Very few mathematical statements can be judged to be true or false solely by means of direct observation. Some statements, the axioms, have to be accepted as true without too much further argument. Other statements, the theorems, are believed because they are seen as logical consequences of the axioms by means of a proof. Proofs constitute the only effective mechanism for revealing truth in mathematics. We would naturally hope that all provable statements are indeed true. Most of us would also optimistically believe that any true statement has a proof, but such is not the case. Gödel showed that for any reasonably powerful formal system of axioms and inference rules, there are statements that can neither be proved nor disproved on the basis of the axioms and inference rules, and are therefore undecidable. Gödel also showed that for such formal systems, there could be no absolute proof that all provable statements were in fact true. In his proof, Gödel described a machine that could check if a given construction constituted a valid proof. It was hoped that one could similarly define a machine to discover the proof itself, but Church and Turing showed that such a machine could not exist. We show in this book that a machine, the Boyer–Moore theorem prover, can be used to check Gödel's proof of the existence of undecidable sentences.

The construction of an undecidable sentence of Z2 will be completed in this chapter. This construction involves

1. Enumerating Z2 proofs using a one-to-one mapping from Z2 proofs to the natural numbers.

2. Defining a Lisp predicate that searches for the first proof or disproof (i.e., proof of the negation) of the given formula in this enumeration of proofs, and returns T or F, accordingly. Let this “theorem checker” be of the form (Theorem X), where X is the given formula.

3. Using the representability of the above predicate to construct a sentence U which can be seen to assert, “(Theorem u) = F,” where u is the Lisp representation of U. It will be shown that if U is either provable or disprovable in Z2, then it is both provable and disprovable.

The Enumeration of Proofs

Proofs in Z2 are Lisp data structures constructed using Lisp constructors such as Cons, Add1, F-Not, F-Or, Forsome. If we can enumerate all such data structures, then we can also enumerate all Z2 proofs. This enumeration is achieved by mapping these data structures (z-expressions) to n-expressions and, in turn, mapping n-expressions to natural numbers. The mapping from z-expressions to n-expressions is performed by the function GCODE discussed in the previous chapter (page 99). The resulting n-expressions are enumerated by the function Numcode below. If X is a number, (Numcode X) returns the odd number 2X+1.

In the previous chapter we defined a proof-checking program to check formal proofs constructed according to the axioms and rules of inference of the formal system Z2. In order to make progress towards the goal of proving the incompleteness of Z2, we need to formally develop a small amount of mathematics within Z2. While it is true that constructing formal proofs is very tedious, we have no intention of abandoning formalized mathematics. We will show in this chapter that formal proofs can be constructed in bigger and more natural steps by using powerful derived inference rules. These are inference rules whose application can always be eliminated in favor of the primitive axioms and inference rules of Z2. In other words, the soundness of these rules can be proven as a metatheorem. These derived rules do not yield any new theorems but they make the process of formal proof construction more natural and less laborious.

We demonstrate how the Boyer–Moore theorem prover can be used to prove and use derived inference rules to construct nontrivial formal proofs. Most of this chapter is an exposition of one powerful derived inference rule which states that all propositional tautologies are theorems of Z2. We also list several other derived inference rules that were similarly proved.

Metamathematical Extensibility

While it is, in principle, possible to use the proof checker Proves to construct and check formal proofs of interesting theorems, it would require an unrealistic amount of labor.

The Church–Rosser theorem is a central metamathematical result about the lambda calculus. This chapter presents a formalization and proof of the Church–Rosser theorem that was verified using the Boyer–Moore theorem prover. The proof presented in this chapter is based on that of Tait and Martin-Löf. The mechanical proof illustrates the effective use of the Boyer–Moore theörem prover in proof-checking difficult metamathematical proofs. The syntactic representation of terms turns out to be crucial to the mechanical verification. The form of the formalization often significantly influences the ease or difficulty of a verification. We also compare the length of the proof input to the Boyer–Moore prover with the lengths of various informal presentations of proofs of the Church–Rosser theorem.

The lambda calculus was introduced by Church [Bar78a, Chu41] in order to study functions as rules of computation rather than as graphs of argument–value pairs. It was hoped that the lambda calculus would provide an alternative foundation for logic and mathematics. This aim has remained unfulfilled due to the appearance of contradictions when the lambda calculus was extended with logical notions. The lambda calculus has nevertheless been a fruitful medium for the study of functions and computations. The programming language in which the mechanical proof was formalized, a variant of pure Lisp [MAE+65], was one of the first languages whose design was influenced by the lambda calculus.

Specific conclusions associated with individual proofs have already been presented in the precedings chapters. In this chapter, we state some general conclusions and advance some specific comments on the Boyer–Moore theorem prover.

