On Definitions of Constants and Types in HOL
Abstract
This paper reports on a simpler and more powerful replacement for the principles for defining new constants that were previously provided in the various HOL implementations. We discuss the problems that the new principle is intended to solve and sketch the proofs that it is conservative and that it subsumes the earlier definitional principles. The new definitional principle for constants has been implemented in HOL4 and in ProofPower and has been adopted in OpenTheory and in the work of Kumar, Myreen and Owens on a fully verified implementation of HOL. Kumar et al. have formally verified that the new definitional principle is conservative with respect to the standard set theoretic semantics of HOL. We continue this line of thought with a look at the mechanisms for defining new types and consider potential improvements, one of which has now been adopted in OpenTheory.
Keywords
Higher-order logic; Interactive theorem proving; Conservative extension
1 Introduction
Pitching specifications at an appropriate degree of precision and generality is an important aspect of systems engineering. In mathematics, it is vital to choose an appropriate set of abstract concepts on which to found a theory. Nonetheless, in the automated reasoning community we often seem to underplay the importance of clear, abstract definitions, with many developments being founded on rather crude axiomatisations. The widely used HOL logic contains some features intended to support abstract specifications. This paper discusses these features and some potential improvements to them.
The design of the HOL logic and of its definitional principles [2] evolved in the late 80s and early 90s. Some form of this design has been implemented in HOL4 [16, 17], HOL Light [8], HOL Zero [1], Isabelle/HOL [15], OpenTheory [11] and ProofPower [4]. While the definitional principles have stood the test of time in many practical applications, we believe there is still some room for improvement. We will discuss issues with the mechanisms for introducing new constants and types and consider new and more general mechanisms to address these issues.
The discussion of constant definitions in this paper is based on work originally presented at ITP2014 [3]. The discussion of type definitions is new for this special issue of the Journal of Automated Reasoning.
2 Definitional Principles in Logic
We begin by defining some terminology for use in discussing definitional principles in logic. This is largely technical, and the reader may wish to skip it on a first reading, referring back to it as necessary when later on we talk about consistency or conservativeness.
To discuss the notion of a definitional principle, we assume given a language equipped with an inference system or a semantics. We assume the language is parametrised by a signature defining a set of primitive constructs. In the sequel, we will solely be concerned with the HOL language and inference system as defined in [8]. Signatures will be as in [2] and comprise sets of type constructor names and associated arities and sets of constant names and associated types. The inference system of [8] can be shown to be equivalent to the somewhat different system used in HOL4 and ProofPower as defined in [2]. The judgments of the inference system are sequents \(t_1, \ldots , t_n \vdash t\), where t and the \(t_i\) are terms of type \({\mathsf {bool}}\).
A definitional principle is a generalised inference rule that includes a signature extension. An instance of such a principle has antecedents comprising a (possibly empty) list of judgments of some prescribed form over some signature \(\varSigma \) and has succedents comprising a list of judgments over some extended signature \(\varSigma '\). Intuitively, the succedents are axioms that specify the intended meaning of the new primitive constructs introduced in \(\varSigma '\), while the antecedents provide evidence that these axioms are consistent (or, even better, conservative, as discussed below). We define a context \(\varGamma = (\varSigma , A)\) to be a pair comprising a signature and a set of axioms. Definitional principles are applied sequentially to obtain new contexts from old ones starting from some initial context \(\varGamma _0\). It is only valid to apply a definitional principle to a context \(\varGamma = (\varSigma , A)\) if its antecedents are in the language over \(\varSigma \) and are derivable from the axioms A. The resulting context \(\varGamma '\) is \((\varSigma ', A \cup S)\) where \(\varSigma '\) is the extended signature and S is the set of succedent theorems associated with this instance of the definitional principle.
In later sections, we will usually think of a definitional principle operationally and hence refer to it as taking some inputs and introducing new primitives and associated axioms. In practice, an implementation will often require input parameters in addition to the antecedent theorems in order to describe the form of the signature extension, e.g., to give the name of a new constant.
We say that a definitional principle is consistent if, whenever it is validly applied to a context \(\varGamma = (\varSigma , A)\) to give a new context \(\varGamma ' = (\varSigma ', A')\), then \(A'\) is consistent if A is consistent.
We say that a definitional principle is model-theoretically conservative with respect to a semantics, if, whenever it is validly applied to a context \(\varGamma \) to give a new context \(\varGamma '\), then any model of \(\varGamma \) may be expanded to a model of \(\varGamma '\).
We say that a definitional principle is proof-theoretically conservative if, whenever it is validly applied to a context \(\varGamma = (\varSigma , A)\) to give a new context \(\varGamma ' = (\varSigma ', A')\), then any judgment over \(\varSigma \) that is derivable from \(A'\) is also derivable from A.
Conservativeness, in either the model-theoretic or proof-theoretic sense, implies consistency. In general, consistency is a much weaker property than either kind of conservativeness. The two notions of conservativeness coincide for a logic that is sound and complete for the semantics in question. However, HOL is sound but not complete for its standard semantics. In the sequel when we refer to model-theoretic notions in HOL, we will always mean the standard semantics unless otherwise stated. See [2] for a readable and rigorous account of the standard semantics for HOL. Note that the standard semantics actually defines a proper class of standard models: “standard” means that function types are modelled by function spaces in the metalogic and does not imply any restriction on the cardinality of a model (hence the careful use of the phrase “a standard model” in [2]).
3 On Defining Constants
3.1 The Existing Mechanisms
RJ1

The mechanism does not support implicit definitions. As one example, it is pleasant to define the destructors of a data type as the left inverses of the constructors. Thus one wants to define \({\mathsf {Pre}}\) in terms of \({\mathsf {Suc}}\) by:
$$\begin{aligned} {\mathsf {Pre}}({\mathsf {Suc}}(n)) = n. \end{aligned}$$
As another example, the exponential function is naturally defined by a differential equation:
$$\begin{aligned} {\mathsf {exp}}(0)= & {} 1 \\ ({\mathsf {D}}\,{\mathsf {exp}})(x)= & {} {\mathsf {exp}}(x). \end{aligned}$$
In such cases, the mechanism can be used to define constants having the desired properties, but one has to use the Hilbert choice operator to give witnesses and then derive the implicit definitions as theorems. This results in a loss of abstraction and unintended identities, e.g., the naive way of defining two constants \(c_1\) and \(c_2\) both with the loose defining property \(c_i \le 10\) will result in an extension in which \(c_1 = c_2\) is provable.
 RJ2

The mechanism is unsound. The condition on the free variables of t is certainly necessary. Without it, we could take t to be a variable, \(y:\mathbb {N}\), and define a new constant c satisfying \( \vdash \forall y : \mathbb {N} {\cdot }\, c = y. \) Specialising this in two different ways, we could prove both \(c = 1\) and \(c = 2\). However, the condition is not sufficient. If \(\#\) is a polymorphic function such that \(\#X\) is the size of X when X is a finite set, then we can use the mechanism to define a constant \(c:\mathbb {N}\) satisfying the axiom \(c = \#\{x:\alpha \mathrel {}x = x\}\), where \(\alpha \) is a type variable. But then if \(\mathbf {1}\) and \(\mathbf {2}\) denote types with 1 and 2 members respectively, we can instantiate \(\alpha \) to prove both \(c = \#\{x:\mathbf {1}\mathrel {}x = x\} = 1\) and \(c = \#\{x:\mathbf {2}\mathrel {}x = x\} = 2\).
The fix for RJ2 was to change new_definition so as to check that all type variables appearing anywhere in the term t also appear in the type of the constant c that is being defined. HOL Light, HOL Zero, Isabelle/HOL and ProofPower were all implemented after the problem was known, so they incorporated this solution from scratch. The fix in Classic HOL was carried forward into HOL4.
RA1

Given new_specification, new_definition is redundant: what it does can easily be realised by a derived mechanism that, given the list of variables \(x_1, \ldots , x_n\) and the term t, automatically proves:
$$\begin{aligned} \vdash \exists y {\cdot }\, \forall x_1\,\ldots \,x_n {\cdot }\, y\;x_1\;\ldots \;x_n = t \end{aligned}$$
and then applies new_specification. Unfortunately, in order to prove existentially quantified statements, one needs a definition of the existential quantifier, and so new_definition seems necessary to avoid a bootstrapping problem^{3}. (Since it is only required for bootstrapping, the ProofPower implementation of new_definition only covers the simple case where the axiom has the form \(\vdash c = t\).)
RA2

The condition on type variables imposed by new_specification is stronger than one would like. It is natural for certain “concrete” structures to be characterized by more “abstract” properties such as universal mapping properties. For example, data types can be characterized as initial algebras:
$$\begin{aligned} \forall (z:\alpha ) (r : \alpha \rightarrow \alpha ) {\cdot }\, \exists ! f : \mathbb {N}\rightarrow \alpha {\cdot }\, f(0) = z \wedge \forall n {\cdot }\, f({\mathsf {Suc}}(n)) = r(f(n)). \end{aligned}$$
However, the above characterization cannot be used as a defining property for the successor function with new_specification. Characterizing objects by universal properties is endemic in modern mathematics and computer science, so it is irritating to be compelled to resort to circumlocutions.
 JH1

The primitive inference system for HOL Light should be defined in terms of language primitives and equality alone and should not depend on the axiomatization of the logical connectives.
 MA1

If an LCF style system does not record all the axioms and definitions that have been introduced, the correctness claim for the system has to be defined in terms of a state and the sequence of operations which produced that state. This makes it impossible to implement a proof auditing procedure that works by analysing the current state of the system.
The equivalent of new_specification in Isabelle/HOL is its specification command. This is implemented using an equational definition and the choice function, but that definition only exists in a private namespace. Some aspects of the abstraction offered by new_specification are provided by the very popular locale mechanism in Isabelle.
Quantification over type variables as implemented in HOL-Omega [10] obviates many of the problems discussed here. However, our present concern is with improvements that preserve the delightful simplicity of the Classic HOL logic.
3.2 Proposed Alternative

The proposed alternative, gen_new_specification, takes as input a theorem of the form \( v_1 = t_1, \ldots , v_n = t_n \vdash p \) and introduces new constants \(c_1, \ldots , c_n\) with the defining axiom \(\vdash p[c_1/v_1, \ldots , c_n/v_n] \), subject to the following conditions:

the \(v_i\) must be pairwise distinct;

the terms \(t_i\) must have no free variables;

the free variables of p must be contained in the \(v_i\);

any type variable occurring in the type of any subterm of a \(t_i\) must occur in the type of the corresponding \(v_i\).
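As an added illustration (not code from the paper or from any HOL implementation), the following Python sketch uses a hypothetical minimal encoding of HOL types and terms to check the four conditions above on an input theorem \( v_1 = t_1, \ldots , v_n = t_n \vdash p \). The constructed inputs are the two unsound witnesses from objection RJ2 (a free variable, and a closed term whose type variable does not occur in the type of the constant), both rejected, and the two loosely specified constants of RJ1, which are admitted.

```python
# Added example (not the paper's code nor any HOL kernel's): a tiny hypothetical
# encoding of HOL types and terms, and a checker for the four side conditions of
# gen_new_specification on an input theorem  v_1 = t_1, ..., v_n = t_n |- p.
# All sample terms below are constructed for this illustration.
from collections import namedtuple

TyVar = namedtuple("TyVar", "name")        # type variable, e.g. alpha
TyApp = namedtuple("TyApp", "op args")     # type constructor applied to arguments
Var = namedtuple("Var", "name ty")         # term variable
Const = namedtuple("Const", "name ty")     # constant (told apart from Var by isinstance)
Comb = namedtuple("Comb", "f x")           # application f x
Abs = namedtuple("Abs", "v body")          # lambda abstraction \v. body
BOOL, NUM = TyApp("bool", ()), TyApp("num", ())

def fun(a, b):
    return TyApp("fun", (a, b))

def type_vars(ty):
    if isinstance(ty, TyVar):
        return frozenset({ty.name})
    return frozenset().union(*(type_vars(a) for a in ty.args))

def type_of(t):
    if isinstance(t, (Var, Const)):
        return t.ty
    if isinstance(t, Abs):
        return fun(t.v.ty, type_of(t.body))
    fty = type_of(t.f)
    assert isinstance(fty, TyApp) and fty.op == "fun" and fty.args[0] == type_of(t.x)
    return fty.args[1]

def free_vars(t):
    if isinstance(t, Var):
        return frozenset({t})
    if isinstance(t, Const):
        return frozenset()
    if isinstance(t, Abs):
        return free_vars(t.body) - {t.v}
    return free_vars(t.f) | free_vars(t.x)

def all_type_vars(t):
    """Type variables in the type of *any* subterm (the stronger check adopted
    after objection RJ2), not merely those in the type of t itself."""
    if isinstance(t, (Var, Const)):
        return type_vars(t.ty)
    if isinstance(t, Abs):
        return type_vars(t.v.ty) | all_type_vars(t.body)
    return all_type_vars(t.f) | all_type_vars(t.x)

def check_gen_new_specification(eqs, p):
    """eqs is the list of (v_i, t_i) pairs of the input theorem; the result is
    the list of violated side conditions (empty means the input is admissible)."""
    errors, vs = [], [v for v, _ in eqs]
    if len(set(vs)) != len(vs):
        errors.append("the v_i must be pairwise distinct")
    for v, t in eqs:
        if type_of(t) != v.ty:
            errors.append(f"{v.name}: witness has the wrong type")
        if free_vars(t):
            errors.append(f"{v.name}: witness has free variables")
        if not all_type_vars(t) <= type_vars(v.ty):
            errors.append(f"{v.name}: witness has a type variable not in the type of {v.name}")
    if not free_vars(p) <= set(vs):
        errors.append("p has free variables other than the v_i")
    return errors

ALPHA = TyVar("alpha")

def app2(c, a, b):
    return Comb(Comb(c, a), b)

def eq(a, b):
    ty = type_of(a)
    return app2(Const("=", fun(ty, fun(ty, BOOL))), a, b)

def examples():
    c, x, y = Var("c", NUM), Var("x", ALPHA), Var("y", NUM)
    # RJ2: c = #{x:alpha . x = x}. The witness is closed and of type num, but
    # alpha occurs in a subterm and not in the type of c, so it is rejected.
    card = Const("#", fun(fun(ALPHA, BOOL), NUM))
    rj2_witness = Comb(card, Abs(x, eq(x, x)))
    # RJ1: c1 <= 10 /\ c2 <= 10 with distinct closed witnesses (numerals are
    # modelled as constants). Admissible; the axiom introduced is p[c1, c2]
    # alone, so no unintended identity c1 = c2 is forced on the user.
    c1, c2, ten = Var("c1", NUM), Var("c2", NUM), Const("10", NUM)
    le = Const("<=", fun(NUM, fun(NUM, BOOL)))
    conj = Const("/\\", fun(BOOL, fun(BOOL, BOOL)))
    rj1_p = app2(conj, app2(le, c1, ten), app2(le, c2, ten))
    return {
        "rj2_polymorphic_witness":
            check_gen_new_specification([(c, rj2_witness)], eq(c, rj2_witness)),
        "rj2_free_variable_witness":   # the bare variable y as witness (RJ2, first half)
            check_gen_new_specification([(c, y)], eq(c, y)),
        "rj1_two_loose_constants":
            check_gen_new_specification([(c1, Const("0", NUM)), (c2, Const("1", NUM))], rj1_p),
    }
```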
Claim 1
gen_new_specification is a conservative definitional principle in both the proof-theoretic and model-theoretic senses.
Proof
For proof-theoretical conservativeness, assume that a sequent \(\varGamma \vdash q\) containing no instances of the \(c_i\) is provable using the axiom \(\vdash p[c_1/v_1, \ldots , c_n/v_n] \) introduced using gen_new_specification. We will show how to transform a proof tree with conclusion \(\varGamma \vdash q\) into a proof tree with the same conclusion that does not use the new axiom. First, by simple equality reasoning, derive from the theorem \( v_1 = t_1, \ldots , v_n = t_n \vdash p \) that was passed to gen_new_specification the theorem \( \vdash p[t_1/v_1, \ldots , t_n/v_n]. \)
Now replace each type instance of a \(c_i\) in the proof tree with the corresponding type instance of \(t_i\) and wherever a type instance of the axiom \(\vdash p[c_1/v_1, \ldots , c_n/v_n]\) is used in the proof tree, replace it with the corresponding type instance of a proof tree for \(\vdash p[t_1/v_1, \ldots , t_n/v_n]\). By inspection of the primitive inference rules in [8], if one replaces instances of constants in a correct inference by closed terms of the same type in such a way that assumptions or conclusions of the sequents involved that were syntactically identical before the replacement remain syntactically identical, then the result is also a correct inference. As the condition on type variables imposed by gen_new_specification guarantees that two instances of a \(c_i\) are syntactically identical iff the corresponding instances of \(t_i\) are syntactically identical, we have constructed a correct proof tree whose conclusion is \(\varGamma \vdash q\). That concludes the proof of proof-theoretical conservativeness.
For model-theoretic conservativeness, note that \(\exists v_1\,\ldots \,v_n {\cdot }\, p\) is provable using the new axiom by taking the \(c_i\) as witnesses, hence by proof-theoretic conservativeness \(\exists v_1\,\ldots \,v_n {\cdot }\, p\) is provable without using the new axiom and hence is true in any standard model. Therefore in any standard model, there exist \(v_1, \ldots , v_n\) satisfying p and these elements may be used to expand the model to a model of the new axiom. \(\square \)
Claim 2
gen_new_specification subsumes new_definition.
Proof
In the simplest case, to define c with axiom \(\vdash c = t\), where t has no free variables and contains no type variables that do not appear in its type, apply gen_new_specification to the axiom \(v = t \vdash v = t\). This is all we need to define the logical connectives [8].
For the general case, to define c with axiom \( \vdash \forall x_1\,\ldots \,x_n {\cdot }\, c\;x_1\ldots \;x_n = t, \)
take the axiom \(v = (\lambda x_1\,\ldots \,x_n {\cdot }\, t) \vdash v = (\lambda x_1\,\ldots \,x_n {\cdot }\, t)\), derive \(v = (\lambda x_1\,\ldots \,x_n {\cdot }\, t) \vdash \forall x_1\,\ldots \,x_n {\cdot }\, v\;x_1\ldots \;x_n = t\) from it and then apply gen_new_specification. \(\square \)
Claim 3
gen_new_specification subsumes new_specification.
Proof
Given the theorem \( \vdash \exists v_1\,\ldots \,v_n {\cdot }\,p \), we can derive from it the theorem \( v_1 = \varepsilon v_1 {\cdot }\, \exists v_2\,\ldots \,v_n {\cdot }\,p \vdash \exists v_2\,\ldots \,v_n {\cdot }\, p \) and apply gen_new_specification to define a constant \(c_1\) with defining axiom \( \vdash \exists v_2\,\ldots \,v_n {\cdot }\,p[c_1/v_1] \). Iterating this process we can define \(c_2, \ldots , c_n\) such that the defining axiom of \(c_n\) is \( \vdash p[c_1/v_1, \ldots , c_n/v_n] \). Thus we can achieve the same effect as \(\mathtt{new\_specification}\) at the expense of additional intermediate definitions. This is sufficient to define the constructor and destructors for binary products.
Once we have binary products, we can simulate n-tuples by iterated pairing. This means that given the theorem \( \vdash \exists v_1\,\ldots \,v_n {\cdot }\, p \), we can derive the theorem \( \vdash \exists z {\cdot }\, p[\pi _1(z)/v_1, \ldots , \pi _n(z)/v_n] \) in which the n bound variables \(v_1, \ldots , v_n\) have been collected into a single n-tuple denoted by the fresh variable z (here \(\pi _i\) denotes the projection onto the i-th factor). Now we can derive from that the theorem \( v_1 = t_1, \ldots , v_n = t_n \vdash p \) where \(t_i\) is \(\pi _i(\varepsilon z {\cdot }\, p[\pi _1(z)/v_1, \ldots , \pi _n(z)/v_n])\). Given this theorem as input, gen_new_specification has exactly the same effect as new_specification given the input theorem \(\vdash \exists v_1\,\ldots \,v_n {\cdot }\, p\). \(\square \)
3.3 Assessment
 RJ1

By claim 3, the support for implicit definitions is at least as good with gen_new_specification as with new_specification. In fact it is better: using gen_new_specification one can define new constants \(f : \alpha \rightarrow \mathbb {N}\) and \(n : \mathbb {N}\) with defining property \(\forall x {\cdot }\, \lnot f\,x = n\), but this is impossible using new_specification.
 RJ2

By claim 1, the proposed alternative is sound. What is more, this proof has been formalised in HOL4: Ramana Kumar, Scott Owens and Magnus Myreen have recently completed a formal proof of soundness for the HOL logic and its definitional principles including gen_new_specification [14].
 RA1

By claim 2, new_definition is no longer required. (The definitions of the connectives as given in [8] only require the simple case in the proof of that claim, so no reasoning about the connectives is needed to define them and there is no bootstrapping issue.)
 RA2

The restriction on type variables now applies only to the equations that give the witnesses to the consistency of the definition. Defining properties such as initial algebra conditions are supported.
 JH1

gen_new_specification is defined solely in terms of equality and primitive language constructs.
 MA1

The unintended identities arising as a result of recording definitions in HOL Light will not occur if gen_new_specification is adopted as the primitive mechanism for defining constants.
gen_new_specification has now been implemented in HOL4 and ProofPower. In both cases it is a replacement for new_definition: the existing new_specification has been retained for pragmatic reasons^{4}. The ProofPower implementation includes an implementation of the proof of claim 3 above and this completely replaces new_specification in the development of many of the theories supplied with the system, including all the “pervasive” theories such as the theories of pairs and natural numbers that form part of the logical kernel. gen_new_specification is included in version 6 of OpenTheory as the defineConstList command and is supported by the opentheory tool.
4 On Defining Types
For constant definitions, we have offered in section 3 a definite proposal that has been formally verified and adopted in several systems. For type definitions, we feel that there is still work to be done, both on the theory and on how to implement it. Nonetheless, we believe that there are definitely some worthwhile alternatives to the existing mechanisms to be considered. In this section we discuss the existing mechanisms and some possible alternatives.
 XX1

Typically the existence of the representation function is irrelevant once one has proved some abstract characterisation of the new type, e.g., by the existence of constructors satisfying some closure property. It would be more elegant if one could introduce a new type with the abstract characterisation as the defining property.
There are (admittedly somewhat recondite) cases in which the lack of abstractness reported in XX1 actually results in a real loss of expressiveness. This occurs, for example, in John Harrison’s work on self-verification of HOL Light [7]. To explain this, if X and Y are sets represented in the usual way as predicates in HOL, let me write \(X \preceq Y\) to mean there is a one-to-one mapping of X into Y and \(X \prec Y\) to mean \(X \preceq Y \wedge \lnot Y \preceq X\). Harrison needs to introduce a new type \(\varUpsilon \) with universe U, say, such that for any set X, if \(X \prec U\), then \(\mathbb {P}(X) \prec U\). Now any countably infinite set enjoys this closure property (since powersets of finite sets are finite), so one can define \(\varUpsilon \) as a subtype of \(\mathbb {N}\). However, that leaves open the possibility that what is subsequently proved depends on \(\varUpsilon \) being countable. This is rather unsatisfactory in the context of [7]: Harrison’s script (Model/modelset.ml in the HOL Light distribution) actually allows one to rearrange comments to replace the type definition with an axiom asserting the closure property, giving some evidence that the unwanted information given by the type definition is not actually used.
A proof of the model-theoretic conservativeness of new_type_specification is given in [2]. The model-theoretic conservativeness of new_type_definition follows from this, since the effect of the latter can be achieved with the former if we take q to be \(\exists rep :\beta \rightarrow \sigma {\cdot }\, {\mathsf {Type\_Definition}}\,p\, rep \). However, because HOL is not complete with respect to the standard semantics, we cannot deduce from this that new_type_specification is conservative in the proof-theoretic sense. It can be shown that new_type_specification is proof-theoretically conservative using the method of Henkin models [9]: \(\mathtt{new\_type\_specification}\) is conservative in the model-theoretic sense under the Henkin semantics, and since the proof system is complete for the Henkin semantics, we can conclude that \(\mathtt{new\_type\_specification}\) and hence \(\mathtt{new\_type\_definition}\) are proof-theoretically conservative. A direct syntactic proof of the conservativeness of new_type_specification seems much more difficult: an analogous principle for introducing new sorts in many-sorted first-order logic is easily justified using relativisation of quantifiers, but this line of argument does not generalise straightforwardly to the full typed \(\lambda \)-calculus.
Used in the context of Harrison’s work on self-verification of HOL Light, new_type_specification would have allowed Harrison to achieve the same effect as was achieved with the new axiom: the defining property of the new type would comprise only the desired closure properties and would give no upper bound on the cardinality.
Objection XX1 applies even more strongly for a type definition principle that forces the definition of the representation and abstraction functions as new constants. Once one has an abstract characterisation of a new type, these constants are no longer of any use and so they are potentially misleading clutter (a naive user may be tempted to use them instead of the abstract characterisation).
 MC1

In existing implementations of define_ty_op, the names of the free variables a and r that appear in the axioms it introduces are fixed by the implementation, while in all the other rules the choice of free variable names is determined by the inputs to the rule.
 RA3

Particularly when defining syntax, mutually recursive types are common, but new_type_definition etc. only allow introduction of one type at a time.
 for \(1 \le i \le m\):

\(p_i\) is a closed term of type \(\sigma _i \rightarrow {\mathsf {bool}}\);

\(w_i\) is a term of type \(\sigma _i\);

the type variables occurring in \(p_i\) are contained in \(\alpha _{i1}, \ldots , \alpha _{in_i}\);

\( abs _i\) is a free variable of type \(\sigma _i \rightarrow \beta _i\);

\( rep _i\) is a free variable of type \(\beta _i \rightarrow \sigma _i\);


\(\alpha _{11}, \ldots , \alpha _{1n_1}, \ldots , \alpha _{m1}, \ldots , \alpha _{mn_m}, \beta _1, \ldots , \beta _m\) are distinct type variables;

q is a closed term of type \({\mathsf {bool}}\).
The general form of simple_new_type_specification described above certainly addresses all the technical objections to the existing mechanisms. However, type definitions are much less frequent than constant definitions and are often made using a package, e.g., to define programming language syntax. It is conceivable that the form of simple_new_type_specification that introduces just one new type may be a good compromise between the complexity of the logical principle and its use in practice, given that most users do not interact directly with the underlying definitional principle. An experiment to port one of the existing type definition packages to work with simple_new_type_specification would be a sensible next step in the evaluation of these proposals.
5 Concluding Remarks
The reader may have noted that the approach discussed in section 4 will typically introduce a new type whose defining property asserts the existence of various constructor and destructor functions immediately followed by an application of gen_new_specification to introduce constants for those functions. It is certainly possible to give a definitional principle that combines the features of gen_new_specification and simple_new_type_specification, simultaneously introducing new constants and new types (the variables representing abstraction and representation function would be permitted in the witnesses for the new constants). Details are left to the reader. The resulting definitional principle would subsume all the others considered in this paper. However it is not clear whether the extra complexity of such a rule merits the relatively modest reduction in clutter.
This paper has been concerned with definitions in higher-order logic, but definitional principles like \(\mathtt{new\_specification}\) are also of interest in implementations of first-order logic. ACL2’s encapsulate command [12] has much in common with \(\mathtt{new\_specification}\). From an historical perspective, it is interesting that the development of the precursor of encapsulate, the CONSTRAIN facility in NQTHM [5], was contemporary with the introduction of \(\mathtt{new\_specification}\) into HOL.
To return to higher-order logic, our new principle of constant definition seems to have been accepted by HOL developers and we believe it will prove a useful tool in improving the quality of specifications in HOL. The problem of reconciling the differences in the facilities offered for type definition between the various HOL implementations, via a common abstraction of what they provide that meets the design desiderata of all the systems, is a harder one, but we believe the work reported in this paper has made some useful progress in that direction.
Footnotes
1. The details of the mechanism for specifying the names of new constants are not important for present purposes.
2. At various places in this note, I sketch observations made by other people. The wording used is mine and not theirs and any misrepresentation is my responsibility.
3. One of the referees made the interesting suggestion that one could get rid of the existential quantifier by expanding it using the definition given in [8]. However, one would also have to expand out the universal quantifiers, conjunctions and implications on which that definition depends. The resulting term:
$$\begin{aligned}&\lambda p {\cdot }\, \left( \lambda P {\cdot }\, P = \left( \lambda x {\cdot }\, (\lambda p {\cdot }\, p) = (\lambda p {\cdot }\, p)\right) \right) \left( \lambda q {\cdot }\, \left( \lambda p {\cdot }\, \lambda q {\cdot }\, \left( \lambda p {\cdot }\, \lambda q {\cdot }\, \left( \lambda f {\cdot }\, f\,p\,q\right) = \left( \lambda f {\cdot }\, f \left( (\lambda p {\cdot }\, p) \right. \right. \right. \right. \right. \\&\left. \left. \left. \left. \left. \quad = (\lambda p {\cdot }\, p)\right) \left( (\lambda p {\cdot }\, p) = (\lambda p {\cdot }\, p)\right) \right) \right) p\,q = p\right) \left( \left( \lambda P {\cdot }\, P = \left( \lambda x {\cdot }\, (\lambda p {\cdot }\, p)\right. \right. \right. \right. \\&\left. \left. \left. \left. \quad = (\lambda p {\cdot }\, p)\right) \right) \left( x \left( \lambda p {\cdot }\, \lambda q {\cdot }\, \left( \lambda p {\cdot }\, \lambda q {\cdot }\, (\lambda f {\cdot }\, f\,p\,q)\right. \right. \right. \right. \right. \\&\left. \left. \left. \left. \left. \quad = \left( \lambda f {\cdot }\, f \left( (\lambda p {\cdot }\, p) = (\lambda p {\cdot }\, p)\right) \left( (\lambda p {\cdot }\, p) = (\lambda p {\cdot }\, p)\right) \right) \right) p\,q = p\right) (p\,x) q\right) \right) q\right) \end{aligned}$$
contains 118 subterms: 32 variable occurrences, 12 occurrences of the equality constant, 43 applications and 31 \(\lambda \)-abstractions. To include such a monster in the definition of the logic seems far worse than accepting a one-off definitional principle for bootstrapping. Moreover, an implementation would be required to include in its logical kernel some trustworthy means for recognising instances of this term.
4. In ProofPower, certain performance-critical aspects of the implementation of the semantic embedding of Z [18] have been fine-tuned around new_specification and an opportunity to rework this code has not yet arisen. In HOL4, some significant refactoring would be required to avoid a use of new_specification prior to the point in the system build where new_specification is defined in terms of gen_new_specification, and the best way to go about that refactoring is still under discussion.
5. The means for specifying the name of the new type constructor \({\mathsf {op}}\) and the list \(\alpha _1, \ldots , \alpha _n\) are not important here. ProofPower is slightly more general than HOL4 in allowing \(\alpha _j\) that do not appear in \(\sigma \) or p. However, the extra generality appears to be of no practical importance.
6. Note that with gen_new_specification, we could now take this as the definition of 0 and \({\mathsf {Suc}}\) if we wished, as suggested in observation RA2.
7. The principle as described in [2] allows both theorems to have additional closed formulas in the assumptions, but this does not add any extra generality, so we prefer the simpler form.
8. The means for specifying the name of the new type constructor \({\mathsf {op}}\) and the list of type variables \(\beta , \alpha _1, \ldots , \alpha _n\) are not important here.
9. Freek Wiedijk has proposed three axioms for the representation function that are intuitionistically acceptable and are classically equivalent to the axioms returned by define_ty_op. These axioms are \(\mathsf {rep}\,a = \mathsf {rep}\,b \vdash a = b\) (giving that \(\mathsf {rep}\) is one-to-one), \(\vdash p(\mathsf {rep}\,a)\) (giving that the range of \(\mathsf {rep}\) is contained in the extent of p) and \(p\,r, (\lambda a {\cdot }\, r = \mathsf {rep}\,a) = (\lambda a {\cdot }\, t) \vdash t\) (implying, taking \(t = \bot \), that the range of \(\mathsf {rep}\) contains the extent of p in classical logic). Unfortunately, in intuitionistic logic, these axioms do not seem to imply the result \(\vdash \forall r {\cdot }\, p\,r \Rightarrow (\exists a {\cdot }\, r = \mathsf {rep}\,a)\) that one would wish to hold when defining a new type in the intuitionistic fragment of HOL.
Acknowledgments
I would like to thank Gerwin Klein and Ruben Gamboa (the ITP 2014 Programme Chairs) and the ITP2014 and JAR referees as well as Mark Adams, Mario Carneiro, John Harrison, Joe Hurd, Roger Jones, Matt Kaufmann, Ramana Kumar, Ursula Martin, Magnus Myreen, Paulo Oliva, Scott Owens, Konrad Slind, Freek Wiedijk, and Makarius Wenzel for their kind assistance in divers ways in the preparation and publication of this paper.
References
1. Adams, M.: HOL Zero. http://www.prooftechnologies.com/holzero/
2. Pitts, A., et al.: The HOL System: Logic, 3rd edn. http://hol.sourceforge.net/documentation.html
3. Arthan, R.: HOL constant definition done right. In: Klein, G., Gamboa, R. (eds.) [13], pp. 531–536. doi: 10.1007/978-3-319-08970-6_34
4. Arthan, R., Jones, R.B.: Z in HOL in ProofPower. BCS FACS FACTS (2005-1). http://www.lemmaone.com/ProofPower/index/
5. Boyer, R.S., Goldschlag, D.M., Kaufmann, M., Moore, J.S.: Functional instantiation in first order logic. In: Lifschitz, V. (ed.) Artificial Intelligence and Mathematical Theory of Computation: Papers in Honor of John McCarthy, pp. 7–26. Academic Press, Boston (1991)
6. Diaconescu, R.: Axiom of choice and complementation. Proc. Am. Math. Soc. 51, 176–178 (1975)
7. Harrison, J.: Towards self-verification of HOL Light. In: International Joint Conference on Automated Reasoning (IJCAR). LNCS, vol. 4130. Springer (2006)
8. Harrison, J.: HOL Light: an overview. In: Berghofer, S., Nipkow, T., Urban, C., Wenzel, M. (eds.) TPHOLs. LNCS, pp. 244–259. Springer (2009)
9. Henkin, L.: Completeness in the theory of types. J. Symb. Log. 15, 81–91 (1950)
10. Homeier, P.V.: The HOL-Omega logic. In: Berghofer, S., Nipkow, T., Urban, C., Wenzel, M. (eds.) TPHOLs. LNCS, pp. 244–259. Springer (2009)
11. Hurd, J.: The OpenTheory standard theory library. In: Bobaru, M.G., Havelund, K., Holzmann, G.L., Joshi, R. (eds.) NASA Formal Methods. LNCS, vol. 6617, pp. 177–191. Springer, Berlin (2011)
12. Kaufmann, M., Moore, J.S.: Structured theory development for a mechanized logic. J. Autom. Reason. 26(2), 161–203 (2001)
13. Klein, G., Gamboa, R. (eds.): Interactive Theorem Proving—5th International Conference, ITP 2014, Held as Part of the Vienna Summer of Logic, VSL 2014, Vienna, Austria, July 14–17, 2014. Proceedings. Lecture Notes in Computer Science, vol. 8558. Springer (2014). doi: 10.1007/978-3-319-08970-6
14. Kumar, R., Arthan, R., Myreen, M.O., Owens, S.: HOL with definitions: semantics, soundness, and a verified implementation. In: Klein, G., Gamboa, R. (eds.) [13], pp. 308–324. doi: 10.1007/978-3-319-08970-6_20
15. Wenzel, M., et al.: The Isabelle/Isar Reference Manual. http://isabelle.in.tum.de/
16. Norrish, M., et al.: The HOL System: Description, 3rd edn. http://hol.sourceforge.net/documentation.html
17. Slind, K., Norrish, M.: A brief overview of HOL4. In: Theorem Proving in Higher Order Logics (TPHOLs). LNCS, vol. 5170. Springer (2008)
18. Spivey, J.: The Z Notation: A Reference Manual, 2nd edn. Prentice-Hall, Upper Saddle River (1992)
Copyright information
Open Access. This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.