User:GrafZahl/Definitions in JHilbert

Manual definitions in metamath
In metamath, definitions are a priori just axioms whose name happens to begin with "df-". Their definition nature stems from two things:
 * 1) They somehow encode a definiendum, that is, a new functor being defined, and a definiens, that is, the expression which defines the new functor. Often, this is rather obvious, as in df-or, where (φ ∨ ψ) is the definiendum and (¬φ → ψ) is the definiens. However, it may be more obscure, such as in df-bi, where the definiendum (φ ↔ ψ) and the definiens ¬((φ → ψ) → ¬(ψ → φ)) are not immediately obvious from the asserted formula. (In this latter case, the reason for the involuntary obfuscation is that ↔ cannot be defined through itself.)
 * 2) The axiomatic framework allows for arbitrary folding and unfolding of (sub-)expressions according to the definition. For example, if in a proof we have an expression containing an instance of the definiens on the top of the stack, it is possible in a finite number of proof steps to obtain the same stack, except that the top now contains the corresponding instance of the definiendum, using the definition axiom and other axioms/theorems allowing the building of complex expressions around the definition.
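As an illustration of the general idea, unfolding can be viewed as rewriting on expression trees. This is only a Python sketch, not JHilbert's or metamath's actual implementation; the tuple encoding and the DEFS table are hypothetical:

```python
# Expressions as nested tuples: ('or', p, q) stands for (p \/ q),
# variables are plain strings. Hypothetical definition table mapping a
# defined functor to its parameters and definiens (here df-or:
# (p \/ q) is defined as (-. p -> q)).
DEFS = {
    'or': (('p', 'q'), ('->', ('-.', 'p'), 'q')),
}

def substitute(expr, env):
    """Replace variable leaves by their assigned subexpressions."""
    if isinstance(expr, str):
        return env.get(expr, expr)
    return (expr[0],) + tuple(substitute(e, env) for e in expr[1:])

def unfold_once(expr):
    """Unfold the top-level functor if it is a defined one."""
    if not isinstance(expr, str) and expr[0] in DEFS:
        params, definiens = DEFS[expr[0]]
        return substitute(definiens, dict(zip(params, expr[1:])))
    return expr

# (ph \/ ps) unfolds to (-. ph -> ps):
assert unfold_once(('or', 'ph', 'ps')) == ('->', ('-.', 'ph'), 'ps')
```

Folding is the inverse rewrite: matching a subexpression against an instance of the definiens and replacing it by the corresponding instance of the definiendum. Repeated rewrites in both directions, at any depth, generate an equivalence on expressions.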

Automatic definitions in JHilbert
In JHilbert, definitions are intended to capture these properties (creation of a new functor and the arbitrary folding and unfolding) and make them automatic. This makes definitions very powerful. But it also makes them potentially dangerous. Essentially, a JHilbert user making a definition promises that the described behaviour does not give rise to logic errors such as contradictions. This promise might be broken in subtle ways, and it should be the task of JHilbert to preclude any such subtleties. Problems mainly arise from the interplay of two things:
 * 1) The definiens of a definition may contain variables not apparent in the definiendum. Such variables are called dummy variables.
 * 2) Metamath does not have a concept of free and bound variables. Instead, it uses the simple and innovative concept of disjoint variable constraints. Such constraints can and do appear in definitions ("df-" axioms) and, what's worse, possibly even in the framework supporting the definitions.

Problems with automatic definitions
Let us enumerate some of the concrete problems that may occur.
 * Definitions create an equivalence relation on expressions: two expressions are equivalent if one can be transformed into the other by repeated folding/unfolding. A proper substitution should be well-defined with respect to this equivalence relation. However, this can be difficult to implement because dummy variables are not apparent in folded definitions (the converse can also happen: parameters of a definiendum need not appear in the definiens). This may cause a substitution to be "lost". For example, assume (D x) is defined by (x = y). Here, y is a dummy variable. Now assume that in an actual instance of expressions, you have (z = w); fold it to (D z), with w standing in for the dummy variable; make the substitution z := w and get (D w), which unfolds to (w = w), yielding an improper substitution because the substitution above overlooked the w in place of the dummy variable.
 * Some definition axioms in metamath legitimately carry disjoint variable constraints. Unfortunately, such a constraint may cause naïve folding/unfolding to be invalid. The reason is that a statement needs to observe only those disjoint variable constraints which involve the statement's mandatory variables (i.e. those variables which are apparent in its hypotheses and its consequent), as defined in the reduction step from pre-statements to statements in Appendix C.2.4 of the metamath book. However, since folding/unfolding can change the set of apparent variables, it can also change the set of mandatory variables of a statement, and thus the reduct of a pre-statement. This means that even in metamath, it is not always possible to just replace some subexpression in the hypotheses or the consequent of some theorem with something equivalent by definition and insert the necessary proof steps: the disjoint variable constraints may have to be updated as well.
 * When a definition is used in a metamath proof, it is usually not sufficient to just invoke the necessary "df-" axiom. Additional "builder" axioms and/or theorems are required to (un)fold a definition buried deep somewhere in an expression. These builder statements might carry disjoint variable constraints (for examples, see Interface:First-order logic). Automatic (un)folding in JHilbert would "forget" to add such a constraint because there is no easy way of knowing what constraints some a priori unrelated statement might have. Now, there might be cases in which the onus of checking for unwanted constraint creep can be safely left with the user. In propositional logic, for example, there is only a small number of truth functions, all of whose builders do not need constraints. Hence, definitions instead of "df-" axioms might be safe for such head symbols. For other head symbols, however, the number of functors involved may be too great for a user to check. What's worse, even if a safe definition is made, some new functor defined afterwards may break everything without warning. This potentially nonlocal behaviour, though it may not often appear in practice, may well be the most frustrating problem with automatic definitions.
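To make the dummy-variable hazard concrete, here is a small Python sketch. The functor D, the formulas, and the encoding are all hypothetical illustrations, not taken from any actual interface:

```python
# Hypothetical definition: (D x) is defined as (x = y), where y is a
# dummy variable -- it appears in the definiens but not in (D x).

def unfold_D(x_arg, dummy):
    """Unfold (D x_arg), instantiating the dummy variable to `dummy`."""
    return ('=', x_arg, dummy)

# (z = w) is an instance of the definiens, with w playing the dummy:
assert unfold_D('z', 'w') == ('=', 'z', 'w')

# Fold it to (D z): the w is now invisible. Substituting z := w on the
# folded form yields (D w), which, with the same dummy instance, unfolds
# to (w = w):
assert unfold_D('w', 'w') == ('=', 'w', 'w')

# Substituting z := w directly in (z = w) would have had to account for
# the w already present; the folded form hid that collision, so the
# substitution check was silently "lost".
```

The point is that the folded and unfolded forms are supposed to be interchangeable, yet a substitution that looks harmless on the folded form is improper on the unfolded one.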

Why automatic definitions seemed nice
There was a concrete reason why I wanted to have automatic definitions in JHilbert. I was trying to implement Nicod's reduction of Principia Mathematica in metamath, a version of propositional logic which uses only one indefinable truth function (the Sheffer stroke), using definitions to create all the others. With the biconditional unavailable, I implemented the "Df." symbol from Nicod's article by creating a replacement axiom along with builders. The upshot was that proofs consisted mostly of building and replacing definitions instead of actual logic, while in the original article, the definitions were simply treated as abbreviations. It was horrible.

In JHilbert, everything was suddenly easy and simple. The problem is that I totally overshot my goal and, moreover, I didn't realise it at first because I gave a JHilbert soundness proof a very low priority. So, what do I mean by "overshot"? The thing is, in metamath, definitions aren't really horrible (except possibly some mild horribility in the definition of the biconditional) because at the point where definitions come in, the framework is already strong enough to make the application of definitions relatively simple. They simply don't clutter 90% of the proof. Their application might be somewhat tedious for very deeply nested expressions, but even deeply nested expressions become rarer once the more technical parts of a framework are established and the proofs become more natural. Essentially, definition horribility is caused by framework weakness, when you're at the very beginning of your journey through proofland.

Possible solutions
Attempts to salvage the situation have been made. I myself wrote JHilbert definition soundness (better don't read it) in an attempt at a soundness proof, but as Carl Witty has pointed out, among other errors, the definition model presented there would be difficult to implement efficiently (once you have a definition depth of 10 or so, unfolding everything can really blow things up, not to mention having to carry DV constraints around for every single expression).

Raph Levien has suggested implementing metalogic to keep track of free variables and disallowing (un)folding where the set of free variables would change. He didn't specify details. The most difficult problem to solve always seems to be keeping track of the infamous nonlocal builder DVs without incurring runtime pessimisations on the order of $$\Omega(n^2)$$. But then, maybe this problem properly belongs to the "let the user beware" class anyhow. Similarly, Carl Witty made a more concrete suggestion, in which the structure of bound variables, and what binds them, would already be encoded at the time term functors are defined. For definition functors, binding data would have to be consistent with the definiens (again, nonlocality lurks).

However, since the main purpose of JHilbert should be to make metamath fit for collaboration and not to get immensely frustrated over a possible definition mechanism, I would like to make a more radical suggestion: make definitions "both simple and sound" (Raph's words), that is, simple enough that the soundness proof is almost trivial (I hope), and everything definitions are not powerful enough for is done in the metamath way, with definition axioms and builders. In particular, I suggest the following:
 * Disallow disjoint variable constraints in definitions (they're currently not enabled in the JHilbert parser anyway).
 * For definitions in interface modules, apparent variables in the definiendum must equal apparent variables in the definiens. This means no more dummy variables. Apparent variables in expressions would never change due to (un)folding.
 * For definitions in proof modules, apparent variables in the definiens are allowed to be a proper superset of the apparent variables in the definiendum. However, the surplus variables are not dummy variables. Instead, internally, a sufficient number of "hidden" parameters are added to the definiendum. These hidden parameters are always set to the surplus variables used in the definiens. This formally trivial feature can go a long way towards making proofs more readable through the use of simple abbreviations.
 * For aesthetic reasons, a new keyword (dstmt), formally equivalent to stmt, is introduced for interface modules, to distinguish definitions from axioms. It would be used to create "df-" axioms in cases where definitions are not powerful enough. In fact, users should be educated to use definitions only in cases where it would be too much of a hassle to use dstmt instead (such as in the case of Nicod's system or when otherwise building propositional logic from scratch).
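A sketch of how the proposed variable checks might look, as I read the two rules above. This is illustrative Python, not actual JHilbert code, and the tuple encoding of expressions is hypothetical:

```python
# Expressions as nested tuples; leaves (plain strings) are variables.

def variables(expr):
    """Set of variables apparent in an expression tree."""
    if isinstance(expr, str):
        return {expr}
    return set().union(*[variables(e) for e in expr[1:]])

def check_definition(definiendum, definiens, in_interface):
    """Proposed rule: interface definitions must have exactly the same
    apparent variables on both sides (no dummies); proof-module
    definitions may have surplus variables in the definiens, which
    become hidden parameters of the definiendum."""
    lhs, rhs = variables(definiendum), variables(definiens)
    if in_interface:
        return lhs == rhs
    return lhs <= rhs

# (D x) := (x -> x) is acceptable everywhere:
assert check_definition(('D', 'x'), ('->', 'x', 'x'), in_interface=True)
# (D x) := (x -> y) has a surplus y, so proof modules only:
assert not check_definition(('D', 'x'), ('->', 'x', 'y'), in_interface=True)
assert check_definition(('D', 'x'), ('->', 'x', 'y'), in_interface=False)
```

Because the interface rule forces equal variable sets, (un)folding can never change the apparent variables of an expression, which is what makes the soundness argument nearly trivial.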

OK, it's discussion time!--GrafZahl (talk) 22:55, 11 February 2010 (UTC)


 * I haven't thought about this stuff anywhere near as hard as you, Norm, Raph, etc., and hope I don't need to, but here are my thoughts. The weakened mechanism you suggest sounds OK, but perhaps only because I don't have many concrete examples of definitions which would be affected (⊤ and ⊥ at Principia Mathematica propositional logic use dummies, but they aren't interesting enough to give me a clear idea of what dummies are for and whether they are easy to replace). The one part of the proposal which I don't like is dstmt, which unless I'm missing something amounts to giving up on safe definitions. I don't know if I should attempt an extended essay on the virtue of safe definitions, but in a nutshell: if someone shows up with a purported proof of, say, the Riemann hypothesis and it contains thousands of unsafe definitions (spread out over dozens of modules), it becomes very hard to know whether the proof is correct or not. Is it true that dstmt means giving up on safe definitions? Is there some reason which makes this not a huge hole in the whole concept of having "all of mathematics" derived from a few axioms (say, the axioms of set theory) and that derivation machine-checkable? Kingdon 00:21, 12 February 2010 (UTC)


 * Kingdon, dummy variables are extremely common in metamath's set.mm, and I think they would be common in any formalization of an object language with binding structure. For example, most function definitions in set.mm are of the form "the set of ordered pairs ⟨x, y⟩ where [... some formula involving x and y ...]", where x and y are dummy variables. I agree that having a conservative (safe) definition mechanism (including dummy variables) is vital. I've been thinking about this problem myself, and I have a proposal I'll be putting on my user page soon; I'll add a link here when I'm done. CarlWitty 06:46, 12 February 2010 (UTC)


 * OK, I'll await your proposal and other future discussion. I didn't discuss before whether it is important for definitions to be automatic. I'm not sure on the subject. I was struck by the number of times that I ended up writing in a comment "here we are implicitly applying the definition of xxx" in Principia Mathematica propositional logic, which I take to mean that automatic definitions don't always enhance clarity. On the flip side, though, we should be vigilant about clutter in our proofs, which obscures the interesting parts. Kingdon 16:58, 12 February 2010 (UTC)


 * My proposal is up at User:CarlWitty/Definitions_proposal. CarlWitty 19:41, 12 February 2010 (UTC)

I just did a reasonably detailed writeup of the new definition mechanism in Ghilbert:. Hopefully this will add to the discussion here. I _do_ believe that it's possible to reconcile soundness (and reasonable simplicity) with enough power and expressiveness that the definition mechanism won't get seriously in the way of doing mathematical work. Btw, feel free to ask me for edit permissions over there if you want them. It's still nowhere near fully set up yet, but one must start somewhere. Raph 08:38, 25 February 2010 (UTC)