
    attr_seq    ::=  attribute
                  |  attribute attr_seq

    Figure 7.1: Display Object Structure

In NUPRL the presentation of all formal content, including the appearance of the navigator, the editor, sequents and proofs, is controlled by display forms and may be adjusted according to the preferences of a user. Even the mechanisms for editing and presenting display forms themselves may be modified. The display forms for the quantifiers (all_df, exists_df) and the logical connectives (and_df, or_df), for instance, appear as display form generators.

The top-level structure of a display form object is summarized by the grammar shown in Figure 7.1. An object contains one or more display form definitions. Each definition has a right-hand side term to which the display form applies and a sequence of formats that specify how to display the term. A definition also has an optional sequence of attributes that specify extra information about the de
106. tree. Typing J again will search for the next matching name, etc. The search mechanism can be modified by using the additional buttons of the search command zone. These buttons have the following effects:

- Hide: Hide the search command zone by iconifying it to a button Search.
- Backward: Change the default direction to backward search and search for the next match.
- Forward: Change the default direction to forward search and search for the next match.
- Global: Search within the entire library.
- Tree: Restrict the search to the subtree beginning in the current directory.
- List: Restrict the search to the list of objects in the current directory.
- PreviousPattern: Replace the current search pattern by the one previously entered. This pattern may be modified, but the modified pattern will not be stored in the list of patterns.
- NextPattern: Replace the current search pattern by the one entered immediately after it, if there is one.
- Reset: Replace the pattern by an empty pattern slot.
- Cancel: End the search and remove the search command zone.

[Figure: two screenshots of the search command zone with the buttons Hide, Backward, Forward, Global, Tree, List, PreviousPattern, NextPattern, Reset, Cancel; one shows "Search Forward Pattern: pattern", the other "Search Forward Pattern: divides", both with the status "Searching entire lib" and the hint "jumps to next matching name in library".]
107. use the display form definition

    gs ES P all 7 x P df

where is used to indicate a text slot.

Two display form definitions in NUPRL are rather special: the display form definition for variable terms and the display form definition for natural numbers. Both display forms have only a single text slot and no other printing or whitespace characters.

    variable{z:v}
    natural_number{n:n}

In general, a display form for a term is made up of text and term slots interspersed with printing and space characters. We can annotate display forms with formatting commands that specify where line breaks can be inserted and how to control indentation. The structure and appearance of display form definitions, which are contained in display objects in NUPRL theories, as well as the effect of precedences on parenthesization, is described in detail in Chapter 7.

NUPRL's term editor builds the notation for a term from the display forms associated with each node of the term tree. Thus the structure of the notation mirrors the tree structure of the term. The display form tree of a term is the tree structure that one actually edits with NUPRL's term editor. In a display form tree each display form and each slot is considered a node of the tree. If a slot is not empty, it is identified with the display form tree or the text string filling it. All the slots of a d
108. user-defined theory in a way that does not reveal the underlying type theory. An example for the use of MacroC is the conversion for unrolling the Y combinator defined in the theory core_2:

    ycomb == λf. (λx. f (x x)) (λx. f (x x))

    ycomb_unroll
    let YUnrollC = MacroC `YUnrollC`
        (AllC (UnfoldC `ycomb`) RedexC RedexC)          Y F
        (AllC (UnfoldC `ycomb`) AddrC [2] RedexC)       F (Y F)

For another example look at the length_unroll object in the list_1 theory. SimpleMacroC can be used if the rewrite steps involved in justifying the equivalence of t and t' are simpler, as in the case of the abstract redex for the projection functions on products:

    let pi1_evalC = SimpleMacroC `pi1_evalC` <a,b>.1 => a  ...

Appendix A The Basic Nuprl Type Theory

A.1 Syntax

Nuprl terms have the form

    opid{p_1:F_1, ..., p_k:F_k}(x_11, ..., x_1m_1 . t_1; ...; x_n1, ..., x_nm_n . t_n)

We name the parts of a term as follows:

- opid{p_1:F_1, ..., p_k:F_k} is the operator. The parts of the operator are: opid is the operator identifier, p_j:F_j is the j-th parameter, p_j is the parameter value and F_j is the parameter type.
- The tuple (m_1, ..., m_n), where m_i >= 0, is the arity of the term.
- x_i1, ..., x_im_i . t_i is the i-th bound term of the term, which binds free occurrences of the variables x_i1, ..., x_im_i in t_i.

When writing terms we sometimes omit the brackets around the parameter list if it is empty. Note that parameters are separated by commas, while subter
109. users may still be able to retrieve them if that should be necessary.

6.4.4 Views of Proofs and Refinements

NUPRL enables users to look at proof trees in different ways. In the default view the proof window displays the addresses, goals and refinements of each visible node. Pressing C-M-t will show the tactic tree instead, C-M-a the proof structure, i.e. the address tree, and C-M-v the goal tree. C-M-d will revert to the default view. Examples of these four views are displayed in the windows below.

[Four proof windows showing the same proof (nodes top, top 1, top 1 1, ...; refinements "BY D 0 THENW Auto" and "BY D 3 THEN Auto") in the default view, the tactic tree, the address tree and the goal tree.]

Users may also want to create views on specific proof parts. Pressing C-M-p pops up a new proof window whose main proof is the current node. This window is considered a scratch window. Users may execute refinements in this window, but these refinements will not affect the original proof. If a statement has several proofs, pressing C-M-i will pop up a window that contains pointers to other proofs of this same statement.

[Proof window showing the same proof at the level of primitive rule instances: "BY rule instance direct computation hypothesis" and "BY rule instance unionElimination".]
110. when descending to the subterms of a ∀ and ∃ term. For other terms it does not modify the environment unless explicitly told so by the user, who may extend the list of environment update functions by applying the function add_env_update_fun. Further details can be found in the system file env.ml.

8.9.1.2 Relations

The rewrite package supports rewriting with respect to both primitive and user-defined equivalence relations. Some examples are

- t t', the computational equality relation
- t t' in T, the primitive equality relation of NUPRL's type theory
- P Q, the logical bi-implication
- i j mod n, the equality on the integers modulo a positive natural
- t t', equality of rationals represented as pairs of integers
- l l', the permutation relation on lists

The package also supports rewriting with respect to any relation that is transitive but not necessarily symmetric or reflexive, such as logical implication ⇒ and order relations, because proofs involving transitive relations and monotonicity properties of terms can be made very similar in structure to those involving equivalence relations and congruence properties.

For each user-defined relation the user has to provide the rewrite package with lemmata about transitivity, symmetry, reflexivity and strength, where a binary relation r over a type T is stronger than a relation r' if a r b implies a r' b for all a, b in T. These lemmata are used by the package fo
111. z u inr y v case e of inl z u inr y vw Cle z ax by decideEquality z C S4T st y T F e e S T ww D s S y e inl s e S 4T F u s x wj s z Clinl s z wx D t T y ez inr t e S T 0 t y vjt y ClinrG z ax

The same rule, applied as a tactic with explicit arguments:

    H |- case e1 of inl x1 => l1 | inr y1 => r1  =  case e2 of inl x2 => l2 | inr y2 => r2  in T
    BY decideEquality z T (A + B) u v w
    H |- e1 = e2 in A + B
    H, u:A, w: e1 = inl u  |-  l1[u/x1] = l2[u/x2]  in T
    H, v:B, w: e1 = inr v  |-  r1[v/y1] = r2[v/y2]  in T

In most cases the arguments of an inference rule can easily be determined from the proof goal. NUPRL's tactic collection therefore provides a set of single-step inference tactics that try to compute the arguments required by the corresponding inference rule from the actual proof context before executing the rule (see Section 8.1.3 below). In some situations, however, the relation between the proof goal and the arguments of the inference rule is not so obvious, and it is necessary that the user provides the rule arguments explicitly in order to be able to complete the proof.

8.1.3 Converting rules into tactics

NUPRL's basic mechanism for creating and modifying proofs is the application of proof tactics. These are functions that take a sequent, i.e. the goal, and generate a list of sequents, i.e. the subgoals, as well as a validation, which shows that a proof for the main goal can be constructed fro
112. z Z A F C 0 z ext base D z Z A x Z v 0 z fz C 10 z D F ind 2 fr s base y fy t t T wx by indReduceDown DL DL I 4 lt O ay E Clzx z ext s E Clx z ext t E t i indCi 1 fr s base y fy t fr t T ws D E indG z f s base y fy t t T ax by indReduceUp DL DL I 0 4 ay E t i indCi 1 fr s basesy fy t y fy t T vw D FE indG 2 f 8 base y fy t t T ww by indReduceBase DL DL HE base t T nx i 20 Z wy D E if u v then s else t if uv then s else t T ax by int egEquality T u Z ay TF v v Z m T v umv F s s T wy D v u fo t t T w u T F if uzv then s elset t T wx by int eqReduceTrue T t T w T v Z Ay T S u T F if uev then s elset t T wx by int_eqReduceFalse Prt t T wy DF uz v m D F if u v then s else t if uv then s else t T pax by lessEquality T Trovo 0 Z m DU v u lt v F s s T ws LU v u gt v Ft t T ww F u u Z ax T F if u v then s else t t T wx by lessReduceTrue T T Es t T nx r u vU Ax I E if u v then s elset t T wx by lessReduceFalse T T t T w F u gt U Ax 162 TEC ext 1j by arith j Tb Si Z Ax Decision procedure for elementary arithmetic subgoals for all non arithmetical exp
113. 11 3 eses 7210 ene C20 ri VidlNid e y

If none of e1, ..., en produces a token list containing tok and ? e follows, then control is passed to e. But if ! e follows, then e is evaluated and control is passed back to the beginning of the whole expression. If ?\id e or !\id e follows, then e is evaluated in an environment in which id is bound to the failure string tok (i.e. an evaluation equivalent to let id = tok in e is done), and then, depending on whether a ? or a ! occurred, the value of e is returned or control is passed back to the beginning of the whole expression, respectively. If none of e1, ..., en returns a token list containing tok and nothing follows, then the whole expression fails with tok.

(e1; e2; ...; en): e1, ..., en are evaluated in that order and the value of en is returned.

[e1; e2; ...; en]: e1, ..., en are evaluated in that order and the list of their values is returned. [] evaluates to the empty list.

let d in e: d is evaluated and then e is evaluated in the extended environment and its value is returned. The declaration d is local to e, so that after the evaluation of e the former environment is restored.

\p. e: The evaluation of lambda expressions always succeeds and yields a function value. The environment in which the evaluation occurs, i.e. in which the function value is created, is called the definition environment.

1. Simple lambda expressions p
114. 8.6 Simple Rewriting

Rewriting is the process of transforming goals and hypotheses into equivalent ones. In NUPRL rewrite tactics are based on unfolding and folding abstractions, applying primitive reductions and using equivalences in lemmata and hypotheses of the form ∀x1:T1 ... ∀xn:Tn. a = b. NUPRL's rewrite package (see Section ) provides a collection of ML functions for creating rewrite rules and applying them in various fashions. The rewriting tactics in this section are sufficient in many situations while hiding the complex conversion language of the rewrite package.

8.6.1 Folding and Unfolding Abstractions

    Unfolds as c
    Unfold a c  (as Unfolds [a] c)
        Unfold all visible occurrences of abstractions listed in the token list as in clause c. Unfolds fails if clause c contains none of the abstractions listed in as.
    RepUnfolds as c
        Repeatedly try unfolding any occurrences of abstractions listed in the token list as in clause c.
    RecUnfold a c
        Unfold all visible occurrences of the recursive definition of a in clause c.
    Folds as c
    Fold a c  (as Folds [a] c)
        Fold all visible occurrences of abstractions listed in the token list as in clause c. Folds fails if none of the subterms of clause c matches the right-hand side of an abstraction listed in as.
    RecFold a c
        Try to fold an instance of the recursively defined term a in clause c.

8.6.2 Evaluating Subexpressions

    Reduce c
    AbReduce c
        Repeatedly contract all primitive and abstract redices in clause c
115. [Table of contents residue; recoverable entries only]

    Semantics ................................. 150
    B  Introduction to NUPRL ML ............... 173
    B.2.2  Declarations ....................... 175
    B.2.3  Assignment ......................... 176
    B.2.4  Functions .......................... 177
    B.2.8  Tokens ............................. 179
    B.2.9  Strings ............................ 180
    B.2.10 Polymorphism ....................... 180
           Failure
117. [Proof window residue: refinements of a goal with hypotheses A, B in P and ¬A ∨ ¬B, each step shown as "BY ..."]

A refinement is always initiated for the proof goal at the current location of the cursor. Users are free to refine subgoals in any order and to modify already existing refinements. The latter will erase the proof tree at the current proof node and insert the result of the modified refinement into the proof window (see Section 6.4.1 for details). The old proof may however be recovered by walking through the proof editor history (see Section 6.4.2).

6.3.3 Generating Extract Terms

Proof steps are committed to the library as soon as a refinement step has been executed successfully. Users may therefore simply close the proof editor once a proof is complete. Like all other windows, the proof editor window will be closed by C-q. Pressing C-z instead will cause the proof editor to build the extract term of the proof before closing the proof window. As the extract term is constructed by assembling the validations contained in the refinements of each proof node, it can only be built if the proof is complete. Using C-z on an incomplete proof will close the proof window but pop up a window with an error message.

Term extraction is NUPRL's mechanism for supporting the proofs-as-programs principle. Extract terms describe the computational content of a proof and the algorithms that are synthesize
118. Clicking the middle mouse button (MIDDLE) on a piece of ML text will raise the code object where the corresponding ML function is defined, provided its definition is stored within the library.

One way to migrate an ML file into the system is to import its text. Entering the command

    import text filename

into the editor ML top loop will open a new window containing the contents of the file described by the string filename. Users may then copy and paste pieces of the text into any term editor that is in text mode, such as the ML top loop or code and comment objects. This feature also simplifies the on-line documentation of theories, as it allows importing previously written text and turning it into comment objects.

4.5 Process Top Loops

The Process Top Loops are NUPRL's interface to the system processes that run the editors, refiners or the library. They represent the top loops of the corresponding ML interpreters and do not provide any editing features. Their main purpose is to display system output and error messages and to execute maintenance and debugging commands. Usually they are run within an emacs shell to have some text editing support.

Most users will hardly ever use the process top loops, except for monitoring the process in case of long delays (see Section 4.6 below). There are, however, a few useful commands that advanced users may want to take advantage of. Most commands have to be entered as conventional ML expressions
119. ET ext 1j TES U Ax case e of inl x u inr y v e Cle1 z vx by decideEquality z C S4T s t y Tre e S4T Ax D s S y esinl s eS4T E wui s zi ua s xo Clinl s z vx D tT y e inr t e S4T v t yi valt ya ClinrCO 2 ix D 2 S T A F C ext case z of inlGz Su inr y vj by unionElimination i x y D 2 S T x S A inl z z D 2 S T y T Alinr yw z T E case inl s of inlGz u inr y gt by decideReduceLeft T F u s x t 2 T ww DI E case inr t of inl z u inr y 5v by decideReduceRight Tr E wt y t 2 T ay E Clinl z z ext y E Clinr y z ext y f 2 T ww t 2 e T Ax

    Basic Inference Rule                   Corresponding Tactic        Optional Tacticals
    (with required arguments)
    unionFormation
    unionEquality                          EqCD
    inlEquality j                          EqCD
    inlFormation j                         Sel 1 (D 0)
    inrEquality j                          EqCD
    inrFormation j                         Sel 2 (D 0)
    decideEquality z C (S+T) s t y         EqCD                        Using [z; C] With [S; T] New [s; t; y]
    unionElimination i s y                 D i
    decideReduceLeft                       ReduceEquands 0             ReduceAtAddr [2] 0
    decideReduceRight                      ReduceEquands 0             ReduceAtAddr [2] 0

A.3.4 Universes

    Γ |- U_k  ext U_j                    by universeFormation j        proviso j < k
    Γ |- U_j = U_j in U_k  ext Ax        by universeEquality           proviso j < k
    Γ |- T in U_k  ext Ax                by cumulativity j             proviso j < k
    Γ |- T in U_j  ext Ax

    Basic Inference Rule                   Corresponding Tactic        Optional Tacticals
    (with required arguments)
120. ETE-REGION leaves a text cursor at the old position of the region. If the region is of a term sequence, an empty term slot is left in place of the region. CUT-REGION has the same effect as a SAVE-REGION followed by a DELETE-REGION.

The paste commands for regions are the same as the basic paste commands described above. One can paste with a text cursor in a text slot or text sequence and a term cursor at any empty term slot. Pasting a sequence into another sequence of the same kind merges the pasted sequence into the sequence being pasted into. In this event the point is set to be the left delimiter for the sequence just pasted and the mark is set to be the right delimiter. This ensures proper functionality for the PASTE-NEXT operation. Otherwise, pasting an item into a sequence always incorporates the item as a single sequence element, and both the mark and point are set to that element. Note that it does not make sense to try to paste a term or a text sequence containing a term into a text slot that is not in a text sequence.

5.6.3 Mouse Commands

    LEFT          MOUSE-MARK-THEN-SET-POINT            set mark then point
    C-LEFT        MOUSE-MARK-THEN-SET-POINT-TO-TERM    set mark then point to term
    C-MIDDLE      MOUSE-PASTE                          paste region
    M-MIDDLE      MOUSE-PASTE-NEXT                     replace last paste with new paste
    C-M-MIDDLE    MOUSE-PASTE-COPY                     paste copy of region on stack
    C-RIGHT       MOUSE-CUT                            cut term or
121. FontTest in the library theory core_1. The INSERT-NEWLINE command is only appropriate in text sequences. Within terms the newline character is actually a term whose display is controlled by the display layout algorithm. Currently newly created objects contain an empty term slot. Removing this slot in ML and comment objects with C-C puts the editor into text mode. The term slot in abstractions and display forms cannot be removed.

The NUPRL fonts may be extended in the future. Executing the UNIX command

    xfd -font nuprl-13

pops up a display of the actual standard NUPRL font. Clicking LEFT on a character results in its decimal code being displayed.

[Table 5.1: NUPRL special character codes, a grid of the special characters with their decimal codes 120 to 250.]

5.4.2 Adding and Removing Slots

    C-U    OPEN-LIST-TO-LEFT            open slot to left of cursor
    M-U    OPEN-LIST-TO-RIGHT           open slot to right of cursor
    C-0    OPEN-LIST-LEFT-AND-INIT      open and initialize slot to left
    M-0    OPEN-LIST-RIGHT-AND-INIT     open and initialize slot to right
    C-C
122. T THENLL [l1, Ts1; ...; ln, Tsn]: Apply T and then do the following on each subgoal. Select the first list of tactics Tsi for which li matches the label of the subgoal. If the subgoal also has a number label j, run the jth tactic from Tsi on it; if it has no number label, run the first tactic listed in Tsi. THENLL fails if there are not sufficiently many tactics in Tsi. It runs the Id tactic if a subgoal label does not match any of the li.

SeqOnM [T1; ...; Tn]: Run the tactics T1 to Tn on successive main subgoals. (Unfortunately, main is currently used as both a class name and a particular label name, which means there is no way to select only subgoals with the particular label main.)

RepeatM T: Repeat the tactic T on main subgoals.
RepeatMFor n T: Repeat the tactic T on main subgoals exactly n times.

8.8.3 Multiple Clause Tacticals

Multiple clause tacticals allow applying a tactic T : int -> tactic to several clauses of a goal with n hypotheses.

On [c1; ...; cn] T = T c1 THENM ... THENM T cn: Run T on the clauses c1 to cn. If T succeeds on some clause, then On only continues on subgoals created by T that are labelled main.

AllHyps T = On [n; n-1; ...; 1] (λi. Try (T i)): Try running T on all hypotheses, starting with the end of the hypothesis list and working backwards. If T succeeds on some hypothesis, then AllHyps only continues on subgoals created by T that are labelled main.

All T = On [n; n-1; ...; 1; 0] (λi. Try (T i)): Try running T on all hypotheses and then on the conclusion.
123. ... $\Gamma \vdash C\ \mathrm{ext}\ m$ ... expresses the fact that the goal sequent $\Gamma \vdash C$ is provable if all the subgoals $\Gamma_i \vdash C_i$ are. Furthermore, it also describes how to construct an implicitly present member $m$ of $C$ from members $m_i$ of the subgoal conclusions $C_i$.

Rules may operate both on the conclusion and on the hypotheses of a proof goal. In most cases they simply decompose a type, or a member of a type, into smaller components. The rule for the formation of pairs, for instance, states that in order to form a member $\langle s,t\rangle$ of a product type $S \times T$ it suffices to form a member $s$ of the type $S$ and a member $t$ of $T$:

$$\begin{array}{l}
\Gamma \vdash S \times T\ \ \mathrm{ext}\ \langle s,t\rangle \quad \text{by independent\_pairFormation}\\
\quad \Gamma \vdash S\ \ \mathrm{ext}\ s\\
\quad \Gamma \vdash T\ \ \mathrm{ext}\ t
\end{array}$$

This rule can be applied to any goal whose conclusion is a product type. In this case $S$ is matched against the left and $T$ against the right component of that product, while $\Gamma$ is matched against the complete list of hypotheses. As a result NUPRL generates two new proof goals, the first with the left component as proof goal and the second one with the right component. The list of hypotheses remains unchanged in both cases.

8.1.1 Representation of Inference Rules

NUPRL's inference rules are not hard-wired into the code of the system but explicitly represented in the library as objects of kind rule. Rule definitions are terms in the sense described in Chapter 5, and they can be edited like any other term. The rule for the formation of pairs, for instance, is represented by a ...
124. [Jac93b] Paul Jackson. The Nuprl Proof Development System, Version 4.1 Reference Manual and User's Guide. Cornell University, Department of Computer Science, 1993.
[Jac94] Paul Jackson. The Nuprl Proof Development System, Version 4.2 Reference Manual and User's Guide. Cornell University, Department of Computer Science, 1994.
[KHH98] Christoph Kreitz, Mark Hayden, and Jason Hickey. A proof environment for the development of group communication systems. In C. Kirchner and H. Kirchner, editors, 15th Conference on Automated Deduction, volume 1421 of Lecture Notes in Artificial Intelligence, pages 317-331. Springer Verlag, 1998.
[KO99] Christoph Kreitz and Jens Otten. Connection-based theorem proving in classical and non-classical logics. Journal of Universal Computer Science, 5(3):88-112, 1999.
[KOSP00] Christoph Kreitz, Jens Otten, Stephan Schmitt, and Brigitte Pientka. Matrix-based constructive theorem proving. In Steffen Hölldobler, editor, Intellectics and Computational Logic. Papers in honor of Wolfgang Bibel, number 19 in Applied Logic Series, pages 289-205. Kluwer, 2000.
[Kre97] Christoph Kreitz. Formal reasoning about communication systems I: Embedding ML into type theory. Technical Report TR97-1637, Cornell University, Department of Computer Science, June 1997.
[Kre03] Christoph Kreitz. Building reliable, high-performance networks with the Nuprl proof development system. Journal of Functional Programming, 2003.
125. NUPRL offers users an opportunity to extend the basic language of type theory by introducing new abstract terms whose meaning is defined in terms of existing language constructs. In addition to that, users may also modify the visual appearance of abstract terms and adjust the presentation of formal material without changing the formal content itself, which makes it possible to use familiar notation or to present the same material differently to different target groups.

Users can create several kinds of library objects for this purpose. Abstractions are used to introduce the abstract definition of a new term, display forms define the textual presentation of abstract terms, and precedence objects assign precedences to terms to control automatic parenthesization. In Section 4.3.2.2 we briefly described how to create abstractions and display forms using the navigator's AddDef button. In this chapter we will describe the contents and features of abstractions, display forms, and precedences, as well as editor support for defining them.

7.1 Abstractions

Abstractions are terms that are definitionally equal to other terms. In NUPRL they may be defined in terms of language primitives and other abstractions, but the dependency graph for abstractions should be acyclic. In particular, an abstraction may not depend on itself. Recursive definitions can be introduced using the AddRecDef button, as described in Section 4.3.2.2.

Abstraction definitions have the form lh...
126. [Figure: the navigator window for the directory kreitz/user/theories, listing the objects not_over_and (STM), exists_uni_df (DISP), exists_uni (ABS) and exists_uni_wf (STM), with the abstraction object exists_uni opened next to it]

The abstraction object shows on the right hand side the term that defines the meaning of exists_uni(T; x.P(x)), and on the left hand side the form in which exists_uni(T; x.P(x)) is currently displayed. Right now this is identical to the abstract term form. To close the abstraction object again, press C-q.¹⁶

To change the appearance of the term exists_uni(T; x.P(x)) to ∃!x:T. P(x) you have to edit the accompanying display form. For this purpose, move the nav point one step up and open the object exists_uni_df.

[Figure: the display form object exists_uni_df (DISP, EdAlias exists_uni) opened next to the navigator window]
127. NUPRL allows users to load files containing ML code into the library, editor, or refiner processes. To do so a user has to type the command

loadt_system root_dir [path, files; ...; path, files]

into the respective ML top loop. root_dir is a string describing the root directory of the user's NUPRL files, path is a list of strings describing the sub-directory in which the specific files reside, and files is a list of file names (without the .ml extension) in that directory. The command will compile all the named files and load the compiled code into the current process. For instance,

loadt_system "/home/nuprl/lib/ml" [["standard"], ["a"; "b"]; ["testing"; "new"], ["d"; "e"; "f"]]

will compile and load files in the following order:

/home/nuprl/lib/ml/standard/a.ml
/home/nuprl/lib/ml/standard/b.ml
/home/nuprl/lib/ml/testing/new/d.ml
/home/nuprl/lib/ml/testing/new/e.ml
/home/nuprl/lib/ml/testing/new/f.ml

Compiled files will be stored in a sub-directory mlbin/os/lisp-version of the directory in which the ML files reside, where os is currently either linux or solaris and lisp-version is the name of the Lisp dialect that runs the process, e.g. allegro61 or cmucl. If these directories do not yet exist, an error message will be created.

4.4.3.3 Importing Text

One of the advantages of having code reside within the NUPRL library instead of in external files is that NUPRL links ML functions to the code object in which they are defined ...
128. PrintThyLong: Print theory with proofs (4.3.3.8)
PrintThyShort: Print theory contents
RmDir: Completely remove a directory (4.3.2.6)
commentObj: Create comments for an object (4.3.2.13)
mkRefEnv: Insert static RefEnv

Table 4.2: Navigator command buttons

[Figure 4.14: The ML Top Loop and the Evaluator History Window, with the buttons Previous, Next, Eval, Reset, Remove, SaveWOEval, RaiseEvaluator, LIB, EDD, REF, ShowRefenv, RaiseHistory and RaiseNavigator, and history entries such as "M-REF> FwdThruLemma", "M-REF> FwdThruLemma 2 2" and "tok -> int list -> tactic"]

Previous: Insert the previous command from the command history into the command line zone.
Next: Insert the next command from the command history into the command line zone.
Eval: Evaluate the command that is currently in the command line zone.
Reset: Reset the command line zone.
Remove: Remove the current command from the history and reset the command line zone.
SaveWOEval: Save the current command to the command history without evaluating it.
LIB: Switch to interaction with the library ML process.
EDD: Switch to interaction with the editor ML process.
REF: Switch to interaction with the refiner ML process.
ShowRefenv: Show the contents of the reference environment register (see the navigator's RefEnv register), i.e. the reference environment of the ML expression in the command line. This makes sense only in refiner mode.
RaiseHistory: Open an evaluator history window that shows the ...
129. ... $= T_2[s_2/x_2]$ for all $s_1, s_2$ with $s_1 = s_2 \in S_1$.

$T = S_1 \to T_1$ if $T = x{:}S_1 \to T_1$ for some $x \in V$.
$S_1 \to T_1 = T$ if $x{:}S_1 \to T_1 = T$ for some $x \in V$.

$x_1{:}S_1 \times T_1 = x_2{:}S_2 \times T_2$ if $S_1 = S_2$ and $T_1[s_1/x_1] = T_2[s_2/x_2]$ for all $s_1, s_2$ with $s_1 = s_2 \in S_1$.
$T = S_1 \times T_1$ if $T = x{:}S_1 \times T_1$ for some variable $x$.
$S_1 \times T_1 = T$ if $x{:}S_1 \times T_1 = T$ for some variable $x$.

$S_1 + T_1 = S_2 + T_2$ if $S_1 = S_2$ and $T_1 = T_2$.

$\mathbb{U}_i = \mathbb{U}_j$ if $i = j$ as natural numbers.

$(s_1 = t_1 \in T_1) = (s_2 = t_2 \in T_2)$ if $T_1 = T_2$, $s_1 = s_2 \in T_1$ and $t_1 = t_2 \in T_1$.

$\mathrm{void} = \mathrm{void}$. $\mathrm{Atom} = \mathrm{Atom}$. $\mathbb{Z} = \mathbb{Z}$.

$(i_1 < j_1) = (i_2 < j_2)$ if $i_1 = i_2 \in \mathbb{Z}$ and $j_1 = j_2 \in \mathbb{Z}$.

$T_1\ \mathrm{list} = T_2\ \mathrm{list}$ if $T_1 = T_2$.

$\mathrm{rectype}\ X_1.\,T_1 = \mathrm{rectype}\ X_2.\,T_2$ if $T_1[X/X_1] = T_2[X/X_2]$ for all types $X$.

$\{x_1{:}S_1 \mid T_1\} = \{x_2{:}S_2 \mid T_2\}$ if $S_1 = S_2$ and there are terms $p_1, p_2$ and a variable $x$ which occurs neither in $T_1$ nor in $T_2$ such that $p_1 \in \forall x{:}S_1.\ T_1[x/x_1] \Rightarrow T_2[x/x_2]$ and $p_2 \in \forall x{:}S_1.\ T_2[x/x_2] \Rightarrow T_1[x/x_1]$.

$T = \bigcap x{:}S_1.\,T_1$ for some variable $x$ (non-dependent intersection on the left); $\bigcap x{:}S_1.\,T_1 = T$ for some variable $x$ (non-dependent intersection on the right).
$\bigcap x_1{:}S_1.\,T_1 = \bigcap x_2{:}S_2.\,T_2$ if $S_1 = S_2$ and $T_1[s_1/x_1] = T_2[s_2/x_2]$ for all $s_1, s_2$ with $s_1 = s_2 \in S_1$.

$x_1,y_1{:}T_1 /\!/ E_1 = x_2,y_2{:}T_2 /\!/ E_2$ if $T_1 = T_2$ and there are terms $p_1, p_2, r, s, t$ and variables $x, y, z$ which occur neither in $E_1$ nor in $E_2$ such that
$p_1 \in \forall x{:}T_1.\,\forall y{:}T_1.\ E_1[x,y/x_1,y_1] \Rightarrow E_2[x,y/x_2,y_2]$,
$p_2 \in \forall x{:}T_1.\,\forall y{:}T_1.\ E_2[x,y/x_2,y_2] \Rightarrow E_1[x,y/x_1,y_1]$,
$r \in \forall x{:}T_1.\ E_1[x,x/x_1,y_1]$,
$s \in \forall x{:}T_1.\,\forall y{:}T_1.\ E_1[x,y/x_1,y_1] \Rightarrow E_1[y,x/x_1,y_1]$, and
$t \in \forall x{:}T_1.\,\forall y{:}T_1.\,\forall z{:}T_1.\ E_1[x,y/x_1,y_1] \Rightarrow E_1[y,z/x_1,y_1] \Rightarrow E_1[x,z/x_1,y_1]$.

Table A.3: Ty...
130. The ∃! has two subterms, T and P, and binds one variable in the second. To create a template for entering the details, type exists_uni(0;1) into the add_def template:

[Template: add_def ... = rhs]

This tells the system to create a term called exists_uni whose first subterm has no bound variables and whose second subterm has one bound variable. The template shown on the right appears as soon as you have entered the right parenthesis that closes the subterm list. Pressing ↓ then moves the edit point into the first term slot:

[Template: add_def exists_uni(term; binding.term) = rhs]

Enter T ↓ x ↓ so_var1. This puts T into the first term slot, makes x the binding variable in the second, and states that the second term will be a second-order variable of arity 1 (see Chapter 7.1):

[Template: add_def exists_uni(T; x.variable(id; term)) = rhs]

Note that NUPRL's term editor treats any unknown name as a variable name, while names that can be linked to active object identifiers and display forms will cause the corresponding template to appear. Thus T will be inserted as a variable name, while so_var1 creates a new template; x had been entered into a binding slot and is thus viewed as a variable. Should you mistype so_var1 and actually enter an identifier that is unknown to NUPRL, say sovar1, the identifier will appear as a variable name in the term slot.

[Template: ad...
131. The Nuprl Proof Development System, Version 5: Reference Manual and User's Guide

Christoph Kreitz, Department of Computer Science, Cornell University, Ithaca, NY 14853-7501, U.S.A. kreitz@cs.cornell.edu

Preface

This manual is a reference manual for version 5 of the NUPRL proof development system. As the NUPRL system is constantly under development, this manual will always be incomplete. In particular, it is missing information about recent advanced features of the system and about certain extensions of NUPRL's type theory that are currently being added to the system. More recent information, and the system itself, can be found at the NUPRL web pages, http://www.nuprl.org.

From its beginnings in the 1980s the PRL project has been guided by Robert Constable. Over the years many researchers and students at Cornell have contributed to the theoretical foundations, the design, and the implementation of the NUPRL system. The major developers of NUPRL 5 are Stuart Allen, Rich Eaton, and Lori Lorigo. They have provided explanations for many of the new system features and added new ones that are helpful for novice users while this manual was written. Mark Bickford has used and tested the system extensively and designed many extensions that are currently being added to the system.

Although the architecture of the NUPRL system has significantly changed in release 5, the basic structure of the proof and term editors, of abstractions and display forms, of ...
132. The term for the right hand side of the definition is entered in the usual structural top-down fashion of the term editor, as explained in the section on the term editor.

Closing the add_def templates creates a display form object opid_df, an abstraction object opid, and a statement object opid_wf, where opid is the object identifier of the new abstract term. The abstraction object contains exactly the left and right hand sides of the definition as entered into the add_def templates. The display form object contains a display form for the abstract term that makes the term look like the left hand side of the definition, but can easily be modified. The statement object is empty, as there are no defaults for initiating a well-formedness theorem. All three objects will be placed immediately after the navigation pointer, which remains at its current position, and are already activated. Entering exists_uni(T; x.P(x)) and ∃x:T. P(x) ∧ ∀y:T. P(y) ⇒ y = x ∈ T into the add_def templates, for instance, creates the three objects shown on the right of Figure 4.5.

Definitions can also be created with the command lib_thy_add_def lhs rhs directory position, where lhs is the left hand side of the definition, rhs its right hand side, directory the object identifier ...

In NUPRL 4 this convention made it easier for tactics to access the well-formedness theorems corresponding to a certain abstraction. Although NUPRL 5 offers a more general method for making objects depend on each oth...
133. [Figure: the navigator window for user/theories before and after creating a directory; the left window lists the navigator command buttons (MkTHY, MkThyDir, ExportThy, OpenThy, CloseThy, ChkThy, ChkAllThys, ChkOpenThy, CheckMinTHY, MinTHY, EphTHY, ExTHY, Mill, ObidCollector, NameSearch, PathStack, RaiseTopLoops, PrintObjTerm, PrintObj, MkThyDocObj, ProofHelp, ProofStats, showRefEnvs, FindTheoriesMin, CpObj, reNameObj, EditProperty, SaveObj, RmLink, MkLink, RmGroup, ShowRefenv, SetRefenvSibling, SetRefenv, ProveRR, SetInOBJ, MkTHM, MkML, AddDef, AddRecDef, AddRecMod, AddDefDisp, AbReduce, NavAtAp, Act, DeAct, MkThyDir, RmThyObj, MvThyObj), the right window shows the new entries CODE init_user and DIR kreitz]

Enter the name of the directory and click OK or press ↓ twice. This will create the new directory object, place it immediately below the previous nav point, and move the navigation pointer to it, as shown in the right window.

2.4 Creating Theorem Objects

Before one can prove a theorem in NUPRL, one has to create an object that contains it. Clicking the MkTHM button after moving into the user directory will open a template for entering the name and kind of a new library object. The edit point will be in the name slot.

[Template: OK / Cancel, ToggleRefenvRelationship, SetRelativeRefenv, create new thm ...]
134. ... a navigator, an ML top loop, and three windows for the library, refiner, and editor processes. Among these, the navigator window is the most important one, as most user interaction goes through the navigator. The ML top loop will only be needed for more advanced tasks that have not yet been integrated into the navigator. The process windows receive all system output and error messages and are usually only needed for maintenance and debugging purposes. Users may also connect to existing library and refiner processes and then only see one Lisp process window.

[Figure 4.1: Initial NUPRL 5 screen: the navigator window for the ROOT directory (entries local, system_aux, system, theories; command buttons Activate, deActivate, NameSearch, PathStack, Clone, RaiseTopLoops, Mill, SaveObj, commentObj, CountClosure, ObidCollector, MkLink, MkObj, MkDir, MkTHM, CpObj, reNameObj, EditProperty, RmLink, RmObj, RmDir, RmGroup), the ML top loop (buttons Previous, Next, Eval, Reset, Remove, SaveWOEval, LIB, EDD, REF, ShowRefenv, RaiseHistory, RaiseNavigator), and the process windows]

4.2.1 The Navigator Window

The navigator window, shown on the left of the screen in Figure 4.1, is divided into three major zones: a command zone, a library statistics zone, and a navigation zone. The command zone can be found in the upper p...
135. ...able. Due to its implementation in Lisp, NUPRL runs more efficiently if more memory is available; in large applications it can utilize several gigabytes of RAM. NUPRL 5 can also profit from multiple processors or a network of computers, because the library, editor, and refiner run as independent processes.

3.2 Preparation

Before NUPRL 5 can be started for the first time, it needs to be installed properly, and certain configuration files must be set up for each user.

3.2.1 Retrieving and Installing NUPRL 5

The executable copy of NUPRL 5 running under Linux can be found by going to the NUPRL 5 web page http://www.nuprl.org/nuprl5/index.html and following the link to the download pages for the actual NUPRL 5 release. To retrieve NUPRL 5, read the instructions in the various README files for up-to-date information. Currently the release can be found at the URL ftp://ftp.cs.cornell.edu/pub/nuprl/nuprl5, but this directory may be moved in the future.

Currently you have to download the following files:

install.tgz
nuprltop.tgz
nuprl5.tgz
standard-db.tgz
nuprl5-linux-cmucl-run.tgz

If you run Solaris instead of Linux, download the file nuprl5-solaris-cmucl-run.tgz instead of nuprl5-linux-cmucl-run.tgz. Experienced users who want to build their own NUPRL binaries or modify system tactics may also want to download the file nuprl5-source.tgz.

For a single-user installation it is best to build the NUPRL system within a sub...
136. ...ach window contains the indicator PRF, denoting the kind of the object being viewed, and the name of the statement object associated with the proof. The numbered parts of these windows are as follows.

(1) The status symbol indicates that this proof node is considered incomplete. Other symbols are used for complete proofs and for bad proofs.
(2) top 1 and top 1 2 are tree addresses of the nodes being viewed. The left window shows the first child of the root of the proof, and the right window shows the second child of that proof node.
(3) Some nodes are annotated to indicate the nature of the proof goal. Typical annotations are wf for well-formedness subgoals, or upcase and downcase in inductive proofs. These annotations may be used by tactics, but are mainly intended to assist the users.
(4) This is the goal sequent of the proof node. Hypotheses are numbered and listed vertically. The conclusion is at the bottom, after the turnstile.
(5) This is a tactic which was executed on the goal (4) above in order to generate the subgoals below. The BY is part of the proof node display and is not part of the tactic. In an unrefined proof there is an empty text slot after the BY. Below it are the subgoals of the proof node. Each subgoal comes with a status, an address, and the subgoal sequent. For brevity, only hypotheses that have changed or been added are displayed in the subgoal sequents.
(6) If a subgoal has a proof, it is displayed immediately ...
137. ... add the following line to your .cshrc or .login file:

set path = (nuprl/bin $path)

The syntax is slightly different for other Unix shells.

To support the use of special mathematical symbols in formal theorems, the NUPRL system requires some special font files to be installed. These files are contained in the directory nuprl/fonts/bdf and must be included in the font search path of the X server controlling your display. Add the following lines to your .xinitrc file:

xset fp+ nuprl/fonts/bdf
xset fp rehash

These commands tell X the font path to the NUPRL fonts when the X server is first started. One may also run them interactively in some shell to add the font path to the current X environment.

It is not sufficient to have the NUPRL fonts available on the system that runs NUPRL 5. This may cause some complications when running NUPRL 5 remotely, particularly when the Exceed X server under Windows NT/98/2000 is used as terminal.

Most X window systems understand bdf font files. However, one may also compile the font files into machine-specific fonts to allow faster reading. To compile fonts one has to use the command bdftosnf on Sparc stations and bdftopcf on Linux PCs. After the fonts have been compiled, one has to execute the command mkfontdir to make the font directory. Sometimes the X server has limited access to the file system; in this case the font files may need to be placed in a public directory. Your system administ...
138. ...akes parsing unnecessary. All visible structure and notation is generated by the editor process, which consults display forms that describe how to read an abstract term. The separation between internal representation and external presentation makes formal notation extremely flexible and expressive, as it supports an almost arbitrary syntax and allows information to be presented differently depending on context and the preferences of the users of NUPRL.

The kind of an object is a description of the intended role of the abstract term. It allows making a distinction between theorems, definitions, tactics, comments, etc., and identifying structure information when assembling theories. Currently the following kinds are defined:

statement objects contain a proposition and a reference to a proof. If the proof is complete, the proposition is considered a theorem or a lemma; otherwise it is a conjecture. A statement object for a complete theorem also contains the extract term of the theorem.

proof objects contain NUPRL proofs, i.e. directed acyclic graphs of references to inference steps, where the conclusion of a child inference is a premise of its parent inference. A proof is complete if all its leaves are closed by inferences.

inference objects contain records of actual inference steps. These may consist of instances of primitive rules, of tactic executions, or more generally of applications of inference engines that are connected to the NUPRL ...
139. ...al at the current proof node and reuses the proofs of subgoals that were already refined in the previous proof. This is useful when some of the newly created subgoals are identical to subgoals of the previous refinement of that node. In the example below, for instance, replacing the tactic D 0 by D 0 THENW Auto generates the same main subgoal, and initiating the refinement with C-↓ preserves the proof of that subgoal (center window). In previous releases that proof would have been lost and the whole proof would have become incomplete (right window).

[Figure: three proof windows (top, top 1, top 1 1) for the theorem not_over_and, with hypotheses 1. A:ℙ, 2. B:ℙ, 3. ¬(A ∧ B), conclusion ¬A ∨ ¬B, and the refinements BY D 0, BY D 0 THENW Auto, BY D 3 THEN Auto and BY Auto; the subgoal 4. A ∧ B ⊢ False appears in each]

Instead of reusing the proof of a specific subgoal, users may also want to reuse the tactics that had been applied to the subgoals of the previous refinements. Using M-↓ instead of C-↓ causes NUPRL 5 to reuse the tactic tree of the previous proof for subsequent refinements. This is useful when the new refinement generates subgoals that are different from the previous ones but that can be solved in the same way. If users want to discard the original proof and just execute a single new refinement step, they may enter the ...
140. ...ame of the theorem, not_over_and, and click OK or press ↓ twice. This will create a new statement object named not_over_and.

2.5 Proving Theorems

To state and prove a theorem, one has to open the corresponding object. Pressing the right arrow key when the nav point is at a statement object pops up a new window that shows the contents of this object. If the theorem has not been stated yet, there will be a goal slot in the upper part of the window, and the rule slot next to the keyword BY below will be empty. The status symbol in the upper left corner means that the theorem is not complete yet, while the top next to it indicates that the top node of the proof tree is being displayed. (Right now the creation of a theorem object requires the current directory to contain at least one object.)

[Figure: the empty proof window PRF not_over_and (goal slot, BY with empty rule slot) next to the navigator window for kreitz/user/theories; the theorem to be entered is one of the De Morgan laws, ¬(A ∧ B) ⇒ ¬A ∨ ¬B]
141. ... and if this succeeds with value E, then E is returned as the value of e1 ? e2; however, if e1 fails, then the result of evaluating e1 ? e2 is determined by evaluating e2. In describing evaluations, when we say that we pass control to a construct, we mean that the outcome of the evaluation is to be the outcome of evaluating the construct. For example, if when evaluating e1 ? e2 the evaluation of e1 fails, then we pass control to e2.

Expressions and patterns can be optionally decorated with types by writing : ty after them (e.g. : int list). The effect of this is to force the type checker to assign an instance of the asserted type to the construct. This is useful as a way of constraining types more than the type checker would otherwise, i.e. more than context demands, and it can also serve as helpful documentation. Details of types and type checking are given in Section B.5 and will be ignored in describing the evaluation of ML constructs in the rest of this section.

If we omit types, precedence information, and those constructs which are equivalent to others, then the syntax of ML can be summarized by

d ::= let b | letref b | letrec b | ...
b ::= var p1 ... pn = e | b1 and b2 and ... and bn
p ::= () | var | p1, p2 | [p1; p2; ...; pn] | ...
e ::= () | var | e1 e2 | e1 ? e2 | ... | failwith e | if e1 then e2 loop e3 if e4 then e5 loop e6 ... else e7 | ...
142. ... and Gérard Huet. The CAML primer. Rapports Techniques 122, Institut National de Recherche en Informatique et en Automatique, September 1990.
[Cha82] T. Chan. A decision procedure for checking PL/CV arithmetic inferences. In Introduction to the PL/CV2 Programming Logic, volume 135 of Lecture Notes in Computer Science, pages 227-264. Springer Verlag, 1982.
[CHP84] Guy Cousineau, Gérard Huet, and Larry Paulson. The ML handbook. 1984.
[Dil96] David Dill. The Murphi verification system. In R. Alur and T. Henzinger, editors, Computer Aided Verification (CAV'96), volume 1102 of Lecture Notes in Computer Science, pages 390-393. Springer Verlag, 1996.
[GM93] Michael Gordon and T. Melham. Introduction to HOL: a theorem proving environment for higher order logic. Cambridge University Press, 1993.
[GMW79] Michael J. Gordon, Robin Milner, and Christopher P. Wadsworth. Edinburgh LCF: A mechanized Logic of Computation. Number 78 in Lecture Notes in Computer Science. Springer Verlag, 1979.
[Hay98] Mark Hayden. The Ensemble System. PhD thesis, Cornell University, Department of Computer Science, 1998. Technical Report TR98-1662.
[Hol97] G. J. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering, 23(5):279-295, 1997.
[Jac93a] Paul Jackson. Nuprl ML Manual. Cornell University, Department of Computer Science, 1993.
[Jac93b] Paul ...
143. ... and should have the form Veto Ido Va O O SEXTUS d P duet s fa da, where k, m ≥ 0 and r should be the weaker of r1 and r2. Transitivity lemmata should be named (opid of r)_transitivity_index. Transitivity lemmata are not needed for primitive equality relations.

Weakening Lemmata extend the usefulness of the transitivity and functionality lemmata. They should have the form Vago peo lg GE A e s o mom di, where k, m ≥ 0 and r1 is weaker than r2, and be named (opid of r1)_weakening_index. Weakening lemmata are required for all reflexive relations r1 with r2 being equality.

Inversion Lemmata are used by the Rev atomic conversions, and in conjunction with weakening, transitivity, and functionality lemmata when these mix order and equivalence relations. They are required for equivalence relations, but not for equality or order relations. Inversion lemmata should have the form Veto eee Va RT d ee cu sed Se XS VES, where k, m ≥ 0, and should be named (opid of r)_inversion.

Note that for order relations one only needs lemmata for one direction, as the other can be derived from them. For example, one does not require both the lemma ∀a,b,c. a < b ⇒ b < c ⇒ a < c and ∀a,b,c. a > b ⇒ b > c ⇒ a > c.

If NUPRL finds a lemma missing in the course of constructing a rewrite justification, it prints out an error message suggesting the kind and structure of the missing lemma. After adding an appropriate lemma to the library, y...
144. ... are maintained on a stack, which enables nesting of tactics that use optional arguments. Tacticals for manipulating these arguments are:

New [v1; ...; vn] (var list) T: Runs tactic T with the variables v1 to vn as optional arguments. Typically New is used to supply a tactic with names for newly created variables. The argument labels of the vi are v1 to vn.

With t (term) T: Runs tactic T with the term t as optional argument, which may for instance be a term to be instantiated for a variable or the type of some subgoal. The argument label of t will be t1.

At U (term) T: Runs tactic T with the term U as optional universe argument. U should be either a type universe or a propositional universe term.

Using sub ((var # term) list) T: Runs tactic T with the substitution sub as optional sub argument. The substitution sub may be applied to instantiate variables or to indicate dependencies in some term.

Sel k (int) T: Runs tactic T with the integer k as optional argument. Sel is used for selecting a simple component of a formula or a subterm of a term. The argument label of k will be n.

Thinning T: Runs tactic T with the token yes as optional thinning argument. Some tactics may optionally remove, or thin, hypotheses that are considered superfluous after a refinement step. Thinning causes T's default behavior to be to thin.

NotThinning T: Runs tactic T with the token no as optional thinning argum...
145. ...ared over the years between the time it was first designed and implemented by Milner, Morris, and Wadsworth at the University of Edinburgh in the early 1970s and the time it was settled and standardized in the mid 1980s. The original ML, the meta-language of the Edinburgh LCF system, is defined in [GMW79]. The ML used in the NUPRL system is fairly close to the original. It is derived from an early version that Huet at INRIA and Paulson at the University of Cambridge were working on in 1981. Todd Knoblock at Cornell made most of the NUPRL-specific modifications in the mid 1980s. NUPRL's ML hasn't changed since then and is not compatible with the ML versions that are widely used today.

The ML of Huet and Paulson is described in the preface to The ML Handbook [CHP84]. Huet used this version in the Formel project, and it subsequently evolved into a version of ML called CAML. Paulson also used it as part of the first version of Cambridge LCF, but switched to Standard ML in the later versions of Cambridge LCF [Pau87]. The CAML language is now rarely used, but there is a scaled-down version called CAML Light which is actively used in teaching programming to over 10,000 engineers a year in France. Its object-oriented version, OCaml, has become quite popular in recent years and has been used in the implementation of the group communication toolkit Ensemble [BCH+00]. The Standard ML language has also become increasingly popular for implementing theorem p...
146. art of the navigator window, as in most NUPRL 5 windows. It contains several buttons, which are indicated by a marker at the end of a piece of text. Clicking these buttons with the left mouse button will trigger the action described by the text and occasionally pop up a template that needs to be filled in. The arrow buttons in the window also operate as buttons that can be clicked for faster scrolling. The commands linked to the navigator buttons are described in detail in Section 4.3 below. Many commands require interaction with the user, for instance typing in the name of an object to be created. The interaction takes place through templates and additional command buttons that will appear on top of the command zone, as illustrated in Section . The additional buttons and slots created depend on the individual command. It should be noted that the buttons in the command zone may depend on the directory that is currently shown by the navigator. Subsequent snapshots will show, for instance, that the buttons for the standard theories include a variety of theory-specific buttons that are not relevant for the root directory. NUPRL allows users to customize the command zone by adding new buttons tailored for specific modes of operation in certain theories. The statistics zone immediately above the display of library contents shows directory statistics: the line beginning with Navigator describes the current directory path, beginning with the
147. ast one of its proofs is complete. If a statement object is linked to more than one proof object, one of them is considered the actual proof. The proof editor enables users to switch between proofs for the same statement, which allows them to formalize different approaches to solving the same problem or to work on a better proof for a theorem while preserving the existing ones. The system provides a few ML functions for accessing the components of a proof:

  var_of_hyp  : int -> proof -> var
  type_of_hyp : int -> proof -> term
  conclusion  : proof -> term
  hypotheses  : proof -> assumption list
  refinement  : proof -> rule
  children    : proof -> proof list
  mk_sequent  : (var # term # bool) list -> term -> proof
  refine      : rule -> tactic

The function mk_sequent is the only way to build unrefined proofs in NUPRL, while refine is the only way of constructing functions that modify proofs from scratch. The proof editor implicitly makes use of these functions when a user initiates and refines a proof.

6.1.3 Refinement Rules
Refinement rules in NUPRL serve two purposes: they decompose a goal sequent into a list of subgoal sequents, and they provide a validation which transforms evidence for the validity of the subgoals into evidence for the validity of the original goal. Refinement rules are therefore implemented as functions that transform a proof into a list of unrefined proofs and a validation v. The validation in turn is a f
148. ators are provided as primitives (where the dollar symbol is omitted from the table, the constants are $do, $/ and so on):

  do      : * -> void
  not     : bool -> bool
  + - * / : int -> int -> int
  < >     : int -> int -> bool
  =       : * -> * -> bool
  @       : * list -> * list -> * list
  .       : * -> * list -> * list

Clarifying remarks:
- do is equivalent to \x. (): do e evaluates e for its side effects.
- / returns the integer part of the result of a division; for example 7/3 = (-7)/(-3) = 2 and (-7)/3 = 7/(-3) = -2. The failure token for division by zero is div.
- - is the binary subtraction function. Negation (unary minus) is not available as a predeclared function of ML, only as a prefix operator. Of course the user can define negation if he or she wishes, e.g. by let minus x = -x.
- Not all dollared infix operators are included above: $, is not provided since it would be equivalent as a function to the identity on pairs; nor is $& as it has no corresponding call-by-value function, because e & e' evaluates to false when e does, even if evaluation of e' would fail to terminate; nor is $or, analogously. The period symbol is an infixed Lisp cons.
- $= is bound to the expected predicate for an equality test at non-function types, but is necessarily rather weak and may give surprising results at function types. You can be sure that semantically (i.e. extensionally) different functions are not equal and that s
149. ay that the slot is empty or uninstantiated. Place holders for subterms of a term are term slots, while others are text slots. The labels that appear in the place holders (the var, type or prop in the example above) are controlled by the definition of the term's display form. If a text (term) slot contains a text string (term), we say that the slot is filled or instantiated. If a display form has no uninstantiated slots, then it is considered complete. Place holders re-appear when the contents of slots are removed.

  name        INSERT TERM name         insert name into empty slot
  C-I name    INSERT TERM LEFT name    insert name using existing term as left subterm
  M-I name    INSERT TERM RIGHT name   insert name using existing term as right subterm
  C-S name    SUBSTITUTE TERM name     replace existing term with name
  C-M-I       INIT TERM                initialize term slot
  C-M-S       SELECT DFORM OPTION      select display form variations

To insert terms into term slots one may use the editor commands listed above. In these commands, name is a string of characters naming a new term to be inserted. The interpreter for name strings checks each of the following conditions until it finds one which applies:
1. name is an editor command enabled in a particular context.
2. name is an alias for some display form, defined in the library object for that display form.
3. name is the name of a display form object. In this case it refers to the first display form defined in that o
150. ays identical to the goal sequent of the current proof node and that p also includes validations.
2. Instead of simply replacing the proof node by the proof p, the editor stores p together with the tactic text in a tactic rule.
3. The tactic rule is inserted as refinement of the proof node, and the leaves p1,...,pn become the new children of the node.
(This may change in the future, as NUPRL may also accept proofs provided by external proof engines without transforming them into type-theoretical proofs.)
The display of the tactic rule hides the proof tree p: when one views a tactic rule refinement, one only ever sees the text of the tactic. From a logical point of view it is not strictly necessary to keep p around at all after the tactic has executed. However, it is necessary to access the validation contained in the proof when constructing the extract term of the main theorem. Running a tactic as a refinement rule makes it appear in a proof as a high-level rule of inference and consequently greatly increases the readability of proofs.
Note that applying a tactic rule to an already refined proof node overwrites the existing proof tree. The editor first discards the existing refinement of the node and then proceeds as described above. The previous refinement, however, remains stored in the library and can still be accessed and reinserted into the proof.

6.2 The Proof Editor
The proof editor is designed to support the top-down refi
151. b c is displayed as a b c. Similarly, function(A; function(B; C)) is displayed as A -> B -> C, but function(function(A; B); C) is displayed as (A -> B) -> C. The L, E and blank characters in the display of term slot formats are display forms for parenthesization control terms. To change the parenthesis slot options one may delete the term and enter the new option using the names shown in the table below.

  Name      Display   Description
  lparens   L         L option
  eparens   E         E option
  sparens             blank option

The parenthesization control terms also allow the specification of the delimiter characters used for parenthesization and a precedence for the individual slot. No specific editor support has yet been provided for these features.

7.2.5 Examples
As an example we walk through the entry of a display form definition from scratch. We start by creating a new display form object and viewing it. Click the MkObj button, enter tst_df as name and disp as kind, and click the OK button. Open the object by pressing the right arrow or clicking on it with the mouse. This will pop up a window containing a highlighted empty term slot. Initialize the display form definition by entering C-M-I. The window now looks like this. We begin by entering the right hand side of the display form. Click LEFT on the rhs placeholder and enter exists_unique 0 1 to create a new term (see Section 5.4.4). Do not fill in the variable
152. be relaxed in the future.

8.4 Forward and Backward Chaining
Forward and backward chaining means treating a component of a universal formula (see Section 8.2.5) as a derived inference rule. Backward chaining involves matching the conclusion of the goal against the consequent of a universal formula, which leaves the instantiated antecedents of the universal formula as new subgoals. Forward chaining involves matching hypotheses of the goal against antecedents of a universal formula and asserting the instantiated consequent of the universal formula as a new hypothesis. A simplified version of forward chaining is instantiating the universal formula by explicitly providing a list of terms to be substituted for the quantified variables.
The universal formulas consulted by chaining tactics can be found either in the hypotheses of the current proof goal or as lemmas in the library. Therefore each tactic comes in two versions:

InstHyp [t1;...;tn] i
InstLemma name [t1;...;tn]
  Instantiate hypothesis i or lemma name with terms t1,...,tn. If the lemma has m distinct level expressions, the first m terms should be level expressions to substitute for these.
InstConcl [t1;...;tn]
  Instantiate existential quantifiers in the conclusion with terms t1,...,tn.
FHyp i [h1;...;hn]
FLemma name [h1;...;hn]
  Forward chain through hypothesis i or lemma name, matching its antecedents against any of the hypotheses h1,...,hn. The order of the hi is immaterial; the tactics try all possib
153. However, it is recommended to use the interactive version of the command.
[Figure: the navigator window for the directory kreitz/user/theories with an AddDef template (OK, Cancel, add_def, rhs) on top of the command zone. The command zone shows the buttons MkTHY, OpenThy, CloseThy, ExportThy, ChkThy, ChkAllThys, ChkOpenThy, CheckMinTHY, MinTHY, EphTHY, ExTHY, ObidCollector, NameSearch, PathStack, RaiseTopLoops, PrintObjTerm, PrintObj, MkThyDocObj, ProofHelp, ProofStats, showRefEnvs, FixRefEnvs, CpObj, reNameObj, EditProperty, SaveObj, RmLink, MkLink, RmGroup, ShowRefenv, SetRefenvSibling, SetRefenvUsing, SetRefenv, ProveRR, SetInOBJ, MkTHM, MkML, AddDef, AddRecDef, AddRecMod, AddDefDisp, AbReduce, NavAtAp, Act, DeAct, MkThyDir, RmThyObj, MvThyObj; the statistics zone reads Total 4, Point 0, Visible 4; the listed objects include exists_uni_df (DISP) and exists_uni (ABS).]
154. binds occurrences of x in P. Secondly, it states that the term is to be presented as ∃!x:T. P. In NUPRL a formal definition requires the creation of two new objects: an abstraction, which defines the abstract term, and a display form, which defines its syntactical appearance (see Chapters 7.1 and 7.2). In addition to that, it is advisable to prove a well-formedness theorem, which describes the type of the newly introduced term. All three objects can be created with the AddDef mechanism. To initialize this mechanism, click the AddDef button with the left mouse button. This will open a template for defining the abstract term:
[Figure: the navigator window for the directory kreitz/user/theories with an empty AddDef template (OK, Cancel, add_def, rhs) on top of the command zone; the statistics zone reads Total 1, Point 0, Visible 0.]
To enter the new term on the left hand side of the definition you have to provide its name (or object identifier) and a list of subterms
155. bject.
4. name is of the form ni, where n is the name of a display form object and i is a natural number. ni refers to the i-th display form definition in the object named n. Definitions in objects are numbered starting from 1.
Note that this order gives display form names and aliases preference over abstraction names. The operator identifier of a term cannot be used to identify a term if it is neither of these three. This is particularly important when referring to the elementary terms of type theory. To find out how to refer to a particular term, mark the term and enter C-X df to see its display form, or C-X ab to see the abstraction that defines it, if there is one.
5. name is the name of an abstraction object. In this case it refers to the earliest display form in the library for that abstraction.
6. name is all numerals; then the term referred to is the term natural_number{n}() of NUPRL's object language.
7. If none of the above applies, name is assumed to refer to the term variable{v}().
Since names always have acceptable extensions as variable names, the editor does not interpret name until some explicit terminator, such as NO OP or a cursor motion command, is typed. RIGHT EMPTY SLOT (see Section 5.5) is a particularly useful terminator. INSERT TERM name is only applicable at empty term slots. It results in the display form referred to by name being inserted into the slot. If name is ter
156. bject. It then checks the object before closing the window. This checking has the same effect on library objects as using the ML check command. If the check fails, then the window is left open. If you still want to close the window, use QUIT instead. Separate save and check commands are described in Section 5.7.1.
QUIT is an abort command. It closes the window, abandoning any changes made to the window since it was last checked by attempting EXIT.
JUMP NEXT WINDOW allows one to cycle around all the currently open windows, including any proof editor windows.

5.4 Entering Information
Term editor windows for ML and comment objects initially open in text mode, while abstractions and display forms usually open in term mode. Special display forms allow opening text slots in term windows, while special key sequences are used to open term slots within text sequences (see Section below).

5.4.1 Inserting Text
The following commands are for inserting text whenever the editor is in text mode:

  char      INSERT CHAR char         insert char
  C-num     INSERT SPEC CHAR num     insert special char
  RET       INSERT NEWLINE           insert newline

Standard ASCII printing characters (including space) self-insert in text mode. Non-standard characters can be inserted using INSERT SPEC CHAR num, where num is the decimal code for the character. Table 5.1 lists the currently available special character codes. Alternatively, special characters can be copied from the object
157. by applying f to the elements of l in turn.
Definition:
  letrec map f l = if null l then [] else f (hd l) . map f (tl l)

The following three functions are versions of reduce:
  itlist     : (* -> ** -> **) -> * list -> ** -> **
  rev_itlist : (* -> ** -> **) -> * list -> ** -> **
  end_itlist : (* -> * -> *) -> * list -> *
Description:
  itlist f [x1;...;xn] x     = f x1 (f x2 ( ... (f xn x)))
  rev_itlist f [x1;...;xn] x = f xn ( ... (f x2 (f x1 x)))
  end_itlist f [x1;...;xn]   = f x1 (f x2 ( ... (f x(n-1) xn)))
Definition:
  letrec itlist f l x = if null l then x else f (hd l) (itlist f (tl l) x)
  letrec rev_itlist f l x = if null l then x else rev_itlist f (tl l) (f (hd l) x)
  let end_itlist f l = if null l then failwith `end_itlist`
                       else let (last . rest) = rev l in rev_itlist f rest last
or equivalently:
  letrec itlist f = fun [] x . x | (y . l) x . f y (itlist f l x)
  letrec rev_itlist f = fun [] x . x | (y . l) x . rev_itlist f l (f y x)

B.7.4 List searching functions
The functions described in this section search lists for elements with various properties. Those functions that return elements fail if no such element is found; those that return booleans never fail (false is returned if the element is not found).
  find    : (* -> bool) -> * list -> *
  tryfind : (* -> **) -> * list -> **
158. by invoking a term editor (Chapter 5) or a proof editor (Chapter 6);
5. check the validity of objects and theories;
6. export and import theories;
7. print library objects and theories to text and LaTeX files.
The same operations can also be initiated from NUPRL's ML top loop, which provides an interactive interface to the ML system of the editor process. The difference is that the navigator provides a visual interface to the library, while the ML top loop requires a user to enter ML commands that will be accepted by the NUPRL 5 editor and communicated to the library. The ML top loop also provides additional functionality, such as experimenting with NUPRL functions, loading ML files and exploring the NUPRL state. These functions can also be executed from the ML top loop that was initially started by the editor process. The difference between these two top loops is that NUPRL's ML top loop runs in a term editor window and thus supports most of the editing commands described in Chapter 5. In contrast to that, the process ML top loop runs in a Unix shell that does not support editing NUPRL terms, but may support text editing features if run from within emacs. Furthermore, most library functions are not accessible from the process top loop. NUPRL's ML top loop can also be run as refiner ML top loop or as library ML top loop. In these cases the ML top loop interfaces with the refiner process or the library process instead of the editor. This means t
159. ce new names id for the types ty. Within the scope of the declaration the expression e:id behaves exactly like e:ty, and the type ty will always be printed as id. One aspect of such type abbreviations should be emphasized. Suppose for the rational numbers you declare lettype rat = int # int and set up the standard operations on rationals. Within the scope of this declaration any expression of type int # int will be treated as though it had type rat, and this could be not only confusing but also incorrect, in which case it ought to cause a type failure. If you wish to introduce the type rat isomorphic to int # int but not matching it for type checking purposes, then you should use abstract types.

B.5.5 Abstract types
As with concrete types, abstract type constructors may be introduced by a declaration in which type variables are used as dummy arguments (or formal parameters) of the operators. The syntax of abstract type bindings ab is
  ab ::= vtyarg1 tycon1 = ty1 and ... and vtyargn tyconn = tyn with b
where each vtyargi must contain no type variable more than once, and all the type variables in tyi must occur in vtyargi. An abstract type declaration takes the form
  abstype|absrectype ab
The declaration introduces a set of type operators and also incorporates a normal binding b (treated like let) of ML identifiers. Throughout the scope of the abstract type declaration the type operators and ML identifiers are both available, but it is
160. claration and T' is α-equal to T.
Contradiction   Prove goals where both P and ¬P occur in the hypothesis list.
Assert t   Assert term t as last hypothesis. Generates a main subgoal with t asserted and an assertion subgoal to prove t. Logically this inference is often called a cut. A more general variant is AssertAt i t, which asserts t before hypothesis i.
Thin i   Delete hypothesis i.
MoveToHyp i j   Move hypothesis i to before hypothesis j.
MoveToConcl i   Move hypothesis i into the conclusion. If the goal has the form H ⊢ C where A is the i-th hypothesis in H, then MoveToConcl generates the main subgoal H' ⊢ A ⇒ C (H' being H without A). If the i-th hypothesis is a declaration x:T, it generates the main subgoal H' ⊢ ∀x:T. C. MoveToConcl first invokes itself recursively on any hypothesis that might depend on hypothesis i.
MoveDepHypsToConcl i   Use MoveToConcl to move all hypotheses that use the variable declared by hypothesis i into the conclusion. Hypothesis i itself will not be moved.
RenameVar v i   Rename the variable declared in hypothesis i to v.
RenameBVars σ c   Rename all occurrences of bound variables in clause c using the substitution σ (a (var # var) list).
The following two tactics are usually used inside other tactics:
Id   The identity tactic, which does not change the proof goal.
Fail   The tactic that always fails.

8.3.3 Decision procedures
Decision procedures use special-purpose reasoning to decide problems within a specific limited application domain. In many ca
161. [Figure 4.8: Editing Object Properties; the listed objects are stack_create (CODE) and mk_stack (DIR).]
the name of the property (e.g. DESCRIPTION, NAME or reference environment) and a term slot for entering the value of that property. It is not recommended to enter the value of a particular property directly. Instead, one should make use of the command buttons for editing the important object properties that are immediately above the two slots. Each of the buttons in the top row represents a particular property of the current object, which will be inserted into the slots upon clicking the button. These buttons vary depending on the kind of the object. Clicking the NAME button, for instance, will insert the token NAME into the token slot and the term object_name into the term slot, where object_name is a token describing the object's name. Clicking reference environment will insert the token reference environment into the token slot and the term Obid(object_identifier) into the term slot, where object_identifier is the identifier of the object that is immediately before the current object in the ephemeral reference environment chain. A user may now edit these properties by modifying the corresponding terms. The buttons in the bottom row are the same for all objects. Clicking ReferenceEnvironment inserts the reference environment property into the two slots; ReadFromLib inserts the stored value of the current property back into
162. ct analogously to using loop in place of then.

  let same x y = if x > y then failwith `greater`
                 if x < y then failwith `less`
                 else x;;
  same : int -> int -> int
  let gcd (x,y) = letref x,y = x,y
                  in same x y !! `greater` x := x - y
                              !! `less`    y := y - x;;
  gcd : int # int -> int
  gcd (12,20);;
  4 : int

B.2.13 Type abbreviations
Types can be given names:
  lettype intpair = int # int;;
  type intpair defined
  let p = 12,20;;
  p = 12,20 : intpair
The new name is simply an abbreviation; for example, intpair and int # int are completely equivalent. The system always uses the most recently defined name when printing types:
  gcd;;
  gcd : intpair -> int
  gcd p;;
  4 : int

B.2.14 Abstract types
New types can also be defined by abstraction. For example, to define a type time we could use the construct abstype:
  abstype time = int # int
    with maketime(hrs,mins) = if hrs < 0 or 23 < hrs or mins < 0 or 59 < mins then fail
                              else abs_time(hrs,mins)
    and hours t = fst(rep_time t)
    and minutes t = snd(rep_time t);;
  maketime : intpair -> time
  hours : time -> int
  minutes : time -> int
This defines an abstract type time and three primitive functions: maketime, hours and minutes. In general an abstract type declaration has the form abstype ty ty
163. ctness of a NUPRL proof depends only on the correctness of these rules and of NUPRL's refiner. The refiner is a fixed piece of Lisp that applies primitive rules to unrefined leaves of proofs. In contrast to previous releases of NUPRL, users of NUPRL 5 cannot invoke primitive rules directly. The proof editor expects users to enter tactics when refining a proof, which means that primitive rules have to be converted into tactics before they can be applied (see Section 8.1.3). Furthermore, using primitive rules would require users to understand how mathematical concepts are coded within type theory. Tactics operate at a higher level of reasoning and are much easier to deal with.

6.1.3.2 Tactic Rules
As explained in detail in Chapter 8, tactics are ML functions that enable one to automate the application of primitive rules. If one applies a tactic to a proof and the tactic does not fail, then the tactic returns a proof built entirely from primitive rules. The NUPRL proof editor treats a tactic like a single inference rule and only displays the unrefined leaves of the generated proof tree. Users may view the generated primitive proof on demand. More precisely, if a tactic rule is applied to a proof node, the NUPRL proof editor will perform the following steps:
1. The ML text of the tactic is interpreted by the ML system and applied to the current proof node, resulting in a proof tree p with unrefined leaves p1,...,pn. Note that the root goal of p is alw
164. d while formally solving a program specification problem. These algorithms are proven to satisfy the specification and can be executed by the NUPRL term evaluator, as described in Section 4.4.3.1. Once created, extract terms and the corresponding proof extract tree can also be viewed from within the proof editor. Typing C-M-v pex pops up the extract term of the saved proof, while C-M-v pet shows the proof extract tree. The windows below, for instance, show a complete proof of the statement ∀A,B:P. ... and the term extracted from that proof.
[Figure: a proof editor window (buttons top, Refresh, Quit) with the complete proof, refined BY Auto and BY D 0 THEN D 3 THEN Auto, and the get_prf_extract window showing the extracted term, a case analysis returning Ax in both the inl and the inr branch.]

6.4 Advanced Editing Features
6.4.1 Modifying existing refinements
In previous releases of NUPRL, modifications to an existing refinement of a proof node caused the entire proof tree below that node to be lost. Often, however, some of the subgoals generated by the new refinement could be solved by replaying certain parts of that proof tree. Since NUPRL 5 immediately commits all successful refinement steps to the library, it is possible to reuse these steps when a proof is modified. The default refinement, initiated by pressing C-RET or C-M-RET, refines the go
165. d by T.
T THENL [T1;...;Tn]   Apply T and then run Ti on the i-th subgoal generated by T. T must create exactly n subgoals.
T ORELSE T'   Apply T. If it fails, run T' instead.
Try T   (= T ORELSE Id) Apply T. If it fails, leave the proof unchanged.
Complete T   Apply T but fail if T generates subgoals, i.e. does not complete the proof.
Progress T   Apply T but fail if T does not change the goal, i.e. makes no progress.
Repeat T   Repeat running T on subgoals created by previous applications until no further progress is made.
RepeatFor n T   Repeat the application of T exactly n times.
If p T T'   Apply T if p pf evaluates to true, where pf is the current proof goal. Otherwise run T'.

8.8.2 Label Sensitive Tacticals
Label sensitive tacticals allow one to apply a tactic only to goals with a particular label, or to goals of one of the classes main, aux and predicate (cf. Section 8.2.3). For the former, the label associated with the tactic has to match exactly the label of the goal. For the latter, one may use the class names main, aux and predicate as wild cards.
IfLab lab T T'   If lab matches the label of pf, run T. Otherwise run T'.
IfLabL [lab1,T1; ...; labn,Tn]   Run the first tactic Ti for which labi matches the label of pf. If none of the labels match, leave the proof unchanged.
T THENM T'   (= T THEN IfLab `main` T' Id)
T THENA T'   (= T THEN IfLab `aux` T' Id)
T THENW T'   (= T THEN IfLab `wf` T' Id)
  Apply T and then run T' on all main (aux, wf) subgoals
166. d_def exists_uni T x sovar1
There are two ways to correct that mistake. You may delete the term sovar1 by clicking LEFT over it, pressing M-P to mark the full term and then C-K to cut it. Afterwards you enter so_var1 RET to get the correct template. Note that C-K saves the term in a cut buffer and that you can paste this term with C-Y. To delete a term without saving it you need to press C-C. Alternatively, you may use NUPRL's generic undo command, which will restore the empty term slot. Move the edit cursor into that slot, either by pressing RET or by clicking LEFT over it, and then enter so_var1 RET. Entering P RET x RET next generates P[x] and moves the edit point into the right hand side of the definition:
  OK Cancel add_def exists_uni T x P[x]
To enter the right hand side of the definition you have to proceed in a structural top-down fashion. Type exists RET x RET T RET and RET so_var1 RET P RET x RET:
  OK Cancel add_def exists_uni T x P[x]   ∃x:T. P[x] ∧ ...
and then all RET y RET T RET implies RET so_var1 RET P RET y RET equal RET x RET y RET T RET:
  OK Cancel add_def exists_uni T x P[x]   (complete right hand side)
The definition is now complete. To save it to the library, click OK or press RET again. This closes the AddDef template and creates a display form exists_uni_df of kind DISP, an abstraction object exists_uni of kind ABS and a well-formedness theorem e
167. d together into universes. Types built from the base types, such as Z or Atom, using the various type constructors are in universe U1. The subscript 1 is the level of the universe. Types built from universe terms with level at most i are in universe U(i+1). Universe membership is cumulative: each universe also includes all the types in lower universes. Since propositions are encoded as types, propositions reside in universes too. In keeping with the propositions-as-types encoding, we define a family of propositional universe abstractions P1, P2, ... which unfold to the corresponding primitive type universe terms U1, U2, .... If one is only allowed to use constant levels for universes, one often has to choose levels for theorems arbitrarily. One would then find that one needed theorems that were stated at a higher level and would have to reprove those theorems. This was the case in NUPRL 3 and earlier releases. NUPRL now allows one to prove theorems that are implicitly quantified over universe levels. Quantification is achieved by parameterizing universe terms by level expressions rather than natural number constants. The syntax of level expressions is given by the grammar
  E ::= v | k | E' | [E1 | E2]
The v are level expression variables, which can be arbitrary alphanumeric strings. They are implicitly quantified over all positive integer levels. The k are level expression constants, which can be arbitrary positive integers. The i are level expression i
168. dard constructor of two arguments is +: * + ** is the disjoint union of the types * and **, and associated with it are the following primitives:
  isl  : * + ** -> bool    tests membership of left summand
  inl  : * -> * + **       injects into left summand
  inr  : ** -> * + **      injects into right summand
  outl : * + ** -> *       projects out of left summand
  outr : * + ** -> **      projects out of right summand
These are illustrated by:
  let x = inl 1 and y = inr 2;;
  x = inl 1 : int + *
  y = inr 2 : * + int
  isl x;;
  true : bool
  isl y;;
  false : bool
  outl x;;
  1 : int
  outl y;;
  evaluation failed   outl
  outr x;;
  evaluation failed   outr
  outr y;;
  2 : int
Abstract types such as time defined above can be thought of as type constructors with no arguments, i.e. nullary constructors. The abstype with construct may also be used to define non-nullary type constructors (with absrectype in place of abstype if these are recursive). For example, trees analogous to LISP S-expressions could be defined by
  absrectype * sexp = * + (* sexp # * sexp)
    with cons(s1,s2) = abs_sexp(inr(s1,s2))
    and car s = fst(outr(rep_sexp s))
    and cdr s = snd(outr(rep_sexp s))
    and atom s = isl(rep_sexp s)
    and makeatom a = abs_sexp(inl a);;
  cons : * sexp # * sexp -> * sexp
  car : * sexp -> * sexp
  cdr : * sexp -> * sexp
  atom : * sexp
169. ddison-Wesley, 1988.
L. Wos, S. Winker, W. McCune, R. Overbeek, E. Lusk, R. Stevens and R. Butler. Automated reasoning contributes to mathematics and logic. In M. E. Stickel, editor, 10th Conference on Automated Deduction, volume 449 of Lecture Notes in Computer Science, pages 485-499. Springer-Verlag, 1990.
170. dependent processes that can connect to the library at any time.

2.1 Preparation
We assume that the NUPRL 5 system has already been installed (see Section 3.2.1) and can be found in the directory /home/nuprl/nuprl5. We also assume that the NUPRL 5 binaries can be found in /home/nuprl/bin and that the NUPRL fonts are installed in the directory /home/nuprl/fonts/bdf. Make sure that your Unix path includes /home/nuprl/bin and that the X server has NUPRL's fonts loaded. Create a file nuprl.config in your home directory with the following entries:
  libhost HOSTNAME
  dbpath /home/nuprl/nuprl5/NuprlDB
  libenv standard
The HOSTNAME for the libhost configuration should be the name of the host running the library process. The values for dbpath and libenv describe the physical and logical location of the standard library. Optional settings, like specific colors and fonts for the NUPRL windows, may also be given in that file.
Copy the file /home/nuprl/nuprl5/mykeys.macro to your home directory. NUPRL reads the file mykeys.macro to determine the key bindings that will be used in various windows. You need it to initialize the key combinations described in this manual and to customize them according to your own preferences later.

2.2 Running NUPRL 5
For the basic NUPRL 5 configuration you need to run three processes: a library, an editor and a refiner. The library (nulib) should be started first. The editor (nuedd) and the refiner (n
171. der variable is essentially an identifier, as with normal variables, but it also has an associated arity n > 0. Second-order terms are a generalization of terms that can be thought of as terms with holes, i.e. as terms with missing subtrees. They can be represented by bound terms such as x1,...,xn.t, where the binding variables are place holders for the missing subtrees. In a second-order binding v -> x1,...,xn.t the arity of v must be equal to n. An instance of a second-order variable v with arity n is a term v(a1,...,an), where a1,...,an are terms, also called the arguments of v. A second-order substitution is a list of second-order bindings. The result of applying the binding v -> x1,...,xn.t to the variable instance v(a1,...,an) is the term t[a1,...,an/x1,...,xn]: the arguments of the instance of the second-order variable fill the holes of the second-order term.

In our above example P is a second-order variable with arity 1 and the terms P(x) and P(y) are second-order variable instances. Consider unfolding an instance of the left-hand side, say the term ∃!i:Z. i = 0 ∈ Z. The substitution generated by matching this against ∃!x:T. P(x) would be P -> i. i = 0 ∈ Z and T -> Z, and the result of applying this to the right-hand side of the definition would be ∃x:Z. x = 0 ∈ Z ∧ ∀y:Z. y = 0 ∈ Z ⇒ y = x ∈ Z. Roughly, second-order terms are like functions on terms, but there are subtle differences between the two concepts. Actua
172. directory of the user's home directory. For a default installation this subdirectory should be called nuprl. For a multi-user installation it is recommended to build NUPRL in a directory /home/nuprl and to create a user nuprl and a group nuprl that gives users controlled access to this directory.

In the following we describe the default single-user installation for Linux. Instructions for a custom installation can be found in the file README.install.

Move all the downloaded tgz files into your home directory and then untar the file install.tgz using the commands

    SHELL PROMPT> cd
    SHELL PROMPT> tar xzf install.tgz

This will build a directory nuprl in which you will find an installation script install-nuprl5.pl as well as a file README.install with instructions for building NUPRL 5. As the installation procedure may change in the future, it is advisable to read these instructions before starting the actual installation. Enter the nuprl subdirectory and execute the installation script:

    SHELL PROMPT> cd nuprl
    SHELL PROMPT> install-nuprl5.pl

This will untar the other tgz files in your home directory and build the NUPRL system within the current directory. The NUPRL knowledge base will be installed at nuprl/nuprl5/NuPrlDB. The library, editor and refiner processes, as well as several utilities, can be found in nuprl/bin. To run NUPRL 5 the directory for NUPRL binaries must be included in the user's Unix load path. To do so
173. e its arguments from the proof context. For the sake of efficient interaction, the heuristics built into these tactics only determine variable names, universe levels, types of subterms and term dependencies, while the user always has to provide the clause index and values to be substituted for variables. A user may also want to override the choices made by the single-step decomposition tactics. For this purpose NUPRL provides a collection of tacticals, i.e. functions that take tactics as arguments and generate tactics, that enable a user to supply rule arguments explicitly (see Section 8.2.2 for details). Arguments may be supplied to tactics as follows.

Clause index: Most single-step tactics require a clause index to be given as explicit argument. By convention (see Section 8.2.1.1 for a discussion) the index 0 stands for the conclusion of the proof goal, while positive numbers indicate hypotheses. As a convenience, negative indices can be used to count backwards from the end of the hypothesis list: the index -1 indicates the last hypothesis in the goal, -2 the second to last, etc. The rule independent_pairFormation, for instance, operates on the conclusion and is represented by the single-step tactic D 0. The rule hypothesis i is represented by NthHyp i.

Variable names: All tactics in NUPRL's library automatically assign names to new variables. In rare cases a user may want to select different names. The tactical New takes as an input a li
174. e meta parameters, meta bound variables and meta terms. Meta parameters and meta bound variables correspond to text slots on the left-hand side of a definition, and meta terms correspond to term slots. The meta parameters are different from those used in abstraction definitions. To be clear, we sometimes call those ones abstraction meta variables and the ones in display definitions display meta variables.

The right-hand side term is restricted to being a term whose subterms are either constant terms, i.e. terms with no meta variables, or meta terms. To enter a meta term into a term slot one has to use the name mterm. To turn parameters and variables into meta parameters or meta bound variables, position a text cursor in the appropriate parameter or bound variable slot and give the CYCLE META STATUS command (C-M) twice. Display meta variables are readily recognized because they have < and > as delimiters. The rhs (right-hand side) term may also contain normal parameters, bound variables and variable terms. These are treated like constants: for a definition to be applicable they must match exactly.

7.2.3 Format Sequences

Format sequences are text sequences that may contain slots for meta variables and commands for controlling the layout of formal material through insertion of optional spaces, line breaking and indentation. Except for text strings, all formats must be entered into term slots, which may be created as described in Sect
175. e been implemented by Philippe Le Chenadec on Multics and by Maurice Migeon on Symbolics 3600. The ML system is maintained and distributed jointly by INRIA and the University of Cambridge.

B.1.2 Preface to Edinburgh LCF

ML is a general-purpose programming language. It is derived in different aspects from ISWIM, POP2 and GEDANKEN, and contains perhaps two new features. First, it has an escape and escape-trapping mechanism, well adapted to programming strategies which may be (in fact usually are) inapplicable to certain goals. Second, it has a polymorphic type discipline which combines the flexibility of programming in a typeless language with the security of compile-time type checking; as in other languages you may also define your own types, which may be abstract and/or recursive.

For those primarily interested in the design of programming languages, a few remarks here may be helpful, both about ML as a candidate for comparison with other recently designed languages and about the description of ML which we provide. On the first point, although we did not set out with programming language design as a primary aim, we believe that ML does contain features worthy of serious consideration; these are the escape mechanism and the polymorphic type discipline mentioned above, and also the attempt to make programming with functions (including those of higher type) as easy and natural as possible. We are less happy about the imperative aspects of
176. e contains no line breaks and always is laid out on a single line. If a linear zone doesn't fit on a single line, the layout algorithm chooses subterms to elide (see Section 5.3) to try and make it fit. When laying out a soft zone, the layout algorithm first tries treating it as a linear zone. If that would result in any elision, then it treats the zone as a hard zone.

The soft break format sbreak a is similar to the break format but is not as sensitive to the zone kind. Soft breaks in linear zones are never taken, but otherwise the layout algorithm uses a separate procedure to choose which soft breaks to take and which not. This procedure uses various heuristics to try and lay out a term sensibly in a given size window with as little elision of subterms as possible.

7.2.3.4 Optional Spaces

The space format Space inserts a single blank character if the character before it isn't already a space. Otherwise it has no effect.

7.2.4 Attributes

Attributes specify extra information about display form definitions. By default, display form definitions are created with a right-hand side term, a standard sequence of formats and a single alias attribute. Moving the cursor over the whole attribute term and using C-0 or M-0 will create additional attribute slots to the left or right of this attribute. Possible display form attributes are summarized in the table below. The Name column gives the name that has to be entered into a term slot to cr
177. e functions usually fail with failure string equal to their name; sometimes, however, the failure string is the one generated by the subfunction that caused the failure.

B.7.1 General purpose functions and combinators

The standard primitive combinators are I, K and S:

    I : * -> *
    K : * -> ** -> *
    S : (* -> ** -> ***) -> (* -> **) -> * -> ***

    Description:  I x = x        K x y = x        S f g x = f x (g x)
    Definition:   let I x = x    let K x y = x    let S f g x = f x (g x)

The derived combinators KI (the dual of K), C (the permutator), W (the duplicator), B (the compositor) and CB (which is declared to be infix) have types

    KI : * -> ** -> **
    C  : (* -> ** -> ***) -> ** -> * -> ***
    W  : (* -> * -> **) -> * -> **
    B  : (** -> ***) -> (* -> **) -> * -> ***
    CB : (* -> **) -> (** -> ***) -> * -> ***

    Description:  KI x y = y     C f x y = f y x       B f g x = f (g x)
                  W f x = f x x  (f CB g) x = g (f x)
    Definition:   let KI = K I   let C f x y = f y x   let B f g x = f (g x)
                  let W f x = f x x   let (f CB g) x = g (f x)

The next group of functions are various useful infixed function composition operators. o gt xx x gt gt ok gt x Ck gt x d ek gt okok gt x gt KK Co gt e gt wk CRRA gt gt xk gt ok gt xxx Description fog zu gu f g z y f 2 gy fCog xy C ifog xy f gy x Definition ml paired infix o let
178. e to have theories be objects within other theories, there is no reliable method for moving such a theory within a theory directory without making its static reference environment inconsistent. Conceptually, most sub-theories are not autonomous theories in themselves but only means for structuring a theory into smaller fragments. Placing them in sub-directories is more appropriate than opening a new theory. Therefore NUPRL does not allow theories to contain other theory objects.

4.3.3.2 Creating Theories and Sub-Theories

Theories are created by clicking the MkTHY command button. This will open a token slot on top of the command zone into which a user may enter the name of the theory. Also visible is a reference to the object after which the theory will be placed. This object will be used for building the reference environment of the theory. Upon closing the template by clicking OK or typing ↵, a new directory will be placed immediately after the navigation pointer. This directory contains a code object named RE_init_theory name, the specification of the static reference environment of the new theory. An example of such a static reference environment is shown in Figure 4.3.3.2. Users should not move theory objects or create objects immediately before them without fixing the static reference environment, since otherwise the static reference environment of that theory would be inconsistent with the visible presentation of the library. To create
179. ePropWith T, which tries running the tactic T before abandoning a search path in an or-branch, and continues the search on any main subgoal that T creates.
• ProvePropi, which leaves main subgoals at or-branching points of the search for a solution when the search down every branch fails.

JProver: Prove a goal that involves only first-order reasoning. JProver is a complete theorem prover for first-order intuitionistic logic that is based on a strategy called the connection method [KO99]. Upon success it generates a sequent proof for the proof goal that may be inspected by the user. Since first-order logic is undecidable, JProver will not terminate if the goal cannot be proven and must be interrupted. JProver is run as an external prover, which means that the METAPRL proof engine must be connected to NUPRL before invoking JProver.

8.3.3.2 Exploiting properties of relations

Eq: Prove goals of the form H ⊢ s = t ∈ T using hypotheses that are equalities over T and the laws of reflexivity, commutativity and transitivity. Eq also uses hypotheses that are equalities over a type T' when T = T' can be deduced from other hypotheses using reflexivity, commutativity and transitivity.

RelRST: Prove goals by exploiting common properties of binary relations, including reflexivity, symmetry, transitivity, irreflexivity, antisymmetry and linearity. The heart of RelRST is a routine that builds a directed graph based on the binary relations in a sequent
180. eate the attribute, while the Display column describes how it will be presented within a display form definition.

    Name    Display       Description
    alias   EdAlias(a)    alias for definition input
    ithd    Hd(a)         head of iteration family
    ittl    Tl(a)         tail of iteration family
    parens  Parens        parenthesis control
    prec    Prec(a)       precedence
    index   Index(a)      definition name
    conds   C1 ... Cn     conditions

The alias attribute provides an alternate name which the input editor recognizes as referring to the definition. Alternate names are often convenient abbreviations for the full names of definitions. The iteration attributes ithd and ittl control selection of a definition by the display layout algorithm. They are used to come up with convenient notations for iterated structures, which are discussed in Section 7.2.4.1. The parens and prec attributes affect automatic parenthesization, described in Section . The index attribute, together with the name of the object containing a definition, gives a unique name for the definition. Conditions specify requirements for using a display form definition. Each condition Ci in the conds term is a term with an alphanumeric label associated with the display form definition.

7.2.4.1 Iteration

The iteration attributes control the choice of display form definition based on immediately nested occurrences of the same term. The idea is to group occurrences into iteration families. An iteration family has a head disp
181. ec b is similar to evaluating let b except that
(a) the binding b in letrec b must consist only of function definitions;
(b) these functions are made mutually recursive.

For example, consider

    (a) let f n = if n = 0 then 1 else n * f (n - 1)
    (b) letrec f n = if n = 0 then 1 else n * f (n - 1)

The meaning of f defined by the first case depends on whatever f is bound to before the declaration is evaluated, while the meaning of f defined by the second case is independent of this and is the factorial function.

B.4.1.1 The evaluation of bindings

There are three kinds of variable binding, each of which, when evaluated, produces a set of variable-value pairs or fails:

1. Simple bindings, which have the form p = e, where p is a pattern and e an expression.
2. Function definitions, which have the form id p1 ... pn = e. This is just an abbreviation for the simple binding id = \p1 ... pn. e.
3. Multiple bindings, which have the form b1 and b2 and ... and bn, where b1, b2, ..., bn are simple bindings or function definitions. As a function definition is just an abbreviation for a certain simple binding, each bi (0 < i < n+1) either is or is an abbreviation for some simple binding pi = ei. The multiple binding b1 and b2 and ... and bn then abbreviates (p1, p2, ..., pn) = (e1, e2, ..., en), which is a simple binding.

As function definitions and multiple bindings are abbreviations for simple bindings, we need only describe the evaluation of the latter. A simple binding p = e i
182. ed is the contents of the location to which var is bound.

e1 e2: e1 and e2 are evaluated, and the result of applying the value of e1 (which must be a function) to that of e2 is returned. Due to optimizations in the ML compiler, the order of evaluation may vary.

px e: e is evaluated and then the result of applying px to the value of e is returned. -e and not e have the obvious meanings. do e evaluates e for its side effects and then returns ().

e1 ix e2: e1 & e2 is equivalent to if e1 then e2 else false, so sometimes only e1 needs be evaluated to evaluate e1 & e2. e1 or e2 is equivalent to if e1 then true else e2, so sometimes only e1 needs to be evaluated to evaluate e1 or e2. In all other cases e1 and e2 are evaluated, in that order, and the result of applying ix to their two values is returned.

e1, e2 returns a pair whose first component is the value of e1 and whose second component is the value of e2. The meaning of the other infixes is given in Section B.6.

p := e: Every variable in p must be assignable and bound to some location in the environment. The effect of the assignment is to update the contents of these locations in the store with the values corresponding to the variables produced by evaluating the binding p = e (see Section B.4.1.1). If the evaluation of e fails then no updating of locations occurs and the assignment fails similarly. If the matching to p fails then the assignment fails with MATCH. The value o
183. ed using NUPRL's X typed. A predefined mechanism helps with setting up new module type definitions, adding projection functions as module component selectors, and updating the AbReduce tactic (Section ) to recognize applications of these functions. Like adding recursive definitions, it proceeds in two phases. In the first phase, clicking the AddRecMod command button will create a code object that contains the ML function create_rec_module_at, which will later build the actual module. Currently the object contains the function call in its raw form, providing a few slots for the user to describe the module.

A more elegant approach is implementing record types as dependent function types on a type of labels. This approach does not require creating definitions that map field selectors onto projection functions, but is somewhat more complex theoretically and not yet supported by the existing tactics collection.

[Figure: Navigator window with the command button zone: MkTHY, OpenThy, CloseThy, ExportThy, ChkThy, ChkAllThys, ChkOpenThy, CheckMinTHY, MinTHY, EphTHY, ExTHY, Mill, ObidCollector, NameSearch, PathStack, RaiseTopLoops, PrintObjTerm, PrintObj, MkThyDocObj, ProofHelp, ProofStats, showRefEnvs, FixRefEnvs, CpObj, reNameObj, EditProperty, SaveObj, RmLink, MkLink, RmGroup, ShowRefenv, SetRefenvSibling, SetRefenvUsing, SetRefenv, ProveRR, SetInOBJ, MkTHM, MkML, AddDef, AddRecDef, AddRecMod, AddDefDisp, AbReduce, NavAtAp, Act, DeAct, MkThyDir, RmThyObj, MvThyObj] Naviga
184. edices and the folding/unfolding of abstractions in advanced rewrite strategies. Computation conversions for interactive invocation are described in Section 8.9.3.

UnfoldTopAbC, UnfoldsTopC as, UnfoldTopC a, UnfoldsTopC a: Unfold t if it is an abstraction with operator identifier listed in as.
AUnfoldsTopC attrs: Unfold t if it is an abstraction that has any of the attributes in attrs (see Section 7.1.3).
RecUnfoldTopC a: Unfold the recursive definition of a if it occurs on the top level of t.
FoldsTopC as, FoldTopC a, FoldsTopC a: Try to fold an instance of an abstraction whose operator identifier is listed in as.
RecFoldTopC a: Try to fold an instance of the recursively defined term a on the top level of t.
RecUnfoldTopC and RecFoldTopC work only with recursive definitions that have been introduced with the AddRecDef button (see Section 4.3.2.2).
TagC tagger: Do forward computations on the term t as indicated by the tags in tagger t.
RedexC: Contract t if it is a primitive redex.
AbRedexC, ForceRedexC force: Contract t if it is a primitive or abstract redex of strength less than or equal to force.
AnyExtractC, ExtractC names: Expand t if it is an extract term of a theorem listed in names.

Abstract redices: Primitive redices that are buried under abstractions are called abstract redices. For example, the first and second projection functions for pairs are abstractions:

    pi1(t) == let <x,y> = t in x
    pi2(t) == let
185. efine (see Section 8.1.3). For integer and list induction we use the abstract terms instead of the lengthy display forms. Goals of the form a ∈ T always abbreviate a = a ∈ T, ¬P stands for P ⇒ void, s ≠ t for ¬(s = t ∈ Z), and s ≤ t for ¬(t < s).

A.3.1 Functions

Lr Uj ext z ST TE Uj ext ST by dependent functionFormation v S by independent functionFormation PRS e Uj ww P FU ext 5 lT c F U ext T T E U ext T TE x 58 gt T 2 5 gt T U Ax Tt ST ST U Ax by functionEquality v by independent functionEquality PES 8 60 Ax Pr S S Uj Ax D z S F Ti v zi Talx x2 Uj x DF T T e Uj w T F Ag t Ax t c 5 gt T ww D F x S T ext Az t by lambdaEquality j v by lambdaFormation j v D 2 8 F ty mi to 2 x2 e T 2 x ax D z S Tle x ext t DF Seu ww PRES Uj w DF ft f e Tlt x ax D f S T AF C ext t f s y by applyEquality r S T by independent functionElimination i y Tef fex Ss T ax D f SoT AF S exty TRFt t S pax D f SoT y T AFC exty D f a SoT A F C ext t fs Ax y z by dependent functionElimination 7 s y 2 D f a SoT A F seS px D f a SoT y Tls x z y fseT s x AF C gxtt TE Az t s t T ps by applyReduce TP t s x t T ww Drf fex S5 gt T ext t by functionExtensionality j 1 5 gt T r 5 9T 1 D a S H fia f v eT x x ext t T Base U Ax Te f e z 5 2T ww Te f r 5 25T Ax Basic Infer
186. ely after the current object. Static reference environments are inserted into a theory mostly for debugging purposes. They enable a user to set the reference environment register (see Section 4.3.3.5 below) to a specific environment and to replay proofs in that environment to analyze dependencies in the proof. Static reference environments may also be inserted by typing the command add_refenv_summary directory position into the library ML top loop, where position is a token describing the object up to which the theory should be summarized.

4.3.3.5 The Reference Environment Register

The reference environment register (briefly RR) is a global variable in the editor containing a reference environment index. It is used as an implicit parameter in some of the navigator commands and also when evaluating refiner top loop commands. The following command buttons can be used to examine or change the contents of the reference environment register:

• ShowRefEnv shows the contents of the reference environment register. This will be the empty term until one of the commands below has been applied.
• SetRefenvSibling sets the reference environment register to the reference environment used by the current object.
• SetRefenvUsing sets the reference environment register to the least reference environment that contains the current object. For ephemeral reference environments this command will be phased out, since an object is the least reference environment
187. emantically equivalent functions are equal when they originate from the same evaluation of the same textual occurrence of a function-denoting expression; for other cases the equality of functions is unreliable, i.e. implementation dependent. For example, after the top-level declarations

    let f x = x + 1 and g x = x + 2 ;;
    let f' = f and h x = f x and h' x = x + 1 ;;

f = f' evaluates to true and f = g evaluates to false, but the truth values of f = h, f = h' and h = h' are unreliable. Furthermore, after declaring

    let plus x y = x + y ;;
    let f = plus 1 and g = plus 1 ;;

the truth value of f = g is also unreliable.

@ is a predeclared list concatenation operator; the symbol has a special parser status and cannot be redeclared as a curried infix. (Only ordinary identifiers should be used as infixes; infixing other tokens may have unpredictable effects on the parser.)

B.7 General Purpose and List Processing Functions

This section describes a selection of commonly useful ML functions applicable to pairs, lists and other ML values. All the functions are definable in ML. Each function is documented by
1. its name and type;
2. a brief description;
3. an ML declaration defining the function (note that this is not necessarily the definition used; some of the functions are coded directly in Lisp).

Functions preceded by may be used as infix operators without the or in normal prefix form, or as arguments to other functions, with the Th
188. ence Rule Corresponding Tactic with required arguments with optional tacticals dependent functionFormation 1 S independent_functionFormation functionEquality v EqCD New x EqCD independent functionEquality gt lambdaEquality j v EqCD At U EqCD lambdaFormation j x DO applyEquality S T EqCD With x S gt T EqCD independent functionElimination 1 y D i dependent functionElimination s y 2 D i applyReduce ReduceEquands 0 ReduceAtAddr 2 0 functionExtensionality j 12 5 gt T v S 0T x EqExtWith Ext 154 A 3 2 Products TP U ext x SxT by dependent productFormation x S T Se U Ax I 2 S b U ext T TE ges xT x2 5 xT U Ax by productEquality PR 5 25 e Us m D z S Ti z zi1 T E s t s t SxT ax by dependent pairEquality j x TF s 8 S jax Tb t t T si x Ax D z S T z x e U ws T F s t s t SXT wx by independent pairEquality rF s s S ay Trt t T wy To x 2 9 TP Uj ext SxT independent productFormation Te U ext S TF U ext T Lr S xT S xT EU Ax by independent_productEquality TF S Us w Uj x UE T T Uj a D E z SxT ext 5 0 by dependent pairFormation j s x TFH s eS mw T T s z ext t D z S E T z x e U Ay D FE SxT ext 5 0 by independent pairFormation TES ext 3 PET ext 1j D F let y e in t let x y e
189. ent. This causes T's default behavior to be to not thin.

WithArgs args T, with args : (tok # arg) list: Run tactic T with the arguments in args on the top of the stack. arg is an ML abstract data type defined as the disjoint union of the types int, tactic, term, tok, var and (var # term) list. There are injection and projection functions for each of these types, such as int_to_arg and arg_to_int. All the above tacticals are special cases of WithArgs.

Each tactic description in this chapter includes information on the optional arguments (if any) that it takes. Note that some tactics do useful preprocessing on some of their arguments. In these cases there would be a performance penalty if such arguments were supplied.

8.2.3 Proof Annotations

NUPRL proof terms can be annotated with extra information that is not relevant to the logical correctness of a proof, but may assist in structuring proofs and identifying applicable tactics.

Goal Labels: NUPRL tactics generate various kinds of subgoals. Some express the main proof idea, while others are only auxiliary or well-formedness goals. In inductive proofs one distinguishes the base case from the step cases. Usually different kinds of goals have to be treated differently, so one would like subsequent tactics to discriminate on subgoal kind. Sometimes a subgoal's kind can be deduced directly from its structure, but this can be an error-prone process. Thus the tactics that generate
190. entifies counter-examples if it fails. These can be viewed by looking at the value of the ML variable supinf_info. The value gives a list of bindings of variables in the goal for the counter-example. If SupInf finds an integer counter-example then the goal is definitely unprovable. If a rational counter-example is given then SupInf is unsure whether the goal is true or not.

(Arithmetic simplification applies only to subterms that involve the basic arithmetic operators and rem. Currently simplification involving and rem does not work and has been disabled.)

SupInf': Like SupInf, but tries inferring additional arithmetic information about the non-linear terms in arithmetic expressions. The information on a non-linear term t is gathered in two ways:

1. If standard type inference returns a subtype of Z for t, then the predicate information from the subtype is added.
2. Information may be gathered from arithmetic property lemmata, i.e. lemmata of the form ∀v:T. A1 ⇒ ... ⇒ An ⇒ C, where C is constructed from v and standard arithmetic relations over integer subtypes built from <, >, ≥, Z and their negations. To apply the lemma, match handles are selected from C, i.e. terms occurring in arithmetic relations in C that contain all the free variables contained in C and the Ai. If, after matching a match handle with t, all the instantiated Ai are equal to hypotheses of the sequent, then the instantiated clause C will be
191. [Figure: Navigator window (kreitz/user/theories) with the command button zone; List Scroll: Total 1, Point 0, Visible 1.]

A theorem can also be activated by closing the proof window with C-Z instead of C-Q. This will cause NUPRL to create the extract term of the proof (a term describing its computational content) and to store it along with the theorem object. The status of that theorem will then be TTF.

2.6 Adding Definitions

Besides proving theorems, the most common activity in mathematics is introducing new concepts, which are defined in terms of already existing ones. This makes the formulation of theorems crisper and easier to comprehend. NUPRL supports such an enhancement of the formal language through a definition mechanism. This mechanism allows a user to introduce new terms that are definitionally equal to other terms. As an example, consider the ∃! quantifier, which states the existence of a unique element x ∈ T that satisfies a property P. A typical definition for this quantifier is the following:

    ∃!x:T. P(x) == ∃x:T. P(x) ∧ ∀y:T. P(y) ⇒ y = x ∈ T

This definition actually presents two aspects of a newly defined term. It first states that a new abstract term, say exists_uni, is to be introduced, which has two subterms T and P and
192. [Figure: Navigator window (kreitz/user/theories) with the command button zone; List Scroll: Total 4, Point 3, Visible 4; objects: STM TFF not_over_and, DISP TTF exists_uni_df, ABS TTF exists_uni, > STM TFF exists_uni_wf.]

This completes all necessary steps for adding a unique existence quantifier to the formal language of Nuprl. Close the well-formedness theorem with C-Q.

2.7 Printing Snapshots

To print a snapshot of a particular object, simply click the PrintObj button. This will create a print representation of the object at the nav point and write it into a file nuprlprint/OBJECT-NAME.prl. This file can be inspected with any 8-bit capable editor that has the NUPRL fonts loaded. It will also create a LaTeX version and write it to nuprlprint/OBJECT-NAME.tex. The directory nuprlprint must already exist; otherwise clicking the PrintObj button will result in an error.

The button PrintCollection will create a print representation of a whole range of objects, while the buttons PrintThyLong and PrintThyShort will create a print representation of the directory at the nav point. The long version shows the complete proofs of theorems, while the short version only prints the theorem statement and the extract of the proof, that is, a term representing its computational con
193. er we preserve the convention for compatibility reasons.

[Figure: two Navigator windows (kreitz/user/theories) showing the command button zone. Left: List Scroll Total 5, Point 4, Visible 5; objects STM FFF not_over_and, DISP TTF exists_uni_df, ABS TTF exists_uni. Right: List Scroll Total 10, Point 6, Visible 10; objects STM FFF not_over_and, ABS listsel, DISP TTF exists_uni_df, ABS TTF exists_uni]
194. ertain parts of the library. The foreground and background colors set the colors for the NUPRL windows and can be chosen according to personal preferences. Users may also choose a font for the NUPRL windows. By default nuprl-13 is being used, but users may also select any other NUPRL fonts or other fonts that are consistent with them.

The NUPRL 5 editor will read the file mykeys.macro to determine any user key bindings for motion and macro commands. If this file is missing, the key bindings that were present at compile time will be used. The standard bindings of the NUPRL 5 system are listed in the file nuprl/nuprl5/sys/macro/keys.macro. Users who wish to customize their NUPRL 5 key bindings may copy this file into the file mykeys.macro and modify it according to their needs.

It is helpful for the user to become familiar with an editor like emacs (version 19 and higher) that supports 8-bit fonts and has a capability for starting sub-shells. The editor should be run with one of the nuprl fonts. This is not strictly necessary but is a good idea for several reasons:

• Each NUPRL process runs a top loop in the same window as the one from which it was started up. It accepts input from that window and frequently writes output to it. If NUPRL is started up from an editor sub-shell, it becomes easy to review this output and save portions of it to files. Editing capabilities for the input are sometimes useful as well.
• Some of NUPRL's output is
...es. The second character is reserved for theorem objects and describes whether the theorem has a complete proof and an extract term. For all other objects it is T. The third character describes the status of the sticky bit; it is F for most objects. The object's name can have arbitrarily many characters and may include blanks.

One of the displayed objects in the library is also marked by an arrow (>) to the left of its kind. We call this distinguished object the navigation pointer, or nav point. All navigator commands are executed relative to this object.

4.2.2 The ML Top Loop Window

The ML Top Loop window, shown at the bottom right of the screen in Figure 4.1, offers a command interface to the editor, refiner and library processes. It is divided into two major zones: a command button zone and a command line zone.

The command button zone in the upper part of the ML Top Loop window is similar to the command zone of the navigator. The command buttons, however, do not interact with the library contents but affect the behavior of the editor itself. Most importantly, the buttons LIB, EDD and REF switch between the processes that the ML Top Loop interacts with and change the command prompt of the command line zone accordingly to M[LIB]>, M[EDD]> or M[REF]>.

The command line zone, between the command line prompt and the double semicolon (;;), provides a term editor window for entering ML commands that may contain NUPRL terms as arguments.
...es. The constructivity of NUPRL's logic manifests itself in the fact that the decomposition of sets in hypotheses (rule setElimination, Section 3.12) results in a subgoal containing the predicate part of the set term as a hidden hypothesis; the rule quotient_equalityElimination (Section A.3.14) has a similar effect. A hidden hypothesis does not contribute to the computational content of a proof, i.e. the term inhabiting its conclusion, and is therefore not immediately usable. However, there are ways in which it might become usable later.

A hidden hypothesis P in a proof goal can be unhidden if either P or the conclusion of the goal is squash stable, which roughly means that it is possible to determine the computational content if one knows that there is one in the classical sense. Squash stability is defined in the theory core_2 as

    SqStable(P) == ↓P ⇒ P

where the proposition ↓P == {x:Unit | P}, read "squash P", is true exactly when P is true but has no computational content. Squash stability can be inferred for many predicates using the tactic ProveSqStable, which is not called by the D tactic because it can be rather slow. Instead, hypotheses can be unhidden by applying one of the following tactics:

Unhide: Try to unhide hidden hypotheses, first by checking whether the conclusion is squash stable and then, if this fails, by checking each hidden hypothesis separately for squash stability. Unhide applies the tactics UnhideAllHypsSinceSqStableConcl, whic...
...essing C-x C-s. Just moving through the history does not change the stored proof. Pressing C-M-e reverts the proof window to the proof that was last stored in the library. The proof history is only preserved through a proof editing session; once the proof window is closed, the history is discarded.

6.4.3 Backup Proofs

In addition to using a temporary proof history, NUPRL 5 allows users to create and edit backup proofs that are linked permanently to a statement object. This makes it possible to elaborate and keep different proofs of the same statement, and to preserve several interim versions of a proof attempt until they are no longer needed.

Pressing C-M-c creates a backup copy of the current proof and saves it to the library. This proof will usually remain invisible. Pressing the corresponding M- key pops up a proof editor window for each backup proof of the current statement. Users may create multiple backup copies, including backups of backup proofs. The proof from which all these backups were created remains the main proof unless the user explicitly changes that by pressing C-M-f, which declares the current proof to be the main proof from now on. To remove a specific proof, users type C-M-d into the proof window of that proof. Typing C-x C-b deletes all backup proofs. It should be noted that deleted backup proofs and the temporary proof history are still contained in the library, but are no longer linked to the statement object.

Expert...
...expressiveness of type theory, the well-formedness of a type expression cannot be decided automatically but must be established in the course of a proof development. Whenever a rule creates a new declaration in one of its subgoals, the well-formedness of the corresponding type must be established. If this cannot be guaranteed by the proofs of the other subgoals, as in the case of functionEquality, it must be proven as a separate subgoal. The rule lambdaEquality, for instance, proves the equality of two λ-terms in a function type x:S→T. For this purpose it declares a new variable z of type S and adds a subgoal stating that S belongs to some universe U_j. The level j of that universe must be given:

    Γ ⊢ λx1.b1 = λx2.b2 ∈ x:S→T      by lambdaEquality j z
      Γ, z:S ⊢ b1[z/x1] = b2[z/x2] ∈ T[z/x]
      Γ ⊢ S ∈ U_j

Values for variables: Some proof goals can only be decomposed if it is known how to instantiate a certain variable. To prove ∃x:T. P[x], which is the same as the dependent product x:T × P[x], for instance, one has to provide a value s for the existentially quantified variable x and can then go on to prove P[s]. The corresponding rule dependent_pairFormation requires this term as one of its arguments:

    Γ ⊢ x:S×T  ext ⟨s,t⟩             by dependent_pairFormation j s x'
...of p, e is the value of e.

failwith e: e is evaluated and then a failure with e's value, which must be a token, is generated.

if e1 then e1' if e2 then e2' ... if en then en' [else e | loop e]: e1, e2, ..., en are evaluated in turn until one of them, say em, returns true (each ei must be a boolean expression). When the phrase following em is "then em'", control is passed to em'. When the phrase is "loop em'", em' is evaluated for its side effects and control is then passed back to the beginning of the whole expression, i.e. to the beginning of "if e1 ...":

    if e1 then loop e1'
    if e2 then loop e2'
    ...
    if en then loop en'
    else loop e

If all of e1, e2, ..., en return false and there is a phrase following en, then if this is "else e", control is passed to e, while if it is "loop e", e is evaluated for its side effects and control is passed back to the beginning of the whole expression. If all of e1, e2, ..., en return false but no phrase follows en, then (), the unique value of type void, is returned.

Trapping failures: e is evaluated and, if this succeeds, its value is returned. If e fails with failure token tok, then each of e1, e2, ..., en is evaluated in turn until one of them, say em, returns a token list containing tok (each ei must evaluate to a list of tokens). If the simple trap form precedes em, control is passed to em'. If the looping trap form precedes it, em' is evaluated and control is passed back to the beginning of the whole expression.
...of the free variables in a such that σa = t, then t will be replaced by σb. For instance, rewriting the term 2*3 + 0 with the relation x + 0 = x means matching 2*3 + 0 against x + 0, which yields a substitution σ that binds x to 2*3. The result of rewriting is the term σx = 2*3.

Atomic conversions cannot by themselves rewrite subterms of a given term. For instance, applying an atomic conversion to rewrite (1 + 0) * 3 with the relation x + 0 = x fails. Conversionals (Section 8.9.4) provide the means for applying conversions to subterms of a term and help control the sequence in which atomic conversions are applied to these subterms. An example of a conversional is SweepUpC, which attempts to apply a conversion c to each subterm of a term t, working from the leaves of t up to its root. Another example is ORELSEC, which first tries to apply a conversion c1 to a term and, if that fails, applies a conversion c2.

Conversionals rely on a variety of lemmata, which we describe in Section 8.9.1.4. These lemmata have to state reflexivity, transitivity and symmetry properties of the relation r, and congruence properties of the terms making up the clauses that are being rewritten.

A tactic Rewrite : convn -> int -> tactic is used for making a conversion applicable to some clause of a proof goal. It takes care of executing the justifications generated by conversions. Section 8.9.1.5 lists common variations on this tactic.

8.9.1.1 Envi...
...few special characters with code 204 and higher. Actually, it may not even be necessary to start a new NUPRL 5 refiner, as the editor will connect to refiners that are already running. However, this would mean that you need to share that refiner with other users, which may cause unnecessary delays if the refiner is busy. Generally it is recommended that you start your own refiner unless you only intend to browse the library.

    (defun nuprl5 ()
      (interactive)
      (message "Starting NuPRL 5 Library, Editor and Refiner")
      (nulib)
      (sleep-for 5)
      (nuedit)
      (nurefine))

It will take several minutes until all the NUPRL editor windows begin to pop up, because initially there is a lot of communication between the editor and the library.

3.3.1 Starting the Library

The library process should be started first, because both the editor and the refiner rely on information that is explicitly stored in the knowledge base to simplify customization of these processes. In a shell, enter the command nulib:

    SHELL-PROMPT> nulib

A Lisp session will start, followed by system messages. At the Lisp USER prompt, enter top:

    USER(1): top

This will start an ML top loop with some library-specific commands preloaded. At the ML prompt, enter go to initialize the NUPRL 5 library:

    CURRENT-TIME, TIME-AND-DATE ML[ORB]> go

The library process will now use the information in the nuprl config file to load the desired library e...
...finition. Usually all the definitions in one object refer to a closely related set of terms. When choosing a display form to use for a term, the layout algorithm tries definitions in backward order, so definitions are usually ordered from more general to more specific.

7.2.1 Editing Display Form Objects

Since most display forms are created using the AddDef mechanism described in Section 4.3.2.2, a right-hand side term, a standard sequence of formats and an alias attribute (see Section 7.2.4 below) are already present when the object is opened. If the object was created with the MkObj command, it will contain an empty term slot, which must be initialized before a display form definition can be entered. The command C-M-I creates an initial display form definition, which looks like an empty definition with a right-hand side slot rhs. To get additional slots for display form definitions one may use the commands C-O and M-O. An initial display form definition has an empty attribute sequence as a subterm, which is hidden by the display form for display form definitions. Moving the term cursor over the whole term and using C-M-S adds an empty term slot for an attribute.

7.2.2 Right-hand Side Terms

The right-hand side term is a pattern. A definition applies to some term t if t is an instance of the right-hand side term. The display definition matcher has a notion of meta-variable different from that of NUPRL's usual matching routines: it has 3 kinds of meta-variabl...
...g declare_order_rel_pair stronger_rtm weaker_rtm. For the sake of clarity, all relation declarations should be inserted in ML objects that are positioned after the referred-to relations but before any lemmata that might be accessed by the rewrite package.

8.9.1.3 Justifications

The justification produced by a rewrite rule describes how to prove that the origin and the result of rewriting stand in the relation r. This information is used by the rewrite tactic to generate the corresponding NUPRL proof. There are two types of justifications:

Computational justifications are lists of precise applications of the forward and reverse direct computation rules. As these are comparatively very fast and generate no well-formedness subgoals, the rewrite package uses them whenever possible.

Tactic justifications are more generally applicable, but make extensive use of lemmata (see Section 8.9.1.4 below) and often generate many well-formedness subgoals.

Conversions generating both types of justification can be freely intermixed; the system takes care of converting computational justifications to tactic justifications when necessary.

8.9.1.4 Lemma Support

The rewrite package must have access to several kinds of lemmata in order to construct justifications for rewrites. This section describes those lemmata.

Functionality lemmata give congruence and monotonicity properties of terms. They are required by conversionals like SubC to construct justification...
...g text and term slots. In contrast to term sequences, text sequences normally have no delimiters or element separators. They are, however, easily identified because they usually occur in well-defined contexts. An example of a text sequence is the ML expression

    With ⌈n+1⌉ (D 0)∘
    THENW TypeCheck∘

This text sequence consists of 3 term slots, filled with the terms n+1, 0 and the newline term, and 4 text slots, filled with the text strings "With ", "D ", " THENW TypeCheck" and the null or empty text string. The ∘'s are newline terms, which are usually kept invisible and are only shown with a printing character here for illustration. Newline characters in text should be avoided as much as possible, as this simplifies the display formatting algorithm.

5.3 Term Editor Windows

Term editor windows are used for viewing and editing terms. Except for the navigator and proof editor windows, most windows opened by NUPRL are term editor windows. Each window displays a single display form tree representing a single term. All editing operations can be carried out from the keyboard alone, but the editor accepts input from the keypad and the mouse as well. Input characters typed at the keyboard in multi-character commands are echoed as highlighted text near the position of the cursor and can be corrected using DEL. Certain key combinations are bound to editor commands, which may also be invoked explicitly by typing C-M-x command-name. The default...
...gment of any text slot, or a segment of a text or term sequence. A region is delimited by the editor's term or text cursor and an auxiliary text or term cursor position. Following Emacs's terminology, we call the cursor's position the point and the auxiliary cursor position the mark. It does not matter whether the mark is to the left or the right of the point when selecting a region. In what follows we call the leftmost of point and mark the left delimiter and the rightmost the right delimiter. If a term is used as a region delimiter, the term is included in the region.

Various regions are acceptable. For selecting a text string in a text slot, both delimiters must be text cursor positions. For selecting a segment of a term sequence, both delimiters must be term cursor positions. For selecting a segment of a text sequence, text or term cursor positions may be used for each delimiter.

The commands for cutting and pasting regions are shown below.

    C-@      SET-MARK          set mark at point
    C-X C-X  SWAP-POINT-MARK   swap point and mark
    C-W      CUT-REGION        cut region
    M-W      SAVE-REGION       save region
    C-M-W    DELETE-REGION     delete region

SET-MARK sets the mark to the current cursor position, while SWAP-POINT-MARK swaps the mark and the editor cursor; this command is often used to check the mark's position. SAVE-REGION saves a region onto the save stack. DELETE-REGION deletes the region. If the region is of a text slot or a text sequence, DEL...
...gro Common Lisp; other Lisps should be similar. The initial message put out by the debugger should tell you what caused it to be invoked. The following message, for instance, appears after a keyboard interrupt:

    Error: Received signal number 2 (Keyboard interrupt)
      [condition type: INTERRUPT-SIGNAL]
    Restart actions (select using :continue):
     0: continue computation
    [changing package from "COMMON-LISP-USER" to "NUPRL5"]
    [1c] NUPRL5(2):

To resume after an interrupt or breakpoint, enter :cont:

    [1c] NUPRL5(2): :cont
    ML[edd]>

If the ML prompt appears again, the process has successfully resumed. In some cases Lisp cannot simply resume and will print another error message, as in the following case:

    Error: Non-structure argument NIL passed to structure-ref.
    [1] NUPRL5(3): :cont
    Error: Can't continue and no restarts
    [2] NUPRL5(4):

In most of these cases, entering the expression (foo) will reset and restart the process:

    [2] NUPRL5(4): (foo)
    ML[edd]>

In the worst case, kill the process by entering :exit and then restart it from scratch. The other processes will detect the link going dead and clean it up automatically.

If you kill a NUPRL window using window manager commands instead of the appropriate NUPRL editor commands, you will break the X connection and crash the editor. Future releases of NUPRL 5 will automatically repair the editor process, but until then you have to recover at the Lisp debug...
... -> bool,  makeatom : ... -> sexp

B.3 Syntax of ML

We shall use variables to range over the various constructs of ML as follows:

    Variable   Ranges over
    var        variables
    con        constructors
    ce         constant expressions
    ty         types
    tab        type abbreviation bindings (see B.5.4)
    ab         abstract type bindings (see B.5.5)
    d          declarations
    b          bindings
    p          patterns
    e          expressions

Variables and constructors are both represented by identifiers, but they are different syntax classes. Identifiers and constant expressions are described in Section B.3.2 below. Types and type bindings are explained in Section B.5. Declarations, bindings, patterns and expressions are defined by the following BNF-like syntax equations. Each variable ranges over constructs as above. The numbers following the various variables are there merely to distinguish between different occurrences; this will be convenient when we describe the semantics in Section C. [C] denotes an optional occurrence of C, and for n > 1, C1 | C2 | ... | Cn denotes a choice of exactly one of C1, C2, ..., Cn. The constructs are listed in order of decreasing binding power. L or R following a construct means that it associates to the left (L) or right (R) when juxtaposed with itself, where this is syntactically admissible. Certain constructs are equivalent to others, and this is indicated by "equiv" followed by the equivalent construct.
    ... if x > y loop (x - y) y if x < y loop x (y - x) else x;;
    gcd = - : int -> int -> int
    gcd 12 20;;
    4 : int

B.2.7 Lists

If e1, ..., en all have type ty, then the ML expression [e1; ...; en] has type ty list. The standard functions on lists are hd (head), tl (tail), null (which tests whether a list is empty, i.e. is equal to []), and the infixed operators . (cons) and @ (append, or concatenation).

    let m = [1;2] @ [3;4];;
    m = [1; 2; 3; 4] : int list
    hd m, tl m;;
    (1, [2; 3; 4]) : (int # int list)
    null m, null [];;
    (false, true) : (bool # bool)
    0 . m;;
    [0; 1; 2; 3; 4] : int list
    [1;2;3] @ [4;5;6];;
    [1; 2; 3; 4; 5; 6] : int list
    [1; true; 2];;
    ill-typed phrase: true
    has an instance of type bool which should match type int
    1 error in typing
    typecheck failed

All the members of a list must have the same type, although this type could be a sum or disjoint union type (see Section B.5).

B.2.8 Tokens

A sequence of characters enclosed between token quotes ` (i.e. ASCII 96) is a token.

    `this is a token`;;
    `this is a token` : tok
    [`this`; `is`; `a`; `token`; `list`];;
    [`this`; `is`; `a`; `token`; `list`] : tok list

B.2.9 Strings

A sequence of characters enc...
...gument of the code in the object with the term inr(directory, position), where directory is the object identifier of the current directory and position the name of the object at the navigation pointer, and then evaluate the code. The main purpose of this command is compatibility of the methods for creating recursive definitions (Section 4.3.2.2) and modules (Section 4.3.2.3) with the ones used in libraries developed with NUPRL 4. The command is likely to be removed in the future.

4.3.4.4 Cloning the Navigator

Users who want to use multiple navigators simultaneously may do so by cloning the navigator. Clicking the Clone command button opens a new navigator window that is a clone of the current one. Alternatively, a user may type the command

    dyn_navigator_clone term

into the editor ML top loop, where term is the complete term contained in the current navigator window. Note that navigator windows, like the ML top loop and the evaluator history window, cannot be closed with C-q again.

4.3.4.5 Raising the ML Top Loop Window

If the ML top loop is buried under other windows, clicking the RaiseTopLoops command button brings the ML top loop window to the foreground. This feature currently works only in the twm window manager.

The following table summarizes all the navigator command buttons that are described in this manual. The buttons in the upper part of the table occur in all standard user theories, while the other buttons are only present in some of the...
...h the save stack for some desired item, similar to yank-next in Emacs.

5.6.1 Basic Commands

    DEL      DELETE-CHAR-TO-LEFT    delete char to left of text cursor
    C-D      DELETE-CHAR-TO-RIGHT   delete char to right of text cursor
    M-D      CUT-WORD-TO-RIGHT      cut word to right of text cursor
    C-K      CUT                    cut term
    M-K      SAVE                   save term
    C-M-K    DELETE                 delete term
    C-Y      PASTE                  paste item
    M-Y      PASTE-NEXT             delete item, then paste next item
    C-M-Y    PASTE-COPY             paste copy of item

DELETE-CHAR-TO-LEFT and DELETE-CHAR-TO-RIGHT are conventional character deletion commands. They only remove the character, without saving it on the save stack. They can be used in any text slot of a term or in a text sequence, and also work on newline terms in text sequences. CUT-WORD-TO-RIGHT cuts the word to the right of a text cursor. If a term is to the immediate right of a text cursor in a text sequence, then that term is cut.

CUT, SAVE and DELETE work on the term underneath a term cursor, as described above. These commands work fine on terms in text and term sequences. Note that deleting a term leaves an empty term slot. When a term cursor is at an empty term slot, the PASTE and PASTE-COPY commands paste the term on top of the stack into the slot. PASTE-NEXT replaces the last term pasted with the term on top of the paste stack. It should only be used immediately after a PASTE or a previous PASTE-NEXT.

5.6.2 Cutting and Pasting Regions

A region is a se...
...h tries to prove the conclusion squash stable using ProveSqStable and unhides all hidden hypotheses if this succeeds, and UnhideSqStableHyp i, which tries to prove the hidden hypothesis i squash stable.

AddProperties i: Add the predicate part of the set type underlying an abstraction A in hypothesis i as a new hypothesis immediately after i. Hypothesis i should be a declaration of the form x:A or a proposition of the form t ∈ A or t = t' ∈ A, where A is an abstraction with an associated property lemma of the form ⊢ ∀x:T. ∀y:A. P[x;y].

GenConcl ⌈t = v ∈ T⌉: Generalize occurrences of t as subterms of the conclusion to the variable v. This adds new hypotheses declaring v to be of type T and stating t = v ∈ T.

Fiat: If you are about to give up hope on a theorem, this tactic is guaranteed to provide satisfaction. Fiat uses NUPRL's because rule, which should be used for experimental purposes only. NUPRL's library has a mechanism to detect uses of this rule while checking a theory for consistency.

8.8 Tacticals

Tacticals are functions for converting tactics into new ones. Apart from injecting optional arguments, as described in Section 8.2.2, they are most commonly used for composing tactics. 2-ary tacticals are often written in infix form and are distinguished from others by having the first part of their name in all capitals. Infix tacticals always associate to the left.

8.8.1 Basic Tacticals

T1 THEN T2: Apply T1 and then run T2 on all the subgoals generate...
...hat a different set of functions will be preloaded and that the commands entered will affect a different process. For instance, all tactics (see Chapter 8) are accessible from the refiner top loop, which enables a user to experiment with new tactics while having access to a term editor. In the library top loop, functions for modifying the library itself, such as loading patches or structural rearrangements, become available. The same functionality is also provided by the corresponding process ML top loops, yet without term editing support.

Most users will rarely use the ML top loops, because all standard tasks can be performed using the navigator. More experienced users will occasionally use the refiner or editor top loops. The refiner top loop is usually only required for maintenance.

4.1 The Library

NUPRL's library is a mathematical and logical database. All library contents are represented by a common basic data structure called objects. There are objects for theorems, definitions, inference rules, tactics and other algorithms, comments and articles, objects that control the visual appearance of the mathematical notation, and objects that are used to organize other objects in theories and directories. A library table binds objects to identifiers that are used when referring to them.

In contrast to previous releases of NUPRL, all library contents are kept in a persistent library and are accessible, modulo permission restrictions, as soo...
...he current position of the navigation pointer in the path stack. A user may add additional positions to the path stack and jump back to any position stored in it using the additional buttons of the path stack command zone. These buttons have the following effects:

- Hide: Hide the path stack command zone by iconifying it to a button PathStack (see the right of Figure 4.3). This is usually a good idea if one works with several directories at the same time but doesn't jump very often.
- Yank: Jump to the position on top of the path stack.
- Rot&Yank: Rotate the positions in the path stack, moving the top position to the bottom, and jump to the position that is now on top.
- Push: Add the current position of the navigation pointer on top of the path stack.
- Pop: Remove the position on top of the path stack.
- Swap&Yank: Swap the two positions on top of the path stack and jump to the position that is now on top.

[Figure 4.3: the path stack command zone (buttons Hide, Yank, Rot&Yank, Push, Pop, Swap&Yank, Swap, Rot, RevRot, CpLink, Cancel) above a navigator on num_thy_1 in the standard theories with the navigation pointer at divides, and, on the right, the same navigator with the zone iconified to the PathStack button.]
...he right of it, that is, the hypotheses H_{i+1}, ..., H_n and the conclusion C. The expression t is called the extract term of the sequent. It is constructed during the proof and remains unknown up to its completion. Sometimes we refer collectively to the hypotheses and the conclusion of the sequent as clauses. The word goal is used either to refer to a whole sequent or just to the conclusion; which is meant should be clear from context.

NUPRL's inference rules refine sequents, obtaining subgoal sequents whose proofs would suffice to validate the original goal. Primitive rules (see Section 6.1.3.1 below) are usually characterized by rule schemata that match placeholders for the hypotheses and conclusion against a goal sequent and instantiate subgoal sequents accordingly. They also describe how to construct the extract term of the goal sequent from the extract terms of the subgoal sequents (see Section 8.1 for details). Tactic rules (Section 6.1.3.2) combine several primitive rules into a single inference rule.

Proofs are trees whose nodes contain a goal sequent and a refinement slot. The refinement slot usually contains an inference rule, and the goal sequents of the children of the node are the subgoals resulting from applying this rule to the node's goal. If the refinement slot is empty, the node has no children and is considered unrefined.

The older NUPRL literature uses >> instead of the turnstile symbol ⊢ to separate hypotheses from the conclus...
...hich associates logical propositions with the type of all their proofs, all the clauses of a sequent contain types.

6.1.2 Proof Objects

Proof trees are implemented in NUPRL as a recursive data structure consisting of either

- an unrefined goal sequent g, or
- a goal sequent g, an inference rule r, and a list p1, ..., pn of proofs.

Thus each subtree of a proof is considered a proof as well, which makes it possible to reason locally. The NUPRL proof editor (see Section 6.2 below) enables users to focus on any node of a proof tree and to view the corresponding subproof as a full proof object. The sequent g in a proof object is referred to as the root goal of the proof, and the goals of the proofs p1, ..., pn in a refined proof are referred to as its subgoals.

A proof is good if

1. every sequent in the proof is closed,
2. in every sequent all variables declared in the hypotheses are distinct, and
3. at every refined node of the proof tree the subgoals are the result of applying the rule r to the root goal g.

A proof is complete if it is good and contains no unrefined nodes. A proof is incomplete if it is good but does contain unrefined nodes.

Each statement object in NUPRL's library is associated with a list of proof objects with the same root goal, sometimes referred to as the main goal of the statement object. The main goal must be an initial sequent, i.e. a sequent with an empty hypotheses list. The main goal is a theorem if at le...
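The following Python code is an added example (it is not NUPRL's own implementation, which is written in ML) that models the proof objects of Section 6.1.2 together with the THEN tactical of Section 8.8.1. A Proof is either an unrefined goal or a goal with a rule name and child proofs; is_good checks the distinct-variable condition and that every refined node's children are exactly what its rule yields on the node's goal (the closedness condition is not modelled, since propositions here are bare tuples without binders). The two primitive rules andIntro and hypothesis, the propositional encoding, and the names Sequent, Proof, rule_tactic and THEN are simplifications chosen for this example.

```python
"""Model of NUPRL proof trees and the THEN tactical (added example, not NUPRL code)."""
from dataclasses import dataclass, field
from typing import Optional


class TacticFailure(Exception):
    """Raised when a rule or tactic does not apply to a goal."""


@dataclass(frozen=True)
class Sequent:
    hyps: tuple   # ((variable_name, proposition), ...)
    concl: tuple  # proposition, e.g. ('and', P, Q) or ('atom', 'A')


@dataclass
class Proof:
    goal: Sequent
    rule: Optional[str] = None              # None marks an unrefined node
    children: list = field(default_factory=list)

    def unrefined_leaves(self):
        if self.rule is None:
            return [self]
        return [leaf for c in self.children for leaf in c.unrefined_leaves()]

    def is_good(self):
        # Condition 2 of Section 6.1.2: hypothesis variables are distinct.
        names = [v for v, _ in self.goal.hyps]
        if len(names) != len(set(names)):
            return False
        if self.rule is None:
            return True
        # Condition 3: the children are exactly what rule r yields on goal g.
        try:
            _, subgoals = RULES[self.rule](self.goal)
        except (TacticFailure, KeyError):
            return False
        return ([c.goal for c in self.children] == subgoals
                and all(c.is_good() for c in self.children))

    def is_complete(self):
        return self.is_good() and not self.unrefined_leaves()


# Primitive rules: Sequent -> (rule name, subgoal sequents), or TacticFailure.
def and_intro(g):
    if g.concl[0] != 'and':
        raise TacticFailure('andIntro: conclusion is not a conjunction')
    _, p, q = g.concl
    return 'andIntro', [Sequent(g.hyps, p), Sequent(g.hyps, q)]


def hypothesis(g):
    if not any(p == g.concl for _, p in g.hyps):
        raise TacticFailure('hypothesis: conclusion not among hypotheses')
    return 'hypothesis', []


RULES = {'andIntro': and_intro, 'hypothesis': hypothesis}


def refine(rule, g):
    """Apply one primitive rule; the new node's children start out unrefined."""
    name, subgoals = rule(g)
    return Proof(g, name, [Proof(sg) for sg in subgoals])


def rule_tactic(rule):
    """A tactic maps a goal to a proof tree (possibly with unrefined leaves)."""
    return lambda g: refine(rule, g)


def _extend_leaves(p, tac):
    if p.rule is None:
        return tac(p.goal)
    return Proof(p.goal, p.rule, [_extend_leaves(c, tac) for c in p.children])


def THEN(t1, t2):
    """T1 THEN T2: run T1, then T2 on every subgoal T1 produced.
    A failure of T2 on any subgoal propagates and fails the whole tactic."""
    return lambda g: _extend_leaves(t1(g), t2)


# Constructed sample goals: A and B are atomic propositions.
A, B = ('atom', 'A'), ('atom', 'B')
AndI, Hyp = rule_tactic(and_intro), rule_tactic(hypothesis)


def prove_conjunction_from_hyps():
    g = Sequent((('a', A), ('b', B)), ('and', A, B))
    return THEN(AndI, Hyp)(g)          # complete proof, two hypothesis leaves


def prove_conjunction_partially():
    g = Sequent((('a', A), ('b', B)), ('and', A, B))
    return AndI(g)                     # good but incomplete: two unrefined leaves


def attempt_missing_hypothesis():
    g = Sequent((('a', A),), ('and', A, B))
    try:
        THEN(AndI, Hyp)(g)
        return None
    except TacticFailure as e:
        return str(e)                  # THEN fails because Hyp fails on the B subgoal
```

Because THEN fails as a whole when its second tactic fails on any subgoal, the incomplete tree built by AndI alone is never stored in that case; this is the behaviour the manual describes for tactic rules, which either refine the goal or leave it untouched. The is_good check also rejects a tree whose children do not match what the recorded rule produces, which is how a proof checker detects tampering with a stored proof object.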
...his chapter we describe the structure of basic inference rules and tactics, as well as the most important groups of tactics that are currently implemented. NUPRL's type theory, its semantics and the guiding principles for its development are explained in [CAB+86]. It should be noted, however, that NUPRL's type theory is open-ended and that fundamentally new concepts and their inference rules are added whenever this turns out to be necessary. A complete list of the current set of inference rules can be found in Appendix A.

8.1 Rules

Inference rules characterize the semantics of all formal expressions in NUPRL. For each type constructor they describe how to form types and the conditions for two types to be equal, how to form members of types and the prerequisites for two members of a type to be equal in that type.

NUPRL's proof calculus is based on the notion of sequents. These are objects of the form

    x1:T1, ..., xn:Tn ⊢ C

which should be read as "under the hypotheses that the xi are variables of type Ti, a member of the conclusion C can be constructed" (see Section 6.1.1 for details). In NUPRL a proof for such a sequent is developed in a top-down fashion. Proof rules refine a goal sequent, obtaining subgoal sequents whose proofs would suffice to validate the original goal. They are described by rule schemata with placeholders for lists of hypotheses and conclusions. A rule

    Γ ⊢ C  ext m          by rule-name & optional arguments
      Γ1 ⊢ C1  ext m1
      ...
...ht order.

SubIfC p c: Apply c to all immediate subterms of t that satisfy the proposition p.
NthSubC n c: Apply c to the n-th immediate subterm of t.
AddrC addr c: Apply c to the subterm of t with term address addr.
HigherC c / LowerC c: Apply c to the first applicable subterm of t, starting from the root / from the leaves.
NthC n c: Execute the n-th successful application of c to the subterms of t, starting from the root.
SweepDnC c / SweepUpC c: Apply c to all subterms of t, starting from the root / from the leaves.
TopC c / DepthC c: Repeatedly apply c to the first applicable subterm of t, starting from the root / from the leaves.

8.9.5 Macro Conversions

Macro conversions allow one to express rewrite rules via pattern terms that describe the left- and the right-hand side of a transformation.

MacroC name c1 t1 c2 t2: Rewrite an instance of t1 to the corresponding instance of t2 using forward and reverse computation steps. c1 and c2 must be direct computation conversions that rewrite the pattern terms t1 and t2 to the same term. MacroC uses second-order matching when matching instance terms against t1. name is a failure token, which will be returned if rewriting fails.
SimpleMacroC name t1 t2 as: Rewrite an instance of t1 to an instance of t2 by unfolding abstractions from as and contracting redices.
FwdMacroC name c t: Rewrite an instance of t to an instance of the term resulting from applying c to t.

Using macro conversions enables a user to express rewrite steps in a...
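As an added example, not part of the manual and not NUPRL's ML sources, the Python code below models atomic conversions (Section 8.9.1) and the conversionals of Section 8.9.4 as functions from terms to terms that raise an exception when they do not apply. Terms are tuples ('op', sub1, ...) with integer leaves; pattern variables are strings beginning with '?'. RewriteC, IdC, ORELSEC, THENC, TryC, SubC, AddrC, SweepUpC, SweepDnC, HigherC, RepeatC and TopC are Python analogues of the NUPRL names, chosen for this example; the relation x + 0 = x and the terms 2*3 + 0 and (1 + 0) * 3 are the ones from Section 8.9.1. Justifications and the relation lemmata are not modelled.

```python
"""Model of NUPRL conversions and conversionals (added example, not NUPRL code)."""


class ConvFailure(Exception):
    """Raised when a conversion does not apply to a term."""


def is_var(p):
    return isinstance(p, str) and p.startswith('?')


def match(pat, term, subst):
    """First-order matching: extend subst so that subst(pat) == term, or fail."""
    if is_var(pat):
        if pat in subst and subst[pat] != term:
            raise ConvFailure(f'{pat} bound inconsistently')
        subst[pat] = term
        return subst
    if isinstance(pat, tuple):
        if not (isinstance(term, tuple) and len(term) == len(pat) and term[0] == pat[0]):
            raise ConvFailure('operator mismatch')
        for p, t in zip(pat[1:], term[1:]):
            match(p, t, subst)
        return subst
    if pat != term:
        raise ConvFailure('literal mismatch')
    return subst


def instantiate(pat, subst):
    if is_var(pat):
        return subst[pat]
    if isinstance(pat, tuple):
        return (pat[0],) + tuple(instantiate(p, subst) for p in pat[1:])
    return pat


def RewriteC(lhs, rhs):
    """Atomic conversion for the relation lhs = rhs: rewrites an instance of lhs at the root only."""
    return lambda t: instantiate(rhs, match(lhs, t, {}))


def IdC(t):
    return t


def ORELSEC(c1, c2):
    def conv(t):
        try:
            return c1(t)
        except ConvFailure:
            return c2(t)
    return conv


def THENC(c1, c2):
    return lambda t: c2(c1(t))


def TryC(c):
    return ORELSEC(c, IdC)


def SubC(c):
    """Apply c to every immediate subterm; a leaf has none and passes through unchanged."""
    return lambda t: (t[0],) + tuple(c(s) for s in t[1:]) if isinstance(t, tuple) else t


def AddrC(addr, c):
    """Apply c at the subterm reached by the 1-based address path addr (e.g. [1] = first subterm)."""
    def conv(t):
        if not addr:
            return c(t)
        i = addr[0]
        if not (isinstance(t, tuple) and 1 <= i < len(t)):
            raise ConvFailure('bad address')
        return t[:i] + (AddrC(addr[1:], c)(t[i]),) + t[i + 1:]
    return conv


def SweepUpC(c):
    """Leaves first, root last: rewrite the subterms, then try c on the rebuilt term."""
    return lambda t: TryC(c)(SubC(SweepUpC(c))(t))


def SweepDnC(c):
    """Root first: try c, then sweep into the subterms of whatever c produced."""
    return lambda t: SubC(SweepDnC(c))(TryC(c)(t))


def HigherC(c):
    """Apply c to the first applicable subterm in pre-order from the root; fail if there is none."""
    def conv(t):
        try:
            return c(t)
        except ConvFailure:
            pass
        if isinstance(t, tuple):
            for i in range(1, len(t)):
                try:
                    return t[:i] + (conv(t[i]),) + t[i + 1:]
                except ConvFailure:
                    continue
        raise ConvFailure('HigherC: no applicable subterm')
    return conv


def RepeatC(c):
    """Apply c until it fails; RepeatC itself never fails."""
    def conv(t):
        while True:
            try:
                t = c(t)
            except ConvFailure:
                return t
    return conv


def TopC(c):
    """Repeatedly rewrite the first applicable subterm from the root."""
    return RepeatC(HigherC(c))


def fails(conv, t):
    """True if conv does not apply to t; shows where an atomic conversion stops."""
    try:
        conv(t)
        return False
    except ConvFailure:
        return True


# The relations x + 0 = x (from the text) and x * 1 = x as atomic conversions.
ADD_ZERO = RewriteC(('add', '?x', 0), '?x')
MUL_ONE = RewriteC(('mul', '?x', 1), '?x')
```

On the text's own examples, ADD_ZERO rewrites 2*3 + 0 to 2*3 but fails on (1 + 0) * 3, while SweepUpC(ADD_ZERO), HigherC(ADD_ZERO) and AddrC([1], ADD_ZERO) all reach the subterm. The sweep direction matters: on ((5 + 0) + 0) + 0, SweepUpC reduces all the way to 5, but SweepDnC rewrites the root first, descends into the result and stops at 5 + 0 because it never revisits a rebuilt node; TopC repeats from the root until nothing applies and also reaches 5. Controlling that order is precisely what conversionals are for.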
[Figure 4.4: Creating Objects. Two navigator windows (kreitz user theories) showing the initial template and the resulting update to the library.]

... the name of the theorem. In a similar way, MkML creates a new code object, MkDir creates a directory object, and MkThyDir creates a directory object within a theory (see Section 4.3.3.2). The command button MkTHY creates a new theory within the current directory. Theories are similar to directories but in addition contain code objects for initializing their reference environments. We will discuss them separately in Section 4.3.3.1.

AddDefDisp creates a display form for a given abstraction. If the navigation pointer is at an abstraction with name absname, then clicking the command button AddDefDisp will create a display form object named absname_df and places it i
[Figure: two navigator windows with the standard theory command buttons (MkTHY, OpenThy, CloseThy, ExportThy, ChkThy, ..., Act, DeAct, MkThyDir, RmThyObj, MvThyObj), both displaying the directory num_thy_1 of the standard theories at scroll positions 0 and 5 (159 entries in total); visible entries include init_num_thy_1 (CODE), num_thy_1_begin (COM) and num_thy_1_summary (COM).]
Clicking Mill while the navigation pointer is at a directory will open a tag slot above the current command zone into which the user may enter a tag for the milling directory to be created. The system will then create a sub-directory, named after the tag with the suffix mill, at the beginning of the indicated directory. This directory comes with a variety of new command buttons and examples of code pieces that can be assembled for the tasks the user wants to perform.

[Figure: navigator window for the milling directory Examples_TAG_mill (kreitz user theories), which offers the additional command buttons FilterSource, AppendSource, TransformTargets, ViewTargets, FilterTargets, CopyTargets, TargetsAp, Rerun and Bot, and contains the example objects aux (DIR), a FilterSource code object ("By Kind and Name Search": let kind = STM and namestring = ...), packages (DIR), FilterSource (DIR), Target_Aps (DIR) and Target_Filters (DIR).]
applies it to the current proof goal. The proof goals generated by the tactic will be added to the proof tree as children of the current proof node and displayed as subgoal sequents still to be proven. The validation is stored in the proof node as well but remains invisible. Upon completion of the proof, the validations of all proof nodes are composed into a proof for the initial proof goal, which provides computational evidence for the validity of the initial theorem.

Tactics can either be built from elementary inference rules using the function refine (see Section 8.1.3), by composing existing tactics into new ones using tacticals (see Section 8.8), or by more sophisticated ML programs that analyze the proof context before initiating a refinement step. This makes sure that all refinements performed by tactics are eventually based on elementary inference rules and thus correct with respect to the underlying logic.[2] Applying a tactic to a proof goal may produce incomplete proofs or not terminate, but it always results in a valid proof.

Nuprl's standard library contains a large collection of useful tactics that have been developed over the past 15 years. Users may extend that collection by adding their own tactics as code objects to their personal directories. But in most cases it is sufficient to use the existing tactics and to combine them through tacticals. In the rest of this chapter we will describe the most important standard tactics contained in
different fashion.

8.7 Miscellaneous Tactics

Type Inclusion

Inclusion: Prove goals of the form i. t ∈ T ⊢ t ∈ T' or ⊢ t ∈ T ⇒ t ∈ T', where either the types T and T' are equivalent or T is a proper subtype of T'. Inclusion also solves similar goals where one or both of the membership terms are replaced by equality terms. The specific kinds of relations between T and T' that Inclusion currently handles are, roughly:
- T and T' are the same once all soft abstractions are unfolded.
- T and T' are both universe or prop terms, and the level of T is no greater than the level of T' for any instantiation of level variables.
- T and T' are each formed by using subset types, and both have some common superset type. In this case Inclusion tries to show that the subset predicates of T' are implied by the subset predicates of T together with other hypotheses.
- T and T' have the same outermost type constructor. In this case the inclusion goal is reduced to one or more inclusion goals involving the immediate subterms of T and T'. This currently works for function, product, union, and list types.
- T is a subtype of T' according to a lemma in the library.

For the inclusion reasoning involving subset types to work, one has to supply information about abstractions involving subset types using the function add_set_inclusion_info. The theory int_1 contains several examples of the use of this function.

Squash Stability and Hidden Hypothes
necessarily identical to their abstract form. Usually they are presented in a more conventional notation which is created by the display forms described in Chapter 7. In the table below we present the standard display of Nuprl terms immediately below their abstract form.

Redex                                               Contractum
(λx.u) t                                            u[t/x]
let x,y = <s,t> in u                                u[s,t/x,y]
case inl s of inl x → u | inr y → v                 u[s/x]
case inr t of inl x → u | inr y → v                 v[t/y]
if a = b then s else t  (atoms a, b)                s if a = b, t otherwise
ind(0; x,fx. s; base; y,fy. t)                      base
ind(i; x,fx. s; base; y,fy. t), i > 0               t[i, ind(i-1; x,fx. s; base; y,fy. t) / y, fy]
ind(i; x,fx. s; base; y,fy. t), i < 0               s[i, ind(i+1; x,fx. s; base; y,fy. t) / x, fx]
-i                                                  the negation of i as a number
i + j                                               the sum of i and j
i - j                                               the difference of i and j
i * j                                               the product of i and j
i ÷ j                                               0 if j = 0, the integer division of i and j otherwise
i rem j                                             0 if j = 0, the division rest of i and j otherwise
if i = j then s else t                              s if i = j, t otherwise
if i < j then s else t                              s if i < j, t otherwise
list_ind([]; base; x,l,fl. t)                       base
list_ind(s.u; base; x,l,fl. t)                      t[s, u, list_ind(u; base; x,l,fl. t) / x, l, fl]
in Nuprl's 8-bit font.
- Listings of theory files use Nuprl's 8-bit font. These files contain definitions, theorems, and proofs, and it is often useful to be able to browse them.

3.3 Starting Nuprl 5

The basic Nuprl 5 configuration consists of three separate processes: a library, an editor, and a refiner. In single-user mode you have to start all three processes. In multi-user mode you will connect to an already running library process and only have to start an editor and an optional refiner, after setting up your nuprl config file accordingly. It is important to initialize the library before the editor and the refiner.

Generally it is a good idea to run the Nuprl 5 processes in separate emacs frames. In addition to editor support for the corresponding top loops, this also allows you to define an interactive emacs command that starts all three processes and initializes them correctly. The Nuprl distribution provides a few utilities for starting the Nuprl 5 processes from within emacs buffers. Consult the file README running nuprl for instructions on how to use them.[4]

The next three subsections describe three interactive emacs commands: nulib, nuedit, and nurefine. If you add these and the following definition of the emacs command nuprl5 to your .emacs file, you may start Nuprl 5 from emacs by typing M-x nuprl5.

[3] The table of Nuprl's special characters (Table 5.1 on page 73) is actually based on a font nuprl-8x13 which extends nuprl-13 by a
[Rule schemata for product types, not reproduced here: spreadEquality z C x S×T s t y, productElimination i s t, spreadReduce.]

Basic Inference Rule (with required arguments):
dependent productFormation v S, independent productFormation, productEquality v, independent productEquality, dependent pairEquality j v, dependent pairEquality2 j v, dependent pairFormation j s x, independent pairEquality, independent pairFormation, spreadEquality z C x S×T s t y, productElimination i s t, spreadReduce.

Corresponding Tactic (with optional tacticals):
EqCD, EqCD With s, D 0, ReduceEquands 0, At U, With s New z, D 0, ReduceAtAddr 2 0.

A.3.3 Disjoint Union

[Rule schemata for disjoint unions, not reproduced here: unionFormation (⊢ Uj ext S|T), inlEquality j (⊢ inl s = inl s' ∈ S|T), inrEquality j (⊢ inr t = inr t' ∈ S|T), unionEquality (⊢ S|T = S'|T' ∈ Uj), inlFormation j (⊢ S|T ext inl s), inrFormation j (⊢ S|T ext inr t).]
in the declaration x has type α list throughout its textual scope, and store and fetch receive types of the form α → α list and void → α list, respectively. In the two ensuing phrases they get the respective types term → term list and void → thm, instances of their declaring types, and the value of eureka is a contradictory formula masquerading as a theorem. The problem is that the type checker has no simple way of discovering the types of all values assigned to the polymorphic x, since these assignments may be invoked by calls of the function store outside the textual scope of x. This is not possible under our constraint. However, polymorphic assignable identifiers are still useful; consider

  let rev l = letref l1, l2 = l, [] in
              if null l1 then l2 loop l1, l2 := tl l1, (hd l1) . l2

Such uses of assignable identifiers for iteration may be avoided given a suitable syntax for iteration, but assignable identifiers are useful for a totally different purpose, namely as own variables shared between one or more functions, as in the store/fetch example. Our constraint of course requires them to be monomorphic; this is one of the few cases where the user occasionally needs to add an explicit type to a program.

B.5.4 Type abbreviations

The syntax of type abbreviation bindings, tab, is

  tab ::= id = ty | tab and id = ty

Then the declaration lettype tab, in which each ty must be a monotype built from basic types and previously defined types, allows you to introdu
combinations to commands of Nuprl's term editor as well as to navigator and proof editor commands. Bindings can be made globally or depending on the context of the cursor. Table 5.3 lists the term editor fragment of a standard mykeys macro file with the default bindings. Users should exercise caution when changing global bindings, as these may have unwanted effects on the navigator and the proof editor.

Chapter 6 Interactive Proof Development

Whenever an object of kind STM is opened, Nuprl's proof editor will be invoked on it. The proof editor provides an interactive method for constructing and modifying proofs in a highly visual fashion. Users enter a goal statement and develop its proof in a top-down fashion: proof goals will be refined into smaller subgoals until all subgoals represent basic axioms or already proven facts. In this chapter we will first describe the general structure of Nuprl proofs and then discuss the features and usage of the proof editor.

6.1 Proof Structure

Nuprl's inference system is based on the notion of sequents. These are objects of the form

  H1, ..., Hn ⊢ C ext t

which are read as "under the assumptions Hi we can prove that the type C is inhabited by some member t". C is called the conclusion of the sequent and the Hi the hypotheses.[1] A hypothesis is either an assumption A or a type declaration x:T. A type declaration x:T is considered to bind free occurrences of the variable x in the terms to t
find them somewhat awkward to use. The definition for selecting the i-th element of a list l, for instance, would typically be expressed as

  l[i] == if i < 0 then hd l else (tl l)[i-1] fi

This definition, however, involves a simultaneous recursion over both the list l and the index i. Although it is possible to express this in a primitive recursive fashion, a direct representation of the above definition would certainly be more natural. Nuprl therefore provides a mechanism for a controlled introduction of general recursive definitions using the Y combinator. This mechanism proceeds in two separate phases.

In the first phase, clicking the AddRecDef command button will create a code object that contains the ML function add_rec_def_at, which will later build the actual definition. For the sake of comprehensibility the function is encapsulated in a formal definition and initially appears as the template lhs ≡r rhs. A user has to provide the left hand side and the right hand side of the recursive definition as arguments to this function. A third argument to the function is the location where the definition is to be placed. To make sure that the function does not execute every time the object is viewed and closed again, this third argument is initially set to inl 0. After the user has entered the left hand side and the right hand side of the recursive definition and closed the code object, clicking the NavAtAp button (Section ) will create the
refiner can be invoked independently from each other. This may be helpful if one of the processes breaks and has to be completely restarted, or if several refiners and/or editors shall be started.

3.3.3 Starting the Editor

To start the editor, enter the command nuedd 1 into a shell and then proceed as before:

  SHELL PROMPT> nuedd USER 1
  top
  ML[ORB]> go

Again, the library's go command must precede that of the editor. The library contains a variety of explicit set-up information that the editor needs to receive in order to determine how to display data, e.g. how to present the directory structure of the knowledge base, when and how to pop up windows, the location and meaning of editor buttons, etc. Because of the amount of communication between the editor and the library, it takes several minutes until the editor process is set up correctly. When it is ready, it will return with another prompt ML[ORB]>. Enter win () to have the editor pop up Nuprl 5 windows:

  ML[ORB]> win ()

The editor will establish a connection to the X windows system and then pop up two windows, a navigator and a top loop, which will be explained in detail in Chapter 4. Afterwards it will return with another prompt ML[ORB]>. The Nuprl top loop can be used for issuing commands to the library, refiner, and editor processes and provides support for editing Nuprl 5 terms (see Section 5.3). Users may safely iconify the emacs windows of
ing SPQ, move to the position where the object should be placed, and then click OK. Objects may also be copied by typing copy_object_after directory position name obid into the editor ML top loop, where directory is the object identifier of the directory, position the name of the object after which the copy shall be placed, name the name of the copy, and obid the object identifier of the object to be copied.

4.3.2.5 Links

Links are named references to objects in the library, similar to links or shortcuts in operating systems. Unlike copies of objects, different links refer to the same object, and changes to the object will be visible from wherever it is referenced. For consistency reasons a directory may not contain duplicate references to the same object. To create a link one has to click the MkLink command button. This will open a template on top of the command zone into which the user may type the name of the link to the object. If the link is not placed in a different directory (by leaving the command zone and moving into that directory), creating the link will rename the reference to the object but keep its internal name. Links may also be created by typing dyn_mklink directory position name obid rmdup into the editor ML top loop, where rmdup is a boolean flag indicating whether or not to remove duplicate links to the same object from the directory. This flag should usually be set to true.

4.3.2.6 Removing Objects and L
ing meta parameters explicitly makes it easier to identify them as such. In general, the term on the left hand side of an abstraction can have a mixture of normal and meta parameters. You can define a family of abstractions which differ only in the constant value of some parameter. However, it is an error to make two abstraction definitions with left hand sides that have some common instance.

7.1.3 Attributed Abstractions

A recently added feature of abstraction definitions is an optional list of attributes or conditions. An attribute is simply an alphanumeric label associated with the abstraction, and the general form of an abstraction with conditions c1, ..., cn is

  c1, ..., cn  lhs == rhs

Abstraction conditions can be used to hold information about abstractions that may be useful to tactics and other parts of the Nuprl system. They could, for instance, be used to group abstractions into categories, and when doing a proof one could ask for all abstractions in a given category to be treated in a particular way, e.g. to unfold all abstractions of a category "notational abbreviations".

7.1.4 Editor Support

In this section we describe the editor support for abstraction objects. An abstraction can be viewed by opening it with the navigator (Section ) or by using the VIEW ABSTRACTION command (C-X ab) on a term containing an instance of it (Section 5.7). The following commands and key sequences may be used for editing abstractions:
definition of a in t.
FoldsC as / FoldC a: Fold all instances of abstractions whose operator identifiers are listed in as.
RecFoldC a: Fold all instances of the recursively defined term a in t.
ReduceC, AbReduceC, PrimReduceC, ForceReduceC force: Repeatedly contract all redices in t with maximal strength (force), starting from the root.
EvalC as: Repeatedly unfold abstractions listed in as, starting at the leaves, and then contract all redices.
NormalizeC, SemiNormC as: Repeatedly unfold abstractions listed in as, starting at the root, and then contract redices.
IntSimpC: Rewrite t into arithmetical canonical form.

8.9.4 Conversionals

Conversionals provide the means for sequencing conversions, in a way similar to the basic tacticals described in Section , and for applying them to subterms in a controlled fashion.
c1 ANDTHENC c2: Apply c2 to the result of c1. Fail if either c1 or c2 fails.
c1 ORTHENC c2: Apply c2 to the result of c1, or to t if c1 fails.
c1 ORELSEC c2: Apply c1. If this fails, apply c2.
RepeatC c / RepeatForC n c: Repeat c until it fails (exactly n times).
ProgressC c: Apply c, but fail if c does not change the term.
TryC c: Apply c. If this fails, leave the term unchanged.
AllC cs: Iteratively apply all conversions from cs. Fail if one of them fails.
SomeC cs: Iteratively apply all applicable conversions from cs.
FirstC cs: Apply the first applicable conversion from cs.
SubC c: Apply c to all immediate subterms of t in left to rig
Links

To remove an object in a theory one simply moves the navigation pointer to it and clicks the RmThyObj button. This will remove the object from the current directory but preserve external links to it. The same effect can be achieved by typing lib_rm_thy_obj directory name into the library ML top loop, where directory is the object identifier of the directory in which the object to be deleted resides and name a token describing its name. Similarly, clicking RmLink will remove a reference to an object from the current directory. The effect is almost the same as RmThyObj, but the command will be executed by the editor instead of the library and will not immediately affect proof tactics that refer to the object.

Some theories also provide a RmDir button which allows removing a directory and all the objects contained in it. Since this is a dangerous operation, the user is asked for confirmation to avoid that a directory is wiped out accidentally. Directories can also be removed by typing delete_tree directory name into the editor ML top loop. In this case the command is executed without asking for confirmation.

Some editor commands, such as AddRecDef and AddRecMod, create groups of objects related to each other. Nuprl offers a convenient method for removing all these objects by a single command. For this purpose one has to position the navigation pointer at the recall object of the group (an object of the form recall_group_name) and click
ion. A proof is complete if it has no unrefined nodes, which means that the goals of the leaf nodes are completely proven by their inference rules. In this case the top goal of the proof, i.e. the goal of the root node, is called a theorem. The extract term of a theorem can be constructed bottom-up using the instructions contained in each of the inference rules occurring in the proof.

In Nuprl, sequents, rules, and proofs are abstract data structures that are accessible from ML. Like all system components they are implemented in the form of abstract terms, and in principle all term editing features described in Chapter 5 can be applied to them. However, all modifications to a proof have to pass through the proof editor before they are saved to the library, which ensures that all the proofs in the library are correct. In the sections below we will briefly describe the essential aspects of these data structures.

6.1.1 Sequents

The data structure of sequents consists of a list of hypotheses H1, ..., Hn and a conclusion C. The conclusion is a proposition of Nuprl's logic, while each hypothesis may either be an assumption (i.e. a proposition) or a type declaration. For the sake of uniformity, assumptions are considered type declarations with invisible variables. Furthermore, a sequent may contain hidden hypotheses. These are hypotheses that cannot be used for constructive reasoning but become accessible in parts of the proof that do not contribu
ion. After the user has created or re-opened an obid collector, the collector command zone contains a variety of buttons that modify the collector (shown on the right of Figure 4.12):
- Hide: hides the collector command zone by iconifying it to a button ObidCollector.
- ToggleObidList: hides or shows the list of object identifiers in the collector.
- Collect: adds the object at the navigation pointer to the collector.
- FindNames: starts a dialog to search for objects in the library by name. If the string entered by the user matches the name of an object exactly, then its object identifier will be added to the collector. This is useful for finding objects not in the directory tree and then adding them to a directory with InsertCollectorIntoDir.
- Reload: loads the stored object identifier list into the collector's navigator cache.
- Save: dumps the object identifier list from the collector's navigator cache to the collector object.
- View: opens the collector object for editing purposes.
- Finish: saves the object identifier list and then removes the collector from the navigator.
- Clear: clears the collector's navigator cache.
- DeleteDirFromCollector: subtracts the object identifiers of objects in the current navigator directory from the collector.
- InsertDirIntoCollector: adds all object identifiers of objects in the current navigator directory to the collector.
- DeleteCollectorFromDir: removes the object identifiers
ion 5.4.2. The various kinds of formats are summarized in the table below. The Name column gives the name that has to be entered into a term slot to create the format, while the Display column describes how the format will be presented within a display form definition.

Name     Display        Description
slot     <id:ph>        text slot format
lslot    <id:ph:L>      term slot format
eslot    <id:ph:E>      term slot format
sslot    <id:ph:*>      term slot format
pushm    [push i]       push margin
popm     [pop]          pop margin
break    [break]        break
sbreak   [sbreak]       soft break
hzone    [HARD]         start hard break zone
szone    [SOFT]         start soft break zone
lzone    [LIN]          start linear break zone
ezone    [end]          end break zone
space    [Space]        optional space

7.2.3.1 Slot Formats

Slot formats are placeholders for the children of a display form instance. Text slots are generally used for meta parameters and meta bound variables, while term slot formats contain meta terms. The id in a slot format is the name of the slot. The slot corresponds to the meta variable of the right hand side term with the same name. ph is placeholder text which will appear, enclosed within [ ]s, in the slot whenever it is uninstantiated in some instance of the display form. The L, E and * options on the term slot formats control parenthesization of the slot and are discussed in Section .

7.2.3.2 Margins

The margin control format pushm i, where i > 0, pushes a new left margin i characters
conventionally numbered from left to right, starting from 1. These hypothesis numbers are displayed by the proof editor, and tactics usually refer to hypotheses by these numbers. Sometimes it is convenient to consider the hypotheses numbered from right to left, and for this reason tactics consider a hypotheses list H1, ..., Hn to also be numbered H-n, ..., H-1. Occasionally the index n+1 or 0 is used to refer to the position to the right of the last hypothesis.

[2] An experienced Nuprl hacker will of course find ways to bypass these mechanisms and modify proofs without using elementary inference rules. However, the dependency tracking mechanisms of Nuprl's library are able to detect theorems whose proofs were constructed that way and to identify all library objects that depend on such theorems. Thus it is possible to account for the validity of theorems even in the presence of hacks.

There are tactics which work in similar ways on both hypotheses and the conclusion. In this case we call the hypotheses and the conclusion collectively clauses, refer to the conclusion as clause 0 and to hypothesis i as clause i. As a convention in this manual, we prefix a hypothesis with a number followed by a period if we want to indicate explicitly the number of a hypothesis in a schematic sequent. For example, if hypothesis i is the proposition P, we write the hypothesis as i. P.

8.2.1.2 Universes and Level Expressions

In Nuprl's type theory, types are groupe
is printed (Section 4.3.3.8).

4.3.2.14 Proof Help

Nuprl offers users a minimal form of online help for the development of proofs. Clicking the ProofHelp button will open a comment object that describes the most important standard key bindings for the proof editor. Further online documentation will be added in the future. Clicking the ProofStats button while the navigator points to a statement object will pop up a window displaying some statistics about the proof of that statement. This can also be achieved by typing the command show_stm_stats object into the editor ML top loop.

4.3.3 Theory Operations

Theories are groups of objects that describe the definitions, theorems, and specific methods of reasoning of a mathematical or computational discipline. Formally they are organized like directories, but they contain objects describing their dependencies on other theories, and they can also be associated with different sets of command buttons. For structuring purposes, theories may be broken into sub-theories. However, these have to be ordinary directories instead of theory objects, since otherwise the dependency tracking mechanism may get confused when sub-theories are moved.

4.3.3.1 Object Dependencies and Reference Environments

While the notion of correctness of a formal proof is easy to define (see Chapter 6.1), the correctness of a formal theory depends on the fact that there is no circular chain of lemma references in its proofs
display form are considered to be the immediate children of the display form, and the editor considers slots ordered in the order they appear, left to right, in display form definitions. In this manual we refer to terms by their display notation rather than their abstract syntax unless we want to emphasize their logical structure. Also, in our description of the editor we talk informally about nodes of terms when we are actually referring to nodes of the corresponding display form trees.

5.2.2 Editor Modes

Users can navigate through a term by moving a cursor, sometimes called the point. Depending on the position of the cursor, the term editor will be in one of three modes, which are indicated by the shape of the cursor.

In term mode the cursor is positioned at some node of the term tree. The term node is indicated by highlighting its notation and the notation for all its subtrees. The highlighting is usually achieved by using reverse video (swapping foreground and background colors). For example, ∀i:ℤ. ∃j:ℤ. j = i+1 with the subterm j = i+1 highlighted indicates that a term cursor is at that subterm. Occasionally a term has no width, and a term cursor on such a term is displayed as a thin vertical line. In this document we indicate such a cursor by |. In term mode, keystrokes corresponding to printing characters form parts of editor commands.

In text mode the cursor is positioned within a text slot and is displayed with a distinct cursor shape. Keystrokes corresponding to printing charac
heuristic for determining from the proof context which of the two must be applied, although this is possible in limited application domains. Instead, a user has to select between the two rules using the tactical Sel. The rule inlFormation j will be executed by writing Sel 1 (D 0), while Sel 2 (D 0) leads to the execution of inrFormation j. In both cases a universe level can also be supplied. A complete description of all the inference rules currently present in the Nuprl system, as well as the corresponding single-step tactics, can be found in Appendix A.

8.2 Introduction to Tactics

The creation and modification of proofs in Nuprl is based on the concept of tactics. Logically, tactics are functions that represent valid refinements: they convert a proof goal into a list of subgoals such that the validity of all the subgoals implies the validity of the initial proof goal. They range from elementary inference steps to sophisticated proof strategies that can solve major proof problems automatically. Technically, tactics are functional programs written in the ML programming language (see Appendix B). They take as input a proof goal and return a list of proof goals and a validation. The validation is a function that constructs a proof for the initial goal from proofs for the subgoals and thus validates the refinement step performed by the tactic.

Tactics are usually initiated from within the proof editor. After the user types in the tactic, the proof editor appl
with the reduction rule for the redex. The strength is associated with the canonical term that is the principal argument of the redex. Strengths can be associated with canonical terms using the function note_reduction_strength opid strength. The currently supported strengths, in increasing order, are:
1. beta redices
2. other primitive redices
3. abstract redices (recursive)
4. abstract redices (non-recursive)
6. module projection functions with coercion arguments
7. functions creating module elements from concrete parts
8. quasi-canonical redices
9. irreducible terms

Contraction conversions that should be sensitive to the force of reduction can be added to the abstract redex table using the function add_ForceReduce_conv opid c, where opid is the operator identifier of the outermost term of the redex and c is a conversion that takes a token argument for the force with which contraction of the redex is being attempted. If the outermost term is an iterated apply term, then opid refers to the operator identifier of the term at the head of the application.

8.9.3 Composite Direct Computation Conversions

The following conversions are commonly used for folding and unfolding abstractions and for the evaluation of primitive and abstract redices in a term.
UnfoldsC as / UnfoldC a: Unfold all occurrences of abstractions listed in as, starting at the leaves of t.
RecUnfoldC a: Unfold all occurrences of the recursive def
ity j, quotient_memberFormation j, quotient_memberEquality j, quotient_equalityElimination i j v, quotientElimination i j 1 y v, quotientElimination_2 i j 1 y v; EqCD, QuotEqCD, WeakEqTypeCD, EqTypeCD, EqTypeD 1, D i, QuotD i, QuotientHD x y i

A.3.15 Direct Computation

  TFC ext ty by direct computation tagC  DF Cliaga ext t
  TFC ext ty by reverse direct computation tagC  D E CTiaga ertt
  D zs T AF C ext by direct computation hypothesis i tagT  T 2 T tag T AF C ext
  D z T AFC xt by reverse direct computation hypothesis i tagT  D z TT tagT gt AFC ext

Basic Inference Rule                                   Corresponding Tactic (with required arguments, with optional tacticals)
direct computation tagC                                ComputeWithTaggedTerm tagC 0
reverse direct computation tagC                        RevComputeWithTaggedTerm tagC 0
direct computation hypothesis i tagT                   ComputeWithTaggedTerm tagT i
reverse direct computation hypothesis i tagT           RevComputeWithTaggedTerm tagT i

A.3.16 Miscellaneous

  D zx T AF T exu by hypothesis i
  D AF C ext Oz 5 by cut i T z  D AF T ext 5  D zx T AF C ygxti
  D zT AFC ext by hyp replacement i S j  D z S AF C gexty  DU 2 7 ArTe S U Ax
  Lr C ext t by lemma theorem_name
  TEC ext te by instantiate I c  Irc jext 1j
  TEC ay by because
  D zx T AF C extt by thin i  T AFC ext 1j
  TET ext t by introduction t  TrteT ay
  PTrteT wy by extract theorem_name  DEC
ken parm
  C LED    next leaf to right
sparm      insert string parm
  M LED    next leaf to left
nparm      insert natural number parm
  y        next empty slot to right
C 0        open bterm parm bvar slot to left
  C L1     next empty slot to right
M 0        open bterm parm bvar slot to right
  M L1     next empty slot to left

Table 5.2: All key and mouse commands

  Arrow keys
  Default
    UP     m p
    LEFT   n b
    RIGHT  m f
    DOWN   m n
  Text
    RIGHT  text m X screen right
    LEFT   text m X screen left
  Mouse keys
    MouseLeft       cm X mouse mark then set point
    c MouseLeft     cm X mouse mark then set point to term
    MouseMiddle     m X view disp
    c MouseMiddle   cm X mouse paste
    m MouseMiddle   cm X mouse paste next
    cm MouseMiddle  cm X mouse paste copy
    MouseRight      m X view abs
    c MouseRight    cm X mouse cut
    m MouseRight    cm X mouse save
    m X blink
    cm MouseRight   cm X mouse delete

Table 5.3: Term editor fragment of the standard mykeys macro file

5.8 Customizing the Editor

The current key bindings of NUPRL's term editor, which are summarized in Table 5.8, are intended to be reminiscent of Emacs's key bindings and compatible with previous releases of NUPRL. Users who wish to change the default bindings may do so by putting a file called mykeys macro into their home directory. In this file one may define bindings of keys or key comb
l the input will be discarded and the statement object remains empty. To commit a proof goal explicitly to the library, one may use the key combination C-M-g. This will save the main goal into a proof object, which will be linked to the statement object that is currently being viewed. Currently all input until the first will be ignored; this is an interface bug that will be corrected in the future. Using C-M-g is required if one wants to change an already existing main goal: simply editing the goal is not sufficient, and an error message will be produced if a user tries to refine a modified proof goal that has not yet been committed. Changing a proof by modifying either its main goal or one of the refinement steps will remove it from the proof window, but not from the library. Previous versions of a proof may be recovered by walking through the proof editor history (see Section 6.4.2 for details).

6.3.2 Refining Proof Goals

To refine a proof goal, one uses the arrow keys or the mouse to move the cursor into the text slot for entering proof tactics and then types the name of the tactic to be applied. Tactics are ML functions that may have NUPRL terms and other parameters as arguments (see Chapter 8). The structure and special editing commands for tactics are the same as for CODE objects. NUPRL terms may be entered using the term editor after opening a term slot with C-o (Section 5.4.2). Other tactic arguments have to follow the s
l insert a term of the form variable x v a a, where x is the variable's name and n > 0 is a natural number. The library display form object for this term is named so_varn, so this family of names can be used to reference them. Note that abstraction objects are the only places where these second-order variable instances are used. When writing propositions, second-order variable instances are simulated using the so_applyn abstraction.

CYCLE META STATUS converts a parameter into a meta parameter if the text cursor is in the parameter's text slot. If the parameter is already meta, using this twice will cycle its status back to being a normal parameter.

SELECT TERM OPTION enables a user to add conditions to an abstraction. By default an abstraction definition term has an empty condition sequence as a subterm, which is hidden by the display form for abstractions. Moving the term cursor over the whole abstraction term and using SELECT TERM OPTION will add an empty term slot for a condition. The condition term is much like the term for variables: it has a single text slot and otherwise no other display characters. To get additional slots for condition terms one may use OPEN SEQ TO LEFT or OPEN SEQ TO RIGHT.

7.2 Term Display

Display form objects are used to control the visual presentation of formal mathematical concepts. They define how a term shall appear when it is being displayed on the screen or printed on paper. This enables users
l position p  List Scroll  Total 1  Point 0  Visible 1

Move the mouse cursor into the new window and click left in the goal slot. This initializes the NUPRL 5 term editor in this slot. The goal is now entered in a structural top-down fashion. Entering all↵ creates the template for the universal quantifier:

  top  V[var]:[type]. [prop]  BY

The var slot of the all template is a text slot and will not be interpreted. Entering A↵ inserts the character A in the variable slot and moves the edit point to the next slot. The type and prop slots are term slots, which means that input will be interpreted and may open new templates. Entering prop↵ ↵ all↵ inserts the propositional universe term (whose name prop has nothing to do with the prop in the prop placeholder) into the type slot, and another template for the universal quantifier in the prop slot:

  top  VA:P. V[var]:[type]. [prop]  BY

Entering B↵ prop↵ ↵ fills the second quantifier. Notice that the two quantifiers get contracted, as A and B have the same type P:

  top  VA,B:P.  BY

Entering the rest of the theorem is straightforward. Typing implies↵ creates the implication template. Entering or↵ not↵ A↵ not↵ B↵ generates ¬A ∨ ¬B, and ¬(A ∧ B) is generated by not↵ and↵ A↵ B↵. Before a statement can be used in a proof it must be committed to the permanent library. This can be done by using the key combination C
lay form definition and one or more tail definitions. A tail definition can only be used as an immediate subterm of a head in the same family or another tail in the same family. Choice of display form is also affected by the use of the iterate variable as the id of a term slot format (Section 7.2.3.1). If it is used in some term slot of a definition, then the definition is only usable if the same term occurs in the subterm slot that uses it. The following set of display forms for λ-abstraction terms, for instance, makes sure that the λ character is suppressed on nested occurrences:

  λ<x:var><t:term:E>  lambda(<x><t>)   Hd
  λ<x:var><:term:E>   lambda(<x><>)    HTl
  λ<x:var><t:term:E>  lambda(<x><t>)   HTl
  λ<x:var><H:term:E>  lambda(<x><>)    HTl

Using these, the term lambda x lambda y lambda z x will be displayed as λx y z.x instead of λx.λy.λz.x.

7.2.4.2 Parenthesization

Automatic parenthesization is controlled by certain display definition attributes, term slot options, and by definition precedences. A precedence is an element in the precedence order, which is determined by the precedence objects in the NUPRL library. A display form definition is assigned a precedence by giving it a prec attribute which names some precedence element. Precedence objects collectively introduce a set of precedence elements and define a partial order
le pairings of hypotheses with antecedents. If there are more antecedents than hypotheses listed, the antecedents not matched will manifest themselves as new subgoals to be proved. The main subgoal with the consequent asserted is labelled main. Unmatched antecedents are labelled antecedent, and the rest are labelled wf. Aliases are FwdThruLemma and FwdThruHyp. Forward chaining can take an optional argument (cf. Section 8.2.2), supplied by using the Sel tactical, to select a specific component of a conjunction or equivalence in a universal formula. An argument of 1 forces the tactic to treat the whole subformula as simple.

BHyp i, BLemma name: Backward chain through hypothesis i or lemma name, matching its consequent against the conclusion of the goal. Subgoals corresponding to antecedents of the lemma or hypothesis are labelled with antecedent; the rest are labelled wf. Aliases are BackThruLemma and BackThruHyp. An explicit list of variable bindings can be supplied to backward chaining as an optional argument by using the Using tactical. This argument is necessary if some of the variable bindings cannot be inferred by matching. For instance, Using [n, 3] (BackThruLemma int_upper_induction) would bind the variable n in the lemma int_upper_induction to the value 3.

BHypWithUnfolds i as, BLemmaWithUnfolds name as: Backward chain through hypothesis i or lemma name while unfolding the abstractions in as.

To inject a level expression L into a te
library.

abstraction objects introduce the abstract definition of a new term.
display objects define display forms for primitive terms and abstractions.
precedence lattice objects assign precedences for terms. Precedences control the automatic parenthesization of terms.
code objects contain the code of tactics and other ML code.
rule objects define primitive rules of the object logic.
directory objects define NUPRL theories. They contain lists of references to other objects and are used to add structure to the library.
comment objects contain comments. Comments have no logical significance, but can be used to link formal material to informal text.
term objects are used to represent all library objects whose kind is not specified. Inactive (see below) directories are considered term objects.

Statement objects, proofs and inferences are discussed more in Chapter 6, abstractions in Chapter 7.1, display forms and precedences in Chapter 7.2, rules and tactics in Chapter 8, and ML code in Appendix B.

The properties contain status information that is helpful for maintaining the object, tracking dependencies, building justifications, etc. The most common properties are:

- A liveness bit indicating whether the object is active and may be referenced by others.
- A sticky bit indicating whether the object may be removed from the library table during garbage collection. Most objects are not sticky.
- A description of clients
lly, the matching and substitution functions used by NUPRL are a little smarter than shown above, as they try to maintain names of binding variables. The result one would get in NUPRL would be

  di T i 0 Z Vy Z y 0 eZ gt y i8 Z

NUPRL does not allow nested bindings on the left-hand side of abstraction definitions. All variables must either be first-order or second-order variables with first-order variable arguments.

7.1.2 Parameters in Abstractions

Abstractions can also contain meta parameters, i.e. placeholders for parameters that matching and substitution treat as variables. We usually indicate that a parameter is meta by prefixing it with a sign. For example, we might define an abstraction label x t i n as shown below:

  label tok t nat n  <tok, nat>

Meta parameters make it possible to map parameters in newly defined abstractions onto parameters of existing terms. In the above example, labels are defined as pairs of tokens and natural numbers, and the parameter tok is mapped onto the parameter of the term token, while the parameter nat is mapped onto the parameter of the term natural_number, which is revealed when the right-hand side of the definition is exploded into

  _pair(token{tok:t}, natural_number{nat:n})

Level expression variables occurring in level expression parameters of abstraction definitions are always considered meta parameters, so there is no need to designate them explicitly. However, indicat
losed between string quotes, i.e. ascii 34 ("). "this is a string" is a string:

  "this is a string";;
  "this is a string" : string

Although similar, strings and tokens are implemented differently in Lisp: strings are implemented as character arrays and tokens as symbols. The implementation affects the efficiency of such operations as comparison and concatenation. Tokens are much slower to concatenate, but faster to compare.

B.2.10 Polymorphism

The list processing functions hd, tl, etc. can be used on all types of lists:

  hd [1;2;3];;
  1 : int
  hd [true;false;true];;
  true : bool
  hd [(1,2);(3,4)];;
  (1,2) : int int

Thus hd has several types; for example, it is used above with types int list -> int, bool list -> bool and int int list -> int int. In fact, if ty is any type, then hd has the type ty list -> ty. Functions like hd with many types are called polymorphic, and ML uses type variables etc. to represent their types:

  hd;;
  list ->

  letrec map f l = if null l then [] else f (hd l) . map f (tl l);;
  map : ( -> ) -> list -> list
  map fact [1;2;3;4];;
  [1;2;6;24] : int list

The ML function map takes a function f with argument type and result type and a list l of elements of type and returns the list obtained by applying f to each element of l, which is a list of elements of ty
lt x y gt i in y and the term lt a b gt 1 is an abstract redex which contracts to the term a. To contract abstract redices, the conversion AbRedexC consults an abstract redex table whose entries are created using the function add_AbReduce_conv opid c, where opid is the operator identifier of the outermost term of the redex and c is a conversion for contracting instances of the redex. Instances of add_AbReduce_conv are usually included in ML objects positioned immediately after the definitions of non-canonical abstractions.

An alternative method for indicating an abstract redex is to associate a reducible attribute (see Section) with a non-canonical abstraction, using the function add_reducible_ab opid. The AbRedexC conversion first unfolds all reducible abstractions at the top level of the term before further analyzing it to see if it is a redex. When this method is applicable, it is more concise than using add_AbReduce_conv.

Reduction Strengths and Forces

In some situations it is desirable to have some redices contracted but not others. To this end one may specify the strength of a redex and provide an optional force argument to tactics invoking direct computation conversions. Strengths and forces are arranged in a partial order on ML tokens. A redex is contracted only if the reduction force applied to it is greater than or equal to its strength. A strength is associated with a redex in two ways:

- The strength is directly associated w
luation failed div

  failwith (hd [`a`;`b`]);;
  evaluation failed a

A failure can be trapped: the value of the expression e1 ? e2 is that of e1, unless e1 causes a failure, in which case it is the value of e2.

  hd (tl [2]) ? 0;;
  0 : int
  1/0 ? 1000;;
  1000 : int

  let half n = if n = 0 then failwith `zero`
               else let m = n/2 in if n = 2*m then m else failwith `odd`;;
  half : int -> int

The function half only succeeds on non-zero even numbers: on 0 it fails with zero, and on odd numbers it fails with odd.

  half 4;;
  2 : int
  half 0;;
  evaluation failed zero
  half 3;;
  evaluation failed odd
  half 3 ? 1000;;
  1000 : int

Failures may be trapped selectively on a token: the value of e1 ?? `t1 ... tn` e2 is that of e1 unless e1 fails with token t; if t is one of t1 ... tn, the value is that of e2, otherwise the expression fails with t.

  half 0 ?? `zero plonk` 1000;;
  1000 : int
  half 1 ?? `zero plonk` 1000;;
  evaluation failed odd

One may add several traps to an expression, and one may add a trap at the end as a catch-all:

  half 1 ?? `zero` 1000 ?? `odd` 2000;;
  2000 : int
  hd (tl [half 4]) ?? `zero` 1000 ?? `odd` 2000 ? 3000;;
  3000 : int

One may use ! or !! in place of ? or ?? to cause re-iteration of the whole constru
ly used at top level, so that their scope is the remainder of the top-level program. But for non-top-level declarations a simple constraint ensures that a value of abstract type cannot exist except during the execution of phrases within the scope of the type declaration. In the expression

  abs rec type vtyarg id ty and ... and vtyarg id ty with b in e

the type of e and the types of any non-local assignments within b and e must not involve any of the id. Finally, in keeping with the abstract nature of objects of abstract type, the value of a top-level expression of abstract type is printed as a dash, as functional values are. Users who wish to see such an object should declare a coercion function in the with part of the type declaration to yield a suitable concrete representation of the abstract objects.

B.6 Primitive ML Identifier Bindings

The primitive ML identifier bindings are described in this Section. Some useful derived functions are in Section. The primitive bindings are of two kinds:

- ordinary bindings
- dollared bindings, which are preceded by $, having prefix or infix status

The description of the ML value to which an identifier is bound is omitted if the semantics is clear from the identifier name and type given. For those functions whose application may fail, the failure string is the function identifier. Predeclared identifiers are not regarded as constants of the language. As with all other ML
m, allowing users to change its opid, the number and kind of its parameters, or its arity. They are most commonly used for creating new terms in an abstraction or for changing the definition of an abstraction. A term constructor is exploded by replacing it by a special collection of terms that make it possible to edit its structure. Exploded terms may be generated from scratch by typing exterm into an empty term slot, or by positioning the term cursor over a term and typing C-X ex. Exploded terms may be imploded again into the term which the exploded term represents by typing C-X im. The commands for editing exploded terms are summarized in the table below.

  C-X ex   EXPLODE TERM          explode term at cursor
  C-X im   IMPLODE TERM          implode term at cursor
  exterm   INSERT TERM exterm    insert new exploded term
  lparm    INSERT TERM lparm     insert level expression parameter
  vparm    INSERT TERM vparm     insert variable parameter
  tparm    INSERT TERM tparm     insert token parameter
  sparm    INSERT TERM sparm     insert string parameter
  nparm    INSERT TERM nparm     insert natural number parameter
  C-0      OPEN LIST TO LEFT     open new slot to left
  M-0      OPEN LIST TO RIGHT    open new slot to right

The editor is somewhat intelligent when opening new slots with OPEN LIST TO LEFT and OPEN LIST TO RIGHT. Depending on the context, the new slot will be a placeholder for a bound term (bterm), a bound variable (bvar) or a parameter (parm). To show how exploded
[Figure 4.6: Creating Recursive Definitions (library listing of the exists_uni_wf, listsel_create, listsel, listsel_df, listsel_RecUnfoldFold_conv, listsel_wf and recall_listsel objects; listing garbled in extraction)]

code object and created definition objects of the directory in which the new object shall be placed, and position the name of the object after which the definition shall be inserted. Thus, to create the above three objects within the ML top loop, one could type

  lib_thy_add_def exists_uni T x P(x)  ∃x:T. P(x) ∧ ∀y:T. P(y) ⇒ y = x ∈ T  (ioid Obid(kreitz not_over_and))

The refiner's def utility provides a more advanced method for creating definitions and their well-formedness theorems. This method, however, is less easy to use.

The AddDef mechanism is sufficient for creating non-recursive extensions of NUPRL's object language. For integers, lists and recursive data types, NUPRL's type theory also provides expressions that describe primitive recursion over these types (see the type theory Appendix). The terms ind(u; x,fx.s; base; y,fy.t), list_ind(s; base; x,l,f.t) and let f x = t in f e, however, are insufficient for describing more general forms of recursion, and most users f
m proofs for all the subgoals. Basic inference rules cannot be applied directly to a proof goal, but first have to be converted into a tactic. Technically this is done by calling a meta-level function refine that takes a primitive rule (that is, the name of a rule object) and the corresponding rule arguments, and generates a tactic that executes the rule. The function refine encodes NUPRL's mechanism for applying rule objects to proofs (cf. Section 8.1.1 above) and is the only method for creating proof tactics from scratch. This guarantees that all proof steps are eventually based on primitive inference rules and thus correct with respect to the implemented proof calculus.

In most cases the applicable inference rule and its arguments can easily be determined from the proof context. NUPRL's library therefore contains a small collection of single-step inference tactics that subsumes the complete set of elementary inference rules. Almost all primitive inferences can be expressed by the single-step decomposition tactics D, MemCD, EqCD, MemHD, EqHD, MemTypeCD, EqTypeCD, MemTypeHD, EqTypeHD and NthHyp. These tactics, which are described in detail in Section 8.3.1, uniformly apply to both the hypotheses and the conclusion of a proof goal. Often a user only has to give the index of the goal clause to which they shall be applied. The tactic then analyzes the syntactical structure of the indicated clause, identifies the applicable rule and tries to determin
me from the other windows. Experienced users can make further use of the function comint-send-string to send additional commands to the NUPRL 5 process at their convenience.

3.3.2 Starting the Refiner

Starting the refiner is similar to starting the library. In a shell, enter the command nuref:

  SHELL PROMPT> nuref

At the Lisp USER prompt, enter top↵:

  USER(1): top

At the ML prompt, enter go↵ to initialize the NUPRL 5 refiner:

  ML[ORB]> go

Although it is not necessary to wait for the library process before starting the refiner, it is important to enter the refiner's go command after the library's go. The library contains information about tactics and rules that the refiner needs in order to operate properly. Initially there will be only little exchange between the library and the refiner. The refiner process will return quickly with another prompt ML[ORB].

The following emacs script defines an interactive function nurefine that performs the above steps in a new emacs shell. It pops up a NuRefine window immediately below the editor window and starts the NUPRL 5 refiner in it.

  (defun nurefine ()
    (interactive)
    (nuprl-frame "NuRefine" 10 280 "nuref\n")
    (message "Starting Refiner")
    (set-foreground-color "Green4")
    (set-background-color "#ffffbb")
    (comint-send-string "NuRefine" "top\n")
    (comint-send-string "NuRefine" "go\n"))

It should be noted that the emacs functions nulib, nuedit and nuref
means add 3 4. In the expression add 3, the function add is partially applied to 3; the resulting value is the function of type int -> int which adds 3 to its argument. Thus add takes its arguments one at a time. We could have made add take a single argument of the cartesian product type int int:

  let add (x,y) = x + y;;
  add : int int -> int
  add (3,4);;
  3 : int
  let z = (3,4) in add z;;
  7 : int
  add 3;;
  ill-typed phrase: 3 has an instance of type int which should match type int int
  1 error in typing
  typecheck failed

As well as taking structured arguments (e.g. (3,4)), functions may also return structured results:

  let sumdiff (x,y) = (x + y, x - y);;
  sumdiff : int int -> int int
  sumdiff (3,4);;
  (7, -1) : int int

B.2.5 Recursion

The following is an attempt to define the factorial function:

  let fact n = if n = 0 then 1 else n * fact (n - 1);;
  unbound or non-assignable variable fact
  1 error in typing
  typecheck failed

The problem is that any free variables in the body of a function have the bindings they had just before the function was declared. fact is such a free variable in the body of the declaration above, and since it is not defined before its own declaration, an error results. To make things clear, consider

  let f n = n + 1;;
  f : int -> int
  let f n = if n = 0 then 1 else n * f (n - 1);;
  f : int
mediately before comint-send-string bufname cmd. Alternatively, you may change the eddhost setting in your nuprl config file to redirect the NUPRL windows to your local machine's X server.

3.4 Exiting NUPRL 5

When you are ready to stop, first stop the editor and refiner process, and lastly the library. To shut down gracefully, enter stop↵ at the ML prompts of the three processes:

  ML[ORB]> stop

As a result, the editor and refiner will communicate to the library that they will disconnect now, and then stop the respective ML and Lisp processes. The library process will cleanly shut down the knowledge base and then stop as well. Depending on the size of the knowledge base, this may take between a few seconds and several minutes.

It is important that you explicitly terminate the three NUPRL processes rather than just quitting out of the editor NUPRL 5 is running under. In the latter case the Lisp process can be left floating around in a hung state, hogging memory resources. This could also happen if your editor crashes or if you kill the shell or emacs buffer in which NUPRL 5 runs. You can use the Unix command ps to check for a hung Lisp process and the command kill to kill it. The interactive emacs command nuxit described below is a safe way to terminate NUPRL 5.

  (defun nuxit ()
    (interactive)
    (message "Shutting Down NuPRL 5 Library, Editor and Refiner")
    (comint-send-string "NuEditor" "stop\n")
    (comint-send-s
minated by a NO OP, then a term cursor is left at the new term. If name is terminated by some cursor motion command, then that command is obeyed.

INSERT TERM LEFT name is intended for use at a filled term slot. Its behavior is to (1) save the existing term in the slot, leaving the slot empty, (2) insert the new display form referred to by name into the slot, and (3) paste the saved term into the leftmost term slot of the new display form. If the new display form has no term slots, then the saved term is lost.

INSERT TERM RIGHT name behaves in a similar way to INSERT TERM LEFT, except that in step 3 the saved term is pasted into the rightmost term slot of the new display form.

SUBSTITUTE TERM name replaces one display form with another that has the same sequence of child text and term slots. The children of the old display form become the children of the new one. If the new display form has a different sequence of children, SUBSTITUTE TERM name tries something sensible, but in these cases it is safer to explicitly cut and paste the children.

INIT TERM initializes a term slot to some default term. INITIALIZE TERM is automatically invoked by NUPRL to initialize new windows. To re-initialize a window, place a term cursor at the root of the term in the window, delete the term, and then give the INITIALIZE TERM command. The default terms for particular contexts are described in various sections of this document. If no default has been designated, INITIALIZE TERM
mmediately after the abstraction object. No new object will be created if an object named absname_df already exists. Clicking AddDefDisp while the nav point is not at an abstraction will result in an error.

Currently there are no special command buttons for creating comments, inference rules or precedence objects. The command for creating abstractions has been subsumed by the mechanism for creating definitions, which is described in Section 4.3.2.2 below.

Objects can also be created by typing the command dyn_mkobj kind position directory name into the editor ML top loop, where

- kind is a token indicating the object's kind;
- position is a token indicating the object after which the new object shall be inserted. The empty token null_token is used to describe a position in an empty directory;
- directory is an object identifier indicating the directory in which the new object shall be placed. To create this identifier, one has to mark the directory object by clicking on it and yank the corresponding term into the editor top loop by entering C-y. The term will usually be displayed as Obid(directory_name). To convert this term into an object identifier, one has to apply the ML function ioid;
- name is a token indicating the name of the new object.

Thus, to create the theorem not_over_and with an editor command instead of using the interactive command initiated by MkObj, one could alternatively type dyn_mkobj stm null_token (ioid O
ms are separated by semicolons.

A.1.1 Operator Identifiers

Operator identifiers are character strings drawn from the alphabet a-z, A-Z, 0-9, _. An at the start of a character string indicates that the term does not belong to Nuprl's object language. Operator identifiers are implemented using ML type tok. Valid operators are listed in Nuprl's operator table, which contains the basic operators given in Table as well as conservative language extensions defined by abstractions in the library. We distinguish between the ASCII character and the character range x-y, indicating the characters from x to y.

Note that the operator identifier of a term is not always identical to the name a user has to type into Nuprl's term editor in order to generate the corresponding display template. The latter depends only on the information provided in the display form, while the abstract name can only be used to enter terms in the abstract (expanded) mode. Different names are, for instance, used for the simple inductive types (simplerec instead of rec) and the less-than predicate (lt instead of less_than). A complete list of display forms for the basic terms can be found in the system's core_1 theory.

Canonical  Noncanonical
n a universal quantifier or an implication in a hypothesis, the original hypothesis is left intact rather than thinned.

MemCD: Decompose the immediate subterm of a membership term in the conclusion. For primitive terms, MemCD uses the appropriate primitive equality rule. For abstractions it tries to use an appropriate well-formedness lemma. Soft abstractions will be unfolded if there is no appropriate well-formedness lemma. A subgoal corresponding to the n-th subterm will be labeled with label subterm and number n. Other subgoals are labeled wf. An example application of MemCD is shown on the right.

Well-formedness lemmata for a term t with operator identifier opid should have the name opid_wf and consist of a simple universal formula with consequent t ∈ T. Usually the subterms of t should all be variables, but constants are acceptable too. If more than one lemma is needed, the lemma names should be distinguished by suffixes to the opid_wf root. Usually MemCD attempts to use lemmata in reverse dependency order (i.e. the later ones do not refer to the former and are often more general), but different orders may be specified if needed. If the conclusion is a ∈ A, where a is an instance of t and A does not match any of the T of the lemmata, then MemCD tries matching a against the term t of the last lemma. If this succeeds and

Tactic   In the hypotheses   In the conclusi
n as the NUPRL 5 system is started. The library roughly operates like a database: modifications to theories, such as creating, deleting or editing objects, are immediately committed to the library. However, all changes may be undone if necessary. A backup of all previous versions of an object is kept until it is explicitly destroyed in a garbage collection process, which enables a user to recover previous versions if needed.

The navigator shows information on a segment of the library, which is sometimes called the user's work space. The format of the navigator window is discussed in Section. Commands for browsing, searching, editing and structuring library contents, as well as for controlling the navigator window, are discussed in Section 4.3. In the rest of this section we briefly explain the internal structure of NUPRL's library and its relation to the externally visible behavior of NUPRL.

4.1.1 Library Objects

Library objects are the common representation of all the contents of NUPRL's library. They are abstract terms that are associated with a kind, a variety of properties, and possibly with extra data. Abstract terms provide a uniform data structure for representing almost any kind of formal content. They consist of an operator identifier, a list of parameters and a list of bound subterms (see Chapter 5 for a detailed description). The abstract term syntax makes sure that no predefined structure is imposed on the contents of the library, and m
266. n in the window below. In contrast to the corresponding emacs top loops, the NUPRL 5 top loop incorporates the NUPRL 5 term editor. It is better suited for editing object-level terms but does not support the full editing capabilities of emacs. Unless there is a need to interact with the top ML level, one usually iconifies these four windows to create some space for the windows that will pop up while working with the system. 2.3 Using the Navigator. The navigator is the main user interface of NUPRL 5. It can be used to browse the library and to create, delete, or edit objects by initiating the appropriate editors. Figure 2.2 shows the navigator window in its initial state. As in most NUPRL 5 windows, the upper part of the navigator window contains several buttons, which are indicated by a at the end of a word. Clicking a button with the left mouse will trigger some action or pop up a template to be filled in. The lower part of the navigator window shows the current directory (here ROOT) and a listing of the type, status, and name of some of the objects in the directory. There is also a distinguished object, the nav point, which is marked by an arrow (the navigation pointer). When the edit point is in the Scroll position field, the left mouse or the arrow keys on the keyboard can be used to move through the directory tree: ↑ UP: move navigation pointer one step up. ↓ DOWN: move navigation pointer one step down. LEFT: move navigation p
267. n object called independent_pairFormation: H ⊢ A × B ext <a,b> BY independent_pairFormation; H ⊢ A ext a; H ⊢ B ext b. The fact that the rule object is almost identical to the rule described on paper makes it very easy to verify the implementation of intuitionistic type theory in NUPRL. The explicit representation of inference rules in NUPRL also allows a user to modify the logic represented in the system by adding new rules or deactivating existing ones. Thus NUPRL supports any logic that can be represented as a top-down sequent calculus. NUPRL provides the basic mechanisms for applying rule objects to proofs. In most cases this means matching the rule's top goal against the current proof goal and extending the proof tree by the instantiated subgoals of the rule. Some rules, such as the decision procedure arith, provide explicit calls to special purpose algorithms that will be executed when NUPRL applies the rules: H ⊢ C ext t BY arith U; Let SubGoals t; CallLisp ARITH SubGoals. 8.1.2 Rule Arguments. In most cases the application of an inference rule to a proof goal requires more information than just the name of the rule. For instance, if a rule shall be applied to one of the hypotheses, it is necessary to identify this hypothesis, or if a rule creates new variables in the subgoals, it is necessary to give names to these variables. Because inference rules are supposed to be applied schematically, this informa
268. n refiner mode and will not create the initial code object listsel_ml. Again, there is a more advanced version of this command. Besides creating abstractions, display forms, and well-formedness theorems, introducing a definition may also require updating the tactics that rely on folding and unfolding definitions. As only the user can decide which abstractions should be unfolded automatically and which ones shouldn't, NUPRL provides a mechanism for updating the Reduce tactic (see Section 8.6.2) on demand. Clicking the AbReduce command button will open two templates on top of the command zone. The first is a token template into which a user may enter the name of a new conversion to be added to Reduce. The second is a term describing the left-hand side of that conversion. Upon clicking OK, the right-hand side of the conversion will be computed by applying UnfoldsC opid ANDTHENC ReduceC (see Section ) to this term, and the resulting macro conversion will be added to the list of conversions used by the tactic Reduce. 4.3.2.3 Creating Modules. NUPRL provides support for defining module types, which are useful for defining abstract data types and algebraic classes. Module types are essentially dependent record types, where the type of each field can depend on the value of previous fields, and are allowed to have parameters. For instance, an abstract data type for stacks may use the type of stack elements as a parameter. Module types are currently implement
269. name creates a thm after the current object. [Figure residue: two Navigator windows on the directory kreitz user theories, before and after the command, each showing the command button rows (MkTHY, MkThyDir, ExportThy, OpenThy, CloseThy, ChkThy, ChkAllThys, ChkOpenThy, CheckMinTHY, MinTHY, EphTHY, ExTHY, Mill, ObidCollector, NameSearch, PathStack, RaiseTopLoops, PrintObjTerm, PrintObj, MkThyDocObj, ProofHelp, ProofStats, showRefEnvs, FindTheoriesMin, CpObj, reNameObj, EditProperty, SaveObj, RmLink, MkLink, RmGroup, ShowRefenv, SetRefenvSibling, SetRefenv, ProveRR, SetInOBJ, MkTHM, MkML, AddDef, AddRecDef, AddRecMod, AddDefDisp, AbReduce, NavAtAp, Act, DeAct, MkThyDir, RmThyObj, MvThyObj) and the scroll status: Total 0, Point 0, Visible 0 before; Total 1, Point 0, Visible 1 after.] As example theorem we take ∀A,B:P. A ∨ B for propositional logic. Enter the n
270. nce programming languages like Java or OCaml allow the formal reasoning tools to supplement real-world software from various domains. NUPRL 5 is highly configurable. In its current standard configuration, which is described in this manual, the system essentially provides an extended functionality of the NUPRL 4 system [Jac94]. It consists of the library, the NUPRL 5 editor, and the NUPRL 5 refiner. The Knowledge Base. The knowledge base is based on a transaction model for entering and modifying objects. All changes to objects, e.g. the effects of editor commands or inference steps, are immediately committed to the persistent library. The knowledge base also provides the option to undo changes, redo transactions, or to have several processes view or work on the same object, essentially following the same protocols as databases. However, changes do not overwrite an object but instead create a new version. The previous version is preserved until it is explicitly destroyed in a garbage collection process. A version control mechanism allows the user to recover previous versions of an object. To account for the validity of library objects, the knowledge base supports dependency tracking, which will enable a user to check if theorems are valid w.r.t. a specific set of rules, axioms, and proof procedures. In principle the library does not impose any predefined structure. All visible structure, e.g. the directory structure as observed by the NUPRL 5 navigato
271. nce of x in e_n has type ty so that the type of recursive calls of x is the same as the declaring type. B.5.3 Discussion of type constraints. We give here reasons for our constraints on the types ascribed to occurrences of identifiers. The reader may like to skip this section at first reading. 1. Consider constraint 1 for lambda-bound identifiers. This constraint implies that the expression let x = e in e' may be well-typed even if the semantically equivalent expression let f x = e' in f e is not, since in the former expression x may occur in e' with two incompatible types which are both instances of the declaring type. The greater constraint on f is associated with the fact that f may be applied to many different arguments during evaluation. To show the need for the constraint, suppose that it is replaced by the weaker constraint for let-bound identifiers, so that, for example, let f x = if x then 1 + x else x 1 is a well-typed declaration of type -> int, in which the occurrences of x receive types bool, int, int -> int respectively. In the absence of an explicit argument for the abstraction, no constraint exists for the type of the binding occurrence of x. But because f is let-bound, expressions such as f true and f "dog" are admissible in the scope of f, although their evaluation should result in either nonsense or run-time type errors (one of our purposes is to preclude these). The only exception to this rule is for expressio
272. ncrements and must be non-negative integers. The expression L i is interpreted as standing for levels L + i; L' is an abbreviation for L + 1. The expression [L L'] is interpreted as being the maximum of the expressions L, L'. Usually, when stating theorems, only level expressions of the form v and v' need be used. Other expressions get automatically created by tactics. Further, it is sufficient to use a single level expression variable throughout a theorem statement, as two occurrences of the same level expression variable will not be related. For example, we normally prove the theorem ∀A,B:P. A ⇒ B ⇒ A rather than ∀A:P. ∀B:P. A ⇒ B ⇒ A. 8.2.2 Optional Arguments. Unlike Lisp functions, ML functions cannot take optional arguments, although it is natural to want to write tactics which do take optional arguments. One approach is to provide a set of variants of each tactic for the most common combinations of arguments. This can be confusing and places an extra burden on the user, who has to keep track of these variants. NUPRL allows optional arguments to be passed to tactics by providing tacticals (see Section 8.8 below) that attach these arguments to the proof argument, i.e. the last argument of a tactic (cf. Section 8.2.1). Currently this is supported for arguments of type int, tactic, term, tok, var, and (var # term) list. Each argument is also given a token label, and arguments are looked up by these labels. Sets of arguments
273. nd bindings. To evaluate an expression, type it in at a text cursor after the command prompt and then use either the Eval button or the ↵ key. You may edit the expression using the term editor commands described in Chapter 5. To break an expression into several lines, use S-↵. Output from evaluating the ML expression in the command line zone is usually directed to the evaluator history window, although it is possible to have it appear below the command line zone in the ML top loop window as well. NUPRL error messages appear in a separate window that describes the nature of the error and some debugging information. The window can be closed by either clicking its Quit button or by typing C-Q. Errors can come from various sources. In most cases the ML expression you typed doesn't parse or type check properly, or has been sent to the wrong process. Occasionally you can get the ML top loop into an unexpected state. In this case undo the previous steps using C- until a stable state has been recovered. If that doesn't work, the editor process itself may have reached an unrecoverable state. It is best to close all other NUPRL windows (saving their contents if needed), to kill the editor process, and to start it again. 4.4.3 Top Loop Commands. Depending on the command prompt at the beginning of the command line zone, top loop commands are sent by the editor to either the library, editor, or refiner processes. Refiner commands usually in
274. ne 103. List of Tables: 4.1 Navigator Motion Commands, 38; 4.2 Navigator command buttons, 60; 4.3 Command line zone editor commands and bindings, 61; 5.1 NUPRL special character codes, 73; 5.2 All key and mouse commands, 82; 5.3 Term editor fragment of the standard mykeys macrofile, 83; 6.1 Proof Editor Keyboard Macros, 98; 8.1 Soft abstractions in NUPRL's basic libraries, 121; 8.2 Iterated decomposition tactics and the connectives they decompose, 123; 8.3 Format of Tokens in Rewrite Control Strings, 132; A.1 Basic operators of Nuprl's Type Theory, 148; A.2 Redex-Contracta Table for Nuprl's Type Theory, 150; A.3 Type semantics table for Nuprl, 151; A.4 Member semantics table for Nuprl, 152; B Declarations, 186; (entry unreadable), 186; B Patterns, 186; B Expressions, 187; B.5 ML Type Sym, 195. Chapter 1 Introduction. The NUPRL proof development system is a framework for the development of formalized mathematical knowledge as well as for the synthesis, verification, and optimization of software. It is based on a significant extension of Martin-Löf's intuitioni
275. nement style generation of proofs. The refinement style entails repeatedly choosing an unrefined leaf node of a proof and a rule to try on that node. If the rule applies, the NUPRL system changes the node to a refined node and automatically generates appropriate children nodes. The proof editor generates windows onto sections of proofs. One can have windows open on different proofs at the same time, and even view multiple proofs of the same theorem. In the latter event one proof is the main proof, while the other ones are backup proofs. 6.2.1 Proof Window Format. Each proof window is associated with a node of a proof. It shows the goal sequent at that node, the refinement rule (if any) at that node, the immediate subgoals, and the proofs (if any) of these subgoals, as long as they fit into the window. Figure 6.1 shows an example of a window onto a refined node of a proof and an example of a window onto an unrefined node of a proof. [Figure residue: the refined node, at address top 1 2 (label upcase), has hypothesis x:ℕ and conclusion ∃y:ℕ. y² ≤ x ∧ x < (y+1)², is refined BY NatInd 1 into subgoals labelled basecase (refined BY exR 0) and upcase, and reports one hidden subgoal; the unrefined node window shows the upcase sequent with induction hypothesis ∃y:ℕ. y² ≤ x-1 ∧ x-1 < (y+1)².] Figure 6.1 Proof window on refined and unrefined proof node. The title of e
276. ng match f false; namestring = tok_to_string (name_of_oid oid). [Figure residue: remainder of the ML listing and a directory listing with DIR entries Transforms, ...] Figure 4.13 Standard Milling Directory. To perform a particular operation, users should copy the corresponding object from one of the sub-directories of the directory Examples into the main milling directory, modify the declaration part of the code, and then click the command button that corresponds to the name of the sub-directory from where the piece of code was copied. The object By Kind and Name Search in the directory FilterSource, shown in Figure 4.13, for instance, contains the code for collecting all the objects of the milled directory that have a given kind and name. Changing the let-binding of the variables kind and namestring to STM and st_ will cause the search to focus on statement objects whose name contains the string st_. Clicking the button FilterSource will initiate the search and collect all the found objects in a sub-directory Targets. If that directory already exists, the user will be asked to confirm that its previous contents can be removed. Code pieces are provided in the following categories: FilterSource collects all objects of the milled directory that satisfy a given predicate and places them in the sub-directory Targets. The search predicate may involve the kind, name, status, or creation time of the object, strings and object identifiers occurring in it, and similar criteria. Existing contents of the directory Targets will be
277. ng tacticals. 8.9.1 Introduction to Conversions. A conversion is a function that transforms a term t into a new term t' that is equivalent to t with respect to some relation r. The conversion also produces a justification j that describes how to prove that t r t' holds. The transformation takes place in an environment e, which specifies, amongst other things, the types of the variables that might be free in t. Conversions fail if they are not appropriate for the term they are applied to. In NUPRL, the type convn of conversions is an ML concrete type abbreviation for the type env -> term -> (term # reln # just), where env, reln, and just are abstract types for environments (Section 8.9.1.1), relations (Section 8.9.1.2), and justifications (Section 8.9.1.3). The language of conversions provides a small set of atomic conversions that may be assembled into more advanced conversions using higher-order functions called conversionals. Atomic conversions (Section 8.9.2) are either based on direct computation rules, which includes folding and unfolding abstractions, or can be created from lemmata and hypotheses that contain universally quantified formulas with consequent of the form a r b, where the free variables of b are a subset of those in a. Applying a conversion to a term t means either executing the corresponding computation or matching the term t against a and replacing it by an appropriate instance of b. That is, if σ is a substitution o
278. ng their definition left to right, so instances of their right-hand sides can be folded up to be instances of their left-hand sides. Folding, however, does not always work, as information can be lost in the unfolding process. For instance, an abstraction can have variables and parameters that are not used in its definition but are only used for book-keeping purposes. In this case the variables and parameters only occur on the left-hand side of the definition and would have to be inferred when folding up a specific instance of the right-hand side. 7.1.1 Bindings in Abstractions. In addition to ordinary variables, abstractions can have binding structure. Consider, for instance, the definition of the unique existence quantifier below: ∃!x:T. P(x) ≡ ∃x:T. P(x) ∧ ∀y:T. P(y) ⇒ y = x ∈ T. Here x represents a variable that becomes bound in the term P(x), and this binding structure must be mapped from the abstract term exists_uni(T; x.P(x)) to its definition. First-order matching and substitution are inadequate for handling terms with binding structure, since they consider variables to be independent from each other and thus cannot express the dependency between x and P(x). NUPRL therefore uses second-order matching and substitution functions to handle abstractions with binding variables in a systematic way. A second-order binding is a binding v -> x₁…xₙ.t of a second-order variable v to a second-order term x₁…xₙ.t. A second-or
279. ng to all T_z. quotient(T; x,y.E): members of T with a new equality. Table A.1 Basic operators of Nuprl's Type Theory. Terms are divided into canonical and noncanonical terms. Principal arguments in noncanonical terms are marked by a box. Standard display forms of terms are written below the abstract representation. The distinction between types and members is not a part of Nuprl's syntax. A.1.2 Parameters. Parameters p:F consist of a parameter name p and a parameter family F. The current parameter families and associated values are: variable: Names of variables, implemented using the ML data type var. Acceptable names are generated by the regular expression [a-zA-Z0-9]*. The character has a special use. natural: Natural numbers including 0, implemented using the ML data type int. Acceptable numbers are generated by the regular expression 0 | [1-9][0-9]*. token: Character strings implemented using the ML data type tok. Acceptable strings can draw from any non-control characters in Nuprl's font. string: Character strings implemented using the ML data type string. Acceptable strings can draw from any non-control characters in Nuprl's font. level expression: Universe level expressions, implemented using the ML data type level_exp. Universe level expressions are used to index universe levels in Nuprl's type theory. Their syntax is described by the g
280. ns are higher in the lattice, and relations within a family satisfy a < b ⇔ b > a, a ≤ b ⇔ b ≥ a, a = b ⇔ a ≤ b ∧ b ≤ a, and a < b ⇔ a ≤ b ∧ ¬(b ≤ a). The converse of an order relation r should always be defined directly in terms of r. For example, the definition of the abstraction rev_implies is P ⇐ Q ≡ Q ⇒ P. The rewrite package assumes that order relations can be inverted by folding and unfolding such definitions. A relation family should be declared using an invocation of declare_rel_family lt le eq ge gt, where dummy terms, i.e. the abstraction dummy() which displays as ·, should be used as placeholders when a member of a family is missing. To simplify such invocations a user may enter the name relfam into a term slot, which will display the template Relation Family with slots for lt, le, eq, ge, and gt. [Figure residue: the template filled in with the integer order relations.] As an example, the invocation to the right shows the declaration of the standard order relations on the integers as a relation family. Frequently several order relation families share the same equivalence relation, but there may also be equivalence relations that are not associated with any order relation family. The partial order of strengths of relations is the reflexive transitive closure of the strength relation for each family and the equivalence relation declarations. Additional relations between order relations can be declared usin
281. ns of the form (\x. e') e, which is treated exactly as let x = e in e'. Here we know the unique instance of the type of the argument x, namely the type of e. 2. The analogous restriction for letref-bound identifiers is also due to the possibility that the identifier value binding may change during evaluation, this time because of assignments. Consider the following: letref x = [] in if e then (do x := [1]; x) else (do x := [true]; hd x). If letref were treated like let, this phrase would be well-typed and indeed have type , despite the fact that the value returned is either 1 or true. So, calling the whole expression e', all manner of larger expressions involving e' would be well-typed, even including e' e'. 3. Top-level letrefs must be monomorphic to avoid retrospective type constraints at top level. If this restriction were removed, the following would be allowed: letref x = [];; x := [2];; x := [5];; But on type checking the last phrase it would appear that the type of x at declaration should have been int list, not list, and the types of intervening phrases may likewise need constraining. 4. To see the need for the exclusion of polymorphic non-local assignments, consider this example in the HOL system (this example is originally due to Lockwood Morris). The type thm is the type of theorems. let store, fetch = letref x = [] in (\y. x := y), (\(). hd x);; store T F; let eureka:thm = fetch ();; Now suppose we lift our constraint. Then
282. nsuppress display form at cursor. C-X ns | TERM INSERT NULL | insert empty string in text slot. C-X df | VIEW DISP | view display form definition for term. C-X ab | VIEW ABS | view abstraction definition of term. MIDDLE | VIEW DISP | view display form of term. RIGHT | VIEW ABS | view abstraction definition of term. IDENTIFY will print out in the ML Top Loop window information on the term and display form at the current cursor position. SUPPRESS suppresses use of the display form of all occurrences of the term pointed to by the cursor in the currently viewed object. If multiple display forms are defined for a term, a single SUPPRESS DFORM might result in some other, more general display form being selected. In this case one can repeat SUPPRESS DFORM. When all appropriate display forms for a term are suppressed, the term is displayed in uniform syntax. UNSUPPRESS restores a suppressed display form if the editor cursor is at a term to which that suppressed display form belongs. Display forms remain suppressed until explicitly unsuppressed or until the editor window is closed. TERM INSERT NULL is useful for inserting empty text strings into text slots. Normally, when all the characters in a text slot that is outside of a text sequence are deleted, a text slot placeholder is left to indicate what kind of item should be inserted into the slot. Use this command if an empty string is what is really wanted. VIEW DFORM and MOUSE VIEW DISP open the dis
283. nted as follows: C-x, read as "control x": hold down a control key and simultaneously press key x. M-x, read as "meta x": hold down a meta key and simultaneously press key x. C-M-x, read as "control meta x": hold down both a control key and a meta key and simultaneously press key x. S-x, read as "shift x": hold down a shift key and simultaneously press key x. Note that x can be either a keyboard key or a mouse button; for example, both C-a and M-RIGHT are valid modified keys. On some keyboards, for example those of Sparc stations, the usual meta keys are the keys marked with a diamond on either side of the space bar, while on PC keyboards this key is often marked as Alt. The S-x modifier is only used with non-printing characters, for example ↵. When we say "click LEFT" on some part of a window, we mean that the mouse cursor should be pointed at that part and then the LEFT button should be pressed. Be aware that occasionally NUPRL can be quite slow to respond to keystrokes, sometimes taking several seconds. Don't hold keys down till you get a response; you might easily make the keys autorepeat, which could be rather annoying. For clarity, when presenting input which a user might type or output which NUPRL generates, we sometimes enclose the text in special quotes, for example ‘this is example output’. 1.5 Structure of this Manual. Chapter 2 gives a tutorial-like overvie
284. nvironment and to open the sockets for communication. It will write some system messages to the process window and then wait for other processes to connect. The following emacs script defines an interactive function nulib that performs all the above steps in a new emacs shell. Using the function nuprl-frame, it pops up a new frame at a specific position on the screen, opens a shell process NuLibrary in it, and then subsequently sends the above command to that process: (defun nuprl-frame (bufname height top-corner cmd) (save-excursion (set-buffer (make-comint bufname "/bin/csh" nil "-v")) (switch-to-buffer-other-frame (concat "*" bufname "*")) (let ((NuPRLframe (car (cadr (current-frame-configuration))))) (set-frame-size NuPRLframe 81 height) (set-frame-position NuPRLframe 515 top-corner)) (set-default-font "6x10") (while (= (buffer-size) 0) (sleep-for 1)) (comint-send-string bufname "limit coredumpsize 0\n") (comint-send-string bufname cmd))) (defun nulib () (interactive) (nuprl-frame "NuLibrary" 10 76 "nulib\n") (message "Starting Library") (set-foreground-color "Red") (set-background-color "#ddddff") (comint-send-string "NuLibrary" "top\n") (comint-send-string "NuLibrary" "go\n")) The shell script is designed for an XGA 1024x786 display and uses a fairly small font. You need to adjust the frame position on larger displays and if a larger font is chosen. The colors are chosen to distinguish the library fra
285. ointer to bottom. ↑, C-p: move navigation pointer one step up. C-↑: move navigation pointer 5 steps up. C-M-p, M-v: move navigation pointer 10 steps up. ↑↑↑: move navigation pointer one screen up. ↑↑↑↑: move navigation pointer to top. LEFT: move navigation pointer to mouse point. C-: open object at navigation pointer. MIDDLE: open object at mouse point. C-b: move navigation pointer to next higher directory. <>: increase screen size by 10. ><: reduce screen size by 10. Table 4.1 Navigator Motion Commands. Objects can also be viewed by typing the command view name into the editor ML top loop, where name is a token indicating the name of the new object. The view command was the standard method for viewing objects in the predecessors of NUPRL 5. Its use in NUPRL 5 is discouraged, as the command is ambiguous if the same name is used for multiple objects. 4.3.1.2 Searching for Objects. The navigator provides a utility for a pattern-based search for object names in the library. Name search is initiated by clicking the NameSearch button in the navigator's command zone, which will create a search command zone on top of the current command zone and place the edit point into a pattern slot. After entering a text string into the pattern slot, a user types ↓ to start the search for the next object whose name contains the entered string. By default the search proceeds forward, beginning at the root of the library directory
286. ointer to next higher directory. RIGHT: open object at navigation pointer in a new window; enter sub-directory if object is of type DIR. [Figure residue: the Navigator window on directory ROOT (Scroll position 0, Total 4, Point 0, Visible 4) listing the DIR objects theories, system aux, local, and system, with the command buttons RmLink, RmObj, RmDir, RmGroup, Activate, deActivate, NameSearch, PathStack, Clone, Mill, SaveObj, commentObj, CountClosure, ObidCollector, MkLink, MkObj, MkDir, mkTHM, CpObj, reNameObj, EditProperty, RaiseTopLoops.] Figure 2.2 NUPRL 5 Navigator. The navigator window also contains arrow buttons for faster navigation through a directory: ↑↑ and ↓↓ scroll half a screen, ↑↑↑ and ↓↓↓ scroll a full screen, and ↑↑↑↑ and ↓↓↓↓ move to the top and bottom of the directory. In addition to buttons and arrow keys there are also a variety of special key combinations that can be used to manipulate objects in the library. These are described in Chapter . To begin working with the NUPRL system, one will usually move into the theories directory. Leaving the initial state will cause additional buttons to become visible: [Figure residue: button rows CheckMinTHY, MinTHY, EphTHY, ExTHY, Mill, ObidCollector, NameSearch, PathStack, RaiseTopLoops, CpObj, reNameObj, EditProperty, SaveObj, RmLink, MkLink, ShowRefenv, SetRefenvSibling, SetRefenv, ProveRR, SetInOBJ, Activate, DeActivate, MkObj.]
287. ome of the properties of an object (see Section 4.1.1). For instance, when using abstraction objects to represent definitions of the PVS system, it makes sense to make them visible to PVS clients but not to the NUPRL refiner. In rare cases it may be necessary to adjust the reference environment (Section ) of an object. Therefore NUPRL provides a simple method for editing the properties of an object directly. Clicking the EditProperty command button will open a property command zone for the object at the navigation pointer on top of the current command zone. It contains a token slot for entering [Figure residue: the property command zone with buttons OK, Cancel, ReferenceEnvironment, ReadFromLib, and RemoveProperty and the slots NAME and DESCRIPTION, shown for the object not_over_and, on top of a Navigator window on directory kreitz user theories (Total 4, Point 0, Visible 4) listing STM not_over_and and CODE listsel_, with the usual command button rows.]
288. omponent is equal to y. For example, assoc 2 [(1,2); (5,3); (2,5); (2,0)] = (2,5) : int # int and rev_assoc 2 [(1,4); (3,2); (2,5); (2,6)] = (3,2) : int # int. Definition: let assoc x = find (\(x',y). x' = x);; let rev_assoc y = find (\(x,y'). y' = y);; B.7.5 List transforming functions. The next function reverses a list: rev : * list -> * list. Description: rev [x1; ...; xn] = [xn; ...; x1]. Definition: let rev = revi [] whererec revi l = fun [] . l | (x . l') . revi (x . l) l';; The following two functions filter a list to the sublist of elements satisfying a predicate: filter : (* -> bool) -> * list -> * list; mapfilter : (* -> **) -> * list -> ** list. Description: filter p l applies p to every element of l, returning a list of those that satisfy p; mapfilter f l applies f to every element of l, returning a list of results for those elements for which application of f succeeds. Definition: letrec filter p = fun [] . [] | (x . l) . if p x then x . filter p l else filter p l;; letrec mapfilter f = fun [] . [] | (x . l) . let l' = mapfilter f l in (f x . l') ? l';; The following three functions break up lists: remove : (* -> bool) -> * list -> * list; partition : (* -> bool) -> * list -> (* list # * list); chop_list : int -> * list -> (* list # * list). Description: remove p l separates from the rest of the
289. [Table residue: rows UnivCD and GenUnivCD (∀, ⇒), RepD and GenRepD (∀, ⇒, ∃, ∧), ExRepD and GenExRepD (∃, ∧, ∀, ⇒).] Table 8.2 Iterated decomposition tactics and the connectives they decompose. generates some substitution σ, MemCD produces a subgoal σT ⊆ A and tries to use the Inclusion tactic (Section 8.7) to prove it. MemHD i: Decompose the immediate subterm of a membership term in hypothesis i. Since there are no primitive rules for decomposing equalities in hypotheses, MemHD only works on hypotheses when the type of the membership term is a product or function type. For products the decomposition generates the first and second projection of the term. For functions it creates a function application; a t1 argument is required in this case. MemberEqD c: Decompose the immediate subterm of a membership term in clause c. Works like MemCD on the conclusion and like MemHD on a hypothesis. EqD c: Decomposes terms which are the immediate subterms of an equality term in clause c. EqD is like MemberEqD except that it expects and generates equality terms rather than membership terms. It is good for congruence reasoning and is used extensively by the rewrite package (see Section 8.6). Commonly used variants are the tactics EqCD and EqHD i, which work identically to EqD on the conclusion and a hypothesis respectively. EqTypeD c: Decompose just the type subterm of an equality term in clause c. Only works when the
290. on of type N, generating two subgoals labelled upcase and basecase. NatInd first moves any depending hypotheses to the conclusion and maintains the name of the induction variable.

NSubsetInd i: Perform induction on a subrange of the natural numbers. Hypothesis i must contain a declaration of type N, N_i or {i..j}. NSubsetInd generates two main subgoals labelled upcase and basecase and many aux subgoals, which should always be easily solvable by Auto.

CompNatInd i: Perform complete induction on hypothesis i, which must contain a declaration of type N.

ListInd i: Perform list induction on hypothesis i, which must contain a declaration of type T list, generating two subgoals labelled upcase and basecase. ListInd is a little smarter than the primitive rule listElimination (see Appendix) in that it first moves any depending hypotheses to the conclusion and maintains the name of the induction variable.

The theory well_fnd has some definitions for well-founded induction. In particular it defines the tactic RankInd. This is useful when you know how to do induction over some type A and you want to perform induction over a type B using some rank function which maps elements of B to elements of A. The tactic is described in the objects inv_image_ind_tac and rank_ind. The theory bool_1 defines various tactics for case splitting on the value of boolean expressions in the conclusion, such as BoolCasesOnCExp and SplitOnConclITE. View the theory for details.
291. only within b that the representation of the type operators, as declared in terms of other operators, is available. In an abstract type declaration

  absrectype (vtyarg) id = ty and ... and (vtyarg) id = ty with b

the sense in which the representation of each id is available only within b is as follows: the isomorphism between objects of types ty and (vtyarg) id is available only in b, via a pair of implicitly declared polymorphic functions

  abs_id : ty -> (vtyarg) id
  rep_id : (vtyarg) id -> ty

which are to be used as coercions between the abstract types and their representations. Thus in the simple case

  abstype a = ty with x = e in e'

the scope of a is e and e', the scope of abs_a and rep_a is e, and the scope of x is e'.

As an illustration, consider the definition of the type rat of rational numbers, represented by pairs of integers, together with operations plus and times and the conversion functions

  inttorat : int -> rat
  rattoint : rat -> int

Since rat is a nullary type operation, no type variables are involved, and rat can be defined by

  abstype rat = int # int
  with plus x y = abs_rat (x1*y2 + x2*y1, x2*y2)
                  where x1,x2 = rep_rat x and y1,y2 = rep_rat y
  and times x y = abs_rat (x1*y1, x2*y2)
                  where x1,x2 = rep_rat x and y1,y2 = rep_rat y
  and inttorat n = abs_rat (n,1)
  and rattoint x = (x1/x2)*x2 = x1 => x1/x2 | failwith `rattoint`
                  where x1,x2 = rep_rat x

Most abstract type declarations are probab
292. only zero; STM TTF one_divs_any.

Figure 4.3: Path stack command zone.

• Swap: Swap the two positions on top of the path stack.
• Rot: Rotate the positions in the path stack, moving the top position to the bottom.
• RevRot: Rotate the positions in the path stack, moving the bottom position to the top.
• CpLink: Insert a link (Section 4.3.2.5) to the current position of the navigation pointer immediately below the object that is currently on top of the path stack. Links cannot be inserted into the same directory where the object resides.
• Cancel: Close the path stack and remove the path stack command zone.

4.3.2 Operations on objects

4.3.2.1 Creating Objects

Objects are created by describing their name, their kind and the position where they shall be inserted into the library. Usually this is done interactively by clicking the MkObj command button, which will open two templates on top of the current command zone into which a user may enter the name and kind of a new object, and place the edit point in the name slot, as shown on the left of Figure 4.4. After the name and the kind have been entered into the corresponding slots, a user has to click the OK button or type … twice, which will close the new object templates and place the corresponding object into the current directory immediately after the navigation pointer. The object will have the status FFF and no content assigned to it yet. The name of an object is case sensitive and may con
293. open them at any time, although it is not recommended to do so. You may create multiple clones of the navigator but not of the top loops. Chapter 4 describes the use of these windows as well as the kinds of objects that can be found in the library. There are two other kinds of windows: term editor windows and proof editor windows. Both are used for editing objects in the library. The structure of NUPRL terms and the term editor is described in Chapter 5. The proof editor is described in Chapter 6.

If the system appears to be inexplicably stuck, check the Lisp windows; it is very possible that Lisp is garbage collecting. This sometimes takes a few minutes. Most Lisp versions allow computations to be interrupted. This is usually done by sending C-c to the Lisp process, or C-c C-c if Lisp is started up from an emacs sub-shell. Sometimes Lisp catches the first two or three interrupt requests. This will cause Lisp to enter its debugger, from which the computation can be resumed or aborted. Section 3.6 below describes how to use the Lisp debugger and in particular what to do if a NUPRL 5 process crashes.

NUPRL is a continually evolving experimental research system and it is inevitable that it will contain bugs. Aborting any of the three NUPRL 5 processes is always safe, since changes to objects (e.g. the effects of editor commands or inference steps) are immediately committed to the persistent library. When a NUPRL 5 process is res
294. ot option, i.e. the third field of the term slot in the display form definition (see Section 7.2.3.1), by the parens attribute of the display form filling that term slot, and by the relative precedences of the term slot and the term filling it. The precedence of a term slot is usually that of the display form containing it, although it is possible to assign precedences to individual slots. The parenthesis control works as follows:

• Term slots are parenthesized only if the filling display form has a parens attribute. If this attribute is absent, the slot is never parenthesized. The parens attribute must be explicitly added to a display form definition for that definition to ever be parenthesized.
• Term slots are parenthesized unless parenthesization is suppressed by the parenthesis slot options. These options have the following meanings:
  L: Suppress parentheses if the display form precedence is less than the display form precedence of the term filling the slot.
  E: Suppress parentheses if the display form precedence is less than or equal to the display form precedence of the term filling the slot.
  (third option): Always suppress parentheses.

The L and E options make it possible to represent the conventional precedences and associativity laws of standard infix operators. If they are used in the definitions of display forms for the arithmetic terms plus(a;b) and times(a;b), then the term plus(a;times(b;c)) is displayed as a + b * c, but times(a;plus
295. ou need to evaluate the function initialize_rw_lemma_caches to make it accessible to the rewrite package.

8.9.1.5 Applying Conversions

The following tactics can be used to make conversions applicable to some clause of a proof goal.

Rewrite c i: Apply conversion c to clause i. The subgoal with the result of the conversion is labelled main, while the labels of the other subgoals fall into the aux class. A shorthand notation for Rewrite is RW. The following variants of Rewrite provide a controlled application of the conversion c to the subterms of clause i by combining Rewrite with conversionals (see Section 8.9.4) in various fashions:

  RWH c i = RW (HigherC c) i: Apply c to the first possible subterm of clause i, starting from the root.
  RWU c i = RW (SweepUpC c) i: Apply c to all subterms of clause i, starting from the leaves.
  RWD c i = RW (SweepDnC c) i: Apply c to all subterms of clause i, starting from the root.
  RWN n c i = RW (NthC n c) i: Apply c to the n-th immediate subterm of clause i.
  RWAddr addr c i = RW (AddrC addr c) i: Apply c to the subterm of clause i whose address is addr.

RewriteType c i: Apply conversion c to the type of a member or equality term in clause i. The advantage of this tactic over Rewrite is that it generates simpler well-formedness goals. In particular, it generates no well-formedness goals involving the equands of the equality or the element of the member term. A shorthand notation for RewriteType is RWT. Fo
296. ouse next to the BY allows you to enter the tactic into an empty rule slot without having to move into the corresponding sub-node. Typing D 0 THEN D 3 THEN Auto results in a complete proof of the subgoal (proof window display). Using the up arrow key will get you back to the parent node, which now shows the complete proof (proof window display).

The proof has already been saved in the library. To close the proof window press C-Q. This key combination will always close the current window.

If a theorem shall be used as a lemma in other proofs, it has to be activated. Many tactics use a list of active theorems, which are searched through when attempting to prove a theorem automatically. For this purpose you have to click the Act button, which changes the object status of not_over_and from FFF to TFF.

(Figure residue: navigator command button panel, including MkTHY, MkThyDir, ExportThy, OpenThy, CloseThy, ChkThy, ObidCollector, NameSearch, PathStack, PrintObj, MkThyDocObj, ProofHelp, ProofStats, CpObj, reNameObj, EditProperty, SaveObj, RmLink, MkLink, RmGroup, ShowRef
297. pe map can be used at any instance of its type: above, both * and ** were instantiated to int; below, * is instantiated to int list and ** to bool. Notice that the instance need not be specified; it is determined by the type checker.

  map null [[1;2]; []; [3]; []] ;;
  [false; true; false; true] : bool list

B.2.11 Lambda expressions

The expression \x. e evaluates to a function with formal parameter x and body e. Thus the declaration let f x = e is equivalent to let f = \x. e. Similarly, let f x y z = e is equivalent to let f = \x. \y. \z. e. Repeated \'s, as in \x. \y. \z. e, may be abbreviated by \x y z. e. The character \ is our λ. \x. e and \x y z. e are called lambda expressions.

  \x. x+1 ;;
  int -> int

  it 3 ;;
  4 : int

  map (\x. x*x) [1;2;3;4] ;;
  [1; 4; 9; 16] : int list

  let doubleup = map (\x. x @ x) ;;
  doubleup : * list list -> * list list

  doubleup [[1;2]; [3;4;5]] ;;
  [[1;2;1;2]; [3;4;5;3;4;5]] : int list list

B.2.12 Failure

Some standard functions fail at run time on certain arguments, yielding a string (which is usually the function name) to identify the sort of failure. A failure with token t may also be generated explicitly by evaluating the expression failwith `t`, or more generally failwith e where e has type tok.

  hd [] ;;
  evaluation failed   hd

  1/0 ;;
  evaluation failed   div

  1000 eva
298. pe semantics table for Nuprl.

A.2.2 Judgments

The meaning of type theoretical expressions is given in the form of judgments about essential properties of the terms. Judgments are assertions of certain truths that form the foundation of type theory. We distinguish 4 types of judgments: Typehood (T Type), Type Equality (S = T), Membership (t ∈ T) and Member Equality (s = t ∈ T). The precise meaning of these judgments is defined as follows:

  T Type      if T = T.
  S = T       if there are canonical terms S' and T' such that S ↓ S', T ↓ T', and S' = T' follows from the type semantics table.
  t ∈ T       if t = t ∈ T.
  s = t ∈ T   if there are canonical terms s', t' and T' such that s ↓ s', t ↓ t', T ↓ T', and s' = t' ∈ T' follows from the member semantics table.

Nuprl's type semantics table is given in Table A.3 and its member semantics table in Table A.4.

  λx.t = λx.t' ∈ x:S→T     if x:S→T Type and t[s/x] = t'[s'/x] ∈ T[s/x] for all s, s' with s = s' ∈ S
  ⟨s,t⟩ = ⟨s',t'⟩ ∈ x:S×T  if x:S×T Type, s = s' ∈ S and t = t' ∈ T[s/x]
  inl s = inl s' ∈ S+T     if S+T Type and s = s' ∈ S
  inr t = inr t' ∈ S+T     if S+T Type and t = t' ∈ T
  Ax = Ax ∈ (s = t ∈ T)    if s = t ∈ T
  s = t ∈ void             never holds
  token = token ∈ Atom
  i = i ∈ Z
  Ax = Ax ∈ (s < t)        if s ↓ i and t ↓ j for some integers i, j with i < j
  [] = [] ∈ T list         if T Type
299. pe variables.

Table B.5: ML Type Syntax.

absrectype declaration (see Section B.5.5), postfixed to zero or more type arguments. Two or more arguments must be separated by commas and enclosed by parentheses. The type operator list is a predeclared unary type operator, and #, + and -> may be regarded as infix forms of three predeclared binary type operators.

For an object to possess a type means the following. For basic types: all integers possess int, both booleans possess bool, all strings possess string, etc. The only object possessing void or unit is that denoted by () in ML. For a type abbreviation tycon, an object possesses tycon during execution of phrases in the scope of the declaration of tycon if and only if it possesses the type which tycon abbreviates. For compound monotypes:

1. The type ty list is possessed by any list of objects all of which possess type ty, so that the empty list possesses type ty list for every ty.
2. The type ty1 # ty2 is possessed by any pair of objects possessing the types ty1 and ty2 respectively.
3. The type ty1 + ty2 is possessed by the left injection of any object possessing ty1 and by the right injection of any object possessing ty2. These injections are denoted by the ML function identifiers inl : * -> * + ** and inr : ** -> * + ** (see Section B.6).
4. A function possesses type ty1 -> ty2 if wheneve
300. (Figure residue: navigator command button panel and two navigator window views of the directory num_thy_1 in the standard theories, listing the objects RE_init_num_thy_1, num_thy_1_begin, num_thy_1_summary, num_thy_1_intro, divides_df, divides, divides_wf, comb_for_divides_wf, zero_divs_only_zero and one_divs_any.)
301. play form object that defines the display form of the term pointed to by the editor cursor or the mouse. VIEW ABSTRACTION and MOUSE VIEW ABSTRACTION open the abstraction object that defines the type theoretical meaning of the term pointed to by the editor cursor or the mouse.

Term commands:
  C-U        open term slot
  C-M-I      init term slot with prl term
  C-O        open term slot and init
  C-Q        close window without saving
  C-Z        save, check and close window
  C-J        jump to next window
  …          jump to ML top loop
  x          insert char x
  C-num      insert special char
  RET        insert newline
  name       insert name
  C-I name   insert name
  M-I name   insert name
  C-S name   replace with name
  C-M-I      initialize term slot
  C-M-S      select dform variations
  C-U        open slot to left of cursor
  M-U        open slot to right of cursor

Text and region commands:
  DEL        delete char to left of text cursor
  C-D        delete char to right of text cursor
  M-D        cut word to right of text cursor
  C-K        cut term
  M-K        save term
  C-M-K      delete term
  C-Y        paste item
  M-Y        delete item, then paste next item
  C-M-Y      paste copy of item
  C-SPC      set mark at point
  C-X C-X    swap point and mark
  C-W        cut region
  M-W        save region
  C-M-W      delete region
  C-Y        paste region
  M-Y        replace last paste with new paste
  C-M-Y      paste copy of region on save stack top
  LEFT       set mark
302. plete.

6.5 Customizing the Proof Editor

Table 6.5 summarizes the current commands of NUPRL's proof editor. Users may change the keyboard macros that initiate these commands by editing the file mykeys.macro, which is also used for modifying the key bindings of the term editor (Section 5.8). Modifications should be done carefully, so that they do not affect the navigator and term editor as well.

6.6 Troubleshooting

Most proof editing mistakes can easily be corrected by typing the undo command C-… or by walking backwards through the proof history with C-…. A common problem occurs when users try to delete a refinement rule as a whole with C-k or C-c. This will delete the text slot for entering refinement tactics and leave a term slot displayed as [left]. Usually the undo command C-… will bring back the original rule, which can then be modified using text editing commands. If the rule cannot be removed by text editing, for instance if it was created by C-M-r, users should instead enter itext_df into the [left] slot to get an empty text slot.

Movement:
  …          move to sibling to immediate left
  …          move to sibling to immediate right
  …          move to leftmost sibling
  …          move to rightmost sibling
  …          move up to parent node
  …          move down to selected subgoal
  M-z        zoom in on current node
  C-…        move up to top of proof
  C-M-…      jump to next unrefined node

Inference:
  C-…        refine goal at curren
303. pment

6.1 Proof Structure
6.1.1 Sequents
6.1.2 Proof Objects
6.1.3 Refinement Rules
6.2 The Proof Editor
6.2.1 Proof Window Format  89
6.2.2 Proof Motion Commands  90
…  91
6.3.1 Editing The Main Goal  91
…  92
…  93
…  93
6.4.1 Modifying existing refinements  93
6.4.2 Proof History  95
…  95
6.4.4 Views of Proofs and Refinements  95
6.4.5 Miscellaneous Features  97
6.5 Customizing the Proof Editor  97
6.6 Troubleshooting  97
7 Definition and Presentation of Terms  99
7.1 Abstractions  99
…  100
7.1.2 Parameters in Abstractions  101
7.1.3 Attributed Abstractions  101
7.1.4 Editor Support  101
7.2 Term Display  102
…  103
…  103
…  104
…  105
…  108
8 Rules and Tactics  111
8.1 Rules
304. pointer points to at the time the OK button is clicked. The same effect can also be achieved by using the EditProperty button (Section 4.3.2.10) to change the object's name and MkLink (Section 4.3.2.5) to change the external reference to it.

4.3.2.9 Activating and Deactivating Objects

Usually a library object is active, in the sense that it may be referenced by tactics and other objects. Occasionally users may want to experiment with alternate versions of a definition or theorem and to prevent tactics from using a particular object without having to remove it from the library. This can be done by changing the liveness bit of the object (see Section 4.1.1), indicated by the first character of the object's status information. To deactivate an object, one moves the navigation pointer to it and clicks the DeAct command button. To activate it again, one clicks the Act command button. Notice that deactivating directories converts them into TERM objects and makes their contents temporarily inaccessible. Activating a code object will execute its content.

The same effects can be achieved by typing the commands

  lib_thy_deactivate directory object
  lib_thy_activate directory object

into the library ML top loop, where directory is the object identifier of the directory of the object to be (de)activated and object is the object identifier of the object itself.

4.3.2.10 Editing Object Properties

In advanced applications users may want to change s
305. prompt, using the following command sequence:

  2 NUPRL5(4): ml text nuprl oed reset
  2 NUPRL5(5): fooe ML edd gt win

If you kill the library process while it is shutting down the knowledge base, the knowledge base may end up in an unstable state and you may not be able to restart the system anymore. In this case you have to enter the directory containing the knowledge base (e.g. nuprl/nuprl5/NuPrlDB) and move the most recent subdirectories out of it, preserving them in some temporary directory. The system will usually come up properly afterwards and return the knowledge base into a well-defined state, but you will lose all the modifications recorded in the subdirectories that you moved out of the main directory, so it may be useful to move them out one at a time until the NUPRL system starts again.

If you run into the same type of unrecoverable error twice, you may want to send a bug report to nuprlbugs@cs.cornell.edu. In this case type zoom into the Lisp process before killing it and copy the output, together with the initial error messages, into your bug report. Also mention briefly what you were doing at the time of the crash. This will help the NUPRL programmers to identify the cause of the problem and fix it.

3.7 Customization

Experienced users will probably want to create their own initialization procedures for NUPRL. These could allow customizations such as:

• Changing key bindings for the term and proof editors
306. quality: EqCD. nilFormation j: D 0. consEquality: EqCD. consFormation: …. list_indEquality z T Slist x l fs: EqCD. listElimination i l: D i. list_indReduceBase: ReduceEquands 0, ReduceAtAddr [2] 0. list_indReduceUp: ReduceEquands 0, ReduceAtAddr [2] 0.

A.3.11 Inductive Types

DI E rectype X Tx1 rectype X Tx2 U Ax by recEquality X DL X U H Tx X X Tx2 X X5 U Ax TH s t e rectype X Tx ww T E rectype X Tx ext tj by rec_memberEquality j by rec_memberFormation j TH s t e Tx rectype X Tx X ax T Tx rectype X 2 Tx X ext t T E rectype X 2 Tx U Ax T F rectype X 2 Tx U Ax D F let f z t in f e let f x t in f e Tles z ww by rec_indEquality z T rectype X Tx j P f c TF e e rectype X Tx ww D E rectype X 2 Tx U lAy D P rectype X Tx gt P f r z rectype X 2 Tx P x Tly z x Tx x rectype X 2 Tx P x X F tlf fiumi to fim fo xa T m 2 ax D z rectype X Tx A F C ext let f x 2t Ay A P in f z by recElimination i j P y f x D z rectype X 2 Tx AF rectype X Tx U Ax T z rectype X Tx A P rectype X Tx gt P f y x rectype X 2 Tx P x gt Cly 2 x Tx x rectype X Tx P x X F Clx z ext t D z rectype X Tx AF C ext t z x by recUnrollElimination i x v D z rectype X 2 Tx A x Tx rectype X Tx X v z xe Tx rectype X Tx X C x z ext t

Basic Inference Rule Corre
307. r (see Chapter 4) is generated by structure objects that are explicitly present in the library and can be customized by the user. To prevent name clashes, the library distinguishes between objects and the names that users choose to denote them. The latter are just display versions of internal names. They can be changed without affecting the object itself.

User Interfaces. The main user interface of NUPRL 5 is the navigator. It communicates with the knowledge base by sending and receiving abstract terms. While displaying and editing these terms, it presents them as directories, theorems, definitions, proofs or mathematical expressions, depending on structural information found in the library. For the user it provides the functionality of a structure editor: the user can mark subterms and edit slots in the displayed term and then cause the navigator to send the result back to the library, which processes the result while the user may continue to work with the editor. Again, structural information in the library determines whether the abstract terms received by the knowledge base are interpreted as commands to store or retrieve data, as tactics calling a refiner, or as utility functions.

In addition to the navigator, NUPRL 5 provides emulations of the editors used in the NUPRL 4 system as well as valuable extensions for facilitating proof browsing, merging, replaying and accounting. There is also a web front end that allows external users to bro
308. r its argument possesses type ty1, its result (if defined) possesses type ty2. This is not an exact description; for example, a function defined in ML with non-local variables may possess this type even though some assumption about the types of the values of these non-local variables is necessary for the above condition to hold. The constraints on programs listed below ensure that the non-locals will always have the right types. (Footnote 3: We shall talk of objects possessing types and phrases having types, to emphasize the distinction.)

5. An object possesses the abstract type (tyarg) id if and only if it is represented, via the abstract type representation, by an object possessing the tyarg instance of the right hand side of the declaration of id.

Finally, an object possesses a polytype ty if and only if it possesses all monotypes which are substitution instances of ty.

B.5.2 Typing of ML phrases

We now explain the constraints used by the type checker in ascribing types to ML expressions, patterns and declarations. The significance of expression e having type ty is that the value of e, if evaluation terminates successfully, possesses type ty. As consequences of the well-typing constraints listed below, it is impossible, for example, to apply a non-function to an argument, or to form a list of objects of different types, or, as mentioned earlier, to compute an object of the type corresponding to theorems which is not a theorem. The type ascribed
309. r testing the effect of a conversion c on a term t with an empty environment, one may evaluate the expression apply_conv c t in the refiner top loop.

8.9.1.6 Conversion Arguments

The descriptions of conversions in the sections below assume that the conversions have been applied to an environment e and a term t. Types of arguments to conversions are:

  c    : conv       type of conversions
  e    : env        environment
  i, j : int        hypothesis or clause indices
  addr : int list   subterm address
  a    : tok        name of abstraction
  name : tok        name of lemma or cached conversion
  t    : term

A suffix s on the name of an argument indicates that it is a list. For example, cs is considered to have type conv list.

8.9.2 Atomic Conversions

Atomic conversions are the basic building blocks for constructing conversions. They may rewrite terms according to given lemmata and hypotheses, fold and unfold abstractions, or evaluate primitive and abstract redices. For the sake of completeness there are also two trivial conversions:

  IdC    The identity conversion, which does not change a term.
  FailC  The conversion that always fails.

8.9.2.1 Lemma and Hypothesis Conversions

Lemma and hypothesis conversions derive rewrite rules from lemmata and hypotheses that contain either simple or general universal formulae (see Section 8.2.5). The consequents of these formulae must be of the form a r b, where r is a relation as described in Section …. Usually we describe these conversions as rew
310. r the justification of rewrites (see Section 8.9.1.4). The user may also provide a declaration that identifies relation families and extra properties of relations.

Rewrite relations should be defined as first order terms with two principal arguments supplied as subterms. Additional parameters should always be positioned before the principal argument subterms. For example, the equality relation t = t' ∈ T has the type T as additional parameter and the internal structure equal(T; t; t'). Relations are most commonly represented as logical propositions, i.e. are of type P. Boolean valued relations are also accepted, but they have to be wrapped in the assert abstraction if used in a context where a logical proposition is expected.

Equivalence relations should be declared by an invocation of

  declare_equiv_rel rnam stronger_rnam

This declares the term with operator identifier rnam to be an equivalence relation and the term with operator identifier stronger_rnam to be an immediately stronger equivalence relation. Commonly there will be only one such declaration for each rnam, and stronger_rnam will be equal. However, multiple declarations for a single equivalence relation are sometimes needed. Note that treating implication as a rewrite relation leads to a generalization of forward and backward chaining.

Order relations are grouped into relation families, i.e. lattices of order and equivalence relations of … where weaker relatio
311. r viewing. Usually this is done through the navigator, by using either the right arrow key or the middle mouse button (Section 4.3.1.1). As proofs associated with statement objects are not copied when they are viewed with the proof editor, all changes made to proofs are immediately committed to the library. This is in contrast to editing objects of other kinds (abstractions, display forms, code objects), where changes are only committed when one exits the object or explicitly asks for changes to be saved. Users who want to make tentative changes to a section of a proof should first create a backup proof (see Section 6.4.3) and then work on either of the two versions.

6.3.1 Editing The Main Goal

(Proof window displays: the empty initial window on the left, the window after entering the main goal on the right.)

When a new proof window is opened, the window appears as depicted on the left above. A term cursor is positioned on an empty goal slot immediately below the root address. A user may now enter the main goal using the structured term editor (Chapter …). The window on the right, for instance, is the result of entering

  all JA Jprop Ji Jall JB Jprop Ji Jimplies Jor Jnot JA Jnot JB Jnot Jand JA JB

into the initial proof window. Pressing … then moves the cursor into the text slot for proof tactics.

It should be noted that the proof goal is not committed to the library until the first refinement step has been executed. If a user closes the proof window after entering the main goa
312. rammar

  L ::= v | k | L i | [L | L]

where v denotes a level expression variable (alphanumeric string), k a level expression constant (positive integer) and i a level expression increment (non-negative integer). Level expression variables are implicitly quantified over all positive integer levels. The expression L i is interpreted as standing for level L + i; L' is an abbreviation for L 1. The expression [L1 | ... | Ln] is interpreted as being the maximum of the expressions L1, ..., Ln. The names of parameter types are usually abbreviated to their first letters.

A.1.3 Binding Variables

Binding variables are character strings drawn from the same alphabet as variable parameters. To express terms without bindings, the empty string can be used as null variable. Null variables never bind. Binding variables are implemented using ML type var.

A.1.4 Injection of Variables and Numbers

In Nuprl we consider variables and terms to be distinct. We have a special term kind variable{v} for injecting variables into the term type. When we talk of the variable x as a term, we really mean the term variable{x:v}. In a similar way, when we talk of the number n as a term, we really mean the term natural_number{n:n}. The injection is often made implicitly when it is clear from the context. Nuprl's editor automatically converts variables and numbers into terms when they are typed into templates for terms.

A.1.5 Term Display

The display of NUPRL terms is not necessar
313. rator should be able to advise you in this case.

3.2.2 User-specific Configuration

Upon startup, NUPRL 5 expects to find a file nuprl.config in the user's home directory to determine how the individual NUPRL processes will communicate. If this file is missing, NUPRL 5 will use the configuration that was present at compile time and may not be able to establish the communication. The structure of a typical nuprl.config file is as follows:

  foreground FOREGROUND_COLOR
  background BACKGROUND_COLOR
  font FONT_NAME

The HOSTNAME for the libhost configuration should be the name of the host running the library process. Currently even a stand-alone machine needs a host name. The values for dbpath and libenv describe the physical and logical location of the standard library. In the default single-user installation it should be nuprl/nuprl5/NuPrlDB. In a multi-user installation it is usually home/nuprl/nuprl5/NuPrlDB. The value of STANDARD_LIBRARY is usually standard.

All other entries in the nuprl.config file are optional. Users may redirect the NUPRL windows to a specific X server or choose a specific set of sockets for communication between the NUPRL processes. If several users shall work with the same library, the socket numbers should be identical to the ones used by the joint library process. Specific users can be identified by the system, which will be necessary for granting controlled access to c
…re not suited for representing single-step inferences.

Type of a subterm. Although type checking in general is undecidable for intuitionistic type theory, the types of subterms occurring in a proof goal can almost always be determined automatically. A user may override the heuristically chosen type if it is too coarse for completing the proof, or provide a type explicitly to improve the efficiency of proof checking. The tactical With can be used for this purpose as well. The tactic MemCD, which usually suffices to represent the rule applyEquality, can be forced to use a particular function type x:S→T by writing With x:S→T MemCD.

Term dependency. Term dependencies can be supplied to a tactic with the Using tactical. The tactic D 0, which usually suffices to represent the rule decideEquality, can be forced to use a particular dependency C[z] with a new variable z by writing Using [z, C] (D 0). Note that a disjunctive type and up to three new variables could be provided as well, as in Using [z, C] (With S+T (New [s; t; y] (D 0))).

Rule selection. In some rare cases it is impossible to determine the exact rule that shall be applied to a particular proof clause. For instance, there are two different rules that can be applied to a disjoint union S+T in the conclusion of a goal Γ ⊢ S+T: refining by inlFormation j extracts inl s and leaves the subgoal Γ ⊢ S, while refining by inrFormation j extracts inr t and leaves the subgoal Γ ⊢ T (both also generate a well-formedness subgoal in U_j). There is no simple heur…
…region.
M-RIGHT-MOUSE  SAVE    save term or region
C-M-RIGHT-MOUSE  DELETE  delete term or region

MOUSE-SET-POINT and MOUSE-SET-TERM-POINT first set the mark at the current editor cursor position and then set the point to where the mouse is pointing, as described in Section 5.5.3. These commands are set up so that a region can be selected by using them at both ends: after the second MOUSE-SET-POINT, the mark will be at one end of the region and the point will be at the other. MOUSE-PASTE, MOUSE-PASTE-NEXT and MOUSE-PASTE-COPY are the same as PASTE, PASTE-NEXT and PASTE-COPY. MOUSE-CUT is the same as CUT-REGION in text sequences and text slots, and the same as CUT otherwise. MOUSE-SAVE and MOUSE-DELETE behave similarly. Note that all these commands do not move the point before cutting and pasting.

5.7 Utilities

NUPRL's term editor provides various utility commands that are shown in the table below. The IDENTIFY-TERM, SUPPRESS-DFORM and UNSUPPRESS-DFORM commands assist in interpreting unfamiliar or ambiguous display forms. Exploding a term reveals its internal structure. Viewing the abstraction and display form definitions of a term helps in understanding the formalization of a user-defined concept and its notation. The latter two commands can also be issued via mouse commands.

C-X id  IDENTIFY    gives info on term at cursor
C-X su  SUPPRESS    suppress display form at cursor
C-X un  UNSUPPRESS  u…
…ressions s in C.

Basic inference rules for integers and their corresponding tactics (with required arguments, with optional tacticals): intFormation, intEquality, natural_numberEquality, natural_numberFormation, minusEquality, addEquality, addFormation, subtractEquality, subtractFormation, multiplyEquality, multiplyFormation, divideEquality, divideFormation, remainderEquality, remainderFormation, remainderBounds1 to remainderBounds4, divideRemainderSum, indEquality, intElimination, indReduceDown, indReduceUp, indReduceBase, int_eqEquality, int_eqReduceTrue, int_eqReduceFalse, lessEquality, lessReduceTrue, lessReduceFalse and arith. The corresponding tactics are EqCD, With n (D 0), StrongEqCD, D i, PrimReduceFirstEquand, PrimReduceEquands and Arith; the reduction rules correspond to PrimReduceFirstEquand or PrimReduceEquands with the label of the case (down, up, base, true, false).

A.3.9 Less-Than Proposition

The rules less_thanEquality and less_thanFormation govern the proposition s < t: the formation rule refines Γ ⊢ U_j into Γ ⊢ s ∈ Z and Γ ⊢ t ∈ Z with extract s < t, and the equality rule refines Γ ⊢ s < t = s' < t' ∈ U_j into Γ ⊢ s = s' ∈ Z and Γ ⊢ t = t' ∈ Z with extract Ax.
…riting in a left-to-right direction: they replace instances of a by instances of b. Each conversion also has a twin conversion that works right to left, which is indicated by the prefix Rev to its name.

LemmaC name, RevLemmaC name: If lemma name contains a simple universal formula with consequent a r b, rewrite instances of a to instances of b, or instances of b to instances of a, respectively.

HypC i, RevHypC i: If hypothesis i contains a simple universal formula with consequent a r b, rewrite instances of a to instances of b, or instances of b to instances of a, respectively.

The above conversions are instances of two more general conversions,

GenLemmaWithThenLC (n:int) (hints:(var # term) list) (Tacs:tactic list) (name:tok)
GenHypWithThenLC (n:int) (hints:(var # term) list) (Tacs:tactic list) (i:int)

which rewrite according to general universal formulae in lemmata and hypotheses. The meaning of their arguments is as follows. n indicates the n-th consequent of a general universal formula. If -1 is used, then the formula is always treated as simple; in particular, an iff relation will be considered the relation in the consequent rather than a part of the structure of the general universal formula. hints supply bindings for variables in the formula that NUPRL's matching routines cannot guess. Tacs is used for conditional rewriting, i.e. when the antecedents of a formula have to be checked for validity before the rewrite rule is used. The…
…rm list one has to invoke the special term parameter in the term editor.

Backchain bc_names, CompleteBackchain bc_names: Repeatedly try backchaining using the lemmata named in bc_names in the order given. Backchain leaves alone any subgoals which do not match the consequent of any of the lemmata, while CompleteBackchain backtracks in the event of any such subgoal coming up. In addition to lemma names, bc_names may contain a few special names:

- A positive integer i, indicating that hypothesis i shall be consulted.
- hyps, indicating that all hypotheses should be consulted in the order in which they occur. Hypotheses that declare variables will be ignored.
- rev_hyps, indicating that all hypotheses should be consulted in reverse order.
- new_hyps, indicating that all new hypotheses introduced by backchaining should be consulted, beginning with the least recent.
- rev_new_hyps, indicating that all new hypotheses introduced by backchaining should be consulted, beginning with the most recent.

Common variants of backchaining are HypBackchain and CompleteHypBackchain, which perform backchaining with the arguments [rev_new_hyps; rev_hyps].

8.5 Case Splits and Induction

Case split and induction tactics analyze conclusions that depend on finite or enumerable alternatives. The general way to do this is to backchain through an appropriate lemma (see e.g. the lemmata int_upper_ind and int_seg_ind at the end of the int_2 theo…
…ronments. An environment is a list of propositions and declarations of variable types that are being assumed. The environment of the conclusion of a sequent is the list of all the hypotheses. The environment of a hypothesis is the list of hypotheses to the left of it. We can also talk about local environments of subterms of sequent clauses. For example, in the sequent x:H, z:H' ⊢ ∀y:T. B ⇒ C, the local environment for the subterm C in the conclusion is x:H, z:H', y:T, B. The rewrite conversionals keep track of the local environment each conversion is being applied in, and every conversion takes as its first argument an expression e of type env which supplies this local information. The environment information is used by lemma and hypothesis conversions in three ways:

- Declarations of variables in the environment are used to infer types that help to complete matches.
- Propositions in the environment state the assumptions that are necessary for conditional rewrites to go through. For example, if the subterm C in x:H, z:H' ⊢ ∀y:T. B ⇒ C is rewritten by a rewrite rule based on the lemma ∀z:T. A(z) ⇒ t(z) = t'(z), and matching the term C against t results in binding the variable z to a term s, then the subgoal that has to be proven for the rewrite rule to be valid is x:H, z:H', y:T, B ⊢ A(s).
- The hypothesis conversions access the hypothesis list via environment terms.

Currently NUPRL only knows how to extend the environment…
…prop:E> exists_unique(<T>;<x>.<P>), with the attributes Parens :: Prec(exists) :: <x:var> <P:prop:E> exists_unique(<T>;<x>.<P>). In a similar way one may add further display form definitions with iteration families to suppress the ∃! string and duplicate type information in nested occurrences of the term ∃!x:T. P. The display form object exists_df in the standard theory core_1 can be used as an example for doing that.

Chapter 8 Rules and Tactics

Logically, all formal reasoning in NUPRL is based on the basic inference rules of intuitionistic type theory [CAB+86]. In practice, however, reasoning with basic inference rules can become very tedious. Therefore NUPRL provides the concept of proof tactics, i.e. programmed applications of inference rules. Proof tactics range from straightforward applications of inference rules to fully automated proof search mechanisms for certain domains. Most tactics deal with intellectually trivial but formally lengthy proof details, enabling the user to concentrate on the more interesting aspects of a proof. Others mimic the particular style of reasoning in a certain application domain and can only be applied in this context. Technically, all refinement steps in NUPRL are executions of tactics. Basic inference rules, although explicitly present in the NUPRL library, cannot be invoked directly but only through conversion into tactics. In the rest of t…
…rovers such as HOL or Isabelle [Pau90]. Note that the ML prompt is different in each window. It is ML[ORB]> in the NUPRL process windows for the library, editor or refiner, and may later change into ML[lib]>, ML[edd]> and ML[ref]>. In the NUPRL 5 top loop it is ML[EDD]>, ML[LIB]> or ML[REF]>. The latter already provide the double semicolon for terminating an ML expression, so the user does not have to enter ;; in these windows.

The description of ML that appears in Sections B.3 to B.6 is based very closely on The ML Handbook [CHP84]. It was adapted for NUPRL purposes from LaTeX sources provided by the HOL theorem proving group in Cambridge. For completeness and historical interest, the preface to The ML Handbook and the preface to Edinburgh LCF: a Mechanised Logic of Computation are reproduced below.

B.1.1 Preface to The ML Handbook

This handbook is a revised edition of Section 2 of Edinburgh LCF by M. Gordon, R. Milner and C. Wadsworth, published in 1979 as Springer-Verlag Lecture Notes in Computer Science n. 78. ML was originally the meta-language of the LCF system. The ML system was adapted to Maclisp on Multics by Gérard Huet at INRIA in 1981, and a compiler was added. Larry Paulson from the University of Cambridge completely redesigned the LCF proving system, which stabilized in 1984 as Cambridge LCF. Guy Cousineau from the University Paris VII added concrete types…
…rtly to explore the possibility of combining polymorphism with type checking. This last reason is of general interest in programming languages and has nothing to do specifically with proof: the problem is that there are many operations (list mapping functions, functional composition, etc.) which work at an infinity of types, and therefore their types should somehow be parameterized, but it is rather inconvenient to have to mention the particular type intended at each of their uses. The ML type checking system is implemented in such a way that, although the user may occasionally (either for documentation or as a constraint) ascribe a type to an ML expression or pattern, it is hardly ever necessary to do so. The user of ML will almost always be content with the types ascribed and presented by the type checker, which checks every top-level phrase before it is evaluated. The type checker may sometimes find a more general type assignment than expected.

B.5.1 Types and objects

Every data object in ML possesses a type. Such an object may possess many types, in which case it is said to be polymorphic and possesses a polytype, i.e. a type containing type variables (for which we use a sequence of asterisks, possibly followed by an identifier or integer), and moreover it possesses all types which are instances of its polytype, formed by substituting types for zero or more type variables in the polytype. A type containing no type variables is a monotype.
…ry). To use these lemmata one must ensure that the outermost universal quantifier in the conclusion corresponds to the type of the induction. The following tactics are good for a few common cases. They expect the variable the induction or case split is being done over to be declared in some hypothesis.

BoolCases i: Do a case split over a boolean variable declared in hypothesis i. Generates two subgoals, labelled truecase and falsecase, where the boolean variable is replaced by tt or ff.

Cases [t1; …; tn]: Perform an n-way case split over the terms t1, …, tn: refining H ⊢ C by Cases [t1; …; tn] yields one subgoal per ti together with an assertion subgoal for the disjunction of the ti.

Decide P: Perform a case split over a decidable proposition P and its negation. Like Cases [P; ¬P], but immediately runs the tactic ProveDecidable on the first subgoal P ∨ ¬P, which may generate well-formedness subgoals with labels in the aux class. If ProveDecidable fails, then Decide fails too. Because of the constructive nature of NUPRL's type theory, P ∨ ¬P is not true for every proposition P.

IntInd i: Perform integer induction on hypothesis i, generating three subgoals labelled upcase, basecase and downcase. IntInd is a little smarter than the primitive rule intElimination (see Appendix A) in that it first moves any hypotheses that depend on the induction variable to the conclusion and maintains the name of the induction variable.

NatInd i: Perform natural number induction on hypothesis i, which must contain a declarati…
…s: universeFormation j corresponds to D 0, universeEquality to EqCD, and cumulativity j to Cumulativity j.

A.3.5 Equality

The rules for the equality type s = t ∈ T are equalityFormation, equalityEquality, axiomEquality, equalityElimination, hypothesisEquality, substitution and equality (the decision procedure for elementary equalities). Basic inference rules and their corresponding tactics (with required arguments, with optional tacticals): equalityFormation T corresponds to EqCD; equalityEquality to EqCD; axiomEquality to EqCD; equalityElimination i to D i; hypothesisEquality to Declaration and NthDecl i; substitution j (s = t ∈ T) (x.C) to Subst (s = t ∈ T) 0 and BasicSubst (s = t ∈ T) (x.C) (At j); equality to Eq.

A.3.6 Void

The rules for the empty type void are voidFormation (Γ ⊢ U_j extracts void), voidEquality (Γ ⊢ void = void ∈ U_j extracts Ax), anyEquality (Γ ⊢ any s = any t ∈ T refines to Γ ⊢ s = t ∈ void) and voidElimination i (Γ, z:void, Δ ⊢ C extracts any z). Basic inference rules and their corresponding tactics: voidFormation corresponds to D 0, voidEquality to EqCD, anyEquality to EqCD, and voidElimination i to D i.

A.3.7 Atom

Γ ⊢ U_j ex…
…s == rhs, where lhs and rhs are pattern terms that may contain free variables. The latter are implicitly universally quantified. When NUPRL unfolds some instance lhs_inst of lhs, it first matches this instance against the pattern lhs and generates bindings for the free variables of lhs accordingly. It then applies these bindings to the free variables in rhs to calculate the term rhs_inst into which lhs_inst unfolds. Therefore all free variables of rhs must also occur free in lhs, since otherwise unfolding a definition would yield a term with unbound variables. An example of an abstraction object is given below:

{i..j⁻} == {k:Z | i ≤ k < j}

This includes user-defined terms, primitive terms of NUPRL's type theory and even the terms used for describing NUPRL editing features such as the navigator, proof terms or the appearance of abstractions and display forms.

The abstraction defines a type of segments of integers. The abstraction object int_seg already consults a display form in the presentation of the left-hand side of the definition. The structure of the left-hand side becomes more readily apparent if we write it in uniform syntax, which can be made visible by exploding the term as described in Section 5.4.5: {i..j⁻} is int_seg(i;j), a term with opid int_seg, no parameters and two subterms. An instance of the left-hand side is {0..10⁻}, which would unfold to {k:Z | 0 ≤ k < 10}. Just as abstractions can be unfolded by applyi…
…s evaluated by first evaluating e to obtain a value E; if the evaluation fails, then the evaluation of p = e fails similarly. Next, the pattern p is matched with E to see if they have the same form (precise details are given in Section B.4.1.2). If so, then to each identifier in p there is a corresponding component of E. The evaluation of p = e then returns the set of each identifier paired with its corresponding component. If p and E do not match, then the evaluation of p = e fails with failure token MATCH.

B.4.1.2 Matching patterns and expression values

When a pattern p is matched with a value E, either the match succeeds and a set of identifier-value pairs is returned, each identifier in p being paired with the corresponding component of E, or the match fails. We describe, by cases on p, the conditions for p to match E and the sets of pairs returned.

(): Always matches E. The empty set of pairs is returned.

var: Always matches E. The set consisting of var paired with E is returned.

p1.p2: E must be a non-empty list E1.E2 such that p1 matches E1 and p2 matches E2. The union of the sets of pairs returned from matching p1 with E1 and p2 with E2 is returned.

p1,p2: E must be a pair (E1,E2) such that p1 matches E1 and p2 matches E2. The union of the sets of pairs returned from matching p1 with E1 and p2 with E2 is returned.

[p1;p2;…;pn]: E must be a list [E1;E2;…;En] of length n such that for each i, pi matches Ei. The union of the sets of…
…s for rewriting terms based on the justifications for rewriting the immediate subterms of those terms. A functionality lemma for a term with operator op should have the form of a universal formula whose antecedents are rewrite relations r_i between corresponding subterms a_i and b_i, and whose consequent relates op applied to the a_i with op applied to the b_i, where k, m ≥ 0. The universal quantifiers and the ∧s can be intermixed, but the antecedents containing the r_i must come afterward and be in the same order as the subterms of op. If op binds variables in its subterms, then these variables should be bound by universal quantifiers wrapped around the appropriate r_i antecedents. For example, the lemma for functionality of ∃ with respect to the ⇔ relation quantifies over the type A:U and the predicates P, P':A→P, and wraps ∀x:A around the antecedent P x ⇔ P' x. To allow conversionals to find functionality lemmata in the library, they should be named opid_functionality_index, where opid is the operator identifier of op and _index is an optional suffix. When more than one functionality lemma is created for a given operator, they must be ordered with the most specific r_i first, as conversionals search for functionality lemmata in the order in which they appear. Functionality lemmata are not needed when all the r_i are primitive equalities. In this case, functionality information can be derived from the well-formedness lemma for op.

Transitivity Lemmata give transitivity information for rewrite relations. They are used to construct the justification in sequencing conversionals like ANDTHENC.
…s of the reflexivity, symmetry and transitivity of equality and a limited form of substitutivity of equality. As a convenience, Arith will attempt to prove goals in which not all of the C_i are arithmetic relations: it simply ignores such disjuncts. The heart of Arith is a procedure that translates the sequent into a directed graph whose edges are labelled with natural numbers and finds positive cycles in that graph [Cha82].

RepeatEqCDForArith: Apply arithmetic equality reasoning if the conclusion is a = b ∈ T and a and b arithmetically simplify to the same expression. RepeatEqCDForArith first decomposes a and b using EqCD and then applies Arith to subgoals containing integer equalities.

SupInf: Solve linear inequalities over integers and subtypes of integers. The algorithm used in Arith cannot solve general sets of linear inequalities over the integers, though such problems are abundant. SupInf uses an adaptation of Bledsoe's Sup-Inf method for solving integer inequalities. While this method is only complete for the rationals, it is sound for the integers and does work well in practice. SupInf converts the sequent into a conjunction of terms of the form 0 ≤ e, where each e is a linear expression over the rationals in variables x_1, …, x_n, and determines whether or not there exists an assignment of values to the x_i that satisfies the conjunction. The algorithm works by determining upper and lower bounds for each of the variables in turn. SupInf id…
…s the fields of the module type, again as a list of pairs of variables and types. The type of a field may use the variables declared in the previous fields. In addition to that, the last two function arguments are already filled in: the type of the module is U_i, and the location where the module is to be placed is initially set to inl(). Clicking the NavAtAp button (Section …) will create the actual module by executing the function create_rec_module_at with the last argument substituted by the location of the code object. This results in the creation of an object directory for the module that contains definitions for the module type, projection functions, the module constructor and uniform module decomposition operator, unproven well-formedness theorems, code for updating the AbReduce tactic, a recall object, and two comment objects that serve as delimiters for the module type definition. Figure 4.7 describes a code object for defining an abstract data type of stacks over a type T and the object directory created by it.

4.3.2.4 Copying Objects

Copies of existing objects can be created using the CpObj command button. This will open a template on top of the command zone into which the user may type the name of the object that will contain the copy. The current name of the object already occurs in the template, with the edit cursor at its beginning. To place a copy into a different directory, a user may leave the command zone by press…
…s used not to be visible when editing proofs with the proof editor.

Table 8.1 Soft abstractions in NUPRL's basic libraries:
member       t ∈ T        t = t ∈ T
and          A ∧ B        A × B
nequal       x ≠ y ∈ T    ¬(x = y ∈ T)
or           A ∨ B        A + B
ge           i ≥ j        j ≤ i
implies      A ⇒ B        A → B
gt           i > j        j < i
rev_implies  A ⇐ B        B ⇒ A
lelt         i ≤ j < k    i ≤ j ∧ j < k
iff          A ⇔ B        (A ⇒ B) ∧ (A ⇐ B)
lele         i ≤ j ≤ k    i ≤ j ∧ j ≤ k
exists       ∃x:A. B      x:A × B
prop         P_i          U_i
all          ∀x:A. B      x:A → B

The softness is also useful when one wishes to blur the distinction between propositions and types, for example when reasoning explicitly about the inhabitants of propositions. member, nequal, rev_implies, ge and gt are soft principally because it can simplify matching. Abstractions are not soft by default. They can be declared soft or hard by supplying their opids to the functions

add_soft_abs abs: Declare the abstractions in the token list abs as soft.
remove_soft_abs abs: Declare the abstractions in the token list abs as hard.

Instances of these functions are usually kept in ML objects in close proximity to the abstraction definitions that they are declaring soft. For an example use of add_soft_abs, see the object soft_ab_decls in the core_2 theory.

8.2.5 Universal Formulas

Many of NUPRL's tactics work on a specific subclass of logical formulas generated by the grammar P ::= ∀x:T. P | P ⇒ P | P ∧ P | P ⇔ P | P ⇐ P | C, where T is a type and C is a propositional term not of the above form. We call the…
…se universal formulas positive definite formulas or Horn clauses. Formulas generated without the ∧ and ⇔ connectives are also called simple universal formulas. We call the proposition C a consequent and each P an antecedent. Occasionally we refer to the types T as type antecedents. We view a universal formula as being composed of several simple formulas, one for each consequent. The simple components are numbered from 1 up, starting with the leftmost consequent. Such formulas are the standard way of describing derived rules of inference and are used as such by the forward and backward chaining tactics (see Section 8.4). Often a consequent C of a formula will be an equivalence relation, in which case the formula can be used as a rewrite rule by the rewrite package (see Section 8.6). Occasionally one has a universal formula where the outermost constructor of C is also one of the constructors that make up the universal formula. In this case one can surround C by a guard abstraction to designate it as consequent of the formula. A guard abstraction takes a single subterm as argument and unfolds to this subterm. The tactics that take apart universal formulas recognize and automatically remove guard abstractions, so the user rarely has to explicitly unfold them.

8.3 Basic Tactics

8.3.1 Single-Step Decomposition

Single-step decomposition tactics invoke the primitive formation, equality and elimination rules of NUPRL's logic described in…
…senting sets. The following functions behave like the corresponding set-theoretic operations on sets represented as lists without repetitions.

intersect : * list -> * list -> * list
subtract : * list -> * list -> * list
union : * list -> * list -> * list

Description: intersect l1 l2 = l1 ∩ l2; subtract l1 l2 = l1 \ l2; union l1 l2 = l1 ∪ l2.

Definition:
let intersect l1 l2 = filter (\x. mem x l2) l1;;
let subtract l1 l2 = filter (\x. not mem x l2) l1;;
let union l1 l2 = l1 @ subtract l2 l1;;

There are also functions to test if a list is a set, remove duplicates from a list, and test two lists for set equality.

distinct : * list -> bool
setify : * list -> * list
set_equal : * list -> * list -> bool

Description: distinct l returns true if all the elements of l are distinct, otherwise it returns false. setify l removes repeated elements from l, leaving the last occurrence of each duplicate in the list. set_equal l1 l2 returns true if every element of l1 appears in l2 and every element of l2 appears in l1, otherwise it returns false.

Definition:
letrec distinct l = null l or (not mem (hd l) (tl l) & distinct (tl l));;
let setify l = itlist (\a s. if mem a s then s else a.s) l [];;
let set_equal l1 l2 = null (subtract l1 l2) & null (subtract l2 l1);;

B.7.7 Miscellaneous string processing functions

The following functions split strings into words. words2 u…
…ses they analyze the problem by translating it into a different problem domain, e.g. the problem of finding cycles in a directed graph, for which there are well-known decision algorithms. To ensure consistency with type theory, some of these procedures have to generate proof tactics that validate the result of the analysis and create appropriate subgoals if necessary. For Arith and Eq, the consistency of the decision procedure has been proven externally, and the procedures are implemented as elementary inference rules. Decision procedures require the well-formedness of the components used during the analysis to be proven as separate subgoals, as this is a purely type-theoretical issue that cannot be addressed by the decision algorithm.

8.3.3.1 Logical reasoning

ProveProp: Prove a goal that involves only simple propositional reasoning. The proof strategy is basically a classical tableau prover for propositional logic, which exhaustively decomposes propositions and seeks for applications of the Hypothesis tactic. Because NUPRL sequents only allow one conclusion (rather than many, as in tableau calculi), the tactic has to do or-branching and backtracking when it tackles an ∨ conclusion or an or-hypothesis. It fails if not all main goals can be solved. The tactic is not complete for intuitionistic propositional logic because it always thins ⇒ and ¬ hypotheses that are decomposed. Common variants of ProveProp are:

- Prov…
…ses a user-supplied separator, while words uses space and carriage return as separators.

words2 : string -> string -> string list
words : string -> string list

Description: words2 c `s1cs2c…csn` = [s1; s2; …; sn] for a separator character c, and words splits a string into the words between spaces and newlines.

Definition:
let words2 sep string =
  snd (itlist (\ch (chs,tokl).
                 if ch = sep
                 then (if null chs then ([],tokl) else ([], (implode chs).tokl))
                 else (ch.chs, tokl))
              (sep.explode string) ([],[]));;

let word_separators = [` `; `\L`];;

let words string =
  snd (itlist (\ch (chs,tokl).
                 if mem ch word_separators
                 then (if null chs then ([],tokl) else ([], (implode chs).tokl))
                 else (ch.chs, tokl))
              (` `.explode string) ([],[]));;

The next three functions, the second of which is an infixed version of the first, are string concatenation operators.

concat : string -> string -> string
^ : string -> string -> string
concatl : string list -> string

Description: concat concatenates two strings, ^ is an infixed version of concat, and concatl concatenates all the strings in a list of strings.

Definition:
let concat s1 s2 = implode (explode s1 @ explode s2);;
ml_curried_infix `^`;;
let ^ s1 s2 = concat s1 s2;;
let concatl sl = implode (itlist append (map explode sl) []);;

B.7.8 Failure handling functions

The failure handling functions described here are useful for writing code that fails with a backtrace. set_fail…
…sing letref instead of let. Values bound to such identifiers can be changed with the assignment expression x := e, which changes the value bound to x to be the value of e. Attempts to assign to non-assignable variables are detected by the type checker.

x := 1;;
unbound or non-assignable variable x
1 error in typing
typecheck failed

letref x = 1 and y = 2;;
x = 1 : int
y = 2 : int

The value of an assignment x := e is the value of e; hence the value of y := 6 is 6. Simultaneous assignments can also be done:

x,y := y,x;;
(6,2) : (int # int)
x,y := 2,6;;
(2,6) : (int # int)

The type int # int is the type of pairs of integers.

B.2.4 Functions

To define a function f with formal parameter x and body e, one performs the declaration let f x = e. To apply the function f to an actual parameter e, one evaluates the expression f e.

let f x = 2*x;;
f = - : (int -> int)
f 4;;
8 : int

Functions are printed as a dash followed by their type, since a function as such is not printable. Application binds more tightly than anything else in the language; thus, for example, f 3+4 means (f 3)+4, not f (3+4). Functions of several arguments can be defined:

let add x y = x+y;;
add = - : (int -> int -> int)
add 3 4;;
7 : int
let f = add 3;;
f = - : (int -> int)
f 4;;
7 : int

Application associates to the left, so add 3 4…
…slot or either of the subterm slots. The definition should now look like

[mae] == exists_unique(term; binding.term)

Enter ⌘3, or click LEFT on the leftmost term slot, and enter T, x and <P> as meta-terms and meta-variable respectively by typing mterm T, C-M mterm x, and mterm P. As a result you get

[mae] == exists_unique(<T>;<x>.<P>)

To create a display form for the term on the right-hand side, click LEFT on the first [ to get a text cursor in the empty format sequence on the left-hand side of the definition. Type ∃ C-O slot x var C-F to generate an ∃ symbol and an exclamation mark as initial text and a slot for the variable x. The definition should now look like

∃!<x:var> == exists_unique(<T>;<x>.<P>)

Enter a colon, the type slot, a period, a space and the second term slot: C-O sslot T type C-F, . C-F, space C-F, C-O eslot P prop. The definition should now look like

∃!<x:var>:<T:type>. <P:prop:E> == exists_unique(<T>;<x>.<P>)

Note that the MkObj button is not present in user theories. The only way to create display forms there is through the AddDef and AddDefDisp buttons, which already generate a right-hand side term, a standard sequence of formats and an alias attribute.

The display form definition is now complete and may be saved by closing the di…
…splay form object with C-Z. However, the definition does not yet include line breaking or parenthesization information. In particular, it does not contain any visible delimiter for the end of the prop slot. We therefore want the layout algorithm to automatically parenthesize the display form. To add parenthesizing attributes, click LEFT on the second character to get a term cursor over the whole definition, and then enter C-M S 1 C-O to get two empty attribute slots with a term cursor over the first:

[m:attr] :: [m:attr] :: ∃!<x:var>:<T:type>. <P:prop:E> == exists_unique(<T>;<x>.<P>)

To instantiate the attribute slots, enter parens 1 prec J exists to get

Parens :: Prec(exists) :: ∃!<x:var>:<T:type>. <P:prop:E> == exists_unique(<T>;<x>.<P>)

This means that we assign the same precedence to the term ∃!x:T. P as is assigned to the term ∃x:T. P in the standard libraries. We may also add a soft break format such that the period separating the type slot from the prop slot does not appear if a break is taken. Click LEFT on the . character and delete it using C-D. Enter C-O sbreak, click LEFT on the slot after the . character in the soft break display form, and enter the period there:

Parens :: Prec(exists) :: ∃!<x:var>:<T:type>[soft break .]<P:prop:E> == exists_unique(<T>;<x>.…
sponding Tactic (with required arguments) | (with optional tacticals)

recEquality X
rec_memberEquality j | EqTypeCD
rec_memberFormation j
rec_indEquality z T rectype(X.Tx) j Pfs
recElimination i j Py j c | RecTypeInduction i
recUnrollElimination i x v | D i

A.3.12 Subset

TE U ext 7 S T Jj Lr Uj ext SIT by dependent setFormation v by independent setFormation PRS Uj m Dr U ext 5 I 2 S F U ext T TE U ext T TE 4x2 58 17 4x 58 1T Uj x by setEquality v PF S 8 Uj m D z 5 Ti z mi Talx x2 Uj ax TF s t e x SIT ax T F a S T ext s b dependent set memberEquality 7 zg by dependent set memberFormation j s x lD s 2te S wy TFH s e S m Tr F T s x wx Tr F T s z wx D z S T z x e U x D z S E T z x e U ws TF s t e SIT ws TE SIT ext s by independent set memberEquality by independent set memberFormation Trs te S pw TES ext 5 PET wx DF T wy D z x S IT AFC ext Oy 0 z by setElimination i y v D z z SI TY y S lv Tly z Aly z F Cly z ext

Basic Inference Rule | Corresponding Tactic (with required arguments) | (with optional tacticals)

dependent_setFormation j v
independent_setFormation
setEquality v | EqCD
dependent_set_memberEquality j v | EqTypeCD
dependent_set_memberFormation j s | D 0
independent_set_memberEquality | EqTypeCD
independent_set_memberFormation | D 0
setElimination i y v | D i

A.3.13 Intersec
ss the down arrow key. This will move into the first subnode of the theorem, indicated by a top 1:

top 1 1 A P E VB P CCCA v 5B HA B BY

To move into the second subgoal press the right arrow key. As indicated by the wf annotation, the second subgoal is a well-formedness goal stating that P is a well-formed type-theoretical expression. Most goals of this kind can be dealt with automatically: typing Auto C 1 will complete this subproof (no subgoals are generated) and the status marker changes accordingly. Pressing the left arrow key will bring you back into the first subgoal. Alternatively you can press C M j, which causes the editor to jump to the next unproven subgoal.

Proving the first subgoal requires more effort. Typing Auto C 1 will decompose the universal quantifier and the implication and deal with the corresponding well-formedness subgoals. The result will be a subgoal with two additional hypotheses: a declaration of the variable B and the assumption A ∨ B. To prove this goal, both the conclusion (D 0) and the third hypothesis (D 3) need to be decomposed. Auto does neither of these two steps automatically but can deal with the resulting subgoals. These steps can be combined into a single one by using the tactical THEN:

top 1 1s AGP E VB P CGAY v 5B A B BY 11 2 BP 8 CA v 9B F A B BY

Clicking the left m
st of variables and a tactic, and generates a tactic that uses the provided variables instead of the automatically chosen ones. The tactic D 0, which usually suffices to represent the rule functionEquality v, can be forced to choose the name x for the new variable by writing New x (D 0).

Universe level. Universe levels can usually be determined from the immediate proof context and the well-formedness theorems of user-defined concepts. In some cases the heuristics choose a rather arbitrarily high universe level. To enforce a particular level one may use the tactical At. The tactic D 0, which usually suffices to represent the rule lambdaEquality j i, can be forced to choose the universe level j by writing At Uj (D 0). In addition one could also enforce the use of x as new variable name, as in At Uj (New x (D 0)).

Values for variables. The With tactical can be used to supply terms that are needed for the instantiation of variables. The rule dependent_pairFormation j s i, for instance, requires the term s to be provided explicitly. It is represented by the tactic With s (D 0). A universe level and a variable name may also be provided by writing At Uj (With s (New x (D 0))).

NuPRL's library contains proof tactics that attempt to determine clause index and values for variables automatically. But since the underlying heuristics are often time-consuming and sometimes choose values leading to subgoals that cannot be proven, they a
stic Type Theory [ML84], which includes formalizations of the fundamental concepts of mathematics, data types and programming. The system itself supports interactive and tactic-based reasoning, decision procedures, evaluation of programs, language extensions through user-defined concepts, and an extendable library of verified knowledge from various domains. Since its first release in 1984 [CAB86], the system has undergone several significant modifications to meet the growing demands for formal knowledge and tools in programming and mathematics, the most recent being a complete redesign of its architecture, discussed in [ACE00]. The NuPRL 5 system, which is documented in this manual, features an open, distributed architecture that integrates all its key subsystems as independent components and uses a flexible knowledge base as its central component.

1.1 The NuPRL 5 Architecture

Figure 1.1 illustrates the architecture of NuPRL 5. The system is organized as a collection of communicating processes that are centered around a common knowledge base called the library. The

[Figure 1.1: NuPRL 5 architecture. Components shown: Structure Editor, Web, Emacs Mode, Library (theories holding defs, thms, tactics, rules, structure, code), Nuprl Refiner, MetaPRL, JProver, Lisp, HOL, PVS.]
stractions are stored in abstraction objects of NuPRL's library (see Section 4.1.1). The visual appearance of a term is governed by its display forms (see Chapter 7.2), which are defined in the display form objects of NuPRL's library. This chapter describes the internal structure of terms, the interplay between NuPRL's structured editor and display forms, and the commands for interactively viewing and editing terms in NuPRL.

5.1 Uniform Term Structure

NuPRL terms have the form

opid{p1, ..., pn}(x1.t1; ...; xm.tm)

where opid is the operator identifier, the p_i are parameters, and the x_i.t_i are the bound subterms, expressing that the variables x_i become bound in the term t_i. The tuple (n, m), where n, m ≥ 0, is the arity of the term. Appendix A.1 describes the current parameter types and the acceptable strings for opids, parameters and variables. The primitive operators of NuPRL's type theory are listed in Table A.1 on page 148. When writing terms we sometimes omit the brackets around the parameter list if it is empty. Note that parameters are separated by commas while subterms are separated by semicolons. Terms are implemented as tree data structures in NuPRL's meta-language ML (see Appendix B). Most users will rarely have to work with terms on the ML level but use the term editor to view and edit terms.

5.2 Structured Editing

In mathematics one distinguishes between the logical structure of objects and the notation in which
t Atom by atomFormation T F token token by tokenEquality Atom ax T E if uv then s else t by atom eqEquality v if u v then s else t T ax TF u u Atom jax TF v v Atom ax T v u v eAtom F s s T w T v A u u c Atom F t t T ww D E if u2v then s elset t T ax by atom eqReduceTrue Tr s Pru w I Atom Atom U Ax by atomEquality T F Atom ext token by tokenFormation token D E if u2v then s elset t T ax by atom eqReduceFalse t P m THt t Atom ax THF alu v e Atom ax 2 T ww

Basic Inference Rule | Corresponding Tactic (with required arguments) | (with optional tacticals)

atomFormation
atomEquality | EqCD
tokenEquality | EqCD
tokenFormation token | D 0
atom_eqEquality v | EqCD
atom_eqReduceTrue | PrimReduceFirstEquand true
atom_eqReduceFalse | PrimReduceFirstEquand false
PrimReduceEquands true 1
PrimReduceEquands false 1

A.3.8 Integers

U ext Zj intFormation neneZ Ax natural_numberEquality s 5 Z lx minusEquality c Z Ax F s 8 stt st Z wy addEquality m 5 7 8 Z Ax Ft t Z Ay 2 Sit st Z ax subtractEquality E 8 Z Ax S Ft t Zw 5 t sx t Z aw multiplyEquality F s s Z m Pt Z iy 2 Soc st Zw divideEquality s remt
t make it possible to recover from failures and system crashes. Library transactions also provide a model for controlling outside access to the actual library contents, which enables the library to certify the correctness of its formal theorems and proofs. The primitive library operations are:

- Binding an object identifier to an object, and unbinding an object identifier
- Looking up the object contents bound to an abstract identifier
- Generating new object identifiers
- (De)activating an object (changing the liveness bit)
- (Dis)allowing garbage collection for the object (changing the sticky bit)

There are also primitives for creating new object contents from existing object contents and new data. The most basic primitive creates a new abstract term for the object. Other primitives modify extra data related to building proof structures by changing the list of proofs linked to a statement, modifying the inference tree of a proof, or changing the inference step of an inference object.

4.1.3 User Interaction with the Library

NuPRL users do not interact with the library directly but through an editor process that communicates with one of the library's application interfaces. The application interface generates the user's work space from the actual library table and communicates the modifications initiated by the user to the transaction manager, which in turn performs the actual modification to the library. This makes it possible to restrict
t node
M L1: refine goal reusing the tactic tree below
C M 41: asynchronously refine goal
C M r st: step refine
C M r kr: kreitz this subtree
C M r dk: de-kreitz this node

Copy/Paste
C h: mark proof address
M h: goto proof at address on stack
M k: copy proof when selected
C y: paste proof on stack into current proof node

Proof Editor History
C : revert window to previous proof in history walk
C : revert window to next proof in history walk
C x C s: save proof in window to library
C M e: update the proof window with the current proof in the library

Saving and Deleting Proofs
C M g: save goal to library
C M c: make backup copy of current proof
C M f: set current proof to be the main proof
M : bring up backup proofs
C M d: delete current proof
C x C b: delete all backup proofs

Alternative Views
C M p: create scratch window containing the current subproof
C M i: pop up pointers to other proofs of the current statement
C M d: select default view mode
C M t: view the tactic tree
C M a a: view the address tree
C M a v: view the goal tree

Proof Details
C M h: show interior proof
C M l: show primitive proof
C M v pet: show extract tree
C M v pex: show extract term

Miscellaneous
C M m: print current proof
C q: close proof window
C z: generate extract term and close proof window

Table 6.1: Proof Editor Keyboard Macros

Chapter 7 Definition and Presentation of Terms
t update the value of a reference variable for the current index. Update code should not itself look up values of reference variables. Currently reference environments also contain a list of additions to the code of a code object, a method used in previous releases of NuPRL. Additions are preserved for compatibility reasons but will be phased out in the future. To contain updates to a reference environment, NuPRL uses code objects that have a property

reference environment additions t update t property

There are three varieties of reference environments:

- Static reference environments are ML code objects placed in theory directories that evaluate to a reference environment specification.
- Ephemeral reference environments are computed at refine time by chaining backwards through the reference environment properties of objects until a static reference environment is located. The reference environment specification is then built in a linear depth-first order; it includes the objects above it and all the objects in directories above it.
- Minimal reference environments are partial specifications of reference environments. Instead of defining an index they bind an arbitrary temporary index for the scope of some evaluation. The intent is that only objects necessary for a successful evaluation will be listed. A minimal reference environment may be relative to a static one. Thus there are flavors of minimal reference environments. Currently
tain blanks, enter S BP to create them and other special characters. The kind is not case-sensitive but is usually displayed in capitals. Typing not_over_and over STM after clicking MkObj in the above context, for instance, leads to the result shown on the right of Figure 4.4. NuPRL also provides commands and buttons for creating objects of a particular kind. They can be used instead of the more general command, whose button is not shown in most user theories. Clicking the command button MkTHM creates a statement object and places it into the current directory immediately after the navigation pointer. In the interactive version one only has to enter

[Figure 4.4: the MkObj dialog (fields: new object name, kind; buttons OK, Cancel; "creates an object in the current directory") and the navigator command buttons: MkTHY, OpenThy, CloseThy, ExportThy, ChkThy, ChkAllThys, ChkOpenThy, CheckMinTHY, MinTHY, EphTHY, ExTHY, ObidCollector, NameSearch, PathStack, RaiseTopLoops, PrintObjTerm, PrintObj, MkThyDocObj, ProofHelp, ProofStats, showRefEnvs, FixRefEnvs, CpObj, reNameObj, EditProperty, SaveObj, RmLink, MkLink, RmGroup, ShowRefenv, SetRefenvSibling, SetRefenvUsing, SetRefenv, ProveRR, SetInOBJ, MkTHM, MkML, AddDef, AddRecDef, AddRecMod, AddDefDisp, AbReduce, NavAtAp, Act, DeAct, MkThyDir, RmThyObj, MvThyObj]
tarted, the state should be exactly as it was before the process was killed. Please report any behavior you think is due to a bug, or inconsistencies between the operation of the system and the documentation. Also report any break points that you hit; they have either been left in the code accidentally or they are there to help track down the source of bugs. We welcome suggestions for improvement. Send e-mail to nuprlbugs@cs.cornell.edu.

3.6 Troubleshooting

In this section we discuss problem situations that need to be resolved on the system level. Recovering from errors within either of the editors or the navigator is discussed in the respective chapters. All system and error messages are directed to the emacs windows containing the three NuPRL 5 processes. It is recommended to check these windows if the system seems to be stuck or if other problems occur. In most cases where the system appears to be stuck, one of the three Lisp processes is garbage collecting. Depending on processor speed and available memory this may take a few minutes. If the editor hangs for an unusually long time, one of the three main processes may have been thrown into the Lisp debugger. This may happen if a breakpoint was mistakenly left in the NuPRL code or if you hit a bug. You may also have accidentally interrupted Lisp. In either case there will be an error message in the corresponding Lisp top loop. The particular debugger appearance and commands given below are for Alle
te to the extract term. Sequents must be closed: free variables in the conclusion must be declared in one of the hypotheses, while free variables occurring in hypothesis H_i must be declared in one of the hypotheses H_1, ..., H_{i-1}. Obviously all variables declared in the hypotheses have to be distinct. Sequents do not explicitly contain extract terms, since extract terms are only constructed for complete proofs. In NuPRL, sequents occur only within the nodes of a proof and are therefore considered identical to proof nodes with empty refinement slots. Usually NuPRL displays sequents vertically and explicitly numbers the hypotheses, so a sequent H_1, ..., H_n ⊢ C is displayed as

1. H_1
...
n. H_n
⊢ C

Variables whose name starts with a character are considered invisible and will not be displayed. The system provides a few ML functions for accessing the components of a sequent:

var_of_declaration : assumption -> var
type_of_declaration : assumption -> term
is_hidden_declaration : assumption -> bool
mk_declaration : var -> term -> bool -> assumption
conclusion : proof -> term
hypotheses : proof -> assumption list
mk_sequent : (var # term # bool) list -> term -> proof

Advanced users may take advantage of these functions when developing proof tactics that analyze the contents of a sequent in order to determine appropriate inferences. Since NuPRL's type theory incorporates the propositions-as-types principle, w
tent.

2.8 Troubleshooting

Since the NuPRL library never destroys information, typos and almost all commands can be undone by entering the key combination C _. The undo history, however, is limited, and recovering from an error that was made many steps ago is more difficult. Should you accidentally close the navigator window, you may open it again by typing the command win into the editor process top loop. This will open all the windows of the initial screen. If the editor hangs for an unusually long time, one of the three main processes (editor, refiner or library) may be broken. In this case there will be an error message in the corresponding emacs top loop. Often evaluating the expression fooe will recover the process. Sometimes typing the Lisp command cont will help as well. In the worst case, kill the process and then restart it. The library process will detect the link going dead and clean it up automatically.

2.9 Shutting NuPRL down

In principle there is no need to shut NuPRL down, as all data are saved immediately and updates may be integrated by loading patches into the running process. However, the NuPRL 5 processes are quite demanding as far as CPU and memory are concerned. To shut down gracefully you should first close the refiner and the editor and then the library. Enter stop at the corresponding ML prompt:

ML ORB stop

As a result the editor and refiner will communicate to the library that they will disconnect now and
ters cause those characters to be inserted at the position of the cursor. The text cursor is significantly thinner than the term cursor on a no-width term, so it should be easy to distinguish the two. It may be positioned either between two adjacent characters, before the first character of a text slot, or after the last. Valid text cursors for the text string abcdef, for instance, include |abcdef, abc|def and abcdef|. There is a potential ambiguity as to which text slot a text cursor is at. Consider, for instance, two adjacent text slots containing the strings aaa and zzz and the following text cursor: aaa|zzz. Display forms are designed so that this kind of situation should never occur.

Certain cursor motion commands are designed for moving around a term's display character by character, as with a conventional text editor. In this case the cursor occupies a single character position on the screen. If possible the editor uses a text cursor. Otherwise it uses a screen cursor, which is displayed by outlining the character. For instance, if we had the following text cursor in a term

Wi Z 3j Z G G 1

then a move-left-one-character command would leave a screen cursor over the character

V Bi Z 3j Z j G 1

In screen mode, keystrokes corresponding to printing characters form parts of editor commands. In the rest of this document we will never have to explicitly represent a screen cursor, so all outlined terms should be interpreted as
the Y combinator, the corresponding process must be interrupted explicitly. Typing C c repeatedly will eventually break the Lisp process, which then can be restarted with fooe. If everything else fails, one may have to restart the editor, the refiner, or even all three NuPRL processes. Interrupt the Lisp process with C c, type exit (or kill the process from Unix), and then start it again as described in Chapter 3. If all three NuPRL processes have to be shut down, it is best to stop those that are still alive using the stop command, shutting down the library last.

Chapter 5 Editing Terms

Terms in NuPRL are a general-purpose uniform data structure that serves two different purposes:

- Terms are used to represent NuPRL's object logic, that is, the expressions and types of its type theory together with user-defined extensions, as well as all NuPRL propositions. Sometimes we refer to terms of this kind as object language terms.
- Nearly all library objects, that is, proofs, abstractions, display forms and even the descriptions of the NuPRL editors, are represented as terms, which we refer to as system language terms.

Terms are either primitive or abstract. Primitive terms have fixed, pre-defined meanings and are used to describe the primitives of NuPRL's type theory as well as the foundation of the NuPRL system. Abstract terms, or abstractions (see Chapter ), are defined as being equal to other, more primitive terms. The definitions of ab
the library. Further tactics may be found by inspecting NuPRL's library of standard theories.

8.2.1 Tactic Arguments

Invoking a tactic often requires certain arguments to be supplied. These may be indices of hypotheses to which the tactic shall be applied (type int), NuPRL terms that instantiate variables (type term), new variables to be generated (type var), universes to be used in well-formedness goals (type term), names of library objects to be consulted (type token), substitutions to be applied (type (var # term) list), sub-tactics to be used during refinement (type tactic), and others. The proof goal (type proof) to which the tactic shall be applied is always the last argument of a tactic. If the tactic is invoked in the proof editor, the user does not have to supply this argument, as the proof editor will automatically insert it. Unless otherwise stated we assume that arguments to tactics have the following types and uses:

T : tactic
c : int, clause index
i : int, hypothesis index
t : term, term of NuPRL's type theory
n : tok, name of a lemma object in NuPRL's library
a : tok, name of an abstraction object in NuPRL's library
v : var, variable in terms of NuPRL's object language
l : tok, subgoal label
p : proof, current proof goal

A suffix s on the name of an argument indicates that it is a list. For example, vs is considered to have type var list.

8.2.1.1 Referring to hypotheses in a sequent

Hypotheses are convent
the metalanguage ML and of rules and tactics is largely compatible with previous releases. The NuPRL 4 manuals [Jac93b], written by Paul Jackson, served as a foundation for the corresponding chapters.

Ithaca, December 17, 2002

Contents

1 Introduction
1.2 Purpose of this Manual
1.4 Conventions
1.5 Structure of this Manual
2.2 Running NuPRL
2.8 Troubleshooting
3 Running NuPRL 5
3.2.1 Retrieving and Installing NuPRL 5
3.3 Starting NuPRL 5
3.3.1 Starting the Library
Exiting NuPRL
3.6 Troubleshooting
4.1 The Library
4.1.3 User Interaction with the Library
4.2 Nuprl Windows
4.2.1 The Navigator Window
4.2.2 The ML Top Loop Window
4
ting operations can be done most easily with the mouse and the buttons. Familiarize yourself with the standard NuPRL theories that are already present in the library. Existing theories are an excellent resource for learning how to structure theories and how to write proofs. The NuPRL ML manual in Appendix B contains a tutorial in the use of ML (Appendix B.2). Use this as an introduction to ML. Daring users may also take a look at the .ml files in the directory /home/nuprl/nuprl5/lib/ml/standard, which contain the implementation of the existing tactics collection and can be used as examples for writing tactics. We recommend that fairly early on you at least browse through this manual, familiarizing yourself with the general contents of each chapter. This will help you know where to look if you have questions.

1.4 Conventions

We give the conventions we use in this manual for presenting user input and NuPRL output. Input which you should type is presented in typewriter font. For example, this is in typewriter font. The following symbols are also used:

- BPO for the space bar
- i for the Return key (sometimes marked as Enter)
- LED for the linefeed key
- 53 for the Tab key
- DEL for the delete key (sometimes marked as Rubout; on some keyboards BACKSPACE has the same effect)
- LEFT, MIDDLE and RIGHT for the left, middle and right mouse button

Modified keys are prese
tion TF Uj ext Nz S T TE na 8 T a U Ax by isectFormation x S by isectEquality 1 PRS e Uj m PDFS SEU ww D 2 58 FU ext Tj D 2 58 F Ti z vi Tolx x2 Uj wx TF t t Na S T px TF na S T ext 4 by isect_memberEquality j x by isect memberFormation j x D z S F t tg T x x ax D z S T z v ext t PRS Uj m PRES Uj w Tb ds J T t a Ax by isect member caseEquality Nx S T t rH fi fa Oz S T ax THte Sm D f Ow S T Abr C ext t f Ax y z by isectElimination i s y 2 D f Mx S T AF seS wy D f na S T y Tls x z y feT s x AF C pxt y

Basic Inference Rule | Corresponding Tactic (with required arguments) | (with optional tacticals)

isectFormation i S
isectEquality v | EqCD
isect_memberEquality j v | EqTypeCD
isect_memberFormation j x | D 0
isect_member_caseEquality ∩x:S.T t | GenTypeCD 2 r S
isectElimination i s y | With s (D i)

A.3.14 Quotient Type

Lr U ext x y T E by quotientFormation T E xy 2 vv TETe U ix Dow y T HE U Ax D z T Elx x x y vx D zx T y T v E y z y Ely v x y vw D zx T y T z T v Elx y x y v Ely z m y Elx 2 x0 y ww rE oY T E Vd tT E U Ax by quotientWeakEquality x y z v v PF T 7 T Uj w D x y T Eim y vi yi Es y zaoyo Uj wx D zx T F Ejlx 2 1 y1 vw D e f y T vimm Eily x1 y es D z T y T 2 T v FA y my yi v Eily
tion will not be determined automatically but has to be provided as additional arguments. Inference rules may require the following arguments.

Hypothesis index. If a rule shall be applied to a particular hypothesis of the proof goal, the corresponding index i of that hypothesis in the hypotheses list of the goal must be provided. The rule hypothesis, for instance, can be used to prove a goal if the conclusion is identical (α-equal) to one of the assumptions, but the index of that assumption must be given:

Γ, x:A, Δ ⊢ A ext x   by hypothesis i

H, x:A, J ⊢ A ext x
BY hypothesis i
No Subgoals

Variable names. Many inferences require the creation of new variables when refining a proof goal. The corresponding proof rules do not choose the names for these variables automatically but expect them to be provided explicitly. The rule functionEquality, for instance, is used to prove two dependent function types x1:S1→T1 and x2:S2→T2 equal. It creates two subgoals: the two domains S1 and S2 must be equal, and the two ranges T1[x1] and T2[x2] must be equal for each argument x ∈ S1. The second subgoal contains a new variable whose name must be given:

Γ ⊢ x1:S1→T1 = x2:S2→T2 ∈ Uj ext Ax   by functionEquality x
  Γ ⊢ S1 = S2 ∈ Uj
  Γ, x:S1 ⊢ T1[x/x1] = T2[x/x2] ∈ Uj

H ⊢ x1:a1→b1 = x2:a2→b2 ∈ U
BY functionEquality y
  H ⊢ a1 = a2 ∈ U
  H, y:a1 ⊢ subst(b1; x1; y) = subst(b2; x2; y) ∈ U

Universe level. Because of the
to the right of the format position onto the margin stack. The layout algorithm uses the top of the margin stack to decide the column at which to start laying out after a line break. To create the format, enter pushm into a term slot and edit the number 0 in the format accordingly. The margin control format popm pops the current margin off the top of the margin stack and restores the left margin to a previous margin. Usually display forms should have matching pushm's and popm's.

7.2.3.3 Line Breaking

Line breaking formats divide the display into nested break zones. There are 3 kinds of break zone: hard, linear and soft. The effect of a break format depends on the break zone kind:

- In a hard zone a break always causes a line break.
- In a soft zone either none or all of the breaks are taken.
- In a linear zone a break never causes a line break. Instead its position is filled by the text string of the break format, which usually is a sequence of blank characters.

Break zones are started and ended by zone delimiters. Display form format sequences should usually include matching start and end zone formats. There is one end delimiter, ezone, for all kinds of zones. Each kind of zone has its own start delimiter:

- HARD: hzone starts a hard zone
- SOFT: szone starts a soft zone
- LIN: lzone starts a linear zone

A linear zone is special in that all zones nested inside it are also forced to be linear. Therefore a linear zon
to which the object shall be made visible.
- A mnemonic name, which is commonly used for presenting the object identifier.
- The language in which a code object is programmed.
- A reference environment (Section 4.3.3.1) describing the context of the object.

Extra data are used to collect information that accounts for the validity of an object's content. Statements include a list of links to proof objects as extra data, proofs include a tree of inferences, and inferences include primitive inference steps.

4.1.2 The Library Table

In the library table, objects are also associated with abstract identifiers that are bound to the contents of the object. All references to objects have to use these abstract identifiers, which in turn are linked to names for objects in a user's work space. Object contents are viewed as non-destructive: to change the content of an object, the library creates a new object content and rebinds the abstract identifier of the object to the new content. To remove the object from the library it simply removes the binding between the abstract identifier and the content. Object contents are usually not removed from the library except by garbage collection. All library operations are built from a small collection of primitive operations on object contents and library tables. These operations are performed by the library's transaction manager, which ensures that the library is always in a consistent state and provides mechanisms tha
token or token list, the escape sequence \x has the following meanings for different x:

\n  n spaces (0 < n < 10)
\S  one space
\R  return
\L  line feed
\T  tab
\x  x taken literally otherwise, e.g. to include token quotes in a token or token list

4. Strings, consisting of any sequence of characters surrounded by string quotes, e.g. `This is a single string`. Any string quote characters within a string must be preceded by \. The escape sequence \x for any other character x means always to insert the character x.

5. The expression (), called "thing", which evaluates to the unique object of ML type unit.

B.3.2.3 Prefixes and infixes

The ML prefixes pr and infixes ix are given by pr: not; ix: im ise l l lIl lel si lt l gt l amp lorl. In addition any identifier and certain single characters can be made into an infix. Such user-defined infixes bind more tightly than gt but more weakly than or. All of them have the same binding power and associate to the left.

Except for & and or, each infix ix or prefix pr has correlated with it a special identifier $ix or $pr which is bound to the associated function. For example the identifier $+ is bound to the addition function and $@ to the list append function (see Section B.6 for the meaning of dollared infixes). This is useful for passing functions as arguments; for example, f $@ applies f to the append function. See the descriptions of
top-level reduction step on the NuPRL term. Clicking it again will perform the next step, and so on. For the term 3 4 5 6, for instance, this will result in the reduction sequence

3 4 5 6 → 12 5 6 → 7 6 → 13

The other three buttons proceed in larger steps: Compute5 and Compute10 perform 5 respectively 10 computation steps at once, and ComputeAll continues with the evaluation until no further reduction is possible. To undo a computation step simply use the undo key combination C _.

Note that evaluation in NuPRL is lazy: evaluating the term 3 4 5 67 will leave it unchanged. Using ComputeAll on terms like Y(λx.x), whose evaluation does not terminate, will cause the library and refiner processes to loop indefinitely. A user will have to interrupt these processes and bring them back into a stable state (see Section 4.6 below).

With a similar command a user may also invoke the NuPRL term evaluator on the extract term of a theorem (see Section 6.3.3). Typing view_show_co obid into the editor ML top loop will open a NuPRL term evaluator window that contains as its term argument the extract term of the theorem object denoted by the term obid. This however requires that the extract term of the theorem has been made available to the editor. If this hasn't been done already, one has to enter the command require_termof ioid obid before invoking the evaluator.

4.4.3.2 Loading and compiling ML code

NU
[Figure residue (Creating Recursive Modules): navigator windows for the directory kreitz/user_theories listing the objects not_over_and, exists_uni_df, exists_uni, exists_uni_wf, listsel_create, listsel_df, listsel, listsel_uf, stack_create and mk_stack_object_directory, and the navigator command buttons (MkTHY, OpenThy, CloseThy, ExportThy, ChkThy, ChkAllThys, ChkOpenThy, CheckMinTHY, MinTHY, EphTHY, ExTHY, Mill, ObidCollector, NameSearch, PathStack, RaiseTopLoops, PrintObjTerm, PrintObj, MkThyDocObj, ProofHelp, ProofStats, showRefEnvs, FixRefEnvs, CpObj, reNameObj, EditProperty, SaveObj, RmLink, MkLink, RmGroup, ShowRefenv, SetRefenvSibling, SetRefenvUsing, SetRefenv, ProveRR, SetInOBJ, MkTHM, MkML, AddDef, AddRecDef, AddRecMod, AddDefDisp, AbReduce, NavAtAp, Act, DeAct, MkThyDir, RmThyObj, MvThyObj). The CODE object stack_create shows the template of create_rec_module at Stacks: name of the module, type constructor for module elements, prefix to disambiguate definition names, the default tok_to_var T, the module parameters STACK:U, empty:STACK, push:T→STACK→STACK, pop:STACK→T×STACK (module fields), and the universe of the module. A further navigator window for kreitz/user_theories lists init_kreitz (CODE), not_over_and (STM), listsel_create (CODE), stack_create (CODE) and the directory mk_stack_object_directory.]
trec. For example letrec x 2 x would cause a syntax error. All the variables occurring in a pattern must be distinct. On the other hand a pattern can contain multiple occurrences of the wildcard.

Spaces (ASCII 32), carriage returns (ASCII 13), line feeds (ASCII 10), form feeds (ASCII 12) and tabs (ASCII 9) can be inserted and deleted arbitrarily without affecting the meaning, as long as obvious ambiguities are not introduced. Comments, which are arbitrary sequences of characters surrounded by comment delimiters, can be inserted anywhere a space is allowed.

Syntax of expressions e (L = associates to the left, R = associates to the right):
  c                 constant
  var               variable
  e1 e2             function application (L)
  e : ty            type constraint
  -e                unary minus
  e1 * e2           multiplication (L)
  e1 / e2           division (L)
  e1 + e2           addition (L)
  e1 - e2           subtraction (L)
  e1 < e2           less than
  e1 > e2           greater than
  e1 . e2           list cons (R)
  e1 @ e2           list append (R)
  e1 = e2           equality (L)
  not e             negation
  e1 & e2           conjunction (R)
  e1 or e2          disjunction (R)
  e1 ix e2          user-declared infix identifier ix (L)
  e1 => e2 | e3     equivalent to if e1 then e2 else e3 (R)
  do e              evaluate e for side effects
  e1 , e2           pairing (R)
  v := e            assignment
  fail              equivalent to failwith `fail`
  failwith e        failure with explicit token
  if e1 then loop e2                 conditional and loop
  if e1 then loop e2 else loop e3    conditional and loop
  e1 ? e2           failure trap
  e1 … e2           failure trap and loop
tring NuRefine stop
sleep 5

Advanced emacs users may want to add to this script commands that kill the respective buffers and emacs frames after the library process has terminated. Instead of shutting down gracefully you may also simply kill all three processes to stop NUPRL 5. In this case the library process will clean up the knowledge base when it is started the next time. This method for exiting NUPRL, however, is not recommended.

3.5 Hints on Using the System

NUPRL's windows are at the top level in the X environment. The windows can be managed (positioned, sized, etc.) in the same way as other top-level applications such as X terminals. Creation and destruction of NUPRL windows and manipulation of window contents is done solely via commands interpreted by NUPRL. NUPRL will receive mouse clicks and keyboard strokes whenever the input focus is on any of its windows. Any input event will make this window active, which is identified by the presence of NUPRL's cursor. This cursor appears either as a thin vertical bar between characters or as a highlighted (reverse video) region. The specific location of the cursor determines the semantics of keyboard strokes and mouse clicks and is, like in most editors, independent of the current location of the mouse cursor. The two main windows, the navigator window and the NUPRL 5 top loop, are intended to remain throughout the session. You may kill and re
type is a set type or is an abstraction that eventually unfolds to a set type. Commonly used variants are EqTypeCD and EqTypeHD.

MemTypeD c: Decompose just the type subterm of a membership term in clause c. Only works when the type is a set type or is an abstraction that eventually unfolds to a set type. Commonly used variants are MemTypeCD and MemTypeHD. (A better name would have been MemD.)

The above tactics cover almost all of the primitive inference rules of NUPRL's logic. Appendix [no.] gives a complete description of all the inference rules and the corresponding tactics. Several tactics perform iterated decomposition of clauses. Table [no.] lists the most commonly used ones together with the logical connectives they decompose. These tactics do not decompose guarded terms. If a guard is encountered in the process of decomposing the conclusion, the guard is removed and decomposition of the conclusion stops.

8.3.2 Structural

Structural tactics invoke inferences that depend only on the syntactical structure of the proof goal but are independent of a particular logic.

Hypothesis: Prove goals of the form …, A, … ⊢ A' where the conclusion A' is α-equal to A.
NthHyp i: Prove goals of the form …, A, … ⊢ A' where A is the i-th hypothesis and A' is α-equal to A.
Declaration: Prove goals of the form …, x:T, … ⊢ x ∈ T' or …, x:T, … ⊢ x = x ∈ T' where T' is α-equal to T.
NthDecl i: Prove goals of the form …, x:T, … ⊢ x ∈ T' or …, x:T, … ⊢ x = x ∈ T' where x:T is the i-th de
uantifier ∃x:T. P(x) is a proposition provided that T is a type and P is a predicate on T. In other words, the type of ∃x:T. P(x) is ℙ if T is an element of the universe 𝕌 of types and P: T→ℙ. Formally you need to prove ∀T:𝕌. ∀P:T→ℙ. (∃x:T. P(x)) ∈ ℙ. To state this theorem, open the object exists_uni_wf and enter the template sequence all T univ, all P fun T prop, member into the goal template, giving ⊢ ∀T:𝕌. ∀P:T→ℙ. [type] ∈ [type]. Continue with exists_uni, x, T, apply P x, prop and C-M-g to complete the goal and commit it to the library.

The proof of this theorem is fairly simple, since it can be handled almost completely by NUPRL's tactic Auto. However, since Auto does not unfold a definition unless it is explicitly declared as automatically unfoldable, you need to unfold the definition of exists_uni in the first step. Typing Unfold `exists_uni` 0 THEN Auto into the rule slot will result in a proof of the well-formedness theorem for exists_uni.

[Figure residue: the proof window PRF exists_uni_wf showing the goal ⊢ ∀T:𝕌. ∀P:T→ℙ. (∃x:T. P(x)) ∈ ℙ, refined BY Unfold `exists_uni` 0 THEN Auto, beside the navigator with its command buttons (MkTHY, MkThyDir, ExportThy, OpenThy, CloseThy, ChkThy, ChkAllThys, ChkOpenThy, CheckMinTHY, MinTHY, EphTHY, ExTHY, Mill, ObidCollector, NameSearch, PathStack, RaiseTopLoops, PrintObjTerm, PrintObj, MkThyDocObj, ProofHelp, ProofStats, showRefEnvs, FindTheoriesMin, CpObj, reNameObj, EditProperty, SaveObj, RmLink, MkLink, RmGroup, ShowRefenv, SetRef…).]
ubterms stay the same, so entering and/or editing them when a term is exploded has the same effect as when the term is imploded.

5.5 Cursor and Window Motion

NUPRL's editor supports two basic forms of cursor motion. Screen-oriented cursor motion commands ignore the structure of the term in the window and allow one to quickly navigate to parts of the screen. In contrast to that, tree-oriented cursor motion commands follow the structure of the term tree. In addition to key sequences, mouse commands allow easy jumping around terms and search commands allow moving the cursor to a particular substring.

5.5.1 Screen-Oriented Motion

  C-P  SCREEN UP        move cursor up 1 character
  C-B  SCREEN LEFT      move cursor left 1 character
  C-F  SCREEN RIGHT     move cursor right 1 character
  C-N  SCREEN DOWN      move cursor down 1 character
  C-A  SCREEN START     move to left side of screen
  C-E  SCREEN END       move to right side of screen
  C-L  SCROLL UP        scroll window up 1 line
  M-L  SCROLL DOWN      scroll window down 1 line
  C-V  PAGE DOWN        move window down 1 page
  M-V  PAGE UP          move window up 1 page
  C-T  SWITCH TO TERM   switch to term mode

Screen-oriented cursor motion commands are listed in the table above. After a screen cursor command the cursor is always either in text mode or screen mode. To switch to term mode one may use the SWITCH TO TERM command if the cursor is over the printing character of a display form. If the cursor is moved over
unction transforms a list of proofs into a proof.

A refinement rule is correct if the validity of the generated subgoals g1, …, gn implies the validity of the root goal g and if the validation v transforms complete proofs p1, …, pn for the subgoals into a complete proof p for the root goal. Logically, validations only establish the correctness of the rule applications. Computationally, however, they provide evidence for the validity of the main theorem and can therefore be used for building the extract term of a theorem.

NUPRL distinguishes two kinds of rules. Primitive refinement rules are the basic rules of inference that constitute the formal theory on which NUPRL is founded. Tactic rules are the basis for automating the application of primitive rules. Tactics can only be constructed by combining converted primitive rules and other tactics into a new refinement rule. This guarantees that the correctness of proofs generated by tactics only depends on the correctness of the primitive inference rules, which in turn are justified semantically.

6.1.3.1 Primitive Refinement Rules

NUPRL's primitive refinement rules are all introduced by rule objects (see Section 8.1.1) in the system's library. The current system has primitive rules for a constructive type theory that is closely related to Martin-Löf type theory (see Appendix A.3 for a complete list of rules). All NUPRL proofs are eventually justified by these primitive rules. The corre
uref can then be started in any order. Generally it is a good idea to run these processes in separate emacs frames: there will be interactive top loops, so editing capabilities are sometimes useful.

[Figure 2.1: Initial NUPRL 5 screen. Residue of the screenshot: a navigator window at ROOT with the command buttons Activate, deActivate, NameSearch, PathStack, Clone, RaiseTopLoops, Mill, SaveObj, commentObj, CountClosure, ObidCollector, MkLink, MkObj, MkDir, MkTHM, CpObj, reNameObj, EditProperty, RmLink, RmObj, RmDir, RmGroup, ShowRefenv, RaiseHistory, RaiseNavigator, listing the directories local, system_aux, system and theories.]

Once the processes have started, entering top at the Lisp prompt will start the ML system:
  USER 1 top
Enter go at the prompt to initialize the corresponding NUPRL process:
  ML ORB go
It is important to initialize the library before the editor and the refiner. The editor process will take a few minutes and then pop up two windows, a navigator and a top loop. Figure 2.1 shows a typical initial NUPRL 5 screen. The window on the left is the NUPRL 5 navigator. The three emacs windows on the upper right run interactive top loops for the library, editor and the refiner. The NUPRL 5 top loop is show
  … 181
  … 183
  … 184
  … 185
  B.3.1 Syntax equations for ML 186
  B.3.2 Identifiers and other lexical matters 188
  … 189
  B.4 Declarations 190
  … 192
  … 194
  … 196
  … 198
  … 200
  … 201
  … 202
  B.6.2 Predeclared dollared identifiers 203
  … 204
  … 206
  … 207
  … 208
  … 209
  … 210
  B.7.7 Miscellaneous string processing functions 211
  … 212

List of Figures
  … 8
  … 9
  … 35
  4.2 Pattern based name search 39
  4.3 Path stack command zone 40
  4.4 Creating Objects: Initial template and resulting update to the library 41
  4.5 Creating Definitions: Initial template and resulting update to the library 42
  … 43
  4.7 Creating Recursive Modules: code object and created directory 45
  … 48
  4.9 Commenting an object 49
  4.11 Checking a theory 54
  … 56
  4.13 Standard Milling Directory 58
  … 61
  … 89
volve evaluating existing or newly developed tactics (Chapter 8) and related ML functions, or analyzing proof details that are not shown by the proof editor (Chapter 6). Library commands affect the contents of the library as permitted by the corresponding library application interface. Editor commands change the visible contents of the navigator (which may also affect the library), modify the behavior of the editor itself, or open new windows that invoke specific applications such as a proof editor or the NUPRL term evaluator. Most of the editor and library top loop commands have been described in Section 4.3. In this section we briefly summarize other commands that may be of interest for a user.

4.4.3.1 Invoking the NUPRL term evaluator

The ML top loop provides the means to evaluate expressions of NUPRL's meta-language ML. NUPRL's object language, however, comes with its own notion of evaluation (see Table [no.] in Appendix A.2.1), which is supported by a separate term evaluator. To invoke this evaluator a user has to type the command view_show_c name term into the editor ML top loop, where the token name will be a suffix to the name of a new window and term is a NUPRL term to be evaluated. This will open a new window with the name compute_name that contains the NUPRL term term and four buttons that initiate the evaluation of the term: Compute1, Compute5, Compute10, ComputeAll. Clicking Compute1 once will perform one
w of the essential features of the NUPRL 5 system. Novice users should run through this tutorial before trying to do anything else. Chapter 3 describes how to install, start and exit the system. It also gives a few hints on customization and basic troubleshooting. NUPRL's windows are at the top level in the X environment and come with their own context-specific editors. The two main windows, the navigator and the ML top loop, are described in Chapter 4, while Chapters 5 and 6 describe the editors for term and for proof windows. The following chapters describe NUPRL's support for the formalization of mathematical concepts and proofs. In Chapter 7 we explain how to extend the logical language of NUPRL by abstract definitions and how to modify the visual presentation of formal material through display forms. Chapter 8 describes the structure of basic inferences in NUPRL as well as the most important tactics for automated reasoning. The appendices describe important background information such as the type theory of NUPRL (Appendix A) and NUPRL's meta-language ML (Appendix B).

Chapter 2 A Quick Overview

The NUPRL 5 system is organized as a collection of communicating processes that are centered around a library, which contains definitions, theorems, inference rules, tactics, structure objects, comments etc. Inference engines (refiners), user interfaces (editors), rewrite engines, evaluators and translators are started as in
wrt the available set of rules, refiners and lemmata at the time the proof is being constructed, a stored proof may become invalid if the rules and lemmata on which it depends are removed or modified afterwards. The NUPRL library provides a certification mechanism that accounts for the validity of its contents. However, it would be computationally infeasible to recheck these certificates whenever a library object is modified. Instead the system provides a utility that enables users to explicitly check the consistency of their theories by replaying the proofs in a controlled fashion. To do so one has to move the navigation pointer to the root of the theory and click the ChkThy command button. This will cause the system to accumulate the object identifiers of the proofs of all the statements in the final reference environment of the theory and then pop up a control window for initiating the checks (Figure 4.11). Since ChkThy has to determine the final reference environment, it will fail if the theory lacks an initial static reference environment.

[Figure 4.11: Checking a theory. Residue of the screenshot: a control window with the buttons Stop, Start, Exit, Reset, NumRemaining and Abort, a status line for the check of theory kreitz, and the function check_theory.]

The command buttons in the control window have the following effects:
• Stop completes the replay of the current proof and then stops the check.
• Start starts the replay of the remaining proofs in the theory. Intermediate
wse the NUPRL library remotely.

Inference Engines. The NUPRL 5 inference engine refines proof goals by executing ML code that may include references to library objects, particularly to the inference rules and tactics stored in the knowledge base. It applies the code to a given proof goal that it receives as an abstract term and returns the resulting list of subgoals back to the library. Based on the validations given in the rule objects it can also extract programs from proofs and evaluate them. The inference mechanism is fairly straightforward and compatible with the one in NUPRL 4. As an alternative one may invoke the MetaPRL refiner [Met], a modularized version of NUPRL's inference engine implemented in OCaml, which is significantly faster due to improvements in rewriting and evaluation. The communication between NUPRL 5 and MetaPRL utilizes the MathBus design [Mat]. We are in the process of connecting a variety of external refiners such as a constructive first-order theorem prover [KOSP00], the HOL system via Maude [CDE+99b], Mathematica and Isabelle [Nau99]. We will also emulate the refiner of NUPRL 3 in order to be able to restore older theories that did not survive the transition from NUPRL 3 to NUPRL 4.

1.2 Purpose of this Manual

This manual is a reference manual for version 5 of the NUPRL system. It is aimed at beginning and intermediate users of the system. NUPRL 5 is written mostly in Common Lisp but uses some extensions that
[Figure residue: the display form object exists_uni_df with the template exists_uni <T:T> <x:var> <P:P> and the term exists_uni(T; <x>.<P>), beside the navigator for kreitz/user_theories listing not_over_and (STM), exists_uni_df (DISP), exists_uni (ABS) and exists_uni_wf (STM), with its command buttons (ExTHY, Mill, ObidCollector, NameSearch, PathStack, RaiseTopLoops, PrintObjTerm, PrintObj, MkThyDocObj, ProofHelp, ProofStats, showRefEnvs, FindTheoriesMin, CpObj, reNameObj, EditProperty, SaveObj, RmLink, MkLink, RmGroup, ShowRefenv, SetRefenvSibling, SetRefenv, ProveRR, SetInOBJ, MkTHM, MkML, AddDef, AddRecDef, AddRecMod, AddDefDisp, AbReduce, NavAtAp, Act, DeAct, MkThyDir, RmThyObj, MvThyObj).]

The display form consists of a list of attributes (in this case only the name that can be used to open the template), a template that determines the outer appearance of a term, and the term that is to be represented by that template. Both the template and the term contain slots that are marked with < > and describe the name of a placeholder, a description that will appear whenever the template is initiated, and information about parenthesizing. Chapter [no.] describes how to create display forms from scratch, but usually copying and pasting is sufficient. To edit the template, click the mouse over the exists_uni in the second line and erase the text exists_uni using the backspace and delete keys. Notice that you can't delete the slot <T:T
xisting library environments that match all the tokens in the list (mnemonic: match).

Library Lisp commands: stop_db_buffering stops buffering data base information. This is useful when one sees buffering messages like WBI 23 or LBI 25 building up to high numbers and never decreasing.

• Commands for all processes: envs prints a list of the environments currently accessible by the process; l switches to Lisp mode; ml switches to ML mode; stop terminates the process.

4.6 Recovering from Errors

Most NUPRL errors relate to commands that were entered into the navigator, the ML top loop or the proof editor. Quite often they have to do with misspelled tactics or ML functions, type errors, or unsuccessful executions of the command. In these cases error messages appear in a separate window that describes the nature of the error and some debugging information. Usually it suffices to re-enter the command after correcting the mistake. Many library commands that were executed erroneously, like removing an object or unlinking a directory, can be undone by entering the key combination C-_ (see Section 4.3). Since the library never destroys information, it is possible to retrieve the contents of every object that was previously accessible. The undo history is limited, though; recovering from an error that was made many steps ago is more difficult. If a user enters text into the navigator while the cursor is at
xists_uni_wf of kind STM. The navigation pointer is still where it has been before.

[Figure residue: the navigator for kreitz/user_theories after AddDef, listing not_over_and (STM), exists_uni_df (DISP), exists_uni (ABS) and exists_uni_wf (STM), with its command buttons (MkTHY, MkThyDir, ExportThy, OpenThy, CloseThy, ChkThy, ChkAllThys, ChkOpenThy, CheckMinTHY, MinTHY, EphTHY, ExTHY, Mill, ObidCollector, NameSearch, PathStack, RaiseTopLoops, PrintObjTerm, PrintObj, MkThyDocObj, ProofHelp, ProofStats, showRefEnvs, FindTheoriesMin, CpObj, reNameObj, EditProperty, SaveObj, RmLink, MkLink, RmGroup, ShowRefenv, SetRefenvSibling, SetRefenv, ProveRR, SetInOBJ, MkTHM, MkML, AddDef, AddRecDef, AddRecMod, AddDefDisp, AbReduce, NavAtAp, Act, DeAct, MkThyDir, RmThyObj, MvThyObj).]

The abstraction object contains exactly what has been typed into the AddDef template and usually does not have to be edited anymore. The display form has been generated from the left-hand side of the AddDef template and currently causes the term exists_uni to be displayed in exactly this way. The well-formedness theorem is empty but already activated, which enables the general tactics to access it whenever they have to deal with exists_uni. To view the abstraction, move the navigation pointer down 2 steps, then open the object exists_uni by pressing the right arrow key.

[Figure residue: ABS exists_uni, beside the navigator buttons MkTHY, MkThyDir, ExportThy, …]
xt. Occasionally with term sequences more than one kind of sequence is permitted in a given context (for example in precedence objects), and in such cases you can use explicit term insertion commands to create the sequence. Such ambiguity should not arise with text sequences.

OPEN LIST LEFT AND INIT and OPEN LIST RIGHT AND INIT are similar, but if there is some obvious term to insert in the opened-up slot then that term is automatically inserted and the cursor is left at an appropriate position in the new term.

If a term cursor is at an empty term slot in a term sequence, the commands CLOSE LIST TO LEFT and CLOSE LIST TO RIGHT delete the slot and then, if possible, move the cursor to the element to the left or right, respectively, of the slot just deleted. If the term slot is filled with a term, that term is deleted as well. If the term slot is in a text sequence, these commands leave a text cursor at the position of the deleted slot.

5.4.3 Inserting Terms

In structured editing one usually enters terms in a top-down fashion, starting with the root of the term tree and working on down to the leaves. This means that one has to work with incomplete terms. For example, at an intermediate stage of entering the term ∀i:ℤ. ∃j:ℤ. j i 1 one might be presented with the term ∃[var]:[type]. [prop]. Here [var], [type] and [prop] are placeholders for slots in the display of the existential quantifier. If a slot has a placeholder we s
y exist. Otherwise clicking the PrintObj button will result in an error. The same effect can be achieved by typing the command print_an_object object into the editor ML top loop. In the conversion to LaTeX, PrintObj is capable of interpreting LaTeX syntax that occurs in a comment object and of re-interpreting display forms as LaTeX macros, which allows for a more elegant typesetting. In contrast to that, clicking the PrintObjTerm command button will print the object contents as a single term without interpreting them further.

4.3.2.13 Commenting Objects

In addition to providing comment objects for an online documentation of formal material, NUPRL offers users the opportunity to produce formal articles that blend informal text with direct quotations of the formal material. For this purpose it allows the user to create comment objects that are linked to a specific object. Clicking the commentObj button will create this object for the object at the navigation pointer and place it in a subdirectory comments, which will be created if it does not exist yet. The object contains a template that allows the user to enter comments that will be printed before (prefix comments) and after (suffix comments) the object when the theory containing the object

[Figure 4.9: Commenting an object. Residue of the screenshot: the COM object not_over_and_comment for object not_over_and with the fields Prefix Comments and Suffix Comments.]
y proposition in hypothesis i in reversed order. This generates only a main and a wf subgoal.
SubstClause t c: Replace clause c with term t. This generates a main subgoal and an equality subgoal (see the rule hyp_replacement in Section A.3.16).

Table 8.3: Format of Tokens in Rewrite Control Strings
  Token      Rule
  i          Use hypothesis i as a left-to-right rule
  i          Use hypothesis i as a right-to-left rule
  name       Use lemma name as a left-to-right rule
  name       Use lemma name as a right-to-left rule
  r id       Reduce redex with operator identifier id
  r          Reduce any redex
  r force    Reduce any redex with force force
  u id       Unfold abstraction with operator identifier id
  f id       Fold abstraction with operator identifier id

8.6.4 Generic Rewrite Tactics

The tactics RWW and RWO subsume the above tactics by providing uniform access to all kinds of rewrite rules. They take a control string to specify the rewrite rules to use. The control string should be a whitespace-separated list of tokens as specified in Table 8.3.
RWW ctl_str c: Repeatedly apply rewrite rules specified by ctl_str to all subterms of clause c until no further progress is made.
RWO ctl_str c: Apply rewrite rules specified by ctl_str in one top-down pass over clause c. RWO does not go into subterms of terms that result from rewriting a subterm of c.
In some cases RWW and RWO generate more subgoals than the more specific tactics, as they are implemented in a d
yntax of the corresponding ML data types. Tactics may include ML comments (using % both as left and right delimiter) and newline characters, which will be inserted when a user types the newline key.

There are two possible modes for executing a tactic. In synchronous mode, initiated by pressing C-41, the tactic is sent to the refiner and the editor waits for the refinement process to be complete before allowing the user to continue. Pressing C-3 instead initiates asynchronous refinement, which allows the user to work on other proof goals while the proof goal is being refined. This is useful when executing complex tactics that may take a long time to complete.

Once a synchronous or asynchronous refinement is successfully completed, the proof is committed to the library and the proof window gets updated, showing the subgoals that were generated by applying the tactic. If the refinement fails, an error message describing the nature of the error and some debugging information will be inserted after the tactic and the proof goal will be marked as bad. The proof itself will not be changed.

Entering D 0 C-M-41, for instance, surrounds the tactic D 0 by markers to indicate that it is currently being processed (see the window on the left below). Upon completion of the refinement the editor removes the markers and inserts the resulting subgoals, as shown in the window on the right below. The latter is also the result of entering D 0 C-u top top V
ystem provides an interactive editing mechanism that presents terms in mathematical notation and groups the notation in chunks that correspond to parts of the internal tree structures. Users edit the tree structure directly, so there is no need for a parser. Such editors are often called structured editors. The advantages of structured editors are:
• Structured editors allow using a notation that is ambiguous to a machine but unambiguous to a human who is aware of its full context.
• Formal notation is not limited to ASCII characters. NUPRL uses a single 8-bit font of up to 256 characters for displaying formal text on the screen while it is being edited, and provides mechanisms for integrating LaTeX and Display PostScript-like technology to generate almost textbook-quality displays. Currently the latter is only used for printing formal mathematical text but not for editing it.
• Formal notation may become context dependent. Theorems, definitions and proofs may contain local abbreviations and implicit information.
• Notation can be freely changed without altering the underlying logical structure of terms.
• Structured editors link abstract terms to notation. Users who find a particular notation confusing only need to point and click the mouse on the notation in question in order to receive a formal definition and possibly additional explanations.
The main disadvantage of structured editors is that they are quite different from conventional
[Figure residue (Appendix A.3, rules for quotient types): rule schemas for quotientFormation, quotientWeakEquality, quotientEquality, quotient_memberWeakEquality, quotient_memberFormation, quotient_memberEquality, quotient_equalityElimination (with hypothesis indices i and j) and quotientElimination (with hypothesis indices i and j, and a variant with level 2), each over a quotient type x,y:T//E[x;y] in universe 𝕌j, followed by the table "Basic Inference Rule / Corresponding Tactic with required arguments / with optional tacticals" listing quotientFormation (T, E, s, y), quotientWeakEquality (x, y, z), quotientEquality and quotient_memberWeakEqual…]