Reasoning about partial functions in the formal development of ...

AVoCS 2005

Reasoning about partial functions in the formal development of programs Cliff B. Jones 1 School of Computing Science University of Newcastle upon Tyne Newcastle, NE1 7RU, UK

Abstract Partial functions and operators are used extensively in the formal development of programs and thus development methods have to clarify how to reason about them. There are a number of approaches which cover up the fact that “First Order Predicate Calculus” does not handle undefined logical values. There is also at least one specific “Logic of Partial Functions” (LPF) which tackles the issue at its root by using a weaker logic. Recently, we have come to realise that LPF fits a particular way of developing programs. This paper explains why LPF is a suitable logic for “posit and prove” development and explores some problems that other approaches present. Key words: Logic, partial functions, formal development

1

Introduction

I want to argue that classical “First Order Predicate Calculus” (FOPC), though widely used, is not the best logic for reasoning about the development of programs (in fact, of digital systems more generally). There are many approaches to handling partial functions and Section 4 attempts to provide a structure within which alternatives can be understood. Before looking at alternative approaches, let’s first see that there is a problem: which of the following expressions do you expect to be true? 5/0 = 1 ∨ 5/0 6= 1 ∀i ∈ Z · fact(i ) ≥ 0 ∨ fact(−i ) ≥ 0 hd [ ] = 5 1

Email: [email protected] This paper is electronically published in Electronic Notes in Theoretical Computer Science URL: www.elsevier.nl/locate/entcs

Jones

The first of these is an instance of the “law of the excluded middle” (p ∨ ¬ p). Although Hamlet uttered an instance of this, the expression looks unconvincing with undefined arithmetic expressions embedded in the relations. Abandoning the law of the excluded middle leads us to a logic which is weaker than FOPC. In contrast, I should like to view the universally quantified expression about factorial as true: it is the case that (assuming fact is partial — only defined on the positive integers) that, for any i , one of the disjuncts is undefined; but, since the other is in those cases true, the overall expression should be true. It is shown below that attempts to “guard” terms do not cope with such expressions. The final expression is intended as a pointer to a problem with one specific approach to reasoning about undefined values (Section 4.4 indicates how it might come to be true). The point is not that one would choose to write this expression alone; but there are many cases in developing programs from descriptions in terms of abstract objects where partial operators like those on sequences or mappings arise (see Section 3). Some time ago, we proposed using “LPF” [BCJ84,CJ91,JM94]. I have come to realise that LPF fits rather closely my view of developing programs. This statement is not to be read as just “fit with VDM” [Jon90] but to apply more widely to “posit and prove” approaches. We’ll first look at this notion of development and then at this “weaker” logic (LPF) per se and, finally, some alternatives. John Reynolds [Rey98] argues “Such partial-function logics are an important topic of current research”. In addition, a number of Global Challenges 2 are being discussed: that on “The Program Verifier” 3 could result in shifting theorems between theorem proving systems: I’m not after a standard — more, an acknowledgement we might have to pass axiom systems about rather than just logical expressions. This point was reinforced at the IFIP TC2 organised VSTTE Working Conference 4 during discussions on a “Proof Bus”. 1.1

A key example

Many specification notations permit the definition of partial (recursive) functions like that at the beginning of Figure 1. The definition of subp (over pairs on integers) is contrived so as to deliberately introduce the problem of partiality in a simple enough guise to tease out the main issues below. 5 The function subp is intended to compute i − j for any pair of integers where i ≥ j ; for i < j , subp(i , j ) is a non-denoting term (i.e. a term which does not denote a values of the intended type); non-denoting terms are sometimes loosely referred to as “undefined terms” and where we need to represent them they are written as ⊥Z or ⊥B . 2

See http://www.ukcrc.org.uk/gcresearch.pdf See http://www.fmnet.info/gc6/fm05/ 4 See http://vstte.inf.ethz.ch/index.html 5 Simplified examples are always open to the objection that they can be handled by simple methods or at least do not justify complicated extensions of standard concepts. The reader should consider examples like the lack of cycles in a ‘bill of materials’ (cf. [Jon90, p156]) or the consistency of a database with its data dictionary before underestimating the problem of partiality. 3

