UBC Theses and Dissertations

Applications of a natural deduction set theory Tsiknis, George Konstantinos 1991

Full Text

APPLICATIONS OF A NATURAL DEDUCTION SET THEORY

by

GEORGE KONSTANTINOS TSIKNIS

B.Sc., The University of Patras, Greece, 1975
M.Sc., The University of British Columbia, 1985

A THESIS SUBMITTED IN PARTIAL FULFILMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY in THE FACULTY OF GRADUATE STUDIES (Department of Computer Science)

We accept this thesis as conforming to the required standard

THE UNIVERSITY OF BRITISH COLUMBIA
September 1991

© George Konstantinos Tsiknis, 1991

In presenting this thesis in partial fulfilment of the requirements for an advanced degree at the University of British Columbia, I agree that the Library shall make it freely available for reference and study. I further agree that permission for extensive copying of this thesis for scholarly purposes may be granted by the head of my department or by his or her representatives. It is understood that copying or publication of this thesis for financial gain shall not be allowed without my written permission.

Department
The University of British Columbia
Vancouver, Canada

ABSTRACT

The goal of this thesis is to demonstrate the versatility and suitability of a logic and set theory NaDSet for providing logical foundations to disparate areas of mathematics and computer science. Category theory has been chosen as the area of mathematics, while programming language semantics and semantics for the lambda calculus are the areas of computer science. In each of the three areas NaDSet provides a logical foundation using exactly the same "logistic" method: basic concepts are defined as terms of the logic and then the logic is used to derive all theorems; no assumptions in the form of additional axioms or rules of deduction are needed. The thesis demonstrates the ease and directness with which this can be done for the three areas, suggesting that in other, as yet unexplored areas, NaDSet may prove to be equally useful.

TABLE OF CONTENTS

Abstract
Acknowledgements

I. INTRODUCTION
1.1 Goal of the Thesis
1.2 The Logistic Method
1.3 Choice of Demonstration Areas
1.3.1 Category Theory
1.3.2 Semantics of Programming Languages
1.3.3 The Lambda Calculus
1.4 Main Features of NaDSet
1.4.1 Natural Deduction Based Set Theory
1.4.2 A Nominalist Interpretation of Atomic Formulas
1.4.3 One Universal Quantifier Instead of Two
1.4.4 A Generalized Unrestricted Abstraction
1.5 How the Goal Has Been Achieved
1.6 Thesis Outline and Reader's Guide

II. THE LOGIC NaDSet
2.1 Elementary Syntax
2.2 Logical Syntax
2.3 Some Derived Rules and Definitions
2.3.1 'for' Definitions
2.3.2 Additional Connectives and Quantifiers
2.3.3 Bounded Quantifiers
2.3.4 Ordered Pairs and Identity
2.3.5 Extensional Identity
2.3.6 Natural Numbers

III. CATEGORY THEORY IN NaDSet
3.1 Categories
3.1.1 Objects, Hom-Sets and Commutative Diagrams
3.2 Functors
3.3 The Category of Categories
3.3.1 Definitions and Preliminaries
3.3.2 Identity Functors
3.3.3 Composition Functors
3.3.4 Cat is a Category
3.4 Natural Transformations and Functor Categories
3.4.1 Natural Transformations
3.4.2 Natural Equivalence
3.4.3 Functor Categories
3.5 Other Constructions
3.5.1 Opposites
3.5.2 Product Categories
3.5.3 Comma Categories
3.5.4 Universals and Limits
3.5.5 Adjoints
3.6 Additional Issues

IV. PROGRAMMING LANGUAGE SEMANTICS IN NaDSet
4.1 Formalizing Recursive Definitions
4.1.1 Axiomatic Method
4.1.2 NaDSet Method
4.2 Example of Programming Semantics
4.2.1 Syntax
4.2.2 Expression Semantics
4.2.3 Command Semantics
4.2.4 Example Theorem
4.2.5 Nondeterministic Constructs
4.3 Remarks on the Use of Recursive Definitions
4.3.1 First Case: Simple Induction
4.3.2 Second Case
4.3.3 Third Case
4.3.4 General Case

V. THE LAMBDA CALCULUS IN NaDSet
5.1 Well-Formed Terms of the Lambda Calculus
5.1.1 Variables and Constants
5.1.2 Lambda Terms
5.1.3 Substitution
5.1.4 Change of Bound Variables
5.2 The Lambda Conversion
5.3 A Term Model
5.4 Variable Assignments and λ-Models
5.5 Scott-Meyer Models

VI. CONCLUSION AND FUTURE DIRECTIONS

BIBLIOGRAPHY

APPENDIX A: Proof of Lemma 3.3.2.1
APPENDIX B: Proof of Lemma 3.3.3.1
APPENDIX C: Proof of Theorem 3.3.4.1
APPENDIX D: Proof of Lemma 4.2.2.1
APPENDIX E: Proof of Lemma 4.2.3.1
APPENDIX F: Proof of Lemma 5.4.3
APPENDIX G: Proof of Theorem 5.4.4
APPENDIX H: Proof of Theorem 5.5.1

ACKNOWLEDGEMENTS

I am deeply indebted to Paul Gilmore, my research supervisor, for his guidance, encouragement, help and support which was above and beyond the call of duty. The main inspiration of the thesis has been Paul Gilmore's theory, NaDSet, and the documents describing it. I have been fortunate in having him as a supervisor. Many thanks to the members of my thesis committee, Andrew Adler, Jeffrey Joyce, David Kirkpatrick and David Pool for their comments and advice on the presentation of the thesis, and to Peter Freyd, Phil Scott, and Robert Seely for their insightful discussions in Kingston. This thesis would not have been possible without the patience, understanding and loving support of my wife Titia and my son Dinos. I am deeply indebted to them.

Many thanks to Peter Apostoli, James Andrews, Alex Kean and Rick Morrison for their stimulating and constructive discussions, to Steve Wismath and Nou Dadoun for their comradery. Many thanks to Son Vuong for his support at the beginning of the program, to the head and the personnel of the department of Computer Science, especially to Carol Whitehead, Theresa Fong, Grace Wolkosky and Koon Ming Lau for all the favours big and small. Finally, the support of H. R. MacMillan Trust, I. W. Killam Trust and Natural Science and Engineering Research Council of Canada is gratefully acknowledged.

CHAPTER I

Introduction

1.1 Goal of the Thesis

The goal of this thesis is to demonstrate the versatility and suitability of a logic and set theory NaDSet for providing logical foundations to disparate areas of mathematics and computer science. Category theory has been chosen as the area of mathematics, while programming language semantics and semantics for the lambda calculus are the areas of computer science. In each of the three areas NaDSet provides a logical foundation using exactly the same "logistic" method: basic concepts are defined as terms of the logic and then the logic is used to derive all theorems; no assumptions in the form of additional axioms or rules of deduction are needed. The thesis will demonstrate the ease and directness with which this can be done for the three areas, suggesting that in other, as yet unexplored areas, NaDSet may prove to be equally useful.

The remainder of this introduction will provide answers to four questions:

1) What advantages does the logistic method have over other more commonly used methods?
2) Why have category theory, programming semantics, and semantics for the lambda calculus been chosen as demonstration areas?
3) What characteristics of NaDSet make it more suitable than other logics for the logistic method?
4) How has the thesis achieved its goal?
1.2 The Logistic Method

Mathematical logic and formal reasoning impinge more and more frequently on the awareness of computer scientists. In the beginning, a limited form of formal logic was used by researchers in the theory of computation but, recently, logic has assumed a significant role in the specification, design and verification of any computer system. Some of the recent programming languages have their semantics expressed in some formal system, while others, like Lisp and Prolog, are the implementations of such formal systems. Furthermore, Artificial Intelligence makes wide use of established formal logics as the principal tool in knowledge representation, machine learning, natural language understanding and computer based reasoning in general.

But what is meant by logic? Traditionally, formal or mathematical logic consists of a language (a set of symbols and rules for sentence formation) capable of expressing the fundamental concepts of (mathematical) thought, and a definition of a decidable set of proofs for the logic. Occasionally, some kind of semantics is also defined that associates the language with some well known (mathematical, mental or physical) structures or concepts, but this semantics is apart from the formal logic itself. Throughout this century there has always been an agreement that logic should provide formalizations for truth functions (logical connectives), quantifiers and abstraction (the ability of treating a property of objects as an object), and although there is much debate on how such formalizations are to be realized, the value of logic in providing a formalization of areas of mathematics and computer science is not in dispute.

The logistic method, associated with the names of Frege and Russell, is one method of using a logic to formalize mathematics; indeed, Frege and Russell defended the thesis that logic is a progenitor of mathematics [Wilder52]. However, one need not accept this thesis to appreciate the advantages of the method. The characteristic feature of the logistic method is that a concept is defined within a given logic and all properties of the concept are derived from the definition without the use of additional axioms or any modification of the given logic.

For example, consider category theory. The concept of a category is defined as the set Cat of structures satisfying the axioms of category theory:

Cat for $\{\langle Ar, =_a, Sr, Tg, Cp\rangle \mid \mathit{axioms}\}$

Here the $\langle \ldots \rangle$ notation is being used to denote the ordered quintuple, and axioms are the finitely many axioms needed to express the assumptions concerning Ar, $=_a$, Sr, Tg, and Cp. A theorem of category theory is then a formula F for which the formula

$\forall Ar\, \forall {=_a}\, \forall Sr\, \forall Tg\, \forall Cp\, (\langle Ar, =_a, Sr, Tg, Cp\rangle{:}Cat \supset F)$

is derivable in the given logic. See chapter II for the logical notation, and chapter III for the meaning of the terms Ar, $=_a$, Sr, Tg, and Cp.

As another example of an application of the logistic method, consider recursive definitions of the kind needed to define the semantics of a programming language. For instance, assume that the integer 0 has been defined along with the successor function ' of the integers. Then the set of nonnegative integers can be defined in the style of Frege and Russell as follows:

N for $\{x \mid \forall z(0{:}z \wedge \forall u(u{:}z \supset u'{:}z) \supset x{:}z)\}$

N is the smallest set that contains 0 and is closed under successor. Mathematical induction over the nonnegative integers is then expressed by the following formula:

$\forall z(0{:}z \wedge \forall u(u{:}z \supset u'{:}z) \supset \forall x(x{:}N \supset x{:}z))$

That is, any set that has 0 as a member and is closed under successor has N as a subset. Given a suitable logic, mathematical induction can be derived within the logic without any additional assumptions.

The logistic method of formalization can be realized within any formal set theory and it has at least four important advantages.
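As an added worked derivation (not part of the thesis), the induction formula is obtained from the definition of N alone. It assumes the usual natural deduction rules for $\forall$, $\supset$ and $\wedge$, together with an abstraction rule that passes between $t{:}\{v \mid F\}$ and F with t put for v (the comprehension rule of deduction that section 1.4.1 describes); $\mathit{Ind}(z)$ abbreviates $0{:}z \wedge \forall u(u{:}z \supset u'{:}z)$, so that N is $\{x \mid \forall z(\mathit{Ind}(z) \supset x{:}z)\}$.

```latex
\text{Induction: every set satisfying } \mathit{Ind} \text{ has } N \text{ as a subset.}
\begin{array}{rll}
1. & \mathit{Ind}(z) & \text{hypothesis; } z \text{ a parameter} \\
2. & x{:}N & \text{hypothesis; } x \text{ a parameter} \\
3. & \forall z(\mathit{Ind}(z) \supset x{:}z) & \text{abstraction elimination, 2} \\
4. & \mathit{Ind}(z) \supset x{:}z & \forall\text{-elimination, 3} \\
5. & x{:}z & \supset\text{-elimination, 4, 1} \\
6. & x{:}N \supset x{:}z & \supset\text{-introduction, discharging 2} \\
7. & \forall x(x{:}N \supset x{:}z) & \forall\text{-introduction, 6 (} x \text{ does not occur in 1)} \\
8. & \mathit{Ind}(z) \supset \forall x(x{:}N \supset x{:}z) & \supset\text{-introduction, discharging 1} \\
9. & \forall z(\mathit{Ind}(z) \supset \forall x(x{:}N \supset x{:}z)) & \forall\text{-introduction, 8}
\end{array}

\text{Conversely } N \text{ itself satisfies } \mathit{Ind}, \text{ for a parameter } u:
\begin{array}{rll}
1'. & \mathit{Ind}(z) & \text{hypothesis; } z \text{ a parameter} \\
2'. & 0{:}z & \wedge\text{-elimination, } 1' \\
3'. & \forall z(\mathit{Ind}(z) \supset 0{:}z) & \supset\text{-introduction discharging } 1', \text{ then } \forall\text{-introduction, } 2' \\
4'. & 0{:}N & \text{abstraction introduction, } 3' \\
5'. & u{:}N & \text{hypothesis} \\
6'. & u{:}z & \text{as in steps 3 to 5 above, from } 5' \text{ and } 1' \\
7'. & u{:}z \supset u'{:}z & \wedge\text{-elimination and } \forall\text{-elimination, } 1' \\
8'. & u'{:}z & \supset\text{-elimination, } 7', 6' \\
9'. & \forall z(\mathit{Ind}(z) \supset u'{:}z) & \supset\text{-introduction discharging } 1', \text{ then } \forall\text{-introduction, } 8' \\
10'. & u'{:}N & \text{abstraction introduction, } 9' \\
11'. & u{:}N \supset u'{:}N & \supset\text{-introduction, discharging } 5'
\end{array}
```

Steps 4' and 11' together say that N is one of the sets z quantified over in step 9, which is what makes N the smallest such set.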
First, all theorems concerning the defined concepts can be proved from the definitions themselves without additional axioms or rules of deduction. For example, mathematical induction followed from the definition of N. This becomes particularly important in areas of computer science where recursive definitions are extensively used. For example, although induction axioms can be easily discovered for the simple recursively defined sets described in [Manna&Waldinger84], finding them for complex recursive definitions, such as those provided in chapter IV, offers a challenge. Second, the definitions do not in any way modify the underlying logic, so that there need never be a concern that inconsistent axioms may be introduced. Third, the definitions are given as terms that can be shown to have properties and can be reasoned about, as has been demonstrated for N. Lastly, recursive definitions for disparate fields can be kept together without any concern that the axioms for one set of definitions will interact in unforeseeable ways with those of another set of definitions. It is only necessary to maintain a discipline which ensures that the abbreviating name for a term uniquely identifies the term, at least in the contexts in which the term will be used.

1.3 Choice of Demonstration Areas

The three demonstration areas do not exhaust those to which logic may be applied; for example, work in database and knowledge base systems has made extensive use of logic [Reiter80a], [Gilmore87a,87b,87c], [Morrison91]. Further, a logistic treatment of complexity theory may shed light on the conjecture P=NP [Garey&Johnson79]. But the chosen three areas do provide a sufficiently broad spectrum of applications to achieve the goal of the thesis.

1.3.1 Category Theory

Briefly, category theory has been chosen because of the challenge a formalization of the theory presents to logic and because of the importance of the theory to computer science.

Abstraction has been traditionally considered as a characteristic feature of mathematics. The capability of treating a property of objects as an object by itself has been traditionally used as a process of generalization and simplification of mathematical structures. But unrestricted abstraction does not come without problems. At the turn of the century Russell and others discovered that the naive use of abstraction introduces inconsistencies known as mathematical paradoxes. Traditional set theories, like those of Zermelo-Fraenkel [Shoenfield67] and Gödel-Bernays [Gödel40], are believed to avoid the paradoxes by restricting abstraction to apply only to collections existing in a cumulative hierarchy of sets. The concern of these set theories with what sets may correctly exist gives them an ad hoc character that may account for why they have not been of interest to some mathematicians [Gray84]. Moreover, the exclusion of self-referential terms from their set terms is a serious hindrance. Section A1 of [Feferman84] provides motivation for considering set theories that permit self-membership by a simple example of a common argument in modern algebra. A set of structures is defined and the set itself is shown to be one of the structures. However, such an argument cannot be carried out within the traditional set theories. It is for this reason that the traditional set theories are not suitable for a full formalization of category theory in which no distinction between small and large categories is necessary.

Category theory provides an abstract and uniform treatment for many mathematical structures, and increasingly has found applications in computer science [Pierce88]. A short list would include: the design of both functional and imperative languages [Hagino87, Reynolds69], semantic models of programming languages [Smyth&Plotkin82, Huet85, Tennent85], type theory and polymorphism [Reynolds74,84, Wand75, Hagino87], semantics of concurrency [Monteiro&Pereira86, Zamfir87], specification and development of algorithms [Pitt et al.85,87, Rydeheard&Burstall88], specification languages, algebraic semantics and automata theory [Ehrig et al.74]. Therefore, a formalization of category theory is important for its computer science applications, especially when an automated (or semi-automated) theorem prover can be provided for the formalization. Such formal treatment then can provide a link between abstract categorical specifications and machine executable specifications. For instance, it can significantly contribute to the development of tools for (semi)automated implementation of a language or an algorithm from its semantics or formal specifications, (semi)automated translation from one language to another, or even a tool for (semi)automated design and verification for a specific programming language.

1.3.2 Semantics of Programming Languages

Providing semantics for programming languages is a fundamental problem for computer science that offers special challenges for a mathematical treatment. The need for unrestricted abstraction for programming language semantics has been recognized by many of its researchers. [Scott70], for instance, describes the problems of self-application that can arise when interpreting programming languages and proposes a solution that has led to the development of denotational semantics. Although Scott's theory provides an elegant mathematical foundation for the semantics of the lambda calculus and programming languages in general, it is not a formal theory since it lacks an effective proof theory. In Scott's foreword to [Stoy77], he concludes "For the future the problems of an adequate proof theory and of explaining non-determinism loom very large." In his paper [Scott91] he calls for the development of a formal intuitionistic set theory to provide foundations for programming semantics, since such a theory would not only have an effective proof theory, but also would permit the distinction between concepts that are identical in classical set theories. Thus programming semantics provides a challenge for the logistic method inasmuch as it requires the development of a new logic and set theory. Additionally, since programming semantics is an area rich in recursively defined objects about which theorems must be proved, the logistic method is especially suitable for its formalization.

1.3.3 The Lambda Calculus

The theory of lambda calculus has been chosen to demonstrate how the syntax, the proof theory and the semantics of a formal language can be defined in NaDSet in a direct way. The theory of lambda conversion [Church41] not only has had a great influence on the development of the theory of computation but also is the first consistent theory that offers unlimited abstraction permitting the formation of self-referential terms. Moreover, the full lambda calculus is an extensional theory while NaDSet is an intensional one. Defining models for such a theory requires, in addition to the extensive use of recursive definitions, a careful use of the extensional identity relation over the terms of NaDSet; details are provided in 2.3.5 and in chapter V.

1.4 Main Features of NaDSet

The logistic method requires of a logic that abstraction be treated as a basic concept along with the usual connectives and quantifiers. Of necessity, therefore, the logic must offer an elementary resolution of the paradoxes of set theory.
NaDSet resolves the paradoxes of set theory by formalizing all three basic concepts through rules of deduction in a natural deduction presentation of the logic. An earlier version of the logic was described in [Gilmore71,80,86], while the extended version used in this thesis is described in [Gilmore89] and proved consistent in [Gilmore90]. That NaDSet is formalized as a natural deduction logic is the first of its four important characteristics which will be discussed.

1.4.1 Natural Deduction Based Set Theory

Although the sequent calculus of [Gentzen34,35] was originally used, any natural deduction formalization of first order logic, such as those presented in [Beth55], [Prawitz65], or [Fitch52], can be extended to be a formalization of NaDSet [Gilmore&Tsiknis91b]. Natural deduction presentations of logic provide a transparent formalization of the traditional reductionist semantics of [Tarski36], in which the truth value of a complex formula depends upon the truth values of simpler formulas, and eventually upon the truth values of atomic sentences. Formalizing abstractions in this way has the effect of replacing an unrestricted comprehension axiom scheme by a comprehension rule of deduction. This replacement is not novel to NaDSet; for example, several of the theories described in [Schütte77] or the set theory of Fitch described in [Prawitz65] or [Fitch52] have this feature. This replacement is, however, not enough to ensure consistency; the theory described in [Gilmore68], for example, is inconsistent because of an improper definition of 'atomic formula'. The interpretation of atomic formulas is critical for the reductionist semantics of Tarski. A second important characteristic of NaDSet is its interpretation of atomic formulas.

1.4.2 A Nominalist Interpretation of Atomic Formulas

In NaDSet, only names of sets, not sets, may be members of sets. To emphasize that this interpretation is distinct from the interpretation of atomic formulas in classical set theory, ':' is used in place of '∈' to denote the membership relationship. For example, the atomic formula

(i) $\{u \mid \neg u{:}u\}{:}C$

is true in an interpretation if the term '$\{u \mid \neg u{:}u\}$' is in the set assigned to 'C', and is false otherwise. Note that the term '$\{u \mid \neg u{:}u\}$' is being mentioned in the formula while 'C' is being used. To avoid confusions of use and mention warned against in [Tarski36] and [Church56], NaDSet must be in effect a second order logic. The first order domain for the logic is the set D of all closed terms in which no parameter occurs, as defined in clause 4 of the definition of the elementary syntax in section 2.1 of chapter II. For example, the term '$\{u \mid \neg u{:}u\}$' is a member of D. The second order domain for the logic is the set of all subsets of D. Thus if 'C' is a second order constant, then an interpretation will assign it a subset of D, so that (i) will be true or false in the interpretation. This nominalist interpretation of atomic sentences is motivated and illustrated at greater length in [Gilmore71,80]. Since computing machines are consummate nominalists, this nominalist interpretation is a natural one for a logic such as NaDSet motivated by the needs of computer science.

Although NaDSet is in effect a second order logic, the elementary syntax requires only one kind of quantifier, used for quantification over both the first order and second order domains. This is the third important characteristic of NaDSet.

1.4.3 One Universal Quantifier Instead of Two

In classical logic, existential quantification can be defined in terms of universal quantification and negation for both first and second order quantifiers. This opportunity for simplification is exploited in NaDSet as well; but the elementary syntax requires only one universal quantifier, not one for first order quantification and one for second order quantification as was the case with the earlier form of NaDSet. However, the second order nature of the logic is revealed in the two kinds of parameters that are required. An occurrence of a parameter in a formula or term of NaDSet plays the role that it does in [Prawitz65], namely as the occurrence of a variable not bound by a quantifier or an abstraction term. The definition of a substitution operator for a term in which free variables occur is complicated by the possibility of a free occurrence of a variable in the term becoming bound after the substitution. Admitting parameters as free variables allows the simpler definition of a substitution operator restricted to terms without free occurrences of variables. In an interpretation of NaDSet, first order parameters are assigned members of D, while second order parameters are assigned subsets of D. The last of the four important characteristics of NaDSet is discussed next.

1.4.4 A Generalized Unrestricted Abstraction

N is defined in 1.2 as an abbreviation for a term $\{x \mid \forall z(0{:}z \wedge \forall u(u{:}z \supset u'{:}z) \supset x{:}z)\}$. This latter is a typical abstraction term of set theory that has such terms. In general they take the form $\{v \mid F\}$, where v is a variable, and F is a formula in which the variable may have a free occurrence. The term is understood to represent the set of v satisfying F. In NaDSet, however, v may be replaced by more general terms. For example, the Cartesian product of two sets A and B is defined

$[A \times B]$ for $\{\langle u, v\rangle \mid (u{:}A \wedge v{:}B)\}$

where $\langle \ldots \rangle$ is the ordered pair. The abstraction term abbreviated in 1.2 by Cat is another example.

The rules of deduction for the introduction of abstraction terms such as these are natural generalizations of the rules of deduction for abstraction terms of the form $\{v \mid F\}$. These abstraction rules determine what are appropriate uses of abstraction terms in mathematical arguments, rather than determine what sets may consistently coexist. For example, the arguments Russell used to show that the empty set is a member of the Russell set and that the universal set is not, are arguments that can be shown to be correct in NaDSet, while the arguments demonstrating that the Russell set is and is not a member of itself cannot be justified in NaDSet. Thus it can be said that NaDSet provides an answer to the question "What constitutes a sound argument?" rather than to the question "What sets exist?" which is a concern of the traditional set theories. In conclusion, NaDSet offers unrestricted generalized abstraction; self-referential set terms can be formed but arguments leading to contradictions are excluded.

1.5 How the Goal Has Been Achieved

The goal of the thesis is accomplished by first providing within NaDSet direct definitions of the basic concepts in each of the chosen areas and then by showing that certain theorems that are known to present problems to some other formalisms are derivable within the logic using these definitions alone.

A NaDSet formalization of the basic concepts in category theory is given first. A NaDSet definition of a category is given that is more general than the traditional definitions in two respects: a category is defined in terms of its arrows only with no reference to objects; and secondly, the identity relation of a category is an explicit part of its structure. The notion of a functor on categories is formalized in a similar way. The larger fragment of this part provides the necessary definitions for the category of categories and a NaDSet proof that the latter structure is itself a category.
This proof, although greatly abbreviated, demonstrates the capability of NaDSet to provide logical foundations for category theory.  A n important  consequence of this formalization is the following: It is not necessary to distinguish between small and large categories as it is the case when a traditional set theory (like Zermelo-Fraenkel or Godel-Bernays set theory) is used as a foundation of category theory.  10  Chapter I: Introduction  Definitions for the remaining fundamental concepts and constructs in category theory , such as those described in [MacLane71] or [Barr&Wells85}, are also presented. The need of a set theory that provides for self-referential definitions is imperative in the field of prograrnming language semantics and was recognized by many of its researchers. To further clarify this point, two approaches to formalizing recursive definitions, corresponding to two different views of mathematics, are contrasted. The advantages of NaDSet's complete recursive definitions are demonstrated by defining in NaDSet the semantics of a simple programming language. Recursive definitions for the set of expressions and commands of the language as well as for their semantics are provided and a theorem stating the semantic equivalence between two commands is derived. The significance of this is underscored by the fact that such a proof cannot be carried out within the lambda calculus or a first order formalization of domain theory without the need of additional axioms. In higher order systems like L C F [Milner72, Gordon et al.78] and H O L [Gordon87] a derivation of such theorem requires fix-point induction and a type of admissibility test the way it is described in chapter 9 of [S toy77]. To further illustrate the use of NaDSet in defining semantics of nondeterministic languages, a nondeterministic expression and command are added to the language and their semantics is defined. 
In NaDSet, the semantics of a nondeterministic construct is not different from that of its deterrninistic counterpart. In the case of a command, for instance, both are defined by a term that represents a binary relation over the states. Of course, in the nondeterministic case an initial state is associated with (possibly) more than one final states. On the other hand, some kind of power set (or power domain) construction is needed to express this concept in traditional domain theory. Finally, Church's theory of lambda conversion [Church41, Hindley&Seldin86] is defined in NaDSet in a direct way, avoiding the use of complicated encodings. NaDSet definitions of the lambda calculus well formed terms, substitution and conversion are given and the main theorems about them are expressed within this framework.  One of the points this part  emphasizes is the capability of NaDSet to provide simple and straightforward treatment to such types of concept:  NaDSet definitions of the various lambda calculus concepts closely resemble  the traditional recursive definitions in any lambda calculus textbook, such as [Barendregt81] or [Hindley&Seldin86].  Chapter I: Introduction  11  In order to show that a significant part of lambda calculus model theory can also be expressed within NaDSet, three of the most acceptable definitions of a lambda calculus model are presented, the structure known as Church's term model is defined and proofs that this structure satisfies the given definitions of models, are provided.  1.6  Thesis Outline and Reader's  Guide  The rest of the thesis is organized in five chapters. Chapter LT contains a review of the theory NaDSet. Its elementary and logical syntax, that is its syntax and proof theory, are described in detail and some derived rules and definitions needed in subsequent chapters are also provided.  Chapter HI provides a NaDSet formalization of the basic concepts in category theory. 
The set of categories, Cat, and the functors, Func, are defined first and the proof that Cat is also a category is presented. The rest of the chapter contains additional definitions and discussions on natural transformations, functor categories, comma categories, universal elements, limits and adjoint functors.  Some consequences of this formalization are discussed at the end of the  chapter. Chapter IV of the thesis deals with NaDSet applications in programming language semantics. The chapter starts with a comparison of NaDSet's approach to formalizing recursive definitions with the axiomatic approach. Using recursive definitions, the syntax and the semantics of a simple programming language are defined and a derivation of the semantic equivalence of two command sequences is provided. Next, the programming language is extended to include nondeterministic expressions and commands and the definitions of the semantics of the new constructs are provided. Some remarks and intuition on the way the recursive definitions are used are given in the last section of the chapter. Whereas the two previous chapters discuss the use of NaDSet in formalizing concrete (informal) mathematical (or computer science) theories, chapter V demonstrates how the formal theory of lambda calculus can be defined within NaDSet. Recursive definitions of the lambda calculus terms, variable substitution and the Xpn-theory of term conversion are given and the main theorems about them are expressed in NaDSet. Three definitions of a lambda calculus model are presented in the sequence. The first defines a structure with a relation that interprets the term  Chapter I: Introduction  12  conversion. The second definition makes use of variable assignments and the third defines the Scott-Meyer models of the theory. Church's term model is constructed and it is shown to satisfy the given definitions. 
Finally, chapter VI presents some concluding remarks and discusses some preliminary ideas about the use of NaDSet in other areas of computer science.

Chapter II is essential for an understanding of the rest of the thesis. However, the hasty reader may just go through sections 2.1, 2.2 and 2.3.1 before embarking on the rest of the thesis, and consult the rest of the material in chapter II as necessary. A reader familiar with the latest version of NaDSet can skip the chapter once familiar with the notion of the 'for'-definitions in section 2.3.1 and the conventions on derivations, which are discussed at the end of section 2.2. Chapters III, IV and V are fairly independent and can be read in any order, but the reader is cautioned that the complexity of the definitions and derivations presented in each of these chapters increases with the chapter number. Moreover, the remarks of section 4.3 may help in understanding the derivations presented in chapter V. Finally, in order to assist the reader, the lengthy proofs of some lemmas and theorems are given in the appendices.

CHAPTER II

The Logic NaDSet

A detailed description of the logic NaDSet is provided in this chapter. The elementary syntax, that is, the definitions relating to well-formed formulas and terms, is described in section 2.1, while the logical syntax, that is, the definitions relating to well-formed proofs, is described in section 2.2. The last section of the chapter includes some derived rules and definitions that are used later in the thesis, but no discussion of the semantics of the theory is included here. [Gilmore89] contains a section on the semantics of NaDSet, and [Gilmore90] presents a consistency proof of the theory. [Gilmore&Tsiknis91b] provides alternative natural deduction formulations of NaDSet.
2.1 ELEMENTARY SYNTAX

To simplify the description of NaDSet, only a single logical connective $\downarrow$ and only a universal quantifier $\forall$ are taken to be primitive. The connective is joint denial, so that $(F \downarrow G)$ has the same truth table as $(\sim F \land \sim G)$. In this definition, as throughout the thesis, bold expressions represent metavariables over particular sets of strings.

Definition of Elementary Syntax

1.1. A variable is a term. The single occurrence of the variable in the term is a free occurrence in the term.

1.2. Any parameter or constant is a term. No variable has a free occurrence in such a term.

2.1. If $r$ and $s$ are any terms, then $r:s$ is a formula. A free occurrence of a variable in $r$ or in $s$ is a free occurrence of the variable in the formula.

2.2. If $F$ and $G$ are formulas, then $(F \downarrow G)$ is a formula. A free occurrence of a variable in $F$ or in $G$ is a free occurrence in $(F \downarrow G)$.

2.3. If $F$ is a formula and $v$ a variable, then $\forall v F$ is a formula. A free occurrence of a variable other than $v$ in $F$ is a free occurrence in $\forall v F$; no occurrence of $v$ is free in $\forall v F$.

3. Let $t$ be any term in which there is at least one free occurrence of a variable and no occurrence of a parameter. Let $F$ be any formula. Then $\{t \mid F\}$ is an abstraction term. A free occurrence of a variable in $F$ which does not also have a free occurrence in $t$ is a free occurrence in $\{t \mid F\}$. A variable with a free occurrence in $t$ has no free occurrence in $\{t \mid F\}$.

4. A term is first order if no second order parameter occurs in it. A formula $t:T$ is atomic if $t$ is first order and $T$ is a second order parameter or constant. A term or formula in which no variable has a free occurrence is said to be closed.

Clause 3 of this definition introduces the syntax for set abstraction. It generalizes the conventional syntax, in which $t$ may only be a single variable.
The more general form of the abstraction term is a genuine extension of the logic that is essential for many of its applications, including its use for category theory in chapter III.

2.2 LOGICAL SYNTAX

The extended NaDSet, like the original, is presented as a Gentzen sequent calculus [Gentzen31,32]. A sequent in NaDSet takes the form

$$\Gamma \to \Theta$$

where $\Gamma$ and $\Theta$ are finite, possibly empty, sequences of closed formulas. The formulas of $\Gamma$ form the antecedent of the sequent, and the formulas of $\Theta$ the succedent. A sequent can be interpreted as asserting that one of the formulas of its antecedent is false or one of the formulas of its succedent is true. By the logical syntax of NaDSet is to be understood the description of the axioms and the rules of deduction for sequents.

Definition of Logical Syntax

Axioms

$G \to G$, where $G$ is a closed atomic formula.

Propositional Rules

$\to\downarrow$:
$$\frac{\Gamma, G \to \Theta \qquad \Delta, H \to \Lambda}{\Gamma, \Delta \to (G \downarrow H), \Theta, \Lambda}$$

$\downarrow\to$:
$$\frac{\Gamma \to G, \Theta}{\Gamma, (G \downarrow H) \to \Theta} \qquad\qquad \frac{\Gamma \to H, \Theta}{\Gamma, (G \downarrow H) \to \Theta}$$

Quantification Rules

$\to\forall$:
$$\frac{\Gamma \to [p/u]F, \Theta}{\Gamma \to \forall u F, \Theta}$$

$\forall\to$:
$$\frac{\Gamma, [r/u]F \to \Theta}{\Gamma, \forall u F \to \Theta}$$

In the first rule, $p$ is a parameter that does not occur in $F$ or in any formula of $\Gamma$ or $\Theta$; $p$ is the eigenparameter of the rule. In the second rule, $r$ is any closed term; $r$ is called the eigenterm of the rule.

Abstraction Rules

$\to\{\}$:
$$\frac{\Gamma \to [\underline{r}/\underline{u}]F, \Theta}{\Gamma \to [\underline{r}/\underline{u}]t : \{t \mid F\}, \Theta}$$

$\{\}\to$:
$$\frac{\Gamma, [\underline{r}/\underline{u}]F \to \Theta}{\Gamma, [\underline{r}/\underline{u}]t : \{t \mid F\} \to \Theta}$$

$\underline{u}$ is a sequence of the distinct variables with free occurrences in the term $t$. $F$ is a formula in which only the variables $\underline{u}$ have free occurrences. $\underline{r}$ is a sequence of closed terms, one for each variable in $\underline{u}$.

Structural Rules

Thinning
$$\frac{\Gamma \to \Theta}{\Gamma \to F, \Theta} \qquad\qquad \frac{\Gamma \to \Theta}{\Gamma, F \to \Theta}$$
where $F$ is any closed formula.
Contraction
$$\frac{\Gamma \to F, F, \Theta}{\Gamma \to F, \Theta} \qquad\qquad \frac{\Gamma, F, F \to \Theta}{\Gamma, F \to \Theta}$$

Interchange
$$\frac{\Gamma \to F, G, \Theta}{\Gamma \to G, F, \Theta} \qquad\qquad \frac{\Gamma, F, G \to \Theta}{\Gamma, G, F \to \Theta}$$

Cut Rule
$$\frac{\Gamma \to \Theta, F \qquad F, \Delta \to \Lambda}{\Gamma, \Delta \to \Theta, \Lambda}$$

End of definition

The propositional, quantification and abstraction rules will be denoted respectively by $\to\downarrow$, $\downarrow\to$, $\to\forall$, $\forall\to$, $\to\{\}$ and $\{\}\to$. The structural rules will be referred to by name.

Some remarks on derivations

The concept of a NaDSet derivation, or simply derivation, is similar to the concept of Gentzen's LK-derivation [Szabo69] but, for space reasons, all the derivations presented in this thesis are condensed. Several applications of the rules of deduction may be represented as one application. To assist in identifying the rule being applied, the principal formula in the conclusion of the rule is identified with a prefixed *; here "principal sentence" means the explicitly displayed sentence in the conclusion of the rule. More than one sentence may be so prefixed when a single step represents applications of more than one rule. When a step involves a single-premiss rule, the long bar between the premiss and the conclusion is omitted. However, in a step with many premisses, the long bar is retained, and a short bar is used to indicate the beginning of the premisses for the next multi-premiss rule. The first of these premisses is the end sequent of the derivation appearing above it. If the other premisses are not numbered, then their derivations are immediate. Only premisses that are not simple consequences of a lemma are explicitly annotated. If a short bar should occur immediately after a long bar, it is omitted.

2.3 SOME DERIVED RULES AND DEFINITIONS

This section displays some definitions and derived rules that are needed in the remainder of the thesis.

2.3.1 'for' Definitions

Essential to an understanding of the subsequent chapters is the proper interpretation of definitions of the form

name for expression

or

name[$r_1$, ..., $r_m$] for expression.
In the first definition, name is an abbreviation for expression, which is a NaDSet term or formula. This means that any NaDSet expression (that is, term or formula) in which name occurs should be understood as an expression in which name is replaced by the term or formula expression. The second of these definitions is a definition scheme of individual definitions of the first kind. In this, $r_1, \ldots, r_m$ are metavariables ranging over the expressions of NaDSet. Therefore, any term or formula in which name[$t_1, \ldots, t_m$], for some terms $t_1, \ldots, t_m$, occurs is understood as a term or formula in which name[$t_1, \ldots, t_m$] is replaced by the expression obtained from expression by replacing $r_1$ by $t_1$, ..., and $r_m$ by $t_m$. This second use of the for definitions is similar to the quasi-quotation corner notation of [Quine51].

As an illustration, consider the following definition of the logical connective $\sim$ in terms of $\downarrow$:

$\sim[F]$ for $F \downarrow F$

In this case name is the symbol $\sim$, $F$ is a metavariable ranging over NaDSet formulas, and expression is the formula $F \downarrow F$. By omitting the square brackets, the last definition gets the more traditional appearance:

$\sim F$ for $F \downarrow F$

Moreover, Gentzen's negation rules [Szabo69] can be derived using this definition as follows:

$\sim\to$:
$$\begin{array}{l} \Gamma \to \Delta, F \\ \Gamma, F \downarrow F \to \Delta \\ \Gamma, \sim F \to \Delta \end{array}$$

$\to\sim$:
$$\begin{array}{l} \Gamma, F \to \Delta \\ \Gamma \to F \downarrow F, \Delta \\ \Gamma \to \sim F, \Delta \end{array}$$

The last step in both derivations is not an application of any rule of section 2.2; it is an application of the previous definition instead. From NaDSet's point of view, the last two sequents in each derivation are identical; one is an abbreviation of the other. Therefore the rule applied at this step is just the rule of repetition, which is implicitly accepted by the logical syntax. The latter is in agreement with the abbreviation-like interpretation of the definitions explained in this section.
As another example, consider the set of categories defined in section 3.1 of chapter III by the definitions:

Cat for $\{\langle Ar, =_a, Sr, Tg, Cp\rangle \mid \mathrm{Category}[Ar, =_a, Sr, Tg, Cp]\}$

Category[$Ar, =_a, Sr, Tg, Cp$] for axioms.

In the first of these definitions, 'Cat' is provided as an abbreviation for the abstraction term $\{\langle Ar, =_a, Sr, Tg, Cp\rangle \mid \mathrm{Category}[Ar, =_a, Sr, Tg, Cp]\}$. In the second, $Ar$, $=_a$, $Sr$, $Tg$ and $Cp$ are used as metavariables ranging over the terms of NaDSet. When they are replaced with particular terms, as they are in the formula $\mathrm{Category}[Ar, =_a, Sr, Tg, Cp]$ by the variables 'Ar', '$=_a$', 'Sr', 'Tg' and 'Cp', the resulting formula $\mathrm{Category}[Ar, =_a, Sr, Tg, Cp]$ is an abbreviation for the conjunction of all the axioms for categories in which the metavariables $Ar$, $=_a$, $Sr$, $Tg$ and $Cp$ are replaced by the variables 'Ar', '$=_a$', 'Sr', 'Tg' and 'Cp'.

Of course most of these definitions are given in order to be used in some context. In the case where expression is a term, such an in-context definition has the form

$n$ for $t$ in $S$

where $n$ is a name (actually, a subset of the variables can be reserved for names; therefore $n$ can be treated as a variable), $t$ is a term and $S$ is a formula. Such a definition is nothing else than the NaDSet formula

$t : \{n \mid S\}$

The latter indicates that definitions in NaDSet need not be viewed as metatheoretic notions but can be regarded as sentences in the object language instead. Nevertheless, for simplicity, in this thesis the first form of definitions is used, and they are interpreted as abbreviations in the way discussed earlier.

2.3.2 Additional Connectives and Quantifiers

Although the logical syntax of the logic was defined using a single logical connective and one quantifier, all the usual logical connectives $\sim$, $\land$, $\lor$, $\supset$, $\equiv$ and the existential quantifier $\exists$ can be defined using $\downarrow$ and $\forall$, and the corresponding rules of deduction can be derived.
The previous section offered an illustration for $\sim$; the rest of the connectives and the existential quantifier can be treated similarly. In what follows, the deductive rules for the additional logical symbols are listed, but their derivations are omitted. When necessary they will be denoted respectively by $\to\sim$, $\sim\to$, $\to\land$, $\land\to$, $\to\lor$, $\lor\to$, $\to\supset$, $\supset\to$, $\to\equiv$, $\equiv\to$, $\to\exists$ and $\exists\to$.

$\to\sim$, $\sim\to$:
$$\frac{\Gamma, G \to \Theta}{\Gamma \to \sim G, \Theta} \qquad\qquad \frac{\Gamma \to G, \Theta}{\Gamma, \sim G \to \Theta}$$

$\to\land$, $\land\to$:
$$\frac{\Gamma \to G, \Theta \qquad \Delta \to H, \Lambda}{\Gamma, \Delta \to (G \land H), \Theta, \Lambda} \qquad\qquad \frac{\Gamma, G \to \Theta}{\Gamma, (G \land H) \to \Theta} \qquad \frac{\Gamma, H \to \Theta}{\Gamma, (G \land H) \to \Theta}$$

$\to\lor$, $\lor\to$:
$$\frac{\Gamma \to G, \Theta}{\Gamma \to (G \lor H), \Theta} \qquad \frac{\Gamma \to H, \Theta}{\Gamma \to (G \lor H), \Theta} \qquad\qquad \frac{\Gamma, G \to \Theta \qquad \Delta, H \to \Lambda}{\Gamma, \Delta, (G \lor H) \to \Theta, \Lambda}$$

$\to\supset$, $\supset\to$:
$$\frac{\Gamma, G \to H, \Theta}{\Gamma \to (G \supset H), \Theta} \qquad\qquad \frac{\Gamma \to G, \Theta \qquad \Delta, H \to \Lambda}{\Gamma, \Delta, (G \supset H) \to \Theta, \Lambda}$$

$\to\equiv$, $\equiv\to$:
$$\frac{\Gamma, G \to H, \Theta \qquad \Delta, H \to G, \Lambda}{\Gamma, \Delta \to (G \equiv H), \Theta, \Lambda}$$
$$\frac{\Gamma \to G, \Theta \qquad \Delta, H \to \Lambda}{\Gamma, \Delta, (G \equiv H) \to \Theta, \Lambda} \qquad\qquad \frac{\Gamma, G \to \Theta \qquad \Delta \to H, \Lambda}{\Gamma, \Delta, (G \equiv H) \to \Theta, \Lambda}$$

$\to\exists$, $\exists\to$:
$$\frac{\Gamma \to [r/u]F, \Theta}{\Gamma \to \exists u F, \Theta} \qquad\qquad \frac{\Gamma, [p/u]F \to \Theta}{\Gamma, \exists u F \to \Theta}$$

In the first rule, $r$ is any closed term. In the second rule, $p$ is a parameter that does not occur in $F$ or in any formula of $\Gamma$ or $\Theta$.

2.3.3 Bounded Quantifiers

Bounded quantifiers are frequently used throughout the thesis. For example, each of the axioms (c1) to (c20) for categories given in section 3.1 uses a single or multiple bounded universal quantifier. Consider (c2):

$[\forall f,g:Ar](f =_a g \supset g =_a f)$

This expression is an abbreviation for the expression:

$[\forall f][\forall g](f:Ar \land g:Ar \supset (f =_a g \supset g =_a f))$

Thus $[\forall f,g:Ar]$ is a conventional bounded quantifier. But a more general form of bounded quantifier is also used: a single variable may be bounded by an abstraction term. For example, lemma 3.2.1 of section 3.2 takes the form

$\to [\forall x,y:\mathrm{Cat}]\, P[x,y]$

where $P[x,y]$ is a formula in which the variables 'x' and 'y' occur free. 'Cat', as described in section 2.3.1 above, is an abbreviation for the abstraction term

$\{\langle Ar, =_a, Sr, Tg, Cp\rangle \mid \mathrm{Category}[Ar, =_a, Sr, Tg, Cp]\}$

where $Ar$, $=_a$, $Sr$, $Tg$ and $Cp$ are variables that are bound in the abstraction term.
A single bounded quantifier of the form $[\forall x:\mathrm{Cat}]\, P[x]$ is an abbreviation for the formula

$$[\forall Ar'][\forall =_a'][\forall Sr'][\forall Tg'][\forall Cp']\big(\langle Ar', =_a', Sr', Tg', Cp'\rangle : \{\langle Ar, =_a, Sr, Tg, Cp\rangle \mid \mathrm{Category}[Ar, =_a, Sr, Tg, Cp]\} \supset P[\langle Ar', =_a', Sr', Tg', Cp'\rangle]\big),$$

where $Ar'$, $=_a'$, $Sr'$, $Tg'$ and $Cp'$ are distinct variables free to replace the variable $x$ in the formula $P[x]$. The formula $[\forall x,y:\mathrm{Cat}]\, P[x,y]$ is then an abbreviation for the formula

$$\begin{array}{l}
[\forall Ar'][\forall =_a'][\forall Sr'][\forall Tg'][\forall Cp'][\forall Ar''][\forall =_a''][\forall Sr''][\forall Tg''][\forall Cp'']\big( \\
\quad \langle Ar', =_a', Sr', Tg', Cp'\rangle : \{\langle Ar, =_a, Sr, Tg, Cp\rangle \mid \mathrm{Category}[Ar, =_a, Sr, Tg, Cp]\} \land \\
\quad \langle Ar'', =_a'', Sr'', Tg'', Cp''\rangle : \{\langle Ar, =_a, Sr, Tg, Cp\rangle \mid \mathrm{Category}[Ar, =_a, Sr, Tg, Cp]\} \\
\quad \supset P[\langle Ar', =_a', Sr', Tg', Cp'\rangle, \langle Ar'', =_a'', Sr'', Tg'', Cp''\rangle] \big),
\end{array}$$

where the variables $Ar'$, $=_a'$, $Sr'$, $Tg'$, $Cp'$, $Ar''$, $=_a''$, $Sr''$, $Tg''$ and $Cp''$ are suitably chosen.

The general form of the bounded quantifiers is defined:

$[\forall v:\{t \mid F\}]\, G$ for $\forall\underline{u}\,(t:\{t \mid F\} \supset [t/v]G)$

$[\exists v:\{t \mid F\}]\, G$ for $\exists\underline{u}\,(t:\{t \mid F\} \land [t/v]G)$

where $\underline{u}$ is a sequence of the distinct variables with free occurrences in $t$, and $\forall\underline{u}$, $\exists\underline{u}$ are sequences of quantifiers $\forall u$ and $\exists u$, one for each variable $u$ in $\underline{u}$, respectively.

The following rules of deduction for the bounded quantifiers can be derived:

$\to\forall$, $\exists\to$ (bounded):
$$\frac{\Gamma, [\underline{p}/\underline{u}]t : \{t \mid F\} \to [[\underline{p}/\underline{u}]t/v]G, \Theta}{\Gamma \to [\forall v:\{t \mid F\}]G, \Theta} \qquad\qquad \frac{\Gamma, [\underline{p}/\underline{u}]t : \{t \mid F\}, [[\underline{p}/\underline{u}]t/v]G \to \Theta}{\Gamma, [\exists v:\{t \mid F\}]G \to \Theta}$$

where $\underline{u}$ is a sequence of the distinct variables with free occurrences in $t$, and $\underline{p}$ is a sequence of the same length as $\underline{u}$ of distinct parameters, none of which occur in the conclusion of the rule.

$\forall\to$, $\to\exists$ (bounded):
$$\frac{\Gamma \to [\underline{r}/\underline{u}]t : \{t \mid F\}, \Theta \qquad \Delta, [[\underline{r}/\underline{u}]t/v]G \to \Lambda}{\Gamma, \Delta, [\forall v:\{t \mid F\}]G \to \Theta, \Lambda}$$
$$\frac{\Gamma \to [\underline{r}/\underline{u}]t : \{t \mid F\}, \Theta \qquad \Delta \to [[\underline{r}/\underline{u}]t/v]G, \Lambda}{\Gamma, \Delta \to [\exists v:\{t \mid F\}]G, \Theta, \Lambda}$$

where $\underline{u}$ is a sequence of the distinct variables with free occurrences in $t$, and $\underline{r}$ is a sequence of the same length as $\underline{u}$ of closed terms.
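As an added illustration of sections 2.1 to 2.3.3 (example code, not from the thesis), the following Python sketch represents NaDSet terms and formulas as data, computes free occurrences by the clauses of the elementary syntax, implements substitution and the step from the principal formula $[\underline{r}/\underline{u}]t:\{t \mid F\}$ of an abstraction rule to its premiss $[\underline{r}/\underline{u}]F$, and expands a bounded quantifier $[\forall v:\{t \mid F\}]G$ as defined above. All class and function names, the sample set $\{\langle x,y\rangle \mid x:A\}$, and the particular definition of $\supset$ from $\downarrow$ are this example's own choices.

```python
"""Added example (not code from the thesis): NaDSet's elementary syntax (section 2.1) as
Python data, with free occurrences, substitution, the premiss of an abstraction-rule step
(section 2.2) and the bounded-quantifier expansion of section 2.3.3.  Names are mine."""
from __future__ import annotations
from dataclasses import dataclass, fields
from typing import Union

@dataclass(frozen=True)
class Var: name: str                              # clause 1.1
@dataclass(frozen=True)
class Param: name: str; order: int = 1            # clause 1.2: parameter or constant
@dataclass(frozen=True)
class Abs: t: Term; body: Formula                 # clause 3: {t | F}
@dataclass(frozen=True)
class Mem: r: Term; s: Term                       # clause 2.1: r:s
@dataclass(frozen=True)
class Nor: left: Formula; right: Formula          # clause 2.2: (F ↓ G), joint denial
@dataclass(frozen=True)
class All: v: Var; body: Formula                  # clause 2.3: ∀v F
Term = Union[Var, Param, Abs]
Formula = Union[Mem, Nor, All]

def free(e) -> frozenset:
    """Variables with a free occurrence in e, clause by clause."""
    if isinstance(e, Var):
        return frozenset({e})
    if isinstance(e, Param):
        return frozenset()
    if isinstance(e, All):                        # v is bound by the quantifier
        return free(e.body) - {e.v}
    if isinstance(e, Abs):                        # the free variables of t are bound in {t | F}
        return free(e.body) - free(e.t)
    return frozenset().union(*(free(getattr(e, f.name)) for f in fields(e)))

def subst(e, sigma):
    """[r/u]e: replace the free occurrences of the variables u by the terms r."""
    if isinstance(e, Var):
        return sigma.get(e, e)
    if isinstance(e, Param):
        return e
    if isinstance(e, All):
        return All(e.v, subst(e.body, {u: r for u, r in sigma.items() if u != e.v}))
    if isinstance(e, Abs):
        return Abs(e.t, subst(e.body, {u: r for u, r in sigma.items() if u not in free(e.t)}))
    return type(e)(*(subst(getattr(e, f.name), sigma) for f in fields(e)))

def match(pat, inst, sigma=None, bound=frozenset()):
    """The terms r with [r/u]pat == inst, u being the free variables of pat, or None."""
    sigma = {} if sigma is None else sigma
    if isinstance(pat, Var):
        if pat in bound:
            return sigma if inst == pat else None
        return {**sigma, pat: inst} if sigma.get(pat, inst) == inst else None
    if type(pat) is not type(inst) or (isinstance(pat, Param) and pat != inst):
        return None
    if isinstance(pat, Param):
        return sigma
    if isinstance(pat, All):
        return match(pat.body, inst.body, sigma, bound | {pat.v}) if pat.v == inst.v else None
    inner = bound | free(pat.t) if isinstance(pat, Abs) else bound
    for f in fields(pat):
        sigma = match(getattr(pat, f.name), getattr(inst, f.name), sigma, inner)
        if sigma is None:
            return None
    return sigma

def abstraction_premiss(principal):
    """Premiss [r/u]F of a ->{} or {}-> step whose principal formula is [r/u]t : {t | F}."""
    if not (isinstance(principal, Mem) and isinstance(principal.s, Abs)):
        raise ValueError("not a membership in an abstraction term")
    sigma = match(principal.s.t, principal.r)
    if sigma is None or any(free(r) for r in sigma.values()):
        raise ValueError("the eigenterms r must be closed terms instantiating t")
    return subst(principal.s.body, sigma)

def neg(F): return Nor(F, F)                      # ~F for F ↓ F, as in section 2.3.1
def imp(F, G): return neg(Nor(neg(F), G))         # F ⊃ G as ~(~F ↓ G): one way to define ⊃

def var_order(t, bound=frozenset(), seq=None):
    """The sequence u: the distinct free variables of t in order of first occurrence."""
    seq = [] if seq is None else seq
    if isinstance(t, Var) and t not in bound and t not in seq:
        seq.append(t)
    elif isinstance(t, (All, Abs)):
        var_order(t.body, bound | ({t.v} if isinstance(t, All) else free(t.t)), seq)
    elif isinstance(t, (Mem, Nor)):
        for f in fields(t):
            var_order(getattr(t, f.name), bound, seq)
    return seq

def bounded(v, A, G):
    """[∀v:{t|F}]G for ∀u(t:{t|F} ⊃ [t/v]G); the u are assumed chosen fresh for G."""
    body = imp(Mem(A.t, A), subst(G, {v: A.t}))
    for u in reversed(var_order(A.t)):
        body = All(u, body)
    return body

# Constructed sample: ordered pairs <r,s> for {u | (r:C ↓ s:C)} as in section 2.3.4 (C a
# second order constant), and the set {<x,y> | x:A} of pairs whose first component is in A.
C = Param("C", 2)
def pair(r, s): return Abs(Var("u"), Nor(Mem(r, C), Mem(s, C)))
x, y, p = Var("x"), Var("y"), Var("p")
A, Q, a, b = Param("A", 2), Param("Q", 2), Param("a"), Param("b")
FIRST_IN_A = Abs(pair(x, y), Mem(x, A))
```

Applied to the closed principal formula $\langle a,b\rangle:\{\langle x,y\rangle \mid x:A\}$, `abstraction_premiss` returns the premiss $a:A$, and `bounded` turns $[\forall p:\{\langle x,y\rangle \mid x:A\}]\,p:Q$ into the closed formula $\forall x \forall y(\langle x,y\rangle:\{\ldots\} \supset \langle x,y\rangle:Q)$.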
2.3.4 Ordered Pairs and Identity

Ordered pairs are defined

$\langle r, s\rangle$ for $\{u \mid (r:C \downarrow s:C)\}$,

where 'C' is a given second order constant. Any second order constant may be used, since the constant need not satisfy any assumptions apart from the assumptions made for every second order constant. This unusually simple definition of ordered pair is satisfactory in NaDSet because NaDSet is an intensional logic. Triples and other tuples can be similarly defined directly, or can be defined by nesting pairs.

Note that when $r$ and $s$ are variables, say 'u' and 'v', the term $\langle u,v\rangle$ satisfies the conditions placed on the term $t$ in clause 3 of definition 2.1 of the elementary syntax. This is the most common use of the ordered pair. Note also, however, that the form of $t$ is irrelevant for applications of the $\to\{\}$ and $\{\}\to$ rules given in the definition of the logical syntax in 2.2. The term serves only the purpose of providing an order to the distinct variables with free occurrences in it.

Identity is given by the definition

$=$ for $\{\langle u,v\rangle \mid [\forall z](u:z \supset v:z)\}$.

Members of $=$ are ordered pairs $\langle r,s\rangle$. The conventional infix notation $r = s$ will be used instead of expressing membership by the formula $\langle r,s\rangle : =$. The following are derived rules for identity; their derivations can be found in [Gilmore89].

$\to=$:
$$\frac{\Gamma, r:P \to s:P, \Theta}{\Gamma \to \Theta, r = s}$$
for any closed first order terms $r$ and $s$, and second order parameter $P$ not occurring in any formula of $\Gamma$, $\Theta$.

$=\to$:
$$\frac{\Gamma \to \Theta, [r/u]F \qquad [s/u]F, \Delta \to \Lambda}{\Gamma, \Delta, r = s \to \Theta, \Lambda}$$
where $F$ is any formula in which only the variable $u$ has a free occurrence, and $r$ and $s$ are any constant terms.

Moreover, for any formula $F$ and constant terms $r$, $s$

$$\frac{[r/u]F \to [r/u]F \qquad [s/u]F \to [s/u]F}{r = s, [r/u]F \to [s/u]F}$$

is a derivable rule, and $r = s \to r = s$ is a derivable sequent.

Finally, the desired properties of the ordered pairs are demonstrated by the following derived rules, where $r_1$, $r_2$, $s_1$ and $s_2$ are constant first order terms.
$\to\langle\rangle$:
$$\frac{\Gamma \to \Theta, r_1 = r_2 \qquad \Delta \to \Lambda, s_1 = s_2}{\Gamma, \Delta \to \Theta, \Lambda, \langle r_1, s_1\rangle = \langle r_2, s_2\rangle}$$

$\langle\rangle\to$:
$$\frac{\Gamma, r_1 = r_2 \to \Theta}{\Gamma, \langle r_1, s_1\rangle = \langle r_2, s_2\rangle \to \Theta} \qquad\qquad \frac{\Gamma, s_1 = s_2 \to \Theta}{\Gamma, \langle r_1, s_1\rangle = \langle r_2, s_2\rangle \to \Theta}$$

2.3.5 Extensional Identity

Extensional identity is defined as

$=_e$ for $\{\langle x,y\rangle \mid \forall u\,(u:x \equiv u:y)\}$

and provides a means for illustrating important aspects of quantification within NaDSet. Consider the following defined 'universal' sets:

V1 for $\{u \mid u = u\}$

V2 for $\{y \mid y =_e y\}$

For each of these terms tm, it is possible to derive the sequent $\to tm =_e tm$. But the derivations take on a different character in each case. In the following derivations, $p$ is a first order parameter and $P$ is a second order parameter.

For V1:
$$\begin{array}{ll}
p = p \to p = p & =\text{-axiom} \\
p:V1 \to p:V1 & \{\}\to,\ \to\{\} \\
\to V1 =_e V1 & \to\equiv,\ \to\forall
\end{array}$$

For V2:
$$\begin{array}{ll}
p:P \to p:P & \text{axiom} \\
\to P =_e P & \to\equiv,\ \to\forall \\
\to P:V2 & \to\{\} \\
P:V2 \to P:V2 & \text{thinning} \\
\to V2 =_e V2 & \to\equiv,\ \to\forall
\end{array}$$

Note also that the following sequents are derivable: $\to V1:V1$, $\to V2:V2$, $\to V1:V2$ and $\to V2:V1$. The first two demonstrate that self-membership presents no problems for NaDSet.

Because of the generalized form of abstraction, other forms of extensional identity may be defined. For example, extensional identity for sets of ordered pairs can be defined:

$=_{e2}$ for $\{\langle x,y\rangle \mid \forall u \forall v\,(\langle u,v\rangle:x \equiv \langle u,v\rangle:y)\}$.

Other similar forms of extensional identity will be encountered in section 3.3.

2.3.6 Natural Numbers

In subsequent chapters some concepts from arithmetic will be needed. Some basic definitions are provided here:

$0$ for $\{u \mid \sim u = u\}$

$\mathrm{Succ}[t]$ for $\{u \mid u = t\}$

$\mathrm{SuccCls}$ for $\{z \mid 0:z \land [\forall u:z](\mathrm{Succ}[u]:z)\}$

$N$ for $\{u \mid [\forall z:\mathrm{SuccCls}](u:z)\}$

$<$ for $\{\langle u,v\rangle \mid [\forall z:\mathrm{SuccCls}](u:z \supset v:z)\}$

The full development of arithmetic within NaDSet is sketched in [Gilmore86].
CHAPTER III

Category Theory in NaDSet

Section A1 of [Feferman84] reinforces the argument presented in [Feferman77] that category theory cannot by itself provide a foundation for mathematics, since it makes use of prior notions of logic and set abstraction. At the same time, the first paper provides motivation for constructing set theories other than the traditional Zermelo-Fraenkel and Gödel-Bernays set theories. An example of a common argument in modern algebra is presented using structures $\langle A, \otimes, =_A\rangle$ consisting of a set $A$, a commutative and associative binary operation $\otimes$ and an identity relation $=_A$ over $A$. If B is the set of all such structures, PR is the Cartesian product on B and ISO isomorphism between the elements of B, then the structure $\langle B, PR, ISO\rangle$ is itself a member of B. However, a proof of this fact cannot be formalized within the traditional set theories because of the prohibition against self-membership or self-reference. In [Gilmore89] a proof that $\langle B, PR, ISO\rangle$ is a member of B was provided within NaDSet. This encouraged the conjecture that NaDSet could provide a logic within which category theory could be formalized. This chapter substantiates this conjecture by providing a proof within NaDSet that the set of all categories is itself a category.

Category theory, of course, involves many more primitive concepts than the theory of B-structures. Section 3.1 presents a definition of a category within NaDSet that is more general in two respects than the definition given in [Barr&Wells85] or in [Mac Lane71]. First, a category is defined in terms of its arrows only, with no reference to objects, as suggested in [Lawvere66]. Secondly, the identity relation of a category is an explicit part of its structure. While the first simplification is not fundamental, the second generalization has important repercussions.
It allows each category to assume its own identity relation, which in general may be different from the extensional identity implied by the traditional definitions. The definition of category theory in section 3.1 is typical of definitions of an axiomatic theory within NaDSet. The axioms of the theory are used only to define the set of structures satisfying the axioms, and in no way imply the existence of a structure satisfying them. Therefore, the formalization of the theory within NaDSet has no existential implications for NaDSet. This fact may help to provide an answer to the question posed in [Blass84]: does category theory necessarily involve existential principles that go beyond those of other mathematical disciplines? When a traditional set theory is used as a foundation for category theory, it is necessary to distinguish between small and large categories [Mac Lane71]. That is not necessary when category theory is formalized within NaDSet. Of course this does not provide an answer to the question: does the proof of the existence of some categories involve existential principles that go beyond those of other mathematical disciplines?

In section 3.2 the notion of a functor on categories is formalized. Section 3.3, which constitutes the larger part of the chapter, provides the necessary definitions for the category of categories and the detailed NaDSet proof that the category of categories is itself a category. This proof is of necessity greatly abbreviated, but nevertheless remains long and tedious. Since NaDSet is a logic novel to most readers, and since formal derivations are generally foreign to category theory, this chapter possibly errs on the side of providing too much detail rather than too little. However, by examining only parts of the derivations provided, readers may gain confidence in the principal result and in the capability of NaDSet to provide logical foundations for category theory.
The ubiquitous notions of natural transformations and functor categories are formalized in section 3.4, while in section 3.5 definitions and theorems for a variety of basic constructions, including comma categories, universals, limits and adjoints, are provided. These two sections further demonstrate that NaDSet may be used as the logic for category theory, and suggest that any construct in category theory, as well as in the theories of toposes, sheaves, triples, etc., can be formalized within NaDSet in a similar way.

3.1 CATEGORIES

A NaDSet definition of the set of categories will be given using the terminology provided in the introduction of [Barr&Wells85], with one exception: instead of using objects and arrows in defining a category, by following Lawvere's definition [Lawvere66], objects can be dispensed with altogether and only arrows used. Nevertheless, for readers who are accustomed to the more traditional definition of categories, a definition of the objects of a category in terms of its arrows is provided.

Throughout this chapter, conventional algebraic notations are used as abstraction variables and as parameters. These notations will be explained as they are introduced. Additionally, metavariables ranging over terms of NaDSet that are intended to represent algebraic concepts are used. They will always be printed in bold type. For example, the variables of this kind used in this section, together with their intended interpretation, are:

$Ar$: the set of arrows or morphisms

$=_a$: identity of arrows

$Sr$: a binary term with first argument an arrow and second argument its source object

$Tg$: a binary term with first argument an arrow and second argument its target object

$Cp$: a ternary term the third argument of which is the composite of the arrows that are its first two arguments.
The first use of these metavariables is in the following definition:

Category[$Ar, =_a, Sr, Tg, Cp$] for axioms

"axioms" is the conjunction of the sentences listed below. In these axioms, the usual infix notation for $=_a$ is used instead of the postfix notation of NaDSet.

Identity Axioms

(c1) $[\forall f:Ar]\ f =_a f$

(c2) $[\forall f,g:Ar](f =_a g \supset g =_a f)$

(c3) $[\forall f,g,h:Ar](f =_a g \land g =_a h \supset f =_a h)$

(c4) $[\forall f,g,a:Ar](f =_a g \land \langle f,a\rangle:Sr \supset \langle g,a\rangle:Sr)$

(c5) $[\forall f,a,b:Ar](a =_a b \land \langle f,a\rangle:Sr \supset \langle f,b\rangle:Sr)$

(c6) $[\forall f,g,a:Ar](f =_a g \land \langle f,a\rangle:Tg \supset \langle g,a\rangle:Tg)$

(c7) $[\forall f,a,b:Ar](a =_a b \land \langle f,a\rangle:Tg \supset \langle f,b\rangle:Tg)$

(c8) $[\forall f,g,h,k:Ar](f =_a k \land \langle f,g,h\rangle:Cp \supset \langle k,g,h\rangle:Cp)$

(c9) $[\forall f,g,h,k:Ar](g =_a k \land \langle f,g,h\rangle:Cp \supset \langle f,k,h\rangle:Cp)$

(c10) $[\forall f,g,h,k:Ar](h =_a k \land \langle f,g,h\rangle:Cp \supset \langle f,g,k\rangle:Cp)$

Sr, Tg and Cp are functions

(c11) $[\forall f:Ar][\exists a:Ar]\ \langle f,a\rangle:Sr$

(c12) $[\forall f,a,b:Ar](\langle f,a\rangle:Sr \land \langle f,b\rangle:Sr \supset a =_a b)$

(c13) $[\forall f:Ar][\exists a:Ar]\ \langle f,a\rangle:Tg$

(c14) $[\forall f,a,b:Ar](\langle f,a\rangle:Tg \land \langle f,b\rangle:Tg \supset a =_a b)$

(c15) $[\forall f,g,b:Ar](\langle f,b\rangle:Tg \land \langle g,b\rangle:Sr \supset [\exists h:Ar]\ \langle f,g,h\rangle:Cp)$

(c16) $[\forall f,g,h,a,b,c:Ar](\langle f,g,h\rangle:Cp \supset ((\langle f,a\rangle:Sr \supset \langle h,a\rangle:Sr) \land (\langle g,b\rangle:Tg \supset \langle h,b\rangle:Tg) \land (\langle f,c\rangle:Tg \equiv \langle g,c\rangle:Sr)))$

(c17) $[\forall f,g,h,k:Ar](\langle f,g,h\rangle:Cp \land \langle f,g,k\rangle:Cp \supset h =_a k)$

Note that compositions are written in the order of the arrows from left to right. Therefore, $\langle f,g,h\rangle:Cp$ if and only if $h$ is $g \circ f$, where $\circ$ denotes morphism composition.
Identity Arrows Exist

(c18) $[\forall f,a:Ar](\langle f,a\rangle:Sr \supset \langle a,a\rangle:Sr \land \langle a,a\rangle:Tg \land \langle a,f,f\rangle:Cp)$

(c19) $[\forall f,a:Ar](\langle f,a\rangle:Tg \supset \langle a,a\rangle:Sr \land \langle a,a\rangle:Tg \land \langle f,a,f\rangle:Cp)$

Composition is Associative

(c20) $[\forall f,g,h,fg,gh,fg{\mid}h,f{\mid}gh:Ar](\langle f,g,fg\rangle:Cp \land \langle g,h,gh\rangle:Cp \land \langle fg,h,fg{\mid}h\rangle:Cp \land \langle f,gh,f{\mid}gh\rangle:Cp \supset fg{\mid}h =_a f{\mid}gh)$

The set of categories is now defined to be the set of structures satisfying the given axioms:

Cat for $\{\langle Ar, =_a, Sr, Tg, Cp\rangle \mid \mathrm{Category}[Ar, =_a, Sr, Tg, Cp]\}$

where $Ar$, $=_a$, $Cp$, $Sr$ and $Tg$ are all used as variables that are bound in the abstraction term.

Finally, the projections on a tuple that represents a category can be given by the following definitions.

$Ar[\langle Ar, =_a, Sr, Tg, Cp\rangle]$ for $\{u \mid u:Ar\}$

$=_a[\langle Ar, =_a, Sr, Tg, Cp\rangle]$ for $\{\langle u,v\rangle \mid \langle u,v\rangle : =_a\}$

$Sr[\langle Ar, =_a, Sr, Tg, Cp\rangle]$ for $\{\langle u,v\rangle \mid \langle u,v\rangle:Sr\}$

$Tg[\langle Ar, =_a, Sr, Tg, Cp\rangle]$ for $\{\langle u,v\rangle \mid \langle u,v\rangle:Tg\}$

$Cp[\langle Ar, =_a, Sr, Tg, Cp\rangle]$ for $\{\langle u,v,w\rangle \mid \langle u,v,w\rangle:Cp\}$

3.1.1 Objects, Hom-Sets and Commutative Diagrams

The axiomatization of category theory presented here does not require the specification of a set of objects, since the objects of a category correspond exactly to its identity arrows. Therefore the set of objects $Ob[\langle Ar, =_a, Sr, Tg, Cp\rangle]$ of a category $\langle Ar, =_a, Sr, Tg, Cp\rangle$ may be defined to be any one of the following extensionally identical terms.
(i) $\{x \mid x:Ar \land \langle x,x\rangle:Sr \land \langle x,x\rangle:Tg\}$

(ii) $\{x \mid x:Ar \land ([\exists f:Ar]\,\langle f,x\rangle:Sr \lor [\exists f:Ar]\,\langle f,x\rangle:Tg)\}$

(iii) $\{x \mid x:Ar \land [\forall f,g:Ar](\langle f,x,g\rangle:Cp \supset f =_a g) \land [\forall f,g:Ar](\langle x,f,g\rangle:Cp \supset f =_a g)\}$

The hom-set for objects $o_1$ and $o_2$ can be defined:

$\mathrm{Hom}[o_1, o_2]$ for $\{x \mid x:Ar \land \langle x,o_1\rangle:Sr \land \langle x,o_2\rangle:Tg\}$

Finally, that the diagram

[Figure: a triangle with arrows $f$ from $a$ to $b$, $g$ from $b$ to $c$ and $h$ from $a$ to $c$; not reproduced]

commutes means

$\langle f,a\rangle:Sr \land \langle f,b\rangle:Tg \land \langle g,b\rangle:Sr \land \langle g,c\rangle:Tg \land \langle f,g,h\rangle:Cp$,

while that the diagram

[Figure: a square with arrows $f$ from $a$ to $b$, $g$ from $b$ to $c$, $k$ from $a$ to $d$ and $m$ from $d$ to $c$; not reproduced]

commutes means

$\langle f,a\rangle:Sr \land \langle f,b\rangle:Tg \land \langle g,b\rangle:Sr \land \langle g,c\rangle:Tg \land \langle k,a\rangle:Sr \land \langle k,d\rangle:Tg \land \langle m,d\rangle:Sr \land \langle m,c\rangle:Tg \land [\exists h:Ar](\langle f,g,h\rangle:Cp \land \langle k,m,h\rangle:Cp)$,

that is, that both the triangles into which the square is split by $h$ commute.

3.2 FUNCTORS

To define the category of categories the notion of a functor from one category to another is needed. Its definition is given in the typical NaDSet style, with the symbols $F$, $Ar_C$, $=_{aC}$, $Sr_C$, $Tg_C$, $Cp_C$, $Ar_D$, $=_{aD}$, $Sr_D$, $Tg_D$ and $Cp_D$ used as metavariables ranging over second order terms.

Functor[$F$, $\langle Ar_C, =_{aC}, Sr_C, Tg_C, Cp_C\rangle$, $\langle Ar_D, =_{aD}, Sr_D, Tg_D, Cp_D\rangle$] for axioms

where axioms consists of the conjunction of the following sentences:

F is a map for categories

(f1) $\langle Ar_C, =_{aC}, Sr_C, Tg_C, Cp_C\rangle : \mathrm{Cat}$

(f2) $\langle Ar_D, =_{aD}, Sr_D, Tg_D, Cp_D\rangle : \mathrm{Cat}$

F maps arrows to arrows, preserving arrow identity

(f3) $[\forall fc:Ar_C][\exists fd:Ar_D]\ \langle fc,fd\rangle:F$

(f4) $[\forall fc,gc:Ar_C][\forall fd,gd:Ar_D](fc =_{aC} gc \land \langle fc,fd\rangle:F \land \langle gc,gd\rangle:F \supset fd =_{aD} gd)$

(f5) $[\forall fc,gc:Ar_C][\forall fd:Ar_D](fc =_{aC} gc \land \langle fc,fd\rangle:F \supset \langle gc,fd\rangle:F)$

(f6) $[\forall fc:Ar_C][\forall fd,gd:Ar_D](fd =_{aD} gd \land \langle fc,fd\rangle:F \supset \langle fc,gd\rangle:F)$

F preserves source, target and composition

(f7) $[\forall fc,c:Ar_C][\forall fd,d:Ar_D](\langle fc,c\rangle:Sr_C \land \langle fc,fd\rangle:F \land \langle c,d\rangle:F \supset \langle fd,d\rangle:Sr_D)$

(f8) $[\forall fc,c:Ar_C][\forall fd,d:Ar_D](\langle fc,c\rangle:Tg_C \land \langle fc,fd\rangle:F \land \langle c,d\rangle:F \supset \langle fd,d\rangle:Tg_D)$

(f9) $[\forall fc_1,fc_2,fc_3:Ar_C][\forall fd_1,fd_2,fd_3:Ar_D](\langle fc_1,fc_2,fc_3\rangle:Cp_C \land \langle fc_1,fd_1\rangle:F \land \langle fc_2,fd_2\rangle:F \land \langle fc_3,fd_3\rangle:F \supset \langle fd_1,fd_2,fd_3\rangle:Cp_D)$

Functors, following a suggestion of [Lawvere66], are defined as triples that include the source and target categories. The set of functors is defined:

Func for $\{\langle F, \langle Ar_C, =_{aC}, Sr_C, Tg_C, Cp_C\rangle, \langle Ar_D, =_{aD}, Sr_D, Tg_D, Cp_D\rangle\rangle \mid \mathrm{Functor}[F, \langle Ar_C, =_{aC}, Sr_C, Tg_C, Cp_C\rangle, \langle Ar_D, =_{aD}, Sr_D, Tg_D, Cp_D\rangle]\}$

The set of functors from a category $\langle Ar_C, =_{aC}, Sr_C, Tg_C, Cp_C\rangle$ to a category $\langle Ar_D, =_{aD}, Sr_D, Tg_D, Cp_D\rangle$ is defined as

Func[$\langle Ar_C, =_{aC}, Sr_C, Tg_C, Cp_C\rangle$, $\langle Ar_D, =_{aD}, Sr_D, Tg_D, Cp_D\rangle$] for $\{x \mid \langle x, \langle Ar_C, =_{aC}, Sr_C, Tg_C, Cp_C\rangle, \langle Ar_D, =_{aD}, Sr_D, Tg_D, Cp_D\rangle\rangle : \mathrm{Func}\}$.

In [Mac Lane71] and [Barr&Wells85] an additional axiom is included in the definition of functors; the axiom states that a functor must map identity arrows to identity arrows. But that axiom is not independent of the seven axioms given here.
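To make the axioms of sections 3.1 and 3.2 concrete, the following is an added Python check (example code, not from the thesis) that decides by exhaustive enumeration which of (c1) to (c20), which of the object definitions (i) to (iii) of section 3.1.1, and which of (f1) to (f9) a finite structure violates, and tests the identity-preservation property of lemma 3.2.1 on a constructed two-object category. The class `Cat`, the function names and the sample data are this example's own choices; a structure is given as finite relations and the bounded quantifiers become loops over the arrows.

```python
"""Added example (not code from the thesis): the category axioms (c1)-(c20) of section
3.1, the three object definitions of section 3.1.1 and the functor axioms (f1)-(f9) of
section 3.2, checked on finite structures by exhaustive enumeration.  Names are mine."""
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Cat:
    """A structure <Ar, =a, Sr, Tg, Cp> with each component a finite relation."""
    Ar: frozenset   # arrows
    Eq: frozenset   # =a, as pairs <f,g>
    Sr: frozenset   # pairs <f,a>: a is the source of f
    Tg: frozenset   # pairs <f,a>: a is the target of f
    Cp: frozenset   # triples <f,g,h>: h is g∘f (f first, then g)

def congruent(R, Eq, Ar):
    """(c4)-(c10): membership in R survives replacing a component by an =a-equal arrow."""
    return all(tup[:i] + (y,) + tup[i + 1:] in R
               for tup in R for i, x in enumerate(tup) for y in Ar if (x, y) in Eq)

def category_failures(C):
    """The axioms among (c1)-(c20) that C violates (empty list: C is a category)."""
    Ar, Eq, Sr, Tg, Cp = C.Ar, C.Eq, C.Sr, C.Tg, C.Cp
    eq = lambda f, g: (f, g) in Eq
    src = lambda f: {a for a in Ar if (f, a) in Sr}
    tgt = lambda f: {a for a in Ar if (f, a) in Tg}
    cp = lambda f, g: {h for h in Ar if (f, g, h) in Cp}
    pairs, triples = list(product(Ar, repeat=2)), list(product(Ar, repeat=3))
    checks = [
        ("c1", all(eq(f, f) for f in Ar)),
        ("c2", all(eq(g, f) for f, g in pairs if eq(f, g))),
        ("c3", all(eq(f, h) for f, g, h in triples if eq(f, g) and eq(g, h))),
        ("c4-c10", all(congruent(R, Eq, Ar) for R in (Sr, Tg, Cp))),
        ("c11", all(src(f) for f in Ar)),
        ("c12", all(eq(a, b) for f in Ar for a in src(f) for b in src(f))),
        ("c13", all(tgt(f) for f in Ar)),
        ("c14", all(eq(a, b) for f in Ar for a in tgt(f) for b in tgt(f))),
        ("c15", all(cp(f, g) for f, g in pairs if tgt(f) & src(g))),
        ("c16", all(src(f) <= src(h) and tgt(g) <= tgt(h) and tgt(f) == src(g)
                    for f, g, h in Cp)),
        ("c17", all(eq(h, k) for f, g in pairs for h in cp(f, g) for k in cp(f, g))),
        ("c18", all((a, a) in Sr and (a, a) in Tg and (a, f, f) in Cp
                    for f in Ar for a in src(f))),
        ("c19", all((a, a) in Sr and (a, a) in Tg and (f, a, f) in Cp
                    for f in Ar for a in tgt(f))),
        ("c20", all(eq(u, w) for f, g, h in triples for fg in cp(f, g) for gh in cp(g, h)
                    for u in cp(fg, h) for w in cp(f, gh))),
    ]
    return [name for name, holds in checks if not holds]

def objects(C, definition=1):
    """Ob[C] by definition (i), (ii) or (iii) of section 3.1.1."""
    Ar, Eq, Sr, Tg, Cp = C.Ar, C.Eq, C.Sr, C.Tg, C.Cp
    if definition == 1:
        return {x for x in Ar if (x, x) in Sr and (x, x) in Tg}
    if definition == 2:
        return {x for x in Ar if any((f, x) in Sr or (f, x) in Tg for f in Ar)}
    return {x for x in Ar if all((f, g) in Eq for f, g in product(Ar, repeat=2)
                                 if (f, x, g) in Cp or (x, f, g) in Cp)}

def functor_failures(F, C, D):
    """The axioms among (f1)-(f9) that F, a set of pairs <fc,fd>, violates from C to D."""
    eqC, eqD = (lambda f, g: (f, g) in C.Eq), (lambda f, g: (f, g) in D.Eq)
    img = lambda fc: {fd for fd in D.Ar if (fc, fd) in F}
    pairs = list(product(C.Ar, repeat=2))
    checks = [
        ("f1", not category_failures(C)),
        ("f2", not category_failures(D)),
        ("f3", all(img(fc) for fc in C.Ar)),
        ("f4", all(eqD(fd, gd) for fc, gc in pairs if eqC(fc, gc)
                   for fd in img(fc) for gd in img(gc))),
        ("f5", all(fd in img(gc) for fc, gc in pairs if eqC(fc, gc) for fd in img(fc))),
        ("f6", all(gd in img(fc) for fc in C.Ar for fd in img(fc) for gd in D.Ar if eqD(fd, gd))),
        ("f7", all((fd, d) in D.Sr for fc, c in C.Sr for fd in img(fc) for d in img(c))),
        ("f8", all((fd, d) in D.Tg for fc, c in C.Tg for fd in img(fc) for d in img(c))),
        ("f9", all((fd1, fd2, fd3) in D.Cp for fc1, fc2, fc3 in C.Cp
                   for fd1 in img(fc1) for fd2 in img(fc2) for fd3 in img(fc3))),
    ]
    return [name for name, holds in checks if not holds]

def maps_identities_to_identities(F, C, D):
    """The property lemma 3.2.1 derives from (f1)-(f9): F sends objects of C to objects of D."""
    return all((c, d) not in F or d in objects(D) for c in objects(C) for d in D.Ar)

# Constructed samples: TWO has objects a, b and one non-identity arrow f: a -> b;
# ONE has the single object e; COLLAPSE is the unique functor TWO -> ONE.
def finite_cat(Ar, Sr, Tg, Cp):
    Ar = frozenset(Ar)
    return Cat(Ar, frozenset((x, x) for x in Ar), frozenset(Sr), frozenset(Tg), frozenset(Cp))

TWO = finite_cat("abf", {("a", "a"), ("b", "b"), ("f", "a")}, {("a", "a"), ("b", "b"), ("f", "b")},
                 {("a", "a", "a"), ("b", "b", "b"), ("a", "f", "f"), ("f", "b", "f")})
ONE = finite_cat("e", {("e", "e")}, {("e", "e")}, {("e", "e", "e")})
COLLAPSE = frozenset({("a", "e"), ("b", "e"), ("f", "e")})
NO_COMPOSITE = Cat(TWO.Ar, TWO.Eq, TWO.Sr, TWO.Tg, TWO.Cp - {("f", "b", "f")})
```

Removing the composite $\langle f,b,f\rangle$ from TWO makes exactly (c15) and (c19) fail, and dropping the pair $\langle f,e\rangle$ from COLLAPSE makes exactly (f3) fail, which shows how each check isolates one axiom.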
Since the identity arrows of a category are its objects, they can be defined by one of the three equivalent definitions given in section 3.1. The first of these definitions will be used here:

  Id[<Ar_C,=a_C,Sr_C,Tg_C,Cp_C>] for { x | x:Ar_C ∧ <x,x>:Sr_C ∧ <x,x>:Tg_C }

The sequent asserted to be derivable in the following lemma expresses the additional axiom.

3.2.1 Lemma

The sequent
  → [∀x,y:Cat][∀f:Func[x,y]][∀c:Ar[x]][∀d:Ar[y]]( c:Id[x] ∧ <c,d>:f ⊃ d:Id[y] )
is derivable.

Proof of lemma 3.2.1

A derivation of the sequent follows. In this, pc and pd are first order parameters, F, Ar_C, =a_C, Sr_C, Tg_C, Cp_C and Ar_D, =a_D, Sr_D, Tg_D, Cp_D are second order parameters and C and D are abbreviations for the tuples <Ar_C,=a_C,Sr_C,Tg_C,Cp_C> and <Ar_D,=a_D,Sr_D,Tg_D,Cp_D> respectively. The derivation is read bottom-up: the sequent of the lemma is its last line, and each line is obtained from the line(s) above it.

  <pc,pc>:Sr_C → <pc,pc>:Sr_C        <pc,pd>:F → <pc,pd>:F
  <pc,pc>:Sr_C, <pc,pd>:F → *( <pc,pc>:Sr_C ∧ <pc,pd>:F ∧ <pc,pd>:F )        <pd,pd>:Sr_D → <pd,pd>:Sr_D
  *( <pc,pc>:Sr_C ∧ <pc,pd>:F ∧ <pc,pd>:F ⊃ <pd,pd>:Sr_D ), <pc,pc>:Sr_C, <pc,pd>:F → <pd,pd>:Sr_D
        pd:Ar_D → pd:Ar_D     pd:Ar_D → pd:Ar_D     pc:Ar_C → pc:Ar_C     pc:Ar_C → pc:Ar_C
  *[∀fc,c:Ar_C]*[∀fd,d:Ar_D]( <fc,c>:Sr_C ∧ <fc,fd>:F ∧ <c,d>:F ⊃ <fd,d>:Sr_D ),
        pc:Ar_C, pd:Ar_D, <pc,pc>:Sr_C, <pc,pd>:F → <pd,pd>:Sr_D                                   (a)
  *Functor[F,C,D], pc:Ar_C, pd:Ar_D, <pc,pc>:Sr_C, <pc,pd>:F → <pd,pd>:Sr_D                f7, thinning
  Functor[F,C,D], pc:Ar_C, pd:Ar_D, <pc,pc>:Tg_C, <pc,pd>:F → <pd,pd>:Tg_D                 similar to (a)
  pd:Ar_D → pd:Ar_D
  Functor[F,C,D], pc:Ar_C, pd:Ar_D, <pc,pc>:Sr_C, <pc,pc>:Tg_C, <pc,pd>:F
        → *( pd:Ar_D ∧ <pd,pd>:Sr_D ∧ <pd,pd>:Tg_D )
  Functor[F,C,D], pc:Ar_C, pd:Ar_D, *pc:Id[C], <pc,pd>:F → *pd:Id[D]
  Functor[F,C,D], pc:Ar_C, pd:Ar_D → *( pc:Id[C] ∧ <pc,pd>:F ⊃ pd:Id[D] )
  Functor[F,C,D] → *[∀c:Ar[C]]*[∀d:Ar[D]]( c:Id[C] ∧ <c,d>:F ⊃ d:Id[D] )
  *F:Func[C,D] → [∀c:Ar[C]][∀d:Ar[D]]( c:Id[C] ∧ <c,d>:F ⊃ d:Id[D] )
  *C:Cat, *D:Cat, F:Func[C,D] → [∀c:Ar[C]][∀d:Ar[D]]( c:Id[C] ∧ <c,d>:F ⊃ d:Id[D] )        thinning
  → *[∀x,y:Cat]*[∀f:Func[x,y]][∀c:Ar[x]][∀d:Ar[y]]( c:Id[x] ∧ <c,d>:f ⊃ d:Id[y] )

End of proof of lemma 3.2.1

3.3 THE CATEGORY OF CATEGORIES

3.3.1 Definitions and Preliminaries

The category of categories is defined as the tuple <Ar,=a,Sr,Tg,Cp> of the second order terms Ar, =a, Sr, Tg, Cp whose definitions are given in this section. Because of the great number of variables used in this section, some abbreviations similar to those used in the derivation of lemma 3.2.1 are again used here, and later in this chapter: the capital letters A, B, C, D, E, with or without subscripts, are used to abbreviate the tuples <Ar_A,=a_A,Sr_A,Tg_A,Cp_A>, ..., <Ar_E,=a_E,Sr_E,Tg_E,Cp_E> of the terms Ar_A, =a_A, Sr_A, Tg_A, Cp_A, ..., Ar_E, =a_E, Sr_E, Tg_E, Cp_E respectively. On different occasions these terms can be second order parameters, abstraction variables or metavariables that range over the second order terms; what the terms are to be in a particular context will be described prior to their use. In the following definitions, the letters C and D, with or without subscripts, are abbreviations for the previously mentioned tuples of abstraction variables, while the letters F, G, H, possibly subscripted, are regular abstraction variables.

A definition of the set Ar of arrows for the category of categories will be provided first; it is just the set of functors, as defined in section 3.2:

  Ar for Func

The identity =a for members of Ar is defined in terms of extensional identity.

  =a for { <<F_1,C_1,D_1>, <F_2,C_2,D_2>> | C_1 =e C_2 ∧ D_1 =e D_2 ∧ F_1 =e F_2 }

In this definition =e is the coordinate-wise extensional identity among tuples of terms defined by

  =e for { <<Ar_1,=a_1,Sr_1,Tg_1,Cp_1>, <Ar_2,=a_2,Sr_2,Tg_2,Cp_2>> |
           Ar_1 =e Ar_2 ∧ =a_1 =e =a_2 ∧ Sr_1 =e Sr_2 ∧ Tg_1 =e Tg_2 ∧ Cp_1 =e Cp_2 }

where Ar_1, =a_1, Sr_1, Tg_1, Cp_1, Ar_2, =a_2, Sr_2, Tg_2, Cp_2 are all being used as abstraction variables. The definition of the extensional identity =e of the components depends upon the context:

  Ar_1 =e Ar_2  for  [∀f:Ar_1] f:Ar_2 ∧ [∀f:Ar_2] f:Ar_1
  =a_1 =e =a_2  for  [∀f,g:Ar_1]( f =a_1 g ⊃ f =a_2 g ) ∧ [∀f,g:Ar_2]( f =a_2 g ⊃ f =a_1 g )
  Sr_1 =e Sr_2  for  [∀f,g:Ar_1]( <f,g>:Sr_1 ⊃ <f,g>:Sr_2 ) ∧ [∀f,g:Ar_2]( <f,g>:Sr_2 ⊃ <f,g>:Sr_1 )
  Tg_1 =e Tg_2  for  [∀f,g:Ar_1]( <f,g>:Tg_1 ⊃ <f,g>:Tg_2 ) ∧ [∀f,g:Ar_2]( <f,g>:Tg_2 ⊃ <f,g>:Tg_1 )
  Cp_1 =e Cp_2  for  [∀f,g,h:Ar_1]( <f,g,h>:Cp_1 ⊃ <f,g,h>:Cp_2 ) ∧ [∀f,g,h:Ar_2]( <f,g,h>:Cp_2 ⊃ <f,g,h>:Cp_1 )
  F_1 =e F_2    for  [∀f:Ar_C1][∀g:Ar_D1]( <f,g>:F_1 ⊃ <f,g>:F_2 ) ∧ [∀f:Ar_C2][∀g:Ar_D2]( <f,g>:F_2 ⊃ <f,g>:F_1 )

Clearly, the source and target of an arrow have to coincide with the identity functor of the source and target category, respectively. Their definitions follow, in a style similar to that of =a above.

  Sr for { <<F_1,C_1,D_1>, <F_2,C_2,D_2>> |
           C_2 =e C_1 ∧ D_2 =e C_1 ∧ [∀f,g:Ar_C1]( <f,g>:F_2 ≡ f =a_C1 g ) }

Similarly,

  Tg for { <<F_1,C_1,D_1>, <F_2,C_2,D_2>> |
           C_2 =e D_1 ∧ D_2 =e D_1 ∧ [∀f,g:Ar_D1]( <f,g>:F_2 ≡ f =a_D1 g ) }

The final definition needed is of Cp, composition of the arrows for the category of categories.

  Cp for { <<F_1,C_1,D_1>, <F_2,C_2,D_2>, <F_3,C_3,D_3>> |
           C_1 =e C_3 ∧ D_1 =e C_2 ∧ D_2 =e D_3 ∧
           [∀f:Ar_C1][∀g:Ar_D2]( <f,g>:F_3 ≡ [∃h:Ar_D1]( <f,h>:F_1 ∧ <h,g>:F_2 ) ) }.

The main goal of this chapter is to show that the set Cat with the defined constructs is itself a category. The proof of this result, provided later, makes use of some preliminary results that are discussed next.

Some trivial consequences of the definitions of =e (for terms and for tuples) are listed in the following lemma.

3.3.1.1 Lemma

For any second order parameters P, Q and R, the following sequents are derivable:
  (1)  P = Q → P =e Q
  (2)  → P =e P
  (3)  P =e Q → Q =e P
  (4)  P =e Q, Q =e R → P =e R

For any tuples C, D and E of second order parameters, as defined in this section, and any first order parameters a, b, c, the following sequents are derivable.
  (5)  C = D → C =e D
  (6)  → C =e C
  (7)  C =e D → D =e C
  (8)  C =e D, D =e E → C =e E
  (9)  a:Ar_C, C =e D → a:Ar_D
  (10) a =a_C b, C =e D → a =a_D b
  (11) <a,b>:Sr_C, C =e D → <a,b>:Sr_D
  (12) <a,b>:Tg_C, C =e D → <a,b>:Tg_D
  (13) <a,b,c>:Cp_C, C =e D → <a,b,c>:Cp_D

The sequents 1-13 are simple consequences of the two definitions of =e. Their derivations are elementary and are therefore omitted.

3.3.2 Identity Functors

Let

  Id[C] for =a_C

(the identity functor of C; this is a different term from the set Id[C] of identity arrows used in section 3.2). The next lemma ensures that for any category (an element of Cat) there exists an identity functor from the category to itself.

3.3.2.1 Lemma

The sequent → [∀x:Cat] <Id[x],x,x>:Ar is derivable.

Proof Outline: If C is any tuple <Ar_C,=a_C,Sr_C,Tg_C,Cp_C> of second order parameters, the lemma is obtained by an application of →∀ to the sequent

  C:Cat → <Id[C],C,C>:Ar

whose derivation is obtained as follows.

Let Ax[G,A,B] be the result of replacing F by G, <Ar_C,=a_C,Sr_C,Tg_C,Cp_C> by A and <Ar_D,=a_D,Sr_D,Tg_D,Cp_D> by B in an axiom of (f1) to (f9) in the definition of a functor in section 3.2.
From the definition of Ar, it is obvious that a proof of the lemma can be obtained from a derivation of the sequent

  C:Cat → Functor[Id[C],C,C]

by a single application of →{}. The latter derivation can in turn be obtained if for each axiom (f1) to (f9) a derivation for the sequent

  C:Cat → Ax[Id[C],C,C]                                                         (L1)

is provided. Derivations for the non-trivial cases of L1 are given in appendix A.

End of Proof

3.3.3 Composition Functors

For the next lemma, the following definition of the composition of two functors is required:

  FC[F1,C1,D1,F2,C2,D2] for { <f,g> | [∃h:Ar_D1]( <f,h>:F1 ∧ <h,g>:F2 ) }

The lemma states that if two functors are composable, their composite is also a functor.

3.3.3.1 Lemma

The sequent
  → [∀f,g:Func][∀b,c,d,e:Cat]( <f,b,c>:Ar ∧ <g,d,e>:Ar ∧ c =e d ⊃ <FC[f,b,c,g,d,e],b,e>:Ar )
is derivable.

Proof Outline: If F1, F2 are second order parameters and C1, D1, C2, D2 are the usual tuples of second order parameters, the lemma can be obtained from the sequent

  <F1,C1,D1>:Ar, <F2,C2,D2>:Ar, D1 =e C2 → <FC[F1,C1,D1,F2,C2,D2],C1,D2>:Ar

by successive applications of the →∀ rule. The last sequent can be derived from the sequent

  Functor[F1,C1,D1], Functor[F2,C2,D2], D1 =e C2 → Functor[FC[F1,C1,D1,F2,C2,D2],C1,D2]

by two applications of {}→ and one of →{}.

Let Ax[G,A,B] be as in the proof of lemma 3.3.2.1. Obviously, a proof of the latter sequent can be obtained if for each axiom (f1) to (f9) in the functor definition in section 3.2 a derivation of the sequent

  Ax[F1,C1,D1], Ax[F2,C2,D2], D1 =e C2 → Ax[FC[F1,C1,D1,F2,C2,D2],C1,D2]           (L2)

is provided. Derivations for the non-trivial cases of the last sequent are shown in appendix B.

End of Proof

3.3.4 Cat is a Category

The main theorem of the chapter is proved in this section.
The theorem states that the set of categories equipped with the structure defined in this section is itself a category.

3.3.4.1 Theorem

The sequent
  → <Ar,=a,Sr,Tg,Cp>:Cat
is derivable in NaDSet.

Proof Outline: A derivation of → <Ar,=a,Sr,Tg,Cp>:Cat can be obtained from a derivation of

  → Category[Ar,=a,Sr,Tg,Cp]

by one application of the →{} rule and the definition of Cat. To derive the latter sequent it is necessary to provide a derivation of each sequent of the form

  → Ax[Ar,=a,Sr,Tg,Cp]                                                          (T1)

where Ax[Ar,=a,Sr,Tg,Cp] is one of the axioms c1 to c20 in the definition of categories in section 3.1. Lemma 3.3.2.1 provides an eigenterm of the form <Id[C],C,C>, where C is a five-tuple of second order parameters, for the existential quantifier in (c11) and (c13), and lemma 3.3.3.1 is used to provide the eigenterm for the quantifier in (c15), which has the form

  <FC[F_1,C_1,D_1,F_2,C_2,D_2],C_1,D_2>

for some second order parameters F_1, F_2 and five-tuples of second order parameters C_1, D_1, C_2 and D_2. The derivations of the remaining sequents of the form (T1) can be obtained by simple applications of the definitions given in section 3.3.1. The complete proof of the theorem is shown in appendix C.

End of Proof

3.4 NATURAL TRANSFORMATIONS and FUNCTOR CATEGORIES

As Eilenberg and Mac Lane observed [MacLane71], "category" has been defined in order to define "functor", and "functor" has been defined in order to define "natural transformation". This notion induces an equivalence relation between categories that allows the comparison of categories that are "alike" but of different "sizes". Moreover, natural transformation is the basic ingredient in the ubiquitous construction of functor categories.
3.4.1 Natural Transformations

We now proceed with a NaDSet definition of a natural transformation from one functor to another. In this, T, F, G, Ar_B, =a_B, Sr_B, Tg_B, Cp_B, Ar_C, =a_C, Sr_C, Tg_C, Cp_C, Ar_D, =a_D, Sr_D, Tg_D, Cp_D are used as metavariables ranging over second order terms, while B, C, D are used as abbreviations of the tuples <Ar_B,=a_B,Sr_B,Tg_B,Cp_B>, <Ar_C,=a_C,Sr_C,Tg_C,Cp_C> and <Ar_D,=a_D,Sr_D,Tg_D,Cp_D> respectively.

As with categories and functors, the set of natural transformations is defined in two steps:

  NatTransform[T,F,G,C,D] for axioms

where "axioms" consists of the conjunction of the following formulas:

T is a map for functors
  <F,C,D>:Func                                                                    (t1)
  <G,C,D>:Func                                                                    (t2)

T is a function from objects in C to arrows in D
  [∀c:Ob[C]][∃tc:Ar_D] <c,tc>:T                                                  (t3)
  [∀c:Ob[C]][∀tc:Ar_D]( <c,tc>:T ⊃ [∃fc,gc:Ar_D](
      <c,fc>:F ∧ <c,gc>:G ∧ <tc,fc>:Sr_D ∧ <tc,gc>:Tg_D ))                       (t4)
  [∀c1,c2:Ob[C]][∀tc1,tc2:Ar_D]( c1 =a_C c2 ∧ <c1,tc1>:T ∧ <c2,tc2>:T ⊃ tc1 =a_D tc2 )   (t5)
  [∀c1,c2:Ob[C]][∀tc:Ar_D]( c1 =a_C c2 ∧ <c1,tc>:T ⊃ <c2,tc>:T )                  (t6)
  [∀c:Ob[C]][∀tc1,tc2:Ar_D]( tc1 =a_D tc2 ∧ <c,tc1>:T ⊃ <c,tc2>:T )               (t7)

For every arrow h: c1 → c2 of C, the diagram

      Fc1 ---Tc1---> Gc1
       |              |
      Fh             Gh
       |              |
       v              v
      Fc2 ---Tc2---> Gc2

commutes
  [∀c1,c2:Ob[C]][∀h:Ar_C][∀tc1,tc2,fh,gh:Ar_D](
      <h,c1>:Sr_C ∧ <h,c2>:Tg_C ∧ <c1,tc1>:T ∧ <c2,tc2>:T ∧ <h,fh>:F ∧ <h,gh>:G
      ⊃ [∃k:Ar_D]( <tc1,gh,k>:Cp_D ∧ <fh,tc2,k>:Cp_D ))                          (t8)

The set of natural transformations is defined:

  NatTrans for { <t,f,g,c,d> | NatTransform[t,f,g,c,d] }

Given the functors F, G: C → D, the set of natural transformations from F to G can now be defined:

  NatTrans[F,G,C,D] for { t | <t,F,G,C,D>:NatTrans }

3.4.2 Natural Equivalence

A natural transformation is a natural isomorphism (or a natural equivalence) if each component of it is an isomorphism in the target category:

  NatIsomorphism[F,G,C,D] for { t | t:NatTrans[F,G,C,D] ∧
      [∀c:Ob[C]][∀tc,d1,d2:Ar_D]( <c,tc>:t ∧ <tc,d1>:Sr_D ∧ <tc,d2>:Tg_D
          ⊃ [∃h:Ar_D]( <tc,h,d1>:Cp_D ∧ <h,tc,d2>:Cp_D )) }

Given two categories C and D, the equivalence relation among functors from C to D is given by:

  NatEq[C,D] for { <f,g> | [∃t:NatTrans[f,g,C,D]] t:NatIsomorphism[f,g,C,D] }

An equivalence relation ≅ between categories that meets the requirements mentioned at the beginning of the section can be given by the following definition, in which C, D are used as tuples of abstraction variables.

  ≅ for { <C,D> | [∃F:Func[C,D]][∃G:Func[D,C]](
      <FC[F,C,D,G,D,C], Id[C]>:NatEq[C,C] ∧ <FC[G,D,C,F,C,D], Id[D]>:NatEq[D,D] ) }

where Id[_] and FC[_,_,_,_,_,_] are the terms defined prior to lemmas 3.3.2.1 and 3.3.3.1 respectively.
3.4.3 Functor Categories

If C and D are categories, the category of functors (functor category) from C to D, denoted by D^C or FunCat[C,D], is defined as the tuple

  <Ar[C,D], =a[C,D], Sr[C,D], Tg[C,D], Cp[C,D]>

of the parameterized terms Ar[C,D], =a[C,D], Sr[C,D], Tg[C,D], Cp[C,D] whose definitions follow. Obviously, the arrows of this category are the natural transformations among functors from C to D. The reader should note that the objects of this category are the functors themselves. Thus we define

  Ar[C,D] for { <T,F,G> | NatTransform[T,F,G,C,D] }

The identity among the members of Ar[C,D] is defined in terms of the extensional identity.

  =a[C,D] for { <<T1,F1,G1>, <T2,F2,G2>> | F1 =e F2 ∧ G1 =e G2 ∧ T1 =e T2 }.

The identity =e for the terms that represent functors (the F's and G's) was defined in section 3.3.1; it only remains to give its definition for the terms representing natural transformations:

  T1 =e T2 for [∀c:Ob[C]][∀d:Ar_D]( <c,d>:T1 ≡ <c,d>:T2 ).

The source and the target of an arrow coincide with the source and the target functors of the transformation, which are viewed as identity natural transformations. Consequently we define

  Sr[C,D] for { <<T1,F1,G1>, <T2,F2,G2>> | T2 =e F1 ∧ F2 =e F1 ∧ G2 =e F1 }

and

  Tg[C,D] for { <<T1,F1,G1>, <T2,F2,G2>> | T2 =e G1 ∧ F2 =e G1 ∧ G2 =e G1 }.

Finally, the composition of two natural transformations is given by the next definition.

  Cp[C,D] for { <<T1,F1,G1>, <T2,F2,G2>, <T3,F3,G3>> |
      F1 =e F3 ∧ G1 =e F2 ∧ G2 =e G3 ∧
      [∀c:Ob[C]][∀d:Ar_D]( <c,d>:T3 ≡
          [∃d1,d2:Ar_D]( <c,d1>:T1 ∧ <c,d2>:T2 ∧ <d1,d2,d>:Cp_D )) }.

The sequent of the following theorem states that for any categories C, D, the set of functors from C to D is itself a category.
3.4.3.1 Theorem

The sequent
  → [∀x,y:Cat] <Ar[x,y], =a[x,y], Sr[x,y], Tg[x,y], Cp[x,y]>:Cat
is derivable within NaDSet.

A derivation of the theorem can be obtained if a derivation is provided for each sequent of the form

  Ax[Ar_C,=a_C,Sr_C,Tg_C,Cp_C], Ax[Ar_D,=a_D,Sr_D,Tg_D,Cp_D]
      → Ax[Ar[C,D],=a[C,D],Sr[C,D],Tg[C,D],Cp[C,D]]

where Ar_C, =a_C, Sr_C, Tg_C, Cp_C, Ar_D, =a_D, Sr_D, Tg_D, Cp_D are second order parameters, C and D are the tuples <Ar_C,=a_C,Sr_C,Tg_C,Cp_C>, <Ar_D,=a_D,Sr_D,Tg_D,Cp_D> and Ax[_,_,_,_,_] is one of the axioms (c1) to (c20). The latter derivations are similar (in structure as well as in length) to those in the proof of theorem 3.3.4.1 and are omitted for space reasons.

3.5 OTHER CONSTRUCTIONS

3.5.1 Opposites

To each category C we associate the opposite category C^op, defined to be the term

  <Ar_C, =a_C, Sr^op[C], Tg^op[C], Cp^op[C]>

with components:

  Sr^op[C] for { <u,v> | <u,v>:Tg_C }
  Tg^op[C] for { <u,v> | <u,v>:Sr_C }
  Cp^op[C] for { <u,v,g> | <v,u,g>:Cp_C }

3.5.1.1 Lemma

The sequents
  → [∀x:Cat] x^op:Cat
  → [∀x:Cat] (x^op)^op =e x
are derivable.

3.5.2 Product Categories

Given two categories B and C, their product B×C is defined to be the term

  <Ar×[B,C], =a×[B,C], Sr×[B,C], Tg×[B,C], Cp×[B,C]>

with components:

  Ar×[B,C] for { <u,v> | u:Ar_B ∧ v:Ar_C }
  =a×[B,C] for { <<u,v>,<f,g>> | <u,f>:=a_B ∧ <v,g>:=a_C }
  Sr×[B,C] for { <<u,v>,<f,g>> | <u,f>:Sr_B ∧ <v,g>:Sr_C }
  Tg×[B,C] for { <<u,v>,<f,g>> | <u,f>:Tg_B ∧ <v,g>:Tg_C }
  Cp×[B,C] for { <<u1,v1>,<u2,v2>,<f,g>> | <u1,u2,f>:Cp_B ∧ <v1,v2,g>:Cp_C }.

Given two functors F and G their product F×G is given by:

  F×G for { <<u,v>,<f,g>> | <u,f>:F ∧ <v,g>:G }.

3.5.2.1 Lemma

The sequents
  → [∀w,z:Cat] w×z:Cat
  → [∀w1,w2,z1,z2:Cat][∀f:Func[w1,z1]][∀g:Func[w2,z2]] f×g:Func[w1×w2, z1×z2]
are derivable.

3.5.3 Comma Categories

If B, C and D are categories and F:C→B, G:D→B functors, the comma category (F,G) is defined to be the term

  <Ar[F,G,B,C,D], =a[F,G,B,C,D], Sr[F,G,B,C,D], Tg[F,G,B,C,D], Cp[F,G,B,C,D]>

with components:

  Ar[F,G,B,C,D] for { <u,v,w,x> | u:Ar_C ∧ v:Ar_D ∧ w:Ar_B ∧ x:Ar_B ∧
      [∃f,g,h:Ar_B]( <u,f>:F ∧ <v,g>:G ∧ <f,x,h>:Cp_B ∧ <w,g,h>:Cp_B ) }
  =a[F,G,B,C,D] for { <<u1,v1,w1,x1>,<u2,v2,w2,x2>> |
      <u1,u2>:=a_C ∧ <v1,v2>:=a_D ∧ <w1,w2>:=a_B ∧ <x1,x2>:=a_B }
  Sr[F,G,B,C,D] for { <<u1,v1,w1,x1>,<u2,v2,w2,x2>> |
      <u1,u2>:Sr_C ∧ <v1,v2>:Sr_D ∧ <w1,w2>:=a_B ∧ <w1,x2>:=a_B }
  Tg[F,G,B,C,D] for { <<u1,v1,w1,x1>,<u2,v2,w2,x2>> |
      <u1,u2>:Tg_C ∧ <v1,v2>:Tg_D ∧ <x1,w2>:=a_B ∧ <x1,x2>:=a_B }
  Cp[F,G,B,C,D] for { <<u1,v1,w1,x1>,<u2,v2,w2,x2>,<u3,v3,w3,x3>> |
      <w1,w3>:=a_B ∧ <x1,w2>:=a_B ∧ <x2,x3>:=a_B ∧ <u1,u2,u3>:Cp_C ∧ <v1,v2,v3>:Cp_D }.

The meticulous reader will have already noticed in the last definition a slight deviation from the traditional one. The arrows of a comma category, according to the above definition, are quadruples instead of pairs. Although such a deviation is immaterial (it only affects the representation of the construct, not its properties), it has been found necessary in order to avoid the explicit use of objects and Hom-sets. Nevertheless, it can be shown that a triple <e,d,f> is an object of (F,G) as defined in [MacLane71] iff <e,d,f,f> is an object of (F,G) according to our definition. Moreover, an arrow <k,h>: <e,d,f> → <e',d',f'> in [MacLane71] is exactly the arrow <k,h,f,f'> in our definition.
The difference is that in the first case an arrow cannot be determined by the pair <k,h> alone without explicitly giving its source and target, while in our presentation the tuple <k,h,f,f'> uniquely determines an arrow in (F,G).

3.5.3.1 Lemma

The sequent
  → [∀x,y,z:Cat][∀f:Func[x,y]][∀g:Func[z,y]] (f,g):Cat
is derivable.

3.5.4 Universal Arrows and Limits

To improve readability, in the next two sections additional abbreviations will be used that resemble the functional notation used in mathematics. Specifically, if F is a functor (or transformation) from B to C, we use:

  F[x]_C     for { y | y:Ar_C ∧ <x,y>:F },
  [y→z]_C    for { w | w:Ar_C ∧ <w,y>:Sr_C ∧ <w,z>:Tg_C },

and, combining them,

  [y→F[x]]_C for { w | w:Ar_C ∧ <w,y>:Sr_C ∧ [∃z:F[x]_C] <w,z>:Tg_C }.

Similar definitions can be given for [F[y]→x]_C and [F[y]→F[x]]_C.

We can proceed now with the definition of universal arrows. Given a functor F:D→C and an object c of C, the following term defines the set of universal arrows from c to F.

  UniArrFrom[F,D,C,c] for { <r,u> | r:Ob[D] ∧ u:[c→F[r]]_C ∧
      [∀d:Ob[D]][∀g:[c→F[d]]_C][∃g1:[r→d]_D][∃fg1:F[g1]_C]( <u,fg1,g>:Cp_C ∧
          [∀g2:[r→d]_D][∀fg2:F[g2]_C]( <u,fg2,g>:Cp_C ⊃ g1 =a_D g2 )) }

By duality, the set of universal arrows from the functor F to an object c is given by:

  UniArrTo[F,D,C,c] for { <r,u> | r:Ob[D] ∧ u:[F[r]→c]_C ∧
      [∀d:Ob[D]][∀g:[F[d]→c]_C][∃g1:[d→r]_D][∃fg1:F[g1]_C]( <fg1,u,g>:Cp_C ∧
          [∀g2:[d→r]_D][∀fg2:F[g2]_C]( <fg2,u,g>:Cp_C ⊃ g1 =a_D g2 )) }

A definition of the diagonal functor must precede a discussion of limits and colimits. In the following definitions B and C are categories, c an object of C and f an arrow of C:

  DF[B,C,c] for { <u,v> | u:Ar_B ∧ v =a_C c }
  DT[B,C,f] for { <u,v> | u:Ob[B] ∧ v =a_C f }.

The diagonal functor from C to C^B is defined as

  Δ[B,C] for { <u,y> | u:Ar_C ∧ y =e DT[B,C,u] }

The following lemma justifies these definitions:

3.5.4.1 Lemma

The sequents
  → [∀j,x:Cat][∀c:Ob[x]] DF[j,x,c]:Func[j,x]
  → [∀j,x:Cat][∀c,c':Ar_x][∀f:[c→c']_x] DT[j,x,f]:NatTrans[DF[j,x,c], DF[j,x,c'], j, x]
  → [∀j,x:Cat] Δ[j,x]:Func[x, x^j]
are derivable.

Definitions of limits and colimits can now be given. Given a functor F:B→C, the limits for F are given by

  Limit[F,B,C] for { <u,v> | <u,v>:UniArrTo[Δ[B,C], C, C^B, F] }

and the colimits of F by

  Colimit[F,B,C] for { <u,v> | <u,v>:UniArrFrom[Δ[B,C], C, C^B, F] }.

Products, powers, equalizers, pullbacks and their duals can easily be defined as special cases of limits and colimits respectively.

3.5.5 Adjoints

Given two categories C, D, an adjunction from C to D consists of a pair of functors F:C→D, G:D→C and a natural transformation η from the identity functor of C to the composition of F and G, with some additional properties given by the following definition.

  Adjunction[C,D,F,G,η] for
      F:Func[C,D] ∧ G:Func[D,C] ∧ η:NatTrans[Id[C], FC[F,C,D,G,D,C], C, C] ∧
      [∀x:Ob[C]][∀y:Ob[D]][∀f:[x→G[y]]_C][∃ηx:η[x]_C][∃f1:[F[x]→y]_D][∃gf1:G[f1]_C](
          <ηx,gf1,f>:Cp_C ∧
          [∀f2:[F[x]→y]_D][∀gf2:G[f2]_C]( <ηx,gf2,f>:Cp_C ⊃ f1 =a_D f2 ))

or equivalently,

  Adjunction[C,D,F,G,η] for
      F:Func[C,D] ∧ G:Func[D,C] ∧ η:NatTrans[Id[C], FC[F,C,D,G,D,C], C, C] ∧
      [∀x:Ob[C]][∃fx:F[x]_D][∃ηx:η[x]_C] <fx,ηx>:UniArrFrom[G,D,C,x]

Finally, the set of adjoint pairs of functors from C to D is defined as

  Adjoint[C,D] for { <f,g> | [∃η:NatTrans[Id[C], FC[f,C,D,g,D,C], C, C]] Adjunction[C,D,f,g,η] }.

3.6 ADDITIONAL ISSUES

The discussion in the last section suggests that the variety of constructs defined for categories, toposes, triples and related theories [Barr&Wells85] can be defined within NaDSet.
Nevertheless, there are two kinds of issues that have not been addressed in this chapter. The first concerns the definition of the category of sets per se, and the second involves notions like completeness that make either an implicit or an explicit reference to the traditional foundations of category theory. Although these issues are topics of future research, some preliminary ideas and directions are presented in the following paragraphs.

In a traditional presentation of category theory [MacLane71], the category of sets, Set, is defined to be a category whose objects consist of every object that a classical set theory accepts as a set and whose arrows are the mappings among these sets. In NaDSet, however, set abstraction is introduced via abstraction rules, rather than through a comprehension axiom scheme, and enjoys an equal treatment with the connectives and quantifiers. As a consequence, NaDSet provides a characterization of sound arguments, and not a characterization of acceptable sets. Nevertheless, the category Set should be definable within NaDSet. Section 8 of [Gilmore89] provides a NaDSet formalization of Gödel-Bernays set theory within which every theorem of Gödel-Bernays theory can be derived. Using the formalization, it should be possible to define a term representing the class of Gödel-Bernays sets; the class of mappings among these sets can then be defined as the set of triples with elements the domain, co-domain, and the extension of the mapping. Among the remaining components of Set, target, source and composition should have the expected definitions, while arrow identity is taken to be the extensional identity over the mappings. It is expected that the traditional categorical constructions that are related to Set, such as hom-functors, functor representations and the Yoneda construction, can also be developed within NaDSet.
Set is not the only meaningful category of sets that can be defined within NaDSet. There are two identity relations definable in the theory: the intensional identity defined by

  = for { <u,v> | [∀z]( u:z ⊃ v:z ) }

and the extensional identity

  =e for { <u,v> | [∀z]( z:u ≡ z:v ) }.

Each one of them defines a different 'universal' set:

  V1 for { u | u = u }
  V2 for { u | u =e u }.

Any one of V1, V2 and V1 ∩ V2 can be used as the object component of a category of sets V1Set, V2Set and V12Set, respectively. It should be possible to show that Set is a subcategory of V1Set. What properties each of them has, and whether the classical constructions on Set can be carried over to these categories, remains to be seen.

An analogous treatment may be given to the second group of issues. The concept of completeness is taken to illustrate the main idea. A category is said to be small if its objects and arrows are Gödel-Bernays sets. Traditionally, a category C is called small-complete if every functor from a small category J to C has a limit [MacLane71]. Such a notion can be defined in NaDSet given the NaDSet definition of Gödel-Bernays sets. Moreover we believe that classical results like Freyd's proposition (that a small category which is small-complete is a preorder) [MacLane71] can be proved in this framework.

Nonetheless, a more general notion of completeness can be defined in NaDSet. Let R be a unary relation on Cat definable within NaDSet, and define an R-category to be one that satisfies R. A category C is called R-complete if every functor from an R-category to C has a limit. Small-complete categories, categories with terminal objects, with products, with pullbacks, with finite products, etc. are some of the interesting special cases of R-complete categories.
Chapter IV: Programming Semantics  54

CHAPTER IV

Programming Language Semantics in NaDSet

In the field of programming language semantics, the need for unrestricted abstraction that provides for self-referential definitions was recognized early by many of its researchers. [Scott70], for instance, describes the problems of self-application that can arise when interpreting programming languages and proposes a solution that has led to the development of denotational semantics. Although domain theory provides an elegant mathematical foundation for the semantics of the λ-calculus and programming languages in general, it is not a formal theory in the sense described in the introduction of the thesis; it lacks an effective proof theory. In Scott's foreword to [Stoy77], he concludes "For the future the problems of an adequate proof theory and of explaining non-determinism loom very large." NaDSet, on the other hand, not only has an effective proof theory, its sequent calculus presentation can benefit from a variety of automated deduction techniques already established for this type of system [Bibel87].

The need for such a set theory for the development of programming language semantics is illustrated by contrasting the presentation of recursive definitions in first order logic with their presentation in NaDSet. Within first order logic such definitions are always incomplete in a very simple sense: induction axioms must be added to the given definitions and extended with every new recursive definition. Within a set theory such as NaDSet, recursive definitions of sets are represented as terms in the theory and are complete in the sense that all properties of the set can be derived from its definition. Such definitions not only have this advantage of completeness, but they also permit recursively defined sets to be members of the universe of discourse of the logic and thereby be shown to be members of other defined sets.
This is particularly important when complex recursive definitions are needed, such as those in programming languages. Furthermore, set definitions do not in any way modify the models of NaDSet; there need never be a concern that inconsistent axioms may be introduced. Finally, recursive definitions of disparate fields can be kept together without any concern that one definition may interact in an unfore­seeable way with another.

These advantages are demonstrated by defining in NaDSet the semantics of a simple programming language. Its expressions include simple boolean expressions and its commands include conditional, while and repeat commands. Recursive definitions for the set of expressions and commands of the language, as well as for their semantics, are provided, and some simple lemmas are derived as an illustration of the use of this type of definition within the proof theory. The main result in this section is the derivation of a theorem stating the semantic equivalence between the command "C repeatwhile E" and the sequence "C; while E do C". The latter is a demonstration of the first point made in the previous paragraph: the defined semantics is formal, meaning that an effective proof theory is available to reason about it. It should be emphasized that when the lambda calculus is used to define the denotational semantics of this language, such a theorem cannot be proved within that formalism; a type of fixed point induction rule is needed that is not available within the theory. Moreover, in a formalization of domain theory such a proof needs, in addition to a fixed point induction rule (or axioms), some type of admissibility test, as was pointed out by Scott. NaDSet's ability to carry out this type of reasoning, without resorting to any additional assumptions, is a strong indication of its suitability in this field.
To further illustrate the use of NaDSet in defining the semantics of nondeterministic languages, a nondeterministic command named choice is added to the language and its semantics is defined. The main purpose of this addition is to show that it does not change the semantics of commands (or of a program); this is to be contrasted with traditional denotational semantics. In NaDSet the semantics of a command is defined by a term that represents a binary relation over the states. Informally, the pair <s1,s2> is in the semantics of the command C if it is possible to execute C in state s1 and result in state s2. The semantics of a nondeterministic command is nothing more than that; the difference is that an initial state can be associated with more than one final state. On the other hand, some kind of power set (or power domain) construction is needed to express this concept in traditional denotational semantics.

4.1 FORMALIZING RECURSIVE DEFINITIONS

Two contrasting approaches to formalizing recursive definitions correspond to two different views of mathematics. In the first, a derivative of Hilbert's "formalist" view of mathematics, a recursive definition is expressed by axioms added to first order logic. This is the method used in the programming language Prolog. In the second, a derivative of the Frege-Russell "logistic" view of mathematics [Wilder58], a recursive definition is provided by an abstraction term within a formalized set theory. For derivations of atomic sentences, that is for programming, both methods work equally well. But to prove results about programs, for example to define a formal semantics for programs, only the second approach is satisfactory.
This will be demonstrated in the next two subsections.

4.1.1 Axiomatic Method

Given 0 as a constant, and ' as a one place successor function, a one place natural number predicate N is defined by the axioms:

  N[0]
  ∀u( N[u] ⊃ N[u'] )

A related predicate NN can similarly be defined by the axioms

  NN[0']
  ∀u( NN[u] ⊃ NN[u'] )

However it is not possible to prove from these four axioms the theorem:

  ∀u( NN[u] ⊃ N[u] )

A counter-example is provided by the interpretations

  N  is  { 0, 0', 0'', ... }
  NN is  { c, c', c'', ..., 0', 0'', ... }

Under these interpretations, both N and NN satisfy their axioms, but

  ( NN[c] ∧ ~N[c] )

is true. To prove the theorem an additional axiom is needed for NN, namely

  ( N[0'] ∧ ∀u( N[u] ⊃ N[u'] ) ⊃ ∀u( NN[u] ⊃ N[u] ))

which is an instance of an induction axiom for NN. Because a recursive definition by first order axioms always requires the addition of new axioms with each new recursive definition, such definitions are said to be incomplete. Consider, for example, the definition of the plus predicate by the axioms:

  ∀u( N[u] ⊃ +[0,u,u] )
  ∀u∀v∀w( N[u] ∧ N[v] ∧ N[w] ∧ +[u,v,w] ⊃ +[u',v,w'] )

From the given axioms, the theorem

  ∀u( NN[u] ⊃ ∃v( NN[v] ∧ +[u,u,v] ))

can only be proved from additional axioms for N. The need to add additional axioms to recursive definitions is more than just an inconvenience: there is always the danger of adding inconsistent axioms. Further, some kinds of results for computer science, as for mathematics, require proving that a particular formula is not derivable; for such results it is necessary that all assumptions be made explicit.

4.1.2 NaDSet Method

Consider now recursive definitions for N, NN and + in NaDSet.
Recall that intensional identity is defined:

$=$ for $\{\langle u,v\rangle \mid \forall w(u:w \equiv v:w)\}$

The usual infix notation for identity is used in the following definitions:

$0$ for $\{u \mid \neg u = u\}$
$\{t\}$ for $\{v \mid v = t\}$
$NCls$ for $\{z \mid 0:z \wedge \forall u(u:z \supset \{u\}:z)\}$
$N$ for $\{x \mid [\forall z:NCls]\,x:z\}$
$NNCls$ for $\{z \mid \{0\}:z \wedge \forall u(u:z \supset \{u\}:z)\}$
$NN$ for $\{x \mid [\forall z:NNCls]\,x:z\}$

The definitions of NCls and NNCls, prior to the definitions of N and NN, will be typical of the recursive definitions provided in this paper. NCls, for instance, is the set of sets that have 0 as member and are closed under successor (0-successor sets). The bounded universal quantifier $[\forall z:NCls]$ in the definition of N, together with the scope of the quantifier, ensures that N is the least such set. Similar remarks can be made for the definitions of NNCls and NN. The sequent

$\to \forall u(u:NN \supset u:N)$

is derivable in NaDSet. In the following derivation from the sequent (a), 'p' and 'q' are first order parameters, and 'Q' is a second order parameter. Readers are advised to read the derivation as it has been developed, namely bottom-up. An attractive feature of natural deduction presentations is that the derivation of a sequent is almost determined by the sequent.

(a) $Q:NCls \to Q:NNCls$
$p:Q \to p:Q$
${*}[\forall z:NNCls]\,p:z,\ Q:NCls \to p:Q$
${*}p:NN,\ Q:NCls \to p:Q$
$p:NN \to {*}[\forall z:NCls]\,p:z$
$p:NN \to {*}p:N$
$\to {*}\forall u(u:NN \supset u:N)$

A derivation of the sequent (a) from the sequent (b) follows:

$q:Q \to q:Q$
$\{q\}:Q \to \{q\}:Q$
$q:Q,\ (q:Q \supset \{q\}:Q) \to \{q\}:Q$
$(q:Q \supset \{q\}:Q) \to (q:Q \supset \{q\}:Q)$
${*}[\forall u](u:Q \supset \{u\}:Q) \to (q:Q \supset \{q\}:Q)$
$[\forall u](u:Q \supset \{u\}:Q) \to {*}[\forall u](u:Q \supset \{u\}:Q)$
(b) $0:Q,\ Q:NCls \to \{0\}:Q$
${*}(0:Q \wedge [\forall u](u:Q \supset \{u\}:Q)),\ Q:NCls \to {*}(\{0\}:Q \wedge [\forall u](u:Q \supset \{u\}:Q))$
${*}Q:NCls,\ Q:NCls \to {*}Q:NNCls$
$Q:NCls \to Q:NNCls$  (contraction)

The need for a derivation of the sequent (a), which might be expected to be an axiom, is typical of NaDSet. Derivations of such sequents are usually omitted.
A derivation of the sequent (b) follows:

$0:Q \to 0:Q$
$\{0\}:Q \to \{0\}:Q$
$0:Q,\ {*}(0:Q \supset \{0\}:Q) \to \{0\}:Q$
$0:Q,\ {*}[\forall u](u:Q \supset \{u\}:Q) \to \{0\}:Q$
$0:Q,\ 0:Q,\ [\forall u](u:Q \supset \{u\}:Q) \to \{0\}:Q$  (thinning)
$0:Q,\ {*}Q:NCls \to \{0\}:Q$

Consider next +:

$+Cls$ for $\{z \mid [\forall v](v:N \supset \langle 0,v,v\rangle:z) \wedge \forall u\forall v\forall w(\langle u,v,w\rangle:z \supset \langle \{u\},v,\{w\}\rangle:z)\}$
$+$ for $\{\langle x,y,z\rangle \mid [\forall w:+Cls]\,\langle x,y,z\rangle:w\}$

The following sequent can be derived in NaDSet:

$\to [\forall u:NN][\exists v:NN]\,\langle u,u,v\rangle:+$

As the reader can verify, a derivation can be provided directly from the given definitions, again emphasizing that logistic definitions are complete in themselves.

Recursive definitions in a set theory such as NaDSet have the four important advantages discussed in the introduction of the thesis: First, it is unnecessary to construct induction axioms, since they follow from the definitions. Second, they do not in any way modify the underlying logic, so that there need never be a concern that inconsistent axioms may be introduced. Third, the definitions are given as terms that can be reasoned about, as demonstrated above for N and NN. But also these terms can be shown to be members of other sets; for example, each of N and NN can be shown to be a member of the universal set V, that is defined to be $\{u \mid u=u\}$. Lastly, recursive definitions for disparate fields do not interact in unforeseeable ways with one another if the abbreviating name for a term uniquely identifies the term. These advantages suggest that NaDSet may provide extensions to Horn clause programming languages such as Prolog.

4.2  EXAMPLE OF PROGRAMMING SEMANTICS

In this section, semantics will be defined within NaDSet for the simple language of flow diagrams used in [Stoy77] as an example of the application of denotational semantics. Since they add nothing to the exposition here, primitive commands and primitive predicates will not be considered.
4.2.1  Syntax

The elementary syntax for the language is first described in a variant of Backus-Naur form and then the corresponding NaDSet definitions are presented.

4.2.1.1  Expressions

First the set of expressions is defined:

Exp ::= true | false | < Exp_0, Exp_1, Exp_2, CndExp >

Here true, false and CndExp are given constant strings, with the latter abbreviating 'conditional expression'. This Backus-Naur form is, of course, a recursive definition of a set Exp. In NaDSet it would be defined:

$ExpCls$ for $\{z \mid true:z \wedge false:z \wedge [\forall u,v,w:z]\,\langle u,v,w,CndExp\rangle:z\}$
$Exp$ for $\{e \mid [\forall z:ExpCls]\,e:z\}$

This type of definition will be used extensively in the rest of the thesis. Therefore, it is important that its meaning is well understood. A recursive definition is usually given by a pair of NaDSet definitions, as in the case of expressions. The first definition defines the term whose members are the sets that are closed under the expression constructors. That is, each element of ExpCls has the constants true and false among its members and if u, v, w are in it, so is the tuple $\langle u,v,w,CndExp\rangle$. The second definition then (which actually defines the desired set of expressions) defines Exp to be the least such set (closed under the expression constructors). The following lemma, although simple, gives an illustration of the way recursive definitions of this type are used. At the end of this chapter a broader discussion on the use of such definitions is provided.

4.2.1.1.1  Lemma

The sequent

$\to [\forall x:Exp](x = true \vee x = false \vee [\exists u,v,w:Exp]\,x = \langle u,v,w,CndExp\rangle)$

is derivable.

Proof of lemma 4.2.1.1.1

Let, for the context of this proof,

$T$ for $\{x \mid x = true \vee x = false \vee [\exists u,v,w:Exp]\,x = \langle u,v,w,CndExp\rangle\}$.

A derivation of the lemma sequent follows. In this, p, r, s and t are first order parameters.
$r:Exp \to r:Exp$
$s:Exp \to s:Exp$
$t:Exp \to t:Exp$
$p = \langle r,s,t,CndExp\rangle \to p = \langle r,s,t,CndExp\rangle$
$r:Exp,\ s:Exp,\ t:Exp,\ p = \langle r,s,t,CndExp\rangle \to {*}[\exists u,v,w:Exp]\,p = \langle u,v,w,CndExp\rangle$
${*}[\exists u,v,w:Exp]\,p = \langle u,v,w,CndExp\rangle \to [\exists u,v,w:Exp]\,p = \langle u,v,w,CndExp\rangle$
$p = true \to p = true$
$p = false \to p = false$
${*}(p = true \vee p = false \vee [\exists u,v,w:Exp]\,p = \langle u,v,w,CndExp\rangle) \to p = true,\ p = false,\ [\exists u,v,w:Exp]\,p = \langle u,v,w,CndExp\rangle$
${*}p:T \to p = true,\ p = false,\ [\exists u,v,w:Exp]\,p = \langle u,v,w,CndExp\rangle$
(a) $\to T:ExpCls$
${*}[\forall z:ExpCls]\,p:z \to p = true,\ p = false,\ [\exists u,v,w:Exp]\,p = \langle u,v,w,CndExp\rangle$
${*}p:Exp \to p = true,\ p = false,\ [\exists u,v,w:Exp]\,p = \langle u,v,w,CndExp\rangle$
$p:Exp \to {*}(p = true \vee p = false \vee [\exists u,v,w:Exp]\,p = \langle u,v,w,CndExp\rangle)$
$\to {*}[\forall x:Exp](x = true \vee x = false \vee [\exists u,v,w:Exp]\,x = \langle u,v,w,CndExp\rangle)$

Proof of (a): A derivation of the sequent (a) from sequents (1), ..., (27), in which pu, pv, and pw are first order parameters, follows.

(1) $pu = true,\ pv = true,\ pw = true \to [\exists u,v,w:Exp]\,\langle pu,pv,pw,CndExp\rangle = \langle u,v,w,CndExp\rangle$
(2) $pu = true,\ pv = true,\ [\exists u,v,w:Exp]\,pw = \langle u,v,w,CndExp\rangle \to [\exists u,v,w:Exp]\,\langle pu,pv,pw,CndExp\rangle = \langle u,v,w,CndExp\rangle$
...
(27) $[\exists u,v,w:Exp]\,pu = \langle u,v,w,CndExp\rangle,\ [\exists u,v,w:Exp]\,pv = \langle u,v,w,CndExp\rangle,\ [\exists u,v,w:Exp]\,pw = \langle u,v,w,CndExp\rangle \to [\exists u,v,w:Exp]\,\langle pu,pv,pw,CndExp\rangle = \langle u,v,w,CndExp\rangle$
$(pu = true \vee pu = false \vee [\exists u,v,w:Exp]\,pu = \langle u,v,w,CndExp\rangle),\ (pv = true \vee pv = false \vee [\exists u,v,w:Exp]\,pv = \langle u,v,w,CndExp\rangle),\ (pw = true \vee pw = false \vee [\exists u,v,w:Exp]\,pw = \langle u,v,w,CndExp\rangle) \to (\langle pu,pv,pw,CndExp\rangle = true \vee \langle pu,pv,pw,CndExp\rangle = false \vee [\exists u,v,w:Exp]\,\langle pu,pv,pw,CndExp\rangle = \langle u,v,w,CndExp\rangle)$
${*}pu:\{x \mid x = true \vee x = false \vee [\exists u,v,w:Exp]\,x = \langle u,v,w,CndExp\rangle\},\ {*}pv:\{x \mid x = true \vee x = false \vee [\exists u,v,w:Exp]\,x = \langle u,v,w,CndExp\rangle\},$
${*}pw:\{x \mid x = true \vee x = false \vee [\exists u,v,w:Exp]\,x = \langle u,v,w,CndExp\rangle\} \to {*}\langle pu,pv,pw,CndExp\rangle:\{x \mid x = true \vee x = false \vee [\exists u,v,w:Exp]\,x = \langle u,v,w,CndExp\rangle\}$
${*}pu:T,\ {*}pv:T,\ {*}pw:T \to {*}\langle pu,pv,pw,CndExp\rangle:T$
$\to {*}[\forall u,v,w:T]\,\langle u,v,w,CndExp\rangle:T$
$\to true:T$
$\to false:T$
$\to {*}(true:T \wedge false:T \wedge [\forall u,v,w:T]\,\langle u,v,w,CndExp\rangle:T)$
$\to T:ExpCls$

Sequents (1) to (27) can be easily derived using the definition of Expressions. A derivation of (27) is given next; the derivations of the others are similar.

A proof of (27): The terms pu, pv, pw, $u_1$, $v_1$, $w_1$, $u_2$, $v_2$, $w_2$, $u_3$, $v_3$ and $w_3$ are first order parameters.

$u_1:Exp,\ v_1:Exp,\ w_1:Exp,\ pu = \langle u_1,v_1,w_1,CndExp\rangle \to pu:Exp$
$u_2:Exp,\ v_2:Exp,\ w_2:Exp,\ pv = \langle u_2,v_2,w_2,CndExp\rangle \to pv:Exp$
$u_3:Exp,\ v_3:Exp,\ w_3:Exp,\ pw = \langle u_3,v_3,w_3,CndExp\rangle \to pw:Exp$
$\to \langle pu,pv,pw,CndExp\rangle = \langle pu,pv,pw,CndExp\rangle$
$u_1:Exp,\ v_1:Exp,\ w_1:Exp,\ pu = \langle u_1,v_1,w_1,CndExp\rangle,\ u_2:Exp,\ v_2:Exp,\ w_2:Exp,\ pv = \langle u_2,v_2,w_2,CndExp\rangle,\ u_3:Exp,\ v_3:Exp,\ w_3:Exp,\ pw = \langle u_3,v_3,w_3,CndExp\rangle \to {*}[\exists u,v,w:Exp]\,\langle pu,pv,pw,CndExp\rangle = \langle u,v,w,CndExp\rangle$
${*}[\exists u,v,w:Exp]\,pu = \langle u,v,w,CndExp\rangle,\ {*}[\exists u,v,w:Exp]\,pv = \langle u,v,w,CndExp\rangle,\ {*}[\exists u,v,w:Exp]\,pw = \langle u,v,w,CndExp\rangle \to [\exists u,v,w:Exp]\,\langle pu,pv,pw,CndExp\rangle = \langle u,v,w,CndExp\rangle$

End of proof of lemma 4.2.1.1.1

4.2.1.2  Commands

The set of commands is similarly defined:

Cmd ::= dummy | < Exp, Cmd_1, Cmd_2, CndCmd > | < Cmd_1, Cmd_2, SeqCmd > | < Exp, Cmd, WCmd > | < Cmd, Exp, RWCmd >

The nondummy commands are, respectively, the conditional command, the sequence command, the whiledo command and the repeatwhile command. As with the set Exp, the set Cmd can be defined in NaDSet:

$CmdCls$ for $\{z \mid dummy:z \wedge [\forall e:Exp][\forall c_1,c_2:z]\,\langle e,c_1,c_2,CndCmd\rangle:z \wedge [\forall c_1,c_2:z]\,\langle c_1,c_2,SeqCmd\rangle:z \wedge [\forall e:Exp][\forall c:z]\,\langle e,c,WCmd\rangle:z \wedge [\forall e:Exp][\forall c:z]\,\langle c,e,RWCmd\rangle:z\}$
$Cmd$ for $\{c \mid [\forall z:CmdCls]\,c:z\}$

and a lemma similar to lemma 4.2.1.1.1 can be derived for the commands as well.
The strings false, true, CndExp, dummy, CndCmd, SeqCmd, WCmd, and RWCmd are the primitive strings of the language. They are not only assumed to be distinct, but must be assumed to be provably distinct. By this is meant that for each distinct pair S and R of strings from this list, the following sequent is derivable in NaDSet:

$S = R \to$

One of the simplest ways of assuring this is to take the strings in order as abbreviations of the integers 0, 1, 2, 3, 4, 5, 6, 7, since all integers can be proved to be distinct using only the definition N of the integers. In addition, the basic properties of ordered pairs and tuples, shown to be derivable in [Gilmore89], must be assumed. In particular, therefore, the following sequent is derivable:

$\langle t_1,t_2,SeqCmd\rangle = \langle t_3,t_4,WCmd\rangle \to$

for any first order terms $t_1$, $t_2$, $t_3$, and $t_4$.

4.2.2  Expression Semantics

It is assumed that a finite set S of states has been defined, and that the set B has been defined

$B$ for $\{v \mid v = 1 \vee v = 0\}$

to represent the set of boolean values. A set ExpSem is to be defined so that "$\langle e,s,v\rangle:ExpSem$" means "expression e in state s has value v". But first a definition of ExpSemCls, expression semantics closed, is needed:

$ExpSemCls$ for $\{w \mid [\forall s:S]\,\langle true,s,1\rangle:w$
$\wedge\ [\forall s:S]\,\langle false,s,0\rangle:w$
$\wedge\ [\forall e,e_1,e_2:Exp][\forall s:S][\forall v:B](\langle e,s,1\rangle:w \wedge \langle e_1,s,v\rangle:w \supset \langle\langle e,e_1,e_2,CndExp\rangle,s,v\rangle:w)$
$\wedge\ [\forall e,e_1,e_2:Exp][\forall s:S][\forall v:B](\langle e,s,0\rangle:w \wedge \langle e_2,s,v\rangle:w \supset \langle\langle e,e_1,e_2,CndExp\rangle,s,v\rangle:w)\}$
$ExpSem$ for $\{\langle e,s,v\rangle \mid [\forall w:ExpSemCls]\,\langle e,s,v\rangle:w\}$

For any expression e the abbreviation

$ExpSem[e]$ for $\{\langle s,v\rangle \mid \langle e,s,v\rangle:ExpSem\}$

will be used for convenience. The following lemma, which is a consequence of the previous definition, is reminiscent of the traditional definition of the semantics of an expression [Stoy77, Gordon79,89]. The symbol $=_e$ is the extensional identity as was defined in the second chapter.

4.2.2.1  Lemma

The sequents

(1) $\to ExpSem[true] =_e \{\langle s,v\rangle \mid v = 1\}$
(2) $\to ExpSem[false] =_e \{\langle s,v\rangle \mid v = 0\}$
(3) $\to [\forall e,e_1,e_2:Exp]\ ExpSem[\langle e,e_1,e_2,CndExp\rangle] =_e \{\langle s,v\rangle \mid (\langle s,1\rangle:ExpSem[e] \wedge \langle s,v\rangle:ExpSem[e_1]) \vee (\langle s,0\rangle:ExpSem[e] \wedge \langle s,v\rangle:ExpSem[e_2])\}$

are derivable.

The proof of the lemma is given in appendix D.

4.2.3  Command Semantics

Now a set CmdSem is to be defined so that "$\langle c,r,s\rangle:CmdSem$" means "command c in state r moves the system to state s". Command closed is defined first:

$CmdSemCls$ for $\{w \mid [\forall t:S]\,\langle dummy,t,t\rangle:w$
$\wedge\ [\forall c_1,c_2:Cmd][\forall r,s,t:S](\langle c_1,r,s\rangle:w \wedge \langle c_2,s,t\rangle:w \supset \langle\langle c_1,c_2,SeqCmd\rangle,r,t\rangle:w)$
$\wedge\ [\forall e:Exp][\forall c_1,c_2:Cmd][\forall r,s:S](\langle e,r,1\rangle:ExpSem \wedge \langle c_1,r,s\rangle:w \supset \langle\langle e,c_1,c_2,CndCmd\rangle,r,s\rangle:w)$
$\wedge\ [\forall e:Exp][\forall c_1,c_2:Cmd][\forall r,s:S](\langle e,r,0\rangle:ExpSem \wedge \langle c_2,r,s\rangle:w \supset \langle\langle e,c_1,c_2,CndCmd\rangle,r,s\rangle:w)$
$\wedge\ [\forall e:Exp][\forall c:Cmd][\forall r:S](\langle e,r,0\rangle:ExpSem \supset \langle\langle e,c,WCmd\rangle,r,r\rangle:w)$
$\wedge\ [\forall e:Exp][\forall c:Cmd][\forall r,s,t:S](\langle e,r,1\rangle:ExpSem \wedge \langle c,r,s\rangle:w \wedge \langle\langle e,c,WCmd\rangle,s,t\rangle:w \supset \langle\langle e,c,WCmd\rangle,r,t\rangle:w)$
$\wedge\ [\forall e:Exp][\forall c:Cmd][\forall r,s:S](\langle e,s,0\rangle:ExpSem \wedge \langle c,r,s\rangle:w \supset \langle\langle c,e,RWCmd\rangle,r,s\rangle:w)$
$\wedge\ [\forall e:Exp][\forall c:Cmd][\forall r,s,t:S](\langle e,s,1\rangle:ExpSem \wedge \langle c,r,s\rangle:w \wedge \langle\langle c,e,RWCmd\rangle,s,t\rangle:w \supset \langle\langle c,e,RWCmd\rangle,r,t\rangle:w)\}$
$CmdSem$ for $\{\langle c,r,s\rangle \mid [\forall w:CmdSemCls]\,\langle c,r,s\rangle:w\}$

It is interesting to contrast the definition of CmdSem with the denotational semantics for the commands provided in [Stoy77]. Apart from the obvious absence of the top and bottom in the definition of CmdSem, the most striking difference is that the semantics for all commands of the language is provided in the definitions of CmdSemCls and CmdSem, while the semantics for the commands are provided separately by Stoy.
However, the properties of the separate commands can be recovered using the following parameterized definitions:

$WCls[e,c]$ for $\{w \mid [\forall r:S](\langle e,r,0\rangle:ExpSem \supset \langle r,r\rangle:w) \wedge [\forall r,s,t:S](\langle e,r,1\rangle:ExpSem \wedge \langle c,r,s\rangle:CmdSem \wedge \langle s,t\rangle:w \supset \langle r,t\rangle:w)\}$
$RWCls[c,e]$ for $\{w \mid [\forall r,t:S](\langle e,t,0\rangle:ExpSem \wedge \langle c,r,t\rangle:CmdSem \supset \langle r,t\rangle:w) \wedge [\forall r,s,t:S](\langle e,s,1\rangle:ExpSem \wedge \langle c,r,s\rangle:CmdSem \wedge \langle s,t\rangle:w \supset \langle r,t\rangle:w)\}$

The properties of the separate commands are summarized in the following lemma:

4.2.3.1  Lemma

The following sequents are derivable.

(1) $\to [\forall t:S]\,\langle dummy,t,t\rangle:CmdSem$
(2) $\to [\forall c_1,c_2:Cmd][\forall r,t:S](\langle\langle c_1,c_2,SeqCmd\rangle,r,t\rangle:CmdSem \equiv [\exists s:S](\langle c_1,r,s\rangle:CmdSem \wedge \langle c_2,s,t\rangle:CmdSem))$
(3) $\to [\forall e:Exp][\forall c_1,c_2:Cmd][\forall r,s:S](\langle\langle e,c_1,c_2,CndCmd\rangle,r,s\rangle:CmdSem \equiv (\langle e,r,1\rangle:ExpSem \wedge \langle c_1,r,s\rangle:CmdSem) \vee (\langle e,r,0\rangle:ExpSem \wedge \langle c_2,r,s\rangle:CmdSem))$
(4) $\to [\forall e:Exp][\forall c:Cmd][\forall r,t:S](\langle\langle e,c,WCmd\rangle,r,t\rangle:CmdSem \equiv [\forall z:WCls[e,c]]\,\langle r,t\rangle:z)$
(5) $\to [\forall e:Exp][\forall c:Cmd][\forall r,t:S](\langle\langle c,e,RWCmd\rangle,r,t\rangle:CmdSem \equiv [\forall z:RWCls[c,e]]\,\langle r,t\rangle:z)$

The proof of the lemma is in appendix E.

4.2.4  Example Theorem

To illustrate the point that all the desired properties of the set CmdSem can be derived from its definition and the definitions of the other sets upon which it is dependent, a sketch of a derivation of the following sequent will be provided:

$\to [\forall e:Exp][\forall c:Cmd][\forall r,t:S](\langle\langle c,e,RWCmd\rangle,r,t\rangle:CmdSem \equiv \langle\langle c,\langle e,c,WCmd\rangle,SeqCmd\rangle,r,t\rangle:CmdSem)$

This sequent expresses that the effect of the command $\langle c,e,RWCmd\rangle$ is the same as the effect of the sequence of commands c and $\langle e,c,WCmd\rangle$ in terms of state transformations. It is theorem 9.22 of [Stoy77].

4.2.4.1  Theorem

The sequent

(th) $\to [\forall e:Exp][\forall c:Cmd][\forall r,t:S](\langle\langle c,e,RWCmd\rangle,r,t\rangle:CmdSem \equiv \langle\langle c,\langle e,c,WCmd\rangle,SeqCmd\rangle,r,t\rangle:CmdSem)$

is derivable in NaDSet.
Proof of theorem 4.2.4.1

Using the variables in the formula of the sequent as first order parameters, the sequent can be simply derived from the following two sequents:

(i) $e:Exp,\ c:Cmd,\ r:S,\ t:S,\ \langle\langle c,e,RWCmd\rangle,r,t\rangle:CmdSem \to \langle\langle c,\langle e,c,WCmd\rangle,SeqCmd\rangle,r,t\rangle:CmdSem$
(ii) $e:Exp,\ c:Cmd,\ r:S,\ t:S,\ \langle\langle c,\langle e,c,WCmd\rangle,SeqCmd\rangle,r,t\rangle:CmdSem \to \langle\langle c,e,RWCmd\rangle,r,t\rangle:CmdSem$

Sketches of a derivation of the first sequent will be provided in the next subsections. The derivation of the second sequent is similar and therefore is omitted. As before the reader is advised to read the derivations as they have been developed, namely bottom-up.

.1  A Derivation of (i)

The following abbreviation will be used in this subsection only:

$T$ for $\{\langle r,t\rangle \mid [\exists s_1:S](\langle c,r,s_1\rangle:CmdSem \wedge \langle\langle e,c,WCmd\rangle,s_1,t\rangle:CmdSem)\}$.

There follows a sketch of a derivation of (i) from two sequents (a) and (b) in which this abbreviation has been used.

(a) $e:Exp,\ c:Cmd \to T:RWCls[c,e]$
(b) $e:Exp,\ c:Cmd,\ r:S,\ t:S,\ \langle r,t\rangle:T \to [\exists s_1:S](\langle c,r,s_1\rangle:CmdSem \wedge \langle\langle e,c,WCmd\rangle,s_1,t\rangle:CmdSem)$
$e:Exp,\ c:Cmd,\ r:S,\ t:S,\ {*}(T:RWCls[c,e] \supset \langle r,t\rangle:T) \to [\exists s_1:S](\langle c,r,s_1\rangle:CmdSem \wedge \langle\langle e,c,WCmd\rangle,s_1,t\rangle:CmdSem)$
$e:Exp,\ c:Cmd,\ r:S,\ t:S,\ {*}[\forall z:RWCls[c,e]]\,\langle r,t\rangle:z \to [\exists s_1:S](\langle c,r,s_1\rangle:CmdSem \wedge \langle\langle e,c,WCmd\rangle,s_1,t\rangle:CmdSem)$
[Using sequents (2) and (5) of lemma 4.2.3.1 and the cut rule]
$e:Exp,\ c:Cmd,\ r:S,\ t:S,\ {*}\langle\langle c,e,RWCmd\rangle,r,t\rangle:CmdSem \to {*}\langle\langle c,\langle e,c,WCmd\rangle,SeqCmd\rangle,r,t\rangle:CmdSem$

A derivation of sequent (b) will be left as an exercise for the reader. A derivation of sequent (a) follows.

$e:Exp,\ r:S,\ s:S,\ \langle e,s,1\rangle:ExpSem \to \langle e,s,1\rangle:ExpSem$
$c:Cmd,\ s:S,\ s_1:S,\ \langle c,s,s_1\rangle:CmdSem \to \langle c,s,s_1\rangle:CmdSem$
$t:S,\ s_1:S,\ \langle s_1,t\rangle:W \to \langle s_1,t\rangle:W$
$e:Exp,\ c:Cmd,\ r:S,\ s:S,\ t:S,\ s_1:S,\ \langle e,s,1\rangle:ExpSem,\ \langle c,s,s_1\rangle:CmdSem,\ \langle s_1,t\rangle:W \to {*}(\langle e,s,1\rangle:ExpSem \wedge \langle c,s,s_1\rangle:CmdSem \wedge \langle s_1,t\rangle:W)$
$\langle s,t\rangle:W \to \langle s,t\rangle:W$
$e:Exp,\ c:Cmd,\ r:S,\ s:S,\ t:S,\ s_1:S,\ \langle e,s,1\rangle:ExpSem,\ \langle c,s,s_1\rangle:CmdSem,\ \langle s_1,t\rangle:W,\ {*}(\langle e,s,1\rangle:ExpSem \wedge \langle c,s,s_1\rangle:CmdSem \wedge \langle s_1,t\rangle:W \supset \langle s,t\rangle:W) \to \langle s,t\rangle:W$
$s:S \to s:S$
$s_1:S \to s_1:S$
$t:S \to t:S$
$e:Exp,\ c:Cmd,\ r:S,\ s:S,\ t:S,\ s_1:S,\ \langle e,s,1\rangle:ExpSem,\ \langle c,s,s_1\rangle:CmdSem,\ \langle s_1,t\rangle:W,\ {*}[\forall r,s,t:S](\langle e,r,1\rangle:ExpSem \wedge \langle c,r,s\rangle:CmdSem \wedge \langle s,t\rangle:W \supset \langle r,t\rangle:W) \to \langle s,t\rangle:W$
$e:Exp,\ c:Cmd,\ r:S,\ s:S,\ t:S,\ s_1:S,\ \langle e,s,1\rangle:ExpSem,\ \langle c,s,s_1\rangle:CmdSem,\ \langle s_1,t\rangle:W,\ {*}W:WCls[e,c] \to \langle s,t\rangle:W$  (thinning, $\wedge\to$, $\{\}\to$)
$W:WCls[e,c] \to W:WCls[e,c]$
$e:Exp,\ c:Cmd,\ r:S,\ s:S,\ t:S,\ s_1:S,\ \langle e,s,1\rangle:ExpSem,\ \langle c,s,s_1\rangle:CmdSem,\ {*}[\forall z:WCls[e,c]]\,\langle s_1,t\rangle:z,\ W:WCls[e,c] \to \langle s,t\rangle:W$
$e:Exp,\ c:Cmd,\ r:S,\ s:S,\ t:S,\ s_1:S,\ \langle e,s,1\rangle:ExpSem,\ \langle c,s,s_1\rangle:CmdSem,\ [\forall z:WCls[e,c]]\,\langle s_1,t\rangle:z \to {*}[\forall z:WCls[e,c]]\,\langle s,t\rangle:z$
[Using sequent (4) in lemma 4.2.3.1 and cut]
$e:Exp,\ c:Cmd,\ r:S,\ s:S,\ t:S,\ s_1:S,\ \langle e,s,1\rangle:ExpSem,\ \langle c,s,s_1\rangle:CmdSem,\ {*}\langle\langle e,c,WCmd\rangle,s_1,t\rangle:CmdSem \to {*}\langle\langle e,c,WCmd\rangle,s,t\rangle:CmdSem$
$c:Cmd,\ r:S,\ s:S,\ \langle c,r,s\rangle:CmdSem \to \langle c,r,s\rangle:CmdSem$
$s:S \to s:S$
$e:Exp,\ c:Cmd,\ r:S,\ s:S,\ t:S,\ s_1:S,\ \langle e,s,1\rangle:ExpSem,\ \langle c,r,s\rangle:CmdSem,\ \langle c,s,s_1\rangle:CmdSem,\ \langle\langle e,c,WCmd\rangle,s_1,t\rangle:CmdSem \to {*}(s:S \wedge \langle c,r,s\rangle:CmdSem \wedge \langle\langle e,c,WCmd\rangle,s,t\rangle:CmdSem)$
$e:Exp,\ c:Cmd,\ r:S,\ s:S,\ t:S,\ s_1:S,\ \langle e,s,1\rangle:ExpSem,\ \langle c,r,s\rangle:CmdSem,\ \langle c,s,s_1\rangle:CmdSem,\ \langle\langle e,c,WCmd\rangle,s_1,t\rangle:CmdSem \to {*}[\exists s_1:S](\langle c,r,s_1\rangle:CmdSem \wedge \langle\langle e,c,WCmd\rangle,s_1,t\rangle:CmdSem)$
$e:Exp,\ c:Cmd,\ r:S,\ s:S,\ t:S,\ \langle e,s,1\rangle:ExpSem,\ \langle c,r,s\rangle:CmdSem,\ {*}[\exists s_1:S]{*}(\langle c,s,s_1\rangle:CmdSem \wedge \langle\langle e,c,WCmd\rangle,s_1,t\rangle:CmdSem) \to [\exists s_1:S](\langle c,r,s_1\rangle:CmdSem \wedge \langle\langle e,c,WCmd\rangle,s_1,t\rangle:CmdSem)$
$e:Exp,\ c:Cmd,\ r:S,\ s:S,\ t:S,\ \langle e,s,1\rangle:ExpSem,\ \langle c,r,s\rangle:CmdSem,\ {*}\langle s,t\rangle:T \to {*}\langle r,t\rangle:T$
$e:Exp,\ c:Cmd \to {*}[\forall r,s,t:S]{*}(\langle e,s,1\rangle:ExpSem \wedge \langle c,r,s\rangle:CmdSem \wedge \langle s,t\rangle:T \supset \langle r,t\rangle:T)$

Similarly

$e:Exp,\ c:Cmd \to [\forall r,t:S](\langle e,t,0\rangle:ExpSem \wedge \langle c,r,t\rangle:CmdSem \supset \langle r,t\rangle:T)$
$e:Exp,\ c:Cmd \to {*}([\forall r,t:S](\langle e,t,0\rangle:ExpSem \wedge \langle c,r,t\rangle:CmdSem \supset \langle r,t\rangle:T) \wedge [\forall r,s,t:S](\langle e,s,1\rangle:ExpSem \wedge \langle c,r,s\rangle:CmdSem \wedge \langle s,t\rangle:T \supset \langle r,t\rangle:T))$
$e:Exp,\ c:Cmd \to {*}T:RWCls[c,e]$

End of proof of theorem 4.2.4.1

The success of NaDSet in deriving such an equivalence property among those recursively defined set terms reinforces the claim about the power of the generalized abstraction and the completeness of NaDSet definitions. Note that such an argument cannot be carried out in the $\lambda$-calculus formalism. The semantics of the while command is usually defined in $\lambda$-calculus [Stoy77, Gordon79] as follows:

$C[\![\text{while } e \text{ do } c]\!] \triangleq (Y\,F)$

where Y is the least fixed point operator defined by

$Y = \lambda f.(\lambda x.f(x\,x))(\lambda x.f(x\,x))$

and

$F = \lambda f.\lambda s.((e\,s) \Rightarrow (f \circ a\ s),\ s)$.

In this expression, a is used as an abbreviation of $C[\![c]\!]$, the semantics of the command c, e is an abbreviation of $E[\![e]\!]$, the semantics of the expression e, $(a \Rightarrow b, c)$ is a conditional function (like the one defined in [Stoy77]) and $\circ$ is the composition operator defined as $f \circ g = \lambda x.f(g\,x)$. Similarly, the semantics of the repeatwhile command can be defined:

$C[\![c \text{ repeatwhile } e]\!] \triangleq (Y\,G)$

where

$G = \lambda f.\lambda s.((e \circ a\ s) \Rightarrow (f \circ a\ s),\ (a\,s))$.

If 'cnv' denotes $\lambda$-conversion, the previous theorem is expressed in $\lambda$-calculus by the statement

(st) $(Y\,G)\ \text{cnv}\ (Y\,F) \circ a$.

But such a conversion cannot be derived with the traditional rules of $\lambda$-conversion. As an illustration the first steps of such a conversion are shown next. First,

$(Y\,F)$ cnv $(\lambda x.F(x\,x))(\lambda x.F(x\,x))$
cnv $F[(\lambda x.F(x\,x))(\lambda x.F(x\,x))]$
cnv $\lambda s.((e\,s) \Rightarrow (F^* \circ a\ s),\ s)$

where $F^*$ is the expression $[(\lambda x.F(x\,x))(\lambda x.F(x\,x))]$. Therefore,

$(Y\,F) \circ a = \lambda y.(Y\,F)(a\,y)$
cnv $\lambda y.((e\,(a\,y)) \Rightarrow (F^* \circ a\ (a\,y)),\ (a\,y))$
cnv $\lambda y.((e \circ a\ y) \Rightarrow (F^* \circ a \circ a\ y),\ (a\,y))$

Similarly,

$(Y\,G)$ cnv $(\lambda x.G(x\,x))(\lambda x.G(x\,x))$
cnv $G[(\lambda x.G(x\,x))(\lambda x.G(x\,x))]$
cnv $\lambda s.((e \circ a\ s) \Rightarrow (G^* \circ a\ s),\ (a\,s))$

where $G^*$ is the expression $[(\lambda x.G(x\,x))(\lambda x.G(x\,x))]$. Consequently, to prove the statement (st) it is necessary to show

$G^*\ \text{cnv}\ F^* \circ a$

which is not much different from the original statement. The problem here is that the terms $(Y\,F)$ and $(Y\,G)$ do not have a normal form (they are not meant to), so they cannot be compared easily. Of course, for any specific command c, expression e and state s, the special case of (st), given by a statement of the form

$((Y\,G)\,s)\ \text{cnv}\ ((Y\,F) \circ a\ s)$

is indeed provable, but (st) itself is not. Some type of fixed point induction rule is needed to carry out the general case of this argument but such a rule cannot be added to the type-free $\lambda$-calculus [Kleene&Rosser35]. On the other hand, the typed $\lambda$-calculus can be extended to include some type of fixed point induction. An example of the latter is Scott's LCF [Milner72, Gordon et al.78] and its successor, the HOL system [Gordon87]. Of course, these systems prohibit self-application and therefore are not suitable for other applications. Finally, to carry out this type of argument, any formalization of Scott's domain theory [Scott72,82] must not only provide for fixed point induction but it also has to restrict this type of induction to admissible properties only; otherwise undesirable or even contradictory statements are deducible. Section 9 of [Stoy77] includes a comprehensive discussion on the need for the admissibility test, while [Park70] gives an exposition of fixed point induction per se.
4.2.5  Nondeterministic Constructs

The task of modelling nondeterminism and developing appropriate semantics for nondeterministic programming languages is a challenging problem researchers in theoretical computer science have been facing in the last two decades. Because of their strong relation to parallelism and concurrency, nondeterministic languages have many semantic problems associated with them [de Bakker76, Plotkin76, Smyth78, Park80]. The present section does not aspire to solve any of these semantic problems since such a task is outside the scope of the thesis. It rather demonstrates that the established ideas on the semantics of nondeterministic languages can be expressed in NaDSet in a coherent and rather natural way. Moreover, in NaDSet this type of semantics is not different from the semantics of deterministic programs; the difference lies in the interpretation of a term that defines the semantics, not in the term itself. To illustrate this claim, our simple programming language is augmented to include a choice expression and a choice command of the form $\langle Exp_1, Exp_2, ChExp\rangle$ and $\langle Cmd_1, Cmd_2, ChCmd\rangle$ respectively. Their intended interpretation implies that the value of the choice expression is either the value of $Exp_1$ or that of $Exp_2$, and that when control reaches the choice command one of the commands $Cmd_1$ and $Cmd_2$ is indiscriminately chosen and executed. Of course this type of nondeterministic choice is very simple but it is adequate for the exposition of this section. Dijkstra's guarded commands or other similar nondeterministic commands can be treated the same way within NaDSet. To accommodate the new constructs, proper sentences have to be added to the definitions of the semantics of expressions and commands.
More specifically, the conjunct

$\wedge\ [\forall e_1,e_2:Exp][\forall s:S][\forall v:B]((\langle e_1,s,v\rangle:w \vee \langle e_2,s,v\rangle:w) \supset \langle\langle e_1,e_2,ChExp\rangle,s,v\rangle:w)$

is added to the definition of the term ExpSemCls and

$\wedge\ [\forall c_1,c_2:Cmd][\forall r,s:S]((\langle c_1,r,s\rangle:w \vee \langle c_2,r,s\rangle:w) \supset \langle\langle c_1,c_2,ChCmd\rangle,r,s\rangle:w)$

is added to the definition of the term CmdSemCls. It is rather interesting that the addition of the nondeterministic expressions and commands does not bring any radical change to the semantics: the semantics of an expression or a command is still a relation over $S \times B$ or $S \times S$ respectively. Of course, these relations are no longer functional and their interpretation reflects that difference as well. While the sentence $\langle s,v\rangle:ExpSem[e]$ was interpreted as "v is the value of e when it is evaluated in state s", in the presence of nondeterminism the statement is interpreted as "v is a possible value of e when it is evaluated in state s". Similarly the sentence $\langle s,r\rangle:CmdSem[c]$ is interpreted as "r is one of the possible states resulting from executing c in state s". However, such an interpretation is completely transparent to the logic. From the deductive point of view, the new terms that define the semantics of the new constructs are used in the same way the old terms were used. For instance, the proof of theorem 4.2.4.1 is not affected by the change; only the induction in the proof of lemma 4.2.3.1 has to include an additional case corresponding to the new conjunct in the definition of the CmdSemCls term. On the contrary, in denotational semantics some type of powerdomain structure is necessary to express the semantics of nondeterministic constructs [Plotkin76, Smyth78, Apt&Plotkin81]. In that framework the semantics of a command is given as a function from S to the powerset of S. Therefore, $(C[\![c]\!]\,s)$ is the subset of S containing every state r that can result from executing c in state s.
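The relational semantics of 4.2.2 and 4.2.3, with the ChExp and ChCmd conjuncts just added, computed over a finite state set by iterating the closure clauses of ExpSemCls and CmdSemCls to their least fixed point (the same least-closed-set reading that 4.1.2 gives to N and NN); this is an added example and not code from the thesis. It assumes a constructed four-state set S, and a constructed primitive predicate lt2 and primitive command inc, which the thesis leaves out, so that states can actually change; the last function checks theorem 4.2.4.1 on that model, with and without a choice command.

```python
"""Least-fixed-point computation of ExpSem and CmdSem (Sections 4.2.2, 4.2.3)
with the ChExp / ChCmd clauses of 4.2.5.  Added example, not thesis code."""
from itertools import product

# Constructed finite state set S and the booleans B.
S = (0, 1, 2, 3)
B = (0, 1)
# Assumed primitives (the thesis omits them), given as constructed relations.
PRIM_EXP = {"lt2": {(s, int(s < 2)) for s in S}}     # "s < 2" as <s,v> pairs
PRIM_CMD = {"inc": {(s, min(s + 1, 3)) for s in S}}  # saturating increment

# Syntax, as tuples keyed by the thesis's constructor strings:
#   expressions: "true", "false", a PRIM_EXP name, ("CndExp", e, e1, e2),
#                ("ChExp", e1, e2)
#   commands:    "dummy", a PRIM_CMD name, ("CndCmd", e, c1, c2),
#                ("SeqCmd", c1, c2), ("WCmd", e, c), ("RWCmd", c, e), ("ChCmd", c1, c2)


def subterms(t):
    """t together with all its subterms (expressions and commands alike)."""
    out = {t}
    if isinstance(t, tuple):
        for x in t[1:]:
            out |= subterms(x)
    return out


def lfp(step):
    """Least set w with step(w) <= w: the 'least closed set' of the definitions."""
    w = frozenset()
    while True:
        nxt = w | step(w)
        if nxt == w:
            return w
        w = nxt


def exp_sem(terms):
    """ExpSem restricted to terms: least set of (e, s, v) closed under ExpSemCls."""
    def step(w):
        new = set()
        for e in terms:
            if e == "true":
                new |= {(e, s, 1) for s in S}
            elif e == "false":
                new |= {(e, s, 0) for s in S}
            elif e in PRIM_EXP:
                new |= {(e, s, v) for s, v in PRIM_EXP[e]}
            elif isinstance(e, tuple) and e[0] == "CndExp":
                _, e0, e1, e2 = e
                for s, v in product(S, B):          # the two CndExp conjuncts
                    if (e0, s, 1) in w and (e1, s, v) in w:
                        new.add((e, s, v))
                    if (e0, s, 0) in w and (e2, s, v) in w:
                        new.add((e, s, v))
            elif isinstance(e, tuple) and e[0] == "ChExp":
                for x in e[1:]:                     # the ChExp conjunct of 4.2.5
                    new |= {(e, s, v) for y, s, v in w if y == x}
        return new
    return lfp(step)


def cmd_sem(terms, esem):
    """CmdSem restricted to terms: least set of (c, r, t) closed under CmdSemCls."""
    def step(w):
        new = set()
        for c in terms:
            if c == "dummy":
                new |= {(c, t, t) for t in S}
            elif c in PRIM_CMD:
                new |= {(c, r, t) for r, t in PRIM_CMD[c]}
            elif isinstance(c, tuple) and c[0] in ("SeqCmd", "CndCmd", "WCmd",
                                                   "RWCmd", "ChCmd"):
                k = c[0]
                for r, s, t in product(S, S, S):
                    if k == "SeqCmd" and (c[1], r, s) in w and (c[2], s, t) in w:
                        new.add((c, r, t))
                    elif k == "CndCmd":
                        e, c1, c2 = c[1:]
                        if (e, r, 1) in esem and (c1, r, s) in w:
                            new.add((c, r, s))
                        if (e, r, 0) in esem and (c2, r, s) in w:
                            new.add((c, r, s))
                    elif k == "WCmd":               # exit when e is 0, else iterate
                        e, c1 = c[1:]
                        if (e, r, 0) in esem:
                            new.add((c, r, r))
                        if (e, r, 1) in esem and (c1, r, s) in w and (c, s, t) in w:
                            new.add((c, r, t))
                    elif k == "RWCmd":              # run c1 first, then test e
                        c1, e = c[1:]
                        if (e, s, 0) in esem and (c1, r, s) in w:
                            new.add((c, r, s))
                        if (e, s, 1) in esem and (c1, r, s) in w and (c, s, t) in w:
                            new.add((c, r, t))
                    elif k == "ChCmd" and ((c[1], r, s) in w or (c[2], r, s) in w):
                        new.add((c, r, s))
        return new
    return lfp(step)


def exp_rel(e):
    """ExpSem[e] = {<s,v> | <e,s,v>:ExpSem}, the thesis's abbreviation."""
    return frozenset((s, v) for x, s, v in exp_sem(subterms(e)) if x == e)


def cmd_rel(c):
    """The state relation {<r,t> | <c,r,t>:CmdSem} denoted by command c."""
    terms = subterms(c)
    return frozenset((r, t) for x, r, t in cmd_sem(terms, exp_sem(terms)) if x == c)


def theorem_4_2_4_1(c, e):
    """<c,e,RWCmd> and <c,<e,c,WCmd>,SeqCmd> denote the same state relation."""
    return cmd_rel(("RWCmd", c, e)) == cmd_rel(("SeqCmd", c, ("WCmd", e, c)))


def is_functional(rel):
    """True when no initial state is related to two final states."""
    firsts = [r for r, _ in rel]
    return len(firsts) == len(set(firsts))
```

A non-terminating loop such as ("WCmd", "true", "inc") gets the empty relation, which is the relational counterpart of the missing bottom element noted in 4.2.3.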
Of course such theories are primarily concerned with computation and such representations may be necessary. On the other hand, the way programming semantics are defined and used in NaDSet makes the use of this type of construction unnecessary, in general. Nevertheless, a type of semantics similar to powerdomain semantics can also be defined within NaDSet. If T is any second order term, the term that corresponds to the powerset of T is defined:

$P[T]$ for $\{z \mid [\forall x:z]\,x:T\}$

As an illustration, consider the set of boolean values B defined in section 4.2.2. If an expression is viewed as a function from S to the powerset of B, $P[B]$, its semantics can be defined as follows.

$ExpSemCls$ for $\{w \mid [\forall s:S]\,\langle true,s,\{x \mid x = 1\}\rangle:w$
$\wedge\ [\forall s:S]\,\langle false,s,\{x \mid x = 0\}\rangle:w$
$\wedge\ [\forall e,e_1,e_2:Exp][\forall s:S][\forall u,v:P[B]](\langle e,s,u\rangle:w \wedge 1:u \wedge \langle e_1,s,v\rangle:w \supset \langle\langle e,e_1,e_2,CndExp\rangle,s,v\rangle:w)$
$\wedge\ [\forall e,e_1,e_2:Exp][\forall s:S][\forall u,v:P[B]](\langle e,s,u\rangle:w \wedge 0:u \wedge \langle e_2,s,v\rangle:w \supset \langle\langle e,e_1,e_2,CndExp\rangle,s,v\rangle:w)$
$\wedge\ [\forall e_1,e_2:Exp][\forall s:S][\forall v_1,v_2:P[B]](\langle e_1,s,v_1\rangle:w \wedge \langle e_2,s,v_2\rangle:w \supset \langle\langle e_1,e_2,ChExp\rangle,s,\{x \mid x:v_1 \vee x:v_2\}\rangle:w)$
$\wedge\ [\forall e][\forall s:S][\forall v_1,v_2:P[B]](\langle e,s,v_1\rangle:w \wedge v_1 =_e v_2 \supset \langle e,s,v_2\rangle:w)\}$
$ExpSem$ for $\{\langle e,s,v\rangle \mid [\forall w:ExpSemCls]\,\langle e,s,v\rangle:w\}$

Naturally, the extensional identity, $=_e$, has to be used in reasoning with this type of semantics. The corresponding command semantics can be defined in a similar way.

We conclude this chapter with some general remarks and guidelines on the use of NaDSet recursive definitions in a type of reasoning that corresponds to traditional structural induction.

4.3  REMARKS ON THE USE OF RECURSIVE DEFINITIONS

In the previous section, recursive definitions have been extensively employed in defining a formal semantics of a simple programming language within NaDSet.
The set of expressions, commands and their semantics are given by NaDSet terms that formalize specific recursive definitions. Subsequently, these definitions were used to prove various arguments about the sets they define. A careful examination of these proofs reveals that in general a type of reasoning that resembles traditional induction can be carried out with such definitions. The present section makes an effort to outline the main elements of such reasoning.

In general, a recursive set RS is defined in NaDSet by a recursive definition of the form

$RSCls$ for $\{z \mid St_1 \wedge St_2 \wedge \ldots \wedge St_n\}$
$RS$ for $\{t \mid [\forall z:RSCls]\,t:z\}$

where t is a first order term with free variables $\bar v$, z is usually a variable and $St_i$, $1 \le i \le n$, are NaDSet sentences. Informally, since RS is a recursively defined set, it is generated from some basic elements via the use of some generators (constructors or operators). The sentences $St_1$ to $St_n$ define exactly how the elements of the set are generated by the constructors. Therefore, the first definition defines all the sets that are closed under the operations defined by the constructors, while the second one defines the minimum such set.

Let $\Sigma$ be a derivable sequent containing a sentence in which RS occurs. Some typical cases of the use of the definition of RS in deriving $\Sigma$ are discussed below. The derivations shown in the following cases must be considered as tentative derivations; they may not always be feasible. Nevertheless, they outline the patterns of the derivations presented in the present and the next chapter of the thesis.

4.3.1  First Case: Simple induction

Let $\Sigma$ be the sequent

$\Gamma \to [\forall x:RS]\,\Psi,\ \Delta$

where $\Gamma$ and $\Delta$ are sequences of closed formulae and $\Psi$ is a formula with x its only free variable. In this case a derivation of $\Sigma$ can be constructed from a derivation of the sequent

(i) $\Gamma \to \{x \mid \Psi\}:RSCls,\ \Delta$

as follows.
$[[\bar p/\bar v]t/x]\Psi \to [[\bar p/\bar v]t/x]\Psi$
${*}[\bar p/\bar v]t:\{x \mid \Psi\} \to [[\bar p/\bar v]t/x]\Psi$
(i) $\Gamma \to \{x \mid \Psi\}:RSCls,\ \Delta$
$\Gamma,\ {*}[\forall z:RSCls]([\bar p/\bar v]t:z) \to [[\bar p/\bar v]t/x]\Psi,\ \Delta$
$\Gamma,\ {*}[\bar p/\bar v]t:RS \to [[\bar p/\bar v]t/x]\Psi,\ \Delta$
$\Gamma \to {*}[\forall x:RS]\,\Psi,\ \Delta$

Informally, this states that if under the assumptions $\Gamma$ the set of elements that satisfy $\Psi$ is closed under the generators of RS, then every element of the minimum set closed under the generators of RS satisfies $\Psi$ under the same assumptions. Finally, the derivation of the sequent $\Gamma \to \{x \mid \Psi\}:RSCls$ mirrors the traditional structural induction used in mathematics: to show that $\{x \mid \Psi\}:RSCls$ is derivable under the assumptions $\Gamma$, it is necessary to show that $\{x \mid \Psi\}$ satisfies the sentences $St_1$ to $St_n$ or, equivalently, that $\Psi$ is satisfied by the basic elements of RS and is preserved by the generators of RS, under the same assumptions. Similar remarks apply to a sequent of the form $[\exists x:RS]\,\Psi \to \Delta$ or of the form $\Gamma \to [\forall x:RS]\,\Psi,\ \Delta$ and $\Gamma,\ [\exists x:RS]\,\Psi \to \Delta$.

4.3.1.1  Example

Consider the set of natural numbers:

$NCls$ for $\{z \mid 0:z \wedge \forall u(u:z \supset \{u\}:z)\}$
$N$ for $\{x \mid [\forall z:NCls]\,x:z\}$

where

$0$ for $\{u \mid \neg u = u\}$
$\{t\}$ for $\{v \mid v = t\}$.

Suppose that $<$ is defined. To show that $\to [\forall x:N](x < \{x\})$ is derivable it is necessary to show that $\to \{x \mid x < \{x\}\}:NCls$ is derivable, which in turn requires the derivation of $\to 0 < \{0\}$ and of $\to \forall u(u < \{u\} \supset \{u\} < \{\{u\}\})$. The following example shows that the same technique can be applied in cases in which RS does occur in $\Psi$.

4.3.1.2  Example

Recall the definition of expressions given in section 4.2.1.1:

$ExpCls$ for $\{z \mid true:z \wedge false:z \wedge [\forall u,v,w:z]\,\langle u,v,w,CndExp\rangle:z\}$
$Exp$ for $\{e \mid [\forall z:ExpCls]\,e:z\}$

The derivation of the sequent of lemma 4.2.1.1.1 follows the general pattern discussed here. Specifically, in order to show that the sequent

$\to {*}[\forall x:Exp](x = true \vee x = false \vee [\exists u,v,w:Exp]\,x = \langle u,v,w,CndExp\rangle)$

is derivable, it was necessary to derive

(a) $\to \{x \mid x = true \vee x = false \vee [\exists u,v,w:Exp]\,x = \langle u,v,w,CndExp\rangle\}:ExpCls$.

In this case, $\Psi$ is the formula $x = true \vee x = false \vee [\exists u,v,w:Exp]\,x = \langle u,v,w,CndExp\rangle$ and the derivation of sequent (a) is a proof of $\Psi$ by structural induction on the expression x.

4.3.2  Second Case

Let $\Sigma$ be the sequent $\Gamma,\ [\bar s/\bar v]t:RS \to \Delta$ where $\bar s$ is a sequence of constant first order terms of length equal to that of $\bar v$. In this case it is sufficient to show that the term $\{t \mid t:RS \wedge (t = [\bar s/\bar v]t \supset \Psi)\}$ is closed under the RS-generators. More specifically, a derivation of $\Sigma$ can be constructed from a derivation of the sequent

(i) $\Gamma \to \{t \mid t:RS \wedge (t = [\bar s/\bar v]t \supset \Psi)\}:RSCls,\ \Delta$

as follows.

$\Psi \to \Psi$
$\to [\bar s/\bar v]t = [\bar s/\bar v]t$
${*}([\bar s/\bar v]t = [\bar s/\bar v]t \supset \Psi) \to \Psi$
$[\bar s/\bar v]t:RS,\ ([\bar s/\bar v]t = [\bar s/\bar v]t \supset \Psi) \to \Psi$  (thinning)
${*}[\bar s/\bar v]t:\{t \mid t:RS \wedge (t = [\bar s/\bar v]t \supset \Psi)\} \to \Psi$
(i) $\Gamma \to \{t \mid t:RS \wedge (t = [\bar s/\bar v]t \supset \Psi)\}:RSCls,\ \Delta$
$\Gamma,\ {*}[\forall z:RSCls]([\bar s/\bar v]t:z) \to \Delta$
$\Gamma,\ {*}[\bar s/\bar v]t:RS \to \Delta$

The rationale of this proof can be described as follows. Note that the term $\{t \mid t:RS \wedge (t = [\bar s/\bar v]t \supset \Psi)\}$, used as the eigenterm for z in the previous derivation, defines the (largest) subset of RS that satisfies the property $(t = [\bar s/\bar v]t \supset \Psi)$. Therefore, if this subset of RS is closed under the RS-generators (i.e. it is a member of RSCls), it is coextensional to RS, since the latter is the smallest such set (closed under the RS-generators).

4.3.2.1  Example

The derivation of the sequent (b) in the proof of lemma 4.2.2.1 demonstrates this type of reasoning using the recursively defined term ExpSem. In order to prove the sequent

$p:Exp,\ p_1:Exp,\ p_2:Exp,\ t:S,\ u:B,\ \langle\langle p,p_1,p_2,CndExp\rangle,t,u\rangle:ExpSem \to ((\langle p,t,1\rangle:ExpSem \wedge \langle p_1,t,u\rangle:ExpSem) \vee (\langle p,t,0\rangle:ExpSem \wedge \langle p_2,t,u\rangle:ExpSem))$

the term T defined to be

$\{\langle x,s,v\rangle \mid \langle x,s,v\rangle:ExpSem \wedge [\forall a,a_1,a_2:Exp](x = \langle a,a_1,a_2,CndExp\rangle \supset ((\langle a,s,1\rangle:ExpSem \wedge \langle a_1,s,v\rangle:ExpSem) \vee (\langle a,s,0\rangle:ExpSem \wedge \langle a_2,s,v\rangle:ExpSem)))\}$

is used as the eigenterm for z, and the sequent

$\to T:ExpSemCls$

had to be derived first.
In this example T has a more general form than the corresponding eigenterm in 4.3.2, but the similarity is transparent. Nevertheless, the term

{<x,s,v> | <x,s,v>:ExpSem ∧ (<x,s,v>=<<p,p1,p2,CndExp>,t,u> ⊃ ((<p,s,1>:ExpSem ∧ <p1,s,v>:ExpSem) ∨ (<p,s,0>:ExpSem ∧ <p2,s,v>:ExpSem)))}

could be used as well.

4.3.2.2  Example

A similar argument is used in the derivation of sequent (b) in the proof of lemma 4.2.3.1, where the definition of the command semantics, CmdSem, is used. There, in order to derive the sequent

e:Exp, c:Cmd, r:S, t:S, <<e,c,WCmd>,r,t>:CmdSem, W:WCls[e,c] → <r,t>:W

the term {<x,y,z> | <x,y,z>:CmdSem ∧ (x=<e,c,WCmd> ⊃ <y,z>:W)} was used as the eigenterm, and the corresponding sequent

(c) e:Exp, c:Cmd, W:WCls[e,c] → T:CmdSemCls

which expresses its closedness with respect to CmdSem, was derived in subsection 4.2.3.1.2.1 of the proof.

4.3.3  Third Case

Σ is the sequent Γ, [r/v]t:RS → [s/v]t:RS, Δ, where each of r, s is a sequence of constant first order terms of length equal to that of v. A derivation of Σ can be obtained as follows.

[s/v]t:Z → [s/v]t:Z
→ [r/v]t=[r/v]t
*([r/v]t=[r/v]t ⊃ [s/v]t:Z) → [s/v]t:Z
[r/v]t:Z, ([r/v]t=[r/v]t ⊃ [s/v]t:Z) → [s/v]t:Z   (thinning)
*[r/v]t:{t | t:Z ∧ (t=[r/v]t ⊃ [s/v]t:Z)} → [s/v]t:Z
(iii) Γ, Z:RSCls → {t | t:Z ∧ (t=[r/v]t ⊃ [s/v]t:Z)}:RSCls, Δ
Γ, *[∀z:RSCls]([r/v]t:z), Z:RSCls → [s/v]t:Z, Δ
Γ, [∀z:RSCls]([r/v]t:z) → *[∀z:RSCls]([s/v]t:z), Δ
Γ, *[r/v]t:RS → *[s/v]t:RS, Δ

where Z is a second order parameter. Sequent (iii) has to be derived to complete the proof of Σ. The meticulous reader may have already noticed the similarities of this with the second case. Indeed, the only difference is the introduction of the second order parameter Z, which replaces the occurrence of RS in the eigenterm for z. Moreover, a similar informal justification for the argument carries over to this case as well.
4.3.3.1  Example

In section 5.4 of the next chapter, the derivation of sentence (5) of lemma 5.4.3 uses the type of argument discussed here. Specifically, the recursively defined term used there is the term Cnv, which defines the λ-conversion relation over the λ-calculus terms. A proof of the sequent

g:Asgn[D,≈], w:Lterm, v:Lterm, w1:Lterm, v1:Lterm, <w,w1>:ASubst[g], <v,v1>:ASubst[g], <w,v>:Cnv → <w1,v1>:Cnv

is obtained from a proof of the sequent

(a) g:Asgn[D,≈], Z:CnvCls → T:CnvCls

where Z is a second order parameter and T is the term

{<w,v> | [∀w1,v1:Lterm](<w,w1>:ASubst[g] ∧ <v,v1>:ASubst[g] ⊃ <w1,v1>:Z)}.

The reader can easily verify the similarities by examining the main segment of this derivation, which is repeated here for convenience:

<w,w1>:ASubst[g] → <w,w1>:ASubst[g]
<v,v1>:ASubst[g] → <v,v1>:ASubst[g]
<w1,v1>:Z → <w1,v1>:Z
<w,w1>:ASubst[g], <v,v1>:ASubst[g], *(<w,w1>:ASubst[g] ∧ <v,v1>:ASubst[g] ⊃ <w1,v1>:Z) → <w1,v1>:Z
w1:Lterm → w1:Lterm
v1:Lterm → v1:Lterm   (thinning)
w:Lterm, v:Lterm, w1:Lterm, v1:Lterm, <w,w1>:ASubst[g], <v,v1>:ASubst[g], *[∀w1,v1:Lterm](<w,w1>:ASubst[g] ∧ <v,v1>:ASubst[g] ⊃ <w1,v1>:Z) → <w1,v1>:Z
w:Lterm, v:Lterm, w1:Lterm, v1:Lterm, <w,w1>:ASubst[g], <v,v1>:ASubst[g], *<w,v>:T → <w1,v1>:Z
(a) g:Asgn[D,≈], Z:CnvCls → T:CnvCls
g:Asgn[D,≈], w:Lterm, v:Lterm, w1:Lterm, v1:Lterm, Z:CnvCls, <w,w1>:ASubst[g], <v,v1>:ASubst[g], *[∀z:CnvCls]<w,v>:z → <w1,v1>:Z
g:Asgn[D,≈], w:Lterm, v:Lterm, w1:Lterm, v1:Lterm, <w,w1>:ASubst[g], <v,v1>:ASubst[g], [∀z:CnvCls]<w,v>:z → *[∀z:CnvCls]<w1,v1>:z
g:Asgn[D,≈], w:Lterm, v:Lterm, w1:Lterm, v1:Lterm, <w,w1>:ASubst[g], <v,v1>:ASubst[g], *<w,v>:Cnv → *<w1,v1>:Cnv

4.3.4  General Case

In the general case, the sequent Σ may contain multiple occurrences of RS in its antecedent and its succedent.
Some forms of the current case can be perceived as the NaDSet representations of the traditional double- or multiple-induction arguments. In a bottom-up construction of a derivation of Σ the objective is to reduce Σ to a sequent (or sequents) in which RS does not occur (it has been replaced by a second order parameter or a term). The procedure frequently adopted in this case is a combination of the following two general directions. The first is to use lemmas already proved and to eliminate or reduce the occurrences of RS using the cut rule. The other method opts for consecutive repetitions of the procedures outlined in the three special cases discussed above. Nevertheless, the rationale of any of the methods can be recapitulated by the following informal argument. Let Φ be a property of x (i.e. a sentence with a free variable x). To show that RS satisfies Φ, it is sufficient to show that for any set Z that is closed under the generators of RS, the subset of Z whose elements satisfy Φ is also closed under the RS-generators. A proof of the latter implies that every element of the minimum closed set necessarily satisfies Φ. Usually Z is the set RS itself or a second order parameter, but the form of its subset mentioned above depends not only on the form of Φ but also on the positions in Φ at which the variable x occurs. The proofs of the lemmas and theorems of the following chapter provide excellent illustrations of these ideas.

Chapter V: Lambda Calculus in NaDSet  83

CHAPTER V

The Lambda Calculus in NaDSet

The last two chapters have provided an adequate demonstration of the advantages and significance of the type of abstraction provided by the logic NaDSet in formalizing concrete mathematical theories. The present chapter, then, demonstrates how a formal theory like the theory of the lambda calculus can be defined within NaDSet.
The theory of lambda conversion, or simply lambda calculus, developed by Church [Church41], not only has had a great influence on the development of the theory of computation but is also the first consistent theory that offers abstraction and allows the formation of self-referential terms. Of course, the lambda calculus does not provide any formalization of quantification. This is exactly what NaDSet has managed to combine [Gilmore80]. Of course, NaDSet terms are different, more general than the lambda terms; NaDSet aims at a broader spectrum than just formalizing computation. On the other hand, the full λ-calculus (which includes η-conversion) is an extensional theory while NaDSet is an intensional one. Therefore, providing a treatment of the theory of lambda conversion within NaDSet is not only an interesting task per se, but it also provides an additional illustration of the value of NaDSet for some computer science problems. Section 5 of [Gilmore86] presents an approach for simulating β-reduction in first order NaDSet through the use of definite descriptions. Although descriptions may be needed to express some concepts of this type in the first order version of the theory, the final version of (second order) NaDSet does not face such limitations. The availability of full induction, i.e. the ability to provide recursive definitions by abstraction terms (as discussed in the previous chapter), implies that a more direct definition of the lambda calculus is possible. To that extent, well-formed λ-terms, variable substitution, λ-conversion and most of the basic concepts of the theory are naturally given by terms that resemble the traditional recursive definitions found in any λ-calculus textbook [Barendregt81, Hindley&Seldin86]. Nevertheless, the present chapter undertakes a further exposition than a simple definition of λ-calculus conversion in NaDSet.
In keeping with the method of defining programming semantics illustrated in the previous chapter, the basic concepts of λ-calculus model theory are defined as well. Three definitions of a lambda calculus model are presented, each highlighting a different part of the overall picture [Hindley&Seldin86]. Finally, Church's term model of the theory is constructed and it is shown to satisfy each one of the given definitions of a model. Much of the work of this chapter appears in [Gilmore&Tsiknis91a].

5.1  WELL-FORMED TERMS OF THE λ-CALCULUS

A set of terms of NaDSet will be defined to be the set Lterm of well-formed terms of the lambda calculus. It is first necessary, however, to define the variables and constants of the calculus.

5.1.1  Variables and Constants

The variables and constants of the calculus, called lambda variables and parameters (or briefly Lvariables and Lconstants), are not those of NaDSet. Denumerably many distinct terms of NaDSet are chosen to be Lvariables, and denumerably many distinct terms, distinct from the Lvariables, are chosen as the Lconstants. Since arithmetic can be developed within NaDSet, the non-zero even integers will be defined to be the Lvariables and the odd integers to be the Lconstants:

Lvar for {2n | n:N ∧ n > 0}
Lcon for {2n+1 | n:N}

The integer 0 will be reserved to represent the symbol λ:

λ for 0

5.1.2  Lambda Terms

As was the case with the recursive definitions given in the previous chapter, the recursive definitions will be given in two steps. The following definition of Lterm is typical:

LtermCls for {z | [∀u:Lvar]u:z ∧ [∀u:Lcon]u:z ∧ [∀w1,w2:z]<w1,w2>:z ∧ [∀w:z][∀x:Lvar]<<λ,x>,w>:z}
Lterm for {w | [∀z:LtermCls]w:z}

Next it is necessary to define Free, a set of pairs the first element of which is a variable with a free occurrence in the term that is the second element of the pair.
FreeCls for {z | [∀v:Lvar]<v,v>:z
  ∧ [∀w1,w2:Lterm][∀v:Lvar](<v,w1>:z ∨ <v,w2>:z ⊃ <v,<w1,w2>>:z)
  ∧ [∀w:Lterm][∀v,x:Lvar](<v,w>:z ∧ v≠x ⊃ <v,<<λ,x>,w>>:z)}
Free for {<v,w> | [∀z:FreeCls]<v,w>:z}

The following is a convenient notation:

Free[w] for {v | <v,w>:Free}

The definition of variable and the ordering on the integers permit the following definition:

FirstNotFree[w] for {v | ¬v:Free[w] ∧ [∀u](¬u:Free[w] ⊃ v ≤ u)}

The following definition of !Free[w] is the set of all Lvariables if w is an Lterm with no free variables, and is the singleton set {v} if v is the only Lvariable with a free occurrence in w:

!Free[w] for {v | [∀x:Lvar](<x,w>:Free ⊃ v=x)}

A closed Lterm is an Lterm in which no variable has a free occurrence:

CLterm for {w | w:Lterm ∧ [∀v:Lvar]¬<v,w>:Free}

The occurrence of a constant in a term is also needed in some of the subsequent sections. Therefore, Coccur is defined to be the set of pairs whose first element is a constant occurring in the term that is the second element of the pair.

CoccurCls for {z | [∀c:Lcon]<c,c>:z
  ∧ [∀w1,w2:Lterm][∀c:Lcon](<c,w1>:z ∨ <c,w2>:z ⊃ <c,<w1,w2>>:z)
  ∧ [∀w:Lterm][∀x:Lvar][∀c:Lcon](<c,w>:z ⊃ <c,<<λ,x>,w>>:z)}
Coccur for {<c,w> | [∀z:CoccurCls]<c,w>:z}

In addition, the convenient notation

Coccur[w] for {c | <c,w>:Coccur}

is used, and the first constant not occurring in a term is given by the following definition:

FirstCNotIn[w] for {c | ¬c:Coccur[w] ∧ [∀u](¬u:Coccur[w] ⊃ c ≤ u)}.

5.1.3  Substitution

Lastly, it is necessary to define recursively the set of quadruples <w,x,w1,w2> for which the term w2 is the result of replacing every free occurrence of the Lvariable x in the term w1 with the term w, with changes of bound variables made to prevent clashes of free and bound variables.
The definition follows that of definition 1.11 of [Hindley&Seldin86], which in turn follows that of [Curry&Feys58].

SubstCls for {z | [∀w:Lterm][∀x:Lvar](
  [∀y:Lvar]((x=y ⊃ <w,x,y,w>:z) ∧ (x≠y ⊃ <w,x,y,y>:z))
  ∧ [∀c:Lcon]<w,x,c,c>:z
  ∧ [∀w1,w2,w3,w4:Lterm](<w,x,w1,w3>:z ∧ <w,x,w2,w4>:z ⊃ <w,x,<w1,w2>,<w3,w4>>:z)
  ∧ [∀w2:Lterm]<w,x,<<λ,x>,w2>,<<λ,x>,w2>>:z
  ∧ [∀y:Lvar][∀w1,w2:Lterm](<w,x,w1,w2>:z ∧ y≠x ∧ (¬y:Free[w] ∨ ¬x:Free[w1]) ⊃ <w,x,<<λ,y>,w1>,<<λ,y>,w2>>:z)
  ∧ [∀y:Lvar][∀w1,w2,w3:Lterm][∀z:FirstNotFree[<w,w1>]](<z,y,w1,w2>:z ∧ <w,x,w2,w3>:z ∧ y≠x ∧ y:Free[w] ∧ x:Free[w1] ⊃ <w,x,<<λ,y>,w1>,<<λ,z>,w3>>:z))}
Subst for {<w,v,w1,w2> | [∀z:SubstCls]<w,v,w1,w2>:z}

The next theorem expresses the basic properties of substitution. The derivation of each sequent of the theorem involves a straightforward application of the recursive definition of substitution and is left as an exercise to the reader.

5.1.3.1  Theorem

The following sentences are derivable.

(1) [∀w,u:Lterm][∀x:Lvar][∃v:Lterm]<u,x,w,v>:Subst
(2) [∀w:Lterm][∀u:CLterm][∀x:Lvar](x:!Free[w] ⊃ [∃v:CLterm]<u,x,w,v>:Subst)
(3) [∀w,v:Lterm][∀u:CLterm][∀x:Lvar](x:!Free[w] ∧ <u,x,w,v>:Subst ⊃ v:CLterm)
(4) [∀w:Lterm][∀x:Lvar]<x,x,w,w>:Subst
(5) [∀w,u:Lterm][∀x:Lvar](¬x:Free[w] ⊃ <u,x,w,w>:Subst)
(6) [∀w,u,v:Lterm][∀x:Lvar](x:Free[w] ∧ <u,x,w,v>:Subst ⊃ [∀y:Lvar](y:Free[v] ≡ y:Free[u] ∨ (y:Free[w] ∧ y≠x)))
(7) [∀w,w1,w2,w3,u,v,v1:Lterm][∀x,y:Lvar](¬y:Free[w] ∧ <y,x,w,w1>:Subst ∧ <u,x,w,w2>:Subst ⊃ <u,y,w1,w2>:Subst)
(8) [∀w,w1,v:Lterm][∀x,y:Lvar](¬y:Free[w] ∧ <y,x,w,w1>:Subst ⊃ <x,y,w1,w>:Subst)
(9) [∀w,w1,w2,w3,u,v,v1:Lterm][∀x,y:Lvar](¬y:Free[w] ∧ <v,y,w,w1>:Subst ∧ <u,x,w,w2>:Subst ∧ <u,x,v,v1>:Subst ∧ <v1,y,w2,w3>:Subst ⊃ <u,x,w1,w3>:Subst)
(10) [∀w,w1,w2,w3,u,v:Lterm][∀x,y:Lvar](¬y:Free[u] ∧ ¬x:Free[v] ∧ <v,y,w,w1>:Subst ∧ <u,x,w,w2>:Subst ∧ <v,y,w2,w3>:Subst ⊃ <u,x,w1,w3>:Subst)
(11) [∀w,w1,w2,w3,u,v,v1:Lterm][∀x:Lvar](<v,x,w,w1>:Subst ∧ <u,x,v,v1>:Subst ∧ <v1,x,w,w2>:Subst ⊃ <u,x,w1,w2>:Subst).

In one of the following subsections another type of substitution is required as well. The term CSubst is like Subst, with the difference that a constant rather than a variable is replaced by a term. It is given by the following term.

CSubstCls for {z | [∀w:Lterm][∀c:Lcon](
  [∀d:Lcon]((c=d ⊃ <w,c,d,w>:z) ∧ (c≠d ⊃ <w,c,d,d>:z))
  ∧ [∀x:Lvar]<w,c,x,x>:z
  ∧ [∀w1,w2,w3,w4:Lterm](<w,c,w1,w3>:z ∧ <w,c,w2,w4>:z ⊃ <w,c,<w1,w2>,<w3,w4>>:z)
  ∧ [∀x:Lvar][∀w1,w2:Lterm](¬x:Free[w] ∧ <w,c,w1,w2>:z ⊃ <w,c,<<λ,x>,w1>,<<λ,x>,w2>>:z)
  ∧ [∀x:Lvar][∀w1,w2,w3:Lterm][∀y:FirstNotFree[<w,w1>]](x:Free[w] ∧ <y,x,w1,w2>:Subst ∧ <w,c,w2,w3>:z ⊃ <w,c,<<λ,x>,w1>,<<λ,y>,w3>>:z))}
CSubst for {<w,c,w1,w2> | [∀z:CSubstCls]<w,c,w1,w2>:z}

5.1.3.2  Remark

Several properties of the set CSubst that are analogous to the properties stated in the previous theorem are assumed to be derivable for the rest of the chapter.

5.1.4  Change of Bound Variables

The bound variable variant terms are given by the following definition, which also implies the subsequent lemma.

BvvCls for {z | [∀v:Lvar]<v,v>:z ∧ [∀c:Lcon]<c,c>:z
  ∧ [∀w1,w2,w3,w4:Wff](<w1,w3>:z ∧ <w2,w4>:z ⊃ <<w1,w2>,<w3,w4>>:z)
  ∧ [∀x,y:Lvar][∀w1,w2,w3:Wff](<<<λ,x>,w1>,<<λ,x>,w1>>:z
    ∧ (¬y:Free[w1] ∧ <y,x,w1,w2>:Subst ∧ <w2,w3>:z ⊃ <<<λ,x>,w1>,<<λ,y>,w3>>:z))}
Bvv for {<w1,w2> | [∀z:BvvCls]<w1,w2>:z}.
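As an added example, not part of the thesis, the encoding of λ-terms just given (Lvar, Lcon, λ as 0, pairs) together with the definitions of Free, FirstNotFree, Subst and Bvv are rendered below as Python functions; the block goes beyond this section by also carrying out the β-step of clause (5) of CnvCls from section 5.2 and building the eigenterms k, s and e of section 5.5 (x, y, z = 2, 4, 6). The tuple representation and all function names are this example's own assumptions.

```python
LAM = 0  # the symbol lambda is represented by the integer 0

def is_var(w):
    """Lvar: the non-zero even integers."""
    return isinstance(w, int) and w != 0 and w % 2 == 0

def is_con(w):
    """Lcon: the odd integers."""
    return isinstance(w, int) and w % 2 == 1

def is_abs(w):
    """<<lambda,x>,body>: the pair (0, x) is not an Lterm, so no application looks like this."""
    return (isinstance(w, tuple) and isinstance(w[0], tuple)
            and w[0][0] == LAM and is_var(w[0][1]))

def free(w):
    """Free[w]: the Lvariables with a free occurrence in w (FreeCls)."""
    if is_var(w):
        return {w}
    if is_con(w):
        return set()
    if is_abs(w):
        return free(w[1]) - {w[0][1]}
    return free(w[0]) | free(w[1])

def first_not_free(w):
    """FirstNotFree[w]: the least Lvariable with no free occurrence in w."""
    v = 2
    while v in free(w):
        v += 2
    return v

def subst(w, x, target):
    """The w2 with <w,x,target,w2>:Subst: target with every free occurrence of
    the Lvariable x replaced by w, bound variables renamed to avoid capture
    (the clauses of SubstCls, after definition 1.11 of Hindley and Seldin)."""
    if is_var(target):
        return w if target == x else target
    if is_con(target):
        return target
    if not is_abs(target):  # application <w1,w2>: substitute in both parts
        return (subst(w, x, target[0]), subst(w, x, target[1]))
    y, w1 = target[0][1], target[1]
    if y == x:  # x is bound here, so the body has no free occurrence of x
        return target
    if y not in free(w) or x not in free(w1):
        return ((LAM, y), subst(w, x, w1))
    # y would capture a free y of w: rename it to FirstNotFree[<w,w1>] first
    z = first_not_free((w, w1))
    return ((LAM, z), subst(w, x, subst(z, y, w1)))

def bvv(u, v):
    """<u,v>:Bvv: u and v differ only in the names of bound variables."""
    if is_var(u) or is_con(u) or is_var(v) or is_con(v):
        return u == v
    if is_abs(u) != is_abs(v):
        return False
    if not is_abs(u):  # applications: compare componentwise
        return bvv(u[0], v[0]) and bvv(u[1], v[1])
    x, w1 = u[0][1], u[1]
    y, w3 = v[0][1], v[1]
    if x == y:
        return bvv(w1, w3)
    # last clause of BvvCls: y not free in w1 and w1[y/x] is a variant of w3
    return y not in free(w1) and bvv(subst(y, x, w1), w3)

def beta_step(w):
    """One leftmost-outermost beta step (clause (5) of CnvCls), or None."""
    if is_var(w) or is_con(w):
        return None
    if is_abs(w):
        r = beta_step(w[1])
        return None if r is None else ((LAM, w[0][1]), r)
    f, a = w
    if is_abs(f):  # redex <<<lambda,x>,body>,a>
        return subst(a, f[0][1], f[1])
    r = beta_step(f)
    if r is not None:
        return (r, a)
    r = beta_step(a)
    return None if r is None else (f, r)

def normalize(w, fuel=1000):
    """Beta-normal form of w, or an error if fuel steps do not reach one."""
    for _ in range(fuel):
        r = beta_step(w)
        if r is None:
            return w
        w = r
    raise RuntimeError("no beta-normal form within the step bound")

# The eigenterms of section 5.5, with x, y, z the Lvariables 2, 4, 6:
# k = lambda x.lambda y.x,  s = lambda x.lambda y.lambda z.(x z)(y z),  e = lambda x.lambda y.x y
K = ((LAM, 2), ((LAM, 4), 2))
S = ((LAM, 2), ((LAM, 4), ((LAM, 6), ((2, 6), (4, 6)))))
E = ((LAM, 2), ((LAM, 4), (2, 4)))
```

With constants 3, 5, 7 as arguments, normalize(((K, 3), 5)) returns 3 and normalize((((S, 3), 5), 7)) returns ((3, 7), (5, 7)), while bvv(normalize((E, E)), E) holds, which is the content of sentences (8), (9) and (13) of the Scott-Meyer axioms for the term model.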
5.1.4.1  Lemma

The sentences

(1) [∀x:Lvar][∀w:Wff](<x,w>:Bvv ≡ w=x)
(2) [∀c:Lcon][∀w:Wff](<c,w>:Bvv ≡ w=c)
(3) [∀w1,w2,w3:Wff](<<w1,w2>,w3>:Bvv ≡ [∃w4,w5:Wff](w3=<w4,w5> ∧ <w1,w4>:Bvv ∧ <w2,w5>:Bvv))
(4) [∀x:Lvar][∀w1,w2:Wff](<<<λ,x>,w1>,w2>:Bvv ≡ [∃y:Lvar][∃w3,w4:Wff](w2=<<λ,y>,w4> ∧ ¬y:Free[w1] ∧ <y,x,w1,w3>:Subst ∧ <w3,w4>:Bvv))

are derivable.

The next theorem, whose proof is also straightforward and is omitted, states some useful properties of the bound variable variant terms.

5.1.4.2  Theorem

The following sequents are derivable.

(1) [∀u,v:Wff](<u,v>:Bvv ⊃ [∀x:Lcon](x:Free[u] ≡ x:Free[v]))
(2) [∀w:Wff]<w,w>:Bvv
(3) [∀u,v:Wff](<u,v>:Bvv ⊃ <v,u>:Bvv)
(4) [∀w,u,v:Wff](<w,u>:Bvv ∧ <u,v>:Bvv ⊃ <w,v>:Bvv)
(5) [∀w1,w2,u1,u2,v1,v2:Wff][∀x:Lvar](<w1,w2>:Bvv ∧ <u1,u2>:Bvv ∧ <u1,x,w1,v1>:Subst ∧ <u2,x,w2,v2>:Subst ⊃ <v1,v2>:Bvv)

5.2  THE LAMBDA CONVERSION

The lambda conversion relation defined in this section is the λβη-conversion (or λβη formal theory) presented in chapter six of [Hindley&Seldin86].

CnvCls for {z | [∀w:Lterm]<w,w>:z   (1)
  ∧ [∀w,u:Lterm](<w,u>:z ⊃ <u,w>:z)   (2)
  ∧ [∀w,u,v:Lterm](<w,u>:z ∧ <u,v>:z ⊃ <w,v>:z)   (3)
  ∧ [∀w,u:Lterm][∀x,y:Lvar](¬y:Free[w] ∧ <y,x,w,u>:Subst ⊃ <<<λ,x>,w>,<<λ,y>,u>>:z)   (4)
  ∧ [∀w,u,v:Lterm][∀x:Lvar](<u,x,w,v>:Subst ⊃ <<<<λ,x>,w>,u>,v>:z)   (5)
  ∧ [∀w:Lterm][∀x:Lvar](¬x:Free[w] ⊃ <<<λ,x>,<w,x>>,w>:z)   (6)
  ∧ [∀w,u,v:Lterm](<u,v>:z ⊃ <<w,u>,<w,v>>:z)   (7)
  ∧ [∀w,u,v:Lterm](<w,u>:z ⊃ <<w,v>,<u,v>>:z)   (8)
  ∧ [∀w,u:Lterm][∀x:Lvar](<w,u>:z ⊃ <<<λ,x>,w>,<<λ,x>,u>>:z)}   (9)
Cnv for {<w,v> | [∀z:CnvCls]<w,v>:z}

Some useful properties of Cnv that are direct consequences of its definition are listed in the next lemma.

5.2.1.  Lemma

The sentences

(1) [∀w:Lterm]<w,w>:Cnv
(2) [∀w,u:Lterm](<w,u>:Cnv ⊃ <u,w>:Cnv)
(3) [∀w,u,v:Lterm](<w,u>:Cnv ∧ <u,v>:Cnv ⊃ <w,v>:Cnv)
(4) [∀w,u:Lterm](<w,u>:Bvv ⊃ <w,u>:Cnv)
(5) [∀w,u,v:Lterm][∀x:Lvar](<u,x,w,v>:Subst ⊃ <<<<λ,x>,w>,u>,v>:Cnv)
(6) [∀w:Lterm][∀x:Lvar](¬x:Free[w] ⊃ <<<λ,x>,<w,x>>,w>:Cnv)
(7) [∀w,u,v:Lterm](<u,v>:Cnv ⊃ <<w,u>,<w,v>>:Cnv)
(8) [∀w,u,v:Lterm](<w,u>:Cnv ⊃ <<w,v>,<u,v>>:Cnv)
(9) [∀w,u:Lterm][∀x:Lvar](<w,u>:Cnv ⊃ <<<λ,x>,w>,<<λ,x>,u>>:Cnv)

are derivable.

Proof of lemma 5.2.1

The derivations of the sentences are similar. Only a derivation of (3) is given as an illustration. In this derivation Z is a second order parameter, while u, v, w are used both as first order parameters and as variables bound by quantifiers.

<u,w>:Z → <u,w>:Z
<w,v>:Z → <w,v>:Z
<u,v>:Z → <u,v>:Z
*(<u,w>:Z ∧ <w,v>:Z ⊃ <u,v>:Z), <u,w>:Z, <w,v>:Z → <u,v>:Z
u:Lterm → u:Lterm
w:Lterm → w:Lterm
v:Lterm → v:Lterm
w:Lterm, v:Lterm, u:Lterm, *[∀w,u,v:Lterm](<w,u>:Z ∧ <u,v>:Z ⊃ <w,v>:Z), <u,w>:Z, <w,v>:Z → <u,v>:Z
w:Lterm, v:Lterm, u:Lterm, *Z:CnvCls, <u,w>:Z, <w,v>:Z → <u,v>:Z   (thinning)
Z:CnvCls → Z:CnvCls
w:Lterm, v:Lterm, u:Lterm, Z:CnvCls, <u,w>:Z, *[∀z:CnvCls]<w,v>:z → <u,v>:Z
Z:CnvCls → Z:CnvCls
w:Lterm, v:Lterm, u:Lterm, Z:CnvCls, *[∀z:CnvCls]<u,w>:z, [∀z:CnvCls]<w,v>:z → <u,v>:Z
w:Lterm, v:Lterm, u:Lterm, [∀z:CnvCls]<u,w>:z, [∀z:CnvCls]<w,v>:z → *[∀z:CnvCls]<u,v>:z
w:Lterm, v:Lterm, u:Lterm, *<u,w>:Cnv, *<w,v>:Cnv → *<u,v>:Cnv
→ [∀w,v,u:Lterm](<u,w>:Cnv ∧ <w,v>:Cnv ⊃ <u,v>:Cnv)

End of proof of lemma 5.2.1

5.3  A TERM MODEL

Intuitively, a structure is a model of the λβη formal theory if it satisfies the theory. More precisely, a model should consist of a collection of individuals D, an interpretation function I mapping each term of the formal language to an element of D, and a relation ≈ that interprets the conversion relation.
Model for {<D,≈,I> | [∀w:Lterm][∃a:D](<w,a>:I ∧ [∀b:D](<w,b>:I ⊃ a≈b))
  ∧ [∀w,v:Lterm][∀a,b:D](<w,a>:I ∧ <v,b>:I ∧ <w,v>:Cnv ⊃ a≈b)}

The simplest model of the theory is the model defined in [Church41], in which D is the quotient of Lterm by Cnv; it is known by the name 'term model'. Formally, the term model is the structure <D,≈,I> where the terms D, ≈, I are defined as follows. For each Lterm w, its equivalence class under Cnv is defined as

[w] for {x | <x,w>:Cnv},

and the domain D is then defined to be the set of the equivalence classes of the terms:

D for {[w] | w:Lterm}.

≈ is the extensional identity over D

≈ for {<x,y> | [∀u:Lterm](u:x ≡ u:y)}

and the interpretation I maps each term to its equivalence class

I for {<v,[w]> | <v,w>:Cnv}.

The relation ≈ as defined has the property that two elements of D are related through ≈ iff their representatives are convertible to each other. This property is expressed in the following lemma and is used extensively in the subsequent sections of this chapter.

5.3.1.  Lemma

The sentence [∀w,v:Lterm]([w]≈[v] ≡ <w,v>:Cnv) is derivable.

Proof of lemma 5.3.1

A derivation of the lemma follows from the derivations of the sequents

(a) w:Lterm, v:Lterm, [w]≈[v] → <w,v>:Cnv
(b) w:Lterm, v:Lterm, <w,v>:Cnv → [w]≈[v]

where w, v are first order parameters. Their derivations follow.

A derivation of (a):

w:Lterm, v:Lterm, <w,v>:Cnv → <w,v>:Cnv
w:Lterm, v:Lterm, *w:[v] → <w,v>:Cnv
w:Lterm → w:[w]
w:Lterm, v:Lterm, *(w:[w] ≡ w:[v]) → <w,v>:Cnv
w:Lterm → w:Lterm
w:Lterm, v:Lterm, *[∀u:Lterm](u:[w] ≡ u:[v]) → <w,v>:Cnv
w:Lterm, v:Lterm, *[w]≈[v] → <w,v>:Cnv

A derivation of (b): The first sequent in this derivation is a consequence of theorem 5.2.1.
w:Lterm, v:Lterm, u:Lterm, <w,v>:Cnv, <u,w>:Cnv → <u,v>:Cnv
w:Lterm, v:Lterm, u:Lterm, <w,v>:Cnv, *u:[w] → *u:[v]
w:Lterm, v:Lterm, u:Lterm, <w,v>:Cnv, u:[v] → u:[w]   (similarly)
w:Lterm, v:Lterm, u:Lterm, <w,v>:Cnv → *(u:[w] ≡ u:[v])
w:Lterm, v:Lterm, <w,v>:Cnv → *[∀u:Lterm](u:[w] ≡ u:[v])
w:Lterm, v:Lterm, <w,v>:Cnv → *[w]≈[v]

End of proof of lemma 5.3.1

In the rest of this chapter lemma 5.3.1 is tacitly used as an alternative definition of the set term ≈. The following theorem shows that the structure <D,≈,I> is indeed a model of the λβη formal theory.

5.3.2.  Theorem

The sequent → <D,≈,I>:Model is derivable.

Proof of theorem 5.3.2

A derivation of the theorem's sequent can be obtained from the derivations of the sequents

(a) → [∀w:Lterm][∃a:D](<w,a>:I ∧ [∀b:D](<w,b>:I ⊃ a≈b))
(b) → [∀w,v:Lterm][∀a,b:D](<w,a>:I ∧ <v,b>:I ∧ <w,v>:Cnv ⊃ a≈b)

by an application of →{ } followed by an application of →∧. Derivations of (a) and (b) are given next.

A derivation of (a): In this derivation sequent (i) is a direct consequence of lemma 5.2.1, while sequents (ii) and (iii) are direct consequences of lemma 5.3.1.

(i) w:Lterm, b:Lterm, <b,w>:Cnv → <w,b>:Cnv
(ii) w:Lterm, b:Lterm, <w,b>:Cnv → [w]≈[b]
w:Lterm, b:Lterm, <b,w>:Cnv → [w]≈[b]   (cut)
(iii) w:Lterm, b:Lterm, [b]≈[w] → <b,w>:Cnv
w:Lterm, b:Lterm, [b]≈[w] → [w]≈[b]   (cut)
w:Lterm, *[b]:D, [b]≈[w] → [w]≈[b]
w:Lterm, [b]:D, *<w,[b]>:I → [w]≈[b]
w:Lterm, [b]:D → *(<w,[b]>:I ⊃ [w]≈[b])
w:Lterm → *[∀b:D](<w,b>:I ⊃ [w]≈b)
w:Lterm → <w,[w]>:I
w:Lterm → *(<w,[w]>:I ∧ [∀b:D](<w,b>:I ⊃ [w]≈b))
w:Lterm → [w]:D
w:Lterm → *[∃a:D](<w,a>:I ∧ [∀b:D](<w,b>:I ⊃ a≈b))
→ *[∀w:Lterm][∃a:D](<w,a>:I ∧ [∀b:D](<w,b>:I ⊃ a≈b))

A derivation of (b): The sequents in the derivation that are marked by (*) are direct consequences of lemma 5.2.1.
(*) w:Lterm, v:Lterm, p:Lterm, q:Lterm, <p,v>:Cnv, <v,q>:Cnv → <p,q>:Cnv
(*) w:Lterm, v:Lterm, p:Lterm, <p,w>:Cnv, <w,v>:Cnv → <p,v>:Cnv
w:Lterm, v:Lterm, p:Lterm, q:Lterm, <p,w>:Cnv, <v,q>:Cnv, <w,v>:Cnv → <p,q>:Cnv   (cut)
(*) w:Lterm, p:Lterm, <w,p>:Cnv → <p,w>:Cnv
w:Lterm, v:Lterm, p:Lterm, q:Lterm, <w,p>:Cnv, <v,q>:Cnv, <w,v>:Cnv → <p,q>:Cnv   (cut)
w:Lterm, v:Lterm, *[p]:D, *[q]:D, *<w,[p]>:I, *<v,[q]>:I, <w,v>:Cnv → [p]≈[q]
w:Lterm, v:Lterm, [a]:D, [b]:D → *(<w,[p]>:I ∧ <v,[q]>:I ∧ <w,v>:Cnv ⊃ [p]≈[q])
w:Lterm, v:Lterm → *[∀a,b:D](<w,a>:I ∧ <v,b>:I ∧ <w,v>:Cnv ⊃ a≈b)
→ *[∀w,v:Lterm][∀a,b:D](<w,a>:I ∧ <v,b>:I ∧ <w,v>:Cnv ⊃ a≈b)

End of proof of theorem 5.3.2

5.4.  VARIABLE ASSIGNMENTS AND λ-MODELS

The type of models defined in the previous subsection is such that each model defines exactly one interpretation of the lambda terms; no provision for variable assignments (variable valuations or environments) was made by this definition. A more involved definition of the models of the λβη-theory is given in this section. The notion of a variable assignment is needed first. The set of assignments with respect to a domain D with identity relation ≈ can be defined as

Asgn[D,≈] for {g | [∀x:Lvar][∃d:D](<x,d>:g ∧ [∀d1:D](<x,d1>:g ⊃ d1≈d))}.

New assignments can be defined from a given one with the help of parameterized definitions. More specifically, if g is an assignment, v a variable and d any element of D, [d/v]g is the assignment identical to g except that it assigns d to v:

[d/v]g for {<x,y> | (x≠v ∧ <x,y>:g) ∨ (x=v ∧ y=d)}.

For any (fixed) n, [d1/v1, d2/v2, ..., dn/vn]g is defined similarly. The following lemma ensures that the new assignment [d/v]g is a legitimate variable assignment if g itself is one. Its proof is nearly elementary and is omitted.
5.4.1  Lemma

The sentence [∀D,≈][∀g:Asgn[D,≈]][∀v:Lvar][∀d:D]([d/v]g:Asgn[D,≈]) is derivable.

An interpretation of the theory, called λ-interpretation, is a tuple <D,≈,•,I,g> where D is the domain, ≈ is an identity on D, • is a binary operation on D and I is the interpretation map defined in terms of the variable assignment g:

λInt for {<D,≈,•,I,g> | LIAxioms[D,≈,•,I,g]}

where LIAxioms[D,≈,•,I,g] is the conjunction of the following sentences. The usual abbreviation <w,d>:I[g] for <g,<w,d>>:I is used. Informally, this notation means that d is the denotation assigned to w by the interpretation I and the assignment g.

g is a variable assignment with respect to D:
g:Asgn[D,≈]   (1)

≈ is an identity on D:
[∀a:D]a≈a   (2)
[∀a,b:D](a≈b ⊃ b≈a)   (3)
[∀a,b,c:D](a≈b ∧ b≈c ⊃ a≈c)   (4)
[∀a,b,c,d:D](<a,b,c>:• ∧ a≈d ⊃ <d,b,c>:•)   (5)
[∀a,b,c,d:D](<a,b,c>:• ∧ b≈d ⊃ <a,d,c>:•)   (6)
[∀a,b,c,d:D](<a,b,c>:• ∧ c≈d ⊃ <a,b,d>:•)   (7)
[∀w:Lterm][∀a,b:D](<w,a>:I[g] ∧ a≈b ⊃ <w,b>:I[g])   (8)

(D,•) is an applicative structure:
[∀a,b:D][∃c:D](<a,b,c>:• ∧ [∀d:D](<a,b,d>:• ⊃ c≈d))   (9)

I is an interpretation:
[∀w:Lterm][∃a:D](<w,a>:I[g] ∧ [∀b:D](<w,b>:I[g] ⊃ a≈b))   (10)
[∀x:Lvar][∀a,b:D](<x,a>:g ∧ <x,b>:I[g] ⊃ a≈b)   (11)
[∀w1,w2:Lterm][∀a,b,c:D](<w1,a>:I[g] ∧ <w2,b>:I[g] ∧ <<w1,w2>,c>:I[g] ⊃ <a,b,c>:•)   (12)
[∀w:Lterm][∀x:Lvar][∀a,b,c:D](<<<λ,x>,w>,a>:I[g] ∧ <w,c>:I[[b/x]g] ⊃ <a,b,c>:•)   (13)
[∀e1,e2:Asgn[D,≈]][∀x:Lvar][∀w:Lterm][∀a,b:D]([∀x:Free[w]][∀c:D](<x,c>:e1 ≡ <x,c>:e2) ∧ <w,a>:I[e1] ∧ <w,b>:I[e2] ⊃ a≈b)   (14)
[∀x1,x2:Lvar][∀w1,w2:Lterm][∀a,b:D](<<<λ,x1>,w1>,a>:I[g] ∧ ¬x2:Free[w1] ∧ <x2,x1,w1,w2>:Subst ∧ <<<λ,x2>,w2>,b>:I[g] ⊃ a≈b)   (15)
[∀w:Lterm][∀x:Lvar][∀a,b,c:D](¬x:Free[w] ∧ <<<λ,x>,<w,x>>,a>:I[g] ∧ <w,b>:I[g] ⊃ a≈b)   (16)
[∀x:Lvar][∀w1,w2:Lterm][∀b,c:D]([∀a1,a2,d:D](<w1,a1>:I[[d/x]g] ∧ <w2,a2>:I[[d/x]g] ⊃ a1≈a2) ∧ <<<λ,x>,w1>,b>:I[g] ∧ <<<λ,x>,w2>,c>:I[g] ⊃ b≈c)   (17)

A model of the theory, called λModel, is a structure <D,≈,•,I> where I is an interpretation map with respect to any variable assignment:

λModel for {<D,≈,•,I> | [∀g:Asgn[D,≈]]LIAxioms[D,≈,•,I,g]}.

The definition of λModel presented here is a NaDSet version of definition 11.3 of [Hindley&Seldin86] with the following additions. Clauses (1) to (8) and clause (10) are not present in definition 11.3. This group of sentences deals with the identity ≈ on D and the functionality of I, notions that are implicitly used in every proof presented in section 11 of [Hindley&Seldin86]. NaDSet as a formal theory does not enjoy such a luxury; a complete definition is necessary to carry out its derivations. Finally, clause (16) corresponds to the η-rule and is not present in 11.3, which defines the models of the λβ-theory.

To show that the previously defined term model is a λ-model, suitable definitions of the operation ° and the interpretation I' must be provided. On that account, ° is defined by

° for {<[u],[v],[w]> | <<u,v>,w>:Cnv}

and for any assignment g in Asgn[D,≈], I'[g] is defined as follows:

I'[g] for {<u,[v]> | <u,v>:ASubst[g]}

where <u,v>:ASubst[g] if v is the result of simultaneously substituting every free variable x in the term u by the term w whenever the assignment g assigns [w] to x.
ASubstCls[g] for {z | [∀c:Lcon]<c,c>:z
  ∧ [∀x:Lvar][∀v:Lterm](<x,[v]>:g ⊃ <x,v>:z)
  ∧ [∀w1,w2,v1,v2:Lterm](<w1,v1>:z ∧ <w2,v2>:z ⊃ <<w1,w2>,<v1,v2>>:z)
  ∧ [∀x,y:Lvar][∀w,w1,w2,w3:Lterm][∀c:Lcon](¬c:Coccur[w] ∧ ¬y:Free[w]
    ∧ [∀u:Free[w]][∀v:Lterm](<u,[v]>:g ⊃ (¬c:Coccur[v] ∧ ¬y:Free[v]))
    ∧ <c,x,w,w1>:Subst ∧ <w1,w2>:z ∧ <y,c,w2,w3>:CSubst ⊃ <<<λ,x>,w>,<<λ,y>,w3>>:z)}
ASubst[g] for {<w,v> | [∀z:ASubstCls[g]]<w,v>:z}

For convenience, the abbreviation

ASubst[w,g] for {v | <w,v>:ASubst[g]}

will be used in the following lemma, which is a direct consequence of the previous definition; its proof is omitted.

5.4.2.  Lemma

The sentences

(1) [∀g:Asgn[D,≈]][∀c:Lcon](ASubst[c,g] =e {v | v=c})
(2) [∀g:Asgn[D,≈]][∀x:Lvar](ASubst[x,g] =e {v | <x,[v]>:g})
(3) [∀g:Asgn[D,≈]][∀w1,w2:Lterm](ASubst[<w1,w2>,g] =e {v | [∃v1,v2:Lterm](<w1,v1>:ASubst[g] ∧ <w2,v2>:ASubst[g] ∧ v=<v1,v2>)})
(4) [∀g:Asgn[D,≈]][∀x:Lvar][∀w:Lterm](ASubst[<<λ,x>,w>,g] =e {v | [∃y:Lvar][∃w1:Lterm](¬y:Free[w] ∧ [∀u:Free[w]][∀v:Lterm](<u,[v]>:g ⊃ ¬y:Free[v]) ∧ <w,w1>:ASubst[[[y]/x]g] ∧ v=<<λ,y>,w1>)})

are derivable.

Some additional properties of the assignment-related substitution (ASubst), which will be used in this chapter, are given by the following lemma, whose proof is given in appendix F.

5.4.3.  Lemma

The sentences

(1) [∀g:Asgn[D,≈]][∀w,w1,w2:Lterm](<w,w1>:ASubst[g] ∧ <w,w2>:ASubst[g] ⊃ <w1,w2>:Bvv)
(2) [∀g:Asgn[D,≈]][∀x:Lvar][∀w,w1,v:Lterm](¬x:Free[w] ∧ <w,w1>:ASubst[g] ⊃ <w,w1>:ASubst[[[v]/x]g])
(3) [∀g:Asgn[D,≈]][∀x,y:Lvar][∀w,u,v,w1,v1,u1:Lterm](¬y:Free[w] ∧ [∀u2:Free[w]][∀v2:Lterm](<u2,[v2]>:g ⊃ ¬y:Free[v2]) ∧ <u,x,w,v>:Subst ∧ <v,v1>:ASubst[g] ∧ <w,w1>:ASubst[[[y]/x]g] ∧ <u,u1>:ASubst[g] ⊃ <u1,y,w1,v1>:Subst)
(4) [∀g:Asgn[D,≈]][∀x,y1,y2:Lvar][∀w,v,u:Lterm](¬y1:Free[w] ∧ ¬y2:Free[w] ∧ <w,v>:ASubst[[[y1]/x]g] ∧ ¬y1:Free[v] ∧ ¬y2:Free[v] ∧ <y2,y1,v,u>:Subst ⊃ <w,u>:ASubst[[[y2]/x]g])
(5) [∀g:Asgn[D,≈]][∀x:Lvar][∀w,v,w1,v1:Lterm][∀a,b:Lterm](<w,w1>:ASubst[g] ∧ <v,v1>:ASubst[g] ∧ <w,v>:Cnv ⊃ <w1,v1>:Cnv)

are derivable.

The main theorem of this section states that the term model <D,≈>, supplied with the operation ° and the mapping I', becomes a λModel.

5.4.4.  Theorem

The sequent → <D,≈,°,I'>:λModel is derivable.

Proof Outline

Let LIAxiom_i[D,≈,•,I,g], 1≤i≤17, be the i-th sentence in the definition of the λ-interpretation. It is sufficient to show that for each i, 1≤i≤17, the sequent

g:Asgn[D,≈] → LIAxiom_i[D,≈,°,I',g]

where g is a second order parameter, is derivable. The cases for i=9, 11, 13, 17 are presented in appendix G. The other cases are either similar to or simpler than these and are omitted.

End of Proof

5.5.  SCOTT-MEYER MODELS

A simple characterization of the models of the λβ-theory that does not make any reference to the interpretation of the λ-terms implied by the model is due to Dana Scott [Scott80b] and Albert Meyer [Meyer82]. Following [Hindley&Seldin86], a strict Scott-Meyer model is given by the following definition.
StrictSMModel for {<D,≈,•,e> | SMAxioms[D,≈,•,e]}

where SMAxioms[D,≈,•,e] is the conjunction of the following sentences:

≈ is an identity on D:
[∀a:D]a≈a   (1)
[∀a,b:D](a≈b ⊃ b≈a)   (2)
[∀a,b,c:D](a≈b ∧ b≈c ⊃ a≈c)   (3)
[∀a,b,c,d:D](<a,b,c>:• ∧ a≈d ⊃ <d,b,c>:•)   (4)
[∀a,b,c,d:D](<a,b,c>:• ∧ b≈d ⊃ <a,d,c>:•)   (5)
[∀a,b,c,d:D](<a,b,c>:• ∧ c≈d ⊃ <a,b,d>:•)   (6)

(D,•) is an applicative structure:
[∀a,b:D][∃c:D](<a,b,c>:• ∧ [∀d:D](<a,b,d>:• ⊃ c≈d))   (7)

(D,•) is combinatorially complete:
[∃k:D][∀a,b,ka,kab:D](<k,a,ka>:• ⊃ <ka,b,a>:•)   (8)
[∃s:D][∀a,b,c,sa,sab,sabc,ac,bc:D](<s,a,sa>:• ∧ <sa,b,sab>:• ∧ <sab,c,sabc>:• ∧ <a,c,ac>:• ∧ <b,c,bc>:• ⊃ <ac,bc,sabc>:•)   (9)

e is a strict representation of the mapping λ:
e:D   (10)
[∀a,b,ea,eab:D](<e,a,ea>:• ∧ <ea,b,eab>:• ⊃ <a,b,eab>:•)   (11)
[∀a,b,ea:D]([∀d,ad:D](<a,d,ad>:• ⊃ <b,d,ad>:•) ∧ <e,a,ea>:• ⊃ <e,b,ea>:•)   (12)
<e,e,e>:•   (13)

A Scott-Meyer model is a loose Scott-Meyer model if it does not necessarily satisfy sentence (13): that is, the element e of D need not be a 'fixed point' of •. We can now show that the term model defined in the previous section is also a strict Scott-Meyer model. The definition of the operation ° was also given in the previous section; the element e is defined to be the equivalence class of the term λxλy.xy:

e for [<<λ,x>,<<λ,y>,<x,y>>>]

where x, y are the NaDSet terms that represent the natural numbers 2 and 4 respectively. The next theorem states that the structure <D,≈,°,e> is a strict Scott-Meyer model.

5.5.1.  Theorem

The sequent → <D,≈,°,e>:StrictSMModel is derivable.

Proof Outline

Let SMAxiom_i[D,≈,•,e], 1≤i≤13, be the i-th sentence in the definition of the SM-model. It is sufficient to show that for each i, 1≤i≤13, the sequent → SMAxiom_i[D,≈,°,e] is derivable. The cases for i=8, 9 and 13 are presented in appendix H.
Cases (1) to (7) are the same as in theorem 5.4.4, while the rest are similar to (even simpler than) case (13) and are omitted. The important terms in this proof are the eigenterms for k and s in the cases of sentences (8) and (9). The term [<<λ,x>,<<λ,y>,x>>] is used as an eigenterm for k and [<<λ,x>,<<λ,y>,<<λ,z>,<<x,z>,<y,z>>>>>] for s, where x, y and z are the NaDSet terms that represent the natural numbers 2, 4 and 6 respectively. Finally, case (13) is the only case that requires the η-conversion rule given by the sixth sentence in the definition of the conversion (CnvCls).

End of Proof

We conclude the presentation of lambda calculus in NaDSet with some remarks. First, it should be emphasized that the success in defining abstract models of the lambda calculus in this chapter does not necessarily imply that concrete models of the theory can also be defined in the same way. More work is needed in this area. It will be interesting to see whether constructions like Scott's D∞ model [Scott70,73] and Plotkin's Tω model [Plotkin78] can be carried out in NaDSet. Finally, the ideas expressed in this chapter can be used to provide a NaDSet representation of the theory of typed lambda calculus or of other formal theories. Specifically, any axiomatic first order theory can be represented within NaDSet in a similar way. Section 8 of [Gilmore89], for instance, defines the set of structures that satisfy the axioms of Gödel-Bernays set theory by the term

GBST for {<Cls,M,e> | axioms}

where axioms are the NaDSet sentences corresponding to the axioms of the original set theory.

CHAPTER VI

Conclusion and Future Directions

Traditional set theories, in order to avoid the paradoxes, restrict abstraction to apply only to collections existing in a cumulative hierarchy of sets.
Such a restriction on abstraction disallows self application (or self reference except through Gödelization) and complicates their proof theory. Theories like the type-free lambda calculi, on the other hand, allow unrestricted abstraction but do not provide for quantifiers or logical connectives. A third type of theory, like typed lambda calculus and LCF, restricts both abstraction and quantification by imposing well-typedness constraints. However, both unrestricted abstraction and general (untyped) quantification are essential to some applications. Certain conclusions in mathematics, like "the set of all categories is itself a category", cannot be directly expressed within a language that does not admit self-referential abstraction terms and quantification. Similarly, certain arguments about the semantics of interesting programming languages cannot be formulated in a system not strong enough to handle all three logical concepts without (the previous) restrictions.

This thesis has demonstrated that Gilmore's Natural Deduction Set Theory is a logic suitable for such demanding applications. NaDSet combines unrestricted generalized abstraction terms with general untyped quantifiers in a sequent calculus system that naturally blends Tarskian semantics with the Frege-Russell logistic view. Exploiting these features, a formalization of the basic concepts of category theory has been provided. The set of all categories, furnished with the appropriate structure, was shown to be a category by itself. As a result of such a formalization, the distinction between small and large categories is no longer necessary, as it is in formalizations of category theory within the traditional set theories. In addition, more general notions of categorical completeness and of the category of sets can be defined within this formalization, although this has not been thoroughly explored in the thesis.
It is our conjecture that other concepts in category theory that depend upon an underlying set theory can enjoy similar generalizations within NaDSet. Moreover, we believe that the category of categories, as it is defined in chapter III, can be shown to be small-complete but cannot be shown to be complete in the general sense; NaDSet's restriction on the axioms would not permit a derivation of the latter.

Substantial evidence of the suitability of the logic in the realm of programming language semantics has also been provided. The syntax and the semantics of a simple programming language were defined within NaDSet and a variety of properties were shown to be derivable from the definitions. Nondeterministic constructs of the language were shown to enjoy the same semantic treatment in NaDSet as their deterministic counterparts. Moreover, the given proof of the semantic equivalence of two sequences of commands illustrates the power of NaDSet in formalizing recursive definitions. Such definitions are complete within NaDSet in the sense that the properties of the sets defined by them can be deduced from the definitions alone, without the need of extra rules or axioms. The type of semantics obtained through such definitions is called formal semantics of programming languages for the following two reasons. The semantics is expressed within a formal theory in which the programming language itself has also been defined. The existence of a proof procedure and the completeness of the semantic definitions in the theory imply that most (depending on the completeness of the proof procedure) of the semantic properties of the programming language can be derived within the same formalism from the definitions alone. The latter distinguishes this type of semantics from traditional denotational semantics.
We intend to investigate in the future how these ideas can be extended to define semantics for more complicated programming language features like escapes and jumps, procedures and functions, declarations and data types. The standard approaches [Stoy77, Gordon79] of continuation semantics can be used in defining the semantics of such constructs in NaDSet as well, but other possibilities of more natural semantics should also be explored.

By taking further advantage of NaDSet's complete recursive definitions, a way of defining a formal theory in NaDSet was also demonstrated. Recursive definitions for the syntax, the proof procedure and the models of lambda calculus were provided. To show that a considerable part of lambda calculus model theory can be carried out within this formalism, Church's term model was defined and shown to satisfy the definitions of a model. This, of course, does not imply that any model of the theory can be defined in NaDSet in a similar way. We are currently investigating ways in which more complicated model constructions, like Scott's D∞ construction, can be carried out within NaDSet.

There are two general aspects of the applications considered in the thesis which, although they have not been emphasized up to this point, should not be overlooked. First, every definition of any concept in each of the three areas of exposition is coherent and natural in the sense that it is defined the same way the concept is usually defined in mathematics. Similar remarks can be made for the formal proofs of the lemmas and theorems: their derivations reflect the usual informal proofs but contain more details. Second, the definitions used in each of the three areas do not have any existential import for the theory NaDSet; they do not have any impact on the models of the theory. The inclusion of an inconsistent definition does not cause any problem other than the concern that the term it defines is empty.
However, the success of NaDSet in the three disparate areas considered in the thesis must be attributed to the features that distinguish NaDSet from other conventional set theories; they can be summarized as follows. NaDSet resolves the paradoxes of set theory by replacing the naive comprehension axiom scheme of an inconsistent first order set theory with natural deduction rules that introduce abstraction terms into arguments. Generalized set abstraction terms of the form {ta|F}, in which ta may be a term, not just a single variable, and F may be any formula, are admitted. A nominalist interpretation of atomic formulas is used: only the name of a set, not the set itself, can be a member of another set. To avoid confusions of use and mention, it is necessary that NaDSet be a second order logic, although only a single kind of quantifier and variable is required. As a result, the theory is mainly concerned not with what sets may correctly exist but with what arguments are correct. Self-referencing set terms can be formed in NaDSet, but certain contradictory arguments involving that type of term are not derivable within the logic.

It would be of great significance to computer scientists if the logic's proof procedure were automated. Because of the sequent calculus presentation of the theory, Bibel's connection method [Bibel87] can be extended to provide an automated proof procedure for NaDSet. However, the unification procedure has, in this case, to cope with NaDSet's second order unification, which is undecidable in general. The procedure and ideas of [Huet75] on λ-term unification can be extended to NaDSet terms, but a semi-automated theorem proving system for NaDSet is deemed more feasible for the time being. We believe an interactive system similar to HOL [Gordon87] can be developed for NaDSet.
HOL is a version of Milner's [Milner72] theorem proving system for LCF and is designed in a Lisp-like meta-language called ML. Deduction rules are expressed as functions in ML. HOL permits a proof to be constructed backwards from the goal, the sentence to be proved, by means of tactics and tacticals. A tactic is a function that reduces a goal to zero or more subgoals, while a tactical operates on tactics themselves. When all the subgoals of a goal have been solved, the original goal becomes a theorem (it can be used again without a proof). Tactics and tacticals are ML functions and comprise a powerful control language through which the user interacts with the system. A proof is therefore the result of cooperation between HOL and its user: the user defines the tacticals and the system executes them until every subgoal of the initial goal is proved. We anticipate that a similar interactive, cooperating theorem proving system can be developed for the logic NaDSet. An alternative is to use Paulson's generic theorem prover, Isabelle [Paulson88]. For the time being it is not clear what extensions are necessary to accommodate NaDSet in Isabelle, but in any case the resulting system is expected to be less efficient than the system resulting from the first approach.

The rest of this section discusses some preliminary ideas about the use of NaDSet in other areas of computer science. First, in the case of sequential programs, the ideas developed for the domain of programming language semantics can be extended to the area of program specification and verification. Our conjecture is that Hoare's axiomatic method [Hoare69] and Dijkstra's predicate transformers and weakest precondition semantics [Dijkstra76] for a programming language can be derived from the formal semantics of the language. In the realm of concurrent programs, it remains to be seen how the ideas discussed in [Hailpern&Owicki83, Manna&Pnueli81, Tsiknis85, Cardell89] can also be developed in NaDSet.
Obviously, any temporal logic system of linear or branching time [Manna&Pnueli81] can be expressed in NaDSet. However, it may be preferable to define directly in NaDSet the semantics of a system of communicating processes in terms of the possible event sequences, and to express the properties of the program in terms of these sequences instead of going through the temporal logic development.

The concepts of data types and polymorphic operations pose some important issues for the semantics of modern programming languages. The presence of polymorphism demands abstraction over types, as was recognized independently by Girard and Reynolds. In addition, [Reynolds84] shows that a non-trivial interpretation of polymorphic types in the standard category of sets (founded on the axioms of Zermelo-Fraenkel set theory) is impossible. However, [Freyd&Scedrov87] reports (without an explicit reference) that Moggi and Hyland have recently shown that such an interpretation is possible within a category of (intuitionistic) sets that is constructed using toposes [Hyland82]. ([Lambek&Scott86] shows the connection between toposes and intuitionistic type theory.) We believe that a comprehensive treatment of types and polymorphism is possible within NaDSet. We are currently investigating ways in which types are represented by certain set terms, the collection of which is also definable within the logic. The latter might provide a simple and general treatment for polymorphism, but this has yet to be seen. Nonetheless, a formalization of data types and polymorphism is a challenging undertaking for NaDSet.

In 1985 Mike Gordon gave a comprehensive illustration of the use of higher order concepts in the specification and verification of hardware components [Gordon85]. Since then, a variety of approaches has been developed and a considerable number of component designs have been verified using the HOL system [Joyce88,89, Melham87,88, Herbert88].
In [Joyce88], for instance, a complete microprocessor has been specified and verified in HOL. We believe NaDSet can be used equally well as a hardware specification and verification formalism. Moreover, NaDSet's relational character might turn out to be advantageous, especially for analog components, where ranges of values rather than single values are of interest. In any case, it is interesting to see that NaDSet's parameterized definitions can help in applying Joyce's ideas of parameterized specifications [Joyce88].

The need for higher order features in logic programming has been recognized since the early days of the design of the language Prolog. The inclusion of the predicate "call" in Prolog was a strong manifestation of such a need. Later, the semantic difficulties associated with this predicate instigated new approaches like Lambda Prolog [Miller&Nadathur86] and HiLog [Chen et al.89]. Andrews in [Andrews90] gives a simple extension to logic programming using the first order version of NaDSet [Gilmore86]. Although such an extension is sufficient to allow predicate names as parameters, the use of the current second order version of NaDSet can provide for complete predicate definitions and, hopefully, comprehensible semantics. We also believe that such an extension can use the evaluation (or computation) techniques established for the existing languages when the set definitions submit to certain restrictions. Restricting the form of the definitions is just one way to overcome the undecidability of second order unification; other ways need to be investigated as well.

In the area of knowledge representation and reasoning, NaDSet can perform fairly well, especially in the cases where many levels of abstraction are necessary.
To this end, a number of representation techniques like frames [Minsky75], inheritance systems [Etherington&Reiter83, Touretzky86] and semantic networks [Sowa84] can be expressed in NaDSet in a straightforward way, and the techniques described in [Gilmore87a,87b,87c,87d,88] can help in these cases. However, some of the problems associated with the original approaches (the frame problem, etc.) may get carried over. In the general case of nonmonotonic reasoning we need to distinguish the following paradigms. In the Theorist framework [Poole88a,88b,89a,89b], NaDSet can be used the same way as any other formal logic; it is the domain of the application that will determine whether the advanced features of NaDSet are necessary or advantageous in this case. The same remarks are also appropriate for the case of default reasoning [Reiter80]. The case of circumscription [McCarthy80], on the other hand, seems different, although it exhibits many semantic similarities to the previous approaches. Usually, the circumscription formula is a second order formula and can be naturally defined in NaDSet by a recursive definition of the type used in chapter IV. Moreover, the proof procedure of the logic and the guidelines discussed in that chapter provide a comprehensive proof strategy for circumscription. However, it remains to be seen what advantages (of the type discussed in section 4.1) such definitions can offer in this case, and whether this treatment can lead to better algorithms for computing with this type of representation framework.

Finally, in cognitive science the representation of notions such as beliefs requires a formalism that admits a truth predicate and provides the means for defining a quotation mechanism (one that assigns a term (name) to a sentence). Section 5.5 of [Gilmore90] gives a simple way to define them in NaDSet.
According to it, the term "S" that represents a sentence S is defined by

"S" for {u|S}

where u has no free occurrences in S, and the truth predicate T is given by the definition

T for {z | [∀u]u:z}.

Kripke's idea [Kripke75] that only grounded sentences can be assigned truth values is reflected by the following derived rule:

   S → S
-------------
→ "S":T ≡ S

Let us assume for a moment that the following definition were admissible:

L for ¬"L":T

Then L would be the famous liar sentence. L is not derivable because it is not grounded, as the following segment of a derivation, in which p is any parameter and t is any term, shows (each column is read upwards from its bottom sequent, and each ends in the other's goal):

      L →                    → L
   t:"L" →                → p:"L"
[∀u]u:"L" →              → [∀u]u:"L"
   "L":T →                → "L":T
   → ¬"L":T              ¬"L":T →
     → L                    L →

This formulation gives a simpler, more comprehensive formalization of Tarski's and Kripke's ideas than the axiomatization of [Perlis85]. However, more effort is needed to develop within the theory a quotation mechanism that provides for fixed points of the type needed in the liar formula case.

As a final remark we point out that, although the ideas discussed in this section are very sketchy and preliminary, they provide some indication that the type of abstraction offered by NaDSet may be valuable for a number of important applications.

BIBLIOGRAPHY

[Aczel&Feferman]
[80] Peter Aczel, Solomon Feferman, Consistency of the Unrestricted Abstraction Principle Using an Intensional Equivalence Operator. To H.B. Curry: Essays on Combinatory Logic, Lambda Calculus and Formalism, Editors J.P. Seldin, J.R. Hindley, Academic Press, 1980, pp. 67-98.

[Andrews]
[90] James H. Andrews, The Logical Structure of Sequential Prolog. Technical Report LFCS-90-110, Laboratory for the Foundations of Computer Science, University of Edinburgh, 1990.
[91] James H. Andrews, Predicates as Parameters in Logic Programming: A Set-Theoretic Basis. Preliminary Report in Progress.

[Apt&Plotkin]
[81] K.R. Apt, G. D.
Plotkin, A Cook's Tour of Countable Nondeterminism. LNCS 115, 1981, pp. 479-494.

[Barendregt]
[81] H. P. Barendregt, The Lambda Calculus: Its Syntax and Semantics. North-Holland, Amsterdam, 1981.

[Barr&Wells]
[85] M. Barr, C. Wells, Toposes, Triples and Theories. Springer-Verlag, New York, 1985.

[Bell]
[88] J. L. Bell, Toposes and Local Set Theories: An Introduction. 1988.

[Beth]
[55] E.W. Beth, Semantic Entailment and Formal Derivability. Mededelingen der Koninklijke Nederlandse Akademie van Wetenschappen, Afdeling Letterkunde, Nieuwe Reeks, v.18, n.13, 1955, pp. 309-342.

[Bibel]
[87] Wolfgang Bibel, Automated Theorem Proving. Vieweg & Sohn, Braunschweig, 1987.

[Black]
[85] Mickael Julian Black, Naive Semantic Networks. A paper for CPSC 448, Directed Studies in Computer Science, 1985.

[Blass]
[84] Andreas Blass, The Interaction between Category Theory and Set Theory. Mathematical Applications of Category Theory, J.W. Gray editor, Contemporary Mathematics, 30, American Mathematical Society, 1984, pp. 5-29.

[Blyth]
[86] T. S. Blyth, Categories. Longman, 1986.

[Cardell]
[89] Rachel Cardell-Oliver, The Specification and Verification of Sliding Window Protocols in Higher Order Logic. University of Cambridge Computer Laboratory Technical Report No. 183, 1989.

[Carnap]
[58] Rudolf Carnap, Introduction to Symbolic Logic and its Applications. Dover Publications, New York, 1958.

[Chen et al.]
[89] Weidong Chen, Michael Kifer, David S. Warren, HiLog: A First-Order Semantics of Higher-Order Logic Programming Constructs. Proc. of the North American Conference on Logic Programming, Cleveland, Ohio, 1989.

[Church]
[40] Alonzo Church, A Formulation of the Simple Theory of Types. Journal of Symbolic Logic, 5, 1940.
[41] Alonzo Church, The Calculi of Lambda Conversion. Princeton University Press, 1941.
[56] Alonzo Church, Introduction to Mathematical Logic, Vol. I. Princeton University Press, 1956.

[Corella]
[89] Francisco Corella, Mechanizing Set Theory.
IBM T. J. Watson Research Report RC 14706, 1989.
[89] Francisco Corella, The Double Nature of Type Theory. IBM T. J. Watson Research Report RC 14706, 1989.

[Curry]
[42] H. B. Curry, The Inconsistency of Certain Formal Logics. Journal of Symbolic Logic, 7, 1942, pp. 115-117.

[de Bakker]
[76] J. W. de Bakker, Semantics and Termination of Nondeterministic Recursive Programs. Proc. 3rd Coll. Automata, Languages and Programming, Edinburgh, 1976.

[Dijkstra]
[76] E. W. Dijkstra, A Discipline of Programming. Prentice-Hall, Englewood Cliffs, N.J., 1976.

[Dybjer]
[85] Peter Dybjer, Category Theory and Programming Language Semantics: An Overview. LNCS 240, Springer-Verlag, 1985, pp. 165-181.

[Etherington]
[87a] David W. Etherington, Formalizing Nonmonotonic Reasoning Systems. Artificial Intelligence 31, 1987, pp. 41-85.
[87b] David W. Etherington, Relating Default Logic and Circumscription. IJCAI 1987.

[Ehrig et al.]
[74] H. Ehrig, K. D. Kiermeier, H. J. Kreowski, W. Kuehnel, Universal Theory of Automata: A Categorical Approach. B.G. Teubner, Stuttgart, 1974.

[Feferman]
[77] Solomon Feferman, Categorical Foundations and Foundations of Category Theory. Logic, Foundations of Mathematics and Computability Theory, Editors Butts and Hintikka, D. Reidel, 1977, pp. 149-169.
[84] Solomon Feferman, Towards Useful Type-Free Theories, I. Journal of Symbolic Logic, March 1984, pp. 75-111.

[Fitch]
[52] Frederick B. Fitch, Symbolic Logic: An Introduction. Ronald Press, New York, 1952.

[Fitting]
[85] Melvin Fitting, A Kripke-Kleene Semantics for Logic Programs. Journal of Logic Programming, 4, 1985, pp. 295-312.
[86] Melvin Fitting, Notes on the Mathematical Aspects of Kripke's Theory of Truth. Notre Dame Journal of Formal Logic, v.27, n.1, January 1986.

[Freyd]
[64] Peter Freyd, Abelian Categories: An Introduction to the Theory of Functors. Harper and Row, 1964.

[Freyd&Scedrov]
[87] Peter Freyd, Andre Scedrov, Some Semantic Aspects of Polymorphic Lambda Calculus.
LICS 1987, IEEE.

[Garey&Johnson]
[79] Michael R. Garey, David S. Johnson, Computers and Intractability: A Guide to the Theory of NP-Completeness. Freeman, 1979.

[Gentzen]
[34,35] Gerhard Gentzen, Untersuchungen über das logische Schliessen. Mathematische Zeitschrift, 39, 1934-35, pp. 176-210, 405-431.

[Gilmore]
[68] Paul C. Gilmore, A Formalized Naive Set Theory. A paper presented at the Summer Conference on Intuitionism and Proof Theory, Buffalo, New York, 1968.
[71] Paul C. Gilmore, A Consistent Naive Set Theory: Foundations for a Formal Theory of Computation. IBM Research Report RC 3413, June 22, 1971.
[80] Paul C. Gilmore, Combining Unrestricted Abstraction with Universal Quantification. To H.B. Curry: Essays on Combinatory Logic, Lambda Calculus and Formalism, Editors J.P. Seldin, J.R. Hindley, Academic Press, 1980, pp. 99-123. This is a revised version of [Gilmore71].
[86] Paul C. Gilmore, Natural Deduction Based Set Theories: A New Resolution of the Old Paradoxes. Journal of Symbolic Logic, 51, 1986, pp. 393-411.
[87a] Paul C. Gilmore, The SET Conceptual Model and the Domain Graph Method of Table Design. UBC Computer Science Department Technical Report 87-7, 1987.
[87b] Paul C. Gilmore, Justifications and Applications of the SET Conceptual Model. UBC Computer Science Department Technical Report 87-9, 1987.
[87c] Paul C. Gilmore, Formalizing Attribution by Default. UBC Computer Science Department Technical Report 87-26, 1987.
[87d] Paul C. Gilmore, Semantics of Updates with Incomplete Information. Working notes for the database group discussions, 1987.
[87e] Paul C. Gilmore, Comments on "A Logical Framework for Depiction and Image Interpretation" by Raymond Reiter and Alan K. Mackworth, 1987.
[88] Paul C. Gilmore, A Foundation for the Entity Relationship Approach: How and Why. Proceedings of the 6th Entity Relationship Conference, editor S.T. March, North-Holland, 1988, pp. 95-113.
[89] Paul C.
Gilmore, How Many Real Numbers are There? UBC Technical Report TR 89-7, 1989, revised July 1990.
[90] Paul C. Gilmore, The Consistency of an Extended NaDSet. ITLI Prepublication Series for Mathematical Logic and Foundations, ML-90-11, University of Amsterdam, December 1990.

[Gilmore&Tsiknis]
[90a] Paul C. Gilmore, George K. Tsiknis, A Logic for Category Theory. UBC Computer Science Department Technical Report 90-2, May 1990.
[90b] Paul C. Gilmore, George K. Tsiknis, Logical Foundations for Programming Semantics. A paper presented to the Sixth Workshop on the Mathematical Foundations of Programming Semantics, Kingston, Ontario, Canada, May 15-19, 1990. UBC Computer Science Department Technical Report 90-22. Submitted for publication to Theoretical Computer Science.
[90c] Paul C. Gilmore, George K. Tsiknis, A Formalization of Category Theory in NaDSet. A paper presented to the Sixth Workshop on the Mathematical Foundations of Programming Semantics, Kingston, Ontario, Canada, May 15-19, 1990. UBC Computer Science Department Technical Report 90-23. Submitted for publication to Theoretical Computer Science.
[91a] Paul C. Gilmore, George K. Tsiknis, The Lambda Calculus in NaDSet. In preparation.
[91b] Paul C. Gilmore, George K. Tsiknis, Formulations of an Extended NaDSet. In preparation.

[Gödel]
[40] Kurt Gödel, The Consistency of the Continuum Hypothesis. Annals of Mathematics Studies, Number 3, Princeton University Press, 1940.

[Goguen et al.]
[73] J. A. Goguen, J. W. Thatcher, E. G. Wagner, J. B. Wright, A Junction Between Computer Science and Category Theory: I, Basic Definitions and Concepts (part 1). Technical Report RC-4526, IBM Research, 1973.
[75] J. A. Goguen, J. W. Thatcher, E. G. Wagner, J. B. Wright, An Introduction to Categories, Algebraic Theories and Algebras. Technical Report RC-5369, IBM Research, 1975.
[76] J. A. Goguen, J. W. Thatcher, E. G. Wagner, J. B.
Wright, A Junction Between Computer Science and Category Theory: I, Basic Definitions and Concepts (part 2). Technical Report RC-5908, IBM Research, 1976.
[77] J. A. Goguen, J. W. Thatcher, E. G. Wagner, J. B. Wright, Initial Algebra Semantics and Continuous Algebras. Journal of the ACM, v.24, n.1, January 1977, pp. 68-95.

[Gordon]
[79] Michael J.C. Gordon, The Denotational Description of Programming Languages: An Introduction. Springer-Verlag, New York, 1979.
[85] Mike Gordon, Why Higher-order Logic is a Good Formalism for Specifying and Verifying Hardware. Formal Aspects of VLSI Design, G. Milne, P.A. Subrahmanyam, Eds., North-Holland, 1986. Also, University of Cambridge Computer Laboratory Technical Report No. 77, 1985.
[87] Mike Gordon, A Proof Generating System for Higher-order Logic. VLSI Specification, Verification and Synthesis, G. Birtwistle, P. Subrahmanyam, Eds., Kluwer Academic Publishers, Boston, 1988, pp. 73-128. Also, University of Cambridge Computer Laboratory Technical Report No. 103, 1987.

[Gordon et al.]
[78] M. Gordon, R. Milner, L. Morris, M. Newey, C. Wadsworth, A Metalanguage for Interactive Proof in LCF. Fifth ACM SIGACT-SIGPLAN Conference on Principles of Programming Languages, Tucson, Arizona, 1978.

[Gray]
[84] J. W. Gray, Editor, Mathematical Applications of Category Theory. Contemporary Mathematics, 30, American Mathematical Society, 1984.

[Gunter]
[86] Carl A. Gunter, The Largest First-Order Axiomatizable Cartesian Closed Category of Domains. LICS 1986, IEEE.

[Hagino]
[87] Tatsuya Hagino, A Typed Lambda Calculus with Categorical Type Constructors. LNCS 283, Springer-Verlag, 1987.

[Hailpern&Owicki]
[83] Brent T. Hailpern, Susan S. Owicki, Modular Verification of Computer Communication Protocols. IEEE Transactions on Communications, COM-31(1), 1983, pp. 56-68.

[Henkin]
[49] Leon Henkin, The Completeness of the First-Order Functional Calculus. Journal of Symbolic Logic, 14, 1949, pp. 159-166.
[50] Leon Henkin, Completeness in the Theory of Types. Journal of Symbolic Logic, 15, 1950, pp. 81-91.
[53] Leon Henkin, Some Notes on Nominalism. Journal of Symbolic Logic, 18, 1953, pp. 19-29.

[Herbert]
[88] John Herbert, Temporal Abstraction of Digital Designs. University of Cambridge Computer Laboratory Technical Report No. 122, 1988.

[Hindley&Seldin]
[86] J. Roger Hindley, Jonathan P. Seldin, Introduction to Combinators and λ-Calculus. Cambridge University Press, Cambridge, 1986.

[Hoare]
[69] C. A. R. Hoare, An Axiomatic Basis for Computer Programming. Communications of the ACM, v.12, n.10, October 1969, pp. 576-583.
[78] C. A. R. Hoare, Communicating Sequential Processes. Communications of the ACM, 21, 1978, pp. 666-677.

[Hoare&Shepherdson]
[85] C. A. R. Hoare, J. C. Shepherdson, Editors, Mathematical Logic and Programming Languages. Prentice-Hall, Englewood Cliffs, New Jersey, 1985.

[Huet]
[75] G. P. Huet, A Unification Algorithm for Typed λ-Calculus. Theoretical Computer Science, 1, 1975, pp. 27-57.
[85] G. P. Huet, Cartesian Closed Categories and Lambda Calculus. LNCS 242, Springer-Verlag, 1985.

[Hyland]
[82] J. M. E. Hyland, The Effective Topos. The L.E.J. Brouwer Centenary Symposium, ed. A.S. Troelstra, D. van Dalen, North-Holland, 1982, pp. 165-216.

[Joyce]
[88] Jeffrey J. Joyce, Formal Specification and Verification of Microprocessor Systems. Euromicro 88, Proc. of the 14th Symposium on Microprocessing and Microprogramming, Zurich, 1988, North-Holland, 1988, pp. 371-378. Also, University of Cambridge Computer Laboratory Technical Report No. 147, 1988.
[89a] Jeffrey J. Joyce, A Verified Compiler for a Verified Microprocessor. University of Cambridge Computer Laboratory Technical Report No. 167, 1989.
[89b] Jeffrey J. Joyce, Totally Verified Systems: Linking Verified Software to Verified Hardware. University of Cambridge Computer Laboratory Technical Report No. 178, 1989.
[Kean&Tsiknis]
[88a] Alex Kean, George Tsiknis, An Incremental Method for Generating Prime Implicants/Implicates. UBC Computer Science Department Technical Report 88-16, July 1988.
[88b] George Tsiknis, Alex Kean, Clause Management Systems (CMS). UBC Computer Science Department Technical Report 88-21, October 1988. Submitted to Computational Intelligence.
[90a] Alex Kean, George Tsiknis, An Incremental Method for Generating Prime Implicants/Implicates. Journal of Symbolic Computation 9, 1990, pp. 185-206. (This is a different version of [Kean&Tsiknis88a].)
[90b] Alex Kean, George Tsiknis, Assumption Based Reasoning and Clause Management Systems. UBC Computer Science Department Technical Report 90-9, May 1990. To appear in the journal Computational Intelligence.

[Kleene]
[52] Stephen Cole Kleene, Introduction to Metamathematics. North-Holland, 1952.

[Kleene&Rosser]
[35] S. C. Kleene, J. B. Rosser, The Inconsistency of Certain Formal Logics. Annals of Mathematics, 36, 1935, pp. 630-636.

[Kripke]
[75] Saul Kripke, Outline of a Theory of Truth. Journal of Philosophy, November 1975, pp. 690-716.

[Lambek]
[80] J. Lambek, From λ-Calculus to Cartesian Closed Categories. To H.B. Curry: Essays on Combinatory Logic, Lambda Calculus and Formalism, Eds. J.P. Seldin, J.R. Hindley, Academic Press, 1980, pp. 375-402.

[Lambek&Scott]
[86] J. Lambek, P. J. Scott, Introduction to Higher Order Categorical Logic. Cambridge University Press, 1986.

[Lawvere]
[66] F. William Lawvere, The Category of Categories as a Foundation for Mathematics. Proc. Conf. on Categorical Algebra, Springer, 1966, pp. 1-21.

[MacLane]
[71] Saunders Mac Lane, Categories for the Working Mathematician. Springer-Verlag, 1971.

[Manna&Pnueli]
[81] Z. Manna, A. Pnueli, Verification of Concurrent Programs: The Temporal Framework. The Correctness Problem in Computer Science, R. Boyer, J. Moore eds., Academic Press, London, 1981, pp. 215-273.
[Manna&Waldinger] [84] Zohar Manna, Richard Waldinger, The Logical Basis for Computer Programming, Volume 1: Deductive Reasoning. Addison-Wesley, 1984. [90] Zohar Manna, Richard Waldinger, The Logical Basis for Computer Programming, Volume 2: Deductive Systems. Addison-Wesley, 1990. [McCarthy] [80] John McCarthy, Circumscription- A Form ofNon-monotonic Reasoning. Artificial Intelligence 13, 1980, pp. 27-39. [86] John McCarthy, Applications of Circumscription to Formalizing Common-Sense Knowledge. Artificial Intelligence 28,1986, pp. 89-116. [Melham] [87] Thomas F. Melham, Abstraction Mechanisms for Hardware Verification. University of Cambridge Computer Laboratory Technical Report No. 106,1987. [88] Thomas F. Melham, Using Recursive Types to Reason about Hardware in Higher Order Logic. University of Cambridge Computer Laboratory Technical Report No. 135, 1988. [Meyer] [82] A . R. Meyer, What is a Model of Lambda Calculus?. Information arid Control, 52, 1982, pp. 87-122. [Miller&Nadathur] [86] Dale A . Miller, Gopalan Nadathur, Higher-order Logic Programming. Proc. of the Third International Logic Programming Conference, Imperial College, London, July 1986. [Milner] [72] Robin Milner, Implementation and Applications of Scott's Logic for Computable Functions. Proc. of A C M Conference on Proving Assertions about Programs, SIGPLAN Notices 7, January 1972, pp. 1-6. [79] Robin Milner, A Calculus of Communicating Systems. LNCS 92, Springer-Verlag, 1979. [83] Robin Milner, Calculi for Synchrony and Asynchrony. Theoretical Computer SCience 25, 1983,pp.267-310.  Bibliography  117  [Minsky] [75] M . Minsky, A Framework for Representing Knowledge. The Psychology of Computer Vision, P.H. Winston, Ed., McGraw-Hill, New York, 1975. Also, MIT A l Lab., Memo 306,1974. [Monteiro&Pereira] [86] Luis F. Monteiro, Fernando C. N . Pereira, A Sheaf-Theoretic Model of Concurrency. LICS 1986, IEEE. 
[Morrison] [91] Richard Morrison, Design of an Operating System Kernel for Representative-Intensive Environments Based on the SET Data Model. In progress. [Owicki&Gries] [76] S. Owicki, D . Gries, An Axiomatic Proof Technique for Parallel Programs, I. Acta Informatica, 6,1976, pp. 319-340. [Park] [70] David Park, Fixpoint Induction and the Proofs of Program Properties. Machine Intelligence 5,1970, pp.59-78. [80] David Park, On the Semantics of Fair Parallelism. LNCS 86, Springer-Verlag, 1980, pp.504-526. [Paulson] [88] Lawrence C. Paulson, Experience with Isabelle: A Generic Theorem Prover (Preliminary Version). University of Cambridge Computer Laboratory Technical Report No. 143, 1988. [Perlis] [85] Donald Perlis, Languages with Self-Reference I: Foundations. Artificial Intelligence, 25, 1985, pp.301-322. [Pierce] [88] Benjamin C. Pierce, A Taste of Category Theory for Computer Scientists. Thechnical Report CMU-CS-88-203, Computer Science, Carnegie Mellon University, 1988. [Pitt et al.] [85] D . H . Pitt, S. Abramsky, A . Poigne, D. Rydeheard, Eds, Category Theory and Computer Programming. LNCS 240, Springer-Verlag, 1985. [87] D . H . Pitt, A . Poign6, D . Rydeheard, Eds, Category Theory and Computer Science. L N C S 283, Springer-Verlag, 1987. [Plotkin] [66] Gordon D. Plotkin, A Powerdomain Construction. SIAM J. Computing 5, 1976, pp.452-487. [78] Gordon D. Plotkin, T® as a Universal Domain. J. Comput. Systems Sci., 17, pp. 209-236. [Poole] [88a] David Poole, A Logical Framework for Default Reasoning. Artificial Intelligence 36, 1988.  Bibliography [88b] [89a] [89b]  118  David Poole, Representing Knowledge for Logic-Based Diagnosis. Proc. of Int. Conf. on Fifth Generation Computing, Tokyo, 1988. David Poole, Explanation and Prediction: An Architecture for Default and Abductive Reasoning. Computational Intelligence 5,2,1989. David Poole, What the Lottery Paradox Tells Us About Nonmonotonic Reasoning. Proc .First Int. Conf. 
on Principles of Knowledge Representation and Reasoning, 1989.  [Prawitz] [65] Dag Prawitz, Natural Deduction, A Proof-Theoretical Study. Stockholm Studies in Philosphy 3, Almquist & Wiksell, Stockholm, 1965. [68] Dag Prawitz, Hauptsatz for Higher Order Logic. Journal of Symbolic Logic, 33, 1968, pp. 452-457. [Reiter] [80] Raymond Reiter, A logic for Default Reasoning. Artificial Intelligence 13,1980, pp. 81-132. [80a] Raymond Reiter, Equality and Domain Cosure in First-Order Databases. J.ACMS 27, 1980, pp.235-249. [82] Raymond Reiter, Circumscription Implies Predicate Completion (sometimes). Proc. Second Conf. on Artificial Intelligence, Pittsburgh, PA, 1982. [Reynolds] [69] John C. Reynolds, Using Category Theory to Design Implicit Conversions and Generic Operators. LNCS 94, Springer-Verlag, 1980. [74] John C. Reynolds, Towards a Theory of Type Structure. LNCS 19, Springer-Verlag, 1974, pp.408-425. [84] John C. Reynolds, Polymorphism is not Set-Theoretic. LNCS 173, Springer-Verlag, 1984,pp.l45-156. [Rydeheard&Burstall] [88] David E. Rydeheard, Rod M . Burstall, Computational Category Theory. Prentice Hall, 1988. [Schiitte] [60] Kurt Schiitte, Syntactical and Semantical Properties of Simple Type Theory. Journal of Symbolic Logic, 25,1960, pp.305-326. [77] Kurt Schiitte, Proof Theory. Springer-Verlag, 1977. [Scott] [70] Dana S. Scott, Outline of a Mathematical Theory of Computation. Technical Monograph PRG-2, Oxford University Computing Laboratory, 1970. [72] Dana S.Scott, Continuous Lattices. S L N M 274, 1972, pp.97-136. [73] Dana S.Scott, Models of Various Type-Free Calculus. Logic, Methodology and Philos. Sci. IV, P. Suppes et al., Eds., North-Holland, 1973, pp. 157-187. [76] Dana S. Scott, Data Types as Lattices. SLAM J. Computing, 5, 1976, pp. 522-587. [80a] Dana S. Scott, Lambda Calculus: Some Models Some Philosophy. Kleene Symposium, Eds. J. Barwise et al., Noth-Holland, 1980, pp. 223-265. [80b] Dana S. Scott, Relating Theories of the X-Calculus. To H.B. 
Curry: Essays on Combinatorial Logic, Lambda Calculus and Formalism, Eds. J.P. Seldin, J.R. Hindley, Academic Press, 1980, pp. 403-450. [82] Dana S.Scott, Domains for Denotational Semantics. SLNCS 140,1982, pp. 577-613.  Bibliography [91]  119  Dana Scott, A Language for Semantics, Mathematical Foundations of Programming Semantics, Carnegie Mellon University, March 25-28,1991.  [Shoenfield] [67]  Joseph R. Shoenfield, Mathematical Logic. Addison-Wesley, 1967.  [Smullyan] [68]  Raymond M . Smullyan, First-Order Logic. Springer-Verlag, 1968.  [Smyth] [77] M . B . S m y t h , Effectively Given Domains. Theoretical Computer Science 5, 1977, pp.257-274. [78] M . B. Smyth, Power Domains. Journal of Computer and System Science 16,1978, pp.23-36. [Smyth&PIotkin] [82] M . B. Smyth, G . D. Plotkin, The Category-Theoretic Solution of the Recursive Domain Equations. SLAM J. Computing 11, 1982, pp. 761-783. [Sowa] [84] J. F. Sowa, Conceptual Structures: Information Processing in Mind and Machine. Addison-Weslay, 1984. [Stoy] [77] Joseph E. Stoy, Denotational Semantics: The Scott-Strachey Approach to Programming Language Theory. MIT Press, 1977. [Szabo] [69] M . E . Szabo, The Collected Papers of Gerhard Gentzen. Noth-Holland, Amsterdam, 1969. [Tarski] [36] Alfred Tarski, DerWahrheitsbegriffindenformalisiertenSprachen. Studia Philosophica, vol. 1,1936, pp.261-405. English translation appears in Logic, Semantics, Metamathematics, Papers from 1923 to 1938, Oxford University Press, 152-278,1956. [Tennent] [85] R. D . Tennent, Functor-Category Semantics of Programming Languages and Logics. L N C S 240, Springer-Verlag, 1985. [Touretzky] [86] David S. Touretzky, The Mathematics of the Inheritance Systems. Morgan-Kaufmann, London, 1986. [Tsiknis] [85] George Tsiknis, Specification-Verification of Protocols - The Significant Event Temporal Logic Technique. M.Sc. Thesis, University of British Columbia, April 1985. [88a] George Tsiknis, The Inconsistency of a Belief Revision System. 
APPENDIX A
Proof of Lemma 3.3.2.1

3.3.2.1 Lemma
The sequent → [∀x:Cat] <Id[x], x, x>:Ar is derivable.

Proof of Lemma 3.3.2.1
If C is any tuple <Ar_C, =_aC, Sr_C, Tg_C, Cp_C> of second order parameters, the lemma is obtained by an application of →∀ to the sequent
C:Cat → <Id[C], C, C>:Ar
whose derivation is obtained as follows. Let Ax[G,A,B] be the result of replacing F by G, <Ar_C, =_aC, Sr_C, Tg_C, Cp_C> by A, and <Ar_D, =_aD, Sr_D, Tg_D, Cp_D> by B in any of the axioms (f1) to (f9). From the definition of Ar, it is obvious that a proof of the lemma can be obtained from a derivation of the sequent
C:Cat → Functor[ Id[C], C, C ]
by a single application of →{}. The latter derivation can in turn be obtained if for each axiom (f1) to (f10) a derivation for the sequent
C:Cat → Ax[ Id[C], C, C ]   (L1)
is provided. Derivations of the last sequent will be given for axioms (f3), (f4), (f7) and (f9) only, the rest being either similar or trivial.

3.3.2.1.1 Sequent (L1) is derivable when Ax is (f3). A derivation in which f is a first order parameter follows (the proof tree is listed from its leaves down to the end sequent):
f =_aC f → f =_aC f
f:Ar_C → f:Ar_C
[∀g:Ar_C] g =_aC g, f:Ar_C → f =_aC f
*C:Cat, f:Ar_C → f =_aC f   (thinning)
C:Cat, f:Ar_C → *<f,f>:Id[C]
f:Ar_C → f:Ar_C
C:Cat, f:Ar_C → *[∃fd:Ar_C] <f,fd>:Id[C]
C:Cat → *[∀fc:Ar_C][∃fd:Ar_C] <fc,fd>:Id[C]

3.3.2.1.2 Sequent (L1) is derivable when Ax is (f4). In the following derivation f1, f2, f3 and f4 are first order parameters. (The proof tree is not legible in the scanned copy; only its end sequent is reproduced.)
C:Cat → *[∀fc,gc,fd,gd:Ar_C]( fc =_aC gc ∧ <fc,fd>:Id[C] ∧ <gc,gd>:Id[C] ⊃ fd =_aC gd )

3.3.2.1.3 Sequent (L1) is derivable when Ax is (f7). In the following derivation f1, f2, a1 and a2 are first order parameters. (The proof tree is not legible in the scanned copy; only its end sequent is reproduced.)
C:Cat → *[∀fc,c,fd,d:Ar_C]( <fc,c>:Sr_C ∧ <fc,fd>:Id[C] ∧ <c,d>:Id[C] ⊃ <fd,d>:Sr_C )

3.3.2.1.4 Sequent (L1) is derivable when Ax is (f9). A derivation of this sequent is provided in which f1, f2, f3, g1, g2 and g3 are first order parameters. (The proof tree is not legible in the scanned copy; only its end sequent is reproduced.)
C:Cat → *[∀fc1,fc2,fc3,fd1,fd2,fd3:Ar_C]( <fc1,fc2,fc3>:Cp_C ∧ <fc1,fd1>:Id[C] ∧ <fc2,fd2>:Id[C] ∧ <fc3,fd3>:Id[C] ⊃ <fd1,fd2,fd3>:Cp_C )

End of proof of lemma 3.3.2.1

APPENDIX B
Proof of Lemma 3.3.3.1

3.3.3.1 Lemma
The sequent
→ [∀f,g:Func][∀b,c,d,e:Cat]( <f,b,c>:Ar ∧ <g,d,e>:Ar ∧ c =_e d ⊃ <FC[ f,b,c,g,d,e ], b, e>:Ar )
is derivable.

Proof of Lemma 3.3.3.1
If F1, F2 are second order parameters and C1, D1, C2, D2 are the usual tuples of second order parameters, the lemma can be obtained from the sequent
<F1,C1,D1>:Ar, <F2,C2,D2>:Ar, D1 =_e C2 → <FC[F1,C1,D1,F2,C2,D2], C1, D2>:Ar
by successive applications of the →∀ rule. The last sequent can be derived from the sequent
Functor[F1,C1,D1], Functor[F2,C2,D2], D1 =_e C2 → Functor[ FC[F1,C1,D1,F2,C2,D2], C1, D2 ]
by two applications of {}→ and one of →{}. Let Ax[G,A,B] be as in the proof of lemma 3.3.2.1. From the functor definition it is obvious that a proof of the latter sequent can be obtained if for each axiom (f1) to (f9) a derivation for the sequent
Ax[F1,C1,D1], Ax[F2,C2,D2], D1 =_e C2 → Ax[ FC[F1,C1,D1,F2,C2,D2], C1, D2 ]   (L2)
is provided. Derivations for this sequent will be given for the axioms (f3), (f4), (f7) and (f9) only, the rest being either similar or trivial.

3.3.3.1.1 Sequent (L2) is derivable when Ax is (f3). In the following derivation pc, pd and pe are first order parameters (the proof tree is listed from its leaves down to the end sequent):
<pc,pd>:F1 → <pc,pd>:F1
<pd,pe>:F2 → <pd,pe>:F2
pd:Ar_D1 → pd:Ar_D1
pd:Ar_D1, <pc,pd>:F1, <pd,pe>:F2 → *[∃d:Ar_D1]*( <pc,d>:F1 ∧ <d,pe>:F2 )
pd:Ar_D1, <pc,pd>:F1, <pd,pe>:F2 → *<pc,pe>:FC[F1,C1,D1,F2,C2,D2]
pe:Ar_D2 → pe:Ar_D2
pd:Ar_D1, <pc,pd>:F1, pe:Ar_D2, <pd,pe>:F2 → *[∃d:Ar_D2] <pc,d>:FC[F1,C1,D1,F2,C2,D2]
pd:Ar_D1, <pc,pd>:F1, *[∃d:Ar_D2] <pd,d>:F2 → [∃d:Ar_D2] <pc,d>:FC[F1,C1,D1,F2,C2,D2]
pd:Ar_D1, D1 =_e C2 → pd:Ar_C2   (lemma 3.3.1.1)
pd:Ar_D1, <pc,pd>:F1, *[∀c:Ar_C2][∃d:Ar_D2] <c,d>:F2, D1 =_e C2 → [∃d:Ar_D2] <pc,d>:FC[F1,C1,D1,F2,C2,D2]
*[∃d:Ar_D1] <pc,d>:F1, [∀c:Ar_C2][∃d:Ar_D2] <c,d>:F2, D1 =_e C2 → [∃d:Ar_D2] <pc,d>:FC[F1,C1,D1,F2,C2,D2]
pc:Ar_C1 → pc:Ar_C1
*[∀c:Ar_C1][∃d:Ar_D1] <c,d>:F1, [∀c:Ar_C2][∃d:Ar_D2] <c,d>:F2, D1 =_e C2, pc:Ar_C1 → [∃d:Ar_D2] <pc,d>:FC[F1,C1,D1,F2,C2,D2]
[∀c:Ar_C1][∃d:Ar_D1] <c,d>:F1, [∀c:Ar_C2][∃d:Ar_D2] <c,d>:F2, D1 =_e C2 → *[∀c:Ar_C1][∃d:Ar_D2] <c,d>:FC[F1,C1,D1,F2,C2,D2]

3.3.3.1.2 Sequent (L2) is derivable when Ax is (f4). In the following derivation pc1, pc2, pd1, pd2, pdd1 and pdd2 are first order parameters. (The proof tree is not legible in the scanned copy; only its end sequent is reproduced.)
[∀c1,c2:Ar_C1][∀d1,d2:Ar_D1]( c1 =_aC1 c2 ∧ <c1,d1>:F1 ∧ <c2,d2>:F1 ⊃ d1 =_aD1 d2 ),
[∀c1,c2:Ar_C2][∀d1,d2:Ar_D2]( c1 =_aC2 c2 ∧ <c1,d1>:F2 ∧ <c2,d2>:F2 ⊃ d1 =_aD2 d2 ),
D1 =_e C2
→ *[∀c1,c2:Ar_C1]*[∀d1,d2:Ar_D2]( c1 =_aC1 c2 ∧ <c1,d1>:FC[F1,C1,D1,F2,C2,D2] ∧ <c2,d2>:FC[F1,C1,D1,F2,C2,D2] ⊃ d1 =_aD2 d2 )

3.3.3.1.3 Sequent (L2) is derivable when Ax is (f7). In the following derivation the terms fd1, d1, fd2 and d2 are first order parameters. (The proof tree is not legible in the scanned copy; only its end sequent is reproduced.)
[∀fc,c:Ar_C1][∀fd,d:Ar_D1]( <fc,c>:Sr_C1 ∧ <fc,fd>:F1 ∧ <c,d>:F1 ⊃ <fd,d>:Sr_D1 ),
[∀fc,c:Ar_C2][∀fd,d:Ar_D2]( <fc,c>:Sr_C2 ∧ <fc,fd>:F2 ∧ <c,d>:F2 ⊃ <fd,d>:Sr_D2 ),
D1 =_e C2
→ *[∀fc,c:Ar_C1]*[∀fd,d:Ar_D2]*( <fc,c>:Sr_C1 ∧ <fc,fd>:FC[F1,C1,D1,F2,C2,D2] ∧ <c,d>:FC[F1,C1,D1,F2,C2,D2] ⊃ <fd,d>:Sr_D2 )

3.3.3.1.4 Sequent (L2) is derivable when Ax is (f9). In the following derivation the first order parameters pc1, pc2, pc3, pd1, pd2, pd3, pe1, pe2 and pe3 are used. (The proof tree is not legible in the scanned copy; only its end sequent is reproduced.)
[∀fc1,fc2,fc3:Ar_C1][∀fd1,fd2,fd3:Ar_D1]( <fc1,fc2,fc3>:Cp_C1 ∧ <fc1,fd1>:F1 ∧ <fc2,fd2>:F1 ∧ <fc3,fd3>:F1 ⊃ <fd1,fd2,fd3>:Cp_D1 ),
[∀fc1,fc2,fc3:Ar_C2][∀fd1,fd2,fd3:Ar_D2]( <fc1,fc2,fc3>:Cp_C2 ∧ <fc1,fd1>:F2 ∧ <fc2,fd2>:F2 ∧ <fc3,fd3>:F2 ⊃ <fd1,fd2,fd3>:Cp_D2 ),
D1 =_e C2
→ *[∀fc1,fc2,fc3:Ar_C1]*[∀fd1,fd2,fd3:Ar_D2]*( <fc1,fc2,fc3>:Cp_C1 ∧ <fc1,fd1>:FC[F1,C1,D1,F2,C2,D2] ∧ <fc2,fd2>:FC[F1,C1,D1,F2,C2,D2] ∧ <fc3,fd3>:FC[F1,C1,D1,F2,C2,D2] ⊃ <fd1,fd2,fd3>:Cp_D2 )

End of proof of lemma 3.3.3.1

APPENDIX C
Proof of Theorem 3.3.4.1

3.3.4.1 Theorem
The sequent → <Ar, =_a, Sr, Tg, Cp>:Cat is derivable in NaDSet.

Proof of Theorem 3.3.4.1
In the proof of the theorem we use a notation similar to the one used in the previous lemmas. Ar_X, =_aX, Sr_X, Tg_X, Cp_X, with X being A, B, C, D, E, possibly subscripted, are used as second order parameters, while X alone will abbreviate the tuple <Ar_X, =_aX, Sr_X, Tg_X, Cp_X>. A derivation of → <Ar,=_a,Sr,Tg,Cp>:Cat can be obtained from a derivation of → Category[Ar,=_a,Sr,Tg,Cp] by one application of the →{} rule and the definition of Cat. To derive the latter sequent it is necessary to provide a derivation of each sequent of the form
→ Ax[Ar,=_a,Sr,Tg,Cp]   (T1)
where Ax[Ar,=_a,Sr,Tg,Cp] is one of the axioms c1 to c20. Derivations will be provided for the complicated and "interesting" axioms only.

3.3.4.1.1 The sequent T1 is derivable when Ax is the axiom c3. A derivation for it follows (listed from the leaves down to the end sequent):
F1 =_e F2, F2 =_e F3 → F1 =_e F3   (lemma 3.3.1.1)
C1 =_e C2, C2 =_e C3 → C1 =_e C3   (lemma 3.3.1.1)
D1 =_e D2, D2 =_e D3 → D1 =_e D3   (lemma 3.3.1.1)
<F1,C1,D1>:Ar, <F2,C2,D2>:Ar, <F3,C3,D3>:Ar, F1 =_e F2, C1 =_e C2, D1 =_e D2, F2 =_e F3, C2 =_e C3, D2 =_e D3 → F1 =_e F3, C1 =_e C3, D1 =_e D3   (thinning)
<F1,C1,D1>:Ar, <F2,C2,D2>:Ar, <F3,C3,D3>:Ar → *( *<F1,C1,D1> =_a <F2,C2,D2> ∧ *<F2,C2,D2> =_a <F3,C3,D3> ⊃ *<F1,C1,D1> =_a <F3,C3,D3> )
→ *[∀f,g,h:Ar]( f =_a g ∧ g =_a h ⊃ f =_a h )

3.3.4.1.2 The sequent T1 is derivable when Ax is the axiom c6. In the following derivation a1, a2 are first order parameters (listed from the leaves down to the end sequent):
a1 =_aD1 a2, D1 =_e D2 → a1 =_aD2 a2   (lemma 3.3.1.1)
<a1,a2>:F3 → <a1,a2>:F3
*(<a1,a2>:F3 ⊃ a1 =_aD1 a2), D1 =_e D2, <a1,a2>:F3 → a1 =_aD2 a2
(<a1,a2>:F3 ⊃ a1 =_aD1 a2), D1 =_e D2 → *(<a1,a2>:F3 ⊃ a1 =_aD2 a2)   (a)
(a1 =_aD1 a2 ⊃ <a1,a2>:F3), D1 =_e D2 → *(a1 =_aD2 a2 ⊃ <a1,a2>:F3)   (similar to (a))
(<a1,a2>:F3 ≡ a1 =_aD1 a2), D1 =_e D2 → *(<a1,a2>:F3 ≡ a1 =_aD2 a2)
a1:Ar_D2 → a1:Ar_D2
a2:Ar_D2 → a2:Ar_D2
*[∀f,g:Ar_D1](<f,g>:F3 ≡ f =_aD1 g), D1 =_e D2, a1:Ar_D2, a2:Ar_D2 → (<a1,a2>:F3 ≡ a1 =_aD2 a2)
[∀f,g:Ar_D1](<f,g>:F3 ≡ f =_aD1 g), D1 =_e D2 → *[∀f,g:Ar_D2](<f,g>:F3 ≡ f =_aD2 g)
C3 =_e D1, D1 =_e D2 → C3 =_e D2   (lemma 3.3.1.1)
D3 =_e D1, D1 =_e D2 → D3 =_e D2   (lemma 3.3.1.1)
<F1,C1,D1>:Ar, <F2,C2,D2>:Ar, <F3,C3,D3>:Ar, F1 =_e F2, C1 =_e C2, D1 =_e D2, C3 =_e D1, D3 =_e D1, [∀f,g:Ar_D1](<f,g>:F3 ≡ f =_aD1 g) → *( C3 =_e D2 ∧ D3 =_e D2 ∧ [∀f,g:Ar_D2](<f,g>:F3 ≡ f =_aD2 g) )   (thinning)
<F1,C1,D1>:Ar, <F2,C2,D2>:Ar, <F3,C3,D3>:Ar, *<F1,C1,D1> =_a <F2,C2,D2>, *<<F1,C1,D1>,<F3,C3,D3>>:Tg → *<<F2,C2,D2>,<F3,C3,D3>>:Tg
→ *[∀f,g,a:Ar]*( f =_a g ∧ <f,a>:Tg ⊃ <g,a>:Tg )

3.3.4.1.3 The sequent T1 is derivable when Ax is the axiom c11. In the following derivation a1, a2 are first order parameters (listed from the leaves down to the end sequent):
a1 =_aC a2 → a1 =_aC a2
a1 =_aC a2 → a1 =_aC a2
→ (a1 =_aC a2) ≡ (a1 =_aC a2)
a1:Ar_C, a2:Ar_C → (a1 =_aC a2) ≡ (a1 =_aC a2)   (thinning)
→ *[∀f,g:Ar_C]( *<f,g>:Id[C] ≡ (f =_aC g) )
→ C =_e C   (lemma 3.3.1.1)
→ *( C =_e C ∧ C =_e C ∧ [∀f,g:Ar_C](<f,g>:Id[C] ≡ f =_aC g) )
→ *<<F,C,D>,<Id[C],C,C>>:Sr
C:Cat → <Id[C],C,C>:Ar   (consequence of lemma 3.3.2.1)
Functor[F,C,D] → *[∃a:Ar] <<F,C,D>,a>:Sr   (thinning)
*<F,C,D>:Ar → [∃a:Ar] <<F,C,D>,a>:Sr
→ *[∀f:Ar][∃a:Ar] <f,a>:Sr

3.3.4.1.4 The sequent T1 is derivable when Ax is the axiom c15. T1 will follow from
(1)  <F1,C1,D1>:Ar, <F2,C2,D2>:Ar, D3 =_e D1, D3 =_e C2 → <FC[F1,C1,D1,F2,C2,D2], C1, D2>:Ar
and
(2)  D3 =_e D1, D3 =_e C2 → <<F1,C1,D1>, <F2,C2,D2>, <FC[F1,C1,D1,F2,C2,D2], C1, D2>>:Cp.

3.3.4.1.4.1 The sequent (1) is derived next:
D3 =_e D1, D3 =_e C2 → D1 =_e C2   (consequence of lemma 3.3.1.1)
<F1,C1,D1>:Ar, <F2,C2,D2>:Ar, D1 =_e C2 → <FC[F1,C1,D1,F2,C2,D2], C1, D2>:Ar   (consequence of lemma 3.3.3.1)
<F1,C1,D1>:Ar, <F2,C2,D2>:Ar, D3 =_e D1, D3 =_e C2 → <FC[F1,C1,D1,F2,C2,D2], C1, D2>:Ar   (cut)

3.3.4.1.4.2 The above sequent (2) is derivable. In the following derivation a1, a2 and a3 are first order parameters (listed from the leaves down to the end sequent):
a3:Ar_D1 → a3:Ar_D1
<a1,a3>:F1 → <a1,a3>:F1
<a3,a2>:F2 → <a3,a2>:F2
a3:Ar_D1, <a1,a3>:F1, <a3,a2>:F2 → *[∃h:Ar_D1]*( <a1,h>:F1 ∧ <h,a2>:F2 )
*[∃h:Ar_D1]*( <a1,h>:F1 ∧ <h,a2>:F2 ) → [∃h:Ar_D1]( <a1,h>:F1 ∧ <h,a2>:F2 )   (i)
*[∃h:Ar_D1]*( <a1,h>:F1 ∧ <h,a2>:F2 ) → [∃h:Ar_D1]( <a1,h>:F1 ∧ <h,a2>:F2 )   (same as (i))
→ [∃h:Ar_D1]( <a1,h>:F1 ∧ <h,a2>:F2 ) ≡ [∃h:Ar_D1]( <a1,h>:F1 ∧ <h,a2>:F2 )
→ *<a1,a2>:FC[F1,C1,D1,F2,C2,D2] ≡ [∃h:Ar_D1]( <a1,h>:F1 ∧ <h,a2>:F2 )
a1:Ar_C1, a2:Ar_D2 → ( <a1,a2>:FC[F1,C1,D1,F2,C2,D2] ≡ [∃h:Ar_D1]( <a1,h>:F1 ∧ <h,a2>:F2 ) )   (thinning)
→ *[∀f:Ar_C1][∀g:Ar_D2]( <f,g>:FC[F1,C1,D1,F2,C2,D2] ≡ [∃h:Ar_D1]( <f,h>:F1 ∧ <h,g>:F2 ) )
D3 =_e D1, D3 =_e C2 → D1 =_e C2   (consequence of lemma 3.3.1.1)
→ C1 =_e C1   (lemma 3.3.1.1)
→ D2 =_e D2   (lemma 3.3.1.1)
D3 =_e D1, D3 =_e C2 → *( C1 =_e C1 ∧ D1 =_e C2 ∧ D2 =_e D2 ∧ [∀f:Ar_C1][∀g:Ar_D2]( <f,g>:FC[F1,C1,D1,F2,C2,D2] ≡ [∃h:Ar_D1]( <f,h>:F1 ∧ <h,g>:F2 ) ) )
D3 =_e D1, D3 =_e C2 → *<<F1,C1,D1>, <F2,C2,D2>, <FC[F1,C1,D1,F2,C2,D2], C1, D2>>:Cp

3.3.4.1.4.3 Finally, a derivation of T1 from (1) and (2) is given.
< F l , C l , D l > : A r , <F2,C2,D2>:Ar, D 3 = D l , e  D3= C2 e  -» < F C [ F l , C l , D l , F 2 , C 2 , D 2 ] , C l , D 2 > : A r D3= Dl, e  D3= C2 e  (1)  ->  * « F 1 , C 1 , D 1 > , <F2,C2,D2>, < F C [ F l , C l , D l , F 2 , C 2 , D 2 ] , C l , D 2 » : C p < F l , C l , D l > : A r , <F2,C2,D2>:Ar, D 3 = D l , e  D3= C2 e  -> *[ 3h:Ar] « F 1 , C 1 , D 1 > , <F2,C2,D2>,h>:Cp < F l , C l , D l > : A r , <F2,C2,D2>:Ar, <F3,C3,D3>:Ar, * « F 1 , C 1 , D 1 > , <F3,C3,D3> >:Tg,  * « F 2 , C 2 , D 2 > , <F3,C3,D3»:Sr  -> [3h:Ar] « F 1 , C 1 , D 1 > , <F2,C2,D2>,h>:Cp thinning < F l , C l , D l > : A r , <F2,C2,D2>:Ar, <F3,C3,D3>:A -> * ( « F l , C l J ) l > , < F 3 , C 3 , D 3 > > : T g A « F 2 , C 2 , D 2 > , < F 3 , C 3 , D 3 » : S r 3 [ 3h:Ar] « F 1 , C 1 , D 1 > , <F2,C2,D2>,h>:Cp) -» *[Vf,g,a:Ar]( <f,a>:Tg A <g,a>:Sr => [3h:Ar] <f,g,h>:Cp)  3.3.4.1.5 The sequent T l is derivable when Ax is the axiom cl7. A derivation with first order parameters al, a2, a3, follows:  a3:Arj)i -> a3:Arj)j <al,a3>:Fl -> <al,a3>:Fl <a3,a2>:F2 -> <a3,a2>:F2  a 3 : A i b i , <al,a3>:Fl, <a3,a2>:F2 -> *[3h:Ar ]*(<al,h>:Fl A <h,a2>:F2) D1  <al,a2>:F4 -> <al,a2>:F4  ^•.ATQI, <al,a3>:Fl, <a3,a2>:F2, *([ 3h:Arj)i](<al,h>:Fl A <h,a2>:F2) 3 <al,a2>:F4)  (2)  Appendix C: Proof of Theorem 3.3.4.1 -»  144  <al,a2>:F4  <al,a2>:F3 - » <al,a2>:F3  *(<al,a2>:F3 3 *[3h:Ar ]*(<al,h>:Fl A <h,a2>:F2)), D1  ([3h:Ar ](<al,h>:Fl A<h,a2>:F2) 3 <al,a2>:F4), D1  <al,a2>:F3  ->  <al,a2>:F4  *(<al,a2>:F3 = [3h:Ar ](<al,h>:Fl A <h,a2>:F2)), D1  *(<al,a2>:F4 = [3h:Ar ](<al,h>:Fl A <h,a2>:F2)), D1  <al,a2>:F3  ->  <al,a2>:F4  &1:ATQ3, C l = C3 -> a l r A r ^ j  (lemma 3.3.1.1)  a l : A r ^ 3 , C l = C 3 -> a h A r ^  (lemma 3.3.1.1)  a2:Ar 3, D 2 = D 3 -> a 2 : A r e  D2  (lemma 3.3.1.1)  a 2 : A r , D 2 = D 3 -> a 2 : A r  D2  (lemma 3.3.1.1)  e  e  D  D3  Cl= C3, e  e  D2= D3, e  * [ V f : A r ] * [ V g : A r ] ( < f , g > : F 3 - [3h:Ar ](<f,h>:Fl A <h,g>:F2)), cl  D2  D1  * [ V f : A r ] * [ V g : A r ] ( 
< f , g > : F 4 = [3h:Ar ](<f,h>:Fl A <h,g>:F2)), cl  al:Ar  (i)  C 3  D2  , a2:Ar  D3  D1  , <al,a2>:F3  ->  <al,a2>:F4  C l = C 3 , D2= D3, e  e  [ V f : A r ] [ V g : A r ] ( < f , g > : F 3 = [3h:Ar ](<f,h>:Fl A <h,g>:F2)), cl  D2  D1  [ V f : A r ] [ V g : A r ] ( < f , g > : F 4 = [3h:Ar ](<f,h>:Fl A <h,g>:F2)) cl  D2  D1  -> * [ V f : A r ] * [ V g : A r ] * ( < f , g > : F 3 3 <f,g>:F4) C3  Cl= C4, e  D3  D2= D4, e  [ V f : A r ] [ V g : A r ] ( < f , g > : F 3 = [3h:Ar ](<f,h>:Fl A <h,g>:F2)), cl  D2  D1  [ V f : A r ] [ V g : A r ] ( < f , g > : F 4 = [3h:Ar ](<f,h>:Fl A <h,g>:F2)) cl  D2  D1  - » [Vf:Ar ][Vg:Ar ](<f,g>:F4 3 <f,g>:F3) C4  D4  (similar to (i)  Appendix C: Proof of Theorem 3.3.4.1 C l = C3, C l = C4 -> C3 =. C4  (lemma 3.3.1.1)  D2 =. D3, D2 = D4 - * D3 =. D4  (lemma 3.3.1.1)  e  e  e  Cl= C3,  D2= D3,  e  e  [Vf:Aj- ][Vg:Ar ](<f,g>:F3 cl  D2  Cl= C4,  = [3h:Ar ](<f,h>:Fl A <h,g>:F2)), D1  D2= D4,  e  e  [Vf:Ar ][Vg:Ar ](<f,g>:F4 cl  D2  - [3h:Ar ](<f,h>:Fl A <h,g>:F2)) D1  -> *(C3 = C4 A D3 = D4 e  e  A [Vf:Ar ][Vg:Ar ](<f,g>:F3 3 <f,g>:F4) C3  D3  A [Vf:Ar 4][Vg:Ar ](<f,g>:F4 3 <f,g>:F3) ) C  <Fl,Cl,Dl>:Ar,  D4  <F2,C2,D2>:Ar, <F3,C3,D3>:Ar, <F4,C4,D4>:Ar,  * « F 1 , C 1 , D 1 > , <F2,C2,D2>, <F3,C3,D3»:Cp, * « F 1 , C 1 , D 1 > , <F2,C2,D2>, <F4,C4,D4»:Cp -> *<F3,C3,D3> = <F4,C4,D4>  thinning  a  -> *[Vf,g,h,k:Ar] *( <f,g,h>:Cp A <f,g,k>:Cp 3 h = k ) a  3.3.4.1.6 The sequent T l is derivable when Ax is the axiom cl8. 
First we derive the sequents: (1)  « F 1 , C 1 , D 1 > , <F2,C2,D2»:Sr  -> « F 2 , C 2 , D 2 > , <F2,C2,D2»:Sr  (2)  « F 1 , C 1 , D 1 > , <F2,C2,D2»:Sr  -> « F 2 , C 2 , D 2 > , < F 2 , C 2 , D 2 » : T g  (3)  < F l , C l , D l > : A r , « F 1 , C 1 , D 1 > , <F2,C2,D2»:Sr - 4 « F 2 , C 2 , D 2 > , <F1,C1,D1>, < F l , C l , D l » : C p  3.3.4.1.6.1 A derivation of (1) with first order parameters al and a2 follows: <al,a2>:F2 -> <al,a2>:F2 al=  a C 1  a 2 , C 2 = C l -> a l = e  a C 2  a2  (lemma 3.3.1.1)  146  Appendix C: Proof of Theorem 3.3.4.1 (i)  *(<al,a2>:F2 3 al = (al=  a C 1  a2), C2 = C l - » *(<al,a2>:F2 3 a l = e  a 2 3 <al,a2>:F2), C 2 = C l  -> ( a l =  e  *(<al,a2>:F2 = a l = al:Ar  a C 1  a C 1  a2), C 2 = C l  a C 2  a2)  a 2 3 <al,a2>:F2)(similar to i)  - » *(<al,a2>:F2 m al =  e  a C 2  a2)  a C 2  , C2= Cl  -> a l : A r  c l  (lemma 3.3.1.1)  a2:Ar , C 2 = C l  -> a 2 : A r  cl  (lemma 3.3.1.1)  C 2  e  C2  e  C2 = C l , *[Vf,g:Ar ](<f,g>:F2 = f = e  cl  al:AxQ , a2:ArQ 2  2  g),  -> (<al,a2>:F2 = al = C 2 ) a2  a  C 2 = C l , [Vf,g:Ar ](<f,g>:F2 - f = e  a C 1  cl  - * *[Vf,g:Ar ](<f,g>:F2 = f = C2  a C 1  a C 2  g) g)  -> C 2 = C 2  (lemma 3.3.1.1)  e  D2= Cl, C2= Cl e  e  -> D 2 = C 2  (lemma 3.3.1.1)  e  C2 = C l , D2 = C l , [Vf,g:Ar ](<f,g>:F2 * f = e  e  cl  a C 1  g)  -> * ( C 2 = C 2 A D 2 = C 2 A [Vf,g:Ar ](<f,g>:F2 = f = e  e  C2  *«F1,C1,D1>, <F2,C2,D2»:Sr  a C  2§))  -» * « F 2 , C 2 , D 2 > , < F 2 , C 2 , D 2 » : S r  3.3.4.1.6.2 The derivation of (2) is similar to that of (1) and is omitted. 
3.3.4.1.6.3 To derive (3) it is necessary to derive the following two sequents: (a)  <Fl,Cl,Dl>:Ar, D2 = C l , [Vf,g:Ar ](<f,g>:F2 = f = e  a l : A r , a2: A r c l  (b)  cl  D 1  a C 1  g),  -> *( <al,a2>:Fl 3 [3h:Ar ](<al,h>:F2 A <h,a2>:Fl)) D2  <Fl,Cl,Dl>:Ar, C2 = C l , D2 = C l , *[Vf,g:Ar ](<f,g>:F2 = f = e  a l : A r , a2: Ar c l  Dl  e  cl  a C 1  g),  -> *( [3h:Ar ](<al,h>:F2 A <h,a2>:Fl) 3 <al,a2>:Fl) D2  3.3.4.1.6.3.1 First we derive (a) using al and a2 as first order parameters.  Appendix C: Proof of Theorem 3.3.4.1  a l : A r , D 2 = C l -> a l : A r c l  e  147  (lemma 3.3.1.1)  D 2  <al,al>:F2 -> <al,al>:F2 <al,a2>:Fl -> <al,a2>:Fl D 2 = C l , <al,al>:F2, a l : A x , <al,a2>:Fl e  c l  -> * [3h:Ar ]*(<al,h>:F2A<h,a2>:Fl) D2  Cl:Cat, al:AxQj -» a l  = ci a l  (direct consequence of cl)  a  thinning <Fl,Cl,Dl>:Ar, D2 = C l , * ( a l = e  aC1  a l => <al,al>:F2),  a l : A r , a2: Aijji, <al,a2>:Fl -> [3h:Ar ](<al,h>:F2 A <h,a2>:Fl) c l  D2  al:Arci -» a L A r ^ i al:Ar^j  al:Ard thinning  <Fl,Cl,Dl>:Ar, D2 = C l , *[Vf,g:Ar ](<f,g>:F2 = f = e  cl  a l : A r , a2: A r c l  D 1  a C 1  g),  , <al,a2>:Fl -> [3h:Ar ](<al,h>:F2 A <h,a2>:Fl) D2  <Fl,Cl,Dl>:Ar, D 2 = C l , [Vf,g:Ar ](<f,g>:F2 = f = e  cl  a C  ig),  a l : A r , a2: Aipi -> *( <al,a2>:Fl =5 [3h:Ar ](<al,h>:F2 A <h,a2>:Fl)) c l  3.3.4.1.6.3.2  D2  A derivation of the sequent (b) is given next. 
In this, the symbols a l , a2 and  a3 are first order parameters:  al:Arci -» ahAiQi SL3:ATQI -» a3:AiQi a l  =aCl  a3 =  a C 1  a 3  ~>  a  l  =aCl  al - » a3 =  a l  =aCl  a 3  al  a C 1  *[Vf,g:Ar ]*(f= c l  a 3  a C 1  -»  g 3 g=  a 3  =aCl  a C  a l  lf), al:Ar , a3:Ar , c l  cl  Appendix C: Proof of Theorem 3.3.4.1  148  *Cl:Cat, a h A r ^ j , * a 3 : A r ^ i , a l = ^j a3 -> a3= ^j a l a  a3:Ar 2» D2 = C l -> * a 3 : A r D  e  (c2 & thinning)  a  (lemma 3.3.1.1)  cl  cut Cl:Cat, D 2 = C l , a l i A r ^ , a3:Arj)2» a l = a ci a3 ~* e  a 3 =  aCl * a  <a3,a2>Fl -> <a3,a2>Fl <al,a2>Fl -> <al,a2>Fl Cl:Cat, * ( a 3 = al  a C 1  = ci a3, a  a l A <a3,a2>Fl => <al,a2>Fl), D 2 = C l , e  a l : A r £ i , a3:Arj)2> <a3,a2>:Fl -> <al,a2>:Fl  a3:Ar , D 2 = C l D2  ahAiQi  e  -> a 3 : A r  (lemma 3.3.1.1)  cl  -» al:Ar^j  a2:Ar j j - » a2:Aij)i r  )  Cl:Cat, * [ V f c , g c : A r ] * [ V f d : A r ] ( f c = cl  D1  a C 1  gc A <fc,fd>Fl 3 <gc,fd>Fl),  D 2 = C l , al = C l a3, a l : A r £ i , a2:ArT3i, a3:Ar£>2» <a3,a2>:Fl e  a  -> <al,a2>:Fl  *<Fl,Cl,Dl>:Ar, D2 = C l , a l = e  a C 1  a3,  al:Arrji, a 2 : A r i , a3:Ar 2> <a3,a2>:Fl -» <al,a2>:Fl D  ahAiQi a3:Ar  D  (f5 & thinning)  -> a l : A r £ i D2  A D2= Cl e  -> a 3 : A r  (lemma 3.3.1.1)  cl  <al,a3>:F2 -> <al,a3>:F2 <Fl,Cl,Dl>:Ar, D 2 = C l , *[Vf,g:Ar ]*(<f,g>:F2 3 f = e  cl  a C  ig),  a l : A r , a 2 : A r i , a3:Ar 2, <al,a3>:F2, <a3,a2>:Fl c l  D  D  - * <al,a2>:Fl <Fl,Cl,Dl>:Ar, D 2 = C l , [Vf,g:Ar ](<f,g>:F2 - f = e  a l : A r , a2: A r c l  cl  D 1  a C  lg),  , *[3h:Ar ](<al,h>:F2 A <h,a2>:Fl) D2  Appendix C: Proof of Theorem 3.3.4.1  149  -» <al,a2>:Fl  thinning  < F l , C l , D l > : A r , D 2 = C l , [Vf,g:Ar ](<f,g>:F2 = f = e  cl  a C 1  g),  a l : A r , a2: A i b i -» *( [3h:Ar ](<al,h>:F2 A <h,a2>:Fl) => <al,a2>:Fl) c l  D2  3.3.4.1.6.3.3 A derivation of (3) from (a) and (b) follows: (a)  (b)  < F l , C l , D l > : A r , D 2 = C l , [Vf,g:Ar ](<f,g>:F2 = f = e  a l : A r , a2: A r c l  cl  D 1  
a C  ig),  -> *( <al,a2>:Fl = [3h:Ar ](<al,h>:F2 A <h,a2>:Fl)) D2  < F l , C l , D l > : A r , D 2 = C l , [Vf,g:Ar ](<f,g>:F2 = f = e  cl  a C  l g)  -> * [ V f : A r ] * [ V g : ArrjiK <f,g>:Fl = [3h:Ar ](<f,h>:F2 A <h,g>:Fl)) cl  D2  C 2 = C l -> C 2 = C l  (lemma 3.3.1.1)  D2= Cl ->D2= Cl  (lemma 3.3.1.1)  e  e  e  e  < F l , C l , D l > : A r , C 2 = C l , D 2 = C l , [Vf,g:Ar ](<f,g>:F2 EE f = e  e  cl  a C  lg)  -» *( C2 = C l A D2 = C l A D l = D l e  e  A [Vf:Ar ][Vg: A r cl  e  D 1  ] ( <f,g>:Fl - [3h:Ar ](<f,h>:F2 A <h,g>:Fl))) D2  <Fl,Cl,Dl>:Ar, * « F 1 , C 1 , D 1 > , <F2,C2,D2»:Sr -> * « F 2 , C 2 , D 2 > , <F1,C1,D1>, < F l , C l , D l » : C p 3.3.4.1.6.4 Finally, T l can be obtained from (1), (2) and (3) by the following simple derivation. (1)  (2)  (3) thinning  < F l , C l , D l > : A r , <F2,C2,D2>:Ar, « F 1 , C 1 , D 1 > , < F 2 , C 2 , D 2 » : S r -» ( « F 2 , C 2 , D 2 > , <F2,C2,D2»:Sr A « F 2 , C 2 , D 2 > , < F 2 , C 2 , D 2 » : T g A « F 2 , C 2 , D 2 > , <F1,C1,D1>, < F l , C l , D l » : C p )  Appendix C: Proof of Theorem 3.3.4.1  150  -> *[Vf,a:Ar]*( <f,a>:Sr =3 <a,a>:Sr A <a,a>:Tg A <a,f,f>:Cp)  3.3.4.1.7 The sequent T l is derivable when Ax is the axiom c20. In the following derivation c, d, d l and d2 are first order parameters, and the D and C notations previously introduced to represent five tuples is used again. Further the notation <F(12)3, C(12)3, D(12)3> represents a functor resulting from first composing functors <F1, C l , D l > and <F2, C2, D2> and then composing the result with the functor <F3, C3, D3>. The triple <F1(23), Cl(23), Dl(23) > has a similar meaning.  
dl:Ar  D 1 2  , D2 = D12 -> d l : A r e  (lemma 3.3.1.1)  D 2  <d2,dl>:F2 -> <d2,dl>:F2 <dl,d>:F3 -> <dl,d>:F3 <d2,dl>:F2, dl:Ai ,  <dl,d>:F3, D 2 = D 1 2  m2  e  -> *[3h:Ar ]*(<d2,h>:F2 A <h,d>:F3) D2  <d2,d>:F23 - » <d2,d>:F23 <d2,dl>:F2, *([3h:Ar ](<d2,h>:F2 A <h,d>:F3) 3 <d2,d>:F23 ), D2  dl:Ar d2:Ax , Dl  d:Ar  D 1 2  , <dl,d>:F3, D 2 = D 1 2 -> <d2,d>:F23 e  Dl= C23 e  -> d 2 : A r  (lemma 3.3.1.1)  C 2 3  D(12)3> D 3 = D 2 3 , D3= D(12)3 -> d : A r e  e  D 2 3  (lemma 3.3.1.1) thinning  d 2 : A r , <d2,dl>:F2, D1  *[Vf:Ar dl:Ar  C23  D 1 2  ]*[Vg:Ar  D23  ]([3h:Ar ](<f,h>:F2 D2  A <h,g>:F3) = <f,g>:F23),  , <dl,d>:F3, d : A r ( ) , D  12  3  D2 = D12, D l = C23, D3 = D23, D3 = D(12)3 e  ^  <d2,d>:F23  e  e  e  Appendix C: Proof of Theorem 3.3.4.1  151  d2:Aij-)i ^ d 2 : A r £ ) i <c,d2>:Fl - » <c,d2>:Fl d2:Ar  D1  , <c,d2>:Fl,  <d2,dl>:F2,  [Vf:Ar 23][Vg:Ar 23]([3h:Ar ](<f,h>:F2 C  dl:Ar  D  D 1 2  A <h,g>:F3) = <f,g>:F23),  D2  , <dl,d>:F3, d:Ar (i2)3, D  D2 = D12, D l = C23, D3 = D23, D3 = D(12)3 e  e  e  e  -> *[3h:Ar ]*(<c,h>:Fl A <h,d>:F23) D1  *[3h:Ar ]*(<c,h>:Fl A <h,dl>:F2), D1  [Vf:Ar 23][Vg:Ar 23]([3h:Ar ](<f,h>:F2 A <h,g>:F3) * <f,g>:F23), C  dl:Ar  D  D 1 2  D2  , <dl,d>:F3, d : A r ( ) 3 , D  12  D2 = D12, D l = C23, D3 = D23, D3 = D(12)3 e  e  e  e  -> [3h:Ar ](<c,h>:Fl A <h,d>:F23) D1  <c,dl>:F12 -> <c,dl>:F12 *(<c,dl>:F12 => [3h:Ar ](<c,h>:Fl A <h,dl>:F2)), D1  [Vf:Ar 3][Vg:Ar 23]([3h:Ar ](<f,h>:F2 A <h,g>:F3) = <f,g>:F23), C2  dl:Ar  D 1 2  D  D2  , <c,dl>:F12, <dl,d>:F3, d : A r ( ) , D  1 2  3  D2 = D12, D l = C23, D3 = D23, D3 = D(12)3 e  e  e  e  -> [3h:Ar ](<c,h>:Fl A <h,d>:F23) D1  c:Ar  C(12)3> C12= C(12)3 -> c : A r  d l : A r  e  D12  "*  d l : A r  (lemma 3.3.1.1)  c l 2  D12 thinning  *[Vf:Ar  cl2  ]*[Vg:Ar  D12  ] ( < f , g > : F 1 2 - [3h:Ar ](<f,h>:Fl A <h,g>:F2)), D1  [Vf:Ar 23][Vg:Ar 23]([3h:Ar ](<f,h>:F2 A <h,g>:F3) - <f,g>:F23), C  dl:Ar  D 1 2  D  D2  , <c,dl>:F12, <dl,d>:F3,  D2 =. 
D12, D l = C23, D3 = D23, D3 = D(12)3, e  e  e  C12 = C(12)3, e  Appendix C: Proof of Theorem 3.3.4.1  152  C:AI-QI2)3, drAijjQ2)3 ~* Ph:Arrjj](<c,h>:Fl A <h,d>:F23)  [Vf:Ar ][Vg:Ar 2](<f,g>:F12 = [3h:Ar ](<f,h>:Fl A <h,g>:F2)), cl2  D1  D1  [Vf:Ar 23][Vg:Ar 23]([3h:Ar ](<f,h>:F2 A <h,g>:F3) = <f,g>:F23), C  D  *[3h:Ar  D12  D2  ]*(<c,h>:F12 A <h,d>:F3),  D2 = D12, D l = C23, D3 = D23, D3 = D(12)3, C12 = C(12)3 , e  c:Ar  e  C(12)3'  d:Ar  e  c  e  D ( 1 2 ) 3 -» [3h:Ar ](<c,h>:Fl A <h,d>:F23) D1  <c,d>:F(12)3 -> <c,d>:F(12)3 <c,d>:Fl(23) -> <c,d>:Fl(23) [Vf:Ar 2][Vg:Ar cl  D12  ](<f,g>:F12= p h r A T D ^ K ^ r F l A<h,g>:F2)),  [ V f : A x 2 3 ] [ V g : A r 3 ] ( [ 3 h : A r ] « f , h > : F 2 A <h,g>:F3) = <f,g>:F23), C  D2  D2  *(<c,d>:F(12)3 3 [3h:Ar  D12  ](<c,h>:F12 A <h,d>:F3)),  *(ph:Ar ](<e,h>:Fl A <h,d>:F23) 3 <c,d>:Fl(23)), D1  D2 = D12, D l = C23, D3 = D23, D3 = D(12)3, C12 = C(12)3 , e  c:Ar  e  C(12)3>  d:Ar  c:Ar  C(12)3  c:Ar  d:Ar  D ( 1 2 ) 3 ~>  d:Ar  c:Ar  C(12)3>  C  1  e  e  D(12)3> <c,d>:F(12)3 -> <c,d>:Fl(23)  C(12)3 D(12)3  =c > C12  C  1  2  =e < ) ' C  12  3  C  1  =e < ) C1  23  —» c:Ar^i(23) d:Ar  e  (lemma 3.3.1.1)  D ( 1 2 ) 3 ' D3= D(12)3, D 3 = D 2 3 , D23= Dl(23) e  e  e  -> d:Arj)j^23)  (lemma 3.3.1.1) thinning  [Vf:Ar ][Vg:Ar cl2  D12  ](<f,g>:F12 = [3h:Ar ](<f,h>:Fl A <h,g>:F2)), D1  [Vf:Ar 3][Vg:Ar 23]([3h:Ar 2](<f,h>:F2 A <h,g>:F3) = <f,g>:F23), C2  *[Vf:Ar  D  C(1  D  2 ]*[Vg:Ar )3  - [3h:Ar  D12  D(1  2 ](<f,g>:F(12)3 )3  ](<f,h>:F12 A <h,g>:F3)),  Appendix C: Proof of Theorem 3.3.4.1 *[Vf:Ar 23)]*[Vg:Ar cl(  a  D1(  153  23)]([3h:Ar ](<f,h>:Fl A <h,g>:F23) D1  <f,g>:Fl(23)),  Cl= C12, D l = C 2 , D2= D12, C2= C23, D2= C3, D3= D23, e  e  e  e  e  e  C12= C(12)3, D12= C3, D3= D(12)3, Cl= Cl(23), Dl= C23, e  e  D23= Dl(23), c : A r e  e  C(12  e  e  ) 3 , d : A r ( ) 3 , <c,d>:F(12)3 D  12  -> <c,d>:Fl(23)  (i)  [Vf:Ar 2][Vg:Ar cl  D12  ] ( < f , g > : F 1 2 = p h r A r j ^ K ^ h x F l A <h,g>:F2)),  [Vf:Ar 23][Vg:Ar 
23]([3h:Ar 2](<f,h>:F2 A <h,g>:F3) = <f,g>:F23), C  [Vf:Ar  D  C(12)  D  3][Vg:Ar = [3h:Ar  [Vf:Ar  D(1  D12  2)3](<f,g>:F(12)3  ](<f,h>:F12 A <h,g>:F3)),  23)][ g: Dl(23)](P v  cl(  Ar  h:Ar  D l K < f , h > : F l * <h,g>:F23)  = <f,g>:Fl(23)), Cl= C12, D l = C 2 , D2= D12, C2= C23, D2= C3, e  e  e  e  e  D3= D23, C12= C(12)3, D12= C3, D3= D(12)3, e  e  e  e  Cl= Cl(23), Dl= C23,D23= Dl(23) e  e  -> * [ V f : A r [Vf:Ar  cl2  C(12)  ][Vg:Ar  [Vf:Ar  C23  [Vf:Ar  C(1  D12  e  3]*[Vg:Ar  D(1  2 ] * ( < f , g > : F ( 1 2 ) 3 3 <f,g>:Fl(23)) )3  ] ( [ 3 h : A r ] ( < f , h > : F l A <h,g>:F2) - <f,g>:F12 ), D1  ][Vg:Ar  D23  ] ( < f , g > : F 2 3 - [3h:Ar ](<f,h>:F2 A <h,g>:F3)),  2 3][Vg:Ar )  D2  D(1  2)3]([3h:Ar  D12  ](<f,h>:F12 A <h,g>:F3)  = <f,g>:F(12)3), [Vf:Ar  cl(23)  ][Vg:Ar  D1(  23 ](<f,g>:Fl(23) )  = [3h:Ar ](<f,h>:Fl A <h,g>:F23)), D1  Cl= C12, D l = C 2 , D2= D12, C2= C23, D2= C3, e  e  e  e  e  D3= D23, C12= C(12)3, D12= C3, D3= D(12)3, e  e  e  e  Cl= Cl(23), Dl= C23, D23= Dl(23), e  -> [ V f : A r  e  cl(23)  ][Vg:Ar  e  D1(23)  ] ( < f , g > : F l ( 2 3 ) 3 <f,g>:F(12)3)  (similar to i)  Appendix C: Proof of Theorem 3.3.4.1  [Vf:Ar ][Vg:Ar cl2  D12  ](<f,g>:F12 = [3h:Ar ](<f,h>:Fl A <h,g>:F2)), D1  [Vf:Ar  C23  [Vf:Ar  C(12)3  ][Vg:Ar  s  [3h:Ar  [Vf:Ar  ][Vg:Ar  cl(23)  154  ](<f,g>:F23 « [3h:Ar ](<f,h>:F2 A <h,g>:F3)),  D23  D2  D(12)  D12  3](<f,g>:F(12)3  ](<f,h>:F12 A <h,g>:F3)),  ][Vg:Ar i( 3)](<f,g>:Fl(23) D  2  - [3h:Ar ](<f,h>:Fl A <h,g>:F23)), D1  Cl= C12, D l = C 2 , D2= D12, C2= C23, D2= C3, e  e  e  e  e  D3= D23, C12= C(12)3, D12= C3, D3= D(12)3, e  e  e  e  Cl= Cl(23), Dl= C23, D23= Dl(23) e  e  -> * ( [ V f : A r  C ( 1 2 )  A [Vf:Ar  e  3][Vg:Ar  cl(23)  D ( 1 2 ) 3  ][Vg:Ar  C l = C12, C12 = C(12)3, C l = e  e  ] « f , g > : F ( 1 2 ) 3 3 <f,g>:Fl(23))  D1(23)  ] ( < f , g > : F l ( 2 3 ) 3 <f,g>:F(12)3) )  Cl(23)  e  -> C(12)3 = Cl(23)  (consequence of lemma 3.3.1.1)  e  D3 = D(12)3, D3 = D23, D23 = Dl(23) e  e  e  -» D(12)3 = 
D1(23)  (consequence of lemma 3.3.1.1)

C1 =_e C12, D1 =_e C2, D2 =_e D12,
[∀f:Ar_C12][∀g:Ar_D12](<f,g>:F12 ≡ [∃h:Ar_D1](<f,h>:F1 ∧ <h,g>:F2)),
C2 =_e C23, D2 =_e C3, D3 =_e D23,
[∀f:Ar_C23][∀g:Ar_D23](<f,g>:F23 ≡ [∃h:Ar_D2](<f,h>:F2 ∧ <h,g>:F3)),
C12 =_e C(12)3, D12 =_e C3, D3 =_e D(12)3,
[∀f:Ar_C(12)3][∀g:Ar_D(12)3](<f,g>:F(12)3 ≡ [∃h:Ar_D12](<f,h>:F12 ∧ <h,g>:F3)),
C1 =_e C1(23), D1 =_e C23, D23 =_e D1(23),
[∀f:Ar_C1(23)][∀g:Ar_D1(23)](<f,g>:F1(23) ≡ [∃h:Ar_D1](<f,h>:F1 ∧ <h,g>:F23))
-> *( C(12)3 =_e C1(23) ∧ D(12)3 =_e D1(23) ∧ *F(12)3 =_e F1(23) )

<F1,C1,D1>:Ar, <F2,C2,D2>:Ar, <F3,C3,D3>:Ar, <F12,C12,D12>:Ar, <F23,C23,D23>:Ar,
<F(12)3,C(12)3,D(12)3>:Ar, <F1(23),C1(23),D1(23)>:Ar,
*<<F1,C1,D1>, <F2,C2,D2>, <F12,C12,D12>>:Cp,
*<<F2,C2,D2>, <F3,C3,D3>, <F23,C23,D23>>:Cp,
*<<F12,C12,D12>, <F3,C3,D3>, <F(12)3,C(12)3,D(12)3>>:Cp,
*<<F1,C1,D1>, <F23,C23,D23>, <F1(23),C1(23),D1(23)>>:Cp
-> *<F(12)3,C(12)3,D(12)3> =_a <F1(23),C1(23),D1(23)>
    thinning
-> *[∀f,g,h,fg,gh,fg1h,f1gh:Ar]*( <f,g,fg>:Cp ∧ <g,h,gh>:Cp ∧ <fg,h,fg1h>:Cp ∧ <f,gh,f1gh>:Cp ⊃ fg1h =_a f1gh )

End of proof of theorem 3.3.4.1

APPENDIX D
Proof of Lemma 4.2.2.1

4.2.2.1 Lemma
The sequents
(1) -> ExpSem[true] =_e {<s,v> | v=1}
(2) -> ExpSem[false] =_e {<s,v> | v=0}
(3) -> [∀e,e1,e2:Exp] ExpSem[<e,e1,e2,CndExp>] =_e {<s,v> | (<s,1>:ExpSem[e] ∧ <s,v>:ExpSem[e1]) ∨ (<s,0>:ExpSem[e] ∧ <s,v>:ExpSem[e2])}
are derivable.

Proof of Lemma 4.2.2.1
A proof of (3) is provided in the sequel. Derivations of (1) and (2) are similar (and simpler) and are omitted.
(3) can be obtained from the sequents
(a) p:Exp, p1:Exp, p2:Exp, t:S, u:B,
    <t,u>:{<s,v> | (<s,1>:ExpSem[p] ∧ <s,v>:ExpSem[p1]) ∨ (<s,0>:ExpSem[p] ∧ <s,v>:ExpSem[p2])}
    -> <t,u>:ExpSem[<p,p1,p2,CndExp>]
(b) p:Exp, p1:Exp, p2:Exp, t:S, u:B, <t,u>:ExpSem[<p,p1,p2,CndExp>]
    -> <t,u>:{<s,v> | (<s,1>:ExpSem[p] ∧ <s,v>:ExpSem[p1]) ∨ (<s,0>:ExpSem[p] ∧ <s,v>:ExpSem[p2])}
where p, p1, p2, t, and u are first order parameters. Derivations of these sequents follow.

.1 A derivation of (a): In this, W is a second order parameter.

p:Exp -> p:Exp
p1:Exp -> p1:Exp
p2:Exp -> p2:Exp
t:S -> t:S
u:B -> u:B
(<p,t,1>:W ∧ <p1,t,u>:W ⊃ <<p,p1,p2,CndExp>,t,u>:W), <p,t,1>:W, <p1,t,u>:W -> <<p,p1,p2,CndExp>,t,u>:W

p:Exp, p1:Exp, p2:Exp, t:S, u:B,
*[∀e,e1,e2:Exp]*[∀s:S]*[∀v:B]( <e,s,1>:W ∧ <e1,s,v>:W ⊃ <<e,e1,e2,CndExp>,s,v>:W ),
<p,t,1>:W, <p1,t,u>:W -> <<p,p1,p2,CndExp>,t,u>:W
    thinning
p:Exp, p1:Exp, p2:Exp, t:S, u:B, *W:ExpSemCls, <p,t,1>:W, <p1,t,u>:W -> <<p,p1,p2,CndExp>,t,u>:W

W:ExpSemCls -> W:ExpSemCls
W:ExpSemCls -> W:ExpSemCls
p:Exp, p1:Exp, p2:Exp, t:S, u:B, W:ExpSemCls, *[∀w:ExpSemCls]<p,t,1>:w, *[∀w:ExpSemCls]<p1,t,u>:w -> <<p,p1,p2,CndExp>,t,u>:W
p:Exp, p1:Exp, p2:Exp, t:S, u:B, [∀w:ExpSemCls]<p,t,1>:w, [∀w:ExpSemCls]<p1,t,u>:w -> *[∀w:ExpSemCls]<<p,p1,p2,CndExp>,t,u>:w
p:Exp, p1:Exp, p2:Exp, t:S, u:B, *(*<t,1>:ExpSem[p] ∧ *<t,u>:ExpSem[p1]) -> *<t,u>:ExpSem[<p,p1,p2,CndExp>]

Similarly
p:Exp, p1:Exp, p2:Exp, (<t,0>:ExpSem[p] ∧ <t,u>:ExpSem[p2]) -> <t,u>:ExpSem[<p,p1,p2,CndExp>]

p:Exp, p1:Exp, p2:Exp, t:S, u:B, *((<t,1>:ExpSem[p] ∧ <t,u>:ExpSem[p1]) ∨ (<t,0>:ExpSem[p] ∧ <t,u>:ExpSem[p2])) -> <t,u>:ExpSem[<p,p1,p2,CndExp>]
p:Exp, p1:Exp, p2:Exp, t:S, u:B, *<t,u>:{<s,v> | (<s,1>:ExpSem[p] ∧ <s,v>:ExpSem[p1]) ∨ (<s,0>:ExpSem[p] ∧ <s,v>:ExpSem[p2])} -> <t,u>:ExpSem[<p,p1,p2,CndExp>]

.2 A derivation of (b): For this proof only, let T stand for
{<x,s,v> | <x,s,v>:ExpSem ∧ [∀a,a1,a2:Exp](x=<a,a1,a2,CndExp> ⊃ ((<a,s,1>:ExpSem ∧ <a1,s,v>:ExpSem) ∨ (<a,s,0>:ExpSem ∧ <a2,s,v>:ExpSem)))}
A derivation of (b) from the sequents (c) to (f) follows.
(c) -> [∀s:S]<true,s,1>:T
(d) -> [∀s:S]<false,s,0>:T
(e) -> [∀e,e1,e2:Exp][∀s:S][∀v:B]( <e,s,1>:T ∧ <e1,s,v>:T ⊃ <<e,e1,e2,CndExp>,s,v>:T )
(f) -> [∀e,e1,e2:Exp][∀s:S][∀v:B]( <e,s,0>:T ∧ <e2,s,v>:T ⊃ <<e,e1,e2,CndExp>,s,v>:T )

-> *T:ExpSemCls
p:Exp, p1:Exp, p2:Exp, t:S, u:B, <<p,p1,p2,CndExp>,t,u>:T -> (<p,t,1>:ExpSem ∧ <p1,t,u>:ExpSem), (<p,t,0>:ExpSem ∧ <p2,t,u>:ExpSem)
p:Exp, p1:Exp, p2:Exp, t:S, u:B, *[∀w:ExpSemCls]<<p,p1,p2,CndExp>,t,u>:w -> (<p,t,1>:ExpSem ∧ <p1,t,u>:ExpSem), (<p,t,0>:ExpSem ∧ <p2,t,u>:ExpSem)
p:Exp, p1:Exp, p2:Exp, t:S, u:B, *<t,u>:ExpSem[<p,p1,p2,CndExp>] -> (*<t,1>:ExpSem[p] ∧ *<t,u>:ExpSem[p1]), (*<t,0>:ExpSem[p] ∧ *<t,u>:ExpSem[p2])
p:Exp, p1:Exp, p2:Exp, t:S, u:B, <t,u>:ExpSem[<p,p1,p2,CndExp>] -> *<t,u>:{<s,v> | (<s,1>:ExpSem[p] ∧ <s,v>:ExpSem[p1]) ∨ (<s,0>:ExpSem[p] ∧ <s,v>:ExpSem[p2])}

To complete the proof the sequents (c) to (f) must be derived. A derivation of (e) is given next. Derivations of (c) and (d) are trivial and (f) is similar to (e).
.2.1 A derivation of (e): In the following derivation, sequents (i) and (ii) are direct consequences of the identity and ordered pairs rules of section 2.4.4, and sequent (iii) is implied by the definition of ExpSem. Of course, the free occurrences of e, e1, e2, a, a1, a2, s and v are first order parameters.

(i) <e,s,1>:ExpSem, <e1,s,v>:ExpSem, (e=a ∧ e1=a1) -> (<a,s,1>:ExpSem ∧ <a1,s,v>:ExpSem)
(ii) <e,e1,e2,CndExp> = <a,a1,a2,CndExp> -> (e=a ∧ e1=a1)
    cut
<e,s,1>:ExpSem, <e1,s,v>:ExpSem, <e,e1,e2,CndExp> = <a,a1,a2,CndExp> -> (<a,s,1>:ExpSem ∧ <a1,s,v>:ExpSem)
a:Exp, a1:Exp, a2:Exp, <e,s,1>:ExpSem, <e1,s,v>:ExpSem, <e,e1,e2,CndExp> = <a,a1,a2,CndExp> -> *((<a,s,1>:ExpSem ∧ <a1,s,v>:ExpSem) ∨ (<a,s,0>:ExpSem ∧ <a2,s,v>:ExpSem))
<e,s,1>:ExpSem, <e1,s,v>:ExpSem -> *[∀a,a1,a2:Exp]*(<e,e1,e2,CndExp> = <a,a1,a2,CndExp> ⊃ ((<a,s,1>:ExpSem ∧ <a1,s,v>:ExpSem) ∨ (<a,s,0>:ExpSem ∧ <a2,s,v>:ExpSem)))
    thinning
(iii) e:Exp, e1:Exp, e2:Exp, s:S, v:B, <e,s,1>:ExpSem, <e1,s,v>:ExpSem -> <<e,e1,e2,CndExp>,s,v>:ExpSem
    thinning
e:Exp, e1:Exp, e2:Exp, s:S, v:B,
<e,s,1>:ExpSem, [∀a,a1,a2:Exp](e=<a,a1,a2,CndExp> ⊃ ((<a,s,1>:ExpSem ∧ <a1,s,1>:ExpSem) ∨ (<a,s,0>:ExpSem ∧ <a2,s,1>:ExpSem))),
<e1,s,v>:ExpSem, [∀a,a1,a2:Exp](e1=<a,a1,a2,CndExp> ⊃ ((<a,s,1>:ExpSem ∧ <a1,s,v>:ExpSem) ∨ (<a,s,0>:ExpSem ∧ <a2,s,v>:ExpSem)))
-> *(<<e,e1,e2,CndExp>,s,v>:ExpSem ∧ [∀a,a1,a2:Exp](<e,e1,e2,CndExp> = <a,a1,a2,CndExp> ⊃ ((<a,s,1>:ExpSem ∧ <a1,s,v>:ExpSem) ∨ (<a,s,0>:ExpSem ∧ <a2,s,v>:ExpSem))))
e:Exp, e1:Exp, e2:Exp, s:S, v:B, *<e,s,1>:T, *<e1,s,v>:T -> *<<e,e1,e2,CndExp>,s,v>:T
-> *[∀e,e1,e2:Exp]*[∀s:S]*[∀v:B]*( <e,s,1>:T ∧ <e1,s,v>:T ⊃ <<e,e1,e2,CndExp>,s,v>:T )

End of Proof of Lemma 4.2.2.1

APPENDIX E
Proof of Lemma 4.2.3.1

Lemma 4.2.3.1 The following sequents are derivable.
(1) -> [∀t:S] <dummy,t,t>:CmdSem
(2) -> [∀c1,c2:Cmd][∀r,t:S]( <<c1,c2,SeqCmd>,r,t>:CmdSem ≡ [∃s:S]( <c1,r,s>:CmdSem ∧ <c2,s,t>:CmdSem ))
(3) -> [∀e:Exp][∀c1,c2:Cmd][∀r,s:S]( <<e,c1,c2,CndCmd>,r,s>:CmdSem ≡ (<e,r,1>:ExpSem ∧ <c1,r,s>:CmdSem) ∨ (<e,r,0>:ExpSem ∧ <c2,r,s>:CmdSem))
(4) -> [∀e:Exp][∀c:Cmd][∀r,t:S]( <<e,c,WCmd>,r,t>:CmdSem ≡ [∀z:WCls[e,c]] <r,t>:z)
(5) -> [∀e:Exp][∀c:Cmd][∀r,t:S]( <<c,e,RWCmd>,r,t>:CmdSem ≡ [∀z:RWCls[c,e]] <r,t>:z)

Proof of Lemma 4.2.3.1
Only the proof for case (4) is given. The other cases are similar. The proof consists of two parts, each deriving one of the following sequents:
(a) -> [∀e:Exp][∀c:Cmd][∀r,t:S]( [∀z:WCls[e,c]] <r,t>:z ⊃ <<e,c,WCmd>,r,t>:CmdSem )
(b) -> [∀e:Exp][∀c:Cmd][∀r,t:S]( <<e,c,WCmd>,r,t>:CmdSem ⊃ [∀z:WCls[e,c]] <r,t>:z )

.1 A proof for (a):

<<e,c,WCmd>,s,t>:W -> <<e,c,WCmd>,s,t>:W
<<e,c,WCmd>,r,t>:W -> <<e,c,WCmd>,r,t>:W
(<<e,c,WCmd>,s,t>:W ⊃ <<e,c,WCmd>,r,t>:W), <<e,c,WCmd>,s,t>:W -> <<e,c,WCmd>,r,t>:W
<e,r,1>:ExpSem -> <e,r,1>:ExpSem
W:CmdSemCls, <c,r,s>:CmdSem -> <c,r,s>:W
W:CmdSemCls, *(<e,r,1>:ExpSem ∧ <c,r,s>:W ⊃ (<<e,c,WCmd>,s,t>:W ⊃ <<e,c,WCmd>,r,t>:W)), <e,r,1>:ExpSem, <c,r,s>:CmdSem, <<e,c,WCmd>,s,t>:W -> <<e,c,WCmd>,r,t>:W

r:S -> r:S
s:S -> s:S
t:S -> t:S
r:S, s:S, t:S, W:CmdSemCls, *[∀r,s,t:S]( <e,r,1>:ExpSem ∧ <c,r,s>:W ⊃ (<<e,c,WCmd>,s,t>:W ⊃ <<e,c,WCmd>,r,t>:W)), <e,r,1>:ExpSem, <c,r,s>:CmdSem, <<e,c,WCmd>,s,t>:W -> <<e,c,WCmd>,r,t>:W
W:CmdSemCls, [∀r,s,t:S]( <e,r,1>:ExpSem ∧ <c,r,s>:W ⊃ (<<e,c,WCmd>,s,t>:W ⊃ <<e,c,WCmd>,r,t>:W)) -> *[∀r,s,t:S]*( <e,r,1>:ExpSem ∧ <c,r,s>:CmdSem ∧ <<e,c,WCmd>,s,t>:W ⊃ <<e,c,WCmd>,r,t>:W )

[∀r:S]( <e,r,0>:ExpSem ⊃ <<e,c,WCmd>,r,r>:W ) -> [∀r:S]( <e,r,0>:ExpSem ⊃ <<e,c,WCmd>,r,r>:W )
W:CmdSemCls, [∀r:S]( <e,r,0>:ExpSem ⊃ <<e,c,WCmd>,r,r>:W ), [∀r,s,t:S]( <e,r,1>:ExpSem ∧ <c,r,s>:W ⊃ (<<e,c,WCmd>,s,t>:W ⊃ <<e,c,WCmd>,r,t>:W))
-> *([∀r:S]( <e,r,0>:ExpSem ⊃ <<e,c,WCmd>,r,r>:W ) ∧ [∀r,s,t:S]( <e,r,1>:ExpSem ∧ <c,r,s>:CmdSem ∧ <<e,c,WCmd>,s,t>:W ⊃ <<e,c,WCmd>,r,t>:W ))

e:Exp -> e:Exp
c:Cmd -> c:Cmd
e:Exp -> e:Exp
c:Cmd -> c:Cmd
e:Exp, c:Cmd, W:CmdSemCls,
*[∀e:Exp]*[∀c:Cmd][∀r:S]( <e,r,0>:ExpSem ⊃ <<e,c,WCmd>,r,r>:W ),
*[∀e:Exp]*[∀c:Cmd][∀r,s,t:S]( <e,r,1>:ExpSem ∧ <c,r,s>:W ⊃ (<<e,c,WCmd>,s,t>:W ⊃ <<e,c,WCmd>,r,t>:W))
-> *([∀r:S]( <e,r,0>:ExpSem ⊃ <<e,c,WCmd>,r,r>:W ) ∧ [∀r,s,t:S]( <e,r,1>:ExpSem ∧ <c,r,s>:CmdSem ∧ <<e,c,WCmd>,s,t>:W ⊃ <<e,c,WCmd>,r,t>:W ))
e:Exp, c:Cmd, W:CmdSemCls,
[∀e:Exp][∀c:Cmd][∀r:S]( <e,r,0>:ExpSem ⊃ <<e,c,WCmd>,r,r>:W ),
[∀e:Exp][∀c:Cmd][∀r,s,t:S]( <e,r,1>:ExpSem ∧ <c,r,s>:W ⊃ (<<e,c,WCmd>,s,t>:W ⊃ <<e,c,WCmd>,r,t>:W))
-> ([∀r:S]( <e,r,0>:ExpSem ⊃ *<r,r>:{<x,y> | <<e,c,WCmd>,x,y>:W} ) ∧ [∀r,s,t:S]( <e,r,1>:ExpSem ∧ <c,r,s>:CmdSem ∧ *<s,t>:{<x,y> | <<e,c,WCmd>,x,y>:W} ⊃ *<r,t>:{<x,y> | <<e,c,WCmd>,x,y>:W} ))
e:Exp, c:Cmd, *W:CmdSemCls -> *{<x,y> | <<e,c,WCmd>,x,y>:W}:WCls[e,c]

e:Exp, c:Cmd, r:S, t:S, <r,t>:{<x,y> | <<e,c,WCmd>,x,y>:W} -> <<e,c,WCmd>,r,t>:W
e:Exp, c:Cmd, r:S, t:S, W:CmdSemCls, *({<x,y> | <<e,c,WCmd>,x,y>:W}:WCls[e,c] ⊃ <r,t>:{<x,y> | <<e,c,WCmd>,x,y>:W}) -> <<e,c,WCmd>,r,t>:W
e:Exp, c:Cmd, r:S, t:S, *[∀z:WCls[e,c]] <r,t>:z, W:CmdSemCls -> <<e,c,WCmd>,r,t>:W
    thinning
e:Exp, c:Cmd, r:S, t:S, [∀z:WCls[e,c]] <r,t>:z, W:CmdSemCls, [∀s1:S]<dummy,s1,s1>:W -> <<e,c,WCmd>,r,t>:W
e:Exp, c:Cmd, r:S, t:S, [∀z:WCls[e,c]] <r,t>:z -> *[∀w:CmdSemCls]*( [∀s1:S]<dummy,s1,s1>:w ⊃ <<e,c,WCmd>,r,t>:w )
e:Exp, c:Cmd, r:S, t:S, [∀z:WCls[e,c]] <r,t>:z -> *<<e,c,WCmd>,r,t>:CmdSem
-> *[∀e:Exp]*[∀c:Cmd]*[∀r,t:S]*( [∀z:WCls[e,c]] <r,t>:z ⊃ <<e,c,WCmd>,r,t>:CmdSem )

.2 A derivation of (b)

There follows a derivation of (b) from the sequents (c) and (d). In this derivation, the following abbreviation is used:
T for {<x,y,z> | <x,y,z>:CmdSem ∧ (x=<e,c,WCmd> ⊃ <y,z>:W)}
(c) e:Exp, c:Cmd, W:WCls[e,c] -> T:CmdSemCls
(d) e:Exp, c:Cmd, r:S, t:S, ([∀s1:S]<dummy,s1,s1>:T ⊃ <<e,c,WCmd>,r,t>:T) -> <r,t>:W

e:Exp, c:Cmd, r:S, t:S, W:WCls[e,c], *[∀w:CmdSemCls]( [∀s1:S]<dummy,s1,s1>:w ⊃ <<e,c,WCmd>,r,t>:w ) -> <r,t>:W
e:Exp, c:Cmd, r:S, t:S, *<<e,c,WCmd>,r,t>:CmdSem, W:WCls[e,c] -> <r,t>:W
e:Exp, c:Cmd, r:S, t:S, <<e,c,WCmd>,r,t>:CmdSem -> *[∀z:WCls[e,c]] <r,t>:z
-> *[∀e:Exp]*[∀c:Cmd]*[∀r,t:S]*( <<e,c,WCmd>,r,t>:CmdSem ⊃ [∀z:WCls[e,c]] <r,t>:z )

A derivation of sequent (d) is left as an exercise for the reader.

.2.1 A derivation of (c)

Let [T/w]S_i, 1 ≤ i ≤ 7, be the formula obtained by replacing w by T in the i-th conjunct of the definition of CmdSem. Then (c) is obtained from the derivations of
(ci) e:Exp, c:Cmd, W:WCls[e,c] -> [T/w]S_i
for 1 ≤ i ≤ 7. In the following, only the derivations for the cases (c1) and (c5) are given. Case (c4) is similar to (c5), while the remaining cases are similar to (c1).

.2.1.1 A derivation of (c1)

The first sequent in the following derivation is obtained by thinning from the last sequent in section 4.2.1, expressing that the strings <c1,c2,SeqCmd> and <e,c,WCmd> are provably distinct.
e:Exp, c:Cmd, cl:Cmd, c2:Cmd, <cl.c2.SeqCmd> ='<e.c.WCmd> -> e:Exp, c:Cmd, cl:Cmd, c2:Cmd, r:S, t:S -> *(<cl.c2.SeqCmd> =<e,c,WCmd> => <r,t>:W) cl:Cmd, c2:Cmd, r:S, s:S, t:S, <cl,r,s>:CmdSem, <c2,s,t>:CmdSem -> « c 1 .c2.SeqCmd>.r.t>:CmdSem [From defn of CmdSem] e:Exp, c:Cmd, cl:Cmd, c2:Cmd, r:S, s:S, t:S, W:WCls[e,c], <cl,r,s>:CmdSem, (cl=<e,c,WCmd> 3 <r,s>:W) <c2,s,t>:CmdSem, (c2=<e,c,WCmd> 3 <s,t>:W) -* *(«cl.c2.SeqCmd>.r.t>:CmdSem A (<cl.c2.SeqCmd> =<e.c.WCmd> 3 <r.t>:W)V e:Exp, c:Cmd, cl:Cmd, c2:Cmd, r:S, s:S, t:S, W:WCls[e,c], *<cl,r,s>:T, *<c2,s,t>:T -> * « c 1 ,c2.SeqCmd>.r.t>:T e:Exp, c:Cmd, W:WCls[e,c] -> *[Vcl,c2:Cmd]*[Vr,s,t:S]*(<cl,r,s>:T A <c2,s,t>:T 3 <<cl,c2,SeaCmd>,r,t>:T) .2.1.2  A derivation of fc5)  The sequent (c5) can be derived from from sequents (i) and (ii) as following. (i)  el:Exp,cl:Cmd,r:S, s:S,t:S, *W:WCls[el,cl], <e 1 ,r, 1 >:ExpSem, <c 1 ,r,s>:CmdSem, <s,t>:W -> <r,t>:W  (ii)  e:Exp, c:Cmd, el:Exp, cl:Cmd, W:WCls[e,c], <el.cl.WCmd> = <e.c.WCmd> -»W:WCls[el,cl] cut (onW:WCls[el,cl]) e:Exp, c:Cmd, el:Exp, cl:Cmd, r:S, s:S, t:S, W:WCls[e,c], <el,r,l>:ExpSem, <cl,r,s>:CmdSem, <el,cl,WCmd> = <e,c,WCmd>, <s,t>:W -> <r,t>:W  Appendix E: Proof of Lemma 4.2.3.1  166  <el.cl.WCmd> =<e.c.WCmd> -» <el.cl.WCmd> =<e.c.WCmd> e:Exp, c:Cmd, el:Exp, cl:Cmd, r:S, s:S, t:S, W:WCls[e,c], <el,r,l>:ExpSem, <cl,r,s>:CmdSem, *(<el.cl.WCmd> =<e.c.WCmd> 3 <s,t>:W), <el.cl.WCmd> =<e.c.WCmd> -> <r,t>:W e:Exp, c:Cmd, el:Exp, cl:Cmd, r:S, s:S, t:S, W:WCls[e,c], <el,r,l>:ExpSem, <cl,r,s>:CmdSem, (<el.cl.WCmd> =<e.c.WCmd> 3 <s,t>:W) -> * (<el.cl.WCmd> =<e.c.WCmd> 3 <r,t>:W) el:Exp, cl:Cmd, r:S, s:S, t:S, <el,r,l>:ExpSem, <cl,r,s>:CmdSem, « e 1 .c 1 .WCmd>.s.t>:CmdSem -> « e l , c l , W C m d > , r , t > : C m d S e m e:Exp, c:Cmd, el:Exp, cl:Cmd, r:S, s:S, t:S, W:WCls[e,c], <el,r,l>:ExpSem, <cl,r,s>:CmdSem, (cl=<e,c,WCmd> 3 <r,s>:W), « e l , c l , W C m d > , s , t > : C m d S e m , (<el,cl,WCmd> =<e,c,WCmd> 3 <s,t>:W), -> *(<<el,cl,WCmd>,r,t>:CmdSem A 
(<el.cl.WCmd> =<e.c.WCmd> 3 <r,t>:W)) e:Exp, c:Cmd, el:Exp, cl:Cmd, r:S, s:S, t:S, W:WCls[e,c], <el,r,l>:ExpSem, *<cl,r,s>:T,  *<<el,cl,WCmd>,s,t>:T  -» * « e l , c l , W C m d > , r , t > : T e:Exp, c:Cmd, W:WCls[e,c] -> *[Ve:Exp]*[Vc:Cmd]*[Vr,s,t:S]*(<e,r,l>:ExpSem A <c,r,s>:T 3 («e,c.WCmd>.s.t>:T 3 «e,c,WCmd>,r,t>:T) .2.1.2.1  A derivation of (\)  el:Exp, r:S, <el,r,l>:ExpSem -> <el,r,l>:ExpSem cl:Cmd, r:S, s:S, <cl,r,s>:CmdSem -» <cl,r,s>:CmdSem <s,t>:W -> <s,t>:W <r,t>:W - » <r,t>:W el:Exp, cl:Cmd, r:S, s:S, t:S, * (<el,r,l>:ExpSem A <cl,r,s>:CmdSem A <s,t>:W 3 <r,t>:W), <el,r,l>:ExpSem, <c 1 ,r,s>:CmdSem, <s,t>:W -» <r,t>:W r:S -> r:S  Appendix E: Proof of Lemma 4.2.3.1  167.  s:S -> s:S t:S-»t:S el:Exp, cl:Cmd, r:S, s:S, t:S, * [Vr,s,t:S] (<el,r,l>:ExpSem A <cl,r,s>:CmdSem A <s,t>:W => <r,t>:W), <el,r,l>:ExpSem, <cl,r,s>:CmdSem, <s,t>:W -» <r,t>:W el:Exp, cl:Cmd, r:S, s:S, t:S, *W:WCls[el,cl], <el,r,l>:ExpSem, <cl,r,s>:CmdSem, <s,t>:W -» <r,t>:W .2.1.2.1  A derivation of (ii)  c:Cmd, el:Exp, W:WCls[el,c] -»W:WCls[el,c] el:Exp,cl:Cmd, W:WCls[el,cl] -+W:WCls[el,cl] c:Cmd,el:Exp,cl:Cmd, W:WCls[el,c], c=cl ^W:WCls[el,cl] e:Exp, c:Cmd, W:WCls[e,c] -> W:WCls[e,c] e:Exp, c:Cmd, el:Exp, cl:Cmd, W:WCls[e,c], e=el, c=cl ->W:WCls[el,cl] e:Exp, c:Cmd, el:Exp, cl:Cmd, W:WCls[e,c], e l = e ->W:WCls[el,cl] e:Exp, c:Cmd, el:Exp, cl:Cmd, W:WCls[e,c], <el.cl.WCmd> = <e.c.WCmd> -»W:WCls[el,cl] End of Proof of Lemma 4.2.3.1  thinning  Appendix F: Proof of Lemma 5.4.3  APPENDIX F Proof of Lemma 5.4.3  5.4.3. 
Lemma The sentences (1)  [Vg: Asgn[B,»] [Vw,w 1 ,w2:Lterm] (<w,w 1 >: ASubst[g] A <w,w2>:ASubst[g] 3 <wl,w2>:Bw)  (2)  [Vg: Asgn[D,«]] [Vx:Lvar] [Vw,w 1 ,v:Lterm] (~x:Free[w] A <w,wl>:ASubst[g] 3 <w,wl>:ASubst[[[v]/x]g])  (3)  [Vg: Asgn[D,«]] [Vx,y:Lvar] [Vw,u,v,wl ,v 1 ,u 1 :Lterm](~y :Free[w] A [Vu2:Free[w]][Vv2:Lterm](<u2,[v2]>:g 3 ~y:Free[v2]) A <u,x,w,v>:Subst A <v,vl>:ASubst[g] A <w,wl>:ASubst[[[y]/x]g] A <u,ul>:ASubst[g] 3 <ul,y,wl,vl>:Subst)  (4)  [Vg:Asgn[D,«]][Vx,yl,y2:Lvar][Vw,v,u:Lterm](~y 1 :Free[w] A ~yl:Free[w] A <w,v>:ASubst[[[yl]/x]g] A -y2:Free[v] A ~y2:Free[v] A <y2,yl,v,u>:Subst 3 <w,u>:ASubst[[[y2]/x]g]  (5)  [Vg: Asgn[D,«]] [Vx:Lvar] [ Vw,v,w 1 ,v 1 Lterm] [ Va,b:Lterm] (<w,w 1 >: ASubst[g] A <v,vl>:ASubst[g] A <w,v>:Cnv 3 <wl,vl>:Cnv)  are derivable. Proof of Lemma 5.4.3 Only a derivation of the sentence (5) is given. A proofs of the rest are similar to (as well as simpler than) that of (5) and are omitted. Let T for {<w,v> I [Vwl,vl:Lterm](<w,wl>:ASubst[g] A <v,vl>:ASubst[g] 3 <wl,vl>:Z)}. A derivation of (5) follows.  
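Before the derivation, an executable reading of sentences (2) and (3), added here and not part of the thesis: lambda terms as Python dataclasses, with Free, Subst and ASubst[g] implemented under the simplifying assumption that an assignment g picks one representative term per variable (the names Var, Con, Lam, App, subst, asubst, update and the sample terms are constructed for this example). The checks return True on inputs that satisfy the hypotheses of the sentences and False when a hypothesis is violated, which shows why the freshness conditions are needed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Var:            # a variable x:Lvar
    name: str


@dataclass(frozen=True)
class Con:            # a constant [d] naming an element d of D (assumed reading)
    name: str


@dataclass(frozen=True)
class Lam:            # <<lambda,x>,body>
    var: str
    body: object


@dataclass(frozen=True)
class App:            # <fun,arg>
    fun: object
    arg: object


def free(t):
    """Free[t]: the set of free variables of t."""
    if isinstance(t, Var):
        return {t.name}
    if isinstance(t, Con):
        return set()
    if isinstance(t, Lam):
        return free(t.body) - {t.var}
    return free(t.fun) | free(t.arg)


def fresh(avoid):
    """A variable name not in `avoid` (used only for bound-variable renaming)."""
    i = 0
    while f"z{i}" in avoid:
        i += 1
    return f"z{i}"


def subst(u, x, w):
    """The v with <u,x,w,v>:Subst: w with u put for free x, renaming a bound
    variable of w that would capture a free variable of u."""
    if isinstance(w, Var):
        return u if w.name == x else w
    if isinstance(w, Con):
        return w
    if isinstance(w, App):
        return App(subst(u, x, w.fun), subst(u, x, w.arg))
    y, body = w.var, w.body
    if y == x:
        return w
    if y in free(u) and x in free(body):
        z = fresh(free(u) | free(body) | {x})
        body, y = subst(Var(z), y, body), z
    return Lam(y, subst(u, x, body))


def asubst(g, w):
    """The w1 with <w,w1>:ASubst[g]: each free variable x of w is replaced by
    the term g[x] (assumed here to be one representative of the class g assigns)."""
    if isinstance(w, Var):
        return g.get(w.name, w)
    if isinstance(w, Con):
        return w
    if isinstance(w, App):
        return App(asubst(g, w.fun), asubst(g, w.arg))
    y, body = w.var, w.body
    g2 = {k: t for k, t in g.items() if k != y and k in free(body)}
    captured = set().union(*(free(t) for t in g2.values()))
    if y in captured:                      # never capture a variable of an image
        z = fresh(captured | free(body))
        body, y = subst(Var(z), y, body), z
    return Lam(y, asubst(g2, body))


def update(g, x, t):
    """[t/x]g: the assignment g with x reassigned to t."""
    return {**g, x: t}


def sentence_2_holds(g, x, v, w):
    """Sentence (2): with ~x:Free[w], ASubst[g] and ASubst[[v/x]g] agree on w.
    Structural equality suffices here because no renaming is triggered."""
    return asubst(g, w) == asubst(update(g, x, v), w)


def sentence_3_holds(g, x, y, w, u):
    """Sentence (3): compute v, v1, w1, u1 from the hypotheses and check the
    conclusion <u1,y,w1,v1>:Subst, i.e. putting u1 for y in w1 gives v1."""
    v = subst(u, x, w)                       # <u,x,w,v>:Subst
    v1 = asubst(g, v)                        # <v,v1>:ASubst[g]
    w1 = asubst(update(g, x, Var(y)), w)     # <w,w1>:ASubst[[[y]/x]g]
    u1 = asubst(g, u)                        # <u,u1>:ASubst[g]
    return subst(u1, y, w1) == v1


# Constructed sample data (not from the thesis).
G = {"a": Con("A"), "b": Con("B"), "f": Con("F"), "x": Con("X")}
W_CLOSED_IN_X = Lam("x", App(Var("x"), Var("a")))             # x not free: (2) applies
W_OPEN_IN_X = App(Var("x"), Var("a"))                          # x free: (2) fails
W3 = App(Lam("z", App(Var("x"), Var("z"))), Var("a"))          # y not free in W3
U3 = App(Var("f"), Var("b"))
G_BAD = {**G, "a": Var("y")}                                   # y free in g[a]: (3) fails
```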
w:Lterm, v:Lterm, w1:Lterm, v1:Lterm, <w,w1>:ASubst[g], <v,v1>:ASubst[g], <w,v>:{<w,v> | [∀w1,v1:Lterm](<w,w1>:ASubst[g] ∧ <v,v1>:ASubst[g] ⊃ <w1,v1>:Z)} -> <w1,v1>:Z
w:Lterm, v:Lterm, w1:Lterm, v1:Lterm, <w,w1>:ASubst[g], <v,v1>:ASubst[g], *<w,v>:T -> <w1,v1>:Z
(a)  g:Asgn[D,=], Z:CnvCls -> T:CnvCls
g:Asgn[D,=], w:Lterm, v:Lterm, w1:Lterm, v1:Lterm, Z:CnvCls, <w,w1>:ASubst[g], <v,v1>:ASubst[g], *[∀z:CnvCls]<w,v>:z -> <w1,v1>:Z
g:Asgn[D,=], w:Lterm, v:Lterm, w1:Lterm, v1:Lterm, <w,w1>:ASubst[g], <v,v1>:ASubst[g], [∀z:CnvCls]<w,v>:z -> *[∀z:CnvCls]<w1,v1>:z
g:Asgn[D,=], w:Lterm, v:Lterm, w1:Lterm, v1:Lterm, <w,w1>:ASubst[g], <v,v1>:ASubst[g], *<w,v>:Cnv -> *<w1,v1>:Cnv
g:Asgn[D,=], w:Lterm, v:Lterm, w1:Lterm, v1:Lterm -> *(<w,w1>:ASubst[g] ∧ <v,v1>:ASubst[g] ∧ <w,v>:Cnv ⊃ <w1,v1>:Cnv)
-> *[∀g:Asgn[D,=]][∀w,v,w1,v1:Lterm](<w,w1>:ASubst[g] ∧ <v,v1>:ASubst[g] ∧ <w,v>:Cnv ⊃ <w1,v1>:Cnv)

To complete the proof, a derivation of the sequent (a) used in the previous derivation is provided in the sequel. To show that the term T is Cnv-closed, it is sufficient to show that T satisfies the clauses of the definition of CnvCls. More specifically, it is necessary to show that for every i, 1≤i≤9, the sequent
g:Asgn[D,=], Z:CnvCls -> [T/z]CnvCls_i
is derivable, where [T/z]CnvCls_i is the sentence obtained by replacing z by T in the i-th sentence of the CnvCls definition. Derivations for the cases i=1, i=5 and i=8 are provided; the rest are similar and therefore are omitted.

Case i=1:  In this derivation, sequent (i) is a direct consequence of lemma 5.2.1 while (ii) is a consequence of this lemma.

<w1,v1>:Z -> <w1,v1>:Z
Z:CnvCls -> Z:CnvCls
Z:CnvCls, *[∀z:CnvCls] <w1,v1>:z -> <w1,v1>:Z
Z:CnvCls, *<w1,v1>:Cnv -> <w1,v1>:Z
(i)  w1:Lterm, v1:Lterm, <w1,v1>:Bw -> <w1,v1>:Cnv
cut
w1:Lterm, v1:Lterm, Z:CnvCls, <w1,v1>:Bw -> <w1,v1>:Z
(ii)  g:Asgn[D,=], w:Lterm, w1:Lterm, v1:Lterm, <w,w1>:ASubst[g], <w,v1>:ASubst[g] -> <w1,v1>:Bw
cut
g:Asgn[D,=], w:Lterm, w1:Lterm, v1:Lterm, Z:CnvCls, <w,w1>:ASubst[g], <w,v1>:ASubst[g] -> <w1,v1>:Z
g:Asgn[D,=], w:Lterm, w1:Lterm, v1:Lterm, Z:CnvCls -> *(<w,w1>:ASubst[g] ∧ <w,v1>:ASubst[g] ⊃ <w1,v1>:Z)
g:Asgn[D,=], w:Lterm, Z:CnvCls -> *[∀w1,v1:Lterm](<w,w1>:ASubst[g] ∧ <w,v1>:ASubst[g] ⊃ <w1,v1>:Z)
g:Asgn[D,=], w:Lterm, Z:CnvCls -> *<w,w>:{<w,v> | [∀w1,v1:Lterm](<w,w1>:ASubst[g] ∧ <v,v1>:ASubst[g] ⊃ <w1,v1>:Z)}
g:Asgn[D,=], w:Lterm, Z:CnvCls -> *<w,w>:T
g:Asgn[D,=], Z:CnvCls -> *[∀w:Lterm]<w,w>:T

Case i=5:  Sequent (b) in the following derivation is a direct consequence of the sentence (2) of this lemma.

<u2,y,w2,v1>:Subst -> <u2,y,w2,v1>:Subst
<<<<λ,y>,w2>,u2>,v1>:Z -> <<<<λ,y>,w2>,u2>,v1>:Z
*(<u2,y,w2,v1>:Subst ⊃ <<<<λ,y>,w2>,u2>,v1>:Z), <u2,y,w2,v1>:Subst -> <<<<λ,y>,w2>,u2>,v1>:Z
w2:Lterm -> w2:Lterm
u2:Lterm -> u2:Lterm
v1:Lterm -> v1:Lterm
y:Lvar -> y:Lvar
v1:Lterm, y:Lvar, w2:Lterm, u2:Lterm, *[∀w,u,v:Lterm]*[∀x:Lvar](<u,x,w,v>:Subst ⊃ <<<<λ,x>,w>,u>,v>:Z), <u2,y,w2,v1>:Subst -> <<<<λ,y>,w2>,u2>,v1>:Z
thinning
v1:Lterm, y:Lvar, w2:Lterm, u2:Lterm, *Z:CnvCls, <u2,y,w2,v1>:Subst -> <<<<λ,y>,w2>,u2>,v1>:Z
(b)  g:Asgn[D,=], w:Lterm, u:Lterm, v:Lterm, x:Lvar, v1:Lterm, y:Lvar, w2:Lterm, u2:Lterm, ~y:Free[w], [∀u:Free[w]][∀v:Lterm](<u,[v]>:g ⊃ ~y:Free[v]), <u,x,w,v>:Subst, <v,v1>:ASubst[g], <w,w2>:ASubst[[[y]/x]g], <u,u2>:ASubst[g] -> <u2,y,w2,v1>:Subst
cut
g:Asgn[D,=], Z:CnvCls, w:Lterm, u:Lterm, v:Lterm, x:Lvar, v1:Lterm, y:Lvar, w2:Lterm, u2:Lterm, ~y:Free[w], <u,x,w,v>:Subst, <v,v1>:ASubst[g], [∀u:Free[w]][∀v:Lterm](<u,[v]>:g ⊃ ~y:Free[v]), <w,w2>:ASubst[[[y]/x]g], <u,u2>:ASubst[g] -> <<<<λ,y>,w2>,u2>,v1>:Z
w1=<<<λ,y>,w2>,u2>, <<<<λ,y>,w2>,u2>,v1>:Z -> <w1,v1>:Z
cut
g:Asgn[D,=], Z:CnvCls, w:Lterm, u:Lterm, v:Lterm, x:Lvar, w1:Lterm, v1:Lterm, y:Lvar, w2:Lterm, u2:Lterm, ~y:Free[w], <u,x,w,v>:Subst, <v,v1>:ASubst[g], [∀u:Free[w]][∀v:Lterm](<u,[v]>:g ⊃ ~y:Free[v]), <w,w2>:ASubst[[[y]/x]g], <u,u2>:ASubst[g], w1=<<<λ,y>,w2>,u2> -> <w1,v1>:Z
g:Asgn[D,=], Z:CnvCls, w:Lterm, u:Lterm, v:Lterm, x:Lvar, w1:Lterm, v1:Lterm, <u,x,w,v>:Subst, <v,v1>:ASubst[g], *[∃y:Lvar]*[∃w2,u2:Lterm]*(~y:Free[w] ∧ [∀u:Free[w]][∀v:Lterm](<u,[v]>:g ⊃ ~y:Free[v]) ∧ <w,w2>:ASubst[[[y]/x]g] ∧ <u,u2>:ASubst[g] ∧ w1=<<<λ,y>,w2>,u2>) -> <w1,v1>:Z
using lemma 5.4.2
g:Asgn[D,=], Z:CnvCls, w:Lterm, u:Lterm, v:Lterm, x:Lvar, w1:Lterm, v1:Lterm, <u,x,w,v>:Subst, <v,v1>:ASubst[g], *<<<<λ,x>,w>,u>,w1>:ASubst[g] -> <w1,v1>:Z
g:Asgn[D,=], Z:CnvCls, w:Lterm, u:Lterm, v:Lterm, x:Lvar, w1:Lterm, v1:Lterm, <u,x,w,v>:Subst -> *(<<<<λ,x>,w>,u>,w1>:ASubst[g] ∧ <v,v1>:ASubst[g] ⊃ <w1,v1>:Z)
g:Asgn[D,=], Z:CnvCls, w:Lterm, u:Lterm, v:Lterm, x:Lvar, <u,x,w,v>:Subst -> *[∀w1,v1:Lterm](<<<<λ,x>,w>,u>,w1>:ASubst[g] ∧ <v,v1>:ASubst[g] ⊃ <w1,v1>:Z)
g:Asgn[D,=], Z:CnvCls, w:Lterm, u:Lterm, v:Lterm, x:Lvar, <u,x,w,v>:Subst -> *<<<<λ,x>,w>,u>,v>:{<w,v> | [∀w1,v1:Lterm](<w,w1>:ASubst[g] ∧ <v,v1>:ASubst[g] ⊃ <w1,v1>:Z)}
g:Asgn[D,=], Z:CnvCls, w:Lterm, u:Lterm, v:Lterm, x:Lvar, <u,x,w,v>:Subst -> *<<<<λ,x>,w>,u>,v>:T
g:Asgn[D,=], Z:CnvCls -> *[∀w,u,v:Lterm]*[∀x:Lvar]*(<u,x,w,v>:Subst ⊃ <<<<λ,x>,w>,u>,v>:T)

Case i=8:  In the following derivation, sequents (i) and (ii) are direct consequences of the definition of Cnv and lemma 5.2.1.

<<w1,u1>,<w1,v1>>:Z -> <<w1,u1>,<w1,v1>>:Z
<<w1,v1>,<w2,v1>>:Z -> <<w1,v1>,<w2,v1>>:Z
<<w1,u1>,<w2,v1>>:Z -> <<w1,u1>,<w2,v1>>:Z
*(<<w1,u1>,<w1,v1>>:Z ∧ <<w1,v1>,<w2,v1>>:Z ⊃ <<w1,u1>,<w2,v1>>:Z), <<w1,v1>,<w2,v1>>:Z, <<w1,u1>,<w1,v1>>:Z -> <<w1,u1>,<w2,v1>>:Z
w1:Lterm, u1:Lterm -> <w1,u1>:Lterm
w1:Lterm, v1:Lterm -> <w1,v1>:Lterm
w2:Lterm, v1:Lterm -> <w2,v1>:Lterm
w1:Lterm, u1:Lterm, w2:Lterm, v1:Lterm, *[∀w,u,v:Lterm](<w,u>:Z ∧ <u,v>:Z ⊃ <w,v>:Z), <<w1,v1>,<w2,v1>>:Z, <<w1,u1>,<w1,v1>>:Z -> <<w1,u1>,<w2,v1>>:Z
<<w1,v1>,<w2,v1>>:Z -> <<w1,v1>,<w2,v1>>:Z
w1:Lterm, u1:Lterm, w2:Lterm, v1:Lterm, [∀w,u,v:Lterm](<w,u>:Z ∧ <u,v>:Z ⊃ <w,v>:Z), *(<w1,w2>:Z ⊃ <<w1,v1>,<w2,v1>>:Z), <<w1,u1>,<w1,v1>>:Z, <w1,w2>:Z -> <<w1,u1>,<w2,v1>>:Z
w1:Lterm -> w1:Lterm
w2:Lterm -> w2:Lterm
v1:Lterm -> v1:Lterm
w1:Lterm, u1:Lterm, w2:Lterm, v1:Lterm, [∀w,u,v:Lterm](<w,u>:Z ∧ <u,v>:Z ⊃ <w,v>:Z), *[∀w,u,v:Lterm](<w,u>:Z ⊃ <<w,v>,<u,v>>:Z), <<w1,u1>,<w1,v1>>:Z, <w1,w2>:Z -> <<w1,u1>,<w2,v1>>:Z
thinning
w1:Lterm, u1:Lterm, w2:Lterm, v1:Lterm, *Z:CnvCls, <<w1,u1>,<w1,v1>>:Z, <w1,w2>:Z -> <<w1,u1>,<w2,v1>>:Z
(i)  w1:Lterm, w2:Lterm, Z:CnvCls, <w1,w2>:Bw -> <w1,w2>:Z
cut
w1:Lterm, u1:Lterm, w2:Lterm, v1:Lterm, Z:CnvCls, <w1,w2>:Bw, <<w1,u1>,<w1,v1>>:Z -> <<w1,u1>,<w2,v1>>:Z
(ii)  w1:Lterm, u1:Lterm, v1:Lterm, *Z:CnvCls, <u1,v1>:Z -> <<w1,u1>,<w1,v1>>:Z
cut
w1:Lterm, u1:Lterm, w2:Lterm, v1:Lterm, Z:CnvCls, <u1,v1>:Z, <w1,w2>:Bw -> <<w1,u1>,<w2,v1>>:Z
<u,u1>:ASubst[g] -> <u,u1>:ASubst[g]
<v,v1>:AS​ubst[g] -> <v,v1>:ASubst[g]
thinning
g:Asgn[D,=], u:Lterm, v:Lterm, w1:Lterm, u1:Lterm, w2:Lterm, v1:Lterm, Z:CnvCls, *(<u,u1>:ASubst[g] ∧ <v,v1>:ASubst[g] ⊃ <u1,v1>:Z), <u,u1>:ASubst[g], <v,v1>:ASubst[g], <w1,w2>:Bw -> <<w1,u1>,<w2,v1>>:Z
u1:Lterm -> u1:Lterm
v1:Lterm -> v1:Lterm
g:Asgn[D,=], u:Lterm, v:Lterm, w1:Lterm, u1:Lterm, w2:Lterm, v1:Lterm, Z:CnvCls, *[∀u1,v1:Lterm](<u,u1>:ASubst[g] ∧ <v,v1>:ASubst[g] ⊃ <u1,v1>:Z), <u,u1>:ASubst[g], <v,v1>:ASubst[g], <w1,w2>:Bw -> <<w1,u1>,<w2,v1>>:Z
g:Asgn[D,=], w:Lterm, w1:Lterm, w2:Lterm, <w,w1>:ASubst[g], <w,w2>:ASubst[g] -> <w1,w2>:Bw
cut
g:Asgn[D,=], w:Lterm, u:Lterm, v:Lterm, w1:Lterm, u1:Lterm, w2:Lterm, v1:Lterm, Z:CnvCls, [∀u1,v1:Lterm](<u,u1>:ASubst[g] ∧ <v,v1>:ASubst[g] ⊃ <u1,v1>:Z), <w,w1>:ASubst[g], <u,u1>:ASubst[g], <w,w2>:ASubst[g], <v,v1>:ASubst[g] -> <<w1,u1>,<w2,v1>>:Z
s=<w1,u1>, t=<w2,v1>, <<w1,u1>,<w2,v1>>:Z -> <s,t>:Z
cut, thinning
g:Asgn[D,=], w:Lterm, u:Lterm, v:Lterm, s:Lterm, t:Lterm, w1:Lterm, u1:Lterm, w2:Lterm, v1:Lterm, Z:CnvCls, [∀u1,v1:Lterm](<u,u1>:ASubst[g] ∧ <v,v1>:ASubst[g] ⊃ <u1,v1>:Z), <w,w1>:ASubst[g], <u,u1>:ASubst[g], s=<w1,u1>, <w,w2>:ASubst[g], <v,v1>:ASubst[g], t=<w2,v1> -> <s,t>:Z
g:Asgn[D,=], w:Lterm, u:Lterm, v:Lterm, s:Lterm, t:Lterm, Z:CnvCls, [∀u1,v1:Lterm](<u,u1>:ASubst[g] ∧ <v,v1>:ASubst[g] ⊃ <u1,v1>:Z), *[∃w1,u1:Lterm]*(<w,w1>:ASubst[g] ∧ <u,u1>:ASubst[g] ∧ s=<w1,u1>), *[∃w2,v1:Lterm]*(<w,w2>:ASubst[g] ∧ <v,v1>:ASubst[g] ∧ t=<w2,v1>) -> <s,t>:Z
using lemma 5.4.2
g:Asgn[D,=], w:Lterm, u:Lterm, v:Lterm, s:Lterm, t:Lterm, Z:CnvCls, [∀u1,v1:Lterm](<u,u1>:ASubst[g] ∧ <v,v1>:ASubst[g] ⊃ <u1,v1>:Z), *<<w,u>,s>:ASubst[g], *<<w,v>,t>:ASubst[g] -> <s,t>:Z
g:Asgn[D,=], w:Lterm, u:Lterm, v:Lterm, Z:CnvCls, [∀u1,v1:Lterm](<u,u1>:ASubst[g] ∧ <v,v1>:ASubst[g] ⊃ <u1,v1>:Z) -> *[∀s,t:Lterm]*(<<w,u>,s>:ASubst[g] ∧ <<w,v>,t>:ASubst[g] ⊃ <s,t>:Z)
g:Asgn[D,=], w:Lterm, u:Lterm, v:Lterm, Z:CnvCls, *<u,v>:T -> *<<w,u>,<w,v>>:T
g:Asgn[D,=], Z:CnvCls -> *[∀w,u,v:Lterm]*(<u,v>:T ⊃ <<w,u>,<w,v>>:T)

End of proof of lemma 5.4.3

APPENDIX G
Proof of Theorem 5.4.4

5.4.4. Theorem  The sequent -> <D,=,°,Γ>:λModel is derivable.
Proof of Theorem 5.4.4  Let LIAxiom_i[D,=,°,Γ,g], 1≤i≤17, be the i-th sentence in the definition of the λ-interpretation. It is sufficient to show that for each i, 1≤i≤17, the sequent
g:Asgn[D,=] -> LIAxiom_i[D,=,°,Γ]
where g is a second order parameter, is derivable. Only the cases for i=9, 11, 13, 17 shall be presented. The other cases are either similar to or simpler than these and are omitted.

Case i=9.  The first sequent in the following derivation is a direct consequence of lemma 5.2.1.

a:Lterm, b:Lterm, d:Lterm, w:Lterm, <<a,b>,d>:Cnv, <w,<a,b>>:Cnv -> <w,d>:Cnv
*[a]:D, *[b]:D, *[d]:D, w:Lterm, <<a,b>,d>:Cnv, w:[<a,b>] -> w:[d]
[a]:D, [b]:D, [d]:D, w:Lterm, <<a,b>,d>:Cnv, w:[d] -> w:[<a,b>]   similarly
[a]:D, [b]:D, [d]:D, w:Lterm, <<a,b>,d>:Cnv -> *(w:[<a,b>] ≡ w:[d])
[a]:D, [b]:D, [d]:D, <<a,b>,d>:Cnv -> *[∀w:Lterm](w:[<a,b>] ≡ w:[d])
[a]:D, [b]:D, [d]:D, *<[a],[b],[d]>:° -> *[<a,b>]=[d]
[a]:D, [b]:D, [d]:D -> *(<[a],[b],[d]>:° ⊃ [<a,b>]=[d])
[a]:D, [b]:D -> *[∀d:D](<[a],[b],d>:° ⊃ [<a,b>]=d)
[a]:D, [b]:D -> <[a],[b],[<a,b>]>:°
[a]:D, [b]:D -> *(<[a],[b],[<a,b>]>:° ∧ [∀d:D](<[a],[b],d>:° ⊃ [<a,b>]=d))
[a]:D, [b]:D -> [<a,b>]:D
[a]:D, [b]:D -> *[∃c:D](<[a],[b],c>:° ∧ [∀d:D](<[a],[b],d>:° ⊃ c=d))
-> *[∀a,b:D][∃c:D](<a,b,c>:° ∧ [∀d:D](<a,b,d>:° ⊃ c=d))

Case i=11.  In this derivation, sequent (i) is implied by lemma 5.2.1 and sequent (ii) is a direct consequence of lemma 5.4.2.

(i)  a:Lterm, b:Lterm, d:Lterm, <b,d>:Cnv, <a,d>:Cnv -> <a,b>:Cnv
*[a]:D, *[b]:D, *[d]:D, *[b]=[d], *[a]=[d] -> *[a]=[b]
<x,[b]>:g -> <x,[b]>:g
[a]:D, [b]:D, [d]:D, <x,[d]>:g, *(<x,[b]>:g ⊃ [b]=[d]), [a]=[d], <x,[b]>:g -> [a]=[b]
[b]:D -> [b]:D
[a]:D, [b]:D, [d]:D, <x,[d]>:g, *[∀d1:D](<x,d1>:g ⊃ d1=[d]), [a]=[d], <x,[b]>:g -> [a]=[b]
<x,[a]>:g -> <x,[a]>:g
[a]:D, [b]:D, [d]:D, <x,[d]>:g, [∀d1:D](<x,d1>:g ⊃ d1=[d]), *(<x,[a]>:g ⊃ [a]=[d]), <x,[a]>:g, <x,[b]>:g -> [a]=[b]
[a]:D -> [a]:D
thinning
[a]:D, [b]:D, [d]:D, <x,[d]>:g, *[∀d1:D](<x,d1>:g ⊃ d1=[d]), <x,[a]>:g, <x,[b]>:g -> [a]=[b]
[a]:D, [b]:D, *[∃d:D]*(<x,d>:g ∧ [∀d1:D](<x,d1>:g ⊃ d1=d)), <x,[a]>:g, <x,[b]>:g -> [a]=[b]
x:Lvar -> x:Lvar
x:Lvar, [a]:D, [b]:D, *[∀x:Lvar][∃d:D](<x,d>:g ∧ [∀d1:D](<x,d1>:g ⊃ d1=d)), <x,[a]>:g, <x,[b]>:g -> [a]=[b]
*g:Asgn[D,=], x:Lvar, [a]:D, [b]:D, <x,[a]>:g, <x,[b]>:g -> [a]=[b]
(ii)  g:Asgn[D,=], x:Lvar, [b]:D, <x,b>:ASubst[g] -> <x,[b]>:g
cut
g:Asgn[D,=], x:Lvar, [a]:D, [b]:D, <x,[a]>:g, <x,b>:ASubst[g] -> [a]=[b]
g:Asgn[D,=], x:Lvar, [a]:D, [b]:D, <x,[a]>:g, *<x,[b]>:Γ[g] -> [a]=[b]
g:Asgn[D,=], x:Lvar, [a]:D, [b]:D -> *(<x,[a]>:g ∧ <x,[b]>:Γ[g] ⊃ [a]=[b])
g:Asgn[D,=] -> *[∀x:Lvar]*[∀a,b:D](<x,a>:g ∧ <x,b>:Γ[g] ⊃ a=b)

Case i=13.  The sequents (i) and (ii) in the following derivation are direct consequences of lemma 5.4.3.

(i)  g:Asgn[D,=], w:Lterm, x:Lvar, a:Lterm, b:Lterm, c:Lterm, <w,c>:ASubst[[[b]/x]g], <<<<λ,x>,w>,x>,<a,b>>:ASubst[[[b]/x]g], <<<<λ,x>,w>,x>,w>:Cnv -> <<a,b>,c>:Cnv
w:Lterm, x:Lvar -> <<<<λ,x>,w>,x>,w>:Cnv
cut
g:Asgn[D,=], w:Lterm, x:Lvar, a:Lterm, b:Lterm, c:Lterm, <w,c>:ASubst[[[b]/x]g], <<<<λ,x>,w>,x>,<a,b>>:ASubst[[[b]/x]g] -> <<a,b>,c>:Cnv
(ii)  g:Asgn[D,=], w:Lterm, x:Lvar, a:Lterm, b:Lterm, <<<λ,x>,w>,a>:ASubst[g] -> <<<<λ,x>,w>,x>,<a,b>>:ASubst[[[b]/x]g]
cut
g:Asgn[D,=], w:Lterm, x:Lvar, a:Lterm, b:Lterm, c:Lterm, <<<λ,x>,w>,a>:ASubst[g], <w,c>:ASubst[[[b]/x]g] -> <<a,b>,c>:Cnv
g:Asgn[D,=], w:Lterm, x:Lvar, a:Lterm, b:Lterm, c:Lterm, *<<<λ,x>,w>,[a]>:Γ[g], *<w,[c]>:Γ[[[b]/x]g] -> *<[a],[b],[c]>:°
g:Asgn[D,=], w:Lterm, x:Lvar, *[a]:D, *[b]:D, *[c]:D -> *(<<<λ,x>,w>,[a]>:Γ[g] ∧ <w,[c]>:Γ[[[b]/x]g] ⊃ <[a],[b],[c]>:°)
g:Asgn[D,=] -> *[∀w:Lterm]*[∀x:Lvar]*[∀a,b,c:D](<<<λ,x>,w>,a>:Γ[g] ∧ <w,c>:Γ[[b/x]g] ⊃ <a,b,c>:°)

Case i=17.  In the next derivation, sequent (i) is a consequence of lemma 5.2.1, sequents (ii) and (iii) are implied by theorem 5.1.4.2 and sequents (iv) and (v) are consequences of lemma 5.4.3.

(i)  y1:Lvar, y2:Lvar, y3:Lvar, w1:Lterm, w2:Lterm, v1:Lterm, v2:Lterm, u1:Lterm, u2:Lterm, <<<λ,y3>,u1>,<<λ,y3>,u2>>:Cnv, <<<λ,y1>,v1>,<<λ,y3>,u1>>:Bw, <<<λ,y2>,v2>,<<λ,y3>,u2>>:Bw -> <<<λ,y1>,v1>,<<λ,y2>,v2>>:Cnv
(ii)  y2:Lvar, y3:Lvar, v2:Lterm, u2:Lterm, ~y3:Free[v2], <y3,y2,v2,u2>:Subst -> <<<λ,y2>,v2>,<<λ,y3>,u2>>:Bw
cut
y1:Lvar, y2:Lvar, y3:Lvar, w1:Lterm, w2:Lterm, v1:Lterm, v2:Lterm, u1:Lterm, u2:Lterm, ~y3:Free[v2], <y3,y2,v2,u2>:Subst, <<<λ,y3>,u1>,<<λ,y3>,u2>>:Cnv, <<<λ,y1>,v1>,<<λ,y3>,u1>>:Bw -> <<<λ,y1>,v1>,<<λ,y2>,v2>>:Cnv
(iii)  y1:Lvar, y3:Lvar, v1:Lterm, u1:Lterm, ~y3:Free[v1], <y3,y1,v1,u1>:Subst -> <<<λ,y1>,v1>,<<λ,y3>,u1>>:Bw
cut
y1:Lvar, y2:Lvar, y3:Lvar, w1:Lterm, w2:Lterm, v1:Lterm, v2:Lterm, u1:Lterm, u2:Lterm, ~y3:Free[v1], <y3,y1,v1,u1>:Subst, ~y3:Free[v2], <y3,y2,v2,u2>:Subst, <<<λ,y3>,u1>,<<λ,y3>,u2>>:Cnv -> <<<λ,y1>,v1>,<<λ,y2>,v2>>:Cnv
y3:Lvar, u1:Lterm, u2:Lterm, <u1,u2>:Cnv -> <<<λ,y3>,u1>,<<λ,y3>,u2>>:Cnv
cut
y1:Lvar, y2:Lvar, y3:Lvar, w1:Lterm, w2:Lterm, v1:Lterm, v2:Lterm, u1:Lterm, u2:Lterm, ~y3:Free[v1], <y3,y1,v1,u1>:Subst, ~y3:Free[v2], <y3,y2,v2,u2>:Subst, <u1,u2>:Cnv -> <<<λ,y1>,v1>,<<λ,y2>,v2>>:Cnv
y1:Lvar, y2:Lvar, y3:Lvar, w1:Lterm, w2:Lterm, v1:Lterm, v2:Lterm, u1:Lterm, u2:Lterm, ~y3:Free[v1], <y3,y1,v1,u1>:Subst, ~y3:Free[v2], <y3,y2,v2,u2>:Subst, *[u1]=[u2] -> <<<λ,y1>,v1>,<<λ,y2>,v2>>:Cnv
g:Asgn[D,=], x:Lvar, y3:Lvar, w1:Lterm, u1:Lterm, <w1,u1>:ASubst[[[y3]/x]g] -> <w1,[u1]>:Γ[[[y3]/x]g]
g:Asgn[D,=], x:Lvar, y3:Lvar, w2:Lterm, u2:Lterm, <w2,u2>:ASubst[[[y3]/x]g] -> <w2,[u2]>:Γ[[[y3]/x]g]
g:Asgn[D,=], x:Lvar, y1:Lvar, y2:Lvar, y3:Lvar, w1:Lterm, w2:Lterm, v1:Lterm, v2:Lterm, u1:Lterm, u2:Lterm, *(<w1,[u1]>:Γ[[[y3]/x]g] ∧ <w2,[u2]>:Γ[[[y3]/x]g] ⊃ [u1]=[u2]), ~y3:Free[v1], <y3,y1,v1,u1>:Subst, ~y3:Free[v2], <y3,y2,v2,u2>:Subst, <w1,u1>:ASubst[[[y3]/x]g], <w2,u2>:ASubst[[[y3]/x]g] -> <<<λ,y1>,v1>,<<λ,y2>,v2>>:Cnv
u1:Lterm -> [u1]:D
u2:Lterm -> [u2]:D
y3:Lterm -> [y3]:D
g:Asgn[D,=], x:Lvar, y1:Lvar, y2:Lvar, y3:Lvar, w1:Lterm, w2:Lterm, v1:Lterm, v2:Lterm, u1:Lterm, u2:Lterm, *[∀a1,a2,d:D](<w1,a1>:Γ[[d/x]g] ∧ <w2,a2>:Γ[[d/x]g] ⊃ a1=a2), ~y3:Free[v1], <y3,y1,v1,u1>:Subst, ~y3:Free[v2], <y3,y2,v2,u2>:Subst, <w1,u1>:ASubst[[[y3]/x]g], <w2,u2>:ASubst[[[y3]/x]g] -> <<<λ,y1>,v1>,<<λ,y2>,v2>>:Cnv
(iv)  g:Asgn[D,=], x:Lvar, y2:Lvar, y3:Lvar, w2:Lterm, v2:Lterm, u2:Lterm, ~y2:Free[w2], [∀u:Free[w2]][∀v:Lterm](<u,[v]>:g ⊃ ~y2:Free[v]), <w2,v2>:ASubst[[[y2]/x]g], ~y3:Free[w2], ~y3:Free[v2], <y3,y2,v2,u2>:Subst -> <w2,u2>:ASubst[[[y3]/x]g]
cut
g:Asgn[D,=], x:Lvar, y1:Lvar, y2:Lvar, y3:Lvar, w1:Lterm, w2:Lterm, v1:Lterm, v2:Lterm, u1:Lterm, u2:Lterm, [∀a1,a2,d:D](<w1,a1>:Γ[[d/x]g] ∧ <w2,a2>:Γ[[d/x]g] ⊃ a1=a2), ~y2:Free[w2], [∀u:Free[w2]][∀v:Lterm](<u,[v]>:g ⊃ ~y2:Free[v]), ~y3:Free[v1], <y3,y1,v1,u1>:Subst, <w2,v2>:ASubst[[[y2]/x]g], ~y3:Free[w2], ~y3:Free[v2], <y3,y2,v2,u2>:Subst, <w1,u1>:ASubst[[[y3]/x]g] -> <<<λ,y1>,v1>,<<λ,y2>,v2>>:Cnv
(v)  g:Asgn[D,=], x:Lvar, y1:Lvar, y3:Lvar, w1:Lterm, v1:Lterm, u1:Lterm, ~y1:Free[w1], [∀u:Free[w1]][∀v:Lterm](<u,[v]>:g ⊃ ~y1:Free[v]), <w1,v1>:ASubst[[[y1]/x]g], ~y3:Free[w1], ~y3:Free[v1], <y3,y1,v1,u1>:Subst -> <w1,u1>:ASubst[[[y3]/x]g]
cut
g:Asgn[D,=], x:Lvar, y1:Lvar, y2:Lvar, y3:Lvar, w1:Lterm, w2:Lterm, v1:Lterm, v2:Lterm, u1:Lterm, u2:Lterm, [∀a1,a2,d:D](<w1,a1>:Γ[[d/x]g] ∧ <w2,a2>:Γ[[d/x]g] ⊃ a1=a2), ~y1:Free[w1], [∀u:Free[w1]][∀v:Lterm](<u,[v]>:g ⊃ ~y1:Free[v]), ~y2:Free[w2], [∀u:Free[w2]][∀v:Lterm](<u,[v]>:g ⊃ ~y2:Free[v]), <w1,v1>:ASubst[[[y1]/x]g], <w2,v2>:ASubst[[[y2]/x]g], ~y3:Free[w1], ~y3:Free[v1], <y3,y1,v1,u1>:Subst, ~y3:Free[w2], ~y3:Free[v2], <y3,y2,v2,u2>:Subst -> <<<λ,y1>,v1>,<<λ,y2>,v2>>:Cnv
g:Asgn[D,=], x:Lvar, w1:Lterm, w2:Lterm, y1:Lvar, v1:Lterm, y2:Lvar, v2:Lterm, [∀a1,a2,d:D](<w1,a1>:Γ[[d/x]g] ∧ <w2,a2>:Γ[[d/x]g] ⊃ a1=a2), ~y1:Free[w1], [∀u:Free[w1]][∀v:Lterm](<u,[v]>:g ⊃ ~y1:Free[v]), ~y2:Free[w2], [∀u:Free[w2]][∀v:Lterm](<u,[v]>:g ⊃ ~y2:Free[v]), <w1,v1>:ASubst[[[y1]/x]g], <w2,v2>:ASubst[[[y2]/x]g], *[∃y3:Lvar]*[∃u1,u2:Lterm]*(~y3:Free[w1] ∧ ~y3:Free[v1] ∧ <y3,y1,v1,u1>:Subst ∧ ~y3:Free[w2] ∧ ~y3:Free[v2] ∧ <y3,y2,v2,u2>:Subst) -> <<<λ,y1>,v1>,<<λ,y2>,v2>>:Cnv
w1:Lterm, w2:Lterm, y1:Lvar, v1:Lterm, y2:Lvar, v2:Lterm -> [∃y3:Lvar][∃u1,u2:Lterm](~y3:Free[w1] ∧ ~y3:Free[v1] ∧ <y3,y1,v1,u1>:Subst ∧ ~y3:Free[w2] ∧ ~y3:Free[v2] ∧ <y3,y2,v2,u2>:Subst)
cut
g:Asgn[D,=], x:Lvar, w1:Lterm, w2:Lterm, y1:Lvar, v1:Lterm, y2:Lvar, v2:Lterm, [∀a1,a2,d:D](<w1,a1>:Γ[[d/x]g] ∧ <w2,a2>:Γ[[d/x]g] ⊃ a1=a2), ~y1:Free[w1], [∀u:Free[w1]][∀v:Lterm](<u,[v]>:g ⊃ ~y1:Free[v]), ~y2:Free[w2], [∀u:Free[w2]][∀v:Lterm](<u,[v]>:g ⊃ ~y2:Free[v]), <w1,v1>:ASubst[[[y1]/x]g], <w2,v2>:ASubst[[[y2]/x]g] -> <<<λ,y1>,v1>,<<λ,y2>,v2>>:Cnv
y1:Lvar, y2:Lvar, b:Lterm, c:Lterm, v1:Lterm, v2:Lterm, b=<<λ,y1>,v1>, c=<<λ,y2>,v2>, <<<λ,y1>,v1>,<<λ,y2>,v2>>:Cnv -> <b,c>:Cnv
cut
g:Asgn[D,=], x:Lvar, w1:Lterm, w2:Lterm, b:Lterm, c:Lterm, y1:Lvar, v1:Lterm, y2:Lvar, v2:Lterm, [∀a1,a2,d:D](<w1,a1>:Γ[[d/x]g] ∧ <w2,a2>:Γ[[d/x]g] ⊃ a1=a2), ~y1:Free[w1], [∀u:Free[w1]][∀v:Lterm](<u,[v]>:g ⊃ ~y1:Free[v]), <w1,v1>:ASubst[[[y1]/x]g], b=<<λ,y1>,v1>, ~y2:Free[w2], [∀u:Free[w2]][∀v:Lterm](<u,[v]>:g ⊃ ~y2:Free[v]), <w2,v2>:ASubst[[[y2]/x]g], c=<<λ,y2>,v2> -> <b,c>:Cnv
g:Asgn[D,=], x:Lvar, w1:Lterm, w2:Lterm, b:Lterm, c:Lterm, y1:Lvar, v1:Lterm, y2:Lvar, v2:Lterm, [∀a1,a2,d:D](<w1,a1>:Γ[[d/x]g] ∧ <w2,a2>:Γ[[d/x]g] ⊃ a1=a2), ~y1:Free[w1], [∀u:Free[w1]][∀v:Lterm](<u,[v]>:g ⊃ ~y1:Free[v]), <w1,v1>:ASubst[[[y1]/x]g], b=<<λ,y1>,v1>, ~y2:Free[w2], [∀u:Free[w2]][∀v:Lterm](<u,[v]>:g ⊃ ~y2:Free[v]), <w2,v2>:ASubst[[[y2]/x]g], c=<<λ,y2>,v2> -> *[b]=[c]
g:Asgn[D,=], x:Lvar, w1:Lterm, w2:Lterm, b:Lterm, c:Lterm, y1:Lvar, v1:Lterm, [∀a1,a2,d:D](<w1,a1>:Γ[[d/x]g] ∧ <w2,a2>:Γ[[d/x]g] ⊃ a1=a2), ~y1:Free[w1], [∀u:Free[w1]][∀v:Lterm](<u,[v]>:g ⊃ ~y1:Free[v]), <w1,v1>:ASubst[[[y1]/x]g], b=<<λ,y1>,v1>, *[∃y2:Lvar]*[∃v2:Lterm]*(~y2:Free[w2] ∧ [∀u:Free[w2]][∀v:Lterm](<u,[v]>:g ⊃ ~y2:Free[v]) ∧ <w2,v2>:ASubst[[[y2]/x]g] ∧ c=<<λ,y2>,v2>) -> [b]=[c]
g:Asgn[D,=], x:Lvar, w1:Lterm, w2:Lterm, b:Lterm, c:Lterm, [∀a1,a2,d:D](<w1,a1>:Γ[[d/x]g] ∧ <w2,a2>:Γ[[d/x]g] ⊃ a1=a2), *[∃y1:Lvar]*[∃v1:Lterm]*(~y1:Free[w1] ∧ [∀u:Free[w1]][∀v:Lterm](<u,[v]>:g ⊃ ~y1:Free[v]) ∧ <w1,v1>:ASubst[[[y1]/x]g] ∧ b=<<λ,y1>,v1>), [∃y2:Lvar][∃v2:Lterm](~y2:Free[w2] ∧ [∀u:Free[w2]][∀v:Lterm](<u,[v]>:g ⊃ ~y2:Free[v]) ∧ <w2,v2>:ASubst[[[y2]/x]g] ∧ c=<<λ,y2>,v2>) -> [b]=[c]
using lemma 5.4.2
g:Asgn[D,=], x:Lvar, w1:Lterm, w2:Lterm, b:Lterm, c:Lterm, [∀a1,a2,d:D](<w1,a1>:Γ[[d/x]g] ∧ <w2,a2>:Γ[[d/x]g] ⊃ a1=a2), *<<<λ,x>,w1>,b>:ASubst[g], *<<<λ,x>,w2>,c>:ASubst[g] -> [b]=[c]
g:Asgn[D,=], x:Lvar, w1:Lterm, w2:Lterm, *[b]:D, *[c]:D, [∀a1,a2,d:D](<w1,a1>:Γ[[d/x]g] ∧ <w2,a2>:Γ[[d/x]g] ⊃ a1=a2), *<<<λ,x>,w1>,[b]>:Γ[g], *<<<λ,x>,w2>,[c]>:Γ[g] -> [b]=[c]
g:Asgn[D,=], x:Lvar, w1:Lterm, w2:Lterm, [b]:D, [c]:D -> *([∀a1,a2,d:D](<w1,a1>:Γ[[d/x]g] ∧ <w2,a2>:Γ[[d/x]g] ⊃ a1=a2) ∧ <<<λ,x>,w1>,[b]>:Γ[g] ∧ <<<λ,x>,w2>,[c]>:Γ[g] ⊃ [b]=[c])
g:Asgn[D,=] -> *[∀x:Lvar]*[∀w1,w2:Lterm]*[∀b,c:D]([∀a1,a2,d:D](<w1,a1>:Γ[[d/x]g] ∧ <w2,a2>:Γ[[d/x]g] ⊃ a1=a2) ∧ <<<λ,x>,w1>,b>:Γ[g] ∧ <<<λ,x>,w2>,c>:Γ[g] ⊃ b=c)

End of proof of theorem 5.4.4

APPENDIX H
Proof of Theorem 5.5.1

5.5.1. Theorem  The sequent -> <D,=,°,e>:StrictSMModel is derivable.

Proof of theorem 5.5.1  Let SMAxiom_i[D,=,°,e], 1≤i≤13, be the i-th sentence in the definition of the SM-model. It is sufficient to show that for each i, 1≤i≤13, the sequent SMAxiom_i[D,=,°,e] is derivable. Only the cases for i=8, 9 and 13 shall be presented. Cases (1) to (7) are the same as in theorem 5.4.4, while the rest are similar (even simpler) to case (13) and are omitted.

In the following derivations, the symbols x, y, z are used for the constant NaDSet terms that represent the natural numbers 2, 4, 6 respectively. Therefore, according to section 5.1.1 the sequents
(i)  -> x:Lvar
(ii)  -> y:Lvar
(iii)  -> z:Lvar
are derivable, which implies that the sequents
(iv)  -> <<λ,x>,<<λ,y>,x>>:Lterm
(v)  -> <<λ,x>,<<λ,y>,<<λ,z>,<<x,z>,<y,z>>>>>:Lterm
(vi)  -> <<λ,x>,<<λ,y>,<x,y>>>:Lterm
are derivable as well. As an illustration, a derivation of (iv) is shown next. In this, the sequent
(vii)  -> x:Lterm
which is a direct consequence of the Lterm definition, is used.
(ii)  -> y:Lvar
(vii)  -> x:Lterm
<<λ,y>,x>:Z -> <<λ,y>,x>:Z
*[∀u:Lvar]*[∀w:Z]<<λ,u>,w>:Z -> <<λ,y>,x>:Z
<<λ,x>,<<λ,y>,x>>:Z -> <<λ,x>,<<λ,y>,x>>:Z
[∀u:Lvar][∀w:Z]<<λ,u>,w>:Z, *[∀w:Z]<<λ,x>,w>:Z -> <<λ,x>,<<λ,y>,x>>:Z
(i)  -> x:Lvar
contraction
*[∀u:Lvar][∀w:Z]<<λ,u>,w>:Z -> <<λ,x>,<<λ,y>,x>>:Z
thinning
*Z:LtermCls -> <<λ,x>,<<λ,y>,x>>:Z
-> *[∀z:LtermCls] <<λ,x>,<<λ,y>,x>>:z
-> *<<λ,x>,<<λ,y>,x>>:Lterm

Finally, for convenience the abbreviations
k for <<λ,x>,<<λ,y>,x>>
s for <<λ,x>,<<λ,y>,<<λ,z>,<<x,z>,<y,z>>>>>
e_ for <<λ,x>,<<λ,y>,<x,y>>>
will be used in the proof. Consequently, the sequents
(iv')  -> [k]:D
(v')  -> [s]:D
(vi')  -> [e_]:D
can be obtained from (iv), (v) and (vi) by a single application of the ->{} rule. Moreover, since e is identical to [e_], -> [e]:D is derivable as well. The proof of the theorem can now resume.

Case i=8.  The first sequent in the following derivation is a consequence of sentence (5) of theorem 5.1.3.1.

a:Lterm, b:Lterm, y1:Lvar, ~y1:Free[a] -> <b,y1,a,a>:Subst
<<<<λ,y1>,a>,b>,a>:Z -> <<<<λ,y1>,a>,b>,a>:Z
a:Lterm, b:Lterm, y1:Lvar, ~y1:Free[a], *(<b,y1,a,a>:Subst ⊃ <<<<λ,y1>,a>,b>,a>:Z) -> <<<<λ,y1>,a>,b>,a>:Z
a:Lterm -> a:Lterm
b:Lterm -> b:Lterm
a:Lterm -> a:Lterm
y1:Lvar -> y1:Lvar
a:Lterm, b:Lterm, y1:Lvar, ~y1:Free[a], *[∀w,u,v:Lterm]*[∀x:Lvar](<u,x,w,v>:Subst ⊃ <<<<λ,x>,w>,u>,v>:Z) -> <<<<λ,y1>,a>,b>,a>:Z
thinning
a:Lterm, b:Lterm, y1:Lvar, ~y1:Free[a], *Z:CnvCls -> <<<<λ,y1>,a>,b>,a>:Z
<<ka,b>,<<<λ,y1>,a>,b>>:Z -> <<ka,b>,<<<λ,y1>,a>,b>>:Z
<<ka,b>,a>:Z -> <<ka,b>,a>:Z
a:Lterm, b:Lterm, y1:Lvar, ~y1:Free[a], Z:CnvCls, *(<<ka,b>,<<<λ,y1>,a>,b>>:Z ∧ <<<<λ,y1>,a>,b>,a>:Z ⊃ <<ka,b>,a>:Z), <<ka,b>,<<<λ,y1>,a>,b>>:Z -> <<ka,b>,a>:Z
ka:Lterm, b:Lterm -> <ka,b>:Lterm
a:Lterm, b:Lterm, y1:Lvar -> <<<λ,y1>,a>,b>:Lterm
a:Lterm -> a:Lterm
a:Lterm, b:Lterm, ka:Lterm, y1:Lvar, ~y1:Free[a], Z:CnvCls, *[∀w,u,v:Lterm](<w,u>:Z ∧ <u,v>:Z ⊃ <w,v>:Z), <<ka,b>,<<<λ,y1>,a>,b>>:Z -> <<ka,b>,a>:Z
contraction
a:Lterm, b:Lterm, ka:Lterm, y1:Lvar, ~y1:Free[a], *Z:CnvCls, <<ka,b>,<<<λ,y1>,a>,b>>:Z -> <<ka,b>,a>:Z
<ka,<<λ,y1>,a>>:Z -> <ka,<<λ,y1>,a>>:Z
ka:Lterm -> ka:Lterm
a:Lterm, y1:Lvar -> <<λ,y1>,a>:Lterm
b:Lterm -> b:Lterm
a:Lterm, b:Lterm, ka:Lterm, y1:Lvar, ~y1:Free[a], Z:CnvCls, *[∀w,u,v:Lterm]*(<w,u>:Z ⊃ <<w,v>,<u,v>>:Z), <ka,<<λ,y1>,a>>:Z -> <<ka,b>,a>:Z
contraction
a:Lterm, b:Lterm, ka:Lterm, y1:Lvar, ~y1:Free[a], *Z:CnvCls, <ka,<<λ,y1>,a>>:Z -> <<ka,b>,a>:Z
<ka,<k,a>>:Z -> <ka,<k,a>>:Z
<<k,a>,<<λ,y1>,a>>:Z -> <<k,a>,<<λ,y1>,a>>:Z
ka:Lterm -> ka:Lterm
a:Lterm -> <k,a>:Lterm
a:Lterm, y1:Lvar -> <<λ,y1>,a>:Lterm
a:Lterm, b:Lterm, ka:Lterm, y1:Lvar, ~y1:Free[a], Z:CnvCls, *[∀w,u,v:Lterm]*(<w,u>:Z ∧ <u,v>:Z ⊃ <w,v>:Z), <ka,<k,a>>:Z, <<k,a>,<<λ,y1>,a>>:Z -> <<ka,b>,a>:Z
<<k,a>,ka>:Z -> <<k,a>,ka>:Z
a:Lterm -> <k,a>:Lterm
ka:Lterm -> ka:Lterm
a:Lterm, b:Lterm, ka:Lterm, y1:Lvar, ~y1:Free[a], Z:CnvCls, *[∀w,u:Lterm]*(<w,u>:Z ⊃ <u,w>:Z), [∀w,u,v:Lterm](<w,u>:Z ∧ <u,v>:Z ⊃ <w,v>:Z), <<k,a>,ka>:Z, <<k,a>,<<λ,y1>,a>>:Z -> <<ka,b>,a>:Z
contraction
a:Lterm, b:Lterm, ka:Lterm, y1:Lvar, ~y1:Free[a], *Z:CnvCls, <<k,a>,ka>:Z, <<k,a>,<<λ,y1>,a>>:Z -> <<ka,b>,a>:Z
<a,x,<<λ,y>,x>,<<λ,y1>,a>>:Subst -> <a,x,<<λ,y>,x>,<<λ,y1>,a>>:Subst
a:Lterm, b:Lterm, ka:Lterm, y1:Lvar, ~y1:Free[a], <a,x,<<λ,y>,x>,<<λ,y1>,a>>:Subst, Z:CnvCls, *(<a,x,<<λ,y>,x>,<<λ,y1>,a>>:Subst ⊃ <<<k,a>,<<λ,y1>,a>>:Z), <<k,a>,ka>:Z -> <<ka,b>,a>:Z
a:Lterm, b:Lterm, ka:Lterm, y1:Lvar, ~y1:Free[a], <a,x,<<λ,y>,x>,<<λ,y1>,a>>:Subst, Z:CnvCls, (<a,x,<<λ,y>,x>,<<λ,y1>,a>>:Subst ⊃ *<<<<λ,x>,<<λ,y>,x>>,a>,<<λ,y1>,a>>:Z), <<k,a>,ka>:Z -> <<ka,b>,a>:Z
-> <<λ,y>,x>:Lterm
a:Lterm -> a:Lterm
a:Lterm, y1:Lvar -> <<λ,y1>,a>:Lterm
-> x:Lvar
a:Lterm, b:Lterm, ka:Lterm, y1:Lvar, ~y1:Free[a], <a,x,<<λ,y>,x>,<<λ,y1>,a>>:Subst, Z:CnvCls, *[∀w,u,v:Lterm]*[∀x:Lvar](<u,x,w,v>:Subst ⊃ <<<<λ,x>,w>,u>,v>:Z), <<k,a>,ka>:Z -> <<ka,b>,a>:Z
a:Lterm, b:Lterm, ka:Lterm, Z:CnvCls, [∀w,u,v:Lterm][∀x:Lvar](<u,x,w,v>:Subst ⊃ <<<<λ,x>,w>,u>,v>:Z), *[∃y1:Lvar]*(~y1:Free[a] ∧ <a,x,<<λ,y>,x>,<<λ,y1>,a>>:Subst), <<k,a>,ka>:Z -> <<ka,b>,a>:Z
a:Lterm -> [∃y1:Lvar](~y1:Free[a] ∧ <a,x,<<λ,y>,x>,<<λ,y1>,a>>:Subst)
cut
a:Lterm, b:Lterm, ka:Lterm, Z:CnvCls, [∀w,u,v:Lterm][∀x:Lvar](<u,x,w,v>:Subst ⊃ <<<<λ,x>,w>,u>,v>:Z), <<k,a>,ka>:Z -> <<ka,b>,a>:Z
contraction
a:Lterm, b:Lterm, ka:Lterm, *Z:CnvCls, <<k,a>,ka>:Z -> <<ka,b>,a>:Z
Z:CnvCls -> Z:CnvCls
a:Lterm, b:Lterm, ka:Lterm, *[∀z:CnvCls]<<k,a>,ka>:z, Z:CnvCls -> <<ka,b>,a>:Z
a:Lterm, b:Lterm, ka:Lterm, [∀z:CnvCls]<<k,a>,ka>:z -> *[∀z:CnvCls]<<ka,b>,a>:z
a:Lterm, b:Lterm, ka:Lterm, *<<k,a>,ka>:Cnv -> *<<ka,b>,a>:Cnv
[a]:D, [b]:D, [ka]:D, *<[k],[a],[ka]>:° -> *<[ka],[b],[a]>:°
[a]:D, [b]:D, [ka]:D -> *(<[k],[a],[ka]>:° ⊃ <[ka],[b],[a]>:°)
-> *[∀a,b,ka:D](<[k],a,ka>:° ⊃ <ka,b,a>:°)
(iv')  -> [k]:D
-> *[∃k:D][∀a,b,ka:D](<k,a,ka>:° ⊃ <ka,b,a>:°)

Case i=9.  It is similar to the previous case, with the exception that the term [s] (that is, the term [<<λ,x>,<<λ,y>,<<λ,z>,<<x,z>,<y,z>>>>>]) is used to instantiate the existentially quantified variable s in the present case.

Case i=13.  This is the only case whose derivation needs the η-conversion rule given by clause (6) in the definition of CnvCls. This is expected, since case (13) is the only clause in the definition of the model that forces the model to be an extensional model (definition 10.7 and theorem 11.30 of [Hindley&Seldin86]). In the following derivation, sequent (a) is implied by the definition of "Free" and sequent (b) is a consequence of theorem 5.1.3.1.

<<e_,e_>,<<λ,y>,<e_,y>>>:Z -> <<e_,e_>,<<λ,y>,<e_,y>>>:Z
<<<λ,y>,<e_,y>>,e_>:Z -> <<<λ,y>,<e_,y>>,e_>:Z
<<e_,e_>,e_>:Z -> <<e_,e_>,e_>:Z
*(<<e_,e_>,<<λ,y>,<e_,y>>>:Z ∧ <<<λ,y>,<e_,y>>,e_>:Z ⊃ <<e_,e_>,e_>:Z), <<e_,e_>,<<λ,y>,<e_,y>>>:Z, <<<λ,y>,<e_,y>>,e_>:Z -> <<e_,e_>,e_>:Z
-> <e_,e_>:Lterm
-> <<λ,y>,<e_,y>>:Lterm
-> e_:Lterm
*[∀w,u,v:Lterm](<w,u>:Z ∧ <u,v>:Z ⊃ <w,v>:Z), <<e_,e_>,<<λ,y>,<e_,y>>>:Z, <<<λ,y>,<e_,y>>,e_>:Z -> <<e_,e_>,e_>:Z
thinning
*Z:CnvCls, <<<λ,y>,<e_,y>>,e_>:Z, <<e_,e_>,<<λ,y>,<e_,y>>>:Z -> <<e_,e_>,e_>:Z
(a)  -> ~y:Free[e_]
Z:CnvCls, *(~y:Free[e_] ⊃ <<<λ,y>,<e_,y>>,e_>:Z), <<e_,e_>,<<λ,y>,<e_,y>>>:Z -> <<e_,e_>,e_>:Z
-> e_:Lterm
-> y:Lvar
Z:CnvCls, *[∀w:Lterm]*[∀x:Lvar](~x:Free[w] ⊃ <<<λ,x>,<w,x>>,w>:Z), <<e_,e_>,<<λ,y>,<e_,y>>>:Z -> <<e_,e_>,e_>:Z
*Z:CnvCls, <<e_,e_>,<<λ,y>,<e_,y>>>:Z -> <<e_,e_>,e_>:Z
Z:CnvCls, *<<<<λ,x>,<<λ,y>,<x,y>>>,e_>,<<λ,y>,<e_,y>>>:Z -> *<<<<λ,x>,<<λ,y>,<x,y>>>,e_>,e_>:Z
(b)  -> <e_,x,<<λ,y>,<x,y>>,<<λ,y>,<e_,y>>>:Subst
Z:CnvCls, *(<e_,x,<<λ,y>,<x,y>>,<<λ,y>,<e_,y>>>:Subst ⊃ <<<<λ,x>,<<λ,y>,<x,y>>>,e_>,<<λ,y>,<e_,y>>>:Z) -> <<<<λ,x>,<<λ,y>,<x,y>>>,e_>,e_>:Z
-> <<λ,y>,<x,y>>:Lterm
-> e_:Lterm
-> <<λ,y>,<e_,y>>:Lterm
-> x:Lvar
Z:CnvCls, *[∀w,u,v:Lterm]*[∀x:Lvar](<u,x,w,v>:Subst ⊃ <<<<λ,x>,w>,u>,v>:Z) -> <<<<λ,x>,<<λ,y>,<x,y>>>,e_>,e_>:Z
contraction
*Z:CnvCls -> *<<e_,e_>,e_>:Z
-> *[∀z:CnvCls]<<e_,e_>,e_>:z
-> *<<e_,e_>,e_>:Cnv
-> *<[e_],[e_],[e_]>:°
-> *[∀x,y:Lvar]<e,e,e>:°

End of proof of theorem 5.5.1
