Lecture notes 20190507

Denotations Versus Triples 5

Require Import Coq.Lists.List.
Require Import PL.Imp9.
Import OneBinRel_FOL.
Local Open Scope FOL.

FOL Completeness: The definition

Definition complete: Prop :=
∀P: prop, ⊨ P → ⊢ P.

This definition of completeness is also called weak completeness. What is strong completeness instead?

Definition derive (Gamma: prop → Prop) (P: prop): Prop :=
∃l, Forall Gamma l ∧ ⊢ fold_right PImpl P l.

Notation "Gamma ⊢ P" := (derive Gamma P) (at level 90, no associativity): FOL_scope.

Here, Forall Gamma l says that all elements in l are elements in Gamma. Here is the definition of Forall in Coq standard library. Intuitively, if propositions Gamma derive P, there is one Gamma's finite subset, such that the conjunction of this subset implies P.

Print Forall.

If derive is a generalization of provable, then entail is a generalization of valid.

Definition entail (Gamma: prop → Prop) (P: prop): Prop :=
∀J, (∀Q, Gamma Q → J ⊨ Q) → J ⊨ P.

Notation "Gamma |= P" := (entail Gamma P) (at level 90, no associativity): FOL_scope.

In logic, if a set of propositions Gamma entails P, we say that P is a consequence (语义后承) of Gamma. The double turnstile symbol is usually overloaded in logic text books. Here is its different meaning.

J ⊨ P, in which J is an interpretation and P is a proposition. It says J satisfies P, or satisfies J P in our Coq definition;
⊨ P, in which P is a proposition. It says that P is valid. In other words, for any J, J ⊨ P;
J ⊨ Gamma, in which J is an interpretation and Gamma is a set of propositions. It says that J satisfies every proposition in Gamma;
Gamma ⊨ P, in which Gamma is a set of propositions and P is one single proposition. It says that P is a consequence of Gamma.

In this course, we only use ⊨ for the first two notation definitions but use |= for the last one.

After defining derive and entail, we are ready to state the strong completeness property.

Definition strongly_complete: Prop :=
∀Gamma P,
Gamma |= P → Gamma ⊢ P.

Obvious, if a logic is strongly complete, it must be complete. To prove this theorem, we only need to let the proposition set Gamma to be empty. In Coq, an empty set is defined by "no element is in it".

Definition Empty_pset: prop → Prop := fun P ⇒ False.

It is easy to prove that an empty set derives an assertion P if and only if this assertion P is provable.

Lemma Empty_derive_spec: ∀P, Empty_pset ⊢ P ↔ ⊢ P.
Proof.
  intros.
  split; intros.
  + destruct H as [l [? ?]].
    inversion H; subst.
    - simpl in H₀.
      exact H₀.
    - unfold Empty_pset in H₁.
      destruct H₁.
  + ∃nil.
    split.
    - apply Forall_nil.
    - simpl.
      exact H.
Qed.

Also, being a consequence of the empty proposition set is equivalent with being valid.

Lemma Empty_entail_spec: ∀P, Empty_pset |= P ↔ ⊨ P.
Proof.
  intros.
  unfold entail, valid.
  unfold Empty_pset.
  firstorder.
Qed.

Theorem strong_completeness_is_stronger: strongly_complete → complete.
Proof.
  unfold strongly_complete, complete.
  intros SC.
  specialize (SC Empty_pset).
  intros.
  apply Empty_derive_spec.
  apply Empty_entail_spec in H.
  apply SC.
  apply H.
Qed.

Important FOL theorems

We directly state the following theorems and omit proofs. Interested students can try proving them as exercises.

Lemma IMPLY_refl: ∀P, ⊢ P IMPLY P.
Admitted.

Lemma IMPLY_trans: ∀P Q R, ⊢ P IMPLY Q → ⊢ Q IMPLY R → ⊢ P IMPLY R.
Admitted.

Lemma IMPLY_swap: ∀P Q R, ⊢ P IMPLY Q IMPLY R → ⊢ Q IMPLY P IMPLY R.
Admitted.