2

Jones

The explicit definition of subp is: subp : Z × Z → Z subp(i , j ) 4 if i = j then 0 else subp(i , j + 1) + 1 The least fixed point is: subp = {((i , j ), i − j ) | i , j ∈ Z ∧ i ≥ j } Our “key implication”: ∀i , j ∈ Z · i ≥ j ⇒ subp(i , j ) = i − j Its contrapositive: ∀i , j : Z · subp(i , j ) 6= i − j ⇒ i < j An intuitive property: ∀i , j ∈ Z · subp(i , j ) = i − j ∨ subp(j , i ) = j − i Fig. 1. The function subp

We take meaning of the recursive definition of subp to be the least fixed point shown in Figure 1. This interpretation of recursive definitions corresponds with computational intuition in the sense that it defines all of the pairs that can be reached by terminating applications of subp and no others. We can write the earlier observation about subp as the plausible implication (which is referred to below as “the key implication”) in Figure 1. The truth of this seemingly innocent quantified formula depends on implications such as 1 ≥ 2 ⇒ subp(1, 2) = 1 − 2 Notice that the input tuple (1, 2) is not in the domain of the graph; in other words, subp(1, 2) does not –in the least fixed point– denote an integer. The preceding expression thus reduces to false ⇒ ⊥Z = −1 If one takes the equality (=) to be a computational or “weak” equality, this further reduces to false ⇒ ⊥B Since FOPC does not handle undefined, one is faced with some delicate questions: is the consequent of the implication evaluated if the antecedent is false? Is our key implication equivalent to its contrapositive? This last of course includes the evaluation of ⊥Z = 6 −1 ⇒ true ⊥B ⇒ true Finally, the analogue of the second formula at the start of Section 1 is the last expression in Figure 1: can it be proved? Some of the approaches considered in Section 4 come up with surprising answers to such questions but first Section 2.2 looks at how to prove and use the key implication in LPF and then discusses further challenges in Section 3). 1.2

“Posit and prove” development

Development methods like VDM [Jon90] and B [Abr96] provide ways of developing programs (digital systems) which correspond well with a developer’s intuition: 3

Jones

∀i , j : Z · i ≥ j ⇒ subp(i , j ) = i − j | {z } term §4.4 | {z } relation §4.3 | {z } expression §4.2 | {z } disallow §4.1 Fig. 2. Diagrammatic representation of how putative solutions contain undefinedness

steps of development by operation decomposition or data reification are “posited” which gives rise to proof obligations which the designer should justify. We choose here to illustrate the sort of proofs which arise on functions since this avoids most of the specific notation of one method or another. We look at function definitions, properties thereof, and the subsequent use of these properties. Looking at the “key implication” from Figure 1, one can ask where the problem of undefined is to be “caught”: the options can be pictured as in Figure 2 (fuller explanations and comments on pros/cons in Section 4). If one is prepared to abandon the normal notation for function application and write f (x ) = v as (x , v ) ∈ f , one might rewrite the key implication as membership of the graph of subp. ∀i , j : Z · i ≥ j ⇒ ((i , j ), i − j ) ∈ subp A key issue in reasoning about (recursive) functions is how to use their definitions in proofs. In this style, the intuition about the definition of subp is captured by ((i , i ), 0) ∈ subp ((i , j + 1), k ) ∈ subp ⇒ ((i , j ), k + 1) ∈ subp Another issue for a notation which handles partial functions is the use of established properties in further proofs. It is clear that the loss of the standard notation for application could result in heaviness. The circumlocutions to use the graph of the function become even more tedious where there in no expression for the expected value (see Section 4.1.1). The essential virtue of the graph notation is that (x , v ) ∈ f is false (for all v ) when x is not in the domain of f . This is a clue to the next approach which is to use various notions of equality: that in the function definition must be computational (or “weak”) in the sense that undefined if either (or both) operand is undefined; mathematically there is no difficulty in using non-strict equalities such as “Strong” or existential equality (which is false if either operand is undefined). 6 Thus, the key implication could be rewritten as: ∀i , j : Z · i ≥ j ⇒ subp(i , j ) =∃ i − j 6

See Section 4.3 for a discussion of alternative “equality” relations.

