User:Hakerh400/Theorem prover

Introduction

In this tutorial we explain how to create a very simple theorem prover in Haskell using generalised algebraic data types. We first define axioms and inference rules, then write a formal proof of a theorem and then write a program to check whether the proof is valid.

Formal system

The formal logic system that we use in this example is a simplified version of Łukasiewicz system. We define the following inference rules (the first two are axioms because they have no premises and the third one is Modus ponens):

${\displaystyle {\begin{aligned}&\vdash x\to (y\to x)\\&\vdash (x\to (y\to z))\to ((x\to y)\to (x\to z))\\x,x\to y&\vdash y\end{aligned}}}$

We call the first one Ax1, the second one Ax2 and the third one MP. Implication is represented by -> and the inference symbol is |-. We want to prove that ${\displaystyle (x\to x)}$ for any predicate ${\displaystyle x}$ (the theorem of the reflexivity of the implication).

Before we start, we want to make sure that x,y,z must be well-formed formulas. A well-formed formula in our system is only a predicate. A predicate is either an implication, or some contant predicate P (just as an example to reduce the generality). We can construct an implication only if both arguments are WFFs (well-formed formulas). The constant predicate P is a WFF by definition.

The program

Explanation

Data types

We define four data types. The first data type is Pred, which stands for predicate. It represents predicate WFF (currently the only type of WFF in our system). It is an "abstract" data type in the sense that it just represents a label that we assign to already constructed other data types. In particular, it says that we can label P as a predicate, or we cal label an implication as a predicate. It is like an abstract class in OOP languages.

The next data type is P, which does not have any particular meaning in the system. It is just there for us to be able to examine the result of the proof (otherwise, any attemp to construct a predicate would not terminate).

The third data type is Impl, which stands for implication. As we explained, it "asserts" that both of its arguments must be predicates.

The last data type is Infer, which represents a proof of a predicate. We can construct it using three different constructors. We can either use one of the axioms (Ax1 or Ax2), or we can apply Modus ponens.

Next, we have some functions for stringifying our data types. They are just for analyzing the results.

Theorem

Finally, we define and prove theorem th_impl_refl, which states that for any predicate a, the statement ${\displaystyle (a\to a)}$ is true. We prove it in six steps. The first step proves that if a is a predicate, then Impl a a is also a predicate (types T1..T4 are defined just as aliases to save space). Steps 2 and 3 apply axiom Ax1, step 4 applies axiom Ax2 and steps 5 and 6 apply Modus ponens. The type signature of each step is used for correctness check.

Verifying the proof

If the program does not compile, either the proof is wrong, or you have syntax errors. If the program compiles, it still does not mean that the proof is correct, because you may have a cyclic theorem dependency in your proof. You need to run the program and make sure the program halts. If the program does not halt, it probably means you have a cyclic dependency somewhere.

The output of the program is the proof of the theorem for sample statement P that we introduced just for this purpose. The program show the following output:

(MP (MP (Ax2 P (P -> P) P) (Ax1 P (P -> P))) (Ax1 P P))

Adding new features

It is very easy to add new features (axioms, inference rules, definitions, data types, theorems, etc). For example, if we want to add new axiom Ax3 that defines negation:

${\displaystyle \vdash (\lnot x\to \lnot y)\to (y\to x)}$

and we want to prove that ${\displaystyle \lnot \lnot x\to (\lnot x\to x)}$ for any statement ${\displaystyle x}$, then we need update the program by adding a new data type Not for negation, new axiom Ax3 as an Infer constructor, and finally theorem th_2 that proves what we need.

Explanation

We renamed some of the steps to separate "WFF" proofs from "Infer" proofs (we also updated th_impl_refl). The program outputs the following proof:

(MP (MP (Ax2 ~~P (~P -> ~~P) (~P -> P)) (MP (Ax1 ((~P -> ~~P) -> (~P -> P)) ~~P) (Ax3 P ~P))) (Ax1 ~~P ~P))

Notice that WFF steps are almost half of the total steps. If we remove the WFF checks, we can make the proof of the theorem a lot simpler. However, forcing a formula to be well-formed is important, because the system can be expanded to include other types of expressions (such as sets and proper classes). We want to make sure that the arguments of an implication are predicates, and not for example sets. Also, WFF can be generalized to any level of abstraction, so if we decide to introduce quantifiers, we can use WFF checks to ensure that there are no free identifiers in the top-level expression (each identifier must be bound to a quantifier parameter name). When we talk about identifiers, they can be implemented as De Bruijn indices and substitutions can be achieved by a recursive constraint that ensures that all occurrences of the bound variable are replaced.