A TLA+ Proof System

We describe an extension to the TLA+ specification language with constructs for writing proofs and a proof environment, called the Proof Manager (PM), to check those proofs. The language and the PM support the incremental development and checking of…

Authors: Kaustuv C. Chaudhuri (MRI), Damien Doligez (INRIA Rocquencourt), Leslie Lamport

Kaustuv Chaudhuri (INRIA), Damien Doligez (INRIA), Leslie Lamport (Microsoft Research), Stephan Merz (INRIA & Loria)

Abstract

We describe an extension to the TLA+ specification language with constructs for writing proofs and a proof environment, called the Proof Manager (PM), to check those proofs. The language and the PM support the incremental development and checking of hierarchically structured proofs. The PM translates a proof into a set of independent proof obligations and calls upon a collection of back-end provers to verify them. Different provers can be used to verify different obligations. The currently supported back-ends are the tableau prover Zenon and Isabelle/TLA+, an axiomatisation of TLA+ in Isabelle/Pure. The proof obligations for a complete TLA+2 proof can also be used to certify the theorem in Isabelle/TLA+.

1 Introduction

TLA+ is a language for specifying the behavior of concurrent and distributed systems and asserting properties of those systems [11]. However, it provides no way to write proofs of those properties. We have designed an extended version of the language that allows writing proofs, and we have begun implementing a system centered around a Proof Manager (PM) that invokes existing automated and interactive proof systems to check those proofs. For now, the new version of TLA+ is called TLA+2 to distinguish it from the current one. We describe here the TLA+2 proof constructs and the current state of the proof system.

The primary goal of TLA+2 and the proof system is the mechanical verification of systems specifications. The proof system must not only support the modal and temporal aspects of TLA needed to reason about system properties, but must also support ordinary mathematical reasoning in the underlying logic.
Proofs in TLA+2 are natural deduction proofs written in a hierarchical style that we have found to be good for ordinary mathematics [9] and crucial for managing the complexity of correctness proofs of systems [6]. The PM computes proof obligations that establish the correctness of the proof and sends them to one or more back-end provers to be verified. Currently, the back-end provers are Isabelle/TLA+, a faithful axiomatization of TLA+ in Isabelle/Pure, and Zenon [2], a tableau prover for classical first-order logic with equality. The PM first sends a proof obligation to Zenon. If Zenon succeeds, it produces an Isar script that the PM sends to Isabelle to check. Otherwise, the PM outputs an Isar script that uses one of Isabelle's automated tactics. In both cases, the obligations are certified by Isabelle/TLA+. The system architecture easily accommodates other back-end provers; if these are proof-producing, then we can use their proofs to certify the obligations in Isabelle/TLA+, resulting in high confidence in the overall correctness of the proof.

The TLA+2 proof constructs are described in Section 2. Section 3 describes the proof obligations generated by the PM, and Section 4 describes how the PM uses Zenon and Isabelle to verify them. The conclusion summarizes what we have done and not yet done and briefly discusses related work.

2 TLA+ and its Proof Language

2.1 TLA

The TLA+ language is based on the Temporal Logic of Actions (TLA) [10], a linear-time temporal logic. The rigid variables of TLA are called constants and the flexible variables are called simply variables. TLA assumes an underlying ordinary (non-modal) logic for constructing expressions. Operators of that logic are called constant operators.
A state function is an expression built from constant operators and TLA constants and variables. The elementary (non-temporal) formulas of TLA are actions, which are formulas built with constant operators, constants, variables, and expressions of the form f′, where f is a state function. (TLA also has an enabled operator that is used in expressing fairness, but we ignore it for brevity.) An action is interpreted as a predicate on pairs of states that describes a set of possible state transitions, where state functions refer to the starting state and primed state functions refer to the ending state. Because priming distributes over constant operators and because c′ is equal to c for any constant c, an action can be reduced to a formula built from constant operators, constants, variables, and primed variables.

TLA is practical for describing systems because all the complexity of a specification is in the action formulas. Temporal operators are essentially used only to assert liveness properties, including fairness of system actions. Most of the work in a TLA proof is in proving action formulas; temporal reasoning occurs only in proving liveness properties and is limited to propositional temporal logic and to applying a handful of proof rules whose main premises are action formulas. Because temporal reasoning is such a small part of TLA proofs, we have deferred its implementation. The PM now handles only action formulas. We have enough experience mechanizing TLA's temporal reasoning [4] to be fairly confident that it will not be hard to extend the PM to support it.
A formula built from constant operators, constants, variables, and primed variables is valid iff it is a valid formula of the underlying logic when constants, variables, and primed variables are treated as distinct variables of the logic; that is, if v and v′ are considered to be two distinct variables of the underlying logic, for any TLA variable v. Since any action formula is reducible to such a formula, action reasoning is immediately reducible to reasoning in the underlying logic. We therefore ignore variables and priming here and consider only constant formulas.

2.2 TLA+

The TLA+ language adds the following to the TLA logic:

• An underlying logic that is essentially ZFC set theory plus classical untyped first-order logic with Hilbert's ε [13]. The major difference between this underlying logic and traditional ZFC is that functions are defined axiomatically rather than being represented as sets of ordered pairs.

• A mechanism for defining operators, where a user-defined operator is essentially a macro that is expanded syntactically. (TLA+ permits recursive function definitions, but they are translated to ordinary definitions using Hilbert's ε.)

• Modules, where one module can import definitions and theorems from other modules. A module is parameterized by its declared variables and constants, and it may be instantiated in another module by substituting expressions for its parameters. The combination of substitution and the enabled operator introduces some complications, but space limitations prevent us from discussing them, so we largely ignore modules in this paper.

TLA+ has been extensively documented [11]. Since we are concerned only with reasoning about its underlying logic, which is a very familiar one, we do not bother to describe TLA+ in any detail. All of its nonstandard notation that appears in our examples is explained.
2.3 The Proof Language

The major new feature of TLA+2 is its proof language. (For reasons having nothing to do with proofs, TLA+2 also introduces recursive operator definitions, which we ignore here for brevity.) We describe the basic proof language, omitting a few constructs that concern aspects such as module instantiation that we are not discussing. TLA+2 also adds constructs for naming subexpressions of a definition or theorem, which is important in practice for writing proofs but is orthogonal to the concerns of this paper.

The goal of the language is to make proofs easy to read and write for someone with no knowledge of how the proofs are being checked. This leads to a mostly declarative language, built around the uses and proofs of assertions rather than around the application of proof-search tactics. It is therefore more akin to Isabelle/Isar [17] than to more operational interactive languages such as Coq's Vernacular [16]. Nevertheless, the proof language does include a few operational constructs that can eliminate the repetition of common idioms, albeit with some loss of perspicuity.

At any point in a TLA+ proof, there is a current obligation that is to be proved. The obligation contains a context of known facts, definitions, and declarations, and a goal. The obligation claims that the goal is logically entailed by the context. Some of the facts and definitions in the context are marked (explicitly or implicitly) as usable for reasoning, while the remaining facts and definitions are hidden.

Proofs are structured hierarchically. The leaf (lowest-level) proof obvious asserts that the current goal follows easily from the usable facts and definitions. The leaf proof by e1, ..., em defs o1, ..., on asserts that the current goal follows easily from the usable facts and definitions together with (i) the facts ei that must themselves follow easily from the context and (ii) the known definitions of oj. Whether a goal follows easily from definitions and facts depends on who is trying to prove it. For each leaf proof, the PM sends the corresponding leaf obligation to the back-end provers, so in practice "follows easily" means that a back-end prover can prove it.

A non-leaf proof is a sequence of steps, each consisting of a begin-step token and a proof construct. For some constructs (including a simple assertion of a proposition) the step takes a subproof, which may be omitted. The final step in the sequence simply asserts the current goal, which is represented by the token qed. A begin-step token is either a level token of the form ⟨n⟩ or a label of the form ⟨n⟩l, where n is a level number that is the same for all steps of this non-leaf proof, and l is an arbitrary name. The hierarchical structure is deduced from the level numbers of the begin-step tokens, a higher level number beginning a subproof. Some steps make declarations or definitions or change the current goal and do not require a proof. Other steps make assertions that become the current goals for their proofs. An omitted proof (or one consisting of the token omitted) is considered to be a leaf proof that instructs the assertion to be accepted as true. Of course, the proof is then incomplete. From a logical point of view, an omitted step is the same as an additional assumption added to the theorem; from a practical point of view, it doesn't have to be lifted from its context and stated at the start. Omitted steps are intended to be used only in the intermediate stages of writing a proof.
Following a step that makes an assertion (and the step's proof), until the end of the current proof (after the qed step), the contexts contain that assertion in their sets of known facts. The assertion is marked usable iff the begin-step token is a level token; otherwise it can be referred to by its label in a by proof or made usable with a use step.

The hierarchical structure of proofs not only aids in reading the finished proof but is also quite useful in incrementally writing proofs. The steps of a non-leaf proof are first written with all proofs but that of the qed step omitted. After checking the proof of the qed step, the proofs omitted for other steps in this or earlier levels are written in any order. When writing the proof, one may discover facts that are needed in the proofs of multiple steps. Such a fact is then added to the proof as an earlier step, or added at a higher level. It can also be removed from the proof of the theorem and proved separately as a lemma. However, the hierarchical proof language encourages facts relevant only for a particular proof to be kept within the proof, making the proof's structure easier to see and simplifying maintenance of the proof. For correctness proofs of systems, the first few levels of the hierarchy are generally determined by the structure of the formula to be proved; for example, the proof that a formula implies a conjunction usually consists of steps asserting that it implies each conjunct.

As an example, we incrementally construct a hierarchical proof of Cantor's theorem, which states that there is no surjective function from a set to its power set.
It is written in TLA+ as:

  theorem ∀ S : ∀ f ∈ [S → subset S] : ∃ A ∈ subset S : ∀ x ∈ S : f[x] ≠ A

where function application is written using square brackets, subset S is the powerset of S, and [S → T] is the set of functions from S to T. The statement of the theorem is the current goal for its top-level proof. A goal of the form ∀ v : e is proved by introducing a generic constant and proving the formula obtained by substituting it for the bound identifier. We express this as follows, using the assume/prove construct of TLA+2:

  theorem ∀ S : ∀ f ∈ [S → subset S] : ∃ A ∈ subset S : ∀ x ∈ S : f[x] ≠ A
  ⟨1⟩1. assume new S, new f ∈ [S → subset S]
        prove ∃ A ∈ subset S : ∀ x ∈ S : f[x] ≠ A
  ⟨1⟩2. qed by ⟨1⟩1

Although we could have used labels such as ⟨1⟩one and ⟨1⟩last instead of ⟨1⟩1 and ⟨1⟩2, we have found that proofs are easier to read when steps at the same level are labeled with consecutive numbers. One typically starts using consecutive step numbers and then uses labels like ⟨3⟩2a for inserting additional steps. When the proof is finished, steps are renumbered consecutively. (A planned user interface will automate this renumbering.)

Step ⟨1⟩1 asserts that for any constants S and f with f ∈ [S → subset S], the proposition to the right of the prove is true. More precisely, the current context for the (as yet unwritten) proof of ⟨1⟩1 contains the declarations of S and f and the usable fact f ∈ [S → subset S], and the prove assertion is its goal. The qed step states that the original goal (the theorem) follows from the assertion in step ⟨1⟩1. We tell the PM to check this (incomplete) proof, which it does by having the back-end provers verify the proof obligation for the qed step. The verification succeeds, and we now continue by writing the proof of ⟨1⟩1.
(Had the verification failed because ⟨1⟩1 did not imply the current goal, we would have caught the error before attempting to prove ⟨1⟩1, which we expect to be harder to do.) We optimistically start with the proof obvious, but it is too hard for the back-end to prove, and the PM reports a timeout. Often this means that a necessary fact or definition in the context is hidden and we merely have to make it usable with a use step or a by proof. In this case we have no such hidden assumptions, so we must refine the goal into simpler goals with a non-leaf proof. We let this proof have level 2 (we can use any level greater than 1). Since the goal itself is existentially quantified, we must supply a witness. In this case, the witness is the classic diagonal set, which we call T.

  ⟨1⟩1. assume new S, new f ∈ [S → subset S]
        prove ∃ A ∈ subset S : ∀ x ∈ S : f[x] ≠ A
    ⟨2⟩1. define T ≜ {z ∈ S : z ∉ f[z]}
    ⟨2⟩2. ∀ x ∈ S : f[x] ≠ T
    ⟨2⟩3. qed by ⟨2⟩2

Because definitions made within a proof are usable by default, the definition of T is usable in the proofs of ⟨2⟩2 and ⟨2⟩3. Once again, the proof of the qed step is automatically verified, so all that remains is to prove ⟨2⟩2. (The define step requires no proof.) The system accepts obvious as the proof of ⟨2⟩2 because the only difficulty in the proof of ⟨1⟩1 is finding the witness. However, suppose we want to add another level of proof for the benefit of a human reader. The universal quantification is proved as above, by introducing a fresh constant:

  ⟨2⟩2. ∀ x ∈ S : f[x] ≠ T
    ⟨3⟩1. assume new x ∈ S prove f[x] ≠ T
    ⟨3⟩2. qed by ⟨3⟩1

Naturally, the qed step is verified. Although the system accepts obvious as the proof of ⟨3⟩1 (remember that it could verify ⟨2⟩2 by itself), we can provide more detail with yet another level of proof.
We write this proof the way it would seem natural to a person, by breaking it into two cases:

  ⟨3⟩1. assume new x ∈ S prove f[x] ≠ T
    ⟨4⟩1. case x ∈ T
    ⟨4⟩2. case x ∉ T
    ⟨4⟩3. qed by ⟨4⟩1, ⟨4⟩2

The (omitted) proof of the case statement ⟨4⟩1 has as its goal f[x] ≠ T and has the additional usable fact x ∈ T in its context. We continue refining the proof in this way, stopping with an obvious or by proof when a goal is obvious enough for the back-end prover or for a human reader, depending on who the proof is being written for. A by statement can guide the prover or the human reader by listing helpful obvious consequences of known facts. For example, the proof of ⟨4⟩1 might be by x ∉ f[x]. The proof is now finished: it contains no omitted sub-proofs. For reference, the complete text of the proof is given in Appendix B.

Our experience writing hand proofs makes us expect that proofs of systems could be ten or more levels deep, with the first several levels dictated by the structure of the property to be proved. Our method of numbering steps makes such proofs manageable, and we are not aware of any good alternative.

This example illustrates how the proof language supports the hierarchical, non-linear, and incremental development of proofs. The proof writer can work on the most problematic unproved steps first, leaving the easier ones for later. Finding that a step cannot be proved (for example, because it is invalid) may require changing other steps, making proofs of those other steps wasted effort. We intend to provide an interface to the PM that will make it easy for the user to indicate which proofs should be checked and will avoid unnecessarily rechecking proofs. The example also shows how already-proved facts are generally not made usable, but are invoked explicitly in by proofs.
Global definitions are also hidden by default and the user must explicitly make them usable. This makes proofs easier to read by telling the reader what facts and definitions are being used to prove each step. It also helps constrain the search space for an automated back-end prover, leading to more efficient verification. Facts and definitions can be switched between usable and hidden by use and hide steps, which have the same syntax as by. As noted above, omitting the label from a step's starting token (for example, writing ⟨4⟩ instead of ⟨4⟩2) makes the fact it asserts usable. This might be done for compactness at the lowest levels of a proof.

The example also indicates how the current proof obligation at every step of the proof is clear, having been written explicitly in a parent assertion. This clear structure comes at the cost of introducing many levels of proof, which can be inconvenient. One way of avoiding these extra levels is by using an assertion of the form suffices A, which asserts that proving A proves the current goal, and makes A the new current goal in subsequent steps. In our example proof, one level in the proof of step ⟨2⟩2 can be eliminated by writing the proof as:

  ⟨2⟩2. ∀ x ∈ S : f[x] ≠ T
    ⟨3⟩1. suffices assume new x ∈ S prove f[x] ≠ T
          proof obvious
    ⟨3⟩2. case x ∈ T
    ⟨3⟩3. case x ∉ T
    ⟨3⟩4. qed by ⟨3⟩2, ⟨3⟩3

where the proofs of the case steps are the same as before. The suffices statement changes the current goal of the level-3 proof to f[x] ≠ T after adding a declaration of x and the usable fact x ∈ S to the context. This way of proving a universally quantified formula is sufficiently common that TLA+2 provides a take construct that allows the suffices assertion ⟨3⟩1 and its obvious proof to be written take x ∈ S.
There is a similar construct, witness f ∈ S, for proving an existentially quantified goal ∃ x ∈ S : e, which changes the goal to e[x := f]. For implicational goals e ⇒ f, the construct have e changes the goal to f. No other constructs in the TLA+2 proof language change the form of the current goal. We advise that these constructs be used only at the lowest levels of the proof, since the new goal they create must be derived instead of being available textually in a parent assertion. (As a check and an aid to the reader, one can at any point insert a redundant suffices step that simply asserts the current goal.)

The final TLA+2 proof construct is pick x : e, which introduces a new symbol x that satisfies e. The goal of the proof of this pick step is ∃ x : e, and it changes the context of subsequent steps by adding a declaration of x and the fact e. A more formal summary of the language appears in Appendix A.

The semantics of a TLA+2 proof is independent of any back-end prover. Different provers will have different notions of what "follows easily", so an obvious proof may be verified by one prover and not another. In practice, many provers such as Isabelle must be directed to use decision procedures or special tactics to prove some assertions. For this purpose, special standard modules will contain dummy theorems for giving directives to the PM. Using such a theorem (with a use step or by proof) will cause the PM not to use it as a fact, but instead to generate special directives for back-end provers. It could even cause the PM to use a different back-end prover. (If possible, the dummy theorem will assert a true fact that suggests the purpose of the directive.) For instance, using the theorem Arithmetic might be interpreted as an instruction to use a decision procedure for integers.
We hope that almost all uses of this feature will leave the TLA+2 proof independent of the back-end provers. The proof will not have to be changed if the PM is reconfigured to replace one decision procedure with a different one.

3 Proof Obligations

The PM generates a separate proof obligation for each leaf proof and orchestrates the back-end provers to verify these obligations. Each obligation is independent and can be proved individually. If the system cannot verify an obligation within a reasonable amount of time, the PM reports a failure. The user must then determine if it failed because it depends on hidden facts or definitions, or if the goal is too complex and needs to be refined with another level of proof. (Hiding facts or definitions might also help to constrain the search space of the back-end provers.) When the back-end provers fail to find a proof, the user will know which obligation failed; that is, she will be told the obligation's usable context and goal and the leaf proof from which it was generated. We do not yet know if this will be sufficient in practice or if the PM will need to provide the user with more information about why an obligation failed. For example, many SAT and SMT solvers produce counterexamples for an unprovable formula that can provide useful debugging information.

The PM will also mediate the certification of the TLA+2 theorem in a formal axiomatization of TLA+2 in a trusted logical framework, which in the current design is Isabelle/TLA+ (described in Section 4.2). Although the PM is designed generically and can support other similar frameworks, for the rest of this paper we will limit our attention to Isabelle/TLA+. Assuming that Isabelle/TLA+ is sound, once it has certified a theorem we know that an error is possible only if the PM incorrectly translated the statement of the theorem into Isabelle/TLA+.
After certifying the proof obligations generated for the leaf proofs, called the leaf obligations, certification of the theorem itself is achieved in two steps. First, the PM generates a structure lemma (and its Isabelle/TLA+ proof) that states simply that the collection of leaf obligations implies the theorem. Then, the PM generates a proof of the theorem using the already-certified obligations and structure lemma. If Isabelle accepts that proof, we are assured that the translated version of the theorem is true in Isabelle/TLA+, regardless of any errors made by the PM. Of course, we expect the PM to be correct. We now explain why it should be by describing how it generates the leaf obligations from the proof of a theorem. (Remember that we are considering only TLA+2 formulas with no temporal operators.)

Formally, a theorem in TLA+2 represents a closed proof obligation in the TLA+2 meta-logic of the form (Γ ⊢ e), where Γ is a context containing all the declarations, definitions, facts (previous assumptions or theorems) and the assumptions introduced in the theorem using an assume clause (if present), and e is a TLA+2 formula that is the goal of the theorem. A closed obligation (Γ ⊢ e) is true if e is entailed by Γ in the formal semantics of TLA+ [11]. It is said to be provable if we have a proof of e from Γ in Isabelle/TLA+. Because we assume Isabelle/TLA+ to be sound, we consider any provable obligation to be true. A claim is a sentence of the form π : (Γ ⊢ e), where π is a TLA+2 proof. This claim represents the verification task that π is a proof of the proof obligation (Γ ⊢ e). The PM generates the leaf obligations of a claim by recursively traversing its proof, using its structure to refine the obligation of the claim.
For a non-leaf proof, each proof step modifies the context or the goal of its obligation to produce an obligation for its following step, and the final qed step proves the final form of the obligation. More precisely, every step defines a transformation, written

$$\sigma.\tau : (\Gamma \vdash e) \to (\Delta \vdash f),$$

which states that the input obligation (Γ ⊢ e) is refined to the obligation (Δ ⊢ f) by the step σ.τ. A step is said to be meaningful if the input obligation matches the form of the step. (An example of a meaningless claim is one that involves a take step whose input obligation does not have a universally quantified goal.) A claim is meaningful if every step in it is meaningful.

The recursive generation of leaf obligations for meaningful claims and transformations is specified using inference rules, with the interpretation that the leaf obligations generated for the claim or transformation at the conclusion of a rule is the union of those generated by the claims and transformations in the premises of the rule. For example, the following rule is applied to generate the leaf obligations for a claim π : (Γ ⊢ e) when π is a sequence of n steps, for n > 1.

$$\frac{\sigma_1.\tau_1 : (\Gamma \vdash e) \to (\Delta \vdash f) \qquad \sigma_2.\tau_2 \cdots \sigma_n.\tau_n : (\Delta \vdash f)}{\sigma_1.\tau_1\ \sigma_2.\tau_2 \cdots \sigma_n.\tau_n : (\Gamma \vdash e)}$$

The leaf obligations of the claim in the conclusion are the union of those of the claim and transformation in the premises. As an example of leaf obligations generated by a transformation, here is a rule for the step σ.τ where σ is the begin-step level token ⟨n⟩ and τ is the proposition p with proof π.

$$\frac{\pi : (\Gamma, [\neg e] \vdash p)}{\langle n \rangle.\ p\ \textsc{proof}\ \pi : (\Gamma \vdash e) \to (\Gamma, p \vdash e)}$$

The rule concludes that the refinement in this step is to add p to the context of the obligation, assuming that the sub-proof π is able to establish it.
The leaf obligations generated by this transformation are the same as those of the claim in the premise of the rule. The goal e is negated and added to the context as a hidden fact (the square brackets indicate hiding). We can use ¬e in a by proof or use statement, and doing so can simplify subproofs. (Because we are using classical logic, it is sound to add ¬e to the known facts in this way.) The full set of such rules for every construct in the TLA+2 proof language is given in Appendix A.

A claim is said to be complete if its proof contains no omitted subproofs. Starting from a complete meaningful claim, the PM first generates its leaf obligations and filters the hidden assumptions from their contexts. (Filtration amounts to deleting hidden facts and replacing hidden operator definitions with declarations.) The PM then asks the back-end provers to find proofs of the filtered obligations, which are used to certify the obligations in Isabelle/TLA+. The PM next writes an Isar proof of the obligation of the complete meaningful claim that uses its certified filtered leaf obligations. The following meta-theorem (proved in Appendix A.4) ensures that the PM can do this for all complete meaningful claims.

Theorem 1 (Structural Soundness Theorem). If π : (Γ ⊢ e) is a complete meaningful claim and every leaf obligation it generates is provable after filtering hidden assumptions, then (Γ ⊢ e) is provable.

Isabelle/TLA+ then uses this proof to certify the obligation of the claim. From the assumptions that the Isabelle/TLA+ axiomatization is faithful to the semantics of TLA+2 and that the embedding of TLA+2 into Isabelle/TLA+ is sound, it follows that the obligation is true.
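As an added illustration of the obligation generation of Section 3 applied to the Cantor proof of Section 2.3 (example code written for this page, not the PM's implementation), the following Python model encodes proof steps as objects and applies the refinement rules described above: an asserted step adds its proposition to the context (usable only when the begin-step token is a bare level token), the step's subproof sees the negated goal as a hidden fact, a by proof makes the labelled facts it names usable and generates an extra obligation for any other fact it lists, and filtration deletes hidden facts. The class names, the treatment of a proved case step as the hidden implication c ⇒ goal, and the omission of hidden operator definitions are assumptions of this model.

```python
"""Model of how the PM turns a hierarchical TLA+2 proof into filtered leaf obligations (added example, not PM code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Union

@dataclass
class Fact:
    text: str
    hidden: bool                 # hidden facts are deleted by filtration
    label: Optional[str] = None  # begin-step label such as "<2>2", if any
@dataclass
class Obligation:                # (Gamma |- goal)
    context: List[Fact]
    goal: str
    def filtered(self) -> "Obligation":   # delete hidden facts (hidden definitions not modelled)
        return Obligation([f for f in self.context if not f.hidden], self.goal)
@dataclass
class By:                        # leaf proof: obvious is By([]); "by <2>2, e" is By(["<2>2", "e"])
    facts: List[str] = field(default_factory=list)
@dataclass
class Assert:                    # <n>l. [assume ... prove] p  proof
    label: Optional[str]         # None for a bare level token <n>
    prop: str
    proof: "Proof"
    assumes: List[str] = field(default_factory=list)   # "new x \in S", ...
@dataclass
class Define:                    # <n>l. define o == ...  (usable by default, no proof)
    text: str
@dataclass
class Case:                      # <n>l. case c  proof  (goal unchanged, c usable in subproof)
    label: str
    cond: str
    proof: "Proof"
@dataclass
class Qed:                       # <n>l. qed  proof
    proof: "Proof"
Proof = Union[By, list]          # a leaf proof or a sequence of steps

def leaf_obligations(ob: Obligation, proof: Proof) -> List[Obligation]:
    """Filtered leaf obligations generated for the claim  proof : ob."""
    if isinstance(proof, By):
        ctx, out = list(ob.context), []
        for item in proof.facts:
            if any(f.label == item for f in ctx):   # a label: that hidden fact becomes usable
                ctx = [Fact(f.text, False, f.label) if f.label == item else f for f in ctx]
            else:                                   # an arbitrary fact e_i ...
                out.append(Obligation(ctx, item).filtered())   # ... must itself follow from ctx
                ctx.append(Fact(item, False))                  # ... and is then usable for the goal
        return out + [Obligation(ctx, ob.goal).filtered()]
    out = []
    for step in proof:           # each step refines the obligation for the next step
        ob, new = apply_step(ob, step)
        out.extend(new)
    return out

def apply_step(ob: Obligation, step):
    """Transformation (Gamma |- e) -> (Delta |- f) of one step, plus its leaf obligations."""
    neg_goal = Fact("~(" + ob.goal + ")", True)   # the hidden negated goal [~e]
    if isinstance(step, Assert):
        sub_ctx = ob.context + [neg_goal] + [Fact(a, False) for a in step.assumes]
        subs = leaf_obligations(Obligation(sub_ctx, step.prop), step.proof)
        text = ("assume " + ", ".join(step.assumes) + " prove " if step.assumes else "") + step.prop
        # the asserted fact is usable iff the begin-step token is a bare level token
        new_fact = Fact(text, step.label is not None, step.label)
        return Obligation(ob.context + [new_fact], ob.goal), subs
    if isinstance(step, Define):
        return Obligation(ob.context + [Fact(step.text, False)], ob.goal), []
    if isinstance(step, Case):
        sub_ctx = ob.context + [neg_goal, Fact(step.cond, False)]
        subs = leaf_obligations(Obligation(sub_ctx, ob.goal), step.proof)
        # what a proved case step contributes afterwards (an assumption of this model)
        new_fact = Fact(step.cond + " => " + ob.goal, True, step.label)
        return Obligation(ob.context + [new_fact], ob.goal), subs
    if isinstance(step, Qed):
        return ob, leaf_obligations(ob, step.proof)
    raise TypeError("unknown step: %r" % (step,))

# The Cantor proof of Section 2.3, with "by x \notin f[x]" as the proof of <4>1.
GOAL_A = "\\E A \\in SUBSET S : \\A x \\in S : f[x] # A"
THEOREM = Obligation([], "\\A S : \\A f \\in [S -> SUBSET S] : " + GOAL_A)
CANTOR = [
    Assert("<1>1", GOAL_A, [
        Define("T == {z \\in S : z \\notin f[z]}"),
        Assert("<2>2", "\\A x \\in S : f[x] # T", [
            Assert("<3>1", "f[x] # T", [
                Case("<4>1", "x \\in T", By(["x \\notin f[x]"])),
                Case("<4>2", "x \\notin T", By()),
                Qed(By(["<4>1", "<4>2"])),
            ], assumes=["new x \\in S"]),
            Qed(By(["<3>1"])),
        ]),
        Qed(By(["<2>2"])),
    ], assumes=["new S", "new f \\in [S -> SUBSET S]"]),
    Qed(By(["<1>1"])),
]

def cantor_obligations() -> List[Obligation]:
    return leaf_obligations(THEOREM, CANTOR)
```

Running cantor_obligations() yields seven filtered leaf obligations, the first being the side obligation that x ∉ f[x] follows from x ∈ T and the definition of T, and the last the qed obligation of the theorem with the ⟨1⟩1 assertion made usable.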
4 Verifying Proof Obligations

Once the PM generates the leaf obligations, it must send them to the back-end provers. The one non-obvious part of doing this is deciding whether definitions should be expanded by the PM or by the prover. This is discussed in Section 4.1. We then describe the state of our two current back-end provers, Isabelle/TLA+ and Zenon.

4.1 Expanding Definitions

Expansion of usable definitions cannot be left entirely to the back-end prover. The PM itself must do it for two reasons:

• It must check that the current goal has the right form for a take, witness, or have step to be meaningful, and this can require expanding definitions.

• The encoding of TLA+ in the back-end prover's logic would be unsound if a modal operator like prime (′) were encoded as a non-modal operator. Hence, encoding a definition like O(x) ≜ x′ as an ordinary definition in the prover's logic would be unsound. All instances of such operators must be removed by expanding their definitions before a leaf obligation is sent to the back-end prover. Such operator definitions seldom occur in actual TLA+ specifications, but the PM must be able to deal with them.

Another reason for the PM to handle definition expansion is that the Isabelle/TLA+ object logic does not provide a direct encoding of definitions made within proofs. We plan to reduce the amount of trusted code in the PM by lambda-lifting all usable definitions out of each leaf obligation and introducing explicit operator definitions using Isabelle's meta equality (≡). These definitions will be expanded before interacting with Isabelle.

4.2 Isabelle/TLA+

The core of TLA+2 is being encoded as a new object logic Isabelle/TLA+ in the proof assistant Isabelle [14]. One of Isabelle's distinctive features that similar proof assistants such as Coq [16] or HOL [7, 8] lack is genericity with respect to different logics.
The base system Isabelle/Pure provides the trusted kernel and a framework in which the syntax and proof rules of object logics can be defined. We have chosen to encode TLA+2 as a separate object logic rather than add it on top of one of the existing logics (such as ZF or HOL). This simplifies the translation and makes it easier to interpret the error messages when Isabelle fails to prove obligations. A strongly typed logic such as HOL would have been unsuitable for representing TLA+2, which is untyped. Isabelle/ZF might seem like a natural choice, but differences between the way it and TLA+ define functions and tuples would have made the encoding awkward and would have prevented us from reusing existing theories. Fortunately, the genericity of Isabelle helped us not only to define the new logic, but also to instantiate the main automated proof methods, including rewriting, resolution- and tableau provers, and case-based and inductive reasoning. Adding support for more specialized reasoning tools such as proof-producing SAT solvers [5] or SMT solvers such as haRVey [3] will be similarly helped by existing generic interfaces.

The current encoding supports only a core subset of TLA+2, including propositional and first-order logic, elementary set theory, functions, and the construction of natural numbers. Support for arithmetic, strings, tuples, sequences, and records is now being added; support for the modal part of TLA+2 (variables, priming, and temporal logic) will be added later. Nevertheless, the existing fragment can already be used to test the interaction of the PM with Isabelle and other back-end provers. As explained above, Isabelle/TLA+ is used both as a back-end prover and to check proof scripts produced by other back-end provers such as Zenon.
If it turns out to be necessary, we will enable the user to invoke one of Isabelle's automated proof methods (such as auto or blast) by using a dummy theorem, as explained at the end of Section 2.3. If the method succeeds, one again obtains an Isabelle theorem. Of course, Isabelle/TLA+ can also be used independently of the PM, which is helpful when debugging tactics.

4.3 Zenon

Zenon [2] is a tableau prover for classical first-order logic with equality that was initially designed to output formal proofs checkable by Coq [16]. Zenon outputs proofs in an automatically-checkable format and it is easily extensible with new inference rules. One of its design goals is predictability in solving simple problems, rather than high performance in solving some hard problems. These characteristics make it well-suited to our needs. We have extended Zenon to output Isar proof scripts for Isabelle/TLA+ theorems, and the PM uses Zenon as a back-end prover, shipping the proofs it produces to Isabelle to certify the obligation.

We have also extended Zenon with direct support for the TLA+2 logic, including definitions and rules about sets and functions. Adding support in the form of rules (instead of axioms) is necessary because some rules are not expressible as first-order axioms, notably the rules about the set constructs:

$$
\frac{e \in S \qquad P[x := e]}{e \in \{x \in S : P\}}\ \text{subsetOf}
\qquad\qquad
\frac{\exists y \in S : e = d[x := y]}{e \in \{d : x \in S\}}\ \text{setOfAll}
$$

Even for the rules that are expressible as first-order axioms, adding them as rules makes the proof search procedure much more efficient in practice. The most important example is extensionality: when set extensionality and function extensionality are added as axioms, they apply to every equality deduced by the system, and pollute the search space with large numbers of irrelevant formulas.
By adding them as rules instead, we can use heuristics to apply them only in cases where they have some chance of being useful.

Adding support for arithmetic, strings, tuples, sequences, and records will be done in parallel with the corresponding work on Isabelle/TLA+, to ensure that Zenon will produce proof scripts that Isabelle/TLA+ will be able to check. Temporal logic will be added later.

We also plan to interface Zenon with Isabelle, so it can be called by a special Isabelle tactic the same way other tools are. This will simplify the PM by giving it a uniform interface to the back-end provers. It will also allow using Zenon as an Isabelle tactic independently of TLA+.

5 Conclusions and Future Work

We have presented a hierarchically structured proof language for TLA+. It has several important features that help in managing the complexity of proofs. The hierarchical structure means that changes made at any level of a proof are contained inside that level, which helps construct and maintain proofs. Leaf proofs can be omitted and the resulting incomplete proof can be checked. This allows different parts of the proof to be written separately, in a non-linear fashion. The more traditional linear proof style, in which steps that have not yet been proved can be used only if explicitly added as hypotheses, encourages proofs that use many separate lemmas. Such proofs lack the coherent structure of a single hierarchical proof.

The proof language lets the user freely and repeatedly make facts and definitions usable or hidden. Explicitly stating what is being used to prove each step makes the proof easier for a human to understand. It also aids a back-end prover by limiting its search for a proof to ones that use only necessary facts.
There are other declarative proof languages that are similar to TLA+2. Isar [17] is one such language, but it has significant differences that encourage a different style of proof development. For example, it provides an accumulator facility to avoid explicit references to proof steps. This is fine for short proofs, but in our experience does not work well for the long proofs that are typical of the algorithm verification that TLA+2 targets. Moreover, because Isabelle is designed for interactive use, the effects of the Isar proof commands are not always easily predictable, and this encourages a linear rather than hierarchical proof development style. The Focal Proof Language [1] is essentially a subset of the TLA+2 proof language. Our experience with hierarchical proofs in Focal provides additional confidence in the attractiveness of our approach. We know of no declarative proof language that has as flexible a method of using and hiding facts and definitions as that of TLA+2.

The PM transforms a proof into a collection of proof obligations to be verified by a back-end prover. Its current version handles proofs of theorems in the non-temporal fragment of TLA+ that do not involve module instantiation (importing of modules with substitution). Even with this limitation, the system can be useful for many engineering applications. We are therefore concentrating on making the PM and its back-end provers handle this fragment of TLA+ effectively before extending them to the complete language. The major work that remains to be done on this is to complete the Zenon and Isabelle inference rules for reasoning about the built-in constant operators of TLA+. There are also a few non-temporal aspects of the TLA+2 language that the PM does not yet handle, such as subexpression naming.
We also expect to extend the PM to support additional back-end provers, including decision procedures for arithmetic and for propositional temporal logic.

We do not anticipate that any major changes will be needed to the TLA+2 proof language. We do expect some minor tuning as we get more experience using it. For example, we are not sure whether local definitions should be usable by default.

A graphical user interface is being planned for the TLA+ tools, including the PM. It will support the non-linear development of proofs that the language and the proof system allow.

References

[1] P. Ayrault, M. Carlier, D. Delahaye, C. Dubois, D. Doligez, L. Habib, T. Hardin, M. Jaume, C. Morisset, F. Pessaux, R. Rioboo, and P. Weis. Secure software within Focal. In Computer & Electronics Security Applications Rendez-vous, December 2008.
[2] Richard Bonichon, David Delahaye, and Damien Doligez. Zenon: An extensible automated theorem prover producing checkable proofs. In N. Dershowitz and A. Voronkov, editors, Proc. 14th LPAR, pages 151–165, 2007.
[3] David Déharbe, Pascal Fontaine, Silvio Ranise, and Christophe Ringeissen. Decision procedures for the formal analysis of software. In K. Barkaoui, A. Cavalcanti, and A. Cerone, editors, Intl. Coll. Theoretical Aspects of Computing (ICTAC 2007), volume 4281 of Lecture Notes in Computer Science, pages 366–370, Tunis, Tunisia, 2007. Springer. See also http://harvey.loria.fr/.
[4] Urban Engberg, Peter Grønning, and Leslie Lamport. Mechanical verification of concurrent systems with TLA. In G. v. Bochmann and D. K. Probst, editors, Proc. 4th CAV, volume 663 of Lecture Notes in Computer Science, pages 44–55. Springer-Verlag, June 1992.
[5] Pascal Fontaine, Jean-Yves Marion, Stephan Merz, Leonor Prensa Nieto, and Alwen Tiu. Expressiveness + automation + soundness: Towards combining SMT solvers and interactive proof assistants. In Holger Hermanns and Jens Palsberg, editors, Proc. 12th TACAS, volume 3920 of Lecture Notes in Computer Science, pages 167–181, Vienna, Austria, 2006. Springer Verlag.
[6] Eli Gafni and Leslie Lamport. Disk Paxos. Distributed Computing, 16(1):1–20, 2003.
[7] Michael J. C. Gordon and Thomas F. Melham. Introduction to HOL: a theorem proving environment for higher-order logic. Cambridge University Press, 1993.
[8] John Harrison. The HOL Light theorem prover. http://www.cl.cam.ac.uk/~jrh13/hol-light/index.html.
[9] Leslie Lamport. How to write a proof. American Mathematical Monthly, 102(7):600–608, August 1993.
[10] Leslie Lamport. The temporal logic of actions. ACM Transactions on Programming Languages and Systems, 16(3):872–923, May 1994.
[11] Leslie Lamport. Specifying Systems: The TLA+ Language and Tools for Hardware and Software Engineers. Addison-Wesley, 2003.
[12] Leslie Lamport. TLA+2: A preliminary guide. Draft manuscript, April 2008. http://research.microsoft.com/users/lamport/tla/tla2-guide.pdf.
[13] A. C. Leisenring. Mathematical Logic and Hilbert's ε-Symbol. Gordon and Breach, New York, 1969.
[14] Lawrence C. Paulson. Isabelle: A Generic Theorem Prover, volume 828 of Lecture Notes in Computer Science. Springer, Berlin, Germany, 1994.
[15] Piotr Rudnicki. An overview of the Mizar project. In Workshop on Types for Proofs and Programs, Gothenburg, Sweden, 1992. Bastad. http://www.mizar.org.
[16] The Coq Development Team (Project TypiCal). The Coq proof assistant reference manual, 2008. http://coq.inria.fr/V8.1pl3/refman/index.html.
[17] Makarius Wenzel. The Isabelle/Isar reference manual, June 2008. http://www.cl.cam.ac.uk/research/hvg/Isabelle/dist/Isabelle/doc/isar-ref.pdf.
A Details of the PM

We shall now give a somewhat more formal specification of the PM and prove the key Structural Soundness Theorem 1. We begin with a quick summary of the abstract syntax of TLA+2 proofs, ignoring the stylistic aspects of their concrete representation. (See [12] for a more detailed presentation of the proof language.)

Definition 2 (TLA+2 Proof Language). TLA+2 proofs, non-leaf proofs, proof steps and begin-step tokens have the following syntax, where n ranges over natural numbers, l over labels, e over expressions, Φ over lists of expressions, o over operator definitions, Ψ over sets of operator names, β⃗ over lists of binders (i.e., constructs of the form x and x ∈ e used to build quantified expressions), and α over expressions or assume ... prove forms.

$$
\begin{array}{lrcl}
(\text{Proofs}) & \pi & ::= & \mathbf{obvious} \mid \mathbf{omitted} \mid \mathbf{by}\ \Phi\ \mathbf{defs}\ \Psi \mid \Pi \\
(\text{Non-leaf proofs}) & \Pi & ::= & \sigma.\ \mathbf{qed}\ \mathbf{proof}\ \pi \mid \sigma.\ \tau\ \Pi \\
(\text{Proof steps}) & \tau & ::= & \mathbf{use}\ \Phi\ \mathbf{defs}\ \Psi \mid \mathbf{hide}\ \Phi\ \mathbf{defs}\ \Psi \mid \mathbf{define}\ o \mid \mathbf{have}\ e \mid \mathbf{take}\ \vec\beta \mid \mathbf{witness}\ \Phi \\
 & & \mid & \alpha\ \mathbf{proof}\ \pi \mid \mathbf{suffices}\ \alpha\ \mathbf{proof}\ \pi \mid \mathbf{pick}\ \vec\beta : e\ \mathbf{proof}\ \pi \\
(\text{Begin-step tokens}) & \sigma & ::= & \langle n\rangle \mid \langle n\rangle l
\end{array}
$$

A proof that is not a non-leaf proof is called a leaf proof. The level numbers of a non-leaf proof must all be the same, and those in the subproof of a step (that is, the π in α proof π, etc.) must be strictly greater than that of the step itself.

A.1 The Meta-Language

The PM uses proofs in the TLA+2 proof language (Definition 2) to manipulate constructs in the meta-language of TLA+2. This meta-language naturally has no representation in TLA+2 itself; we define its syntax formally as follows.

Definition 3 (Meta-Language).
The TLA+2 meta-language consists of obligations, assumptions and definables with the following syntax, where e ranges over TLA+2 expressions, x and o over TLA+2 identifiers, and x⃗ over lists of TLA+2 identifiers.

$$
\begin{array}{lrcll}
(\text{Obligations}) & \phi & ::= & (h_1, \ldots, h_n \vdash e) & (n \ge 0) \\
(\text{Assumptions}) & h & ::= & \mathbf{new}\ x \mid o \triangleq \delta \mid \phi \mid [o \triangleq \delta] \mid [\phi] & \\
(\text{Definables}) & \delta & ::= & \phi \mid \mathbf{lambda}\ \vec x : e &
\end{array}
$$

The expression after ⊢ in an obligation is called its goal. An assumption written inside square brackets [ ] is said to be hidden; otherwise it is usable. For any assumption h, we write $\overline{h}$ (read: h made usable) to stand for h with its brackets removed if it is a hidden assumption, and to stand for h if it is not hidden. A list of assumptions is called a context, with the empty context written as ∅; we let Γ, Δ and Ω range over contexts, with Γ, Δ standing for the context that is the concatenation of Γ and Δ. The context $\overline{\Gamma}$ is Γ with all its hidden assumptions made usable. The obligation (∅ ⊢ e) is written simply as e. The assumptions new x, o ≜ δ and [o ≜ δ] bind the identifiers x and o respectively. We write x ∈ Γ if x is bound in Γ and x ∉ Γ if x is not bound in Γ. The context Γ, h is considered syntactically well-formed iff h does not bind an identifier already bound in Γ.

An obligation is a statement that its goal follows from the assumptions in its context. TLA+2 already defines such a statement using assume ... prove, but the contexts in such statements have no hidden assumptions or definitions. (To simplify the presentation, we give the semantics of a slightly enhanced proof language where proof steps are allowed to mention obligations instead of just TLA+2 assume ... prove statements.) We define an embedding of obligations into Isabelle/TLA+ propositions, which we take as the ultimate primitives of the TLA+2 meta-logic.

Definition 4.
The Isabelle/TLA+ embedding (−)^Isa of obligations, contexts and definables is as follows:

$$
\begin{array}{rcl}
(\Gamma \vdash e)^{\mathrm{Isa}} &=& (\Gamma)^{\mathrm{Isa}}\ e \\
(\mathbf{lambda}\ \vec x : e)^{\mathrm{Isa}} &=& \lambda \vec x.\ e \\
(\emptyset)^{\mathrm{Isa}} &=& \\
(\Gamma, \mathbf{new}\ x)^{\mathrm{Isa}} &=& (\Gamma)^{\mathrm{Isa}}\ \bigwedge x. \\
(\Gamma, o \triangleq \delta)^{\mathrm{Isa}} &=& (\Gamma)^{\mathrm{Isa}}\ \bigwedge o.\ (o \equiv (\delta)^{\mathrm{Isa}}) \Longrightarrow \\
(\Gamma, \phi)^{\mathrm{Isa}} &=& (\Gamma)^{\mathrm{Isa}}\ ((\phi)^{\mathrm{Isa}}) \Longrightarrow
\end{array}
$$

For example, (new P, [(new x ⊢ P(x))] ⊢ ∀x : P(x))^Isa = ⋀P. (⋀x. P(x)) ⟹ ∀x : P(x).

Note that usable and hidden assumptions are treated identically for the provability of an obligation. The embedding of ordinary TLA+2 expressions is the identity because Isabelle/TLA+ contains TLA+2 expressions as part of its object syntax. Thus, we do not have to trust the embedding of ordinary TLA+2 expressions, just that of the obligation language. In practice, some aspects of TLA+2 expressions, such as the indentation-sensitive conjunction and disjunction lists, are sent by the PM to Isabelle using an indentation-insensitive encoding. While Isabelle/TLA+ can implicitly generalize over the free identifiers in a lemma, we shall be explicit about binding and consider obligations provable only if they are closed.

Definition 5 (Well-Formed Obligations). The obligation (Γ ⊢ e) is said to be well-formed iff it is closed and (Γ ⊢ e)^Isa is a well-typed proposition of Isabelle/TLA+.

Definition 6 (Provability). The obligation (Γ ⊢ e) is said to be provable iff it is well-formed and (Γ ⊢ e)^Isa is certified by the Isabelle kernel to follow from the axioms of the Isabelle/TLA+ object logic.

We trust Isabelle/TLA+ to be sound with respect to the semantics of TLA+2, and therefore provability to imply truth. Formally, we work under the following trust axiom.

Axiom 7 (Trust). If φ is provable, then it is true.
We state a number of useful facts about obligations (which are all theorems in Isabel le/TLA+), omitting their trivial proofs. The last one (Fact 13) is true because TLA+ is based on classical logic.

Fact 8 (Definition). If (Γ, new o, Δ ⊢ e) is provable, then (Γ, o ≜ δ, Δ ⊢ e) is provable if it is well-formed.

Fact 9 (Weakening). If (Γ, Δ ⊢ e) is provable, then (Γ, h, Δ ⊢ e) is provable if it is well-formed.

Fact 10 (Expansion). If (Γ, o ≜ δ, Δ ⊢ e) is provable, then (Γ, o ≜ δ, Δ[o := δ] ⊢ e[o := δ]) is provable.

Fact 11 (Strengthening). If (Γ, new o, Δ ⊢ e) or (Γ, o ≜ δ, Δ ⊢ e) is provable and o is not free in (Δ ⊢ e), then (Γ, Δ ⊢ e) is provable.

Fact 12 (Cut). If (Γ, Δ ⊢ e) is provable and (Γ, (Δ ⊢ e), Ω ⊢ f) is provable, then (Γ, Ω ⊢ f) is provable.

Fact 13. If (Γ, ¬e, Δ ⊢ e) is provable, then (Γ, Δ ⊢ e) is provable.

The use/hide defs steps change the visibility of definitions in a context (Definition 14 below). Note that changing the visibility of a definition does not affect the provability of an obligation because the Isabelle embedding (Definition 4) makes all hidden definitions usable.

Definition 14. If Γ is a context and Ψ a set of operator names, then:
1. Γ with Ψ made usable, written Γ using Ψ, is constructed from Γ by replacing all assumptions of the form [o ≜ δ] in Γ with o ≜ δ for every o ∈ Ψ.
2. Γ with Ψ made hidden, written Γ hiding Ψ, is constructed from Γ by replacing all assumptions of the form o ≜ δ in Γ with [o ≜ δ] for every o ∈ Ψ.

A sequence of binders β⃗ in the TLA+2 expressions ∀β⃗ : e or ∃β⃗ : e can be reflected as assumptions.

Definition 15 (Binding Reflection). If β⃗ is a list of binders with each element of the form x or x ∈ e, then the reflection of β⃗ as assumptions, written ⟦β⃗⟧, is given inductively as follows.
   q    = q    ~ β, x    =    ~ β    , new x    ~ β, x ∈ e    =    ~ β    , new x , x ∈ e A.2 Interp r eting Proofs Let us recal l some definitions from section 3. Definition 16 (Claims and Tra nsformati ons) . A claim is a judge ment of the form π : ( Γ  e ) wher e π is a TLA + 2 pr oof . A transformat ion is a judg ement of the form σ . τ : ( Γ  e ) − → ( ∆  f ) wher e σ is a be gin- step toke n and τ a pr oof step. A claim (r espect ively , trans formation ) is said to be complete if its pr oof (r espective ly , pr oof step) does not contain any occurr ence of the leaf pr oof omitted . The PM generates leaf obligatio ns for a claim usin g two mutually recursi ve procedu res, che c king and tra nsformat ion , spe cified belo w using the formalism of a primitive derivation . 13 A TLA + Proof System Chaudhu ri, D oligez , L amport, and Merz Definition 17. A primiti ve deri vatio n is a derivatio n constructe d usin g infer ences of the form D 1 · · · D n E ( n ≥ 0) wher e E is either a claim or a transfor mation, and D 1 , . . . , D n ar e primiti ve deriva tions or oblig ations . An obliga tion at the leaf of a primitive derivati on is called a leaf obligation . Definition 18 (Checkin g and T ransformation) . The primitive derivat ions of a claim or transfor mation ar e constructed using the following checking and trans formation rules. 1. Check ing rules ( Γ  e ) obvious : ( Γ  e ) obvious omitted : ( Γ  e ) omitted h 0 i . use Φ defs Ψ : ( Γ  e ) − → ( ∆  f ) ( ∆  f ) by Φ defs Ψ : ( Γ  e ) by π : ( Γ  e ) σ . qed pr oof π : ( Γ  e ) qed σ . τ : ( Γ  e ) − → ( ∆  f ) Π : ( ∆  f ) σ . τ Π : ( Γ  e ) non- qed 2. Transformation σ . use Φ : ( Γ using Ψ  e ) − → ( ∆  f ) σ . use Φ defs Ψ : ( Γ  e ) − → ( ∆  f ) use defs σ . hide Φ : ( Γ  e ) − → ( ∆  f ) σ . hide Φ defs Ψ : ( Γ  e ) − → ( ∆ hiding Ψ  f ) hide defs σ . define o , δ : ( Γ  e ) − →  Γ ,  o , δ   e  define ( o < Γ ) σ . 
use q : ( Γ  e ) − → ( Γ  e ) use 0 σ . hide q : ( Γ  e ) − → ( Γ  e ) hide 0 σ . use Φ : ( Γ  e ) − → ( ∆  f ) ( ∆ , Γ 0  e 0 ) σ . use Φ , ( Γ 0  e 0 ) : ( Γ  e ) − → ( ∆ , ( Γ 0  e 0 )  f ) use 1 σ . hide Φ :  Γ 0 ,  φ  , Γ 1  e  − → ( ∆  f ) σ . hide Φ , φ : ( Γ 0 , φ, Γ 1  e ) − → ( ∆  f ) hide 1 σ . t ake q : ( Γ  e ) − → ( Γ  e ) t ake 0 σ . witness q : ( Γ  e ) − → ( Γ  e ) witness 0 σ . t ake ~ β : ( Γ , new u  e [ x : = u ] ) − → ( ∆  f ) σ . t ake u , ~ β : ( Γ  ∀ x : e ) − → ( ∆  f ) t ake 1 ( Γ  S ⊆ T ) σ . t ake ~ β : ( Γ , new u , u ∈ T  e [ x : = u ] ) − → ( ∆  f ) σ . t ake u ∈ T , ~ β : ( Γ  ∀ x ∈ S : e ) − → ( ∆  f ) t ake 2 σ . witness Ω : ( Γ  e [ x : = w ] ) − → ( ∆  f ) σ . witness w , Ω : ( Γ  ∃ x : e ) − → ( ∆  f ) witness 1 ( Γ  T ⊆ S ) ( Γ  w ∈ T ) σ . witness Ω : ( Γ , w ∈ T  e [ x : = w ] ) − → ( ∆  f ) σ . witness w ∈ T , Ω : ( Γ  ∃ x ∈ S : e ) − → ( ∆  f ) witness 2 ( Γ , e  g ) σ . ha ve g : ( Γ  e ⇒ f ) − → ( Γ , g  f ) ha ve π : ( Γ , [ ¬ e ] , ∆  f ) h n i . ( ∆  f ) pr o of π : ( Γ  e ) − → ( Γ , ( ∆  f )  e ) asser t 1 14 A TLA + Proof System Chaudhu ri, D oligez , L amport, and Merz π : ( Γ , h n i l , ( ∆  f ) , [ ¬ e ] , ∆  f ) h n i l . ( ∆  f ) pr o of π : ( Γ  e ) − → ( Γ , h n i l , ( ∆  f ) , [ h n i l ]  e ) asser t 2 σ . ( g  e ) pr o of π : ( Γ  e ) − → ( ∆  f ) σ . case g pr oof π : ( Γ  e ) − → ( ∆  f ) case π : ( Γ , ( ∆  f )  e ) h n i . suffices ( ∆  f ) pr o of π : ( Γ  e ) − → ( Γ , [ ¬ e ] , ∆  f ) suffices 1 π : ( Γ , h n i l , ( ∆  f ) , [ h n i l ]  e ) h n i l . suffices ( ∆  f ) pr o of π : ( Γ  e ) − → ( Γ , h n i l , ( ∆  f ) , [ ¬ e ] , ∆  f ) suffices 2 π :  Γ  ∃ ~ β : p  σ . pick ~ β : p pr oo f π : ( Γ  e ) − →  Γ ,    ~ β    , p  e  pick The inference rules in the above definition are deterministic : the conclusion of each rule uniqu ely de- termines the premises. 
Ho weve r , the rules are partial; for example, there is no rule that conclu des a transfo rmation of the form σ . t ake x ∈ S : ( Γ  B ∧ C ) − → ( ∆  f ) . Definition 19. A claim or a transfor mation is said to be meaningfu l if it has a primitive derivation. Definition 20 (Generating Leaf Obligation s) . A m eanin gful claim or tra nsfor mation is said to generate the leaf obliga tions of its primitive derivatio n. In the rest of this append ix we limit our attention to complete meaningfu l claims and transformatio ns. A.3 Corr ectness If the leaf obligatio ns generated by a complete meaningfu l claim are prov able, then the obligation in the claim itself ought to be prov able. In this section we prov e this theorem by analy sis of the checking and transfo rmation rules. Definition 21 (Prov ability of Claims and Tran sformatio n) . 1. The claim π : ( Γ  e ) is pr ov able i ff it is complete and mean ingful and the leaf obliga tions it gene r - ates ar e all pr ovable . 2. The tra nsforma tion σ . τ : ( Γ  e ) − → ( ∆  f ) is prov able i ff it is comple te and meaningful and the leaf obliga tions it gener ates ar e all pr ovable . Theor em 22 (Correctne ss) . (1) If π : ( Γ  e ) is pr ov able , then ( Γ  e ) is pr ovab le. (2) If σ . τ : ( Γ  e ) − → ( ∆  f ) is pr ovab le and ( ∆  f ) is pr ovab le, then ( Γ  e ) is pr ov able . Pr oof. Let D be the p rimitiv e deriv a tion fo r the claim in (1) and let E b e the primitive derivation fo r the tra ns- formation in (2). Th e p roof will be b y lexicographic induction on the structures of D and E , w ith a p rovable transform ation allo wed to justify a provable claim. h 1 i 1. If π : ( Γ  e ) is provable, then ( Γ  e ) is provable. h 2 i 1. Case π is obvious , i.e. , D = ( Γ  e ) obvious : ( Γ  e ) obvious . Obvious h 2 i 2. Case π is omitted is impossible because π : ( Γ  e ) is comp lete. h 2 i 3. Case π is by Φ defs Ψ , i.e. , D = E 0 h 0 i . 
use Φ defs Ψ : ( Γ  e ) − → ( ∆  f ) ( ∆  f ) by Φ defs Ψ : ( Γ  e ) by . 15 A TLA + Proof System Chaudhu ri, D oligez , L amport, and Merz h 3 i 1. ( ∆  f ) is provable By Definition 21. h 3 i 2. Qed By h 3 i 1, i.h. (in ductive hypothesis) for E 0 . h 2 i 4. Case π is σ . qed pr o of π 0 , i.e. , D = D 0 π 0 : ( Γ  e ) σ . qed pr oof π 0 : ( Γ  e ) qed . By i.h. fo r D 0 . h 2 i 5. Case π is σ . τ Π , i.e. , D = E 0 σ . τ : ( Γ  e ) − → ( ∆  f ) D 0 Π : ( ∆  f ) σ . τ Π : ( Γ  e ) non- qed . h 3 i 1. ( ∆  f ) is provable By i.h. fo r D 0 . h 3 i 3. Qed By h 3 i 1, i.h. fo r E 0 . h 2 i 6. Qed By h 2 i 1, . . . , h 2 i 5. h 1 i 2. If σ . τ : ( Γ  e ) − → ( ∆  f ) is provable an d ( ∆  f ) is provable, then ( Γ  e ) is provable. h 2 i 1. Case τ is use Φ defs Ψ , i.e. , E = E 0 σ . use Φ : ( Γ using Ψ  e ) − → ( ∆  f ) σ . use Φ defs Ψ : ( Γ  e ) − → ( ∆  f ) use defs . h 3 i 1. ( Γ using Ψ  e ) is provable By i.h. fo r E 0 . h 3 i 2. Qed By h 3 i 1, Definition 14. h 2 i 2. Case τ is hide Φ defs Ψ , i.e. , E = E 0 σ . hide Φ : ( Γ  e ) − → ( ∆  f ) σ . hide Φ defs Ψ : ( Γ  e ) − → ( ∆ hiding Ψ  f ) hide defs . h 3 i 1. ( ∆  f ) is provable By provability o f ( ∆ hiding Ψ  f ) and Definition 14. h 3 i 2. Qed By h 3 i 1, i.h. fo r E 0 . h 2 i 3. Case τ is define o , δ with o < Γ , i.e. , E = σ . define o , δ : ( Γ  e ) − →  Γ ,  o , δ   e  define . h 3 i 1. o is not free in e By o < Γ an d closedness of ( Γ  e ) . h 3 i 2. Qed By h 3 i 1, strengthenin g (Fact 11). h 2 i 4. Case τ is use q , i.e. , E = σ . use q : ( Γ  e ) − → ( Γ  e ) use 0 . Obvious h 2 i 5. Case τ is hide q , i.e. , E = σ . hide q : ( Γ  e ) − → ( Γ  e ) hide 0 . Obvious h 2 i 6. Case τ is use Φ , φ , i.e. , E = E 0 σ . use Φ : ( Γ  e ) − → ( ∆ 0  f ) ( ∆ 0 , Γ 0  e 0 ) σ . use Φ , ( Γ 0  e 0 ) : ( Γ  e ) − → ( ∆ 0 , ( Γ 0  e 0 )  f ) use 1 h 3 i 1. ( ∆ 0 , Γ 0  e 0 ) is provable By Definition 21. h 3 i 2. 
( ∆ 0 , Γ 0  e 0 ) is provable By h 3 i 1, Definition 4. h 3 i 3. ( ∆ 0  f ) is provable By provability o f ( ∆ 0 , ( Γ 0  e 0 )  f ) , h 3 i 2, cut (Fact 12). h 3 i 4. Qed By h 3 i 3, i.h. fo r E 0 h 2 i 7. Case τ is hide Φ , φ , i.e. , E = E 0 σ . hide Φ :  Γ 0 ,  φ  , Γ 1  e  − → ( ∆  f ) σ . hide Φ , φ : ( Γ 0 , φ, Γ 1  e ) − → ( ∆  f ) hide 1 . 16 A TLA + Proof System Chaudhu ri, D oligez , L amport, and Merz h 3 i 1.  Γ 0 ,  φ  , Γ 1  e  is provable By provability o f ( ∆  f ) , i.h. for E 0 . h 3 i 2. Qed By h 3 i 1,  Γ 0 ,  φ  , Γ 1  e  Isa = ( Γ 0 , φ, Γ 1  e ) Isa (Definition 4). h 2 i 8. Case τ is t ake q , i.e. , E = σ . t ake q : ( Γ  e ) − → ( Γ  e ) t ake 0 . Obvious h 2 i 9. Case τ is witness q , i.e. , E = σ . witness q : ( Γ  e ) − → ( Γ  e ) witness 0 . Obvious h 2 i 10. Case τ is t ake u , ~ β , i.e. , E = E 0 σ . t ake ~ β : ( Γ , new u  e [ x : = u ] ) − → ( ∆  f ) σ . t ake u , ~ β : ( Γ  ∀ x : e ) − → ( ∆  f ) t ake 1 . h 3 i 1. ( Γ , new u  e [ x : = u ] ) is provable By i.h. fo r E 0 . h 3 i 2. Qed By h 3 i 1 and predicate logic. h 2 i 11. Case τ is σ . t ake u ∈ T , i.e. , E = ( Γ  S ⊆ T ) E 0 σ . t ake ~ β : ( Γ , new u , u ∈ T  e [ x : = u ] ) − → ( ∆  f ) σ . t ake u ∈ T , ~ β : ( Γ  ∀ x ∈ S : e ) − → ( ∆  f ) t ake 2 . h 3 i 1. ( Γ , new u , u ∈ T  e [ x : = u ] ) is provable By i.h on E 0 . h 3 i 2. ( Γ , new u , u ∈ S  u ∈ T ) is provable h 4 i 1. ( Γ , new u  S ⊆ T ) is provable By Definition 21, weakening (F a ct 9). h 4 i 2. Qed By h 4 i 1, Definition of ⊆ . h 3 i 3. ( Γ , new u , u ∈ S  e [ x : = u ] ) is provable By h 3 i 1, h 3 i 2, cut (Fact 12). h 3 i 4. Qed By h 3 i 3 and predicate logic. h 2 i 12. Case τ is witness w , Ω , i.e. , E = E 0 σ . witness Ω : ( Γ  e [ x : = w ] ) − → ( ∆  f ) σ . witness w , Ω : ( Γ  ∃ x : e ) − → ( ∆  f ) witness 1 . h 3 i 1. ( Γ  e [ x : = w ] ) is provable By i.h. fo r E 0 . h 3 i 2. Qed By h 3 i 1. h 2 i 13. 
Case τ is witness w ∈ T, Ω and:

  E =
      (Γ ⊢ T ⊆ S)     (Γ ⊢ w ∈ T)     E' : σ . witness Ω : (Γ, w ∈ T ⊢ e[x := w]) → (∆ ⊢ f)
      ────────────────────────────────────────────────────────────────────────────── witness2
      σ . witness w ∈ T, Ω : (Γ ⊢ ∃ x ∈ S : e) → (∆ ⊢ f)

  ⟨3⟩1. (Γ, w ∈ T ⊢ e[x := w]) is provable.
        By i.h. for E'.
  ⟨3⟩2. (Γ ⊢ w ∈ T) is provable.
        By Definition 21.
  ⟨3⟩3. (Γ ⊢ e[x := w]) is provable.
        By ⟨3⟩1, ⟨3⟩2, cut (Fact 12).
  ⟨3⟩4. (Γ ⊢ w ∈ S) is provable.
        ⟨4⟩1. (Γ, w ∈ T ⊢ w ∈ S) is provable.
              By Definition 21, definition of ⊆.
        ⟨4⟩2. Qed.
              By ⟨4⟩1, ⟨3⟩2, cut (Fact 12).
  ⟨3⟩5. Qed.
        By ⟨3⟩3, ⟨3⟩4, and predicate logic.

⟨2⟩14. τ is have g, i.e.,

  E =
      (Γ, e ⊢ g)
      ─────────────────────────────────────── have
      σ . have g : (Γ ⊢ e ⇒ f) → (Γ, g ⊢ f)

  ⟨3⟩1. (Γ, e, g ⊢ f) is provable.
        By weakening (Fact 9).
  ⟨3⟩2. (Γ, e ⊢ g) is provable.
        By Definition 21.
  ⟨3⟩3. (Γ, e ⊢ f) is provable.
        By ⟨3⟩1, ⟨3⟩2, cut (Fact 12).
  ⟨3⟩4. (Γ ⊢ e ⇒ f) is provable.
        By ⟨3⟩3.

⟨2⟩15. σ . τ is ⟨n⟩. (Ω ⊢ g) proof π, i.e.,

  E =
      D' : π : (Γ, [¬e], Ω ⊢ g)
      ────────────────────────────────────────────────────── assert1
      ⟨n⟩. (Ω ⊢ g) proof π : (Γ ⊢ e) → (Γ, (Ω ⊢ g) ⊢ e)

  ⟨3⟩1. (Γ, [¬e], (Ω ⊢ g) ⊢ e) is provable.
        By weakening (Fact 9).
  ⟨3⟩2. (Γ, [¬e], Ω ⊢ g) is provable.
        By i.h. for D'.
  ⟨3⟩3. (Γ, [¬e] ⊢ e) is provable.
        By ⟨3⟩1, ⟨3⟩2, cut (Fact 12).
  ⟨3⟩4. Qed.
        By ⟨3⟩3, Fact 13.

⟨2⟩16. Case σ . τ is ⟨n⟩l. (Ω ⊢ g) proof π, i.e.,

  E =
      D' : π : (Γ, ⟨n⟩l ≜ (Ω ⊢ g), [¬e], Ω ⊢ g)
      ───────────────────────────────────────────────────────────────────── assert2
      ⟨n⟩l. (Ω ⊢ g) proof π : (Γ ⊢ e) → (Γ, ⟨n⟩l ≜ (Ω ⊢ g), [⟨n⟩l] ⊢ e)

  ⟨3⟩1. (Γ, ⟨n⟩l ≜ (Ω ⊢ g), [¬e], [⟨n⟩l] ⊢ e) is provable.
        By provability of (Γ, ⟨n⟩l ≜ (Ω ⊢ g), [⟨n⟩l] ⊢ e), weakening (Fact 9).
  ⟨3⟩2. (Γ, ⟨n⟩l ≜ (Ω ⊢ g), [¬e], [(Ω ⊢ g)] ⊢ e) is provable.
        By ⟨3⟩1, expansion (Fact 10).
  ⟨3⟩3. (Γ, ⟨n⟩l ≜ (Ω ⊢ g), [¬e], Ω ⊢ g) is provable.
        By i.h. for D'.
  ⟨3⟩4. (Γ, ⟨n⟩l ≜ (Ω ⊢ g), [¬e] ⊢ e) is provable.
        By ⟨3⟩2, ⟨3⟩3, cut (Fact 12).
  ⟨3⟩5. (Γ, [¬e] ⊢ e) is provable.
        By ⟨3⟩4, strengthening (Fact 11).
  ⟨3⟩6. Qed.
        By ⟨3⟩5, Fact 13.

⟨2⟩17. τ is case g proof π, i.e.,

  E =
      E' : σ . (g ⊢ e) proof π : (Γ ⊢ e) → (∆ ⊢ f)
      ────────────────────────────────────────────── case
      σ . case g proof π : (Γ ⊢ e) → (∆ ⊢ f)

  By i.h. for E'.

⟨2⟩18. τ is ⟨n⟩. suffices (Ω ⊢ g) proof π, i.e.,

  E =
      D' : π : (Γ, (Ω ⊢ g) ⊢ e)
      ───────────────────────────────────────────────────────────── suffices1
      ⟨n⟩. suffices (Ω ⊢ g) proof π : (Γ ⊢ e) → (Γ, [¬e], Ω ⊢ g)

  ⟨3⟩1. (Γ, [¬e], (Ω ⊢ g) ⊢ e) is provable.
        By i.h. for D', weakening (Fact 9).
  ⟨3⟩2. (Γ, [¬e] ⊢ e) is provable.
        By provability of (Γ, [¬e], Ω ⊢ g), ⟨3⟩1, cut (Fact 12).
  ⟨3⟩3. Qed.
        By ⟨3⟩2, Fact 13.

⟨2⟩19. σ . τ is ⟨n⟩l. suffices (Ω ⊢ g) proof π, i.e.,

  E =
      D' : π : (Γ, ⟨n⟩l ≜ (Ω ⊢ g), [⟨n⟩l] ⊢ e)
      ───────────────────────────────────────────────────────────────────────────── suffices2
      ⟨n⟩l. suffices (Ω ⊢ g) proof π : (Γ ⊢ e) → (Γ, ⟨n⟩l ≜ (Ω ⊢ g), [¬e], Ω ⊢ g)

  ⟨3⟩1. (Γ, ⟨n⟩l ≜ (Ω ⊢ g), [¬e], [⟨n⟩l] ⊢ e) is provable.
        By i.h. for D', weakening (Fact 9).
  ⟨3⟩2. (Γ, ⟨n⟩l ≜ (Ω ⊢ g), [¬e], [(Ω ⊢ g)] ⊢ e) is provable.
        By ⟨3⟩1, expansion (Fact 10).
  ⟨3⟩3. (Γ, ⟨n⟩l ≜ (Ω ⊢ g), [¬e] ⊢ e) is provable.
        By ⟨3⟩2, provability of (Γ, ⟨n⟩l ≜ (Ω ⊢ g), [¬e], Ω ⊢ g), cut (Fact 12).
  ⟨3⟩4. (Γ, [¬e] ⊢ e) is provable.
        By ⟨3⟩3, strengthening (Fact 11).
  ⟨3⟩5. Qed.
        By ⟨3⟩4, Fact 13.

⟨2⟩20. Case τ is pick ~β : p proof π, i.e.,

  E =
      D' : π : (Γ ⊢ ∃ ~β : p)
      ───────────────────────────────────────────────────── pick
      σ . pick ~β : p proof π : (Γ ⊢ e) → (Γ, ⟦~β⟧, p ⊢ e)

  ⟨3⟩1. (Γ, ∃ ~β : p ⊢ e) is provable.
        By provability of (Γ, ⟦~β⟧, p ⊢ e), predicate logic.
  ⟨3⟩2. (Γ ⊢ ∃ ~β : p) is provable.
        By i.h. for D'.
  ⟨3⟩3. Qed.
        By ⟨3⟩1, ⟨3⟩2, cut (Fact 12).

⟨2⟩21. Qed.
       By ⟨2⟩1, ..., ⟨2⟩20.

⟨1⟩3. Qed.
      By ⟨1⟩1, ⟨1⟩2.  □

A.4 Constrained Search

The Correctness Theorem (22) establishes an implication from the leaf obligations generated by a complete meaningful claim to the obligation of the claim. It is always true, regardless of the provability of any individual leaf obligation. While changing the visibility of assumptions in an obligation does not change its provability, a back-end prover may fail to prove it if important assumptions are hidden. As already mentioned in Section 3, the PM removes these hidden assumptions before sending a leaf obligation to a back-end prover. Therefore, in order to establish the Structural Soundness Theorem (1), we must prove a property about the result of this removal.

Definition 23 (Filtration). The filtered form of any obligation φ, written (φ)^f, is obtained by deleting all assumptions of the form [φ'] and replacing all assumptions of the form [o ≜ δ] with new o, anywhere inside φ. For example,

  (new x, [y ≜ x] ⊢ x = y)^f = (new x, new y ⊢ x = y).

We thus see that filtration can render a true obligation false; however, if the filtered form of an obligation is true, then so is the obligation.

Lemma 24 (Verification Lemma). If (φ)^f is provable, then φ is provable.

Proof Sketch. By induction on the structure of the obligation φ, with each case a straightforward consequence of Facts 8 and 9.  □

Definition 25 (Verifiability). The obligation φ is said to be verifiable if (φ)^f is provable.

We now prove the Structural Soundness Theorem (1).

Theorem 1. If π : φ is a complete meaningful claim and every leaf obligation it generates is verifiable, then φ is true.

Proof.
⟨1⟩1. For every leaf obligation φ' generated by π : φ, it must be that φ' is provable.
      ⟨2⟩1. Take φ' as a leaf obligation generated by π : φ.
      ⟨2⟩2. (φ')^f is provable.
            By assumption and Definition 25.
      ⟨2⟩3. Qed.
            By ⟨2⟩2, Verification Lemma 24.
⟨1⟩2. φ is provable.
      By ⟨1⟩1, Correctness Theorem 22.
⟨1⟩3. Qed.
      By ⟨1⟩2, Trust Axiom 7.  □

B A TLA+2 Proof of Cantor's Theorem

The following is the complete TLA+2 proof of Cantor's theorem referenced in Section 2.3.

  theorem ∀ S : ∀ f ∈ [S → subset S] : ∃ A ∈ subset S : ∀ x ∈ S : f[x] ≠ A
  ⟨1⟩1. assume new S, new f ∈ [S → subset S]
        prove ∃ A ∈ subset S : ∀ x ∈ S : f[x] ≠ A
    ⟨2⟩1. define T ≜ {z ∈ S : z ∉ f[z]}
    ⟨2⟩2. ∀ x ∈ S : f[x] ≠ T
      ⟨3⟩1. assume new x ∈ S prove f[x] ≠ T
        ⟨4⟩1. case x ∈ T obvious
        ⟨4⟩2. case x ∉ T obvious
        ⟨4⟩3. qed by ⟨4⟩1, ⟨4⟩2
      ⟨3⟩2. qed by ⟨3⟩1
    ⟨2⟩3. qed by ⟨2⟩2
  ⟨1⟩2. qed by ⟨1⟩1

As an example, the leaf obligation generated (see Appendix A.3) for the proof of ⟨4⟩1 is:

  ( ⟨1⟩1 ≜ (new S, new f, f ∈ [S → subset S] ⊢ ∃ A ∈ subset S : ∀ x ∈ S : f[x] ≠ A),
    new S, new f, f ∈ [S → subset S],
    T ≜ {z ∈ S : z ∉ f[z]},
    [¬(∃ A ∈ subset S : ∀ x ∈ S : f[x] ≠ A)],
    ⟨2⟩2 ≜ ∀ x ∈ S : f[x] ≠ T,
    [¬(∀ x ∈ S : f[x] ≠ T)],
    ⟨3⟩1 ≜ (new x, x ∈ S ⊢ f[x] ≠ T),
    new x, x ∈ S,
    [¬(f[x] ≠ T)],
    ⟨4⟩1 ≜ (x ∈ T ⊢ f[x] ≠ T),
    x ∈ T
    ⊢ f[x] ≠ T ).

Filtering this obligation (see Definition 23) and expanding all definitions gives:

  ( new S, new f, f ∈ [S → subset S], new x, x ∈ S, x ∈ {z ∈ S : z ∉ f[z]}
    ⊢ f[x] ≠ {z ∈ S : z ∉ f[z]} ).

In Isabelle/TLA+, this is the following lemma:

  lemma ⋀S. ⋀f. f ∈ [S → subset S] ⟹
        (⋀x. ⟦x ∈ S; x ∈ {z ∈ S : z ∉ f[z]}⟧ ⟹ f[x] ≠ {z ∈ S : z ∉ f[z]})
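As an added illustration of Definition 23 (filtration) and of the filtered leaf obligation of Appendix B, the following Python models an obligation as a sequence of assumptions and a goal, applies filtration to it, and then expands definitions the way the Appendix B example does. This is example code written for this page, not the Proof Manager's implementation; the datatypes (New, Fact, Define, Obligation), the function names and the whitespace-token substitution used for definition expansion are assumptions of the example, and the formulas are plain strings.

```python
"""Filtration (Definition 23) and definition expansion on a toy obligation model.

Example code added for illustration; it is not the PM's own code.  Formulas are
plain strings; a name is replaced only when it appears as a whole whitespace-
separated token, which is enough for the constructed obligations below.
"""
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class New:            # declaration  "new x"
    name: str


@dataclass(frozen=True)
class Fact:           # assumption   e   (visible) or  [e]  (hidden)
    formula: str
    hidden: bool = False


@dataclass(frozen=True)
class Define:         # definition   o ≜ δ  (visible) or  [o ≜ δ]  (hidden)
    name: str
    body: Union[str, "Obligation"]
    hidden: bool = False


@dataclass(frozen=True)
class Obligation:     # (assumptions ⊢ goal)
    assumptions: tuple
    goal: str


def filtered(phi: Obligation) -> Obligation:
    """(φ)^f: drop hidden facts, turn hidden definitions into declarations,
    and apply the same filtration to obligations nested inside definitions."""
    out = []
    for a in phi.assumptions:
        if isinstance(a, Fact):
            if not a.hidden:
                out.append(a)
        elif isinstance(a, Define):
            if a.hidden:
                out.append(New(a.name))
            else:
                body = filtered(a.body) if isinstance(a.body, Obligation) else a.body
                out.append(Define(a.name, body))
        else:
            out.append(a)
    return Obligation(tuple(out), phi.goal)


def _subst(text: str, name: str, body: str) -> str:
    return " ".join(body if tok == name else tok for tok in text.split())


def expanded(phi: Obligation) -> Obligation:
    """Expand every definition into the assumptions and goal that follow it,
    then drop the definition itself (definitions whose body is an obligation,
    i.e. named proof steps, are only dropped: no formula refers to them)."""
    env: dict = {}
    out = []

    def apply(text: str) -> str:
        for n, b in env.items():
            text = _subst(text, n, b)
        return text

    for a in phi.assumptions:
        if isinstance(a, Define):
            if isinstance(a.body, str):
                env[a.name] = apply(a.body)
            continue
        out.append(Fact(apply(a.formula), a.hidden) if isinstance(a, Fact) else a)
    return Obligation(tuple(out), apply(phi.goal))


def render(phi: Obligation) -> str:
    """Print an obligation in the paper's notation."""
    parts = []
    for a in phi.assumptions:
        if isinstance(a, New):
            parts.append("new " + a.name)
        elif isinstance(a, Fact):
            parts.append("[" + a.formula + "]" if a.hidden else a.formula)
        else:
            body = render(a.body) if isinstance(a.body, Obligation) else a.body
            d = a.name + " ≜ " + body
            parts.append("[" + d + "]" if a.hidden else d)
    return "( " + ", ".join(parts) + " ⊢ " + phi.goal + " )"


# The example from Definition 23: (new x, [y ≜ x] ⊢ x = y)^f = (new x, new y ⊢ x = y).
def definition_23_example() -> Obligation:
    return filtered(Obligation((New("x"), Define("y", "x", hidden=True)), "x = y"))


# The leaf obligation for step ⟨4⟩1 of the Cantor proof, constructed from Appendix B.
GOAL = "∃ A ∈ subset S : ∀ x ∈ S : f[x] ≠ A"
T_BODY = "{z ∈ S : z ∉ f[z]}"
CANTOR_LEAF = Obligation((
    Define("⟨1⟩1", Obligation((New("S"), New("f"), Fact("f ∈ [S → subset S]")), GOAL)),
    New("S"), New("f"), Fact("f ∈ [S → subset S]"),
    Define("T", T_BODY),
    Fact("¬( " + GOAL + " )", hidden=True),
    Define("⟨2⟩2", "∀ x ∈ S : f[x] ≠ T"),
    Fact("¬( ∀ x ∈ S : f[x] ≠ T )", hidden=True),
    Define("⟨3⟩1", Obligation((New("x"), Fact("x ∈ S")), "f[x] ≠ T")),
    New("x"), Fact("x ∈ S"),
    Fact("¬( f[x] ≠ T )", hidden=True),
    Define("⟨4⟩1", Obligation((Fact("x ∈ T"),), "f[x] ≠ T")),
    Fact("x ∈ T"),
), "f[x] ≠ T")


def cantor_filtered_and_expanded() -> Obligation:
    """Filtration followed by definition expansion, as in Appendix B."""
    return expanded(filtered(CANTOR_LEAF))


if __name__ == "__main__":
    print(render(definition_23_example()))
    print(render(cantor_filtered_and_expanded()))
```

Running the block prints the two filtered obligations in the paper's notation; the second one is exactly the Isabelle/TLA+ lemma's hypotheses and conclusion. Note that `filtered` keeps visible definitions and only removes hidden facts, which is why the Definition 23 remark holds: a true obligation such as the one with the hidden `[¬(f[x] ≠ T)]` can lose information, but nothing is added, so a provable filtered form implies a provable original (Lemma 24).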