4

Jones

from E1 ∨ E2 ∧ E3 1

from E1

1.1

E1 ∨ E2

∨-I (h1)

1.2

E1 ∨ E3

∨-I (h1)

infer (E1 ∨ E2 ) ∧ (E1 ∨ E3 ) 2 2.1

∧-I (1.1, 1.2)

from E2 ∧ E3 (E1 ∨ E2 ) ∧ E3

∧-subs(∨-I )(h2)

infer (E1 ∨ E2 ) ∧ (E1 ∨ E3 ) ∧-subs(∨-I )(2.1) infer (E1 ∨ E2 ) ∧ (E1 ∨ E3 )

∨-E (h, 1, 2)

Fig. 3. A natural deduction proof in LPF

2

LPF

This section introduces and deploys my preferred approach. It is a key objective of this style of reasoning that formulae can be understood compositionally: that is, the meaning of an expression should depend only on the meaning of its parts. 2.1

Axiomatization and proofs

The difference between LPF and FOPC comes down to the absence/presence of the “law of the excluded middle”. Full axiomatizations are given elsewhere (for an untyped version in [Che86] and for the more commonly used typed version in [JM94]) but Table A.2 in Appendix A shows the essence of the deduction rules. The obvious difference from FOPC is rules like ¬ ∨ -I which are necessitated by the omission of the law of the excluded middle. A typical LPF proof is given in Figure 3. As one can see, this looks like a standard Natural Deduction proof. Implication is defined in the standard way and some rules about implication are given in Table A.3. The only surprise here is the rule for ⇒ -I : the deduction theorem does not hold. Knowing that E1 ` E2 does not permit the conclusion that ` E1 ⇒ E2 because ⊥Bool ` ⊥Bool is not the same as ` ⊥Bool ⇒ ⊥Bool . A selection of predicate rules is given in Table A.4. It is worth noting that LPF can be made to coincide exactly with FOPC if one records (on the left of the turnstile) that all predicates are in fact defined. 2.2

Proofs about recursive functions in LPF

It is possible to use definitions of (recursive) functions directly in LPF but this can lead straight back to reasoning about multiple notions of equality. It is much better 5

Jones

from i , j ∈ Z 1

i −0=i

2

subp(i , i ) = 0

3

subp(i , i − 0) = 0

4

from n ∈ N; subp(i , i − n) = n

h, Z h, subp-b = -subs(1, 2)

4.1

i − (n + 1) ∈ Z

h, h4, Z

4.2

i 6= i − (n + 1)

h, h4, Z

infer subp(i , i − (n + 1)) = n + 1 h, 4.1, 4.2, h4, subp-i 5

∀n ∈ N · subp(i , i − n) = n

6

from i ≥ j

6.1

∀-I (N-ind (3, 4))

(i − j ) ∈ N

N, h6

infer subp(i , j ) = i − j 7

∀-E (5, 6.1), Z

δ(i ≥ j )

h, Z

infer i ≥ j ⇒ subp(i , j ) = i − j

⇒ -I (6, 7)

Fig. 4. Proof of key subp Lemma

to follow the idea used above with graphs of functions and, as explained in [JM94], reason about the definition of subp via two inference rules: i ∈Z subp-b

subp(i , i ) = 0

i , j ∈ Z; i 6= j ; subp(i , j + 1) = k subp-i

subp(i , j ) = k + 1

Notice that these rules are a syntactic rewrite of the definition in Figure 1. An LPF proof of the key subp Lemma is given in Figure 4. In subsequent developments, we want to use such properties. Again, this works naturally in LPF. For example, the proof of the property given last in Figure 1 is presented in Figure 5.

