A domain is a structure modelling the notion of approximation and of computation. A computation performed using an algorithm proceeds in discrete steps. After each step there is more information available about the result of the computation. In this way the result obtained after each step can be seen as an approximation of the final result. This final result may be reached after finitely many steps as, for example, when computing the greatest common divisor of two positive integers using the Euclidean algorithm. However, it may also be the case that a computation never stops, in which case the final result is the sequence of approximations obtained from each step in the computation. The latter situation occurs by necessity when computing on infinite objects such as real numbers. Thus an appropriate model of approximation can provide a good model of computation.

To be somewhat more technically precise, a domain is a structure having one binary relation ⊑, a partial order, with the intended meaning that x ⊑y just in case x is an approximation of y or y contains at least as much information as x. We also require that a domain should include a least element modelling no information. This is not necessary, but is useful for establishing the existence of fixed points. To model infinite computations we require a domain to be complete in the sense that each increasing sequence of approximations should be represented by an element in the domain, that is, should have a supremum.

The class of partial recursive functions is the mathematical abstraction of the class of partial functions computable by an algorithm. In this chapter we present them in the form of the μ-recursive functions. We then state some basic results, the main motivation being to set the stage for the theory of effective domains. Finally we show that the partial μ-recursive functions can be obtained from some simple initial functions using substitution and the fixed point theorem for computable functional. This illuminates the central role of taking fixed points and supports the claim of Chapter 1 that the function computed by an algorithm or a program is the least fixed point of a computable functional.

Section 9.1 Partial Recursive Functions

An algorithm for a class K of problems is a method or procedure which can be described in a finite way (a finite set of instructions) and which can be followed by someone or something to yield a computation solving each problem in K. The computation should proceed in discrete steps. For a given problem in K the procedure should say exactly how to perform each step in the computation. After performing a step, the procedure should prescribe how to do the next step. This next step must only depend on the problem and on the then existing situation, that is what has been done during previous steps.

Very few mathematical statements can be judged to be true or false solely by means of direct observation. Some statements, the axioms, have to be accepted as true without too much further argument. Other statements, the theorems, are believed because they are seen as logical consequences of the axioms by means of a proof. Proofs constitute the only effective mechanism for revealing truth in mathematics. We would naturally hope that all provable statements are indeed true. Most of us would also optimistically believe that any true statement has a proof, but such is not the case. Gödel showed that for any reasonably powerful formal system of axioms and inference rules, there are statements that can neither be proved nor disproved on the basis of the axioms and inference rules, and are therefore undecidable. Gödel also showed that for such formal systems, there could be no absolute proof that all provable statements were in fact true. In his proof, Gödel described a machine that could check if a given construction constituted a valid proof. It was hoped that one could similarly define a machine to discover the proof itself, but Church and Turing showed that such a machine could not exist. We show in this book that a machine, the Boyer–Moore theorem prover, can be used to check Gödel's proof of the existence of undecidable sentences.

The construction of an undecidable sentence of Z2 will be completed in this chapter. This construction involves

1. Enumerating Z2 proofs using a one-to-one mapping from Z2 proofs to the natural numbers.

2. Defining a Lisp predicate that searches for the first proof or disproof (i.e., proof of the negation) of the given formula in this enumeration of proofs, and returns T or F, accordingly. Let this “theorem checker” be of the form (Theorem X), where X is the given formula.

3. Using the representability of the above predicate to construct a sentence U which can be seen to assert, “(Theorem u) = F,” where u is the Lisp representation of U. It will be shown that if U is either provable or disprovable in Z2, then it is both provable and disprovable.

The Enumeration of Proofs

Proofs in Z2 are Lisp data structures constructed using Lisp constructors such as Cons, Add1, F-Not, F-Or, Forsome. If we can enumerate all such data structures, then we can also enumerate all Z2 proofs. This enumeration is achieved by mapping these data structures (z-expressions) to n-expressions and, in turn, mapping n-expressions to natural numbers. The mapping from z-expressions to n-expressions is performed by the function GCODE discussed in the previous chapter (page 99). The resulting n-expressions are enumerated by the function Numcode below. If X is a number, (Numcode X) returns the odd number 2X+1.