Lemma EM_assu: ∀P Q, ⊢ P IMPLY Q → ⊢ NOT P IMPLY Q → ⊢ Q.
Admitted.

Lemma FORALL_rename: ∀P (x y: logical_var),
prop_free_occur y P = O →
⊢ (FORALL x, P) IMPLY (FORALL y, P [x ⟼ y]).
Admitted.

Lemma PEq_trans: ∀t₁ t₂ t₃,
⊢ t₁ == t₂ IMPLY t₂ == t₃ IMPLY t₁ == t₃.
Admitted.

Lemma derive_assu: ∀(Gamma: prop → Prop) P,
Gamma P →
Gamma ⊢ P.
Admitted.

Definition pset_included (Gamma Gamma': prop → Prop): Prop :=
∀P, Gamma P → Gamma' P.

Lemma derive_expand: ∀Gamma Gamma' P,
  pset_included Gamma Gamma' →
  Gamma ⊢ P →
  Gamma' ⊢ P.
Admitted.

Definition pset_snoc (Gamma: prop → Prop) (P: prop): prop → Prop :=
fun Q ⇒ Gamma Q ∨ P = Q.

Notation "Gamma ':;' P" := (pset_snoc Gamma P) (at level 81, left associativity): FOL_scope.

Lemma deduction_theorem: ∀Gamma P Q,
Gamma:; P ⊢ Q ↔ Gamma ⊢ P IMPLY Q.
Admitted.

Lemma derive_modus_ponens: ∀Gamma P Q,
  Gamma:; P ⊢ Q →
  Gamma ⊢ P →
  Gamma ⊢ Q.
Admitted.

Lemma derive_NOT_NOT: ∀Gamma P,
Gamma ⊢ P ↔ Gamma ⊢ NOT NOT P.
Admitted.

Lemma derive_EXISTS_intros: ∀Gamma P Q x,
  (∀R, (Gamma:; Q) R → prop_free_occur x R = O) →
  Gamma:; P ⊢ Q →
  Gamma:; EXISTS x, P ⊢ Q.
Admitted.

Lemma PRel_congr: ∀Gamma t₁ t₂ t₃ t₄,
Gamma:; t₁ == t₂:; t₃ == t₄:; PRel t₁ t₃ ⊢ PRel t₂ t₄.
Admitted.

Proof By Contraposition: Satisfiability and Consistency

We prove strong completeness by contraposition. In other words, we prove that, if P is not derivable from Gamma then P is not a consequence of Gamma. The negation of derive and entail are strongly connected with two other concepts: consistent (一致) and satisfiable (可满足).

Definition consistent (Gamma: prop → Prop): Prop :=
¬(Gamma ⊢ PFalse).

A proposition set is consistent if we cannot derive false from it. For any Gamma and P, Gamma do not derive P if and only if Gamma and NOT P are consistent.

Lemma not_derive_spec: ∀Gamma P,
¬(Gamma ⊢ P) ↔ consistent (Gamma:; (NOT P)).

Proof.
  intros.
  unfold consistent.
  rewrite deduction_theorem.
  pose proof derive_NOT_NOT Gamma P.
  unfold PNot.
  unfold PNot in H.
  tauto.
Qed.

A proposition set is satisfiable if there is an interpretation that satisfies all propositions in the set. For any Gamma and P, P is not Gamma's consequence if and only if Gamma and NOT P are satisfiable.

Definition satisfiable (Gamma: prop → Prop): Prop :=
∃J, ∀P, Gamma P → J ⊨ P.

Lemma not_entail_spec: ∀Gamma P,
¬(Gamma |= P) ↔ satisfiable (Gamma:; (NOT P)).

Proof.
  intros.
  unfold satisfiable, entail.
  split; intros.
  + apply not_all_ex_not in H.