3

Further challenges

Some indication of the difficulty of the problem is I tried three distinct “solutions” before settling on LPF. A special workshop at the 1996 Conference on Automated Deduction (CADE) conference was dedicated to mechanisation issues surrounding 6

Jones

from i , j ∈ Z 1

i ≥j ∨i j ⇒ subp(i , j ) > 0 ∀i , j ∈ Z · i ≥ j ⇒ subp(i , j ) ∈ N ∀i , j ∈ Z · i ≥ j ⇒ subp(i + 1, j ) 6= subp(i , j ) etc. would all need to be reformulated before proof could be considered. The redefinition of operators in the case of subp(i , j ) < i − j ∨ subp(i , j ) ≥ i − j is even less clear because there are various ways to view the operators: x < y ⇔ ¬ (x ≥ y) ⇔ (x ≤ y ∧ x 6= y) x ≤ y ⇔ (x < y ∨ x = y) ⇔ ¬ (x > y) Finally it must be added that the subp example has caused this discussion to focus on relational operators; in general this approach needs to take a non-strict approach to predicates. 4.4

Making all function applications denote

One way to eliminate difficulties caused by terms that fail to denote is to insist that all terms do in fact denote something. If the problem of ‘non-denoting’ terms is handled at the term level, unconventional interpretations of predicates or logical operators can be avoided. Thus: 1 ≥ 2 ⇒ subp(1, 2) = 1 − 2 | {z } ∈Z | {z } ∈B | {z } ∈B

The question then, of course, is what should subp(1, 2) denote? One approach is to answer that it denotes an arbitrary value in the range of the function. Thus, for example, one would say that subp(1, 2) denotes an arbitrary integer. This ensures that the consequent of the implication denotes a truth value — whether this is true or false is of no import since the fact that the consequent of the implication is false ensures that the overall value of the implication is true. This is all standard FOPC. This approach is espoused in [GS95,GS96], together with some versions of Z [Wor92,WB92,Woo91] and of Lambda [FFL96]; it appears to be the norm which has evolved for Z. What are the disadvantages of this approach? First, the interpretation of the definition of subp as denoting the least fixed point has been abandoned. The decision 14

Jones

to let subp(1, 2) denote an arbitrary value means that some extension of the graph of subp is required. Such arbitrary extensions bring problems. For example, there is a subtle distinction between under-determined functions and non-determinacy (cf. [LH96]) to be considered — is it true that: subp(1, 2) = subp(1, 2) There is a quagmire of implications for a notion of implementing such functions: is an implementor of subp forced to implement surprising “identities” such as: subp(1, 2) = subp(1, 3) + 1 Some authors –notably [GS96]– wisely try to circumvent this question by insisting that recursive functions are defined in a way which reflects where they denote. Thus the earlier definition is replaced by (∀i ·: Z |: subp(i , i ) = 0) (∀i ·, j : Z | i > j : subp(i , j ) = subp(i , j + 1) + 1) On the positive side, this proposal facilitates a pleasant proof style (cf. [GS96]); but unfortunately it also has its own problems. Abandoning the normal style of recursive definition could be regarded as a disadvantage. Furthermore this is followed by the question of how –in general– to identify the cases given in such definitions. Notice that the original definition of subp had a test of i 6= j (and that this gave rise to a defined least fixed point); the condition (i > j ) in the Gries/Schneider style has to be deduced; although this is straightforward here, it will be difficult in many cases and undecidable in general. (The same problem remains with Leavens’ Larch-based ‘rebuttal’ [Lea96] of [Jon95].) This approach shares with the ‘order sorted algebra’ the difficulty of defining the precise conditions of definition. Further warnings about the consequences of this approach are given in [Jon95]: basically it is pointed out that, in a specification language in which one element types can be defined, the notion of an “arbitrary result” in a range type appears to result in unintended over-specification. For example, if it is possible to define a sub-class of the integers which has only one element (say 5), then for a list of such a type, one might be forced to conclude that hd [ ] = 5!