The social process by which mathematical arguments are scrutinized and accepted or rejected remains important even with the introduction of mechanized proof checking. The paper [MLP79] that we have quoted above, argues that mathematical proofs are interesting to mathematicians and are therefore examined with great care by means of the social process. The authors contend that proofs of computer programs are unlikely to be of similar interest to the social process. They express skepticism as to whether machine-assisted verification of programs and proofs could ever be feasible or illuminating. Though these arguments carry considerable weight, they are founded on some serious misconceptions on the role of proofs, formal proofs, and of mechanical verification. Proofs are not a means to obtaining certitude. As Lakatos [Lak76, page 48] writes, “the virtue of a logical proof is not that it compels belief, but that it suggests doubts.” While formalism might not always serve as a mechanism for the discovery of proofs or counterexamples, it can be used to expose the weaknesses in an argument and to isolate the assumptions on which an argument rests. Formalism is also useful in observing (and mechanizing) patterns of proofs.

The climactic step in Gödel's proof of the incompleteness theorem is the construction of a sentence asserting its own unprovability. Since provability is a metatheoretic notion, the construction of such a sentence within Z2 requires that some part of the metatheory of Z2 be represented within Z2 itself. The main result of this chapter is an outline of the proof of the representability of the metatheory of Z2 (as described in Chapter 2) within Z2. The formalization of the representability theorem is perhaps the single most substantial and difficult part of our mechanical verification. The machinery of derived inference rules developed in Chapter 3 is heavily exploited in the representability proofs. The representability theorem is used in the construction of the undecidable sentence in Chapter 5.

The contents of this and the succeeding chapter are quite complicated since they define and use a seemingly unmanageable variety of encodings. One encoding represents the syntax of Z2 expressions using only numbers and the pairing operation of Lisp, and another encoding represents these latter Lisp data structures as sets in Z2. The representability theorem then shows the correspondence (under the encoding) between the metatheoretic Lisp computations and certain kinds of proofs in Z2.

A Brief Overview

We saw in Chapter 2 how the metatheory of Z2 could be formalized in terms of Lisp functions such as Collect-Free, Subst, Prf, and Proves.

Thus began Gödel's 1931 paper [Göd67b] in which he demonstrated the existence of formally undecidable sentences in a wide class of formal systems. The first part of this book describes a formalization and proof of this theorem that was carried out according to a “few mechanical rules.” The proof here is not a direct mechanization of any particular previously published version of the incompleteness proof. The statement of the theorem differs from Gödel's original statement which involved the notion of w-consistency. The statement here only involves the weaker notion of consistency and this form of the theorem was first proved by Rosser [Ros36]. The theorem we establish asserts the incompleteness of cohen's Z2 [Coh66]. The first-order logic of Z2 is taken from that of Shoenfield [Sho67]. Various metatheorems about Z2 are formalized and proved using the Boyer–Moore theorem prover.

This chapter presents a complete description of the formal statement of the incompleteness theorem. The main part of this description is the definition of the metatheory of Z2 in terms of a Lisp representation for the formulas and proofs of Z2, and a Lisp predicate that checks the validity of Z2 proofs represented in this manner. The representation of the symbols (variables, functions, predicates) and expressions (terms, atomic formulas, negation, disjunction, quantification) is first described. Various operations are defined for checking the well-formedness of expressions along with the important operation of substitution.

Electronic computers are mostly used to automate clerical tasks, but it is well known that they can also be programmed to play chess, compose music, and prove mathematical theorems. Since logical, mathematical reasoning is one of the purer forms of human, intellectual thought, the automation of such reasoning by means of electronic computers is a basic and challenging scientific problem. This book is about how computers can be used to construct and check mathematical proofs. This use of computers relies on their symbolic and deductive capabilities and is radically different from their use as fast numerical calculators. The impact of computers as intellectual, rather than clerical, tools is likely to be quite profound. This book tries to demonstrate in a concrete way that the capabilities of computing machines in this regard are quite powerful. It describes proofs of some significant theorems of mathematical logic that were completely checked by means of a computer.

This chapter explains the concept of a structure as a collection of variables, this collection including nested structures if desired.

A structure can be handled in much the same way as a variable; you can copy a structure, assign to a structure, take the address of a structure with &, access the members of a structure. You may declare arrays of structures. You can nominate a structure as a parameter of a function or write a function that returns a structure.

This chapter introduces structures by analogy with arrays. The operators for accessing members are defined and their use explained Concepts are illustrated by an example of a library list in which to search for a book if you know its title or can remember only part of its title.

Unions and bitfields are introduced (a union is a structure in which members share storage space).

Having described structures and unions it is possible to define, fully, the syntax terms type and declaration. The allowable syntax of declaration differs according to context, so a separate diagram is drawn for each context.

Finally the chapter explains the idea of stacks and gives an example of their use in converting simple algebraic expressions to reverse Polish notation.

INTRODUCING STRUCTURES

Much of information handling is about updating and sorting lists of names and addresses. With each name and address may come other information: an amount of money owing, a list of diseases survived, a code indicating the subject's purchasing power or likelihood of signing an order.

This chapter contains summaries of information designed for quick reference. It contains:

• Operator summary, including a table showing the relative precedence of operators.

• Syntax summary, showing all syntax diagrams included in the text

• Library summary, listing alphabetically the prototypes of all library functions except those concerned with multi-byte characters and foreign locales.