In case that you are curious about what this theorem not_all_ex_not is:

        not_all_ex_not
         : ∀(U : Type) (P : U → Prop),
           ¬(∀n : U, P n) → ∃n : U, ¬P n

    destruct H as [J ?].
    assert ((∀Q : prop, Gamma Q → J ⊨ Q) ∧ ¬(J ⊨ P)).
    { tauto. }
    clear H.
    destruct H₀.
    ∃J.
    unfold pset_snoc.
    intros.
    destruct H₁.
    - apply H.
      exact H₁.
    - subst P₀.
      simpl.
      tauto.
  + unfold not.
    intros.
    destruct H as [J ?].
    specialize (H₀ J).
    assert (∀Q : prop, Gamma Q → J ⊨ Q).
    {
      intros.
      apply H.
      unfold pset_snoc.
      tauto.
    }
    assert (¬(J ⊨ P)).
    {
      assert ((Gamma:; NOT P) (NOT P)).
      { unfold pset_snoc. right. reflexivity. }
      specialize (H _ H₂).
      simpl in H.
      tauto.
    }
    tauto.
Qed.

Thus, in order to build completeness, it suffices to prove that every consistent set is satisfiable.

Lemma proof_by_contraposition:
  (∀Gamma, consistent Gamma → satisfiable Gamma) →
  strongly_complete.
Proof.
  intros.
  unfold strongly_complete.
  intros Gamma P.
  assert (¬(Gamma ⊢ P) → ¬(Gamma |= P)); [| tauto].
  intros.
  apply not_derive_spec in H₀.
  apply not_entail_spec.
  apply H.
  exact H₀.
Qed.

Henkin Style Proof and Maximal Consistent Set

The following part of our proof is of a famous proof style for logic completeness, the Henkin style proof. It contains two steps: (1) expanding a consistent set of propositions to a maximal consistent set (MCS) (极大一致集); and (2) constructing an interpretation (usually called canonical model) (典范模型) that satisfies all propositions in the MCS.

Definition maximal_consistent (Gamma: prop → Prop): Prop :=
  consistent Gamma ∧
  (∀Gamma', pset_included Gamma Gamma' →
                  consistent Gamma' →
                  pset_included Gamma' Gamma).

In a simplest Henkin style proof, MCS is enough for canonical model construction. For first order logics's completeness, we need to use maximal consistent set with witnesses.

Definition witnessed (Gamma: prop → Prop): Prop :=
  ∀(x: logical_var) (P: prop),
    Gamma (EXISTS x, P) →
    ∃(t: term), Gamma (P [ x ⟼ t ]).

Here is the proof skeleton of our Henkin style proof.

Lemma Henkin_FOL:
  (∀Gamma, consistent Gamma →
     ∃Gamma',
       maximal_consistent Gamma' ∧
       witnessed Gamma' ∧
       (satisfiable Gamma' → satisfiable Gamma)) →
  (∀Gamma,
     maximal_consistent Gamma →
     witnessed Gamma →
     satisfiable Gamma) →
  (∀Gamma, consistent Gamma → satisfiable Gamma).
Proof.
  intros.
  specialize (H Gamma H₁).
  destruct H as [Gamma' [? [? ?]]].
  specialize (H₀ Gamma' H H₂).
  pose proof H₃ H₀.
  exact H₄.
Qed.

Lindenbaum Lemma: Constructing MCS with witness

In this part, we prove: if Gamma is consistent, we can "expand" it to a witnessed MCS. The construction here is not real expansion. Remark: suppose Gamma' is an expansion of Gamma, then we immediately know that: if Gamma' is satisfiable, then Gamma is satisfiable.

Step 1.

Let Gamma(0) be the renaming result of Gamma. Specifically, every proposition P' in Gamma(0) corresponds to a proposition P in Gamma. {P'] is the resulting of replacing the n-th variable with the 2n + 1-th variable for all n.

Thus, Gamma is satisfiable if and only if Gamma(0) is satisfiable. Also, since Gamma is consistent, Gamma(0) is also consistent. Moreover, variables with even indices do not occur in Gamma(0)'s elements.

Step 2.

Obviously, first order propositions are countable. Suppose they are

P(1), P(2), ...