5

Conclusions

My preference for handling undefined values –as they arise, for example, from partial function application– is to use a non-standard logic. Given appropriate tool support (e.g. [JJLM91]), reasoning is no less natural than in FOPC. Precisely the hope (in various “Grand Challenges”) that we are about to see coherent effort on linking tools for reasoning about digital designs makes it important to face the question of moving logical expressions between different logical systems. 15

Jones

There is a hint in Section 1.2 that it ought be possible to prove that there is a precise relationship between those statements which can be reformulated using the notation of membership of the graph of a function and those using existential equality. Michael Goldsmith asked a question at AVoCS which points to a more interesting conjecture: are the statements which can be written with existential equality also (under a fixed rewriting) the same as those which can be proved with LPF?

Acknowledgements A paper with some of this content was initiated after a discussion at an IFIP Working Group 2.3 meeting in July 1995 at Cornell University. David Gries and Fred Schneider have a different (from LPF) preference as to the best way to handle undefined values. Our intention was to write joint “comparative” paper but this never made progress beyond a (one sided) draft that was presented at the CADE Workshop on Partial Functions in July 1996. The kind invitation to give an invited talk at AVoCS prompted me to reconsider the questions in the light of the “grand challenge” debate. 9 I am grateful for stimulating discussions on the topics of this paper with John Fitzgerald and Michael Goldsmith. My research is supported by EPSRC (UK) funding for the “Dependability IRC” (DIRC — see www.dirc.org.uk) and for “Splitting Atoms Safely”; and by EU-IST funding for “Rodin” (see rodin.cs.ncl.ac.uk).

References [Abr96] J.-R. Abrial. The B-Book: Assigning programs to meanings. University Press, 1996.

Cambridge

[Art96] R. Arthan. Undefidness in Z: Issues in specification and proof. In Farmer et al. [FKK96], pages 3–12. [BCJ84] H. Barringer, J.H. Cheng, and C. B. Jones. A logic covering undefinedness in program proofs. Acta Informatica, 21:251–269, 1984. [BFL+ 94] J. C. Bicarregui, J. S. Fitzgerald, P. A. Lindsay, R. Moore, and B. Ritchie. Proof in VDM: A Practitioner’s Guide. FACIT. Springer-Verlag, 1994. ISBN 3-54019813-X. [Bla80] S.R. Blamey. Partial Valued Logic. PhD thesis, Oxford University, 1980. [Bla86] S. Blamey. Partial logic. In D. Gabbay and F. Guenthuer, editors, Handbook of Philosophical Logic, Volume III, chapter 1. Reidel, 1986. 9

This statement is being typed while at the IFIP TC2 Working Conference on “Verified Software: Theories, Tools, Experiments”.

16

Jones

[Bli88] A. Blikle. Three-valued predicates for software specification and validation. In R. Bloomfield, L. Marshall, and R. Jones, editors, VDM—The Way Ahead, pages 243–266. Springer-Verlag, 1988. Lecture Notes in Computer Science, Vol. 328. [Che86] J.H. Cheng. A Logic for Partial Functions. Manchester, 1986.

