HOL Light: An Overview

HOL Light is an interactive proof assistant for classical higherorder logic, intended as a clean and simplified version of Mike Gordon’s original HOL system. Theorem provers in this family use a version of ML as both the implementation and interaction language; in HOL Light’s case this is Objective CAML (OCaml). Thanks to its adherence to the so-called ‘LCF approach’, the system can be extended with new inference rules without compromising soundness. While retaining this reliability and programmability from earlier HOL systems, HOL Light is distinguished by its clean and simple design and extremely small logical kernel. Despite this, it provides powerful proof tools and has been applied to some non-trivial tasks in the formalization of mathematics and industrial formal verification. 1 LCF, HOL and HOL Light Both HOL Light and its implementation language OCaml can trace their origins back to Edinburgh LCF, developed by Milner and his research assistants in the 1970s [6]. The LCF approach to theorem proving involves two key ideas: – All proofs are ultimately performed in terms of a small set of primitive inferences, so provided this small logical ‘kernel’ is correct the results should be reliable. – The entire system is embedded inside a powerful functional programming language, which can be used to program new inference rules. The type discipline of the programming language is used to ensure that these ultimately reduce to the primitives. The original Edinburgh LCF was a theorem prover for Scott’s Logic of Computable Functions [16], hence the name LCF. But as emphasized by Gordon [4], the basic LCF approach is applicable to any logic, and now there are descendents implementing a variety of higher order logics, set theories and constructive type theories. In particular, members of the HOL family [5] implement a version of classical higher order logic, hence the name HOL. They take the LCF approach a step further in that all theory developments are pursued ‘definitionally’. New mathematical structures, such as the real numbers, may be defined only by exhibiting a model for them in the existing theories (say as Dedekind cuts of rationals). New constants may only be introduced by definitional extension (roughly speaking, merely being a shorthand for an expression in the existing theory). This fits naturally with the LCF style, since it ensures that all extensions, whether of the deductive system or the mathematical theories, are consistent per construction. 2 HOL Light’s logical foundations HOL Light’s logic is simple type theory [2, 1] with polymorphic type variables. The terms of the logic are those of simply typed lambda calculus, with formulas being terms of boolean type, rather than a separate category. Every term has a single welldefined type, but each constant with polymorphic type gives rise to an infinite family of constant terms. There are just two primitive types: bool (boolean) and ind (individuals), and given any two types σ and τ one can form the function type σ → τ . For the core HOL logic, there is essentially only one predefined logical constant, equality (=) with polymorphic type α→ α→ bool. However to state one of the mathematical axioms we also include another constant ε : (α→ bool)→ α, explained further below. For equations, we use the conventional concrete syntax s = t, but this is just surface syntax for the λ-calculus term ((=)s)t, where juxtaposition represents function application. For equations between boolean terms we often use s⇔ t, but this again is just surface syntax. The HOL Light deductive system governs the deducibility of one-sided sequents Γ ` p where p is a term of boolean type and Γ is a set (possibly empty) of terms of boolean type. There are ten primitive rules of inference, rather similar to those for the internal logic of a topos [14].