In the previous chapter we defined a proof-checking program to check formal proofs constructed according to the axioms and rules of inference of the formal system Z2. In order to make progress towards the goal of proving the incompleteness of Z2, we need to formally develop a small amount of mathematics within Z2. While it is true that constructing formal proofs is very tedious, we have no intention of abandoning formalized mathematics. We will show in this chapter that formal proofs can be constructed in bigger and more natural steps by using powerful derived inference rules. These are inference rules whose application can always be eliminated in favor of the primitive axioms and inference rules of Z2. In other words, the soundness of these rules can be proven as a metatheorem. These derived rules do not yield any new theorems but they make the process of formal proof construction more natural and less laborious.

We demonstrate how the Boyer–Moore theorem prover can be used to prove and use derived inference rules to construct nontrivial formal proofs. Most of this chapter is an exposition of one powerful derived inference rule which states that all propositional tautologies are theorems of Z2. We also list several other derived inference rules that were similarly proved.

Metamathematical Extensibility

While it is, in principle, possible to use the proof checker Proves to construct and check formal proofs of interesting theorems, it would require an unrealistic amount of labor.

The Church–Rosser theorem is a central metamathematical result about the lambda calculus. This chapter presents a formalization and proof of the Church–Rosser theorem that was verified using the Boyer–Moore theorem prover. The proof presented in this chapter is based on that of Tait and Martin-Löf. The mechanical proof illustrates the effective use of the Boyer–Moore theörem prover in proof-checking difficult metamathematical proofs. The syntactic representation of terms turns out to be crucial to the mechanical verification. The form of the formalization often significantly influences the ease or difficulty of a verification. We also compare the length of the proof input to the Boyer–Moore prover with the lengths of various informal presentations of proofs of the Church–Rosser theorem.

The lambda calculus was introduced by Church [Bar78a, Chu41] in order to study functions as rules of computation rather than as graphs of argument–value pairs. It was hoped that the lambda calculus would provide an alternative foundation for logic and mathematics. This aim has remained unfulfilled due to the appearance of contradictions when the lambda calculus was extended with logical notions. The lambda calculus has nevertheless been a fruitful medium for the study of functions and computations. The programming language in which the mechanical proof was formalized, a variant of pure Lisp [MAE+65], was one of the first languages whose design was influenced by the lambda calculus.

Specific conclusions associated with individual proofs have already been presented in the precedings chapters. In this chapter, we state some general conclusions and advance some specific comments on the Boyer–Moore theorem prover.

The social process by which mathematical arguments are scrutinized and accepted or rejected remains important even with the introduction of mechanized proof checking. The paper [MLP79] that we have quoted above, argues that mathematical proofs are interesting to mathematicians and are therefore examined with great care by means of the social process. The authors contend that proofs of computer programs are unlikely to be of similar interest to the social process. They express skepticism as to whether machine-assisted verification of programs and proofs could ever be feasible or illuminating. Though these arguments carry considerable weight, they are founded on some serious misconceptions on the role of proofs, formal proofs, and of mechanical verification. Proofs are not a means to obtaining certitude. As Lakatos [Lak76, page 48] writes, “the virtue of a logical proof is not that it compels belief, but that it suggests doubts.” While formalism might not always serve as a mechanism for the discovery of proofs or counterexamples, it can be used to expose the weaknesses in an argument and to isolate the assumptions on which an argument rests. Formalism is also useful in observing (and mechanizing) patterns of proofs.

The climactic step in Gödel's proof of the incompleteness theorem is the construction of a sentence asserting its own unprovability. Since provability is a metatheoretic notion, the construction of such a sentence within Z2 requires that some part of the metatheory of Z2 be represented within Z2 itself. The main result of this chapter is an outline of the proof of the representability of the metatheory of Z2 (as described in Chapter 2) within Z2. The formalization of the representability theorem is perhaps the single most substantial and difficult part of our mechanical verification. The machinery of derived inference rules developed in Chapter 3 is heavily exploited in the representability proofs. The representability theorem is used in the construction of the undecidable sentence in Chapter 5.

The contents of this and the succeeding chapter are quite complicated since they define and use a seemingly unmanageable variety of encodings. One encoding represents the syntax of Z2 expressions using only numbers and the pairing operation of Lisp, and another encoding represents these latter Lisp data structures as sets in Z2. The representability theorem then shows the correspondence (under the encoding) between the metatheoretic Lisp computations and certain kinds of proofs in Z2.