PhD thesis, University of

[CJ91] J. H. Cheng and C. B. Jones. On the usability of logics which handle partial functions. In C. Morgan and J. C. P. Woodcock, editors, 3rd Refinement Workshop, pages 51–69. Springer-Verlag, 1991. [Dij76] E. W. Dijkstra. A Discipline of Programming. Prentice-Hall, 1976. [Dri88] D. Driankov. Towards a many-valued logic of quantified belief. Technical Report 192, Link¨oping Studies in Science and Technology, 1988. [Far96] W. Farmer. Mechanizing the traditional approach to partial functions. In Farmer et al. [FKK96], pages 27–32. [FF90] S. Finn and M. P. Fourman. Logic manual for the Lambda system. Technical Report Version 3.2, Abstract Hardware Limited, 1990. [FFL96] S. Finn, M. P. Fourman, and J. Longley. Partial functions in a total setting. Journal of Automated Reasoning, accepted for publication, 1996. [FKK96] William Farmer, Manfred Kerber, and Michael Kohlhase, editors. Proceedings of the Workshop on the Mechanization Of Partial Functions, 1996. [GM92] J. Goguen and J. Meseguer. Order-sorted algebra I: Equational deduction for multiple inheritance, overloading, exceptions and partial operations. Theoretical Computer Science, 105:217–273, 1992. [Gri81] D. Gries. The Science of Programming. Springer-Verlag, 1981. [Gro92] The RAISE Language Group. The RAISE Specification Language. Practitioner Series. Prentice Hall, 1992. ISBN 0-13-752833-7.

BCS

[GS95] David Gries and Fred B Schneider. Avoiding the undefined by underspecification. In Jan van Leeuwen, editor, Computer Science Today: Recent Trends and Developments, volume 1000 of Lecture Notes in Computer Science, pages 366–373. Springer-Verlag, 1995. [GS96] David Gries and Fred B Schneider. A Logical Approach to Discrete Math. Springer-Verlag, second edition, 1996. [JJLM91] C. B. Jones, K. D. Jones, P. A. Lindsay, and R. Moore. mural: A Formal Development Support System. Springer-Verlag, 1991. ISBN 3-540-19651-X. [JM94] C.B. Jones and C.A. Middelburg. A typed logic of partial functions reconstructed classically. Acta Informatica, 31(5):399–430, 1994. [Jon72] C. B. Jones. Formal development of correct algorithms: an example based on Earley’s recogniser. In SIGPLAN Notices, Volume 7 Number 1, pages 150–169. ACM, January 1972.

17

Jones

[Jon90] C. B. Jones. Systematic Software Development using VDM. Prentice Hall International, second edition, 1990. ISBN 0-13-880733-7. [Jon95] C.B. Jones. Partial functions and logics: A warning. Information Processing Letters, 54(2):65–67, 1995. [KK96] Manfred Kerber and Michael Kohlhase. Partiality without the cost. In Farmer et al. [FKK96], pages 65–76. [Kle52] S. C. Kleene. Introduction to Metamathematics. Van Nostrad, 1952. [Kol76] G. Koletsos. Sequent calculus and partial logic. Master’s thesis, Manchester University, 1976. [Kri88] B. Krieg-Br¨uckner. The PROSPECTRA methodology of program development. In J Zalewski, editor, IFIP/IFAC Working Conference on Hardware and Software for Real-Time Process Control, pages 257–271. North Holland, 1988. [Lea96] Gary T Leavens. Protection from the unspecified. Submitted to ACM SIGSOFT Symposium on Foundations of Software Engineering, 1996. [LH96] Peter Gorm Larse and Bo Stig Hansen. Semantics of under-determined expressions. Formal Aspects of Computing, 8(1):47–66, 1996. [Luc69] P. Lucas. Note on strong meanings of logical operators. Technical Report LN 25.3.051, IBM Laboratory Vienna, 1969. [Łuk20] J. Łukasiewicz. O logice tr´ojwarto´sciowej. Ruch Filozoficzny, pages 169–171, 1920. Translated as (On three-valued logic) in Polish Logic 1920–39, S. McCall (ed.), Oxford U.P., 1967. [LW69] P. Lucas and K. Walk. On The Formal Description of PL/I, volume 6 of Annual Review in Automatic Programming Part 3. Pergamon Press, 1969. [McC63] J. McCarthy. Predicate calculus with ’undefined’ as a truth-value. Technical Report AI Memo 1, Stanford Artificial Intelligence Project, March 22nd 1963. [McC67] J. McCarthy. A basis for a mathematical theory for computation. In P. Braffort and D. Hirschberg, editors, Computer Programming and Formal Systems, pages 33–70. North-Holland Publishing Company, 1967. [MM69] Z. Manna and J. McCarthy. Properties of programs and partial function logic. In B. Meltzer and D. Michie, editors, Machine Intelligence, 5, pages 27–37. Edinburgh University Press, 1969. [Rey98] John C. Reynolds. Theories of Programming Languages. University Press, 1998. ISBN 0-521-5914-6.