We construct

Gamma(1), Gamma(2), ...

in order. Specifically, for every natural number n, we construct Gamma(n+1) from Gamma(n) according to the following rules:

case a. if Gamma(n):; P(n+1) is consistent and P(n+1) has a form of EXISTS x. Q, then let Gamma(n+1) be Gamma(n) :; Q[x ⟼ y] :; P(n+1) in which y is a variable that does not occur in Gamma(n) or P(n+1).
case b. if Gamma(n):; P(n+1) is consistent and P(n+1) does not have a form of EXISTS x. Q, then let Gamma(n+1) be Gamma(n):; P(n+1).
case c. if Gamma(n):; P(n+1) is inconsistent, then let Gamma(n+1) be Gamma(n).

First of all, such construction is legal (especially case a). Because for every natural number n, Gamma(n) only uses finite number of variables with even indices.

Moreover, this sequence of proposition sets satisfies the following properties:

Gamma(n) is consistent for all n;
P(n) is an element of Gamma(m) if and only if P(n) is in Gamma(n) for any n < m;
Gamma(0) is a subset of Gamma(n) for all n.

We can prove them by induction over n. Almost all of these proof steps are trivial. The only interesting case is the following one:

Suppose Gamma(n):; P(n+1) is consistent and P(n+1) = EXISTS x. Q. Prove that Gamma(n) :; Q[x ⟼ y] :; P(n+1) is also consistent in which y is a variable that does not occur in Gamma(n) or P(n+1).

We prove it by contradiction. If it were not consistent, then

Gamma(n) :; Q[x ⟼ y] :; EXISTS x. Q ⊢ PFalse.

Since ⊢ Q [x ⟼ y] IMPLY EXISTS x. Q, we have

Gamma(n) :; Q [x ⟼ y] ⊢ PFalse.

But y does not appear in Gamma(n). So,

Gamma(n) :; EXISTS y. Q [x ⟼ y] ⊢ PFalse.

It is equivalent to say:

Gamma(n) :; EXISTS x. Q ⊢ PFalse.

This contradicts with the fact that Gamma(n):; P(n+1) is consistent.

Step 3

Let Gamma' be the union of all Gamma(n)'s. Now, let's check whether Gamma' is indeed an MCS with witnesses.

First, Gamma' is consistent. If not, there is a finite subset of it which can derive false. Formally, we can find P(n(1)), P(n(2)), ..., P(n(k)) such that,

P(n(1)) IMPLY P(n(2)) IMPLY ... IMPLY P(n(k)) IMPLY PFalse

is provable. Without loss of generality, we can assume that

n(1) < n(2) < ... < n(k).

Thus, these k propositions must all be Gamma(n(k))'s elements! So,

Gamma(n(k)) ⊢ PFalse

which contradicts with the fact that Gamma(n(k)) is consistent.

Second, adding any more proposition to Gamma' makes it inconsistent. Suppose P(n) is not an element of Gamma'. We know that P(n) must not be an element of Gamma(n). Thus, Gamma(n-1) :; P(n) is inconsistent. Since Gamma':; P(n) is a superset of it, Gamma':; P(n) is also inconsistent.

Third, Gamma' is witnessed. Suppose P(n) = EXISTS x. Q is an element of Gamma'. Then according to the construction of Gamma(n) there must be an logical variable y such that Q [ x ⟼ y] is an element of Gamma'.

Summary

Now, we have shown that Gamma' is witnessed and maximally consistent. Also, it is a superset of Gamma(0) by definition. Thus, if Gamma' is satisfiable, Gamma(0) is satisfiable, which is equivalent to say that Gamma is satisfiable.

Canonical Model Construction and Truth Lemma

We first state and prove two important properties of MCS.

Property 1. A maximally consistent set Gamma is always closed under the derive relation. This is obvious. Suppose Gamma ⊢ P. Since Gamma is consistent, i.e. Gamma |-/- PFalse, we know that Gamma :; P |-/- PFalse. But any expansion of Gamma is inconsistent. Thus, P must be an element of Gamma.