A Brief Overview

We saw in Chapter 2 how the metatheory of Z2 could be formalized in terms of Lisp functions such as Collect-Free, Subst, Prf, and Proves.

Thus began Gödel's 1931 paper [Göd67b] in which he demonstrated the existence of formally undecidable sentences in a wide class of formal systems. The first part of this book describes a formalization and proof of this theorem that was carried out according to a “few mechanical rules.” The proof here is not a direct mechanization of any particular previously published version of the incompleteness proof. The statement of the theorem differs from Gödel's original statement which involved the notion of w-consistency. The statement here only involves the weaker notion of consistency and this form of the theorem was first proved by Rosser [Ros36]. The theorem we establish asserts the incompleteness of cohen's Z2 [Coh66]. The first-order logic of Z2 is taken from that of Shoenfield [Sho67]. Various metatheorems about Z2 are formalized and proved using the Boyer–Moore theorem prover.

This chapter presents a complete description of the formal statement of the incompleteness theorem. The main part of this description is the definition of the metatheory of Z2 in terms of a Lisp representation for the formulas and proofs of Z2, and a Lisp predicate that checks the validity of Z2 proofs represented in this manner. The representation of the symbols (variables, functions, predicates) and expressions (terms, atomic formulas, negation, disjunction, quantification) is first described. Various operations are defined for checking the well-formedness of expressions along with the important operation of substitution.

Electronic computers are mostly used to automate clerical tasks, but it is well known that they can also be programmed to play chess, compose music, and prove mathematical theorems. Since logical, mathematical reasoning is one of the purer forms of human, intellectual thought, the automation of such reasoning by means of electronic computers is a basic and challenging scientific problem. This book is about how computers can be used to construct and check mathematical proofs. This use of computers relies on their symbolic and deductive capabilities and is radically different from their use as fast numerical calculators. The impact of computers as intellectual, rather than clerical, tools is likely to be quite profound. This book tries to demonstrate in a concrete way that the capabilities of computing machines in this regard are quite powerful. It describes proofs of some significant theorems of mathematical logic that were completely checked by means of a computer.

This chapter gives an example to illustrate the idea of an abstraction relationship between two hardware models which was introduced in chapter 4. The two models considered are the threshold switching model of CMOS transistor behaviour defined in chapter 5 and the simpler switch model defined in chapter 2.

Both of these models of the CMOS technology are, of course, abstractions of the physical reality they represent, and both models are therefore bound to be inaccurate in some respects. But the switch model is also an abstraction of the threshold switching model, in the sense that both models describe the same set of primitive components—power, ground, N-type and P-type transistors—but the switch model presents a more abstract view of these components. The threshold switching model reflects the fact that real CMOS transistors do not pass both logic levels equally well. But in the more abstract (and therefore simpler) switch model, this aspect of transistor behaviour is ignored.

The switch model is less accurate than the threshold switching model; a circuit that can be proved correct using the switch model may in fact be incorrect according to the threshold switching model. For certain circuits, however, the two models are effectively equivalent. For these circuits, a proof of correctness in the switch model amounts to a proof of correctness in the threshold switching model. The switch model is an adequate basis for verification of these circuits, and the extra accuracy of the more complex threshold switching model is not needed.

This book shows how formal logic can be used to reason about the behaviour of digital hardware designs. The main focus is on a fundamental tool for dealing with the complexity of this activity—namely the use of abstraction in bridging the gaps between logical descriptions of hardware at different levels of detail.

The text of this book was adapted from a Ph.D. dissertation on abstraction mechanisms for reasoning about hardware, written at the University of Cambridge Computer Laboratory. This work was originally motivated by my experience with using the LCF_LSM theorem prover to verify the correctness of an associative memory device intended for use in a local area network. This device comprised 37 SSI and MSI TTL chips, the most complex of which was an AM 2910 microprogram controller. Although the design was straightforward, its verification using the LCF_LSM system was remarkably difficult. The main problem was simply the almost intractably large size of the intermediate theorems generated during the proof. Single theorems were generated that were hundreds of lines long, and several minutes or even several hours of CPU time were needed to manipulate them. The proof was completed only with considerable difficulty—unfortunately, some time after the LCF_LSM system had become obsolete.

These difficulties were for the most part due not to problems with the LCF_LSM theorem prover itself, but to deficiencies in the underlying formalism for hardware verification supported by the system.