Cambridge

[Sco79] D. S. Scott. Identity and existence in intuitionistic logic. In Lecture Notes in Mathematics (Volume 735). Springer-Verlag, 1979. [Spi88] J.M. Spivey. Understanding Z—A Specification Language and its Formal Semantics. Cambridge Tracts in Computer Science 3. Cambridge University Press, 1988.

18

Jones

[Ten87] R.D. Tennent. A note on undefined expression values in programming logic. Information Processing Letters, 24(5), March 1987. [Urq86] A. Urquhart. Many-valued logic. In D. Gabbay and F. Guenthuer, editors, Handbook of Philosophical Logic, Volume III, chapter 2. Reidel, 1986. [WB92] J.C.P. Woodcock and S.M. Brien. W: A logic for Z. In J.E. Nicholls, editor, Z User Workshop, York 1991, Workshops in Computing, pages 77–96. SpringerVerlag, 1992. [Woo91] J. C. P. Woodcock. A primer on proof in Z, 1991. [Wor92] J. B. Wordsworth. Software Development with Z. Addison-Wesley, 1992.

A

LPF

A.1

Truth tables of some propositional operators ∧

true ⊥B

false

∨

true true ⊥B

false

true true true true

⊥B

false

⊥B

⊥B

⊥B

false false false false

true ⊥B false

true ⊥B ⊥B

false true ⊥B false

⇒ true ⊥B false true true ⊥B false ⊥B

true ⊥B ⊥B

false true true true Table A.1 Truth tables

19

Jones

A.2

Axioms Ei ∨-I

E1 ∨ · · · ∨ En

1≤i ≤n

E1 ∨ · · · ∨ En ; E1 ` E ; · · · ; En ` E ∨-E

E ¬ E1 ; · · · ; ¬ En ¬ ∨ -I

¬ (E1 ∨ · · · ∨ En )

¬ (E1 ∨ · · · ∨ En ) ¬ ∨ -E

1≤i ≤n

¬ Ei E1 ; · · · ; En ∧-I

E1 ∧ · · · ∧ En

E1 ∧ · · · ∧ En ∧-E

1≤i ≤n

Ei ¬ Ei

¬ ∧ -I

¬ (E1 ∧ · · · ∧ En )

1≤i ≤n

¬ (E1 ∧ · · · ∧ En ); ¬ E1 ` E ; · · · ; ¬ En ` E ¬ ∧ -E

E E1 ∧ · · · ∧ Ei ∧ · · · ∧ En ; Ei ` E

∧-subs

E1 ∧ · · · ∧ E ∧ · · · ∧ En E ¬ ¬ -I /E

¬¬E

E1 ; ¬ E1 contr

E2

Table A.2 Axiomatization of LPF propositional logic

20

1≤i ≤n

Jones

¬ E1 ∨ E2 ⇒ -defn

E1 ⇒ E2

E1 ` E2 ; δ(E1 ) ⇒ -I

E1 ⇒ E2 E1 ⇒ E2 ; E1

⇒ -E

E2 ¬ E1

⇒ -vac

E1 ⇒ E2 E2

⇒ -vac

E1 ⇒ E2

Table A.3 Rules about implication in LPF

s ∈ X ; E (s/x ) ∃-I

∃x ∈ X · E (x )

∃x ∈ X · E (x ); y ∈ X , E (y/x ) ` E1 ∃-E

y is arbitrary

E1 x ∈ X ` E (x ) ∀-I

∀x ∈ X · E (x )

∀x ∈ X · E (x ); s ∈ X ∀-E

E (s/x )

Table A.4 Axiomatization of LPF predicate logic

21