Property 2. If Gamma is maximally consistent and P is a proposition, exact one of P and NOT P are in Gamma. This is also obvious. On one hand, if both P and NOT P are in Gamma, Gamma must be inconsistent since

⊢ NOT P IMPLY P IMPLY PFalse.

On the other hand, if neither P nor NOT P is in Gamma, we know

Gamma :; P ⊢ PFalse

by the definition of maximal consistency. It tells us, P IMPLY PFalse, i.e. NOT P, is an element of Gamma (according to the deduction theorem and the fact that Gamma is derive-closed). This contradicts with the fact that NOT P is not in Gamma.

Now, we are ready to prove:

Given Gamma which is witnessed and maximally consistent, we can construct an interpretation J satisfying all propositions in Gamma.

We construct this interpretation step by step and prove the satisfaction relation in the end.

Constructing the domain

First, we claim that the pairs of variables x, y such that x == y is a proposition in Gamma forms an equivalent relation. Then, we define the domain D to be the equivalent classes of this relation.

Constructing the relation symbol's interpretation

We define the relation symbol PRel's interpretation Rel as follows. Suppose x* and y* are two equivalent classes in the domain D. The pair x*, y* is an element of Rel if and only if PRel x y is a proposition in Gamma. Here x and y represent elements of x* and y*.

It is critical that Rel is well defined. In fact, if x₁ == x₂, y₁ == y₂ and PRel x₁ y₁ are elements of Gamma, PRel x₂ y₂ must be its element too.

Constructing variables' interpretation

We simply let La be the function that La(x) = x*. Here, x* represents the equivalent class in D such that x is in it.

Truth lemma

We prove by induction over P's syntax tree that P is an element of Gamma if and only if J = (D, Rel, La) satisfies P.

Case 1: P is x₁ == x₂.

P is an element of Gamma if and only if x₁ and x₂ are in the same equivalent class in D, which is equivalent to say that x₁ and x₂ has the same denotation in J.

Case 2: P is PRel x₁ x₂.

It is obvious by Rel's definition.

Case 3: P is PFalse.

On one hand, PFalse cannot be Gamma's element since it is consistent. On the other hand, PFalse is not satisfied by any interpretation, including J.

Case 4. P is P₁ IMPLY P₂.

By semantic definition, J satisfies P₁ IMPLY P₂ if and only if J does not satisfy P₁ or J satisfies P₂. By induction hypothesis, it is equivalent to say that P₁ is not an element of Gamma or P₂ is an element of Gamma.

If P₁ is not an element of Gamma, NOT P₁ must be an element of Gamma. Thus, P₁ IMPLY P₂ is also an element of Gamma.
If P₂ is an element of Gamma, obviously, P₁ IMPLY P₂ is also an element of Gamma.
If P₁ is an element of Gamma and P₂ is not an element of Gamma, then NOT P₂ must be an element of Gamma. Thus, NOT (P₁ IMPLY P₂) is also an element of Gamma which means P₁ IMPLY P₂ is not in Gamma.

This tells us that P₁ IMPLY P₂ is in Gamma if and only if P₁ is not in Gamma or P₂ is in Gamma.

Case 5. P is FORALL x. P₁.

On one hand, suppose FORALL x. P₁ is an element Gamma. We know that for any variable y, P₁ [x ⟼ y] will also be Gamma's element. By induction hypothesis, J satisfies P₁ [x ⟼ y] . Thus, no matter what value in D is reassigned to the interpretation of x, the new interpration will satisfy P₁. So, J satisfies FORALL x. P₁.

On the other hand, suppose FORALL x. P₁ is not an element Gamma. Then, EXISTS x, NOT P₁ will be an element of Gamma. According to the fact that Gamma is witnessed, there must exist a variable y such that NOT P₁ [x ⟼ y] is in Gamma. Thus P₁ [x ⟼ y] is not an element of Gamma. By induction hypothesis, J does not satisfy P₁ [x ⟼ y] . So,

( D, Rel, La [x ⟼ y*] ) |=/= P₁

which tells us that J does not satisfy FORALL x. P₁.

(* Mon May 6 16:26:04 UTC 2019 *)