Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: John Harrison - 2012-05-03 18:13

Hi Bill,

| Thanks for replying and the code, John. I'll send you a bug reports
| on mizar modes in 3.0.9, and a bug report on the latest HOL Light as
| well. Right now I've been taking Freek's advice to try to learn
| Isabelle. It's been rough, and I'm ready for HOL Light again.

OK, good luck! It can be a pain getting the right camlp5 support set up, so you might want to just stick with OCaml 3.0.9 unless you have a compelling reason to upgrade. In any case, it shouldn't be *too* hard to get things up and running. I have machines with HOL Light running on almost every recent OCaml from 3.06 to 3.12.

By the way, there is a debian package for HOL Light on the way (thanks to Hendrik Tews), which should make HOL Light installation essentially trivial for those using a debian-based Linux distro.

| John, I argued with folks on the isabelle newsgroup as well about
| Euclid and Hilbert. It'd be nice to settle this argument.

This is indeed an interesting discussion, but I'm too ignorant to add much to it; you might have more luck with others on this list, though. While I'm very interested in the idea of formalizing geometry axiomatically, and I'm happy people are doing it in HOL Light, my own experience is mostly limited to proof of geometric properties in the specific model R^n using largely algebraic reasoning. Here's a characteristic example (from "Multivariate/geom.ml"):

  let CONGRUENT_TRIANGLES_SSS = prove
   (`!A B C:real^M A' B' C':real^N.
          dist(A,B) = dist(A',B') /\
          dist(B,C) = dist(B',C') /\
          dist(C,A) = dist(C',A')
          ==> angle(A,B,C) = angle(A',B',C')`,
    REPEAT GEN_TAC THEN
    MAP_EVERY ASM_CASES_TAC
     [`dist(A':real^N,B') = &0`; `dist(B':real^N,C') = &0`] THEN
    ASM_REWRITE_TAC[] THEN STRIP_TAC THEN
    RULE_ASSUM_TAC(REWRITE_RULE[DIST_EQ_0]) THEN
    ASM_SIMP_TAC[ANGLE_REFL_MID; ANGLE_REFL] THEN
    ONCE_REWRITE_TAC[GSYM COS_ANGLE_EQ] THEN
    MP_TAC(ISPECL [`B:real^M`; `A:real^M`; `C:real^M`] LAW_OF_COSINES) THEN
    MP_TAC(ISPECL [`B':real^N`; `A':real^N`; `C':real^N`] LAW_OF_COSINES) THEN
    REPEAT(POP_ASSUM MP_TAC) THEN
    REWRITE_TAC[GSYM DIST_EQ_0; DIST_SYM] THEN
    CONV_TAC REAL_FIELD);;

This reminds me of Freek Wiedijk's nice pastiche of Intel's "Our rock stars aren't like your rock stars" commercials:

  http://www.cl.cam.ac.uk/~jrh13/our_proofs.pdf

John.

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-04-26 04:19

John, thanks for writing the code for me, but you only handled I think my question about showing that the type of Tarski models is nonempty. I should try to port your solution to Mizar. Most of what else you said was too advanced for me to respond to, but I'll work on it.

Makarius, I (following Freek) tend to think that Isabelle might be the best language for high school teaching axiomatic proofs, but Isabelle is intimidating, lots of programs to install & lots of dox. If you could start porting my Mizar code so I could see the pattern....

I'm gratified folks want to read my paper where I fixed a longstanding combinatorial error in homotopy theory. It's on my web page http://www.math.northwestern.edu/~richter/RichterPAMS-Lambda.pdf Maybe I don't teach at NWU, but I did long ago, and they let me use the computers so I can write such papers. I called the error a serious `pedagogical gap', as the results were proved in the literature, but newcomers might easily leave the subject when told these results were trivial (their teachers didn't know the combinatorial proofs).

There are much more serious problems. Recently lots of top conjectures fell: Fermat's Last Theorem, the Poincare conjecture, Bieberbach's conjecture, the Kervaire invariant conjecture (in my subject, homotopy theory), and I don't have any confidence in these proofs. Nobody in my subject buys the proof of the Immersion conjecture http://en.wikipedia.org/wiki/Whitney_immersion_theorem So I'm really impressed by Tom Hales for saying, ``I'll show I really have a proof by using HOL, Coq, Isabelle etc for 20 man years''.

Cris, thanks for sending me the link of new_axiom, which I misread. I see now that reference.pdf clearly says that `new_axiom' should only be used basically to add in new axioms to ZFC, such as large cardinals. But `new_definition' looks fine:

   Evaluating `new_definition' ‘c v_1 ... v_n = t‘ where c is a
   variable [...] returns the theorem:
   |- !x_1 ... x_m. c v_1 ... v_n = t

That looks like an axiom to me. My only problem is that I don't know how to write declarative code in HOL. As I posted, I can't get any of the mizar modes to work for me, including Freek's latest miz3.miz. But I contend that mizar modes should not be needed. The main thing I like about Mizar is just that it's declarative and I can break proofs up into cases and do proofs by contradiction. We really don't want a powerful theorem prover in high school geometry! We want the kids to have to write down most of the steps. And unless I'm really misunderstanding Mizar, Mizar would not be a good language for the kids to program in. Any Mizar experts who want to explain http://www.math.northwestern.edu/~richter/RichterTarskiMizar.tar how I'm doing it all wrong, I'd be grateful.

Roger, thanks for the code. Hartshorne explains this

   I do not have the impression that Hilbert was thinking much of
   Euclid's elements

I read much of Greenberg's book with no idea whatsoever why Hilbert came up with his axioms, but after reading Hartshorne's book, the light went on: Hilbert was fixing Euclid! I think this is well-known. Hilbert made a lot more sense after I realized that. Hartshorne's book is great anyway, and I fixed some proofs of his in my paper. http://www.math.northwestern.edu/~richter/hilbert.pdf

   or had any particular interest in improving on its rigour.

I'm sure that's wrong, but this probably isn't the place to discuss it. Read Greenberg, who explains that Euclid's angle-addition errors weren't found until they discovered non-Euclidean geometry.

   Indeed, from the point of view of rigour it takes some forward and
   some backward steps.

I don't know what you mean by backward steps. Greenberg & Hartshorne don't mention any.

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Phil Scott - 2012-04-26 09:20

Hi Bill.

> Roger, if there's some cultural aversion to the use of axioms in the
> HOL community,'' then maybe HOL isn't the right proof-checker to use
> in high school geometry classes. Does anyone think there is a better
> proof-checker? My guess is that this is just an interface problem
> that HOL could easily solve, and I'm willing to work on it myself.
>

I'm working on a formalisation of Hilbert's FoG, and am mostly using the Mizar Light mode in HOL Light. Perhaps controversially, I've used "new_axiom" for every one of Hilbert's axioms. I could have defined a model of Euclidean geometry as John suggests, and obtained the axioms as theorems of the basic HOL logic. However, I wanted to remove the axiom of infinity from the core logic, preferring to derive this from Hilbert's geometric axioms. Without infinity, you're going to be stuck getting a model of Euclidean geometry.

Others have mentioned the more modular approach of defining a relation R on variables which stand for Hilbert's various primitive notions. Then a formula such as Group1(on_line, on_plane) can assert that the relations on_line and on_plane satisfy Hilbert's axioms. This would allow you to carry out metatheoretic proofs, at the expense of making all of Hilbert's theorems conditional on Group1(on_line, on_plane). The main issue I then have is that all definitions (and Hilbert needs many just to assert his axioms) need to carry the primitive notions as arguments. I think this would really uglify the proofs, but it should be possible to hide this away with some judicious syntactic sugar, as I believe is done with Isabelle's locales.

I'm generally all in favour of teaching rigorous mathematics to high-school students, getting them to use theorem provers and learning to code early. Here in the UK, we are falling ever further behind in terms of computer science at high-school level. That said, it seems that students would be faced with a huge learning curve if they were simultaneously studying a relatively poorly documented language such as OCaml, a theorem prover such as HOL Light, and the axiomatic method. And my guess is they'll have trouble no matter which theorem prover you pick, though I'm very much interested in your thoughts on how to tackle this.

On 26/04/12 05:19, Bill Richter wrote:
> Nobody in
> my subject buys the proof of the Immersion conjecture
> http://en.wikipedia.org/wiki/Whitney_immersion_theorem
>

Really? That's pretty scary!

> Evaluating `new_definition' ‘c v_1 ... v_n = t‘ where c is a
> variable [...] returns the theorem:
> |- !x_1 ... x_m. c v_1 ... v_n = t
>
> That looks like an axiom to me.

It's conservative, though. You won't be able to introduce a contradiction with this function.

> My only problem is that I don't know
> how to write declarative code in HOL. As I posted, I can't get any
> of the mizar modes to work for me, including Freek's latest miz3.miz.
> But I contend that mizar modes should not be needed. The main thing I
> like about Mizar is just that it's declarative and I can break proofs
> up into cases and do proofs by contradiction. We really don't want a
> powerful theorem prover in high school geometry! We want the kids to
> have to write down most of the steps.

What sort of granularity do you want in the proof steps? If you're going all the way to natural deduction, I think the proofs are going to get massive even at the very beginning of Hilbert's geometry. Maybe Tarski's is more suitable.

Phil

--
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: John Harrison - 2012-04-26 19:31

Hi Bill,

| John, thanks for writing the code for me, but you only handled I think
| my question about showing that the type of Tarski models is nonempty.

That's true, I didn't go into the details of the proofs and how to present them in HOL Light. There are several different approaches one might take, and perhaps seeing what Phil Scott and Lorenzo Mannini have done would be a good starting-point. But if you really get stuck I can try porting some of your stuff when I have a bit of spare time.

| I'm gratified folks want to read my paper where I fixed a longstanding
| combinatorial error in homotopy theory. It's on my web page
| http://www.math.northwestern.edu/~richter/RichterPAMS-Lambda.pdf Maybe
| I don't teach at NWU, but I did long ago, and they let me use the
| computers so I can write such papers. I called the error a serious
| `pedagogical gap', as the results were proved in the literature, but
| newcomers might easily leave the subject when told these results were
| trivial (their teachers didn't know the combinatorial proofs).

This is a nice example: even the question of whether a proof is actually faulty or just leaves a huge "pedagogical gap" that the original author was easily capable of filling is itself ambiguous.

| There are much more serious problems. Recently lots of top
| conjectures fell: Fermat's Last Theorem, the Poincare conjecture,
| Bieberbach's conjecture, the Kervaire invariant conjecture (in my
| subject, homotopy theory), and I don't have any confidence in these
| proofs. Nobody in my subject buys the proof of the Immersion
| conjecture http://en.wikipedia.org/wiki/Whitney_immersion_theorem So
| I'm really impressed by Tom Hales for saying, ``I'll show I really
| have a proof by using HOL, Coq, Isabelle etc for 20 man years''.

Interesting to hear you say that, since many mathematicians seem quite blase' about correctness issues, even with the huge proofs that few people could claim to follow in detail.

| |- !x_1 ... x_m. c v_1 ... v_n = t
|
| That looks like an axiom to me.

There are two different approaches to definitions in a system like HOL. One can consider them as "metatheoretic", where the definition is just a kind of user interface convenience with no logical status. HOL Light has only trivial cases of this (like "override_interface") but some other systems like Nuprl have a more elaborate mechanism. The "object-level" way is to actually introduce a new constant or constants and a new axiom asserting the appropriate equivalence. This is the main HOL Light mechanism as supported by "new_definition" etc.

So yes, in some sense a definition in HOL Light *is* indeed an axiom. However, by virtue of the limited syntactic form it's a very special case of an axiom. As Phil said, in contrast with an arbitrary axiom a definitional axiom is guaranteed to be a conservative extension. That is, if you can prove any theorem |- phi where the formula phi doesn't involve the new constant, then you could have proved |- phi without making the definition. In particular, this works for phi being `false', so you cannot make the logic inconsistent by adding a definition, whereas you can certainly do so by adding axioms.

The primitive definitional form is very restrictive, and some derived definitional principles allow you to make, for example, recursive definitions; under the surface these are derived from the primitive form, so retain the conservativity property. For instance here we define the Collatz function. Note that we are not saying anything about the termination of this pattern of recursion, merely that adding it as a new definition is conservative:

  define
   `!n. collatz(n) = if n <= 1 then n
                     else if EVEN(n) then collatz(n DIV 2)
                     else collatz(3 * n + 1)`;;

The aversion to arbitrary axioms in HOL probably arose because computer scientists have in the past proposed various axiom systems that have turned out to be inconsistent. If you are formalizing a well-established field of mathematics using standard axiom systems, then you are not very likely to make major conceptual errors setting up your axioms formally. However, even then it's easy to make little slips like forgetting degenerate cases. For example, I have seen an axiomatization of real numbers as complete ordered fields in a prover that stated the supremum property as "every set of reals that is bounded above has a least upper bound". Since this forgets to rule out the empty set, it implies that there is a least real number and so leads to inconsistency when combined with the other axioms.

There are various stories about mathematicians who spend their entire PhD research studying axiomatic systems that turn out to be inconsistent, trivial or otherwise degenerate. One I remember is "antimetric spaces" with axioms d(x,y) = 0 <=> x = y, 0 <= d(x,y) and d(x,y) + d(y,z) <= d(x,z). I suspect most or all of these are apocryphal, but it would be interesting to know if there is a real documented example.

| My only problem is that I don't know how to write declarative code
| in HOL. As I posted, I can't get any of the mizar modes to
| work for me, including Freek's latest miz3.miz.

The diversity in approaches to declarative proofs in HOL Light is perhaps a bit unfortunate, though they explore different tradeoffs between syntactic elegance, practical usability, programmability and degree of integration with other proof methods. Actually getting any of them running should not be *too* hard anyway:

1. The original Mizar mode for HOL is still there and you can just load it from inside HOL Light:

     #use "Examples/mizar.ml";;

   There is a little example at the end of the file to look at, the Knaster-Tarski fixed point theorem.

2. Freek's "Mizar Light" needs one more step first: go into the Mizarlight directory and do "make" (or maybe to be safe, first "make clean" then "make") but then again you can just load it

     #use "Mizarlight/make.ml";;

   This also runs an example, which is somewhat relevant to your interests, setting up a model of projective geometry (the Fano plane) and deriving the duals of the axioms.

3. Freek's miz3 isn't distributed with HOL Light (maybe it should be) but you can download it from

     http://www.cs.ru.nl/~freek/miz3/miz3.tar.gz

   After untarring it into a subdirectory "miz3"

     tar xvfz ~/Downloads/miz3.tar.gz

   You need to have the Unix library loaded; if you don't already have this, then this works on many platforms:

     #load "unix.cma";;

   and then you can just load it

     #use "miz3/miz3.ml";;

   following which you can try any of the examples there, e.g. the Robbins conjecture proof:

     #use "miz3/Samples/robbins.ml";;

If you do decide to use one of these frameworks, you might be best advised to follow what Phil and Jacques have done, since they have quite a mature system, where they have nice readable proofs but also integrate programming to deal with some gaps.

| But I contend that mizar modes should not be needed. The main thing I
| like about Mizar is just that it's declarative and I can break proofs
| up into cases and do proofs by contradiction.

I agree. In fact, in the original paper I wrote promoting Mizar-like proofs for our LCF community, I emphasized that there is not actually such a deep conceptual difference, and there is almost a 1-to-1 correspondence between Mizar structuring steps and HOL tactics. (I do not use the term "declarative" in this paper, though I was groping for some appropriate word. The procedural/declarative terminology was suggested by Mike Gordon when I presented the work in a talk.)

  http://www.cl.cam.ac.uk/~jrh13/papers/mizar.html

Freek's Mizar modes work hard to achieve a true integration of the declarative and procedural styles. To some extent, you can get the declarativity using traditional tactic scripts if you use a few more intuitive tactics and take more care over labelling of assumptions and referring to them by name. Marco Maggesi has been successfully honing such a style and I am planning to incorporate more of those special tactics into the core. Lorenzo's code may be a good illustration, since he works with Marco, though I haven't seen his proofs yet myself.

| We really don't want a powerful theorem prover in high school
| geometry! We want the kids to have to write down most of the
| steps. And unless I'm really misunderstanding Mizar, Mizar would
| not be a good language for the kids to program in.

Certainly Mizar would not be the first choice for *programming*, but in some ways it seems to be more accessible precisely because you don't need to be a programmer to do proofs in the system. As Phil said, with HOL you also have the additional barrier from confronting the implementation language, even if you use it in quite superficial ways. While it is empowering to have a full programming language available, it can also be intimidating at first, especially to non-programmers.

| Any Mizar experts who want to explain
| http://www.math.northwestern.edu/~richter/RichterTarskiMizar.tar
| how I'm doing it all wrong, I'd be grateful.

I'm not sure that so many real Mizar experts read this mailing list, so you may also want to consider posting to mizar-forum.

John.
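
[Added note, not part of the original message: the two degenerate axiomatizations mentioned above, worked through. The names S, s and u are introduced here for the derivation; everything else uses the notation of the message.]

Supremum property stated without "nonempty". Take S to be the empty set of reals.

  1. Every real u is an upper bound of S, because "for all x in S, x <= u" holds vacuously. So S is bounded above.
  2. By the faulty axiom, S has a least upper bound s, that is, s <= u for every upper bound u of S.
  3. By step 1 every real is an upper bound of S, so s <= u for every real u: s is a least real number.
  4. In an ordered field s - 1 < s, while step 3 gives s <= s - 1. Contradiction.

  The standard statement avoids this by quantifying only over nonempty sets: every nonempty set of reals that is bounded above has a least upper bound.

Antimetric spaces. Put z = x in d(x,y) + d(y,z) <= d(x,z):

  d(x,y) + d(y,x) <= d(x,x) = 0        (using d(x,x) = 0 from the first axiom)
  0 <= d(x,y) and 0 <= d(y,x)          (second axiom)
  hence d(x,y) = 0, hence x = y        (first axiom again)

  So any two points coincide: the axioms are consistent (a one-point space satisfies them) but every model has at most one point, which is the "trivial" case rather than the "inconsistent" one.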

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Makarius - 2012-04-26 21:38

On Thu, 26 Apr 2012, Phil Scott wrote:

> Others have mentioned the more modular approach of defining a relation R
> on variables which stand for Hilbert's various primitive notions. Then a
> formula such as Group1(on_line, on_plane) can assert that the relations
> on_line and on_plane satisfy Hilbert's axioms. This would allow you to
> carry out metatheoretic proofs, at the expense of making all of
> Hilbert's theorems conditional on Group1(on_line, on_plane). The main
> issue I then have is that all definitions (and Hilbert needs many just
> to assert his axioms) need to carry the primitive notions as arguments.
> I think this would really uglify the proofs, but it should be possible
> to hide this away with some judicious syntactic sugar, as I believe is
> done with Isabelle's locales.

If you think of the "axiomatization" as a local context with parameters and assumptions (based on some predicate definition in the background), then your subsequent definitions become dependent on that context as observed above. The locale context of Isabelle manages exactly that by some extra-logical infrastructure, and this is a bit more than just syntactic sugar.

In fact, the modest locale concept of 1999/2002 has been refined and elaborated many times. Around 2006/2007 we've turned it into so-called "local theory" infrastructure, where locales, type classes, overloading etc. are just particular targets, which means contexts that can absorb definitional specifications. In the other dimension you have "definitional packages" that live in the local theory space: inductive sets and predicates, recursive functions, etc. Even what looks like plain definition or theorem statements in Isabelle are non-trivial local theory packages, and can thus depend on particular context elements without the user having to care about it very much.

What is conceptually also important here is that we have introduced a clear separation between the "foundation" level (actual definitional primitives) and the "user" view on that. So user theories are no longer directly exposed to the bare metal of the logic.

For example, the proverbial HOL problem from the other thread by Rob Arthan, which is called "hidden polymorphism" in Isabelle jargon, is absorbed by the local theory infrastructure:

  definition "unitary = (!x. x = x)"

This correctly defines a polymorphic boolean with an implicit type dependency in Isabelle/HOL. This works out formally, but it might still be apt to confusion and surprises when used in practice. (There are rare situations where this is really required in that form.)

Makarius

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Makarius - 2012-04-26 22:02

On Wed, 25 Apr 2012, Bill Richter wrote:

> Makarius, I (following Freek) tend to think that Isabelle might be the
> best language for high school teaching axiomatic proofs, but Isabelle is
> intimidating, lots of programs to install & lots of dox.

Some agreements and disagreements here:

  * High-school teaching: I don't think we are there yet. Yes for certain
    university courses, say for logic, programming language semantics, and
    a bit more.

  * Intimidating Isabelle architecture: depends. Do you find a Gothic
    Cathedral intimidating? It is not something you build at home in your
    spare time, though.

  * Lots of programs to install: definitely not. It is basically one piece
    of download with everything included, hardly any installation at all.
    Same for Coq, mostly. I think it is a trait of the original HOL
    community to insist on the build-it-yourself-from-scratch model.

  * Isabelle documentation: diverse, potentially confusing, too many
    manuals.

Makarius

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-04-27 04:28

Thanks for the reply, John (and others)! Let me make a quick response. I mostly wrote my Mizar code to cite in my geometry paper http://www.math.northwestern.edu/~richter/hilbert.pdf If other folks have already done a better job, that's great, I should just cite their code instead of mine. I haven't found their code yet. If you think Mizar is the right language for axiomatic geometry proofs, I should use it, unless I can upgrade to Isabelle instead.

But I don't like that plan, and I think you don't either. I think we think that HOL can easily be tweaked to give axiomatic geometry proofs that are just as readable as my Mizar proofs. How do we get started working on this? I can't yet use any mizar mode in HOL Light, and maybe because I can only build an old version 3.09.

Your article sounded very interesting, but I couldn't find it:

   Szczerba The use of Mizar in a course in foundations of geometry

Your geometry links don't seem to jibe well with my paper above.

As Roger & Phil are posting about Hilbert & Euclid, let me expand: I've barely looked at Hilbert's book FoG. Hilbert does a better job with angle addition than Greenberg. It could be that FoG has gaps. I've learned almost all my Hilbert from books by Jahren, Greenberg & Hartshorne. My paper explains the following clearly: Euclid could not rigorously prove anything involving angle addition. Euclid's errors can be fixed by Hilbert's betweenness axioms. Euclid could not rigorously prove the triangle sum theorem (sum angles = 180). I do, and I actually think I have the simplest rigorous proof, as the other rigorous proof I've seen in Forder first proves the non-Euclidean version (sum angles <= 180) which is a lot harder.

Phil, I also explain (following Moise's rigorous book) how to handle the 3-dim part. Basically, for all the 2-dim stuff you have to say "in a plane" and in the 3-dim part you use the planar stuff. Euclid's book XI is a fantastic treatment of solid geometry, and Moise simplifies some of Euclid's proofs.

There's an interesting AI angle: can robots visualize 3-dim space? Well, by Hilbert's axioms and Goedel's completeness theorem, they can know everything we know about points, lines & planes in 3-space! That's another reason to learn rigorous axiomatic geometry proofs.

   This is a nice example: even the question of whether a proof is
   actually faulty or just leaves a huge "pedagogical gap" that the
   original author was easily capable of filling is itself ambiguous.

Thanks. In my case, I know that none of the folks who published that there was a combinatorial proof of the two Lambda algebra results actually knew a proof.

   Interesting to hear you say that, since many mathematicians seem
   quite blase' about correctness issues, even with the huge proofs
   that few people could claim to follow in detail.

That's excellent, John. I think there's two disturbing factors:

1) The rewards in math are for getting credit for proving a cool theorem, and not for writing up nice proofs that others can read.

2) Mathematicians prove theorems as a community, so no one person understands the whole proof. It's amazing that communities can work together like this. But it's a rejection of the Enlightenment value ``Understanding is Power.'' Understanding more or less means understanding mathematical proofs.

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Paul Graunke - 2012-04-28 06:56

On 04/26/2012 03:02 PM, Makarius wrote:
> On Wed, 25 Apr 2012, Bill Richter wrote:
>
>> Makarius, I (following Freek) tend to think that Isabelle might be the
>> best language for high school teaching axiomatic proofs, but Isabelle is
>> intimidating, lots of programs to install & lots of dox.
> Some agreements and disagreements here:
>
> * High-school teaching: I don't think we are there yet. Yes for certain
>   university courses, say for logic, programming language semantics, and
>   a bit more.
>
> * Intimidating Isabelle architecture: depends. Do you find a Gothic
>   Cathedral intimidating? It is not something you build at home in your
>   spare time, though.
>
> * Lots of programs to install: definitely not. It is basically one piece
>   of download with everything included, hardly any installation at all.
>   Same for Coq, mostly. I think it is a trait of the original HOL
>   community to insist on the build-it-yourself-from-scratch model.
>
> * Isabelle documentation: diverse, potentially confusing, too many
>   manuals.
>
>
> Makarius
>

Yet the tutorial is a very nice place to start for documentation. =)

There is also a significant difference between learning to use a theorem prover vs taking one apart and putting one back together again. We use compilers and development environments to teach computer science without teaching how to build compilers or development environments until later typically.

I argue that internal architectures are a separate issue from suitability for teaching.

Paul

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Makarius - 2012-04-28 12:19

On Fri, 27 Apr 2012, Paul Graunke wrote:

> There is also a significant difference between learning to use a theorem
> prover vs taking one apart and putting one back together again. We use
> compilers and development environments to teach computer science without
> teaching how to build compilers or development environments until later
> typically.

Yes, that is an important point. When I get on a train, I buy a train ticket, not the technical manuals to take it apart and rebuild it myself again. Or when I want to run an operating system I download Ubuntu and spend maybe 30min with a few trivial clicks to get it working by itself. No need to understand X11 server configuration anymore, what was commonplace 10 years ago.

Nonetheless, as I've said earlier on this thread, the different provers do have their own cultural traditions, and these are one of the reasons to have such a diversity.

I occasionally sit down with a student and take HOL-Light apart and re-assemble it in a few hours. It helps to get some understanding of the bare-bones things, and also of the complex infrastructure that systems like Coq or Isabelle put around the raw material.

Makarius

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: John Harrison - 2012-05-02 22:59

Hi Bill,

| But I don't like that plan, and I think you don't either. I think we
| think that HOL can easily be tweaked to give axiomatic geometry proofs
| that are just as readable as my Mizar proofs. How do we get started
| working on this? I can't yet use any mizar mode in HOL Light, and
| maybe because I can only build an old version 3.09.

I have just tried things out myself with OCaml 3.09.2, and everything seemed all right. Can you tell me what goes wrong when you try to follow the instructions in my earlier message for running Mizar modes?

Once you get a Mizar mode working, I don't think it's difficult to translate your proofs into any of them. For example, continuing the little fragment I sent before where I set up some of the axioms, here are miz3 versions of your first few proofs, which look fairly similar to the originals:

  loadt "miz3/miz3.ml";;

  let EquivReflexive = thm `;
    !a b. a,b === a,b
    proof
      let a b be Plane;
      b,a === a,b by AXIOM_1;
      thus a,b === a,b by AXIOM_2;
    end`;;

  let EquivSymmetric = thm `;
    !a b c d. a,b === c,d ==> c,d === a,b
    proof
      let a b c d be Plane;
      assume a,b === c,d [1];
      a,b === a,b by EquivReflexive;
      thus c,d === a,b by 1, AXIOM_2;
    end`;;

  let EquivTransitive = thm `;
    !a b p q r s : Plane. a,b === p,q /\ p,q === r,s ==> a,b === r,s
    proof
      let a b p q r s be Plane;
      assume a,b === p,q [1];
      assume p,q === r,s [2];
      p,q === a,b by 1, EquivSymmetric;
      thus a,b === r,s by 2, AXIOM_2;
    end`;;

  let Baaa_THM = thm `;
    !a b. Between (a,a,a) /\ a,a === b,b
    proof
      let a b be Plane;
      ?x. Between (a,a,x) /\ a,x === b,b by AXIOM_4;
      consider x such that Between (a,a,x) /\ a,x === b,b [1];
      a = x by 1, AXIOM_3;
      thus Between (a,a,a) /\ a,a === b,b by 1;
    end`;;

I don't think it would be hard to continue this translation, and indeed I suspect it could be largely done with a bit of clever editing. But perhaps first one should pause to get the precise formal setup exactly the way you want. For example, maybe "Point" would be a more intuitive name than "Plane" for the underlying type, and you might want to use the same formulation as in your Mizar where "TarskiModel" becomes a hypothesis instead of working in a specific model of the axioms as I've been doing.

| Your article sounded very interesting, but I couldn't find it:
| Szczerba The use of Mizar in a course in foundations of geometry

Yes, it's somewhat obscure, and I don't know how to find it online. I must have seen the original physical volume somewhere a long time ago. But there are other papers about Mizar in education that are easier to locate, e.g. "Mizar as a tool for teaching mathematics" or "Mizar course in Logic and Set Theory".

| Your geometry links don't seem to jibe well with my paper above.

Well, there are lots of degrees of freedom over how to axiomatize geometry, what level of automation you want and what your overall goals are in mechanization and formalization. But in any case, I just wanted to indicate how you might get started if you do want to use HOL Light.

John.

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: John Harrison - 2012-05-02 23:00

Hi Makarius,

| Yes, that is an important point. When I get on a train, I buy a train
| ticket, not the technical manuals to take it apart and rebuild it myself
| again. Or when I want to run an operating system I download Ubuntu and
| spend maybe 30min with a few trivial clicks to get it working by itself.
| No need to understand X11 server configuration anymore, what that was
| commonplace 10 years ago.

This seems to be a common path with technology generally, where initially there is a close correlation between the users of a machine and experts in its internal workings, but over time the two things diverge. It's certainly clear that programming and computer use were initially closely linked but have now largely decoupled.

One sees a similar story with cars: in the early days most drivers had some understanding of how they worked and how problems could be fixed (if only from necessity because they were so unreliable), whereas now not many drivers perform even basic maintenance themselves. I vaguely remember an interview with Douglas Adams where he claimed that the same was originally true of many domestic appliances, e.g. that there were magazines aimed at refrigerator hobbyists. But I might have made that up.

Of course, the ability to understand a system down to the bottom does have real value for those whose intended use is a bit more radical and outside the normal or expected usage model. Besides, I think many people are interested in formalization precisely because they want to have a clearly understood foundation, a kind of "search for certainty". So those who are naturally drawn to formalization in the first place may also appreciate being able to understand completely the logical and software engineering foundations of a system.

John.

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-05-03 02:45

Thanks for replying and the code, John. I'll send you a bug report on mizar modes in 3.0.9, and a bug report on the latest HOL Light as well. Right now I've been taking Freek's advice to try to learn Isabelle. It's been rough, and I'm ready for HOL Light again.

   | Your geometry links don't seem to jibe well with my paper above.

   Well, there are lots of degrees of freedom over how to axiomatize geometry, what level of automation you want and what your overall goals are in mechanization and formalization. But in any case, I just wanted to indicate how you might get started if you do want to use HOL Light.

John, I argued with folks on the isabelle newsgroup as well about Euclid and Hilbert. It'd be nice to settle this argument. I say that Euclid's work is well worth studying, very creative, and the basis of non-Euclidean geometry. But you can't code up Euclid proofs! Euclid's axioms aren't strong enough to prove much. With Hilbert's axioms, you can prove all of Euclid's propositions. Proof assistants like HOL Light will show all those Hilbert proofs are correct, and there's an interesting possibility of teaching a geometry course where students code up their rigorous axiomatic Hilbert proofs. Anyone interested in this needs to read Greenberg's book, or Hartshorne's or my paper
http://www.math.northwestern.edu/~richter/hilbert.pdf

Scott, Fleuriot & Meikle are instead using proof assistants like HOL Light to read Hilbert's book FoG. That's a worthy task, as FoG is very hard to read. But that's like reading a literal translation of Euclid, where you find this incomprehensible statement of Prop I.7:

``On the same straight-line, two other straight-lines equal, respectively, to two (given) straight-lines (which meet) cannot be constructed (meeting) at a different point on the same side (of the straight-line), but having the same ends as the given straight-lines.''

It says if two circles intersect in two points, then the intersection points are on opposite sides of the line connecting the centers of the two circles :) See Heath, p 259--260, or p 16 of my paper. When we talk of Euclid, we mean Euclid, Proclus, Pappus, and all the other Euclid scholars up to Heath. We don't mean just Euclid. Similarly, when we talk of Hilbert, we have to talk about Hartshorne, Greenberg etc. We can't just read Hilbert's FoG ``in Greek.''

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Makarius - 2012-05-03 12:30

On Thu, 3 May 2012, John Harrison wrote:

> Of course, the ability to understand a system down to the bottom does
> have real value for those whose intended use is a bit more radical and
> outside the normal or expected usage model. Besides, I think many people
> are interested in formalization precisely because they want to have a
> clearly understood foundation, a kind of "search for certainty". So
> those who are naturally drawn to formalization in the first place may
> also appreciate being able to understand completely the logical and
> software engineering foundations of a system.

This is a delicate and very interesting aspect.

A system like HOL-Light has the advantage that the reader gets quickly an impression what the basic logic functionality is meant to be. This gives some certainty under additional assumptions, i.e. that the ML really is what it seems at first sight, and that certain bad things are not done in practice. (Say someone taking apart terms and mutating the names of constants.)

When Mark Adams showed his new HOL0 system for in Cambridge in 2009, he did not know yet about these snags of OCaml. Both type int and string are somehow insecure on this platform. I've also done a tiny bit of OCaml implementation myself some weeks ago, and had to look a few days very closely what the basic operators mean, say equality on strings.

Sealing up such holes makes the implementation more complex. For example, the Coq people have their own version of int and string that really mean int and string in a mathematical sense, without silent overflow or hidden mutation.

Driving this further and further, adding infrastructure to address weaknesses of the implementation and other side-conditions, you get to a highly complex system like Isabelle. Here the idea is to provide a secure and fast environment to the end-user, like an operating system does, but the first impression that one could easily understand it is lost.

Makarius

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: John Harrison - 2012-05-03 18:14

Hi Makarius,

| A system like HOL-Light has the advantage that the reader gets quickly an
| impression what the basic logic functionality is meant to be. This gives
| some certainty under additional assumptions, i.e. that the ML really is
| what it seems at first sight, and that certain bad things are not done in
| practice. (Say someone taking apart terms and mutating the names of
| constants.)

That is true. I actually had in mind not so much a practical metric of ultimate certainty, but more the conceptual feeling that you completely understand in principle what's going on when you prove a theorem and know and trust the underlying logical rules.

The question of providing ultimate assurance is a bit different, but I think any system with a small kernel of simple logical steps provides a relatively easy path to such certainty for those that care enough. In particular, one can generate a proof trace and check it in a specially designed system like HOL Zero or even write one's own proof checker. This certainly applies to HOL Light and Isabelle, with Coq a more arguable case. (Although it has a small kernel, this involves a quite complex evaluation mechanism.)

| Driving this further and further, adding infrastructure to address
| weaknesses of the implementation and other side-conditions, you get to a
| highly complex system like Isabelle. Here the idea is to provide a secure
| and fast environment to the end-user, like an operating system does, but
| the first impression that one could easily understand it is lost.

Yes, I think the two approaches are nicely complementary and probably appeal to different people. So there is room for both styles.

John.

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Freek Wiedijk - 2012-05-03 20:15

Hi John and Makarius,

This is not very much about HOL as such, so if this reply is inappropriate for the HOL list, I apologise:

>>mutating the names of constants.

I always found this "mutable constants" complaint silly. Many people make it, but it never struck me as significant.

Surely in every practical programming language you can "cheat" in some way if you try hard enough. For instance by poking the memory, either internally through some Obj.magic like interface, or if you don't get that from your language by poking in /dev/mem?

So the possibility of cheating if you really try does not seem an interesting one to me. What's important is that you won't "cheat" accidentally, by misunderstanding how things work.

For example there is the story of someone who thought that some system had a superefficient automated prover, which made him super excited. Only later he found out that that "automation" had been the system's equivalent of what in HOL Light is called CHEAT_TAC (adding the thing to be proved as an axiom.)

>In particular, one can generate a proof trace and check
>it in a specially designed system like HOL Zero or even
>write one's own proof checker. This certainly applies
>to HOL Light and Isabelle, with Coq a more arguable
>case. (Although it has a small kernel, this involves a
>quite complex evaluation mechanism.)

I think Matita started its life that way?

So about Coq having a small kernel: I seem to remember that the source of Coq's latest kernel is larger than the source of the full Mizar system.

Also, I always think that the _full_ "logic" of Coq (the thing called "pCIC") has nowhere been precisely written down. If I'm wrong about that, I _very_ much would like to know. (I know about the Coq manual, but that certainly is not the full story, nor is it written in a very precise style.)

Freek

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Makarius - 2012-05-03 20:48

On Thu, 3 May 2012, Freek Wiedijk wrote:

> This is not very much about HOL as such, so if this reply is
> inappropriate for the HOL list, I apologise:

I am also a guest here, so we try to behave as best as we can.

>>> mutating the names of constants.
>
> I always found this "mutable constants" complaint silly. Many people
> make it, but it never struck me as significant.

The question is what is the name of the game you want to play. Mutable term language is not quite "LCF approach", where the static type discipline is supposed to ensure "correctness-by-construction".

For HOL-Light, John always keeps an eye on his sources -- static check by human inspection. The ACL2 guys also manage that by hand in their weakly typed language, by restricting the number of people who work on the code-base to two.

For a huge system with many contributors you can't do that. This is where a robust LCF approach really helps.

Mark Adams occasionally promotes an even more aggressive scenario for HOL Zero where he wants to admit potentially malicious users, an army of paid proof-workers who want to cheat. (I am not really following him here, we are not that far yet.)

> Surely in every practical programming language you can "cheat" in some
> way if you try hard enough. For instance by poking the memory, either
> internally through some Obj.magic like interface

This Obj stuff is absent in SML. You can make nonsense with some implementations, but we reduce that danger by running with more than one, so it is essentially the intersection of the semantics.

Moreover, as I have explained to Mark Adams already in a similar discussion, one can seal up the toplevel interpreter loop, to isolate user scripts from any such built-in nonsense. I think the original LCF by Milner actually did work like that, since ML was a closed interpreter within LISP. (Unfortunately, I've only ever seen the sources of Cambridge LCF. Does anybody happen to have the older ones from Edinburgh or Standard?)

A managed ML toplevel is again one of these layers that would complicate a prover implementation, but make it more reliable. We don't have that in Isabelle, because the malicious scenario is a bit artificial, but there is some runtime compiler support to allow the user to work with ML bindings in a stateless manner.

> or if you don't get that from your language by poking in /dev/mem?

That's another game. A computing system consists of many layers. If you have full physical or logical access to critical ones, you can do whatever nonsense you want. Milner had some very important ideas in the 1970-ies how to organize the chaos, such that you get mostly real theorems out of it -- by restricting to certain layers, and some infrastructure to enforce that.

> What's important is that you won't "cheat" accidentally, by
> misunderstanding how things work.

I've recently made my first practical steps in OCaml and was a bit scared by its proximity to C. After 20 years of SML I am probably spoilt by too clean programming language semantics. I did "cheat" by accident, stumbling over standard semantic traps of low-level languages. Most languages have that, but it does not mean one cannot do better.

Again, these observations are more relevant to a project like HOL Zero than for HOL-Light. I've looked at holzero-0.4.1 before and just today at holzero-0.5.4. (I am still hoping to see a really convincing independent proof checker for the HOL family of systems.) My impression is now that he *is* piling up more and more stuff to make up for the semantic weaknesses of OCaml for his project.

Makarius
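
The hazard debated in the messages above (a kernel whose abstract theorem type is intact but whose constant names are mutable buffers shared with user code), as an added example that is not part of the thread and not code from HOL Light, HOL Zero or Isabelle. All module and function names are hypothetical, and Bytes.t stands in for the mutable string type of the OCaml versions discussed here.

```ocaml
(* Added illustration; every name below is hypothetical. *)

(* Terms of a toy logic, parameterised by how constant names are stored. *)
type 'name term =
  | Const of 'name
  | And of 'name term * 'name term

(* LCF-style interface: thm is abstract, so user code can only build
   theorems through the exported rules truth and conj. *)
module type KERNEL = sig
  type thm
  val truth : thm                  (* primitive theorem  |- T *)
  val conj : thm -> thm -> thm     (* from |- p and |- q infer |- p /\ q *)
  val concl : thm -> Bytes.t term  (* destructor handed to user code *)
  val show : thm -> string
end

(* Naive kernel: names are mutable buffers and concl returns the kernel's
   own term, so the caller receives an alias of the theorem's internals. *)
module Naive : KERNEL = struct
  type thm = Bytes.t term
  let truth = Const (Bytes.of_string "T")
  let conj p q = And (p, q)
  let concl th = th
  let rec render = function
    | Const n -> Bytes.to_string n
    | And (p, q) -> render p ^ " /\\ " ^ render q
  let show th = "|- " ^ render th
end

(* Hardened kernel: names are immutable strings inside the kernel, and
   concl hands out fresh copies, so nothing the caller holds is shared. *)
module Hardened : KERNEL = struct
  type thm = string term
  let truth = Const "T"
  let conj p q = And (p, q)
  let rec export = function
    | Const n -> Const (Bytes.of_string n)
    | And (p, q) -> And (export p, export q)
  let concl th = export th
  let rec render = function
    | Const n -> n
    | And (p, q) -> render p ^ " /\\ " ^ render q
  let show th = "|- " ^ render th
end

(* User-level code. It never forges a thm; the type checker rejects
   (Const (Bytes.of_string "F") : Naive.thm) outside the kernel. It only
   takes a proved theorem apart and overwrites a name it was handed. *)
let tamper (module K : KERNEL) =
  let th = K.conj K.truth K.truth in
  (match K.concl th with
   | And (Const name, _) -> Bytes.set name 0 'F'
   | _ -> ());
  K.show th

let () =
  Printf.printf "naive kernel:    %s\n" (tamper (module Naive : KERNEL));
  Printf.printf "hardened kernel: %s\n" (tamper (module Hardened : KERNEL))
```

With the naive kernel the mutation reaches every theorem that shares the buffer, including the primitive one; the hardened kernel pays for its immunity with a copy on every destructor call.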

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-05-04 04:19

Thanks, John! Sorry I don't have my bug reports yet. I'm using Scientific Linux, not Debian, so I can't use Hendrik's package.

   While I'm very interested in the idea of formalizing geometry axiomatically, and I'm happy people are doing it in HOL Light,

What I'm trying to do is much simpler than what Phil etc are doing. It should be trivial in HOL Light. It shouldn't require the full strength of Freek's ambitious miz3. I just want 2-column high school Geometry proofs. I'll use Hilbert's or Tarski's axioms, which actually give rigorous proofs, but it's still 2-column proofs. Phil is trying to get HOL Light to fix proofs from Hilbert's arcane book, that takes a real theorem prover.

BTW what do you call HOL Light? Is it a proof assistant, or a theorem prover, or a proof checker?

--
Best,
Bill

[Hol-info] HOL Light setup script
From: Alexander Krauss - 2012-05-04 22:06

Hi all,

On 05/03/2012 07:52 PM, John Harrison wrote:
> It can be a pain getting the right camlp5 support set
> up, so you might want to just stick with OCaml 3.0.9 unless you have a
> compelling reason to upgrade.

I also experienced these problems recently. Some versions of camlp5 are not supported by HOL Light, and you also have to compile with the right options. Even worse, some distributions even ship packages of ocaml/camlp5 that are incompatible to each other.

My solution was to build everything from sources, which makes me independent from distro packaging issues. I automated all this in a little script, which is very convenient if I quickly have to get HOL Light up and running on a new machine.

For anyone suffering these issues, here is my script (for linux).

https://bitbucket.org/akrauss/hol-light-workbench/

Of course now you need the build dependencies for ocaml (gcc etc.), but this is usually easy to get from your distribution...

Comments and patches are of course welcome...

Alex

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-05-05 04:09

Phil, I'm sorry, I lost your message and just found it.

What sort of granularity do you want in the proof steps?

The proofs in my Mizar code skip more steps than I'd like
http://www.math.northwestern.edu/~richter/RichterTarskiMizar.tar

I think the proofs are going to get massive even at the very beginning of Hilbert's geometry. Maybe Tarski's is more suitable.

I think my Mizar Tarski proofs are about like my Latex Hilbert proofs
http://www.math.northwestern.edu/~richter/hilbert.pdf
and they're both a nice size for me. You have to remember that my sources (Hartshorne & Greenberg) are much nicer expositions than FoG.

I'm generally all in favour of teaching rigorous mathematics to high-school students, getting them to use theorem provers and learning to code early. Here in the UK, we are falling ever further behind in terms of computer science at high-school level.

That said, it seems that students would be faced with a huge learning curve if they were simultaneously studying a relatively poorly documented language such as Ocaml, a theorem prover such as HOL Light, and the axiomatic method.

The proof assistants will just check 2-column geometry proofs. My students (right now just my 13yo son) will learn next to nothing about Ocaml or any proof assistant.

So good documentation is needed, and quite likely a better interface.

I always get a rush when Mizar tells me I've got a rigorous proof, and I think the kids will too.

And my guess is they'll have trouble no matter which theorem prover you pick, though I'm very much interested in your thoughts on how to tackle this.

I'm mostly interested in the rigorous axiomatic method, and I'm mostly using proof assistants as a selling point: you should learn math proofs to get a good job programming computers later in the new hot field of proof assistants checking software. Your project is much more ambitious programming, filling in the gaps of the first thing ever written on Hilbert's axioms, written long ago (do you have the latest edition BTW? The axioms are weaker). To go a little off the deep end, it's like the difference between listening to the Sweet Honey and Rock version of the Beatitudes
http://www.youtube.com/watch?v=NrmhRoS-XE4
and reading the Gospels in the original Greek or Aramaic. You & Jacques need real proof assistants and ML skills, but I shouldn't.

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-05-05 04:15

John, I was wrong, and all the mizar modes work fine with ocaml-3.09.3 and hol_version 2.20++. I can successfully paste in these 5 commands:

hol_light> ocaml
#use "hol.ml";;
#load "unix.cma";;
#use "miz3/miz3.ml";;
#use "JohnTarskiGeometry.ml";;

where JohnTarskiGeometry.ml (incl below) is the combination of your two code fragments, included below. Thanks, that's real progress! But I have serious questions about the coding below.

It didn't work to substitute your Mizar mode Examples/mizar.ml. Your Tarski code chugged away but hung for hours. Mizarlight/make.ml also didn't work, failing to prove your EquivReflexive, with error message Unbound value thm. So Freek's miz3 was the big winner! My only bug report (for Mizarlight) is from the older hol_version 2.20, included below.

Thanks for your new miz3 code, which is quite readable, and runs fine, together with your (not so readable) earlier code, which amounts to

1) Proving Tarski's axioms as theorems in the coordinate plane R^2
2) using these axiom-theorems to prove Tarski's theorems.

We're not actually deducing consequences of Tarski's axioms here. We're proving theorems in R^2, where all of Tarski's theorems (or Hilbert's) are clearly true. That's not what I want. For one thing, we miss out on applying Tarski's axioms to hyperbolic geometry, as Tim did on the Isabelle list (I can't read his code).

You and Freek didn't define the Mizar datatype `struct', which is what I use: A Plane is a struct, a set with a 4-ary Betweenness relation and 3-ary Equidistant relation.

BTW Hilbert and Birkhoff both prove that with enough axioms including the parallel postulate, there's a unique model R^2, so there's nothing unrigorous about working in coordinates, at least if you understand this result, which Hartshorne does a pretty good job explaining.

I don't know what the plan to do this in miz3 is, though. Do we still use newdefinition to define the axioms? Can we stack the axioms and definitions together into something like an Isabelle locale and invoke it when we want to prove theorems?

BTW my first Mizar success was really ugly: I had one theorem

AXIOM_1 and ... AXIOM_1 implies lemma1, lemma2, ... lemma17

and the proof was a mile long. I finally stumbled on my also inelegant solution of making each axiom into a theorem.

-------------- hol_version 2.20 mizar bug report --------------

hol_light> make
hol_light> ocaml
#use "hol.ml";;

It took 5 minutes, and I got the message

Camlp4 Parsing version 3.09.3

#use "Mizarlight/make.ml";;

This didn't work, and I got the error message

Warning: inventing type variables
0..0..solved at 2
- : thm = |- ?x. !y. P x ==> P y
- : unit = ()
val holby_prover : thm list -> (string * thm) list * term -> goalstate =
File "/home/richter/HOL/SOURCE/hol_light/Mizarlight/duality_holby.ml", line 8, characters 0-14:
Unbound value current_prover
Error in included file /home/richter/HOL/SOURCE/hol_light/Mizarlight/duality_holby.ml
- : unit = ()

Yours worked fine, and I wasn't before smart enough to try this:

hol_light> ocaml
#use "hol.ml";;
#use "Examples/mizar.ml";;

Freek's miz3 works fine, with your unix.cma trick above.

----------- Your miz3 Tarski geometry code JohnTarskiGeometry.ml -----------

(* ----------------------------------------------------------------------- *)
(* Define a new type "Plane" in bijection with real^2.                     *)
(* ----------------------------------------------------------------------- *)

needs "Multivariate/determinants.ml";;

let Plane_TYBIJ =
  let th = prove(`?x:real^2. T`,REWRITE_TAC[]) in
  let def = new_type_definition "Plane" ("planify","coords") th in
  REWRITE_RULE[] def;;

(* ----------------------------------------------------------------------- *)
(* Define notions of congruence and between-ness as Euclidean equivalents. *)
(* ----------------------------------------------------------------------- *)

parse_as_infix("===",(12, "right"));;

let Congruent_DEF = new_definition
 `a,b === c,d <=> dist(coords a,coords b) = dist(coords c,coords d)`;;

let Between_DEF = new_definition
 `Between (a,b,c) <=> between (coords b) (coords a,coords c)`;;

(* ----------------------------------------------------------------------- *)
(* Simple tactic to switch variables from "Plane" to "real^2".             *)
(* ----------------------------------------------------------------------- *)

let PLANE_COORD_TAC =
  let PLANE_QUANT_THM = MESON[Plane_TYBIJ]
    `((!x. P x) <=> (!x. P(planify x))) /\
     ((?x. P x) <=> (?x. P(planify x)))`
  and PLANE_EQ_THM = MESON[Plane_TYBIJ]
    `planify x = planify y <=> x = y` in
  REWRITE_TAC[PLANE_QUANT_THM; Congruent_DEF; Between_DEF; PLANE_EQ_THM;
              Plane_TYBIJ];;

(* ----------------------------------------------------------------------- *)
(* Derivation of the axioms.                                               *)
(* ----------------------------------------------------------------------- *)

let AXIOM_1 = prove
 (`!a b. a,b === b,a`,
  PLANE_COORD_TAC THEN NORM_ARITH_TAC);;

let AXIOM_2 = prove
 (`!a b p q r s. a,b === p,q /\ a,b === r,s ==> p,q === r,s`,
  PLANE_COORD_TAC THEN NORM_ARITH_TAC);;

let AXIOM_3 = prove
 (`!a b c. a,b === c,c ==> a = b`,
  PLANE_COORD_TAC THEN NORM_ARITH_TAC);;

let AXIOM_4 = prove
 (`!a q b c. ?x. Between(q,a,x) /\ a,x === b,c`,
  PLANE_COORD_TAC THEN GEOM_ORIGIN_TAC `a:real^2` THEN
  REPEAT GEN_TAC THEN REWRITE_TAC[DIST_0] THEN
  ASM_CASES_TAC `q:real^2 = vec 0` THENL
   [ASM_SIMP_TAC[BETWEEN_REFL; VECTOR_CHOOSE_SIZE; DIST_POS_LE];
    EXISTS_TAC `--(dist(b:real^2,c) / norm(q) % q):real^2` THEN
    REWRITE_TAC[between; DIST_0] THEN
    REWRITE_TAC[dist; NORM_MUL; NORM_NEG; REAL_ABS_DIV; REAL_ABS_NORM;
                VECTOR_ARITH `q - --(a % q) = (&1 + a) % q`] THEN
    CONJ_TAC THENL
     [MATCH_MP_TAC(REAL_RING `a = &1 + b ==> a * q = q + b * q`) THEN
      SIMP_TAC[REAL_ABS_REFL; REAL_POS; REAL_LE_ADD; REAL_LE_DIV;
               NORM_POS_LE];
      ASM_SIMP_TAC[REAL_DIV_RMUL; NORM_EQ_0]]]);;

let EquivReflexive = thm `;
  !a b. a,b === a,b
  proof
    let a b be Plane;
    b,a === a,b by AXIOM_1;
    thus a,b === a,b by AXIOM_2;
  end`;;

let EquivSymmetric = thm `;
  !a b c d. a,b === c,d ==> c,d === a,b
  proof
    let a b c d be Plane;
    assume a,b === c,d [1];
    a,b === a,b by EquivReflexive;
    thus c,d === a,b by 1, AXIOM_2;
  end`;;

let EquivTransitive = thm `;
  !a b p q r s : Plane. a,b === p,q /\ p,q === r,s ==> a,b === r,s
  proof
    let a b p q r s be Plane;
    assume a,b === p,q [1];
    assume p,q === r,s [2];
    p,q === a,b by 1, EquivSymmetric;
    thus a,b === r,s by 2, AXIOM_2;
  end`;;

let Baaa_THM = thm `;
  !a b. Between (a,a,a) /\ a,a === b,b
  proof
    let a b be Plane;
    ?x. Between (a,a,x) /\ a,x === b,b by AXIOM_4;
    consider x such that Between (a,a,x) /\ a,x === b,b [1];
    a = x by 1, AXIOM_3;
    thus Between (a,a,a) /\ a,a === b,b by 1;
  end`;;

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: John Harrison - 2012-05-06 18:39

Hi Bill,

| The first thing I did with your Mizar code was to remove them.
|
| Wow, you were really working, I feel guilty. The file joe.miz has the
| fancy character turned into Mizar, for, ex, st, implies, etc.

Thanks! Yes, it was actually more work doing that than porting the first few ASCII-fied proofs to miz3, which is some sort of tribute to Freek.

| It sure makes the code more readable.
|
| That's a matter of opinion.
|
| It's definitely my opinion, and I know when I came to it. I was
| staring at my proof of Gupta's theorem and I said to myself, I can't
| read this, I have no idea what I'm writing. After I wrote my Emacs
| code and stuck in (the top-level bits?) ⇒, ¬, ∨, ∧, ≡, ∀, ∃ and ⇔, it
| was so much more readable. That's the way mathematicians actually
| write, of course, so it's hard for me to read anything else.

Obviously the full range of mathematical notation can make things much easier to read, but personally I can't get very excited about the use or non-use of a few special characters. I find that I rapidly reach the stage where I map between them without thinking, and sometimes the use of special characters instead of combinations of traditional ones makes things needlessly obscure to outsiders. Anyway I am quite surprised and a little shocked to find a Scheme programmer caring about concrete syntax :-)

| I would discourage it and advise you to set up some additional
| interface layer.
|
| I'll do it your way, you're the expert. What do you mean? Something
| like my Emacs stunt to rewrite the file before compiling it? Is there
| a clean way to do that? I wasn't too happy with my solution.

I'm certainly not the expert on this topic, but yes something like your existing emacs tricks seem reasonable. Anyway it's one of those problems that is obviously trivial, though not necessarily easy.

| That's great, and I modified Andrzej Mizar code to write mine. , We
| should use the machine to enhance the pleasure of proving things. I
| get a great rush when Mizar says I have a correct proof. There's a
| democracy/PoMo angle: I haven't yet talked to a grownup about Tarski
| axiom proofs, and I completely believe my proofs, because Mizar
| checked them. I don't need to be part of a system that tells me I'm
| right. And there's no Post Modernist talk about how proofs are social
| constructs, it's up to every community to decide what a proof is.

Yes, this is one of the very appealing things about formalization, that the question of the correctness of a proof becomes an objective one.

| The middle school math coordinator where I live told me to read an
| article by an education prof Stylianides
| The Notion of Proof in the Context of Elementary School Mathematics
| who claimed that a 3rd grade girl Betsy failed to give a proof that
| odd + odd = even, on the grounds that the other 3rd graders didn't buy
| her proof. Betsy's proof was fine, and the objections were silly (you
| can't even say all the numbers!). If Betsy has a good proof
| assistant to code her proof in, these PoMo objections disappear.

That's not good, indeed. Thanks for the pointer --- I found the paper online and I'll be interested to see the details.

John.

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-05-07 00:29

Anyway I am quite surprised and a little shocked to find a Scheme
programmer caring about concrete syntax :-)

That's an excellent point about subjectivity, John! I spent enough
time in the Scheme culture to easily read Scheme code, with all the
ridiculous extra parentheses and prefix notation, and I also spent
enough time in the math culture to want to see code like

a,b ≡ p,q ∧ p,q ≡ r,s ⇒ a,b ≡ r,s

It's subjective, not objective, but I'm really happy you're with me on
the objective point:

| And there's no Post Modernist talk about how proofs are social
| constructs, it's up to every community to decide what a proof is.

Yes, this is one of the very appealing things about formalization, that
the question of the correctness of a proof becomes an objective one.

--- I found the paper online and I'll be interested to see the details.

Excellent, John. I wrote to the middle school math coordinator:

Ms. Farrand, here's a longer letter about Stylianides's article
The Notion of Proof in the Context of Elementary School Mathematics,
published in Educational Studies in Mathematics, 2007
http://www.jstor.org/stable/27822668 .

Stylianides makes this astonishing claim about a nice proof that a
third-grade girl gave of odd + odd = even:

p 15: First, Betsy's argument cannot count as proof, because it was
not accepted as such by the classroom community.

The only sensible action would have been for (p. 16)

the teacher [the author's advisor Deborah Ball] to ratify Betsy's
argument as a proof at the end of the episode, explaining to the
students why this argument qualified as proof

I give evidence now that the author does not explain clearly what a
proof is or why they're important.

p 1: Proofs should be incorporated into the mathematical experiences
of even elementary students (e.g., Ball and Bass...)

Hyman Bass is a good mathematician, so we should take this seriously.
The article says nothing about why we should teach proofs. I say we
should teach real proofs because math is all about proofs, and some
students (like my son) refuse to memorize stuff that hasn't been
explained, and require real proofs to continue.

p 2: students' transition from elementary to secondary school
mathematics is abrupt and is linked to a 'didactical break'
represented by the introduction of the new requirement for proof.

I say this is irrelevant. I taught Calculus, MV Calculus, ODE & Linear
Algebra for many years at universities. And I say high school Geometry
is the one math class students ever get where they must understand
mathematical proofs. I was told over & over at universities, "Don't
give proofs. If you're at the blackboard writing down a proof, you're
just doing it for yourself. Nobody's listening."

p 4: Most students first --- and sometimes only --- encounter proof in
high school courses on Euclidean geometry, and, when this happens,
proof seems alien and unfamiliar to them...

Here the author agrees with my point: proofs are not an essential part
of math education. So why is he writing about proofs at all?

Section 1 ends with the misleading claim

Furthermore, the process of accepting an argument as proof relies
heavily on the social mechanisms of the mathematical community
(cf. social dimension) (e.g., Ernest, 1998; Tymoczko, 1986/1998).

Mathematicians are in complete agreement about what a proof is. But
proofs are often extremely complicated and skip many steps. So
"accepting an argument as proof" then turns into a political circus.

The author repeats versions of his misleading claim many times. So let
me explain more. All mathematicians agree that a mathematical proof is
something that could eventually be written as an axiomatic proof using
the accepted set theory axioms (ZFC: the Zermelo-Fraenkel axioms plus
the axiom of choice). These axiomatic proofs could then be checked for
correctness by a computer program.

These axiomatic proofs are very similar to the rigorous Hilbert proofs
that my son learned. The ETHS book follows standard practice by giving
"picture-proofs" instead of axiomatic proofs, and the ETHS axioms are
not strong enough to prove much. In practice, mathematicians never
give axiomatic set theory proofs, as they would be too complicated,
and they often give "picture-proofs". So my objection to the ETHS
course isn't "picture-proofs" per se, but that the students are not
being taught what an axiomatic proof is, nor what axioms they are
actually using. Most of the students wouldn't even care, as this
course is their one exposure to proofs, so the less proofs the better.
Some students however will want real proofs like the Hilbert proofs my
son learned.

A mathematical community can work faster and define "hot areas" by
agreeing to skip steps. This is a dangerous practice, and has nothing
to do with teaching children.

None of this "knowledge construction" stuff has any relevance to
teaching junior level math classes for college math majors. That's the
important point, because I've taught my son a great deal of Algebra &
Geometry from junior level math courses.

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: John Harrison - 2012-05-07 02:11

Hi Bill,

| John, thank you very much for writing the Tarski geometry miz3 code!

You're welcome, though I'm not quite satisfied with it for exactly the
reasons you mentioned:

| I don't mind quantifying over free variables. I prefer to. But these
| 6 lines in every theorem/proof hurt readability.

They do, although maybe in larger proofs later on the relative
uglification is less. I'm sure there is a nicer solution, possibly
using assumptions on the theorems instead of antecedents of
implications, though I would need to experiment a bit, and possibly
tweak miz3 or use a less obvious entry point to it.

Actually, I still incline towards the direct approach. If you start
with that, the day-to-day proofs will be much nicer, and it certainly
won't be difficult to generalize it afterwards. I'll even volunteer to
do it for you :-) In case you are tempted, the extract below is how I
would start. I now prove all the axioms (you'll need the latest HOL
Light svn version though to get a critical lemma) and then launch into
a direct port of your proof, and the result is pretty clear and
uncluttered.

| What if we go to the mile long theorem, so we'd only state these 6
| lines once. Or can we make some, uh, global declaration?

That's possible, but you'd need to do all the proofs together as a
single Mizar block, I think. It's still not a completely satisfying
solution, as far as I can see, and I'm sure we can do better.

| Thanks, that's nice, and I should read your book. But of course using
| such a simple self-coded basic proof checker defeats my selling point
| of propelling my students into the new hot world of proof assistants.

Yes, that's true.

John.

(* ========================================================================= *)
(* Model for Tarski axioms and port of Bill Richter's geometry proofs.       *)
(* ========================================================================= *)

needs "Multivariate/convex.ml";;

(* ------------------------------------------------------------------------- *)
(* Define a new type "point" in bijection with real^2.                       *)
(* ------------------------------------------------------------------------- *)

let Plane_TYBIJ =
  let th = prove(`?x:real^2. T`,REWRITE_TAC[]) in
  let def = new_type_definition "point" ("planify","coords") th in
  REWRITE_RULE[] def;;

(* ------------------------------------------------------------------------- *)
(* Define notions of congruence and between-ness as Euclidean equivalents.   *)
(* ------------------------------------------------------------------------- *)

parse_as_infix("===",(12, "right"));;

let Congruent_DEF = new_definition
 `a,b === c,d <=> dist(coords a,coords b) = dist(coords c,coords d)`;;

let Between_DEF = new_definition
 `Between (a,b,c) <=> between (coords b) (coords a,coords c)`;;

(* ------------------------------------------------------------------------- *)
(* The derived notion of triangle congruence.                                *)
(* ------------------------------------------------------------------------- *)

parse_as_infix("cong",(12, "right"));;

let cong_DEF = new_definition
 `a,b,c cong x,y,z <=>
        a,b === x,y /\ a,c === x,z /\ b,c === y,z`;;

(* ------------------------------------------------------------------------- *)
(* Simple tactic to switch variables from "point" to "real^2".               *)
(* ------------------------------------------------------------------------- *)

let PLANE_COORD_TAC =
  let PLANE_QUANT_THM = MESON[Plane_TYBIJ]
    `((!x. P x) <=> (!x. P(planify x))) /\
     ((?x. P x) <=> (?x. P(planify x)))`
  and PLANE_EQ_THM = MESON[Plane_TYBIJ]
    `planify x = planify y <=> x = y` in
  REWRITE_TAC[PLANE_QUANT_THM; Congruent_DEF; Between_DEF; PLANE_EQ_THM;
              Plane_TYBIJ];;

(* ------------------------------------------------------------------------- *)
(* Derivation of the axioms.                                                 *)
(* ------------------------------------------------------------------------- *)

let A1 = prove
 (`!a b. a,b === b,a`,
  PLANE_COORD_TAC THEN NORM_ARITH_TAC);;

let A2 = prove
 (`!a b p q r s. a,b === p,q /\ a,b === r,s ==> p,q === r,s`,
  PLANE_COORD_TAC THEN NORM_ARITH_TAC);;

let A3 = prove
 (`!a b c. a,b === c,c ==> a = b`,
  PLANE_COORD_TAC THEN NORM_ARITH_TAC);;

let A4 = prove
 (`!a q b c. ?x. Between(q,a,x) /\ a,x === b,c`,
  PLANE_COORD_TAC THEN GEOM_ORIGIN_TAC `a:real^2` THEN
  REPEAT GEN_TAC THEN REWRITE_TAC[DIST_0] THEN
  ASM_CASES_TAC `q:real^2 = vec 0` THENL
   [ASM_SIMP_TAC[BETWEEN_REFL; VECTOR_CHOOSE_SIZE; DIST_POS_LE];
    EXISTS_TAC `--(dist(b:real^2,c) / norm(q) % q):real^2` THEN
    REWRITE_TAC[between; DIST_0] THEN
    REWRITE_TAC[dist; NORM_MUL; NORM_NEG; REAL_ABS_DIV; REAL_ABS_NORM;
                VECTOR_ARITH `q - --(a % q) = (&1 + a) % q`] THEN
    CONJ_TAC THENL
     [MATCH_MP_TAC(REAL_RING `a = &1 + b ==> a * q = q + b * q`) THEN
      SIMP_TAC[REAL_ABS_REFL; REAL_POS; REAL_LE_ADD; REAL_LE_DIV;
               NORM_POS_LE];
      ASM_SIMP_TAC[REAL_DIV_RMUL; NORM_EQ_0]]]);;

let A5 = prove
 (`!a b c x a' b' c' x'.
        ~(a = b) /\ a,b,c cong a',b',c' /\
        Between(a,b,x) /\ Between(a',b',x') /\ b,x === b',x'
        ==> c,x === c',x'`,
  let lemma = prove
   (`!a b x:real^N.
        between b (a,x) /\ ~(b = a)
        ==> ?d. &0 <= d /\ x = b + d % (b - a)`,
    REPEAT GEN_TAC THEN REWRITE_TAC[BETWEEN_NORM] THEN STRIP_TAC THEN
    EXISTS_TAC `norm(x - b:real^N) / norm(b - a)` THEN
    SIMP_TAC[REAL_LE_DIV; NORM_POS_LE] THEN FIRST_X_ASSUM
     (MP_TAC o AP_TERM `(%) (inv(norm(b - a:real^N))):real^N->real^N`) THEN
    ASM_SIMP_TAC[VECTOR_MUL_ASSOC; REAL_MUL_LINV; NORM_EQ_0;
                 VECTOR_SUB_EQ] THEN
    VECTOR_ARITH_TAC) in
  REWRITE_TAC[cong_DEF] THEN PLANE_COORD_TAC THEN REPEAT STRIP_TAC THEN
  MP_TAC(ISPECL
   [`a:real^2`; `b:real^2`; `c:real^2`;
    `a':real^2`; `b':real^2`; `c':real^2`]
   RIGID_TRANSFORMATION_BETWEEN_3) THEN
  ANTS_TAC THENL [ASM_MESON_TAC[DIST_EQ_0; DIST_SYM]; ALL_TAC] THEN
  DISCH_THEN(X_CHOOSE_THEN `k:real^2` (X_CHOOSE_THEN `f:real^2->real^2`
   (CONJUNCTS_THEN2 ASSUME_TAC MP_TAC))) THEN
  DISCH_THEN(REPEAT_TCL CONJUNCTS_THEN SUBST_ALL_TAC) THEN
  MP_TAC(ISPECL [`a:real^2`; `b:real^2`; `x:real^2`] lemma) THEN
  MP_TAC(ISPECL [`k + (f:real^2->real^2) a`; `k + (f:real^2->real^2) b`;
                 `x':real^2`] lemma) THEN
  ASM_REWRITE_TAC[VECTOR_ARITH `k + a:real^N = k + b <=> a = b`;
                  VECTOR_ARITH `(k + a) - (k + b):real^N = a - b`] THEN
  ANTS_TAC THENL
   [ASM_MESON_TAC[ORTHOGONAL_TRANSFORMATION_INJECTIVE]; ALL_TAC] THEN
  DISCH_THEN(X_CHOOSE_THEN `d':real` STRIP_ASSUME_TAC) THEN
  DISCH_THEN(X_CHOOSE_THEN `d:real` STRIP_ASSUME_TAC) THEN
  UNDISCH_TAC `dist(b:real^2,x) = dist (k + f b:real^2,x')` THEN
  ASM_REWRITE_TAC[GSYM VECTOR_ADD_ASSOC;
                  NORM_ARITH `dist(a + b:real^N,a + c) = dist(b,c)`] THEN
  FIRST_ASSUM(ASSUME_TAC o MATCH_MP ORTHOGONAL_TRANSFORMATION_LINEAR) THEN
  ASM_SIMP_TAC[GSYM LINEAR_SUB; GSYM LINEAR_CMUL; GSYM LINEAR_ADD] THEN
  RULE_ASSUM_TAC(REWRITE_RULE[ORTHOGONAL_TRANSFORMATION_ISOMETRY]) THEN
  ASM_REWRITE_TAC[NORM_ARITH `dist(a:real^N,a + c) = norm c`] THEN
  ASM_REWRITE_TAC[NORM_MUL; REAL_EQ_MUL_RCANCEL; NORM_EQ_0;
                  VECTOR_SUB_EQ] THEN
  ASM_SIMP_TAC[real_abs]);;

let A6 = prove
 (`!a b. Between(a,b,a) ==> a = b`,
  PLANE_COORD_TAC THEN SIMP_TAC[between] THEN NORM_ARITH_TAC);;

let A7 = prove
 (`!a b p q z.
        Between(a,p,z) /\ Between(b,q,z)
        ==> ?x. Between(p,x,b) /\ Between(q,x,a)`,
  PLANE_COORD_TAC THEN REPEAT GEN_TAC THEN GEOM_ORIGIN_TAC `z:real^2` THEN
  REPEAT GEN_TAC THEN REWRITE_TAC[BETWEEN_IN_SEGMENT] THEN
  GEN_REWRITE_TAC (LAND_CONV o ONCE_DEPTH_CONV) [SEGMENT_SYM] THEN
  GEN_REWRITE_TAC (RAND_CONV o BINDER_CONV o RAND_CONV o RAND_CONV)
   [SEGMENT_SYM] THEN
  REWRITE_TAC[IN_SEGMENT] THEN
  REWRITE_TAC[VECTOR_MUL_RZERO; VECTOR_ADD_LID] THEN
  DISCH_THEN(CONJUNCTS_THEN2
   (X_CHOOSE_THEN `p:real` STRIP_ASSUME_TAC)
   (X_CHOOSE_THEN `q:real` STRIP_ASSUME_TAC)) THEN
  REPEAT(FIRST_X_ASSUM SUBST_ALL_TAC) THEN
  REWRITE_TAC[MESON[]
   `(?x. (?u. &0 <= u /\ u <= &1 /\ x = f u) /\
         (?u. &0 <= u /\ u <= &1 /\ x = g u)) <=>
    ?u v. (&0 <= u /\ &0 <= v) /\ (u <= &1 /\ v <= &1) /\ f u = g v`] THEN
  SUBGOAL_THEN `p * q <= &1` MP_TAC THENL
   [GEN_REWRITE_TAC RAND_CONV [GSYM REAL_MUL_LID] THEN
    MATCH_MP_TAC REAL_LE_MUL2 THEN ASM_REWRITE_TAC[];
    DISCH_THEN(fun th -> ASSUME_TAC th THEN MP_TAC th)] THEN
  REWRITE_TAC[REAL_ARITH `p * q <= &1 <=> p * q = &1 \/ p * q < &1`] THEN
  STRIP_TAC THENL
   [FIRST_ASSUM(SUBST_ALL_TAC o SYM o MATCH_MP REAL_MUL_LINV_UNIQ) THEN
    SUBGOAL_THEN `q = &1` SUBST_ALL_TAC THENL
     [ASM_REWRITE_TAC[GSYM REAL_LE_ANTISYM] THEN
      UNDISCH_TAC `inv q <= &1` THEN
      REWRITE_TAC[GSYM REAL_NOT_LT; CONTRAPOS_THM] THEN
      DISCH_TAC THEN MATCH_MP_TAC REAL_LT_RINV THEN
      ASM_CASES_TAC `q = &0` THENL
       [UNDISCH_TAC `inv q * q = &1` THEN ASM_REWRITE_TAC[];
        ALL_TAC] THEN
      ASM_REAL_ARITH_TAC;
      REPEAT(EXISTS_TAC `&1 / &2`) THEN
      CONV_TAC REAL_RAT_REDUCE_CONV THEN VECTOR_ARITH_TAC];
    EXISTS_TAC `q * (&1 - p) / (&1 - p * q)` THEN
    EXISTS_TAC `(&1 - p) / (&1 - p * q)` THEN
    CONJ_TAC THENL
     [CONJ_TAC THENL
       [MATCH_MP_TAC REAL_LE_MUL THEN ASM_SIMP_TAC[]; ALL_TAC] THEN
      MATCH_MP_TAC REAL_LE_DIV THEN
      ASM_REWRITE_TAC[REAL_SUB_LE];
      ALL_TAC] THEN
    CONJ_TAC THENL
     [CONJ_TAC THENL
       [GEN_REWRITE_TAC RAND_CONV [GSYM REAL_MUL_LID] THEN
        MATCH_MP_TAC REAL_LE_MUL2 THEN ASM_REWRITE_TAC[] THEN
        CONJ_TAC THENL
         [MATCH_MP_TAC REAL_LE_DIV THEN ASM_REWRITE_TAC[REAL_SUB_LE];
          ALL_TAC];
        ALL_TAC] THEN
      ASM_SIMP_TAC[REAL_LE_LDIV_EQ; REAL_SUB_LT] THEN
      REWRITE_TAC[REAL_ARITH
       `&1 - p <= &1 * (&1 - p * q) <=> p * q <= p * &1`] THEN
      MATCH_MP_TAC REAL_LE_LMUL THEN ASM_REAL_ARITH_TAC;
      REWRITE_TAC[VECTOR_MUL_ASSOC] THEN BINOP_TAC THEN
      AP_THM_TAC THEN AP_TERM_TAC THEN
      UNDISCH_TAC `p * q < &1` THEN CONV_TAC REAL_FIELD]]);;

(* ------------------------------------------------------------------------- *)
(* Now miz3 versions of the actual proofs.                                   *)
(* ------------------------------------------------------------------------- *)

loadt "miz3/make.ml";;

let EquivReflexive = thm `;
  !a b. a,b === a,b
  proof
    let a b be point;
    b,a === a,b by A1;
    thus a,b === a,b by A2;
  end`;;

let EquivSymmetric = thm `;
  !a b c d. a,b === c,d ==> c,d === a,b
  proof
    let a b c d be point;
    assume a,b === c,d [1];
    a,b === a,b by EquivReflexive;
    thus c,d === a,b by 1, A2;
  end`;;

let EquivTransitive = thm `;
  !a b p q r s : point. a,b === p,q /\ p,q === r,s ==> a,b === r,s
  proof
    let a b p q r s be point;
    assume a,b === p,q [1];
    assume p,q === r,s [2];
    p,q === a,b by 1, EquivSymmetric;
    thus a,b === r,s by 2, A2;
  end`;;

let Baaa_THM = thm `;
  !a b. Between (a,a,a) /\ a,a === b,b
  proof
    let a b be point;
    ?x. Between (a,a,x) /\ a,x === b,b by A4;
    consider x such that Between (a,a,x) /\ a,x === b,b [1];
    a = x by 1, A3;
    thus Between (a,a,a) /\ a,a === b,b by 1;
  end`;;

let Bqaa_THM = thm `;
  !a q. Between(q,a,a)
  proof
    let a q be point;
    ? x : point . Between(q,a,x) /\ a,x === a,a by A4;
    consider x such that Between(q,a,x) /\ a,x === a,a [1];
    a = x by 1, A3;
    thus Between(q,a,a) by 1;
  end`;;
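An exact-arithmetic sanity check of the two witnesses given by EXISTS_TAC in the A7 (inner Pasch) proof above, added here as an illustration; it is not part of John Harrison's message or of HOL Light. It assumes the reading p = z + s(a - z), q = z + t(b - z) with s, t in [0,1] (the proof calls these scalars p and q), treats the witnesses as segment parameters u and v, and all function names are hypothetical.

```python
from fractions import Fraction as F
from itertools import product


def lerp(u, x, y):
    """Point (1-u)*x + u*y on the segment [x, y], computed exactly."""
    return tuple((1 - u) * xi + u * yi for xi, yi in zip(x, y))


def between(a, b, c):
    """Between(a,b,c) in the model: b lies on the closed segment [a, c]."""
    cross = (b[0] - a[0]) * (c[1] - a[1]) - (b[1] - a[1]) * (c[0] - a[0])
    dot = (b[0] - a[0]) * (b[0] - c[0]) + (b[1] - a[1]) * (b[1] - c[1])
    # Collinear with a, c and not outside them; a = c forces b = a.
    return cross == 0 and dot <= 0


def pasch_scalars(s, t):
    """Witnesses (u, v) from the A7 proof for scalars s, t in [0, 1].

    s*t = 1 forces s = t = 1, where the proof picks 1/2 for both;
    otherwise u = t(1-s)/(1-st) and v = (1-s)/(1-st).
    """
    s, t = F(s), F(t)
    if s * t == 1:
        return F(1, 2), F(1, 2)
    d = 1 - s * t
    return t * (1 - s) / d, (1 - s) / d


def check_a7(a, b, z, s, t):
    """True when the witnesses give a point x satisfying axiom A7."""
    p, q = lerp(F(s), z, a), lerp(F(t), z, b)
    u, v = pasch_scalars(s, t)
    x_on_pb = lerp(u, p, b)   # x written as a point of segment [p, b]
    x_on_aq = lerp(v, a, q)   # x written as a point of segment [a, q]
    return (0 <= u <= 1 and 0 <= v <= 1
            and x_on_pb == x_on_aq
            and between(a, p, z) and between(b, q, z)              # hypotheses
            and between(p, x_on_pb, b) and between(q, x_on_pb, a))  # goal


def sweep():
    """Count failures over a constructed grid, degenerate cases included."""
    coords = [F(-1), F(0), F(2)]
    points = list(product(coords, repeat=2))   # 9 points; a = b = z allowed
    scalars = [F(0), F(1, 3), F(1, 2), F(1)]   # endpoints and s = t = 1
    failures = 0
    for a, b, z in product(points, repeat=3):
        for s, t in product(scalars, repeat=2):
            if not check_a7(a, b, z, s, t):
                failures += 1
    return failures


if __name__ == "__main__":
    print("failing cases:", sweep())
```

The grid deliberately includes a = z, a = b and s = t = 1, which are the cases the HOL Light proof has to split off by hand.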

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-05-07 04:33

John, thanks for writing the R^2 = Tarski-model code! I could not
have done it. You're the boss, so I'll use your new code. BTW did you
see that I proved your equation responding to Josef?

(x1^2 + x2^2 + x3^2 + x4^2) (y1^2 + y2^2 + y3^2 + y4^2) = ...

Your other code works quite well, and I ported Bqaa, but I'm stuck on
C1. I assumed you had a typo
loadt "miz3/make.ml";;
and changed it to loadt "miz3/miz3.ml";;

So I paste in 3 commands
hol_light> ocaml
#use "hol.ml";;
#load "unix.cma";;

and then paste in the file below, JohnTarski.ml (I couldn't figure out
how to #use it), and everything compiles, where I got the C1 error

(;
  !(===) (Between:point#point#point->bool) (cong).
  TarskiModel((===),(Between:point#point#point->bool),(cong))
  ==> !a b x y : point.
      ~(a = b) /\ Between (a,b,x) /\ Between (a,b,y) /\ b,x === b,y
      ==> y = x
  proof
    let (===) be point#point->point#point->bool;
    let (Between) be point#point#point->bool;
    let (cong) be point#point#point->point#point#point->bool;
    assume TarskiModel((===),(Between:point#point#point->bool),(cong)) [0];
    let a b x y be point;
    assume ~(a = b) [1];
    assume Between (a,b,x) [2];
    assume Between (a,b,y) [3];
    assume b,x === b,y [4];
    a,b === a,b /\ a,y === a,y /\ b,y === b,y by 0, EquivReflexive;
    then a,b,y cong a,b,y by 0, cong;
    then y,x === y,y by 0, 1, 2, 3, 4, A5;
    thus y = x by 0, A3;
:: #8 #8#2
:: 8: syntax or type error hol
:: 2: inference time-out
  end
;, (2, 1, 0)).

It's interesting that the one I couldn't get to work was the one with
your clever cong definition. Maybe it's my version 2.20++ (I asked my
sysadmin to install svn (crazy thing about rpm is (I think) that you
can't install anything without being root)), and maybe this is a
complicated inference that Mizar can perform due to better automation.
And maybe I did something really stupid, I could believe that.

------------- JohnTarski.ml -------------

(* ------------------------------------------------------------------------- *)
(* Infix status for a couple of the geometric predicates.                    *)
(* ------------------------------------------------------------------------- *)

parse_as_infix("===",(12, "right"));;
parse_as_infix("cong",(12, "right"));;

(* ------------------------------------------------------------------------- *)
(* Constant saying that three predicates satisfy the Tarski axioms.          *)
(* ------------------------------------------------------------------------- *)

let TarskiModel = new_definition
 `TarskiModel((===),(Between:point#point#point->bool),(cong)) <=>
    (!a b. a,b === b,a) /\
    (!a b p q r s. a,b === p,q /\ a,b === r,s ==> p,q === r,s) /\
    (!a b c. a,b === c,c ==> a = b) /\
    (!a q b c. ?x. Between(q,a,x) /\ a,x === b,c) /\
    (!a b c x a' b' c' x'.
        ~(a = b) /\ a,b,c cong a',b',c' /\
        Between(a,b,x) /\ Between(a',b',x') /\ b,x === b',x'
        ==> c,x === c',x') /\
    (!a b. Between(a,b,a) ==> a = b) /\
    (!a b p q z.
        Between(a,p,z) /\ Between(b,q,z)
        ==> ?x. Between(p,x,b) /\ Between(q,x,a)) /\
    (!a b c x y z.
        a,b,c cong x,y,z <=>
        a,b === x,y /\ a,c === x,z /\ b,c === y,z)`;;

let [A1;A2;A3;A4;A5;A6;A7;cong] =
  map DISCH_ALL
   (CONJUNCTS(UNDISCH(fst(EQ_IMP_RULE(SPEC_ALL TarskiModel)))));;

(* ------------------------------------------------------------------------- *)
(* Now Mizarlight versions of the actual proofs.                             *)
(* ------------------------------------------------------------------------- *)

loadt "miz3/miz3.ml";;

let EquivReflexive = thm `;
  !(===) (Between:point#point#point->bool) (cong).
  TarskiModel((===),(Between:point#point#point->bool),(cong))
  ==> !a b. a,b === a,b
  proof
    let (===) be point#point->point#point->bool;
    let (Between) be point#point#point->bool;
    let (cong) be point#point#point->point#point#point->bool;
    assume TarskiModel((===),(Between:point#point#point->bool),(cong)) [0];
    let a b be point;
    b,a === a,b by 0,A1;
    thus a,b === a,b by 0,A2;
  end`;;

let EquivSymmetric = thm `;
  !(===) (Between:point#point#point->bool) (cong).
  TarskiModel((===),(Between:point#point#point->bool),(cong))
  ==> !a b c d. a,b === c,d ==> c,d === a,b
  proof
    let (===) be point#point->point#point->bool;
    let (Between) be point#point#point->bool;
    let (cong) be point#point#point->point#point#point->bool;
    assume TarskiModel((===),(Between:point#point#point->bool),(cong)) [0];
    let a b c d be point;
    assume a,b === c,d [1];
    a,b === a,b by 0,EquivReflexive;
    thus c,d === a,b by 0, 1, A2;
  end`;;

let EquivTransitive = thm `;
  !(===) (Between:point#point#point->bool) (cong).
  TarskiModel((===),(Between:point#point#point->bool),(cong))
  ==> !a b p q r s : point.
      a,b === p,q /\ p,q === r,s ==> a,b === r,s
  proof
    let (===) be point#point->point#point->bool;
    let (Between) be point#point#point->bool;
    let (cong) be point#point#point->point#point#point->bool;
    assume TarskiModel((===),(Between:point#point#point->bool),(cong)) [0];
    let a b p q r s be point;
    assume a,b === p,q [1];
    assume p,q === r,s [2];
    p,q === a,b by 0, 1, EquivSymmetric;
    thus a,b === r,s by 0, 2, A2;
  end`;;

let Baaa_THM = thm `;
  !(===) (Between:point#point#point->bool) (cong).
  TarskiModel((===),(Between:point#point#point->bool),(cong))
  ==> !a b. Between (a,a,a) /\ a,a === b,b
  proof
    let (===) be point#point->point#point->bool;
    let (Between) be point#point#point->bool;
    let (cong) be point#point#point->point#point#point->bool;
    assume TarskiModel((===),(Between:point#point#point->bool),(cong)) [0];
    let a b be point;
    ?x. Between (a,a,x) /\ a,x === b,b by 0,A4;
    consider x such that Between (a,a,x) /\ a,x === b,b [1];
    a = x by 0,1, A3;
    thus Between (a,a,a) /\ a,a === b,b by 0,1;
  end`;;

let Bqaa_THM = thm `;
  !(===) (Between:point#point#point->bool) (cong).
  TarskiModel((===),(Between:point#point#point->bool),(cong))
  ==> !a q. Between (q,a,a)
  proof
    let (===) be point#point->point#point->bool;
    let (Between) be point#point#point->bool;
    let (cong) be point#point#point->point#point#point->bool;
    assume TarskiModel((===),(Between:point#point#point->bool),(cong)) [0];
    let a q be point;
    ?x. Between (q,a,x) /\ a,x === a,a by 0,A4;
    consider x such that Between (q,a,x) /\ a,x === a,a [1];
    a = x by 0,1, A3;
    thus Between (q,a,a) by 0,1;
  end`;;

let C1_THM = thm `;
  !(===) (Between:point#point#point->bool) (cong).
  TarskiModel((===),(Between:point#point#point->bool),(cong))
  ==> !a b x y : point.
      ~(a = b) /\ Between (a,b,x) /\ Between (a,b,y) /\ b,x === b,y
      ==> y = x
  proof
    let (===) be point#point->point#point->bool;
    let (Between) be point#point#point->bool;
    let (cong) be point#point#point->point#point#point->bool;
    assume TarskiModel((===),(Between:point#point#point->bool),(cong)) [0];
    let a b x y be point;
    assume ~(a = b) [1];
    assume Between (a,b,x) [2];
    assume Between (a,b,y) [3];
    assume b,x === b,y [4];
    a,b === a,b /\ a,y === a,y /\ b,y === b,y by 0, EquivReflexive;
    then a,b,y cong a,b,y by 0, cong;
    then y,x === y,y by 0, 1, 2, 3, 4, A5;
    thus y = x by 0, A3;
  end`;;

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: John Harrison - 2012-05-07 16:12

Hi Bill,

| John, thanks for writing the R^2 = Tarski-model code! I could not
| have done it. You're the boss, so I'll use your new code.

OK, sounds good. For now, there would be no problem just replacing the
first part with axioms, since that would be faster to load and
wouldn't require the latest HOL Light. See below for this version. I
know I discouraged you from using axioms before, but now it's clear
from the model that they are consistent and you can replace the axioms
by the derivation at any point without needing to make any changes to
your proofs.

| BTW did you see that I proved your equation responding to Josef?
| (x1^2 + x2^2 + x3^2 + x4^2) (y1^2 + y2^2 + y3^2 + y4^2)

Well yes, that looks reasonable, though I wouldn't quite characterize
it as an axiomatic proof, since there are some implicit assumptions
that are not boiled down to axioms. BTW, this (or to be more precise
its counterpart over the integers) comes from a proof that every
nonnegative integer is the sum of 4 integer squares. This identity
lets you reduce it to primes.

| Your other code works quite well, and I ported Bqaa, but I'm stuck on
| C1. I assumed you had a typo
| loadt "miz3/make.ml";;
| and changed it to loadt "miz3/miz3.ml";;

Yes, sorry, this "make.ml" was something I added to Freek's package
now that I actually distribute miz3 with HOL Light. Which I do, by the
way: it's now there in revision 135.

| So I paste in 3 commands
| hol_light> ocaml
| #use "hol.ml";;
| #load "unix.cma";;

So far so good...

| and then paste in the file below, JohnTarski.ml (I couldn't figure out
| how to #use it), and everything compiles, where I got the C1 error

The problem just arises from the use of "then", which isn't in the
miz3 grammar. Although miz3 sticks pretty close to Mizar, you don't
use "then" to link to the previous fact. Instead you can use "-" in a
justification list to refer to it explicitly, or rely on a settable
"horizon" of facts that are automatically used. For more details, see
Freek's paper, in particular the list of differences with Mizar on
page 17:

http://arxiv.org/abs/1201.3601

Anyway, if you delete those two instances of "then" it works fine for
me. But anyway, I'd still recommend working in the cleaner world
without the modularity, as in the fragment I append below.

John.

(* ========================================================================= *)
(* Model for Tarski axioms and port of Bill Richter's geometry proofs.       *)
(* ========================================================================= *)

new_type("point",0);;

parse_as_infix("===",(12, "right"));;
parse_as_infix("cong",(12, "right"));;

new_constant("===",`:point#point->point#point->bool`);;
new_constant("Between",`:point#point#point->bool`);;

let cong_DEF = new_definition
 `a,b,c cong x,y,z <=>
        a,b === x,y /\ a,c === x,z /\ b,c === y,z`;;

(* ------------------------------------------------------------------------- *)
(* The axioms.                                                               *)
(* ------------------------------------------------------------------------- *)

let A1 = new_axiom
 `!a b. a,b === b,a`;;

let A2 = new_axiom
 `!a b p q r s. a,b === p,q /\ a,b === r,s ==> p,q === r,s`;;

let A3 = new_axiom
 `!a b c. a,b === c,c ==> a = b`;;

let A4 = new_axiom
 `!a q b c. ?x. Between(q,a,x) /\ a,x === b,c`;;

let A5 = new_axiom
 `!a b c x a' b' c' x'.
        ~(a = b) /\ a,b,c cong a',b',c' /\
        Between(a,b,x) /\ Between(a',b',x') /\ b,x === b',x'
        ==> c,x === c',x'`;;

let A6 = new_axiom
 `!a b. Between(a,b,a) ==> a = b`;;

let A7 = new_axiom
 `!a b p q z.
        Between(a,p,z) /\ Between(b,q,z)
        ==> ?x. Between(p,x,b) /\ Between(q,x,a)`;;

(* ------------------------------------------------------------------------- *)
(* Now Mizarlight versions of the actual proofs.                             *)
(* ------------------------------------------------------------------------- *)

#load "unix.cma";;
loadt "miz3/miz3.ml";;

let EquivReflexive = thm `;
  !a b. a,b === a,b
  proof
    let a b be point;
    b,a === a,b by A1;
    thus a,b === a,b by A2;
  end`;;

let EquivSymmetric = thm `;
  !a b c d. a,b === c,d ==> c,d === a,b
  proof
    let a b c d be point;
    assume a,b === c,d [1];
    a,b === a,b by EquivReflexive;
    thus c,d === a,b by 1, A2;
  end`;;

let EquivTransitive = thm `;
  !a b p q r s : point. a,b === p,q /\ p,q === r,s ==> a,b === r,s
  proof
    let a b p q r s be point;
    assume a,b === p,q [1];
    assume p,q === r,s [2];
    p,q === a,b by 1, EquivSymmetric;
    thus a,b === r,s by 2, A2;
  end`;;

let Baaa_THM = thm `;
  !a b. Between (a,a,a) /\ a,a === b,b
  proof
    let a b be point;
    ?x. Between (a,a,x) /\ a,x === b,b by A4;
    consider x such that Between (a,a,x) /\ a,x === b,b [1];
    a = x by 1, A3;
    thus Between (a,a,a) /\ a,a === b,b by 1;
  end`;;

let Bqaa_THM = thm `;
  !a q. Between(q,a,a)
  proof
    let a q be point;
    ? x : point . Between(q,a,x) /\ a,x === a,a by A4;
    consider x such that Between(q,a,x) /\ a,x === a,a [1];
    a = x by 1, A3;
    thus Between(q,a,a) by 1;
  end`;;

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: - 2012-05-07 21:05

Hmmmm,

>
> All mathematicians agree that a mathematical proof is something that
> could eventually be written as an axiomatic proof using the accepted
> set theory axioms (ZFC: the Zermelo-Fraenkel axioms plus the axiom of
> choice). These axiomatic proofs could then be checked for correctness
> by a computer program.

Is this really true? No doubt, an axiomatic proof is a pretty
convincing mathematical model of proof. (Oh, and such things can be
checked by computer program, yep.) But, is it the case that every
thing which constitutes a proof could be expressed as a ZFC-axiomatic
proof instead?

(I suppose that if all mathematicians really agreed on this point,
then this would be true on the "accepted by the community" notion of
proof. But that's probably not what was meant by the claim. [and
perhaps I found the joke too tempting....]).

I've got two levels of concern:

1) at the connection between pure and applied mathematics. Does
   everything which convinces (mathematically) in practice have a
   reduction (or should that be expansion) to some formal system of
   proof?

2) just within pure math: Can every object which is a valid formal
   proof be converted to a ZFC proof?

Just to be clear, I think proof is still a useful thing. Something we
should probably teach to kids more often. And a nice ZFC proof does
give me a warm glow. But the quoted claim just struck me as too
strong. Maybe, I've been a distant spectator for too long...and I've
forgotten some important stuff.

mew

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-05-08 03:24

John, thanks for the advice and new code! I'll try it tonight on the
latest hol_light subversion, as my sysadmin installed svn and:

svn checkout http://hol-light.googlecode.com/svn/trunk/ hol_light
[...]
Checked out revision 135.
(poisson)richter> du -s hol_light/
47772 hol_light/

I see you added Freek's miz3, and hol.ml still reads
let hol_version = "2.20++";;

(poisson)richter> tar zcvf HOL-L135.tar.gz hol_light
(poisson)richter> du -s HOL-L135.tar.gz
7372 HOL-L135.tar.gz

I trust these numbers look all right. I'm really happy to be working
with you on this Tarski geometry hol_light/miz3 project.

Yes, I didn't give an axiomatic proof of your equation, and such an
axiomatic proof sounds pretty dismal. I wouldn't know where to start.

Rob, that's very cool that John's equation comes from quaternions!
I'll look at your Wiki Lagrange's_four-square_theorem link.

Freek, thanks for jumping in! And thanks for writing miz3! I took
your advice (and Makarius's) and tried Isabelle. You should try it, as
it's just one download, and has a nice integrated editor jedit. But I
couldn't understand Isabelle proofs, so miz3 looks great.

Josef, that's interesting that you vampired my code.

Your Mizar formalization (joe.miz). The 5 theorems that Vampire could
not solve were the longer ones, like Gupta, I1part1, etc.

Cool. I think that's a tribute to the Coq skill of Julien Narboux,
from whom I learned the proof of Gupta.

mew (woodcock), all mathematicians accept is that math is nothing but
corollaries of the ZFC set theory axioms in a model of ZFC, which is
presumed to exist. That is, we use the set theory axioms on sets that
we assume actually exist. In practice, mathematicians don't
understand ZFC very well, and Halmos's book Naive Set Theory explains
how hard it is to get the real line out of ZFC.

I'm sure John understands ZFC better than I do, and I assume he
coded the ZFC axioms in some first order logic way in HOL LIGHT.
And I assert that no mathematician would quarrel with John's HOL
LIGHT formulation of ZFC.

Now the ZFC model proofs that mathematicians create are much nicer to
read than FOL proofs, but set theorists proved that such ZFC FOL
proofs must exist. The theorem (I forget what it's called) is that if
a theorem is true in every model of a first order theory, then there
exists an axiomatic FOL proof of the theorem.

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: John Harrison - 2012-05-08 18:28

Hi Freek,

| Couldn't you set up things in a way that all the theorems
| would have the form "TarskiModel((===),Between) |- P"?
| I think I would find that more attractive.

Yes, I was wondering about that. Generally HOL inference rules will
happily propagate additional assumptions through them, and so the core
logical inferences should work smoothly, I think. So you'd give the
axioms too the form "TarskiModel((===),Between) |- P" by slightly
changing the line I gave, to:

let [A1;A2;A3;A4;A5;A6;A7;cong] =
  CONJUNCTS(UNDISCH(fst(EQ_IMP_RULE(SPEC_ALL TarskiModel))));;

Then there is the question of how to force an initial environment of
variables into the beginning of a miz3 proof. Specifically, you'd like
to have "env" augmented with

let initial_env =
 [`(===):point#point->point#point->bool`;
  `(Between):point#point#point->bool`;
  `(cong):point#point#point->point#point#point->bool`];;

I can probably figure this out for myself, but as the miz3 author I
will defer to you :-) Perhaps if one can do both of the above, it
would all work smoothly and the proofs would look the same, but with
the additional hypothesis being automatically tacked on to any
theorems that result. It would certainly be interesting to try.

John.

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: John Harrison - 2012-05-08 18:31

Hi Bill,

| svn checkout http://hol-light.googlecode.com/svn/trunk/ hol_light
| [...]
| Checked out revision 135.
| (poisson)richter> du -s hol_light/
| 47772 hol_light/
| I see you added Freek's miz3, and hol.ml still reads
| let hol_version = "2.20++";;
| (poisson)richter> tar zcvf HOL-L135.tar.gz hol_light
| (poisson)richter> du -s HOL-L135.tar.gz
| 7372 HOL-L135.tar.gz

That looks fine. I think every version or revision of HOL after 2.20
has just been called 2.20++. I should probably start labelling them in
a more discerning way.

| mew (woodcock), all mathematicians accept is that math is nothing but
| corollaries of the ZFC set theory axioms in a model of ZFC, which is
| presumed to exist. That is, we use the set theory axioms on sets that
| we assume actually exist. In practice, mathematicians don't
| understand ZFC very well, and Halmos's book Naive Set Theory explains
| how hard it is to get the real line out of ZFC.

Yes, I think there is a striking difference between how mathematicians
think about proofs in practice and the widespread assumption that they
can "in principle" be formalized in set theory. The following talk I
gave a while ago talks a bit about this distinction, among other
things.

http://www.cl.cam.ac.uk/~jrh13/slides/principia-27nov10/slides.pdf

| I'm sure John understands ZFC better than I do, and I assume he
| coded the ZFC axioms in some first order logic way in HOL LIGHT.
| And I assert that no mathematician would quarrel with John's HOL
| LIGHT formulation of ZFC.

Actually the HOL Light set theory is built basically by just adding
the axiom of infinity to the core higher-order logic, treating sets
over a type A as predicates on A, i.e. functions of type A->bool. The
resulting set-theoretic universe has a more "typed" character, and it
can be interpreted in a fairly straightforward way inside ZFC. If you
ignore complications from polymorphism, all the types you can talk
about in HOL naturally live in V_{omega+omega} in the Zermelo
hierarchy because you can only use the function space constructor
finitely many times starting with some infinite type, which you could
assume countable.

| Now the ZFC model proofs that mathematicians create are much nicer to
| read than FOL proofs, but set theorists proved that such ZFC FOL
| proofs must exist. The theorem (I forget what it's called) is that if
| a theorem is true in every model of a first order theory, then there
| exists an axiomatic FOL proof of the theorem.

This is usually just called the "completeness theorem" for first-order
logic and, at least in this explicit form, is generally attributed to
Goedel. If you abstract from the details of a particular first-order
proof system, you might say that the essential content is that the set
of FOL-provable formulas is recursively enumerable (semicomputable).
In that form you can also find it implicit in work of other logicians
like Skolem and Herbrand, even if the concept of an r.e. set was not
clear at the time.

John.

[Hol-info] miz3 comments, statement labels, and case ... by ' From: Bill Richter - 2012-05-09 02:43

John & Freek, I have miz3 comments, based on John's miz3 axiom port of my Tarski geometry code, below. It would be great to write good miz3 dox, because there are no good Mizar dox. Maybe I can help.

********************************

A misfeature of my Mizar code was duplicating the thm assumptions at the top of the proof. 1201.3601v2.pdf had a way to avoid that:

let CongruenceDoubleSymmetry_THM = thm `;
  let a b c d be point;
  assume a,b === c,d [H1];
  thus b,a === d,c
  proof
    b,a === a,b /\ c,d === d,c [X1] by H1, A1;
    a,b === d,c by H1, X1, EquivTransitive;
  qed by -, X1, EquivTransitive`;;

I also used Freek's qed feature to get rid of a useless line. Improvements like this are really important to pull kids in.

********************************

I'd like a Mizar feature which reduces duplication. In miz3 we write

  ? x . Between (b,x,b) /\ Between (a,x,a) by -, H1, A7;
  consider x such that
  Between (b,x,b) /\ Between (a,x,a) [X1];

But in Mizar we can also write more simply

  consider x such that
  Between (b,x,b) /\ Between (a,x,a) by -, H1, A7 [X1];

********************************

If a statement has a label, the label must precede `by ...' I don't know where this is explained, and it seems to be contradicted on p 17:

   The labels are behind the statements in brackets, instead of in front
   with a colon.

This caused me a lot of trouble, but I would have known if I'd read Freek's examples, as the correct behavior is shown e.g. on p 13:

  consider x such that ~P x [3] by 2;
  take x;
  assume P x [4];
  F [5] by 3,4;
  thus !y. P y [6] by 5;

********************************

I'd prefer statement labels at the beginning of a line, as in Mizar. That seems more readable, and in the tradition of 2-column proofs.

********************************

On p 17 of 1201.3601v2.pdf, Freek writes

   The label `-' refers to the previous statement. Also, the last ‘horizon’ statements are visible without reference, where horizon is a variable of the miz3 server that is usually set to 1.

That seems to mean that the previous statement is always visible, and that we never need `-'. I want to need a `-' to refer to the previous statement, so (this works fine so far) I set

  horizon := 0;;

but it makes the there-exists/consider even more cluttered:

  ? x . Between (a,c,x) /\ c,x === c,d by A4;
  consider x such that
  Between (a,c,x) /\ c,x === c,d [X1] by -;

********************************

I think the miz3 error messages are not nearly as good as the Mizar error messages, which are often baffling, but obey one principle: on the first offending line, there is an error message, and it's indented to mark the offending expression. I don't have a good example yet. I have a serious problem the miz3 error messages aren't helping me fix, but that requires the Tarski code, so I'll write a separate message.

********************************

Freek's `cases' discussion does not point out that in sufficiently trivial cases, no `by' is needed, as in

let B124and234Ordered_THM = thm `;
  ! a b c d . Between (a,b,d) /\ Between (b,c,d) ==> is_ordered (a,b,c,d)
  proof
    let a b c d be point;
    assume Between (a,b,d) [H1];
    assume Between (b,c,d) [H2];
    cases;
    suppose b = c [P1];
      Between (a,b,c) [P2] by -, Bqaa_THM;
      Between (a,c,d) by P1, H1;
      thus is_ordered (a,b,c,d) by P2, H1, -, H2, is_ordered_DEF;
    end;
    suppose ~(b = c) [Q1];
      Between (a,b,c) by H1, H2, B124and234then123_THM;
      thus is_ordered (a,b,c,d) by -, Q1, H2, BTransitivityOrdered_THM;
    end;
  end`;;

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-05-09 03:01

John, I had a blast continuing your port of my Tarski geometry code, included below. I'm about 1/3 done (below), and I have a serious problem, which I think underscores the lack of Mizar dox. I can't understand what's wrong with this proof below. This is the only thm I wrote where the conclusion is there-exists statement, and I'm guessing that's the problem.

********************************

let EasyAngleTransport_THM = thm `;
  ! a o b . (~(o = a) ==> (? x y . (Between (b,o,x) /\ Between (a,o,y) /\ (x,y,o cong a,b,o))))
  proof
    let a o b be point;
    assume ~(o = a) [X1];
    ? x . Between (b,o,x) /\ o,x === o,a by A4;
    consider x such that Between (b,o,x) /\ o,x === o,a [X2] by -;
    x,o === a,o [X3] by -, CongruenceDoubleSymmetry_THM;
    a,o === x,o [X4] by -, EquivSymmetric;
    a,x === x,a by A1;
    a,o,x cong x,o,a [X5] by X4, -, X2, cong_DEF;
    ? y . Between (a,o,y) /\ o,y === o,b by A4;
    consider y such that Between (a,o,y) /\ o,y === o,b [X6] by -;
    Between (x,o,b) by X2 ,Bsymmetry_THM;
    x,y === a,b [X7] by X1, X5, X6, -, A5;
    y,o === b,o by X6, CongruenceDoubleSymmetry_THM;
    x,y,o cong a,b,o by X7, X3, -, cong_DEF;
    thus Between (b,o,x) /\ Between (a,o,y) /\ (x,y,o cong a,b,o) by X2, X6, -;
  end`;;

The to-me incomprehensible Mizar_error:

  (`;
  ! a o b . (~(o = a) ==> (? x y . (Between (b,o,x) /\ Between (a,o,y) /\ (x,y,o cong a,b,o))))
  :: #8
  :: 8: syntax or type error hol
  proof
  let a o b be point;
  assume ~(o = a) [X1];
  :: #8
  ? x . Between (b,o,x) /\ o,x === o,a by A4;
  :: #8
  consider x such that Between (b,o,x) /\ o,x === o,a [X2] by -;
  :: #8
  x,o === a,o [X3] by -, CongruenceDoubleSymmetry_THM;
  :: #8
  a,o === x,o [X4] by -, EquivSymmetric;
  :: #8
  a,x === x,a by A1;
  :: #7
  :: 7: unbound free variables hol
  a,o,x cong x,o,a [X5] by X4, -, X2, cong_DEF;
  :: #8
  ? y . Between (a,o,y) /\ o,y === o,b by A4;
  :: #8
  consider y such that Between (a,o,y) /\ o,y === o,b [X6] by -;
  :: #8
  Between (x,o,b) by X2 ,Bsymmetry_THM;
  :: #8
  x,y === a,b [X7] by X1, X5, X6, -, A5;
  :: #7
  y,o === b,o by X6, CongruenceDoubleSymmetry_THM;
  :: #8
  x,y,o cong a,b,o by X7, X3, -, cong_DEF;
  :: #8
  thus Between (b,o,x) /\ Between (a,o,y) /\ (x,y,o cong a,b,o) by X2, X6, -;
  :: #8
  end ;`, (15, 0, 0)).

**********************************************************

--
Best,
Bill

(* ================================================================= *)
(* HOL Light Tarski geometry axiomatic proofs up to Gupta's theorem. *)
(* ================================================================= *)

(* Proof assistants like HOL Light can be used to help teach rigorous axiomatic geometry in high school using Hilbert's axioms, and introduce students to the world of formal proofs, which should become a hot area in debugging computer software.

   This is a port, mostly due to John Harrison, of Mizar code, which was heavily influenced by Julien Narboux's Coq pseudo-code http://dpt-info.u-strasbg.fr/~narboux/tarski.html and Wojciech A. Trybulec's incsp_1.miz in the MML library on axioms of incidence geometry.

   We partially prove the theorem of the 1983 book Metamathematische Methoden in der Geometrie by Schwabhäuser, Szmielew, and Tarski, that Tarski's (extremely weak!) plane geometry axioms imply Hilbert's axioms. We get about as far as Narboux, with Gupta's amazing proof which implies Hilbert's axiom I1 that two points determine a line.

   Thanks to Mizar folks who wrote an influential language I was able to learn, Freek Wiedijk, who wrote the miz3 port of Mizar to HOL Light, and especially John Harrison, who came up with the entire framework of porting my axiomatic proofs to HOL Light.
*)

new_type("point",0);;
parse_as_infix("===",(12, "right"));;
parse_as_infix("cong",(12, "right"));;
(* parse_as_infix("is_ordered",(12, "right"));; *)
new_constant("===",`:point#point->point#point->bool`);;
new_constant("Between",`:point#point#point->bool`);;

let cong_DEF = new_definition
 `a,b,c cong x,y,z <=>
   a,b === x,y /\ a,c === x,z /\ b,c === y,z`;;

let is_ordered_DEF = new_definition
 `is_ordered (a,b,c,d) <=>
   Between (a,b,c) /\ Between (a,b,d) /\ Between (a,c,d) /\ Between (b,c,d)`;;

(* I want to define is_ordered as a postfix operator, but didn't know how to do it. So I tried to make it a prefix, but this didn't work:

parse_as_prefix("ORDERED");;

let ORDERED_DEF = new_definition
 `ORDERED a,b,c,d <=>
   Between (a,b,c) /\ Between (a,b,d) /\ Between (a,c,d) /\ Between (b,c,d)`;;
*)

(* ------------------------------------------------------------------------- *)
(* The axioms.                                                               *)
(* ------------------------------------------------------------------------- *)

let A1 = new_axiom
  `!a b. a,b === b,a`;;

let A2 = new_axiom
  `!a b p q r s. a,b === p,q /\ a,b === r,s ==> p,q === r,s`;;

let A3 = new_axiom
  `!a b c. a,b === c,c ==> a = b`;;

let A4 = new_axiom
  `!a q b c. ?x. Between(q,a,x) /\ a,x === b,c`;;

let A5 = new_axiom
  `!a b c x a' b' c' x'.
     ~(a = b) /\ a,b,c cong a',b',c' /\
     Between(a,b,x) /\ Between(a',b',x') /\ b,x === b',x'
     ==> c,x === c',x'`;;

let A6 = new_axiom
  `!a b. Between(a,b,a) ==> a = b`;;

let A7 = new_axiom
  `!a b p q z.
     Between(a,p,z) /\ Between(b,q,z)
     ==> ?x. Between(p,x,b) /\ Between(q,x,a)`;;

(* A4 is the Segment Construction axiom, A5 is the SAS axiom and A7 is the Inner Pasch axiom. There are 4 more axioms we're not using yet: there exist 3 non-collinear points; 3 points equidistant from 2 distinct points are collinear; Euclid's parallel postulate; a first order version of Hilbert's Dedekind Cuts axiom.

   We shall say we apply SAS to a+cbx and a'+c'b'x'. Normally one applies SAS by showing cb = c'b' bx = b'x' (which we assume) and angle cbx cong angle c'b'x'. One might prove the angle congruence by showing that the triangles abc /\ a'b'c' were congruent by SSS (which we also assume) and then apply the theorem that complements of congruent angles are congruent. Hence Tarski's axiom.
*)

(* ------------------------------------------------------------------------- *)
(* Now Mizarlight versions of the actual proofs.                             *)
(* ------------------------------------------------------------------------- *)

#load "unix.cma";;
loadt "miz3/miz3.ml";;

horizon := 0;;

let EquivReflexive = thm `;
  !a b. a,b === a,b
  proof
    let a b be point;
    b,a === a,b by A1;
  qed by -, A2`;;

let EquivSymmetric = thm `;
  !a b c d. a,b === c,d ==> c,d === a,b
  proof
    let a b c d be point;
    assume a,b === c,d [1];
    a,b === a,b by EquivReflexive;
  qed by -, 1, A2`;;

let EquivTransitive = thm `;
  !a b p q r s : point. a,b === p,q /\ p,q === r,s ==> a,b === r,s
  proof
    let a b p q r s be point;
    assume a,b === p,q [1];
    assume p,q === r,s [2];
    p,q === a,b by 1, EquivSymmetric;
  qed by -, 2, A2`;;

let Baaa_THM = thm `;
  !a b. Between (a,a,a) /\ a,a === b,b
  proof
    let a b be point;
    ?x. Between (a,a,x) /\ a,x === b,b by A4;
    consider x such that Between (a,a,x) /\ a,x === b,b [1] by - ;
    a = x by 1, A3;
  qed by -, 1`;;

let Bqaa_THM = thm `;
  !a q. Between(q,a,a)
  proof
    let a q be point;
    ? x : point . Between(q,a,x) /\ a,x === a,a by A4;
    consider x such that Between(q,a,x) /\ a,x === a,a [1] by -;
    a = x by 1, A3;
  qed by -, 1`;;

let C1_THM = thm `;
  !a b x y . ~(a = b) /\ Between (a,b,x) /\ Between (a,b,y) /\ b,x === b,y ==> y = x
  proof
    let a b x y be point;
    assume ~(a = b) [1];
    assume Between (a,b,x) [2];
    assume Between (a,b,y) [3];
    assume b,x === b,y [4];
    a,b === a,b /\ a,y === a,y /\ b,y === b,y by EquivReflexive;
    a,b,y cong a,b,y by -, cong_DEF;
    y,x === y,y by -, 1, 2, 3, 4, A5;
  qed by -, A3`;;

let Bsymmetry_THM = thm `;
  ! a p z . Between (a,p,z) ==> Between (z,p,a)
  proof
    let a p z be point;
    assume Between (a,p,z) [H1];
    Between (p,z,z) by Bqaa_THM;
    ?x . Between (p,x,p) /\ Between (z,x,a) by -, H1, A7;
    consider x such that Between (p,x,p) /\ Between (z,x,a) [X1] by -;
    x = p by -, A6;
  qed by -, X1`;;

let Baaq_THM = thm `;
  ! a q . Between (a,a,q)
  proof
    let a q be point;
    Between (q,a,a) by Bqaa_THM;
  qed by -, Bsymmetry_THM`;;

let BEquality_THM = thm `;
  ! a b c . Between (a,b,c) /\ Between (b,a,c) ==> a = b
  proof
    let a b c be point;
    assume Between (a,b,c) [H1];
    assume Between (b,a,c);
    ? x . Between (b,x,b) /\ Between (a,x,a) by -, H1, A7;
    consider x such that Between (b,x,b) /\ Between (a,x,a) [X1] by -;
    b = x by X1, A6;
    Between (a,b,a) by -, X1;
  qed by -, A6`;;

let B124and234then123_THM = thm `;
  ! a b c d . Between (a,b,d) /\ Between (b,c,d) ==> Between (a,b,c)
  proof
    let a b c d be point;
    assume Between (a,b,d) [H1];
    assume Between (b,c,d);
    ? x . Between (b,x,b) /\ Between (c,x,a) by -, H1, A7;
    consider x such that Between (b,x,b) /\ Between (c,x,a) [X1] by -;
    b = x by X1, A6;
    Between (c,b,a) by -, X1;
  qed by -, Bsymmetry_THM`;;

let BTransitivity_THM = thm `;
  ! a b c d . ~(b = c) /\ Between (a,b,c) /\ Between (b,c,d) ==> Between (a,c,d)
  proof
    let a b c d be point;
    assume ~(b = c) [H1];
    assume Between (a,b,c) [H2];
    assume Between (b,c,d) [H3];
    ? x . Between (a,c,x) /\ c,x === c,d by A4;
    consider x such that Between (a,c,x) /\ c,x === c,d [X1] by -;
    Between (x,c,a) [X2] by -, Bsymmetry_THM;
    Between (c,b,a) by H2, Bsymmetry_THM;
    Between (x,c,b) by -, X2, B124and234then123_THM;
    Between (b,c,x) by -, Bsymmetry_THM;
    x = d by -, H1, H3, X1, C1_THM;
  qed by -, X1`;;

let BTransitivityOrdered_THM = thm `;
  ! a b c d . ~(b = c) /\ Between (a,b,c) /\ Between (b,c,d) ==> is_ordered (a,b,c,d)
  proof
    let a b c d be point;
    assume ~(b = c) [H1];
    assume Between (a,b,c) [H2];
    assume Between (b,c,d) [H3];
    Between (a,c,d) [X1] by H1, H2, H3, BTransitivity_THM;
    Between (d,c,b) [X2] by H3, Bsymmetry_THM;
    Between (c,b,a) by -, H2, Bsymmetry_THM;
    Between (d,b,a) by -, H1, X2, BTransitivity_THM;
    Between (a,b,d) by -, Bsymmetry_THM;
  qed by H2, -, X1, H3, is_ordered_DEF`;;

(*
let BTransitivityOrdered_THM = thm `;
  ! a b c d . ~(b = c) /\ Between (a,b,c) /\ Between (b,c,d) ==> ORDERED a,b,c,d
  proof
    let a b c d be point;
    assume ~(b = c) [H1];
    assume Between (a,b,c) [H2];
    assume Between (b,c,d) [H3];
    Between (a,c,d) [X1] by H1, H2, H3, BTransitivity_THM;
    Between (d,c,b) [X2] by H3, Bsymmetry_THM;
    Between (c,b,a) by -, H2, Bsymmetry_THM;
    Between (d,b,a) by -, H1, X2, BTransitivity_THM;
    Between (a,b,d) by -, Bsymmetry_THM;
    thus ORDERED a,b,c,d by H2, -, X1, H3, ORDERED_DEF;
  end`;;
*)

let B124and234Ordered_THM = thm `;
  ! a b c d . Between (a,b,d) /\ Between (b,c,d) ==> is_ordered (a,b,c,d)
  proof
    let a b c d be point;
    assume Between (a,b,d) [H1];
    assume Between (b,c,d) [H2];
    cases;
    suppose b = c [P1];
      Between (a,b,c) [P2] by -, Bqaa_THM;
      Between (a,c,d) by P1, H1;
    qed by P2, H1, -, H2, is_ordered_DEF;
    suppose ~(b = c) [Q1];
      Between (a,b,c) by H1, H2, B124and234then123_THM;
    qed by -, Q1, H2, BTransitivityOrdered_THM;
  end`;;

let SegmentAddition_THM = thm `;
  ! a b c a' b' c' . Between (a,b,c) /\ Between (a',b',c') /\ a,b === a',b' /\ b,c === b',c' ==> a,c === a',c'
  proof
    let a b c a' b' c' be point;
    assume Between (a,b,c) [H1];
    assume Between (a',b',c') [H2];
    assume a,b === a',b' [H3];
    assume b,c === b',c' [H4];
    cases;
    suppose a = b [Y1];
      a,a === a',b' by H3, Y1;
      a',b' === a,a by -, EquivSymmetric;
      a' = b' by -, A3;
    qed by -, H4, Y1;
    suppose ~(a = b) [Z1];
      b,a === a,b by A1;
      b,a === a',b' [Z2] by -, H3, EquivTransitive;
      a',b' === b',a' by A1;
      b,a === b',a' [Z3] by -, Z2, EquivTransitive;
      a,a === a',a' by Baaa_THM;
      a,b,a cong a',b',a' by -, H3, Z3, cong_DEF;
    qed by -, Z1, H1, H2, H4, A5;
  end`;;

let CongruenceDoubleSymmetry_THM = thm `;
  let a b c d be point;
  assume a,b === c,d [H1];
  thus b,a === d,c
  proof
    b,a === a,b /\ c,d === d,c [X1] by H1, A1;
    a,b === d,c by H1, X1, EquivTransitive;
  qed by -, X1, EquivTransitive`;;

let C1prime_THM = thm `;
  let a b x y be point;
  assume ~(a = b) [H1];
  assume Between (a,b,x) [H2];
  assume Between (a,b,y) [H3];
  assume a,x === a,y [H4];
  thus x = y
  proof
    ? m . Between (b,a,m) /\ a,m === a,b by A4;
    consider m such that Between (b,a,m) /\ a,m === a,b [X1] by -;
    Between (m,a,b) [X2] by X1, Bsymmetry_THM;
    ~(m = a) [X3] by X1, EquivSymmetric, A3, H1;
    is_ordered (m,a,b,x) by H1, X2, H2, BTransitivityOrdered_THM;
    Between (m,a,x) [X4] by -, is_ordered_DEF;
    is_ordered (m,a,b,y) by H1, X2, H3, BTransitivityOrdered_THM;
    Between (m,a,y) by -, is_ordered_DEF;
  qed by -, X3, X4, H4, C1_THM`;;

let SegmentSubtraction_THM = thm `;
  let a b c a' b' c' be point;
  assume Between (a,b,c) [H1];
  assume Between (a',b',c') [H2];
  assume a,b === a',b' [H3];
  assume a,c === a',c' [H4];
  thus b,c === b',c'
  proof
    cases;
    suppose a = b [Y1];
      a,a === a',b' by -, H3;
      a',b' === a,a by -, EquivSymmetric;
      a' = b' by -, A3;
    qed by -, H4, Y1;
    suppose ~(a = b) [Z1];
      consider x such that Between (a,b,x) /\ b,x === b',c' [Z2] by A4;
      a,x === a',c' [Z3] by Z2, H2, H3, SegmentAddition_THM;
      a',c' === a,c by H4, EquivSymmetric;
      a,x === a,c by -, Z3, EquivTransitive;
      x = c by -, Z1, Z2, H1, C1prime_THM;
    qed by -, Z2;
  end`;;

(* this doesn't work:

let EasyAngleTransport_THM = thm `;
  ! a o b . (~(o = a) ==> (? x y . (Between (b,o,x) /\ Between (a,o,y) /\ (x,y,o cong a,b,o))))
  proof
    let a o b be point;
    assume ~(o = a) [H1];
    ? x . Between (b,o,x) /\ o,x === o,a by A4;
    consider x such that Between (b,o,x) /\ o,x === o,a [X2] by -;
    x,o === a,o [X3] by -, CongruenceDoubleSymmetry_THM;
    a,o === x,o [X4] by -, EquivSymmetric;
    a,x === x,a by A1;
    a,o,x cong x,o,a [X5] by X4, -, X2, cong_DEF;
    ? y . Between (a,o,y) /\ o,y === o,b by A4;
    consider y such that Between (a,o,y) /\ o,y === o,b [X6] by -;
    Between (x,o,b) by X2 ,Bsymmetry_THM;
    x,y === a,b [X7] by H1, X5, X6, -, A5;
    y,o === b,o by X6, CongruenceDoubleSymmetry_THM;
    x,y,o cong a,b,o by X7, X3, -, cong_DEF;
    thus Between (b,o,x) /\ Between (a,o,y) /\ (x,y,o cong a,b,o) by X2, X6, -;
  end`;;

The first Mizar_error is:

  (? x y . (Between (b,o,x) /\ Between (a,o,y) /\ (x,y,o cong a,b,o))))
  :: #8
  :: 8: syntax or type error hol

This modification doesn't work either:

let EasyAngleTransport_THM = thm `;
  let a o b be point;
  assume ~(o = a) [H1];
  thus ? x y . Between (b,o,x) /\ Between (a,o,y) /\ x,y,o cong a,b,o
  proof
    ? x . Between (b,o,x) /\ o,x === o,a by A4;
    consider x such that Between (b,o,x) /\ o,x === o,a [X2] by -;
    x,o === a,o [X3] by -, CongruenceDoubleSymmetry_THM;
    a,o === x,o [X4] by -, EquivSymmetric;
    a,x === x,a by A1;
    a,o,x cong x,o,a [X5] by X4, -, X2, cong_DEF;
    ? y . Between (a,o,y) /\ o,y === o,b by A4;
    consider y such that Between (a,o,y) /\ o,y === o,b [X6] by -;
    Between (x,o,b) by X2, Bsymmetry_THM;
    x,y === a,b [X7] by H1, X5, X6, -, X6, A5;
    y,o === b,o by X6, CongruenceDoubleSymmetry_THM;
    x,y,o cong a,b,o by X7, X3, -, cong_DEF;
  qed by X2, X6, -`;;
*)

let B123and134Ordered_THM = thm `;
  let a b c d be point;
  assume Between (a,b,c) [H1];
  assume Between (a,c,d) [H2];
  thus Between (a,b,c) /\ Between (a,c,d) ==> is_ordered (a,b,c,d)
  proof
    Between (d,c,a) /\ Between (c,b,a) by H2, H1, Bsymmetry_THM;
    is_ordered (d,c,b,a) by -, B124and234Ordered_THM;
    Between (d,b,a) /\ Between (d,c,b) by -, is_ordered_DEF;
    Between (a,b,d) /\ Between (b,c,d) by -, Bsymmetry_THM;
    thus is_ordered (a,b,c,d) by -, H1, H2, is_ordered_DEF;
  end`;;

let BextendToLine_THM = thm `;
  let a b c d be point;
  assume ~(a = b) [H1];
  assume Between (a,b,c) [H2];
  assume Between (a,b,d) [H3];
  thus ? x . is_ordered (a,b,c,x) /\ is_ordered (a,b,d,x)
  proof
    ? u . Between (a,c,u) /\ c,u === b,d by A4;
    consider u such that Between (a,c,u) /\ c,u === b,d [X1] by -;
    is_ordered (a,b,c,u) [X2] by H2, X1, B123and134Ordered_THM;
    Between (b,c,u) by X2, is_ordered_DEF;
    Between (u,c,b) [X3] by -, Bsymmetry_THM;
    u,c === c,u by A1;
    u,c === b,d [X4] by -, X1, EquivTransitive;
    Between (a,b,u) [X5] by X2, is_ordered_DEF;
    ? x . Between (a,d,x) /\ d,x === b,c by A4;
    consider x such that Between (a,d,x) /\ d,x === b,c [Y1] by -;
    is_ordered (a,b,d,x) [Y2] by H3, Y1, B123and134Ordered_THM;
    Between (b,d,x) [Y3] by -, is_ordered_DEF;
    b,c === d,x [Y4] by Y1, EquivSymmetric;
    c,b === b,c by A1;
    c,b === d,x [Y5] by -, Y4, EquivTransitive;
    Between (a,b,x) [Y6] by Y2, is_ordered_DEF;
    u,b === b,x [X6] by X3, Y3, X4, Y5, SegmentAddition_THM;
    b,u === u,b by A1;
    b,u === b,x by -, X6, EquivTransitive;
    u = x by -, H1, X5, Y6, C1_THM;
    thus thesis by -, X2, Y2;
  end`;;

let GuptaEasy_THM = thm `;
  let a b c d be point;
  assume ~(a = b) [H1];
  assume Between (a,b,c) [H2];
  assume Between (a,b,d) [H3];
  assume ~(b = c) [H4];
  assume ~(b = d) [H5];
  thus ~ Between (c,b,d)
  proof
    ~ Between (c,b,d) \/ Between (c,b,d) [1];
    cases by 1;
    suppose ~ Between (c,b,d);
    qed by -;
    suppose Between (c,b,d) [H6];
      ? x . is_ordered (a,b,c,x) /\ is_ordered (a,b,d,x) by H1, H2, H3, BextendToLine_THM;
      consider x such that is_ordered (a,b,c,x) /\ is_ordered (a,b,d,x) [X1] by -;
      Between (b,d,x) by X1, is_ordered_DEF;
      is_ordered (c,b,d,x) by -, H5, H6, BTransitivityOrdered_THM;
      Between (b,c,x) /\ Between (c,b,x) by -, X1, is_ordered_DEF;
      b = c [X2] by -, BEquality_THM;
      F by -, H4, X2;
    qed by -;
  end`;;

(* The next result is like SAS: there are 5 pairs of segments 4 equivalent. We say we apply Inner5Segments to abc-x and a'b'c'-x' *)

let Inner5Segments_THM = thm `;
  let a b c x a' b' c' x' be point;
  assume a,b,c cong a',b',c' [H1];
  assume Between (a,x,c) [H2];
  assume Between (a',x',c') [H3];
  assume c,x === c',x' [H4];
  thus b,x === b',x'
  proof
    a,b === a',b' /\ a,c === a',c' /\ b,c === b',c' [X1] by H1, cong_DEF;
    cases;
    suppose x = c [Case1];
      c',x' === c,c by H4, Case1, EquivSymmetric;
      x' = c' by -, A3;
    qed by -, Case1, X1;
    suppose ~(x = c) [Case2];
      ~(a = c) [X2] by H2, A6, Case2;
      consider y such that Between (a,c,y) /\ c,y === a,c [X3] by A4;
      consider y' such that Between (a',c',y') /\ c',y' === a,c [X4] by A4;
      a,c === c',y' by X4, EquivSymmetric;
      c,y === c',y' [X5] by -, X3, EquivTransitive;
      c,b === c',b' [X6] by X1, CongruenceDoubleSymmetry_THM;
      a,c,b cong a',c',b' by cong_DEF, X1, X6;
      b,y === b',y' [X7] by -, X2, X3, X4, X5, A5;
      ~(y = c) [X8] by X3, EquivSymmetric, A3, X2;
      Between (y,c,a) /\ Between (c,x,a) by X3, H2, Bsymmetry_THM;
      Between (y,c,x) [X9] by -, B124and234then123_THM;
      Between (y',c',a') /\ Between (c',x',a') by -, X4, H3, Bsymmetry_THM;
      Between (y',c',x') [X10] by -, B124and234then123_THM;
      y,c === y',c' /\ y,b === y',b' by X5, X7, CongruenceDoubleSymmetry_THM;
      y,c,b cong y',c',b' by -, cong_DEF, X6;
    qed by -, X8, X9, X10, H4, A5;
  end`;;

let RhombusDiagBisect_THM = thm `;
  let b c d c' d' be point;
  assume Between (b,c,d') [H1];
  assume Between (b,d,c') [H2];
  assume c,d' === c,d [H3];
  assume d,c' === c,d [H4];
  assume d',c' === c,d [H5];
  thus ? e . Between (c,e,c') /\ Between (d,e,d') /\ c,e === c',e /\ d,e === d',e
  proof
    Between (d',c,b) /\ Between (c',d,b) [X1] by H1, H2, Bsymmetry_THM;
    ? e . Between (c,e,c') /\ Between (d,e,d') by X1, A7;
    consider e such that Between (c,e,c') /\ Between (d,e,d') [X2] by -;
    c,d === c,d' [X3] by H3, EquivSymmetric;
    c,c' === c,c' [X4] by EquivReflexive;
    c,d === d',c' by H5, EquivSymmetric;
    d,c' === d',c' by -, H4, EquivTransitive;
    c,d,c' cong c,d',c' by -, X3, X4, cong_DEF;
    d,e === d',e [X5] by -, X2, EquivReflexive, Inner5Segments_THM;
    d,c === c,d [X6] by A1;
    c,d === d,c' by H4, EquivSymmetric;
    d,c === d,c' [X7] by -, X6, EquivTransitive;
    d,d' === d,d' [X8] by EquivReflexive;
    c,d === d',c' [X9] by H5, EquivSymmetric;
    d',c' === c',d' by A1;
    c,d === c',d' by -, X9, EquivTransitive;
    c,d' === c',d' [X10] by -, H3, EquivTransitive;
    d,d' === d,d' by EquivReflexive;
    d,c,d' cong d,c',d' by -, X7, X8, X10, cong_DEF;
    c,e === c',e by -, X2, EquivReflexive, Inner5Segments_THM;
    thus thesis by -, X2, X5;
  end`;;

(* can't work without EasyAngleTransport

let FlatNormal_THM = thm `;
  let a b c d d' e be point;
  assume Between (b,c,d') [H1];
  assume Between (d,e,d') [H2];
  assume c,d' === c,d [H3];
  assume d,e === d',e [H4];
  assume ~(c = d) [H5];
  assume ~(e = d) [H6];
  thus ? p,r,q . Between (p,r,q) /\ Between (r,c,d') /\ Between (e,c,p) /\ r,c,p cong r,c,q /\ r,c === e,c /\ p,r === d,e
  proof
    ~(c = d') by H5, H3, EquivSymmetric A3;
    ? p r . Between (e,c,p) /\ Between (d',c,r) /\ p,r,c cong d',e,c by EasyAngleTransport;
    consider p r such that Between (e,c,p) /\ Between (d',c,r) /\ p,r,c cong d',e,c [X1] by -;
    p,r === d',e /\ p,c === d',c /\ r,c === e,c [X2] by -, X1 cong_DEF;
    d',e === d,e by H4 EquivSymmetric;
    p,r === d,e [X3] by -, X2, EquivTransitive;
    ~(p = r) [X4] by -, EquivSymmetric, H6, A3;
    ? q . Between (p,r,q) /\ r,q === e,d by A4;
    consider q such that Between (p,r,q) /\ r,q === e,d [X5] by -;
    Between (d',e,d) [X6] by H2, Bsymmetry_THM;
    c,p === c,d' by -, X2, CongruenceDoubleSymmetry_THM;
    c,p === c,d [X7] by -, H3, EquivTransitive;
    :: Apply SAS to p+crq ∧ d'+ced
    c,q=== c,d by X4, X1, X5, X6, A5;
    c,d=== c,q by -, EquivSymmetric;
    c,p=== c,q [X8] by -, X7, EquivTransitive;
    r,c=== r,c [X9] by EquivReflexive;
    r,p=== e,d [X10] by X3, CongruenceDoubleSymmetry_THM;
    e,d=== r,q by X5, EquivSymmetric;
    r,p=== r,q by -, X10, EquivTransitive;
    r,c,p cong r,c,q [X11] by -, X9, X8, cong_DEF;
    Between r,c,d' [X12] by X1, Bsymmetry;
    thus thesis by X5, X11, X12, X2, X1, X3;
  end`;;
*)

(* a /\ b are equidistant from p /\ q. Apply SAS to a+pbc /\ a+qbc. *)

let EqDist2PointsBetween_THM = thm `;
  let a b c p q be point;
  assume ~(a = b) [H1];
  assume Between (a,b,c) [H2];
  assume a,p === a,q /\ b,p === b,q [H3];
  thus c,p === c,q
  proof
    a,b === a,b /\ b,c === b,c [X1] by EquivReflexive;
    a,b,p cong a,b,q by -, H3, cong_DEF;
    p,c === q,c by H1, -, H2, X1, A5;
  qed by -, CongruenceDoubleSymmetry_THM`;;

(* a and c are equidistant from p and q. Apply Inner5Segments to apb-x /\ aqb-x. *)

let EqDist2PointsInnerBetween_THM = thm `;
  let a x c p q be point;
  assume Between (a,x,c) [H1];
  assume a,p === a,q /\ c,p === c,q [H2];
  thus x,p === x,q
  proof
    a,c === a,c /\ c,x === c,x [X1] by EquivReflexive;
    p,c === q,c by H2, CongruenceDoubleSymmetry_THM;
    a,p,c cong a,q,c by -, H2, X1, cong_DEF;
    p,x === q,x by -, H1, X1, Inner5Segments_THM;
    thus x,p === x,q by -, CongruenceDoubleSymmetry_THM;
  end`;;

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-05-09 03:50

   Yes, I think there is a striking difference between how mathematicians think about proofs in practice and the widespread assumption that they can "in principle" be formalized in set theory. The following talk I gave a while ago talks a bit about this distinction, among other things.

   http://www.cl.cam.ac.uk/~jrh13/slides/principia-27nov10/slides.pdf

John, that looks like a great article!

   Mathematical proofs are subjected to peer review, but errors often escape unnoticed.

Here's one relevant example. Birkhoff in the top US journal (Annals of Math) gave his own rigorous axioms for Euclidean Geometry, never mentioning Hilbert's work 30 years earlier. He had one axiom that requires a function taking values in R/ 2pi to be continuous. He only used it to show that all 3 angles in a triangle are either clockwise or counterclockwise. He published an erratum for that proof, which I can't read. MacLane wrote up 20 years later a rigorous version of Birkhoff's proof, and I think I simplified MacLane's proof, taking out the continuous functions, which no Geometry student could understand.

   Arguably, HOL Light is the computer-age version of Principia:
   . The logical basis is simple type theory, which was distilled (Ramsey, Chwistek, Church) from PM’s original logic.
   . Everything, even arithmetic on numbers, is done from first principles by reduction to the primitive logical basis.

This is really cool, and I'd like to understand it. It must be discussed in reference.pdf. I never got the point of Principia, but I'd like to, and Greenberg's book has a great quote from Russell:

MG> The value of Euclid's work as a masterpiece of logic has been
MG> very grossly exaggerated.

   Three notable recent formal proofs in pure mathematics:
   . Prime Number Theorem — Jeremy Avigad et al (Isabelle/HOL), John Harrison (HOL Light)

Cool! Jeremy was posting on the Isabelle group about his 69 page paper giving a rigorization of Euclid quite different from Hilbert & Tarski: not fixing the axioms, but formalizing Euclid's diagrams.

   Some successes for verification using theorem proving technology:
   • Microcode algorithms for floating-point division, square root and several transcendental functions on Intel® Itanium® processor family (John Harrison, HOL Light)

I'd like to know more about your success here. You must have written papers about this for Intel folks. Probably most of what you do is too technical for me to follow, but I'd really like to understand the connection between theorems, floating point algorithms, and HOL Light.

   After a full four years of deliberation, [Hales's] reviewers returned: “The news from the referees is bad, from my perspective. They have not been able to certify the correctness of the proof, and will not be able to certify it in the future, because they have run out of energy to devote to the problem. This is not what I had hoped for.

Hah! Tom put a much better spin in his Notices article about the Annals referees.

   Hales’s proof was eventually published, and no significant error has been found in it. Nevertheless, the verdict is disappointingly lacking in clarity and finality.

I've got a better spin: that's why Tom is working so hard on proof assistants to formalize his proof. If Tom had gotten full credit for solving the Kepler conjecture, he'd be resting on his laurels!

   Indeed, I see formal methods as fundamental to the long-term growth of mathematics. (Hales, The Kepler Conjecture)

Uh, maybe I was wrong. But still, the credit Tom didn't get is a powerful goad to keep him working on formal methods. Anyway, that was modest of you to not point out that you (and Nipkow the Isabelle author!) are a coauthor of Tom's:

   Hales, Thomas C.; Harrison, John; McLaughlin, Sean; Nipkow, Tobias; Obua, Steven; Zumkeller, Roland
   A revision of the proof of the Kepler conjecture.
   Discrete Comput. Geom. 44 (2010), no. 1, 1–34.

--
Best,
Bill

Re: [Hol-info] miz3 comments, statement labels, and case ... by '
From: Freek Wiedijk - 2012-05-09 09:28

Hi Bill,

First a reply to your other mail:

>I can't understand what's wrong with this proof below. This is the
>only thm I wrote where the conclusion is there-exists statement, and
>I'm guessing that's the problem.

Nah, there's nothing special about that.

>The to-me incomprehensible Mizar_error:
>
> (;
> ! a o b . (~(o = a) ==> (? x y . (Between (b,o,x) /\ Between (a,o,y) /\ (x,y,o cong a,b,o))))
> :: #8
> :: 8: syntax or type error hol

It says "syntax or type error hol", so it's a HOL syntax or type error :-) If you copy-paste the statement into the HOL session, you indeed get:

  # ! a o b . (~(o = a) ==> (? x y . (Between (b,o,x) /\ Between (a,o,y) /\ (x,y,o cong a,b,o))));;
  Exception: Noparse.

This error has nothing to do with miz3, but with the fact that in HOL Light you aren't allowed to use the variable name "o". The constant "o" already is an infix operator. You write "f o g" for the composition of functions:

  # o;;
  Warning: inventing type variables
  val it : term = (o)
  # type_of it;;
  val it : hol_type = :(?88022->?88024)->(?88023->?88022)->?88023->?88024

Therefore, already "o = a" is a HOL syntax error:

  # o = a;;
  Exception: Noparse.

And then this mail:

>I'd like a Mizar feature which reduces duplication. In miz3 we write
>
> ? x . Between (b,x,b) /\ Between (a,x,a) by -, H1, A7;
> consider x such that
> Between (b,x,b) /\ Between (a,x,a) [X1];
>
>But in Mizar we can also write more simply
>
> consider x such that
> Between (b,x,b) /\ Between (a,x,a) by -, H1, A7 [X1];

And in miz3 you should write it just like that! Why do you think you have to use the more convoluted route? The "by" justification for the ?... statement and the one for the consider have to justify exactly the same statements. I don't understand this point.

>********************************
>If a statement has a label, the label must precede by ...' I don't
>know where this is explained, and it seems to be contradicted on p 17:
>
> The labels are behind the statements in brackets, instead of in front
> with a colon.

The statement _to me_ is the HOL formula, not the whole "proof step". I don't see why this quote from me is wrong. The label _is_ right behind the "statement"!

>I'd prefer statement labels at the beginning of a line, as in Mizar.
>That seems more readable, and in the tradition of 2-column proofs.

The reason I replaced the "then" with the "by -", and put the labels behind the statements (ahem), is because I wanted to have the part of the proof step that belongs to the "Formal Proof Sketch" of the thing (see ), to be all in front of the part that doesn't belong there. Labels and references (which "then" implicitly is) don't belong in a Formal Proof Sketch, so should be at the end.

(By the way, please don't refer to Formal Proof Sketches as "proof sketches". I feel strongly that they should be called _formal_ proof sketches. They have a notion of correctness that's _formal,_ even if it's undecidable.)

Also, I thought at some point that it was a bit easier to shallowly parse proof steps with the bracketed label syntax. However, that's probably not true.

miz3 is quite close to John's original Mizar mode - apart from the "tactics in justifications" and "automatically growing the proof" parts - and John _did_ have the thens and the labels in Mizar style.

Still, I certainly won't change the syntax. And I even less would like to allow both label styles simultaneously.

Furthermore, I don't know what "2-column proofs" are, sorry. Is there a separate column for the labels?

>but it makes the there-exists/consider even more cluttered:
>
> ? x . Between (a,c,x) /\ c,x === c,d by A4;
> consider x such that
> Between (a,c,x) /\ c,x === c,d [X1] by -;

Again, _if_ you write it like this the "by -" seems to belong in it? But, again, there is no reason at all to write it like this.

>I think the miz3 error message are not nearly as good as the Mizar
>error message, which are often baffling, but obey one principle: on
>the first offending line, there is an error message, and it's indented
>to mark the offending expression. I don't have a good example yet.

I try to obey the same principle. However, error recovery probably is less developed than in the real Mizar system. Also, with HOL syntax errors, I don't get good information for positioning the error message.

(I think that the miz3 error messages should be seen as firmly in the HOL Light error message tradition :-))

>Freek's cases' discussion does not point out that in
>sufficiently trivial cases, no by' is needed.

A "by" without labels is always implicit. So if the automated prover can prove something without references, then yes, indeed no "by" is needed. But this is not specific to "cases".

If you do the same thing with the "cases" as you did with the "consider", your proof would look like:

  b = c \/ ~(b = c);
    :: this is provable without references,
    :: hence no "by" is needed
  cases by -;
  suppose b = c [P1];
  ...
  suppose ~(b = c) [Q1];
  ...

But, just like with the "consider", miz3 synthesizes the proof obligation for you, and having a separate statement in front of it is not needed at all.

Freek

Re: [Hol-info] miz3 comments, statement labels, and case ... by '
From: Bill Richter - 2012-05-10 03:22

Thanks a lot Freek! I'll go fix my o's. I'm completely satisfied with your explanation of miz3 error messages. I sure thought this didn't work in miz3, but maybe I goofed, and I'll go check:

>But in Mizar we can also write more simply
>
> consider x such that
> Between (b,x,b) /\ Between (a,x,a) by -, H1, A7 [X1];

2-column proofs are what kids do in a US high school Geometry class, so the statements are numbered in the left margin 1, 2, 3, ... and in the right hand column you give reasons that are often earlier numbers. It would be nice to be able to use that convention in miz3. BUT:

I think you can't change the position of labels, and I withdraw my request. Your 1201.3601v2.pdf precisely explains the miz3 grammar (Fig 1 on p 16), and in particular

   ::= | ...

That looks great, and I can't ask you to change that. I have three other problems with 1201.3601v2.pdf.

1) Minor cases problem: The cases fork in says cases ; .... and is defined to always begin with by'. As we agree, this isn't always true.

2) You write * twice in your grammar, which I think means any non-negative number of proof steps. But I think you need at least one proof step, so that you should have written +, as you do in the now' fork of . Maybe I'm wrong about * & + (that's the Emacs regexp convention), and maybe I'm wrong about miz3.

3) More substantively, on p 14 you write

   We now present the meaning of the miz3 language.

I'd like to see that explained much better. The problem is that there isn't, I think, any good explanation of the meaning of Mizar. You continue:

   It is almost exactly the same as that of the Mizar language [20].

That's a 93 page article I've gleaned lots of important bits from, but I did not see the meaning of Mizar. Maybe I missed it.

   At every step in a proof there is a designated statement called the
   thesis. This is the statement that is being proved (the goal of a
   procedural prover). Subproofs have their own local thesis. Now steps
   can add extra variables and statements to the proof context, but can
   also change the thesis. If that happens the step is called a
   skeleton step.

I didn't know any of this. Thanks for explaining.

   Here is a table that summarizes the main miz3 proof steps:

I didn't get much out of the table, but I've certainly seen similar Mizar tables.

   This then is the basic miz3 proof language.

Well, I'd like to see more. Now that I pretty much understand the grammar and your thesis discussion, I can take a hack at it myself.

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-05-10 08:03

John, using your new axiom framework, with help from Freek, I ported my Tarski geometry Mizar code up to Gupta's theorem (code below). Thanks again for your three frameworks! Can you look at the top of my code? I could not see how to define the predicates

  ORDERED a,b,c,d
  x on_line a,b

I failed to modify your parse_as_infix' defs of === and cong.

BTW Bob Bruner, the mathematician at Wayne State in my subject homotopy theory who got me interested in HOL Light, wrote this:

   I just read Harrison's talk and the first thing that comes to my
   mind is to get started on algebraic topology in a systematic way.
   Let's forget proving just the big theorems and build the whole
   thing. I wish I had the time to say I am volunteering, but I cannot
   right now. Of course, I guess you first need to build some algebra
   and either topological spaces or simplicial sets.

--
Best,
Bill

(* ================================================================= *)
(* HOL Light Tarski geometry axiomatic proofs up to Gupta's theorem. *)
(* ================================================================= *)

(* Proof assistants like HOL Light can be used to help teach rigorous
   axiomatic geometry in high school using Hilbert's axioms, and
   introduce students to the world of formal proofs, which should
   become a hot area in debugging computer software.

   This is a port, mostly due to John Harrison, of Mizar code, which
   was heavily influenced by Julien Narboux's Coq pseudo-code
   http://dpt-info.u-strasbg.fr/~narboux/tarski.html
   and Wojciech A. Trybulec's incsp_1.miz in the MML library on axioms
   of incidence geometry.

   We partially prove the theorem of the 1983 book Metamathematische
   Methoden in der Geometrie by Schwabhäuser, Szmielew, and Tarski,
   that Tarski's (extremely weak!) plane geometry axioms imply
   Hilbert's axioms. We get about as far as Narboux, with Gupta's
   amazing proof which implies Hilbert's axiom I1 that two points
   determine a line.

   Thanks to Mizar folks who wrote an influential language I was able
   to learn, Freek Wiedijk, who wrote the miz3 port of Mizar to HOL
   Light, and especially John Harrison, who came up with the entire
   framework of porting my axiomatic proofs to HOL Light. *)

new_type("point",0);;
parse_as_infix("===",(12, "right"));;
parse_as_infix("cong",(12, "right"));;
(* parse_as_infix("is_ordered",(12, "right"));; *)
new_constant("===",`:point#point->point#point->bool`);;
new_constant("Between",`:point#point#point->bool`);;

let cong_DEF = new_definition
 `a,b,c cong x,y,z <=>
   a,b === x,y /\ a,c === x,z /\ b,c === y,z`;;

let is_ordered_DEF = new_definition
 `is_ordered (a,b,c,d) <=>
   Between (a,b,c) /\ Between (a,b,d) /\ Between (a,c,d) /\ Between (b,c,d)`;;

(* I want to define is_ordered as a postfix operator, but didn't know how to
   do it. So I tried to make it a prefix, but this didn't work:

parse_as_prefix("ORDERED");;

let ORDERED_DEF = new_definition
 `ORDERED a,b,c,d <=>
   Between (a,b,c) /\ Between (a,b,d) /\ Between (a,c,d) /\ Between (b,c,d)`;;
*)

let Collinear_DEF = new_definition
 `Collinear(a,b,c) <=>
   Between (a,b,c) \/ Between (b,c,a) \/ Between (c,a,b)`;;

(* this doesn't work either

parse_as_infix("on_line",(12, "right"));;

let Line_DEF = new_definition
 `x on_line a,b <=>
   ~(a = b) ∧ (Between (a,b,x) \/ Between (b,x,a) \/ Between (x,a,b))`;;
*)

(* ------------------------------------------------------------------------- *)
(* The axioms.                                                               *)
(* ------------------------------------------------------------------------- *)

let A1 = new_axiom
 `!a b. a,b === b,a`;;

let A2 = new_axiom
 `!a b p q r s. a,b === p,q /\ a,b === r,s ==> p,q === r,s`;;

let A3 = new_axiom
 `!a b c. a,b === c,c ==> a = b`;;

let A4 = new_axiom
 `!a q b c. ?x. Between(q,a,x) /\ a,x === b,c`;;

let A5 = new_axiom
 `!a b c x a' b' c' x'.
   ~(a = b) /\ a,b,c cong a',b',c' /\
   Between(a,b,x) /\ Between(a',b',x') /\ b,x === b',x'
   ==> c,x === c',x'`;;

let A6 = new_axiom
 `!a b. Between(a,b,a) ==> a = b`;;

let A7 = new_axiom
 `!a b p q z.
   Between(a,p,z) /\ Between(b,q,z)
   ==> ?x. Between(p,x,b) /\ Between(q,x,a)`;;

(* A4 is the Segment Construction axiom, A5 is the SAS axiom and A7 is
   the Inner Pasch axiom. There are 4 more axioms we're not using yet:
   there exist 3 non-collinear points;
   3 points equidistant from 2 distinct points are collinear;
   Euclid's parallel postulate;
   a first order version of Hilbert's Dedekind Cuts axiom.

   We shall say we apply SAS to a+cbx and a'+c'b'x'.
   Normally one applies SAS by showing cb = c'b' bx = b'x' (which we
   assume) and angle cbx cong angle c'b'x'. One might prove the angle
   congruence by showing that the triangles abc /\ a'b'c' were
   congruent by SSS (which we also assume) and then apply the theorem
   that complements of congruent angles are congruent. Hence Tarski's
   axiom. *)

(* ------------------------------------------------------------------------- *)
(* Now Mizarlight versions of the actual proofs.                             *)
(* ------------------------------------------------------------------------- *)

#load "unix.cma";;
loadt "miz3/miz3.ml";;
horizon := 0;;

let EquivReflexive = thm `;
  !a b. a,b === a,b
  proof
    let a b be point;
    b,a === a,b by A1;
  qed by -, A2`;;

let EquivSymmetric = thm `;
  !a b c d. a,b === c,d ==> c,d === a,b
  proof
    let a b c d be point;
    assume a,b === c,d [1];
    a,b === a,b by EquivReflexive;
  qed by -, 1, A2`;;

let EquivTransitive = thm `;
  !a b p q r s . a,b === p,q /\ p,q === r,s ==> a,b === r,s
  proof
    let a b p q r s be point;
    assume a,b === p,q [H1];
    assume p,q === r,s [H2];
    p,q === a,b by H1, EquivSymmetric;
  qed by -, H2, A2`;;

let Baaa_THM = thm `;
  !a b. Between (a,a,a) /\ a,a === b,b
  proof
    let a b be point;
    consider x such that Between (a,a,x) /\ a,x === b,b [X1] by A4;
    a = x by -, A3;
  qed by -, X1`;;

let Bqaa_THM = thm `;
  !a q. Between(q,a,a)
  proof
    let a q be point;
    consider x such that Between(q,a,x) /\ a,x === a,a [X1] by A4;
    a = x by -, A3;
  qed by -, X1`;;

let C1_THM = thm `;
  let a b x y be point;
  assume ~(a = b) [H1];
  assume Between (a,b,x) [H2];
  assume Between (a,b,y) [H3];
  assume b,x === b,y [H4];
  thus y = x
  proof
    a,b === a,b /\ a,y === a,y /\ b,y === b,y by EquivReflexive;
    a,b,y cong a,b,y by -, cong_DEF;
    y,x === y,y by -, H1, H2, H3, H4, A5;
  qed by -, A3`;;

let Bsymmetry_THM = thm `;
  let a p z be point;
  thus Between (a,p,z) ==> Between (z,p,a)
  proof
    assume Between (a,p,z) [H1];
    Between (p,z,z) by Bqaa_THM;
    consider x such that Between (p,x,p) /\ Between (z,x,a) [X1] by -, H1, A7;
    x = p by -, A6;
  qed by -, X1`;;

let Baaq_THM = thm `;
  let a q be point;
  thus Between (a,a,q)
  proof
    Between (q,a,a) by Bqaa_THM;
  qed by -, Bsymmetry_THM`;;

let BEquality_THM = thm `;
  let a b c be point;
  thus Between (a,b,c) /\ Between (b,a,c) ==> a = b
  proof
    assume Between (a,b,c) [H1];
    assume Between (b,a,c);
    ? x . Between (b,x,b) /\ Between (a,x,a) by -, H1, A7;
    consider x such that Between (b,x,b) /\ Between (a,x,a) [X1] by -;
    b = x by X1, A6;
    Between (a,b,a) by -, X1;
  qed by -, A6`;;

let B124and234then123_THM = thm `;
  let a b c d be point;
  assume Between (a,b,d) [H1];
  assume Between (b,c,d) [H2];
  thus Between (a,b,c)
  proof
    ? x . Between (b,x,b) /\ Between (c,x,a) by H1, H2, A7;
    consider x such that Between (b,x,b) /\ Between (c,x,a) [X1] by -;
    b = x by X1, A6;
    Between (c,b,a) by -, X1;
  qed by -, Bsymmetry_THM`;;

let BTransitivity_THM = thm `;
  let a b c d be point;
  assume ~(b = c) [H1];
  assume Between (a,b,c) [H2];
  assume Between (b,c,d) [H3];
  thus Between (a,c,d)
  proof
    consider x such that Between (a,c,x) /\ c,x === c,d [X1] by A4;
    Between (x,c,a) [X2] by -, Bsymmetry_THM;
    Between (c,b,a) by H2, Bsymmetry_THM;
    Between (x,c,b) by -, X2, B124and234then123_THM;
    Between (b,c,x) by -, Bsymmetry_THM;
    x = d by -, H1, H3, X1, C1_THM;
  qed by -, X1`;;

let BTransitivityOrdered_THM = thm `;
  let a b c d be point;
  assume ~(b = c) [H1];
  assume Between (a,b,c) [H2];
  assume Between (b,c,d) [H3];
  thus is_ordered (a,b,c,d)
  proof
    Between (a,c,d) [X1] by H1, H2, H3, BTransitivity_THM;
    Between (d,c,b) [X2] by H3, Bsymmetry_THM;
    Between (c,b,a) by -, H2, Bsymmetry_THM;
    Between (d,b,a) by -, H1, X2, BTransitivity_THM;
    Between (a,b,d) by -, Bsymmetry_THM;
  qed by H2, -, X1, H3, is_ordered_DEF`;;

(*
let BTransitivityOrdered_THM = thm `;
  ! a b c d . ~(b = c) /\ Between (a,b,c) /\ Between (b,c,d) ==> ORDERED a,b,c,d
  proof
    let a b c d be point;
    assume ~(b = c) [H1];
    assume Between (a,b,c) [H2];
    assume Between (b,c,d) [H3];
    Between (a,c,d) [X1] by H1, H2, H3, BTransitivity_THM;
    Between (d,c,b) [X2] by H3, Bsymmetry_THM;
    Between (c,b,a) by -, H2, Bsymmetry_THM;
    Between (d,b,a) by -, H1, X2, BTransitivity_THM;
    Between (a,b,d) by -, Bsymmetry_THM;
    thus ORDERED a,b,c,d by H2, -, X1, H3, ORDERED_DEF;
  end`;;
*)

let B124and234Ordered_THM = thm `;
  let a b c d be point;
  assume Between (a,b,d) [H1];
  assume Between (b,c,d) [H2];
  thus is_ordered (a,b,c,d)
  proof
    cases;
    suppose b = c [P1];
      Between (a,b,c) [P2] by -, Bqaa_THM;
      Between (a,c,d) by P1, H1;
    qed by P2, H1, -, H2, is_ordered_DEF;
    suppose ~(b = c) [Q1];
      Between (a,b,c) by H1, H2, B124and234then123_THM;
    qed by -, Q1, H2, BTransitivityOrdered_THM;
  end`;;

let SegmentAddition_THM = thm `;
  let a b c a' b' c' be point;
  assume Between (a,b,c) [H1];
  assume Between (a',b',c') [H2];
  assume a,b === a',b' [H3];
  assume b,c === b',c' [H4];
  thus a,c === a',c'
  proof
    cases;
    suppose a = b [Y1];
      a,a === a',b' by H3, Y1;
      a',b' === a,a by -, EquivSymmetric;
      a' = b' by -, A3;
    qed by -, H4, Y1;
    suppose ~(a = b) [Z1];
      b,a === a,b by A1;
      b,a === a',b' [Z2] by -, H3, EquivTransitive;
      a',b' === b',a' by A1;
      b,a === b',a' [Z3] by -, Z2, EquivTransitive;
      a,a === a',a' by Baaa_THM;
      a,b,a cong a',b',a' by -, H3, Z3, cong_DEF;
    qed by -, Z1, H1, H2, H4, A5;
  end`;;

let CongruenceDoubleSymmetry_THM = thm `;
  let a b c d be point;
  assume a,b === c,d [H1];
  thus b,a === d,c
  proof
    b,a === a,b /\ c,d === d,c [X1] by H1, A1;
    a,b === d,c by H1, X1, EquivTransitive;
  qed by -, X1, EquivTransitive`;;

let C1prime_THM = thm `;
  let a b x y be point;
  assume ~(a = b) [H1];
  assume Between (a,b,x) [H2];
  assume Between (a,b,y) [H3];
  assume a,x === a,y [H4];
  thus x = y
  proof
    consider m such that Between (b,a,m) /\ a,m === a,b [X1] by A4;
    Between (m,a,b) [X2] by X1, Bsymmetry_THM;
    ~(m = a) [X3] by X1, EquivSymmetric, A3, H1;
    is_ordered (m,a,b,x) by H1, X2, H2, BTransitivityOrdered_THM;
    Between (m,a,x) [X4] by -, is_ordered_DEF;
    is_ordered (m,a,b,y) by H1, X2, H3, BTransitivityOrdered_THM;
    Between (m,a,y) by -, is_ordered_DEF;
  qed by -, X3, X4, H4, C1_THM`;;

let SegmentSubtraction_THM = thm `;
  let a b c a' b' c' be point;
  assume Between (a,b,c) [H1];
  assume Between (a',b',c') [H2];
  assume a,b === a',b' [H3];
  assume a,c === a',c' [H4];
  thus b,c === b',c'
  proof
    cases;
    suppose a = b [Y1];
      a,a === a',b' by -, H3;
      a',b' === a,a by -, EquivSymmetric;
      a' = b' by -, A3;
    qed by -, H4, Y1;
    suppose ~(a = b) [Z1];
      consider x such that Between (a,b,x) /\ b,x === b',c' [Z2] by A4;
      a,x === a',c' [Z3] by Z2, H2, H3, SegmentAddition_THM;
      a',c' === a,c by H4, EquivSymmetric;
      a,x === a,c by -, Z3, EquivTransitive;
      x = c by -, Z1, Z2, H1, C1prime_THM;
    qed by -, Z2;
  end`;;

let EasyAngleTransport_THM = thm `;
  let a O b be point;
  assume ~(O = a) [H1];
  thus ? x y . Between (b,O,x) /\ Between (a,O,y) /\ x,y,O cong a,b,O
  proof
    consider x such that Between (b,O,x) /\ O,x === O,a [X2] by A4;
    x,O === a,O [X3] by -, CongruenceDoubleSymmetry_THM;
    a,O === x,O [X4] by -, EquivSymmetric;
    a,x === x,a by A1;
    a,O,x cong x,O,a [X5] by X4, -, X2, cong_DEF;
    consider y such that Between (a,O,y) /\ O,y === O,b [X6] by A4;
    Between (x,O,b) by X2 ,Bsymmetry_THM;
    x,y === a,b [X7] by H1, X5, X6, -, A5;
    y,O === b,O by X6, CongruenceDoubleSymmetry_THM;
    x,y,O cong a,b,O by X7, X3, -, cong_DEF;
  qed by X2, X6, -`;;

let B123and134Ordered_THM = thm `;
  let a b c d be point;
  assume Between (a,b,c) [H1];
  assume Between (a,c,d) [H2];
  thus is_ordered (a,b,c,d)
  proof
    Between (d,c,a) /\ Between (c,b,a) by H2, H1, Bsymmetry_THM;
    is_ordered (d,c,b,a) by -, B124and234Ordered_THM;
    Between (d,b,a) /\ Between (d,c,b) by -, is_ordered_DEF;
    Between (a,b,d) /\ Between (b,c,d) by -, Bsymmetry_THM;
    thus is_ordered (a,b,c,d) by -, H1, H2, is_ordered_DEF;
  end`;;

let BextendToLine_THM = thm `;
  let a b c d be point;
  assume ~(a = b) [H1];
  assume Between (a,b,c) [H2];
  assume Between (a,b,d) [H3];
  thus ? x . is_ordered (a,b,c,x) /\ is_ordered (a,b,d,x)
  proof
    consider u such that Between (a,c,u) /\ c,u === b,d [X1] by A4;
    is_ordered (a,b,c,u) [X2] by H2, X1, B123and134Ordered_THM;
    Between (b,c,u) by X2, is_ordered_DEF;
    Between (u,c,b) [X3] by -, Bsymmetry_THM;
    u,c === c,u by A1;
    u,c === b,d [X4] by -, X1, EquivTransitive;
    Between (a,b,u) [X5] by X2, is_ordered_DEF;
    consider x such that Between (a,d,x) /\ d,x === b,c [Y1] by A4;
    is_ordered (a,b,d,x) [Y2] by H3, Y1, B123and134Ordered_THM;
    Between (b,d,x) [Y3] by -, is_ordered_DEF;
    b,c === d,x [Y4] by Y1, EquivSymmetric;
    c,b === b,c by A1;
    c,b === d,x [Y5] by -, Y4, EquivTransitive;
    Between (a,b,x) [Y6] by Y2, is_ordered_DEF;
    u,b === b,x [X6] by X3, Y3, X4, Y5, SegmentAddition_THM;
    b,u === u,b by A1;
    b,u === b,x by -, X6, EquivTransitive;
    u = x by -, H1, X5, Y6, C1_THM;
  qed by -, X2, Y2`;;

let GuptaEasy_THM = thm `;
  let a b c d be point;
  assume ~(a = b) [H1];
  assume Between (a,b,c) [H2];
  assume Between (a,b,d) [H3];
  assume ~(b = c) [H4];
  assume ~(b = d) [H5];
  thus ~ Between (c,b,d)
  proof
    ~ Between (c,b,d) \/ Between (c,b,d) [1];
    cases by 1;
    suppose ~ Between (c,b,d);
    qed by -;
    suppose Between (c,b,d) [H6];
      ? x . is_ordered (a,b,c,x) /\ is_ordered (a,b,d,x) by H1, H2, H3, BextendToLine_THM;
      consider x such that is_ordered (a,b,c,x) /\ is_ordered (a,b,d,x) [X1] by -;
      Between (b,d,x) by X1, is_ordered_DEF;
      is_ordered (c,b,d,x) by -, H5, H6, BTransitivityOrdered_THM;
      Between (b,c,x) /\ Between (c,b,x) by -, X1, is_ordered_DEF;
      b = c [X2] by -, BEquality_THM;
      F by -, H4, X2;
    qed by -;
  end`;;

(* The next result is like SAS: there are 5 pairs of segments 4 equivalent.
   We say we apply Inner5Segments to abc-x and a'b'c'-x' *)

let Inner5Segments_THM = thm `;
  let a b c x a' b' c' x' be point;
  assume a,b,c cong a',b',c' [H1];
  assume Between (a,x,c) [H2];
  assume Between (a',x',c') [H3];
  assume c,x === c',x' [H4];
  thus b,x === b',x'
  proof
    a,b === a',b' /\ a,c === a',c' /\ b,c === b',c' [X1] by H1, cong_DEF;
    cases;
    suppose x = c [Case1];
      c',x' === c,c by H4, Case1, EquivSymmetric;
      x' = c' by -, A3;
    qed by -, Case1, X1;
    suppose ~(x = c) [Case2];
      ~(a = c) [X2] by H2, A6, Case2;
      consider y such that Between (a,c,y) /\ c,y === a,c [X3] by A4;
      consider y' such that Between (a',c',y') /\ c',y' === a,c [X4] by A4;
      a,c === c',y' by X4, EquivSymmetric;
      c,y === c',y' [X5] by -, X3, EquivTransitive;
      c,b === c',b' [X6] by X1, CongruenceDoubleSymmetry_THM;
      a,c,b cong a',c',b' by cong_DEF, X1, X6;
      b,y === b',y' [X7] by -, X2, X3, X4, X5, A5;
      ~(y = c) [X8] by X3, EquivSymmetric, A3, X2;
      Between (y,c,a) /\ Between (c,x,a) by X3, H2, Bsymmetry_THM;
      Between (y,c,x) [X9] by -, B124and234then123_THM;
      Between (y',c',a') /\ Between (c',x',a') by -, X4, H3, Bsymmetry_THM;
      Between (y',c',x') [X10] by -, B124and234then123_THM;
      y,c === y',c' /\ y,b === y',b' by X5, X7, CongruenceDoubleSymmetry_THM;
      y,c,b cong y',c',b' by -, cong_DEF, X6;
    qed by -, X8, X9, X10, H4, A5;
  end`;;

let RhombusDiagBisect_THM = thm `;
  let b c d c' d' be point;
  assume Between (b,c,d') [H1];
  assume Between (b,d,c') [H2];
  assume c,d' === c,d [H3];
  assume d,c' === c,d [H4];
  assume d',c' === c,d [H5];
  thus ? e . Between (c,e,c') /\ Between (d,e,d') /\ c,e === c',e /\ d,e === d',e
  proof
    Between (d',c,b) /\ Between (c',d,b) [X1] by H1, H2, Bsymmetry_THM;
    consider e such that Between (c,e,c') /\ Between (d,e,d') [X2] by X1, A7;
    c,d === c,d' [X3] by H3, EquivSymmetric;
    c,c' === c,c' [X4] by EquivReflexive;
    c,d === d',c' by H5, EquivSymmetric;
    d,c' === d',c' by -, H4, EquivTransitive;
    c,d,c' cong c,d',c' by -, X3, X4, cong_DEF;
    d,e === d',e [X5] by -, X2, EquivReflexive, Inner5Segments_THM;
    d,c === c,d [X6] by A1;
    c,d === d,c' by H4, EquivSymmetric;
    d,c === d,c' [X7] by -, X6, EquivTransitive;
    d,d' === d,d' [X8] by EquivReflexive;
    c,d === d',c' [X9] by H5, EquivSymmetric;
    d',c' === c',d' by A1;
    c,d === c',d' by -, X9, EquivTransitive;
    c,d' === c',d' [X10] by -, H3, EquivTransitive;
    d,d' === d,d' by EquivReflexive;
    d,c,d' cong d,c',d' by -, X7, X8, X10, cong_DEF;
    c,e === c',e by -, X2, EquivReflexive, Inner5Segments_THM;
  qed by -, X2, X5`;;

(* In proof below, Apply SAS to p+crq /\ d'+ced *)

let FlatNormal_THM = thm `;
  let a b c d d' e be point;
  assume Between (b,c,d') [H1];
  assume Between (d,e,d') [H2];
  assume c,d' === c,d [H3];
  assume d,e === d',e [H4];
  assume ~(c = d) [H5];
  assume ~(e = d) [H6];
  thus ? p r q . Between (p,r,q) /\ Between (r,c,d') /\ Between (e,c,p) /\ r,c,p cong r,c,q /\ r,c === e,c /\ p,r === d,e
  proof
    ~(c = d') by H5, H3, EquivSymmetric, A3;
    consider p r such that Between (e,c,p) /\ Between (d',c,r) /\ p,r,c cong d',e,c [X1] by -, EasyAngleTransport_THM;
    p,r === d',e /\ p,c === d',c /\ r,c === e,c [X2] by -, X1, cong_DEF;
    d',e === d,e by H4, EquivSymmetric;
    p,r === d,e [X3] by -, X2, EquivTransitive;
    ~(p = r) [X4] by -, EquivSymmetric, H6, A3;
    consider q such that Between (p,r,q) /\ r,q === e,d [X5] by A4;
    Between (d',e,d) [X6] by H2, Bsymmetry_THM;
    c,p === c,d' by -, X2, CongruenceDoubleSymmetry_THM;
    c,p === c,d [X7] by -, H3, EquivTransitive;
    c,q=== c,d by X4, X1, X5, X6, A5;
    c,d=== c,q by -, EquivSymmetric;
    c,p=== c,q [X8] by -, X7, EquivTransitive;
    r,c=== r,c [X9] by EquivReflexive;
    r,p=== e,d [X10] by X3, CongruenceDoubleSymmetry_THM;
    e,d=== r,q by X5, EquivSymmetric;
    r,p=== r,q by -, X10, EquivTransitive;
    r,c,p cong r,c,q [X11] by -, X9, X8, cong_DEF;
    Between (r,c,d') [X12] by X1, Bsymmetry_THM;
  qed by -, X5, X11, X12, X2, X1, X3`;;

(* a /\ b are equidistant from p /\ q. Apply SAS to a+pbc /\ a+qbc. *)

let EqDist2PointsBetween_THM = thm `;
  let a b c p q be point;
  assume ~(a = b) [H1];
  assume Between (a,b,c) [H2];
  assume a,p === a,q /\ b,p === b,q [H3];
  thus c,p === c,q
  proof
    a,b === a,b /\ b,c === b,c [X1] by EquivReflexive;
    a,b,p cong a,b,q by -, H3, cong_DEF;
    p,c === q,c by H1, -, H2, X1, A5;
  qed by -, CongruenceDoubleSymmetry_THM`;;

(* a and c are equidistant from p and q. Apply Inner5Segments to
   apb-x /\ aqb-x. *)

let EqDist2PointsInnerBetween_THM = thm `;
  let a x c p q be point;
  assume Between (a,x,c) [H1];
  assume a,p === a,q /\ c,p === c,q [H2];
  thus x,p === x,q
  proof
    a,c === a,c /\ c,x === c,x [X1] by EquivReflexive;
    p,c === q,c by H2, CongruenceDoubleSymmetry_THM;
    a,p,c cong a,q,c by -, H2, X1, cong_DEF;
    p,x === q,x by -, H1, X1, Inner5Segments_THM;
    thus x,p === x,q by -, CongruenceDoubleSymmetry_THM;
  end`;;

(* In the proof below (after X8), we prove a stronger result than
   BextendToLine_THM with much the same proof. We find u /\ b' with
   essentially a,b,c,d',u and a b,d,c',b' ordered 5-tuples with
   d'u === db /\ cb' === bc. *)
(* Show (after Y13) c'd' === cd by applying SAS to b+c'cd /\ b'+cc'd. *)
(* (before Z4) c,d',c',d is a flat'' rhombus. The diagonals bisect each other: *)
(* (after W2) r and c are equidistant from p and q, r <> c, Between r,c,d', thus also d' *)
(* (after W3) c and d' are equidistant from p and q, c <> d', Between c,d',b', thus also b'. *)
(* (after W4) d' and c are equidistant from p and q, d' <> c, Between d',c,b, thus also b. *)
(* (after W5) b and b' are equidistant from p and q, Between b,c',b, thus also c'. *)
(* (after W7) c' and c are equidistant from p and q, c' <> c, Between c',c,p, thus also p. *)
(* (after p,p === p,q) Now we deduce a contradiction from p = q. *)

let Gupta_THM = thm `;
  let a b c d be point;
  assume ~(a = b) [H1];
  assume Between (a,b,c) [H2];
  assume Between (a,b,d) [H3];
  thus Between (b,d,c) \/ Between (b,c,d)
  proof
    (b = c \/ b = d \/ c = d) \/ (~(b = c) /\ ~(b = d) /\ ~(c = d)) [1];
    cases by 1;
    suppose b = c \/ b = d \/ c = d;
      Between (b,d,c) \/ Between (b,c,d) by -, Baaq_THM, Bqaa_THM;
    qed by -;
    suppose ~(b = c) /\ ~(b = d) /\ ~(c = d) [H4];
      assume ~ (Between (b,d,c)) [H5];
      consider d' such that Between (a,c,d') /\ c,d' === c,d [X1] by A4;
      consider c' such that Between (a,d,c') /\ d,c' === c,d [X2] by A4;
      is_ordered (a,b,c,d') by H2, X1, B123and134Ordered_THM;
      Between (a,b,d') /\ Between (b,c,d') [X3] by -, is_ordered_DEF;
      is_ordered (a,b,d,c') by H3, X2, B123and134Ordered_THM;
      Between (a,b,c') /\ Between (b,d,c') [X4] by -, is_ordered_DEF;
      ~(c = d') [X5] by X1, H4, A3, EquivSymmetric;
      ~(d = c') [X6] by X2, H4, A3, EquivSymmetric;
      ~(b = d') [X7] by X3, H4, A6;
      ~(b = c') [X8] by X4, H4, A6;
      consider u such that Between (c,d',u) /\ d',u === b,d [Y1] by A4;
      is_ordered (b,c,d',u) by X5, X3, Y1, BTransitivityOrdered_THM;
      Between (b,c,u) /\ Between (b,d',u) [Y2] by -, is_ordered_DEF;
      consider b' such that Between (d,c',b') /\ c',b' === b,c [Y3] by A4;
      is_ordered (b,d,c',b') by X6, X4, Y3, BTransitivityOrdered_THM;
      Between (b,d,b') /\ Between (b,c',b') [Y4] by -, is_ordered_DEF;
      Between (c',d,b) [Y5] by X4, Bsymmetry_THM;
      d,c' === c',d /\ b,d === d,b [Y6] by A1;
      c,d === d,c' by X2, EquivSymmetric;
      c,d' === d,c' by -, X1, EquivTransitive;
      c,d' === c',d [Y7] by -, Y6, EquivTransitive;
      d',u === d,b by Y1, Y6, EquivTransitive;
      c,u === c',b [Y8] by -, Y1, Y5, Y7, SegmentAddition_THM;
      c',b' === b',c' /\ b',b === b,b' [Y9] by A1;
      b,c === c',b' by Y3, EquivSymmetric;
      b,c === b',c' [Y10] by -, Y9, EquivTransitive;
      Between (b',c',b) by Y4, Bsymmetry_THM;
      b,u === b',b by -, Y2, Y10, Y8, SegmentAddition_THM;
      b,u === b,b' [Y11] by -, Y9, EquivTransitive;
      is_ordered (a,b,d',u) [Y12] by X7, X3, Y2, BTransitivityOrdered_THM;
      is_ordered (a,b,c',b') by X8, X4, Y4, BTransitivityOrdered_THM;
      Between (a,b,u) /\ Between (a,b,b') by -, Y12, is_ordered_DEF;
      u = b' [Y13] by -, H1, Y11, C1_THM;
      c',b === c,b' by Y13, Y8, EquivSymmetric;
      b,c' === b',c [Z1] by -, CongruenceDoubleSymmetry_THM;
      c,c' === c',c by A1;
      b,c,c' cong b',c',c [Z2] by -, Y10, Z1, cong_DEF;
      Between (b',c',d) by Y3, Bsymmetry_THM;
      c',d' === c,d [Z3] by -, H4, Z2, X3, Y7, A5;
      d',c' === c',d' by A1;
      d',c' === c,d by -, Z3, EquivTransitive;
      consider e such that Between (c,e,c') /\ Between (d,e,d') /\ c,e === c',e /\ d,e === d',e [Z4] by -, X3, X4, X1, X2, RhombusDiagBisect_THM;
      ~(e = c) [U1]
      proof
        cases;
        suppose ~(e = c);
        qed by -;
        suppose e = c [U2];
          c' = e by U2, Z4, EquivSymmetric, A3;
          c' = c by -, U2;
          Between (b,d,c) [U3] by -, X4;
          F by -, U3, H5;
        qed by -;
      end;
      e = d [V1]
      proof
        cases;
        suppose e = d;
        qed by -;
        suppose ~(e = d) [V2];
          consider p r q such that Between (p,r,q) /\ Between (r,c,d') /\ Between (e,c,p) /\ r,c,p cong r,c,q /\ r,c === e,c /\ p,r === d,e [W1] by X3, Z4, X1, H4, V2, FlatNormal_THM;
          r,p === r,q /\ c,p === c,q [W2] by W1, cong_DEF;
          ~(c = r) by W1, U1, EquivSymmetric, A3;
          d',p === d',q [W3] by -, W1, W2, EqDist2PointsBetween_THM;
          Between (c,d',b') by Y1, Y13;
          b',p === b',q [W4] by -, X5, W2, W3, EqDist2PointsBetween_THM;
          Between (d',c,b) by X3, Bsymmetry_THM;
          b,p === b,q [W5] by -, X5, W3, W2, EqDist2PointsBetween_THM;
          c',p === c',q [W7]by Y4, W4, W5, EqDist2PointsInnerBetween_THM;
          Between (c',e,c) by Z4, Bsymmetry_THM;
          is_ordered (c',e,c,p) by -, U1, W1, BTransitivityOrdered_THM;
          Between (c',c,p) [W8] by -, is_ordered_DEF;
          ~(c' = c) by Z4, U1, A6;
          p,p === p,q by -, W8, W7, W2, EqDist2PointsBetween_THM;
          q = p by -, EquivSymmetric, A3;
          p = r by -, W1, A6;
          e = d [W9] by -, W1, EquivSymmetric, A3;
          F by -, W9, V2;
        qed by -;
      end;
      d' = e by V1, Z4, EquivSymmetric, A3;
      d' = d by -, V1;
      Between (b,c,d) by -, X3;
    qed by -;
  end`;;
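
Added example, not part of Bill's posted code or of HOL Light: because new_axiom accepts A1 to A7 without proof, the sketch below evaluates the posted axioms and a few of the posted theorem statements over a small finite sample of one concrete model, which catches a transcription slip in an axiom before proofs are built on it. The integer-line model, the sample ranges and all Python names are assumptions of this example.

```python
from itertools import product

# Assumed model: points are integers on a line. Constructed sample ranges.
POINTS = range(4)          # universally quantified variables range over 0..3
WITNESSES = range(-4, 8)   # existential witnesses may fall outside POINTS

def between(a, b, c):            # Between (a,b,c)
    return a <= b <= c or c <= b <= a

def eqv(a, b, c, d):             # a,b === c,d
    return abs(a - b) == abs(c - d)

def cong(a, b, c, x, y, z):      # cong_DEF
    return eqv(a, b, x, y) and eqv(a, c, x, z) and eqv(b, c, y, z)

def is_ordered(a, b, c, d):      # is_ordered_DEF
    return (between(a, b, c) and between(a, b, d)
            and between(a, c, d) and between(b, c, d))

def some(pred):                  # bounded search for an existential witness
    return any(pred(x) for x in WITNESSES)

# name -> (number of quantified points, statement as a Python predicate)
AXIOMS = {
    "A1": (2, lambda a, b: eqv(a, b, b, a)),
    "A2": (6, lambda a, b, p, q, r, s:
           not (eqv(a, b, p, q) and eqv(a, b, r, s)) or eqv(p, q, r, s)),
    "A3": (3, lambda a, b, c: not eqv(a, b, c, c) or a == b),
    "A4": (4, lambda a, q, b, c:
           some(lambda x: between(q, a, x) and eqv(a, x, b, c))),
    "A5": (8, lambda a, b, c, x, a1, b1, c1, x1:
           not (a != b and cong(a, b, c, a1, b1, c1) and between(a, b, x)
                and between(a1, b1, x1) and eqv(b, x, b1, x1))
           or eqv(c, x, c1, x1)),
    "A6": (2, lambda a, b: not between(a, b, a) or a == b),
    "A7": (5, lambda a, b, p, q, z:
           not (between(a, p, z) and between(b, q, z))
           or some(lambda x: between(p, x, b) and between(q, x, a))),
}

THEOREMS = {
    "Bsymmetry_THM": (3, lambda a, p, z:
                      not between(a, p, z) or between(z, p, a)),
    "BEquality_THM": (3, lambda a, b, c:
                      not (between(a, b, c) and between(b, a, c)) or a == b),
    "B123and134Ordered_THM": (4, lambda a, b, c, d:
                              not (between(a, b, c) and between(a, c, d))
                              or is_ordered(a, b, c, d)),
    "Gupta_THM": (4, lambda a, b, c, d:
                  not (a != b and between(a, b, c) and between(a, b, d))
                  or between(b, d, c) or between(b, c, d)),
}

# Gupta's statement with hypothesis H1, ~(a = b), dropped: expected to fail.
GUPTA_WITHOUT_H1 = (4, lambda a, b, c, d:
                    not (between(a, b, c) and between(a, b, d))
                    or between(b, d, c) or between(b, c, d))

def counterexample(arity, statement):
    """Return the first tuple of sample points falsifying statement, or None."""
    for pts in product(POINTS, repeat=arity):
        if not statement(*pts):
            return pts
    return None

def check_all(statements):
    return {name: counterexample(n, s) for name, (n, s) in statements.items()}

if __name__ == "__main__":
    for name, cex in {**check_all(AXIOMS), **check_all(THEOREMS)}.items():
        print(name, "holds on the sample" if cex is None else f"fails at {cex}")
    print("Gupta without H1 fails at", counterexample(*GUPTA_WITHOUT_H1))
```

A passing run only shows that the statements hold on this sample of this model; it is a sanity check on the transcription, not a consistency proof.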

Re: [Hol-info] miz3 comments, statement labels, and case ... by '
From: Bill Richter - 2012-05-10 08:09

Freek, I have two new bug reports, but first:

   And in miz3 you should write it just like that! Why do you think
   you have to use the more convoluted route?

Thanks, and you're right, the simple Mizar consider syntax works fine in miz3. That really helps my code. My guess is that I was making so many miz3 errors that I didn't isolate which problem I was having.

BUG1) I always get miz3 error messages if I put a comment line in the middle of a proof. I'll explain this below.

BUG2) In the following proof that had a ton of mistakes (correct code below), miz3 only flagged non-errors:

let FlatNormal_THM = thm `;
  let a b c d d' e be point;
  assume Between (b,c,d') [H1];
  assume Between (d,e,d') [H2];
  assume c,d' === c,d [H3];
  assume d,e === d',e [H4];
  assume ~(c = d) [H5];
  assume ~(e = d) [H6];
  thus ? p,r,q . Between (p,r,q) /\ Between (r,c,d') /\ Between (e,c,p) /\ r,c,p cong r,c,q /\ r,c === e,c /\ p,r === d,e
  proof
    ~(c = d') by H5, H3, EquivSymmetric A3;
    ? p r . Between (e,c,p) /\ Between (d',c,r) /\ p,r,c cong d',e,c by EasyAngleTransport;
    consider p r such that Between (e,c,p) /\ Between (d',c,r) /\ p,r,c cong d',e,c [X1] by -;
    p,r === d',e /\ p,c === d',c /\ r,c === e,c [X2] by -, X1 cong_DEF;
    d',e === d,e by H4 EquivSymmetric;
    p,r === d,e [X3] by -, X2, EquivTransitive;
    ~(p = r) [X4] by -, EquivSymmetric, H6, A3;
    consider q such that Between (p,r,q) /\ r,q === e,d [X5] by A4;
    Between (d',e,d) [X6] by H2, Bsymmetry_THM;
    c,p === c,d' by -, X2, CongruenceDoubleSymmetry_THM;
    c,p === c,d [X7] by -, H3, EquivTransitive;
    :: Apply SAS to p+crq ∧ d'+ced
    c,q=== c,d by X4, X1, X5, X6, A5;
    c,d=== c,q by -, EquivSymmetric;
    c,p=== c,q [X8] by -, X7, EquivTransitive;
    r,c=== r,c [X9] by EquivReflexive;
    r,p=== e,d [X10] by X3, CongruenceDoubleSymmetry_THM;
    e,d=== r,q by X5, EquivSymmetric;
    r,p=== r,q by -, X10, EquivTransitive;
    r,c,p cong r,c,q [X11] by -, X9, X8, cong_DEF;
    Between (r,c,d') [X12] by -, X1, Bsymmetry_THM;
  qed by -, X5, X11, X12, X2, X1, X3`;;

The useless-to-me error message was

Exception:
Mizar_error
 (;
  let a b c d d' e be point;
  assume Between (b,c,d') [H1];
  assume Between (d,e,d') [H2];
  :: #3
  :: 3: skeleton error
  assume c,d' === c,d [H3];
  :: #3
  assume d,e === d',e [H4];
  :: #3
  assume ~(c = d) [H5];
  :: #3
  assume ~(e = d) [H6];
  :: #3
  thus ? p,r,q . Between (p,r,q) /\ Between (r,c,d') /\ Between (e,c,p) /\ r,c,p cong r,c,q /\ r,c === e,c /\ p,r === d,e
  :: #8
  :: 8: syntax or type error hol

The #3 and #8 errors in the statement of the lemma look wrong, and I never changed the statement. Here's the correction, except for the offending comment line:

let FlatNormal_THM = thm `;
  let a b c d d' e be point;
  assume Between (b,c,d') [H1];
  assume Between (d,e,d') [H2];
  assume c,d' === c,d [H3];
  assume d,e === d',e [H4];
  assume ~(c = d) [H5];
  assume ~(e = d) [H6];
  thus ? p r q . Between (p,r,q) /\ Between (r,c,d') /\ Between (e,c,p) /\ r,c,p cong r,c,q /\ r,c === e,c /\ p,r === d,e
  proof
    ~(c = d') by H5, H3, EquivSymmetric, A3;
    consider p r such that Between (e,c,p) /\ Between (d',c,r) /\ p,r,c cong d',e,c [X1] by -, EasyAngleTransport_THM;
    p,r === d',e /\ p,c === d',c /\ r,c === e,c [X2] by -, X1, cong_DEF;
    d',e === d,e by H4, EquivSymmetric;
    p,r === d,e [X3] by -, X2, EquivTransitive;
    ~(p = r) [X4] by -, EquivSymmetric, H6, A3;
    consider q such that Between (p,r,q) /\ r,q === e,d [X5] by A4;
    Between (d',e,d) [X6] by H2, Bsymmetry_THM;
    c,p === c,d' by -, X2, CongruenceDoubleSymmetry_THM;
    c,p === c,d [X7] by -, H3, EquivTransitive;
    (* In proof below, Apply SAS to p+crq /\ d'+ced *)
    c,q=== c,d by X4, X1, X5, X6, A5;
    c,d=== c,q by -, EquivSymmetric;
    c,p=== c,q [X8] by -, X7, EquivTransitive;
    r,c=== r,c [X9] by EquivReflexive;
    r,p=== e,d [X10] by X3, CongruenceDoubleSymmetry_THM;
    e,d=== r,q by X5, EquivSymmetric;
    r,p=== r,q by -, X10, EquivTransitive;
    r,c,p cong r,c,q [X11] by -, X9, X8, cong_DEF;
    Between (r,c,d') [X12] by X1, Bsymmetry_THM;
  qed by -, X5, X11, X12, X2, X1, X3`;;

Here's the miz3 error message:

    (* In proof below, Apply SAS to p+crq /\ d'+ced *)
    c,q=== c,d by X4, X1, X5, X6, A5;
    :: #8 #8
    :: 8: syntax or type error hol
    c,d=== c,q by -, EquivSymmetric;
    c,p=== c,q [X8] by -, X7, EquivTransitive;
    r,c=== r,c [X9] by EquivReflexive;
    r,p=== e,d [X10] by X3, CongruenceDoubleSymmetry_THM;
    e,d=== r,q by X5, EquivSymmetric;
    r,p=== r,q by -, X10, EquivTransitive;
    r,c,p cong r,c,q [X11] by -, X9, X8, cong_DEF;
    Between (r,c,d') [X12] by X1, Bsymmetry_THM;
  qed by -, X5, X11, X12, X2, X1, X3 ;
  ::#9#3
  :: 9: syntax error mizar
  :: 3: skeleton error
  ,
  (4, 0, 0)).

And I easily fix this by moving the comment line above the lemma:

(* In proof below, Apply SAS to p+crq /\ d'+ced *)

let FlatNormal_THM = thm `;
  let a b c d d' e be point;
  assume Between (b,c,d') [H1];
  assume Between (d,e,d') [H2];
  assume c,d' === c,d [H3];
  assume d,e === d',e [H4];
  assume ~(c = d) [H5];
  assume ~(e = d) [H6];
  thus ? p r q . Between (p,r,q) /\ Between (r,c,d') /\ Between (e,c,p) /\ r,c,p cong r,c,q /\ r,c === e,c /\ p,r === d,e
  proof
    ~(c = d') by H5, H3, EquivSymmetric, A3;
    consider p r such that Between (e,c,p) /\ Between (d',c,r) /\ p,r,c cong d',e,c [X1] by -, EasyAngleTransport_THM;
    p,r === d',e /\ p,c === d',c /\ r,c === e,c [X2] by -, X1, cong_DEF;
    d',e === d,e by H4, EquivSymmetric;
    p,r === d,e [X3] by -, X2, EquivTransitive;
    ~(p = r) [X4] by -, EquivSymmetric, H6, A3;
    consider q such that Between (p,r,q) /\ r,q === e,d [X5] by A4;
    Between (d',e,d) [X6] by H2, Bsymmetry_THM;
    c,p === c,d' by -, X2, CongruenceDoubleSymmetry_THM;
    c,p === c,d [X7] by -, H3, EquivTransitive;
    c,q=== c,d by X4, X1, X5, X6, A5;
    c,d=== c,q by -, EquivSymmetric;
    c,p=== c,q [X8] by -, X7, EquivTransitive;
    r,c=== r,c [X9] by EquivReflexive;
    r,p=== e,d [X10] by X3, CongruenceDoubleSymmetry_THM;
    e,d=== r,q by X5, EquivSymmetric;
    r,p=== r,q by -, X10, EquivTransitive;
    r,c,p cong r,c,q [X11] by -, X9, X8, cong_DEF;
    Between (r,c,d') [X12] by X1, Bsymmetry_THM;
  qed by -, X5, X11, X12, X2, X1, X3`;;

miz3 tells it's correct, returning

val ( FlatNormal_THM ) : thm =
  |- !a b c d d' e.
         Between (b,c,d')
         ==> Between (d,e,d')
         ==> c,d' === c,d
         ==> d,e === d',e
         ==> ~(c = d)
         ==> ~(e = d)
         ==> (?p r q.
                  Between (p,r,q) /\
                  Between (r,c,d') /\
                  Between (e,c,p) /\
                  r,c,p cong r,c,q /\
                  r,c === e,c /\
                  p,r === d,e)

--
Best,
Bill

 Re: [Hol-info] miz3 comments, statement labels, and case ... by ' From: Bill Richter - 2012-05-10 08:12

Freek, I successfully ported my 120 line Mizar proof of Gupta's theorem to miz3! That's a tribute to miz3 and its error messages, as I got a lot of them, and the errors showed me how to debug my code. But the first error messages I got didn't help me at all, and the 2nd one seems erroneous.

I pasted in the following 120 line proof, and got only one error message:

    Exception: Failure "term_of_now".

The problem was that on line 70, I had a

    ~(e = c) [U1];

which should have read

    ~(e = c) [U1]

as it is a statement I'm about to prove. After a few fixes, I got the error

    cases;
    :: #1
    :: 1: inference error
    suppose ~(e = c);
    qed by -;
    :: #9
    :: 9: syntax error mizar
    suppose e = c [U2]
    c' = e by U2, Z4, EquivSymmetric, A3;
    :: #9

You can clearly see my error:

    suppose e = c [U2]

needs a ; but nothing else here is wrong, and #1 and #9 are on different lines. After those two baffling error messages, the error messages got a lot clearer, and I finished debugging it (correction in my earlier post).

let Gupta_THM = thm ; let a b c d be point; assume ~(a = b) [H1]; assume Between (a,b,c) [H2]; assume Between (a,b,d) [H3]; thus Between (b,d,c) \/ Between (b,c,d) proof cases; suppose b = c \/ b = d \/ c = d; Between (b,d,c) \/ Between (b,c,d) by -, Baaq_THM, Bqaa_THM; end; suppose ~(b = c) /\ ~(b = d) /\ ~(c = d) [H4]; assume ~ Between (b,d,c) [H5]; consider d' such that Between (a,c,d') /\ c,d' === c,d [X1] by A4; consider c' such that Between (a,d,c') /\ d,c' === c,d [X2] by A4; is_ordered (a,b,c,d') by H2, X1, B123and134Ordered_THM; Between (a,b,d') /\ Between (b,c,d') [X3] by -, is_ordered_DEF; is_ordered (a,b,d,c') by H3, X2, B123and134Ordered_THM; Between (a,b,c') /\ Between (b,d,c') [X4] by -, is_ordered_DEF; ~(c = d') [X5] by X1, H4, A3, EquivSymmetric; ~(d = c') [X6] by X2, H4, A3, EquivSymmetric; ~(b = d') [X7] by X3, H4, A6; ~(b = c') [X8] by X4, H4, A6; consider u such that Between (c,d',u) /\ d',u === b,d [Y1] by A4; is_ordered (b,c,d',u) by X5, X3, Y1 BTransitivityOrdered_THM; Between (b,c,u) /\ Between (b,d',u) [Y2] by -, is_ordered_DEF; consider b' such that Between (d,c',b') /\ c',b' === b,c [Y3] by A4; is_ordered (b,d,c',b') by X6 X4 Y3 BTransitivityOrdered_THM; Between (b,d,b') /\ Between (b,c',b') [Y4] by -, is_ordered_DEF; Between (c',d,b) [Y5] by X4, Bsymmetry_THM; d,c' === c',d /\ b,d === d,b [Y6] by A1; c,d === d,c' by X2, EquivSymmetric; c,d' === d,c' by -, X1, EquivTransitive; c,d' === c',d [Y7] by -, Y6 EquivTransitive; d',u === d,b by Y1, Y6, EquivTransitive; c,u === c',b [Y8] by -, Y1, Y5, Y7, SegmentAddition_THM; c',b' === b',c' /\ b',b === b,b' [Y9] by A1; b,c === c',b' by Y3 EquivSymmetric; b,c === b',c' [Y10] by -, Y9 EquivTransitive; Between (b',c',b) by Y4, Bsymmetry_THM; b,u === b',b by -, Y2, Y10, Y8, SegmentAddition_THM; b,u === b,b' [Y11] by -, Y9, EquivTransitive; is_ordered (a,b,d',u) [Y12] by X7, X3, Y2, BTransitivityOrdered_THM; is_ordered (a,b,c',b') by X8, X4, Y4, BTransitivityOrdered_THM; Between (a,b,u) /\ Between 
(a,b,b') by -, Y12, is_ordered_DEF; u = b' [Y13] by -, H1, Y11, C1_THM; c',b === c,b' by Y13, Y8, EquivSymmetric; b,c' === b',c [Z1] by -, CongruenceDoubleSymmetry_THM; c,c' === c',c by A1; b,c,c' cong b',c',c [Z2] by -, Y10, Z1, cong_DEF; Between (b',c',d) by Y3, Bsymmetry_THM; c',d' === c,d [Z3] by -, H4, Z2, X3, Y7, A5; d',c' === c',d' by A1; d',c' === c,d by -, Z3, EquivTransitive; consider e such that Between (c,e,c') /\ Between (d,e,d') /\ c,e === c',e /\ d,e === d',e [Z4] by -, X3, X4, X1, X2, RhombusDiagBisect_THM; ~(e = c) [U1]; proof cases; suppose ~(e = c); qed by -; suppose e = c [U2] c' = e by U2, Z4, EquivSymmetric, A3; c' = c by -, U2; Between (b,d,c) [U3] by -, X4; F by -, U3, H5; qed by -; end; e = d [V1]; proof cases; suppose e = d; qed by -; suppose ~(e = d) [V2]; consider p r q such that Between (p,r,q) /\ Between (r,c,d') /\ Between (e,c,p) /\ r,c,p cong r,c,q /\ r,c === e,c /\ p,r === d,e [W1] by X3, Z4, X1, H4, V2, FlatNormal; r,p === r,q /\ c,p === c,q [W2] by W1, cong_DEF; ~(c = r) by W1 U1 EquivSymmetric, A3; d',p === d',q [W3] by -, W1, W2, EqDist2PointsBetween_THM; Between (c,d',b') by Y1, Y13; b',p === b',q [W4] by -, X5, W2, W3, EqDist2PointsBetween_THM; Between (d',c,b) by X3 Bsymmetry_THM; b,p === b,q [W5] by -, X5, W3, W2, EqDist2PointsBetween_THM; c',p === c',q [W7]by Y4 W4 W5 EqDist2PointsInnerBetween_THM; Between (c',e,c) by Z4, Bsymmetry_THM; is_ordered (c',e,c,p) by -, U1, W1, BTransitivityOrdered_THM; Between (c',c,p) [W8] by -, is_ordered_DEF; ~(c' = c) by Z4 U1 A6; p,p === p,q by -, W8, W7, W2, EqDist2PointsBetween; q = p by EquivSymmetric, A3; p = r by -, W1 A6; e = d [W9] by -, W1 EquivSymmetric A3; F by -, W9, V2; qed by -; end; d' = e by V1, Z4, EquivSymmetric, A3; d' = d by -, V1; thus Between (b,c,d) by X3; end; end;; 

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: John Harrison - 2012-05-10 16:04

Hi Bill,

| John, using your new axiom framework, with help from Freek, I ported my
| Tarski geometry Mizar code up to Gupta's theorem (code below). Thanks again
| for your three frameworks!

That's great, I'm glad it's working out so well! I just loaded your code and it worked smoothly for me too. It is indeed a tribute to Freek's miz3 more than to my own work, I think :-)

| Can you look at the top of my
| code? I could not see how to define the predicates
| ORDERED a,b,c,d
| x on_line a,b
| I failed to modify your parse_as_infix' defs of === and cong.

Although there is a notion of a "prefix" in HOL Light, this only forces right-associativity of unary function applications, whereas binary ones like "," still have lower precedence. So for ORDERED, I recommend just parenthesizing the quadruples, as I did with "Between".

    let ORDERED_DEF = new_definition
     `ORDERED (a,b,c,d) <=>
            Between (a,b,c) /\ Between (a,b,d) /\
            Between (a,c,d) /\ Between (b,c,d)`;;

I think your on_line definition should basically work more or less as written, using the parse_as_infix and Line_DEF calls you have. But you have some special character in your definition that may be left over from the Mizar version. I guess it's meant to be /\ or ==>. If you replace it by its HOL ASCII counterpart, I think it will work fine.

Just a comment on comments from the other thread: you can always put comments in miz3 proofs by using the native HOL Light convention, which is a BCPL-style "//" one-line comment.

    let EquivReflexive = thm `;
      !a b. a,b === a,b       // This is a really easy proof
      proof
        let a b be point;     // point is the type of a and b
        b,a === a,b by A1;    // A1 is our first axiom
      qed by -, A2            // Note that we use the previous line here
    `;;

But as far as I can see the native Mizar style :: is supposed to work in miz3 too, so I'll defer to Freek on that.

| I just read Harrison's talk and the first thing that comes to my
| mind is to get started on algebraic topology in a systematic way.
| Let's forget proving just the big theorems and build the whole
| thing.
|
| I wish I had the time to say I am volunteering, but I cannot right
| now. Of course, I guess you first need to build some algebra and
| either topological spaces or simplicial sets.

Yes, I agree completely that doing algebraic topology systematically would be more satisfying than these ad hoc tours de force. I know several people have expressed an interest in this, but I don't know if anyone has worked on it seriously.

HOL Light does have some rudimentary results on homotopy of paths in R^n and quite a lot of useful lemmas about polyhedra, with even a definition of simplicial complex (see Multivariate/polytope.ml):

    |- simplicial_complex c <=>
           FINITE c /\
           (!s. s IN c ==> ?n. n simplex s) /\
           (!f s. s IN c /\ f face_of s ==> f IN c) /\
           (!s s'. s IN c /\ s' IN c
                   ==> (s INTER s') face_of s /\ (s INTER s') face_of s')

I am hopeful that these might represent some sort of starting point for serious algebraic topology, but I don't think I'll have the time to work on this myself any time soon either!

John.

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-05-11 00:47

Thanks, John! We need to get rid of the new_axiom biz at some point, I think, but our code sure looks nice. Thanks again! I have two miz3 comments for Freek and you:

1) I was wrong about comments: you can use :: for comments inside a proof, just as in Mizar. That's almost explained in Freek's pdf, but it ought to be clearer. BUT (and I think this is a bug) you can't have  in the comment.

2) Here's a miz3 problem I had that I couldn't solve, and the error message doesn't help me. There's only one error message, so I'll just send the miz3 Exception: Mizar_error, which contains this:

    cases by X1, X2;
    :: #2
    :: 2: inference time-out

Mizar thought that was fine. So I rewrote the code to say first

    cases by X1;

and then

    cases by X2;

and it didn't help. So I don't think it's a cases problem. I think there's some other error I made which isn't getting reported.

Exception: Mizar_error (;
let a b x be point;
assume ~(a = b) [H1];
assume ~(a = x) [H2];
assume on_line(x,a,b) [H3];
thus ! c .
on_line(c,a,b) ==> on_line(c,a,x) proof let c be point; assume on_line(c,a,b) [H4]; Between (a,b,x) \/ Between (b,x,a) \/ Between (x,a,b) by H3, Line_DEF; Between (a,b,x) \/ Between (a,x,b) \/ Between (x,a,b) [X1] by -, Bsymmetry_THM; Between (a,b,c) \/ Between (b,c,a) \/ Between (c,a,b) by H4, Line_DEF; Between (a,b,c) \/ Between (a,c,b) \/ Between (c,a,b) [X2] by -, Bsymmetry_THM; x = b \/ b = c \/ (~(x = b) /\ ~(b = c)); cases by -; suppose x = b [Case1]; on_line(c,a,x) by -, H4; qed by -; suppose b = c [Case3]; Between (a,c,x) \/ Between (c,x,a) \/ Between (x,a,c) by -, H3, Line_DEF; Between (x,c,a) \/ Between (a,x,c) \/ Between (c,a,x) by -, Bsymmetry_THM; on_line(c,a,x) by -, H2, Line_DEF; qed by -; suppose ~(x = b) /\ ~(b = c) [Case2]; Between (a,x,c) \/ Between (a,c,x) \/ Between (x,a,c) proof cases by X1, X2; :: #2 :: 2: inference time-out suppose Between (a,b,x) /\ Between (a,b,c) [X3]; Between (b,x,c) \/ Between (b,c,x) by -, H1, Gupta_THM; is_ordered (a,b,x,c) \/ is_ordered (a,b,c,x) by -, Case2, X3, BTransitivityOrdered_THM; qed by -, is_ordered_DEF; suppose Between (a,b,x) /\ Between (a,c,b); is_ordered (a,c,b,x) by -, B123and134Ordered_THM; qed by -, is_ordered_DEF; suppose Between (a,b,x) /\ Between (c,a,b); is_ordered (c,a,b,x) by -, H1, BTransitivityOrdered_THM; Between (c,a,x) by -, is_ordered_DEF; qed by -, Bsymmetry_THM; suppose Between (a,x,b) /\ Between (a,b,c); is_ordered (a,x,b,c) by -, B123and134Ordered_THM; qed by -, is_ordered_DEF; suppose Between (a,x,b) /\ Between (a,c,b) [X4]; consider m such that Between (b,a,m) /\ a,m === a,b [X5] by -, A4; ~(a = m) [X6] by H1, X5, EquivSymmetric, A3; Between (m,a,b) by X5, Bsymmetry_THM; Between (m,a,c) /\ Between (m,a,x) by -, X4, B124and234then123_THM; Between (a,c,x) \/ Between (a,x,c) by -, X6, Gupta_THM; qed by -; suppose Between (a,x,b) /\ Between (c,a,b); Between (c,a,x) by -, B124and234then123_THM; qed by -, Bsymmetry_THM; suppose Between (x,a,b) /\ Between (a,b,c); is_ordered (x,a,b,c) by 
-, H1, BTransitivityOrdered_THM; qed by -, is_ordered_DEF; suppose Between (x,a,b) /\ Between (a,c,b); qed by -, B124and234then123_THM; suppose Between (x,a,b) /\ Between (c,a,b); Between (b,a,x) /\ Between (b,a,c) by -, Bsymmetry_THM; Between (a,x,c) \/ Between (a,c,x) by -, H1, Gupta_THM; qed by -; end; Between (a,x,c) \/ Between (x,c,a) \/ Between (c,a,x) by -, Bsymmetry_THM; qed by -, H2, Line_DEF; end ;, (0, 1, 0)). # -- Best, Bill 
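
Added example, not part of the post above and not miz3 code: a truth-table check of the propositional step behind `cases by X1, X2;`, assuming (as in Mizar) that the justification has to yield the disjunction of the nine `suppose` formulas. It is written in Python so it runs stand-alone, and it treats each Between atom as an independent Boolean; the function names are hypothetical.

```python
from itertools import product

# Constructed from the post above: the disjuncts of X1 and X2, and the nine
# `suppose` conjunctions in the order they appear under `cases by X1, X2;`.
X1 = ["Between (a,b,x)", "Between (a,x,b)", "Between (x,a,b)"]
X2 = ["Between (a,b,c)", "Between (a,c,b)", "Between (c,a,b)"]
SUPPOSES = [(p, q) for p in X1 for q in X2]


def counterexample(hyps, supposes):
    """Return an assignment where every hypothesis holds but no case does.

    hyps: list of disjunctions (each a list of atom names).
    supposes: list of conjunctions (each a tuple of atom names).
    Returns None when the case split is exhaustive.
    Assumption: atoms are independent Booleans (no geometry axioms used).
    """
    atoms = sorted({a for h in hyps for a in h} |
                   {a for s in supposes for a in s})
    for values in product([False, True], repeat=len(atoms)):
        v = dict(zip(atoms, values))
        hyps_hold = all(any(v[a] for a in h) for h in hyps)
        some_case = any(all(v[a] for a in s) for s in supposes)
        if hyps_hold and not some_case:
            return v
    return None


def redundant_cases(hyps, supposes):
    """Cases that could be dropped while the split stays exhaustive."""
    return [s for i, s in enumerate(supposes)
            if counterexample(hyps, supposes[:i] + supposes[i + 1:]) is None]


if __name__ == "__main__":
    print("exhaustive:", counterexample([X1, X2], SUPPOSES) is None)
    print("redundant cases:", redundant_cases([X1, X2], SUPPOSES))
```

Under that assumption the nine-way split is exhaustive and none of the nine cases can be omitted, so the step is propositionally valid as written.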

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-05-11 06:09

Freek and John, here's 2 miz3 bug reports. First, John, thanks for spotting my funny ∧ (should be /\) in my on_line' def!

BUG1) Paste in my Tarski geometry miz3 code (updated version below) or any reasonable version of it, and then paste in

    let I1part1_THM = thm `;
      let a b c x be point;
      assume Between (a,b,x) \/ Between (a,x,b) \/ Between (x,a,b) [X1];
      thus Between (a,b,x) \/ Between (b,x,a) \/ Between (x,a,b)
      proof
      qed by X1,Bsymmetry_THM`;;

This works, and gives the expected output

    |- !a b c x.
           Between (a,b,x) \/ Between (a,x,b) \/ Between (x,a,b)
           ==> Between (a,b,x) \/ Between (b,x,a) \/ Between (x,a,b)

The bug is that this code (like Freek's drinker's code on p 13--14) does not seem to fit Freek's grammar on p 16, which says on the top line that a lemma must be of the form

    let ident = thm ; formula proof; ;;

This doesn't happen unless we say that the let, assume and thus lines comprise a formula. There's no definition of formula, and I wouldn't expect formulas to contain labels or semicolons. The let and assume lines are proof steps, but the thus line is not. I don't say this to nitpick, but out of a real interest in understanding first the syntax and then the semantics of miz3.

BUG2) A modification of the above working code does not work:

    let I1part1_THM = thm `;
      let a b c x be point;
      assume Between (a,b,x) \/ Between (a,x,b) \/ Between (x,a,b) [X1];
      assume Between (a,b,c) \/ Between (a,c,b) \/ Between (c,a,b) [X2];
      thus ((Between (a,b,x) /\ Between (a,b,c)) \/
            (Between (a,b,x) /\ Between (a,c,b)) \/
            (Between (a,b,x) /\ Between (c,a,b)) \/
            (Between (a,x,b) /\ Between (a,b,c)) \/
            (Between (a,x,b) /\ Between (a,c,b)) \/
            (Between (a,x,b) /\ Between (c,a,b)) \/
            (Between (x,a,b) /\ Between (a,b,c)) \/
            (Between (x,a,b) /\ Between (a,c,b)) \/
            (Between (x,a,b) /\ Between (c,a,b)))
      proof
      qed by X1, X2`;;

The error at the end is

    ::#2
    :: 2: inference time-out
    , (0, 1, 0)).

-- Best, Bill (* Paste in these 2 commands: hol_light> ocaml #use "hol.ml";; #use "John5-8ModelTarski.ml";; then paste in the following file*) (* ================================================================= *) (* HOL Light Tarski geometry axiomatic proofs up to Gupta's theorem. *) (* ================================================================= *) (* Proof assistants like HOL Light can be used to help teach rigorous axiomatic geometry in high school using Hilbert's axioms, and introduce students to the world of formal proofs, which should become a hot area in debugging computer software. This is a port, mostly due to John Harrison, of Mizar code, which was heavily influenced by Julien Narboux's Coq pseudo-code http://dpt-info.u-strasbg.fr/~narboux/tarski.html and Wojciech A. Trybulec's incsp_1.miz in the MML library on axioms of incidence geometry. We partially prove the theorem of the 1983 book Metamathematische Methoden in der Geometrie by Schwabhäuser, Szmielew, and Tarski, that Tarski's (extremely weak!) plane geometry axioms imply Hilbert's axioms. We get about as far as Narboux, with Gupta's amazing proof which implies Hilbert's axiom I1 that two points determine a line. Thanks to Mizar folks who wrote an influential language I was able to learn, Freek Wiedijk, who wrote the miz3 port of Mizar to HOL Light, and especially John Harrison, who came up with the entire framework of porting my axiomatic proofs to HOL Light. 
*) new_type("point",0);; parse_as_infix("===",(12, "right"));; parse_as_infix("cong",(12, "right"));; parse_as_infix("equal_line",(12, "right"));; new_constant("===",:point#point->point#point->bool);; new_constant("Between",:point#point#point->bool);; let cong_DEF = new_definition a,b,c cong x,y,z <=> a,b === x,y /\ a,c === x,z /\ b,c === y,z;; let is_ordered_DEF = new_definition is_ordered (a,b,c,d) <=> Between (a,b,c) /\ Between (a,b,d) /\ Between (a,c,d) /\ Between (b,c,d);; let Collinear_DEF = new_definition Collinear(a,b,c) <=> Between (a,b,c) \/ Between (b,c,a) \/ Between (c,a,b);; let Line_DEF = new_definition on_line(x,a,b) <=> ~(a = b) /\ (Between (a,b,x) \/ Between (b,x,a) \/ Between (x,a,b));; let LineEq_DEF = new_definition a,b equal_line x,y <=> ~(a = b) ∧ ~(x = y) ∧ ! c . on_line(c,a,b) <=> c on_line(c,x,y); end; (* ------------------------------------------------------------------------- *) (* The axioms. *) (* ------------------------------------------------------------------------- *) let A1 = new_axiom !a b. a,b === b,a;; let A2 = new_axiom !a b p q r s. a,b === p,q /\ a,b === r,s ==> p,q === r,s;; let A3 = new_axiom !a b c. a,b === c,c ==> a = b;; let A4 = new_axiom !a q b c. ?x. Between(q,a,x) /\ a,x === b,c;; let A5 = new_axiom !a b c x a' b' c' x'. ~(a = b) /\ a,b,c cong a',b',c' /\ Between(a,b,x) /\ Between(a',b',x') /\ b,x === b',x' ==> c,x === c',x';; let A6 = new_axiom !a b. Between(a,b,a) ==> a = b;; let A7 = new_axiom !a b p q z. Between(a,p,z) /\ Between(b,q,z) ==> ?x. Between(p,x,b) /\ Between(q,x,a);; (* A4 is the Segment Construction axiom, A5 is the SAS axiom and A7 is the Inner Pasch axiom. There are 4 more axioms we're not using yet: there exist 3 non-collinear points; 3 points equidistant from 2 distinct points are collinear; Euclid's parallel postulate; a first order version of Hilbert's Dedekind Cuts axiom. We shall say we apply SAS to a+cbx and a'+c'b'x'. 
Normally one applies SAS by showing cb = c'b' bx = b'x' (which we assume) and angle cbx cong angle c'b'x'. One might prove the angle congruence by showing that the triangles abc /\ a'b'c' were congruent by SSS (which we also assume) and then apply the theorem that complements of congruent angles are congruent. Hence Tarski's axiom. *) (* ------------------------------------------------------------------------- *) (* Now Mizarlight versions of the actual proofs. *) (* ------------------------------------------------------------------------- *) #load "unix.cma";; loadt "miz3/miz3.ml";; horizon := 0;; let EquivReflexive = thm ; !a b. a,b === a,b proof let a b be point; b,a === a,b by A1; qed by -, A2;; let EquivSymmetric = thm ; !a b c d. a,b === c,d ==> c,d === a,b proof let a b c d be point; assume a,b === c,d [1]; a,b === a,b by EquivReflexive; qed by -, 1, A2;; let EquivTransitive = thm ; !a b p q r s . a,b === p,q /\ p,q === r,s ==> a,b === r,s proof let a b p q r s be point; assume a,b === p,q [H1]; assume p,q === r,s [H2]; p,q === a,b by H1, EquivSymmetric; qed by -, H2, A2;; let Baaa_THM = thm ; !a b. Between (a,a,a) /\ a,a === b,b proof let a b be point; consider x such that Between (a,a,x) /\ a,x === b,b [X1] by A4; a = x by -, A3; qed by -, X1;; let Bqaa_THM = thm ; !a q. 
Between(q,a,a) proof let a q be point; consider x such that Between(q,a,x) /\ a,x === a,a [X1] by A4; a = x by -, A3; qed by -, X1;; let C1_THM = thm ; let a b x y be point; assume ~(a = b) [H1]; assume Between (a,b,x) [H2]; assume Between (a,b,y) [H3]; assume b,x === b,y [H4]; thus y = x proof a,b === a,b /\ a,y === a,y /\ b,y === b,y by EquivReflexive; a,b,y cong a,b,y by -, cong_DEF; y,x === y,y by -, H1, H2, H3, H4, A5; qed by -, A3;; let Bsymmetry_THM = thm ; let a p z be point; thus Between (a,p,z) ==> Between (z,p,a) proof assume Between (a,p,z) [H1]; Between (p,z,z) by Bqaa_THM; consider x such that Between (p,x,p) /\ Between (z,x,a) [X1] by -, H1, A7; x = p by -, A6; qed by -, X1;; let Baaq_THM = thm ; let a q be point; thus Between (a,a,q) proof Between (q,a,a) by Bqaa_THM; qed by -, Bsymmetry_THM;; let BEquality_THM = thm ; let a b c be point; thus Between (a,b,c) /\ Between (b,a,c) ==> a = b proof assume Between (a,b,c) [H1]; assume Between (b,a,c); ? x . Between (b,x,b) /\ Between (a,x,a) by -, H1, A7; consider x such that Between (b,x,b) /\ Between (a,x,a) [X1] by -; b = x by X1, A6; Between (a,b,a) by -, X1; qed by -, A6;; let B124and234then123_THM = thm ; let a b c d be point; assume Between (a,b,d) [H1]; assume Between (b,c,d) [H2]; thus Between (a,b,c) proof ? x . 
Between (b,x,b) /\ Between (c,x,a) by H1, H2, A7; consider x such that Between (b,x,b) /\ Between (c,x,a) [X1] by -; b = x by X1, A6; Between (c,b,a) by -, X1; qed by -, Bsymmetry_THM;; let BTransitivity_THM = thm ; let a b c d be point; assume ~(b = c) [H1]; assume Between (a,b,c) [H2]; assume Between (b,c,d) [H3]; thus Between (a,c,d) proof consider x such that Between (a,c,x) /\ c,x === c,d [X1] by A4; Between (x,c,a) [X2] by -, Bsymmetry_THM; Between (c,b,a) by H2, Bsymmetry_THM; Between (x,c,b) by -, X2, B124and234then123_THM; Between (b,c,x) by -, Bsymmetry_THM; x = d by -, H1, H3, X1, C1_THM; qed by -, X1;; let BTransitivityOrdered_THM = thm ; let a b c d be point; assume ~(b = c) [H1]; assume Between (a,b,c) [H2]; assume Between (b,c,d) [H3]; thus is_ordered (a,b,c,d) proof Between (a,c,d) [X1] by H1, H2, H3, BTransitivity_THM; Between (d,c,b) [X2] by H3, Bsymmetry_THM; Between (c,b,a) by -, H2, Bsymmetry_THM; Between (d,b,a) by -, H1, X2, BTransitivity_THM; Between (a,b,d) by -, Bsymmetry_THM; qed by H2, -, X1, H3, is_ordered_DEF;; (* let BTransitivityOrdered_THM = thm ; ! a b c d . 
~(b = c) /\ Between (a,b,c) /\ Between (b,c,d) ==> ORDERED a,b,c,d proof let a b c d be point; assume ~(b = c) [H1]; assume Between (a,b,c) [H2]; assume Between (b,c,d) [H3]; Between (a,c,d) [X1] by H1, H2, H3, BTransitivity_THM; Between (d,c,b) [X2] by H3, Bsymmetry_THM; Between (c,b,a) by -, H2, Bsymmetry_THM; Between (d,b,a) by -, H1, X2, BTransitivity_THM; Between (a,b,d) by -, Bsymmetry_THM; thus ORDERED a,b,c,d by H2, -, X1, H3, ORDERED_DEF; end;; *) let B124and234Ordered_THM = thm ; let a b c d be point; assume Between (a,b,d) [H1]; assume Between (b,c,d) [H2]; thus is_ordered (a,b,c,d) proof cases; suppose b = c [P1]; Between (a,b,c) [P2] by -, Bqaa_THM; Between (a,c,d) by P1, H1; qed by P2, H1, -, H2, is_ordered_DEF; suppose ~(b = c) [Q1]; Between (a,b,c) by H1, H2, B124and234then123_THM; qed by -, Q1, H2, BTransitivityOrdered_THM; end;; let SegmentAddition_THM = thm ; let a b c a' b' c' be point; assume Between (a,b,c) [H1]; assume Between (a',b',c') [H2]; assume a,b === a',b' [H3]; assume b,c === b',c' [H4]; thus a,c === a',c' proof cases; suppose a = b [Y1]; a,a === a',b' by H3, Y1; a',b' === a,a by -, EquivSymmetric; a' = b' by -, A3; qed by -, H4, Y1; suppose ~(a = b) [Z1]; b,a === a,b by A1; b,a === a',b' [Z2] by -, H3, EquivTransitive; a',b' === b',a' by A1; b,a === b',a' [Z3] by -, Z2, EquivTransitive; a,a === a',a' by Baaa_THM; a,b,a cong a',b',a' by -, H3, Z3, cong_DEF; qed by -, Z1, H1, H2, H4, A5; end;; let CongruenceDoubleSymmetry_THM = thm ; let a b c d be point; assume a,b === c,d [H1]; thus b,a === d,c proof b,a === a,b /\ c,d === d,c [X1] by H1, A1; a,b === d,c by H1, X1, EquivTransitive; qed by -, X1, EquivTransitive;; let C1prime_THM = thm ; let a b x y be point; assume ~(a = b) [H1]; assume Between (a,b,x) [H2]; assume Between (a,b,y) [H3]; assume a,x === a,y [H4]; thus x = y proof consider m such that Between (b,a,m) /\ a,m === a,b [X1] by A4; Between (m,a,b) [X2] by X1, Bsymmetry_THM; ~(m = a) [X3] by X1, EquivSymmetric, A3, H1; 
is_ordered (m,a,b,x) by H1, X2, H2, BTransitivityOrdered_THM; Between (m,a,x) [X4] by -, is_ordered_DEF; is_ordered (m,a,b,y) by H1, X2, H3, BTransitivityOrdered_THM; Between (m,a,y) by -, is_ordered_DEF; qed by -, X3, X4, H4, C1_THM;; let SegmentSubtraction_THM = thm ; let a b c a' b' c' be point; assume Between (a,b,c) [H1]; assume Between (a',b',c') [H2]; assume a,b === a',b' [H3]; assume a,c === a',c' [H4]; thus b,c === b',c' proof cases; suppose a = b [Y1]; a,a === a',b' by -, H3; a',b' === a,a by -, EquivSymmetric; a' = b' by -, A3; qed by -, H4, Y1; suppose ~(a = b) [Z1]; consider x such that Between (a,b,x) /\ b,x === b',c' [Z2] by A4; a,x === a',c' [Z3] by Z2, H2, H3, SegmentAddition_THM; a',c' === a,c by H4, EquivSymmetric; a,x === a,c by -, Z3, EquivTransitive; x = c by -, Z1, Z2, H1, C1prime_THM; qed by -, Z2; end;; let EasyAngleTransport_THM = thm ; let a O b be point; assume ~(O = a) [H1]; thus ? x y . Between (b,O,x) /\ Between (a,O,y) /\ x,y,O cong a,b,O proof consider x such that Between (b,O,x) /\ O,x === O,a [X2] by A4; x,O === a,O [X3] by -, CongruenceDoubleSymmetry_THM; a,O === x,O [X4] by -, EquivSymmetric; a,x === x,a by A1; a,O,x cong x,O,a [X5] by X4, -, X2, cong_DEF; consider y such that Between (a,O,y) /\ O,y === O,b [X6] by A4; Between (x,O,b) by X2 ,Bsymmetry_THM; x,y === a,b [X7] by H1, X5, X6, -, A5; y,O === b,O by X6, CongruenceDoubleSymmetry_THM; x,y,O cong a,b,O by X7, X3, -, cong_DEF; qed by X2, X6, -;; let B123and134Ordered_THM = thm ; let a b c d be point; assume Between (a,b,c) [H1]; assume Between (a,c,d) [H2]; thus is_ordered (a,b,c,d) proof Between (d,c,a) /\ Between (c,b,a) by H2, H1, Bsymmetry_THM; is_ordered (d,c,b,a) by -, B124and234Ordered_THM; Between (d,b,a) /\ Between (d,c,b) by -, is_ordered_DEF; Between (a,b,d) /\ Between (b,c,d) by -, Bsymmetry_THM; thus is_ordered (a,b,c,d) by -, H1, H2, is_ordered_DEF; end;; let BextendToLine_THM = thm ; let a b c d be point; assume ~(a = b) [H1]; assume Between (a,b,c) [H2]; 
assume Between (a,b,d) [H3]; thus ? x . is_ordered (a,b,c,x) /\ is_ordered (a,b,d,x) proof consider u such that Between (a,c,u) /\ c,u === b,d [X1] by A4; is_ordered (a,b,c,u) [X2] by H2, X1, B123and134Ordered_THM; Between (b,c,u) by X2, is_ordered_DEF; Between (u,c,b) [X3] by -, Bsymmetry_THM; u,c === c,u by A1; u,c === b,d [X4] by -, X1, EquivTransitive; Between (a,b,u) [X5] by X2, is_ordered_DEF; consider x such that Between (a,d,x) /\ d,x === b,c [Y1] by A4; is_ordered (a,b,d,x) [Y2] by H3, Y1, B123and134Ordered_THM; Between (b,d,x) [Y3] by -, is_ordered_DEF; b,c === d,x [Y4] by Y1, EquivSymmetric; c,b === b,c by A1; c,b === d,x [Y5] by -, Y4, EquivTransitive; Between (a,b,x) [Y6] by Y2, is_ordered_DEF; u,b === b,x [X6] by X3, Y3, X4, Y5, SegmentAddition_THM; b,u === u,b by A1; b,u === b,x by -, X6, EquivTransitive; u = x by -, H1, X5, Y6, C1_THM; qed by -, X2, Y2;; let GuptaEasy_THM = thm ; let a b c d be point; assume ~(a = b) [H1]; assume Between (a,b,c) [H2]; assume Between (a,b,d) [H3]; assume ~(b = c) [H4]; assume ~(b = d) [H5]; thus ~ Between (c,b,d) proof cases; suppose ~ Between (c,b,d); qed by -; suppose Between (c,b,d) [H6]; ? x . is_ordered (a,b,c,x) /\ is_ordered (a,b,d,x) by H1, H2, H3, BextendToLine_THM; consider x such that is_ordered (a,b,c,x) /\ is_ordered (a,b,d,x) [X1] by -; Between (b,d,x) by X1, is_ordered_DEF; is_ordered (c,b,d,x) by -, H5, H6, BTransitivityOrdered_THM; Between (b,c,x) /\ Between (c,b,x) by -, X1, is_ordered_DEF; b = c [X2] by -, BEquality_THM; F by -, H4, X2; qed by -; end;; (* The next result is like SAS: there are 5 pairs of segments 4 equivalent. 
   We say we apply Inner5Segments to abc-x and a'b'c'-x' *)

let Inner5Segments_THM = thm `;
  let a b c x a' b' c' x' be point;
  assume a,b,c cong a',b',c' [H1];
  assume Between (a,x,c) [H2];
  assume Between (a',x',c') [H3];
  assume c,x === c',x' [H4];
  thus b,x === b',x'
  proof
    a,b === a',b' /\ a,c === a',c' /\ b,c === b',c' [X1] by H1, cong_DEF;
    cases;
    suppose x = c [Case1];
      c',x' === c,c by H4, Case1, EquivSymmetric;
      x' = c' by -, A3;
    qed by -, Case1, X1;
    suppose ~(x = c) [Case2];
      ~(a = c) [X2] by H2, A6, Case2;
      consider y such that Between (a,c,y) /\ c,y === a,c [X3] by A4;
      consider y' such that Between (a',c',y') /\ c',y' === a,c [X4] by A4;
      a,c === c',y' by X4, EquivSymmetric;
      c,y === c',y' [X5] by -, X3, EquivTransitive;
      c,b === c',b' [X6] by X1, CongruenceDoubleSymmetry_THM;
      a,c,b cong a',c',b' by cong_DEF, X1, X6;
      b,y === b',y' [X7] by -, X2, X3, X4, X5, A5;
      ~(y = c) [X8] by X3, EquivSymmetric, A3, X2;
      Between (y,c,a) /\ Between (c,x,a) by X3, H2, Bsymmetry_THM;
      Between (y,c,x) [X9] by -, B124and234then123_THM;
      Between (y',c',a') /\ Between (c',x',a') by -, X4, H3, Bsymmetry_THM;
      Between (y',c',x') [X10] by -, B124and234then123_THM;
      y,c === y',c' /\ y,b === y',b' by X5, X7, CongruenceDoubleSymmetry_THM;
      y,c,b cong y',c',b' by -, cong_DEF, X6;
    qed by -, X8, X9, X10, H4, A5;
  end`;;

let RhombusDiagBisect_THM = thm `;
  let b c d c' d' be point;
  assume Between (b,c,d') [H1];
  assume Between (b,d,c') [H2];
  assume c,d' === c,d [H3];
  assume d,c' === c,d [H4];
  assume d',c' === c,d [H5];
  thus ? e . Between (c,e,c') /\ Between (d,e,d') /\ c,e === c',e /\ d,e === d',e
  proof
    Between (d',c,b) /\ Between (c',d,b) [X1] by H1, H2, Bsymmetry_THM;
    consider e such that Between (c,e,c') /\ Between (d,e,d') [X2] by X1, A7;
    c,d === c,d' [X3] by H3, EquivSymmetric;
    c,c' === c,c' [X4] by EquivReflexive;
    c,d === d',c' by H5, EquivSymmetric;
    d,c' === d',c' by -, H4, EquivTransitive;
    c,d,c' cong c,d',c' by -, X3, X4, cong_DEF;
    d,e === d',e [X5] by -, X2, EquivReflexive, Inner5Segments_THM;
    d,c === c,d [X6] by A1;
    c,d === d,c' by H4, EquivSymmetric;
    d,c === d,c' [X7] by -, X6, EquivTransitive;
    d,d' === d,d' [X8] by EquivReflexive;
    c,d === d',c' [X9] by H5, EquivSymmetric;
    d',c' === c',d' by A1;
    c,d === c',d' by -, X9, EquivTransitive;
    c,d' === c',d' [X10] by -, H3, EquivTransitive;
    d,d' === d,d' by EquivReflexive;
    d,c,d' cong d,c',d' by -, X7, X8, X10, cong_DEF;
    c,e === c',e by -, X2, EquivReflexive, Inner5Segments_THM;
  qed by -, X2, X5`;;

let FlatNormal_THM = thm `;
  let a b c d d' e be point;
  assume Between (b,c,d') [H1];
  assume Between (d,e,d') [H2];
  assume c,d' === c,d [H3];
  assume d,e === d',e [H4];
  assume ~(c = d) [H5];
  assume ~(e = d) [H6];
  thus ? p r q . Between (p,r,q) /\ Between (r,c,d') /\ Between (e,c,p) /\
                 r,c,p cong r,c,q /\ r,c === e,c /\ p,r === d,e
  proof
    ~(c = d') by H5, H3, EquivSymmetric, A3;
    consider p r such that
      Between (e,c,p) /\ Between (d',c,r) /\ p,r,c cong d',e,c [X1]
      by -, EasyAngleTransport_THM;
    p,r === d',e /\ p,c === d',c /\ r,c === e,c [X2] by -, X1, cong_DEF;
    d',e === d,e by H4, EquivSymmetric;
    p,r === d,e [X3] by -, X2, EquivTransitive;
    ~(p = r) [X4] by -, EquivSymmetric, H6, A3;
    consider q such that Between (p,r,q) /\ r,q === e,d [X5] by A4;
    Between (d',e,d) [X6] by H2, Bsymmetry_THM;
    c,p === c,d' by -, X2, CongruenceDoubleSymmetry_THM;
    c,p === c,d [X7] by -, H3, EquivTransitive;
    :: Apply SAS to p+crq /\ d'+ced
    c,q === c,d by X4, X1, X5, X6, A5;
    c,d === c,q by -, EquivSymmetric;
    c,p === c,q [X8] by -, X7, EquivTransitive;
    r,c === r,c [X9] by EquivReflexive;
    r,p === e,d [X10] by X3, CongruenceDoubleSymmetry_THM;
    e,d === r,q by X5, EquivSymmetric;
    r,p === r,q by -, X10, EquivTransitive;
    r,c,p cong r,c,q [X11] by -, X9, X8, cong_DEF;
    Between (r,c,d') [X12] by X1, Bsymmetry_THM;
  qed by -, X5, X11, X12, X2, X1, X3`;;

let EqDist2PointsBetween_THM = thm `;
  let a b c p q be point;
  assume ~(a = b) [H1];
  assume Between (a,b,c) [H2];
  assume a,p === a,q /\ b,p === b,q [H3];
  thus c,p === c,q
  :: a & b are equidistant from p & q. Apply SAS to a+pbc /\ a+qbc.
  proof
    a,b === a,b /\ b,c === b,c [X1] by EquivReflexive;
    a,b,p cong a,b,q by -, H3, cong_DEF;
    p,c === q,c by H1, -, H2, X1, A5;
  qed by -, CongruenceDoubleSymmetry_THM`;;

let EqDist2PointsInnerBetween_THM = thm `;
  let a x c p q be point;
  assume Between (a,x,c) [H1];
  assume a,p === a,q /\ c,p === c,q [H2];
  thus x,p === x,q
  :: a and c are equidistant from p and q. Apply Inner5Segments to
  :: apb-x /\ aqb-x.
  proof
    a,c === a,c /\ c,x === c,x [X1] by EquivReflexive;
    p,c === q,c by H2, CongruenceDoubleSymmetry_THM;
    a,p,c cong a,q,c by -, H2, X1, cong_DEF;
    p,x === q,x by -, H1, X1, Inner5Segments_THM;
    thus x,p === x,q by -, CongruenceDoubleSymmetry_THM;
  end`;;

let Gupta_THM = thm `;
  let a b c d be point;
  assume ~(a = b) [H1];
  assume Between (a,b,c) [H2];
  assume Between (a,b,d) [H3];
  thus Between (b,d,c) \/ Between (b,c,d)
  proof
    cases;
    suppose b = c \/ b = d \/ c = d;
      Between (b,d,c) \/ Between (b,c,d) by -, Baaq_THM, Bqaa_THM;
    qed by -;
    suppose ~(b = c) /\ ~(b = d) /\ ~(c = d) [H4];
      assume ~ (Between (b,d,c)) [H5];
      consider d' such that Between (a,c,d') /\ c,d' === c,d [X1] by A4;
      consider c' such that Between (a,d,c') /\ d,c' === c,d [X2] by A4;
      is_ordered (a,b,c,d') by H2, X1, B123and134Ordered_THM;
      Between (a,b,d') /\ Between (b,c,d') [X3] by -, is_ordered_DEF;
      is_ordered (a,b,d,c') by H3, X2, B123and134Ordered_THM;
      Between (a,b,c') /\ Between (b,d,c') [X4] by -, is_ordered_DEF;
      ~(c = d') [X5] by X1, H4, A3, EquivSymmetric;
      ~(d = c') [X6] by X2, H4, A3, EquivSymmetric;
      ~(b = d') [X7] by X3, H4, A6;
      ~(b = c') [X8] by X4, H4, A6;
      :: In the proof below, we prove a stronger result than
      :: BextendToLine_THM with much the same proof. We find u /\ b'
      :: with essentially a,b,c,d',u and a b,d,c',b' ordered 5-tuples
      :: with d'u === db /\ cb' === bc. *)
      consider u such that Between (c,d',u) /\ d',u === b,d [Y1] by A4;
      is_ordered (b,c,d',u) by X5, X3, Y1, BTransitivityOrdered_THM;
      Between (b,c,u) /\ Between (b,d',u) [Y2] by -, is_ordered_DEF;
      consider b' such that Between (d,c',b') /\ c',b' === b,c [Y3] by A4;
      is_ordered (b,d,c',b') by X6, X4, Y3, BTransitivityOrdered_THM;
      Between (b,d,b') /\ Between (b,c',b') [Y4] by -, is_ordered_DEF;
      Between (c',d,b) [Y5] by X4, Bsymmetry_THM;
      d,c' === c',d /\ b,d === d,b [Y6] by A1;
      c,d === d,c' by X2, EquivSymmetric;
      c,d' === d,c' by -, X1, EquivTransitive;
      c,d' === c',d [Y7] by -, Y6, EquivTransitive;
      d',u === d,b by Y1, Y6, EquivTransitive;
      c,u === c',b [Y8] by -, Y1, Y5, Y7, SegmentAddition_THM;
      c',b' === b',c' /\ b',b === b,b' [Y9] by A1;
      b,c === c',b' by Y3, EquivSymmetric;
      b,c === b',c' [Y10] by -, Y9, EquivTransitive;
      Between (b',c',b) by Y4, Bsymmetry_THM;
      b,u === b',b by -, Y2, Y10, Y8, SegmentAddition_THM;
      b,u === b,b' [Y11] by -, Y9, EquivTransitive;
      is_ordered (a,b,d',u) [Y12] by X7, X3, Y2, BTransitivityOrdered_THM;
      is_ordered (a,b,c',b') by X8, X4, Y4, BTransitivityOrdered_THM;
      Between (a,b,u) /\ Between (a,b,b') by -, Y12, is_ordered_DEF;
      u = b' [Y13] by -, H1, Y11, C1_THM;
      :: Show c'd' === cd by applying SAS to b+c'cd /\ b'+cc'd.
      c',b === c,b' by Y13, Y8, EquivSymmetric;
      b,c' === b',c [Z1] by -, CongruenceDoubleSymmetry_THM;
      c,c' === c',c by A1;
      b,c,c' cong b',c',c [Z2] by -, Y10, Z1, cong_DEF;
      Between (b',c',d) by Y3, Bsymmetry_THM;
      c',d' === c,d [Z3] by -, H4, Z2, X3, Y7, A5;
      d',c' === c',d' by A1;
      d',c' === c,d by -, Z3, EquivTransitive;
      :: c,d',c',d is a "flat" rhombus. The diagonals bisect each other.
      consider e such that
        Between (c,e,c') /\ Between (d,e,d') /\ c,e === c',e /\ d,e === d',e [Z4]
        by -, X3, X4, X1, X2, RhombusDiagBisect_THM;
      ~(e = c) [U1]
      proof
        cases;
        suppose ~(e = c);
        qed by -;
        suppose e = c [U2];
          c' = e by U2, Z4, EquivSymmetric, A3;
          c' = c by -, U2;
          Between (b,d,c) [U3] by -, X4;
          F by -, U3, H5;
        qed by -;
      end;
      e = d [V1]
      proof
        cases;
        suppose e = d;
        qed by -;
        suppose ~(e = d) [V2];
          consider p r q such that
            Between (p,r,q) /\ Between (r,c,d') /\ Between (e,c,p) /\
            r,c,p cong r,c,q /\ r,c === e,c /\ p,r === d,e [W1]
            by X3, Z4, X1, H4, V2, FlatNormal_THM;
          r,p === r,q /\ c,p === c,q [W2] by W1, cong_DEF;
          :: r and c are equidistant from p and q, r <> c, Between r,c,d', thus also d'
          ~(c = r) by W1, U1, EquivSymmetric, A3;
          d',p === d',q [W3] by -, W1, W2, EqDist2PointsBetween_THM;
          :: c and d' are equidistant from p and q, c <> d',
          :: Between c,d',b', thus also b'.
          Between (c,d',b') by Y1, Y13;
          b',p === b',q [W4] by -, X5, W2, W3, EqDist2PointsBetween_THM;
          :: d' and c are equidistant from p and q, d' <> c, Between d',c,b, thus also b.
          Between (d',c,b) by X3, Bsymmetry_THM;
          b,p === b,q [W5] by -, X5, W3, W2, EqDist2PointsBetween_THM;
          :: b and b' are equidistant from p and q, Between b,c',b, thus also c'.
          c',p === c',q [W7] by Y4, W4, W5, EqDist2PointsInnerBetween_THM;
          :: c' and c are equidistant from p and q, c' <> c, Between c',c,p, thus also p.
          Between (c',e,c) by Z4, Bsymmetry_THM;
          is_ordered (c',e,c,p) by -, U1, W1, BTransitivityOrdered_THM;
          Between (c',c,p) [W8] by -, is_ordered_DEF;
          ~(c' = c) by Z4, U1, A6;
          p,p === p,q by -, W8, W7, W2, EqDist2PointsBetween_THM;
          :: Now we deduce a contradiction from p = q.
          q = p by -, EquivSymmetric, A3;
          p = r by -, W1, A6;
          e = d [W9] by -, W1, EquivSymmetric, A3;
          F by -, W9, V2;
        qed by -;
      end;
      d' = e by V1, Z4, EquivSymmetric, A3;
      d' = d by -, V1;
      Between (b,c,d) by -, X3;
    qed by -;
  end`;;

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: John Harrison - 2012-05-11 15:59

Hi Bill,

| The error at the end is
|
| ::#2
| :: 2: inference time-out
| ,
| (0, 1, 0)).

This is a genuine inference timeout, which does indeed seem surprising
for such a simple problem. You did a good job of boiling down the
essential core. To extract it from miz3 completely, the goal to be
proved is effectively:

  (Between (a,b,x) \/ Between (a,x,b) \/ Between (x,a,b)) /\
  (Between (a,b,c) \/ Between (a,c,b) \/ Between (c,a,b))
  ==> Between (a,b,x) /\ Between (a,b,c) \/
      Between (a,b,x) /\ Between (a,c,b) \/
      Between (a,b,x) /\ Between (c,a,b) \/
      Between (a,x,b) /\ Between (a,b,c) \/
      Between (a,x,b) /\ Between (a,c,b) \/
      Between (a,x,b) /\ Between (c,a,b) \/
      Between (x,a,b) /\ Between (a,b,c) \/
      Between (x,a,b) /\ Between (a,c,b) \/
      Between (x,a,b) /\ Between (c,a,b);;

This can be solved trivially with the right tactic, but the default
provers used in miz3 (HOL_BY and MESON) perform case splitting somewhat
overenthusiastically, as a result of which they take a significant
fraction of a second. This is enough to overstep the low default
inference timeout in miz3. There are two quick fixes:

1. Use a specific tactic that will solve the goal faster, e.g. replace
   the final line with

     qed by CONV_TAC TAUT, X1, X2

2. Increase the default inference timeout for miz3. This will make the
   built-in provers effectively more powerful, but will slow down the
   rejection of faulty proofs, making debugging slower.

     reset_miz3 0; timeout := 5;;

Anyway, since neither of these is entirely satisfying, I will take a
look at the default prover implementation to see if it can do a better
job in such situations. Naturally, you could also consider buying a
machine with a new and faster processor :-)

John.
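
The goal quoted in the message above is a propositional tautology once each Between (...) fact is read as an opaque atom, which is why a tautology prover such as TAUT disposes of it without case-splitting on geometry. The following Python sketch is an added example (not from the thread and not HOL Light code): it parses the goal as quoted and checks all truth assignments; the parser, the function names and the WEAKENED variant are this example's own.

```python
import itertools
import re

# A token is an atom such as "Between (a,b,x)", a connective, or a parenthesis.
TOKEN = re.compile(r"""\s*(?:
      (?P<atom>[A-Za-z_][A-Za-z0-9_']*\s*\([^()]*\))
    | (?P<op>==>|/\\|\\/|~|\(|\))
)""", re.VERBOSE)

# The goal as quoted in the message (the trailing ";;" is omitted).
GOAL = r"""
(Between (a,b,x) \/ Between (a,x,b) \/ Between (x,a,b)) /\
(Between (a,b,c) \/ Between (a,c,b) \/ Between (c,a,b))
==> Between (a,b,x) /\ Between (a,b,c) \/
    Between (a,b,x) /\ Between (a,c,b) \/
    Between (a,b,x) /\ Between (c,a,b) \/
    Between (a,x,b) /\ Between (a,b,c) \/
    Between (a,x,b) /\ Between (a,c,b) \/
    Between (a,x,b) /\ Between (c,a,b) \/
    Between (x,a,b) /\ Between (a,b,c) \/
    Between (x,a,b) /\ Between (a,c,b) \/
    Between (x,a,b) /\ Between (c,a,b)
"""

# Constructed variant: the last disjunct of the conclusion is dropped,
# so the formula is no longer valid.
WEAKENED = GOAL.rsplit("\\/", 1)[0]


def tokenize(text):
    text, tokens, pos = text.rstrip(), [], 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"unexpected input at offset {pos}")
        if m.group("atom"):
            # Normalise spacing so "Between (a,b,x)" and "Between(a,b,x)" agree.
            tokens.append(("atom", re.sub(r"\s+", "", m.group("atom"))))
        else:
            tokens.append(("op", m.group("op")))
        pos = m.end()
    return tokens


def parse(text):
    """Parse with HOL Light precedence: ~ binds tightest, then /\\, \\/, ==>."""
    tokens, pos = tokenize(text), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else ("end", "")

    def advance():
        nonlocal pos
        pos += 1

    def right_assoc(symbol, operand):
        # The three binary connectives used here all associate to the right.
        def rule():
            left = operand()
            if peek() == ("op", symbol):
                advance()
                return (symbol, left, rule())
            return left
        return rule

    def primary():
        kind, value = peek()
        advance()
        if kind == "atom":
            return ("atom", value)
        if value == "~":
            return ("~", primary())
        if value == "(":
            inner = implication()
            if peek() != ("op", ")"):
                raise ValueError("missing ')'")
            advance()
            return inner
        raise ValueError(f"unexpected token {value!r}")

    conjunction = right_assoc("/\\", primary)
    disjunction = right_assoc("\\/", conjunction)
    implication = right_assoc("==>", disjunction)
    tree = implication()
    if pos != len(tokens):
        raise ValueError("trailing input")
    return tree


def atoms(tree):
    if tree[0] == "atom":
        return {tree[1]}
    return set().union(*(atoms(sub) for sub in tree[1:]))


def evaluate(tree, env):
    tag = tree[0]
    if tag == "atom":
        return env[tree[1]]
    if tag == "~":
        return not evaluate(tree[1], env)
    left, right = evaluate(tree[1], env), evaluate(tree[2], env)
    if tag == "/\\":
        return left and right
    if tag == "\\/":
        return left or right
    return (not left) or right  # "==>"


def counterexample(text):
    """Return a falsifying assignment, or None if the formula is a tautology."""
    tree = parse(text)
    names = sorted(atoms(tree))
    for values in itertools.product([False, True], repeat=len(names)):
        env = dict(zip(names, values))
        if not evaluate(tree, env):
            return env
    return None


if __name__ == "__main__":
    print("atoms:", len(atoms(parse(GOAL))))
    print("goal counterexample:", counterexample(GOAL))
    print("weakened counterexample:", counterexample(WEAKENED))
```

With six atoms there are only 64 assignments to check, so the cost John describes comes from how the default provers search, not from the size of the problem.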

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-05-12 03:00

John and Freek, I finished porting my Tarski geometry Mizar code to
miz3, and it's about 2/3 the size!!! Thank you again for your help!
John, your parse_as_infix' advice worked perfectly.

   You did a good job of boiling down the essential core.

Thanks, John! I spent years working for Richard Stallman, who taught
me to write (Emacs) bug reports. It didn't help my math career, but
it was great to find folks who WANTED to hear about their errors! I
found a workaround for this problem that I feel is a better solution.
I didn't know how to nest cases in Mizar, but Freek's grammar showed
me how to do it.

Two comments about miz3:

1) I was able to write 1500 lines of Mizar code without any good Mizar
dox because the error messages were informative enough. The miz3
error messages are not nearly as good, and I'll accept Freek's word
that HOL Light causes this. But we can make do with baffling error
messages if the dox are good enough. I would sit down right now and
write up the syntax & semantics of miz3 if I knew what they were.

2) We don't need strict miz3 compliance with Mizar. Mizar was
extremely successful in showing that lots of folks can write up lots
of formal proofs, without being a HOL Light or Coq code wizard. But
at this point Mizar is like an old pyramid, and we need spaceships.

--
Best,
Bill

(* Paste in these 2 commands:
   hol_light> ocaml
   #use "hol.ml";;
   then paste in the following file *)

(* ================================================================= *)
(* HOL Light Tarski geometry axiomatic proofs up to Gupta's theorem. *)
(* ================================================================= *)

(* Proof assistants like HOL Light can be used to help teach rigorous
   axiomatic geometry in high school using Hilbert's axioms, and
   introduce students to the world of formal proofs, which should
   become a hot area in debugging computer software.
   This is a port, mostly due to John Harrison, of Mizar code, which
   was heavily influenced by Julien Narboux's Coq pseudo-code
   http://dpt-info.u-strasbg.fr/~narboux/tarski.html and Wojciech
   A. Trybulec's incsp_1.miz in the MML library on axioms of incidence
   geometry. We partially prove the theorem of the 1983 book
   Metamathematische Methoden in der Geometrie by Schwabhäuser,
   Szmielew, and Tarski, that Tarski's (extremely weak!) plane geometry
   axioms imply Hilbert's axioms. We get about as far as Narboux, with
   Gupta's amazing proof which implies Hilbert's axiom I1 that two
   points determine a line.

   Thanks to Mizar folks who wrote an influential language I was able
   to learn, Freek Wiedijk, who wrote the miz3 port of Mizar to HOL
   Light, and especially John Harrison, who came up with the entire
   framework of porting my axiomatic proofs to HOL Light. *)

new_type("point",0);;
parse_as_infix("===",(12, "right"));;
parse_as_infix("cong",(12, "right"));;
parse_as_infix("on_line",(12, "right"));;
parse_as_infix("equal_line",(12, "right"));;
new_constant("===",`:point#point->point#point->bool`);;
new_constant("Between",`:point#point#point->bool`);;

let cong_DEF = new_definition
  `a,b,c cong x,y,z <=>
   a,b === x,y /\ a,c === x,z /\ b,c === y,z`;;

let is_ordered_DEF = new_definition
  `is_ordered (a,b,c,d) <=>
   Between (a,b,c) /\ Between (a,b,d) /\ Between (a,c,d) /\ Between (b,c,d)`;;

let Line_DEF = new_definition
  `x on_line a,b <=>
   ~(a = b) /\ (Between (a,b,x) \/ Between (a,x,b) \/ Between (x,a,b))`;;

let LineEq_DEF = new_definition
  `a,b equal_line x,y <=>
   ~(a = b) /\ ~(x = y) /\ ! c . c on_line a,b <=> c on_line x,y`;;

(* ------------------------------------------------------------------------- *)
(* The axioms.                                                               *)
(* ------------------------------------------------------------------------- *)

let A1 = new_axiom
  `!a b. a,b === b,a`;;

let A2 = new_axiom
  `!a b p q r s. a,b === p,q /\ a,b === r,s ==> p,q === r,s`;;

let A3 = new_axiom
  `!a b c. a,b === c,c ==> a = b`;;

let A4 = new_axiom
  `!a q b c. ?x. Between(q,a,x) /\ a,x === b,c`;;

let A5 = new_axiom
  `!a b c x a' b' c' x'.
     ~(a = b) /\ a,b,c cong a',b',c' /\
     Between(a,b,x) /\ Between(a',b',x') /\ b,x === b',x'
     ==> c,x === c',x'`;;

let A6 = new_axiom
  `!a b. Between(a,b,a) ==> a = b`;;

let A7 = new_axiom
  `!a b p q z.
     Between(a,p,z) /\ Between(b,q,z)
     ==> ?x. Between(p,x,b) /\ Between(q,x,a)`;;

(* A4 is the Segment Construction axiom, A5 is the SAS axiom and A7 is
   the Inner Pasch axiom. There are 4 more axioms we're not using yet:
   there exist 3 non-collinear points; 3 points equidistant from 2
   distinct points are collinear; Euclid's parallel postulate; a first
   order version of Hilbert's Dedekind Cuts axiom.

   We shall say we apply SAS to a+cbx and a'+c'b'x'. Normally one
   applies SAS by showing cb = c'b' bx = b'x' (which we assume) and
   angle cbx cong angle c'b'x'. One might prove the angle congruence by
   showing that the triangles abc /\ a'b'c' were congruent by SSS
   (which we also assume) and then apply the theorem that complements
   of congruent angles are congruent. Hence Tarski's axiom. *)

(* ------------------------------------------------------------------------- *)
(* Now Mizarlight versions of the actual proofs.                             *)
(* ------------------------------------------------------------------------- *)

#load "unix.cma";;
loadt "miz3/miz3.ml";;
horizon := 0;;

let EquivReflexive = thm `;
  !a b. a,b === a,b
  proof
    let a b be point;
    b,a === a,b by A1;
  qed by -, A2`;;

let EquivSymmetric = thm `;
  !a b c d. a,b === c,d ==> c,d === a,b
  proof
    let a b c d be point;
    assume a,b === c,d [1];
    a,b === a,b by EquivReflexive;
  qed by -, 1, A2`;;

let EquivTransitive = thm `;
  !a b p q r s . a,b === p,q /\ p,q === r,s ==> a,b === r,s
  proof
    let a b p q r s be point;
    assume a,b === p,q [H1];
    assume p,q === r,s [H2];
    p,q === a,b by H1, EquivSymmetric;
  qed by -, H2, A2`;;

let Baaa_THM = thm `;
  !a b. Between (a,a,a) /\ a,a === b,b
  proof
    let a b be point;
    consider x such that Between (a,a,x) /\ a,x === b,b [X1] by A4;
    a = x by -, A3;
  qed by -, X1`;;

let Bqaa_THM = thm `;
  !a q. Between(q,a,a)
  proof
    let a q be point;
    consider x such that Between(q,a,x) /\ a,x === a,a [X1] by A4;
    a = x by -, A3;
  qed by -, X1`;;

let C1_THM = thm `;
  let a b x y be point;
  assume ~(a = b) [H1];
  assume Between (a,b,x) [H2];
  assume Between (a,b,y) [H3];
  assume b,x === b,y [H4];
  thus y = x
  proof
    a,b === a,b /\ a,y === a,y /\ b,y === b,y by EquivReflexive;
    a,b,y cong a,b,y by -, cong_DEF;
    y,x === y,y by -, H1, H2, H3, H4, A5;
  qed by -, A3`;;

let Bsymmetry_THM = thm `;
  let a p z be point;
  thus Between (a,p,z) ==> Between (z,p,a)
  proof
    assume Between (a,p,z) [H1];
    Between (p,z,z) by Bqaa_THM;
    consider x such that Between (p,x,p) /\ Between (z,x,a) [X1] by -, H1, A7;
    x = p by -, A6;
  qed by -, X1`;;

let Baaq_THM = thm `;
  let a q be point;
  thus Between (a,a,q)
  proof
    Between (q,a,a) by Bqaa_THM;
  qed by -, Bsymmetry_THM`;;

let BEquality_THM = thm `;
  let a b c be point;
  thus Between (a,b,c) /\ Between (b,a,c) ==> a = b
  proof
    assume Between (a,b,c) [H1];
    assume Between (b,a,c);
    ? x . Between (b,x,b) /\ Between (a,x,a) by -, H1, A7;
    consider x such that Between (b,x,b) /\ Between (a,x,a) [X1] by -;
    b = x by X1, A6;
    Between (a,b,a) by -, X1;
  qed by -, A6`;;

let B124and234then123_THM = thm `;
  let a b c d be point;
  assume Between (a,b,d) [H1];
  assume Between (b,c,d) [H2];
  thus Between (a,b,c)
  proof
    ? x . Between (b,x,b) /\ Between (c,x,a) by H1, H2, A7;
    consider x such that Between (b,x,b) /\ Between (c,x,a) [X1] by -;
    b = x by X1, A6;
    Between (c,b,a) by -, X1;
  qed by -, Bsymmetry_THM`;;

let BTransitivity_THM = thm `;
  let a b c d be point;
  assume ~(b = c) [H1];
  assume Between (a,b,c) [H2];
  assume Between (b,c,d) [H3];
  thus Between (a,c,d)
  proof
    consider x such that Between (a,c,x) /\ c,x === c,d [X1] by A4;
    Between (x,c,a) [X2] by -, Bsymmetry_THM;
    Between (c,b,a) by H2, Bsymmetry_THM;
    Between (x,c,b) by -, X2, B124and234then123_THM;
    Between (b,c,x) by -, Bsymmetry_THM;
    x = d by -, H1, H3, X1, C1_THM;
  qed by -, X1`;;

let BTransitivityOrdered_THM = thm `;
  let a b c d be point;
  assume ~(b = c) [H1];
  assume Between (a,b,c) [H2];
  assume Between (b,c,d) [H3];
  thus is_ordered (a,b,c,d)
  proof
    Between (a,c,d) [X1] by H1, H2, H3, BTransitivity_THM;
    Between (d,c,b) [X2] by H3, Bsymmetry_THM;
    Between (c,b,a) by -, H2, Bsymmetry_THM;
    Between (d,b,a) by -, H1, X2, BTransitivity_THM;
    Between (a,b,d) by -, Bsymmetry_THM;
  qed by H2, -, X1, H3, is_ordered_DEF`;;

let B124and234Ordered_THM = thm `;
  let a b c d be point;
  assume Between (a,b,d) [H1];
  assume Between (b,c,d) [H2];
  thus is_ordered (a,b,c,d)
  proof
    cases;
    suppose b = c [P1];
      Between (a,b,c) [P2] by -, Bqaa_THM;
      Between (a,c,d) by P1, H1;
    qed by P2, H1, -, H2, is_ordered_DEF;
    suppose ~(b = c) [Q1];
      Between (a,b,c) by H1, H2, B124and234then123_THM;
    qed by -, Q1, H2, BTransitivityOrdered_THM;
  end`;;

let SegmentAddition_THM = thm `;
  let a b c a' b' c' be point;
  assume Between (a,b,c) [H1];
  assume Between (a',b',c') [H2];
  assume a,b === a',b' [H3];
  assume b,c === b',c' [H4];
  thus a,c === a',c'
  proof
    cases;
    suppose a = b [Y1];
      a,a === a',b' by H3, Y1;
      a',b' === a,a by -, EquivSymmetric;
      a' = b' by -, A3;
    qed by -, H4, Y1;
    suppose ~(a = b) [Z1];
      b,a === a,b by A1;
      b,a === a',b' [Z2] by -, H3, EquivTransitive;
      a',b' === b',a' by A1;
      b,a === b',a' [Z3] by -, Z2, EquivTransitive;
      a,a === a',a' by Baaa_THM;
      a,b,a cong a',b',a' by -, H3, Z3, cong_DEF;
    qed by -, Z1, H1, H2, H4, A5;
  end`;;

let CongruenceDoubleSymmetry_THM = thm `;
  let a b c d be point;
  assume a,b === c,d [H1];
  thus b,a === d,c
  proof
    b,a === a,b /\ c,d === d,c [X1] by H1, A1;
    a,b === d,c by H1, X1, EquivTransitive;
  qed by -, X1, EquivTransitive`;;

let C1prime_THM = thm `;
  let a b x y be point;
  assume ~(a = b) [H1];
  assume Between (a,b,x) [H2];
  assume Between (a,b,y) [H3];
  assume a,x === a,y [H4];
  thus x = y
  proof
    consider m such that Between (b,a,m) /\ a,m === a,b [X1] by A4;
    Between (m,a,b) [X2] by X1, Bsymmetry_THM;
    ~(m = a) [X3] by X1, EquivSymmetric, A3, H1;
    is_ordered (m,a,b,x) by H1, X2, H2, BTransitivityOrdered_THM;
    Between (m,a,x) [X4] by -, is_ordered_DEF;
    is_ordered (m,a,b,y) by H1, X2, H3, BTransitivityOrdered_THM;
    Between (m,a,y) by -, is_ordered_DEF;
  qed by -, X3, X4, H4, C1_THM`;;

let SegmentSubtraction_THM = thm `;
  let a b c a' b' c' be point;
  assume Between (a,b,c) [H1];
  assume Between (a',b',c') [H2];
  assume a,b === a',b' [H3];
  assume a,c === a',c' [H4];
  thus b,c === b',c'
  proof
    cases;
    suppose a = b [Y1];
      a,a === a',b' by -, H3;
      a',b' === a,a by -, EquivSymmetric;
      a' = b' by -, A3;
    qed by -, H4, Y1;
    suppose ~(a = b) [Z1];
      consider x such that Between (a,b,x) /\ b,x === b',c' [Z2] by A4;
      a,x === a',c' [Z3] by Z2, H2, H3, SegmentAddition_THM;
      a',c' === a,c by H4, EquivSymmetric;
      a,x === a,c by -, Z3, EquivTransitive;
      x = c by -, Z1, Z2, H1, C1prime_THM;
    qed by -, Z2;
  end`;;

let EasyAngleTransport_THM = thm `;
  let a O b be point;
  assume ~(O = a) [H1];
  thus ? x y . Between (b,O,x) /\ Between (a,O,y) /\ x,y,O cong a,b,O
  proof
    consider x such that Between (b,O,x) /\ O,x === O,a [X2] by A4;
    x,O === a,O [X3] by -, CongruenceDoubleSymmetry_THM;
    a,O === x,O [X4] by -, EquivSymmetric;
    a,x === x,a by A1;
    a,O,x cong x,O,a [X5] by X4, -, X2, cong_DEF;
    consider y such that Between (a,O,y) /\ O,y === O,b [X6] by A4;
    Between (x,O,b) by X2, Bsymmetry_THM;
    x,y === a,b [X7] by H1, X5, X6, -, A5;
    y,O === b,O by X6, CongruenceDoubleSymmetry_THM;
    x,y,O cong a,b,O by X7, X3, -, cong_DEF;
  qed by X2, X6, -`;;

let B123and134Ordered_THM = thm `;
  let a b c d be point;
  assume Between (a,b,c) [H1];
  assume Between (a,c,d) [H2];
  thus is_ordered (a,b,c,d)
  proof
    Between (d,c,a) /\ Between (c,b,a) by H2, H1, Bsymmetry_THM;
    is_ordered (d,c,b,a) by -, B124and234Ordered_THM;
    Between (d,b,a) /\ Between (d,c,b) by -, is_ordered_DEF;
    Between (a,b,d) /\ Between (b,c,d) by -, Bsymmetry_THM;
  qed by -, H1, H2, is_ordered_DEF`;;

let BextendToLine_THM = thm `;
  let a b c d be point;
  assume ~(a = b) [H1];
  assume Between (a,b,c) [H2];
  assume Between (a,b,d) [H3];
  thus ? x . is_ordered (a,b,c,x) /\ is_ordered (a,b,d,x)
  proof
    consider u such that Between (a,c,u) /\ c,u === b,d [X1] by A4;
    is_ordered (a,b,c,u) [X2] by H2, X1, B123and134Ordered_THM;
    Between (b,c,u) by X2, is_ordered_DEF;
    Between (u,c,b) [X3] by -, Bsymmetry_THM;
    u,c === c,u by A1;
    u,c === b,d [X4] by -, X1, EquivTransitive;
    Between (a,b,u) [X5] by X2, is_ordered_DEF;
    consider x such that Between (a,d,x) /\ d,x === b,c [Y1] by A4;
    is_ordered (a,b,d,x) [Y2] by H3, Y1, B123and134Ordered_THM;
    Between (b,d,x) [Y3] by -, is_ordered_DEF;
    b,c === d,x [Y4] by Y1, EquivSymmetric;
    c,b === b,c by A1;
    c,b === d,x [Y5] by -, Y4, EquivTransitive;
    Between (a,b,x) [Y6] by Y2, is_ordered_DEF;
    u,b === b,x [X6] by X3, Y3, X4, Y5, SegmentAddition_THM;
    b,u === u,b by A1;
    b,u === b,x by -, X6, EquivTransitive;
    u = x by -, H1, X5, Y6, C1_THM;
  qed by -, X2, Y2`;;

let GuptaEasy_THM = thm `;
  let a b c d be point;
  assume ~(a = b) [H1];
  assume Between (a,b,c) [H2];
  assume Between (a,b,d) [H3];
  assume ~(b = c) [H4];
  assume ~(b = d) [H5];
  thus ~ Between (c,b,d)
  proof
    cases;
    suppose ~ Between (c,b,d);
    qed by -;
    suppose Between (c,b,d) [H6];
      ? x . is_ordered (a,b,c,x) /\ is_ordered (a,b,d,x)
        by H1, H2, H3, BextendToLine_THM;
      consider x such that is_ordered (a,b,c,x) /\ is_ordered (a,b,d,x) [X1] by -;
      Between (b,d,x) by X1, is_ordered_DEF;
      is_ordered (c,b,d,x) by -, H5, H6, BTransitivityOrdered_THM;
      Between (b,c,x) /\ Between (c,b,x) by -, X1, is_ordered_DEF;
      b = c [X2] by -, BEquality_THM;
      F by -, H4, X2;
    qed by -;
  end`;;

(* The next result is like SAS: there are 5 pairs of segments 4
   equivalent. We say we apply Inner5Segments to abc-x and a'b'c'-x' *)

let Inner5Segments_THM = thm `;
  let a b c x a' b' c' x' be point;
  assume a,b,c cong a',b',c' [H1];
  assume Between (a,x,c) [H2];
  assume Between (a',x',c') [H3];
  assume c,x === c',x' [H4];
  thus b,x === b',x'
  proof
    a,b === a',b' /\ a,c === a',c' /\ b,c === b',c' [X1] by H1, cong_DEF;
    cases;
    suppose x = c [Case1];
      c',x' === c,c by H4, Case1, EquivSymmetric;
      x' = c' by -, A3;
    qed by -, Case1, X1;
    suppose ~(x = c) [Case2];
      ~(a = c) [X2] by H2, A6, Case2;
      consider y such that Between (a,c,y) /\ c,y === a,c [X3] by A4;
      consider y' such that Between (a',c',y') /\ c',y' === a,c [X4] by A4;
      a,c === c',y' by X4, EquivSymmetric;
      c,y === c',y' [X5] by -, X3, EquivTransitive;
      c,b === c',b' [X6] by X1, CongruenceDoubleSymmetry_THM;
      a,c,b cong a',c',b' by cong_DEF, X1, X6;
      b,y === b',y' [X7] by -, X2, X3, X4, X5, A5;
      ~(y = c) [X8] by X3, EquivSymmetric, A3, X2;
      Between (y,c,a) /\ Between (c,x,a) by X3, H2, Bsymmetry_THM;
      Between (y,c,x) [X9] by -, B124and234then123_THM;
      Between (y',c',a') /\ Between (c',x',a') by -, X4, H3, Bsymmetry_THM;
      Between (y',c',x') [X10] by -, B124and234then123_THM;
      y,c === y',c' /\ y,b === y',b' by X5, X7, CongruenceDoubleSymmetry_THM;
      y,c,b cong y',c',b' by -, cong_DEF, X6;
    qed by -, X8, X9, X10, H4, A5;
  end`;;

let RhombusDiagBisect_THM = thm `;
  let b c d c' d' be point;
  assume Between (b,c,d') [H1];
  assume Between (b,d,c') [H2];
  assume c,d' === c,d [H3];
  assume d,c' === c,d [H4];
  assume d',c' === c,d [H5];
  thus ? e . Between (c,e,c') /\ Between (d,e,d') /\ c,e === c',e /\ d,e === d',e
  proof
    Between (d',c,b) /\ Between (c',d,b) [X1] by H1, H2, Bsymmetry_THM;
    consider e such that Between (c,e,c') /\ Between (d,e,d') [X2] by X1, A7;
    c,d === c,d' [X3] by H3, EquivSymmetric;
    c,c' === c,c' [X4] by EquivReflexive;
    c,d === d',c' by H5, EquivSymmetric;
    d,c' === d',c' by -, H4, EquivTransitive;
    c,d,c' cong c,d',c' by -, X3, X4, cong_DEF;
    d,e === d',e [X5] by -, X2, EquivReflexive, Inner5Segments_THM;
    d,c === c,d [X6] by A1;
    c,d === d,c' by H4, EquivSymmetric;
    d,c === d,c' [X7] by -, X6, EquivTransitive;
    d,d' === d,d' [X8] by EquivReflexive;
    c,d === d',c' [X9] by H5, EquivSymmetric;
    d',c' === c',d' by A1;
    c,d === c',d' by -, X9, EquivTransitive;
    c,d' === c',d' [X10] by -, H3, EquivTransitive;
    d,d' === d,d' by EquivReflexive;
    d,c,d' cong d,c',d' by -, X7, X8, X10, cong_DEF;
    c,e === c',e by -, X2, EquivReflexive, Inner5Segments_THM;
  qed by -, X2, X5`;;

let FlatNormal_THM = thm `;
  let a b c d d' e be point;
  assume Between (b,c,d') [H1];
  assume Between (d,e,d') [H2];
  assume c,d' === c,d [H3];
  assume d,e === d',e [H4];
  assume ~(c = d) [H5];
  assume ~(e = d) [H6];
  thus ? p r q . Between (p,r,q) /\ Between (r,c,d') /\ Between (e,c,p) /\
                 r,c,p cong r,c,q /\ r,c === e,c /\ p,r === d,e
  proof
    ~(c = d') by H5, H3, EquivSymmetric, A3;
    consider p r such that
      Between (e,c,p) /\ Between (d',c,r) /\ p,r,c cong d',e,c [X1]
      by -, EasyAngleTransport_THM;
    p,r === d',e /\ p,c === d',c /\ r,c === e,c [X2] by -, X1, cong_DEF;
    d',e === d,e by H4, EquivSymmetric;
    p,r === d,e [X3] by -, X2, EquivTransitive;
    ~(p = r) [X4] by -, EquivSymmetric, H6, A3;
    consider q such that Between (p,r,q) /\ r,q === e,d [X5] by A4;
    Between (d',e,d) [X6] by H2, Bsymmetry_THM;
    c,p === c,d' by -, X2, CongruenceDoubleSymmetry_THM;
    c,p === c,d [X7] by -, H3, EquivTransitive;
    :: Apply SAS to p+crq /\ d'+ced
    c,q === c,d by X4, X1, X5, X6, A5;
    c,d === c,q by -, EquivSymmetric;
    c,p === c,q [X8] by -, X7, EquivTransitive;
    r,c === r,c [X9] by EquivReflexive;
    r,p === e,d [X10] by X3, CongruenceDoubleSymmetry_THM;
    e,d === r,q by X5, EquivSymmetric;
    r,p === r,q by -, X10, EquivTransitive;
    r,c,p cong r,c,q [X11] by -, X9, X8, cong_DEF;
    Between (r,c,d') [X12] by X1, Bsymmetry_THM;
  qed by -, X5, X11, X12, X2, X1, X3`;;

let EqDist2PointsBetween_THM = thm `;
  let a b c p q be point;
  assume ~(a = b) [H1];
  assume Between (a,b,c) [H2];
  assume a,p === a,q /\ b,p === b,q [H3];
  thus c,p === c,q
  ::a & b are equidistant from p & q. Apply SAS to a+pbc /\ a+qbc.
  proof
    a,b === a,b /\ b,c === b,c [X1] by EquivReflexive;
    a,b,p cong a,b,q by -, H3, cong_DEF;
    p,c === q,c by H1, -, H2, X1, A5;
  qed by -, CongruenceDoubleSymmetry_THM`;;

let EqDist2PointsInnerBetween_THM = thm `;
  let a x c p q be point;
  assume Between (a,x,c) [H1];
  assume a,p === a,q /\ c,p === c,q [H2];
  thus x,p === x,q
  ::a and c are equidistant from p and q. Apply Inner5Segments to
  ::apb-x /\ aqb-x.
  proof
    a,c === a,c /\ c,x === c,x [X1] by EquivReflexive;
    p,c === q,c by H2, CongruenceDoubleSymmetry_THM;
    a,p,c cong a,q,c by -, H2, X1, cong_DEF;
    p,x === q,x by -, H1, X1, Inner5Segments_THM;
  qed by -, CongruenceDoubleSymmetry_THM`;;

let Gupta_THM = thm `;
  let a b c d be point;
  assume ~(a = b) [H1];
  assume Between (a,b,c) [H2];
  assume Between (a,b,d) [H3];
  thus Between (b,d,c) \/ Between (b,c,d)
  proof
    cases;
    suppose b = c \/ b = d \/ c = d;
      Between (b,d,c) \/ Between (b,c,d) by -, Baaq_THM, Bqaa_THM;
    qed by -;
    suppose ~(b = c) /\ ~(b = d) /\ ~(c = d) [H4];
      assume ~ (Between (b,d,c)) [H5];
      consider d' such that Between (a,c,d') /\ c,d' === c,d [X1] by A4;
      consider c' such that Between (a,d,c') /\ d,c' === c,d [X2] by A4;
      is_ordered (a,b,c,d') by H2, X1, B123and134Ordered_THM;
      Between (a,b,d') /\ Between (b,c,d') [X3] by -, is_ordered_DEF;
      is_ordered (a,b,d,c') by H3, X2, B123and134Ordered_THM;
      Between (a,b,c') /\ Between (b,d,c') [X4] by -, is_ordered_DEF;
      ~(c = d') [X5] by X1, H4, A3, EquivSymmetric;
      ~(d = c') [X6] by X2, H4, A3, EquivSymmetric;
      ~(b = d') [X7] by X3, H4, A6;
      ~(b = c') [X8] by X4, H4, A6;
      :: In the proof below, we prove a stronger result than
      :: BextendToLine_THM with much the same proof. We find u /\ b'
      :: with essentially a,b,c,d',u and a b,d,c',b' ordered 5-tuples
      :: with d'u === db /\ cb' === bc. *)
      consider u such that Between (c,d',u) /\ d',u === b,d [Y1] by A4;
      is_ordered (b,c,d',u) by X5, X3, Y1, BTransitivityOrdered_THM;
      Between (b,c,u) /\ Between (b,d',u) [Y2] by -, is_ordered_DEF;
      consider b' such that Between (d,c',b') /\ c',b' === b,c [Y3] by A4;
      is_ordered (b,d,c',b') by X6, X4, Y3, BTransitivityOrdered_THM;
      Between (b,d,b') /\ Between (b,c',b') [Y4] by -, is_ordered_DEF;
      Between (c',d,b) [Y5] by X4, Bsymmetry_THM;
      d,c' === c',d /\ b,d === d,b [Y6] by A1;
      c,d === d,c' by X2, EquivSymmetric;
      c,d' === d,c' by -, X1, EquivTransitive;
      c,d' === c',d [Y7] by -, Y6, EquivTransitive;
      d',u === d,b by Y1, Y6, EquivTransitive;
      c,u === c',b [Y8] by -, Y1, Y5, Y7, SegmentAddition_THM;
      c',b' === b',c' /\ b',b === b,b' [Y9] by A1;
      b,c === c',b' by Y3, EquivSymmetric;
      b,c === b',c' [Y10] by -, Y9, EquivTransitive;
      Between (b',c',b) by Y4, Bsymmetry_THM;
      b,u === b',b by -, Y2, Y10, Y8, SegmentAddition_THM;
      b,u === b,b' [Y11] by -, Y9, EquivTransitive;
      is_ordered (a,b,d',u) [Y12] by X7, X3, Y2, BTransitivityOrdered_THM;
      is_ordered (a,b,c',b') by X8, X4, Y4, BTransitivityOrdered_THM;
      Between (a,b,u) /\ Between (a,b,b') by -, Y12, is_ordered_DEF;
      u = b' [Y13] by -, H1, Y11, C1_THM;
      :: Show c'd' === cd by applying SAS to b+c'cd /\ b'+cc'd.
      c',b === c,b' by Y13, Y8, EquivSymmetric;
      b,c' === b',c [Z1] by -, CongruenceDoubleSymmetry_THM;
      c,c' === c',c by A1;
      b,c,c' cong b',c',c [Z2] by -, Y10, Z1, cong_DEF;
      Between (b',c',d) by Y3, Bsymmetry_THM;
      c',d' === c,d [Z3] by -, H4, Z2, X3, Y7, A5;
      d',c' === c',d' by A1;
      d',c' === c,d by -, Z3, EquivTransitive;
      :: c,d',c',d is a "flat" rhombus. The diagonals bisect each other.
      consider e such that
        Between (c,e,c') /\ Between (d,e,d') /\ c,e === c',e /\ d,e === d',e [Z4]
        by -, X3, X4, X1, X2, RhombusDiagBisect_THM;
      ~(e = c) [U1]
      proof
        cases;
        suppose ~(e = c);
        qed by -;
        suppose e = c [U2];
          c' = e by U2, Z4, EquivSymmetric, A3;
          c' = c by -, U2;
          Between (b,d,c) [U3] by -, X4;
          F by -, U3, H5;
        qed by -;
      end;
      e = d [V1]
      proof
        cases;
        suppose e = d;
        qed by -;
        suppose ~(e = d) [V2];
          consider p r q such that
            Between (p,r,q) /\ Between (r,c,d') /\ Between (e,c,p) /\
            r,c,p cong r,c,q /\ r,c === e,c /\ p,r === d,e [W1]
            by X3, Z4, X1, H4, V2, FlatNormal_THM;
          r,p === r,q /\ c,p === c,q [W2] by W1, cong_DEF;
          :: r and c are equidistant from p and q, r <> c, Between r,c,d', thus also d'
          ~(c = r) by W1, U1, EquivSymmetric, A3;
          d',p === d',q [W3] by -, W1, W2, EqDist2PointsBetween_THM;
          :: c and d' are equidistant from p and q, c <> d',
          :: Between c,d',b', thus also b'.
          Between (c,d',b') by Y1, Y13;
          b',p === b',q [W4] by -, X5, W2, W3, EqDist2PointsBetween_THM;
          :: d' and c are equidistant from p and q, d' <> c, Between d',c,b, thus also b.
          Between (d',c,b) by X3, Bsymmetry_THM;
          b,p === b,q [W5] by -, X5, W3, W2, EqDist2PointsBetween_THM;
          :: b and b' are equidistant from p and q, Between b,c',b, thus also c'.
          c',p === c',q [W7] by Y4, W4, W5, EqDist2PointsInnerBetween_THM;
          :: c' and c are equidistant from p and q, c' <> c, Between c',c,p, thus also p.
          Between (c',e,c) by Z4, Bsymmetry_THM;
          is_ordered (c',e,c,p) by -, U1, W1, BTransitivityOrdered_THM;
          Between (c',c,p) [W8] by -, is_ordered_DEF;
          ~(c' = c) by Z4, U1, A6;
          p,p === p,q by -, W8, W7, W2, EqDist2PointsBetween_THM;
          :: Now we deduce a contradiction from p = q.
          q = p by -, EquivSymmetric, A3;
          p = r by -, W1, A6;
          e = d [W9] by -, W1, EquivSymmetric, A3;
          F by -, W9, V2;
        qed by -;
      end;
      d' = e by V1, Z4, EquivSymmetric, A3;
      d' = d by -, V1;
      Between (b,c,d) by -, X3;
    qed by -;
  end`;;

(* Using Gupta's theorem, we prove Hilbert's axiom I3; a line is
   determined by two points. *)

let I1part1_THM = thm `;
  let a b x be point;
  assume ~(a = b) [H1];
  assume ~(a = x) [H2];
  assume x on_line a,b [H3];
  thus ! c . c on_line a,b ==> c on_line a,x
  proof
    let c be point;
    assume c on_line a,b [H4];
    Between (a,b,x) \/ Between (a,x,b) \/ Between (x,a,b) [X1] by H3, Line_DEF;
    Between (a,b,c) \/ Between (a,c,b) \/ Between (c,a,b) [X2] by H4, Line_DEF;
    x = b \/ b = c \/ (~(x = b) /\ ~(b = c));
    cases by -;
    suppose x = b [Case1];
    qed by -, H4;
    suppose b = c [Case3];
      Between (a,c,x) \/ Between (a,x,c) \/ Between (x,a,c) by -, X1;
      Between (a,c,x) \/ Between (a,x,c) \/ Between (c,a,x) by -, Bsymmetry_THM;
    qed by -, H2, Line_DEF;
    suppose ~(x = b) /\ ~(b = c) [Case2];
      Between (a,x,c) \/ Between (a,c,x) \/ Between (x,a,c) [P]
      proof
        cases by X1;
        suppose Between (a,b,x) [Y1];
          cases by X2;
          suppose Between (a,b,c) [Y11];
            Between (b,x,c) \/ Between (b,c,x) by -, Y1, H1, Gupta_THM;
            is_ordered (a,b,x,c) \/ is_ordered (a,b,c,x)
              by Case2, Y1, Y11, -, BTransitivityOrdered_THM;
            Between (a,x,c) \/ Between (a,c,x) by -, is_ordered_DEF;
          qed by -;
          suppose Between (a,c,b);
            is_ordered (a,c,b,x) by -, Y1, B123and134Ordered_THM;
          qed by -, is_ordered_DEF;
          suppose Between (c,a,b);
            is_ordered (c,a,b,x) by H1, -, Y1, BTransitivityOrdered_THM;
            Between (c,a,x) by -, is_ordered_DEF;
          qed by -, Bsymmetry_THM;
        end;
        suppose Between (a,x,b) [Y2];
          cases by X2;
          suppose Between (a,b,c);
            is_ordered (a,x,b,c) by -, Y2, B123and134Ordered_THM;
          qed by -, is_ordered_DEF;
          suppose Between (a,c,b) [Y22];
            consider m such that Between (b,a,m) /\ a,m === a,b [X5] by -, A4;
            ~(a = m) [X6] by H1, X5, EquivSymmetric, A3;
            Between (m,a,b) by X5, Bsymmetry_THM; :: m,a,c,b & m,a,x,b
            Between (m,a,c) /\ Between (m,a,x) by -, Y22, Y2, B124and234then123_THM;
            Between (a,c,x) \/ Between (a,x,c) by -, X6, Gupta_THM;
          qed by -;
          suppose Between (c,a,b);
            Between (c,a,x) by -, Y2, B124and234then123_THM; :: c,a,x,b
          qed by -, Bsymmetry_THM;
        end;
        suppose Between (x,a,b) [Y3];
          cases by X2;
          suppose Between (a,b,c);
            is_ordered (x,a,b,c) by H1, -, Y3, BTransitivityOrdered_THM;
          qed by -, is_ordered_DEF;
          suppose Between (a,c,b);
          qed by Y3, -, B124and234then123_THM; :: x,a,c,b
          suppose Between (c,a,b);
            Between (b,a,x) /\ Between (b,a,c) by Y3, -, Bsymmetry_THM;
            Between (a,x,c) \/ Between (a,c,x) by -, H1, Gupta_THM;
          qed by -;
        end;
      end;
      Between (a,x,c) \/ Between (a,c,x) \/ Between (c,a,x) by P, Bsymmetry_THM;
      c on_line a,x by -, H2, Line_DEF;
    qed by -;
  end`;;

let I1part2_THM = thm `;
  let a b x be point;
  assume ~(a = b) [H1];
  assume ~(a = x) [H2];
  assume x on_line a,b [H3];
  thus a,b equal_line a,x
  proof
    ! c . c on_line a,b <=> c on_line a,x [P]
    proof
      let c be point;
      c on_line a,b ==> c on_line a,x [Imp1]
      proof
        assume c on_line a,b;
        c on_line a,x by -, H1, H2, H3, I1part1_THM;
      qed by -;
      c on_line a,x ==> c on_line a,b [Imp2]
      proof
        assume c on_line a,x [H4];
        Between (a,b,x) \/ Between (a,x,b) \/ Between (x,a,b) by H3, Line_DEF;
        Between (a,b,x) \/ Between (a,x,b) \/ Between (b,a,x) by -, Bsymmetry_THM;
        b on_line a,x by -, H2, Line_DEF;
        c on_line a,b by -, H1, H2, H4, I1part1_THM;
      qed by -;
    qed by Imp1, Imp2;
  qed by H1, H2, P, LineEq_DEF`;;

let I1part2_THM = thm `;
  let a b x be point;
  assume ~(a = b) [H1];
  assume ~(a = x) [H2];
  assume x on_line a,b [H3];
  thus a,b equal_line a,x
  proof
    Between (a,b,x) \/ Between (a,x,b) \/ Between (x,a,b) by H3, Line_DEF;
    Between (a,b,x) \/ Between (a,x,b) \/ Between (b,a,x) by -, Bsymmetry_THM;
    b on_line a,x [Z1] by -, H2, Line_DEF;
    ! c . c on_line a,b ==> c on_line a,x [Z2] by H1, H2, H3, I1part1_THM;
    ! c . c on_line a,x ==> c on_line a,b [Z3] by H1, H2, Z1, I1part1_THM;
    ! c . c on_line a,x <=> c on_line a,b by Z2, Z3;
  qed by H1, H2, -, LineEq_DEF`;;

let LineEqRefl_THM = thm `;
  let a b be point;
  assume ~(a = b) [H1];
  thus a,b equal_line a,b
  proof
    ! c . c on_line a,b <=> c on_line a,b;
    a,b equal_line a,b by -, H1, LineEq_DEF;
  qed by -`;;

let LineEqA1_THM = thm `;
  let a b be point;
  assume ~(a = b) [H1];
  thus a,b equal_line b,a
  proof
    ! c . c on_line a,b <=> c on_line b,a [P]
    proof
      let c be point;
      c on_line a,b ==> c on_line b,a [Imp1]
      proof
        assume c on_line a,b;
        Between (a,b,c) \/ Between (a,c,b) \/ Between (c,a,b) by -, Line_DEF;
        Between (c,b,a) \/ Between (b,c,a) \/ Between (b,a,c) by -, Bsymmetry_THM;
      qed by -, H1, Line_DEF;
      c on_line b,a ==> c on_line a,b [Imp2]
      proof
        assume c on_line b,a [H3];
        Between (b,a,c) \/ Between (b,c,a) \/ Between (c,b,a) by -, Line_DEF;
        Between (c,a,b) \/ Between (a,c,b) \/ Between (a,b,c) by -, Bsymmetry_THM;
      qed by -, H1, Line_DEF;
    qed by Imp1, Imp2;
  qed by H1, P, LineEq_DEF`;;

let LineEqSymmetric_THM = thm `;
  let a b c d be point;
  assume ~(a = b) /\ ~(c = d) [H1];
  assume a,b equal_line c,d [H2];
  thus c,d equal_line a,b
  proof
    ! x . x on_line a,b <=> x on_line c,d by H2, LineEq_DEF;
    ! x . x on_line c,d <=> x on_line a,b by -;
    c,d equal_line a,b by -, H1, LineEq_DEF;
  qed by -`;;

let LineEqTrans_THM = thm `;
  let a b c d e f be point;
  assume ~(a = b) /\ ~(c = d) /\ ~(e = f) [H1];
  assume a,b equal_line c,d [H2];
  assume c,d equal_line e,f [H3];
  thus a,b equal_line e,f
  proof
    (! y . y on_line a,b <=> y on_line c,d) /\
    (! y . y on_line c,d <=> y on_line e,f) [X2] by H2, H3, LineEq_DEF;
    (! y . y on_line a,b <=> y on_line e,f) by -;
  qed by -, H1, LineEq_DEF`;;

let onlineEq_THM = thm `;
  let a b c d x be point;
  assume ~(a = b) /\ ~(c = d) [H1];
  assume x on_line a,b [H2];
  assume a,b equal_line c,d [H3];
  thus x on_line c,d
  proof
    ! y .
y on_line a,b <=> y on_line c,d by -, LineEq_DEF; qed by -, H2;; let I1part2Reverse_THM = thm ; let a b y be point; assume ~(a = b) /\ ~(b = y) [H1]; assume y on_line a,b [H3]; thus a,b equal_line y,b proof a,b equal_line b,a /\ b,y equal_line y,b [Y1] by H1, LineEqA1_THM; y on_line b,a by H3, Y1, onlineEq_THM; b,a equal_line b,y by -, H1, Y1, I1part2_THM; a,b equal_line b,y by -, H1, Y1, LineEqTrans_THM; a,b equal_line y,b by -, H1, Y1, LineEqTrans_THM; qed by -;; let I1_THM = thm ; let a b x y be point; assume ~(a = b) [H1]; assume ~(x = y) [H2]; assume a on_line x,y [H3]; assume b on_line x,y [H4]; thus x,y equal_line a,b proof cases; suppose (x = b) [H5]; ~(b = y) [P1] by -, H2; b,a equal_line a,b [P2] by H1, LineEqA1_THM; x,y equal_line b,y [P3] by H2, H5, LineEqRefl_THM; a on_line b,y by H3, H5; b,y equal_line b,a by -, P1, H1, I1part2_THM; x,y equal_line b,a by -, H1, H2, P1, P3, LineEqTrans_THM; qed by -, H1, H2, P2, LineEqTrans_THM; suppose ~(x = b) [H6]; x,y equal_line x,b [P4] by -, H2, H6, H4, I1part2_THM; a on_line x,b by -, H2, H6, H3, onlineEq_THM; x,b equal_line a,b by -, H6, H1, I1part2Reverse_THM; qed by H1, H2, H6, P4, -, LineEqTrans_THM; end;; 

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-05-12 03:03 John, I feel my code isn't quite perfect enough to submit my Hilbert geometry paper. Freek's miz3 code in the miz3 dox 1201.3601-1.pdf solving the drinker's paradox on p 13--14 is perhaps designed to show various features of miz3, but it is more than twice as long as needed: Paste in these 4 commands and then the rest of this message: hol_light> ocaml #use "hol.ml";; #load "unix.cma";; loadt "miz3/miz3.ml";; let DRINKER = thm ; let P be A->bool; thus ?x. P x ==> !y. P y [22] proof (?x. ~P x) \/ ~(?x. ~P x) [1]; cases by 1; suppose ?x. ~P x [2]; consider x such that ~P x [3] by 2; take x; assume P x [4]; F [5] by 3,4; thus !y. P y [6] by 5; end; suppose ~(?x. ~P x) [10]; consider a being A such that T; take a; assume P a [11]; let y be A; P y \/ ~P y [12]; cases by 12; suppose P y [13]; thus P y by 13; end; suppose ~P y [14]; ?x. ~P x [15] by 14; F [16] by 10,15; thus P y [17] by 16; end; end; end;; (* Few of the above labels are needed. Here's a much shorter version. *) horizon := 0;; let DRINKER = thm ; let P be A->bool; thus ?x. P x ==> !y. P y proof (?x. ~P x) \/ ~(?x. ~P x); cases by -; suppose ?x. ~P x; consider x such that ~P x by -; P x ==> !y. P y by -; qed by -; suppose ~(?x. ~P x); !y. P y by -; qed by -; end;; (* We can save one line by understanding that ~(!x. P x) <=> !y. P y: *) let DRINKER = thm ; let P be A->bool; thus ?x. P x ==> !y. P y proof (!x. P x) \/ ~(!x. P x); cases by -; suppose (!x. P x); qed by -; suppose ~(!x. P x); consider x such that ~P x by -; P x ==> !y. P y by -; qed by -; end;; (* So I still don't know of an example where take' is necessary. *) -- Best, Bill 

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Mark - 2012-05-12 17:27

John Harrison wrote:
> * Each type constructor has an int for its arity and when the user
> tries to construct a type with it, this value is compared with the
> length (also as an int) of the list of type arguments. So in
> principle you could declare a type constructor with arity n and
> later give it n + 2^31 arguments (on a 32-bit platform). This is
> a bit of a rough edge, but of somewhat academic interest, and I
> don't think it implies a soundness problem (you could imagine
> allowing type constructors with the same name but different
> arities). Still, maybe Mark Adams will find a flaw in that
> reasoning and then I'll change to using unit list instead of int!

You've got me worried now. This use of integers could be exploited when defining a new type operator. In general, the input theorem to type operator definition is:

|- ?x. P x or in HOL Light as |- P x

Imagine the type of 'x' is, say, cartesian product with 2^31 dimensions and a type variable for each dimension, and 'P' is, say, \x. true. Then the resulting type operator will be given arity 0 (because the OCaml int length of the list of type variables will be 2^31, which wraps round as 0 in OCaml), and the theorem that defines it will state that this 0-dimensioned type constant is in bijection with the entire 2^31-dimensioned representation type (with its 2^31 type parameters). Inconsistency should be derivable by using two different type instantiations of this definition theorem.

HOL Zero is just as vulnerable as HOL Light here, because it also used OCaml's int for type arities.

I always thought that this would be impossible to exploit in practice, but now I'm thinking 2^31 =~ 2 billion, and this is perhaps doable in principle with a machine with something like 100 GB of RAM (although inefficiencies in the 'union' operation used to compile a term's type variables would mean the execution would surely take years).

Does this mean unit lists in HOL Light? :)
I'm thinking of adding a check that there are no more than 2^30-1 type variables in the input theorem.

Mark.
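The arity concern raised in the message above, as an added illustration that is not part of the original post and is not HOL Light or HOL Zero source. It models the machine integer with a deliberately narrow 8-bit signed counter (an assumption, so the wraparound shows up with a few hundred list elements instead of 2^31), and every name in it is hypothetical; it shows only what gets recorded and what the arity check accepts, next to the bound check proposed in the message.

```ocaml
(* Added illustration; not HOL Light or HOL Zero source. All names are
   hypothetical. A machine int of [width] bits is simulated so that the
   wraparound can be observed with a few hundred list elements. *)

let width = 8                          (* assumption: toy word size *)
let modulus = 1 lsl width              (* 256 values *)
let toy_max_int = modulus / 2 - 1      (* 127, toy analogue of max_int *)

(* Two's-complement wraparound into [-modulus/2, modulus/2 - 1]. *)
let wrap n = ((n + modulus / 2) land (modulus - 1)) - modulus / 2

(* The list length as a [width]-bit signed counter would report it. *)
let wrapping_length l = List.fold_left (fun n _ -> wrap (n + 1)) 0 l

(* True iff [l] has at most [bound] elements; walks the list without
   ever holding a count that could wrap. *)
let rec within_bound bound l =
  match l with
  | [] -> true
  | _ :: rest -> bound > 0 && within_bound (bound - 1) rest

type ty = Tyvar of string | Tyapp of string * ty list

(* Constructor table: name -> recorded arity. *)
let arities : (string, int) Hashtbl.t = Hashtbl.create 16

(* Weak definition: the arity is whatever the wrapped length says. *)
let define_weak name tyvars =
  Hashtbl.replace arities name (wrapping_length tyvars)

(* Checked definition: the bound proposed in the thread, refusing any
   input with more type variables than the counter can represent. *)
let define_checked name tyvars =
  if within_bound toy_max_int tyvars then begin
    Hashtbl.replace arities name (wrapping_length tyvars);
    Ok ()
  end else Error "too many type variables"

(* Weak application check: recorded arity against a wrapped length. *)
let mk_type_weak name args =
  match Hashtbl.find_opt arities name with
  | None -> Error "unknown type constructor"
  | Some a when a = wrapping_length args -> Ok (Tyapp (name, args))
  | Some _ -> Error "wrong number of arguments"

(* Checked application: bound the argument list before counting it. *)
let mk_type_checked name args =
  if within_bound toy_max_int args then mk_type_weak name args
  else Error "too many type arguments"

(* Constructed sample input: n distinct type variables A0, A1, ... *)
let tyvars n = List.init n (fun i -> Tyvar ("A" ^ string_of_int i))

let show = function Ok _ -> "accepted" | Error e -> "rejected: " ^ e

let () =
  define_weak "pair" (tyvars 2);
  (* n + 2^width arguments pass the weak check for an arity-n constructor. *)
  Printf.printf "pair, 2 args, weak:          %s\n"
    (show (mk_type_weak "pair" (tyvars 2)));
  Printf.printf "pair, 2+256 args, weak:      %s\n"
    (show (mk_type_weak "pair" (tyvars (2 + modulus))));
  Printf.printf "pair, 2+256 args, checked:   %s\n"
    (show (mk_type_checked "pair" (tyvars (2 + modulus))));
  (* A definition over 2^width type variables is recorded with arity 0. *)
  define_weak "big" (tyvars modulus);
  Printf.printf "big, recorded arity:         %d\n"
    (Hashtbl.find arities "big");
  Printf.printf "big, 0 args, weak:           %s\n"
    (show (mk_type_weak "big" []));
  Printf.printf "big2, checked definition:    %s\n"
    (show (define_checked "big2" (tyvars modulus)))
```

The bounded walk in `within_bound` never counts past the limit, so the check itself cannot wrap; whether the recorded arity of 0 leads to an actual inconsistency is the question the thread goes on to debate.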

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: John Harrison - 2012-05-12 22:51 Hi Bill, | John and Freek, I finished porting my Tarski geometry Mizar code to | miz3, and it's about 2/3 the size!!! Thank you again for your help! Congratulations! I'm really happy to see this work, which is both a nice addition to HOL Light and a serious stress-test of miz3. I suppose it is Freek's little syntactic improvements like "qed" that account for the smaller code, is it? Since I gather you were trying to keep the automation at a Mizar-like level, I assume that you didn't try cutting out stages and relying on stronger justification, let along going in for Urban-style Vampirism :-) By the way, I appreciate the acknowledgement in the comments, but it's a bit much to say that the port is "mostly due to John Harrison". All I did was point you in the right direction and prove a few really simple lemmas as an example. | You did a good job of boiling down the essential core. | | Thanks, John! I spent years working for Richard Stallman, who taught | me to write (Emacs) bug reports. It didn't help my math career, but | it was great to find folks who WANTED to hear about their errors! Oh, I didn't know you used to work for Richard! I was sorry to see he fell ill the other day while giving a talk in Barcelona. I hope he's doing all right now. | I found a workaround for this problem that I feel is a better | solution. I didn't know how to nest cases in Mizar, but Freek's | grammar showed me how to do it. Oh I see, yes, that probably is a better solution in several ways. Using an explicit tactic would make your proofs only 99% declarative instead of 100%, which would have been a bit unsatisfying. | 1) I was able to write 1500 lines of Mizar code without any good Mizar | dox because the error messages were informative enough. The miz3 | error messages are not nearly as good, and I'll accept Freek's word | that HOL Light causes this. 
But we can make do with baffling error | messages if the dox are good enough. I would sit down right now and | write up the syntax & semantics of miz3 if I knew what they were. It would certainly be possible to improve the HOL Light error messages. Generally HOL Light uses only the simplest error reporting to keep the code simple. (In fact, some parts of the original HOL Light core were basically Konrad Slind's hol90 code ported from SML to OCaml and with the error handling removed.) If there are some specific situations that you found particularly irksome, let me know and I'll think about a fix. You might already have done this before on this thread but I didn't pay close enough attention to that side of things. If you do have time to work on some kind of miz3 documentation, it would be great, of course! I think the combination of the existing paper by Freek, documentation for Mizar itself and even a closer examination of the code might be enough to give a more or less definitive picture. There is a reasonable level of documentation of the "native HOL" facilities; in fact every non-theorem identifier in the HOL Light system is supposed to have an entry in the reference manual, which you can also get from inside HOL Light itself by help "CONJ_TAC";; | 2) We don't need strict miz3 compliance with Mizar. Mizar was | extremely successful in showing that lots of folks can write up lots | of formal proofs, without being a HOL Light or Coq code wizard. But | at this point Mizar is like an old pyramid, and we need spaceships. It's certainly true that HOL Light has advantages of programmability, more decision procedures and a generally more open architecture. But I wouldn't dismiss Mizar too readily since it has a lot of other very good features like its more flexible type system, and a much larger library of abstract mathematics. | 1) Freek's 1201.3601-1.pdf isn't actually about how to run Mizar | programs in HOL Light. 
It's about how to mix declarative & | procedural, and I I give Freek credit for for his bold effort. Yes, although I can't really speak for Freek I think I can confidently say that his main interest was in discussing the ideas more abstractly rather than trying to write end-user documentation. So there is probably a gap in the market for a tutorial and/or reference for miz3 from the user perspective. | 2) Make HOL Light the right place to write Mizar-like code. I think | the Mizar authors were great pioneers, but their program is an | Egyptian pyramid with secret source code that they're not maintaining. I am certainly very happy to see the wider use of declarative proof in HOL Light. More generally, I'm all in favour of having people try out alternative approaches to the default tactic language or build other proof tools around HOL Light. For example, there is an interesting set of Isabelle-style tactics by Petros Papapanagiotou and Jacques Fleuriot that you can find in the "IsabelleLight" subdirectory. John. 

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: John Harrison - 2012-05-12 22:54

Hi Mark,

| You've got me worried now. This use of integers could be exploited when
| defining a new type operator. In general, the input theorem to type
| operator definition is:
|
| |- ?x. P x or in HOL Light as |- P x
|
| Imagine the type of 'x' is, say, cartesian product with 2^31 dimensions and
| a type variable for each dimension, and 'P' is, say, \x. true. Then the
| resulting type operator will be given arity 0 (because the OCaml int length
| of the list of type variables will be 2^31, which wraps round as 0 in
| OCaml), and the theorem that defines it will state that this 0-dimensioned
| type constant is in bijection with the entire 2^31-dimensioned
| representation type (with its 2^31 type parameters). Inconsistency should
| be derivable by using two different type instantiations of this definition
| theorem.

I shouldn't have tempted fate by mentioning you! But I'm not yet completely convinced. It's true that it would create a type operator with recorded arity 0, but (at least in the HOL Light implementation) it would still end up applied to the sorted list of type variables ("tyvars") as if it had arity 2^31. That's not to say this is an ideal situation, but it seems to fall into the "anomalous" category rather than the actually inconsistent. Or am I missing something?

| I always thought that this would be impossible to exploit in practice, but
| now I'm thinking 2^31 =~ 2 billion, and this is perhaps doable in principle
| with a machine with something like 100 GB of RAM (although inefficiencies
| in the 'union' operation used to compile a term's type variables would mean
| the execution would surely take years).

Well, I hope that's impossible for pragmatic reasons: wraparound on 2^31 would only happen on a 32-bit platform, and then I don't think you could address enough memory directly to put this to the test since pointers are also 32-bit. And on a 64-bit machine the bar becomes much higher because integers won't wrap till 2^63. But perhaps there is some weird way of setting up OCaml where pointers are 64-bit but type int is 32-bit?

| Does this mean unit lists in HOL Light? :)
| I'm thinking of adding a check that there are no more than 2^30-1 type
| variables in the input theorem.

I don't exclude either possibility yet...

John.

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-05-13 03:37 Thanks, John, and thanks again for your help porting to miz3! there is probably a gap in the market for a tutorial and/or reference for miz3 from the user perspective. Great! This is my main task now. But I don't know enough to write this miz3 tutorial and user reference manual (more below). I suppose it is Freek's little syntactic improvements like "qed" that account for the smaller code, is it? Since I gather you were trying to keep the automation at a Mizar-like level, Yes, and Freek's idea (which violates the grammar) of beginning a thm with let ... assume ... thus ... proof (example below), with the assume statements taking 1 line instead of 2. But I'll count: The part you wrote saved 150 lines. Ignoring that, my new code is 3/4 the size of the original. As these little syntactic improvements count more in short proofs, let's go to the first Mizar proof that's over 30 lines (SegmentAddition), and then the miz3 code is 7/9 the size of the Mizar code, which isn't 2/3, but every little bit helps. Since I gather you were trying to keep the automation at a Mizar-like level, Absolutely, and I'm convinced that this is mild enough Mizar-like automation that good high school students could use it. By the way, I appreciate the acknowledgement in the comments, but it's a bit much to say that the port is "mostly due to John Harrison". All I did was point you in the right direction and prove a few really simple lemmas as an example. I am really grateful to you, John, and I couldn't have done without you, but, uh, I was hoping you'd do even more The reference manual says not to use new_axiom. Better error messages would be great. I'll write some dox but I don't know enough right now to write them. 
Here's something simple about cases' I don't know, in a short proof: let B124and234Ordered_THM = thm ; let a b c d be point; assume Between (a,b,d) [H1]; assume Between (b,c,d) [H2]; thus is_ordered (a,b,c,d) proof cases; suppose b = c [P1]; Between (a,b,c) [P2] by -, Bqaa_THM; Between (a,c,d) by P1, H1; qed by P2, H1, -, H2, is_ordered_DEF; suppose ~(b = c) [Q1]; Between (a,b,c) by H1, H2, B124and234then123_THM; qed by -, Q1, H2, BTransitivityOrdered_THM; end;; Note the new more compact Freek style of stating the thm, which violates Freek's grammar on p 16, which say a lemma must start let ident = thm ; formula proof; ;; When the cases construction ends, I immediately write end;;. Why is that OK? Why didn't I need to write qed by -;;, or thus thesis; end? Of my 37 miz3 lemmas, the only ones that end in end;; are the ones that end on a cases construction. I can't write the new dox until I understand this. Maybe I can figure it out by reading miz3.ml. Or another dumb question: How do you run miz3 code? I'm just selecting in an Emacs window and then pasting into a terminal running hol_light> ocaml #use "hol.ml";; Why can't I paste in a use command like #use "John5-8ModelTarski.ml";; I know Freek describes a vi-based system but I haven't learned it yet. If there are some specific situations that you found particularly irksome, let me know and I'll think about a fix. You might already have done this before on this thread but I didn't pay close enough attention to that side of things. Great, I'm email them to you again privately. Basically I'd say that the miz3 error messages are good enough for reasonably short proofs, but for proofs 70+ lines long, the error messages can be useless. I wouldn't dismiss Mizar too readily since it has a lot of other very good features like its more flexible type system, and a much larger library of abstract mathematics. 
The Mizar type system caused me a lot of trouble, because I couldn't define the class of Tarski models without showing that R^2 was a Tarski model, and that ran something 450+ lines in Trybulec's simpler version of incidence axioms that I ported. But more seriously: I don't think Mizar is a flourishing community anymore. HOL Light is a flourishing community, while Mizar made great contribution before. I know folks teach courses using Mizar,but I'm sure code improvements would really help, like TABs and no 80 character line limit. Oh, I didn't know you used to work for Richard! I was sorry to see he fell ill the other day while giving a talk in Barcelona. I hope he's doing all right now. I hope so too. I had kind of a falling out with Richard Stallman about his free books crusade, which I felt violated the spirit of his free software crusade (we need to read and modify each other's code). But I really learned a lot from Richard, and found it a great pleasure to work with him. My combinatorics paper http://www.math.northwestern.edu/~richter/RichterPAMS-Lambda.pdf took 6 years to submit because I couldn't get anyone to admit that they didn't know the supposedly trivial combinatorial proofs. While Richard loved to get bug report! I used to have this on my web page: Emacs Pretester >From '92 to '02, reported to head of GNU project Richard Stallman, 100s of bug reports. Wrote some C code for mouse/X interaction. Ran Emacs under source-level C debugger GDB. Wrote 100 lines GDB/Emacs documentation. Learned enough C, X, & configure to take active part in investigations, and RCS to keep up with patches. One bug: found pointer which was garbage-collected prematurely. Wrote/maintained code for international character display long enough that Emacs needed legal papers for the copyright. -- Best, Bill 

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Ramana Kumar - 2012-05-13 07:30

On Sat, May 12, 2012 at 11:54 PM, John Harrison

> | Does this mean unit lists in HOL Light? :)
> | I'm thinking of adding a check that there are no more than 2^30-1 type
> | variables in the input theorem.
>
> I don't exclude either possibility yet...
>

And what about switching to big integers? (for HOL Zero and/or HOL Light) I thought HOL Zero might be switching to SML at some point anyway?

>
> John.

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Makarius - 2012-05-13 11:58 On Sun, 13 May 2012, Ramana Kumar wrote: > On Sat, May 12, 2012 at 11:54 PM, John Harrison > >> | Does this mean unit lists in HOL Light? :) >> | I'm thinking of adding a check that there are no more than 2^30-1 type >> | variables in the input theorem. >> >> I don't exclude either possibility yet... >> > > And what about switching to big integers? (for HOL Zero and/or HOL > Light) I thought HOL Zero might be switching to SML at some point > anyway? With unit list John was probably hoping to have a precise model of natural numbers in OCaml. This is not exactly the case, because datatype values can have loops in that language: let rec uuuh = () :: uuuh;; List.length uuuh;; Anyway, I think we need to find an exit strategy from this endless thread. Already in October 2009, I've tried to convince Mark that OCaml is not the right vehicle for extremely high trustability that he wants to have for HOL Zero. And back then, I did not know all these nasty tricks yet that can be learned in the coffee room of LRI, with hardcore experts like Filiatre showing off all the boundary cases and neat tricks outside the normal mathematics of ML. This is why SML never became very popular, because it spoils these games. Makarius 

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Mark - 2012-05-13 13:26 Ramana Kumar wrote: > Mark wrote: >> Yes, big integers is the other possibility. ... > > Sounds good. > For your information, I am currently working on a verified compiler for > (currently a pure subset of) SML. > But it is also probably several months away from completion :) Yes, I heard about this. Sounds great stuff! Would be nice if it could have some sort of simple mechanism for disallowing overwriting of certain ML and pretty printer bindings (e.g. a compiler directive that could be applied for a given binding, which would set a one-way flag on the binding). This would stop 'thm' and its pretty printer being overwritten by the user, for example, and would be an easy way of eliminating this long-standing vulnerability of LCF-style systems that run in a simple classic top level ML session. Mark. 

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-05-14 05:05 Makarius, here's a miz3 version of an Isabelle proof you asked me to look at, from the Group theory examples in the Isabelle/Isar Reference Manual, p 18--19 isabelle.in.tum.de/doc/isar-ref.pdf which gives a nice proof that left units/identity implies right units. I find the Isabelle proof very hard to read, and I prefer the miz3 proof below. Can you tell me what I'm missing? Can you write this Mizar-style proof in Isabelle? Maybe it would be nice to be able to mix Isabelle locales and fancy symbols with the miz3 style proofs. (* Paste in these 2 commands: hol_light> ocaml #use "hol.ml";; then paste in the following file*) parse_as_infix("***",(20,"right"));; #load "unix.cma";; loadt "miz3/miz3.ml";; horizon := 0;; let right_inv = thm ; let g be A->bool; let (**) be A->A->A; let i be A->A; let e be A; assume (e IN g) /\ (!x. x IN g ==> i(x) IN g) /\ (!x y. x IN g /\ y IN g ==> x ** y IN g) [1]; assume !x y z. x IN g /\ y IN g /\ z IN g ==> x ** (y ** z) = (x ** y) ** z [Assoc]; assume !x. x IN g ==> e ** x = x [Left_Unit]; assume !x. x IN g ==> i(x) ** x = e [Left_Inv]; thus ! x. x IN g ==> x ** i(x) = e :: x x' = 1(x x') = (1 x) x' = ((x'' x') x) x' = (x'' (x' x)) x' = (x'' 1) x' :: = x'' (1 x') = x'' x' = 1 proof let x be A; assume x IN g [xing]; x ** i(x) = e ** (x ** i(x)) by 1, xing, Left_Unit; x ** i(x) = (e ** x) ** i(x) by 1, xing, -, Assoc; x ** i(x) = ((i(i(x)) ** i(x)) ** x) ** i(x) by 1, xing, -, Left_Inv; x ** i(x) = (i(i(x)) ** (i(x) ** x)) ** i(x) by 1, xing, -, Assoc; x ** i(x) = (i(i(x)) ** e) ** i(x) by 1, xing, -, Left_Inv; x ** i(x) = i(i(x)) ** (e ** i(x)) by 1, xing, -, Assoc; x ** i(x) = i(i(x)) ** i(x) by 1, xing, -, Left_Unit; qed by 1, xing, -, Left_Inv;; (* It works! The output is |- !g (**) i e. e IN g /\ (!x. x IN g ==> i x IN g) /\ (!x y. x IN g /\ y IN g ==> x ** y IN g) ==> (!x y z. 
x IN g /\ y IN g /\ z IN g ==> x ** y ** z = (x ** y) ** z) ==> (!x. x IN g ==> e ** x = x) ==> (!x. x IN g ==> i x ** x = e) ==> (!x. x IN g ==> x ** i x = e) Some discussion: There's no question that the Isabelle proof is easier on the eyes. I checked that I can replace **' by *', but you \circ is nicer, and your x^{-1} exponent is a lot more readable than i(x). More substantively, it hurts readability to state all the left group theory axioms in the statement of the theorem. But most substantively, the miz3 proof is easier for me to read. A modification of Freek's lagrange1.ml is let group = new_definition group(g,(**),i,(e:A)) <=> (e IN g) /\ (!x. x IN g ==> i(x) IN g) /\ (!x y. x IN g /\ y IN g ==> x**y IN g) /\ (!x y z. x IN g /\ y IN g /\ z IN g ==> x**(y**z) = (x**y)**z) /\ (!x. x IN g ==> e**x = x) /\ (!x. x IN g ==> x**i(x) = e );; That's something like an Isabelle locale, but I don't know how to put labels on the axioms, and Freek did not do so. The clever Isabelle proof uses the facts x'' x' = 1 and x' x = 1 at some points, and uses assoc, left ident & left inverses: x x' = 1(x x') = (1 x) x' = ((x'' x') x) x' = ((x'' (x' x)) x' = ((x'' 1) x' = x'' (1 x') = x'' x' = 1 I can't see how Isabelle justified this proof. I know ...' means the previous right hand side. But Isabelle is doing other things too. Isabelle proved four separate statements S1: x x' = 1(x x') = (1 x) x' S2: (1 x) = (x'' x') x S3: (x'' (x' x)) x' = x'' (1 x') S4: x'' (1 x') = 1 and said finally we're done! Well, why are we done? Isabelle must have combined S3 & S4 to get (x'' (x' x)) x' = 1 and then multiplied S2 on the right by x' to get (1 x) x' = ((x'' x') x) x' combined the last two statements to (1 x) x' = 1 and combined this with S1 to get x x' = 1. I don't see the Isabelle mechanism yet, and I think my proof above is a more readable. *) 

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-05-15 02:53

Trying to improve my group theory code, I tried to use new_axiom, and I could not get this to work. Help!

(* this works fine *)

new_type("element",0);;
new_constant("prod",`:element->element->element`);;
new_constant("inv",`:element->element`);;
new_constant("unit",`:element`);;
parse_as_infix("prod",(20, "right"));;

let A1 = new_axiom
  `!x y z. (x prod y) prod z = x prod (y prod z)`;;

let left_unit = new_axiom
  `!x . unit prod x = x`;;

(* This does not: *)

let left_inv = new_axiom
  `!x . inv(x) prod x = unit`;;

(* Exception: Failure "typechecking error (initial type assignment)". *)

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Toal, Ray - 2012-05-15 05:47

It should be

let left_inv = new_axiom
  `!x . (inv x) prod x = unit`;;

________________________________________
From: Bill Richter [richter@...]
Sent: Monday, May 14, 2012 7:53 PM
To: John Harrison
Cc: hol-info@...
Subject: Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light

Trying to improve my group theory code, I tried to use new_axiom, and I could not get this to work. Help!

(* this works fine *)

new_type("element",0);;
new_constant("prod",`:element->element->element`);;
new_constant("inv",`:element->element`);;
new_constant("unit",`:element`);;
parse_as_infix("prod",(20, "right"));;

let A1 = new_axiom
  `!x y z. (x prod y) prod z = x prod (y prod z)`;;

let left_unit = new_axiom
  `!x . unit prod x = x`;;

(* This does not: *)

let left_inv = new_axiom
  `!x . inv(x) prod x = unit`;;

(* Exception: Failure "typechecking error (initial type assignment)". *)

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Vincent Aravantinos - 2012-05-15 05:50

(* The inv you use in your axiom is not the one you think: *)
# type_of `inv`
val it : hol_type = `:real->real`

(* You'd better give your constant another name, like "elt_inv": *)
# new_constant("elt_inv",`:element->element`);;
val it : unit = ()
# let left_inv = new_axiom `!x . elt_inv(x) prod x = unit`;;
val left_inv : thm = |- !x. elt_inv x prod x = unit

(* You can still use "inv" by overloading it: *)
# make_overloadable "inv" `:A->A`;;
val it : unit = ()
# overload_interface("inv",`elt_inv:element->element`);;
val it : unit = ()

(* Then left_inv is displayed using "inv" instead of "elt_inv": *)
# left_inv;;
val it : thm = |- !x. inv x prod x = unit

(* You can also use inv for the input now: *)
# let left_inv = new_axiom `!x . inv(x) prod x = unit`;;
val it : thm = |- !x. inv x prod x = unit

(* And if you still plan to use the original inv for real numbers you should also overload it: *)
# overload_interface("inv",`inv:real->real`);;
val it : unit = ()

--
Vincent Aravantinos
PostDoctoral fellow, Concordia University, Hardware Verification Group
http://users.encs.concordia.ca/~vincent

On 14 May 12 at 22:53, Bill Richter wrote:

> Trying to improve my group theory code, I tried to use new_axiom, and
> I could not get this to work. Help!
>
> (* this works fine *)
>
> new_type("element",0);;
> new_constant("prod",`:element->element->element`);;
> new_constant("inv",`:element->element`);;
> new_constant("unit",`:element`);;
> parse_as_infix("prod",(20, "right"));;
>
> let A1 = new_axiom
>   `!x y z. (x prod y) prod z = x prod (y prod z)`;;
>
> let left_unit = new_axiom
>   `!x . unit prod x = x`;;
>
> (* This does not: *)
>
> let left_inv = new_axiom
>   `!x . inv(x) prod x = unit`;;
>
> (* Exception: Failure "typechecking error (initial type
> assignment)". *)
>
> --
> Best,
> Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Ramana Kumar - 2012-05-15 05:52

Perhaps try `!x. (inv x) prod x = unit`

My guess is that your term is being parsed incorrectly, leading something that's not x to be interpreted as a variable and assigned a variable type, which then makes the types of the two sides of the equation unequal.

On Tue, May 15, 2012 at 3:53 AM, Bill Richter wrote:

> Trying to improve my group theory code, I tried to use new_axiom, and
> I could not get this to work. Help!
>
> (* this works fine *)
>
> new_type("element",0);;
> new_constant("prod",`:element->element->element`);;
> new_constant("inv",`:element->element`);;
> new_constant("unit",`:element`);;
> parse_as_infix("prod",(20, "right"));;
>
> let A1 = new_axiom
> `!x y z. (x prod y) prod z = x prod (y prod z)`;;
>
> let left_unit = new_axiom
> `!x . unit prod x = x`;;
>
> (* This does not: *)
>
> let left_inv = new_axiom
> `!x . inv(x) prod x = unit`;;
>
> (* Exception: Failure "typechecking error (initial type assignment)". *)
>
> --
> Best,
> Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Freek Wiedijk - 2012-05-15 12:24

Hi Bill,

>Freek's miz3 code in the miz3 dox 1201.3601-1.pdf
>solving the drinker's paradox on p 13--14 is perhaps designed to show
>various features of miz3, but it is more than twice as long as needed:

It's mainly intended to be as close as possible to the Jaśkowski/Fitch-style natural deduction proof that's right before it, to show off the similarity of the proof styles. That one you _can't_ make significantly shorter, because only the basic natural deduction intro and elim rules are allowed.

But if you want to be short, then

let DRINKER = thm `;
  let P be A->bool;
  thus ?x. P x ==> !y. P y`;;

already works. Getting a short proof, or even a proof that mimics how a human would understand this, was not the primary aim of the example. And yes, showing off the various miz3 proof steps _was_ one of its aims.

If you like to see a _really_ involved proof of this statement, then look at

http://www.cs.ru.nl/~freek/notes/drinker.miz

Now that's a silly version, as Mizar also can prove this without any help. But this one would also work in a minimal logic version of Mizar :-)

Freek

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-05-15 18:59

Thanks for responding! Vincent's idea worked. I have a new question:

(* Paste in these 2 commands:
hol_light> ocaml
#use "hol.ml";;
pasting this in gives an error message *)

new_type("element",0);;
new_constant("prod",`:element->element->element`);;
new_constant("elt_inv",`:element->element`);;
new_constant("unit",`:element`);;
parse_as_infix("prod",(20, "right"));;

let A1 = new_axiom
  `!x y z. (x prod y) prod z = x prod (y prod z)`;;

let left_unit = new_axiom
  `!x . unit prod x = x`;;

let left_inv = new_axiom
  `!x . elt_inv(x) prod x = unit`;;

(* I think it's quite interesting that HOL Light left out parentheses

val left_inv : thm = |- !x. elt_inv x prod x = unit

This does not: *)

parse_as_prefix "elt_inv";;

let left_inv = new_axiom
  `!x . (inv x) prod x = unit`;;

(* I get the usual "typechecking error (initial type assignment)". *)

Vincent, thanks for explaining that inv was already defined:

type_of `inv`;;
val it : hol_type = `:real->real`

I'm an HOL Light newbie. What should I have read so that I would have known that? Neither prefixes();; nor infixes();; lists `inv'. Should I just make a habit of evaluating things like

type_of `elt_inv`;;

to see that I'm inventing a new type?

Toal, your fix

let left_inv = new_axiom
  `!x . (inv x) prod x = unit`;;

did not work if we just substitute your axiom for mine. Same error:

Exception: Failure "typechecking error (initial type assignment)".

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: John Harrison - 2012-05-15 20:24

Hi Bill,

| there is probably a gap in the market for a tutorial and/or
| reference for miz3 from the user perspective.
|
| Great! This is my main task now. But I don't know enough to write
| this miz3 tutorial and user reference manual (more below).

I hope you manage to produce something. Curiously enough, Freek wrote a lot of documentation to explicate Trybulec's Mizar, so maybe you will end up doing the same for Freek's miz3.

http://cs.ru.nl/~freek/mizar/index.html

| I am really grateful to you, John, and I couldn't have done without
| you, but, uh, I was hoping you'd do even more The reference manual
| says not to use new_axiom.

Yes, for now you can replace the "new_axiom" stuff with the explicit model construction I sent out earlier. I will experiment a bit to find the nicest way of doing things with the axioms as hypotheses. I like Freek's idea of having the hypothesis in the assumption list of the theorem rather than as the antecedent of an implication, but I need to dig into miz3 a bit more deeply or get help from Freek to make it work.

| Better error messages would be great.

I'll defer to Freek on miz3-specific things, but I will try to improve cases where the native HOL Light error reporting is part of the problem.

| Or another dumb question: How do you run miz3 code? I'm just
| selecting in an Emacs window and then pasting into a terminal running
| hol_light> ocaml
| #use "hol.ml";;
| Why can't I paste in a use command like
| #use "John5-8ModelTarski.ml";;
| I know Freek describes a vi-based system but I haven't learned it yet.

I do pretty much that, either for miz3 or native HOL Light proofs, just copying and pasting from an editor window into an OCaml session. This video might give an impression:

http://www.math.kobe-u.ac.jp/icms2006/icms2006-video/video/v103.html

I think you may be hitting something I also noticed, which is that the special parsing of miz3 proofs within `;...` only gets set up after the miz3 file is loaded, and OCaml parses an entire source file before anything gets executed. This means that having this in one file:

loadt "miz3/miz3.ml";;

...
`; ... a miz3 proof`;;

doesn't work, since when this file is loaded `;....` isn't interpreted correctly. But you can simply have a root file called "make.ml" or whatever containing (it shouldn't matter if you use loadt or #use):

loadt "miz3/miz3.ml";;
loadt "file_with_miz3_proofs.ml";;

John.

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: John Harrison - 2012-05-15 20:25

Hi Mark,

| Yes, big integers is the other possibility. I'm trying to do it as
| light weight as possible, and yet keeping the user interface
| "conventional" (using the classic types so that integer literals
| supplied by the user do not have to be wrapped with 'Int'). However,
| the HOL Zero natural number syntax functions already use big integers,
| and so there is already an inconsistency in style here, and so maybe I
| should follow your suggestion.

I rely quite heavily on the OCaml Num library for various things in HOL Light's arithmetic decision procedures. But I am a bit reluctant to introduce a dependency on this library into the logical kernel. It's pretty big and complicated, and I have found one or two bugs in it in the past (admittedly many years ago).

Since the overflow is a bit of a theoretical rather than practical problem, I'm inclined to stick to the devil I know, machine arithmetic, or perhaps just use int64. (As Makarius pointed out, even the unary representation with unit lists has its issues too in OCaml.) But thinking through the implications here together has certainly been valuable, I think.

John.

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-05-15 20:39

Freek, thanks for responding! You set me straight on my two points: `?' means 0 or more, so can be nothing. A proof need have no steps, as in your example:

let FOO = thm `;
  T
  proof
  end;`;;

Quick question: Doesn't `?' mean the same as `*'?

Two more questions, but first a manifesto: I'd like you to help me with an miz3 documentation project. I'll do as much of the work as necessary, but I think I need your help to get started. And you may prefer to do the job yourself.

I wrote 1000 lines of Tarski axiomatic geometry miz3 proofs (below), porting 1500 lines of Mizar code. I did it partly for the joy of it, and to check my proofs were correct, but mostly I did it to cite in a geometry paper I want to submit soon, probably to the Amer Math Monthly, which has published a number of Hilbert axiom papers. There are two holdups right now:

1) HOL Light must be easy to download & run. Right now I can't get the latest version of ocaml to run, as it requires camlp5. I can install both ocaml & camlp5, but then I can't make HOL Light. I sent a bug report, and John will probably straighten this out. I assume he's working hard at Intel at his real job, proving theorems about floating point algorithms, and that's fine, I can wait.

2) There must be adequate documentation for how to use miz3 to concoct the sort of 2-column proofs I did in my Tarski code. At least the dox must be good enough for me, and all I need is the miz3 syntax and semantics. Your paper arxiv.org/pdf/1201.3601 is not adequate dox, but as John agreed, it wasn't intended to be, but instead to promote your bold fusion of declarative and procedural proofs. John just wrote:

   I hope you manage to produce something. Curiously enough, Freek wrote a lot of documentation to explicate Trybulec's Mizar, so maybe you will end up doing the same for Freek's miz3.

   http://cs.ru.nl/~freek/mizar/index.html

What I want (precise syntax & semantics) looks a lot different from your Mizar dox. When I was learning Mizar, I relied heavily on your work, although I didn't read it all. I didn't learn the precise syntax & semantics of Mizar, so all the Mizar I did was trial and error. I bet you can write the precise syntax & semantics easily, though, and I'll help as much as I can or you want.

Putting aside manifestos, here are two questions I posted earlier:

3) My code, following your p 13--14 drinkers principle, violates your grammar (this saved me 100s of lines, so thanks!). You wrote

   Yes, the miz3 syntax is a bit more liberal than is presented in the paper. (I think the "growing" stuff won't work then, though.)

Can we write down the actual syntax (grammar) of miz3? I don't know what "growing" stuff means.

   Basically, instead of `; formal proof ... end;`, you can also use `; now ... end;`. And the "now/end" brackets are optional, if the thing is not just a single statement with proof/justification, they are added automatically.

Let me try to understand this. On p 15--18, you write

   The now syntax can be used when the statement that is being proved can be inferred from the skeleton steps in the proof (which is generally the case). In that situation
   phi proof ... end;
   can be abbreviated as
   now ... end;

That's interesting, and it sounds like it saves a line, as we don't need the keyword `proof', and `now' won't go on its own line. But what you wrote today indicates we can skip the "now/end" brackets, which saves one more line. I didn't get that to work. Evaluate my code below, and then paste in this lemma again:

let C1_THM = thm `;
  let a b x y be point;
  assume ~(a = b) [H1];
  assume Between (a,b,x) [H2];
  assume Between (a,b,y) [H3];
  assume b,x === b,y [H4];
  thus y = x
  proof
    a,b === a,b /\ a,y === a,y /\ b,y === b,y by EquivReflexive;
    a,b,y cong a,b,y by -, cong_DEF;
    y,x === y,y by -, H1, H2, H3, H4, A5;
  qed by -, A3`;;

it works fine. But it seems you're saying I don't need the last end. Since qed means thus thesis; end, this ought to work:

let C1_THM = thm `;
  let a b x y be point;
  assume ~(a = b) [H1];
  assume Between (a,b,x) [H2];
  assume Between (a,b,y) [H3];
  assume b,x === b,y [H4];
  thus y = x
  proof
    a,b === a,b /\ a,y === a,y /\ b,y === b,y by EquivReflexive;
    a,b,y cong a,b,y by -, cong_DEF;
    y,x === y,y by -, H1, H2, H3, H4, A5;
  thus thesis by -, A3`;;

But it doesn't work, and I get the error

::#9
:: 9: syntax error mizar

Probably I misunderstood what you wrote.

4) I think I have a semantics question: I have 38 lemmas in my miz3 code below. All of the proofs end in `qed' except for the 8 which end in `cases' constructions, and they all end in `end'. Why?

--
Best,
Bill

(* Paste in these 2 commands:
hol_light> ocaml
#use "hol.ml";;
then paste in the following file*)

(* ================================================================= *)
(* HOL Light Tarski geometry axiomatic proofs up to Gupta's theorem. *)
(* ================================================================= *)

(* Proof assistants like HOL Light can be used to help teach rigorous axiomatic geometry in high school using Hilbert's axioms, and introduce students to the world of formal proofs, which should become a hot area in debugging computer software.

This is a port, mostly due to John Harrison, of Mizar code, which was heavily influenced by Julien Narboux's Coq pseudo-code http://dpt-info.u-strasbg.fr/~narboux/tarski.html and Wojciech A. Trybulec's incsp_1.miz in the MML library on axioms of incidence geometry.

We partially prove the theorem of the 1983 book Metamathematische Methoden in der Geometrie by Schwabhäuser, Szmielew, and Tarski, that Tarski's (extremely weak!) plane geometry axioms imply Hilbert's axioms. We get about as far as Narboux, with Gupta's amazing proof which implies Hilbert's axiom I1 that two points determine a line.
Thanks to Mizar folks who wrote an influential language I was able to learn, Freek Wiedijk, who wrote the miz3 port of Mizar to HOL Light, and especially John Harrison, who came up with the entire framework of porting my axiomatic proofs to HOL Light. *)

new_type("point",0);;
new_constant("===",`:point#point->point#point->bool`);;
new_constant("Between",`:point#point#point->bool`);;

parse_as_infix("===",(12, "right"));;
parse_as_infix("cong",(12, "right"));;
parse_as_infix("on_line",(12, "right"));;
parse_as_infix("equal_line",(12, "right"));;

let cong_DEF = new_definition
  `a,b,c cong x,y,z <=>
   a,b === x,y /\ a,c === x,z /\ b,c === y,z`;;

let is_ordered_DEF = new_definition
  `is_ordered (a,b,c,d) <=>
   Between (a,b,c) /\ Between (a,b,d) /\ Between (a,c,d) /\ Between (b,c,d)`;;

let Line_DEF = new_definition
  `x on_line a,b <=>
   ~(a = b) /\ (Between (a,b,x) \/ Between (a,x,b) \/ Between (x,a,b))`;;

let LineEq_DEF = new_definition
  `a,b equal_line x,y <=>
   ~(a = b) /\ ~(x = y) /\ ! c . c on_line a,b <=> c on_line x,y`;;

(* ------------------------------------------------------------------------- *)
(* The axioms. *)
(* ------------------------------------------------------------------------- *)

let A1 = new_axiom
  `!a b. a,b === b,a`;;

let A2 = new_axiom
  `!a b p q r s. a,b === p,q /\ a,b === r,s ==> p,q === r,s`;;

let A3 = new_axiom
  `!a b c. a,b === c,c ==> a = b`;;

let A4 = new_axiom
  `!a q b c. ?x. Between(q,a,x) /\ a,x === b,c`;;

let A5 = new_axiom
  `!a b c x a' b' c' x'.
   ~(a = b) /\ a,b,c cong a',b',c' /\
   Between(a,b,x) /\ Between(a',b',x') /\ b,x === b',x'
   ==> c,x === c',x'`;;

let A6 = new_axiom
  `!a b. Between(a,b,a) ==> a = b`;;

let A7 = new_axiom
  `!a b p q z.
   Between(a,p,z) /\ Between(b,q,z)
   ==> ?x. Between(p,x,b) /\ Between(q,x,a)`;;

(* A4 is the Segment Construction axiom, A5 is the SAS axiom and A7 is the Inner Pasch axiom.
There are 4 more axioms we're not using yet: there exist 3 non-collinear points; 3 points equidistant from 2 distinct points are collinear; Euclid's parallel postulate; a first order version of Hilbert's Dedekind Cuts axiom. We shall say we apply SAS to a+cbx and a'+c'b'x'. Normally one applies SAS by showing cb = c'b' bx = b'x' (which we assume) and angle cbx cong angle c'b'x'. One might prove the angle congruence by showing that the triangles abc /\ a'b'c' were congruent by SSS (which we also assume) and then apply the theorem that complements of congruent angles are congruent. Hence Tarski's axiom. *) (* ------------------------------------------------------------------------- *) (* Now Mizarlight versions of the actual proofs. *) (* ------------------------------------------------------------------------- *) #load "unix.cma";; loadt "miz3/miz3.ml";; horizon := 0;; let EquivReflexive = thm ; !a b. a,b === a,b proof let a b be point; b,a === a,b by A1; qed by -, A2;; let EquivSymmetric = thm ; !a b c d. a,b === c,d ==> c,d === a,b proof let a b c d be point; assume a,b === c,d [1]; a,b === a,b by EquivReflexive; qed by -, 1, A2;; let EquivTransitive = thm ; !a b p q r s . a,b === p,q /\ p,q === r,s ==> a,b === r,s proof let a b p q r s be point; assume a,b === p,q [H1]; assume p,q === r,s [H2]; p,q === a,b by H1, EquivSymmetric; qed by -, H2, A2;; let Baaa_THM = thm ; !a b. Between (a,a,a) /\ a,a === b,b proof let a b be point; consider x such that Between (a,a,x) /\ a,x === b,b [X1] by A4; a = x by -, A3; qed by -, X1;; let Bqaa_THM = thm ; !a q. 
Between(q,a,a) proof let a q be point; consider x such that Between(q,a,x) /\ a,x === a,a [X1] by A4; a = x by -, A3; qed by -, X1;; let C1_THM = thm ; let a b x y be point; assume ~(a = b) [H1]; assume Between (a,b,x) [H2]; assume Between (a,b,y) [H3]; assume b,x === b,y [H4]; thus y = x proof a,b === a,b /\ a,y === a,y /\ b,y === b,y by EquivReflexive; a,b,y cong a,b,y by -, cong_DEF; y,x === y,y by -, H1, H2, H3, H4, A5; qed by -, A3;; let Bsymmetry_THM = thm ; let a p z be point; thus Between (a,p,z) ==> Between (z,p,a) proof assume Between (a,p,z) [H1]; Between (p,z,z) by Bqaa_THM; consider x such that Between (p,x,p) /\ Between (z,x,a) [X1] by -, H1, A7; x = p by -, A6; qed by -, X1;; let Baaq_THM = thm ; let a q be point; thus Between (a,a,q) proof Between (q,a,a) by Bqaa_THM; qed by -, Bsymmetry_THM;; let BEquality_THM = thm ; let a b c be point; thus Between (a,b,c) /\ Between (b,a,c) ==> a = b proof assume Between (a,b,c) [H1]; assume Between (b,a,c); ? x . Between (b,x,b) /\ Between (a,x,a) by -, H1, A7; consider x such that Between (b,x,b) /\ Between (a,x,a) [X1] by -; b = x by X1, A6; Between (a,b,a) by -, X1; qed by -, A6;; let B124and234then123_THM = thm ; let a b c d be point; assume Between (a,b,d) [H1]; assume Between (b,c,d) [H2]; thus Between (a,b,c) proof ? x . 
Between (b,x,b) /\ Between (c,x,a) by H1, H2, A7; consider x such that Between (b,x,b) /\ Between (c,x,a) [X1] by -; b = x by X1, A6; Between (c,b,a) by -, X1; qed by -, Bsymmetry_THM;; let BTransitivity_THM = thm ; let a b c d be point; assume ~(b = c) [H1]; assume Between (a,b,c) [H2]; assume Between (b,c,d) [H3]; thus Between (a,c,d) proof consider x such that Between (a,c,x) /\ c,x === c,d [X1] by A4; Between (x,c,a) [X2] by -, Bsymmetry_THM; Between (c,b,a) by H2, Bsymmetry_THM; Between (x,c,b) by -, X2, B124and234then123_THM; Between (b,c,x) by -, Bsymmetry_THM; x = d by -, H1, H3, X1, C1_THM; qed by -, X1;; let BTransitivityOrdered_THM = thm ; let a b c d be point; assume ~(b = c) [H1]; assume Between (a,b,c) [H2]; assume Between (b,c,d) [H3]; thus is_ordered (a,b,c,d) proof Between (a,c,d) [X1] by H1, H2, H3, BTransitivity_THM; Between (d,c,b) [X2] by H3, Bsymmetry_THM; Between (c,b,a) by -, H2, Bsymmetry_THM; Between (d,b,a) by -, H1, X2, BTransitivity_THM; Between (a,b,d) by -, Bsymmetry_THM; qed by H2, -, X1, H3, is_ordered_DEF;; let B124and234Ordered_THM = thm ; let a b c d be point; assume Between (a,b,d) [H1]; assume Between (b,c,d) [H2]; thus is_ordered (a,b,c,d) proof cases; suppose b = c [P1]; Between (a,b,c) [P2] by -, Bqaa_THM; Between (a,c,d) by P1, H1; qed by P2, H1, -, H2, is_ordered_DEF; suppose ~(b = c) [Q1]; Between (a,b,c) by H1, H2, B124and234then123_THM; qed by -, Q1, H2, BTransitivityOrdered_THM; end;; let SegmentAddition_THM = thm ; let a b c a' b' c' be point; assume Between (a,b,c) [H1]; assume Between (a',b',c') [H2]; assume a,b === a',b' [H3]; assume b,c === b',c' [H4]; thus a,c === a',c' proof cases; suppose a = b [Y1]; a,a === a',b' by H3, Y1; a',b' === a,a by -, EquivSymmetric; a' = b' by -, A3; qed by -, H4, Y1; suppose ~(a = b) [Z1]; b,a === a,b by A1; b,a === a',b' [Z2] by -, H3, EquivTransitive; a',b' === b',a' by A1; b,a === b',a' [Z3] by -, Z2, EquivTransitive; a,a === a',a' by Baaa_THM; a,b,a cong a',b',a' by -, H3, Z3, 
cong_DEF; qed by -, Z1, H1, H2, H4, A5; end;; let CongruenceDoubleSymmetry_THM = thm ; let a b c d be point; assume a,b === c,d [H1]; thus b,a === d,c proof b,a === a,b /\ c,d === d,c [X1] by H1, A1; a,b === d,c by H1, X1, EquivTransitive; qed by -, X1, EquivTransitive;; let C1prime_THM = thm ; let a b x y be point; assume ~(a = b) [H1]; assume Between (a,b,x) [H2]; assume Between (a,b,y) [H3]; assume a,x === a,y [H4]; thus x = y proof consider m such that Between (b,a,m) /\ a,m === a,b [X1] by A4; Between (m,a,b) [X2] by X1, Bsymmetry_THM; ~(m = a) [X3] by X1, EquivSymmetric, A3, H1; is_ordered (m,a,b,x) by H1, X2, H2, BTransitivityOrdered_THM; Between (m,a,x) [X4] by -, is_ordered_DEF; is_ordered (m,a,b,y) by H1, X2, H3, BTransitivityOrdered_THM; Between (m,a,y) by -, is_ordered_DEF; qed by -, X3, X4, H4, C1_THM;; let SegmentSubtraction_THM = thm ; let a b c a' b' c' be point; assume Between (a,b,c) [H1]; assume Between (a',b',c') [H2]; assume a,b === a',b' [H3]; assume a,c === a',c' [H4]; thus b,c === b',c' proof cases; suppose a = b [Y1]; a,a === a',b' by -, H3; a',b' === a,a by -, EquivSymmetric; a' = b' by -, A3; qed by -, H4, Y1; suppose ~(a = b) [Z1]; consider x such that Between (a,b,x) /\ b,x === b',c' [Z2] by A4; a,x === a',c' [Z3] by Z2, H2, H3, SegmentAddition_THM; a',c' === a,c by H4, EquivSymmetric; a,x === a,c by -, Z3, EquivTransitive; x = c by -, Z1, Z2, H1, C1prime_THM; qed by -, Z2; end;; let EasyAngleTransport_THM = thm ; let a O b be point; assume ~(O = a) [H1]; thus ? x y . 
Between (b,O,x) /\ Between (a,O,y) /\ x,y,O cong a,b,O proof consider x such that Between (b,O,x) /\ O,x === O,a [X2] by A4; x,O === a,O [X3] by -, CongruenceDoubleSymmetry_THM; a,O === x,O [X4] by -, EquivSymmetric; a,x === x,a by A1; a,O,x cong x,O,a [X5] by X4, -, X2, cong_DEF; consider y such that Between (a,O,y) /\ O,y === O,b [X6] by A4; Between (x,O,b) by X2 ,Bsymmetry_THM; x,y === a,b [X7] by H1, X5, X6, -, A5; y,O === b,O by X6, CongruenceDoubleSymmetry_THM; x,y,O cong a,b,O by X7, X3, -, cong_DEF; qed by X2, X6, -;; let B123and134Ordered_THM = thm ; let a b c d be point; assume Between (a,b,c) [H1]; assume Between (a,c,d) [H2]; thus is_ordered (a,b,c,d) proof Between (d,c,a) /\ Between (c,b,a) by H2, H1, Bsymmetry_THM; is_ordered (d,c,b,a) by -, B124and234Ordered_THM; Between (d,b,a) /\ Between (d,c,b) by -, is_ordered_DEF; Between (a,b,d) /\ Between (b,c,d) by -, Bsymmetry_THM; qed by -, H1, H2, is_ordered_DEF;; let BextendToLine_THM = thm ; let a b c d be point; assume ~(a = b) [H1]; assume Between (a,b,c) [H2]; assume Between (a,b,d) [H3]; thus ? x . 
is_ordered (a,b,c,x) /\ is_ordered (a,b,d,x) proof consider u such that Between (a,c,u) /\ c,u === b,d [X1] by A4; is_ordered (a,b,c,u) [X2] by H2, X1, B123and134Ordered_THM; Between (b,c,u) by X2, is_ordered_DEF; Between (u,c,b) [X3] by -, Bsymmetry_THM; u,c === c,u by A1; u,c === b,d [X4] by -, X1, EquivTransitive; Between (a,b,u) [X5] by X2, is_ordered_DEF; consider x such that Between (a,d,x) /\ d,x === b,c [Y1] by A4; is_ordered (a,b,d,x) [Y2] by H3, Y1, B123and134Ordered_THM; Between (b,d,x) [Y3] by -, is_ordered_DEF; b,c === d,x [Y4] by Y1, EquivSymmetric; c,b === b,c by A1; c,b === d,x [Y5] by -, Y4, EquivTransitive; Between (a,b,x) [Y6] by Y2, is_ordered_DEF; u,b === b,x [X6] by X3, Y3, X4, Y5, SegmentAddition_THM; b,u === u,b by A1; b,u === b,x by -, X6, EquivTransitive; u = x by -, H1, X5, Y6, C1_THM; qed by -, X2, Y2;; let GuptaEasy_THM = thm ; let a b c d be point; assume ~(a = b) [H1]; assume Between (a,b,c) [H2]; assume Between (a,b,d) [H3]; assume ~(b = c) [H4]; assume ~(b = d) [H5]; thus ~ Between (c,b,d) proof cases; suppose ~ Between (c,b,d); qed by -; suppose Between (c,b,d) [H6]; ? x . is_ordered (a,b,c,x) /\ is_ordered (a,b,d,x) by H1, H2, H3, BextendToLine_THM; consider x such that is_ordered (a,b,c,x) /\ is_ordered (a,b,d,x) [X1] by -; Between (b,d,x) by X1, is_ordered_DEF; is_ordered (c,b,d,x) by -, H5, H6, BTransitivityOrdered_THM; Between (b,c,x) /\ Between (c,b,x) by -, X1, is_ordered_DEF; b = c [X2] by -, BEquality_THM; F by -, H4, X2; qed by -; end;; (* The next result is like SAS: there are 5 pairs of segments 4 equivalent. 
We say we apply Inner5Segments to abc-x and a'b'c'-x' *) let Inner5Segments_THM = thm ; let a b c x a' b' c' x' be point; assume a,b,c cong a',b',c' [H1]; assume Between (a,x,c) [H2]; assume Between (a',x',c') [H3]; assume c,x === c',x' [H4]; thus b,x === b',x' proof a,b === a',b' /\ a,c === a',c' /\ b,c === b',c' [X1] by H1, cong_DEF; cases; suppose x = c [Case1]; c',x' === c,c by H4, Case1, EquivSymmetric; x' = c' by -, A3; qed by -, Case1, X1; suppose ~(x = c) [Case2]; ~(a = c) [X2] by H2, A6, Case2; consider y such that Between (a,c,y) /\ c,y === a,c [X3] by A4; consider y' such that Between (a',c',y') /\ c',y' === a,c [X4] by A4; a,c === c',y' by X4, EquivSymmetric; c,y === c',y' [X5] by -, X3, EquivTransitive; c,b === c',b' [X6] by X1, CongruenceDoubleSymmetry_THM; a,c,b cong a',c',b' by cong_DEF, X1, X6; b,y === b',y' [X7] by -, X2, X3, X4, X5, A5; ~(y = c) [X8] by X3, EquivSymmetric, A3, X2; Between (y,c,a) /\ Between (c,x,a) by X3, H2, Bsymmetry_THM; Between (y,c,x) [X9] by -, B124and234then123_THM; Between (y',c',a') /\ Between (c',x',a') by -, X4, H3, Bsymmetry_THM; Between (y',c',x') [X10] by -, B124and234then123_THM; y,c === y',c' /\ y,b === y',b' by X5, X7, CongruenceDoubleSymmetry_THM; y,c,b cong y',c',b' by -, cong_DEF, X6; qed by -, X8, X9, X10, H4, A5; end;; let RhombusDiagBisect_THM = thm ; let b c d c' d' be point; assume Between (b,c,d') [H1]; assume Between (b,d,c') [H2]; assume c,d' === c,d [H3]; assume d,c' === c,d [H4]; assume d',c' === c,d [H5]; thus ? e . 
Between (c,e,c') /\ Between (d,e,d') /\ c,e === c',e /\ d,e === d',e proof Between (d',c,b) /\ Between (c',d,b) [X1] by H1, H2, Bsymmetry_THM; consider e such that Between (c,e,c') /\ Between (d,e,d') [X2] by X1, A7; c,d === c,d' [X3] by H3, EquivSymmetric; c,c' === c,c' [X4] by EquivReflexive; c,d === d',c' by H5, EquivSymmetric; d,c' === d',c' by -, H4, EquivTransitive; c,d,c' cong c,d',c' by -, X3, X4, cong_DEF; d,e === d',e [X5] by -, X2, EquivReflexive, Inner5Segments_THM; d,c === c,d [X6] by A1; c,d === d,c' by H4, EquivSymmetric; d,c === d,c' [X7] by -, X6, EquivTransitive; d,d' === d,d' [X8] by EquivReflexive; c,d === d',c' [X9] by H5, EquivSymmetric; d',c' === c',d' by A1; c,d === c',d' by -, X9, EquivTransitive; c,d' === c',d' [X10] by -, H3, EquivTransitive; d,d' === d,d' by EquivReflexive; d,c,d' cong d,c',d' by -, X7, X8, X10, cong_DEF; c,e === c',e by -, X2, EquivReflexive, Inner5Segments_THM; qed by -, X2, X5;; let FlatNormal_THM = thm ; let a b c d d' e be point; assume Between (b,c,d') [H1]; assume Between (d,e,d') [H2]; assume c,d' === c,d [H3]; assume d,e === d',e [H4]; assume ~(c = d) [H5]; assume ~(e = d) [H6]; thus ? p r q . 
Between (p,r,q) /\ Between (r,c,d') /\ Between (e,c,p) /\ r,c,p cong r,c,q /\ r,c === e,c /\ p,r === d,e proof ~(c = d') by H5, H3, EquivSymmetric, A3; consider p r such that Between (e,c,p) /\ Between (d',c,r) /\ p,r,c cong d',e,c [X1] by -, EasyAngleTransport_THM; p,r === d',e /\ p,c === d',c /\ r,c === e,c [X2] by -, X1, cong_DEF; d',e === d,e by H4, EquivSymmetric; p,r === d,e [X3] by -, X2, EquivTransitive; ~(p = r) [X4] by -, EquivSymmetric, H6, A3; consider q such that Between (p,r,q) /\ r,q === e,d [X5] by A4; Between (d',e,d) [X6] by H2, Bsymmetry_THM; c,p === c,d' by -, X2, CongruenceDoubleSymmetry_THM; c,p === c,d [X7] by -, H3, EquivTransitive; :: Apply SAS to p+crq /\ d'+ced c,q=== c,d by X4, X1, X5, X6, A5; c,d=== c,q by -, EquivSymmetric; c,p=== c,q [X8] by -, X7, EquivTransitive; r,c=== r,c [X9] by EquivReflexive; r,p=== e,d [X10] by X3, CongruenceDoubleSymmetry_THM; e,d=== r,q by X5, EquivSymmetric; r,p=== r,q by -, X10, EquivTransitive; r,c,p cong r,c,q [X11] by -, X9, X8, cong_DEF; Between (r,c,d') [X12] by X1, Bsymmetry_THM; qed by -, X5, X11, X12, X2, X1, X3;; let EqDist2PointsBetween_THM = thm ; let a b c p q be point; assume ~(a = b) [H1]; assume Between (a,b,c) [H2]; assume a,p === a,q /\ b,p === b,q [H3]; thus c,p === c,q ::a & b are equidistant from p & q. Apply SAS to a+pbc /\ a+qbc. proof a,b === a,b /\ b,c === b,c [X1] by EquivReflexive; a,b,p cong a,b,q by -, H3, cong_DEF; p,c === q,c by H1, -, H2, X1, A5; qed by -, CongruenceDoubleSymmetry_THM;; let EqDist2PointsInnerBetween_THM = thm ; let a x c p q be point; assume Between (a,x,c) [H1]; assume a,p === a,q /\ c,p === c,q [H2]; thus x,p === x,q ::a and c are equidistant from p and q. Apply Inner5Segments to ::apb-x /\ aqb-x. 
proof a,c === a,c /\ c,x === c,x [X1] by EquivReflexive; p,c === q,c by H2, CongruenceDoubleSymmetry_THM; a,p,c cong a,q,c by -, H2, X1, cong_DEF; p,x === q,x by -, H1, X1, Inner5Segments_THM; qed by -, CongruenceDoubleSymmetry_THM;; let Gupta_THM = thm ; let a b c d be point; assume ~(a = b) [H1]; assume Between (a,b,c) [H2]; assume Between (a,b,d) [H3]; thus Between (b,d,c) \/ Between (b,c,d) proof cases; suppose b = c \/ b = d \/ c = d; Between (b,d,c) \/ Between (b,c,d) by -, Baaq_THM, Bqaa_THM; qed by -; suppose ~(b = c) /\ ~(b = d) /\ ~(c = d) [H4]; assume ~ (Between (b,d,c)) [H5]; consider d' such that Between (a,c,d') /\ c,d' === c,d [X1] by A4; consider c' such that Between (a,d,c') /\ d,c' === c,d [X2] by A4; is_ordered (a,b,c,d') by H2, X1, B123and134Ordered_THM; Between (a,b,d') /\ Between (b,c,d') [X3] by -, is_ordered_DEF; is_ordered (a,b,d,c') by H3, X2, B123and134Ordered_THM; Between (a,b,c') /\ Between (b,d,c') [X4] by -, is_ordered_DEF; ~(c = d') [X5] by X1, H4, A3, EquivSymmetric; ~(d = c') [X6] by X2, H4, A3, EquivSymmetric; ~(b = d') [X7] by X3, H4, A6; ~(b = c') [X8] by X4, H4, A6; :: In the proof below, we prove a stronger result than :: BextendToLine_THM with much the same proof. We find u /\ b' :: with essentially a,b,c,d',u and a b,d,c',b' ordered 5-tuples :: with d'u === db /\ cb' === bc. 
*) consider u such that Between (c,d',u) /\ d',u === b,d [Y1] by A4; is_ordered (b,c,d',u) by X5, X3, Y1, BTransitivityOrdered_THM; Between (b,c,u) /\ Between (b,d',u) [Y2] by -, is_ordered_DEF; consider b' such that Between (d,c',b') /\ c',b' === b,c [Y3] by A4; is_ordered (b,d,c',b') by X6, X4, Y3, BTransitivityOrdered_THM; Between (b,d,b') /\ Between (b,c',b') [Y4] by -, is_ordered_DEF; Between (c',d,b) [Y5] by X4, Bsymmetry_THM; d,c' === c',d /\ b,d === d,b [Y6] by A1; c,d === d,c' by X2, EquivSymmetric; c,d' === d,c' by -, X1, EquivTransitive; c,d' === c',d [Y7] by -, Y6, EquivTransitive; d',u === d,b by Y1, Y6, EquivTransitive; c,u === c',b [Y8] by -, Y1, Y5, Y7, SegmentAddition_THM; c',b' === b',c' /\ b',b === b,b' [Y9] by A1; b,c === c',b' by Y3, EquivSymmetric; b,c === b',c' [Y10] by -, Y9, EquivTransitive; Between (b',c',b) by Y4, Bsymmetry_THM; b,u === b',b by -, Y2, Y10, Y8, SegmentAddition_THM; b,u === b,b' [Y11] by -, Y9, EquivTransitive; is_ordered (a,b,d',u) [Y12] by X7, X3, Y2, BTransitivityOrdered_THM; is_ordered (a,b,c',b') by X8, X4, Y4, BTransitivityOrdered_THM; Between (a,b,u) /\ Between (a,b,b') by -, Y12, is_ordered_DEF; u = b' [Y13] by -, H1, Y11, C1_THM; :: Show c'd' === cd by applying SAS to b+c'cd /\ b'+cc'd. c',b === c,b' by Y13, Y8, EquivSymmetric; b,c' === b',c [Z1] by -, CongruenceDoubleSymmetry_THM; c,c' === c',c by A1; b,c,c' cong b',c',c [Z2] by -, Y10, Z1, cong_DEF; Between (b',c',d) by Y3, Bsymmetry_THM; c',d' === c,d [Z3] by -, H4, Z2, X3, Y7, A5; d',c' === c',d' by A1; d',c' === c,d by -, Z3, EquivTransitive; :: c,d',c',d is a "flat" rhombus. The diagonals bisect each other. 
consider e such that Between (c,e,c') /\ Between (d,e,d') /\ c,e === c',e /\ d,e === d',e [Z4] by -, X3, X4, X1, X2, RhombusDiagBisect_THM; ~(e = c) [U1] proof cases; suppose ~(e = c); qed by -; suppose e = c [U2]; c' = e by U2, Z4, EquivSymmetric, A3; c' = c by -, U2; Between (b,d,c) [U3] by -, X4; F by -, U3, H5; qed by -; end; e = d [V1] proof cases; suppose e = d; qed by -; suppose ~(e = d) [V2]; consider p r q such that Between (p,r,q) /\ Between (r,c,d') /\ Between (e,c,p) /\ r,c,p cong r,c,q /\ r,c === e,c /\ p,r === d,e [W1] by X3, Z4, X1, H4, V2, FlatNormal_THM; r,p === r,q /\ c,p === c,q [W2] by W1, cong_DEF; :: r and c are equidistant from p and q, r <> c, Between r,c,d', thus also d' ~(c = r) by W1, U1, EquivSymmetric, A3; d',p === d',q [W3] by -, W1, W2, EqDist2PointsBetween_THM; :: c and d' are equidistant from p and q, c <> d', :: Between c,d',b', thus also b'. Between (c,d',b') by Y1, Y13; b',p === b',q [W4] by -, X5, W2, W3, EqDist2PointsBetween_THM; :: d' and c are equidistant from p and q, d' <> c, Between d',c,b, thus also b. Between (d',c,b) by X3, Bsymmetry_THM; b,p === b,q [W5] by -, X5, W3, W2, EqDist2PointsBetween_THM; :: b and b' are equidistant from p and q, Between b,c',b, thus also c'. c',p === c',q [W7]by Y4, W4, W5, EqDist2PointsInnerBetween_THM; :: c' and c are equidistant from p and q, c' <> c, Between c',c,p, thus also p. Between (c',e,c) by Z4, Bsymmetry_THM; is_ordered (c',e,c,p) by -, U1, W1, BTransitivityOrdered_THM; Between (c',c,p) [W8] by -, is_ordered_DEF; ~(c' = c) by Z4, U1, A6; p,p === p,q by -, W8, W7, W2, EqDist2PointsBetween_THM; :: Now we deduce a contradiction from p = q. q = p by -, EquivSymmetric, A3; p = r by -, W1, A6; e = d [W9] by -, W1, EquivSymmetric, A3; F by -, W9, V2; qed by -; end; d' = e by V1, Z4, EquivSymmetric, A3; d' = d by -, V1; Between (b,c,d) by -, X3; qed by -; end;; (* Using Gupta's theorem, we prove Hilbert's axiom I3; a line is determined by two points. 
*) let I1part1_THM = thm ; let a b x be point; assume ~(a = b) [H1]; assume ~(a = x) [H2]; assume x on_line a,b [H3]; thus ! c . c on_line a,b ==> c on_line a,x proof let c be point; assume c on_line a,b [H4]; Between (a,b,x) \/ Between (a,x,b) \/ Between (x,a,b) [X1] by H3, Line_DEF; Between (a,b,c) \/ Between (a,c,b) \/ Between (c,a,b) [X2] by H4, Line_DEF; x = b \/ b = c \/ (~(x = b) /\ ~(b = c)); cases by -; suppose x = b [Case1]; qed by -, H4; suppose b = c [Case3]; Between (a,c,x) \/ Between (a,x,c) \/ Between (x,a,c) by -, X1; Between (a,c,x) \/ Between (a,x,c) \/ Between (c,a,x) by -, Bsymmetry_THM; qed by -, H2, Line_DEF; suppose ~(x = b) /\ ~(b = c) [Case2]; Between (a,x,c) \/ Between (a,c,x) \/ Between (x,a,c) [P] proof cases by X1; suppose Between (a,b,x) [Y1]; cases by X2; suppose Between (a,b,c) [Y11]; Between (b,x,c) \/ Between (b,c,x) by -, Y1, H1, Gupta_THM; is_ordered (a,b,x,c) \/ is_ordered (a,b,c,x) by Case2, Y1, Y11, -, BTransitivityOrdered_THM; Between (a,x,c) \/ Between (a,c,x) by -, is_ordered_DEF; qed by -; suppose Between (a,c,b); is_ordered (a,c,b,x) by -, Y1, B123and134Ordered_THM; qed by -, is_ordered_DEF; suppose Between (c,a,b); is_ordered (c,a,b,x) by H1, -, Y1, BTransitivityOrdered_THM; Between (c,a,x) by -, is_ordered_DEF; qed by -, Bsymmetry_THM; end; suppose Between (a,x,b) [Y2]; cases by X2; suppose Between (a,b,c); is_ordered (a,x,b,c) by -, Y2, B123and134Ordered_THM; qed by -, is_ordered_DEF; suppose Between (a,c,b) [Y22]; consider m such that Between (b,a,m) /\ a,m === a,b [X5] by -, A4; ~(a = m) [X6] by H1, X5, EquivSymmetric, A3; Between (m,a,b) by X5, Bsymmetry_THM; :: m,a,c,b & m,a,x,b Between (m,a,c) /\ Between (m,a,x) by -, Y22, Y2, B124and234then123_THM; Between (a,c,x) \/ Between (a,x,c) by -, X6, Gupta_THM; qed by -; suppose Between (c,a,b); Between (c,a,x) by -, Y2, B124and234then123_THM; :: c,a,x,b qed by -, Bsymmetry_THM; end; suppose Between (x,a,b) [Y3]; cases by X2; suppose Between (a,b,c); is_ordered (x,a,b,c) 
by H1, -, Y3, BTransitivityOrdered_THM; qed by -, is_ordered_DEF; suppose Between (a,c,b); qed by Y3, -, B124and234then123_THM; :: x,a,c,b suppose Between (c,a,b); Between (b,a,x) /\ Between (b,a,c) by Y3, -, Bsymmetry_THM; Between (a,x,c) \/ Between (a,c,x) by -, H1, Gupta_THM; qed by -; end; end; Between (a,x,c) \/ Between (a,c,x) \/ Between (c,a,x) by P, Bsymmetry_THM; c on_line a,x by -, H2, Line_DEF; qed by -; end;; let I1part2_THM = thm ; let a b x be point; assume ~(a = b) [H1]; assume ~(a = x) [H2]; assume x on_line a,b [H3]; thus a,b equal_line a,x proof ! c . c on_line a,b <=> c on_line a,x [P] proof let c be point; c on_line a,b ==> c on_line a,x [Imp1] proof assume c on_line a,b; c on_line a,x by -, H1, H2, H3, I1part1_THM; qed by -; c on_line a,x ==> c on_line a,b [Imp2] proof assume c on_line a,x [H4]; Between (a,b,x) \/ Between (a,x,b) \/ Between (x,a,b) by H3, Line_DEF; Between (a,b,x) \/ Between (a,x,b) \/ Between (b,a,x) by -, Bsymmetry_THM; b on_line a,x by -, H2, Line_DEF; c on_line a,b by -, H1, H2, H4, I1part1_THM; qed by -; qed by Imp1, Imp2; qed by H1, H2, P, LineEq_DEF;; let I1part2_THM = thm ; let a b x be point; assume ~(a = b) [H1]; assume ~(a = x) [H2]; assume x on_line a,b [H3]; thus a,b equal_line a,x proof Between (a,b,x) \/ Between (a,x,b) \/ Between (x,a,b) by H3, Line_DEF; Between (a,b,x) \/ Between (a,x,b) \/ Between (b,a,x) by -, Bsymmetry_THM; b on_line a,x [Z1] by -, H2, Line_DEF; ! c . c on_line a,b ==> c on_line a,x [Z2] by H1, H2, H3, I1part1_THM; ! c . c on_line a,x ==> c on_line a,b [Z3] by H1, H2, Z1, I1part1_THM; ! c . c on_line a,x <=> c on_line a,b by Z2, Z3; qed by H1, H2, -, LineEq_DEF;; let LineEqRefl_THM = thm ; let a b be point; assume ~(a = b) [H1]; thus a,b equal_line a,b proof ! c . c on_line a,b <=> c on_line a,b; a,b equal_line a,b by -, H1, LineEq_DEF; qed by -;; let LineEqA1_THM = thm ; let a b be point; assume ~(a = b) [H1]; thus a,b equal_line b,a proof ! c . 
c on_line a,b <=> c on_line b,a [P] proof let c be point; c on_line a,b ==> c on_line b,a [Imp1] proof assume c on_line a,b; Between (a,b,c) \/ Between (a,c,b) \/ Between (c,a,b) by -, Line_DEF; Between (c,b,a) \/ Between (b,c,a) \/ Between (b,a,c) by -, Bsymmetry_THM; qed by -, H1, Line_DEF; c on_line b,a ==> c on_line a,b [Imp2] proof assume c on_line b,a [H3]; Between (b,a,c) \/ Between (b,c,a) \/ Between (c,b,a) by -, Line_DEF; Between (c,a,b) \/ Between (a,c,b) \/ Between (a,b,c) by -, Bsymmetry_THM; qed by -, H1, Line_DEF; qed by Imp1, Imp2; qed by H1, P, LineEq_DEF;; let LineEqSymmetric_THM = thm ; let a b c d be point; assume ~(a = b) /\ ~(c = d) [H1]; assume a,b equal_line c,d [H2]; thus c,d equal_line a,b proof ! x . x on_line a,b <=> x on_line c,d by H2, LineEq_DEF; ! x . x on_line c,d <=> x on_line a,b by -; c,d equal_line a,b by -, H1, LineEq_DEF; qed by -;; let LineEqTrans_THM = thm ; let a b c d e f be point; assume ~(a = b) /\ ~(c = d) /\ ~(e = f) [H1]; assume a,b equal_line c,d [H2]; assume c,d equal_line e,f [H3]; thus a,b equal_line e,f proof (! y . y on_line a,b <=> y on_line c,d) /\ (! y . y on_line c,d <=> y on_line e,f) [X2] by H2, H3, LineEq_DEF; (! y . y on_line a,b <=> y on_line e,f) by -; qed by -, H1, LineEq_DEF;; let onlineEq_THM = thm ; let a b c d x be point; assume ~(a = b) /\ ~(c = d) [H1]; assume x on_line a,b [H2]; assume a,b equal_line c,d [H3]; thus x on_line c,d proof ! y . 
y on_line a,b <=> y on_line c,d by -, LineEq_DEF; qed by -, H2;; let I1part2Reverse_THM = thm ; let a b y be point; assume ~(a = b) /\ ~(b = y) [H1]; assume y on_line a,b [H3]; thus a,b equal_line y,b proof a,b equal_line b,a /\ b,y equal_line y,b [Y1] by H1, LineEqA1_THM; y on_line b,a by H3, Y1, onlineEq_THM; b,a equal_line b,y by -, H1, Y1, I1part2_THM; a,b equal_line b,y by -, H1, Y1, LineEqTrans_THM; a,b equal_line y,b by -, H1, Y1, LineEqTrans_THM; qed by -;; let I1_THM = thm ; let a b x y be point; assume ~(a = b) [H1]; assume ~(x = y) [H2]; assume a on_line x,y [H3]; assume b on_line x,y [H4]; thus x,y equal_line a,b proof cases; suppose (x = b) [H5]; ~(b = y) [P1] by -, H2; b,a equal_line a,b [P2] by H1, LineEqA1_THM; x,y equal_line b,y [P3] by H2, H5, LineEqRefl_THM; a on_line b,y by H3, H5; b,y equal_line b,a by -, P1, H1, I1part2_THM; x,y equal_line b,a by -, H1, H2, P1, P3, LineEqTrans_THM; qed by -, H1, H2, P2, LineEqTrans_THM; suppose ~(x = b) [H6]; x,y equal_line x,b [P4] by -, H2, H6, H4, I1part2_THM; a on_line x,b by -, H2, H6, H3, onlineEq_THM; x,b equal_line a,b by -, H6, H1, I1part2Reverse_THM; qed by H1, H2, H6, P4, -, LineEqTrans_THM; end;; 

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: John Harrison - 2012-05-15 21:24

Hi Bill,

| let Collinear_DEF = new_definition
|   `Collinear(A, B, C) <=>
|   ?l. A on_line l /\ B on_line l /\ C on_line l`;;
|
| (* Error message for Collinear is
| Exception: Failure "typechecking error (initial type assignment)".

All HOL Light infixes are assumed to be curried at the outer level, so HOL Light is expecting to typecheck "A on_line l" as "((on_line) A) l". If you change the earlier line to the following, it will work:

  new_constant("on_line",`:point->line->bool`);;

| If I evaluate some other code first, the beginning of my Tarski code,
| however, I get no error message. So start a HOL Light session over:

In this case "on_line" is being defined, and when parsing the term used in the definition, the "on_line" constant ends up getting the expected curried type.

John.

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-05-16 02:18

John, thanks for the Currying info. BTW I'm including below an explanation of Curry's paradoxical Y combinator, which in the lambda_calculus defines recursive functions. But I think you're pointing out that there's something I don't understand about the new_axiom code you wrote for me:

new_type("point",0);;
new_constant("===",`:point#point->point#point->bool`);;
new_constant("Between",`:point#point#point->bool`);;
parse_as_infix("===",(12, "right"));;
parse_as_infix("cong",(12, "right"));;

let cong_DEF = new_definition
  `a,b,c cong x,y,z <=>
   a,b === x,y /\ a,c === x,z /\ b,c === y,z`;;

I just tried to modify what you did, and successfully for the Tarski code. The analogue of your

new_constant("on_line",`:point->line->bool`);;

would be this code you did not write for me

new_constant("cong",`:point#point#point->point#point#point->bool`);;

For my Tarski code, I just extended what you did for me, with no new constants:

let is_ordered_DEF = new_definition
  `is_ordered (a,b,c,d) <=>
   Between (a,b,c) /\ Between (a,b,d) /\ Between (a,c,d) /\ Between (b,c,d)`;;

let Line_DEF = new_definition
  `x on_line a,b <=>
   ~(a = b) /\ (Between (a,b,x) \/ Between (a,x,b) \/ Between (x,a,b))`;;

--
Best,
Bill

>From richter@... Tue Oct 17 20:56:02 2000
Date: 8 Mar 1999 02:40:55 -0600
From: Bill Richter
To: matthias@...
CC: zabell, szabell@..., shriram@..., m-depristo@..., lars@..., rrb@...
bcc: jhs@..., mjh@..., hrm@..., lucier@..., wilker@..., rezk
Subject: Y combinator, Goedel I, & Russell's paradox
Status: O

Matthias,

We can understand Odifreddi's [p 80--1] startling remark that the Y combinator "embodies the argument used in Russell's paradox" from Boolos & Jeffries [Ch 14-15]. That is, I'll show how the Lambda Calculus Y combinator comes from Goedel Incompleteness, and how Goedel I sort of comes from Russell's paradox.
In particular, B&J's treatment of the Goedel fixed point theorem is much clearer than Barendregt's [Thm (Goedel), sec 6.7].

******** Goedel's fixed point thm => Y combinator ********

For any expression B(y) of number theory, B&J [Lem 2, p 173] show there exists an expression F(x) such that for any expression M(x),

   Q |- F( #M ) <--> B( #M(#M) )

where Q is the minimal axiom set for number theory [B&J Ch 14], s.t. a partial function N ---> N is representable in Q iff it's recursive. I'm denoting Goedel numbers by #. Then letting G = F(#F) and plugging in, we have Goedel's result

   Q |- G <--> B( #G )

Well, that gives us the Y combinator, just take out the #s and the Qs. We want

   (F M) = (B (M M))

for all M, so we let

   F = \m. B (m m)
   G = F F

then

   G = B G

giving us the fixed point for B, which we encode as the Y combinator

   Y = \b. (\f. f f) (\m. b (m m))

That's the only reasonable motivation I've ever seen for the Y combinator. And maybe that explains that LC_v requires LC: as you say, LC_v is for programming, LC is for Math logic. But we need Y in order to be able to derive the harder Y_v.

******** Goedel fixed point thm => Goedel I ********

Let E be the expression of number theory, E_0 the closed expressions, or statements. Let Th(N) be the statements that are true in the standard model of N. We'll write, for statements f in E_0,

   |= f   if f in Th(N).

Goedel proved that Th(N) is not decidable, meaning there is no expression B(x) in E such that for any statement f in E_0,

   |= f    if  Q |- B(#f)
   |= -f   if  Q |- -B(#f)

But this statement implies the more tractable sounding

   |= f   iff   |= B(#f)

since provable in Q implies true in N. So we show this statement is false, which shows the previous statement is false too.

Let G = F(#F) be the "fixed point" for -B (which means `not B'), so

   Q |- G = F( #F ) <--> -B( #F(#F) ) = -B( #G )

so pushing from Q to Th(N) and combining with the above, we have

   |= G   iff   |= -B( #G )   iff   |= -G

a contradiction. Hence Th(N) is undecidable.
******** Russell's paradox => Goedel I ********

We also have that for any expression M(x),

   |= F( #M )   iff   |= -B( #M(#M) )   iff   |= -M(#M)

The statement F( #M ) means F is satisfied by the Goedel number of M. Let's translate F( #M ) into set theory as M \in F. Then we have

   M \in F   iff   M \notin M

That is, F is the "set"

   F = { M : M \notin M }.

That's the Russell set, and the contradiction is then the usual Russell paradox

   F \in F   iff   F \notin F

or

   G   iff   not G

And we can even see where F & G came from. Aping Russell, we'd like to define a formula F(x) such that for any M(x), F is satisfied by #M iff #M does not satisfy M. Well, we can do that if Th(N) is decided by B(y), we "define"

   F(#M) = -B( #M(#M) )

Of course it's not clear that such an expression F(x) exists. Let's recall B&J's argument, since I don't quite understand it. Recall \exists is the Tex symbol for "there exists", the backwards E. Then B&J define

   diagonalization: E ---> E

by

   diagonalization(M) = \exists_x ( x = #M & M )

So if N = N(x), i.e. x is the only free variable in N, then

   Q |- diagonalization(N) <--> N(#N)

Note the privileged position of the variable x here. Then B&J show [Lem. 1, p 172] that diagonalization is representable in Q (don't understand the proof yet), meaning that there's an expression A(x,y) in E such that for any expression M in E,

   Q |- \exists_y ( A(#M, y) <--> y = #diagonalization(M) )

Then we define the expression F(x) by

   F = \exists_y ( A(x,y) & B(y) )

so that for any M,

   Q |- F(#M) <--> B( #diagonalization(M) )

Then letting G = diagonalization(F), we have

   Q |- G <--> F(#F) <--> B( #diagonalization(F) ) = B( #G )

******** Caution about analogies ********

Why not set-theorize Goedel's fixed point theorem? For any B(y),

   Q |- F( #M ) <--> B( #M(#M) )

I guess that's

   M \in F   iff   (M \in M) \in B

so F is the "set"

   F = { M : (M \in M) \in B }

Hmm, looks pretty fishy... I can't figure out how to make sense out of that.
Or, how to translate into number theory Cantor's argument from which Russell's paradox springs:

Given any set X and any function h: X ---> 2^X, h is not onto.

Proof: Let R = { x \in X : x \notin h(x) }. Then we claim R \in 2^X is not in the image of h. If it were, say R = h(y), then we have a contradiction

   y \in R   iff   y \in h(y)   iff   y \notin R      \qed

Sandy thought that thinking of 2^X as truth functions on X rather than subsets of X might get us somewhere, but I don't see anything yet...

For another hazy analogy, Odifreddi says on p 81

   Set Theory       Lambda Calculus
   element          argument
   set              function
   membership       application
   set formation    lambda abstraction
   set equality     term equality

Then he says that

   \x. N (x x)

is the LC analogue of the Russell set

   { x : x \notin x }

for any term N "that is never the identity". Pretty shaky...

So maybe we should give Goedel some credit for making the translation of Russell's paradox to number theory :-D

Bill

>From richter@... Tue Oct 17 20:56:10 2000
Date: 14 Mar 1999 04:14:58 -0600
From: Bill Richter
To: zabell
CC: matthias@..., shriram@..., m-depristo@..., lars@..., rrb@...
bcc: weemba@..., jhs@..., szabell@..., rezk
Subject: Re: Y combinator, Goedel I, & Russell's paradox
Status: O

Sandy, thanks for pointing me to Goedel's original argument in Nagel & Newman's book "Goedel's Proof". I was so proud to have discovered Russell's paradox in Boolos & Jeffries's proof, but N&N make the connection quite clear. They say that Goedel pointed out that he was following Richard's paradox, which was concocted in 1905 by a guy Jules Richard I never heard of, but it goes like this:

Enumerate the formulas M(x) of LA as F_n(x), and ask whether F_n(n) is true, which is like the question X \in X. Then let R(n) be the statement -F_n(n), which is like the Russell set R = { X : X \notin X}. Assume (here's the contradiction) that R(n) is given by one of our formulas, so that R(x) = F_m(x), for some m, and then

   F_m(m) = R(m) = -F_m(m)

which is Richard's paradox.
Here's a less cryptic account (to me) than N&N's of how Goedel might have modified Richard's paradox to prove that any consistent axiomatizable theory T containing Q is incomplete. I actually end up with different conclusions than N&N and Goedel, so I'd be interested in you reading this.

LA is the 1st order language of Arithmetic. A formula M of LA is written M(x) if FV(M) = {x}. Given a number n \in N, the standard model of LA, they write M(n) for what in the LC we'd call M[x<-n], which doesn't require x to be free in M, and this is generalized in LA as

   M(n) := \exists_x. x = n & M

After inventing Goedel numbers, Goedel could ask whether M(#M) is false, for any formula M(x), and that sounds like we want

   R(#M) = -M(#M)

but there is no formula R(x) of LA which gives this. However, he replaced this with the more subtle statement

   R(#M) is true in N   iff   M(#M) is not provable in T

which is the same as

   |= R(#M)   iff   #M(#M) \notin #T

and then produced R(x) by showing that there's a total recursive function d: N ---> N such that for any M(x),

   d(#M) = #M(#M)

and that recursive means representable in T (or even better, Q), and that #T is recursively enumerable. Let's go through this:

B&J [Lem. 1, p 172] explain the function d quite well, why it's represented in Q by a formula D(x,y) of LA, that

   Q |- \exists_y ( D(#M, y) <--> y = #diagonalization(M) )

where M(#M) is generalized to formulas M not of the form M(x) by

   diagonalization(M) = \exists_x ( x = #M & M )

Now we need a formula C(y) of LA s.t. for any closed formula M,

   |= C(#M)   iff   M \notin T

This follows from r.e. theory, but I haven't seen it written down anywhere. N&N's argument here is cryptic to me.

As B&J [pf. of Thm. 5, p 177] show, T being axiomatizable implies that #T is recursively enumerable, meaning there's a total recursive function f: N ---> N with Image(f) = #T. Then as B&J prove [Ch 14], there's a formula A(x,y) s.t.

   f(n) = k   iff   Q |- \forall_y . A(n,y) <-> y = k

Then we claim that

   B(y) = \exists_x A(x,y)

defines Image(f) subset N in the sense that

   |= B(k)   iff   k \in image(f)

Proof: |= B(k) => there exists n \in N s.t. |= A(n,k). Since f is a total function, f(n) = l for some l \in N, but then k = l is provable in Q. The other direction is easy. \qed

Now let f and A(x,y) represent #T, and let C(y) = -B(y), so we have

   |= C(k)   iff   k \notin #T

so for any closed formula M, we have

   |= C(#M)   iff   M \notin T

Now we can define R(x), since we've shown the 2 pieces of R are representable in Q. Our desired relation is now

   |= R(#M)   iff   |= C( #M(#M) )

and we achieve this by

   R(x) = \exists_y . D(x, y) & C(y)

Then we get our Russell/Richard/Goedel contradictory sentence by

   G = diagonalization(R)

and we have

   Q |- G <--> C( #G )

as follows:

   Q |- G <--> R(#R)
   Q |- R(#M) <--> C( #diagonalization(M) ), for any formula M of LA,
   Q |- G <--> C( #diagonalization(R) ) = C( #G )

As before, I claim that we should think of this as the path to the Lambda Calculus Y combinator. We note that the argument works for any C, and it looks like

   R(#M) = C( #M(#M) )
   G = R(#R)
   G = C( #G )

and in LC this makes perfect sense and gives a fixed point for C by stripping the pound signs:

   let R = (lambda m. C (m m))
   let G = (R R)
   then G = (C G)

That's the only good motivation for the LC Y combinator I know of

   Y = (lambda c. (lambda r. (r r)) (lambda m. c (m m)))

TLS makes a good try to motivate Y_v, but I don't quite buy it.

Well, on to the contradiction. Since T contains Q we have

   T |- G <--> C( #G )
   T |- G   iff   T |- C( #G )   implies   |= C( #G )   iff   G \notin T
   T |- G   implies   G \notin T

Therefore, since T is assumed to be consistent, T cannot prove G, i.e. T |- G must be false. On the other hand, G is true in N, since

   |= G   iff   |= C( #G )   iff   G \notin T

and we just showed that G \notin T. So T is strictly smaller than Th(N).
Now N&N claim to prove that

   T |- G   iff   T |- -G

and I don't how they can prove that, since T |- C( #G ) doesn't tell us anything without passing to |= C( #G ). I've based my treatment on what I could glean from their account. To me,

   \forall z. - Dem(z,x)

means x isn't provable in T and that's where my C comes from, but it has to take place in N, so I think they're gapping.

Well, N&N isn't giving Goedel's argument anyway, because they say that Goedel actually proved

   T |- G    implies   T |- -G
   T |- -G   implies   LA is omega-inconsistent,

Hmm...

Bill

For completeness, here is my earlier derivation.

******** Russell's paradox => Goedel I ********

We also have that for any expression M(x),

   |= F( #M )   iff   |= -B( #M(#M) )   iff   |= -M(#M)

The statement F( #M ) means F is satisfied by the Goedel number of M. Let's translate F( #M ) into set theory as M \in F. Then we have

   M \in F   iff   M \notin M

That is, F is the "set"

   F = { M : M \notin M }.

That's the Russell set, and the contradiction is then the usual Russell paradox

   F \in F   iff   F \notin F

or

   G   iff   not G

And we can even see where F & G came from. Aping Russell, we'd like to define a formula F(x) such that for any M(x), F is satisfied by #M iff #M does not satisfy M. Well, we can do that if Th(N) is decided by B(y), we "define"

   F(#M) = -B( #M(#M) )

Of course it's not clear that such an expression F(x) exists. Let's recall B&J's argument. Recall \exists is the Tex symbol for "there exists", the backwards E. Then B&J define

   diagonalization: E ---> E

by

   diagonalization(M) = \exists_x ( x = #M & M )

So if N = N(x), i.e. x is the only free variable in N, then

   Q |- diagonalization(N) <--> N(#N)

Note the privileged position of the variable x here. Then B&J show [Lem. 1, p 172] that diagonalization is representable in Q, meaning that there's an expression A(x,y) in E such that for any expression M in E,

   Q |- \exists_y ( A(#M, y) <--> y = #diagonalization(M) )

Then we define the expression F(x) by

   F = \exists_y ( A(x,y) & B(y) )

so that for any M,

   Q |- F(#M) <--> B( #diagonalization(M) )

Then letting G = diagonalization(F), we have

   Q |- G <--> F(#F) <--> B( #diagonalization(F) ) = B( #G )

>From richter@... Tue Oct 17 20:56:45 2000
Date: 19 Mar 1999 02:52:51 -0600
From: Bill Richter
To: zabell
CC: matthias@..., szabell@..., shriram@..., lars@..., m-depristo@..., c-jensen@..., rrb@...
Subject: Re: Y combinator, Goedel I, & Russell's paradox
Status: O

Matthias, I now think that your argument in TLS [p 157-9] for the nonsolvability of Halting Problem isn't actually a proof. I still like your argument, it's the 1st thing I ever understood about the connection between Goedel I & Russell's paradox. I think it's quite suitable for TLS, and you don't claim that you've proven the theorem. However...

You prove that there exists no Scheme function will-stop? that returns #t or #f on a function f depending on whether (f '()) halts or not. Then you give a nice Russell-ish argument,

   (define (last-try x)
     (if (will-stop? last-try)
         (eternity x)))

   (last-try '()) halts   <=>   (last-try '()) doesn't halt

But that doesn't prove the Halting Problem is unsolvable, because we can't perform any computation on Scheme expressions in Scheme. I think that's true, anyway.

Moving from LC_v to LC, Turing etc. proved that computable functions on N are lambda-definable, but I don't think computable functions on Lambda are definable in LC. That's why they use the kludge of Goedel numbering

   #: Lambda ---> N

to handle computations on Lambda, and then the #-fixed point theorem

   F [#X] = X

Using this, Dana Scott showed [Hankin, ch 6] that

   {X in Lambda : X has a beta-nf}

is undecidable, and that's essentially the nonsolvability of Halting Problem.
That is, there's no computable function

   h: N ---> {0,1}

such that h^{-1}( 1 ) is the image

   {X has a beta-nf} subset Lambda -#--> N

I think it would be interesting to port these nonsolvability theorems to LC_v, can you tell me where that was done?

And even better, is there some way of jazzing up LC_v to handle computations on Lambda? Maybe use Lambda as Data Constants? I know that Scheme has functions that would allow you to do some computations on Lambda, like symbol? & procedure?. But I still think no matter how rich Scheme is, that Scheme won't capture computations on Scheme expressions.

--
Bill

>From richter@... Tue Oct 17 20:56:55 2000
Date: 19 Mar 1999 03:01:20 -0600
From: Bill Richter
To: matthias@...
CC: zabell, szabell@..., shriram@..., lars@..., m-depristo@..., c-jensen@..., rrb@...
Subject: Re: Y combinator, Goedel I, & Russell's paradox
Status: O

Matthias, I finally understand Odifreddi's cryptic derivation

   Russell's paradox => Y combinator

Maybe Odifreddi's argument was badly translated from Italian, or maybe he didn't understand it himself. I suspect Curry understood it, because Y is sometimes called "Curry's paradoxical combinator". I'm really happy with this argument, as it avoids the Goedel numbers that came up in the previous derivation via Goedel I.

The proof of Russell's paradox (basically due to Cantor) can be generalized as follows. See below for why this is a generalization.

Let X and A be sets, and N: A ---> A be a function with no fixed point. Let A^X be the set of functions from X to A. Then Cantor showed that X is smaller than A^X, and in fact his proof shows that for any function

   h: X ---> A^X

we can construct an element R \in A^X that's not in the image of h. Thus, no function h is onto, and that's what smaller means.
Our function h is "adjoint" to a function

   h': X \times X ---> A
   h'(y,x) = h(y)(x)

and then we can define the function R: X ---> A by

   R(x) = N( h'(x,x) )

If we assume h is onto, we get the diagonal argument counterexample: assume R = h(y) for some y \in X, then

   R(x) = h'(y,x)   for all x \in X,

but then

   R(y) = N( h'(y,y) ) = h'(y,y)

and so h'(y,y) is a fixed point of N, and that's a contradiction.

Well, the contrapositive of this argument gives a technique to produce fixed points! I wouldn't have thought of it before reading it in Odifreddi, but it makes sense. Suppose we think N: A ---> A really has a fixed point, and we have a function

   k: X \times X ---> A

Let's define as above the function R: X ---> A by

   R(x) = N( k(x,x) )

and let's suppose we can show that for some y \in X, we have

   R(x) = k(y,x)   for all x \in X.

Then we know that N has a fixed point. And furthermore k(y,y) is a fixed point for N, since

   R(y) = N( k(y,y) ) = k(y,y)

Now for the LC Y combinator. Let A = X be the set Lambda/= of lambda expressions modulo alpha & beta equivalence, and application gives us a function

   k: X \times X ---> X
   (U,V) |--> U V

Given N \in X, we have a function

   N: X ---> X
   U |--> N U

Now we look at the function R: X ---> X by

   R(x) = N (x x)

and we can see that for

   y = \x. N (x x)

we have

   R(x) = k(y,x)   for all x \in X

So the Russell/Cantor argument above tells us that

   y y = k(y,y)

is a fixed point for N, and that's the LC Y combinator,

   \n. (\y. y y) (\x. n (x x))

Isn't that nice!
\qed

There's no need to modify this derivation of Y to give Y_v of LC_v, because Y_v is the port of Y to LC_v, once we understand where the formula for Y came from, we don't have to wonder about where Y_v came from, in case we aren't satisfied by the derivation of Y_v in TLS :)

BTW I note that your partial-derivation of Y_v in TLS comes immediately after your partial-proof of the nonsolvability of the Halting Problem, so I could easily believe you knew this argument, but presented something more suitable for the young in TLS.

Russell's paradox is really Cantor's theorem that any set X is smaller than its power set 2^X. In fact, given any function

   h: X ---> 2^X

we can construct an element R \in 2^X that's not in the image of h:

   R = { x \in X : x \notin h(x) }

Recall the contradiction: assume R = h(y) for some y \in X, then

   y \in R   iff   y \notin h(y)   iff   y \notin R

But instead let's think of 2^X as the set of functions from X to {T,F}, and we have the function

   -: {T,F} ---> {T,F}

that switches T and F, then R \in 2^X is the function

   x |--> - h(x)(x)

We see this translation of R because the correspondence between the power set and function is

   f: X ---> {T,F}   |-->   f^{-1}(T) subset X

So

   - h(x)(x) = T   iff   x \notin h(x)^{-1}(T) subset X

Now we have the usual diagonalization argument: R = h(y) means

   - h(x)(x) = R(x) = h(y)(x)   for all x \in X

but that gives the contradiction

   - h(y)(y) = h(y)(y) \in {T,F}

To really get Russell's paradox, if X is the nonsensical set of all sets, then 2^X is a subset of X. After all, any subset of X is a set, hence an element of X. So instead of a function

   h: X ---> 2^X

we might as well take the composite

   X -h--> 2^X subset X

and we have such a function, the identity function.
Then

   x \notin h(x)

translates to

   x \notin x

and we have the usual Russell set

   R = { x \in X : x \notin x }

and y = R, so the paradox is

   R \in R   iff   R \notin R

And this last paradoxical sentence has a flavor that's shared by your TLS argument

   (define (last-try x)
     (if (will-stop? last-try)
         (eternity x)))

   (last-try '()) halts   <=>   (last-try '()) doesn't halt

even if last-try isn't really analogous to R. But it's a start, and I was really thrilled to see your argument, it was the 1st thing I'd ever understood about the proof of Goedel I.

But now in Sandy Zabell's class I went through the proof of the nonsolvability of the Halting Problem as well as Goedel I and I was able to squeeze a much stronger connection between Russell's paradox and Goedel I/Halting from Boolos & Jeffries, which I already posted, but I only worried about it to deduce Y, which we now see comes directly from Russell's paradox.

Hard to say my Goedel efforts were wasted, though, it's a nice theorem :) But I'd sure like to get the Goedel numbers out of the Scott's undecidability of

   {X in Lambda : X has a beta-nf}

--
Bill
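
The diagonal construction from the last forwarded message (R(x) = N(h'(x,x)) lies outside the image of any h: X ---> A^X, and its contrapositive makes y y a fixed point of N), as an added Python example that is not part of the thread. The names diagonal, missed_by_every_h, Y, Y_v and fact_step are chosen here, and Y_v is written in the usual eta-expanded call-by-value form, which the messages name but do not spell out.

```python
# Added illustration, not code from the thread. All names are chosen here.
from itertools import product


def diagonal(h, N, X):
    """R(x) = N(h'(x,x)), where h'(y,x) = h(y)(x) and h: X -> A^X."""
    return {x: N(h[x][x]) for x in X}


def missed_by_every_h(X, A, N):
    """Enumerate every h: X -> A^X and check that R is outside its image.

    Requires N: A -> A to have no fixed point, as in the Cantor argument.
    Returns (claim_holds, number_of_h_checked).
    """
    if any(N(a) == a for a in A):
        raise ValueError("N has a fixed point, so the argument does not apply")
    # A^X: each function X -> A is stored as a dict.
    functions = [dict(zip(X, values)) for values in product(A, repeat=len(X))]
    checked = 0
    for images in product(functions, repeat=len(X)):
        h = dict(zip(X, images))
        R = diagonal(h, N, X)
        # If R = h(y), then R(y) = N(h'(y,y)) = h'(y,y): a fixed point of N.
        if any(h[y] == R for y in X):
            return False, checked
        checked += 1
    return True, checked


# Contrapositive: with k(u, v) = u(v) (application), y = \x. N (x x)
# satisfies R(x) = k(y, x), so y y is a fixed point of N.
Y = lambda n: (lambda y: y(y))(lambda x: n(x(x)))

# Python evaluates arguments first (call-by-value), so the x(x) inside Y
# is unfolded forever. Y_v delays it behind \v. (x x) v.
Y_v = lambda n: (lambda y: y(y))(lambda x: n(lambda v: x(x)(v)))


def fact_step(self_):
    """The N of this example: one unfolding of factorial."""
    return lambda k: 1 if k == 0 else k * self_(k - 1)


def y_diverges():
    """True if plain Y fails to terminate under eager evaluation."""
    try:
        Y(fact_step)
    except RecursionError:
        return True
    return False


def fixed_point_agrees(upto=8):
    """G = Y_v N and N G compute the same function on 0..upto-1."""
    G = Y_v(fact_step)
    NG = fact_step(G)
    return all(G(k) == NG(k) for k in range(upto))


if __name__ == "__main__":
    # Russell/Cantor case: A = {T, F}, N = negation, X has three elements.
    print(missed_by_every_h(("a", "b", "c"), (True, False), lambda t: not t))
    # Generalised case: A has three elements, N is a fixed-point-free shift.
    print(missed_by_every_h((0, 1), (0, 1, 2), lambda a: (a + 1) % 3))
    print(y_diverges(), Y_v(fact_step)(5), fixed_point_agrees())
```

The exhaustive check covers all 512 maps h for a three-element X with A = {T,F}; the second call uses a three-element A, the generalization the message states beyond the power-set case.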

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-05-16 02:39

John, I see my problem, I had

new_constant("on_line",`:point#line->bool`);;

which I guess (for the Currying reasons you explained) isn't your

new_constant("on_line",`:point->line->bool`);;

My Hilbert axiom incidence & betweenness axiom code now works:

(* Paste in these 2 commands:
hol_light> ocaml
#use "hol.ml";;
*)

new_type("point",0);;
new_type("line",0);;
new_constant("Between",`:point#point#point->bool`);;
new_constant("===",`:point#point->point#point->bool`);;
new_constant("on_line",`:point->line->bool`);;

parse_as_infix("on_line",(12, "right"));;
parse_as_infix("===",(12, "right"));;
parse_as_infix("cong",(12, "right"));;

let cong_DEF = new_definition
  `A,B,C cong X,Y,Z <=>
   A,B === X,Y /\ A,C === X,Z /\ B,C === Y,Z`;;

let is_ordered_DEF = new_definition
  `is_ordered (A,B,C,D) <=>
   Between (A,B,C) /\ Between (A,B,D) /\ Between (A,C,D) /\ Between (B,C,D)`;;

let Collinear_DEF = new_definition
  `Collinear(A, B, C) <=>
   ?l. A on_line l /\ B on_line l /\ C on_line l`;;

let I1 = new_axiom
  `!A B. ?! l. A on_line l /\ B on_line l`;;

let I2 = new_axiom
  `!l. ? A B. A on_line l /\ B on_line l /\ ~(A = B)`;;

let I3 = new_axiom
  `?A B C. ~ Collinear(A, B, C)`;;

let B1 = new_axiom
  `! A B C. Between(A, B, C) ==>
   ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ Between(C, B, A) /\ Collinear(A, B, C)`;;

let B2 = new_axiom
  `! A B. ~(A = B) ==> ?C. Between(A, B, C)`;;

let B3 = new_axiom
  `!A B C. ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ Collinear(A, B, C) ==>
   Between(A, B, C) \/ Between(B, C, A) \/ Between(C, A, B)`;;

let B4 = new_axiom
  `!A B C. ~ Collinear(A, B, C) ==>
   !l. ~(A on_line l) /\ ~(B on_line l) /\ ~(C on_line l) /\
   ?X. X on_line l /\ Between(A, X, B) ==>
   ?Y. Y on_line l /\ (Between(A, X, C) \/ Between(B, Y, C))`;;

(* no error messages!

--
Best,
Bill
*)

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-05-16 03:35

   Yes, for now you can replace the "new_axiom" stuff with the
   explicit model construction I sent out earlier. I will experiment
   a bit to find the nicest way of doing things with the axioms as
   hypotheses. I like Freek's idea of having the hypothesis in the
   assumption list of the theorem rather than as the antecedent of an
   implication, but I need to dig into miz3 a bit more deeply or get
   help from Freek to make it work.

Great, John, and thanks for helping me! I have two thoughts:

1) One advantage of Tarski's axioms over Hilbert's is that they're ``more'' FOL. In my Hilbert paper, I'm constantly using set theory, and we use sets to define notions like rays, angles and triangles, and the congruence axioms are based on these set-definitions. So what a great place to try out HOL set theory ideas!

2) I've often posted here that my Mizar code was silly, but I think I finally understand it. I'm taking advantage of a Mizar feature: a more aggressive automation would defeat my 2-column proofs, but Mizar is aggressive enough that it works. It goes like this:

I have a big definition of all the axioms, and I give them names like CongruenceSymmetry. Then I define a set S to be a Tarski-model if it satisfies all the axioms, so e.g. S CongruenceSymmetry is true. Then I prove theorems that the axioms hold for a Tarski model! All 7 proofs are ridiculously short. Then I invoke the axioms like this. In theorem EquivReflexive, the 2-line proof is

   b,a equiv a,b by A1, TarskiModel;
   hence a,b equiv a,b by A2, TarskiModel;

I thought today, why didn't I just write the proof simpler, like

   b,a equiv a,b by TarskiModel;
   hence a,b equiv a,b by TarskiModel;

That would really make a joke out of my scheme. An aggressive automation would be able to handle this simpler proof, because TarskiModel is a label saying that S satisfies Tarski's axioms, including A1 and A2.

Well, much to my relief, this simpler proof didn't work. Which means that the Mizar automation is so non-aggressive that we can do 2-column proofs this way. I assume miz3 is similarly non-aggressive. So I now think my original Mizar code isn't so bad, and it looks even better with the extra HOL-powered sets needed for Hilbert's axioms.

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Freek Wiedijk - 2012-05-16 09:08

Hi Bill & John,

>| Better error messages would be great.

The way the error messages work is that first the proof is split into "steps" based on the semicolons and keywords. (I think certain keywords always start a new step and semicolons always end one, with "now" and "proof" being the exception because they count as a step but don't have a semicolon, and with bracketing taken into account, because you don't want to have REWRITE_TAC[FOO; BAR] split the step.)

Anyway, then the errors always point at the end of such a step. And then errors 4 to 9 you should take to mean "something is seriously wrong", of the order of a syntax or type error, while for errors 1 to 3 you should think about the actual proof, i.e., they mean something like "the contents of the statements don't match up". Error 3, "skeleton error", means that the proof step doesn't match the "thesis", while errors 1 and 2 mean that the "by" didn't get it (or that the inference just doesn't hold in the first place).

There actually are three parsers working together: my Mizar-style proof language parser (error 9), the HOL term and type parsers (error 8) and the ocaml parser for the items in a "by" list (which may be thms/tactics/conversions, so everything there is first given to the ocaml parser: that's error 5).

>I'll defer to Freek on miz3-specific things, but I will try to
>improve cases where the native HOL Light error reporting is part of
>the problem.

The main problem on that side is of course that the HOL term parser won't point out where the syntax error is if there is a syntax error. Still I don't know whether adding something for that would be too useful. If I get error 8, I generally put the offending statement between backquotes in the HOL session, and fiddle with it until it's right. And then copy/paste it back.

Freek

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: John Harrison - 2012-05-16 19:54

Hi Bill,

| John, thanks for the Currying info. BTW I'm including below an
| explanation of Curry's paradoxical Y combinator, which in the
| lambda_calculus defines recursive functions.

Thanks, that's an interesting discussion! HOL really is built on top of typed lambda calculus, so ultimately all terms are those of lambda calculus, with logical connectives and other constructs merely being implemented by constants. You can see the underlying abstract syntax for terms if you remove the special prettyprinting, e.g.

  #remove_printer print_qterm;;
  # `!x. SUC x = x + 1`;;
  val it : term =
    Comb (Const ("!", `:(num->bool)->bool`),
     Abs (Var ("x", `:num`),
      Comb
       (Comb (Const ("=", `:num->num->bool`),
         Comb (Const ("SUC", `:num->num`), Var ("x", `:num`))),
       Comb (Comb (Const ("+", `:num->num->num`), Var ("x", `:num`)),
        Comb (Const ("NUMERAL", `:num->num`),
         Comb (Const ("BIT1", `:num->num`), Const ("_0", `:num`)))))))

Even for such a small term, this is not very readable, but it can be instructive if you want to see how certain derived constructs like [a;b;c], {x,y} and if p then q else r actually map down into the underlying abstract syntax of typed lambda-calculus.

John.

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: John Harrison - 2012-05-16 19:56

Hi Bill,

| 1) One advantage of Tarski's axioms over Hilbert's is that they're
| ``more'' FOL. In my Hilbert paper, I'm constantly using set theory,
| and we use sets to define notions like rays, angles and triangles, and
| the congruence axioms are based on these set-definitions. So what a
| great place to try out HOL set theory ideas!

Indeed so, though as Phil pointed out earlier, you may need to be careful not to assume the axiom of infinity without justification. That shouldn't be a danger since you will be using the special geometric type of points without relying on any infinite types like :num that are already there. In fact, Phil and Jacques have an interesting paper where they systematically derive the natural numbers from some of Hilbert's axioms.

| That would really make a joke out of my scheme. An aggressive
| automation would be able to handle this simpler proof, because
| TarskiModel is a label saying that S satisfies Tarski's axioms,
| including A1 and A2. Well, much to my relief, this simpler proof
| didn't work. Which means that the Mizar automation is so
| non-aggressive that we can do 2-column proofs this way. I assume
| miz3 is similarly non-aggressive.

In general, the default miz3 prover may be more powerful than Mizar's because it first tries "HOL_BY" (which is close to Mizar's basic prover) and then MESON (which is a more general first-order prover). However, since "TarskiModel(....)" refers to something merely defined to be equal to the conjunction of the axioms, rather than actually *being* the conjunction of those axioms, neither prover will automatically take that definition into account. So indeed I don't think this will by default work in miz3 either. This situation does seem right from a pedagogical point of view if you want to identify clearly where each axiom and earlier theorem gets used in a proof.

John.

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-05-17 04:53

John and Freek, the simplest way for me to understand my syntax and semantics would be to read and then rewrite miz3.ml. Right now I feel I couldn't possibly do that, because of what Freek writes on p 17--18:

   if one leaves out enhancements like the caches and time-outs, the
   system becomes unusable for serious work.
   [...]
   In other words the full proof is processed every time a check is
   done. To make this acceptably fast, there are two caches. The first
   cache holds inferences that have already been checked, to prevent
   the checker from having to run all tactics every time. The second
   cache holds the OCaml objects associated with the elements in the
   by justifications. These are calculated using the OCaml functions
   Toploop.parse_toplevel_phrase and Toploop.execute_phrase (which
   together are the OCaml equivalent of Lisp’s eval function).

I'm not competent to deal with OCaml caches, and I bet it would impede my visibility of the `abstract description'. My only hope that we could rip out the OCaml code is Freek's preceding remark

   Specifically, when checking a proof from the vi interface by typing

But I don't ever do that, and John doesn't either.

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-05-17 05:05

   | an explanation of Curry's paradoxical Y combinator, which in the
   | lambda_calculus defines recursive functions.

   Thanks, that's an interesting discussion!

John, I'd be thrilled if you read it, and you'd be the first. Sorry for leaving on the to- & cc-lists. Partly I wrote it because I was so dissatisfied with Matthias Felleisen's explanation of the Y combinator in his book The Little Schemer. BTW I only learned how to code in Scheme after reading Felleisen's free book HtDP.

Thanks for the responses, which I'll study, and I'm glad you fixed the camlp5 biz. One remark about sets and geometry axioms:

Seems we should be able to define a Tarski model to be a triple (S, Between, Equiv) where S is a set (of our points), Between is a subset of the Cartesian product C^4, and Equiv is a subset of the Cartesian product C^3, where the 7 axioms involving Between and Equiv hold. I think in HOL you define Cartesian products using lambda, which sorta makes sense, because an element of C^4 is a function {1,2,3,4} -> C. That's a switch for me, because in Scheme you're taught not to do this, because the lambda doesn't get evaluated soon enough.

Does this sound like a good idea? And the only improvement would be to be able to make a global declaration that we're using the Tarski model (S, Between, Equiv) over the next 38 theorems & proofs.

You keep referring to Phil's work, and maybe he's solved all these problems. Is his code available for studying (and borrowing)?

--
Best,
Bill

[Hol-info] Some experimental support for non-ascii chars in HOL-Light
From: Voelker, Norbert - 2012-05-17 15:49

I have hacked the HOL-Light files parser.ml and printer.ml to provide some experimental support for non-ascii ("eight-bit") chars in terms, see

   http://csee.essex.ac.uk/staff/norbert/hol_light_non_ascii/

It is not a proper Unicode mode or anything like that, and in particular you cannot mix ascii and non-ascii characters in one identifier unless you use an underscore character to join them. But it should support some typical use-cases such as identifiers made from Greek letters or mathematical symbols.

Please email me directly if you have comments/ find bugs - I am not a regular reader of this mailing list.

Norbert.

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-05-18 02:35

John, can you help me with Cartesian powers? Following this example in the tutorial

let monotonic = new_definition
  `monotonic c <=> !q q'. q SUBSET q' ==> (c q) SUBSET (c q')`;;

(* I tried this, and it works: *)

let plane = new_definition
  `plane S Between Equiv <=> (Between SUBSET S /\ Equiv SUBSET S)`;;

(* But that's not what I want. I thought the reference manual said that
   ^ means Cartesian power, so I tried something that didn't work: *)

let planex = new_definition
  `planex S Between Equiv <=> (Between SUBSET S^3 /\ Equiv SUBSET S^4)`;;

(* Warning: inventing type variables
   Exception: Failure "new_definition: term not closed". *)

let planexa = new_definition
  `planexa S Between Equiv <=>
   (Between:S->S->S->bool /\ Equiv:S->S->S>S->bool)`;;

(* Same error message. *)

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: John Harrison - 2012-05-18 03:42

Hi Bill,

| (* But that's not what I want. I thought the reference manual said that
| ^ means Cartesian power, so I tried something that didn't work: *)

It's true that ^ means Cartesian power, but on *types* rather than *terms*. If you are happy to just use the universe of an arbitrary type "S" as your basic set, then you could use the ^ constructor to produce types of triples "S^3" or whatever. On the one hand, this would be a bit easier because then the fact that p is a point is implicit in the typing p:S and doesn't require a membership assertion. On the other hand it is a bit less general than letting S be an arbitrary subset of an arbitrary type.

There is no Cartesian power on sets predefined, though it would not be hard to define it, and perhaps this is the right way to go. Alternatively, you can use either of the following in place of S^3, though they are a bit verbose:

  {(x,y,z) | x IN S /\ y IN S /\ z IN S}

  S CROSS S CROSS S

John.

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-05-19 00:39

Thanks, John! Yet again you were extremely helpful. Your fix works:

let plane = new_definition
  `plane S Between Equiv <=>
   (Between SUBSET {(x,y,z) | x IN S /\ y IN S /\ z IN S} /\
    Equiv SUBSET {(x,y,z,w) | x IN S /\ y IN S /\ z IN S /\ w IN S})`;;

I don't know how to define the types of triples "S^3", but I can read the reference manual to try to figure this out. I have another dumb question below, but first let me explain why I need sets.

The way I organized my Hilbert paper was to define a Hilbert plane S, a set whose elements we call points, with subsets called lines, which has Betweenness and relations satisfying 13 axioms. Then for solid geometry I say we have a set Space with certain subsets S which are Hilbert planes. These two alternatives seem unpleasant:

1) to go back and redefine one axioms, using the new term coplanar, and then reprove all the theorems (the fixes are all easy).

2) be doing solid geometry from the beginning: that's tough on a high school audience, who have enough trouble with plane geometry.

new_type("point",0);;
new_type("line",0);;
new_constant("on_line",`:point->line->bool`);;
parse_as_infix("on_line",(12, "right"));;
new_constant("Between",`:point#point#point->bool`);;
new_constant("Twiddle",`:point->line->point->bool`);;

let Twiddle_DEF = new_definition
  `Twiddle(A, l, B) <=> ~(?X. (X on_line l) /\ Between(A, X, B))`;;

(* error message:
   Exception: Failure "typechecking error (initial type assignment)". *)

new_constant("Twiddle6",`:line->point#point->bool`);;
parse_as_infix("Twiddle6",(12, "right"));;

let Twiddle6_DEF = new_definition
  `l Twiddle6 A,B <=> ~(?X. (X on_line l) /\ Between(A, X, B))`;;

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-05-19 01:15

Has everyone read Freek Wiedijk's bold and stirring article in the Notices of the AMS, mentioned in the wiki page for HOL Light? Freek's last point occurred to me: how can I get someone to referee my Hilbert paper? Why don't I formalize it myself first in miz3?

--
Best,
Bill

Freek Wiedijk
The Future of Formal Mathematics
[December 2008 Notices of the AMS 1413]

In mathematics there have been three main revolutions:

o The introduction of proof by the Greeks in the fourth century BC, culminating in Euclid’s Elements.

o The introduction of rigor in mathematics in the nineteenth century. During this time the nonrigorous calculus was made rigorous by Cauchy and others. This time also saw the development of mathematical logic by Frege and the development of set theory by Cantor.

o The introduction of formal mathematics in the late twentieth and early twenty-first centuries.

Most mathematicians are not aware that this third revolution already has happened, and many probably will disagree that this revolution even is needed. However, in a few centuries mathematicians will look back at our time as the time of this revolution.
[...]
referees will insist on getting a formalized version before they want to look at a paper.

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: John Harrison - 2012-05-22 17:24

Hi Bill,

| Thanks, John! You made a great Equiv improvement. I'm still really
| confused about HOL Light types, and I would appreciate more guidance.
| I think that everything I want to do with sets ought be easily doable
| in HOL Light with types explaining the mathematical structures.

It is possible to express certain properties with types rather than explicit set constraints, and this can indeed make things a lot smoother and more convenient. On the other hand, HOL types are quite restricted (compared, for example, to richer type theories like Coq's) while set constraints are more general and flexible. Also, there is no concept of one type being a "subtype" of another: different types are considered disjoint and need explicit mappings between them, which makes it more convenient to use sets where you want such subset relationships. In general, it can be a difficult trade-off deciding whether to use types or set constraints in a given situation.

| You defined the type `point' here:
| new_type("point",0);;
| Can't we define the types `line' and `plane' to both be
| point->bool
| and then write
| !P:plane. !x y. x IN P /\ Y IN P ==> ...

If you literally define "plane" as a synonym of "point->bool" (which can be done with "new_type_abbrev") then this would typecheck but wouldn't adequately express the fact that you want plane to be a member of "point->bool" with specific properties, not any member. On the other hand, if you define a type ":plane" taking into account those constraints, then you wouldn't be able to treat it as a set and use IN directly, because of the disjointness issue I mentioned above. This is why I think set constraints may work better, even at the cost of slightly more involved statements. More experimentation may be needed.

|    And for axioms or theorems that are true in higher dimensions, you
|    might as well omit the "plane" hypothesis.
|
| Ah, but that's not the way Hilbert's axioms work. I'm still
| absolutely amazed that Hilbert only needed 3 incidence axioms like
| ``If two distinct planes intersect, their intersection is a line.''
| to handle 3-dim geometry on top of your relativized to any plane P
| 2-dim axioms.

Yes, that does seem surprising. OK then, I guess you should just keep the planarity hypotheses there anyway.

|    it might be a useful basis for analyzing, for example, just what
|    set-theoretic properties you actually end up using and hence
|    clarify the relationship with the other way of formalizing it using
|    unanalyzed concepts for "line" etc. instead of considering them as
|    subsets of points.
|
| Here I don't quite follow you. I think the set theory approach is
| just MUCH simpler than the `unanalyzed concepts' approach, but we
| could with work turn all the set theory into `unanalyzed concepts'.

I agree that it seems much simpler, and thinking of lines and planes as sets of points certainly corresponds to my intuition. Though I wonder if this is just because of the ubiquity of the set concept in modern mathematics. Would, say, an 18th-century mathematician have taken the same view?

| And why would anyone want to do pure syntactic proofs with
| `unanalyzed concepts' now that HOL Light handles sets so nicely? I
| assume the set theory capability has a lot do with how HOL differs
| from FOL.

Perhaps because using sets might be felt to make things less clear from a foundational perspective, since on the face of it you are also using some set-theoretic properties in addition to the explicit axioms. Now, in fact, I think it is clear that such uses are in some sense inessential and eliminable. My point was that having a corpus of totally explicit formal proofs might be a good starting-point for making that belief more rigorous.

John.

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-05-23 04:56

John, I wrote 200+ lines of miz3 code proving the first two lemmas of my paper http://www.math.northwestern.edu/~richter/hilbert.pdf Thanks again for your help in setting up my framework! I actually discovered your "new_type_abbrev" myself reading the dox, and I think I'm in complete agreement with you here:

   This is why I think set constraints may work better, even at the
   cost of slightly more involved statements.

So in other words, we won't define a type ":plane" taking into account those constraints. Can you please look at my code below? The only hard part was the set theory, which you may be able to improve on. That's my first 4 thms, for which I needed to study section 2.9 "Theorems about sets and functions" of your reference manual.

I have a joke: I'm proving two easy-sounding results, the first being

   Given two distinct lines l and m, if X IN l INTERS m, then l INTERS m = {X}.

Well, in my 2 line proof, I had a typo, writing B instead of X. I wonder how many more typos I can find by formalizing my paper! Thanks for the nice comment about my son, who already found lots of mistakes.

--
Best,
Bill

(* Paste in these 2 commands:
   hol_light> ocaml
   #use "hol.ml";;
   then paste in the following file *)

(* ================================================================= *)
(* HOL Light Hilbert geometry axiomatic proofs.                      *)
(* ================================================================= *)

(* Thanks to Mizar folks who wrote an influential language I was able
   to learn, Freek Wiedijk, who wrote the miz3 port of Mizar to HOL
   Light, and especially John Harrison, who came up with the entire
   framework here coding my Hilbert axiomatic proofs in HOL Light. *)

new_type("point",0);;
new_type_abbrev("line",`:point->bool`);;
new_constant("Between",`:point#point#point->bool`);;
new_constant("===",`:point#point->point#point->bool`);;

parse_as_infix("===",(12, "right"));;
parse_as_infix("cong",(12, "right"));;

let cong_DEF = new_definition
  `A,B,C cong X,Y,Z <=>
   A,B === X,Y /\ A,C === X,Z /\ B,C === Y,Z`;;

let is_ordered_DEF = new_definition
  `is_ordered (A,B,C,D) <=>
   Between (A,B,C) /\ Between (A,B,D) /\ Between (A,C,D) /\ Between (B,C,D)`;;

let Collinear_DEF = new_definition
  `Collinear(A, B, C) <=>
   ?l. A IN l /\ B IN l /\ C IN l`;;

let Twiddle_DEF = new_definition
  `Twiddle A l B <=> ~(?X. (X IN l) /\ Between(A, X, B))`;;

parse_as_infix("same_side",(12, "right"));;

let same_side_DEF = new_definition
  `A,B same_side l <=> ~(?X. (X IN l) /\ Between(A, X, B))`;;

(* ------------------------------------------------------------------------- *)
(* The axioms.                                                               *)
(* ------------------------------------------------------------------------- *)

let I1 = new_axiom
  `!A B. ~(A = B) ==> ?! l. A IN l /\ B IN l`;;

let I2 = new_axiom
  `!l. ? A B. A IN l /\ B IN l /\ ~(A = B)`;;

let I3 = new_axiom
  `?A B C. ~ Collinear(A, B, C)`;;

let B1 = new_axiom
  `! A B C. Between(A, B, C) ==> ~(A = B) /\ ~(A = C) /\ ~(B = C) /\
   Between(C, B, A) /\ Collinear(A, B, C)`;;

let B2 = new_axiom
  `! A B. ~(A = B) ==> ?C. Between(A, B, C)`;;

let B3 = new_axiom
  `!A B C. ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ Collinear(A, B, C) ==>
   Between(A, B, C) \/ Between(B, C, A) \/ Between(C, A, B)`;;

let B4 = new_axiom
  `!A B C. ~ Collinear(A, B, C) ==>
   !l. ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) /\
   ?X. X IN l /\ Between(A, X, B) ==>
   ?Y. Y IN l /\ (Between(A, X, C) \/ Between(B, Y, C))`;;

let B4' = new_axiom
  `!A B C. ~ Collinear(A, B, C) ==>
   A,B same_side l /\ B,C same_side l ==> A,C same_side l `;;

#load "unix.cma";;
loadt "miz3/miz3.ml";;
horizon := 0;;

let SingletonSubset_THM = thm `;
  let p be A->bool;
  let x be A;
  assume x IN p [H1];
  thus {x} SUBSET p
  proof
    {} SUBSET p by EMPTY_SUBSET;
    {x} SUBSET p [X1] by -, H1, INSERT_SUBSET;
  qed by -, X1`;;

let SingletonElement_THM = thm `;
  let x a be A;
  thus a IN {x} <=> a = x
  proof
    ~(a IN {}) [X1] by NOT_IN_EMPTY;
    a IN {x} ==> a = x [Imp1]
    proof
      assume a IN {x} [H1];
      ~(a IN {}) by NOT_IN_EMPTY;
    qed by -, H1, IN_INSERT;
    a = x ==> a IN {x} [Imp2]
    proof
      assume a = x;
      a IN {x} by -, IN_INSERT;
    qed by -;
  qed by Imp1, Imp2`;;

let BiggerThanSingleton_THM = thm `;
  let p be A->bool;
  let x be A;
  assume x IN p [H1];
  assume ~(p = {x}) [H2];
  thus ?a . a IN p /\ ~(a = x)
  proof
    {x} SUBSET p by H1, SingletonSubset_THM;
    ~(p SUBSET {x}) by -, H2, SUBSET_ANTISYM;
    consider a such that a IN p /\ ~(a IN {x}) [X1] by -, SUBSET;
    ~(a = x) by -, SingletonElement_THM;
  qed by -, X1`;;

let Line01infinity_THM = thm `;
  let X be point;
  let l m be line;
  assume ~(l = m) [H1];
  assume X IN l /\ X IN m [H2];
  thus l INTER m = {X}
  proof
    (l INTER m = {X}) \/ ~(l INTER m = {X});
    cases by -;
    suppose l INTER m = {X};
    qed by -;
    suppose ~(l INTER m = {X}) [H3];
      X IN l INTER m by H2, IN_INTER;
      consider A such that A IN l INTER m /\ ~(A = X) [X1] by -, H3, BiggerThanSingleton_THM;
      A IN l /\ X IN l /\ A IN m /\ X IN m by -, H2, IN_INTER;
      l = m by -, X1, I1;
      F by -, H1;
    qed by -;
  end;`;;

let EquivIntersectionHelp_THM = thm `;
  let A X be point;
  let l m be line;
  assume l INTER m = {X} [H1];
  assume A IN m DELETE X [H2];
  thus ~(A IN l)
  proof
    A IN m /\ ~(A = X) [X1] by H2, IN_DELETE;
    cases;
    suppose ~(A IN l);
    qed by -;
    suppose (A IN l);
      A IN l INTER m by -, X1, IN_INTER;
      A = X by -, H1, SingletonElement_THM;
      F by -, X1;
    qed by -;
  end`;;

let EquivIntersection_THM = thm `;
  let A B X be point;
  let l m be line;
  assume l INTER m = {X} [H1];
  assume A IN m DELETE X /\ B IN m DELETE X [H2];
  assume ~ Between(A, X, B) [H3];
  thus ~(A IN l) /\ ~(B IN l) /\ A,B same_side l
  proof
    A IN m /\ ~(A = X) [X1] by H2, IN_DELETE;
    B IN m /\ ~(B = X) [X2] by H2, IN_DELETE;
    ~(A IN l) /\ ~(B IN l) [X3] by H1, H2, EquivIntersectionHelp_THM;
    A,B same_side l [X4]
    proof
      cases;
      suppose A,B same_side l;
      qed by -;
      suppose ~(A,B same_side l);
        consider G such that (G IN l) /\ Between(A, G, B) [X5] by -, same_side_DEF;
        ~(A = B) /\ Collinear(A, G, B) [X6] by -, B1;
        consider k such that A IN k /\ G IN k /\ B IN k [X7] by -, Collinear_DEF;
        k = m by -, X1, X2, X6, I1;
        G IN l INTER m by -, X5, X7, IN_INTER;
        G = X by -, H1, SingletonElement_THM;
        Between(A, X, B) by -, X5;
        F by -, H3;
      qed by -;
    end;
  qed by X3, X4`;;
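
An added example, not part of any message in this thread and not HOL Light code: new_axiom accepts any boolean term, so a quick model search is one way to sanity-check an axiom set before building on it. The Python sketch below treats lines as an abstract type with an incidence relation (the point/line signature of the 2012-05-16 message) and compares I1 as first written there with the form guarded by ~(A = B) used in the message above; the function names and the size bounds are assumptions of the example.

```python
from itertools import product

def holds_I1(points, lines, on, guarded):
    """I1: through A and B there is exactly one line.

    guarded=False: `!A B. ?! l. ...`              (2012-05-16 form)
    guarded=True : `!A B. ~(A = B) ==> ?! l. ...` (2012-05-23 form)
    """
    for a in points:
        for b in points:
            if guarded and a == b:
                continue
            through = [l for l in lines if (a, l) in on and (b, l) in on]
            if len(through) != 1:
                return False
    return True

def holds_I2(points, lines, on):
    """I2: every line carries at least two distinct points."""
    return all(sum((p, l) in on for p in points) >= 2 for l in lines)

def collinear(a, b, c, lines, on):
    return any((a, l) in on and (b, l) in on and (c, l) in on for l in lines)

def holds_I3(points, lines, on):
    """I3: some triple of points is not collinear."""
    return any(not collinear(a, b, c, lines, on)
               for a, b, c in product(points, repeat=3))

def find_model(max_points, max_lines, guarded):
    """Exhaustively search small incidence structures for a model of I1-I3.

    Returns (n_points, n_lines, incidence_pairs) for the first model found,
    or None if no structure within the bounds satisfies all three axioms.
    Both carriers are non-empty, matching HOL's non-empty types.
    """
    for n in range(1, max_points + 1):
        for m in range(1, max_lines + 1):
            points, lines = range(n), range(m)
            pairs = [(p, l) for p in points for l in lines]
            for bits in product((False, True), repeat=len(pairs)):
                on = {pl for pl, bit in zip(pairs, bits) if bit}
                if (holds_I1(points, lines, on, guarded)
                        and holds_I2(points, lines, on)
                        and holds_I3(points, lines, on)):
                    return n, m, sorted(on)
    return None

if __name__ == "__main__":
    # Unguarded I1 forces a single line through each point, which then
    # contains every other point, so I3 can never hold.
    print("unguarded I1:", find_model(4, 4, guarded=False))
    # Guarded I1 admits the three-point triangle.
    print("guarded I1:  ", find_model(4, 4, guarded=True))
```

The empty result for the unguarded form is not an artifact of the bounds: with A = B the axiom gives each point exactly one line, that line must also be the unique line through the point and any other point, and so every triple is collinear.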

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-05-23 06:54

John, I wasn't clear in my last message, but I think you said to use HOL sets instead of types, so planes and lines both have type point->bool? If I'm misunderstanding you, please correct me.

   I agree that it seems much simpler, and thinking of lines and
   planes as sets of points certainly corresponds to my intuition.
   Though I wonder if this is just because of the ubiquity of the set
   concept in modern mathematics. Would, say, an 18th-century
   mathematician have taken the same view?

I would have thought you knew more about this than I, but Cantor's set theory was over 100 years later, and he met with fierce resistance: http://en.wikipedia.org/wiki/Georg_Cantor. But your 1700s mathematicians (Cauchy, who discovered Cauchy sequences?) weren't writing axiomatic geometry proofs. Everyone was doing Euclid's picture proofs until Pasch & Hilbert. Wiki says ``Hilbert adopted and warmly defended Georg Cantor's set theory.''

   Perhaps because using sets might be felt to make things less clear
   from a foundational perspective, since on the face of it you are
   also using some set-theoretic properties in addition to the
   explicit axioms. Now, in fact, I think it is clear that such uses
   are in some sense inessential and eliminable. My point was that
   having a corpus of totally explicit formal proofs might be a good
   starting-point for making that belief more rigorous.

Are you saying that my set-theory powered Hilbert proofs will show that the set theory is `inessential and eliminable', or that you want to see non-set-theory axiomatic geometry proofs? I could write up non-set-theory versions of my Hilbert proofs, although it wouldn't ``debug'' my paper very well, and my Tarski proofs have no set theory.

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: John Harrison - 2012-05-30 04:24

Hi Bill,

| I have your InteriorAngle_DEF, which looks great, and thanks for
| writing it. Does my Line_DEF look OK? I have a thm which gets no
| error message until the last line
|
| thus G IN int_angle(A, O, B) by H1, Distinct, I3, notGina, notGinb, Gsim_aB,
| Gsim_bA, InteriorAngle_DEF ;
|
| and Freek's miz3 error message is #2 inference time-out, which means
| that miz3 couldn't prove this assertion G IN int_angle(A, O, B).
| Well, I could believe I messed up something that complicated, and I'll
| try some things.

Without seeing the exact script I can't be absolutely sure, but I think it's very likely that the default prover is failing to expand or otherwise take account of the "let" construct. Can you try it with the lets manually expanded? For example, do

  let InteriorAngle_ALT =
    CONV_RULE(TOP_DEPTH_CONV let_CONV) InteriorAngle_DEF;;

and try using InteriorAngle_ALT in place of InteriorAngle_DEF.

John.

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: John Harrison - 2012-05-30 17:08

Hi Bill,

| I tried it and I get the same error message. I just posted my code
| (sorry I didn't see that you & Rob had written), and maybe I'll say
| the problems I'm having can probably all be circumvented, as in this
| case I replaced a {P | ... } definition by a boolean function. But it
| would be nice to do exactly what I want as an exercise to show that
| HOL Light is very flexible and can handle the set-theoretic
| constructions that come up naturally in math.

Yes, this may be the core problem: the default built-in miz3 prover doesn't know much about sets, and may not know that, say, the formulas

  S = {x | P x}

and

  !x. x IN S <=> P x

are equivalent, as you might have expected. There is a standard HOL Light tactic called SET_TAC that does some preprocessing of set operations and then calls MESON. It would certainly be possible to change the default miz3 prover to do something similar.

You are probably going to hit quite a few such restrictions as you are using miz3 pretty heavily, and it may make sense for us to improve the default miz3 prover as you hit these issues rather than have you work around them. However, I am a bit short of time to work on it right now so I can't promise to fix these shortcomings myself in the short term.

| Here's another thing I couldn't do. Let's define Line(A, B) to be the
| (unique if A <> B) line through the points A and B. Well, then I'd
| like to say in my miz3 code
|
| let a = Line(A, B);
|
| I can't get anything like that to work. You ought to be able to do
| that, right? I see that Freek in lagrange1.ml did this:
|
| set coset = \a. {b | b IN g /\ ?x. x IN h /\ b = a**x} [coset];
| !a. coset a = {b' | b' IN g /\ ?x. x IN h /\ b' = a**x} [13];
|
| So maybe it's set and not let, but that didn't work for me.

I don't know exactly what went wrong, but I can say that let is really a (derived) HOL term construct and needs to conform to the syntax "let x1 = e1 [and x2 = e2 and ... and xn = en] in E" as part of a single term. By contrast, "set" is a Mizar and miz3 construct, and that's what I would expect to work in this situation. (In the world of standard HOL Light tactics, ABBREV_TAC plays a similar role.) I don't know why you hit problems with it.

John.

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-05-31 03:44

Thanks, John! I'll fiddle with the miz3 term `set' and book up in the Mizar literature. This is excellent:

   Yes, this may be the core problem: the default built-in miz3
   prover doesn't know much about sets, and may not know that, say,
   the formulas

     S = {x | P x}

   and

     !x. x IN S <=> P x

   are equivalent, as you might have expected. There is a standard
   HOL Light tactic called SET_TAC that does some preprocessing of
   set operations and then calls MESON. It would certainly be
   possible to change the default miz3 prover to do something similar.

Thanks! That really helps my faith in HOL Light. That would be great if you or Freek could make this improvement.

   You are probably going to hit quite a few such restrictions as you
   are using miz3 pretty heavily, and it may make sense for us to
   improve the default miz3 prover as you hit these issues rather
   than have you work around them. However, I am a bit short of time
   to work on it right now so I can't promise to fix these
   shortcomings myself in the short term.

Can we make a deal? If I code up the Hilbert plane geometry part of my paper (18+ pages), can you fix it by the time I'm done? I think it would be easy to modify my worked-around code if you fix it by then.

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-06-01 04:17

   Yes, this may be the core problem: the default built-in miz3 prover doesn't know much about sets [...] SET_TAC [...] it may make sense for us to improve the default miz3 prover

Thanks, John! Maybe we don't have to improve miz3 for my set theory needs, but instead, I need to rewrite some definitions. Details:

1) Searching for SET_TAC, and found new set theorems IN_SING, SING_SUBSET, MEMBER_NOT_EMPTY in sets.ml and got rid of three of mine!

2) sets.ml shows how DELETE & IN_DELETE (which I use in my code) work:

parse_as_infix("DELETE",(21,"left"));;

let DELETE = new_definition
  s DELETE x = {y:A | y IN s /\ ~(y = x)};;

let IN_DELETE = prove
 (!s. !x:A. !y. x IN (s DELETE y) <=> x IN s /\ ~(x = y),
  REWRITE_TAC[IN_ELIM_THM; DELETE]);;

3) Why can't I do that? I prove theorems ConverseCrossbar_THM & WholeRayInterior_THM (code included below) using

let Ray_DEF = new_definition
  !A B X. ray(X, A, B) <=> ~(A = B) /\ Collinear(A, B, X) /\ ~ Between(X, A, B);;

let InteriorAngle_DEF = new_definition
  !A O B P. int_angle(P, A, O, B) <=> ~ Collinear(A, O, B) /\ ?a b.
  O IN a /\ A IN a /\ O IN b /\ B IN b /\ ~(P IN a) /\ ~(P IN b) /\
  P,B same_side a /\ P,A same_side b;;

I'm really happy these two proofs worked, because now I know I can code up my Hilbert axiom paper. But I'd prefer (change ray to rag):

let Rag_DEF = new_definition
  !A B. rag(A, B) = if (A = B) {} else {X | Collinear(A, B, X) /\ ~ Between(X, A, B);;

let IN_RAG = prove
 (!A. !X:point. !B. X IN rag(A, B) <=> ~(A = B) /\ Collinear(A, B, X) /\ ~ Between(X, A, B),
  REWRITE_TAC[IN_ELIM_THM; DELETE]);;

Ray_DEF worked but IN_RAY gave the error message

Exception: Failure "term after binary operator expected".
# Exception: Failure "TAC_PROOF: Unsolved goals".

I'm so ignorant, I'm not surprised, so I tried a stunt from sets.ml:

let IN_RAG = prove
 (!A. !X:point. !B. X IN rag(A, B) <=> ~(A = B) /\ Collinear(A, B, X) /\ ~ Between(X, A, B),
  REWRITE_TAC[IN_ELIM_THM; DELETE] THEN SET_TAC[]);;

and on a fast 64-bit machine I got the error:

0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..0..Exception: Failure "solve_goal: Too deep".

I tried other stunts from sets.ml, but nothing worked. It was fun trying some actual HOL Light tactics, even in complete ignorance!

--
Best,
Bill

(* Paste in these 2 commands:
cd ~/hol_light; ocaml
#use "hol.ml";;
then paste in the following file*)

(* ================================================================= *)
(* HOL Light Hilbert geometry axiomatic proofs. *)
(* ================================================================= *)

(* Thanks to Mizar folks who wrote an influential language I was able
   to learn, Freek Wiedijk, who wrote the miz3 port of Mizar to HOL
   Light, and especially John Harrison, who came up with the entire
   framework here of porting my axiomatic proofs to HOL Light. *)

new_type("point",0);;
new_type_abbrev("line",:point->bool);;
new_constant("Between",:point#point#point->bool);;
new_constant("===",:point#point->point#point->bool);;

parse_as_infix("===",(12, "right"));;
parse_as_infix("cong",(12, "right"));;
parse_as_infix("same_side",(12, "right"));;

let cong_DEF = new_definition
  A,B,C cong X,Y,Z <=>
  A,B === X,Y /\ A,C === X,Z /\ B,C === Y,Z;;

let is_ordered_DEF = new_definition
  is_ordered (A,B,C,D) <=>
  Between (A,B,C) /\ Between (A,B,D) /\ Between (A,C,D) /\ Between (B,C,D);;

let Collinear_DEF = new_definition
  Collinear(A, B, C) <=> ?l:line. A IN l /\ B IN l /\ C IN l;;

let Twiddle_DEF = new_definition
  Twiddle A l B <=> ~(?X. (X IN l) /\ Between(A, X, B));;

let same_side_DEF = new_definition
  A,B same_side l <=> ~(?X. (X IN l) /\ Between(A, X, B));;

let Reflexive_relation_DEF = new_definition
  Reflexive_Property <=> !l:line A:point.
  ~(A IN l) ==> A,A same_side l;;

let Symmetric_relation_DEF = new_definition
  Symmetric_Property <=> !l:line A:point B:point.
  ~(A IN l) /\ ~(B IN l) ==> A,B same_side l ==> B,A same_side l;;

let Transitive_relation_DEF = new_definition
  Transitive_Property <=> !l:line A:point B:point C:point.
  ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) ==>
  A,B same_side l /\ B,C same_side l ==> A,C same_side l;;

let Ray_DEF = new_definition
  !A B X. ray(X, A, B) <=> ~(A = B) /\ Collinear(A, B, X) /\ ~ Between(X, A, B);;

let Angle_DEF = new_definition
  !A O B. Angle(A, O, B) = if Collinear(A, O, B) then {} else {ray(O, A), ray(O, B)};;

let InteriorAngle_DEF = new_definition
  !A O B P. int_angle(P, A, O, B) <=> ~ Collinear(A, O, B) /\ ?a b.
  O IN a /\ A IN a /\ O IN b /\ B IN b /\ ~(P IN a) /\ ~(P IN b) /\
  P,B same_side a /\ P,A same_side b;;

(* ------------------------------------------------------------------------- *)
(* The axioms. *)
(* ------------------------------------------------------------------------- *)

let I1 = new_axiom
  !A B. ~(A = B) ==> ?! l. A IN l /\ B IN l;;

let I2 = new_axiom
  !l. ? A B. A IN l /\ B IN l /\ ~(A = B);;

let I3 = new_axiom
  ?A:point B:point C:point. ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ ~ Collinear(A, B, C);;

let B1 = new_axiom
  ! A B C. Between(A, B, C) ==> ~(A = B) /\ ~(A = C) /\ ~(B = C) /\
  Between(C, B, A) /\ Collinear(A, B, C);;

let B2 = new_axiom
  ! A B. ~(A = B) ==> ?C. Between(A, B, C);;

let B3 = new_axiom
  !A B C. ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ Collinear(A, B, C) ==>
  (Between(A, B, C) \/ Between(B, C, A) \/ Between(C, A, B)) /\
  ~(Between(A, B, C) /\ Between(B, C, A)) /\
  ~(Between(A, B, C) /\ Between(C, A, B)) /\
  ~(Between(B, C, A) /\ Between(C, A, B));;

let B4 = new_axiom
  !l A B C. ~ Collinear(A, B, C) ==> !l. ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) ==>
  (?X. X IN l /\ Between(A, X, C)) ==>
  (?Y. Y IN l /\ Between(A, Y, B)) \/ (?Y.
  Y IN l /\ Between(B, Y, C));;

#load "unix.cma";;
loadt "miz3/miz3.ml";;
horizon := 0;;

let BiggerThanSingleton_THM = thm ;
  let p be A->bool;
  let x be A;
  assume x IN p [H1];
  assume ~(p = {x}) [H2];
  thus ?a . a IN p /\ ~(a = x)
  proof
    {x} SUBSET p by H1, SING_SUBSET;
    ~(p SUBSET {x}) by -, H2, SUBSET_ANTISYM;
    consider a such that a IN p /\ ~(a IN {x}) [X1] by -, SUBSET;
    ~(a = x) by -, IN_SING;
  qed by -, X1;;

let DisjointOneNotOther_THM = thm ;
  let x be A;
  let l m be A->bool;
  assume l INTER m = {} [H1];
  assume x IN m [H2];
  thus ~(x IN l)
  proof
    assume (x IN l);
    x IN l INTER m by -, H2, IN_INTER;
    F by -, NOT_IN_EMPTY, H1;
  qed by -;;

let IntersectionSingletonOneNotOther_THM = thm ;
  let e x be A;
  let l m be A->bool;
  assume l INTER m = {x} [H1];
  assume e IN l [H2];
  assume ~(e = x) [H3];
  thus ~(e IN m)
  proof
    assume e IN m;
    e IN l INTER m by H2, -, IN_INTER;
    e = x by -, H1, IN_SING;
    F by -, H3;
  qed by -;;

let EquivIntersectionHelp_THM = thm ;
  let a x be A;
  let l m be A->bool;
  assume l INTER m = {x} [H1];
  assume a IN m DELETE x [H2];
  thus ~(a IN l)
  proof
    a IN m /\ ~(a = x) [X1] by H2, IN_DELETE;
  qed by -, H1, H2, IntersectionSingletonOneNotOther_THM;;

let B4'_THM = thm ;
  let l be line;
  let A B C be point;
  assume ~ Collinear(A, B, C) /\ ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) [H1];
  assume A,B same_side l /\ B,C same_side l [H2];
  thus A,C same_side l
  proof
    ~(?Y. Y IN l /\ Between(A, Y, B)) /\ ~(?Y. Y IN l /\ Between(B, Y, C)) ==> ~(?X.
    X IN l /\ Between(A, X, C)) by H1, B4;
  qed by -, H1, H2, same_side_DEF;;

let BetweenLinear_THM = thm ;
  let A C X be point;
  let m be line;
  assume A IN m /\ C IN m [H1];
  assume Between(A, X, C) [H2];
  thus X IN m
  proof
    ~(A = C) /\ Collinear(A, X, C) [X1] by H2, B1;
    consider l such that A IN l /\ X IN l /\ C IN l [X2] by -, Collinear_DEF;
    l = m by X1, -, H2, H1, I1;
  qed by -, X2;;

let CollinearLinear_THM = thm ;
  let A C X be point;
  let m be line;
  assume A IN m /\ C IN m [H1];
  assume Collinear(A, X, C) [H2];
  assume ~(A = C) [H3];
  thus X IN m
  proof
    consider l such that A IN l /\ X IN l /\ C IN l [X1] by H2, Collinear_DEF;
    l = m by H3, -, H1, I1;
  qed by -, X1;;

let Line01infinity_THM = thm ;
  let X be point;
  let l m be line;
  assume ~(l = m) [H1];
  assume X IN l /\ X IN m [H2];
  thus l INTER m = {X}
  proof
    (l INTER m = {X}) \/ ~(l INTER m = {X});
    assume ~(l INTER m = {X}) [H3];
    X IN l INTER m by H2, IN_INTER;
    consider A such that A IN l INTER m /\ ~(A = X) [X1] by -, H3, BiggerThanSingleton_THM;
    A IN l /\ X IN l /\ A IN m /\ X IN m by -, H2, IN_INTER;
    l = m by -, X1, I1;
    F by -, H1;
  qed by -;;

let EquivIntersection_THM = thm ;
  let A B X be point;
  let l m be line;
  assume l INTER m = {X} [H1];
  assume A IN m DELETE X /\ B IN m DELETE X [H2];
  assume ~ Between(A, X, B) [H3];
  thus ~(A IN l) /\ ~(B IN l) /\ A,B same_side l
  proof
    A IN m /\ ~(A = X) [X1] by H2, IN_DELETE;
    B IN m /\ ~(B = X) [X2] by H2, IN_DELETE;
    ~(A IN l) /\ ~(B IN l) [X3] by H1, H2, EquivIntersectionHelp_THM;
    A,B same_side l [X4]
    proof
      assume ~(A,B same_side l);
      consider G such that (G IN l) /\ Between(A, G, B) [X5] by -, same_side_DEF;
      ~(A = B) /\ Collinear(A, G, B) [X6] by -, B1;
      consider k such that A IN k /\ G IN k /\ B IN k [X7] by -, Collinear_DEF;
      k = m by -, X1, X2, X6, I1;
      G IN l INTER m by -, X5, X7, IN_INTER;
      G = X by -, H1, IN_SING;
      Between(A, X, B) by -, X5;
      F by -, H3;
    qed by -;
  qed by X3, X4;;

let SameSideReflexiveRelation_THM = thm ;
  thus Reflexive_Property
  proof
    !l:line A:point.
    A,A same_side l
    proof
      let l be line;
      let A be point;
      ~(?X. (X IN l) /\ Between(A, X, A)) by B1;
    qed by -, same_side_DEF;
  qed by -, Reflexive_relation_DEF;;

let SameSideSymmetricRelation_THM = thm ;
  thus Symmetric_Property
  proof
    !l:line A:point B:point.
    ~(A IN l) /\ ~(B IN l) ==> A,B same_side l ==> B,A same_side l
    proof
      let l be line;
      let A B be point;
      assume A,B same_side l [H1];
      assume ~(A IN l) /\ ~(B IN l);
      ~(?X. (X IN l) /\ Between(A, X, B)) by H1, same_side_DEF;
      ~(?X. (X IN l) /\ Between(B, X, A)) by -, B1;
    qed by -, same_side_DEF;
  qed by -, Symmetric_relation_DEF;;

let SameSideTransitiveRelation_THM = thm ;
  thus Transitive_Property
  proof
    !l:line A:point B:point C:point.
    ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) ==>
    A,B same_side l /\ B,C same_side l ==> A,C same_side l
    proof
      let l be line;
      let A B C be point;
      assume ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) [H0];
      assume A,B same_side l [H1];
      assume B,C same_side l [H2];
      A,C same_side l
      proof
        ~ Collinear(A, B, C) \/ Collinear(A, B, C);
        cases by -;
        suppose ~ Collinear(A, B, C);
        qed by -, H0, H1, H2, B4'_THM;
        suppose Collinear(A, B, C) [Coll];
          cases;
          suppose A = B \/ A = C \/ B = C;
          qed by -, H2, H0, SameSideReflexiveRelation_THM, Reflexive_relation_DEF, H1;
          suppose ~(A = B) /\ ~(A = C) /\ ~(B = C) [Distinct];
            consider m such that A IN m /\ C IN m [W1] by Distinct, I1;
            ~(l = m) [W2] by W1, H0;
            cases;
            suppose l INTER m = {} [Disjoint];
              !X.
              Between(A, X, C) ==> ~(X IN l)
              proof
                let X be point;
                assume Between(A, X, C);
                X IN m by -, W1, BetweenLinear_THM;
                ~(X IN l) by -, Disjoint, DisjointOneNotOther_THM;
              qed by -;
            qed by -, same_side_DEF;
            suppose ~(l INTER m = {}) [NotDisjoint];
              consider X such that X IN l INTER m by NotDisjoint, MEMBER_NOT_EMPTY;
              X IN l /\ X IN m [U1] by -, IN_INTER;
              l INTER m = {X} [U2] by W2, -, Line01infinity_THM;
              consider E such that E IN l /\ ~(E = X) [U3] by U1, I2;
              ~(E IN m) [U4] by U2, U3, IntersectionSingletonOneNotOther_THM;
              ~(E = B) by U3, H0;
              consider B' such that Between(E, B, B') by -, B2;
              Between(B', B, E) [U5] by -, B1;
              ~(B' = E) /\ ~(B = E) /\ ~(B' = B) /\ Collinear(B', B, E) [U6] by -, B1;
              consider n such that E IN n /\ B' IN n [U7] by -, I1;
              B IN n [U8] by U7, U5, BetweenLinear_THM;
              ~(l = n) [U9] by H0, -;
              l INTER n = {E} [U10] by U9, U7, U3, Line01infinity_THM;
              ~(B' IN l) [U11] by -, U7, U6, IntersectionSingletonOneNotOther_THM;
              ~ Between(B, E, B') [U12] by U6, U5, B3;
              B' IN n DELETE E /\ B IN n DELETE E by U7, U8, U6, IN_DELETE;
              B, B' same_side l [U13] by U10, -, U12, EquivIntersection_THM;
              ~(m = n) [U14] by U7, U4;
              B IN m by W1, Coll, Distinct, CollinearLinear_THM;
              m INTER n = {B} [U15] by -, U8, U14, Line01infinity_THM;
              ~(A IN n) [U16] by -, W1, Distinct, IntersectionSingletonOneNotOther_THM;
              ~ Collinear(A, B, B')
              proof
                assume Collinear(A, B, B');
                consider k such that A IN k /\ B IN k /\ B' IN k [V1] by -, Collinear_DEF;
                k = n by U6, -, U8, U7, I1;
                F by -, U16, V1;
              qed by -;
              A,B' same_side l [U17] by -, H0, U11, H1, U13, B4'_THM;
              ~(C IN n) [U18] by U15, W1, Distinct, IntersectionSingletonOneNotOther_THM;
              C,B same_side l [U19] by H0, H2, SameSideSymmetricRelation_THM, Symmetric_relation_DEF;
              ~ Collinear(C, B, B')
              proof
                assume Collinear(C, B, B');
                consider k such that C IN k /\ B IN k /\ B' IN k [V2] by -, Collinear_DEF;
                k = n by U6, -, U8, U7, I1;
                F by -, U18, V2;
              qed by -;
              C,B' same_side l by -, H0, U11, U19, U13, B4'_THM;
              B',C same_side l [U20] by H0, U11, -,
                SameSideSymmetricRelation_THM, Symmetric_relation_DEF;
              ~(B' IN m) [U21] by U15, U7, U6, IntersectionSingletonOneNotOther_THM;
              ~ Collinear(A, B', C)
              proof
                assume Collinear(A, B', C);
                consider k such that A IN k /\ B' IN k /\ C IN k [V3] by -, Collinear_DEF;
                k = m by Distinct, W1, -, I1;
                F by -, U21, V3;
              qed by -;
              A, C same_side l by -, H0, U11, U17, U20, B4'_THM;
            qed by -;
            end;
          end;
        end;
    qed by -;
  qed by -, Transitive_relation_DEF;;

let SameSideEquivalenceRelation_THM = thm ;
  thus Reflexive_Property /\ Symmetric_Property /\ Transitive_Property
  proof
  qed by SameSideReflexiveRelation_THM, SameSideSymmetricRelation_THM, SameSideTransitiveRelation_THM;;

let OnePointImpliesAnother_THM = thm ;
  let P be point;
  thus ?Q:point. ~(Q = P)
  proof
    consider A B C such that ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ ~ Collinear(A, B, C) [X1] by I3;
    cases;
    suppose B = P;
      ~(A = B) by -, X1;
    qed by -;
    suppose ~(B = P);
    qed by -;
  end;;

let NonCollinearImpliesDistinct_THM = thm ;
  let A B C be point;
  assume ~ Collinear(A, B, C) [H1];
  thus ~(A = B) /\ ~(A = C) /\ ~(B = C)
  proof
    cases;
    suppose A = B /\ B = C [C1];
      consider Q such that ~(Q = A) by OnePointImpliesAnother_THM;
      consider l such that A IN l /\ Q IN l by -, I1;
      Collinear(A, B, C) by -, C1, Collinear_DEF;
    qed by -, H1;
    suppose ~(A = B) /\ B = C [C2];
      consider l such that A IN l /\ B IN l by -, I1;
      Collinear(A, B, C) by -, C2, Collinear_DEF;
    qed by -, H1;
    suppose ~(B = C) [C3];
      consider l such that B IN l /\ C IN l [X1] by C3, I1;
      ~(A = B) [U]
      proof
        assume A = B;
        Collinear(A, B, C) by -, X1, Collinear_DEF;
      qed by -, H1;
      ~(A = C) [V]
      proof
        assume A = C;
        Collinear(A, B, C) by -, X1, Collinear_DEF;
      qed by -, H1;
    qed by U, V, C3;
  end;;

let ConverseCrossbar_THM = thm ;
  let O A B G be point;
  assume ~ Collinear(A, O, B) [H1];
  assume Between(A, G, B) [H2];
  thus int_angle(G, A, O, B)
  proof
    ~(A = O) /\ ~(A = B) /\ ~(O = B) [Distinct] by H1, NonCollinearImpliesDistinct_THM;
    consider a such that O IN a /\ A IN a [aOA] by -, I1;
    consider b such that O
      IN b /\ B IN b [bOB] by Distinct, I1;
    consider l such that A IN l /\ B IN l [lAB] by Distinct, I1;
    ~(B IN a) by H1, aOA, Collinear_DEF;
    ~(a = l) by -, lAB;
    a INTER l = {A} [alA] by -, aOA, lAB, Line01infinity_THM;
    ~(A = G) /\ ~(A = B) /\ ~(G = B) /\ Between(B, G, A) /\ Collinear(A, G, B) [X1] by H2, B1;
    ~ Between(G, A, B) [notGAB] by -, H2, B3, B1;
    G IN l [Ginl] by lAB, H2, BetweenLinear_THM;
    ~(G IN a) [notGina] by alA, Ginl, X1, IntersectionSingletonOneNotOther_THM;
    G IN l DELETE A /\ B IN l DELETE A by Ginl, lAB, X1, IN_DELETE;
    G,B same_side a [Gsim_aB] by alA, -, notGAB, EquivIntersection_THM;
    :: same argument shows G,A same_side b
    ~(A IN b) by H1, bOB, Collinear_DEF;
    ~(b = l) by -, lAB;
    b INTER l = {B} [blB] by -, bOB, lAB, Line01infinity_THM;
    ~ Between(G, B, A) [notGBA] by H2, B1, B3;
    ~(G IN b) [notGinb] by blB, Ginl, X1, IntersectionSingletonOneNotOther_THM;
    G IN l DELETE B /\ A IN l DELETE B by Ginl, lAB, X1, IN_DELETE;
    G,A same_side b [Gsim_bA]by blB, -, notGBA, EquivIntersection_THM;
  qed by H1, aOA, bOB, notGina, notGinb, Gsim_aB, Gsim_bA, InteriorAngle_DEF;;

let WholeRayInterior_THM = thm ;
  let A O B X be point;
  assume ~ Collinear(A, O, B) [H1];
  assume int_angle(X, A, O, B) [H2];
  let P be point;
  assume ray(P, O, X) [H3];
  assume ~(P = O) [H4];
  thus int_angle(P, A, O, B)
  proof
    ~(A = O) /\ ~(A = B) /\ ~(O = B) [Distinct] by H1, NonCollinearImpliesDistinct_THM;
    consider a such that O IN a /\ A IN a [a_OA] by Distinct, I1;
    consider b such that O IN b /\ B IN b [b_OB] by Distinct, I1;
    consider x such that O IN x /\ X IN x [x_OX] by Distinct, I1;
    consider a' b' such that O IN a' /\ A IN a' /\ O IN b' /\ B IN b' /\ ~(X IN a') /\ ~(X IN b') /\ X,B same_side a' /\ X,A same_side b' [Xint'] by H2, InteriorAngle_DEF;
    a' = a /\ b' = b by Distinct, -, a_OA, b_OB, I1;
    ~(X IN a) /\ ~(X IN b) /\ X,B same_side a /\ X,A same_side b [XintAOB] by -, Xint';
    ~(O = X) /\ Collinear(O, X, P) /\ ~ Between(P, O, X) [XrayPOX] by H3, Ray_DEF;
    P IN x [Pin_x] by x_OX, XrayPOX,
      Collinear_DEF, CollinearLinear_THM;
    P IN x DELETE O [Pin_x_O] by Pin_x, H4, IN_DELETE;
    X IN x DELETE O [Xin_x_O] by x_OX, XrayPOX, IN_DELETE;
    ~(x = a) /\ ~(x = b) [x_not_ab] by XintAOB, x_OX;
    a INTER x = {O} /\ b INTER x = {O} [axb_intO] by x_not_ab, x_OX, a_OA, b_OB, Line01infinity_THM;
    ~(P IN a) /\ P,X same_side a [Psim_aX] by axb_intO, Pin_x_O, Xin_x_O, XrayPOX, EquivIntersection_THM;
    ~(P IN b) /\ P,X same_side b [Psim_bX] by axb_intO, Pin_x_O, Xin_x_O, XrayPOX, EquivIntersection_THM;
    P,B same_side a /\ P,A same_side b by Psim_aX, Psim_bX, XintAOB, a_OA, b_OB, H1, Collinear_DEF, SameSideTransitiveRelation_THM, Transitive_relation_DEF;
    int_angle(P, A, O, B) by H1, a_OA, b_OB, Psim_aX, Psim_bX, -, InteriorAngle_DEF;
  qed by -;;

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: John Harrison - 2012-06-01 16:27

Hi Bill,

| I'm really happy these two proofs worked, because now I know I can
| code up my Hilbert axiom paper. But I'd prefer (change ray to rag):
|
| let Rag_DEF = new_definition
| !A B. rag(A, B) = if (A = B) {} else {X | Collinear(A, B, X) /\ ~ Between(X, A, B);;
|
| let IN_RAG = prove
| (!A. !X:point. !B. X IN rag(A, B) <=> ~(A = B) /\ Collinear(A, B, X) /\ ~ Between(X, A, B),
| REWRITE_TAC[IN_ELIM_THM; DELETE]);;
|
| Ray_DEF worked but IN_RAY gave the error message
|
| Exception: Failure "term after binary operator expected".

Are you sure there isn't a cut-and-paste error, or that the problem wasn't actually with Ray_DEF? On the face of it your if-then-else expression is missing a "then" and shouldn't parse.

| I'm so ignorant, I'm not surprised, so I tried a stunt from sets.ml:
|
| let IN_RAG = prove
| (!A. !X:point. !B. X IN rag(A, B) <=> ~(A = B) /\ Collinear(A, B, X) /\ ~ Between(X, A, B),
| REWRITE_TAC[IN_ELIM_THM; DELETE] THEN SET_TAC[]);;

The basic issue here is that SET_TAC (in common with the other built-in HOL inference rules and tactics) never implicitly uses definitions, so you need to either expand them or supply them as lemmas. It's all at sea here with rag, Collinear and Between.

With that understood, SET_TAC does a fairly competent job of most routine facts of set theory. Roughly speaking it rewrites with extensionality and the definition of SUBSET then expands away set-theoretic definitions to get a pure first-order core that is solved by MESON. So it can prove really trivial identities like

  {a,b} = {c,d} <=> a = c /\ b = d \/ a = d /\ b = c

as well as somewhat more interesting lemmas, e.g.

  (!x. f(f x) = x) /\
  (!x. x IN s ==> f x IN t) /\
  (!x. x IN t ==> f x IN s)
  ==> IMAGE f s = t /\ IMAGE f t = s

There are (at least) two notable restrictions/bugs. Neither of these is hard to fix and I should eventually get round to it, but it would mean a lot of regression testing to make sure I don't break any existing proofs.

 * The treatment of if-then-else expressions is incomplete since it isn't properly integrated with the elimination of set-theoretic concepts.

 * Higher-order set concepts (sets of sets etc.) can get expanded too clumsily and result in a non-first-order goal that is likely to be unsolvable by MESON, even when a more delicate reduction would have worked.

John.
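
The two points in the message above (built-in tactics never unfold definitions implicitly, and conditionals need handling before the set-theoretic rewriting) can be seen in the following HOL Light sketch. It is an added example, not code from the thread: the declarations repeat the minimum of the posted geometry file, Rag_DEF is written with the missing "then" and closing brace restored, the proof script is one possible way to discharge the goal, and the name IN_RAG_COLLINEAR is hypothetical.

```ocaml
(* Added example, not code from the thread.  Run inside a HOL Light
   session, after #use "hol.ml";; has finished loading. *)

(* Minimum of the posted geometry file needed for the ray definition. *)
new_type("point",0);;
new_constant("Between",`:point#point#point->bool`);;

let Collinear_DEF = new_definition
  `Collinear(A, B, C) <=> ?l:point->bool. A IN l /\ B IN l /\ C IN l`;;

(* Set-valued ray, with the "then" and the closing brace in place. *)
let Rag_DEF = new_definition
  `rag(A, B) = if A = B then {}
               else {X | Collinear(A, B, X) /\ ~Between(X, A, B)}`;;

(* Membership lemma.  rag is unfolded explicitly with Rag_DEF, the
   conditional is split by COND_CASES_TAC before any set reasoning,
   and each branch is closed by rewriting with the case assumption
   plus the library facts about {} and set comprehensions. *)
let IN_RAG = prove
 (`!A B X. X IN rag(A, B) <=>
           ~(A = B) /\ Collinear(A, B, X) /\ ~Between(X, A, B)`,
  REPEAT GEN_TAC THEN
  REWRITE_TAC[Rag_DEF] THEN
  COND_CASES_TAC THEN
  ASM_REWRITE_TAC[NOT_IN_EMPTY; IN_ELIM_THM]);;

(* Once IN_RAG exists, later facts about rag are obtained by supplying
   it as a lemma; the automation is never asked to look inside rag. *)
let IN_RAG_COLLINEAR = prove
 (`!A B X. X IN rag(A, B) ==> Collinear(A, B, X)`,
  MESON_TAC[IN_RAG]);;
```

Collinear and Between stay folded throughout: both sides of IN_RAG mention them in the same form, so only rag needs expanding.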

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-06-05 03:54

John, I made big progress on our set theory problem! 700+ lines of code below. I just reference `IN', the first definition in sets.ml

let IN = new_definition
  !P:A->bool. !x. x IN P <=> P x;;

So I define `ray' as a curried function

let Ray_DEF = new_definition
  !A B X. ray (A,B) X <=> ~(A = B) /\ Collinear(A, B, X) /\ ~Between(X, A, B);;

and later I can write, as if a ray was a set,

G IN ray(O,D) [G_OD] by DnotO, ODGcol, -, IN, Ray_DEF;

I can then even ``intersect'' rays with other sets using INTER. I'm really happy about this! It's not everything I wanted (yet), but it should be all the set theory I need to code up my Hilbert paper.

--
best,
Bill

(* Paste in these 2 commands:
(setq case-fold-search nil)
cd ~/hol_light; ocaml
#use "hol.ml";;
then paste in the following file*)

(* ================================================================= *)
(* HOL Light Hilbert geometry axiomatic proofs. *)
(* ================================================================= *)

(* Thanks to Mizar folks who wrote an influential language I was able
   to learn, Freek Wiedijk, who wrote the miz3 port of Mizar to HOL
   Light, and especially John Harrison, who came up with the entire
   framework here of porting my axiomatic proofs to HOL Light. *)

new_type("point",0);;
new_type_abbrev("line",:point->bool);;
new_constant("Between",:point#point#point->bool);;
new_constant("===",:point#point->point#point->bool);;

parse_as_infix("===",(12, "right"));;
parse_as_infix("cong",(12, "right"));;
parse_as_infix("same_side",(12, "right"));;
parse_as_infix("int_angle",(12, "right"));;

let cong_DEF = new_definition
  A,B,C cong X,Y,Z <=>
  A,B === X,Y /\ A,C === X,Z /\ B,C === Y,Z;;

let is_ordered_DEF = new_definition
  is_ordered (A,B,C,D) <=>
  Between (A,B,C) /\ Between (A,B,D) /\ Between (A,C,D) /\ Between (B,C,D);;

let Collinear_DEF = new_definition
  Collinear(A, B, C) <=> ?l:line.
  A IN l /\ B IN l /\ C IN l;;

let Twiddle_DEF = new_definition
  Twiddle A l B <=> ~(?X. (X IN l) /\ Between(A, X, B));;

let same_side_DEF = new_definition
  A,B same_side l <=> ~(?X. (X IN l) /\ Between(A, X, B));;

let Reflexive_relation_DEF = new_definition
  Reflexive_Property <=> !l:line A:point. ~(A IN l) ==> A,A same_side l;;

let Symmetric_relation_DEF = new_definition
  Symmetric_Property <=> !l:line A:point B:point.
  ~(A IN l) /\ ~(B IN l) ==> A,B same_side l ==> B,A same_side l;;

let Transitive_relation_DEF = new_definition
  Transitive_Property <=> !l:line A:point B:point C:point.
  ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) ==>
  A,B same_side l /\ B,C same_side l ==> A,C same_side l;;

let Ray_DEF = new_definition
  !A B X. ray (A,B) X <=> ~(A = B) /\ Collinear(A, B, X) /\ ~Between(X, A, B);;

(* exec GOAL_TAC; p();;

let Angle_DEF = new_definition
  !A O B. Angle(A, O, B) = if Collinear(A, O, B) then {} else {ray(O, A), ray(O, B)};; *)

let InteriorAngle_DEF = new_definition
  !A O B P. P int_angle A,O,B <=> ~Collinear(A, O, B) /\ ?a b.
  O IN a /\ A IN a /\ O IN b /\ B IN b /\ ~(P IN a) /\ ~(P IN b) /\
  P,B same_side a /\ P,A same_side b;;

(* ------------------------------------------------------------------------- *)
(* The axioms. *)
(* ------------------------------------------------------------------------- *)

let I1 = new_axiom
  !A B. ~(A = B) ==> ?! l. A IN l /\ B IN l;;

let I2 = new_axiom
  !l. ? A B. A IN l /\ B IN l /\ ~(A = B);;

let I3 = new_axiom
  ?A:point B:point C:point. ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ ~Collinear(A, B, C);;

let B1 = new_axiom
  ! A B C. Between(A, B, C) ==> ~(A = B) /\ ~(A = C) /\ ~(B = C) /\
  Between(C, B, A) /\ Collinear(A, B, C);;

let B2 = new_axiom
  ! A B. ~(A = B) ==> ?C. Between(A, B, C);;

let B3 = new_axiom
  !A B C.
  ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ Collinear(A, B, C) ==>
  (Between(A, B, C) \/ Between(B, C, A) \/ Between(C, A, B)) /\
  ~(Between(A, B, C) /\ Between(B, C, A)) /\
  ~(Between(A, B, C) /\ Between(C, A, B)) /\
  ~(Between(B, C, A) /\ Between(C, A, B));;

let B4 = new_axiom
  !l A B C. ~Collinear(A, B, C) ==> !l. ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) ==>
  (?X. X IN l /\ Between(A, X, C)) ==>
  (?Y. Y IN l /\ Between(A, Y, B)) \/ (?Y. Y IN l /\ Between(B, Y, C));;

#load "unix.cma";;
loadt "miz3/miz3.ml";;
horizon := 0;;

let BiggerThanSingleton_THM = thm ;
  let p be A->bool;
  let x be A;
  assume x IN p [H1];
  assume ~(p = {x}) [H2];
  thus ?a . a IN p /\ ~(a = x)
  proof
    {x} SUBSET p by H1, SING_SUBSET;
    ~(p SUBSET {x}) by -, H2, SUBSET_ANTISYM;
    consider a such that a IN p /\ ~(a IN {x}) [X1] by -, SUBSET;
    ~(a = x) by -, IN_SING;
  qed by -, X1;;

let DisjointOneNotOther_THM = thm ;
  let x be A;
  let l m be A->bool;
  assume l INTER m = {} [H1];
  assume x IN m [H2];
  thus ~(x IN l)
  proof
    assume (x IN l);
    x IN l INTER m by -, H2, IN_INTER;
    F by -, NOT_IN_EMPTY, H1;
  qed by -;;

let IntersectionSingletonOneNotOther_THM = thm ;
  let e x be A;
  let l m be A->bool;
  assume l INTER m = {x} [H1];
  assume e IN l [H2];
  assume ~(e = x) [H3];
  thus ~(e IN m)
  proof
    assume e IN m;
    e IN l INTER m by H2, -, IN_INTER;
    e = x by -, H1, IN_SING;
    F by -, H3;
  qed by -;;

let EquivIntersectionHelp_THM = thm ;
  let a x be A;
  let l m be A->bool;
  assume l INTER m = {x} [H1];
  assume a IN m DELETE x [H2];
  thus ~(a IN l)
  proof
    a IN m /\ ~(a = x) [X1] by H2, IN_DELETE;
  qed by -, H1, H2, IntersectionSingletonOneNotOther_THM;;

let OnePointImpliesAnother_THM = thm ;
  let P be point;
  thus ?Q:point. ~(Q = P)
  proof
    consider A B C such that ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ ~Collinear(A, B, C) [X1] by I3;
    cases;
    suppose B = P;
      ~(A = B) by -, X1;
    qed by -;
    suppose ~(B = P);
    qed by -;
  end;;

let ExistsPointOffLine_THM = thm ;
  let l be line;
  thus ?Q:point.
  ~(Q IN l)
  proof
    consider A B C such that ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ ~Collinear(A, B, C) [useI3] by I3;
    cases;
    suppose ~(A IN l) \/ ~(B IN l) \/ ~(C IN l);
    qed by -;
    suppose (A IN l) /\ (B IN l) /\ (C IN l);
      Collinear(A, B, C) by -, Collinear_DEF;
      F by -, useI3;
    qed by -;
  end;;

let B4'_THM = thm ;
  let l be line;
  let A B C be point;
  assume ~Collinear(A, B, C) /\ ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) [H1];
  assume A,B same_side l /\ B,C same_side l [H2];
  thus A,C same_side l
  proof
    ~(?Y. Y IN l /\ Between(A, Y, B)) /\ ~(?Y. Y IN l /\ Between(B, Y, C)) ==> ~(?X. X IN l /\ Between(A, X, C)) by H1, B4;
  qed by -, H1, H2, same_side_DEF;;

let BetweenLinear_THM = thm ;
  let A B C be point;
  let m be line;
  assume A IN m /\ C IN m [H1];
  assume Between(A, B, C) \/ Between(B, C, A) \/ Between(C, A, B) [H2];
  thus B IN m
  proof
    ~(A = C) /\ (Collinear(A,B,C) \/ Collinear(B,C,A) \/ Collinear(C,A,B)) [X1] by H2, B1;
    consider l such that A IN l /\ B IN l /\ C IN l [X2] by -, Collinear_DEF;
    l = m by X1, -, H2, H1, I1;
  qed by -, X2;;

let CollinearLinear_THM = thm ;
  let A B C be point;
  let m be line;
  assume A IN m /\ C IN m [H1];
  assume Collinear(A,B,C) \/ Collinear(B,C,A) \/ Collinear(C,A,B) [H2];
  assume ~(A = C) [H3];
  thus B IN m
  proof
    consider l such that A IN l /\ B IN l /\ C IN l [X1] by H2, Collinear_DEF;
    l = m by H3, -, H1, I1;
  qed by -, X1;;

let NonCollinearImpliesDistinct_THM = thm ;
  let A B C be point;
  assume ~Collinear(A, B, C) [H1];
  thus ~(A = B) /\ ~(A = C) /\ ~(B = C)
  proof
    cases;
    suppose A = B /\ B = C [C1];
      consider Q such that ~(Q = A) by OnePointImpliesAnother_THM;
      consider l such that A IN l /\ Q IN l by -, I1;
      Collinear(A, B, C) by -, C1, Collinear_DEF;
    qed by -, H1;
    suppose ~(A = B) /\ B = C [C2];
      consider l such that A IN l /\ B IN l by -, I1;
      Collinear(A, B, C) by -, C2, Collinear_DEF;
    qed by -, H1;
    suppose ~(B = C) [C3];
      consider l such that B IN l /\ C IN l [X1] by C3, I1;
      ~(A = B) [U]
      proof
        assume A = B;
        Collinear(A, B, C) by -, X1, Collinear_DEF;
      qed by -,
        H1;
      ~(A = C) [V]
      proof
        assume A = C;
        Collinear(A, B, C) by -, X1, Collinear_DEF;
      qed by -, H1;
    qed by U, V, C3;
  end;;

let OriginInRay_THM = thm ;
  let O Q be point;
  assume ~(Q = O) [H1];
  thus O IN ray(O, Q)
  proof
    ~Between (O,O,Q) [OOQ] by B1;
    consider l such that O IN l /\ Q IN l by H1, I1;
    Collinear (O,Q,O) by -, Collinear_DEF;
    O IN ray(O,Q) by H1, -, OOQ, IN, Ray_DEF;
  qed by -;;

let Line01infinity_THM = thm ;
  let X be point;
  let l m be line;
  assume ~(l = m) [H1];
  assume X IN l /\ X IN m [H2];
  thus l INTER m = {X}
  proof
    (l INTER m = {X}) \/ ~(l INTER m = {X});
    assume ~(l INTER m = {X}) [H3];
    X IN l INTER m by H2, IN_INTER;
    consider A such that A IN l INTER m /\ ~(A = X) [X1] by -, H3, BiggerThanSingleton_THM;
    A IN l /\ X IN l /\ A IN m /\ X IN m by -, H2, IN_INTER;
    l = m by -, X1, I1;
    F by -, H1;
  qed by -;;

let EquivIntersection_THM = thm ;
  let A B X be point;
  let l m be line;
  assume l INTER m = {X} [H1];
  assume A IN m DELETE X /\ B IN m DELETE X [H2];
  assume ~ Between(A, X, B) [H3];
  thus ~(A IN l) /\ ~(B IN l) /\ A,B same_side l
  proof
    A IN m /\ ~(A = X) [X1] by H2, IN_DELETE;
    B IN m /\ ~(B = X) [X2] by H2, IN_DELETE;
    ~(A IN l) /\ ~(B IN l) [X3] by H1, H2, EquivIntersectionHelp_THM;
    A,B same_side l [X4]
    proof
      assume ~(A,B same_side l);
      consider G such that (G IN l) /\ Between(A, G, B) [X5] by -, same_side_DEF;
      ~(A = B) /\ Collinear(A, G, B) [X6] by -, B1;
      consider k such that A IN k /\ G IN k /\ B IN k [X7] by -, Collinear_DEF;
      k = m by -, X1, X2, X6, I1;
      G IN l INTER m by -, X5, X7, IN_INTER;
      G = X by -, H1, IN_SING;
      Between(A, X, B) by -, X5;
      F by -, H3;
    qed by -;
  qed by X3, X4;;

let SameSideReflexiveRelation_THM = thm ;
  thus Reflexive_Property
  proof
    !l:line A:point. A,A same_side l
    proof
      let l be line;
      let A be point;
      ~(?X. (X IN l) /\ Between(A, X, A)) by B1;
    qed by -, same_side_DEF;
  qed by -, Reflexive_relation_DEF;;

let SameSideSymmetricRelation_THM = thm ;
  thus Symmetric_Property
  proof
    !l:line A:point B:point.
    ~(A IN l) /\ ~(B IN l) ==> A,B same_side l ==> B,A same_side l
    proof
      let l be line;
      let A B be point;
      assume A,B same_side l [H1];
      assume ~(A IN l) /\ ~(B IN l);
      ~(?X. (X IN l) /\ Between(A, X, B)) by H1, same_side_DEF;
      ~(?X. (X IN l) /\ Between(B, X, A)) by -, B1;
    qed by -, same_side_DEF;
  qed by -, Symmetric_relation_DEF;;

let SameSideTransitiveRelation_THM = thm ;
  thus Transitive_Property
  proof
    !l:line A:point B:point C:point.
    ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) ==>
    A,B same_side l /\ B,C same_side l ==> A,C same_side l
    proof
      let l be line;
      let A B C be point;
      assume ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) [H0];
      assume A,B same_side l [H1];
      assume B,C same_side l [H2];
      A,C same_side l
      proof
        ~Collinear(A, B, C) \/ Collinear(A, B, C);
        cases by -;
        suppose ~Collinear(A, B, C);
        qed by -, H0, H1, H2, B4'_THM;
        suppose Collinear(A, B, C) [Coll];
          cases;
          suppose A = B \/ A = C \/ B = C;
          qed by -, H2, H0, SameSideReflexiveRelation_THM, Reflexive_relation_DEF, H1;
          suppose ~(A = B) /\ ~(A = C) /\ ~(B = C) [Distinct];
            consider m such that A IN m /\ C IN m [W1] by Distinct, I1;
            ~(l = m) [W2] by W1, H0;
            cases;
            suppose l INTER m = {} [Disjoint];
              !X.
              Between(A, X, C) ==> ~(X IN l)
              proof
                let X be point;
                assume Between(A, X, C);
                X IN m by -, W1, BetweenLinear_THM;
                ~(X IN l) by -, Disjoint, DisjointOneNotOther_THM;
              qed by -;
            qed by -, same_side_DEF;
            suppose ~(l INTER m = {}) [NotDisjoint];
              consider X such that X IN l INTER m by NotDisjoint, MEMBER_NOT_EMPTY;
              X IN l /\ X IN m [U1] by -, IN_INTER;
              l INTER m = {X} [U2] by W2, -, Line01infinity_THM;
              consider E such that E IN l /\ ~(E = X) [U3] by U1, I2;
              ~(E IN m) [U4] by U2, U3, IntersectionSingletonOneNotOther_THM;
              ~(E = B) by U3, H0;
              consider B' such that Between(E, B, B') by -, B2;
              Between(B', B, E) [U5] by -, B1;
              ~(B' = E) /\ ~(B = E) /\ ~(B' = B) /\ Collinear(B', B, E) [U6] by -, B1;
              consider n such that E IN n /\ B' IN n [U7] by -, I1;
              B IN n [U8] by U7, U5, BetweenLinear_THM;
              ~(l = n) [U9] by H0, -;
              l INTER n = {E} [U10] by U9, U7, U3, Line01infinity_THM;
              ~(B' IN l) [U11] by -, U7, U6, IntersectionSingletonOneNotOther_THM;
              ~ Between(B, E, B') [U12] by U6, U5, B3;
              B' IN n DELETE E /\ B IN n DELETE E by U7, U8, U6, IN_DELETE;
              B, B' same_side l [U13] by U10, -, U12, EquivIntersection_THM;
              ~(m = n) [U14] by U7, U4;
              B IN m by W1, Coll, Distinct, CollinearLinear_THM;
              m INTER n = {B} [U15] by -, U8, U14, Line01infinity_THM;
              ~(A IN n) [U16] by -, W1, Distinct, IntersectionSingletonOneNotOther_THM;
              ~Collinear(A, B, B') by U6, U7, U8, I1, U16, Collinear_DEF;
              A,B' same_side l [U17] by -, H0, U11, H1, U13, B4'_THM;
              ~(C IN n) [U18] by U15, W1, Distinct, IntersectionSingletonOneNotOther_THM;
              C,B same_side l [U19] by H0, H2, SameSideSymmetricRelation_THM, Symmetric_relation_DEF;
              ~Collinear(C, B, B') by U6, U7, U8, I1, U18, Collinear_DEF;
              C,B' same_side l by -, H0, U11, U19, U13, B4'_THM;
              B',C same_side l [U20] by H0, U11, -, SameSideSymmetricRelation_THM, Symmetric_relation_DEF;
              ~(B' IN m) [U21] by U15, U7, U6, IntersectionSingletonOneNotOther_THM;
              ~Collinear(A, B', C) by Distinct, W1, I1, U21, Collinear_DEF;
              A, C same_side l by -, H0, U11, U17, U20, B4'_THM;
            qed by -;
            end;
end; end; qed by -; qed by -, Transitive_relation_DEF;; let SameSideEquivalenceRelation_THM = thm ; thus Reflexive_Property /\ Symmetric_Property /\ Transitive_Property proof qed by SameSideReflexiveRelation_THM, SameSideSymmetricRelation_THM, SameSideTransitiveRelation_THM;; let ConverseCrossbar_THM = thm ; let O A B G be point; assume ~Collinear(A, O, B) [H1]; assume Between(A, G, B) [H2]; thus G int_angle A,O,B proof ~(A = O) /\ ~(A = B) /\ ~(O = B) [Distinct] by H1, NonCollinearImpliesDistinct_THM; consider a such that O IN a /\ A IN a [aOA] by -, I1; consider b such that O IN b /\ B IN b [bOB] by Distinct, I1; consider l such that A IN l /\ B IN l [lAB] by Distinct, I1; ~(B IN a) by H1, aOA, Collinear_DEF; ~(a = l) by -, lAB; a INTER l = {A} [alA] by -, aOA, lAB, Line01infinity_THM; ~(A = G) /\ ~(A = B) /\ ~(G = B) /\ Between(B, G, A) /\ Collinear(A, G, B) [X1] by H2, B1; ~ Between(G, A, B) [notGAB] by -, H2, B3, B1; G IN l [Ginl] by lAB, H2, BetweenLinear_THM; ~(G IN a) [notGina] by alA, Ginl, X1, IntersectionSingletonOneNotOther_THM; G IN l DELETE A /\ B IN l DELETE A by Ginl, lAB, X1, IN_DELETE; G,B same_side a [Gsim_aB] by alA, -, notGAB, EquivIntersection_THM; :: same argument shows G,A same_side b ~(A IN b) by H1, bOB, Collinear_DEF; ~(b = l) by -, lAB; b INTER l = {B} [blB] by -, bOB, lAB, Line01infinity_THM; ~ Between(G, B, A) [notGBA] by H2, B1, B3; ~(G IN b) [notGinb] by blB, Ginl, X1, IntersectionSingletonOneNotOther_THM; G IN l DELETE B /\ A IN l DELETE B by Ginl, lAB, X1, IN_DELETE; G,A same_side b [Gsim_bA]by blB, -, notGBA, EquivIntersection_THM; qed by H1, aOA, bOB, notGina, notGinb, Gsim_aB, Gsim_bA, InteriorAngle_DEF;; let InteriorHelp_THM = thm ; let A O B P be point; let a b be line; assume O IN a /\ A IN a /\ O IN b /\ B IN b [aOAbOB]; assume P int_angle A,O,B [P_AOB]; thus ~(P IN a) /\ ~(P IN b) /\ P,B same_side a /\ P,A same_side b proof consider alpha beta such that ~Collinear (A,O,B) /\ O IN alpha /\ A IN alpha /\ O IN beta /\B IN beta 
/\ ~(P IN alpha) /\ ~(P IN beta) /\ P,B same_side alpha /\ P,A same_side beta [exists] by P_AOB, InteriorAngle_DEF; ~(A = O) /\ ~(A = B) /\ ~(O = B) [Distinct] by -, NonCollinearImpliesDistinct_THM; alpha = a /\ beta = b by -, aOAbOB, exists, I1; qed by -, exists;; let WholeRayInterior_THM = thm ; let A O B X P be point; assume ~Collinear(A, O, B) [H1]; assume X int_angle A,O,B [H2]; assume P IN ray(O,X) [H3]; assume ~(P = O) [H4]; thus P int_angle A,O,B proof ~(A = O) /\ ~(A = B) /\ ~(O = B) [Distinct] by H1, NonCollinearImpliesDistinct_THM; consider a such that O IN a /\ A IN a [a_OA] by Distinct, I1; consider b such that O IN b /\ B IN b [b_OB] by Distinct, I1; ~(X IN a) /\ ~(X IN b) /\ X,B same_side a /\ X,A same_side b [XintAOB] by H2, a_OA, b_OB, InteriorHelp_THM; ~(O = X) /\ Collinear(O, X, P) /\ ~ Between(P, O, X) [P_OX] by H3, IN, Ray_DEF; consider x such that O IN x /\ X IN x [x_OX] by P_OX, I1; :: P IN x [Pin_x] by x_OX, P_OX, Collinear_DEF, CollinearLinear_THM; P IN x [Pin_x] by x_OX, P_OX, CollinearLinear_THM; P IN x DELETE O [Pin_x_O] by Pin_x, H4, IN_DELETE; X IN x DELETE O [Xin_x_O] by x_OX, P_OX, IN_DELETE; ~(x = a) /\ ~(x = b) [x_not_ab] by XintAOB, x_OX; a INTER x = {O} /\ b INTER x = {O} [axb_intO] by x_not_ab, x_OX, a_OA, b_OB, Line01infinity_THM; ~(P IN a) /\ P,X same_side a [Psim_aX] by axb_intO, Pin_x_O, Xin_x_O, P_OX, EquivIntersection_THM; ~(P IN b) /\ P,X same_side b [Psim_bX] by axb_intO, Pin_x_O, Xin_x_O, P_OX, EquivIntersection_THM; P,B same_side a /\ P,A same_side b by Psim_aX, Psim_bX, XintAOB, a_OA, b_OB, H1, Collinear_DEF, SameSideTransitiveRelation_THM, Transitive_relation_DEF; qed by H1, a_OA, b_OB, Psim_aX, Psim_bX, -, InteriorAngle_DEF;; let AngleOrdering_THM = thm ; let O A P Q be point; let a be line; assume ~(O = A) [H1]; assume O IN a /\ A IN a [H2]; assume ~(P IN a) /\ ~(Q IN a) [H3]; assume P, Q same_side a [H4]; assume ~Collinear(P, O, Q) [H5]; thus P int_angle Q,O,A \/ Q int_angle P,O,A proof ~(P = O) /\ ~(P = Q) /\ ~(O 
= Q) [Distinct] by H5, NonCollinearImpliesDistinct_THM; consider p such that O IN p /\ P IN p [p_OP] by Distinct, I1; consider q such that O IN q /\ Q IN q [q_OQ] by Distinct, I1; ~(q = a) by H3, q_OQ; q INTER a = {O} by -, H2, q_OQ, Line01infinity_THM; ~(A IN q) by -, H2, H1, IntersectionSingletonOneNotOther_THM; ~(P IN q) [notPq] by q_OQ, H5, Collinear_DEF; ~(p = q) by -, p_OP; p INTER q = {O} by -, p_OP, q_OQ, Line01infinity_THM; ~Collinear(Q, O, A) [QOA_noncol] by H1, H2, I1, H3, Collinear_DEF; ~Collinear (P,O,A) [POA_noncol] by H1, H2, I1, H3, Collinear_DEF; assume ~(P int_angle Q,O,A) [notP_QOA]; Q int_angle P,O,A proof ~(P, A same_side q) by QOA_noncol, H2, q_OQ, H3, notPq, H4, notP_QOA, InteriorAngle_DEF; consider G such that (G IN q) /\ Between(P, G, A) [existG] by -, same_side_DEF; G int_angle P,O,A [G_POA] by POA_noncol, existG, ConverseCrossbar_THM; ~(G IN a) /\ G,P same_side a [Gsim_aP] by -, InteriorAngle_DEF, H1, H2, I1; ~(G = O) [GnotO] by -, H2; G,Q same_side a by Gsim_aP, H3, H4, SameSideTransitiveRelation_THM, Transitive_relation_DEF; ~Between (Q,O,G) [notQOG] by -, same_side_DEF, H2, B1; Collinear(O,G,Q) by q_OQ, existG, Collinear_DEF; Q IN ray(O,G) by GnotO, -, notQOG, IN, Ray_DEF; qed by POA_noncol, G_POA, -, Distinct, WholeRayInterior_THM; qed by -;; let InteriorReflectionInterior_THM = thm ; let A O B D A' be point; assume ~Collinear(A, O, B) [H1]; assume D int_angle A,O,B [H2]; assume Between(A, O, A') [H3]; thus B int_angle D,O,A' proof ~(A = O) /\ ~(A = B) /\ ~(O = B) [Distinct] by H1, NonCollinearImpliesDistinct_THM; consider a such that O IN a /\ A IN a [a_OA] by Distinct, I1; consider b such that O IN b /\ B IN b [b_OB] by Distinct, I1; ~(A IN b) [notAb] by b_OB, H1, Collinear_DEF; ~(B IN a) [notBa] by a_OA, H1, Collinear_DEF; ~(a = b) by -, b_OB; b INTER a = {O} [ab_O] by -, a_OA, b_OB, Line01infinity_THM; A' IN a [A'a] by H3, a_OA, BetweenLinear_THM; A' IN a DELETE O by A'a, H3, B1, IN_DELETE; ~(A' IN b) [notA'b] by ab_O, -, 
EquivIntersectionHelp_THM; ~(A,A' same_side b) [Ansim_bA'] by b_OB, H3, same_side_DEF ; ~(D IN a) /\ ~(D IN b) /\ D,B same_side a /\ D,A same_side b [DintAOB] by a_OA, b_OB, H2, InteriorHelp_THM; ~(D,A' same_side b) [Dnsim_bA'] proof assume D,A' same_side b; A',D same_side b by DintAOB, notA'b, -, SameSideSymmetricRelation_THM, Symmetric_relation_DEF; A',A same_side b by DintAOB, notA'b, notAb, -, SameSideTransitiveRelation_THM, Transitive_relation_DEF; A,A' same_side b by notA'b, notAb, -, SameSideSymmetricRelation_THM, Symmetric_relation_DEF; F by -, Ansim_bA'; qed by -; ~(D int_angle B,O,A') [notD_BOA'] proof assume D int_angle B,O,A'; D,A' same_side b by b_OB, a_OA, A'a, -, DintAOB, InteriorHelp_THM; F by -, Dnsim_bA'; qed by -; ~Collinear (D,O,B) [DOB_noncol] by Distinct, b_OB, I1, DintAOB, Collinear_DEF; ~(O = A') by H3, B1; B int_angle D,O,A' by -, a_OA, A'a, DintAOB, notBa, DOB_noncol, notD_BOA', AngleOrdering_THM; qed by -;; let Crossbar_THM = thm ; let O A B D be point; assume ~Collinear(A, O, B) [H1]; assume D int_angle A,O,B [H2]; thus ?G. 
Between(A, G, B) /\ G IN ray(O, D) proof ~(A = O) /\ ~(A = B) /\ ~(O = B) [Distinct] by H1, NonCollinearImpliesDistinct_THM; consider a such that O IN a /\ A IN a [a_OA] by Distinct, I1; consider b such that O IN b /\ B IN b [b_OB] by Distinct, I1; ~(B IN a) [notBa] by a_OA, H1, Collinear_DEF; ~(D IN a) /\ ~(D IN b) /\ D,B same_side a [D_AOB] by a_OA, b_OB, H2, InteriorHelp_THM; ~(D = O) [DnotO] by D_AOB, a_OA; consider l such that O IN l /\ D IN l [l_OD] by -, I1; ~(a = l) /\ ~(b = l) [abl_distinct] by l_OD, D_AOB, b_OB, notBa; a INTER l = {O} [alO] by abl_distinct, a_OA, l_OD, Line01infinity_THM; b INTER l = {O} [blO] by abl_distinct, b_OB, l_OD, Line01infinity_THM; ~(A IN l) /\ ~(B IN l) [ABnot_l] by alO, blO, a_OA, b_OB, Distinct, IntersectionSingletonOneNotOther_THM; consider A' such that Between(A, O, A') [AOA'] by Distinct, B2; A' IN a [A'a] by a_OA, -, BetweenLinear_THM; ~(A' = O) [A'notO] by AOA', B1; ~(A,A' same_side l) [Ansim_lA'] by l_OD, AOA', same_side_DEF; ~(A' IN l) [A'not_l] by alO, A'a, A'notO, IntersectionSingletonOneNotOther_THM; B int_angle D,O,A' by H1, H2, AOA', InteriorReflectionInterior_THM; B,A' same_side l [Bsim_lA'] by l_OD, a_OA, A'a, -, InteriorHelp_THM; ~(A,B same_side l) [Ansim_lB] proof assume A,B same_side l; A,A' same_side l by ABnot_l, A'not_l, -, Bsim_lA', SameSideTransitiveRelation_THM, Transitive_relation_DEF; qed by -, Ansim_lA'; consider G such that Between(A, G, B) /\ G IN l [AGB] by Ansim_lB, same_side_DEF; Collinear (O,D,G) [ODGcol] by AGB, l_OD, Collinear_DEF; G int_angle A,O,B by H1, AGB, ConverseCrossbar_THM; ~(G IN a) /\ G,B same_side a [Gsim_aB] by a_OA, b_OB, -, InteriorHelp_THM; D,B same_side a by a_OA, b_OB, H2, InteriorHelp_THM; B,D same_side a by notBa, D_AOB, -, SameSideSymmetricRelation_THM, Symmetric_relation_DEF; G,D same_side a [Gsim_aD] by Gsim_aB, notBa, D_AOB, Gsim_aB, -, SameSideTransitiveRelation_THM, Transitive_relation_DEF; ~Between(G, O, D) by a_OA, -, same_side_DEF; G IN ray(O,D) [G_OD] by DnotO, 
ODGcol, -, IN, Ray_DEF; qed by AGB, G_OD;; (* exec GOAL_TAC; p();; *) let IntervalTransitivity_THM = thm ; let O P Q R be point; let m be line; assume O IN m [H1]; assume P IN m DELETE O /\ Q IN m DELETE O /\ R IN m DELETE O [H2]; assume ~Between(P, O, Q) /\ ~Between(Q, O, R) [H3]; thus ~Between(P, O, R) proof P IN m /\ Q IN m /\ R IN m /\ ~(P = O) /\ ~(Q = O) /\ ~(R = O) [H2'] by H2, IN_DELETE; consider E such that ~(E IN m) [notEm] by ExistsPointOffLine_THM; ~(O = E) by H1, notEm; consider l such that O IN l /\ E IN l [OE_l] by -, I1; ~(m = l) by notEm, OE_l; l INTER m = {O} [ml_O] by -, H1, OE_l, Line01infinity_THM; ~(P IN l) /\ ~(Q IN l) /\ ~(R IN l) [PQRnotl] by ml_O, H2', IntersectionSingletonOneNotOther_THM; P,Q same_side l /\ Q,R same_side l [Psim_lQsim_lR] by ml_O, H2, H3, PQRnotl, EquivIntersection_THM; P,R same_side l [Psim_lR] by PQRnotl, Psim_lQsim_lR, SameSideTransitiveRelation_THM, Transitive_relation_DEF; qed by OE_l, -, same_side_DEF;; 

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-06-06 04:06

John, here's a more coherent reply, with 800 lines of code below.

   miz3 may not know that, say, the formulas S = {x | P x} and
   !x. x IN S <=> P x are equivalent, as you might have expected.

Yes, but there's a way around this that's good enough for me! I don't actually need to use this set notation { } here:

let Ray_DEF = new_definition
  `!A B X. ray(A, B) = {X | ~(A = B) /\ Collinear(A, B, X) /\ ~Between(X, A, B)}`;;

This definition works fine for me:

let Ray_DEF = new_definition
  `!A B X. ray(A, B) X <=> ~(A = B) /\ Collinear(A, B, X) /\ ~Between(X, A, B)`;;

What's important isn't {} in the definition, but being able to treat ray(A, B) as a set, as I can, e.g. in this simple example:

let OriginInRay_THM = thm `;
  let O Q be point;
  assume ~(Q = O) [H1];
  thus O IN ray(O, Q)
  proof
    ~Between (O,O,Q) [OOQ] by B1;
    consider l such that O IN l /\ Q IN l by H1, I1;
    Collinear (O,Q,O) by -, Collinear_DEF;
  qed by H1, -, OOQ, IN, Ray_DEF`;;

For a much more interesting example, see the last result

RayWellDefined_THM : thm =
  |- !O P Q. ~(Q = O) ==> P IN ray (O,Q) DELETE O ==> ray (O,P) = ray (O,Q)

where I prove the rays are equal by showing each is a subset of the other. That's the kind of set theory I can't do without, and I have it, thanks to the first definition in sets.ml

let IN = new_definition
  `!P:A->bool. !x. x IN P <=> P x`;;

--
Best,
Bill

(* Paste in these 2 commands

cd ~/hol_light; ocaml
#use "hol.ml";;

and then paste in the following file. *)

(* ================================================================= *)
(* HOL Light Hilbert geometry axiomatic proofs.                      *)
(* ================================================================= *)

(* Thanks to Mizar folks who wrote an influential language I was able
   to learn, Freek Wiedijk, who wrote the miz3 port of Mizar to HOL
   Light, and especially John Harrison, who came up with the entire
   framework here of porting my axiomatic proofs to HOL Light. *)

#load "unix.cma";;
loadt "miz3/miz3.ml";;

horizon := 0;;

new_type("point",0);;
new_type_abbrev("line",`:point->bool`);;
new_constant("Between",`:point#point#point->bool`);;
new_constant("===",`:point#point->point#point->bool`);;

parse_as_infix("===",(12, "right"));;
parse_as_infix("cong",(12, "right"));;
parse_as_infix("same_side",(12, "right"));;
parse_as_infix("int_angle",(12, "right"));;

let cong_DEF = new_definition
  `A,B,C cong X,Y,Z <=>
   A,B === X,Y /\ A,C === X,Z /\ B,C === Y,Z`;;

let is_ordered_DEF = new_definition
  `is_ordered (A,B,C,D) <=>
   Between (A,B,C) /\ Between (A,B,D) /\ Between (A,C,D) /\ Between (B,C,D)`;;

let Collinear_DEF = new_definition
  `Collinear(A, B, C) <=> ?l:line. A IN l /\ B IN l /\ C IN l`;;

let Twiddle_DEF = new_definition
  `Twiddle A l B <=> ~(?X. (X IN l) /\ Between(A, X, B))`;;

let same_side_DEF = new_definition
  `A,B same_side l <=> ~(?X. (X IN l) /\ Between(A, X, B))`;;

let Reflexive_relation_DEF = new_definition
  `Reflexive_Property <=>
   !l:line A:point. ~(A IN l) ==> A,A same_side l`;;

let Symmetric_relation_DEF = new_definition
  `Symmetric_Property <=>
   !l:line A:point B:point. ~(A IN l) /\ ~(B IN l) ==>
     A,B same_side l ==> B,A same_side l`;;

let Transitive_relation_DEF = new_definition
  `Transitive_Property <=>
   !l:line A:point B:point C:point. ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) ==>
     A,B same_side l /\ B,C same_side l ==> A,C same_side l`;;

let Ray_DEF = new_definition
  `!A B X. ray(A, B) X <=> ~(A = B) /\ Collinear(A, B, X) /\ ~Between(X, A, B)`;;

(* exec GOAL_TAC; p();;

let Angle_DEF = new_definition !A O B.
  Angle(A, O, B) = if Collinear(A, O, B) then {} else {ray(O, A), ray(O, B)};; *)

let InteriorAngle_DEF = new_definition
  `!A O B P.
     P int_angle A,O,B <=>
     ~Collinear(A, O, B) /\
     ?a b. O IN a /\ A IN a /\ O IN b /\ B IN b /\
           ~(P IN a) /\ ~(P IN b) /\
           P,B same_side a /\ P,A same_side b`;;

(* ------------------------------------------------------------------------- *)
(* The axioms.                                                               *)
(* ------------------------------------------------------------------------- *)

let I1 = new_axiom
  `!A B. ~(A = B) ==> ?! l. A IN l /\ B IN l`;;

let I2 = new_axiom
  `!l. ? A B. A IN l /\ B IN l /\ ~(A = B)`;;

let I3 = new_axiom
  `?A:point B:point C:point.
     ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ ~Collinear(A, B, C)`;;

let B1 = new_axiom
  `! A B C. Between(A, B, C) ==>
     ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ Between(C, B, A) /\ Collinear(A, B, C)`;;

let B2 = new_axiom
  `! A B. ~(A = B) ==> ?C. Between(A, B, C)`;;

let B3 = new_axiom
  `!A B C. ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ Collinear(A, B, C) ==>
     (Between(A, B, C) \/ Between(B, C, A) \/ Between(C, A, B)) /\
     ~(Between(A, B, C) /\ Between(B, C, A)) /\
     ~(Between(A, B, C) /\ Between(C, A, B)) /\
     ~(Between(B, C, A) /\ Between(C, A, B))`;;

let B4 = new_axiom
  `!l A B C. ~Collinear(A, B, C) ==>
     !l. ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) ==>
       (?X. X IN l /\ Between(A, X, C)) ==>
       (?Y. Y IN l /\ Between(A, Y, B)) \/ (?Y. Y IN l /\ Between(B, Y, C))`;;

let BiggerThanSingleton_THM = thm `;
  let p be A->bool;
  let x be A;
  assume x IN p [H1];
  assume ~(p = {x}) [H2];
  thus ?a . a IN p /\ ~(a = x)
  proof
    {x} SUBSET p by H1, SING_SUBSET;
    ~(p SUBSET {x}) by -, H2, SUBSET_ANTISYM;
    consider a such that a IN p /\ ~(a IN {x}) [X1] by -, SUBSET;
    ~(a = x) by -, IN_SING;
  qed by -, X1`;;

let DisjointOneNotOther_THM = thm `;
  let x be A;
  let l m be A->bool;
  assume l INTER m = {} [H1];
  assume x IN m [H2];
  thus ~(x IN l)
  proof
    assume (x IN l);
    x IN l INTER m by -, H2, IN_INTER;
    F by -, NOT_IN_EMPTY, H1;
  qed by -`;;

let IntersectionSingletonOneNotOther_THM = thm `;
  let e x be A;
  let l m be A->bool;
  assume l INTER m = {x} [H1];
  assume e IN l [H2];
  assume ~(e = x) [H3];
  thus ~(e IN m)
  proof
    assume e IN m;
    e IN l INTER m by H2, -, IN_INTER;
    e = x by -, H1, IN_SING;
    F by -, H3;
  qed by -`;;

let CollinearSymmetry_THM = thm `;
  let A B C be point;
  assume Collinear (A, B, C) [H1];
  thus Collinear (A, C, B) /\ Collinear(B, A, C) /\ Collinear(B, C, A) /\
       Collinear(C, A, B) /\ Collinear(C, B, A)
  proof
    consider l such that A IN l /\ B IN l /\ C IN l by H1, Collinear_DEF;
  qed by -, Collinear_DEF`;;

let EquivIntersectionHelp_THM = thm `;
  let a x be A;
  let l m be A->bool;
  assume l INTER m = {x} [H1];
  assume a IN m DELETE x [H2];
  thus ~(a IN l)
  proof
    a IN m /\ ~(a = x) [X1] by H2, IN_DELETE;
  qed by -, H1, H2, IntersectionSingletonOneNotOther_THM`;;

let DoubleSubsetEqual_THM = thm `;
  let s t be A->bool;
  assume s SUBSET t [H1];
  assume t SUBSET s [H2];
  thus s = t
  proof
    !x:A. x IN s ==> x IN t [sSt] by H1, SUBSET;
    !x:A. x IN t ==> x IN s [tSs] by H2, SUBSET;
    !x:A. x IN s <=> x IN t [sEt] by sSt, tSs;
    s = t by -, EXTENSION;
  qed by -`;;

let OnePointImpliesAnother_THM = thm `;
  let P be point;
  thus ?Q:point. ~(Q = P)
  proof
    consider A B C such that
      ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ ~Collinear(A, B, C) [X1] by I3;
    cases;
    suppose B = P;
      ~(A = B) by -, X1;
    qed by -;
    suppose ~(B = P);
    qed by -;
  end`;;

let ExistsPointOffLine_THM = thm `;
  let l be line;
  thus ?Q:point. ~(Q IN l)
  proof
    consider A B C such that
      ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ ~Collinear(A, B, C) [useI3] by I3;
    cases;
    suppose ~(A IN l) \/ ~(B IN l) \/ ~(C IN l);
    qed by -;
    suppose (A IN l) /\ (B IN l) /\ (C IN l);
      Collinear(A, B, C) by -, Collinear_DEF;
      F by -, useI3;
    qed by -;
  end`;;

let B4'_THM = thm `;
  let l be line;
  let A B C be point;
  assume ~Collinear(A, B, C) /\ ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) [H1];
  assume A,B same_side l /\ B,C same_side l [H2];
  thus A,C same_side l
  proof
    ~(?Y. Y IN l /\ Between(A, Y, B)) /\ ~(?Y. Y IN l /\ Between(B, Y, C)) ==>
      ~(?X. X IN l /\ Between(A, X, C)) by H1, B4;
  qed by -, H1, H2, same_side_DEF`;;

let BetweenLinear_THM = thm `;
  let A B C be point;
  let m be line;
  assume A IN m /\ C IN m [H1];
  assume Between(A, B, C) \/ Between(B, C, A) \/ Between(C, A, B) [H2];
  thus B IN m
  proof
    ~(A = C) /\ (Collinear(A,B,C) \/ Collinear(B,C,A) \/ Collinear(C,A,B)) [X1] by H2, B1;
    consider l such that A IN l /\ B IN l /\ C IN l [X2] by -, Collinear_DEF;
    l = m by X1, -, H2, H1, I1;
  qed by -, X2`;;

let CollinearLinear_THM = thm `;
  let A B C be point;
  let m be line;
  assume A IN m /\ C IN m [H1];
  assume Collinear(A,B,C) \/ Collinear(B,C,A) \/ Collinear(C,A,B) [H2];
  assume ~(A = C) [H3];
  thus B IN m
  proof
    consider l such that A IN l /\ B IN l /\ C IN l [X1] by H2, Collinear_DEF;
    l = m by H3, -, H1, I1;
  qed by -, X1`;;

let NonCollinearImpliesDistinct_THM = thm `;
  let A B C be point;
  assume ~Collinear(A, B, C) [H1];
  thus ~(A = B) /\ ~(A = C) /\ ~(B = C)
  proof
    cases;
    suppose A = B /\ B = C [C1];
      consider Q such that ~(Q = A) by OnePointImpliesAnother_THM;
      consider l such that A IN l /\ Q IN l by -, I1;
      Collinear(A, B, C) by -, C1, Collinear_DEF;
    qed by -, H1;
    suppose ~(A = B) /\ B = C [C2];
      consider l such that A IN l /\ B IN l by -, I1;
      Collinear(A, B, C) by -, C2, Collinear_DEF;
    qed by -, H1;
    suppose ~(B = C) [C3];
      consider l such that B IN l /\ C IN l [X1] by C3, I1;
      ~(A = B) [U]
      proof
        assume A = B;
        Collinear(A, B, C) by -, X1, Collinear_DEF;
      qed by -, H1;
      ~(A = C) [V]
      proof
        assume A = C;
        Collinear(A, B, C) by -, X1, Collinear_DEF;
      qed by -, H1;
    qed by U, V, C3;
  end`;;

let OriginInRay_THM = thm `;
  let O Q be point;
  assume ~(Q = O) [H1];
  thus O IN ray(O, Q)
  proof
    ~Between (O,O,Q) [OOQ] by B1;
    consider l such that O IN l /\ Q IN l by H1, I1;
    Collinear (O,Q,O) by -, Collinear_DEF;
  qed by H1, -, OOQ, IN, Ray_DEF`;;

let Line01infinity_THM = thm `;
  let X be point;
  let l m be line;
  assume ~(l = m) [H1];
  assume X IN l /\ X IN m [H2];
  thus l INTER m = {X}
  proof
    (l INTER m = {X}) \/ ~(l INTER m = {X});
    assume ~(l INTER m = {X}) [H3];
    X IN l INTER m by H2, IN_INTER;
    consider A such that A IN l INTER m /\ ~(A = X) [X1] by -, H3, BiggerThanSingleton_THM;
    A IN l /\ X IN l /\ A IN m /\ X IN m by -, H2, IN_INTER;
    l = m by -, X1, I1;
    F by -, H1;
  qed by -`;;

let EquivIntersection_THM = thm `;
  let A B X be point;
  let l m be line;
  assume l INTER m = {X} [H1];
  assume A IN m DELETE X /\ B IN m DELETE X [H2];
  assume ~ Between(A, X, B) [H3];
  thus ~(A IN l) /\ ~(B IN l) /\ A,B same_side l
  proof
    A IN m /\ ~(A = X) [X1] by H2, IN_DELETE;
    B IN m /\ ~(B = X) [X2] by H2, IN_DELETE;
    ~(A IN l) /\ ~(B IN l) [X3] by H1, H2, EquivIntersectionHelp_THM;
    A,B same_side l [X4]
    proof
      assume ~(A,B same_side l);
      consider G such that (G IN l) /\ Between(A, G, B) [X5] by -, same_side_DEF;
      ~(A = B) /\ Collinear(A, G, B) [X6] by -, B1;
      consider k such that A IN k /\ G IN k /\ B IN k [X7] by -, Collinear_DEF;
      k = m by -, X1, X2, X6, I1;
      G IN l INTER m by -, X5, X7, IN_INTER;
      G = X by -, H1, IN_SING;
      Between(A, X, B) by -, X5;
      F by -, H3;
    qed by -;
  qed by X3, X4`;;

let SameSideReflexiveRelation_THM = thm `;
  thus Reflexive_Property
  proof
    !l:line A:point. A,A same_side l
    proof
      let l be line;
      let A be point;
      ~(?X. (X IN l) /\ Between(A, X, A)) by B1;
    qed by -, same_side_DEF;
  qed by -, Reflexive_relation_DEF`;;

let SameSideSymmetricRelation_THM = thm `;
  thus Symmetric_Property
  proof
    !l:line A:point B:point. ~(A IN l) /\ ~(B IN l) ==>
      A,B same_side l ==> B,A same_side l
    proof
      let l be line;
      let A B be point;
      assume A,B same_side l [H1];
      assume ~(A IN l) /\ ~(B IN l);
      ~(?X. (X IN l) /\ Between(A, X, B)) by H1, same_side_DEF;
      ~(?X. (X IN l) /\ Between(B, X, A)) by -, B1;
    qed by -, same_side_DEF;
  qed by -, Symmetric_relation_DEF`;;

let SameSideTransitiveRelation_THM = thm `;
  thus Transitive_Property
  proof
    !l:line A:point B:point C:point. ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) ==>
      A,B same_side l /\ B,C same_side l ==> A,C same_side l
    proof
      let l be line;
      let A B C be point;
      assume ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) [H0];
      assume A,B same_side l [H1];
      assume B,C same_side l [H2];
      A,C same_side l
      proof
        ~Collinear(A, B, C) \/ Collinear(A, B, C);
        cases by -;
        suppose ~Collinear(A, B, C);
        qed by -, H0, H1, H2, B4'_THM;
        suppose Collinear(A, B, C) [Coll];
          cases;
          suppose A = B \/ A = C \/ B = C;
          qed by -, H2, H0, SameSideReflexiveRelation_THM, Reflexive_relation_DEF, H1;
          suppose ~(A = B) /\ ~(A = C) /\ ~(B = C) [Distinct];
            consider m such that A IN m /\ C IN m [W1] by Distinct, I1;
            ~(l = m) [W2] by W1, H0;
            cases;
            suppose l INTER m = {} [Disjoint];
              !X. Between(A, X, C) ==> ~(X IN l)
              proof
                let X be point;
                assume Between(A, X, C);
                X IN m by -, W1, BetweenLinear_THM;
                ~(X IN l) by -, Disjoint, DisjointOneNotOther_THM;
              qed by -;
            qed by -, same_side_DEF;
            suppose ~(l INTER m = {}) [NotDisjoint];
              consider X such that X IN l INTER m by NotDisjoint, MEMBER_NOT_EMPTY;
              X IN l /\ X IN m [U1] by -, IN_INTER;
              l INTER m = {X} [U2] by W2, -, Line01infinity_THM;
              consider E such that E IN l /\ ~(E = X) [U3] by U1, I2;
              ~(E IN m) [U4] by U2, U3, IntersectionSingletonOneNotOther_THM;
              ~(E = B) by U3, H0;
              consider B' such that Between(E, B, B') by -, B2;
              Between(B', B, E) [U5] by -, B1;
              ~(B' = E) /\ ~(B = E) /\ ~(B' = B) /\ Collinear(B', B, E) [U6] by -, B1;
              consider n such that E IN n /\ B' IN n [U7] by -, I1;
              B IN n [U8] by U7, U5, BetweenLinear_THM;
              ~(l = n) [U9] by H0, -;
              l INTER n = {E} [U10] by U9, U7, U3, Line01infinity_THM;
              ~(B' IN l) [U11] by -, U7, U6, IntersectionSingletonOneNotOther_THM;
              ~ Between(B, E, B') [U12] by U6, U5, B3;
              B' IN n DELETE E /\ B IN n DELETE E by U7, U8, U6, IN_DELETE;
              B, B' same_side l [U13] by U10, -, U12, EquivIntersection_THM;
              ~(m = n) [U14] by U7, U4;
              B IN m by W1, Coll, Distinct, CollinearLinear_THM;
              m INTER n = {B} [U15] by -, U8, U14, Line01infinity_THM;
              ~(A IN n) [U16] by -, W1, Distinct, IntersectionSingletonOneNotOther_THM;
              ~Collinear(A, B, B') by U6, U7, U8, I1, U16, Collinear_DEF;
              A,B' same_side l [U17] by -, H0, U11, H1, U13, B4'_THM;
              ~(C IN n) [U18] by U15, W1, Distinct, IntersectionSingletonOneNotOther_THM;
              C,B same_side l [U19] by H0, H2, SameSideSymmetricRelation_THM, Symmetric_relation_DEF;
              ~Collinear(C, B, B') by U6, U7, U8, I1, U18, Collinear_DEF;
              C,B' same_side l by -, H0, U11, U19, U13, B4'_THM;
              B',C same_side l [U20] by H0, U11, -, SameSideSymmetricRelation_THM, Symmetric_relation_DEF;
              ~(B' IN m) [U21] by U15, U7, U6, IntersectionSingletonOneNotOther_THM;
              ~Collinear(A, B', C) by Distinct, W1, I1, U21, Collinear_DEF;
              A, C same_side l by -, H0, U11, U17, U20, B4'_THM;
            qed by -;
            end;
          end;
        end;
    qed by -;
  qed by -, Transitive_relation_DEF`;;

let SameSideEquivalenceRelation_THM = thm `;
  thus Reflexive_Property /\ Symmetric_Property /\ Transitive_Property
  proof
  qed by SameSideReflexiveRelation_THM, SameSideSymmetricRelation_THM,
         SameSideTransitiveRelation_THM`;;

let ConverseCrossbar_THM = thm `;
  let O A B G be point;
  assume ~Collinear(A, O, B) [H1];
  assume Between(A, G, B) [H2];
  thus G int_angle A,O,B
  proof
    ~(A = O) /\ ~(A = B) /\ ~(O = B) [Distinct] by H1, NonCollinearImpliesDistinct_THM;
    consider a such that O IN a /\ A IN a [aOA] by -, I1;
    consider b such that O IN b /\ B IN b [bOB] by Distinct, I1;
    consider l such that A IN l /\ B IN l [lAB] by Distinct, I1;
    ~(B IN a) by H1, aOA, Collinear_DEF;
    ~(a = l) by -, lAB;
    a INTER l = {A} [alA] by -, aOA, lAB, Line01infinity_THM;
    ~(A = G) /\ ~(A = B) /\ ~(G = B) /\ Between(B, G, A) /\ Collinear(A, G, B) [X1] by H2, B1;
    ~ Between(G, A, B) [notGAB] by -, H2, B3, B1;
    G IN l [Ginl] by lAB, H2, BetweenLinear_THM;
    ~(G IN a) [notGina] by alA, Ginl, X1, IntersectionSingletonOneNotOther_THM;
    G IN l DELETE A /\ B IN l DELETE A by Ginl, lAB, X1, IN_DELETE;
    G,B same_side a [Gsim_aB] by alA, -, notGAB, EquivIntersection_THM;
    :: same argument shows G,A same_side b
    ~(A IN b) by H1, bOB, Collinear_DEF;
    ~(b = l) by -, lAB;
    b INTER l = {B} [blB] by -, bOB, lAB, Line01infinity_THM;
    ~ Between(G, B, A) [notGBA] by H2, B1, B3;
    ~(G IN b) [notGinb] by blB, Ginl, X1, IntersectionSingletonOneNotOther_THM;
    G IN l DELETE B /\ A IN l DELETE B by Ginl, lAB, X1, IN_DELETE;
    G,A same_side b [Gsim_bA] by blB, -, notGBA, EquivIntersection_THM;
  qed by H1, aOA, bOB, notGina, notGinb, Gsim_aB, Gsim_bA, InteriorAngle_DEF`;;

let InteriorHelp_THM = thm `;
  let A O B P be point;
  let a b be line;
  assume O IN a /\ A IN a /\ O IN b /\ B IN b [aOAbOB];
  assume P int_angle A,O,B [P_AOB];
  thus ~(P IN a) /\ ~(P IN b) /\ P,B same_side a /\ P,A same_side b
  proof
    consider alpha beta such that
      ~Collinear (A,O,B) /\ O IN alpha /\ A IN alpha /\ O IN beta /\ B IN beta /\
      ~(P IN alpha) /\ ~(P IN beta) /\
      P,B same_side alpha /\ P,A same_side beta [exists] by P_AOB, InteriorAngle_DEF;
    ~(A = O) /\ ~(A = B) /\ ~(O = B) [Distinct] by -, NonCollinearImpliesDistinct_THM;
    alpha = a /\ beta = b by -, aOAbOB, exists, I1;
  qed by -, exists`;;

let WholeRayInterior_THM = thm `;
  let A O B X P be point;
  assume ~Collinear(A, O, B) [H1];
  assume X int_angle A,O,B [H2];
  assume P IN ray(O,X) [H3];
  assume ~(P = O) [H4];
  thus P int_angle A,O,B
  proof
    ~(A = O) /\ ~(A = B) /\ ~(O = B) [Distinct] by H1, NonCollinearImpliesDistinct_THM;
    consider a such that O IN a /\ A IN a [a_OA] by Distinct, I1;
    consider b such that O IN b /\ B IN b [b_OB] by Distinct, I1;
    ~(X IN a) /\ ~(X IN b) /\ X,B same_side a /\ X,A same_side b [XintAOB]
      by H2, a_OA, b_OB, InteriorHelp_THM;
    ~(O = X) /\ Collinear(O, X, P) /\ ~ Between(P, O, X) [P_OX] by H3, IN, Ray_DEF;
    consider x such that O IN x /\ X IN x [x_OX] by P_OX, I1;
    :: P IN x [Pin_x] by x_OX, P_OX, Collinear_DEF, CollinearLinear_THM;
    P IN x [Pin_x] by x_OX, P_OX, CollinearLinear_THM;
    P IN x DELETE O [Pin_x_O] by Pin_x, H4, IN_DELETE;
    X IN x DELETE O [Xin_x_O] by x_OX, P_OX, IN_DELETE;
    ~(x = a) /\ ~(x = b) [x_not_ab] by XintAOB, x_OX;
    a INTER x = {O} /\ b INTER x = {O} [axb_intO]
      by x_not_ab, x_OX, a_OA, b_OB, Line01infinity_THM;
    ~(P IN a) /\ P,X same_side a [Psim_aX]
      by axb_intO, Pin_x_O, Xin_x_O, P_OX, EquivIntersection_THM;
    ~(P IN b) /\ P,X same_side b [Psim_bX]
      by axb_intO, Pin_x_O, Xin_x_O, P_OX, EquivIntersection_THM;
    P,B same_side a /\ P,A same_side b
      by Psim_aX, Psim_bX, XintAOB, a_OA, b_OB, H1, Collinear_DEF,
         SameSideTransitiveRelation_THM, Transitive_relation_DEF;
  qed by H1, a_OA, b_OB, Psim_aX, Psim_bX, -, InteriorAngle_DEF`;;

let AngleOrdering_THM = thm `;
  let O A P Q be point;
  let a be line;
  assume ~(O = A) [H1];
  assume O IN a /\ A IN a [H2];
  assume ~(P IN a) /\ ~(Q IN a) [H3];
  assume P, Q same_side a [H4];
  assume ~Collinear(P, O, Q) [H5];
  thus P int_angle Q,O,A \/ Q int_angle P,O,A
  proof
    ~(P = O) /\ ~(P = Q) /\ ~(O = Q) [Distinct] by H5, NonCollinearImpliesDistinct_THM;
    consider p such that O IN p /\ P IN p [p_OP] by Distinct, I1;
    consider q such that O IN q /\ Q IN q [q_OQ] by Distinct, I1;
    ~(q = a) by H3, q_OQ;
    q INTER a = {O} by -, H2, q_OQ, Line01infinity_THM;
    ~(A IN q) by -, H2, H1, IntersectionSingletonOneNotOther_THM;
    ~(P IN q) [notPq] by q_OQ, H5, Collinear_DEF;
    ~(p = q) by -, p_OP;
    p INTER q = {O} by -, p_OP, q_OQ, Line01infinity_THM;
    ~Collinear(Q, O, A) [QOA_noncol] by H1, H2, I1, H3, Collinear_DEF;
    ~Collinear (P,O,A) [POA_noncol] by H1, H2, I1, H3, Collinear_DEF;
    assume ~(P int_angle Q,O,A) [notP_QOA];
    Q int_angle P,O,A
    proof
      ~(P, A same_side q)
        by QOA_noncol, H2, q_OQ, H3, notPq, H4, notP_QOA, InteriorAngle_DEF;
      consider G such that (G IN q) /\ Between(P, G, A) [existG] by -, same_side_DEF;
      G int_angle P,O,A [G_POA] by POA_noncol, existG, ConverseCrossbar_THM;
      ~(G IN a) /\ G,P same_side a [Gsim_aP] by -, InteriorAngle_DEF, H1, H2, I1;
      ~(G = O) [GnotO] by -, H2;
      G,Q same_side a
        by Gsim_aP, H3, H4, SameSideTransitiveRelation_THM, Transitive_relation_DEF;
      ~Between (Q,O,G) [notQOG] by -, same_side_DEF, H2, B1;
      Collinear(O,G,Q) by q_OQ, existG, Collinear_DEF;
      Q IN ray(O,G) by GnotO, -, notQOG, IN, Ray_DEF;
    qed by POA_noncol, G_POA, -, Distinct, WholeRayInterior_THM;
  qed by -`;;

let InteriorReflectionInterior_THM = thm `;
  let A O B D A' be point;
  assume ~Collinear(A, O, B) [H1];
  assume D int_angle A,O,B [H2];
  assume Between(A, O, A') [H3];
  thus B int_angle D,O,A'
  proof
    ~(A = O) /\ ~(A = B) /\ ~(O = B) [Distinct] by H1, NonCollinearImpliesDistinct_THM;
    consider a such that O IN a /\ A IN a [a_OA] by Distinct, I1;
    consider b such that O IN b /\ B IN b [b_OB] by Distinct, I1;
    ~(A IN b) [notAb] by b_OB, H1, Collinear_DEF;
    ~(B IN a) [notBa] by a_OA, H1, Collinear_DEF;
    ~(a = b) by -, b_OB;
    b INTER a = {O} [ab_O] by -, a_OA, b_OB, Line01infinity_THM;
    A' IN a [A'a] by H3, a_OA, BetweenLinear_THM;
    A' IN a DELETE O by A'a, H3, B1, IN_DELETE;
    ~(A' IN b) [notA'b] by ab_O, -, EquivIntersectionHelp_THM;
    ~(A,A' same_side b) [Ansim_bA'] by b_OB, H3, same_side_DEF;
    ~(D IN a) /\ ~(D IN b) /\ D,B same_side a /\ D,A same_side b [DintAOB]
      by a_OA, b_OB, H2, InteriorHelp_THM;
    ~(D,A' same_side b) [Dnsim_bA']
    proof
      assume D,A' same_side b;
      A',D same_side b
        by DintAOB, notA'b, -, SameSideSymmetricRelation_THM, Symmetric_relation_DEF;
      A',A same_side b
        by DintAOB, notA'b, notAb, -, SameSideTransitiveRelation_THM, Transitive_relation_DEF;
      A,A' same_side b
        by notA'b, notAb, -, SameSideSymmetricRelation_THM, Symmetric_relation_DEF;
      F by -, Ansim_bA';
    qed by -;
    ~(D int_angle B,O,A') [notD_BOA']
    proof
      assume D int_angle B,O,A';
      D,A' same_side b by b_OB, a_OA, A'a, -, DintAOB, InteriorHelp_THM;
      F by -, Dnsim_bA';
    qed by -;
    ~Collinear (D,O,B) [DOB_noncol] by Distinct, b_OB, I1, DintAOB, Collinear_DEF;
    ~(O = A') by H3, B1;
    B int_angle D,O,A'
      by -, a_OA, A'a, DintAOB, notBa, DOB_noncol, notD_BOA', AngleOrdering_THM;
  qed by -`;;

let Crossbar_THM = thm `;
  let O A B D be point;
  assume ~Collinear(A, O, B) [H1];
  assume D int_angle A,O,B [H2];
  thus ?G. Between(A, G, B) /\ G IN ray(O, D)
  proof
    ~(A = O) /\ ~(A = B) /\ ~(O = B) [Distinct] by H1, NonCollinearImpliesDistinct_THM;
    consider a such that O IN a /\ A IN a [a_OA] by Distinct, I1;
    consider b such that O IN b /\ B IN b [b_OB] by Distinct, I1;
    ~(B IN a) [notBa] by a_OA, H1, Collinear_DEF;
    ~(D IN a) /\ ~(D IN b) /\ D,B same_side a [D_AOB] by a_OA, b_OB, H2, InteriorHelp_THM;
    ~(D = O) [DnotO] by D_AOB, a_OA;
    consider l such that O IN l /\ D IN l [l_OD] by -, I1;
    ~(a = l) /\ ~(b = l) [abl_distinct] by l_OD, D_AOB, b_OB, notBa;
    a INTER l = {O} [alO] by abl_distinct, a_OA, l_OD, Line01infinity_THM;
    b INTER l = {O} [blO] by abl_distinct, b_OB, l_OD, Line01infinity_THM;
    ~(A IN l) /\ ~(B IN l) [ABnot_l]
      by alO, blO, a_OA, b_OB, Distinct, IntersectionSingletonOneNotOther_THM;
    consider A' such that Between(A, O, A') [AOA'] by Distinct, B2;
    A' IN a [A'a] by a_OA, -, BetweenLinear_THM;
    ~(A' = O) [A'notO] by AOA', B1;
    ~(A,A' same_side l) [Ansim_lA'] by l_OD, AOA', same_side_DEF;
    ~(A' IN l) [A'not_l] by alO, A'a, A'notO, IntersectionSingletonOneNotOther_THM;
    B int_angle D,O,A' by H1, H2, AOA', InteriorReflectionInterior_THM;
    B,A' same_side l [Bsim_lA'] by l_OD, a_OA, A'a, -, InteriorHelp_THM;
    ~(A,B same_side l) [Ansim_lB]
    proof
      assume A,B same_side l;
      A,A' same_side l
        by ABnot_l, A'not_l, -, Bsim_lA', SameSideTransitiveRelation_THM,
           Transitive_relation_DEF;
    qed by -, Ansim_lA';
    consider G such that Between(A, G, B) /\ G IN l [AGB] by Ansim_lB, same_side_DEF;
    Collinear (O,D,G) [ODGcol] by AGB, l_OD, Collinear_DEF;
    G int_angle A,O,B by H1, AGB, ConverseCrossbar_THM;
    ~(G IN a) /\ G,B same_side a [Gsim_aB] by a_OA, b_OB, -, InteriorHelp_THM;
    D,B same_side a by a_OA, b_OB, H2, InteriorHelp_THM;
    B,D same_side a
      by notBa, D_AOB, -, SameSideSymmetricRelation_THM, Symmetric_relation_DEF;
    G,D same_side a [Gsim_aD]
      by Gsim_aB, notBa, D_AOB, Gsim_aB, -, SameSideTransitiveRelation_THM,
         Transitive_relation_DEF;
    ~Between(G, O, D) by a_OA, -, same_side_DEF;
    G IN ray(O,D) [G_OD] by DnotO, ODGcol, -, IN, Ray_DEF;
  qed by AGB, G_OD`;;

(* exec GOAL_TAC; p();; *)

let IntervalTransitivity_THM = thm `;
  let O P Q R be point;
  let m be line;
  assume O IN m [H1];
  assume P IN m DELETE O /\ Q IN m DELETE O /\ R IN m DELETE O [H2];
  assume ~Between(P, O, Q) /\ ~Between(Q, O, R) [H3];
  thus ~Between(P, O, R)
  proof
    P IN m /\ Q IN m /\ R IN m /\ ~(P = O) /\ ~(Q = O) /\ ~(R = O) [H2'] by H2, IN_DELETE;
    consider E such that ~(E IN m) [notEm] by ExistsPointOffLine_THM;
    ~(O = E) by H1, notEm;
    consider l such that O IN l /\ E IN l [OE_l] by -, I1;
    ~(m = l) by notEm, OE_l;
    l INTER m = {O} [ml_O] by -, H1, OE_l, Line01infinity_THM;
    ~(P IN l) /\ ~(Q IN l) /\ ~(R IN l) [PQRnotl]
      by ml_O, H2', IntersectionSingletonOneNotOther_THM;
    P,Q same_side l /\ Q,R same_side l [Psim_lQsim_lR]
      by ml_O, H2, H3, PQRnotl, EquivIntersection_THM;
    P,R same_side l [Psim_lR]
      by PQRnotl, Psim_lQsim_lR, SameSideTransitiveRelation_THM, Transitive_relation_DEF;
  qed by OE_l, -, same_side_DEF`;;

let RayLine_THM = thm `;
  let O P X be point;
  let l be line;
  assume O IN l /\ P IN l [H1];
  assume X IN ray(O,P) [H2];
  thus X IN l
  proof
    ~(O = P) /\ Collinear (O,P,X) by H2, IN, Ray_DEF;
    X IN l by H1, -, CollinearLinear_THM;
  qed by -`;;

let RayWellDefinedHalfway_THM = thm `;
  let O P Q be point;
  assume ~(Q = O) [H1];
  assume P IN ray(O, Q) DELETE O [H2];
  thus ray(O, P) SUBSET ray(O, Q)
  proof
    consider m such that O IN m /\ Q IN m [OQm] by H1, I1;
    P IN ray(O, Q) /\ ~(P = O) [H2'] by H2, IN_DELETE;
    P IN m [Pm] by OQm, H2', RayLine_THM;
    P IN m DELETE O /\ Q IN m DELETE O [PQm_O] by Pm, H2', OQm, H1, IN_DELETE;
    ~Between (P, O, Q) [notPOQ] by H2', IN, Ray_DEF;
    !X. X IN ray(O, P) ==> X IN ray(O, Q)
    proof
      let X be point;
      assume X IN ray(O, P) [XrOP];
      X IN m [Xm] by OQm, Pm, H2', -, RayLine_THM;
      Collinear (O, Q, X) [OQXcol] by OQm, Xm, Collinear_DEF;
      ~Between (X, O, P) [notXOP] by XrOP, IN, Ray_DEF;
      cases;
      suppose X = O;
        X IN ray(O, Q) by H1, -, OriginInRay_THM;
      qed by -;
      suppose ~(X = O) [notXO];
        X IN m DELETE O by Xm, notXO, IN_DELETE;
        ~Between(X, O, Q) by OQm, -, PQm_O, notXOP, notPOQ, IntervalTransitivity_THM;
        X IN ray(O, Q) by H1, OQXcol, -, IN, Ray_DEF;
      qed by -;
    end;
  qed by -, SUBSET`;;

let RayWellDefined_THM = thm `;
  let O P Q be point;
  assume ~(Q = O) [H1];
  assume P IN ray(O, Q) DELETE O [H2];
  thus ray(O, P) = ray(O, Q)
  proof
    ray (O,P) SUBSET ray (O,Q) [PsubsetQ] by H1, H2, RayWellDefinedHalfway_THM;
    P IN ray(O, Q) /\ ~(P = O) [H2'] by H2, IN_DELETE;
    Collinear (O, Q, P) /\ ~Between (P, O, Q) [notPOQ] by H2', IN, Ray_DEF;
    Collinear (O, P, Q) [OQPcol] by notPOQ, CollinearSymmetry_THM;
    ~Between (Q, O, P) [notQOP] by notPOQ, B1;
    Q IN ray(O, P) by H2', OQPcol, notQOP, IN, Ray_DEF;
    Q IN ray(O, P) DELETE O [QrOP_O] by -, H1, IN_DELETE;
    ray (O,Q) SUBSET ray (O,P) [QsubsetP] by H2', QrOP_O, RayWellDefinedHalfway_THM;
  qed by PsubsetQ, QsubsetP, DoubleSubsetEqual_THM`;;

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-06-07 06:49

John, I realized my miz3 Hilbert axiom formalization may not have been rigorous, or captured Hilbert's axiom, as I had no notion of line other than the datatype

new_type_abbrev("line",:point->bool);;

saying a line is a subset of our model of Hilbert's axiom. That's possibly buggy, because there is indeed one such subset, the entire model, so there would be a "line" containing every point. I think I solved this problem with a predicate Line' which has the same HOL Light axiomatic status as the relations Between' and ===' which you coded for me, and my axioms now refer to Line'. I'm up to 870 lines, including 3 lemmas from sec 4 of my Hilbert paper
http://www.math.northwestern.edu/~richter/hilbert.pdf

--
Best,
Bill

(* Paste in these 4 commands

cd ~/hol_light; ocaml
#use "hol.ml";;
#load "unix.cma";;
loadt "miz3/miz3.ml";;

and then paste in the following file. *)

(* ================================================================= *)
(* HOL Light Hilbert geometry axiomatic proofs. *)
(* ================================================================= *)

(* Thanks to Mizar folks who wrote an influential language I was able to
   learn, Freek Wiedijk, who wrote the miz3 port of Mizar to HOL Light, and
   especially John Harrison, who came up with the entire framework here of
   porting my axiomatic proofs to HOL Light.
*)

horizon := 0;;

new_type("point",0);;
new_type_abbrev("point_set",:point->bool);;
new_constant("Between",:point#point#point->bool);;
new_constant("===",:point#point->point#point->bool);;
new_constant("Line",:point_set->bool);;

parse_as_infix("===",(12, "right"));;
parse_as_infix("cong",(12, "right"));;
parse_as_infix("same_side",(12, "right"));;
parse_as_infix("int_angle",(12, "right"));;

let cong_DEF = new_definition
  A,B,C cong X,Y,Z <=> A,B === X,Y /\ A,C === X,Z /\ B,C === Y,Z;;

let is_ordered_DEF = new_definition
  is_ordered (A,B,C,D) <=> Between (A,B,C) /\ Between (A,B,D) /\ Between (A,C,D) /\ Between (B,C,D);;

let Collinear_DEF = new_definition
  Collinear(A, B, C) <=> ?l. Line l /\ A IN l /\ B IN l /\ C IN l;;

let same_side_DEF = new_definition
  A,B same_side l <=> Line l /\ ~(?X. (X IN l) /\ Between(A, X, B));;

let Reflexive_relation_DEF = new_definition
  Reflexive_Property <=> !l A. Line l /\ ~(A IN l) ==> A,A same_side l;;

let Symmetric_relation_DEF = new_definition
  Symmetric_Property <=> !l A B. Line l /\ ~(A IN l) /\ ~(B IN l) ==> A,B same_side l ==> B,A same_side l;;

let Transitive_relation_DEF = new_definition
  Transitive_Property <=> !l A B C. Line l /\ ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) ==> A,B same_side l /\ B,C same_side l ==> A,C same_side l;;

let Ray_DEF = new_definition
  !A B X. ray(A, B) X <=> ~(A = B) /\ Collinear(A, B, X) /\ ~Between(X, A, B);;

(* exec GOAL_TAC; p();;

let Angle_DEF = new_definition
  !A O B. Angle(A, O, B) = if Collinear(A, O, B) then {} else {ray(O, A), ray(O, B)};;
*)

let InteriorAngle_DEF = new_definition
  !A O B P. P int_angle A,O,B <=> ~Collinear(A, O, B) /\ ?a b.
    Line a /\ O IN a /\ A IN a /\ Line b /\ O IN b /\ B IN b /\
    ~(P IN a) /\ ~(P IN b) /\ P,B same_side a /\ P,A same_side b;;

(* ------------------------------------------------------------------------- *)
(* The axioms. *)
(* ------------------------------------------------------------------------- *)

let I1 = new_axiom
  !A B. ~(A = B) ==> ?! l.
Line l /\ A IN l /\ B IN l;; let I2 = new_axiom !l. ? A B. Line l /\ A IN l /\ B IN l /\ ~(A = B);; let I3 = new_axiom ?A B C. ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ ~Collinear(A, B, C);; let B1 = new_axiom ! A B C. Between(A, B, C) ==> ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ Between(C, B, A) /\ Collinear(A, B, C);; let B2 = new_axiom ! A B. ~(A = B) ==> ?C. Between(A, B, C);; let B3 = new_axiom !A B C. ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ Collinear(A, B, C) ==> (Between(A, B, C) \/ Between(B, C, A) \/ Between(C, A, B)) /\ ~(Between(A, B, C) /\ Between(B, C, A)) /\ ~(Between(A, B, C) /\ Between(C, A, B)) /\ ~(Between(B, C, A) /\ Between(C, A, B));; let B4 = new_axiom !l A B C. Line l /\ ~Collinear(A, B, C) /\ ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) /\ (?X. X IN l /\ Between(A, X, C)) ==> (?Y. Y IN l /\ Between(A, Y, B)) \/ (?Y. Y IN l /\ Between(B, Y, C));; let BiggerThanSingleton_THM = thm ; let p be A->bool; let x be A; assume x IN p [H1]; assume ~(p = {x}) [H2]; thus ?a . a IN p /\ ~(a = x) proof {x} SUBSET p by H1, SING_SUBSET; ~(p SUBSET {x}) by -, H2, SUBSET_ANTISYM; consider a such that a IN p /\ ~(a IN {x}) [X1] by -, SUBSET; ~(a = x) by -, IN_SING; qed by -, X1;; let DisjointOneNotOther_THM = thm ; let x be A; let l m be A->bool; assume l INTER m = {} [H1]; assume x IN m [H2]; thus ~(x IN l) proof assume (x IN l); x IN l INTER m by -, H2, IN_INTER; F by -, NOT_IN_EMPTY, H1; qed by -;; let IntersectionSingletonOneNotOther_THM = thm ; let e x be A; let l m be A->bool; assume l INTER m = {x} [H1]; assume e IN l [H2]; assume ~(e = x) [H3]; thus ~(e IN m) proof assume e IN m; e IN l INTER m by H2, -, IN_INTER; e = x by -, H1, IN_SING; F by -, H3; qed by -;; let EquivIntersectionHelp_THM = thm ; let a x be A; let l m be A->bool; assume l INTER m = {x} [H1]; assume a IN m DELETE x [H2]; thus ~(a IN l) proof a IN m /\ ~(a = x) [X1] by H2, IN_DELETE; qed by -, H1, H2, IntersectionSingletonOneNotOther_THM;; let DoubleSubsetEqual_THM = thm ; let s t be A->bool; assume s SUBSET t 
[H1]; assume t SUBSET s [H2]; thus s = t proof !x:A. x IN s ==> x IN t [sSt] by H1, SUBSET; !x:A. x IN t ==> x IN s [tSs] by H2, SUBSET; !x:A. x IN s <=> x IN t [sEt] by sSt, tSs; s = t by -, EXTENSION; qed by -;; let CollinearSymmetry_THM = thm ; let A B C be point; assume Collinear (A, B, C) [H1]; thus Collinear (A, C, B) /\ Collinear(B, A, C) /\ Collinear(B, C, A) /\ Collinear(C, A, B) /\ Collinear(C, B, A) proof consider l such that Line l /\ A IN l /\ B IN l /\ C IN l by H1, Collinear_DEF; qed by -, Collinear_DEF;; let OnePointImpliesAnother_THM = thm ; let P be point; thus ?Q:point. ~(Q = P) proof consider A B C such that ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ ~Collinear(A, B, C) [X1] by I3; cases; suppose B = P; ~(A = B) by -, X1; qed by -; suppose ~(B = P); qed by -; end;; let ExistsPointOffLine_THM = thm ; let l be point_set; assume Line l [H1]; thus ?Q:point. ~(Q IN l) proof consider A B C such that ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ ~Collinear(A, B, C) [useI3] by I3; cases; suppose ~(A IN l) \/ ~(B IN l) \/ ~(C IN l); qed by -; suppose (A IN l) /\ (B IN l) /\ (C IN l); Collinear(A, B, C) by H1, -, Collinear_DEF; F by -, useI3; qed by -; end;; let B4'_THM = thm ; let l be point_set; let A B C be point; assume Line l [H0]; assume ~Collinear(A, B, C) /\ ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) [H1]; assume A,B same_side l /\ B,C same_side l [H2]; thus A,C same_side l proof ~(?Y. Y IN l /\ Between(A, Y, B)) /\ ~(?Y. Y IN l /\ Between(B, Y, C)) ==> ~(?X. 
X IN l /\ Between(A, X, C)) by H0, H1, B4; qed by -, H1, H2, same_side_DEF;; let BetweenLinear_THM = thm ; let A B C be point; let m be point_set; assume Line m /\ A IN m /\ C IN m [H1]; assume Between(A, B, C) \/ Between(B, C, A) \/ Between(C, A, B) [H2]; thus B IN m proof ~(A = C) /\ (Collinear(A,B,C) \/ Collinear(B,C,A) \/ Collinear(C,A,B)) [X1] by H2, B1; consider l such that Line l /\ A IN l /\ B IN l /\ C IN l [X2] by -, Collinear_DEF; l = m by X1, -, H2, H1, I1; qed by -, X2;; let CollinearLinear_THM = thm ; let A B C be point; let m be point_set; assume Line m /\ A IN m /\ C IN m [H1]; assume Collinear(A,B,C) \/ Collinear(B,C,A) \/ Collinear(C,A,B) [H2]; assume ~(A = C) [H3]; thus B IN m proof consider l such that Line l /\ A IN l /\ B IN l /\ C IN l [X1] by H2, Collinear_DEF; l = m by H3, -, H1, I1; qed by -, X1;; let NonCollinearImpliesDistinct_THM = thm ; let A B C be point; assume ~Collinear(A, B, C) [H1]; thus ~(A = B) /\ ~(A = C) /\ ~(B = C) proof cases; suppose A = B /\ B = C [C1]; consider Q such that ~(Q = A) by OnePointImpliesAnother_THM; consider l such that Line l /\ A IN l /\ Q IN l by -, I1; Collinear(A, B, C) by -, C1, Collinear_DEF; qed by -, H1; suppose ~(A = B) /\ B = C [C2]; consider l such that Line l /\ A IN l /\ B IN l by -, I1; Collinear(A, B, C) by -, C2, Collinear_DEF; qed by -, H1; suppose ~(B = C) [C3]; consider l such that Line l /\ B IN l /\ C IN l [X1] by C3, I1; ~(A = B) [U] proof assume A = B; Collinear(A, B, C) by -, X1, Collinear_DEF; qed by -, H1; ~(A = C) [V] proof assume A = C; Collinear(A, B, C) by -, X1, Collinear_DEF; qed by -, H1; qed by U, V, C3; end;; let OriginInRay_THM = thm ; let O Q be point; assume ~(Q = O) [H1]; thus O IN ray(O, Q) proof ~Between (O,O,Q) [OOQ] by B1; consider l such that Line l /\ O IN l /\ Q IN l by H1, I1; Collinear (O,Q,O) by -, Collinear_DEF; qed by H1, -, OOQ, IN, Ray_DEF;; let Line01infinity_THM = thm ; let X be point; let l m be point_set; assume Line l /\ Line m [H0]; assume ~(l = m) 
[H1]; assume X IN l /\ X IN m [H2]; thus l INTER m = {X} proof (l INTER m = {X}) \/ ~(l INTER m = {X}); assume ~(l INTER m = {X}) [H3]; X IN l INTER m by H2, IN_INTER; consider A such that A IN l INTER m /\ ~(A = X) [X1] by -, H3, BiggerThanSingleton_THM; A IN l /\ X IN l /\ A IN m /\ X IN m by H0, -, H2, IN_INTER; l = m by H0, -, X1, I1; F by -, H1; qed by -;; let EquivIntersection_THM = thm ; let A B X be point; let l m be point_set; assume Line l /\ Line m [H0]; assume l INTER m = {X} [H1]; assume A IN m DELETE X /\ B IN m DELETE X [H2]; assume ~ Between(A, X, B) [H3]; thus ~(A IN l) /\ ~(B IN l) /\ A,B same_side l proof A IN m /\ ~(A = X) [X1] by H2, IN_DELETE; B IN m /\ ~(B = X) [X2] by H2, IN_DELETE; ~(A IN l) /\ ~(B IN l) [X3] by H1, H2, EquivIntersectionHelp_THM; A,B same_side l [X4] proof assume ~(A,B same_side l); consider G such that (G IN l) /\ Between(A, G, B) [X5] by H0, -, same_side_DEF; ~(A = B) /\ Collinear(A, G, B) [X6] by -, B1; consider k such that Line k /\ A IN k /\ G IN k /\ B IN k [X7] by -, Collinear_DEF; k = m by H0, -, X1, X2, X6, I1; G IN l INTER m by -, X5, X7, IN_INTER; G = X by -, H1, IN_SING; Between(A, X, B) by -, X5; F by -, H3; qed by -; qed by X3, X4;; let SameSideReflexiveRelation_THM = thm ; thus Reflexive_Property proof !l A. Line l ==> A,A same_side l proof let l be point_set; let A be point; assume Line l [H0]; ~(?X. (X IN l) /\ Between(A, X, A)) by H0, B1; qed by H0, -, same_side_DEF; qed by -, Reflexive_relation_DEF;; let SameSideSymmetricRelation_THM = thm ; thus Symmetric_Property proof !l A B. Line l /\ ~(A IN l) /\ ~(B IN l) ==> A,B same_side l ==> B,A same_side l proof let l be point_set; let A B be point; assume Line l [H0]; assume A,B same_side l [H1]; assume ~(A IN l) /\ ~(B IN l); ~(?X. (X IN l) /\ Between(A, X, B)) by H0, H1, same_side_DEF; ~(?X. 
(X IN l) /\ Between(B, X, A)) by -, B1; qed by H0, -, same_side_DEF; qed by -, Symmetric_relation_DEF;; let SameSideTransitiveRelation_THM = thm ; thus Transitive_Property proof !l A B C. Line l /\ ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) ==> A,B same_side l /\ B,C same_side l ==> A,C same_side l proof let l be point_set; let A B C be point; assume Line l [lLine]; assume ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) [H0]; assume A,B same_side l [H1]; assume B,C same_side l [H2]; A,C same_side l proof ~Collinear(A, B, C) \/ Collinear(A, B, C); cases by -; suppose ~Collinear(A, B, C); qed by lLine, -, H0, H1, H2, B4'_THM; suppose Collinear(A, B, C) [Coll]; cases; suppose A = B \/ A = C \/ B = C; qed by lLine, -, H2, H0, SameSideReflexiveRelation_THM, Reflexive_relation_DEF, H1; suppose ~(A = B) /\ ~(A = C) /\ ~(B = C) [Distinct]; consider m such that Line m /\ A IN m /\ C IN m [ACm] by Distinct, I1; ~(l = m) [not_lm] by ACm, H0; cases; suppose l INTER m = {} [Disjoint]; !X. Between(A, X, C) ==> ~(X IN l) proof let X be point; assume Between(A, X, C); X IN m by lLine, -, ACm, BetweenLinear_THM; ~(X IN l) by -, Disjoint, DisjointOneNotOther_THM; qed by -; qed by lLine, -, same_side_DEF; suppose ~(l INTER m = {}) [NotDisjoint]; consider X such that X IN l INTER m by NotDisjoint, MEMBER_NOT_EMPTY; X IN l /\ X IN m [Xin_lm] by -, IN_INTER; l INTER m = {X} [lmX] by lLine, ACm, not_lm, -, Line01infinity_THM; consider E such that E IN l /\ ~(E = X) [Einl_X] by Xin_lm, I2; ~(E IN m) [notEm] by lmX, Einl_X, IntersectionSingletonOneNotOther_THM; ~(E = B) by Einl_X, H0; consider B' such that Between(E, B, B') by -, B2; Between(B', B, E) [B'BE] by -, B1; ~(B' = E) /\ ~(B = E) /\ ~(B' = B) /\ Collinear(B', B, E) [B'BEcol] by -, B1; consider n such that Line n /\ E IN n /\ B' IN n [EB'n] by -, I1; B IN n [Bn] by EB'n, B'BE, BetweenLinear_THM; ~(l = n) [not_ln] by H0, -; l INTER n = {E} [lnE] by lLine, not_ln, EB'n, Einl_X, Line01infinity_THM; ~(B' IN l) [notB'l] by -, EB'n, B'BEcol, 
IntersectionSingletonOneNotOther_THM; ~ Between(B, E, B') [BEB'] by B'BEcol, B'BE, B3; B' IN n DELETE E /\ B IN n DELETE E by EB'n, Bn, B'BEcol, IN_DELETE; B, B' same_side l [Bsim_lB'] by lLine, EB'n, lnE, -, BEB', EquivIntersection_THM; ~(m = n) [not_mn] by EB'n, notEm; B IN m by ACm, Coll, Distinct, CollinearLinear_THM; m INTER n = {B} [mn_B] by ACm, EB'n, -, Bn, not_mn, Line01infinity_THM; ~(A IN n) [not_An] by -, ACm, Distinct, IntersectionSingletonOneNotOther_THM; ~Collinear(A, B, B') proof assume Collinear(A, B, B'); consider alpha such that Line alpha /\ A IN alpha /\ B IN alpha /\ B' IN alpha [ABB'alpha] by -, Collinear_DEF; alpha = n by B'BEcol, ABB'alpha, EB'n, Bn, I1; A IN n by -, ABB'alpha; qed by -, not_An; A,B' same_side l [Asim_lB'] by lLine, -, H0, notB'l, H1, Bsim_lB', B4'_THM; ~(C IN n) [notCn] by mn_B, ACm, Distinct, IntersectionSingletonOneNotOther_THM; C,B same_side l [Csim_lB] by lLine, H0, H2, SameSideSymmetricRelation_THM, Symmetric_relation_DEF; ~Collinear(C, B, B') proof assume Collinear(C, B, B'); consider alpha such that Line alpha /\ C IN alpha /\ B IN alpha /\ B' IN alpha [CBB'alpha] by -, Collinear_DEF; alpha = n by -, EB'n, B'BEcol, CBB'alpha, Bn, I1; C IN n by -, CBB'alpha; qed by -, notCn; C,B' same_side l by lLine, -, H0, notB'l, Csim_lB, Bsim_lB', B4'_THM; B',C same_side l [B'sim_C] by lLine, H0, notB'l, -, SameSideSymmetricRelation_THM, Symmetric_relation_DEF; ~(B' IN m) [notB'm] by mn_B, EB'n, B'BEcol, IntersectionSingletonOneNotOther_THM; ~Collinear(A, B', C) proof assume Collinear(A, B', C); consider alpha such that Line alpha /\ A IN alpha /\ B' IN alpha /\ C IN alpha [AB'Calpha] by -, Collinear_DEF; alpha = m by Distinct, -, ACm, I1; B' IN m by -, AB'Calpha; F by -, notB'm; qed by -; A, C same_side l by lLine, -, H0, notB'l, Asim_lB', B'sim_C, B4'_THM; qed by -; end; end; end; qed by -; qed by -, Transitive_relation_DEF;; let SameSideEquivalenceRelation_THM = thm ; thus Reflexive_Property /\ Symmetric_Property /\ 
Transitive_Property proof qed by SameSideReflexiveRelation_THM, SameSideSymmetricRelation_THM, SameSideTransitiveRelation_THM;; let ConverseCrossbar_THM = thm ; let O A B G be point; assume ~Collinear(A, O, B) [H1]; assume Between(A, G, B) [H2]; thus G int_angle A,O,B proof ~(A = O) /\ ~(A = B) /\ ~(O = B) [Distinct] by H1, NonCollinearImpliesDistinct_THM; consider a such that Line a /\ O IN a /\ A IN a [aOA] by -, I1; consider b such that Line b /\ O IN b /\ B IN b [bOB] by Distinct, I1; consider l such that Line l /\ A IN l /\ B IN l [lAB] by Distinct, I1; ~(B IN a) by H1, aOA, Collinear_DEF; ~(a = l) by -, lAB; a INTER l = {A} [alA] by -, aOA, lAB, Line01infinity_THM; ~(A = G) /\ ~(A = B) /\ ~(G = B) /\ Between(B, G, A) /\ Collinear(A, G, B) [X1] by H2, B1; ~ Between(G, A, B) [notGAB] by -, H2, B3, B1; G IN l [Ginl] by lAB, H2, BetweenLinear_THM; ~(G IN a) [notGina] by alA, Ginl, X1, IntersectionSingletonOneNotOther_THM; G IN l DELETE A /\ B IN l DELETE A by Ginl, lAB, X1, IN_DELETE; G,B same_side a [Gsim_aB] by aOA, lAB, alA, -, notGAB, EquivIntersection_THM; :: same argument shows G,A same_side b ~(A IN b) by H1, bOB, Collinear_DEF; ~(b = l) by -, lAB; b INTER l = {B} [blB] by -, bOB, lAB, Line01infinity_THM; ~ Between(G, B, A) [notGBA] by H2, B1, B3; ~(G IN b) [notGinb] by blB, Ginl, X1, IntersectionSingletonOneNotOther_THM; G IN l DELETE B /\ A IN l DELETE B by Ginl, lAB, X1, IN_DELETE; G,A same_side b [Gsim_bA] by bOB, lAB, blB, -, notGBA, EquivIntersection_THM; qed by H1, aOA, bOB, notGina, notGinb, Gsim_aB, Gsim_bA, InteriorAngle_DEF;; let InteriorHelp_THM = thm ; let A O B P be point; let a b be point_set; assume Line a /\ O IN a /\ A IN a /\ Line b /\ O IN b /\ B IN b [aOAbOB]; assume P int_angle A,O,B [P_AOB]; thus ~(P IN a) /\ ~(P IN b) /\ P,B same_side a /\ P,A same_side b proof consider alpha beta such that ~Collinear (A,O,B) /\ Line alpha /\ O IN alpha /\ A IN alpha /\ Line beta /\ O IN beta /\B IN beta /\ ~(P IN alpha) /\ ~(P IN beta) /\ P,B 
same_side alpha /\ P,A same_side beta [exists] by P_AOB, InteriorAngle_DEF; ~(A = O) /\ ~(A = B) /\ ~(O = B) [Distinct] by -, NonCollinearImpliesDistinct_THM; alpha = a /\ beta = b by -, aOAbOB, exists, I1; qed by -, exists;; let WholeRayInterior_THM = thm ; let A O B X P be point; assume ~Collinear(A, O, B) [H1]; assume X int_angle A,O,B [H2]; assume P IN ray(O,X) [H3]; assume ~(P = O) [H4]; thus P int_angle A,O,B proof ~(A = O) /\ ~(A = B) /\ ~(O = B) [Distinct] by H1, NonCollinearImpliesDistinct_THM; consider a such that Line a /\ O IN a /\ A IN a [a_OA] by Distinct, I1; consider b such that Line b /\ O IN b /\ B IN b [b_OB] by Distinct, I1; ~(X IN a) /\ ~(X IN b) /\ X,B same_side a /\ X,A same_side b [XintAOB] by H2, a_OA, b_OB, InteriorHelp_THM; ~(O = X) /\ Collinear(O, X, P) /\ ~ Between(P, O, X) [P_OX] by H3, IN, Ray_DEF; consider x such that Line x /\ O IN x /\ X IN x [x_OX] by P_OX, I1; :: P IN x [Pin_x] by x_OX, P_OX, Collinear_DEF, CollinearLinear_THM; P IN x [Pin_x] by x_OX, P_OX, CollinearLinear_THM; P IN x DELETE O [Pin_x_O] by Pin_x, H4, IN_DELETE; X IN x DELETE O [Xin_x_O] by x_OX, P_OX, IN_DELETE; ~(x = a) /\ ~(x = b) [x_not_ab] by XintAOB, x_OX; a INTER x = {O} /\ b INTER x = {O} [axb_intO] by x_not_ab, x_OX, a_OA, b_OB, Line01infinity_THM; ~(P IN a) /\ P,X same_side a [Psim_aX] by a_OA, x_OX, axb_intO, Pin_x_O, Xin_x_O, P_OX, EquivIntersection_THM; ~(P IN b) /\ P,X same_side b [Psim_bX] by b_OB, x_OX, axb_intO, Pin_x_O, Xin_x_O, P_OX, EquivIntersection_THM; P,B same_side a /\ P,A same_side b by Psim_aX, Psim_bX, XintAOB, a_OA, b_OB, H1, Collinear_DEF, SameSideTransitiveRelation_THM, Transitive_relation_DEF; qed by H1, a_OA, b_OB, Psim_aX, Psim_bX, -, InteriorAngle_DEF;; let AngleOrdering_THM = thm ; let O A P Q be point; let a be point_set; assume ~(O = A) [H1]; assume Line a /\ O IN a /\ A IN a [H2]; assume ~(P IN a) /\ ~(Q IN a) [H3]; assume P, Q same_side a [H4]; assume ~Collinear(P, O, Q) [H5]; thus P int_angle Q,O,A \/ Q int_angle P,O,A 
proof ~(P = O) /\ ~(P = Q) /\ ~(O = Q) [Distinct] by H5, NonCollinearImpliesDistinct_THM; consider p such that Line p /\ O IN p /\ P IN p [p_OP] by Distinct, I1; consider q such that Line q /\ O IN q /\ Q IN q [q_OQ] by Distinct, I1; ~(q = a) by H3, q_OQ; q INTER a = {O} by -, H2, q_OQ, Line01infinity_THM; ~(A IN q) by -, H2, H1, IntersectionSingletonOneNotOther_THM; ~(P IN q) [notPq] by q_OQ, H5, Collinear_DEF; ~(p = q) by -, p_OP; p INTER q = {O} by -, p_OP, q_OQ, Line01infinity_THM; ~Collinear(Q, O, A) [QOA_noncol] by H1, H2, I1, H3, Collinear_DEF; ~Collinear (P,O,A) [POA_noncol] by H1, H2, I1, H3, Collinear_DEF; assume ~(P int_angle Q,O,A) [notP_QOA]; Q int_angle P,O,A proof ~(P, A same_side q) by QOA_noncol, H2, q_OQ, H3, notPq, H4, notP_QOA, InteriorAngle_DEF; consider G such that (G IN q) /\ Between(P, G, A) [existG] by q_OQ, -, same_side_DEF; G int_angle P,O,A [G_POA] by POA_noncol, existG, ConverseCrossbar_THM; ~(G IN a) /\ G,P same_side a [Gsim_aP] by -, InteriorAngle_DEF, H1, H2, I1; ~(G = O) [GnotO] by -, H2; G,Q same_side a by H2, Gsim_aP, H3, H4, SameSideTransitiveRelation_THM, Transitive_relation_DEF; ~Between (Q,O,G) [notQOG] by -, same_side_DEF, H2, B1; Collinear(O,G,Q) by q_OQ, existG, Collinear_DEF; Q IN ray(O,G) by GnotO, -, notQOG, IN, Ray_DEF; qed by POA_noncol, G_POA, -, Distinct, WholeRayInterior_THM; qed by -;; let InteriorReflectionInterior_THM = thm ; let A O B D A' be point; assume ~Collinear(A, O, B) [H1]; assume D int_angle A,O,B [H2]; assume Between(A, O, A') [H3]; thus B int_angle D,O,A' proof ~(A = O) /\ ~(A = B) /\ ~(O = B) [Distinct] by H1, NonCollinearImpliesDistinct_THM; consider a such that Line a /\ O IN a /\ A IN a [a_OA] by Distinct, I1; consider b such that Line b /\ O IN b /\ B IN b [b_OB] by Distinct, I1; ~(A IN b) [notAb] by b_OB, H1, Collinear_DEF; ~(B IN a) [notBa] by a_OA, H1, Collinear_DEF; ~(a = b) by -, b_OB; b INTER a = {O} [ab_O] by -, a_OA, b_OB, Line01infinity_THM; A' IN a [A'a] by H3, a_OA, BetweenLinear_THM; 
A' IN a DELETE O by A'a, H3, B1, IN_DELETE; ~(A' IN b) [notA'b] by ab_O, -, EquivIntersectionHelp_THM; ~(A,A' same_side b) [Ansim_bA'] by b_OB, H3, same_side_DEF ; ~(D IN a) /\ ~(D IN b) /\ D,B same_side a /\ D,A same_side b [DintAOB] by a_OA, b_OB, H2, InteriorHelp_THM; ~(D,A' same_side b) [Dnsim_bA'] proof assume D,A' same_side b; A',D same_side b by b_OB, DintAOB, notA'b, -, SameSideSymmetricRelation_THM, Symmetric_relation_DEF; A',A same_side b by b_OB, DintAOB, notA'b, notAb, -, SameSideTransitiveRelation_THM, Transitive_relation_DEF; A,A' same_side b by b_OB, notA'b, notAb, -, SameSideSymmetricRelation_THM, Symmetric_relation_DEF; F by -, Ansim_bA'; qed by -; ~(D int_angle B,O,A') [notD_BOA'] proof assume D int_angle B,O,A'; D,A' same_side b by b_OB, a_OA, A'a, -, DintAOB, InteriorHelp_THM; F by -, Dnsim_bA'; qed by -; ~Collinear (D,O,B) [DOB_noncol] by Distinct, b_OB, I1, DintAOB, Collinear_DEF; ~(O = A') by H3, B1; B int_angle D,O,A' by -, a_OA, A'a, DintAOB, notBa, DOB_noncol, notD_BOA', AngleOrdering_THM; qed by -;; let Crossbar_THM = thm ; let O A B D be point; assume ~Collinear(A, O, B) [H1]; assume D int_angle A,O,B [H2]; thus ?G. 
Between(A, G, B) /\ G IN ray(O, D) proof ~(A = O) /\ ~(A = B) /\ ~(O = B) [Distinct] by H1, NonCollinearImpliesDistinct_THM; consider a such that Line a /\ O IN a /\ A IN a [a_OA] by Distinct, I1; consider b such that Line b /\ O IN b /\ B IN b [b_OB] by Distinct, I1; ~(B IN a) [notBa] by a_OA, H1, Collinear_DEF; ~(D IN a) /\ ~(D IN b) /\ D,B same_side a [D_AOB] by a_OA, b_OB, H2, InteriorHelp_THM; ~(D = O) [DnotO] by D_AOB, a_OA; consider l such that Line l /\ O IN l /\ D IN l [l_OD] by -, I1; ~(a = l) /\ ~(b = l) [abl_distinct] by l_OD, D_AOB, b_OB, notBa; a INTER l = {O} [alO] by abl_distinct, a_OA, l_OD, Line01infinity_THM; b INTER l = {O} [blO] by abl_distinct, b_OB, l_OD, Line01infinity_THM; ~(A IN l) /\ ~(B IN l) [ABnot_l] by alO, blO, a_OA, b_OB, Distinct, IntersectionSingletonOneNotOther_THM; consider A' such that Between(A, O, A') [AOA'] by Distinct, B2; A' IN a [A'a] by a_OA, -, BetweenLinear_THM; ~(A' = O) [A'notO] by AOA', B1; ~(A,A' same_side l) [Ansim_lA'] by l_OD, AOA', same_side_DEF; ~(A' IN l) [A'not_l] by alO, A'a, A'notO, IntersectionSingletonOneNotOther_THM; B int_angle D,O,A' by H1, H2, AOA', InteriorReflectionInterior_THM; B,A' same_side l [Bsim_lA'] by l_OD, a_OA, A'a, -, InteriorHelp_THM; ~(A,B same_side l) [Ansim_lB] proof assume A,B same_side l; A,A' same_side l by l_OD, ABnot_l, A'not_l, -, Bsim_lA', SameSideTransitiveRelation_THM, Transitive_relation_DEF; qed by -, Ansim_lA'; consider G such that Between(A, G, B) /\ G IN l [AGB] by l_OD, Ansim_lB, same_side_DEF; Collinear (O,D,G) [ODGcol] by AGB, l_OD, Collinear_DEF; G int_angle A,O,B by H1, AGB, ConverseCrossbar_THM; ~(G IN a) /\ G,B same_side a [Gsim_aB] by a_OA, b_OB, -, InteriorHelp_THM; D,B same_side a by a_OA, b_OB, H2, InteriorHelp_THM; B,D same_side a by a_OA, notBa, D_AOB, -, SameSideSymmetricRelation_THM, Symmetric_relation_DEF; G,D same_side a [Gsim_aD] by a_OA, Gsim_aB, notBa, D_AOB, Gsim_aB, -, SameSideTransitiveRelation_THM, Transitive_relation_DEF; ~Between(G, O, D) by 
a_OA, -, same_side_DEF; G IN ray(O,D) [G_OD] by DnotO, ODGcol, -, IN, Ray_DEF; qed by AGB, G_OD;; let IntervalTransitivity_THM = thm ; let O P Q R be point; let m be point_set; assume Line m [H0]; assume O IN m [H1]; assume P IN m DELETE O /\ Q IN m DELETE O /\ R IN m DELETE O [H2]; assume ~Between(P, O, Q) /\ ~Between(Q, O, R) [H3]; thus ~Between(P, O, R) proof P IN m /\ Q IN m /\ R IN m /\ ~(P = O) /\ ~(Q = O) /\ ~(R = O) [H2'] by H2, IN_DELETE; consider E such that ~(E IN m) [notEm] by H0, ExistsPointOffLine_THM; ~(O = E) by H1, notEm; consider l such that Line l /\ O IN l /\ E IN l [OE_l] by -, I1; ~(m = l) by notEm, OE_l; l INTER m = {O} [ml_O] by OE_l, H0, -, H1, OE_l, Line01infinity_THM; ~(P IN l) /\ ~(Q IN l) /\ ~(R IN l) [PQRnotl] by ml_O, H2', IntersectionSingletonOneNotOther_THM; P,Q same_side l /\ Q,R same_side l [Psim_lQsim_lR] by OE_l, H0, ml_O, H2, H3, PQRnotl, EquivIntersection_THM; P,R same_side l [Psim_lR] by OE_l, PQRnotl, Psim_lQsim_lR, SameSideTransitiveRelation_THM, Transitive_relation_DEF; qed by OE_l, -, same_side_DEF;; let RayLine_THM = thm ; let O P X be point; let l be point_set; assume Line l /\ O IN l /\ P IN l [H1]; assume X IN ray(O,P) [H2]; thus X IN l proof ~(O = P) /\ Collinear (O,P,X) by H2, IN, Ray_DEF; X IN l by H1, -, CollinearLinear_THM; qed by -;; let RayWellDefinedHalfway_THM = thm ; let O P Q be point; assume ~(Q = O) [H1]; assume P IN ray(O, Q) DELETE O [H2]; thus ray(O, P) SUBSET ray(O, Q) proof consider m such that Line m /\ O IN m /\ Q IN m [OQm] by H1, I1; P IN ray(O, Q) /\ ~(P = O) [H2'] by H2, IN_DELETE; P IN m [Pm] by OQm, H2', RayLine_THM; P IN m DELETE O /\ Q IN m DELETE O [PQm_O] by Pm, H2', OQm, H1, IN_DELETE; ~Between (P, O, Q) [notPOQ] by H2', IN, Ray_DEF; !X. 
X IN ray(O, P) ==> X IN ray(O, Q) proof let X be point; assume X IN ray(O, P) [XrOP]; X IN m [Xm] by OQm, Pm, H2', -, RayLine_THM; Collinear (O, Q, X) [OQXcol] by OQm, Xm, Collinear_DEF; ~Between (X, O, P) [notXOP] by XrOP, IN, Ray_DEF; cases; suppose X = O; X IN ray(O, Q) by H1, -, OriginInRay_THM; qed by -; suppose ~(X = O) [notXO]; X IN m DELETE O by Xm, notXO, IN_DELETE; ~Between(X, O, Q) by OQm, -, PQm_O, notXOP, notPOQ, IntervalTransitivity_THM; X IN ray(O, Q) by H1, OQXcol, -, IN, Ray_DEF; qed by -; end; qed by -, SUBSET;; let RayWellDefined_THM = thm ; let O P Q be point; assume ~(Q = O) [H1]; assume P IN ray(O, Q) DELETE O [H2]; thus ray(O, P) = ray(O, Q) proof ray (O,P) SUBSET ray (O,Q) [PsubsetQ] by H1, H2, RayWellDefinedHalfway_THM; P IN ray(O, Q) /\ ~(P = O) [H2'] by H2, IN_DELETE; Collinear (O, Q, P) /\ ~Between (P, O, Q) [notPOQ] by H2', IN, Ray_DEF; Collinear (O, P, Q) [OQPcol] by notPOQ, CollinearSymmetry_THM; ~Between (Q, O, P) [notQOP] by notPOQ, B1; Q IN ray(O, P) by H2', OQPcol, notQOP, IN, Ray_DEF; Q IN ray(O, P) DELETE O [QrOP_O] by -, H1, IN_DELETE; ray (O,Q) SUBSET ray (O,P) [QsubsetP] by H2', QrOP_O, RayWellDefinedHalfway_THM; qed by PsubsetQ, QsubsetP, DoubleSubsetEqual_THM ;; let OppositeRaysIntersect1pointHelp_THM = thm ; let A O B X be point; assume Between(A, O, B) [H1]; assume X IN ray(O, B) DELETE O [H2]; thus ~(X IN ray(O, A)) proof ~(A = O) /\ ~(A = B) /\ ~(O = B) /\ Collinear (A, O, B) [B1_AOB] by H1, B1; X IN ray(O, B) /\ ~(X = O) [H2'] by H2, IN_DELETE; Collinear (O, B, X) /\ ~Between (X, O, B) [K2] by -, IN, Ray_DEF; consider m such that Line m /\ A IN m /\ B IN m [ABm] by B1_AOB, I1; O IN m [Om] by ABm, B1_AOB, CollinearLinear_THM; X IN m [Xm] by ABm, Om, K2, B1_AOB, CollinearLinear_THM; A IN m DELETE O /\ X IN m DELETE O /\ B IN m DELETE O [AXBm_O] by ABm, Xm, H2', B1_AOB, IN_DELETE; Between(A, O, X) by H1, ABm, Om, AXBm_O, K2, IntervalTransitivity_THM; Between(X, O, A) by -, B1; qed by -, IN, Ray_DEF;; let 
OppositeRaysIntersect1point_THM = thm ; let A O B be point; assume Between(A, O, B) [H1]; thus ray(O, A) INTER ray(O, B) = {O} proof ~(A = O) /\ ~(A = B) /\ ~(O = B) /\ Between (B,O,A) /\ Collinear (A,O,B) [B1_AOB] by H1, B1; O IN ray(O, A) INTER ray(O, B) by B1_AOB, OriginInRay_THM, IN_INTER; {O} SUBSET ray(O, A) INTER ray(O, B) [Osubset_rOA] by -, SING_SUBSET; ray(O, A) INTER ray(O, B) SUBSET {O} proof !X. X IN ray(O, A) INTER ray(O, B) ==> X IN {O} proof let X be point; assume X IN ray(O, A) INTER ray(O, B); X IN ray(O, A) /\ X IN ray(O, B) [XinBothRays] by -, IN_INTER; cases; suppose X = O; qed by -, IN_SING; suppose ~(X = O); X IN ray(O, B) DELETE O by -, XinBothRays, IN_DELETE; ~(X IN ray (O,A)) by H1, -, OppositeRaysIntersect1pointHelp_THM; F by -, XinBothRays; qed by -; end; qed by -, SUBSET; qed by -, Osubset_rOA, DoubleSubsetEqual_THM;; 
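
Added example (not part of Bill Richter's post or of the miz3 file): a brute-force check of the incidence axioms I1, I2 and I3, as they are written in the file above, over a small finite model, once with a Line predicate and once with the datatype-only reading in which every point set counts as a line. The four-point model, the Python names and the guarded form of I2 are assumptions introduced here.

```python
from itertools import combinations

# Constructed model (an assumption of this example): four points.
POINTS = frozenset(range(4))


def subsets(points):
    """Every value of type point->bool over a finite carrier, as frozensets."""
    pts = sorted(points)
    return [frozenset(c) for r in range(len(pts) + 1) for c in combinations(pts, r)]


ALL_SETS = subsets(POINTS)


def line_every_subset(l):
    """Datatype-only reading: any point set is accepted as a line."""
    return True


def line_predicate(l):
    """Constructed Line predicate: the lines of the four-point plane are the 2-point sets."""
    return len(l) == 2


def collinear(line, a, b, c):
    # Collinear_DEF: ?l. Line l /\ A IN l /\ B IN l /\ C IN l
    return any(line(l) and {a, b, c} <= l for l in ALL_SETS)


def axiom_I1(line):
    # I1: !A B. ~(A = B) ==> ?! l. Line l /\ A IN l /\ B IN l
    return all(
        sum(1 for l in ALL_SETS if line(l) and a in l and b in l) == 1
        for a, b in combinations(sorted(POINTS), 2)
    )


def axiom_I2_as_posted(line):
    # I2 as written: !l. ?A B. Line l /\ A IN l /\ B IN l /\ ~(A = B)
    # "Line l" sits inside the existential, so l ranges over every point set.
    return all(
        any(line(l) and a in l and b in l and a != b for a in POINTS for b in POINTS)
        for l in ALL_SETS
    )


def axiom_I2_guarded(line):
    # Assumed variant, not in the post: !l. Line l ==> ?A B. A IN l /\ B IN l /\ ~(A = B)
    return all(len(l) >= 2 for l in ALL_SETS if line(l))


def axiom_I3(line):
    # I3: ?A B C. pairwise distinct /\ ~Collinear(A, B, C)
    return any(
        not collinear(line, a, b, c) for a, b, c in combinations(sorted(POINTS), 3)
    )


def check(line):
    """Evaluate each axiom in the model under the given notion of line."""
    return {
        "I1": axiom_I1(line),
        "I2_as_posted": axiom_I2_as_posted(line),
        "I2_guarded": axiom_I2_guarded(line),
        "I3": axiom_I3(line),
    }


if __name__ == "__main__":
    for name, line in [("Line predicate", line_predicate),
                       ("every subset is a line", line_every_subset)]:
        print(name, check(line))
```

Under the datatype-only reading the whole model is itself a line, so Collinear holds for every triple, I3 cannot hold and I1 loses uniqueness. I2 as written fails under both readings because l also ranges over the empty set.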

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-06-08 07:09

John, I succeeded at another set theory task in my miz3 Hilbert axiomatic geometry formalization (almost 1000 lines below), rewriting Between (A,X,B) as X IN open_int (A,B), via my definition

let Interval_DEF = new_definition
  !A B X. open_int (A,B) X <=> Between (A,X,B);;

My convexity result below really loses clarity if stated with Between:

IntervalsAreConvex_THM : thm =
  |- !A B C. B IN open_int (A,C) ==> open_int (A,B) SUBSET open_int (A,C)

--
Best,
Bill

(* Paste in these 4 commands

cd ~/hol_light; ocaml
#use "hol.ml";;
#load "unix.cma";;
loadt "miz3/miz3.ml";;

and then paste in the following file. *)

(* ================================================================= *)
(* HOL Light Hilbert geometry axiomatic proofs. *)
(* ================================================================= *)

(* Thanks to Mizar folks who wrote an influential language I was able to
   learn, Freek Wiedijk, who wrote the miz3 port of Mizar to HOL Light, and
   especially John Harrison, who came up with the entire framework here of
   porting my axiomatic proofs to HOL Light. *)

horizon := 0;;

new_type("point",0);;
new_type_abbrev("point_set",:point->bool);;
new_constant("Between",:point#point#point->bool);;
new_constant("===",:point#point->point#point->bool);;
new_constant("Line",:point_set->bool);;

parse_as_infix("===",(12, "right"));;
parse_as_infix("cong",(12, "right"));;
parse_as_infix("same_side",(12, "right"));;
parse_as_infix("int_angle",(12, "right"));;

let cong_DEF = new_definition
  A,B,C cong X,Y,Z <=> A,B === X,Y /\ A,C === X,Z /\ B,C === Y,Z;;

let is_ordered_DEF = new_definition
  is_ordered (A,B,C,D) <=> Between (A,B,C) /\ Between (A,B,D) /\ Between (A,C,D) /\ Between (B,C,D);;

let Collinear_DEF = new_definition
  Collinear(A, B, C) <=> ?l. Line l /\ A IN l /\ B IN l /\ C IN l;;

let same_side_DEF = new_definition
  A,B same_side l <=> Line l /\ ~(?X.
(X IN l) /\ Between(A, X, B));; let Reflexive_relation_DEF = new_definition Reflexive_Property <=> !l A. Line l /\ ~(A IN l) ==> A,A same_side l;; let Symmetric_relation_DEF = new_definition Symmetric_Property <=> !l A B. Line l /\ ~(A IN l) /\ ~(B IN l) ==> A,B same_side l ==> B,A same_side l;; let Transitive_relation_DEF = new_definition Transitive_Property <=> !l A B C. Line l /\ ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) ==> A,B same_side l /\ B,C same_side l ==> A,C same_side l;; let Ray_DEF = new_definition !A B X. ray(A, B) X <=> ~(A = B) /\ Collinear(A, B, X) /\ ~Between(X, A, B);; (* exec GOAL_TAC; p();; let Angle_DEF = new_definition !A O B. Angle(A, O, B) = if Collinear(A, O, B) then {} else {ray(O, A), ray(O, B)};; *) let InteriorAngle_DEF = new_definition !A O B P. P int_angle A,O,B <=> ~Collinear(A, O, B) /\ ?a b. Line a /\ O IN a /\ A IN a /\ Line b /\ O IN b /\ B IN b /\ ~(P IN a) /\ ~(P IN b) /\ P,B same_side a /\ P,A same_side b;; let Interval_DEF = new_definition !A B X. open_int (A,B) X <=> Between (A,X,B);; (* ------------------------------------------------------------------------- *) (* The axioms. *) (* ------------------------------------------------------------------------- *) let I1 = new_axiom !A B. ~(A = B) ==> ?! l. Line l /\ A IN l /\ B IN l;; let I2 = new_axiom !l. ? A B. Line l /\ A IN l /\ B IN l /\ ~(A = B);; let I3 = new_axiom ?A B C. ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ ~Collinear(A, B, C);; let B1 = new_axiom ! A B C. Between(A, B, C) ==> ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ Between(C, B, A) /\ Collinear(A, B, C);; let B2 = new_axiom ! A B. ~(A = B) ==> ?C. Between(A, B, C);; (* let B3 = new_axiom !A B C. ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ Collinear(A, B, C) ==> (Between(A, B, C) \/ Between(B, C, A) \/ Between(C, A, B)) /\ ~(Between(A, B, C) /\ Between(B, C, A)) /\ ~(Between(A, B, C) /\ Between(C, A, B)) /\ ~(Between(B, C, A) /\ Between(C, A, B));; *) let B3 = new_axiom !A B C. 
~(A = B) /\ ~(A = C) /\ ~(B = C) /\ Collinear (A,B,C) ==> (Between (A,B,C) \/ Between (B,C,A) \/ Between (C,A,B)) /\ ~(Between (A,B,C) /\ Between (B,C,A)) /\ ~(Between (A,B,C) /\ Between (C,A,B)) /\ ~(Between (B,C,A) /\ Between (C,A,B));; let B4 = new_axiom !l A B C. Line l /\ ~Collinear(A, B, C) /\ ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) /\ (?X. X IN l /\ Between(A, X, C)) ==> (?Y. Y IN l /\ Between(A, Y, B)) \/ (?Y. Y IN l /\ Between(B, Y, C));; let BiggerThanSingleton_THM = thm ; let p be A->bool; let x be A; assume x IN p [H1]; assume ~(p = {x}) [H2]; thus ?a . a IN p /\ ~(a = x) proof {x} SUBSET p by H1, SING_SUBSET; ~(p SUBSET {x}) by -, H2, SUBSET_ANTISYM; consider a such that a IN p /\ ~(a IN {x}) [X1] by -, SUBSET; ~(a = x) by -, IN_SING; qed by -, X1;; let DisjointOneNotOther_THM = thm ; let x be A; let l m be A->bool; assume l INTER m = {} [H1]; assume x IN m [H2]; thus ~(x IN l) proof assume (x IN l); x IN l INTER m by -, H2, IN_INTER; F by -, NOT_IN_EMPTY, H1; qed by -;; let IntersectionSingletonOneNotOther_THM = thm ; let e x be A; let l m be A->bool; assume l INTER m = {x} [H1]; assume e IN l [H2]; assume ~(e = x) [H3]; thus ~(e IN m) proof assume e IN m; e IN l INTER m by H2, -, IN_INTER; e = x by -, H1, IN_SING; F by -, H3; qed by -;; let EquivIntersectionHelp_THM = thm ; let a x be A; let l m be A->bool; assume l INTER m = {x} [H1]; assume a IN m DELETE x [H2]; thus ~(a IN l) proof a IN m /\ ~(a = x) [X1] by H2, IN_DELETE; qed by -, H1, H2, IntersectionSingletonOneNotOther_THM;; let DoubleSubsetEqual_THM = thm ; let s t be A->bool; assume s SUBSET t [H1]; assume t SUBSET s [H2]; thus s = t proof !x:A. x IN s ==> x IN t [sSt] by H1, SUBSET; !x:A. x IN t ==> x IN s [tSs] by H2, SUBSET; !x:A. 
x IN s <=> x IN t [sEt] by sSt, tSs; s = t by -, EXTENSION; qed by -;; let CollinearSymmetry_THM = thm ; let A B C be point; assume Collinear (A, B, C) [H1]; thus Collinear (A, C, B) /\ Collinear(B, A, C) /\ Collinear(B, C, A) /\ Collinear(C, A, B) /\ Collinear(C, B, A) proof consider l such that Line l /\ A IN l /\ B IN l /\ C IN l by H1, Collinear_DEF; qed by -, Collinear_DEF;; let OnePointImpliesAnother_THM = thm ; let P be point; thus ?Q:point. ~(Q = P) proof consider A B C such that ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ ~Collinear(A, B, C) [X1] by I3; cases; suppose B = P; ~(A = B) by -, X1; qed by -; suppose ~(B = P); qed by -; end;; let ExistsPointOffLine_THM = thm ; let l be point_set; assume Line l [H1]; thus ?Q:point. ~(Q IN l) proof consider A B C such that ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ ~Collinear(A, B, C) [useI3] by I3; cases; suppose ~(A IN l) \/ ~(B IN l) \/ ~(C IN l); qed by -; suppose (A IN l) /\ (B IN l) /\ (C IN l); Collinear(A, B, C) by H1, -, Collinear_DEF; F by -, useI3; qed by -; end;; let B4'_THM = thm ; let l be point_set; let A B C be point; assume Line l [H0]; assume ~Collinear(A, B, C) /\ ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) [H1]; assume A,B same_side l /\ B,C same_side l [H2]; thus A,C same_side l proof ~(?Y. Y IN l /\ Between(A, Y, B)) /\ ~(?Y. Y IN l /\ Between(B, Y, C)) ==> ~(?X. 
X IN l /\ Between(A, X, C)) by H0, H1, B4; qed by -, H1, H2, same_side_DEF;; let BetweenLinear_THM = thm ; let A B C be point; let m be point_set; assume Line m /\ A IN m /\ C IN m [H1]; assume Between(A, B, C) \/ Between(B, C, A) \/ Between(C, A, B) [H2]; thus B IN m proof ~(A = C) /\ (Collinear(A,B,C) \/ Collinear(B,C,A) \/ Collinear(C,A,B)) [X1] by H2, B1; consider l such that Line l /\ A IN l /\ B IN l /\ C IN l [X2] by -, Collinear_DEF; l = m by X1, -, H2, H1, I1; qed by -, X2;; let CollinearLinear_THM = thm ; let A B C be point; let m be point_set; assume Line m /\ A IN m /\ C IN m [H1]; assume Collinear(A,B,C) \/ Collinear(B,C,A) \/ Collinear(C,A,B) [H2]; assume ~(A = C) [H3]; thus B IN m proof consider l such that Line l /\ A IN l /\ B IN l /\ C IN l [X1] by H2, Collinear_DEF; l = m by H3, -, H1, I1; qed by -, X1;; let NonCollinearImpliesDistinct_THM = thm ; let A B C be point; assume ~Collinear(A, B, C) [H1]; thus ~(A = B) /\ ~(A = C) /\ ~(B = C) proof cases; suppose A = B /\ B = C [C1]; consider Q such that ~(Q = A) by OnePointImpliesAnother_THM; consider l such that Line l /\ A IN l /\ Q IN l by -, I1; Collinear(A, B, C) by -, C1, Collinear_DEF; qed by -, H1; suppose ~(A = B) /\ B = C [C2]; consider l such that Line l /\ A IN l /\ B IN l by -, I1; Collinear(A, B, C) by -, C2, Collinear_DEF; qed by -, H1; suppose ~(B = C) [C3]; consider l such that Line l /\ B IN l /\ C IN l [X1] by C3, I1; ~(A = B) [U] proof assume A = B; Collinear(A, B, C) by -, X1, Collinear_DEF; qed by -, H1; ~(A = C) [V] proof assume A = C; Collinear(A, B, C) by -, X1, Collinear_DEF; qed by -, H1; qed by U, V, C3; end;; let OriginInRay_THM = thm ; let O Q be point; assume ~(Q = O) [H1]; thus O IN ray(O, Q) proof ~Between (O,O,Q) [OOQ] by B1; consider l such that Line l /\ O IN l /\ Q IN l by H1, I1; Collinear (O,Q,O) by -, Collinear_DEF; qed by H1, -, OOQ, IN, Ray_DEF;; let Line01infinity_THM = thm ; let X be point; let l m be point_set; assume Line l /\ Line m [H0]; assume ~(l = m) 
[H1]; assume X IN l /\ X IN m [H2]; thus l INTER m = {X} proof (l INTER m = {X}) \/ ~(l INTER m = {X}); assume ~(l INTER m = {X}) [H3]; X IN l INTER m by H2, IN_INTER; consider A such that A IN l INTER m /\ ~(A = X) [X1] by -, H3, BiggerThanSingleton_THM; A IN l /\ X IN l /\ A IN m /\ X IN m by H0, -, H2, IN_INTER; l = m by H0, -, X1, I1; F by -, H1; qed by -;; let EquivIntersection_THM = thm ; let A B X be point; let l m be point_set; assume Line l /\ Line m [H0]; assume l INTER m = {X} [H1]; assume A IN m DELETE X /\ B IN m DELETE X [H2]; assume ~ Between(A, X, B) [H3]; thus ~(A IN l) /\ ~(B IN l) /\ A,B same_side l proof A IN m /\ ~(A = X) [X1] by H2, IN_DELETE; B IN m /\ ~(B = X) [X2] by H2, IN_DELETE; ~(A IN l) /\ ~(B IN l) [X3] by H1, H2, EquivIntersectionHelp_THM; A,B same_side l [X4] proof assume ~(A,B same_side l); consider G such that (G IN l) /\ Between(A, G, B) [X5] by H0, -, same_side_DEF; ~(A = B) /\ Collinear(A, G, B) [X6] by -, B1; consider k such that Line k /\ A IN k /\ G IN k /\ B IN k [X7] by -, Collinear_DEF; k = m by H0, -, X1, X2, X6, I1; G IN l INTER m by -, X5, X7, IN_INTER; G = X by -, H1, IN_SING; Between(A, X, B) by -, X5; F by -, H3; qed by -; qed by X3, X4;; let SameSideReflexiveRelation_THM = thm ; thus Reflexive_Property proof !l A. Line l ==> A,A same_side l proof let l be point_set; let A be point; assume Line l [H0]; ~(?X. (X IN l) /\ Between(A, X, A)) by H0, B1; qed by H0, -, same_side_DEF; qed by -, Reflexive_relation_DEF;; let SameSideSymmetricRelation_THM = thm ; thus Symmetric_Property proof !l A B. Line l /\ ~(A IN l) /\ ~(B IN l) ==> A,B same_side l ==> B,A same_side l proof let l be point_set; let A B be point; assume Line l [H0]; assume A,B same_side l [H1]; assume ~(A IN l) /\ ~(B IN l); ~(?X. (X IN l) /\ Between(A, X, B)) by H0, H1, same_side_DEF; ~(?X. 
(X IN l) /\ Between(B, X, A)) by -, B1; qed by H0, -, same_side_DEF; qed by -, Symmetric_relation_DEF;; let SameSideTransitiveRelation_THM = thm ; thus Transitive_Property proof !l A B C. Line l /\ ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) ==> A,B same_side l /\ B,C same_side l ==> A,C same_side l proof let l be point_set; let A B C be point; assume Line l [lLine]; assume ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) [H0]; assume A,B same_side l [H1]; assume B,C same_side l [H2]; A,C same_side l proof ~Collinear(A, B, C) \/ Collinear(A, B, C); cases by -; suppose ~Collinear(A, B, C); qed by lLine, -, H0, H1, H2, B4'_THM; suppose Collinear(A, B, C) [Coll]; cases; suppose A = B \/ A = C \/ B = C; qed by lLine, -, H2, H0, SameSideReflexiveRelation_THM, Reflexive_relation_DEF, H1; suppose ~(A = B) /\ ~(A = C) /\ ~(B = C) [Distinct]; consider m such that Line m /\ A IN m /\ C IN m [ACm] by Distinct, I1; ~(l = m) [not_lm] by ACm, H0; cases; suppose l INTER m = {} [Disjoint]; !X. Between(A, X, C) ==> ~(X IN l) proof let X be point; assume Between(A, X, C); X IN m by lLine, -, ACm, BetweenLinear_THM; ~(X IN l) by -, Disjoint, DisjointOneNotOther_THM; qed by -; qed by lLine, -, same_side_DEF; suppose ~(l INTER m = {}) [NotDisjoint]; consider X such that X IN l INTER m by NotDisjoint, MEMBER_NOT_EMPTY; X IN l /\ X IN m [Xin_lm] by -, IN_INTER; l INTER m = {X} [lmX] by lLine, ACm, not_lm, -, Line01infinity_THM; consider E such that E IN l /\ ~(E = X) [Einl_X] by Xin_lm, I2; ~(E IN m) [notEm] by lmX, Einl_X, IntersectionSingletonOneNotOther_THM; ~(E = B) by Einl_X, H0; consider B' such that Between(E, B, B') by -, B2; Between(B', B, E) [B'BE] by -, B1; ~(B' = E) /\ ~(B = E) /\ ~(B' = B) /\ Collinear(B', B, E) [B'BEcol] by -, B1; consider n such that Line n /\ E IN n /\ B' IN n [EB'n] by -, I1; B IN n [Bn] by EB'n, B'BE, BetweenLinear_THM; ~(l = n) [not_ln] by H0, -; l INTER n = {E} [lnE] by lLine, not_ln, EB'n, Einl_X, Line01infinity_THM; ~(B' IN l) [notB'l] by -, EB'n, B'BEcol, 
IntersectionSingletonOneNotOther_THM; ~ Between(B, E, B') [BEB'] by B'BEcol, B'BE, B3; B' IN n DELETE E /\ B IN n DELETE E by EB'n, Bn, B'BEcol, IN_DELETE; B, B' same_side l [Bsim_lB'] by lLine, EB'n, lnE, -, BEB', EquivIntersection_THM; ~(m = n) [not_mn] by EB'n, notEm; B IN m by ACm, Coll, Distinct, CollinearLinear_THM; m INTER n = {B} [mn_B] by ACm, EB'n, -, Bn, not_mn, Line01infinity_THM; ~(A IN n) [not_An] by -, ACm, Distinct, IntersectionSingletonOneNotOther_THM; ~Collinear(A, B, B') proof assume Collinear(A, B, B'); consider alpha such that Line alpha /\ A IN alpha /\ B IN alpha /\ B' IN alpha [ABB'alpha] by -, Collinear_DEF; alpha = n by B'BEcol, ABB'alpha, EB'n, Bn, I1; A IN n by -, ABB'alpha; qed by -, not_An; A,B' same_side l [Asim_lB'] by lLine, -, H0, notB'l, H1, Bsim_lB', B4'_THM; ~(C IN n) [notCn] by mn_B, ACm, Distinct, IntersectionSingletonOneNotOther_THM; C,B same_side l [Csim_lB] by lLine, H0, H2, SameSideSymmetricRelation_THM, Symmetric_relation_DEF; ~Collinear(C, B, B') proof assume Collinear(C, B, B'); consider alpha such that Line alpha /\ C IN alpha /\ B IN alpha /\ B' IN alpha [CBB'alpha] by -, Collinear_DEF; alpha = n by -, EB'n, B'BEcol, CBB'alpha, Bn, I1; C IN n by -, CBB'alpha; qed by -, notCn; C,B' same_side l by lLine, -, H0, notB'l, Csim_lB, Bsim_lB', B4'_THM; B',C same_side l [B'sim_C] by lLine, H0, notB'l, -, SameSideSymmetricRelation_THM, Symmetric_relation_DEF; ~(B' IN m) [notB'm] by mn_B, EB'n, B'BEcol, IntersectionSingletonOneNotOther_THM; ~Collinear(A, B', C) proof assume Collinear(A, B', C); consider alpha such that Line alpha /\ A IN alpha /\ B' IN alpha /\ C IN alpha [AB'Calpha] by -, Collinear_DEF; alpha = m by Distinct, -, ACm, I1; B' IN m by -, AB'Calpha; F by -, notB'm; qed by -; A, C same_side l by lLine, -, H0, notB'l, Asim_lB', B'sim_C, B4'_THM; qed by -; end; end; end; qed by -; qed by -, Transitive_relation_DEF;; let SameSideEquivalenceRelation_THM = thm ; thus Reflexive_Property /\ Symmetric_Property /\ 
Transitive_Property proof qed by SameSideReflexiveRelation_THM, SameSideSymmetricRelation_THM, SameSideTransitiveRelation_THM;; let ConverseCrossbar_THM = thm ; let O A B G be point; assume ~Collinear(A, O, B) [H1]; assume Between(A, G, B) [H2]; thus G int_angle A,O,B proof ~(A = O) /\ ~(A = B) /\ ~(O = B) [Distinct] by H1, NonCollinearImpliesDistinct_THM; consider a such that Line a /\ O IN a /\ A IN a [aOA] by -, I1; consider b such that Line b /\ O IN b /\ B IN b [bOB] by Distinct, I1; consider l such that Line l /\ A IN l /\ B IN l [lAB] by Distinct, I1; ~(B IN a) by H1, aOA, Collinear_DEF; ~(a = l) by -, lAB; a INTER l = {A} [alA] by -, aOA, lAB, Line01infinity_THM; ~(A = G) /\ ~(A = B) /\ ~(G = B) /\ Between(B, G, A) /\ Collinear(A, G, B) [X1] by H2, B1; ~ Between(G, A, B) [notGAB] by -, H2, B3, B1; G IN l [Ginl] by lAB, H2, BetweenLinear_THM; ~(G IN a) [notGina] by alA, Ginl, X1, IntersectionSingletonOneNotOther_THM; G IN l DELETE A /\ B IN l DELETE A by Ginl, lAB, X1, IN_DELETE; G,B same_side a [Gsim_aB] by aOA, lAB, alA, -, notGAB, EquivIntersection_THM; :: same argument shows G,A same_side b ~(A IN b) by H1, bOB, Collinear_DEF; ~(b = l) by -, lAB; b INTER l = {B} [blB] by -, bOB, lAB, Line01infinity_THM; ~ Between(G, B, A) [notGBA] by H2, B1, B3; ~(G IN b) [notGinb] by blB, Ginl, X1, IntersectionSingletonOneNotOther_THM; G IN l DELETE B /\ A IN l DELETE B by Ginl, lAB, X1, IN_DELETE; G,A same_side b [Gsim_bA] by bOB, lAB, blB, -, notGBA, EquivIntersection_THM; qed by H1, aOA, bOB, notGina, notGinb, Gsim_aB, Gsim_bA, InteriorAngle_DEF;; let InteriorHelp_THM = thm ; let A O B P be point; let a b be point_set; assume Line a /\ O IN a /\ A IN a /\ Line b /\ O IN b /\ B IN b [aOAbOB]; assume P int_angle A,O,B [P_AOB]; thus ~(P IN a) /\ ~(P IN b) /\ P,B same_side a /\ P,A same_side b proof consider alpha beta such that ~Collinear (A,O,B) /\ Line alpha /\ O IN alpha /\ A IN alpha /\ Line beta /\ O IN beta /\B IN beta /\ ~(P IN alpha) /\ ~(P IN beta) /\ P,B 
same_side alpha /\ P,A same_side beta [exists] by P_AOB, InteriorAngle_DEF; ~(A = O) /\ ~(A = B) /\ ~(O = B) [Distinct] by -, NonCollinearImpliesDistinct_THM; alpha = a /\ beta = b by -, aOAbOB, exists, I1; qed by -, exists;; let WholeRayInterior_THM = thm ; let A O B X P be point; assume ~Collinear(A, O, B) [H1]; assume X int_angle A,O,B [H2]; assume P IN ray(O,X) [H3]; assume ~(P = O) [H4]; thus P int_angle A,O,B proof ~(A = O) /\ ~(A = B) /\ ~(O = B) [Distinct] by H1, NonCollinearImpliesDistinct_THM; consider a such that Line a /\ O IN a /\ A IN a [a_OA] by Distinct, I1; consider b such that Line b /\ O IN b /\ B IN b [b_OB] by Distinct, I1; ~(X IN a) /\ ~(X IN b) /\ X,B same_side a /\ X,A same_side b [XintAOB] by H2, a_OA, b_OB, InteriorHelp_THM; ~(O = X) /\ Collinear(O, X, P) /\ ~ Between(P, O, X) [P_OX] by H3, IN, Ray_DEF; consider x such that Line x /\ O IN x /\ X IN x [x_OX] by P_OX, I1; :: P IN x [Pin_x] by x_OX, P_OX, Collinear_DEF, CollinearLinear_THM; P IN x [Pin_x] by x_OX, P_OX, CollinearLinear_THM; P IN x DELETE O [Pin_x_O] by Pin_x, H4, IN_DELETE; X IN x DELETE O [Xin_x_O] by x_OX, P_OX, IN_DELETE; ~(x = a) /\ ~(x = b) [x_not_ab] by XintAOB, x_OX; a INTER x = {O} /\ b INTER x = {O} [axb_intO] by x_not_ab, x_OX, a_OA, b_OB, Line01infinity_THM; ~(P IN a) /\ P,X same_side a [Psim_aX] by a_OA, x_OX, axb_intO, Pin_x_O, Xin_x_O, P_OX, EquivIntersection_THM; ~(P IN b) /\ P,X same_side b [Psim_bX] by b_OB, x_OX, axb_intO, Pin_x_O, Xin_x_O, P_OX, EquivIntersection_THM; P,B same_side a /\ P,A same_side b by Psim_aX, Psim_bX, XintAOB, a_OA, b_OB, H1, Collinear_DEF, SameSideTransitiveRelation_THM, Transitive_relation_DEF; qed by H1, a_OA, b_OB, Psim_aX, Psim_bX, -, InteriorAngle_DEF;; let AngleOrdering_THM = thm ; let O A P Q be point; let a be point_set; assume ~(O = A) [H1]; assume Line a /\ O IN a /\ A IN a [H2]; assume ~(P IN a) /\ ~(Q IN a) [H3]; assume P, Q same_side a [H4]; assume ~Collinear(P, O, Q) [H5]; thus P int_angle Q,O,A \/ Q int_angle P,O,A 
proof ~(P = O) /\ ~(P = Q) /\ ~(O = Q) [Distinct] by H5, NonCollinearImpliesDistinct_THM; consider p such that Line p /\ O IN p /\ P IN p [p_OP] by Distinct, I1; consider q such that Line q /\ O IN q /\ Q IN q [q_OQ] by Distinct, I1; ~(q = a) by H3, q_OQ; q INTER a = {O} by -, H2, q_OQ, Line01infinity_THM; ~(A IN q) by -, H2, H1, IntersectionSingletonOneNotOther_THM; ~(P IN q) [notPq] by q_OQ, H5, Collinear_DEF; ~(p = q) by -, p_OP; p INTER q = {O} by -, p_OP, q_OQ, Line01infinity_THM; ~Collinear(Q, O, A) [QOA_noncol] by H1, H2, I1, H3, Collinear_DEF; ~Collinear (P,O,A) [POA_noncol] by H1, H2, I1, H3, Collinear_DEF; assume ~(P int_angle Q,O,A) [notP_QOA]; Q int_angle P,O,A proof ~(P, A same_side q) by QOA_noncol, H2, q_OQ, H3, notPq, H4, notP_QOA, InteriorAngle_DEF; consider G such that (G IN q) /\ Between(P, G, A) [existG] by q_OQ, -, same_side_DEF; G int_angle P,O,A [G_POA] by POA_noncol, existG, ConverseCrossbar_THM; ~(G IN a) /\ G,P same_side a [Gsim_aP] by -, InteriorAngle_DEF, H1, H2, I1; ~(G = O) [GnotO] by -, H2; G,Q same_side a by H2, Gsim_aP, H3, H4, SameSideTransitiveRelation_THM, Transitive_relation_DEF; ~Between (Q,O,G) [notQOG] by -, same_side_DEF, H2, B1; Collinear(O,G,Q) by q_OQ, existG, Collinear_DEF; Q IN ray(O,G) by GnotO, -, notQOG, IN, Ray_DEF; qed by POA_noncol, G_POA, -, Distinct, WholeRayInterior_THM; qed by -;; let InteriorReflectionInterior_THM = thm ; let A O B D A' be point; assume ~Collinear(A, O, B) [H1]; assume D int_angle A,O,B [H2]; assume Between(A, O, A') [H3]; thus B int_angle D,O,A' proof ~(A = O) /\ ~(A = B) /\ ~(O = B) [Distinct] by H1, NonCollinearImpliesDistinct_THM; consider a such that Line a /\ O IN a /\ A IN a [a_OA] by Distinct, I1; consider b such that Line b /\ O IN b /\ B IN b [b_OB] by Distinct, I1; ~(A IN b) [notAb] by b_OB, H1, Collinear_DEF; ~(B IN a) [notBa] by a_OA, H1, Collinear_DEF; ~(a = b) by -, b_OB; b INTER a = {O} [ab_O] by -, a_OA, b_OB, Line01infinity_THM; A' IN a [A'a] by H3, a_OA, BetweenLinear_THM; 
A' IN a DELETE O by A'a, H3, B1, IN_DELETE; ~(A' IN b) [notA'b] by ab_O, -, EquivIntersectionHelp_THM; ~(A,A' same_side b) [Ansim_bA'] by b_OB, H3, same_side_DEF ; ~(D IN a) /\ ~(D IN b) /\ D,B same_side a /\ D,A same_side b [DintAOB] by a_OA, b_OB, H2, InteriorHelp_THM; ~(D,A' same_side b) [Dnsim_bA'] proof assume D,A' same_side b; A',D same_side b by b_OB, DintAOB, notA'b, -, SameSideSymmetricRelation_THM, Symmetric_relation_DEF; A',A same_side b by b_OB, DintAOB, notA'b, notAb, -, SameSideTransitiveRelation_THM, Transitive_relation_DEF; A,A' same_side b by b_OB, notA'b, notAb, -, SameSideSymmetricRelation_THM, Symmetric_relation_DEF; F by -, Ansim_bA'; qed by -; ~(D int_angle B,O,A') [notD_BOA'] proof assume D int_angle B,O,A'; D,A' same_side b by b_OB, a_OA, A'a, -, DintAOB, InteriorHelp_THM; F by -, Dnsim_bA'; qed by -; ~Collinear (D,O,B) [DOB_noncol] by Distinct, b_OB, I1, DintAOB, Collinear_DEF; ~(O = A') by H3, B1; B int_angle D,O,A' by -, a_OA, A'a, DintAOB, notBa, DOB_noncol, notD_BOA', AngleOrdering_THM; qed by -;; let Crossbar_THM = thm ; let O A B D be point; assume ~Collinear(A, O, B) [H1]; assume D int_angle A,O,B [H2]; thus ?G. 
Between(A, G, B) /\ G IN ray(O, D) proof ~(A = O) /\ ~(A = B) /\ ~(O = B) [Distinct] by H1, NonCollinearImpliesDistinct_THM; consider a such that Line a /\ O IN a /\ A IN a [a_OA] by Distinct, I1; consider b such that Line b /\ O IN b /\ B IN b [b_OB] by Distinct, I1; ~(B IN a) [notBa] by a_OA, H1, Collinear_DEF; ~(D IN a) /\ ~(D IN b) /\ D,B same_side a [D_AOB] by a_OA, b_OB, H2, InteriorHelp_THM; ~(D = O) [DnotO] by D_AOB, a_OA; consider l such that Line l /\ O IN l /\ D IN l [l_OD] by -, I1; ~(a = l) /\ ~(b = l) [abl_distinct] by l_OD, D_AOB, b_OB, notBa; a INTER l = {O} [alO] by abl_distinct, a_OA, l_OD, Line01infinity_THM; b INTER l = {O} [blO] by abl_distinct, b_OB, l_OD, Line01infinity_THM; ~(A IN l) /\ ~(B IN l) [ABnot_l] by alO, blO, a_OA, b_OB, Distinct, IntersectionSingletonOneNotOther_THM; consider A' such that Between(A, O, A') [AOA'] by Distinct, B2; A' IN a [A'a] by a_OA, -, BetweenLinear_THM; ~(A' = O) [A'notO] by AOA', B1; ~(A,A' same_side l) [Ansim_lA'] by l_OD, AOA', same_side_DEF; ~(A' IN l) [A'not_l] by alO, A'a, A'notO, IntersectionSingletonOneNotOther_THM; B int_angle D,O,A' by H1, H2, AOA', InteriorReflectionInterior_THM; B,A' same_side l [Bsim_lA'] by l_OD, a_OA, A'a, -, InteriorHelp_THM; ~(A,B same_side l) [Ansim_lB] proof assume A,B same_side l; A,A' same_side l by l_OD, ABnot_l, A'not_l, -, Bsim_lA', SameSideTransitiveRelation_THM, Transitive_relation_DEF; qed by -, Ansim_lA'; consider G such that Between(A, G, B) /\ G IN l [AGB] by l_OD, Ansim_lB, same_side_DEF; Collinear (O,D,G) [ODGcol] by AGB, l_OD, Collinear_DEF; G int_angle A,O,B by H1, AGB, ConverseCrossbar_THM; ~(G IN a) /\ G,B same_side a [Gsim_aB] by a_OA, b_OB, -, InteriorHelp_THM; D,B same_side a by a_OA, b_OB, H2, InteriorHelp_THM; B,D same_side a by a_OA, notBa, D_AOB, -, SameSideSymmetricRelation_THM, Symmetric_relation_DEF; G,D same_side a [Gsim_aD] by a_OA, Gsim_aB, notBa, D_AOB, Gsim_aB, -, SameSideTransitiveRelation_THM, Transitive_relation_DEF; ~Between(G, O, D) by 
a_OA, -, same_side_DEF; G IN ray(O,D) [G_OD] by DnotO, ODGcol, -, IN, Ray_DEF; qed by AGB, G_OD;; let IntervalTransitivity_THM = thm ; let O P Q R be point; let m be point_set; assume Line m [H0]; assume O IN m [H1]; assume P IN m DELETE O /\ Q IN m DELETE O /\ R IN m DELETE O [H2]; assume ~Between(P, O, Q) /\ ~Between(Q, O, R) [H3]; thus ~Between(P, O, R) proof P IN m /\ Q IN m /\ R IN m /\ ~(P = O) /\ ~(Q = O) /\ ~(R = O) [H2'] by H2, IN_DELETE; consider E such that ~(E IN m) [notEm] by H0, ExistsPointOffLine_THM; ~(O = E) by H1, notEm; consider l such that Line l /\ O IN l /\ E IN l [OE_l] by -, I1; ~(m = l) by notEm, OE_l; l INTER m = {O} [ml_O] by OE_l, H0, -, H1, OE_l, Line01infinity_THM; ~(P IN l) /\ ~(Q IN l) /\ ~(R IN l) [PQRnotl] by ml_O, H2', IntersectionSingletonOneNotOther_THM; P,Q same_side l /\ Q,R same_side l [Psim_lQsim_lR] by OE_l, H0, ml_O, H2, H3, PQRnotl, EquivIntersection_THM; P,R same_side l [Psim_lR] by OE_l, PQRnotl, Psim_lQsim_lR, SameSideTransitiveRelation_THM, Transitive_relation_DEF; qed by OE_l, -, same_side_DEF;; let RayLine_THM = thm ; let O P X be point; let l be point_set; assume Line l /\ O IN l /\ P IN l [H1]; assume X IN ray(O,P) [H2]; thus X IN l proof ~(O = P) /\ Collinear (O,P,X) by H2, IN, Ray_DEF; X IN l by H1, -, CollinearLinear_THM; qed by -;; let RayWellDefinedHalfway_THM = thm ; let O P Q be point; assume ~(Q = O) [H1]; assume P IN ray(O, Q) DELETE O [H2]; thus ray(O, P) SUBSET ray(O, Q) proof consider m such that Line m /\ O IN m /\ Q IN m [OQm] by H1, I1; P IN ray(O, Q) /\ ~(P = O) [H2'] by H2, IN_DELETE; P IN m [Pm] by OQm, H2', RayLine_THM; P IN m DELETE O /\ Q IN m DELETE O [PQm_O] by Pm, H2', OQm, H1, IN_DELETE; ~Between (P, O, Q) [notPOQ] by H2', IN, Ray_DEF; !X. 
X IN ray(O, P) ==> X IN ray(O, Q) proof let X be point; assume X IN ray(O, P) [XrOP]; X IN m [Xm] by OQm, Pm, H2', -, RayLine_THM; Collinear (O, Q, X) [OQXcol] by OQm, Xm, Collinear_DEF; ~Between (X, O, P) [notXOP] by XrOP, IN, Ray_DEF; cases; suppose X = O; X IN ray(O, Q) by H1, -, OriginInRay_THM; qed by -; suppose ~(X = O) [notXO]; X IN m DELETE O by Xm, notXO, IN_DELETE; ~Between(X, O, Q) by OQm, -, PQm_O, notXOP, notPOQ, IntervalTransitivity_THM; X IN ray(O, Q) by H1, OQXcol, -, IN, Ray_DEF; qed by -; end; qed by -, SUBSET;; let RayWellDefined_THM = thm ; let O P Q be point; assume ~(Q = O) [H1]; assume P IN ray(O, Q) DELETE O [H2]; thus ray(O, P) = ray(O, Q) proof ray (O,P) SUBSET ray (O,Q) [PsubsetQ] by H1, H2, RayWellDefinedHalfway_THM; P IN ray(O, Q) /\ ~(P = O) [H2'] by H2, IN_DELETE; Collinear (O, Q, P) /\ ~Between (P, O, Q) [notPOQ] by H2', IN, Ray_DEF; Collinear (O, P, Q) [OQPcol] by notPOQ, CollinearSymmetry_THM; ~Between (Q, O, P) [notQOP] by notPOQ, B1; Q IN ray(O, P) by H2', OQPcol, notQOP, IN, Ray_DEF; Q IN ray(O, P) DELETE O [QrOP_O] by -, H1, IN_DELETE; ray (O,Q) SUBSET ray (O,P) [QsubsetP] by H2', QrOP_O, RayWellDefinedHalfway_THM; qed by PsubsetQ, QsubsetP, DoubleSubsetEqual_THM ;; let OppositeRaysIntersect1pointHelp_THM = thm ; let A O B X be point; assume Between(A, O, B) [H1]; assume X IN ray(O, B) DELETE O [H2]; thus ~(X IN ray(O, A)) proof ~(A = O) /\ ~(A = B) /\ ~(O = B) /\ Collinear (A, O, B) [B1_AOB] by H1, B1; X IN ray(O, B) /\ ~(X = O) [H2'] by H2, IN_DELETE; Collinear (O, B, X) /\ ~Between (X, O, B) [K2] by -, IN, Ray_DEF; consider m such that Line m /\ A IN m /\ B IN m [ABm] by B1_AOB, I1; O IN m [Om] by ABm, B1_AOB, CollinearLinear_THM; X IN m [Xm] by ABm, Om, K2, B1_AOB, CollinearLinear_THM; A IN m DELETE O /\ X IN m DELETE O /\ B IN m DELETE O [AXBm_O] by ABm, Xm, H2', B1_AOB, IN_DELETE; Between(A, O, X) by H1, ABm, Om, AXBm_O, K2, IntervalTransitivity_THM; Between(X, O, A) by -, B1; qed by -, IN, Ray_DEF;; let 
OppositeRaysIntersect1point_THM = thm ; let A O B be point; assume Between(A, O, B) [H1]; thus ray(O, A) INTER ray(O, B) = {O} proof ~(A = O) /\ ~(A = B) /\ ~(O = B) /\ Between (B,O,A) /\ Collinear (A,O,B) [B1_AOB] by H1, B1; O IN ray(O, A) INTER ray(O, B) by B1_AOB, OriginInRay_THM, IN_INTER; {O} SUBSET ray(O, A) INTER ray(O, B) [Osubset_rOA] by -, SING_SUBSET; ray(O, A) INTER ray(O, B) SUBSET {O} proof !X. X IN ray(O, A) INTER ray(O, B) ==> X IN {O} proof let X be point; assume X IN ray(O, A) INTER ray(O, B); X IN ray(O, A) /\ X IN ray(O, B) [XinBothRays] by -, IN_INTER; cases; suppose X = O; qed by -, IN_SING; suppose ~(X = O); X IN ray(O, B) DELETE O by -, XinBothRays, IN_DELETE; ~(X IN ray (O,A)) by H1, -, OppositeRaysIntersect1pointHelp_THM; F by -, XinBothRays; qed by -; end; qed by -, SUBSET; qed by -, Osubset_rOA, DoubleSubsetEqual_THM;; let TransitivitybetweennessHelp_THM = thm ; let A B C D be point; assume Between (A,B,C) /\ Between (B,C,D) [H1]; thus Between (A,B,D) proof ~(A = B) /\ ~(A = C) /\ ~(B = C) [Distinct] by H1, B1; consider l such that Line l /\ A IN l /\ C IN l [ACl] by Distinct, I1; B IN l /\ D IN l by ACl, H1, BetweenLinear_THM; Collinear (B,A,D) [BADcol] by ACl, -, Collinear_DEF; ~Between (D,B,C) by H1, B1, B3; D IN ray (B,C) DELETE B by Distinct, H1, B1, -, IN, Ray_DEF, IN_DELETE; ~(D IN ray (B,A)) by Distinct, H1, -, OppositeRaysIntersect1pointHelp_THM; Between (D,B,A) by Distinct, BADcol, -, IN, Ray_DEF; qed by -, B1;; let Transitivitybetweenness_THM = thm ; let A B C D be point; assume Between (A,B,C) /\ Between (B,C,D) [H1]; thus is_ordered (A,B,C,D) proof Between (A,B,D) [ABD] by H1, TransitivitybetweennessHelp_THM; Between (D,C,B) /\ Between (C,B,A) by H1, B1; Between (D,C,A) [DCA] by -, TransitivitybetweennessHelp_THM; Between (A,C,D) by -, B1; qed by H1, ABD, -, is_ordered_DEF;; let Transitivitybetweenness_THM = thm ; let A B C D be point; assume Between (A,B,C) /\ Between (B,C,D) [H1]; thus is_ordered (A,B,C,D) proof !P Q R S. 
Between (P,Q,R) /\ Between (Q,R,S) ==> Between (P,Q,S) [help] proof let P Q R S be point; assume Between (P,Q,R) /\ Between (Q,R,S) [PQRS]; ~(P = Q) /\ ~(P = R) /\ ~(Q = R) [Distinct] by PQRS, B1; consider l such that Line l /\ P IN l /\ R IN l [PRl] by Distinct, I1; Q IN l /\ S IN l by PRl, PQRS, BetweenLinear_THM; Collinear (Q,P,S) [QPScol] by PRl, -, Collinear_DEF; ~Between (S,Q,R) by PQRS, B1, B3; S IN ray (Q,R) DELETE Q by Distinct, PQRS, B1, -, IN, Ray_DEF, IN_DELETE; ~(S IN ray (Q,P)) by Distinct, PQRS, -, OppositeRaysIntersect1pointHelp_THM; Between (S,Q,P) by Distinct, QPScol, -, IN, Ray_DEF; qed by -, B1; Between (A,B,D) [ABD] by H1, help; Between (D,C,B) /\ Between (C,B,A) by H1, B1; Between (D,C,A) [DCA] by -, help; Between (A,C,D) by -, B1; qed by H1, ABD, -, is_ordered_DEF;; let IntervalsAreConvex_THM = thm ; let A B C be point; assume B IN open_int (A,C) [H1]; thus open_int (A,B) SUBSET open_int (A,C) proof !X. X IN open_int (A,B) ==> X IN open_int (A,C) proof let X be point; assume X IN open_int (A,B) [Xin_intAB]; Between (A,B,C) [ABC] by H1, IN, Interval_DEF; Between (A,X,B) [AXB] by Xin_intAB, IN, Interval_DEF; ~(A = X) /\ ~(A = B) /\ ~(A = C) /\ ~(X = B) /\ ~(B = C) [Distinct] by AXB, ABC, B1; consider l such that Line l /\ A IN l /\ C IN l [ACl] by Distinct, I1; B IN l /\ X IN l by ACl, ABC, AXB, BetweenLinear_THM; Collinear (B,C,X) [BCXcol] by ACl, -, Collinear_DEF; Collinear (B,A,X) [ABXcol] by AXB, B1, CollinearSymmetry_THM ; ~Between (X,B,A) by Distinct, ABXcol, AXB, B3; X IN ray(B,A) DELETE B [XrBA_B] by Distinct, ABXcol, -, Ray_DEF, IN, IN_DELETE; ~(X IN ray (B,C)) [notXrBC] by ABC, B1, XrBA_B, OppositeRaysIntersect1pointHelp_THM; Between (X,B,C) by Distinct, BCXcol, notXrBC, IN, Ray_DEF; Between (A,X,C) [AXC] by AXB, -, TransitivitybetweennessHelp_THM; X IN open_int (A,C) by AXC, IN, Interval_DEF; qed by -; qed by -, SUBSET;; 
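
An added illustration, not part of Bill's post or of the miz3 development: a Python model check of the open_int reformulation used in the message above. It assumes points are integer grid points in the plane and Between is strict betweenness on a segment, treats a point set as a predicate the way HOL Light's IN does, and confirms that B1, B3 and IntervalsAreConvex_THM hold in that model while the converse inclusion fails. All function names are this sketch's own, and a finite check in one model is a sanity test rather than a proof.

```python
from itertools import product


def collinear(a, b, c):
    """True when a, b, c lie on one line (zero cross product)."""
    return (b[0] - a[0]) * (c[1] - a[1]) == (b[1] - a[1]) * (c[0] - a[0])


def between(a, x, b):
    """Model of Between (A,X,B): x lies strictly inside the segment ab."""
    if a == b or x == a or x == b or not collinear(a, x, b):
        return False
    # For x = a + t(b - a), (x - a).(b - x) = t(1 - t)|b - a|^2 > 0 iff 0 < t < 1.
    return (x[0] - a[0]) * (b[0] - x[0]) + (x[1] - a[1]) * (b[1] - x[1]) > 0


def open_int(a, b):
    """Interval_DEF: open_int (A,B) X <=> Between (A,X,B), as a predicate."""
    return lambda x: between(a, x, b)


def member(x, s):
    """HOL Light's IN: x IN s <=> s x."""
    return s(x)


def subset(s, t, universe):
    """s SUBSET t, restricted to the finite sample universe."""
    return all(member(x, t) for x in universe if member(x, s))


def grid(n):
    """Constructed sample universe: the n-by-n integer grid."""
    return [(x, y) for x in range(n) for y in range(n)]


def check_b1(universe):
    """Counterexamples to B1 restated with open_int."""
    bad = []
    for a, b, c in product(universe, repeat=3):
        if member(b, open_int(a, c)):
            ok = (a != b and a != c and b != c
                  and member(b, open_int(c, a)) and collinear(a, b, c))
            if not ok:
                bad.append((a, b, c))
    return bad


def check_b3(universe):
    """Counterexamples to B3 restated with open_int: exactly one point lies between."""
    bad = []
    for a, b, c in product(universe, repeat=3):
        if a != b and a != c and b != c and collinear(a, b, c):
            hits = [member(b, open_int(a, c)),
                    member(c, open_int(b, a)),
                    member(a, open_int(c, b))]
            if sum(hits) != 1:
                bad.append((a, b, c))
    return bad


def check_convex(universe):
    """Counterexamples to: B IN open_int (A,C) ==> open_int (A,B) SUBSET open_int (A,C)."""
    return [(a, b, c) for a, b, c in product(universe, repeat=3)
            if member(b, open_int(a, c))
            and not subset(open_int(a, b), open_int(a, c), universe)]


def check_converse(universe):
    """Counterexamples to the reversed inclusion, which is not a theorem."""
    return [(a, b, c) for a, b, c in product(universe, repeat=3)
            if member(b, open_int(a, c))
            and not subset(open_int(a, c), open_int(a, b), universe)]


if __name__ == "__main__":
    U = grid(4)
    print("B1 counterexamples:", len(check_b1(U)))
    print("B3 counterexamples:", len(check_b3(U)))
    print("convexity counterexamples:", len(check_convex(U)))
    print("converse counterexamples:", len(check_converse(U)))
```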

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-06-09 06:12

John and Freek, I'm over 1000 lines of miz3 axiomatic Hilbert code (below), and my code now (after the beginning) only uses the set theoretic B IN open_int (A, C) instead of the Between (A,B,C). I found what may be a bug in miz3: I could not prove my thms B3' and B4' in the way I proved thms B1' and B2'.

--
Best, Bill

(* Paste in these 2 commands
cd hol_light; ocaml
#use "hol.ml";;
#load "unix.cma";;
loadt "miz3/miz3.ml";;
and then paste in the following file. *)

(* ================================================================= *)
(* HOL Light Hilbert geometry axiomatic proofs. *)
(* ================================================================= *)

(* Thanks to Mizar folks who wrote an influential language I was able to learn, Freek Wiedijk, who wrote the miz3 port of Mizar to HOL Light, and especially John Harrison, who came up with the entire framework here of porting my axiomatic proofs to HOL Light. *)

horizon := 0;; new_type("point",0);; new_type_abbrev("point_set",:point->bool);; new_constant("Between",:point#point#point->bool);; new_constant("===",:point#point->point#point->bool);; new_constant("Line",:point_set->bool);; parse_as_infix("===",(12, "right"));; parse_as_infix("cong",(12, "right"));; parse_as_infix("same_side",(12, "right"));; parse_as_infix("int_angle",(12, "right"));; let Interval_DEF = new_definition !A B X. open_int (A,B) X <=> Between (A,X,B);; let Collinear_DEF = new_definition Collinear (A,B,C) <=> ?l. Line l /\ A IN l /\ B IN l /\ C IN l;; let same_side_DEF = new_definition A,B same_side l <=> Line l /\ ~(?X. (X IN l) /\ X IN open_int (A,B));; let Ray_DEF = new_definition !A B X. 
ray (A,B) X <=> ~(A = B) /\ Collinear (A,B,X) /\ ~(A IN open_int (X,B));; let cong_DEF = new_definition A,B,C cong X,Y,Z <=> A,B === X,Y /\ A,C === X,Z /\ B,C === Y,Z;; let is_ordered_DEF = new_definition is_ordered (A,B,C,D) <=> B IN open_int (A,C) /\ B IN open_int (A,D) /\ C IN open_int (A,D) /\ C IN open_int (B,D);; let Reflexive_relation_DEF = new_definition Reflexive_Property <=> !l A. Line l /\ ~(A IN l) ==> A,A same_side l;; let Symmetric_relation_DEF = new_definition Symmetric_Property <=> !l A B. Line l /\ ~(A IN l) /\ ~(B IN l) ==> A,B same_side l ==> B,A same_side l;; let Transitive_relation_DEF = new_definition Transitive_Property <=> !l A B C. Line l /\ ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) ==> A,B same_side l /\ B,C same_side l ==> A,C same_side l;; (* exec GOAL_TAC; p();; let Angle_DEF = new_definition !A O B. Angle (A,O,B) = if Collinear (A,O,B) then {} else {ray (O,A), ray (O,B)};; *) let InteriorAngle_DEF = new_definition !A O B P. P int_angle A,O,B <=> ~Collinear (A,O,B) /\ ?a b. Line a /\ O IN a /\ A IN a /\ Line b /\ O IN b /\ B IN b /\ ~(P IN a) /\ ~(P IN b) /\ P,B same_side a /\ P,A same_side b;; (* ------------------------------------------------------------------------- *) (* The axioms. *) (* ------------------------------------------------------------------------- *) let I1 = new_axiom !A B. ~(A = B) ==> ?! l. Line l /\ A IN l /\ B IN l;; let I2 = new_axiom !l. ? A B. Line l /\ A IN l /\ B IN l /\ ~(A = B);; let I3 = new_axiom ?A B C. ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ ~Collinear (A,B,C);; let B1 = new_axiom ! A B C. Between (A,B,C) ==> ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ Between (C,B,A) /\ Collinear (A,B,C);; let B2 = new_axiom ! A B. ~(A = B) ==> ?C. Between (A,B,C);; let B3 = new_axiom !A B C. 
~(A = B) /\ ~(A = C) /\ ~(B = C) /\ Collinear (A,B,C) ==> (Between (A,B,C) \/ Between (B,C,A) \/ Between (C,A,B)) /\ ~(Between (A,B,C) /\ Between (B,C,A)) /\ ~(Between (A,B,C) /\ Between (C,A,B)) /\ ~(Between (B,C,A) /\ Between (C,A,B));; let B4 = new_axiom !l A B C. Line l /\ ~Collinear (A,B,C) /\ ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) /\ (?X. X IN l /\ Between (A,X,C)) ==> (?Y. Y IN l /\ Between (A,Y,B)) \/ (?Y. Y IN l /\ Between (B,Y,C));; let B1' = thm ; !A B C. B IN open_int (A,C) ==> ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ B IN open_int (C,A) /\ Collinear (A,B,C) by IN, Interval_DEF, B1;; let B2' = thm ; !A B. ~(A = B) ==> ?C. B IN open_int (A,C) by IN, Interval_DEF, B2;; let B3' = thm ; let A B C be point; assume ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ Collinear (A,B,C) [H1]; thus (B IN open_int (A,C) \/ C IN open_int (B,A) \/ A IN open_int (C,B)) /\ ~(B IN open_int (A,C) /\ C IN open_int (B,A)) /\ ~(B IN open_int (A,C) /\ A IN open_int (C,B)) /\ ~(C IN open_int (B,A) /\ A IN open_int (C,B)) proof qed by H1, IN, Interval_DEF, B3;; let B4' = thm ; let l be point_set; let A B C be point; assume Line l /\ ~Collinear (A,B,C) /\ ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) /\ (?X. X IN l /\ X IN open_int (A,C)) [H1]; thus (?Y. Y IN l /\ Y IN open_int (A,B)) \/ (?Y. Y IN l /\ Y IN open_int (B,C)) proof Line l /\ ~Collinear (A,B,C) /\ ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) /\ (?X. X IN l /\ Between (A,X,C)) by H1, IN, Interval_DEF; (?Y. Y IN l /\ Between (A,Y,B)) \/ (?Y. Y IN l /\ Between (B,Y,C)) by -, B4; qed by -, IN, Interval_DEF;; let BiggerThanSingleton_THM = thm ; let p be A->bool; let x be A; assume x IN p [H1]; assume ~(p = {x}) [H2]; thus ?a . 
a IN p /\ ~(a = x) proof {x} SUBSET p by H1, SING_SUBSET; ~(p SUBSET {x}) by -, H2, SUBSET_ANTISYM; consider a such that a IN p /\ ~(a IN {x}) [X1] by -, SUBSET; ~(a = x) by -, IN_SING; qed by -, X1;; let DisjointOneNotOther_THM = thm ; let x be A; let l m be A->bool; assume l INTER m = {} [H1]; assume x IN m [H2]; thus ~(x IN l) proof assume (x IN l); x IN l INTER m by -, H2, IN_INTER; F by -, NOT_IN_EMPTY, H1; qed by -;; let IntersectionSingletonOneNotOther_THM = thm ; let e x be A; let l m be A->bool; assume l INTER m = {x} [H1]; assume e IN l [H2]; assume ~(e = x) [H3]; thus ~(e IN m) proof assume e IN m; e IN l INTER m by H2, -, IN_INTER; e = x by -, H1, IN_SING; F by -, H3; qed by -;; let EquivIntersectionHelp_THM = thm ; let a x be A; let l m be A->bool; assume l INTER m = {x} [H1]; assume a IN m DELETE x [H2]; thus ~(a IN l) proof a IN m /\ ~(a = x) [X1] by H2, IN_DELETE; qed by -, H1, H2, IntersectionSingletonOneNotOther_THM;; let DoubleSubsetEqual_THM = thm ; let s t be A->bool; assume s SUBSET t [H1]; assume t SUBSET s [H2]; thus s = t proof !x:A. x IN s ==> x IN t [sSt] by H1, SUBSET; !x:A. x IN t ==> x IN s [tSs] by H2, SUBSET; !x:A. x IN s <=> x IN t [sEt] by sSt, tSs; s = t by -, EXTENSION; qed by -;; let CollinearSymmetry_THM = thm ; let A B C be point; assume Collinear (A,B,C) [H1]; thus Collinear (A,C,B) /\ Collinear (B,A,C) /\ Collinear (B,C,A) /\ Collinear (C,A,B) /\ Collinear (C,B,A) proof consider l such that Line l /\ A IN l /\ B IN l /\ C IN l by H1, Collinear_DEF; qed by -, Collinear_DEF;; let OnePointImpliesAnother_THM = thm ; let P be point; thus ?Q:point. ~(Q = P) proof consider A B C such that ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ ~Collinear (A,B,C) [X1] by I3; cases; suppose B = P; ~(A = B) by -, X1; qed by -; suppose ~(B = P); qed by -; end;; let ExistsPointOffLine_THM = thm ; let l be point_set; assume Line l [H1]; thus ?Q:point. 
~(Q IN l) proof consider A B C such that ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ ~Collinear (A,B,C) [useI3] by I3; cases; suppose ~(A IN l) \/ ~(B IN l) \/ ~(C IN l); qed by -; suppose (A IN l) /\ (B IN l) /\ (C IN l); Collinear (A,B,C) by H1, -, Collinear_DEF; F by -, useI3; qed by -; end;; let B4'' = thm ; let l be point_set; let A B C be point; assume Line l [H0]; assume ~Collinear (A,B,C) /\ ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) [H1]; assume A,B same_side l /\ B,C same_side l [H2]; thus A,C same_side l proof ~(?Y. Y IN l /\ Y IN open_int (A,B)) /\ ~(?Y. Y IN l /\ Y IN open_int (B,C)) ==> ~(?X. X IN l /\ X IN open_int (A,C)) by H0, H1, B4'; qed by -, H1, H2, IN, same_side_DEF;; let BetweenLinear_THM = thm ; let A B C be point; let m be point_set; assume Line m /\ A IN m /\ C IN m [H1]; assume B IN open_int (A,C) \/ C IN open_int (B,A) \/ A IN open_int (C,B) [H2]; thus B IN m proof ~(A = C) /\ (Collinear (A,B,C) \/ Collinear (B,C,A) \/ Collinear (C,A,B)) [X1] by H2, B1'; consider l such that Line l /\ A IN l /\ B IN l /\ C IN l [X2] by -, Collinear_DEF; l = m by X1, -, H2, H1, I1; qed by -, X2;; let CollinearLinear_THM = thm ; let A B C be point; let m be point_set; assume Line m /\ A IN m /\ C IN m [H1]; assume Collinear (A,B,C) \/ Collinear (B,C,A) \/ Collinear (C,A,B) [H2]; assume ~(A = C) [H3]; thus B IN m proof consider l such that Line l /\ A IN l /\ B IN l /\ C IN l [X1] by H2, Collinear_DEF; l = m by H3, -, H1, I1; qed by -, X1;; let NonCollinearImpliesDistinct_THM = thm ; let A B C be point; assume ~Collinear (A,B,C) [H1]; thus ~(A = B) /\ ~(A = C) /\ ~(B = C) proof cases; suppose A = B /\ B = C [C1]; consider Q such that ~(Q = A) by OnePointImpliesAnother_THM; consider l such that Line l /\ A IN l /\ Q IN l by -, I1; Collinear (A,B,C) by -, C1, Collinear_DEF; qed by -, H1; suppose ~(A = B) /\ B = C [C2]; consider l such that Line l /\ A IN l /\ B IN l by -, I1; Collinear (A,B,C) by -, C2, Collinear_DEF; qed by -, H1; suppose ~(B = C) [C3]; consider l such 
that Line l /\ B IN l /\ C IN l [X1] by C3, I1; ~(A = B) [U] proof assume A = B; Collinear (A,B,C) by -, X1, Collinear_DEF; qed by -, H1; ~(A = C) [V] proof assume A = C; Collinear (A,B,C) by -, X1, Collinear_DEF; qed by -, H1; qed by U, V, C3; end;; let OriginInRay_THM = thm ; let O Q be point; assume ~(Q = O) [H1]; thus O IN ray (O,Q) proof ~(O IN open_int (O,Q)) [OOQ] by B1'; consider l such that Line l /\ O IN l /\ Q IN l by H1, I1; Collinear (O,Q,O) by -, Collinear_DEF; qed by H1, -, OOQ, IN, Ray_DEF;; let Line01infinity_THM = thm ; let X be point; let l m be point_set; assume Line l /\ Line m [H0]; assume ~(l = m) [H1]; assume X IN l /\ X IN m [H2]; thus l INTER m = {X} proof (l INTER m = {X}) \/ ~(l INTER m = {X}); assume ~(l INTER m = {X}) [H3]; X IN l INTER m by H2, IN_INTER; consider A such that A IN l INTER m /\ ~(A = X) [X1] by -, H3, BiggerThanSingleton_THM; A IN l /\ X IN l /\ A IN m /\ X IN m by H0, -, H2, IN_INTER; l = m by H0, -, X1, I1; F by -, H1; qed by -;; let EquivIntersection_THM = thm ; let A B X be point; let l m be point_set; assume Line l /\ Line m [H0]; assume l INTER m = {X} [H1]; assume A IN m DELETE X /\ B IN m DELETE X [H2]; assume ~(X IN open_int (A,B)) [H3]; thus ~(A IN l) /\ ~(B IN l) /\ A,B same_side l proof A IN m /\ ~(A = X) [X1] by H2, IN_DELETE; B IN m /\ ~(B = X) [X2] by H2, IN_DELETE; ~(A IN l) /\ ~(B IN l) [X3] by H1, H2, EquivIntersectionHelp_THM; A,B same_side l [X4] proof assume ~(A,B same_side l); consider G such that (G IN l) /\ G IN open_int (A,B) [X5] by H0, -, same_side_DEF; ~(A = B) /\ Collinear (A,G,B) [X6] by -, B1'; consider k such that Line k /\ A IN k /\ G IN k /\ B IN k [X7] by -, Collinear_DEF; k = m by H0, -, X1, X2, X6, I1; G IN l INTER m by -, X5, X7, IN_INTER; G = X by -, H1, IN_SING; X IN open_int (A,B) by -, X5; F by -, H3; qed by -; qed by X3, X4;; let SameSideReflexiveRelation_THM = thm ; thus Reflexive_Property proof !l A. 
Line l ==> A,A same_side l proof let l be point_set; let A be point; assume Line l [H0]; ~(?X. (X IN l) /\ X IN open_int (A,A)) by H0, B1'; qed by H0, -, same_side_DEF; qed by -, Reflexive_relation_DEF;; let SameSideSymmetricRelation_THM = thm ; thus Symmetric_Property proof !l A B. Line l /\ ~(A IN l) /\ ~(B IN l) ==> A,B same_side l ==> B,A same_side l proof let l be point_set; let A B be point; assume Line l [H0]; assume A,B same_side l [H1]; assume ~(A IN l) /\ ~(B IN l); ~(?X. (X IN l) /\ X IN open_int (A,B)) by H0, H1, same_side_DEF; ~(?X. (X IN l) /\ X IN open_int (B,A)) by -, B1'; qed by H0, -, same_side_DEF; qed by -, Symmetric_relation_DEF;; let SameSideTransitiveRelation_THM = thm ; thus Transitive_Property proof !l A B C. Line l /\ ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) ==> A,B same_side l /\ B,C same_side l ==> A,C same_side l proof let l be point_set; let A B C be point; assume Line l [lLine]; assume ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) [H0]; assume A,B same_side l [H1]; assume B,C same_side l [H2]; A,C same_side l proof ~Collinear (A,B,C) \/ Collinear (A,B,C); cases by -; suppose ~Collinear (A,B,C); qed by lLine, -, H0, H1, H2, B4''; suppose Collinear (A,B,C) [Coll]; cases; suppose A = B \/ A = C \/ B = C; qed by lLine, -, H2, H0, SameSideReflexiveRelation_THM, Reflexive_relation_DEF, H1; suppose ~(A = B) /\ ~(A = C) /\ ~(B = C) [Distinct]; consider m such that Line m /\ A IN m /\ C IN m [ACm] by Distinct, I1; ~(l = m) [not_lm] by ACm, H0; cases; suppose l INTER m = {} [Disjoint]; !X. 
X IN open_int (A,C) ==> ~(X IN l) proof let X be point; assume X IN open_int (A,C); X IN m by lLine, -, ACm, BetweenLinear_THM; ~(X IN l) by -, Disjoint, DisjointOneNotOther_THM; qed by -; qed by lLine, -, same_side_DEF; suppose ~(l INTER m = {}) [NotDisjoint]; consider X such that X IN l INTER m by NotDisjoint, MEMBER_NOT_EMPTY; X IN l /\ X IN m [Xin_lm] by -, IN_INTER; l INTER m = {X} [lmX] by lLine, ACm, not_lm, -, Line01infinity_THM; consider E such that E IN l /\ ~(E = X) [Einl_X] by Xin_lm, I2; ~(E IN m) [notEm] by lmX, Einl_X, IntersectionSingletonOneNotOther_THM; ~(E = B) by Einl_X, H0; consider B' such that B IN open_int (E,B') by -, B2'; B IN open_int (B',E) [B'BE] by -, B1'; ~(B' = E) /\ ~(B = E) /\ ~(B' = B) /\ Collinear (B',B,E) [B'BEcol] by -, B1'; consider n such that Line n /\ E IN n /\ B' IN n [EB'n] by -, I1; B IN n [Bn] by EB'n, B'BE, BetweenLinear_THM; ~(l = n) [not_ln] by H0, -; l INTER n = {E} [lnE] by lLine, not_ln, EB'n, Einl_X, Line01infinity_THM; ~(B' IN l) [notB'l] by -, EB'n, B'BEcol, IntersectionSingletonOneNotOther_THM; ~(E IN open_int (B,B')) [BEB'] by B'BEcol, B'BE, B3'; B' IN n DELETE E /\ B IN n DELETE E by EB'n, Bn, B'BEcol, IN_DELETE; B, B' same_side l [Bsim_lB'] by lLine, EB'n, lnE, -, BEB', EquivIntersection_THM; ~(m = n) [not_mn] by EB'n, notEm; B IN m by ACm, Coll, Distinct, CollinearLinear_THM; m INTER n = {B} [mn_B] by ACm, EB'n, -, Bn, not_mn, Line01infinity_THM; ~(A IN n) [not_An] by -, ACm, Distinct, IntersectionSingletonOneNotOther_THM; ~Collinear (A,B,B') proof assume Collinear (A,B,B'); consider alpha such that Line alpha /\ A IN alpha /\ B IN alpha /\ B' IN alpha [ABB'alpha] by -, Collinear_DEF; alpha = n by B'BEcol, ABB'alpha, EB'n, Bn, I1; A IN n by -, ABB'alpha; qed by -, not_An; A,B' same_side l [Asim_lB'] by lLine, -, H0, notB'l, H1, Bsim_lB', B4''; ~(C IN n) [notCn] by mn_B, ACm, Distinct, IntersectionSingletonOneNotOther_THM; C,B same_side l [Csim_lB] by lLine, H0, H2, SameSideSymmetricRelation_THM, 
Symmetric_relation_DEF; ~Collinear (C,B,B') proof assume Collinear (C,B,B'); consider alpha such that Line alpha /\ C IN alpha /\ B IN alpha /\ B' IN alpha [CBB'alpha] by -, Collinear_DEF; alpha = n by -, EB'n, B'BEcol, CBB'alpha, Bn, I1; C IN n by -, CBB'alpha; qed by -, notCn; C,B' same_side l by lLine, -, H0, notB'l, Csim_lB, Bsim_lB', B4''; B',C same_side l [B'sim_C] by lLine, H0, notB'l, -, SameSideSymmetricRelation_THM, Symmetric_relation_DEF; ~(B' IN m) [notB'm] by mn_B, EB'n, B'BEcol, IntersectionSingletonOneNotOther_THM; ~Collinear (A,B',C) proof assume Collinear (A,B',C); consider alpha such that Line alpha /\ A IN alpha /\ B' IN alpha /\ C IN alpha [AB'Calpha] by -, Collinear_DEF; alpha = m by Distinct, -, ACm, I1; B' IN m by -, AB'Calpha; F by -, notB'm; qed by -; A, C same_side l by lLine, -, H0, notB'l, Asim_lB', B'sim_C, B4''; qed by -; end; end; end; qed by -; qed by -, Transitive_relation_DEF;; let SameSideEquivalenceRelation_THM = thm ; thus Reflexive_Property /\ Symmetric_Property /\ Transitive_Property proof qed by SameSideReflexiveRelation_THM, SameSideSymmetricRelation_THM, SameSideTransitiveRelation_THM;; let ConverseCrossbar_THM = thm ; let O A B G be point; assume ~Collinear (A,O,B) [H1]; assume G IN open_int (A,B) [H2]; thus G int_angle A,O,B proof ~(A = O) /\ ~(A = B) /\ ~(O = B) [Distinct] by H1, NonCollinearImpliesDistinct_THM; consider a such that Line a /\ O IN a /\ A IN a [aOA] by -, I1; consider b such that Line b /\ O IN b /\ B IN b [bOB] by Distinct, I1; consider l such that Line l /\ A IN l /\ B IN l [lAB] by Distinct, I1; ~(B IN a) by H1, aOA, Collinear_DEF; ~(a = l) by -, lAB; a INTER l = {A} [alA] by -, aOA, lAB, Line01infinity_THM; ~(A = G) /\ ~(A = B) /\ ~(G = B) /\ G IN open_int (B,A) /\ Collinear (A,G,B) [X1] by H2, B1'; ~(A IN open_int (G,B)) [notGAB] by -, H2, B3', B1'; G IN l [Ginl] by lAB, H2, BetweenLinear_THM; ~(G IN a) [notGina] by alA, Ginl, X1, IntersectionSingletonOneNotOther_THM; G IN l DELETE A /\ B IN l DELETE 
A by Ginl, lAB, X1, IN_DELETE; G,B same_side a [Gsim_aB] by aOA, lAB, alA, -, notGAB, EquivIntersection_THM; :: same argument shows G,A same_side b ~(A IN b) by H1, bOB, Collinear_DEF; ~(b = l) by -, lAB; b INTER l = {B} [blB] by -, bOB, lAB, Line01infinity_THM; ~(B IN open_int (G,A)) [notGBA] by H2, B1', B3'; ~(G IN b) [notGinb] by blB, Ginl, X1, IntersectionSingletonOneNotOther_THM; G IN l DELETE B /\ A IN l DELETE B by Ginl, lAB, X1, IN_DELETE; G,A same_side b [Gsim_bA] by bOB, lAB, blB, -, notGBA, EquivIntersection_THM; qed by H1, aOA, bOB, notGina, notGinb, Gsim_aB, Gsim_bA, InteriorAngle_DEF;; let InteriorHelp_THM = thm ; let A O B P be point; let a b be point_set; assume Line a /\ O IN a /\ A IN a /\ Line b /\ O IN b /\ B IN b [aOAbOB]; assume P int_angle A,O,B [P_AOB]; thus ~(P IN a) /\ ~(P IN b) /\ P,B same_side a /\ P,A same_side b proof consider alpha beta such that ~Collinear (A,O,B) /\ Line alpha /\ O IN alpha /\ A IN alpha /\ Line beta /\ O IN beta /\B IN beta /\ ~(P IN alpha) /\ ~(P IN beta) /\ P,B same_side alpha /\ P,A same_side beta [exists] by P_AOB, InteriorAngle_DEF; ~(A = O) /\ ~(A = B) /\ ~(O = B) [Distinct] by -, NonCollinearImpliesDistinct_THM; alpha = a /\ beta = b by -, aOAbOB, exists, I1; qed by -, exists;; let WholeRayInterior_THM = thm ; let A O B X P be point; assume ~Collinear (A,O,B) [H1]; assume X int_angle A,O,B [H2]; assume P IN ray (O,X) [H3]; assume ~(P = O) [H4]; thus P int_angle A,O,B proof ~(A = O) /\ ~(A = B) /\ ~(O = B) [Distinct] by H1, NonCollinearImpliesDistinct_THM; consider a such that Line a /\ O IN a /\ A IN a [a_OA] by Distinct, I1; consider b such that Line b /\ O IN b /\ B IN b [b_OB] by Distinct, I1; ~(X IN a) /\ ~(X IN b) /\ X,B same_side a /\ X,A same_side b [XintAOB] by H2, a_OA, b_OB, InteriorHelp_THM; ~(O = X) /\ Collinear (O,X,P) /\ ~(O IN open_int (P,X)) [P_OX] by H3, IN, Ray_DEF; consider x such that Line x /\ O IN x /\ X IN x [x_OX] by P_OX, I1; :: P IN x [Pin_x] by x_OX, P_OX, Collinear_DEF, 
CollinearLinear_THM; P IN x [Pin_x] by x_OX, P_OX, CollinearLinear_THM; P IN x DELETE O [Pin_x_O] by Pin_x, H4, IN_DELETE; X IN x DELETE O [Xin_x_O] by x_OX, P_OX, IN_DELETE; ~(x = a) /\ ~(x = b) [x_not_ab] by XintAOB, x_OX; a INTER x = {O} /\ b INTER x = {O} [axb_intO] by x_not_ab, x_OX, a_OA, b_OB, Line01infinity_THM; ~(P IN a) /\ P,X same_side a [Psim_aX] by a_OA, x_OX, axb_intO, Pin_x_O, Xin_x_O, P_OX, EquivIntersection_THM; ~(P IN b) /\ P,X same_side b [Psim_bX] by b_OB, x_OX, axb_intO, Pin_x_O, Xin_x_O, P_OX, EquivIntersection_THM; P,B same_side a /\ P,A same_side b by Psim_aX, Psim_bX, XintAOB, a_OA, b_OB, H1, Collinear_DEF, SameSideTransitiveRelation_THM, Transitive_relation_DEF; qed by H1, a_OA, b_OB, Psim_aX, Psim_bX, -, InteriorAngle_DEF;; let AngleOrdering_THM = thm ; let O A P Q be point; let a be point_set; assume ~(O = A) [H1]; assume Line a /\ O IN a /\ A IN a [H2]; assume ~(P IN a) /\ ~(Q IN a) [H3]; assume P, Q same_side a [H4]; assume ~Collinear (P,O,Q) [H5]; thus P int_angle Q,O,A \/ Q int_angle P,O,A proof ~(P = O) /\ ~(P = Q) /\ ~(O = Q) [Distinct] by H5, NonCollinearImpliesDistinct_THM; consider p such that Line p /\ O IN p /\ P IN p [p_OP] by Distinct, I1; consider q such that Line q /\ O IN q /\ Q IN q [q_OQ] by Distinct, I1; ~(q = a) by H3, q_OQ; q INTER a = {O} by -, H2, q_OQ, Line01infinity_THM; ~(A IN q) by -, H2, H1, IntersectionSingletonOneNotOther_THM; ~(P IN q) [notPq] by q_OQ, H5, Collinear_DEF; ~(p = q) by -, p_OP; p INTER q = {O} by -, p_OP, q_OQ, Line01infinity_THM; ~Collinear (Q,O,A) [QOA_noncol] by H1, H2, I1, H3, Collinear_DEF; ~Collinear (P,O,A) [POA_noncol] by H1, H2, I1, H3, Collinear_DEF; assume ~(P int_angle Q,O,A) [notP_QOA]; Q int_angle P,O,A proof ~(P,A same_side q) by QOA_noncol, H2, q_OQ, H3, notPq, H4, notP_QOA, InteriorAngle_DEF; consider G such that (G IN q) /\ G IN open_int (P,A) [existG] by q_OQ, -, same_side_DEF; G int_angle P,O,A [G_POA] by POA_noncol, existG, ConverseCrossbar_THM; ~(G IN a) /\ G,P same_side 
a [Gsim_aP] by -, InteriorAngle_DEF, H1, H2, I1; ~(G = O) [GnotO] by -, H2; G,Q same_side a by H2, Gsim_aP, H3, H4, SameSideTransitiveRelation_THM, Transitive_relation_DEF; ~(O IN open_int (Q,G)) [notQOG] by -, same_side_DEF, H2, B1'; Collinear (O,G,Q) by q_OQ, existG, Collinear_DEF; Q IN ray (O,G) by GnotO, -, notQOG, IN, Ray_DEF; qed by POA_noncol, G_POA, -, Distinct, WholeRayInterior_THM; qed by -;; let InteriorReflectionInterior_THM = thm ; let A O B D A' be point; assume ~Collinear (A,O,B) [H1]; assume D int_angle A,O,B [H2]; assume O IN open_int (A,A') [H3]; thus B int_angle D,O,A' proof ~(A = O) /\ ~(A = B) /\ ~(O = B) [Distinct] by H1, NonCollinearImpliesDistinct_THM; consider a such that Line a /\ O IN a /\ A IN a [a_OA] by Distinct, I1; consider b such that Line b /\ O IN b /\ B IN b [b_OB] by Distinct, I1; ~(A IN b) [notAb] by b_OB, H1, Collinear_DEF; ~(B IN a) [notBa] by a_OA, H1, Collinear_DEF; ~(a = b) by -, b_OB; b INTER a = {O} [ab_O] by -, a_OA, b_OB, Line01infinity_THM; A' IN a [A'a] by H3, a_OA, BetweenLinear_THM; A' IN a DELETE O by A'a, H3, B1', IN_DELETE; ~(A' IN b) [notA'b] by ab_O, -, EquivIntersectionHelp_THM; ~(A,A' same_side b) [Ansim_bA'] by b_OB, H3, same_side_DEF ; ~(D IN a) /\ ~(D IN b) /\ D,B same_side a /\ D,A same_side b [DintAOB] by a_OA, b_OB, H2, InteriorHelp_THM; ~(D,A' same_side b) [Dnsim_bA'] proof assume D,A' same_side b; A',D same_side b by b_OB, DintAOB, notA'b, -, SameSideSymmetricRelation_THM, Symmetric_relation_DEF; A',A same_side b by b_OB, DintAOB, notA'b, notAb, -, SameSideTransitiveRelation_THM, Transitive_relation_DEF; A,A' same_side b by b_OB, notA'b, notAb, -, SameSideSymmetricRelation_THM, Symmetric_relation_DEF; F by -, Ansim_bA'; qed by -; ~(D int_angle B,O,A') [notD_BOA'] proof assume D int_angle B,O,A'; D,A' same_side b by b_OB, a_OA, A'a, -, DintAOB, InteriorHelp_THM; F by -, Dnsim_bA'; qed by -; ~Collinear (D,O,B) [DOB_noncol] by Distinct, b_OB, I1, DintAOB, Collinear_DEF; ~(O = A') by H3, B1'; B int_angle 
D,O,A' by -, a_OA, A'a, DintAOB, notBa, DOB_noncol, notD_BOA', AngleOrdering_THM; qed by -;; let Crossbar_THM = thm ; let O A B D be point; assume ~Collinear (A,O,B) [H1]; assume D int_angle A,O,B [H2]; thus ?G. G IN open_int (A,B) /\ G IN ray (O,D) proof ~(A = O) /\ ~(A = B) /\ ~(O = B) [Distinct] by H1, NonCollinearImpliesDistinct_THM; consider a such that Line a /\ O IN a /\ A IN a [a_OA] by Distinct, I1; consider b such that Line b /\ O IN b /\ B IN b [b_OB] by Distinct, I1; ~(B IN a) [notBa] by a_OA, H1, Collinear_DEF; ~(D IN a) /\ ~(D IN b) /\ D,B same_side a [D_AOB] by a_OA, b_OB, H2, InteriorHelp_THM; ~(D = O) [DnotO] by D_AOB, a_OA; consider l such that Line l /\ O IN l /\ D IN l [l_OD] by -, I1; ~(a = l) /\ ~(b = l) [abl_distinct] by l_OD, D_AOB, b_OB, notBa; a INTER l = {O} [alO] by abl_distinct, a_OA, l_OD, Line01infinity_THM; b INTER l = {O} [blO] by abl_distinct, b_OB, l_OD, Line01infinity_THM; ~(A IN l) /\ ~(B IN l) [ABnot_l] by alO, blO, a_OA, b_OB, Distinct, IntersectionSingletonOneNotOther_THM; consider A' such that O IN open_int (A,A') [AOA'] by Distinct, B2'; A' IN a [A'a] by a_OA, -, BetweenLinear_THM; ~(A' = O) [A'notO] by AOA', B1'; ~(A,A' same_side l) [Ansim_lA'] by l_OD, AOA', same_side_DEF; ~(A' IN l) [A'not_l] by alO, A'a, A'notO, IntersectionSingletonOneNotOther_THM; B int_angle D,O,A' by H1, H2, AOA', InteriorReflectionInterior_THM; B,A' same_side l [Bsim_lA'] by l_OD, a_OA, A'a, -, InteriorHelp_THM; ~(A,B same_side l) [Ansim_lB] proof assume A,B same_side l; A,A' same_side l by l_OD, ABnot_l, A'not_l, -, Bsim_lA', SameSideTransitiveRelation_THM, Transitive_relation_DEF; qed by -, Ansim_lA'; consider G such that G IN open_int (A,B) /\ G IN l [AGB] by l_OD, Ansim_lB, same_side_DEF; Collinear (O,D,G) [ODGcol] by AGB, l_OD, Collinear_DEF; G int_angle A,O,B by H1, AGB, ConverseCrossbar_THM; ~(G IN a) /\ G,B same_side a [Gsim_aB] by a_OA, b_OB, -, InteriorHelp_THM; D,B same_side a by a_OA, b_OB, H2, InteriorHelp_THM; B,D same_side a by a_OA, 
notBa, D_AOB, -, SameSideSymmetricRelation_THM, Symmetric_relation_DEF; G,D same_side a [Gsim_aD] by a_OA, Gsim_aB, notBa, D_AOB, Gsim_aB, -, SameSideTransitiveRelation_THM, Transitive_relation_DEF; ~(O IN open_int (G,D)) by a_OA, -, same_side_DEF; G IN ray (O,D) [G_OD] by DnotO, ODGcol, -, IN, Ray_DEF; qed by AGB, G_OD;; let IntervalTransitivity_THM = thm ; let O P Q R be point; let m be point_set; assume Line m [H0]; assume O IN m [H1]; assume P IN m DELETE O /\ Q IN m DELETE O /\ R IN m DELETE O [H2]; assume ~(O IN open_int (P,Q)) /\ ~(O IN open_int (Q,R)) [H3]; thus ~(O IN open_int (P,R)) proof P IN m /\ Q IN m /\ R IN m /\ ~(P = O) /\ ~(Q = O) /\ ~(R = O) [H2'] by H2, IN_DELETE; consider E such that ~(E IN m) [notEm] by H0, ExistsPointOffLine_THM; ~(O = E) by H1, notEm; consider l such that Line l /\ O IN l /\ E IN l [OE_l] by -, I1; ~(m = l) by notEm, OE_l; l INTER m = {O} [ml_O] by OE_l, H0, -, H1, OE_l, Line01infinity_THM; ~(P IN l) /\ ~(Q IN l) /\ ~(R IN l) [PQRnotl] by ml_O, H2', IntersectionSingletonOneNotOther_THM; P,Q same_side l /\ Q,R same_side l [Psim_lQsim_lR] by OE_l, H0, ml_O, H2, H3, PQRnotl, EquivIntersection_THM; P,R same_side l [Psim_lR] by OE_l, PQRnotl, Psim_lQsim_lR, SameSideTransitiveRelation_THM, Transitive_relation_DEF; qed by OE_l, -, same_side_DEF;; let RayLine_THM = thm ; let O P X be point; let l be point_set; assume Line l /\ O IN l /\ P IN l [H1]; assume X IN ray (O,P) [H2]; thus X IN l proof ~(O = P) /\ Collinear (O,P,X) by H2, IN, Ray_DEF; X IN l by H1, -, CollinearLinear_THM; qed by -;; let RayWellDefinedHalfway_THM = thm ; let O P Q be point; assume ~(Q = O) [H1]; assume P IN ray (O,Q) DELETE O [H2]; thus ray (O,P) SUBSET ray (O,Q) proof consider m such that Line m /\ O IN m /\ Q IN m [OQm] by H1, I1; P IN ray (O,Q) /\ ~(P = O) [H2'] by H2, IN_DELETE; P IN m [Pm] by OQm, H2', RayLine_THM; P IN m DELETE O /\ Q IN m DELETE O [PQm_O] by Pm, H2', OQm, H1, IN_DELETE; ~(O IN open_int (P,Q)) [notPOQ] by H2', IN, Ray_DEF; !X. 
X IN ray (O,P) ==> X IN ray (O,Q) proof let X be point; assume X IN ray (O,P) [XrOP]; X IN m [Xm] by OQm, Pm, H2', -, RayLine_THM; Collinear (O,Q,X) [OQXcol] by OQm, Xm, Collinear_DEF; ~(O IN open_int (X,P)) [notXOP] by XrOP, IN, Ray_DEF; cases; suppose X = O; X IN ray (O,Q) by H1, -, OriginInRay_THM; qed by -; suppose ~(X = O) [notXO]; X IN m DELETE O by Xm, notXO, IN_DELETE; ~(O IN open_int (X,Q)) by OQm, -, PQm_O, notXOP, notPOQ, IntervalTransitivity_THM; X IN ray (O,Q) by H1, OQXcol, -, IN, Ray_DEF; qed by -; end; qed by -, SUBSET;; let RayWellDefined_THM = thm ; let O P Q be point; assume ~(Q = O) [H1]; assume P IN ray (O,Q) DELETE O [H2]; thus ray (O,P) = ray (O,Q) proof ray (O,P) SUBSET ray (O,Q) [PsubsetQ] by H1, H2, RayWellDefinedHalfway_THM; P IN ray (O,Q) /\ ~(P = O) [H2'] by H2, IN_DELETE; Collinear (O,Q,P) /\ ~(O IN open_int (P,Q)) [notPOQ] by H2', IN, Ray_DEF; Collinear (O,P,Q) [OQPcol] by notPOQ, CollinearSymmetry_THM; ~(O IN open_int (Q,P)) [notQOP] by notPOQ, B1'; Q IN ray (O,P) by H2', OQPcol, notQOP, IN, Ray_DEF; Q IN ray (O,P) DELETE O [QrOP_O] by -, H1, IN_DELETE; ray (O,Q) SUBSET ray (O,P) [QsubsetP] by H2', QrOP_O, RayWellDefinedHalfway_THM; qed by PsubsetQ, QsubsetP, DoubleSubsetEqual_THM ;; let OppositeRaysIntersect1pointHelp_THM = thm ; let A O B X be point; assume O IN open_int (A,B) [H1]; assume X IN ray (O,B) DELETE O [H2]; thus ~(X IN ray (O,A)) proof ~(A = O) /\ ~(A = B) /\ ~(O = B) /\ Collinear (A,O,B) [B1_AOB] by H1, B1'; X IN ray (O,B) /\ ~(X = O) [H2'] by H2, IN_DELETE; Collinear (O,B,X) /\ ~(O IN open_int (X,B)) [K2] by -, IN, Ray_DEF; consider m such that Line m /\ A IN m /\ B IN m [ABm] by B1_AOB, I1; O IN m [Om] by ABm, B1_AOB, CollinearLinear_THM; X IN m [Xm] by ABm, Om, K2, B1_AOB, CollinearLinear_THM; A IN m DELETE O /\ X IN m DELETE O /\ B IN m DELETE O [AXBm_O] by ABm, Xm, H2', B1_AOB, IN_DELETE; O IN open_int (A,X) by H1, ABm, Om, AXBm_O, K2, IntervalTransitivity_THM; O IN open_int (X,A) by -, B1'; qed by -, IN, 
Ray_DEF;; let OppositeRaysIntersect1point_THM = thm ; let A O B be point; assume O IN open_int (A,B) [H1]; thus ray (O,A) INTER ray (O,B) = {O} proof ~(A = O) /\ ~(A = B) /\ ~(O = B) /\ O IN open_int (B,A) /\ Collinear (A,O,B) [B1_AOB] by H1, B1'; O IN ray (O,A) INTER ray (O,B) by B1_AOB, OriginInRay_THM, IN_INTER; {O} SUBSET ray (O,A) INTER ray (O,B) [Osubset_rOA] by -, SING_SUBSET; ray (O,A) INTER ray (O,B) SUBSET {O} proof !X. X IN ray (O,A) INTER ray (O,B) ==> X IN {O} proof let X be point; assume X IN ray (O,A) INTER ray (O,B); X IN ray (O,A) /\ X IN ray (O,B) [XinBothRays] by -, IN_INTER; cases; suppose X = O; qed by -, IN_SING; suppose ~(X = O); X IN ray (O,B) DELETE O by -, XinBothRays, IN_DELETE; ~(X IN ray (O,A)) by H1, -, OppositeRaysIntersect1pointHelp_THM; F by -, XinBothRays; qed by -; end; qed by -, SUBSET; qed by -, Osubset_rOA, DoubleSubsetEqual_THM;; let TransitivitybetweennessHelp_THM = thm ; let A B C D be point; assume B IN open_int (A,C) /\ C IN open_int (B,D) [H1]; thus B IN open_int (A,D) proof ~(A = B) /\ ~(A = C) /\ ~(B = C) [Distinct] by H1, B1'; consider l such that Line l /\ A IN l /\ C IN l [ACl] by Distinct, I1; B IN l /\ D IN l by ACl, H1, BetweenLinear_THM; Collinear (B,A,D) [BADcol] by ACl, -, Collinear_DEF; ~(B IN open_int (D,C)) by H1, B1', B3'; D IN ray (B,C) DELETE B by Distinct, H1, B1', -, IN, Ray_DEF, IN_DELETE; ~(D IN ray (B,A)) by Distinct, H1, -, OppositeRaysIntersect1pointHelp_THM; B IN open_int (D,A) by Distinct, BADcol, -, IN, Ray_DEF; qed by -, B1';; let Transitivitybetweenness_THM = thm ; let A B C D be point; assume B IN open_int (A,C) /\ C IN open_int (B,D) [H1]; thus is_ordered (A,B,C,D) proof B IN open_int (A,D) [ABD] by H1, TransitivitybetweennessHelp_THM; C IN open_int (D,B) /\ B IN open_int (C,A) by H1, B1'; C IN open_int (D,A) [DCA] by -, TransitivitybetweennessHelp_THM; C IN open_int (A,D) by -, B1'; qed by H1, ABD, -, is_ordered_DEF;; let Transitivitybetweenness_THM = thm ; let A B C D be point; assume B IN 
open_int (A,C) /\ C IN open_int (B,D) [H1]; thus is_ordered (A,B,C,D) proof !P Q R S. Q IN open_int (P,R) /\ R IN open_int (Q,S) ==> Q IN open_int (P,S) [help] proof let P Q R S be point; assume Q IN open_int (P,R) /\ R IN open_int (Q,S) [PQRS]; ~(P = Q) /\ ~(P = R) /\ ~(Q = R) [Distinct] by PQRS, B1'; consider l such that Line l /\ P IN l /\ R IN l [PRl] by Distinct, I1; Q IN l /\ S IN l by PRl, PQRS, BetweenLinear_THM; Collinear (Q,P,S) [QPScol] by PRl, -, Collinear_DEF; ~(Q IN open_int (S,R)) by PQRS, B1', B3'; S IN ray (Q,R) DELETE Q by Distinct, PQRS, B1', -, IN, Ray_DEF, IN_DELETE; ~(S IN ray (Q,P)) by Distinct, PQRS, -, OppositeRaysIntersect1pointHelp_THM; Q IN open_int (S,P) by Distinct, QPScol, -, IN, Ray_DEF; qed by -, B1'; B IN open_int (A,D) [ABD] by H1, help; C IN open_int (D,B) /\ B IN open_int (C,A) by H1, B1'; C IN open_int (D,A) [DCA] by -, help; C IN open_int (A,D) by -, B1'; qed by H1, ABD, -, is_ordered_DEF;; let IntervalsAreConvex_THM = thm ; let A B C be point; assume B IN open_int (A,C) [H1]; thus open_int (A,B) SUBSET open_int (A,C) proof !X. 
X IN open_int (A,B) ==> X IN open_int (A,C) proof let X be point; assume X IN open_int (A,B) [XinAB]; ~(A = X) /\ ~(A = B) /\ ~(A = C) /\ ~(X = B) /\ ~(B = C) [Distinct] by H1, XinAB, B1'; consider l such that Line l /\ A IN l /\ C IN l [ACl] by Distinct, I1; B IN l /\ X IN l by ACl, H1, XinAB, B1', BetweenLinear_THM; Collinear (B,C,X) [BCXcol] by ACl, -, Collinear_DEF; Collinear (B,A,X) [ABXcol] by XinAB, B1', CollinearSymmetry_THM ; ~(B IN open_int (X,A)) by Distinct, ABXcol, XinAB, B3'; X IN ray (B,A) DELETE B [XrBA_B] by Distinct, ABXcol, -, Ray_DEF, IN, IN_DELETE; ~(X IN ray (B,C)) [notXrBC] by H1, B1', XrBA_B, OppositeRaysIntersect1pointHelp_THM; B IN open_int (X,C) by Distinct, BCXcol, notXrBC, IN, Ray_DEF; X IN open_int (A,C) by XinAB, -, TransitivitybetweennessHelp_THM; qed by -; qed by -, SUBSET;; let TransitivityBetweennessVariant_THM = thm ; let A X B C be point; assume X IN open_int (A,B) /\ B IN open_int (A,C) [H1]; thus is_ordered (A,X,B,C) proof ~(A = X) /\ ~(A = B) /\ ~(A = C) /\ ~(X = B) /\ ~(B = C) [Distinct] by H1, B1'; consider l such that Line l /\ A IN l /\ C IN l [ACl] by Distinct, I1; B IN l /\ X IN l by ACl, H1, B1', BetweenLinear_THM; Collinear (B,C,X) [BCXcol] by H1, ACl, -, Collinear_DEF; Collinear (B,A,X) [ABXcol] by H1, B1', CollinearSymmetry_THM ; ~(B IN open_int (X,A)) by Distinct, ABXcol, H1, B3'; X IN ray (B,A) DELETE B [XrBA_B] by Distinct, ABXcol, -, Ray_DEF, IN, IN_DELETE; ~(X IN ray (B,C)) [notXrBC] by H1, B1', XrBA_B, OppositeRaysIntersect1pointHelp_THM; B IN open_int (X,C) by Distinct, BCXcol, notXrBC, IN, Ray_DEF; is_ordered (A,X,B,C) by H1, -, Transitivitybetweenness_THM; qed by -;; let Interval2sides2aLineHelp_THM = thm ; let A B C X be point; let l be point_set; assume ~(A = B) /\ ~(A = C) /\ ~(A = X) /\ ~(B = C) /\ ~(B = X) /\ ~(C = X) [H1]; assume Line l /\ A IN l /\ B IN l /\ C IN l /\ X IN l [H2]; assume B IN open_int (A,C) [H3]; thus ~(X IN open_int (A,B)) \/ ~(X IN open_int (B,C)) proof assume X IN open_int (A,B) 
[X_AB]; Collinear (X,B,C) [XBCcol] by H2, Collinear_DEF; is_ordered (A,X,B,C) [AXBC] by X_AB, H3, TransitivityBetweennessVariant_THM; B IN open_int (X,C) [B_XC] by AXBC, is_ordered_DEF; ~(X IN open_int (C,B)) by H1, XBCcol, B_XC, B3'; qed by -, B1';; let Interval2sides2aLine_THM = thm ; let A B C X be point; let l be point_set; assume ~(A = B) /\ ~(A = C) /\ ~(A = X) /\ ~(B = C) /\ ~(B = X) /\ ~(C = X) [H1]; assume Line l /\ A IN l /\ B IN l /\ C IN l /\ X IN l [H2]; thus ~(X IN open_int (A,B)) \/ ~(X IN open_int (B,C)) \/ ~(X IN open_int (A,C)) proof Collinear (A,B,C) by H2, Collinear_DEF; B IN open_int (A,C) \/ C IN open_int (B,A) \/ A IN open_int (C,B) by H1, -, B3'; cases by -; suppose B IN open_int (A,C); qed by H1, H2, -, Interval2sides2aLineHelp_THM; suppose C IN open_int (B,A); ~(X IN open_int (B,C)) \/ ~(X IN open_int (C,A)) by H1, H2, -, Interval2sides2aLineHelp_THM; qed by -, B1'; suppose A IN open_int (C,B); ~(X IN open_int (C,A)) \/ ~(X IN open_int (A,B)) by H1, H2, -, Interval2sides2aLineHelp_THM; qed by -, B1'; end;; 
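
HOL Light accepts whatever `new_axiom` is given without checking it, so a mistyped axiom goes unnoticed by the prover. As an added sanity check (Python, not part of the miz3 file in the message above), the block below interprets Between, Collinear and open_int in the rational plane and tests B1' to B4' exactly; the sample grid, the extra line and all function names are assumptions of this example.

```python
from fractions import Fraction as Q
from itertools import combinations, product

# Constructed sample: a 3x3 grid of rational points (not taken from the thread).
POINTS = [(Q(x), Q(y)) for x, y in product(range(3), repeat=2)]

def cross(o, p, q):
    """Twice the signed area of triangle o, p, q; zero exactly when collinear."""
    return (p[0] - o[0]) * (q[1] - o[1]) - (p[1] - o[1]) * (q[0] - o[0])

def collinear(a, b, c):
    """Model of Collinear (A,B,C): some line contains all three points."""
    return cross(a, b, c) == 0

def between(a, x, b):
    """Model of Between (A,X,B): x lies strictly inside the segment from a to b."""
    if not collinear(a, x, b):
        return False
    dot = (x[0] - a[0]) * (b[0] - a[0]) + (x[1] - a[1]) * (b[1] - a[1])
    return 0 < dot < (b[0] - a[0]) ** 2 + (b[1] - a[1]) ** 2

def open_int(a, b):
    """Interval_DEF: open_int (A,B) X <=> Between (A,X,B), as a predicate on X."""
    return lambda x: between(a, x, b)

def line_through(p, q):
    """Coefficients (a, b, c) of the line a*x + b*y = c through two distinct points."""
    a, b = q[1] - p[1], p[0] - q[0]
    return (a, b, a * p[0] + b * p[1])

def side(l, p):
    """Signed position of p relative to line l; zero means p is on l."""
    return l[0] * p[0] + l[1] * p[1] - l[2]

def crossing(l, p, q):
    """Witness X with X on l and X in open_int (P,Q), for P and Q off l; else None."""
    fp, fq = side(l, p), side(l, q)
    if fp * fq >= 0:
        return None
    t = fp / (fp - fq)
    x = (p[0] + t * (q[0] - p[0]), p[1] + t * (q[1] - p[1]))
    assert side(l, x) == 0 and open_int(p, q)(x)
    return x

def check_B1_B3(points=POINTS):
    """Triples violating B1' or B3', both stated through open_int membership."""
    bad = []
    for a, b, c in product(points, repeat=3):
        distinct = len({a, b, c}) == 3
        b_ac, c_ba, a_cb = open_int(a, c)(b), open_int(b, a)(c), open_int(c, b)(a)
        if b_ac and not (distinct and open_int(c, a)(b) and collinear(a, b, c)):
            bad.append(("B1'", a, b, c))
        # B3': at least one of the three holds and no two hold together.
        if distinct and collinear(a, b, c) and [b_ac, c_ba, a_cb].count(True) != 1:
            bad.append(("B3'", a, b, c))
    return bad

def check_B2(points=POINTS):
    """Pairs violating B2'; the model's witness for C is the reflection 2B - A."""
    return [(a, b) for a, b in product(points, repeat=2)
            if a != b and not open_int(a, (2 * b[0] - a[0], 2 * b[1] - a[1]))(b)]

def check_B4(points=POINTS, extra_lines=((Q(1), Q(1), Q(3, 2)),)):
    """B4' (Pasch): returns (times the hypothesis held, list of violations)."""
    # extra_lines holds a constructed line x + y = 3/2 that misses every grid point.
    lines = [line_through(p, q) for p, q in combinations(points, 2)]
    lines += list(extra_lines)
    fired, bad = 0, []
    for l in lines:
        off = [p for p in points if side(l, p) != 0]
        for a, b, c in product(off, repeat=3):
            if collinear(a, b, c) or crossing(l, a, c) is None:
                continue
            fired += 1
            if crossing(l, a, b) is None and crossing(l, b, c) is None:
                bad.append((l, a, b, c))
    return fired, bad

def refutes_typo(points=POINTS):
    """A mistyped B1 concluding Between (B,A,C) has a counterexample in the model."""
    return any(between(a, b, c) and not between(b, a, c)
               for a, b, c in product(points, repeat=3))

if __name__ == "__main__":
    print(check_B1_B3(), check_B2(), check_B4(), refutes_typo())
```

A clean run only shows that the axioms hold at the sampled points of this one model; a non-empty violation list would point at an axiom that was typed differently from what was intended.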

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-06-10 00:18

John, I apologize for a bad bug report yesterday, and also exceeding the 40KB message limit. I can handle axiom B3 fine, and I now have my Hilbert axiomatic geometry miz3 code on my web page at
http://www.math.northwestern.edu/~richter/OpenIntervalHilbertAxiom.ml

I think I found a miz3 bug. Maybe the problem is that miz3 is fine until a certain depth has been exceeded, as you said earlier on a different matter. My Interval_DEF substitution into the axioms B1--B4 fails for axiom B4 in the simplest way, and I need to work harder:

horizon := 0;;

new_type("point",0);;
new_type_abbrev("point_set",:point->bool);;
new_constant("Between",:point#point#point->bool);;
new_constant("Line",:point_set->bool);;

let Interval_DEF = new_definition
  !A B X. open_int (A,B) X <=> Between (A,X,B);;

let Collinear_DEF = new_definition
  Collinear (A,B,C) <=> ?l. Line l /\ A IN l /\ B IN l /\ C IN l;;

let B3 = new_axiom
  !A B C. ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ Collinear (A,B,C)
  ==> (Between (A,B,C) \/ Between (B,C,A) \/ Between (C,A,B)) /\
      ~(Between (A,B,C) /\ Between (B,C,A)) /\
      ~(Between (A,B,C) /\ Between (C,A,B)) /\
      ~(Between (B,C,A) /\ Between (C,A,B));;

let B3' = thm ;
  !A B C. ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ Collinear (A,B,C)
  ==> (B IN open_int (A,C) \/ C IN open_int (B,A) \/ A IN open_int (C,B)) /\
      ~(B IN open_int (A,C) /\ C IN open_int (B,A)) /\
      ~(B IN open_int (A,C) /\ A IN open_int (C,B)) /\
      ~(C IN open_int (B,A) /\ A IN open_int (C,B))
  by IN, Interval_DEF, B3;;

(* that worked fine, and this should work too: *)

let B4 = new_axiom
  !l A B C. Line l /\ ~Collinear (A,B,C) /\
  ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) /\
  (?X. X IN l /\ Between (A,X,C))
  ==> (?Y. Y IN l /\ Between (A,Y,B)) \/ (?Y. Y IN l /\ Between (B,Y,C));;

let B4prime_THM = thm ;
  !l A B C. Line l /\ ~Collinear (A,B,C) /\
  ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) /\
  (?X. X IN l /\ X IN open_int (A,C))
  ==> (?Y. Y IN l /\ Y IN open_int (A,B)) \/ (?Y. Y IN l /\ Y IN open_int (B,C))
  by IN, Interval_DEF, B4;;

(* It doesn't work, and I get the error message

Exception:
Mizar_error
 (;
  !l A B C. Line l /\ ~Collinear (A,B,C) /\
  ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) /\
  (?X. X IN l /\ X IN open_int (A,C))
  ==> (?Y. Y IN l /\ Y IN open_int (A,B)) \/ (?Y. Y IN l /\ Y IN open_int (B,C))
  by IN, Interval_DEF, B4
  ;
 ::#2
 :: 2: inference time-out
 , (0, 1, 0)).
#

So I must prove B4' with the longer code which seems to say the same
thing as the above timed-out proof: *)

let B4' = thm ;
  let l be point_set;
  let A B C be point;
  assume Line l /\ ~Collinear (A,B,C) /\
  ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) /\
  (?X. X IN l /\ X IN open_int (A,C)) [H1];
  thus (?Y. Y IN l /\ Y IN open_int (A,B)) \/ (?Y. Y IN l /\ Y IN open_int (B,C))

  proof
    Line l /\ ~Collinear (A,B,C) /\
    ~(A IN l) /\ ~(B IN l) /\ ~(C IN l) /\
    (?X. X IN l /\ Between (A,X,C)) by H1, IN, Interval_DEF;
    (?Y. Y IN l /\ Between (A,Y,B)) \/ (?Y. Y IN l /\ Between (B,Y,C)) by -, B4;
  qed by -, IN, Interval_DEF;;

(* this is fine! *)

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-06-12 04:20 John & Freek, I found a real bug (the code below), an inference error that miz3 should report but does not. I think miz3 calculates some result ~(A = B), but the by' mechanism malfunctions, as ~(A = B) is used even though it's not given by a by' justification. BTW I've formalized my Hilbert geometry axiom paper http://www.math.northwestern.edu/~richter/hilbert.pdf up through Lemma 4.8 (1200 lines of code) http://www.math.northwestern.edu/~richter/OpenIntervalHilbertAxiom.ml and I'm amazed at how well miz3 is working. This is the only serious bug I've found, as opposed to additional features I'd like. -- Best, Bill new_type("point",0);; new_type_abbrev("point_set",:point->bool);; new_constant("Line",:point_set->bool);; let Collinear_DEF = new_definition Collinear (A,B,C) <=> ?l. Line l /\ A IN l /\ B IN l /\ C IN l;; let I1 = new_axiom !A B. ~(A = B) ==> ?! l. Line l /\ A IN l /\ B IN l;; let I3 = new_axiom ?A B C. ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ ~Collinear (A,B,C);; let OnePointImpliesAnother_THM = thm ; let P be point; thus ?Q:point. 
~(Q = P) proof consider A B C such that ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ ~Collinear (A,B,C) [X1] by I3; cases; suppose B = P; ~(A = B) by -, X1; qed by -; suppose ~(B = P); qed by -; end;; let NonCollinearImpliesDistinct_THM = thm ; let A B C be point; assume ~Collinear (A,B,C) [H1]; thus ~(A = B) /\ ~(A = C) /\ ~(B = C) proof cases; suppose A = B /\ B = C [C1]; consider Q such that ~(Q = A) by OnePointImpliesAnother_THM; consider l such that Line l /\ A IN l /\ Q IN l by -, I1; Collinear (A,B,C) by -, C1, Collinear_DEF; qed by -, H1; suppose ~(A = B) /\ B = C [C2]; consider l such that Line l /\ A IN l /\ B IN l by -, I1; Collinear (A,B,C) by -, C2, Collinear_DEF; qed by -, H1; suppose ~(B = C) [C3]; consider l such that Line l /\ B IN l /\ C IN l [X1] by C3, I1; ~(A = B) [U] proof assume A = B; Collinear (A,B,C) by -, X1, Collinear_DEF; qed by -, H1; ~(A = C) [V] proof assume A = C; Collinear (A,B,C) by -, X1, Collinear_DEF; qed by -, H1; qed by U, V, C3; end;; (* This next proof works fine, and this shows a bug in miz3. I should have gotten a #1 inference error on line 2 of the proof. Line p should not exist, as Distinct does not include ~(A = B), even though this was calculated to be true by NonCollinearImpliesDistinct_THM *) let I1bug_THM = thm ; let A B C be point; assume ~Collinear (A,B,C) [H1]; thus A = A proof ~(B = C) [Distinct] by H1, NonCollinearImpliesDistinct_THM; consider p such that Line p /\ B IN p /\ A IN p by Distinct, I1; qed by -;; (* this of course doesn't work *) let I1not_bug_THM = thm ; let A B C be point; thus A = A proof consider p such that Line p /\ B IN p /\ A IN p by I1; qed by -;; 

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-06-12 04:54

John & Freek, here's a minor bug (really a new feature I desire) in the last thm of my 1200 lines of Hilbert geometry axiom code
http://www.math.northwestern.edu/~richter/OpenIntervalHilbertAxiom.ml

let TwosidesTriangle2aLine_THM = thm `;
  let A B C be point;
  let l be point_set;
  assume Line l /\ ~Collinear (A,B,C) [H1];
  thus A,B same_side l \/ B,C same_side l \/ A,C same_side l

  proof
    (A,B same_side l \/ B,C same_side l) \/ A,C same_side l
    proof
      assume ~(A,B same_side l \/ B,C same_side l);
      ~(A,B same_side l) /\ ~(B,C same_side l) [H2] by -;
  [...]

I don't think I should need the first line of the proof, which just inserts a pair of parentheses. I think this should have worked:

let TwosidesTriangle2aLine_THM = thm `;
  let A B C be point;
  let l be point_set;
  assume Line l /\ ~Collinear (A,B,C) [H1];
  thus A,B same_side l \/ B,C same_side l \/ A,C same_side l

  proof
    assume ~(A,B same_side l \/ B,C same_side l);
    ~(A,B same_side l) /\ ~(B,C same_side l) [H2] by -;
  [...]

It's not that big a deal: 3 extra lines to the proof and almost 100 lines of code indented an extra 2 spaces. But I would have thought that miz3 (which seems very smart to me) would understand that

  alpha \/ beta \/ gamma

is equivalent to

  ~alpha /\ ~beta ==> gamma

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-06-12 05:00

John & Freek, I'm sorry, I just goofed, I really want to get rid of two lines of code, not just one. Here's the last thm of
http://www.math.northwestern.edu/~richter/OpenIntervalHilbertAxiom.ml

let TwosidesTriangle2aLine_THM = thm `;
  let A B C be point;
  let l be point_set;
  assume Line l /\ ~Collinear (A,B,C) [H1];
  thus A,B same_side l \/ B,C same_side l \/ A,C same_side l

  proof
    (A,B same_side l \/ B,C same_side l) \/ A,C same_side l
    proof
      assume ~(A,B same_side l \/ B,C same_side l);
      ~(A,B same_side l) /\ ~(B,C same_side l) [H2] by -;
  [...]

I think this should have worked:

  thus A,B same_side l \/ B,C same_side l \/ A,C same_side l

  proof
    assume ~(A,B same_side l) /\ ~(B,C same_side l) [H2];
  [...]

I would have thought that miz3 would understand that

  alpha \/ beta \/ gamma

is equivalent to

  ~alpha /\ ~beta ==> gamma

It looks to me that I needed to tell miz3 two facts:

  alpha \/ beta \/ gamma <=> (alpha \/ beta) \/ gamma
  ~(alpha \/ beta) <=> ~alpha /\ ~beta

But I could easily be misunderstanding Mizar, miz3 and HOL Light.

--
Best,
Bill

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-06-13 04:51 John, here's a much shorter version of my bug report yesterday. I don't of course know that this is a bug in miz3 or HOL Light, as I haven't mastered the documentation for either, but miz3 isn't doing what I think it should do, and it's a serious matter to me. (* Paste in these 4 commands, with 2 copy/pastes cd ~/hol_light; ocaml #use "hol.ml";; #load "unix.cma";; loadt "miz3/miz3.ml";; and then paste in the following file. *) horizon := 0;; new_type("point",0);; new_type_abbrev("point_set",:point->bool);; new_constant("Between",:point#point#point->bool);; new_constant("Line",:point_set->bool);; let Collinear_DEF = new_definition Collinear (A,B,C) <=> ?l. Line l /\ A IN l /\ B IN l /\ C IN l;; let I1 = new_axiom !A B. ~(A = B) ==> ?! l. Line l /\ A IN l /\ B IN l;; let B1 = new_axiom ! A B C. Between (A,B,C) ==> ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ Between (C,B,A) /\ Collinear (A,B,C);; (* This next proof works fine, returning 0..0..1..5..12..27..50..88..138..212..321..453..695..1034..1503..2194..solved at 2319 val I1unhappy_THM : thm = |- !A B C. Between (A,B,C) ==> A = A # That's evidence for a bug in miz3. I think I should have gotten a #1 inference error after line 2 of the proof. Distinct doesn't include the needed assumption for I1, ~(A = B). Axiom B1, cited on line 1, does compute ~(A = B), but with horizon = 0 I don't think this result should have been available to justify line 2. *) let I1unhappy_THM = thm ; let A B C be point; assume Between (A,B,C) [H1]; thus A = A proof ~(B = C) [Distinct] by H1, B1; consider p such that Line p /\ A IN p /\ B IN p by Distinct, I1; qed by -;; (* This of course doesn't work, yielding the error #1 :: 1: inference error after line 1 of the proof. 
*) let I1not_unhappy_THM = thm ; let A B C be point; assume Between (A,B,C) [H1]; thus A = A proof consider p such that Line p /\ A IN p /\ B IN p by I1; qed by -;; !horizon;; (* As expected, this command yields val it : int = 0 Let's check that axiom B1 is working: *) let B1works_THM = thm ; let A B C be point; assume Between (A,B,C) [H1]; thus ~(A = B) proof ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ Between (C,B,A) /\ Collinear (A,B,C) by H1, B1; qed by -;; (* Works fine! B1works_THM : thm = |- !A B C. Between (A,B,C) ==> ~(A = B) -- Best, Bill *) 

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-06-16 04:17

Freek, your MESON analysis was amazing, and so here's my much shorter report, mostly due to you, and not a bug report I think:

(* Paste in these 4 commands, in two mouse copy/pastes

cd ~/hol_light; ocaml
#use "hol.ml";;
#load "unix.cma";;
loadt "miz3/miz3.ml";;

and then paste in the following file. *)

horizon := 0;;

new_type("point",0);;
new_type_abbrev("point_set",`:point->bool`);;
new_constant("Between",`:point#point#point->bool`);;
new_constant("Line",`:point_set->bool`);;

let I1 = new_axiom
  `!A B. ~(A = B) ==> ?! l. Line l /\ A IN l /\ B IN l`;;

MESON[I1] `~(B = C) ==> ?p. Line p /\ A IN p /\ B IN p`;;

(* As you predicted, MESON proved the result, and got your number 2319:

0..0..1..5..12..27..50..88..138..212..321..453..695..1034..1503..2194..solved at 2319
val it : thm = |- ~(B = C) ==> (?p. Line p /\ A IN p /\ B IN p)

I'll take your word for it that miz3 does this in proving *)

let Collinear_DEF = new_definition
  `Collinear (A,B,C) <=> ?l. Line l /\ A IN l /\ B IN l /\ C IN l`;;

let B1 = new_axiom
  `! A B C. Between (A,B,C) ==> ~(A = B) /\ ~(A = C) /\ ~(B = C) /\
   Between (C,B,A) /\ Collinear (A,B,C)`;;

let I1unhappy_THM = thm `;
  let A B C be point;
  assume Between (A,B,C) [H1];
  thus A = A

  proof
    ~(B = C) [Distinct] by H1, B1;
    consider p such that Line p /\ A IN p /\ B IN p by Distinct, I1;
  qed by -`;;

(* So miz3 might be showing an un-Mizar-like excessive amount of logical reasoning power. I don't know enough about Mizar or axiomatic geometry to decide if I think that's a problem. But the main thing is that miz3 didn't make a logical error!!! That's what worried me the most. I like your analysis:

   There are two possibilities: ~(A = B) or A = B. In the first case we're done by I1. In the second case, we have C as the second point by "Distinct". So in that case use I1 to get the line through A = B on the one hand and C on the other hand. And then take _that_ line.

Great! I've often been happy that miz3 performed complicated logical deductions for me, the sort of things that I used few words in my Hilbert paper to prove. This is the one case when miz3 was more powerful than I wanted, and it was a mistake on my part.

--
Best,
Bill
*)

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-06-18 05:59

I solved two problems in my in-progress Hilbert geometry formalization
http://www.math.northwestern.edu/~richter/RichterHOL-LightMiz3HilbertAxiomGeometry.tar

Math-symbols) I wrote some simple Emacs Lisp code to turn math symbols

  ⇒, ⇔, ¬, ∨, ∧, ∀, ∃, ⊂, ∈, ∪, ∩ and ∅

into their HOL Light versions

  ==>, <=>, ~, \/, /\, !, ?, SUBSET, IN, UNION, INTER and {}

and vice versa. I have a low level system for running HOL Light using this emacs code explained in my tar file above. I'm happy with it. I find the math symbols to be necessary to read my own code once the proofs get complicated enough, and also I'm writing my code by pasting in fragments copied from the pdf file of my Hilbert paper, so I have to do something with the math symbols anyway. I'd be interested if someone looked at the two versions of my code (straight HOL Light and enriched with math symbols) and told me which one they think is more human readable.

I don't understand why ocaml, HOL Light or miz3 can't perform the translation (from ∅ to {} e.g.). I know John said there were Unicode issues he didn't want to deal with. The biconditional symbol ⇔ is ASCII char 8660, and I can believe that having to deal with these huge ASCII chars would be a problem. But if it's just a small number of fancy chars, it seems they could be pre-processed, as I do in my Emacs code.

Emacs Shell) Pasting miz3 code into an xterm window has the problem that xterm only remembers about half of my file now, so I can't scroll up to see if I had any errors at the beginning. So instead I create a shell in Emacs by M-x shell and run ocaml/HOL Light/miz3 in the Emacs shell. I can now view my entire file, as I expected, but there's an unexpected bonus: the miz3 output (with #s) comes at the end, and isn't interspersed with the text. I think this works really well.

--
Best,
Bill

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-06-20 05:35 Freek and John, I'm over 1800 lines in my miz3 Hilbert paper formalization! http://www.math.northwestern.edu/~richter/RichterHOL-LightMiz3HilbertAxiomGeometry.tar Here's a bug report on a miz3 inference error I think I shouldn't have gotten. I have a definition for a point belonging to the interior of an angle that works fine. I make a similar but longer definition for a point belonging to the interior of an triangle that doesn't work. The obvious workaround worked fine for me let InteriorTriangle_DEF = new_definition ! A B C P. P int_triangle A,B,C <=> P int_angle A,B,C /\ P int_angle B,C,A /\ P int_angle C,A,B;; but I think miz3 should have handled my definition below. -- Best, Bill (* Paste in these 4 commands, in two mouse copy/pastes cd ~/hol_light; ocaml #use "hol.ml";; #load "unix.cma";; loadt "miz3/miz3.ml";; into a terminal window or Emacs window running a shell via M-x shell. Then paste in the following file. *) horizon := 0;; new_type("point",0);; new_type_abbrev("point_set",:point->bool);; new_constant("Between",:point#point#point->bool);; new_constant("Line",:point_set->bool);; parse_as_infix("same_side",(12, "right"));; parse_as_infix("int_angle",(12, "right"));; parse_as_infix("int_triangle",(12, "right"));; let Interval_DEF = new_definition ! A B X. open_int (A,B) X <=> Between (A,X,B);; let Collinear_DEF = new_definition Collinear (A,B,C) <=> ? l. Line l /\ A IN l /\ B IN l /\ C IN l;; let same_side_DEF = new_definition A,B same_side l <=> Line l /\ ~(? X. (X IN l) /\ X IN open_int (A,B));; let InteriorAngle_DEF = new_definition ! A O B P. P int_angle A,O,B <=> ~Collinear (A,O,B) /\ ? a b. Line a /\ O IN a /\ A IN a /\ Line b /\ O IN b /\ B IN b /\ ~(P IN a) /\ ~(P IN b) /\ P,B same_side a /\ P,A same_side b;; let InteriorTriangle_DEF = new_definition ! A O B P. P int_triangle A,O,B <=> ~Collinear (A,O,B) /\ ? a b l. 
Line a /\ O IN a /\ A IN a /\ Line b /\ O IN b /\ B IN b /\ Line l /\ A IN l /\ B IN l /\ ~(P IN a) /\ ~(P IN b) /\ ~(P IN l) /\ P,B same_side a /\ P,O same_side l /\ P,A same_side b;; let EasyInterior_THM = thm ; let A O B P be point; assume P int_angle A,O,B [H1]; thus P = P proof consider a b such that ~Collinear (A,O,B) /\ Line a /\ O IN a /\ A IN a /\ Line b /\ O IN b /\ B IN b /\ ~(P IN a) /\ ~(P IN b) /\ P,B same_side a /\ P,A same_side b by H1, InteriorAngle_DEF; qed by -;; (* That works fine, and the output is val EasyInterior_THM : thm = |- !A O B P. P int_angle A,O,B ==> P = P *) let HmmmInterior_THM = thm ; let A O B P be point; assume P int_triangle A,O,B [H1]; thus P = P proof consider a b l such that ~Collinear (A,O,B) /\ Line a /\ O IN a /\ A IN a /\ Line b /\ O IN b /\ B IN b /\ Line l /\ A IN l /\ B IN l /\ ~(P IN a) /\ ~(P IN b) /\ ~(P IN l) /\ P,B same_side a /\ P,O same_side l /\ P,A same_side b by H1, InteriorTriangle_DEF; qed by -;; (* This similar proof gets the #1 inference error after the first statement of the proof. *) 

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-06-22 06:42 Here's a bug report on a miz3 inference error I wish miz3 had avoided (code included below). I think it's a serious set theory problem. I define a predicate angle A O B P and use it as set theoretically as P IN angle A O B. 4 times in my miz3 Hilbert axiomatic geometry code http://www.math.northwestern.edu/~richter/RichterHOL-LightMiz3HilbertAxiomGeometry.tar I have to insert an extra line reminding miz3 that A O B P means the same thing as P IN angle A O B, as in AngleKludgeWorks_THM below, rather than just putting IN in the by list as in AngleShorterWorks_THM below, where I only use part of the angle def. If I don't insert the extra line, I get an inference error as in AngleInferenceError_THM. I use the set theoretic idiom P IN angle A O B 66 times in my 1900- lines of miz3 Hilbert code,So I don't think I'm making a dumb mistake. A similar set theoretic stunt with ray (P IN ray O Q: 47 times) works without any trouble. I'm guessing the problem is simply that InteriorAngle_DEF is longer than Ray_DEF. -- Best, Bill (* Paste in these 5 commands, in two pastes, with a RET in between. cd ~/hol_light ocaml #use "hol.ml";; #load "unix.cma";; loadt "miz3/miz3.ml";; AngleKludgeWorks_THM works fine, but AngleInferenceError_THM gets an #1 inference error after the InteriorAngle_DEF line. A shortened version of AngleInferenceError_THM, AngleShorterWorks_THM, works fine. *) horizon := 0;; new_type("point",0);; new_type_abbrev("point_set",:point->bool);; new_constant("Between",:point#point#point->bool);; new_constant("===",:point#point->point#point->bool);; new_constant("Line",:point_set->bool);; parse_as_infix("===",(12, "right"));; parse_as_infix("cong",(12, "right"));; parse_as_infix("same_side",(12, "right"));; let Interval_DEF = new_definition ! A B X. open (A,B) X <=> Between (A,X,B);; let Collinear_DEF = new_definition Collinear A B C <=> ? l. 
Line l /\ A IN l /\ B IN l /\ C IN l;; let SameSide_DEF = new_definition A,B same_side l <=> Line l /\ ~(? X. (X IN l) /\ X IN open (A,B));; let InteriorAngle_DEF = new_definition ! A O B P. angle A O B P <=> ~Collinear A O B /\ ? a b. Line a /\ O IN a /\ A IN a /\ Line b /\ O IN b /\ B IN b /\ ~(P IN a) /\ ~(P IN b) /\ P,B same_side a /\ P,A same_side b;; let AngleKludgeWorks_THM = thm ; let A O B P be point; assume P IN angle A O B [ P_AOB]; thus P = P proof angle A O B P by P_AOB, IN; consider alpha beta such that ~Collinear A O B /\ Line alpha /\ O IN alpha /\ A IN alpha /\ Line beta /\ O IN beta /\B IN beta /\ ~(P IN alpha) /\ ~(P IN beta) /\ P,B same_side alpha /\ P,A same_side beta [exists] by -, InteriorAngle_DEF; qed by -;; let AngleInferenceError_THM = thm ; let A O B P be point; assume P IN angle A O B [ P_AOB]; thus P = P proof consider alpha beta such that ~Collinear A O B /\ Line alpha /\ O IN alpha /\ A IN alpha /\ Line beta /\ O IN beta /\B IN beta /\ ~(P IN alpha) /\ ~(P IN beta) /\ P,B same_side alpha /\ P,A same_side beta [exists] by P_AOB, IN, InteriorAngle_DEF; qed by -;; let AngleShorterWorks_THM = thm ; let A O B P be point; assume P IN angle A O B [ P_AOB]; thus P = P proof consider alpha beta such that ~Collinear A O B /\ Line alpha /\ O IN alpha /\ A IN alpha /\ Line beta /\ O IN beta /\B IN beta /\ ~(P IN alpha) /\ ~(P IN beta) by P_AOB, IN, InteriorAngle_DEF; qed by -;; 

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-06-26 06:49

Freek, that's very interesting! To get a decent comparison between the miz3 HOLBY prover and actual Mizar in my Tarski geometry code, I have to get rid of infixes and switch to currying, as you said here:

   > a,b equal_line c,d

   The "HOL style" way of defining this would be a "Curried" _non_-infix function "equal_line" that you write like

     equal_line a b c d

So I got rid of all my infixes in my almost 1000 lines of miz3 code of
http://www.math.northwestern.edu/~richter/TarskiAxiomGeometry.ml
There's not a single comma in the code of the curried version
http://www.math.northwestern.edu/~richter/TarskiAxiomGeometryCurry.ml

The improvement is significant but not overwhelming. I had five 5-digit `solved at' numbers, and now have only one, in a simple proof:

[...]..solved at 12994
val LineEqTrans_THM : thm =
  |- !a b c d e f.
       ~(a = b) /\ ~(c = d) /\ ~(e = f)
       ==> equal_line a b c d
       ==> equal_line c d e f
       ==> equal_line a b e f

let LineEqTrans_THM = thm `;
  let a b c d e f be point;
  assume ~(a = b) /\ ~(c = d) /\ ~(e = f) [H1];
  assume equal_line a b c d [H2];
  assume equal_line c d e f [H3];
  thus equal_line a b e f

  proof
    (! y . on_line y a b <=> on_line y c d) /\
    (! y . on_line y c d <=> on_line y e f) [X2] by H2, H3, LineEq_DEF;
    (! y . on_line y a b <=> on_line y e f) by -;
  qed by -, H1, LineEq_DEF`;;

As you explained to me, the `solved at' numbers mean that HOLBY has quit and MESON has taken over. Why is MESON working so hard??? This isn't the only time MESON works hard. I also have six 4-digit `solved at' numbers.

This might be a HOL Light bug, as it didn't work:

new_type("point",0);;
new_constant("===",`:point->point->point->point->bool`);;
new_constant("Between",`:point->point->point->bool`);;

let cong_DEF = new_definition
  `cong a b c x y z <=>
   === a b x y /\ === a c x z /\ === b c y z`;;

The cong_DEF earns me an error message:

# Exception: Failure "term after binary operator expected".

It worked fine when I changed === to EquiV:

# val cong_DEF : thm =
  |- !a x b c y z.
       cong a b c x y z <=> EquiV a b x y /\ EquiV a c x z /\ EquiV b c y z

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Mark - 2012-06-27 08:22

The name "seg<" is irregular, in that it combines both alpha-numeric and symbolic characters. Any names can be used for constants and variables in the HOL logic, but HOL Light (and HOL4 I think) have no mechanism for *parsing* irregular names. So defining a constant called "seg<" by supplying a term quotation won't work.

To define such a constant using 'new_definition' you would have to construct the definition term argument, using syntax constructors (such as 'mk_var', 'mk_eq', 'mk_comb', etc). This would mean that terms involving your new constant would get pretty printed as you desire. But you still have the problem that you can't parse in term quotations involving the new constant - they would always require syntax constructors.

Mark.

on 27/6/12 8:10 AM, Bill Richter wrote:

> ....
>
> parse_as_infix("seg_less",(12, "right"));;
>
> let SegmentOrdering_DEF = new_definition
>   `s seg_less t <=>
>    ? A B C D X. s = Segment A B /\ t = Segment C D /\
>    X IN open (C,D) /\ Segment A B === Segment C X`;;
>
> ....
>
> BTW I would have preferred to call it seg<, to go with angle< later,
> but HOL Light didn't let me do that. Does anyone know why?

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Michael Norrish - 2012-06-27 10:22

On 27/06/2012, at 18:21, "Mark" wrote:

> The name "seg<" is irregular, in that it combines both alpha-numeric and
> symbolic characters. Any names can be used for constants and variables in
> the HOL logic, but HOL Light (and HOL4 I think) have no mechanism for
> *parsing* irregular names. So defining a constant called "seg<" by
> supplying a term quotation won't work.

As it happens HOL4 will parse "irregular names" of the sort you describe. The trick is to define the underlying constant with a nice name, and to then do something like

  val _ = overload_on ("seg<", seglt)

where seglt is the "nice name".

For example, my theory of the lambda calculus uses -b-> as an infix beta-reduction arrow. With Unicode on, you can get the same arrow with an inserted Greek beta.

Michael

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-06-29 07:33 Freek, how does you prove ?! in miz3, that something exists uniquely? I couldn't find that in your paper or any Mizar dox. Here's a ? result I proved in (proof below) where I wanted ?! http://www.math.northwestern.edu/~richter/RichterHOL-LightMiz3HilbertAxiomGeometry.tar OrderedCongruentSegments_THM : thm = |- ! A B C D F. ~(A = C) /\ ~(D = F) ==> Segment A C === Segment D F ==> B IN open (A,C) ==> (? E. E IN open (D,F) /\ Segment A B === Segment D E) I can live without ?! in this case, but I'm curious how it's done. -- Best, Bill let OrderedCongruentSegments_THM = thm ; let A B C D F be point; assume ~(A = C) /\ ~(D = F) [H1]; assume Segment A C === Segment D F [H2]; assume B IN open (A,C) [H3]; thus ? E. E IN open (D,F) /\ Segment A B === Segment D E proof ~(A = B) /\ ~(B = C) /\ Collinear A C B [ABC] by B1', H3, CollinearSymmetry_THM; ~(A IN open (B,C)) by ABC, H3, B3', B1'; B IN ray A C DELETE A [BrAC] by H1, ABC, -, IN, Ray_DEF, IN_DELETE; C IN ray A C DELETE A [CrAC] by H1, EndpointInRay_THM, IN_DELETE; consider E such that E IN ray D F DELETE D /\ Segment D E === Segment A B [DE_AB] by ABC, H1, C1; ~(E = D) /\ Collinear D E F /\ ~(D IN open (F,E)) [ErDF_D] by -, IN, IN_DELETE, Ray_DEF, B1', CollinearSymmetry_THM; Segment A B === Segment D E [AB_DE] by ABC, -, DE_AB, C2Symmetric; ~(E = F) [EnotF] proof assume E = F; Segment A B === Segment A C [AB_AC] by -, H1, ABC, H2, DE_AB, C2Transitive, C2Symmetric; Segment A C === Segment A C by H1, C2Reflexive; B = C by H1, BrAC, AB_AC, CrAC, -, C1; qed by -, ABC; ~(F IN open (E,D)) proof assume F IN open (E,D); F IN open (D,E) [DFE] by -, B1'; consider G such that C IN open (A,G) /\ Segment C G === Segment F E [CG_FE] by EnotF, H1, C1OppositeRay_THM; ~(A = C) /\ ~(A = G) /\ ~(G = C) /\ Collinear A C G [AnotG] by -, B1'; ~(A IN open (G,C)) by -, CG_FE, B3'; G IN ray A C DELETE A [GrayAC] by H1, AnotG, -, IN, Ray_DEF, 
IN_DELETE; Segment A G === Segment D E [AG_DE] by CG_FE, DFE, H2, CG_FE, C3; B = G [BG] by ErDF_D, H1, BrAC, GrayAC, AB_DE, AG_DE, C1; B IN open (A,G) by CG_FE, IntervalsAreConvex_THM, H3, SUBSET; qed by BG, -, B1'; E IN open (D,F) by ErDF_D, H1, EnotF, -, B3'; qed by AB_DE, -;; 

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-06-30 08:26

Michael, thanks again, and it works: set theoretic segment ordering!
http://www.math.northwestern.edu/~richter/RichterHOL-LightMiz3HilbertAxiomGeometry.tar.gz
Formalization really clarified my mathematics here. Here's my definition, following your suggestion (and my original try).

let SegmentOrdering_DEF = new_definition
  `s seg_less t <=>
   ? A B C D X. s = Segment A B /\ t = Segment C D /\ ~(A = B) /\ ~(C = D) /\
   X IN open (C,D) /\ Segment A B === Segment C X`;;

Here's the miz3 theorem I proved.

SegmentOrderingTransitive_THM : thm =
  |- ! s t u. s seg_less t ==> t seg_less u ==> s seg_less u

The problem was not with HOL Light, but my own murky understanding of segment ordering. I don't think Greenberg and Hartshorne explained it well, although quite possibly they understood the following point.

Greenberg and Hartshorne both write AB < CD, which means of course that < is a predicate defined on two segments. The segment AB is the set of points between A and B together with A and B:

Segment_DEF : thm =
  |- ! A B. Segment A B = {A, B} UNION open (A,B)

But I'd fallen into the mental mistake of thinking of < as a predicate defined on four points, not two sets of points, as in seg<(A, B, C, D). Not a whole lot is riding on it, but something is: It's obviously true that AB = BA, and Hartshorne stresses this, and therefore we don't need Tarski's axiom which amounts to seg<(A, B, B, A). One can prove that if AB = XY, then either A = X and B = Y or A = Y and B = X. I figure this is bound to come up somewhere, but to my surprise it was not needed in my proof of my transitivity result above.

A more interesting version of this will come up with angle ordering, or even angle congruence. One typically writes angle AOB meaning the subset of the plane which is the union of the two rays ray OA and ray OB. So angle AOB = angle BOA and angle AOB = angle A'OB for any point A' IN ray OA - {O}. If one wants to think of angle congruence as a relation on 6 points, then we need two more axioms. Since nobody wants those axioms

  angle AOB cong angle BOA
  angle AOB cong angle A'OB for any point A' IN ray OA - {O}.

it's important to really think of the angle as a subset of the plane. I don't believe I've been really thinking this way. Formalization will force me to straighten some things out, I believe.

Thanks, Freek, this looks great:

# EXISTS_UNIQUE;;
val it : thm = |- !P. (?!x. P x) <=> (?x. P x /\ (!y. P y ==> y = x))

I see it's from theorems.ml. I'll try it out.

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-07-05 02:17

Thanks to all the help I got here, I'm doing fine formalizing my paper
http://www.math.northwestern.edu/~richter/hilbert.pdf
http://www.math.northwestern.edu/~richter/RichterHOL-LightMiz3HilbertAxiomGeometry.tar.gz
I've formalized 12 of my 18 pages on Hilbert plane geometry, and got past the hard part, formalizing the set theory involved in segments and angles, both subsets of the Hilbert plane. In particular I proved the SAS, ASA and Angle Subtraction theorems, stated below together with the definitions and congruence axioms needed.

I'd like to discuss how HOL Light and miz3 are actually checking my proofs, as I want my formalization to be a selling point for my paper. John's HOL Light documentation doesn't seem to explain the proof mechanism, but http://hol.sourceforge.net/documentation.html, looks good, and I think I need to read the HOL Logic manual.

I'm not good enough at HOL Light to read the miz3.ml code, and even HOL Light experts would have trouble, because miz3 is a very ambitious project to combine declarative (all I'm using) and procedural proofs. John's purple FOL book explains how to implement a Mizar style proof assistant in FOL. John even suggested that his purple book code is all I need. Freek explained that I'm getting heavy miz3 use out of MESON, but I see that John's code http://www.cl.cam.ac.uk/~jrh13/atp/index.html includes

  meson.ml: MESON-type model elimination

Could I really switch to John's purple FOL code? Maybe more reasonably, could one implement John's purple book Mizar code

  tactics.ml: Tactics and Mizar-style proofs

in HOL Light? I'm not of course looking for an improvement in speed or durability, but only in understanding.

--
Best,
Bill

SAS_THM : thm =
  |- ∀ A B C A' B' C'. ¬Collinear A B C ∧ ¬Collinear A' B' C'
     ⇒ seg A B ≡ seg A' B' ∧ seg A C ≡ seg A' C'
     ⇒ angle B A C ≡ angle B' A' C'
     ⇒ A,B,C ≅ A',B',C'

ASA_THM : thm =
  |- ∀ A B C A' B' C'. ¬Collinear A B C ∧ ¬Collinear A' B' C'
     ⇒ seg B C ≡ seg B' C'
     ⇒ angle A B C ≡ angle A' B' C'
     ⇒ angle B C A ≡ angle B' C' A'
     ⇒ A,B,C ≅ A',B',C'

AngleSubtraction_THM : thm =
  |- ∀ A O B A' O' B' G G'. ¬Collinear A O B ∧ ¬Collinear A' O' B'
     ⇒ G ∈ int_angle A O B ∧ G' ∈ int_angle A' O' B'
     ⇒ angle A O B ≡ angle A' O' B'
     ⇒ angle A O G ≡ angle A' O' G'
     ⇒ angle B O G ≡ angle B' O' G'

Segment_DEF : thm =
  |- ∀ A B. seg A B = {A, B} ∪ open (A,B)

SEGMENT : thm =
  |- ∀ s. Segment s ⇔ (∃ A B. s = seg A B ∧ ¬(A = B))

SegmentOrdering_DEF : thm =
  |- ∀ t s. s seg_less t ⇔
     Segment s ∧ Segment t ∧
     (∃ C D X. t = seg C D ∧ X ∈ open (C,D) ∧ s ≡ seg C X)

Angle_DEF : thm =
  |- ∀ A O B. angle A O B = ray O A ∪ ray O B

ANGLE : thm =
  |- ∀alpha. Angle alpha ⇔ (∃ A O B. alpha = angle A O B ∧ ¬Collinear A O B)

TriangleCong_DEF : thm =
  |- ∀ A B C A' B' C'. A,B,C ≅ A',B',C' ⇔
     ¬Collinear A B C ∧ ¬Collinear A' B' C' ∧
     seg A B ≡ seg A' B' ∧ seg A C ≡ seg A' C' ∧ seg B C ≡ seg B' C' ∧
     angle A B C ≡ angle A' B' C' ∧
     angle B C A ≡ angle B' C' A' ∧
     angle C A B ≡ angle C' A' B'

C1 : thm =
  |- ∀ s O Z. Segment s ∧ ¬(O = Z)
     ⇒ (∃! P. P ∈ ray O Z ━ O ∧ seg O P ≡ s)

C2Reflexive : thm = |- Segment s ⇒ s ≡ s

C2Symmetric : thm = |- Segment s ∧ Segment t ∧ s ≡ t ⇒ t ≡ s

C2Transitive : thm =
  |- Segment s ∧ Segment t ∧ Segment u ∧ s ≡ t ∧ t ≡ u ⇒ s ≡ u

C3 : thm =
  |- ∀ A B C A' B' C'. B ∈ open (A,C) ∧ B' ∈ open (A',C') ∧
     seg A B ≡ seg A' B' ∧ seg B C ≡ seg B' C'
     ⇒ seg A C ≡ seg A' C'

C4 : thm =
  |- ∀alpha O A l Y. Angle alpha ∧ ¬(O = A) ∧ Line l ∧ O ∈ l ∧ A ∈ l ∧ ¬(Y ∈ l)
     ⇒ (∃! r. Ray r ∧
          (∃B. ¬(O = B) ∧ r = ray O B ∧ ¬(B ∈ l) ∧
               B,Y same_side l ∧ angle A O B ≡ alpha))

C5Reflexive : thm = |- Angle alpha ⇒ alpha ≡ alpha

C5Symmetric : thm = |- Angle alpha ∧ Angle beta ∧ alpha ≡ beta ⇒ beta ≡ alpha

C5Transitive : thm =
  |- Angle alpha ∧ Angle beta ∧ Angle gamma ∧ alpha ≡ beta ∧ beta ≡ gamma
     ⇒ alpha ≡ gamma

C6 : thm =
  |- ∀A B C A' B' C'. ¬Collinear A B C ∧ ¬Collinear A' B' C' ∧
     seg A B ≡ seg A' B' ∧ seg A C ≡ seg A' C' ∧
     angle B A C ≡ angle B' A' C'
     ⇒ angle A B C ≡ angle A' B' C'

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Ramana Kumar - 2012-07-05 06:55

On Thu, Jul 5, 2012 at 3:17 AM, Bill Richter wrote:

> Thanks to all the help I got here, I'm doing fine formalizing my paper
> http://www.math.northwestern.edu/~richter/hilbert.pdf
>
> http://www.math.northwestern.edu/~richter/RichterHOL-LightMiz3HilbertAxiomGeometry.tar.gz
> I've formalized 12 of my 18 pages on Hilbert plane geometry, and got
> past the hard part, formalizing the set theory involved in segments
> and angles, both subsets of the Hilbert plane. In particular I proved
> the SAS, ASA and Angle Subtraction theorems, stated below together
> with the definitions and congruence axioms needed.
>
> I'd like to discuss how HOL Light and miz3 are actually checking my
> proofs, as I want my formalization to be a selling point for my paper.
>

This question is actually easy. HOL Light, in the tradition of so-called "LCF-style" proof assistants, checks proofs by using an abstract datatype for theorems whose only constructors are inference rules. You can see this in the file "fusion.ml", which, being the only ML code one needs to trust (presuming you trust your ML environment) to believe that HOL Light thms are theorems of higher order logic, is relatively well-written and easy to read. In particular, notice that in the module signature the type thm is abstract (it doesn't say "type thm = something", just "type thm") and the only functions that return thms (at the bottom) are inference rules (REFL, TRANS, etc.), definitional rules (new_basic_definition, etc.) and axioms (new_axiom). Since OCaml modules are "closed", when the module type signature ends and there's nothing else to generate thms, we know those are the only ways thms will ever be generated.

Thus, no matter how clever the code you use to generate your proofs (be it miz3, normal HOL Light tactics, or something else), ultimately, if that code generates any thms, what it has to do is steer the so-called "kernel" in fusion.ml by calling the inference/definition rules and new_axiom, possibly using existing theorems and existing derived rules (which do the same thing), in clever ways to construct the desired thms. The kernel is designed so that doing so is equivalent to running line-by-line down a proof in higher order logic. In the implementation of the rules you can check that they do what they ought to. In particular, new_axiom records any axioms in the list !the_axioms, so you can check axioms() to be sure nobody added unsound axioms to prove your theorems. the_axioms itself is in the module and not the signature, so the only access to it outside of fusion.ml is read-only via axioms (which is in the signature), thus the list can only grow, and axioms used along the way can't be removed and hidden.

As you may have inferred, while thms are OCaml objects that you can store and play with, and we have a story for why they can only be created in ways guaranteeing that they have proofs, the proofs themselves are dynamic and ephemeral. If you want to see/keep the (ultra low level) proofs as well, you could use Joe Hurd's fork of HOL Light (http://src.gilith.com/hol-light.html) which records the proofs and enables export in OpenTheory Article format (http://www.gilith.com/research/opentheory/article.html).

This is why sometimes people let LCF-style proofs become "unreadable": no matter whether you write readable (maybe even declarative) programs for constructing thms or whether you write totally unreadable (but possibly efficient, or smart, or good for exploration and automation) code for constructing thms, there will always be this (ephemeral) ultra low level proof that is the "real" proof of your theorem in the formal sense.
There are arguments on both sides for prioritising readability of the programs or not.
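
Added illustration, not part of Ramana's message and not HOL Light's code: a toy LCF-style kernel in OCaml showing the mechanism described above, an abstract thm type that only kernel rules can construct plus a grow-only axiom record with a read-only accessor. The implication-only logic, the rules assume/disch/mp and the helper unexpected_axioms are assumptions of this sketch; only the names new_axiom, axioms and the_axioms follow the message.

```ocaml
(* Toy LCF-style kernel, constructed for illustration. NOT HOL Light's
   fusion.ml: the logic (implication only) and the rules assume/disch/mp
   are assumptions of this sketch. *)

type term =
  | Var of string
  | Imp of term * term                 (* p ==> q *)

module type KERNEL = sig
  type thm                             (* abstract: no "= ..." and no constructor *)
  val hyp       : thm -> term list     (* destructors only read a thm *)
  val concl     : thm -> term
  val assume    : term -> thm          (* p |- p *)
  val disch     : term -> thm -> thm   (* G |- q  gives  G - {p} |- p ==> q *)
  val mp        : thm -> thm -> thm    (* G |- p ==> q,  D |- p  gives  G u D |- q *)
  val new_axiom : term -> thm          (* |- p, and the axiom is recorded *)
  val axioms    : unit -> thm list     (* read-only view of the record *)
end

module Kernel : KERNEL = struct
  type thm = Sequent of term list * term

  (* In the structure but not in the signature: invisible outside. *)
  let the_axioms = ref ([] : thm list)

  let union xs ys =
    List.fold_left (fun acc x -> if List.mem x acc then acc else x :: acc) ys xs

  let hyp (Sequent (hs, _)) = hs
  let concl (Sequent (_, c)) = c

  let assume p = Sequent ([p], p)

  let disch p (Sequent (hs, q)) =
    Sequent (List.filter (fun h -> h <> p) hs, Imp (p, q))

  let mp (Sequent (h1, pq)) (Sequent (h2, p)) =
    match pq with
    | Imp (p', q) when p' = p -> Sequent (union h1 h2, q)
    | _ -> failwith "mp: first theorem is not an implication from the second"

  let new_axiom p =
    let th = Sequent ([], p) in
    the_axioms := th :: !the_axioms;
    th

  let axioms () = !the_axioms
end

open Kernel

(* Outside the kernel the next line is rejected by the type checker
   ("Unbound constructor"), so a thm cannot be forged:
     let bogus = Kernel.Sequent ([], Var "false")                      *)

(* Derived rules live outside the kernel and can only steer it. *)
let imp_refl p = disch p (assume p)                  (* |- p ==> p *)
let imp_k p q = disch p (disch q (assume p))         (* |- p ==> (q ==> p) *)

(* Audit: conclusions of recorded axioms that are not on an approved list. *)
let unexpected_axioms approved =
  List.filter (fun t -> not (List.mem t approved))
    (List.map concl (axioms ()))

let rec show = function
  | Var s -> s
  | Imp (a, b) -> "(" ^ show a ^ " ==> " ^ show b ^ ")"

let () =
  let p = Var "p" and q = Var "q" in
  (* Built from kernel rules only: |- q ==> (p ==> p), no axioms needed. *)
  let th = mp (imp_k (Imp (p, p)) q) (imp_refl p) in
  Printf.printf "derived  |- %s   hyps: %d   unexpected axioms: %d\n"
    (show (concl th)) (List.length (hyp th))
    (List.length (unexpected_axioms []));
  (* A script that simply asserts its goal still gets a thm, but leaves a trace. *)
  let cheat = new_axiom q in
  Printf.printf "asserted |- %s\n" (show (concl cheat));
  List.iter (fun t -> Printf.printf "audit: unapproved axiom %s\n" (show t))
    (unexpected_axioms [])
```

The trusted base here is the Kernel structure alone; imp_refl, imp_k and any cleverer proof search sit outside it and cannot produce a thm except through the exported rules.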

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-07-06 06:45

Thanks, Ramana! You explain very well I think how I could check what proofs I'm getting, and why HOL Light is reliable. That's really valuable information, but it's not what I want. Let me try again.

The fact that HOL Light (using miz3) checks my proofs conclusively tells me that my theorems are correct. I just proved a new one:

OrderedCongruentAngles_THM : thm =
  |- ∀ A O B A' O' B' G.
       ¬Collinear A O B ∧ ¬Collinear A' O' B'
       ⇒ angle A O B ≡ angle A' O' B'
       ⇒ G ∈ int_angle A O B
       ⇒ (∃G'. G' ∈ int_angle A' O' B' ∧ angle A O G ≡ angle A' O' G')

http://www.math.northwestern.edu/~richter/RichterHOL-LightMiz3HilbertAxiomGeometry.tar.gz
I'm not worried that the theorem might actually be false.

My question is: What kind of proof is miz3 saying I have? Recall that my long-term purpose is to teach a rigorous axiomatic high school Geometry course. There must be powerful theorem provers that could prove every result in the course! Josef got Vampire to prove most of my Tarski miz3 results. So I'd like to know that miz3 isn't powerful enough to make it useless for teaching Geometry! I think miz3 is just about right, from my experience of 2350 lines of Hilbert axiomatic code and 985 lines of Tarski code, but I'll never be sure until I know what miz3 calls a proof. Part of the problem is that there's no documentation for exactly what a Mizar proof is. Again, from my original Tarski code experience, I think Mizar is about the right level of power. But I don't know, and can't explain it in my paper.

So I can read "fusion.ml", and kananaskis-7-logic-1.pdf, as you suggested, and learn what a HOL proof is. That's great. But miz3 proofs are much simpler. John's book (which I haven't understood yet) clearly explains (I think) what John means by a Mizar-like FOL proof. I was hoping someone would explain this to me, and then explain how John's purple book Mizar-like FOL compares to miz3. Maybe I'll have to explain it myself, after learning it. I have time, as I have 6 more tough pages in my paper to formalize before I'll submit my paper
http://www.math.northwestern.edu/~richter/hilbert.pdf

Here's my hazy idea. I more or less know what an FOL proof is, and I think writing them down is tedious, and we'd like a proof assistant to automate the tedious details (substituting variables etc), so we're left with the interesting part of the FOL proof. I think this is what Mizar, John's Mizar-like FOL, and miz3 all do. But I'd like to know for sure, and more precisely, exactly what automation they do.

It's never happened that when I "intentionally" wrote up a miz3 proof, that miz3 proved the theorems before I thought I had completed the proof. That's what I want. But once I goofed in my miz3 proof, miz3 approved a proof that I didn't think was a proof. Freek explained that MESON is quite powerful, and explained how MESON proved my result. So as long as I don't goof like that, I'm OK. But could my students exploit the power of MESON to hand in miz3 proofs that I wouldn't call proofs? I know issues like this get discussed here, maybe it's called "malicious" proofs. I'm not really worried about malice, and I'd be thrilled to have any students, but the teacher ought to know what the proof assistant will accept as a proof.

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Ramana Kumar - 2012-07-06 07:17

If there are powerful theorem provers that can prove every result in the course, you should think hard about the value you are imparting to your students by making them write proofs in a restricted language, and design that language accordingly.

I feel like maybe you didn't understand what I said, so let me try one thing again: miz3 is an OCaml library that defines a bunch of functions and stuff that make up what looks like a proof language, but ultimately the proofs that are checked by the proof assistant are the low level higher order logic proofs that those functions create. The proof assistant does not care whether they were generated by miz3 functions or by MESON or by anything else: in fact, it does not know! Perhaps it would be instructive for me to show you the OpenTheory proof for one of your theorems, that is, a proof you might have thought you never wrote but actually is what is generated - if so, let me know and I'll try to get Joe's proof-logging fork to run your code some time.

It sounds like what you want is control over which functions your students are allowed to call when they're trying to write proof scripts (that is, code to create low level HOL proofs).
Well, that's easy: write down the list of functions (or miz3 keywords or whatever) that you want them to be allowed to use, make an OCaml module out of it, tell them to import that module and forbid them (verbally, or manually, or you could write a script to check their source files if you don't trust them) from importing anything else or from defining their own functions.

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Ramana Kumar - 2012-07-06 07:21

OK I guess your problem is that you don't know how powerful (in the automation dimension) each of the miz3 keywords is, so you wouldn't know which ones to include in your restricted set anyway.
For that you will have to search for documentation, read the miz3 code, or wait for someone who knows to answer because unfortunately I don't :)

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Save seecs - 2012-07-06 11:54

Dear Ramana,

I want to know what is the procedure to use (.....) in HOL when we require to verify our theorem. For example, when we deal in a proof with a summation such as

   a*(1 - r^n)/(1 - r) = a + ar + ar^2 + ar^3 + ………. + a(r)^(n-1)

I want to know that on the R.H.S. we have dots (.....), so how to cater with this problem using HOL during proving our goal. I will be looking forward to your kind reply.

--
~Regards
Saqib Khan
MS-CSE Research Assistant @ SAVE
National University of Science and Technology (NUST)

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Mark - 2012-07-06 16:53

Hi Bill,

I understand exactly what you are looking for (or at least I think I do!) - a theorem prover with very clearly defined functionality, that automates what is "trivial" and does not automate what is not "trivial", and that is easy to use, caters for all the classic styles of doing (symbolic) proof on paper and does not require months of training. And if this system is also a "serious" system involved in the formalisation of mathematics, and is highly trustworthy, then all the better. You see such a system as being an excellent way of teaching students how to do proof.

As you say, Mizar and miz3 (and don't forget Isar) perhaps come about the closest of any current systems to what you want. I've had in mind for many years a design of a system that does exactly what you want, but have been too busy with other stuff to develop this up till now. I suppose this doesn't really help you until it's been implemented, but I just wanted to tell you that!

I suppose a problem with using existing systems is that they are trying to do something different - to enable proofs to be proved with minimal amount of user effort. Sometimes the approach they use to achieving this means that they come close to your goals, but they will never be perfect for what you want.

By the way, "malicious" proofs are not proofs that use a theorem prover's automatic facilities when they are not intended to be used. Malicious proofs are proofs that deliberately take advantage of unsoundness (or other trustworthiness issues) in the theorem prover, to prove a fallacy, or to appear to prove a fallacy.

Mark.

on 6/7/12 7:45 AM, Bill Richter wrote:

> My question is: What kind of proof is miz3 saying I have? Recall that
> my long-term purpose is to teach a rigorous axiomatic high school
> Geometry course. There must be powerful theorem provers that could
> prove every result in the course! Josef got Vampire to prove most of
> my Tarski miz3 results. So I'd like to know that miz3 isn't powerful
> enough to make it useless for teaching Geometry! I think miz3 is just
> about right, from my experience of 2350 lines of Hilbert axiomatic
> code and 985 lines of Tarski code, but I'll never be sure until I know
> what miz3 calls a proof. Part of the problem is that there's no
> documentation for exactly what a Mizar proof is. Again, from my
> original Tarski code experience, I think Mizar is about the right
> level of power. But I don't know, and can't explain it in my paper.
>
> ....
>
> Here's my hazy idea. I more or less know what an FOL proof is, and I
> think writing them down is tedious, and we'd like a proof assistant to
> automate the tedious details (substituting variables etc), so we're
> left with the interesting part of the FOL proof. I think this is what
> Mizar, John's Mizar-like FOL, and miz3 all do. But I'd like to know
> for sure, and more precisely, exactly what automation they do.
>
> It's never happened that when I "intentionally" wrote up a miz3
> proof, that miz3 proved the theorems before I thought I had completed
> the proof. That's what I want. But once I goofed in my miz3 proof,
> miz3 approved a proof that I didn't think was a proof. Freek
> explained that MESON is quite powerful, and explained how MESON proved
> my result. So as long as I don't goof like that, I'm OK. But could
> my students exploit the power of MESON to hand in miz3 proofs that I
> wouldn't call proofs? I know issues like this get discussed here,
> maybe it's called "malicious" proofs. I'm not really worried about
> malice, and I'd be thrilled to have any students, but the teacher
> ought to know what the proof assistant will accept as a proof.

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-07-08 03:52

   I understand exactly what you are looking for (or at least I think I do!) - a theorem prover with very clearly defined functionality, that automates what is "trivial" and does not automate what is not "trivial"

Thanks, Mark, and that's exactly right.

   and that is easy to use, caters for all the classic styles of doing (symbolic) proof on paper and does not require months of training.

Yeah, and right now only one style: 2-column proofs that are common in US high school Geometry courses, except I want rigorous proofs you get from Hilbert's axioms, and not the "when the going gets tough we'll draw a picture and say it's obvious" style going back to Euclid.

   I've had in mind for many years a design of a system that does exactly what you want

You don't have to implement your system to help me. Maybe it's enough to clarify what "trivial" means. I should know by now, from writing 2300 lines of miz3 Hilbert axiomatic geometry code http://www.math.northwestern.edu/~richter/RichterHOL-LightMiz3HilbertAxiomGeometry.tar.gz but I don't. Somehow my fuzzy idea is that the automation ought to just be calculating how to use the axioms and theorems I list to prove the statements I want. Uh, that didn't sound right! Isn't any proof like that? If someone would run my code and watch MESON churn, maybe they could clarify what "trivial" means.

   I suppose a problem with using existing systems is that they are trying to do something different - to enable proofs to be proved with minimal amount of user effort.

I don't think that's the problem. I think the problem is my practical ignorance of FOL. I haven't read John's purple book yet and understood what he thinks a Mizar-like proof assistant in FOL is.

   And if this system is also a "serious" system involved in the formalisation of mathematics, and is highly trustworthy, then all the better. You see such a system as being an excellent way of teaching students how to do proof.

Yes, particularly as the students may feel they are learning valuable computer skills. But I've actually learned a lot about my paper http://www.math.northwestern.edu/~richter/hilbert.pdf I believe my proofs more because HOL Light checked them, and formalizing the proofs clarified my thinking. Here's the first thing I learned, and I sure felt dumb when I figured it out.

http://en.wikipedia.org/wiki/Hilbert%27s_axioms
   I. Combination
   7. Upon every straight line there exist at least two points, in every plane at least three points not lying in the same straight line, and in space there exist at least four points not lying in a plane

I translated this (restricting to one plane) as there ∃ X Y Z:point . ¬∃ l: line. X ∈ l ∧ Y ∈ l ∧ Z ∈ l

Well, I was wrong! We have to insist that X, Y, Z are distinct points. Arguably that's what "at least three points" means. If we use my busted version of the axiom, then we can get a model of Hilbert plane geometry with one point and no lines! I've learned more complicated things about my paper as well :)

   By the way, "malicious" proofs are not proofs that use a theorem prover's automatic facilities when they are not intended to be used. Malicious proofs are proofs that deliberately take advantage of unsoundness (or other trustworthiness issues) in the theorem prover, to prove a fallacy, or to appear to prove a fallacy.

Thanks. I suppose your unsoundness and my excessive power are related ideas, but they're quite different too.

   your problem is that you don't know how powerful (in the automation dimension) each of the miz3 keywords is, so you wouldn't know which ones to include in your restricted set anyway. For that you will have to search for documentation, read the miz3 code, or wait for someone who knows to answer because unfortunately I don't :)

That's right, Ramana, and Freek doesn't seem to know either, so reading the miz3 code is probably quite difficult. A while back Freek said that miz3 has two pieces, HOLBY and MESON, and that HOLBY does everything that Mizar does, and then MESON takes over (and you can see this, because it churns numbers and prints "solved at"), so miz3 is more powerful than Mizar! That was very helpful of Freek, but I posted that my very Mizar-like Tarski axiomatic geometry code where MESON did quite a lot of work. The first time I did this, Freek said no, you have to curry your functions to get a miz3/Mizar comparison, because MESON has to calculate all the pairs, so I uncurried every function of mine, and still have pretty big MESON solved at numbers.

--
Best,
Bill
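The degenerate model described in the message above can be checked mechanically. The following is an added example, not code from the thread: a finite-model check of the axiom as first translated and with distinctness required. The incidence structures and function names are constructed for illustration, and only incidence properties are checked, not order or congruence.

```python
from itertools import product

# A finite incidence structure is (points, lines), each line being the
# frozenset of points that lie on it.

def busted_axiom(points, lines):
    """First translation: exists X Y Z. not exists l. X in l and Y in l and Z in l.
    Nothing forces X, Y, Z to be different points."""
    return any(
        not any(x in l and y in l and z in l for l in lines)
        for x, y, z in product(points, repeat=3)
    )

def fixed_axiom(points, lines):
    """Repaired axiom: the three witnesses must be pairwise distinct."""
    return any(
        len({x, y, z}) == 3
        and not any(x in l and y in l and z in l for l in lines)
        for x, y, z in product(points, repeat=3)
    )

def unique_line_through_two_points(points, lines):
    """Any two distinct points lie on exactly one line.
    Holds vacuously when there is only one point."""
    return all(
        sum(1 for l in lines if a in l and b in l) == 1
        for a, b in product(points, repeat=2)
        if a != b
    )

def two_points_on_every_line(lines):
    """Every line carries at least two points. Holds vacuously with no lines."""
    return all(len(l) >= 2 for l in lines)

# Constructed sample models.
ONE_POINT = ({"P"}, [])                                   # one point, no lines
TRIANGLE = ({"A", "B", "C"},
            [frozenset("AB"), frozenset("BC"), frozenset("AC")])
COLLINEAR = ({"A", "B", "C"}, [frozenset("ABC")])         # all points on one line

def report(model):
    points, lines = model
    return {
        "busted": busted_axiom(points, lines),
        "fixed": fixed_axiom(points, lines),
        "unique_line": unique_line_through_two_points(points, lines),
        "two_per_line": two_points_on_every_line(lines),
    }

if __name__ == "__main__":
    for name, model in [("one point", ONE_POINT),
                        ("triangle", TRIANGLE),
                        ("collinear", COLLINEAR)]:
        print(name, report(model))
```

With X = Y = Z = P and no lines at all, the inner existential is false, so the unrepaired axiom holds in the one-point model while the repaired one rejects it.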

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-07-08 04:01 If there are powerful theorem provers that can prove every result in the course, you should think hard about the value you are imparting to your students That's easy, Ramana, I want my students to learn how to write mathematical proofs! I think that's a valuable skill. Thanks for explaining in more detail how miz3 & Ocaml work. Perhaps it would be instructive for me to show you the OpenTheory proof for one of your theorems, that is, a proof you might have thought you never wrote but actually is what is generated - if so, let me know and I'll try to get Joe's proof-logging fork to run your code some time. That would be instructive if apply OpenTheory to my code! -- Best, Bill 

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Michael Norrish - 2012-07-18 23:55

On 06/07/12 16:44, Bill Richter wrote:
> My question is: What kind of proof is miz3 saying I have? Recall that
> my long-term purpose is to teach a rigorous axiomatic high school
> Geometry course. There must be powerful theorem provers that could
> prove every result in the course! Josef got Vampire to prove most of
> my Tarski miz3 results. So I'd like to know that miz3 isn't powerful
> enough to make it useless for teaching Geometry! I think miz3 is just
> about right, from my experience of 2350 lines of Hilbert axiomatic
> code and 985 lines of Tarski code, but I'll never be sure until I know
> what miz3 calls a proof. Part of the problem is that there's no
> documentation for exactly what a Mizar proof is. Again, from my
> original Tarski code experience, I think Mizar is about the right
> level of power. But I don't know, and can't explain it in my paper.

miz3 is not constructing a Mizar proof, nor even a "miz3" proof. Rather it is constructing a proof in higher-order logic, ultimately using the primitive rules of inference of higher-order logic. (See the HOL4 Logic manual for a presentation of one set of primitives.) That is the "ground truth" of the system and attempting to recast things at a higher level of abstraction is always going to be a bit fraught.

Certainly, miz3 presents an appealing interface that lets the user think they are working at a rather higher level. It's an illusion, but a reasonably convincing one. The illusion hangs together because the engineering heuristics that Freek and John have put together mean that the steps that a human thinks should be obvious are ones that the system often accepts too.

But this stuff really is a matter of heuristics:

- What should the timeout be?
- Should simplification precede attempts at first order reasoning?
- If so, how much should be allowed?
- What default simplification rules should be included (if any)?
- What proof search strategy should be used when doing the f.o. reasoning?
- etc

If you hit the sweet spot, then the system lurking behind "by" doesn't prove so much that the user doesn't learn anything, but isn't so stupid that the human has to provide unnecessary detail.

Ultimately, I'm afraid there is no precise way of explaining what Mizar/miz3 are capable of for your paper. You can only point to experience, and say that the system behind "by" seems to allow reasonable leaps of inference.

Note that a Mizar/miz3 proof is probably fairly solid in the face of changes to the underlying systems, but if its reasoning power (remember how this depends on those heuristics) doesn't always increase then it's possible (though unlikely I suspect) that a proof that worked yesterday won't work today.

If you haven't already been pointed at John's 1996 paper about the original Mizar mode for HOL Light, then I certainly recommend it: http://www.cl.cam.ac.uk/~jrh13/papers/mizar.html

Michael

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-07-19 03:04

Michael, thank you very much, and I did not know of John's paper http://www.cl.cam.ac.uk/~jrh13/papers/mizar.html which I will read carefully. I didn't quite understand you: I couldn't figure out what your "illusion" was. I think miz3 is much less powerful than HOL Light is generally. I'd like to say precisely how miz3 is more powerful than straight FOL, which would be very tedious I believe to write proofs in. But Tom Hales is formalizing his Kepler conjecture proof in HOL Light and other powerful proof assistants. Tom wouldn't consider only using miz3, right? BTW I habitually use the term miz3 to refer to the Mizar-like part of miz3, but the real power of miz3 is that it combines Mizar-like proofs with the more powerful procedural HOL Light proofs.

I think you said that it would be very difficult to precisely explain what miz3 is doing, as by various complicated strategies, it appears in good cases that in miz3,

   "by" doesn't prove so much that the user doesn't learn anything, but isn't so stupid that the human has to provide unnecessary detail.

Well, that's what I want, and I've been quite satisfied with miz3's "by" performance. What's bothered me is not knowing how to define things, but that's more HOL Light, and you and John helped me a lot.

   Ultimately, I'm afraid there is no precise way of explaining what Mizar/miz3 are capable of for your paper. You can only point to experience, and say that the system behind "by" seems to allow reasonable leaps of inference.

I'll take your word for it, and Freek seems to agree, but I'm not satisfied. I know what I use miz3 for, and it's simple. Basically "by" substitutes all the variables I have into all the results in my "by" list and in a very simple-minded way puts together a proof of my assertion. Plus "by" can do certain proofs by contradictions

--
Best,
Bill

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-07-19 04:37

I made my Hilbert axiomatic geometry code more readable, but code that ran in 1:07 minutes now runs in 2:15 minutes. I sure enjoyed myself!

Perhaps this is an interface issue of the sort Mark & Felix raised. I'd like to be able to write != or <> to mean "not equal" and have it work fine, so that e.g. miz3 would know that ~(x = y) is the same as x <> y, and if my thesis is (x = y) \/ alpha I could prove it by first making the assumption x <> y and then proving alpha. I tried this for IN, defining NOTIN by

let NOTIN = new_definition
  `!a:A l:A->bool. a NOTIN l <=> ~(a IN l)`;;

I had to make massive changes to get away with this, and it was fun, as I improved some sub-optimal old proofs, but I don't like this:

let Interval2sides2aLineHelp_THM = thm `;
  let A B C X be point;
  let l be point_set;
  assume ¬(A = B) ∧ ¬(A = C) ∧ ¬(A = X) ∧ ¬(B = C) ∧ ¬(B = X) ∧ ¬(C = X) [H1];
  assume Line l ∧ A ∈ l ∧ B ∈ l ∧ C ∈ l ∧ X ∈ l [H2];
  assume B ∈ open (A,C) [H3];
  thus X ∉ open (A,B) ∨ X ∉ open (B,C)

  proof
    assume ¬(X ∉ open (A,B));
    X ∈ open (A,B) [X_AB] by -, ∉;
    Collinear X B C [XBCcol] by H2, Collinear_DEF;
    ordered A X B C [AXBC] by X_AB, H3, TransitivityBetweennessVariant_THM;
    B ∈ open (X,C) [B_XC] by AXBC, Ordered_DEF;
    X ∉ open (C,B) by H1, XBCcol, B_XC, B3', ∉;
  qed by -, B1', ∉`;;

It would be nice to replace the first two lines of my proof with

    assume X ∈ open (A,B) [X_AB];

As another interface issue, I find my concrete syntax here, which Emacs pre-processes (turning ∉ to NOTIN), to improve readability.

Anyway, I'm happy, I've basically formalized the first 6 sections of my paper, and so I only have one left to formalize, the hardest, which treats Hartshorne's book, and I'm over 2700 lines of code! http://www.math.northwestern.edu/~richter/RichterHOL-LightMiz3HilbertAxiomGeometry.tar.gz

--
Best,
Bill

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Michael Norrish - 2012-07-19 06:07 On 19/07/12 13:04, Bill Richter wrote: > Michael, thank you very much, and I did not know of John's paper > http://www.cl.cam.ac.uk/~jrh13/papers/mizar.html > which I will read carefully. I didn't quite understand you: > I couldn't figure out what your "illusion" was. I think miz3 is much > less powerful than HOL Light is generally. I'd like to say precisely > how miz3 is more powerful than straight FOL, which would be very > tedious I believe to write proofs in. But Tom Hales is formalizing > his Kepler conjecture proof in HOL Light and other powerful proof > assistants. Tom wouldn't consider only using miz3, right? How would you define "powerful"? Though it might be tedious (perhaps extremely so) to do some things, I don't think there's anything preventing Tom Hales from doing all of the Kepler conjecture in structured miz3 proofs. > Ultimately, I'm afraid there is no precise way of explaining what > Mizar/miz3 are capable of for your paper. You can only point to > experience, and say that the system behind "by" seems to allow > reasonable leaps of inference. > I'll take your word for it, and Freek seems to agree, but I'm not > satisfied. I know what I use miz3 for, and it's simple. Basically > "by" substitutes all the variables I have into all the results in my > "by" list and in a very simple-minded way puts together a proof of my > assertion. Plus "by" can do certain proofs by contradictions "by" is ultimately calling meson, a first-order proof procedure. Ignoring possible additional simplification that might happen first, meson is then looking for a first-order proof of your goal, using implication chaining and instantiation, and doing so to an arbitrary depth. In this sense, miz3 *isn't* any more powerful than "straight FOL". (Given which, what in your experience makes you say that it is?) 
Like all other first order systems (e.g., Vampire), all you can say is that it will prove some goals and won't prove others (and assuming soundness, it won't prove anything that isn't actually true). Indeed, if you were using Isabelle, you could link the equivalent of "by" directly to Vampire or some other modern first order prover and probably find that you could make rather larger jumps than previously. Contrariwise, there is some handling of higher-order features in meson, and all of those first-order steps are really happening in HOL, not FOL. That's why I said the "ground truth" really is HOL, not FOL. One guess I have is that what you find appealing about HOL is not so much the logical reasoning, but rather the fact that the types and terms give you an appealing expressiveness without requiring very tedious type annotations. That's a credit to simple type theory and not much to do with the proof-power of "by". Michael 

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Freek Wiedijk - 2012-07-19 08:32 Hi Bill, >I think miz3 is much less powerful than HOL Light is generally. Sorry to disagree, but this seems wrong to me. This is only true if you don't put tactics in the justifications. I especially allow _arbitrary_ HOL Light tactics there for exactly this reason: so miz3 would be just as "powerful" as "HOL Light generally". In fact, the miz3_of_hol code can automatically convert arbitrary HOL Light tactic scripts to miz3 proofs. (Actually the parser in the current code can only handle John's tactic script conventions, but the _approach_ can handle _any_ HOL Light tactic script.) And even without explicit tactics I think you can prove _any_ theorem of the HOL Light logic with a sufficiently detailed miz3 proof. The ten inference rules of the HOL Light logic certainly seem within the power of miz3's "by", bad as it is :-) Freek 

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-07-20 07:21 Sorry to disagree, but this seems wrong to me. This is only true if you don't put tactics in the justifications. I especially allow _arbitrary_ HOL Light tactics there for exactly this reason: so miz3 would be just as "powerful" as "HOL Light generally". Sorry, Freek, you're right. As I posted, I habitually use the term miz3 to only mean the Mizar part of miz3, which is to say, not using tactics in the justifications. It's my goal to learn how to use tactics in miz3, to be writing proofs that are both declarative and procedural. It seems to me that everyone should formalize that way. How do you want folks to refer to the Mizar part of miz3, with no tactics in the justifications? This part is, I claim, much less powerful than HOL Light is generally, and you seem to agree: without explicit tactics I think you can prove _any_ theorem of the HOL Light logic with a sufficiently detailed miz3 proof. Yes, and you might need a ton of extra details, as Michael wrote: Though it might be tedious (perhaps extremely so) to do some things, I don't think there's anything preventing Tom Hales from doing all of the Kepler conjecture in structured miz3 proofs. Right, and that's what I mean by power. Hales estimated that formalizing his Kepler conjecture proof would take 20 man years, but that's using the full power of HOL Light. If Hales restricted himself to the Mizar part of miz3, with no tactics in the justifications, what's a good estimate? 40 man years? 100 man years? Michael, that's clearly not your meaning of power: In this sense, miz3 *isn't* any more powerful than "straight FOL". (Given which, what in your experience makes you say that it is?) Yes, I'm in complete agreement, miz3 is only checking proofs FOL of mine, although as a technical point, with my Hilbert proofs I'm also making some use of the ZFC axioms encoded in HOL as well as Hilbert's f.o. geometry axioms. 
"by" is ultimately calling meson, a first-order proof procedure. Ignoring possible additional simplification that might happen first, meson is then looking for a first-order proof of your goal, using implication chaining and instantiation, and doing so to an arbitrary depth. Thanks, Michael, and I'm thinking about your heuristics from yesterday. But we should be able to put an upper bound on what miz3 can accomplish with MESON and simplifications (can you expand on simplification BTW?) if it justifies a statement alpha with the miz3 line alpha by X1, X2, ....; Like all other first order systems (e.g., Vampire), all you can say is that it will prove some goals and won't prove others According to Josef Urban, Vampire is clearly more powerful than the Mizar part of miz3, as it proved with no instructions all but 4 of my theorems in 1000 lines of Tarski geometry code. Indeed, if you were using Isabelle, you could link the equivalent of "by" directly to Vampire or some other modern first order prover and probably find that you could make rather larger jumps than previously. That's interesting! But that's my whole point: I don't want the Mizar part of miz3 to be able to make overly large jumps. I know from experience that there's a lot of hit & miss on exactly how large a jump I can get away with. Sometimes I can combine 3 lines of code into 1, and sometimes I think miz3 will prove something and I time out, so I put in another line or two of the proof. I don't need to have this explained precisely. I'm sure that's in your heuristics. But I want to be able to explain in my Geometry paper that there's a reasonable upper bound on what miz3 can do. Back to your "by" is ultimately calling meson, a first-order proof procedure. Ignoring possible additional simplification that might happen first, meson is then looking for a first-order proof of your goal, using implication chaining and instantiation, and doing so to an arbitrary depth. 
In this sense, miz3 *isn't* any more powerful than "straight FOL". Ok, let's allow miz3 to do all possible simplifications with no bound on the depth and no time-out. That would be unusable, because miz3 would never catch any of my numerous obvious blunders. But we should be able to describe what the miz3 by (sans tactics) could prove that way. -- Best, Bill 

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Ramana Kumar - 2012-07-20 07:48

Even if we fix the proof tool as "miz3 with MESON only (no other tactics)", there is still potential confusion about what "power" might mean. Here are some possibilities. You should probably pick one before discussing further:

1. Which theorems is it theoretically possible to prove? (I think we all agree that the answer is "all the theorems of HOL".)
2. Which theorems is it theoretically possible to prove with a resource bound (e.g. lines of proof script, or time/memory to run the proof script). This is a family of questions, and I'm not sure anyone will have any good data on the answers...
3. Which theorems is it possible for Bill Richter to prove (optionally with an additional resource bound)? (No idea...)

On Fri, Jul 20, 2012 at 8:21 AM, Bill Richter wrote:
> Sorry to disagree, but this seems wrong to me. This is only true
> if you don't put tactics in the justifications. I especially allow
> _arbitrary_ HOL Light tactics there for exactly this reason: so
> miz3 would be just as "powerful" as "HOL Light generally".
>
> Sorry, Freek, you're right. As I posted, I habitually use the term miz3 to only mean the Mizar part of miz3, which is to say, not using tactics in the justifications. It's my goal to learn how to use tactics in miz3, to be writing proofs that are both declarative and procedural. It seems to me that everyone should formalize that way. How do you want folks to refer to the Mizar part of miz3, with no tactics in the justifications? This part is, I claim, much less powerful than HOL Light is generally, and you seem to agree:
>
> without explicit tactics I think you can prove _any_ theorem of the
> HOL Light logic with a sufficiently detailed miz3 proof.
> > Yes, and you might need a ton of extra details, as Michael wrote: > > Though it might be tedious (perhaps extremely so) to do some > things, I don't think there's anything preventing Tom Hales from > doing all of the Kepler conjecture in structured miz3 proofs. > > Right, and that's what I mean by power. Hales estimated that formalizing his Kepler conjecture proof would take 20 man years, but that's using the full power of HOL Light. If Hales restricted himself to the Mizar part of miz3, with no tactics in the justifications, what's a good estimate? 40 man years? 100 man years? > > Michael, that's clearly not your meaning of power: > > In this sense, miz3 *isn't* any more powerful than "straight > FOL". (Given which, what in your experience makes you say that it > is?) > > Yes, I'm in complete agreement, miz3 is only checking proofs FOL of mine, although as a technical point, with my Hilbert proofs I'm also making some use of the ZFC axioms encoded in HOL as well as Hilbert's f.o. geometry axioms. > > "by" is ultimately calling meson, a first-order proof procedure. > Ignoring possible additional simplification that might happen > first, meson is then looking for a first-order proof of your goal, > using implication chaining and instantiation, and doing so to an > arbitrary depth. > > Thanks, Michael, and I'm thinking about your heuristics from yesterday. But we should be able to put an upper bound on what miz3 can accomplish with MESON and simplifications (can you expand on simplification BTW?) if it justifies a statement alpha with the miz3 line > > alpha by X1, X2, ....; > > Like all other first order systems (e.g., Vampire), all you can say > is that it will prove some goals and won't prove others > > According to Josef Urban, Vampire is clearly more powerful than the Mizar part of miz3, as it proved with no instructions all but 4 of my theorems in 1000 lines of Tarski geometry code. 
> > Indeed, if you were using Isabelle, you could link the equivalent > of "by" directly to Vampire or some other modern first order prover > and probably find that you could make rather larger jumps than > previously. > > That's interesting! But that's my whole point: I don't want the Mizar part of miz3 to be able to make overly large jumps. I know from experience that there's a lot of hit & miss on exactly how large a jump I can get away with. Sometimes I can combine 3 lines of code into 1, and sometimes I think miz3 will prove something and I time out, so I put in another line or two of the proof. I don't need to have this explained precisely. I'm sure that's in your heuristics. But I want to be able to explain in my Geometry paper that there's a reasonable upper bound on what miz3 can do. Back to your > > "by" is ultimately calling meson, a first-order proof procedure. > Ignoring possible additional simplification that might happen > first, meson is then looking for a first-order proof of your goal, > using implication chaining and instantiation, and doing so to an > arbitrary depth. In this sense, miz3 *isn't* any more powerful > than "straight FOL". > > Ok, let's allow miz3 to do all possible simplifications with no bound on the depth and no time-out. That would be unusable, because miz3 would never catch any of my numerous obvious blunders. But we should be able to describe what the miz3 by (sans tactics) could prove that way. > > -- > Best, > Bill

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-07-20 09:39

I've now formalized all the theorems in the first 6 sections of my Hilbert axiomatic geometry paper http://www.math.northwestern.edu/~richter/hilbert.pdf in 2800 lines of miz3 code http://www.math.northwestern.edu/~richter/RichterHOL-LightMiz3HilbertAxiomGeometry.tar.gz

My last result was Moise and Venema's Plane Separation axiom:

   Prop 4.13: The complement in the plane of a line l is a disjoint union of two nonempty convex sets H1 and H2. If P ∈ H1 and Q ∈ H2, then ¬(open (P,Q) ∩ l = ∅).

It's easy mathematically but used a lot of HOL set theory. I'm very happy to have formalized it, and I'm including the defs & thms below.

Ramana, I think my definition of power is quite different from any of your 3 definitions. I thought my last post was clear, but maybe it wasn't. Let me try again: I want to say that miz3 (without tactics) is so lacking in power that a human can read such miz3 proofs. I think if anyone read my code, they could understand quite as easily as my paper. I want to say that in such a miz3 line

   alpha by X1, X2, ..., Xn;

which miz3 says is OK, that a human will easily be able to check that results X1,..., Xn actually prove alpha. Provided that the human understands alpha, X1,...,Xn, of course. I think this lack of power can be explained precisely with some kind of an upper bound. Now I believe that MESON is much more powerful than that. I think we can all be astounded by what MESON can prove for us. But I don't believe that miz3 (without tactics) uses the full power of MESON.

--
Best,
Bill

PlaneComplement_DEF : thm =
  |- ∀ P A α. complement α P ⇔ P ∉ α

CONVEX : thm =
  |- ∀α. Convex α ⇔ (∀ A B. A ∈ α ∧ B ∈ α ⇒ open (A,B) ⊂ α)

HalfPlaneConvexNonempty_THM : thm =
  |- ∀l H A. Line l ∧ A ∉ l ∧ (∀X. X ∈ H ⇔ X ∉ l ∧ X,A same_side l)
       ⇒ ¬(H = ∅) ∧ H ⊂ complement l ∧ Convex H

PlaneSeparation_THM : thm =
  |- ∀ l. Line l
       ⇒ (∃ H1 H2. H1 ∩ H2 = ∅ ∧ ¬(H1 = ∅) ∧ ¬(H2 = ∅) ∧
            Convex H1 ∧ Convex H2 ∧ complement l = H1 ∪ H2 ∧
            (∀P Q. P ∈ H1 ∧ Q ∈ H2 ⇒ ¬(P,Q same_side l)))

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Cris Perdue - 2012-07-20 18:17 On Fri, Jul 20, 2012 at 12:21 AM, Bill Richter < richter@...> wrote: > Sorry to disagree, but this seems wrong to me. This is only true > if you don't put tactics in the justifications. I especially allow > _arbitrary_ HOL Light tactics there for exactly this reason: so > miz3 would be just as "powerful" as "HOL Light generally". > > Sorry, Freek, you're right. As I posted, I habitually use the term miz3 > to only mean the Mizar part of miz3, which is to say, not using tactics in > the justifications. It's my goal to learn how to use tactics in miz3, to > be writing proofs that are both declarative and procedural. It seems to me > that everyone should formalize that way. How do you want folks to refer to > the Mizar part of miz3, with no tactics in the justifications? This part > is, I claim, much less powerful than HOL Light is generally, and you seem > to agree: > > without explicit tactics I think you can prove _any_ theorem of the > HOL Light logic with a sufficiently detailed miz3 proof. > > Yes, and you might need a ton of extra details, as Michael wrote: > > Though it might be tedious (perhaps extremely so) to do some > things, I don't think there's anything preventing Tom Hales from > doing all of the Kepler conjecture in structured miz3 proofs. > > Right, and that's what I mean by power. Hales estimated that formalizing > his Kepler conjecture proof would take 20 man years, but that's using the > full power of HOL Light. If Hales restricted himself to the Mizar part of > miz3, with no tactics in the justifications, what's a good estimate? 40 > man years? 100 man years? > > Michael, that's clearly not your meaning of power: > > In this sense, miz3 *isn't* any more powerful than "straight > FOL". (Given which, what in your experience makes you say that it > is?) 
> > Yes, I'm in complete agreement, miz3 is only checking proofs FOL of mine, > although as a technical point, with my Hilbert proofs I'm also making some > use of the ZFC axioms encoded in HOL as well as Hilbert's f.o. geometry > axioms. > > "by" is ultimately calling meson, a first-order proof procedure. > Ignoring possible additional simplification that might happen > first, meson is then looking for a first-order proof of your goal, > using implication chaining and instantiation, and doing so to an > arbitrary depth. > > Thanks, Michael, and I'm thinking about your heuristics from yesterday. > But we should be able to put an upper bound on what miz3 can accomplish > with MESON and simplifications (can you expand on simplification BTW?) if > it justifies a statement alpha with the miz3 line > > alpha by X1, X2, ....; > > Like all other first order systems (e.g., Vampire), all you can say > is that it will prove some goals and won't prove others > > According to Josef Urban, Vampire is clearly more powerful than the Mizar > part of miz3, as it proved with no instructions all but 4 of my theorems in > 1000 lines of Tarski geometry code. > > Indeed, if you were using Isabelle, you could link the equivalent > of "by" directly to Vampire or some other modern first order prover > and probably find that you could make rather larger jumps than > previously. > > That's interesting! But that's my whole point: I don't want the Mizar > part of miz3 to be able to make overly large jumps. I know from > experience that there's a lot of hit & miss on exactly how large a jump I > can get away with. Sometimes I can combine 3 lines of code into 1, and > sometimes I think miz3 will prove something and I time out, so I put in > another line or two of the proof. I don't need to have this explained > precisely. I'm sure that's in your heuristics. But I want to be able to > explain in my Geometry paper that there's a reasonable upper bound on what > miz3 can do. 
Back to your > > "by" is ultimately calling meson, a first-order proof procedure. > Ignoring possible additional simplification that might happen > first, meson is then looking for a first-order proof of your goal, > using implication chaining and instantiation, and doing so to an > arbitrary depth. In this sense, miz3 *isn't* any more powerful > than "straight FOL". > > Ok, let's allow miz3 to do all possible simplifications with no bound on > the depth and no time-out. That would be unusable, because miz3 would > never catch any of my numerous obvious blunders. But we should be able to > describe what the miz3 by (sans tactics) could prove that way. > Bill, are you aware of John Harrison's paper "Optimizing Proof Search in Model Elimination" (http://www.cl.cam.ac.uk/~jrh13/papers/me.html)? He tested various heuristics for bounding the Meson search including I think the one actually used by MESON_TAC today. From the point of view of education and predictability of what the prover will and won't do, a simple limit on depth of chaining has sounded interesting to me, and that is one of the options he tested. -Cris > > -- > Best, > Bill > > > ------------------------------------------------------------------------------ > Live Security Virtual Conference > Exclusive live event will cover all the ways today's security and > threat landscape has changed and how IT managers can respond. Discussions > will include endpoint security, mobile security and the latest in malware > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > _______________________________________________ > hol-info mailing list > hol-info@... > https://lists.sourceforge.net/lists/listinfo/hol-info > 

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-07-20 19:01

Thanks, Cris, I did not know about John's paper http://www.cl.cam.ac.uk/~jrh13/papers/me.html. It looks very interesting, but his interesting details aren't what I want to talk about. I want to know if my education ideas fall apart if e.g. we put no 'limit on depth of chaining.' Otherwise we're talking about Michael's heuristics, where you fiddle with various parameters trying to hit the 'sweet spot' where tedious things are proven easily and astounding results don't get proven automatically. I'm satisfied that experts like John & Freek have done a great job with the heuristics. I'm not going to try to explain that to my audience of mathematicians, even if I understood it myself. I'm looking for some kind of upper bound on how astounding a result you can prove with little work if we have no heuristics, e.g. no 'limit on depth of chaining.'

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Josef Urban - 2012-07-20 20:17

Hi Bill,

On Fri, Jul 20, 2012 at 9:00 PM, Bill Richter wrote:

> I'm looking for some kind of upper bound on how astounding a result you can prove with little work if we have no heuristics, e.g. no 'limit on depth of chaining.'

There is no established limit. There are just optimists, pessimists, and measures of progress.

In some parts of math, systems like Waldmeister and Prover9 already produce fairly astounding results, like the proof of the Robbins conjecture (http://en.wikipedia.org/wiki/Robbins_algebra). See Stanovsky & Philips (ceur-ws.org/Vol-378/paper3.pdf) for a recent overview of results in loop theory.

A more representative collection of problems is the TPTP library (tptp.org). Performance of systems on such problems is annually measured in the CASC competition (tptp.org/CASC).

It is also hard to define what "little work" means. A very small system like leanCoP (http://www.leancop.de/) can be surprisingly powerful on some problems.

Best,
Josef

>
> --
> Best,
> Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Michael Norrish - 2012-07-20 22:15

If you don't impose any limits to stop its search "prematurely" then the first order prover is capable of proving any theorem that has a proof. Of course, you do also have to prime said prover with the relevant axioms.

(I'm afraid I don't really see what you mean by the combination of "little work" and "no limit on depth of chaining".)

Michael

On 21/07/2012, at 5:00, Bill Richter wrote:

> Thanks, Cris, I did not know about John's paper http://www.cl.cam.ac.uk/~jrh13/papers/me.html. It looks very interesting, but his interesting details aren't what I want to talk about. I want to know if my education ideas fall apart if e.g. we put no 'limit on depth of chaining.' Otherwise we're talking about Michael's heuristics, where you fiddle with various parameters trying to hit the 'sweet spot' where tedious things are proven easily and astounding results don't get proven automatically. I'm satisfied that experts like John & Freek have done a great job with the heuristics. I'm not going to try to explain that to my audience of mathematicians, even if I understood it myself. I'm looking for some kind of upper bound on how astounding a result you can prove with little work if we have no heuristics, e.g. no 'limit on depth of chaining.'
>
> --
> Best,
> Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Cris Perdue - 2012-07-20 22:21

Hi Bill,

On Fri, Jul 20, 2012 at 12:00 PM, Bill Richter <richter@...> wrote:

> Thanks, Cris, I did not know about John's paper
> http://www.cl.cam.ac.uk/~jrh13/papers/me.html. It looks very
> interesting, but his interesting details aren't what I want to talk
> about. I want to know if my education ideas fall apart if e.g. we put no
> 'limit on depth of chaining.' Otherwise we're talking about Michael's
> heuristics, where you fiddle with various parameters trying to hit the
> 'sweet spot' where tedious things are proven easily and astounding results
> don't get proven automatically. I'm satisfied that experts like John &
> Freek have done a great job with the heuristics. I'm not going to try to
> explain that to my audience of mathematicians, even if I understood it
> myself. I'm looking for some kind of upper bound on how astounding a
> result you can prove with little work if we have no heuristics, e.g. no
> 'limit on depth of chaining.'
>

Do your education ideas fall apart if e.g. we put no 'limit on depth of chaining'; in other words can proof steps tend to become non-obvious?

I agree this is an important sort of a question to ask about use of theorem proving for educational purposes. It is a cognitive psychology question and cannot be expected to have a black and white answer, unlike a question such as "is there a decision procedure". But I think that surely greater depth of chaining can lead to steps that are less than obvious.

In section 2 of John Harrison's paper he uses an example of a theorem "proposed by Los, as an example of a purely logical assertion which is nevertheless not obvious. It is now often referred to by some name such as nonobv (sic!) in the theorem proving literature; it is problem MSC006-1 in the TPTP problem library".

The theorem (cut and pasted from a different source) is:

   (!(x:'a) (y:'a) z. P x y /\ P y z ==> P x z) /\
   (!x (y:'a) z. Q x y /\ Q y z ==> Q x z) /\
   (!x y. P x y ==> P y x) /\
   (!x y. P x y \/ Q x y)
   ==> (!x y. P x y) \/ (!x y. Q x y)

John proceeds to show a MESON proof of it. So there is a data point of a theorem provable by MESON, for which there is some consensus that the "step" of proving it is not obvious.

Also as Beeson points out in his MathXpert retrospective, as students progress in studying mathematics, the appropriate step size changes (increases) substantially as their skills improve. What is obvious to a trained mathematician is likely to be non-obvious to a non-mathematician, and so on.

I hope this helps.

-Cris

> --
> Best,
> Bill
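Added example (not part of the thread, and not HOL Light or MESON code): a brute-force check of the Los theorem quoted in the message above over every pair of relations P, Q on domains of up to three elements. A finite search like this is not a proof, but it shows that no small countermodel exists and that dropping any one of the four hypotheses admits one; the function and hypothesis names are made up for this illustration.

```python
from itertools import product

# Hypotheses of the Los "nonobv" theorem as quoted in the thread:
#   P_trans: !x y z. P x y /\ P y z ==> P x z
#   Q_trans: !x y z. Q x y /\ Q y z ==> Q x z
#   P_sym:   !x y. P x y ==> P y x
#   P_or_Q:  !x y. P x y \/ Q x y
# Conclusion: (!x y. P x y) \/ (!x y. Q x y)
HYPOTHESES = ("P_trans", "Q_trans", "P_sym", "P_or_Q")


def holds(rel, n, x, y):
    """True when (x, y) belongs to the relation encoded as an n*n bitmask."""
    return (rel >> (x * n + y)) & 1 == 1


def is_transitive(rel, n):
    return all(
        holds(rel, n, x, z) or not (holds(rel, n, x, y) and holds(rel, n, y, z))
        for x, y, z in product(range(n), repeat=3)
    )


def is_symmetric(rel, n):
    return all(
        holds(rel, n, y, x) or not holds(rel, n, x, y)
        for x, y in product(range(n), repeat=2)
    )


def as_pairs(rel, n):
    """Decode a bitmask into a sorted list of (x, y) pairs."""
    return sorted(
        (x, y) for x, y in product(range(n), repeat=2) if holds(rel, n, x, y)
    )


def find_countermodel(n, drop=None):
    """Look for P, Q on {0..n-1} that satisfy every hypothesis except `drop`
    and falsify the conclusion. Returns (P, Q) as pair lists, or None."""
    if drop is not None and drop not in HYPOTHESES:
        raise ValueError("unknown hypothesis: %r" % (drop,))
    full = (1 << (n * n)) - 1
    # The conclusion fails exactly when neither relation is the full one,
    # so range(full) (which excludes `full` itself) is the search space.
    ps = [
        p for p in range(full)
        if (drop == "P_trans" or is_transitive(p, n))
        and (drop == "P_sym" or is_symmetric(p, n))
    ]
    qs = [q for q in range(full) if drop == "Q_trans" or is_transitive(q, n)]
    for p in ps:
        for q in qs:
            if drop == "P_or_Q" or (p | q) == full:
                return as_pairs(p, n), as_pairs(q, n)
    return None


def smallest_countermodel_size(drop=None, max_n=3):
    """Smallest domain size up to max_n with a countermodel, or None."""
    for n in range(1, max_n + 1):
        if find_countermodel(n, drop) is not None:
            return n
    return None


if __name__ == "__main__":
    print("all hypotheses:", smallest_countermodel_size())
    for h in HYPOTHESES:
        n = smallest_countermodel_size(h)
        print("without", h, "-> countermodel at size", n, find_countermodel(n, h))
```

With all four hypotheses the search returns None for every size tried, which is consistent with the theorem but says nothing about larger or infinite domains; that gap is what the MESON proof closes.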

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Michael Norrish - 2012-07-20 22:38

On 20/07/2012, at 19:38, Bill Richter wrote:

> I think this lack of power can be explained precisely with some kind of an upper bound.
>
> Now I believe that MESON is much more powerful than that. I think we can all be astounded by what MESON can prove for us. But I don't believe that miz3 (without tactics) uses the full power of MESON.

miz3's "by" is just an invocation of MESON but with, as I understand, a time limit imposed. As computers get faster, your "by" steps will become ever more capable and ever "closer" to the full power of MESON.

Michael

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-07-21 03:31

Thanks to everyone for responding, especially Michael, as this is a point that I need to straighten out for my paper which I'm pretty close to submitting. Michael, this is scary:

   If you don't impose any limits to stop its search "prematurely"
   then the first order prover is capable of proving any theorem that
   has a proof. Of course, you do also have to prime said prover with
   the relevant axioms.

I have 2841 lines of miz3 no-tactics Hilbert axiomatic geometry code. You seem to be saying that if we remove all the artificially imposed limits from miz3 then we could prove any one of my 103 theorems with a 1-line proof like this:

let AnyOneOfThem_THM = thm `;
  assertion
  proof
  qed by all the axioms and definitions is a list with commas`;;

Is that what you're saying? I would be very surprised if this was true. This 1-line proof would be an example of what I meant by "little work." Perhaps the way no-tactics miz3 would become so powerful was that we had "no limit on [Cris's] depth of chaining".

   miz3's "by" is just an invocation of MESON but with, as I
   understand, a time limit imposed. As computers get faster, your
   "by" steps will become ever more capable and ever "closer" to the
   full power of MESON.

Michael, I think miz3's "by" only uses MESON for simple purposes, so it wouldn't matter that much if we were using MESON at full strength. Cris's MESON example about MESON's astounding power doesn't refute my rather vague claim, because Los's example isn't about a miz3 "by" justification involving Hilbert's geometry axioms. Cris may be on to something, though...

Josef, can you confirm that when you ran Vampire on my Tarski miz3 (or Mizar) code, your program was quite small, much smaller than my 1000 lines? You basically just stated my Tarski theorems and then Vampire proved them (all but a few such as Gupta's theorem)? Since you're a Mizar expert, can you compare this to Mizar or miz3:

   In some parts of math, systems like Waldmeister and Prover9 already
   produce fairly astounding results, like the proof of the Robbins
   conjecture (http://en.wikipedia.org/wiki/Robbins_algebra).

There's no way I'll believe that Mizar would prove the Robbins conjecture without the user writing a very long proof. I'm skeptical that no-tactics miz3 could replicate the Waldmeister/Prover9 feat if we stopped imposing limits to stop miz3's search "prematurely," to paraphrase Michael.

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-07-21 04:49

Cris, your MESON example was illuminating, and I hope someone can tell me what it means. Paste this code from p 36 of John's tutorial into the HOL Light window:

MESON[]
 `(!x y z. P x y /\ P y z ==> P x z) /\
  (!x y z. Q x y /\ Q y z ==> Q x z) /\
  (!x y. P x y ==> P y x) /\
  (!x y. P x y \/ Q x y)
  ==> (!x y. P x y) \/ (!x y. Q x y)`;;

MESON solves this logic puzzle (which I still haven't yet solved) quite quickly, and it writes

...solved at 23107

And we can easily make this a no-tactics miz3 theorem with a 1-line proof:

let LosLogic_THM = thm `;
  let x y be A;
  let P Q be A->A->bool;
  assume ! x y z. P x y /\ P y z ==> P x z     [H1];
  assume ! x y z. Q x y /\ Q y z ==> Q x z     [H2];
  assume !x y. P x y ==> P y x     [H3];
  assume !x y. P x y \/ Q x y     [H4];
  thus (!x y. P x y) \/ (!x y. Q x y)

  proof
  qed     by H1, H2, H3, H4`;;

The miz3 proof is almost as quick, with a MESON 'solved at' number of 23088. The clear moral of your example is that if one uses no-tactics miz3 to solve logic puzzles like this, then miz3 (using MESON) can astound us, proving things we can't easily prove by ourselves. Now it's dimly possible that one would actually want to have a proof like that in Hilbert axiomatic geometry code, as I have other set-theoretic proofs similarly using A and A->bool, e.g. this one with a MESON 'solved at' number of 32:

parse_as_infix("NOTIN",(11, "right"));;

let NOTIN = new_definition
  `!a:A l:A->bool. a NOTIN l <=> ~(a IN l)`;;

let BiggerThanSingleton_THM = thm `;
  let p be A->bool;
  let x be A;
  assume x IN p     [H1];
  assume ~(p = {x})     [H2];
  thus ? a . a IN p /\ ~(a = x)

  proof
    {x} SUBSET p     by H1, SING_SUBSET;
    ~(p SUBSET {x})     by -, H2, SUBSET_ANTISYM;
    consider a such that a IN p /\ a NOTIN {x}     [X1] by -, SUBSET, NOTIN;
    ~(a = x)     by -, IN_SING, NOTIN;
  qed     by -, X1`;;

But these MESON 'solved at' numbers seem very small to me. My record for a MESON 'solved at' number is 310649, achieved in the proof of a result that looks pretty obvious, that the supplement of an angle is well-defined up to angle congruence:

SupplementsCongAnglesCong_THM : thm =
  |- !alpha beta alpha' beta'.
       alpha Suppl alpha' /\ beta Suppl beta'
       ==> alpha === beta
       ==> alpha' === beta'

And I claim any of you could understand my proof, in
http://www.math.northwestern.edu/~richter/RichterHOL-LightMiz3HilbertAxiomGeometry.tar.gz
in spite of the fact that MESON worked too hard to prove it. So Michael's 'sweet spot' seems to be about what you want to use no-tactics miz3 for. Why am I hitting the sweet spot with my geometry code? And Michael, do they play baseball in Australia?

The question of course arises of whether miz3 could have proven my Hilbert axiomatic geometry results with much shorter proofs than I gave. I'm very skeptical that it could have, because I typically evaluate my proof a zillion times before it works, at first with no proof at all beyond

  proof
  qed     by -`;;

And I always have a #1 inference error after the final qed until I've written in what I call a proof, and removed the zillion obvious blunders that miz3 detected for me. In fact, let's try the above one right now:

let SupplementsCongAnglesCong_THM = thm `;
  let alpha beta alpha' beta' be point_set;
  assume alpha Suppl alpha' /\ beta Suppl beta'     [H1];
  assume alpha === beta     [H2];
  thus alpha' === beta'

  proof
  qed     by -`;;

miz3 instantly calculated my #1 inference error, with MESON getting only up to 49.

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Ramana Kumar - 2012-07-21 05:52

On Sat, Jul 21, 2012 at 4:31 AM, Bill Richter wrote:

> Thanks to everyone for responding, especially Michael, as this is a point
> that I need to straighten out for my paper which I'm pretty close to
> submitting. Michael, this is scary:
>
>    If you don't impose any limits to stop its search "prematurely"
>    then the first order prover is capable of proving any theorem that
>    has a proof. Of course, you do also have to prime said prover with
>    the relevant axioms.
>
> I have 2841 lines of miz3 no-tactics Hilbert axiomatic geometry code. You
> seem to be saying that if we remove all the artificially imposed limits
> from miz3 then we could prove any one of my 103 theorems with a 1-line proof
> like this:
>
> let AnyOneOfThem_THM = thm `;
>   assertion
>   proof
>   qed by all the axioms and definitions is a list with commas`;;
>
> Is that what you're saying? I would be very surprised if this was true.
> [...]
> There's no way I'll believe that Mizar would prove the Robbins conjecture
> without the user writing a very long proof. I'm skeptical that no-tactics
> miz3 could replicate the Waldmeister/Prover9 feat if we stopped imposing
> limits to stop miz3's search "prematurely," to paraphrase Michael.
>

Isn't MESON (without limits) complete? I think the only question is how long you would be willing to wait for each proof, and possibly how much memory you have.

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Josef Urban - 2012-07-21 09:17

Hi Bill,

On Sat, Jul 21, 2012 at 5:31 AM, Bill Richter wrote:

> Josef, can you confirm that when you ran Vampire on my Tarski miz3 (or Mizar) code,

Yes. This is what I wrote here before (I cannot find the email in archive, weird):

The 5 theorems that Vampire could not solve were the longer ones, like Gupta, I1part1, etc. You can see for yourself by going to http://bit.ly/KfuypA (will take a while, my server is computing now). Hover mouse or click on the red-black |- symbol next to each theorem, and Vampire will start grinding on it.

> your program was quite small, much smaller than my 1000 lines?

Vampire has about 100k lines of C++ code. leanCoP (written in Prolog) boasts "Size of core prover: 333/555 bytes (v1.0/v2.0)." and its performance on re-proving (see below) Mizar (and HOL) problems is not so much worse. I have not tried your problems with leanCoP (but it's no big deal).

> You basically just stated my Tarski theorems and then Vampire proved them (all but a few such as Gupta's theorem)?

They were (re)proved from their exact Mizar-proof dependencies (the theorems and defs used in the Mizar proof). Proving "from the whole library" (without pre-selecting suitable premises) is obviously harder, and requires combination with Google-like techniques.

> Since you're a Mizar expert, can you compare this to Mizar or miz3:
>
>    In some parts of math, systems like Waldmeister and Prover9 already
>    produce fairly astounding results, like the proof of the Robbins
>    conjecture (http://en.wikipedia.org/wiki/Robbins_algebra).
>
> There's no way I'll believe that Mizar would prove the Robbins conjecture without the user writing a very long proof. I'm skeptical that no-tactics miz3 could replicate the Waldmeister/Prover9 feat if we stopped imposing limits to stop miz3's search "prematurely," to paraphrase Michael.

Mizar "by" (and thus holby) are explicitly limited by design to understand only "obvious inferences" (google it, Martin Davis and Piotr Rudnicki have old papers on this). MESON is a complete ATP, but very poor in equational reasoning, which is crucial for Robbins. But today, when we know how to prove Robbins, it probably (my speculation) would not be so hard to write a small (say Prolog) equational prover that would prove Robbins in a reasonable time.

Btw., the original proof of Robbins was re-factored semiautomatically by Ingo Dahn, and then formalized by Adam Grabowski in Mizar (and the Mizar proof is not long - perhaps one article).

Best,
Josef

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Michael Norrish - 2012-07-21 09:18

On 21/07/2012, at 14:49, Bill Richter wrote:

> The miz3 proof is almost as quick, with a MESON 'solved at' number of 23088. The clear moral of your example is that if one uses no-tactics miz3 to solve logic puzzle like this, then miz3 (using MESON) can astound us, proving things we can't easily prove by ourselves.

The reason those numbers are so similar is that the underlying technology is basically the same.

> Now it's dimly possible that one would actually want to have a proof like that in Hilbert axiomatic geometry code,
> So Michael's 'sweet spot' seems to be about what you want to use no-tactics miz3 for. Why am I hitting the sweet spot with my geometry code? And Michael, do they play baseball in Australia?
>

Australia's favourite bat-and-ball game is cricket...

> In fact, let's try the above one right now:
>
> let SupplementsCongAnglesCong_THM = thm `;
>   let alpha beta alpha' beta' be point_set;
>   assume alpha Suppl alpha' /\ beta Suppl beta'     [H1];
>   assume alpha === beta     [H2];
>   thus alpha' === beta'
>
>   proof
>
>   qed     by -`;;
>
> miz3 instantly calculated my #1 inference error, with MESON getting only up to 49.

What if you quote H1, H2 and all of the theorems that you ultimately quoted in the final proof as arguments to "by"? Does miz3 "by" then get it in one step? That's the true test.

Michael

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Michael Norrish - 2012-07-21 09:26

On 21/07/2012, at 13:31, Bill Richter wrote:

> Michael, this is scary:
>
>    If you don't impose any limits to stop its search "prematurely"
>    then the first order prover is capable of proving any theorem that
>    has a proof. Of course, you do also have to prime said prover with
>    the relevant axioms.
>
> You seem to be saying that if we remove all the artificially imposed limits from miz3 then we could prove any one of my 103 theorems with a 1-line proof like this:
>
> let AnyOneOfThem_THM = thm `;
>   assertion
>   proof
>   qed by all the axioms and definitions is a list with commas`;;

> Is that what you're saying? I would be very surprised if this was true. This 1-line proof would be an example of what I meant by "little work." Perhaps the way no-tactics miz3 would become so powerful was that we had "no limit on [Cris's] depth of chaining".

This is absolutely true. As Ramana said, model elimination is "complete", as are the methods used by the other first order provers, like Vampire. We know first order logic to be semi-decidable, so that we know that we can recursively enumerate all of the system's theorems. MESON implements an r.e. method for doing just that. And "by" uses MESON.

I'm not suggesting that this is pragmatically reasonable. In particular, your computer may well run out of memory before it gets to the proof of your theorem.

> Michael, I think miz3's "by" only uses MESON for simple purposes, so it wouldn't matter that much if we were using MESON at full strength. Cris's MESON example about MESON's astounding power doesn't refute my rather vague claim, because Los's example isn't about a miz3 "by" justification involving Hilbert's geometry axioms. Cris may be on to something, though...

"by" invokes MESON in just the same way that you'd invoke it for using its "full power". There's no such thing as "simple purposes". When you say

   x by th1, th2, ...

You set MESON up to prove the goal

   th1 /\ th2 /\ th3 ... ==> x,

which it attempts using "full" MESON (i.e., full first order search). [Claim modulo time-outs and depth-limits etc.]

> There's no way I'll believe that Mizar would prove the Robbins conjecture without the user writing a very long proof. I'm skeptical that no-tactics miz3 could replicate the Waldmeister/Prover9 feat if we stopped imposing limits to stop miz3's search "prematurely," to paraphrase Michael.

Maybe not, but then MESON is not a state of the art first order prover with all of those other systems' smart heuristics. We also don't know how long the users had to wait to have the system actually prove the conjecture.

Michael

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Rob Arthan - 2012-07-21 13:56

On 21 Jul 2012, at 05:49, Bill Richter wrote:

> Cris, your MESON example was illuminating, and I hope someone can tell me what it means. Paste this code from p 36 of John's tutorial into the HOL Light window:
>
> MESON[]
>  `(!x y z. P x y /\ P y z ==> P x z) /\
>   (!x y z. Q x y /\ Q y z ==> Q x z) /\
>   (!x y. P x y ==> P y x) /\
>   (!x y. P x y \/ Q x y)
>   ==> (!x y. P x y) \/ (!x y. Q x y)`;;
>
> MESON solves this logic puzzle (which I still haven't yet solved) quite quickly, and it writes
> ...solved at 23107

Your post inspired me to write up an "intuitive" proof of Los's non-obvious theorem, see https://dl.dropbox.com/u/34693999/nonobv.pdf. As I say in the write-up, whether an "intuitive" proof is better or worse than what an ATP produces is a matter of opinion.

In fact, a fairly mindless approach by a human being will come up with a low-level proof of the non-obvious theorem without too much effort. It took me a lot longer to come up with something that actually feels like it is using the apparent structure in the problem. Specifically, the fact that P is very nearly an equivalence relation seems to a human quite important, but you have to work to get a conceptual proof that exploits that. Human beings deliberately try to find proofs that use familiar concepts. Machines don't need the warm feelings that that gives.

It seems to me that it is a really deep AI challenge to try to produce mechanized theorem proving systems that are usable and don't suffer the Frankenstein effect (whereby the monster you create displays emergent behaviour that goes far beyond your own abilities). This is, I think, what you and Mark Adams and others want for pedagogical purposes and I think it is actually a much, much harder challenge than working towards mechanized theorem proving systems that are "merely" powerful and usable (and include decision procedures and heuristics that go way beyond human capabilities).

In some sense, this issue already arises in mathematics without mechanization: in the foreword to Freek Wiedijk's Seventeen Provers of the World, Dana Scott writes:

'As I have often told students, “Algebra is smarter than you are!” By which I mean that the laws of algebra allow us to make many steps which combine information and hide tracks after simplifications, especially by cancellation. Results can be surprising, as we know from, say, the technique of generating functions.'

Ordinary mathematical practice already involves powerful conceptual tools that have surprising consequences. So I am impressed by endeavours to implement mechanized systems for mathematics that mimic human capability without giving any surprises, but I prefer easier challenges myself!

Regards,
Rob.

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-07-22 09:39

   https://dl.dropbox.com/u/34693999/nonobv.pdf

Congratulations, Rob, I had no idea how to prove Los's non-obvious theorem until I read your solution. I'm not quite satisfied with your exposition, though, and here's a miz3 version of your proof not using your extension P', reflexivity, domain P or range P (isn't dom = ran anyway?). The key is my 'a_works', which I learned from your proof.

#load "unix.cma";;
loadt "miz3/miz3.ml";;
horizon := 0;;

let RobProofLosLogic_THM = thm `;
  let P Q be A->A->bool;
  assume ! x y z. P x y /\ P y z ==> P x z     [Ptrans];
  assume ! x y z. Q x y /\ Q y z ==> Q x z     [Qtrans];
  assume !x y. P x y ==> P y x     [Psym];
  assume !x y. P x y \/ Q x y     [PunionQ];
  thus (!x y. P x y) \/ (!x y. Q x y)

  proof
    assume ~(!x y. Q x y);
    consider a b such that ~Q a b     [notQab] by -;
    P a b     [Pab] by -, PunionQ;
    ! z. P a z     [a_works]
    proof
      assume ~(! z. P a z);
      consider z such that ~P a z     [notPaz] by -;
      ~P b z
      proof
        assume P b z;
        P a z     by Pab, -, Ptrans;
      qed     by -, notPaz;
      ~P z b     by -, Psym;
      Q a z /\ Q z b     by notPaz, -, PunionQ;
      Q a b     by -, Qtrans;
    qed     by -, notQab;
    !x y. P x y
    proof
      let x y be A;
      P a x /\ P a y     by a_works, Psym;
      P x y     by -, Psym, Ptrans;
    qed     by -;
  qed     by -`;;

This is a great example of how it's OK for miz3 to have the theorem-proving power that I was so afraid of. It seems ridiculous to worry that MESON somehow used its power to prove the theorem itself and so my proof is just fluff that MESON is ignoring. I never asked miz3 to prove the theorem from the assumptions. On top of that, miz3 verified this proof almost instantaneously, writing

0..0..1..3..6..solved at 13

while John's proof converted to miz3 gets the MESON solved at number 23088:

let LosLogic_THM = thm `;
  let x y be A;
  let P Q be A->A->bool;
  assume ! x y z. P x y /\ P y z ==> P x z     [H1];
  assume ! x y z. Q x y /\ Q y z ==> Q x z     [H2];
  assume !x y. P x y ==> P y x     [H3];
  assume !x y. P x y \/ Q x y     [H4];
  thus (!x y. P x y) \/ (!x y. Q x y)

  proof
  qed     by H1, H2, H3, H4`;;

In this miz3 proof, I asked miz3 to verify the conclusion from the hypotheses. In the proof, I never did, I only asked miz3 to verify a sequence of claims that lead up to your proof.

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-07-22 10:13

Thanks again, everyone, and I realized how wrong I was last night and performed Michael's exercise:

   What if you quote H1, H2 and all of the theorems that you
   ultimately quoted in the final proof as arguments to "by"? Does
   miz3 "by" then get it in one step? That's the true test.

Below I reproved my first 23 theorems with 1-line proofs of this sort. Arguably they're all pretty obvious results, although one of them earned a MESON solved at number of 849,716. The computer keeps rebooting on my 24th theorem (I've gotten a partial MESON number of 18 million), so I'll report on that later.

I see how I've been so wrong about miz3 & MESON. In my Hilbert axiomatic geometry code, I only asked miz3 to verify logical deductions that I thought were obvious. I never asked miz3 to prove the theorems for me. What I didn't ask for, I didn't get! I draw 2 conclusions:

1) Michael is right: miz3 (using MESON) could conceivably justify any miz3 statement

   x by th1, th2, ...

as long as the implication

   th1 /\ th2 /\ th3 ... ==> x

is actually provable in FOL or maybe HOL. If this implication is provable and miz3 gives a #2 timeouts error, that's only because miz3 is preventing itself from trying hard enough to prove this implication. That's the answer to the theoretical question I needed for my paper: x by th1, th2, ... will be verified if it's true and if miz3 thinks it's "easy enough".

2) Thus even non-tactics miz3 can be used to try to prove theorems rather than to verify proofs. This doesn't affect my educational scheme of high school students coding up their rigorous axiomatic geometry proofs in miz3. If miz3 verifies a student's proof, and I think the proof is too short, I can ask the student for more details. Math is always like that.

Josef, I looked at your code http://bit.ly/KfuypA, and it doesn't look short. Let me ask you again: did you code up short Vampire proofs of my Tarski results, something like the 1-line proofs I have below (after the almost 200 lines of definition and axioms)?

--
Best,
Bill

horizon := 0;;
timeout := 1000;;

new_type("point",0);;
new_type_abbrev("point_set",`:point->bool`);;
new_constant("Between",`:point->point->point->bool`);;
new_constant("Line",`:point_set->bool`);;
new_constant("===",`:(point->bool)->(point->bool)->bool`);;

parse_as_infix("cong",(12, "right"));;
parse_as_infix("same_side",(12, "right"));;
parse_as_infix("===",(12, "right"));;
parse_as_infix("<_seg",(12, "right"));;
parse_as_infix("<_ang",(12, "right"));;
parse_as_infix("Suppl",(12, "right"));;
parse_as_infix("NOTIN",(11, "right"));;

let NOTIN = new_definition
  `!a:A l:A->bool. a NOTIN l <=> ~(a IN l)`;;

let Interval_DEF = new_definition
  `! A B X. open (A,B) X <=> Between A X B`;;

let Collinear_DEF = new_definition
  `Collinear A B C <=>
   ? l. Line l /\ A IN l /\ B IN l /\ C IN l`;;

let SameSide_DEF = new_definition
  `A,B same_side l <=>
   Line l /\ ~(? X. (X IN l) /\ X IN open (A,B))`;;

let Ray_DEF = new_definition
  `! A B X. ray A B X <=>
   ~(A = B) /\ Collinear A B X /\ A NOTIN open (X,B)`;;

let Ordered_DEF = new_definition
  `ordered A B C D <=>
   B IN open (A,C) /\ B IN open (A,D) /\ C IN open (A,D) /\ C IN open (B,D)`;;

let InteriorAngle_DEF = new_definition
  `! A O B P. int_angle A O B P <=>
   ~Collinear A O B /\ ? a b.
   Line a /\ O IN a /\ A IN a /\ Line b /\ O IN b /\ B IN b /\
   P NOTIN a /\ P NOTIN b /\ P,B same_side a /\ P,A same_side b`;;

let InteriorTriangle_DEF = new_definition
  `! A B C P. int_triangle A B C P <=>
   P IN int_angle A B C /\ P IN int_angle B C A /\ P IN int_angle C A B`;;

let Tetralateral_DEF = new_definition
  `Tetralateral A B C D <=>
   ~(A = B) /\ ~(A = C) /\ ~(A = D) /\ ~(B = C) /\ ~(B = D) /\ ~(C = D) /\
   ~Collinear A B C /\ ~Collinear B C D /\ ~Collinear C D A /\ ~Collinear D A B`;;

let Quadrilateral_DEF = new_definition
  `Quadrilateral A B C D <=>
   Tetralateral A B C D /\
   open (A,B) INTER open (C,D) = {} /\
   open (B,C) INTER open (D,A) = {} `;;

let ConvexQuad_DEF = new_definition
  `ConvexQuadrilateral A B C D <=>
   Quadrilateral A B C D /\
   A IN int_angle B C D /\ B IN int_angle C D A /\
   C IN int_angle D A B /\ D IN int_angle A B C `;;

let Segment_DEF = new_definition
  `seg A B = {A, B} UNION open (A,B)`;;

let SEGMENT = new_definition
  `Segment s <=> ? A B. s = seg A B /\ ~(A = B)`;;

let SegmentOrdering_DEF = new_definition
  `s <_seg t <=>
   Segment s /\
   ? C D X. t = seg C D /\ X IN open (C,D) /\ s === seg C X`;;

let Angle_DEF = new_definition
  ` angle A O B = ray O A UNION ray O B `;;

let ANGLE = new_definition
  `Angle alpha <=> ? A O B. alpha = angle A O B /\ ~Collinear A O B`;;

let AngleOrdering_DEF = new_definition
  `alpha <_ang beta <=>
   Angle alpha /\
   ? A O B G. ~Collinear A O B /\ beta = angle A O B /\
   G IN int_angle A O B /\ alpha === angle A O G`;;

let RAY = new_definition
  `Ray r <=> ? O A. ~(O = A) /\ r = ray O A`;;

let TriangleCong_DEF = new_definition
  `! A B C A' B' C' :point. (A, B, C) cong (A', B', C') <=>
   ~Collinear A B C /\ ~Collinear A' B' C' /\
   seg A B === seg A' B' /\ seg A C === seg A' C' /\ seg B C === seg B' C' /\
   angle A B C === angle A' B' C' /\
   angle B C A === angle B' C' A' /\
   angle C A B === angle C' A' B'`;;

let SupplementaryAngles_DEF = new_definition
  `! alpha beta. alpha Suppl beta <=>
   ? A O B A'. ~Collinear A O B /\ O IN open (A,A') /\
   alpha = angle A O B /\ beta = angle B O A'`;;

let RightAngle_DEF = new_definition
  `! alpha. Right alpha <=>
   Angle alpha /\ ? beta. alpha Suppl beta /\ alpha === beta`;;

let PlaneComplement_DEF = new_definition
  `! A:point alpha:point_set. complement alpha P <=> P NOTIN alpha`;;

let CONVEX = new_definition
  `Convex alpha <=>
   ! A B. A IN alpha /\ B IN alpha ==> open (A,B) SUBSET alpha`;;

(* ----------------------------------------------------------------- *)
(* The axioms.                                                       *)
(* ----------------------------------------------------------------- *)

let I1 = new_axiom
  `! A B. ~(A = B) ==> ?! l. Line l /\ A IN l /\ B IN l`;;

let I2 = new_axiom
  `! l. ? A B. Line l /\ A IN l /\ B IN l /\ ~(A = B)`;;

let I3 = new_axiom
  `? A B C. ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ ~Collinear A B C`;;

let B1 = new_axiom
  `! A B C. Between A B C ==>
   ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ Between C B A /\ Collinear A B C`;;

let B2 = new_axiom
  `! A B. ~(A = B) ==> ? C. Between A B C`;;

let B3 = new_axiom
  `! A B C. ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ Collinear A B C ==>
   (Between A B C \/ Between B C A \/ Between C A B) /\
   ~(Between A B C /\ Between B C A) /\
   ~(Between A B C /\ Between C A B) /\
   ~(Between B C A /\ Between C A B)`;;

let B4 = new_axiom
  `! l A B C. Line l /\ ~Collinear A B C /\
   A NOTIN l /\ B NOTIN l /\ C NOTIN l /\
   (? X. X IN l /\ Between A X C) ==>
   (? Y. Y IN l /\ Between A Y B) \/ (? Y. Y IN l /\ Between B Y C)`;;

let C1 = new_axiom
  `! s O Z. Segment s /\ ~(O = Z) ==>
   ?! P. P IN ray O Z DELETE O /\ seg O P === s`;;

let C2Reflexive = new_axiom
  `Segment s ==> s === s`;;

let C2Symmetric = new_axiom
  `Segment s /\ Segment t /\ s === t ==> t === s`;;

let C2Transitive = new_axiom
  `Segment s /\ Segment t /\ Segment u /\ s === t /\ t === u ==> s === u`;;

let C3 = new_axiom
  `! A B C A' B' C'. B IN open (A,C) /\ B' IN open (A',C') /\
   seg A B === seg A' B' /\ seg B C === seg B' C' ==>
   seg A C === seg A' C'`;;

let C4 = new_axiom ! alpha O A l Y. Angle alpha /\ ~(O = A) /\ Line l /\ O IN l /\ A IN l /\ Y NOTIN l ==> ?! r. Ray r /\ ? B.
~(O = B) /\ r = ray O B /\ B NOTIN l /\ B,Y same_side l /\ angle A O B === alpha;; let C5Reflexive = new_axiom Angle alpha ==> alpha === alpha;; let C5Symmetric = new_axiom Angle alpha /\ Angle beta /\ alpha === beta ==> beta === alpha;; let C5Transitive = new_axiom Angle alpha /\ Angle beta /\ Angle gamma /\ alpha === beta /\ beta === gamma ==> alpha === gamma;; let C6 = new_axiom ! A B C A' B' C'. ~Collinear A B C /\ ~Collinear A' B' C' /\ seg B A === seg B' A' /\ seg B C === seg B' C' /\ angle A B C === angle A' B' C' ==> angle B C A === angle B' C' A';; (* ----------------------------------------------------------------- *) (* Theorems. *) (* ----------------------------------------------------------------- *) let B1' = thm ; ! A B C. B IN open (A,C) ==> ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ B IN open (C,A) /\ Collinear A B C by IN, Interval_DEF, B1;; let B2' = thm ; ! A B. ~(A = B) ==> ? C. B IN open (A,C) by IN, Interval_DEF, B2;; let B3' = thm ; ! A B C. ~(A = B) /\ ~(A = C) /\ ~(B = C) /\ Collinear A B C ==> (B IN open (A,C) \/ C IN open (B,A) \/ A IN open (C,B)) /\ ~(B IN open (A,C) /\ C IN open (B,A)) /\ ~(B IN open (A,C) /\ A IN open (C,B)) /\ ~(C IN open (B,A) /\ A IN open (C,B)) by IN, Interval_DEF, B3;; let B4' = thm ; ! l A B C. Line l /\ ~Collinear A B C /\ A NOTIN l /\ B NOTIN l /\ C NOTIN l /\ (? X. X IN l /\ X IN open (A,C)) ==> (? Y. Y IN l /\ Y IN open (A,B)) \/ (? Y. Y IN l /\ Y IN open (B,C)) by B4, IN, Interval_DEF;; let B4'' = thm ; let l be point_set; let A B C be point; assume Line l [H0]; assume ~Collinear A B C /\ A NOTIN l /\ B NOTIN l /\ C NOTIN l [H1]; assume A,B same_side l /\ B,C same_side l [H2]; thus A,C same_side l by H0, H1, H2, B4', IN, SameSide_DEF;; let BiggerThanSingleton_THM = thm ; let p be A->bool; let x be A; assume x IN p [H1]; assume ~(p = {x}) [H2]; thus ? a . 
a IN p /\ ~(a = x) by H1, H2, SING_SUBSET, SUBSET_ANTISYM, SUBSET, NOTIN, IN_SING;; let DisjointOneNotOther_THM = thm ; let x be A; let l m be A->bool; assume l INTER m = {} [H1]; assume x IN m [H2]; thus x NOTIN l proof qed by H1, H2, NOTIN, IN_INTER, NOT_IN_EMPTY;; let IntersectionSingletonOneNotOther_THM = thm ; let e x be A; let l m be A->bool; assume l INTER m = {x} [H1]; assume e IN l [H2]; assume ~(e = x) [H3]; thus e NOTIN m by H1, H2, H3, NOTIN, IN_INTER, IN_SING;; let EquivIntersectionHelp_THM = thm ; let e x be A; let l m be A->bool; assume l INTER m = {x} [H1]; assume e IN m DELETE x [H2]; thus e NOTIN l by H1, H2, NOTIN, IN_DELETE, IntersectionSingletonOneNotOther_THM;; let SubsetTensor_THM = thm ; let a b s be A->bool; assume a SUBSET b [H1]; thus a INTER s SUBSET b INTER s /\ s INTER a SUBSET s INTER b by H1, INTER_SUBSET, SUBSET_TRANS, SUBSET_INTER;; let NonemptySubsetSing_THM = thm ; let a be A; let l be A->bool; assume ~(l = {}) [H1]; assume l SUBSET {a} [H2]; thus a IN l by H1, H2, MEMBER_NOT_EMPTY, SUBSET, IN_SING;; let CollinearSymmetry_THM = thm ; let A B C be point; assume Collinear A B C [H1]; thus Collinear A C B /\ Collinear B A C /\ Collinear B C A /\ Collinear C A B /\ Collinear C B A by H1, Collinear_DEF;; let OnePointImpliesAnother_THM = thm ; let P be point; thus ? Q:point. ~(Q = P) by I3;; let ExistsPointOffLine_THM = thm ; let l be point_set; assume Line l [H1]; thus ? Q:point. 
Q NOTIN l by H1, I3, NOTIN, Collinear_DEF;; let BetweenLinear_THM = thm ; ::solved at 849,716 let A B C be point; let m be point_set; assume Line m /\ A IN m /\ C IN m [H1]; assume B IN open (A,C) \/ C IN open (B,A) \/ A IN open (C,B) [H2]; thus B IN m by H1, H2, B1', Collinear_DEF, I1;; let CollinearLinear_THM = thm ; let A B C be point; let m be point_set; assume Line m /\ A IN m /\ C IN m [H1]; assume Collinear A B C \/ Collinear B C A \/ Collinear C A B [H2]; assume ~(A = C) [H3]; thus B IN m by H1, H2, H3, Collinear_DEF, I1;; let SameSideDisjointIntersection_THM = thm ; ! l A B. Line l ==> (A,B same_side l <=> open (A,B) INTER l = {}) by IN_INTER, SameSide_DEF, MEMBER_NOT_EMPTY;; let NonCollinearImpliesDistinct_THM = thm ; ::solved at 1,050,293 let A B C be point; assume ~Collinear A B C [H1]; thus ~(A = B) /\ ~(A = C) /\ ~(B = C) by H1, OnePointImpliesAnother_THM, I1, Collinear_DEF;; let OpenIntervalSubsetLine_THM = thm ; let A B be point; let l be point_set; assume Line l /\ A IN l /\ B IN l [H1]; thus open (A,B) SUBSET l by H1, BetweenLinear_THM, SUBSET;; let SameSideDisjointLines_THM = thm ; let l m be point_set; let A B be point; assume Line m /\ A IN m /\ B IN m [m_line]; assume Line l [l_line]; assume m INTER l = {} [Disjoint]; thus A NOTIN l /\ B NOTIN l /\ A,B same_side l by m_line, l_line, Disjoint, IN_INTER, MEMBER_NOT_EMPTY, NOTIN, OpenIntervalSubsetLine_THM, SubsetTensor_THM, SUBSET_EMPTY, SameSideDisjointIntersection_THM;; let Reverse4Order_THM = thm ; let A B C D be point; assume ordered A B C D [H1]; thus ordered D C B A by H1, Ordered_DEF, B1';; let OriginInRay_THM = thm ; let O Q be point; assume ~(Q = O) [H1]; thus O IN ray O Q by H1, B1', NOTIN, I1, Collinear_DEF, IN, Ray_DEF;; let EndpointInRay_THM = thm ; let O Q be point; assume ~(Q = O) [H1]; thus Q IN ray O Q by H1, B1', NOTIN, I1, Collinear_DEF, IN, Ray_DEF;; 

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Josef Urban - 2012-07-22 11:20

Hi Bill,

> Josef, I looked at your code http://bit.ly/KfuypA, and it doesn't look short.

I did not say it is my proof code, only that you can see Vampire in action by clicking the icons. It is your Mizar article, piped through a html-izer (and behind the scenes, also through an ATP problem generator).

> Let me ask you again: did you code up short Vampire proofs of my Tarski results, something like the 1-line proofs I have below (after the almost 200 lines of definition and axioms)?

Yes, but I only coded the translation of your Mizar formulas to an ATP (TPTP) format, see e.g. http://mws.cs.ru.nl/~mptp/cgi-bin/showtmpfile.cgi?file=problems/joe/joe__166_44&tmp=Ep6tU6 for your first theorem. I did not "code the Vampire proofs". ATP stands for automated theorem prover: the proofs are found (or "coded" as you say) automatically. The same thing as MESON does for you in HOL.

Josef

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-07-22 21:28

So I now finally understand that no-tactics miz3 can be used as a theorem-prover, but that I was not doing so: miz3 and MESON won't try to prove anything except my statements
   x by th1, th2, ...
and only by trying to build a FOL proof of the implication
   th1 /\ th2 /\ th3 ... ==> x
then as long as my statements "x by th1, th2, ..." seem obvious to me, I run only a very minor risk of miz3 doing something really smart that I don't understand. That's great, and thanks to everyone for helping me understand this.

I'm curious about using no-tactics miz3 or any other proof assistant to produce 1-line proofs, though. I'm not doing very well with miz3, and I suppose that's a good thing. I set the timeout pretty high
   timeout := 4000;;
and I timed out (on an old slow machine) at 18 & 26 million in trying to convert some pretty simple proofs to 1-line proofs (original proofs commented out):

let Line01infinity_THM = thm `;
  :: #2 timeout at 18,678,485
  let X be point;
  let l m be point_set;
  assume Line l /\ Line m [H0];
  assume ~(l = m) [H1];
  assume X IN l /\ X IN m [H2];
  thus l INTER m = {X}
  :: proof
  ::   assume ~(l INTER m = {X}) [H3];
  ::   X IN l INTER m by H2, IN_INTER;
  ::   consider A such that
  ::   A IN l INTER m /\ ~(A = X) [X1] by -, H3, BiggerThanSingleton_THM;
  ::   A IN l /\ X IN l /\ A IN m /\ X IN m by H0, -, H2, IN_INTER;
  ::   l = m by H0, -, X1, I1;
  ::   F by -, H1;
  :: qed by -
  by H0, H1, H2, IN_INTER, BiggerThanSingleton_THM, I1`;;

let SameSideLinesIntersect1Point_THM = thm `;
  :: #2 timeout at 26,338,897
  let A B X be point;
  let l m be point_set;
  assume Line l /\ Line m [H0];
  assume l INTER m = {X} [H1];
  assume A IN m DELETE X /\ B IN m DELETE X [H2];
  assume ~(A,B same_side l) [H3];
  thus A NOTIN l /\ B NOTIN l /\ X IN open (A,B)
  :: proof
  ::   A NOTIN l /\ B NOTIN l [notABl] by H1, H2, EquivIntersectionHelp_THM;
  ::   A IN m /\ B IN m /\ ~(A = X) /\ ~(B = X) [H2'] by H2, IN_DELETE;
  ::   ~(open (A,B) INTER l = {}) [nonempty] by H0, H3, SameSideDisjointIntersection_THM;
  ::   open (A,B) SUBSET m [ABm] by H0, H2', OpenIntervalSubsetLine_THM;
  ::   open (A,B) INTER l SUBSET {X} by -, SubsetTensor_THM, H1, INTER_COMM;
  ::   X IN open (A,B) INTER l by nonempty, -, NonemptySubsetSing_THM;
  :: qed by notABl, -, IN_INTER
  by H0, H1, H2, H3, EquivIntersectionHelp_THM, IN_DELETE,
  SameSideDisjointIntersection_THM, OpenIntervalSubsetLine_THM,
  SubsetTensor_THM, INTER_COMM, NonemptySubsetSing_THM, IN_INTER`;;

I think everyone will agree that these two results look pretty obvious. Line01infinity_THM says that if a point X belongs to two distinct lines l and m, then l INTER m = {X}. That's just axiom I1, two points determine a line. The next result says that if l INTER m = {X} and points A, B on m are on opposite sides of l, then X must be between A and B. If MESON can't prove that in 26 million whatevers, then I think I agree with Ramana and Michael that MESON isn't the top FOL prover. I bet I could do a lot better if I learned how to use HOL tactics. I'm interested in seeing if some better FOL prover would verify such 1-line proof versions of most of my result.

Josef, let me try again. I apologize for not knowing the terminology or anything about Vampire. Would there be a way to turn my 971 lines of Tarski code http://www.math.northwestern.edu/~richter/TarskiAxiomGeometryCurry.ml (which for Freek I made all my predicates official curried HOL functions, in order to show that holby is weaker than Mizar) into say 150 lines of 1-line proofs that a top FOL prover would then verify? I think you did something like, but don't have the 150 line file.

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Josef Urban - 2012-07-23 08:35

Hi Bill,

> Josef, let me try again. I apologize for not knowing the terminology or anything about Vampire. Would there be a way to turn my 971 lines of Tarski code http://www.math.northwestern.edu/~richter/TarskiAxiomGeometryCurry.ml (which for Freek I made all my predicates official curried HOL functions, in order to show that holby is weaker than Mizar) into say 150 lines of 1-line proofs that a top FOL prover would then verify? I think you did something like, but don't have the 150 line file.

Yes. But I do it now only for Mizar, and I told you the results (the shortening would be about 1400 lines of your Mizar code to some 300, if ATPs could prove everything). We (mostly Cezary Kaliszyk) might have a similar bridge to ATPs for HOL Light quite soon (but don't ask me to try it now :-).

If you want to experiment in this direction, Isabelle has currently the most polished bridge to ATPs, ask there. Or you can also try the bridge to Prover9 by John Harrison, which already works in HOL Light (again, don't ask me how, I only saw the code there :-).

Best,
Josef

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-07-24 05:35

   But I do it now only for Mizar, and I told you the results (the shortening would be about 1400 lines of your Mizar code to some 300, if ATPs could prove everything).

Josef, that's great, and Mizar is fine. Can you show me your 300 lines of Mizar code, and tell me how to run it on Vampire? Why not even make it shorter by taking out Gupta's theorem etc which Vampire won't prove in one line? I see there's prover9 stuff in the HOL Light distribution, e.g. hol_light/Examples/prover9.ml.

I think you're pointing to something I need to explain in my geometry paper, which we might call the difference between ATPs and Mizar. Now ATP means Automated theorem prover? So Mizar is not an ATP, but as it only checks quite detailed proofs? I want to say that miz3 can be used as an ATP, unlike Mizar, but miz3 isn't a very efficient ATP (taking maybe 3 hours to prove my simple result Line01infinity2_THM which is just a set-theoretic restatement of the uniqueness part of axiom I1, 2 points uniquely determine a line), and vampire or prover9 is a much more efficient ATP.

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Josef Urban - 2012-07-24 05:58

On Tue, Jul 24, 2012 at 6:41 AM, Bill Richter wrote:
> But I do it now only for Mizar, and I told you the results (the
> shortening would be about 1400 lines of your Mizar code to some 300,
> if ATPs could prove everything).
>
> Josef, that's great, and Mizar is fine. Can you show me your 300 lines of Mizar code,

Just remove all the toplevel proof ... end blocks in your original Mizar article.

> and tell me how to run it on Vampire?

I did: click the red/black icons in that html-ized version. For a longer story and Emacs access, read http://arxiv.org/pdf/1109.0616 .

Best,
Josef (I am probably not doing email in the next two weeks)

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Freek Wiedijk - 2012-07-24 11:00

Hi Michael,

>miz3's "by" is just an invocation of MESON but with,
>as I understand, a time limit imposed.

FWIW, one can turn off the time limit by setting "timeout" to -1. This is useful for example if one wants to recheck a proof that is known to be correct on a slow computer.

Of course, if a miz3 proof contains a tactic that doesn't terminate, then with this setting the checking of that proof won't terminate either.

Freek

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Freek Wiedijk - 2012-07-24 11:03

Hi Ramana,

>Isn't MESON (without limits) complete?

I think it's complete for first order logic (although I'm not completely sure about whether it's complete for first order logic with equality). However, we're in a higher order logic here, right? So I guess it won't be complete for the HOL logic?

>I think the only question is how long you would be willing
>to wait for each proof, and possibly how much memory
>you have.

I think the difference between undecidable and infeasible is overrated :-)

Freek

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Freek Wiedijk - 2012-07-24 11:23

Hi Bill,

>MESON[]
>`(!x y z. P x y /\ P y z ==> P x z) /\
>(!x y z. Q x y /\ Q y z ==> Q x z) /\
>(!x y. P x y ==> P y x) /\
>(!x y. P x y \/ Q x y)
>==> (!x y. P x y) \/ (!x y. Q x y)`;;
>
>MESON solves this logic puzzle (which I still haven't yet
>solved) quite quickly, and it writes
>...solved at 23107
>
>let LosLogic_THM = thm `;
>  let x y be A;
>  let P Q be A->A->bool;
>  assume ! x y z. P x y /\ P y z ==> P x z [H1];
>  assume ! x y z. Q x y /\ Q y z ==> Q x z [H2];
>  assume !x y. P x y ==> P y x [H3];
>  assume !x y. P x y \/ Q x y [H4];
>  thus (!x y. P x y) \/ (!x y. Q x y)
>
>  proof
>  qed by H1, H2, H3, H4`;;
>
>The miz3 proof is almost as quick, with a MESON "solved at"
>number of 23088.

Actually 23088 is _smaller_ than 23107, so I don't know what you mean with "almost as quick" :-)

I have been trying to understand where the difference between 23107 and 23088 comes from. The reason is that MESON gets as its argument a list of thms corresponding to H1 until H4, instead of getting them as antecedents of an implication:

# MESON [ASSUME `!x:A y:A z:A. P x y /\ P y z ==> P x z`;
         ASSUME `!x:A y:A z:A. Q x y /\ Q y z ==> Q x z`;
         ASSUME `!x:A y:A. P x y ==> P y x`;
         ASSUME `!x:A y:A. P x y \/ Q x y`]
    `(!x:A y:A. P x y) \/ (!x:A y:A. Q x y)`;;
0..0..2..7..16..30..48..72..108..168..236..340..516..702..918..1260..1660..2098..2716..3438..4298..5528..6944..8594..11052..13780..16742..20862..solved at 23088
val it : thm =
  !x y z. P x y /\ P y z ==> P x z, !x y z. Q x y /\ Q y z ==> Q x z,
  !x y. P x y ==> P y x, !x y. P x y \/ Q x y
  |- (!x y. P x y) \/ (!x y. Q x y)
#

So there's the 23088 again, see?

Freek

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-07-25 06:35

Freek, thanks for spotting my arithmetic error, and that was clever of you to figure out where the smaller MESON number for the miz3 proof came from. I'd like your opinion on some of the cool stuff I learned from Michael, Ramana, Cris and Rob:

1) Miz3 is definitely more powerful than Mizar, and miz3 can even be used as a 1-line proof theorem-prover, although it does not seem to be very efficient.

2) Given a statement
   x by th1, th2, ...;
miz3 tries to construct (using MESON among other things) an FOL proof of the implication
   th1 /\ th2 /\ th3 ... ==> x
Nothing limits the power of miz3 to prove such statements other than "heuristics", not only of MESON but because of timeouts and e.g. depth limitations imposed.

3) This to-me unexpected power of miz3 shouldn't affect any plans to use miz3 in education, e.g. my plans to use miz3 in high school Geometry courses.

It's like the converse of Jesus's slogan "Ask and you shall receive." Miz3 won't do what you don't ask it to do! If the theorem is an implication, and you ask miz3 to prove the statement
   qed by antecedents;;
it may do so, and we've seen interesting examples here recently. If the user only uses miz3, as I do, to justify statements that appear obvious to them, then I think miz3 is fine. The more-or-less unlimited MESON power should allow miz3 to, in a reasonable time, to prove what looks obvious to us. There's no precise mathematical meaning of obvious. If someone codes up a miz3 proof that works, and we don't understand their proof, we can ask them for more details, just like we'd ask a human for more details. The only difference is that now we can ask the human miz3-user to code up the extra details, and we can see that miz3 justified these as well.

I found it very illuminating that when I coded up in miz3 Rob's proof of the logic puzzle, the MESON "solved at" number was far lower than 23088:
   0..0..1..3..6..solved at 13

There's a question that nobody seemed to know the answer to, but I hope you do. Does miz3 do anything else to limit its power other than with the variable timeout, which you explained to me how to change long ago? Does miz3 impose e.g. any depth limitations on MESON?

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Ramana Kumar - 2012-07-25 06:52

On Fri, Jul 6, 2012 at 12:54 PM, Save seecs wrote:

> Dear Ramana ,
>
> I want to know that what is the procedure to use (.....) in HOL when we
> require to verify our theorem.
>
> For example: when we deals in proof with summation such as
>
> a* (1- rn) / (1-r) = a + ar +ar2 + ar3+……….+a(r)n-1
>
> I want to know that R.HS we have dots (.....) so how to cater with this
> problem using HOL during proving our goal. I will be looking forward to
> your kind reply
>

Did you figure this out? The short answer is: use SUM_IMAGE in pred_setTheory, or use recursion to define your own function to do the summation.

>
> On Fri, Jul 6, 2012 at 12:20 AM, Ramana Kumar
>> OK I guess your problem is that you don't know how powerful (in the
>> automation dimension) each of the miz3 keywords is, so you wouldn't know
>> which ones to include in your restricted set anyway.
>> For that you will have to search for documentation, read the miz3 code,
>> or wait for someone who knows to answer because unfortunately I don't :)
>>
>>
>> On Fri, Jul 6, 2012 at 8:17 AM, Ramana Kumar
>>
>>> If there are powerful theorem provers that can prove every result in the
>>> course, you should think hard about the value you are imparting to your
>>> students by making them write proofs in a restricted language, and design
>>> that language accordingly.
>>>
>>> I feel like maybe you didn't understand what I said, so let me try one
>>> thing again: miz3 is an OCaml library that defines a bunch of functions and
>>> stuff that make up what looks like a proof language, but ultimately the
>>> proofs that are checked by the proof assistant are the low level higher
>>> order logic proofs that those functions create. The proof assistant does
>>> not care whether they were generated by miz3 functions or by MESON or by
>>> anything else: in fact, it does not know! Perhaps it would be instructive
>>> for me to show you the OpenTheory proof for one of your theorems, that is,
>>> a proof you might have thought you never wrote but actually is what is
>>> generated - if so, let me know and I'll try to get Joe's proof-logging fork
>>> to run your code some time.
>>>
>>> It sounds like what you want is control over which functions your
>>> students are allowed to call when they're trying to write proof scripts
>>> (that is, code to create low level HOL proofs).
>>> Well, that's easy: write down the list of functions (or miz3 keywords or
>>> whatever) that you want them to be allowed to use, make an OCaml module out
>>> of it, tell them to import that module and forbid them (verbally, or
>>> manually, or you could write a script to check their source files if you
>>> don't trust them) from importing anything else or from defining their own
>>> functions.
>>>
>>>
>>> On Fri, Jul 6, 2012 at 7:44 AM, Bill Richter <
>>> richter@...> wrote:
>>>
>>>> Thanks, Ramana! You explain very well I think how I could check what
>>>> proofs I'm getting, and why HOL Light is reliable. That's really
>>>> valuable information, but it's not what I want. Let me try again.
>>>>
>>>> The fact that HOL Light (using miz3) checks my proofs conclusively
>>>> tells me that my theorems are correct. I just proved a new one:
>>>>
>>>> OrderedCongruentAngles_THM : thm =
>>>> |- ∀ A O B A' O' B' G.
>>>> ¬Collinear A O B ∧ ¬Collinear A' O' B'
>>>> ⇒ angle A O B ≡ angle A' O' B'
>>>> ⇒ G ∈ int_angle A O B
>>>> ⇒ (∃G'. G' ∈ int_angle A' O' B' ∧ angle A O G ≡ angle A' O' G')
>>>>
>>>>
>>>> http://www.math.northwestern.edu/~richter/RichterHOL-LightMiz3HilbertAxiomGeometry.tar.gz
>>>> I'm not worried that the theorem might actually be false.
>>>>
>>>> My question is: What kind of proof is miz3 saying I have? Recall that
>>>> my long-term purpose is to teach a rigorous axiomatic high school
>>>> Geometry course. There must be powerful theorem provers that could
>>>> prove every result in the course! Josef got Vampire to prove most of
>>>> my Tarski miz3 results. So I'd like to know that miz3 isn't powerful
>>>> enough to make it useless for teaching Geometry! I think miz3 is just
>>>> about right, from my experience of 2350 lines of Hilbert axiomatic
>>>> code and 985 lines of Tarski code, but I'll never be sure until I know
>>>> what miz3 calls a proof. Part of the problem is that there's no
>>>> documentation for exactly what a Mizar proof is. Again, from my
>>>> original Tarski code experience, I think Mizar is about the right
>>>> level of power. But I don't know, and can't explain it in my paper.
>>>>
>>>> So I can read "fusion.ml", and kananaskis-7-logic-1.pdf, as you
>>>> suggested, and learn what a HOL proof. That's great. But miz3 proofs
>>>> are much simpler. John's book (which I haven't understood yet)
>>>> clearly explains (I think) what John means by a Mizar-like FOL proof.
>>>> I was hoping someone would explain this to me, and then explain how
>>>> John's purple book Mizar-like FOL compares to miz3. Maybe I'll have
>>>> to explain it myself, after learning it. I have time, as I have 6
>>>> more tough pages in my paper to formalize before I'll submit my paper
>>>> http://www.math.northwestern.edu/~richter/hilbert.pdf
>>>>
>>>> Here's my hazy idea. I more or less know what an FOL proof is, and I
>>>> think writing them down is tedious, and we'd like a proof assistant to
>>>> automate the tedious details (substituting variables etc) , so we're
>>>> left with the interesting part of the FOL proof. I think this is what
>>>> Mizar, John's Mizar-like FOL, and miz3 all do. But I'd like to know
>>>> for sure, and more precisely, exactly what automation they do.
>>>>
>>>> It's never happened that when I "intentionally" wrote up a miz3
>>>> proof, that miz3 proved the theorems before I thought I had completed
>>>> the proof. That's what I want. But once I goofed in my miz3 proof,
>>>> miz3 approved a proof that I didn't think was a proof. Freek
>>>> explained that MESON is quite powerful, and explained how MESON proved
>>>> my result. So as long as I don't goof like that, I'm OK. But could
>>>> my students exploit the power of MESON to hand in miz3 proofs that I
>>>> wouldn't call proofs? I know issues like this get discussed here,
>>>> maybe it's called "malicious" proofs. I'm not really worried about
>>>> malice, and I'd be thrilled to have any students, but the teacher
>>>> ought to know what the proof assistant will accept as a proof.
>>>>
>>>> --
>>>> Best,
>>>> Bill
>>>>
>
> --
> ~Regards
>
> Saqib Khan
> MS-CSE
> Research Assistant @ SAVE
> National University of Science and Technology (NUST)

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-07-26 06:50

Freek, I realized that my new position is that I think I don't agree with Michael, who I believe was saying that miz3 only behaves in a Mizar-like fashion because of limitations you & John imposed on miz3 and the weakness of MESON. If I misquoted Michael, I apologize. My new position is that miz3 is Mizar-like enough for me no matter how powerful miz3 and MESON are. Even if miz3 could quickly prove all my theorems if I asked it to, I can still write up what I call readable proofs, and miz3 will only try to justify my proofs. Miz3 won't on its own steam go prove the theorem.

   >If the user only uses miz3, as I do, to justify statements that
   >appear obvious to them, then I think miz3 is fine.

   Sure. But do you remember that time when you thought that miz3 had accepted a "wrong" proof, when in fact it had just been clever? (Something about a line through two points when it hadn't been given the distinctness of the points?) So even accidentally it might be taking shortcuts that for your own understanding shouldn't have been taken.

Good point, and let's take another look at your excellent explanation, which I'll exposit with this code:

horizon := 0;;
new_type("point",0);;
new_constant("Line",`:point_set->bool`);;

let I1 = new_axiom
  `!A B. ~(A = B) ==> ?! l. Line l /\ A IN l /\ B IN l`;;

MESON[I1]
  `~(B = C) ==> ?p. Line p /\ A IN p /\ B IN p`;;

let BillBlunder_THM = thm `;
  let A B C be point;
  assume ~(B = C) [H1];
  thus ?p. Line p /\ A IN p /\ B IN p
  by H1, I1`;;

The MESON "solved at" numbers are 2318 and 2319, essentially the same, and I would not consider this to be a Mizar-like proof, as the reasoning is, for me, too difficult. Your explanation, which I accept, is that MESON performed the reasoning in this miz3 proof with MESON "solved at" number 99:

let FreekExplainsMESONReasoning_THM = thm `;
  let A B C be point;
  assume ~(B = C) [H1];
  thus ?p. Line p /\ A IN p /\ B IN p
  proof
    cases;
    suppose A = B [AB];
      ?p. Line p /\ A IN p /\ C IN p by -, H1, I1;
    qed by -, AB;
    suppose ~(A = B) [notAB];
    qed by -, I1;
  end`;;

This example shows that I'm capable of fooling myself into thinking I have simple Mizar-like proofs, when I'm actually making secret leaps like in BillBlunder_THM, because I actually coded up a proof like that. But such is life.

I suppose someone might want a proof assistant that is so weak that if it verifies a proof, then we'll know the reasoning was indeed blitheringly obvious. I did think that miz3 was such a weak proof assistant, and it was a jolt to realize how powerful miz3 actually is. But I don't need such a weak proof assistant. If I'm so dumb that I write up hard proofs and think they're easy proofs, maybe I'm not a good mathematician! And if my students code up proofs with leaps in them that I'm too lazy or stupid to spot, maybe I'm a bad teacher. It's the road to ruin to want our technology to be so good that we don't have to be smart.

--
Best,
Bill
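The idea raised earlier in this thread of a script that checks students' source files, sketched here as an added example (it is not code from any poster, from miz3 or from HOL Light): it counts the `by` clauses in each miz3 theorem and flags theorems handed to the prover in a single `by`, as BillBlunder_THM is. The function names `justifications` and `audit` and the `max_refs` threshold are assumptions of this sketch; the sample theorems are taken from messages in this thread, with the commented-out proof abridged.

```python
import re

# Sample input: three theorems quoted in this thread, written with the
# backquotes miz3 needs around the proof text. "::" starts a miz3 comment.
# The commented-out proof in the third theorem is abridged.
SAMPLE = r"""
let BillBlunder_THM = thm `;
  let A B C be point;
  assume ~(B = C) [H1];
  thus ?p. Line p /\ A IN p /\ B IN p
  by H1, I1`;;

let FreekExplainsMESONReasoning_THM = thm `;
  let A B C be point;
  assume ~(B = C) [H1];
  thus ?p. Line p /\ A IN p /\ B IN p
  proof
    cases;
    suppose A = B [AB];
      ?p. Line p /\ A IN p /\ C IN p by -, H1, I1;
    qed by -, AB;
    suppose ~(A = B) [notAB];
    qed by -, I1;
  end`;;

let Line01infinity_THM = thm `;
  :: #2 timeout at 18,678,485
  let X be point;
  let l m be point_set;
  assume Line l /\ Line m [H0];
  assume ~(l = m) [H1];
  assume X IN l /\ X IN m [H2];
  thus l INTER m = {X}
  :: proof
  ::   assume ~(l INTER m = {X}) [H3];
  ::   l = m by H0, -, X1, I1;
  :: qed by -
  by H0, H1, H2, IN_INTER, BiggerThanSingleton_THM, I1`;;
"""

# let NAME = thm `; ... `;;   (the body itself contains no backquotes)
THEOREM = re.compile(r"let\s+([\w']+)\s*=\s*thm\s*`;(.*?)`;;", re.S)
BY = re.compile(r"\bby\b(.*)", re.S)


def strip_comments(text):
    """Drop miz3 comments, which run from '::' to the end of the line."""
    return "\n".join(line.split("::", 1)[0] for line in text.splitlines())


def justifications(body):
    """Return one list of cited names per `by` clause; '-' is not counted."""
    found = []
    for step in strip_comments(body).split(";"):
        match = BY.search(step)
        if match:
            refs = [r.strip() for r in match.group(1).split(",")]
            found.append([r for r in refs if r and r != "-"])
    return found


def audit(source, max_refs=4):
    """Summarise each theorem; max_refs is an arbitrary teaching threshold.

    A theorem is flagged when the prover was asked only once (a 1-line
    proof) or when any single step cites more than max_refs facts.
    """
    report = {}
    for name, body in THEOREM.findall(source):
        steps = justifications(body)
        one_line = len(steps) == 1
        report[name] = {
            "by_steps": len(steps),
            "max_refs": max((len(s) for s in steps), default=0),
            "one_line": one_line,
            "flag": one_line or any(len(s) > max_refs for s in steps),
        }
    return report


if __name__ == "__main__":
    for name, row in audit(SAMPLE).items():
        print(name, row)
```

The count only records how often the prover was asked, not how hard each request was; the "solved at" numbers quoted in the thread are the measure of that.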

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Michael Norrish - 2012-07-26 10:28 I think you've got my position quite reasonably. On the other hand, I'm not sure I see why you think that it conflicts with your “new position”. Like you, I wouldn't mind if the automatic tactic behind "by" was arbitrarily powerful. Nonetheless, the current implementation of miz3's "by" does seem to emulate the deliberate weaknesses of Mizar's reasoner. Michael On 26/07/2012, at 16:50, Bill Richter wrote: > Freek, I realized that my new position is that think I I don't agree with Michael, who I believe was saying that miz3 only behaves in a Mizar-like fashion because limitations you & John imposed on miz3 and the weakness of MESON. If I misquoted Michael, I apologize. My new position is that miz3 is Mizar-like enough for me no matter how powerful miz3 and MESON are. Even if miz3 could quickly prove all my theorems if I asked it too, I can still write up what I call readable proofs, and miz3 will only try to justify my proofs. Miz3 won't on its own steam go prove the theorem. 

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-07-27 07:21

   I think you've got my position quite reasonably. On the other hand, I'm not sure I see why you think that it conflicts with your “new position”. Like you, I wouldn't mind if the automatic tactic behind "by" was arbitrarily powerful. Nonetheless, the current implementation of miz3's "by" does seem to emulate the deliberate weaknesses of Mizar's reasoner.

Thanks, Michael, that's great. I know I changed my position, and largely because of your criticism, for which I'm grateful. Since you say we're not in conflict, let me go back and re-interpret your post on Wed, 18

   The illusion hangs together because the engineering heuristics that Freek and John have put together mean that the steps that a human thinks should be obvious are ones that the system often accepts too. [...] If you hit the sweet spot, then the system lurking behind "by" doesn't prove so much that the user doesn't learn anything, but isn't so stupid that the human has to provide unnecessary detail.

I think now that you were criticizing the way I used to think of miz3. But I think we now agree that the reason why miz3 is useful is that it's powerful enough that we don't have to provide unnecessary detail, but we produce human readable proofs by not asking miz3 to prove too much.

Maybe you can study the issue of miz3 deliberate weakness with me. Freek pointed out that miz3 calls HOL_BY which calls MESON. Let's go to the hol_light directory. I think that miz3/miz3.ml just says HOL_BY is the prover, and refers us to Examples/holby.ml, which begins with the comment

   (* A HOL "by" tactic, doing Mizar-like things, trying something that is *)
   (* sufficient for HOL's basic rules, trying a few other things like     *)
   (* arithmetic, and finally if all else fails using MESON_TAC[].         *)

That doesn't look like any deliberate weaknesses to me. There are 3 occurrences of MESON_TAC in holby.ml, and I can't understand any of them. I certainly don't see any shackles being put on MESON there. However, as Freek explained to me, MESON has itself a limit, as explained in the reference manual def of GEN_MESON_TAC:

   Normally MESON, MESON_TAC and ASM_MESON_TAC explore the search space by successively increasing a size limit from 0, increasing it by 1 per step and giving up when a depth of 50 is reached. The more general tactic GEN_MESON_TAC allows the user to specify the starting, finishing and stepping value, but is otherwise identical to ASM_MESON_TAC. In fact, that is defined as:

   # let ASM_MESON_TAC = GEN_MESON_TAC 0 50 1;;

I get the impression that MESON, MESON_TAC and ASM_MESON_TAC are much the same thing.

BTW I'm now close to 3000 lines in my miz3 Hilbert axiomatic geometry code http://www.math.northwestern.edu/~richter/RichterHOL-LightMiz3HilbertAxiomGeometry.tar.gz and I just coded up a reasonable proof of the SSS triangle congruence result.

--
Best,
Bill

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Rob Arthan - 2012-07-28 12:15 On 22 Jul 2012, at 10:39, Bill Richter wrote: > https://dl.dropbox.com/u/34693999/nonobv.pdf > > Congratulations, Rob, Thank you! > I had no idea how to prove Los's non-obvious theorem until I read your solution. I'm not quite satisfied with your exposition, though, and here's a miz3 version of your proof not using your extension P', reflexivity, domain P or range P I was using these things because it is typical of how things look in standard textbook mathematics. > (isn't dom = ran anyway?). Yes, but as I had set myself a rigid limit of 1 page, I didn't have room for that particular digression (while I did want to give the right general formula for the field of the relation). > The key is my a_works', which I learned from your proof. > I relaxed my page limit to 2 pages, and added two more proofs to https://dl.dropbox.com/u/34693999/nonobv.pdf. The new proofs are the simple direct and "fairly mindless" one that I referred to in my previous post and one involving a bit of baby model theory to explain why the mindless approach is guaranteed to work, because from the form of the problem one can see that if the theorem were false, there would be a counter-example with at most 4 elements. Your neat proof with a_works implicitly exploits a bit more of the details to reduce to a 3-element counter-example. (When it works, I am actually quite a fan of the device of using counter-example generators like Mace as theorem-provers as it gives a very nice separation of concerns: the human worries about the reduction of infinite problems to finite ones and the machine then worries about the finite problems). Regards, Rob 
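The finite search Rob describes above, as an added example that is not code from the thread: it assumes his stated reduction (a failure of Los's theorem would show up in a model with at most 4 elements), enumerates every candidate P and Q on domains of size 1 to 4, and also shows that dropping the symmetry of P admits a 2-element counter-model. The function names are this example's own.

```python
from itertools import product


def all_pairs(n):
    """All ordered pairs over the domain {0, ..., n-1}."""
    return [(x, y) for x in range(n) for y in range(n)]


def relations(n):
    """Yield every binary relation on {0, ..., n-1} as a frozenset of pairs."""
    pairs = all_pairs(n)
    for bits in product((0, 1), repeat=len(pairs)):
        yield frozenset(p for p, b in zip(pairs, bits) if b)


def is_symmetric(r):
    return all((y, x) in r for (x, y) in r)


def is_transitive(r):
    return all((x, z) in r for (x, y) in r for (w, z) in r if y == w)


def candidates(n, p_symmetric=True):
    """Return (choices for P, choices for Q) on an n-element domain.

    Q ranges over the transitive relations; P ranges over the transitive
    relations that are also symmetric, unless p_symmetric is False.
    """
    transitive = [r for r in relations(n) if is_transitive(r)]
    if p_symmetric:
        return [r for r in transitive if is_symmetric(r)], transitive
    return transitive, transitive


def find_counterexample(max_size, p_symmetric=True):
    """Search domains of size 1..max_size for a counter-model.

    A counter-model is a pair P, Q that meets the hypotheses (P transitive
    and, unless disabled, symmetric; Q transitive; P or Q holds of every
    pair) while neither P nor Q holds of every pair.
    Returns (n, P, Q) for the first one found, or None.
    """
    for n in range(1, max_size + 1):  # HOL types are non-empty, so start at 1
        full = frozenset(all_pairs(n))
        ps, qs = candidates(n, p_symmetric)
        for p in ps:
            if p == full:
                continue
            for q in qs:
                if q != full and (p | q) == full:
                    return n, p, q
    return None


if __name__ == "__main__":
    # With all of Los's hypotheses there is no counter-model up to size 4.
    print("all hypotheses, size <= 4:", find_counterexample(4))
    # Without symmetry of P, a 2-element counter-model appears.
    print("symmetry of P dropped:   ", find_counterexample(4, p_symmetric=False))
```
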

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-07-28 20:32 Thanks, Rob! I'll study your two new proofs and post later. I'm not real happy with my miz3 proof, and have a more direct argument which is longer. I'm hoping you have some good ideas on a better proof. Hey, could you read my miz3 proof, and do you have any comments about coding up proofs that way? -- Best, Bill 

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-07-29 06:28

   https://dl.dropbox.com/u/34693999/nonobv.pdf

Rob, I like your 2nd proof (although I think your 4 cases are about P and not P, instead of P and Q), and it got me thinking, and I now have some understanding of Los's Logic problem. The problem with Los's result is it makes no sense: P is symmetric and transitive, Q is transitive, P or Q is true, show either all P or all Q. Our reaction is What is going on??? That's why it's so impressive you solved it. But I made some progress understanding it:

The result is almost entirely about P, with Q almost being ~P. So let's prove the special case Q = ~P first. That turns out to have a comprehensible proof! Then we just have to fiddle with the proof a bit to handle the general case. Below is my miz3 proof of Los's Logic result, to a large extent a modification of your 2nd proof.

--
Best,
Bill

#load "unix.cma";;
loadt "miz3/miz3.ml";;
horizon := 0;;

let SymTransImpliesSkewTrans_THM = thm `;
  let P be A->A->bool;
  assume ∀ x y z. P x y ∧ P y z ⇒ P x z [Ptrans];
  assume ∀x y. P x y ⇒ P y x [Psym];
  thus ∀ x y z. P x y ∧ ¬P y z ⇒ ¬P x z

  proof
    ∀ x y z. P y x ∧ ¬P y z ⇒ ¬P x z by Ptrans;
  qed by -, Psym`;;

(* That was a comprehensible result I detected in your proof.
   The next result solves Los's problem in case Q = ~P. *)

let RobLosPnotP_THM = thm `;
  let P be A->A->bool;
  assume ∀ x y z. P x y ∧ P y z ⇒ P x z [Ptrans];
  assume ∀ x y z. ¬P x y ∧ ¬P y z ⇒ ¬P x z [notPtrans];
  assume ∀x y. P x y ⇒ P y x [Psym];
  thus (∀x y. P x y) ∨ (∀x y. ¬P x y)

  proof
    ∀ x y z. P x y ∧ ¬P y z ⇒ ¬P x z by Ptrans, Psym, SymTransImpliesSkewTrans_THM;
    ∀ x y z. ¬P y z ⇒ ¬P x z [almost_done] by -, notPtrans;
    assume ¬(∀x y. P x y);
    consider a b such that ¬P a b [notPab] by -;
    ¬P b a [notPba] by -, Psym;
    ∀x y. ¬P x y
    proof
      let x y be A;
      ¬P x a ∧ ¬P y b by notPba, notPab, almost_done;
    qed by -, Psym, notPab, notPtrans;
  qed by -`;;

(* My proof below of Los's result is more complicated than I'd like,
   but it's a straightforward modification of the above comprehensible
   proof. The MESON solved at number 108 is a bit lower than the above
   proof, and I get a strange error miz3 message for I believe some
   step of the proof:
   Warning: No useful-looking instantiations of lemma *)

let LosLogic_THM = thm `;
  let P Q be A->A->bool;
  assume ∀ x y z. P x y ∧ P y z ⇒ P x z [Ptrans];
  assume ∀ x y z. Q x y ∧ Q y z ⇒ Q x z [Qtrans];
  assume ∀x y. P x y ⇒ P y x [Psym];
  assume ∀x y. P x y ∨ Q x y [PunionQ];
  thus (∀x y. P x y) ∨ (∀x y. Q x y)

  proof
    ∀ x y z. ¬P x y ∧ ¬P y z ⇒ Q x z ∧ Q z x [nearnotPtrans] by PunionQ, Qtrans, Psym;
    ∀ x y z. P x y ∧ ¬P y z ⇒ ¬P x z ∧ ¬P z x by Ptrans, Psym, SymTransImpliesSkewTrans_THM, Psym;
    ∀ x y z. P x y ∧ ¬P y z ⇒ Q x z ∧ Q z x by -, PunionQ;
    ∀ x y z. ¬P y z ⇒ Q x z ∧ Q z x [good_enough] by nearnotPtrans, -;
    assume ¬(∀x y. P x y);
    consider a b such that ¬P a b ∧ ¬P b a [notPab] by -, Psym;
    Q a b ∧ Q b a [Qab] by -, Psym, PunionQ;
    ∀x y. Q x y
    proof
      let x y be A;
      Q x a ∧ Q b y by notPab, good_enough;
    qed by -, Qab, Qtrans;
  qed by -`;;

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Rob Arthan - 2012-07-29 14:30 Bill, On 29 Jul 2012, at 07:28, Bill Richter wrote: > https://dl.dropbox.com/u/34693999/nonobv.pdf > > Rob, I like your 2nd proof (although I think your 4 cases are about P and not P, instead of P and Q), My argument does work exactly as stated, but I agree that it is simpler to avoid having overlapping cases by doing the case analysis as you suggest. Thanks for the improvement, which I have adopted in the write-up. > and it got me thinking, and I now have some understanding of Los's Logic problem. The problem with Los's result is it makes no sense: P is symmetric and transitive, Q is transitive, P or Q is true, show either all P or all Q. Our reaction is What is going on??? That's why it's so impressive you solved it. But I made some progress understanding it: > > The result is almost about entirely about P, with Q almost being ~P. So let's prove the case special case Q = ~P first. That turns out to have a comprehensible proof! Then we just have to fiddle with the proof a bit to handle the general case. Below is my miz3 proof of Los's Logic result, to a large extent a modification of your 2nd proof. I am not quite sure exactly what you were trying to achieve here. I would have hoped that miz3 would be able to express my 2nd proof as it stands. Not knowing miz3, I have done the next best things with the tools I do know and done a ProofPower transcription of my 2nd proof with your improvement in a "quasi-declarative" style. See: https://dl.dropbox.com/u/34693999/los-non-obv-proof.pdf I am guessing that you didn't really want to express my 2nd proof as is, but were after a comprehensible proof expressed in miz3. I think one needs to have a comprehensible proof in mind to achieve that and I don't quite see one following your approach. My proof 1 at least has a comprehensible proof strategy, and that may be the best you can hope for. 
Did you not find proof 1 comprehensible? Regards, Rob. 

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-07-30 08:31

   https://dl.dropbox.com/u/34693999/nonobv.pdf

Rob, thanks for the acknowledgment and modifying your proof 2 of Los's Logic result. Sorry for posting my code yesterday with my Isabelle-type fonts still in. I'm including the version which runs in HOL Light. I recommend you learn miz3, and I coded up your proof 2 in miz3 to get you started. I didn't understand your declarative ProofPower proof 2 formalization, but I know mine is a lot shorter.

A word about "the eye of the beholder." Your proof 2 is a simplification of your proof 1, but I still don't see its intuition. I haven't understood your proof 3 yet. So I'm naturally amazed at your work! The intuition for my proof below is that Q is almost ~P, so let's work the special case of Q = ~P, which has an intuitive proof. Since I only thought of this after staring at your proofs for a long time, I have no confidence that I would actually have done this without seeing your proofs first.

Here's something about miz3 cases & skeletons which Freek explained to me that's not in his paper arxiv.org/pdf/1201.3601. It pays to write an outline of your proof before filling in the steps. So when I first started coding up your proof 2, I got this far without thinking:

horizon := 0;;

let RobProof2LosLogic_THM = thm `;
  let P Q be A->A->bool;
  assume ! x y z. P x y /\ P y z ==> P x z [Ptrans];
  assume ! x y z. Q x y /\ Q y z ==> Q x z [Qtrans];
  assume !x y. P x y ==> P y x [Psym];
  assume !x y. P x y \/ Q x y [PunionQ];
  thus (!x y. P x y) \/ (!x y. Q x y)

  proof
    assume ~(!x y. P x y);
    consider a b such that ~P a b /\ ~P b a [notPab] by -, Psym;
    Q a b /\ Q b a [Qab] by -, Psym, PunionQ;
    !x y. Q x y
    proof
      let x y be A;
      cases;
      suppose P x a /\ P b y;
      qed by -;
      suppose ~P x a /\ ~P b y;
      qed by -;
      suppose P x a /\ ~P b y;
      qed by -;
      suppose ~P x a /\ P b y;
      qed by -;
    end;
  qed by -`;;

Miz3 gives me "#1 inference error" after each "qed by -;" of the 4 cases, because I haven't written in the proofs yet. But you'll notice that the proof of "!x y. Q x y" ends with "end;" and not "qed by -;" Otherwise I would get a "#9 syntax error mizar." The reason, Freek explains, I think, is that proving each case exhausts the thesis, so "qed" (which means "thus thesis; end;") wouldn't make sense: there's no thesis anymore! Writing outline proofs first is especially helpful if you have nested cases.

Here's my miz3 formalization of your proof 2, which took 40 minutes after I finished the above outline proof. I agree that your case (iii) is very similar to your case (iv), but it took me a while to see it. You might want to rewrite your proof a bit. Your phrase "x exchanged for y" isn't quite accurate.

#load "unix.cma";;
loadt "miz3/miz3.ml";;
horizon := 0;;

let RobProof2LosLogic_THM = thm `;
  let P Q be A->A->bool;
  assume ! x y z. P x y /\ P y z ==> P x z [Ptrans];
  assume ! x y z. Q x y /\ Q y z ==> Q x z [Qtrans];
  assume !x y. P x y ==> P y x [Psym];
  assume !x y. P x y \/ Q x y [PunionQ];
  thus (!x y. P x y) \/ (!x y. Q x y)

  proof
    assume ~(!x y. P x y);
    consider a b such that ~P a b /\ ~P b a [notPab] by -, Psym;
    Q a b /\ Q b a [Qab] by -, Psym, PunionQ;
    !x y. Q x y
    proof
      let x y be A;
      cases;
      suppose P x a /\ P b y [PxyPby];
        ~P x y
        proof
          assume P x y [Con];
          P a x /\ P y b by PxyPby, Psym;
          P a b by -, Con, Ptrans;
        qed by -, notPab;
        Q x y by -, PunionQ;
      qed by -;
      suppose ~P x a /\ ~P b y;
        Q x a /\ Q b y by -, PunionQ;
      qed by -, Qab, Qtrans;
      suppose P x a /\ ~P b y [Pxy_notPby];
        ~P x b
        proof
          assume P x b;
          P a b by -, Pxy_notPby, Psym, Ptrans;
        qed by -, notPab;
        Q x b /\ Q b y by -, Pxy_notPby, PunionQ;
      qed by -, Qtrans;
      suppose ~P x a /\ P b y;
        P y b /\ ~P a x [Pyb_notPax] by -, Psym;
        ~P y a
        proof
          assume P y a;
          P a b by -, Psym, Pyb_notPax, Ptrans;
        qed by -, notPab;
        Q x a /\ Q a y by Pyb_notPax, -, Psym, PunionQ;
      qed by -, Qtrans;
    end;
  qed by -`;;

--
Best,
Bill

Here's my proof from yesterday that I think is more intuitive, in spite of the fact that MESON worked about 10 times harder to prove it. Our two proofs are about the same length, if you subtract my comments and extra blank lines.

#load "unix.cma";;
loadt "miz3/miz3.ml";;
horizon := 0;;

let SymTransImpliesSkewTrans_THM = thm `;
  let P be A->A->bool;
  assume ! x y z. P x y /\ P y z ==> P x z [Ptrans];
  assume !x y. P x y ==> P y x [Psym];
  thus ! x y z. P x y /\ ~P y z ==> ~P x z

  proof
    ! x y z. P y x /\ ~P y z ==> ~P x z by Ptrans;
  qed by -, Psym`;;

(* That was a comprehensible result I detected in your proof.
   The next result solves Los's problem in case Q = ~P. *)

let RobLosPnotP_THM = thm `;
  let P be A->A->bool;
  assume ! x y z. P x y /\ P y z ==> P x z [Ptrans];
  assume ! x y z. ~P x y /\ ~P y z ==> ~P x z [notPtrans];
  assume !x y. P x y ==> P y x [Psym];
  thus (!x y. P x y) \/ (!x y. ~P x y)

  proof
    ! x y z. P x y /\ ~P y z ==> ~P x z by Ptrans, Psym, SymTransImpliesSkewTrans_THM;
    ! x y z. ~P y z ==> ~P x z [almost_done] by -, notPtrans;
    assume ~(!x y. P x y);
    consider a b such that ~P a b [notPab] by -;
    ~P b a [notPba] by -, Psym;
    !x y. ~P x y
    proof
      let x y be A;
      ~P x a /\ ~P y b by notPba, notPab, almost_done;
    qed by -, Psym, notPab, notPtrans;
  qed by -`;;

(* My proof below of Los's result is more complicated than I'd like,
   but it's a straightforward modification of the above comprehensible
   proof. The MESON solved at number 108 is a bit lower than the above
   proof, and I get a strange error miz3 message for I believe some
   step of the proof:
   Warning: No useful-looking instantiations of lemma *)

let LosLogic_THM = thm `;
  let P Q be A->A->bool;
  assume ! x y z. P x y /\ P y z ==> P x z [Ptrans];
  assume ! x y z. Q x y /\ Q y z ==> Q x z [Qtrans];
  assume !x y. P x y ==> P y x [Psym];
  assume !x y. P x y \/ Q x y [PunionQ];
  thus (!x y. P x y) \/ (!x y. Q x y)

  proof
    ! x y z. ~P x y /\ ~P y z ==> Q x z /\ Q z x [nearnotPtrans] by PunionQ, Qtrans, Psym;
    ! x y z. P x y /\ ~P y z ==> ~P x z /\ ~P z x by Ptrans, Psym, SymTransImpliesSkewTrans_THM, Psym;
    ! x y z. P x y /\ ~P y z ==> Q x z /\ Q z x by -, PunionQ;
    ! x y z. ~P y z ==> Q x z /\ Q z x [good_enough] by nearnotPtrans, -;
    assume ~(!x y. P x y);
    consider a b such that ~P a b /\ ~P b a [notPab] by -, Psym;
    Q a b /\ Q b a [Qab] by -, Psym, PunionQ;
    !x y. Q x y
    proof
      let x y be A;
      Q x a /\ Q b y by notPab, good_enough;
    qed by -, Qab, Qtrans;
  qed by -`;;

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Rob Arthan - 2012-07-31 05:27 Bill, On 30 Jul 2012, at 09:31, Bill Richter wrote: > https://dl.dropbox.com/u/34693999/nonobv.pdf > > Rob, thanks for the acknowledgment and modifying your proof 2 of Los's Logic result. Sorry for posting my code yesterday with my Isabelle-type fonts still in. I'm including the version which runs in HOL Light. I recommend you learn miz3, One day maybe. Ars longa, vita brevis. > and I coded up your proof 2 in miz3 to get you started. I didn't understand your declarative ProofPower proof 2 formalization, but I know mine is a lot shorter. No, it's not. The ProofPower proof involves 29 non-comment lines of ML and 9 of those are boiler-plate. Your miz3 version is 52 lines of code. The document I posted includes commentary and pasted-in output from the tool to show what is going on. > Regards, Rob. 

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-07-31 08:40 Rob, thanks for explaining your ProofPower proof was shorter than mine. I went to your ProofPower web site, and it sounds similar to HOL Light. Is it easy to port code from one to the other? You must be a HOL Light expert, because John H thanked you (along with Freek W and Michael N) in his purple book. Ars longa, vita brevis. Chaucer's version is "Life is so short, and the craft takes so long to learn." But I think it would be easy for you to paste my miz3 code into a ocaml/HOL-Light process window, and then maybe fiddle with the code, make the proof shorter or longer. Anyway, thanks for explaining your excellent solutions of Los's Logic problem, which previously it seemed that only MESON could solve. -- Best, Bill 

 Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-08-01 04:31 the intuition is just in a little diagram with 4 points and lots of edges labelled P and Q. Thanks, Rob, and I think I understand now! You solved Los's Logic problem because you had the courage to try a bold frontal attack, while I floundered for the lack of some cool insight. This is an important point, as we're interested in how smart MESON is. Here's how I think your bold frontal attack must have gone. Let's change the symbols P & Q to ~ and <. So we know that ~ is symmetric and transitive (~symm, ~trans) < is transitive ( b and b -> a. In the ~ picture I have 2 little x's marked in to indicate there is no arrow from a -> b or b -> a. OK, staring at the two diagrams I see nothing, so I'll look at two triangles instead, with 3 points a, b & x. I count a mere 144 = (2*2*3)^2 possibilities for the two diagrams. I don't want to check them all, though. I think it's quite possible that our bold explorer would then bifurcate on the question of a ~ x. Let's look at the two cases: a ~ x by assumption x ~ a by ~symm b !~ x and x !~ b by ~symm, ~trans, since a !~ b and b !~ a b < x and x < b by ~union< a < x and x < a by

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Bill Richter - 2012-08-01 05:01

Sorry, Rob, I had a dumb typo, and meant to write "there exists a b such that a !~ b (i.e. a ~ b is false)."

Konrad and Michael, as I see you're an author of the HOL Logic manual http://sourceforge.net/projects/hol/files/hol/kananaskis-7/kananaskis-7-logic.pdf/download I'll ask you a question about my miz3 code, where the first few lines are

   new_type("point",0);;
   new_type_abbrev("point_set",`:point->bool`);;
   new_constant("Between",`:point->point->point->bool`);;
   new_constant("Line",`:point_set->bool`);;
   new_constant("≡",`:(point->bool)->(point->bool)->bool`);;

I haven't read the manual carefully, but I see that you're working in something like a model of ZFC (except there's no empty set), and that 'new_type' does not occur in the manual. I see it occurs in the Description manual http://sourceforge.net/projects/hol/files/hol/kananaskis-7/kananaskis-7-description.pdf/download I hope you can appreciate my confusion, as I'm working in HOL Light, and John Harrison's documentation barely explains HOL, and he does not (I think) refer to your manuals. A few dumb questions first:

Can we call your manual a HOL4 manual?

Do all versions of HOL (e.g. HOL Light, Proof Power & Isabelle) abide by your Logic manual?

What does Kananaskis mean?

My guess is that my new_type declaration of "point" says that there exists an un-named set of point, and that any variable of type point will refer to an element of this set. Is that right? Let's call this set H, for Hilbert plane. The new_constant declaration of "Line" then says there's a predicate Line defined on the power set P(H). So later on when I write

   let l be point_set;
   let A B C be point;
   assume Line l

I mean that the variable l refers to a subset of H, the variables A, B & C refer to elements of H, and that the subset l is actually a line, meaning that Line(l) = True. Am I getting this right? Can you explain an easy way I can cite this in my forthcoming geometry paper?

BTW I recently adopted a better spin of my paper. Before I was saying that I was improving Hartshorne's book Geometry: Euclid and Beyond, as a number of his proofs have gaps too wide for a high school student to leap. Sounds kinda negativistic, right? Now I say that I'm continuing Hartshorne's great work by actually formalizing Hartshorne's Theorem 10.4, that all of Euclid's propositions in book I up to Prop (I.28) are true in any Hilbert plane, except for Props (I.1) and (I.22), which require extra axioms.

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Ramana Kumar - 2012-08-01 06:08

On Wed, Aug 1, 2012 at 6:00 AM, Bill Richter wrote:

> new_type("point",0);;
> new_type_abbrev("point_set",`:point->bool`);;
> new_constant("Between",`:point->point->point->bool`);;
> new_constant("Line",`:point_set->bool`);;
> new_constant("≡",`:(point->bool)->(point->bool)->bool`);;
> I haven't read the manual carefully, but I see that you're working in
> something like a model of ZFC (except there's no empty set), and that
> new_type' does not occur in the manual. I see it occurs in the
> Description manual
> http://sourceforge.net/projects/hol/files/hol/kananaskis-7/kananaskis-7-description.pdf/download
> I hope you can appreciate my confusion, as I'm working in HOL Light, and
> John Harrison's documentation barely explains HOL, and he does not (I
> think) refer to your manuals. A few dumb questions first:
>
> Can we call your manual a HOL4 manual?

Yes.

> Do all version of HOL (e.g. HOL Light, Proof Power & Isabelle) abide by
> your Logic manual?

Roughly yes, with minor variations, except for Isabelle. Isabelle is a logical framework. Isabelle/HOL very roughly abides by the HOL4 Logic manual but the logic inherits some completely new features from the underlying framework.

> What does Kananaskis mean?
>

It's the name of some lakes and a river in Alberta. (I think that's the intended reference.) It was adopted (as was "Athabasca"), as the name of a "generation" of HOL4 releases. We're up to Kananaskis release 7 (soon to be 8).

>
> My guess is that my new_type declaration of "point" says that there exists
> an un-named set of point, and that any variable of type point will refer to
> an element of this set. Is that right? Let's call this set H, for Hilbert
> plane. The new_constant declaration of "Line" then says there's a
> predicate Line defined on the power set P(H). So later on when I write
>
> let l be point_set;
> let A B C be point;
> assume Line l
>
> I mean that the variable l refers to a subset of H, the variables A, B & C
> refer to elements of H, and that the subset l is actually a line, meaning
> that Line(l) = True. Am I getting this right? Can you explain an easy way
> I can cite this in my forthcoming geometry paper?
>

new_type and new_constant add new types and new constants to HOL by fiat. I suppose you must characterise them with new_axiom.

The HOL Logic Manual does not mention new_type because one of its aims is to build a model of HOL in set theory to give confidence that HOL is sound. Once you use new_type or new_constant or new_axiom, the model described in the manual is no longer guaranteed to exist. It's up to you to show that another model exists if you want people to believe your work isn't inconsistent. (And it's hard to imagine doing so without first understanding the manual or something equivalent.)

But if you know roughly what your model would look like, and it fits within the existing HOL model (very likely), then there's no reason to declare new types and new constants by fiat and then prove that the resulting system is sound (outside of the proof assistant). You can use HOL4's (and HOL Light's) mechanisms for definition! (You end up doing roughly the same proof, and you get the advantage of having it formalised and checked by the system.) The manual does account for definitions of new types and constants by conservative extension and explicitly proves that such definitions are covered by the model in set theory that it develops.

>
> BTW I recently adopted a better spin of my paper. Before I was saying
> that I was improving Hartshorne's book Geometry: Euclid and Beyond, as a
> number of his proofs have gaps too wide for a high school student to leap.
> Sounds kinda negativistic, right?
> Now I say that I'm continuing
> Hartshorne's great work by actually formalizing Hartshorne's Theorem 10.4,
> that all of Euclid's propositions in book I up to Prop (I.28) are true in
> any Hilbert plane, except for Props (I.1) and (I.22), which require extra
> axioms.
>
> --
> Best,
> Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: Ramana Kumar - 2012-08-01 07:34

Thank you Rob! I was hoping for someone to clear up my mistakes and teach me something more about conservative extension :) (I may come off sounding confident but usually I am not.)

Also, Bill if you're not using new_axiom, then sorry for any offence caused by the tone of my previous email.

On Wed, Aug 1, 2012 at 8:29 AM, wrote:

> Ramana,
>
> > new_type and new_constant add new types and new constants to HOL
> > by fiat.
>
> What these functions do is introduce new names into the available
> vocabulary (or signatures and type signatures to use the terminologies of
> the LOGIC manual). This is a conservative extension mechanism. For
> new_constant, it is equivalent to a constant_specification with defining
> property T. new_type has no equivalent in terms of type_specification,
> because when it imposes no restriction on the cardinality of the new type,
> so it really ought to be in the LOGIC manual.
>
> > I
> > suppose you must characterise them with new_axiom.
>
> This is not true. IF all you need to know of a types is that it is
> non-empty or of a constant that it has a given type, then you have no need
> to use new_axiom in conjunction with new_type and new_constant. This is
> precisely what Bill is doing, I believe.
>
> It is not very common to work like this, because the theory you get is not
> very suitable for reuse. It is more common to use type variables for
> unknown types and variable parameters for unknown objects, so that they
> can be instantiated to particular models. However, working with the
> unspecified types and constants you get from new_type and new_constant is
> a perfectly good approach and can be clearer if the theory you want is
> just intended as a thing to be read and appreciated in its own right.
>
> > The HOL Logic Manual does not mention new_type because one of its aims is
> > to build a model of HOL in set theory to give confidence that HOL is
> > sound.
> > Once you use new_type or new_constant or new_axiom, the model described
> in
> > the manual is no longer guaranteed to exist.
>
> What you say about new_axiom is true. Once you use new_axiom, it is down
> to you do produce some argument of your own as to the consistency of the
> resulting system. What you say about new_type or new_constant is wrong,
> see above.
>
> Regards,
>
> Rob.
>
>

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light From: - 2012-08-01 07:49

Ramana,

> new_type and new_constant add new types and new constants to HOL
> by fiat.

What these functions do is introduce new names into the available vocabulary (or signatures and type signatures to use the terminologies of the LOGIC manual). This is a conservative extension mechanism. For new_constant, it is equivalent to a constant_specification with defining property T. new_type has no equivalent in terms of type_specification, because it imposes no restriction on the cardinality of the new type, so it really ought to be in the LOGIC manual.

> I
> suppose you must characterise them with new_axiom.

This is not true. If all you need to know of a type is that it is non-empty or of a constant that it has a given type, then you have no need to use new_axiom in conjunction with new_type and new_constant. This is precisely what Bill is doing, I believe.

It is not very common to work like this, because the theory you get is not very suitable for reuse. It is more common to use type variables for unknown types and variable parameters for unknown objects, so that they can be instantiated to particular models. However, working with the unspecified types and constants you get from new_type and new_constant is a perfectly good approach and can be clearer if the theory you want is just intended as a thing to be read and appreciated in its own right.

> The HOL Logic Manual does not mention new_type because one of its aims is
> to build a model of HOL in set theory to give confidence that HOL is
> sound.
> Once you use new_type or new_constant or new_axiom, the model described in
> the manual is no longer guaranteed to exist.

What you say about new_axiom is true. Once you use new_axiom, it is down to you to produce some argument of your own as to the consistency of the resulting system. What you say about new_type or new_constant is wrong, see above.

Regards,

Rob.

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-08-02 07:03

Thanks, Ramana and Rob! As Rob says, I don't use new_axiom to define my type "point", but I do use new_axiom to define Hilbert's geometry axioms, so I took no offense. I would definitely prefer to use neither new_type nor new_axiom. I'm using what John set me up with, but I think he thought of it as more of a way to get started, rather than the best way to formalize Euclid's book 1. BTW I don't think either of you answered my question

> the variable l refers to a subset of H, the variables A, B & C
> refer to elements of H, and that the subset l is actually a line,
> meaning that Line(l) =True. Am I getting this right?

I would prefer to say that a Hilbert plane is a set H with two relations, Between and ===, with a predicate Line defined on subsets of H, so that H satisfies the axioms I1--3, B1--4 and C1--6. That's how I wrote my Tarski geometry Mizar code. I wasn't quite happy with that, and folks certainly believe that Hilbert's axioms are consistent. But I would like to know how to avoid new_type nor new_axiom. It's possible that miz3 could not handle the extra set theory load, as John suggested, and he said he'd improve the miz3 set theory capacity when he returned. Neither of you addressed

> John Harrison's documentation barely explains HOL, and he does
> not (I think) refer to your manuals.

Do you agree with me? What is to be made of this? I mean, if one uses new_type in HOL Light, what theorems is HOL Light supposed to be formalizing? I don't know where John writes anything stronger about types than on p 13 of his tutorial:

    A key feature of HOL is that every term has a well-defined
    type. Roughly speaking, the type indicates what kind of
    mathematical object the term represents (a number, a set, a
    function, etc.)

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Ramana Kumar - 2012-08-02 07:26

On Thu, Aug 2, 2012 at 8:03 AM, Bill Richter wrote:

> Thanks, Ramana and Rob! As Rob says, I don't use new_axiom to define my
> type "point", but I do use new_axiom to define Hilbert's geometry axioms,
> so I took no offense. I would definitely prefer to use neither new_type
> nor new_axiom. I'm using what John set me up with, but I think he thought
> of it as more of a way to get started, rather than the best way to
> formalize Euclid's book 1. BTW I don't think either of you answered my
> question
>
> > the variable l refers to a subset of H, the variables A, B & C
> > refer to elements of H, and that the subset l is actually a line,
> > meaning that Line(l) =True. Am I getting this right?
>
> I would prefer to say that a Hilbert plane is a set H with two relations,
> Between and ===, with a predicate Line defined on subsets of H, so that H
> satisfies the axioms I1--3, B1--4 and C1--6.

Yes, you can certainly say that all with definitions. Define a four-argument predicate

    Hilbert_plane H (Between) (===) Line = axiom_1_holds /\ axiom_2_holds /\ ...

and use that as a hypothesis on all your theorems. H, Between, ===, and Line, will all be variables that you universally quantify over, but restrict with the hypothesis Hilbert_plane. Apart from avoiding new_axiom, this has the additional benefit of making your results reusable: anyone can provide whatever H, Between, ===, and Line they want by specialising one of your theorems and their obligation is to show that their combination satisfies all the axioms then they get your result as a conclusion.

> That's how I wrote my Tarski geometry Mizar code. I wasn't quite happy
> with that, and folks certainly believe that Hilbert's axioms are
> consistent. But I would like to know how to avoid new_type nor new_axiom.

I described how above. And we have discussed this before.
See for example http://sourceforge.net/mailarchive/message.php?msg_id=29172311

> It's possible that miz3 could not handle the extra set theory load, as
> John suggested, and he said he'd improve the miz3 set theory capacity when
> he returned. Neither of you addressed
>
> > John Harrison's documentation barely explains HOL, and he does
> > not (I think) refer to your manuals.
>
> Do you agree with me? What is to be made of this?

Read the history of HOL Light. Here are some suggestions:
http://www.cl.cam.ac.uk/~jrh13/papers/holright.html
http://www.cl.cam.ac.uk/~mjcg/papers/HolHistory.html
http://www.nicta.com.au/__data/assets/pdf_file/0010/17695/tphols-2008.pdf

> I mean, if one uses new_type in HOL Light, what theorems is HOL Light
> supposed to be formalizing? I don't know where John writes anything
> stronger about types than on p 13 of his tutorial:
>
> A key feature of HOL is that every term has a well-defined
> type. Roughly speaking, the type indicates what kind of
> mathematical object the term represents (a number, a set, a
> function, etc.)
>
> --
> Best,
> Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-08-02 21:48

Thanks, Ramana! I don't quite understand. In each theorem I should make an extra hypothesis which will look something like

    assume Hilbert_plane H (Between) (===) Line {HP};

And I'll add the label HP to each "by" list in which I refer to one of my earlier theorems? In your earlier post, I think you said you preferred shallow embeddings. Do you call this a shallow embedding?

Back to my earlier question, my miz3 code begins

    new_type("point",0);;
    new_type_abbrev("point_set",`:point->bool`);;
    new_constant("Line",`:point_set->bool`);;

I still don't know what the HOL, or HOL4 meaning of this is, but I have a new conjecture: My new_type command defines a set called "point", And later when I write

    let A B C be point;

that means that the variables A, B & C refer to elements of the set "point". Does that sound right? In particular, a type is the name of a set?

I'm having trouble with the term HOL. If someone asked me to describe what HOL Light was doing, I'd say that we were working in a model of ZFC with some extra features. E.g. it's quite difficult in ZFC to construct the real line R (see Halmos's book Naive Set Theory), but HOL Light hands us a nice copy of R with all its properties. So if one did not have a model of ZFC, one would be doing FOL, just manipulating the f.o. ZFC axioms, but it's a lot nicer to actually have a model of ZFC, i.e. a collection of sets. I don't mean that we have all the sets that a model of ZFC would contain. There's a set UNIV, the universe we work in, and a ZFC model would not contain that. All this is great, but I don't know why we're using the term HOL to describe it. I understand that HOL means 2nd order logic, 3rd order logic etc, but that just means you can quantify over more and more complicated sets, and I guess we get all those sets in a model of ZFC.

I'm also confused about the HOL Logic manual saying we don't get the empty set. I use the empty set all the time, it's called EMPTY or {}, defined in sets.ml. Maybe there's a technicality which goes like this. In sets.ml, sets are "constructed" as boolean functions. So (assuming that "point" is actually a set, as I conjectured above) we can define the empty subset of point as the function

    {}: point -> bool

which takes every element of point to False. So is that it, we can get the empty set by confusing sets with boolean functions?

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-08-03 03:43

    Define a four-argument predicate
    Hilbert_plane H (Between) (===) Line = axiom_1_holds /\ axiom_2_holds /\ ...
    and use that as a hypothesis on all your theorems.

Thanks, Ramana! The code below indicates that I can get rid of new_axiom following your suggestion. I should have seen this myself before, but I was bogged down in the set theory which I still don't know how to pull off, so I didn't even try. So thanks!

I kept the new_type stuff, and made TarskiModel a 0-argument predicate, and proved the first 4 theorems of my Tarski axiomatic geometry
http://www.math.northwestern.edu/~richter/TarskiAxiomGeometry.ml

EquivReflexive : thm = |- TarskiModel ==> (!a b. a,b === a,b)
EquivSymmetric : thm =
  |- TarskiModel ==> (!a b c d. a,b === c,d ==> c,d === a,b)
EquivTransitive : thm =
  |- TarskiModel
     ==> (!a b p q r s. a,b === p,q ==> p,q === r,s ==> a,b === r,s)
Baaa_THM : thm =
  |- TarskiModel ==> (!a b. Between (a,a,a) /\ a,a === b,b)

I'm not too happy about the extra clutter caused by the statement TarskiModel, the label TM I use to refer to it, and turning the axioms into theorems. But that's great that I can get rid of new_axiom at least, so thanks.

I don't know how to get rid of new_type using H and your 4-arg predicate. I tried this, and I got the error message
# Exception: Failure "term after binary operator expected":

parse_as_infix("===",(12, "right"));;
let A1_DEF = new_definition
  `A1axiom T === <=> !a b. T a /\ T b ==> a,b === b,a`;;

I can appreciate this error message. I want to say that T is a set and a belongs to T (or T a = True, or T a), but I don't see how I can do that without some typing. What do I even want the type of a, b & T to be here?

This seems to be a question of how to implement sets in HOL Light.

--
Best,
Bill

horizon := 0;;
#load "unix.cma";;
loadt "miz3/miz3.ml";;

new_type("point",0);;
new_constant("===",`:point#point->point#point->bool`);;
new_constant("Between",`:point#point#point->bool`);;

parse_as_infix("===",(12, "right"));;

let A1_DEF = new_definition
  `A1axiom <=> !a b. a,b === b,a`;;

let A2_DEF = new_definition
  `A2axiom <=> !a b p q r s. a,b === p,q /\ a,b === r,s ==> p,q === r,s`;;

let A3_DEF = new_definition
  `A3axiom <=> !a b c. a,b === c,c ==> a = b`;;

let A4_DEF = new_definition
  `A4axiom <=> !a q b c. ?x. Between(q,a,x) /\ a,x === b,c`;;

let TarskiModel_DEF = new_definition
  `TarskiModel <=> A1axiom /\ A2axiom /\ A3axiom /\ A4axiom`;;

let A1 = thm `;
  TarskiModel ==> !a b. a,b === b,a
  by TarskiModel_DEF, A1_DEF`;;

let A2 = thm `;
  TarskiModel ==> !a b p q r s. a,b === p,q /\ a,b === r,s ==> p,q === r,s
  by TarskiModel_DEF, A2_DEF`;;

let A3 = thm `;
  TarskiModel ==> !a b c. a,b === c,c ==> a = b
  by TarskiModel_DEF, A3_DEF`;;

let A4 = thm `;
  TarskiModel ==> !a q b c. ?x. Between(q,a,x) /\ a,x === b,c
  by TarskiModel_DEF, A4_DEF`;;


let EquivReflexive = thm `;
  TarskiModel ==> !a b. a,b === a,b

  proof
    assume TarskiModel [TM];
    let a b be point;
    b,a === a,b by A1, TM;
  qed by -, A2, TM`;;


let EquivSymmetric = thm `;
  assume TarskiModel [TM];
  let a b c d be point;
  assume a,b === c,d [1];
  thus c,d === a,b

  proof
    a,b === a,b by EquivReflexive, TM;
  qed by -, 1, A2, TM`;;


let EquivTransitive = thm `;
  assume TarskiModel [TM];
  let a b p q r s be point;
  assume a,b === p,q [H1];
  assume p,q === r,s [H2];
  thus a,b === r,s

  proof
    p,q === a,b by H1, EquivSymmetric, TM;
  qed by -, H2, A2, TM`;;


let Baaa_THM = thm `;
  assume TarskiModel [TM];
  let a b be point;
  thus Between (a,a,a) /\ a,a === b,b

  proof
    consider x such that
    Between (a,a,x) /\ a,x === b,b [X1] by A4, TM;
    a = x by -, A3, TM;
  qed by -, X1`;;

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Michael Norrish - 2012-08-03 04:06

On 03/08/12 13:43, Bill Richter wrote:
> I don't know how to get rid of new_type using H and your 4-arg predicate. I
> tried this, and I got the error message # Exception: Failure "term after
> binary operator expected":

> parse_as_infix("===",(12, "right"));; let A1_DEF = new_definition `A1axiom T
> === <=> !a b. T a /\ T b ==> a,b === b,a`;;

> I can appreciate this error message. I want to say that T is a set and a
> belongs to T (or T a = True, or T a), but I don't see how I can do that
> without some typing. What do I even want the type of a, b & T to be here?

> This seems to be a question of how to implement sets in HOL Light.

You could do it by replacing your concrete type point with a type variable. See type_of MAP for syntax. (In HOL4 and SML, you'd get (:'a->'b) -> 'a list -> 'b list, but I have this feeling that HOL Light does things a little differently.)

But, first: the issue you have with your parameterised axioms and === is caused by the fact that you need a way of "stripping" === of its special infix status. So, I'd suggest:

    A1axiom T (===) <=> !a b. T a /\ T b ==> a,b === b,a

Do this without pre-committing to any types at all and your definition will be suitably polymorphic.

Ultimately, you'd have theorems of the form

    TarskiModel T (===) ==> ...some conclusion...

From skimming your sources very superficially, it looks as if the Between 'constant' would need to be a parameter of TarskiModel too.

It also looks as if you could dispense with the T parameter, and just have

    A1axiom (===) <=> !a b. a,b === b,a

Again, not defining any types in advance would give you something suitably polymorphic.

As you noted, doing things this way is likely to be rather painful because you will constantly have this annoying TarskiModel hypothesis hanging around.

Michael
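
Added example (not code from the thread, and not HOL Light): the parameterised statement TarskiModel (===) Between ==> conclusion that Ramana and Michael describe, read semantically and checked by brute force in Python over small finite carriers. The function names, the two sample relations and the carriers are constructed for illustration; axioms A1-A4 and the four theorem names are the ones in Bill's post.

```python
from itertools import product


def congruence_axioms(P, cong):
    """A1, A3 and A2 from the thread; these mention only the === parameter."""
    return (all(cong((a, b), (b, a)) for a, b in product(P, repeat=2))
            and all(a == b for a, b, c in product(P, repeat=3)
                    if cong((a, b), (c, c)))
            and all(cong((p, q), (r, s))
                    for a, b, p, q, r, s in product(P, repeat=6)
                    if cong((a, b), (p, q)) and cong((a, b), (r, s))))


def tarski_model(P, cong, between):
    """The hypothesis: A1, A2, A3 and A4 all hold for this carrier and relations."""
    return (congruence_axioms(P, cong)
            and all(any(between(q, a, x) and cong((a, x), (b, c)) for x in P)
                    for a, q, b, c in product(P, repeat=4)))


def derived_theorems(P, cong, between):
    """The four conclusions proved in the thread, evaluated on one interpretation."""
    return {
        "EquivReflexive": all(cong((a, b), (a, b))
                              for a, b in product(P, repeat=2)),
        "EquivSymmetric": all(cong((c, d), (a, b))
                              for a, b, c, d in product(P, repeat=4)
                              if cong((a, b), (c, d))),
        "EquivTransitive": all(cong((a, b), (r, s))
                               for a, b, p, q, r, s in product(P, repeat=6)
                               if cong((a, b), (p, q)) and cong((p, q), (r, s))),
        "Baaa_THM": all(between(a, a, a) and cong((a, a), (b, b))
                        for a, b in product(P, repeat=2)),
    }


# Constructed model: two segments are congruent when both are degenerate or
# both are not. It works for any carrier type, which is the polymorphism point.
def discrete_cong(x, y):
    return (x[0] == x[1]) == (y[0] == y[1])


def always_between(q, a, x):
    return True


# Constructed non-model on integer points: "strictly shorter than" breaks A1.
def shorter(x, y):
    return abs(x[0] - x[1]) < abs(y[0] - y[1])


def exhaustive_check(P):
    """Try every interpretation of === and Between on carrier P.

    Returns (models found, models that violate some derived theorem)."""
    pairs = list(product(P, repeat=2))
    cells = list(product(pairs, repeat=2))
    triples = list(product(P, repeat=3))
    models = violations = 0
    for cbits in product((False, True), repeat=len(cells)):
        ctable = dict(zip(cells, cbits))
        cong = lambda x, y, t=ctable: t[(x, y)]
        if not congruence_axioms(P, cong):
            continue  # A4 cannot rescue a relation that already fails A1-A3
        for bbits in product((False, True), repeat=len(triples)):
            btable = dict(zip(triples, bbits))
            between = lambda q, a, x, t=btable: t[(q, a, x)]
            if tarski_model(P, cong, between):
                models += 1
                violations += not all(
                    derived_theorems(P, cong, between).values())
    return models, violations


if __name__ == "__main__":
    for carrier in ([0, 1, 2], ["p", "q", "r"]):
        print(carrier, tarski_model(carrier, discrete_cong, always_between),
              derived_theorems(carrier, discrete_cong, always_between))
    print("non-model:", tarski_model([0, 1, 2], shorter, always_between))
    print("two-point carrier (models, violations):", exhaustive_check([0, 1]))
```

exhaustive_check([0, 1]) enumerates all 2^16 candidate === relations on a two-point carrier, so on that carrier no interpretation satisfying the hypothesis escapes the four conclusions.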

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Michael Norrish - 2012-08-03 04:49

On 03/08/12 07:48, Bill Richter wrote:
> Back to my earlier question, my miz3 code begins new_type("point",0);;
> new_type_abbrev("point_set",`:point->bool`);;
> new_constant("Line",`:point_set->bool`);; I still don't know what the HOL, or
> HOL4 meaning of this is, but I have a new conjecture: My new_type command
> defines a set called "point", And later when I write let A B C be point;
> that means that the variables A, B & C refer to elements of the set "point"
> Does that sound right? In particular, a type is the name of a set?

A non-polymorphic type denotes a non-empty ZFC set. We can assume that this set is one of the "non-empty sets in the von Neumann cumulative hierarchy formed before stage ω + ω" (Logic Manual, p10)

A polymorphic type is effectively a function on types; when you instantiate the type variables you are applying the function to arguments and getting back an actual non-empty set.

When you do a new_type command, the system picks an arbitrary non-empty set and identifies your chosen name with that set. Logically, you know nothing at all about that type except that it is non-empty.

> I'm also confused about the HOL Logic manual saying we don't get the empty
> set. I use the empty set all the time, it's called EMPTY or {}, defined in
> sets.ml. Maybe there's a technicality which goes like this. In sets.ml,
> sets are "constructed" as boolean functions. So (assuming that "point" is
> actually a set, as I conjectured above) we can define the empty subset of
> point as the function {}: point -> bool which takes every element of point to
> False. So is that it, we can get the empty set by confusing sets with
> boolean functions?

Yes, the empty set, {}, that you are referring to is just a predicate (the predicate that is everywhere false) over a type. Alternatively, it is a subset of a non-empty set. If you read something saying that there is no empty set, it's meaning that there is no empty type.

It is true that we can't do anything in HOL that you couldn't do in ZFC/FOL, but things tend to work more smoothly in HOL. In particular, there is no distinction between predicates and 'sets', and no need for axioms restricting what you can and can't write with a set comprehension. This is because all such predicates, sets and comprehensions are all done with respect to some bounding set in the ZFC model.

HOL's handling of functions is also cleaner. In FOL, you can't quantify over a function-symbol, so it's illegal to write

    ∃f. ∀n. f (n + 1) < f (n)

where f is a function symbol of the FOL. But, of course, mathematicians are working in ZFC and sets can be held to represent functions, so you *are* allowed to write

    ∃f ∈ N × N. ∀n ∈ N. f  (n + 1) < f  n

where the "function" f is really just a set, and the function symbols are actually  ("function application"), + and × (in the outer quantification). The meta-theory of FOL tells us that we can introduce fresh function symbols in certain circumstances, so we might be able to create formulas that use f as a function symbol, but that f can't be the same as the f which is just a subset of N × N, even if its behaviour looks pretty similar.

This is pretty yucky, and HOL hides lots of complexity.

Michael

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Ramana Kumar - 2012-08-03 06:55

On Fri, Aug 3, 2012 at 4:43 AM, Bill Richter wrote:

> Define a four-argument predicate
> Hilbert_plane H (Between) (===) Line = axiom_1_holds /\ axiom_2_holds /\
> ...
> and use that as a hypothesis on all your theorems.
>
> Thanks, Ramana! The code below indicates that I can get rid of new_axiom
> following your suggestion. I should have seen this myself before, but I
> was bogged down in the set theory which I still don't know how to pull off,
> so I didn't even try. So thanks!
>
> I kept the new_type stuff, and made TarskiModel a 0-argument predicate,
> and proved the first 4 theorems of my Tarski axiomatic geometry
> http://www.math.northwestern.edu/~richter/TarskiAxiomGeometry.ml
>
> EquivReflexive : thm = |- TarskiModel ==> (!a b. a,b === a,b)
> EquivSymmetric : thm =
> |- TarskiModel ==> (!a b c d. a,b === c,d ==> c,d === a,b)
> EquivTransitive : thm =
> |- TarskiModel
> ==> (!a b p q r s. a,b === p,q ==> p,q === r,s ==> a,b === r,s)
> Baaa_THM : thm =
> |- TarskiModel ==> (!a b. Between (a,a,a) /\ a,a === b,b)
>
> I'm not too happy about the extra clutter caused by the statement
> TarskiModel, the label TM I use to refer to it, and turning the axioms into
> theorems. But that's great that I can get rid of new_axiom at least, so
> thanks.

If HOL Light has record datatypes (not sure if it does), you can at least hide all the arguments to TarskiModel inside a record. And put an overload of TM for TarskiModel so you don't have to type/read the long name everywhere. (Come to think of it, overloads may also not be available in HOL Light...)

In HOL4 you could use both features I mention above.

In Isabelle, you could do the whole thing much more cleanly using what is known as a "locale", where you fix some constants like ===, Between, H, etc. and state some properties (the axioms) you want to hold of them in this context, and then do your formalisation without the clutter, and at the end it gives you the effect of having used the extra hypothesis on every theorem.

(All these features could exist in all the theorem provers; they just happen not to.)

Finally, if you go back to your old new_axiom way in HOL Light for convenience, it may be possible to simulate locales by using OpenTheory theory packages. But I can't really recommend that yet because the idea is completely untested.

> I don't know how to get rid of new_type using H and your 4-arg predicate.
> I tried this, and I got the error message
> # Exception: Failure "term after binary operator expected":
>
> parse_as_infix("===",(12, "right"));;
> let A1_DEF = new_definition
> `A1axiom T === <=> !a b. T a /\ T b ==> a,b === b,a`;;
>
> I can appreciate this error message. I want to say that T is a set and a
> belongs to T (or T a = True, or T a), but I don't see how I can do that
> without some typing. What do I even want the type of a, b & T to be here?
>
> This seems to be a question of how to implement sets in HOL Light.
>
> --
> Best,
> Bill
>
> horizon := 0;;
> #load "unix.cma";;
> loadt "miz3/miz3.ml";;
>
> new_type("point",0);;
> new_constant("===",`:point#point->point#point->bool`);;
> new_constant("Between",`:point#point#point->bool`);;
>
> parse_as_infix("===",(12, "right"));;
>
> let A1_DEF = new_definition
> `A1axiom <=> !a b. a,b === b,a`;;
>
> let A2_DEF = new_definition
> `A2axiom <=> !a b p q r s. a,b === p,q /\ a,b === r,s ==> p,q ===
> r,s`;;
>
> let A3_DEF = new_definition
> `A3axiom <=> !a b c. a,b === c,c ==> a = b`;;
>
> let A4_DEF = new_definition
> `A4axiom <=> !a q b c. ?x. Between(q,a,x) /\ a,x === b,c`;;
>
> let TarskiModel_DEF = new_definition
> `TarskiModel <=> A1axiom /\ A2axiom /\ A3axiom /\ A4axiom`;;
>
> let A1 = thm `;
> TarskiModel ==> !a b. a,b === b,a
> by TarskiModel_DEF, A1_DEF`;;
>
> let A2 = thm `;
> TarskiModel ==> !a b p q r s. a,b === p,q /\ a,b === r,s ==> p,q ===
> r,s
> by TarskiModel_DEF, A2_DEF`;;
>
> let A3 = thm `;
> TarskiModel ==> !a b c. a,b === c,c ==> a = b
> by TarskiModel_DEF, A3_DEF`;;
>
> let A4 = thm `;
> TarskiModel ==> !a q b c. ?x. Between(q,a,x) /\ a,x === b,c
> by TarskiModel_DEF, A4_DEF`;;
>
>
> let EquivReflexive = thm `;
> TarskiModel ==> !a b. a,b === a,b
>
> proof
> assume TarskiModel [TM];
> let a b be point;
> b,a === a,b by A1, TM;
> qed by -, A2, TM`;;
>
>
> let EquivSymmetric = thm `;
> assume TarskiModel [TM];
> let a b c d be point;
> assume a,b === c,d [1];
> thus c,d === a,b
>
> proof
> a,b === a,b by EquivReflexive, TM;
> qed by -, 1, A2, TM`;;
>
>
> let EquivTransitive = thm `;
> assume TarskiModel [TM];
> let a b p q r s be point;
> assume a,b === p,q [H1];
> assume p,q === r,s [H2];
> thus a,b === r,s
>
> proof
> p,q === a,b by H1, EquivSymmetric, TM;
> qed by -, H2, A2, TM`;;
>
>
> let Baaa_THM = thm `;
> assume TarskiModel [TM];
> let a b be point;
> thus Between (a,a,a) /\ a,a === b,b
>
> proof
> consider x such that
> Between (a,a,x) /\ a,x === b,b [X1] by A4, TM;
> a = x by -, A3, TM;
> qed by -, X1`;;

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-08-05 07:56

    It also looks as if you could dispense with the T parameter, and
    just have
    A1axiom (===) <=> !a b. a,b === b,a

Thanks, Michael, it works!!! Whether or not I use first

    parse_as_infix("===",(12, "right"));;

But I think that's only because === is already declared to be an infix. I don't know why you parenthesized ===, but it seems to be needed. I'll try to post working code soon. Can you explain why this works, when a and b don't have types? Or what it even means? To me, === is a 4-ary relation on set T. On to your other points:

    You could do it by replacing your concrete type point with a type
    variable. See type_of MAP for syntax. (In HOL4 and SML, you'd get
    (:'a->'b) -> 'a list -> 'b list, but I have this feeling that HOL
    Light does things a little differently.)

Cool, I tried in HOL Light

    type_of `MAP`;;
    hol_type = `:(?134838->?134839)->(?134838)list->(?134839)list`

I think that's a cryptic version of what you said, because the HOL html reference manual says

    map : ('a -> 'b) -> 'a list -> 'b list
    map f [x1;...;xn] returns [(f x1);...;(f xn)].

That's the map function I'm used to from Scheme. Strangely enough map has a different hol_type than MAP:

    type_of `map`;;
    val it : hol_type = `:?134840`

I guess that's what polymorphism means: map works for any types a and b. I think I'm already using polymorphism in my Hilbert code, e.g.:

let BiggerThanSingleton_THM = thm `;
  let p be A->bool;
  let x be A;
  assume x IN p [H1];
  assume ~(p = {x}) [H2];
  thus ? a . a IN p /\ ~(a = x)

  proof
    {x} SUBSET p by H1, SING_SUBSET;
    ~(p SUBSET {x}) by -, H2, SUBSET_ANTISYM;
    consider a such that
    a IN p /\ a NOTIN {x} [X1] by -, SUBSET, NOTIN;
    ~(a = x) by -, IN_SING, NOTIN;
  qed by -, X1`;;

I don't know where I got the idea of using A as a type instead of 'a, or what 'a means, but to me, A stands for any type, and it works in my Hilbert code, A apparently being replaced by point.

Here's another dumb question, for Freek maybe: It's been obvious to me for some time that much of sets.ml could be proved quite easily in miz3. But that's awkward if we can't load in such a file with miz3 stuff in it. Why doesn't use work for miz3 code, as in

    #use "hol.ml";;

?

--
Best,
Bill

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Rob Arthan - 2012-08-05 09:43

On 3 Aug 2012, at 05:49, Michael Norrish wrote:

> On 03/08/12 07:48, Bill Richter wrote:
>> Back to my earlier question, my miz3 code begins new_type("point",0);;
>> new_type_abbrev("point_set",`:point->bool`);;
>> new_constant("Line",`:point_set->bool`);; I still don't know what the HOL, or
>> HOL4 meaning of this is, but I have a new conjecture: My new_type command
>> defines a set called "point", And later when I write let A B C be point;
>> that means that the variables A, B & C refer to elements of the set "point"
>> Does that sound right? In particular, a type is the name of a set?
>
> A non-polymorphic type denotes a non-empty ZFC set. We can assume that this set
> is one of the "non-empty sets in the von Neumann cumulative hierarchy formed
> before stage ω + ω" (Logic Manual, p10)

That isn't quite right. What the Logic Manual correctly says is that the set-theoretic universe in which HOL types and terms take their values is closed under certain operations and that the set of sets you mention (V_{\omega+\omega}) is a possible universe. It doesn't say that V_{\omega+\omega} is the universe and the axioms don't imply any upper bound on the cardinality of types.

>
> A polymorphic type is effectively a function on types; when you instantiate
> the type variables you are applying the function to arguments and getting back
> an actual non-empty set.
>
> When you do a new_type command, the system picks an arbitrary non-empty set and
> identifies your chosen name with that set. Logically, you know nothing at all
> about that type except that it is non-empty.

Quite so. In particular, you don't know anything else about its cardinality. It could be V_{\omega+\omega} itself or something much bigger. It would be consistent (but not conservative) to use new_axiom to assert that a type introduced with new_type was a model of HOL or of ZFC, say. This is why I said in a reply to Ramana the other day that new_type really should be accounted for in the Logic Manual: new_constant is equivalent to a special case of constant specification but new_type is not equivalent to a special case of type definition.

Regards,

Rob.

Re: [Hol-info] rigorous axiomatic geometry proof in HOL Light
From: Bill Richter - 2012-08-05 10:49

Michael, your polymorphism worked! Following your advice, I coded up in miz3, without new_type or new_axiom, my first 7 Tarski axiomatic geometry theorems of
http://www.math.northwestern.edu/~richter/TarskiAxiomGeometry.ml

I'm stuck on the next result because I don't know how to rewrite my definition

parse_as_infix("cong",(12, "right"));;
let cong_DEF = new_definition
  `a,b,c cong x,y,z <=> a,b === x,y /\ a,c === x,z /\ b,c === y,z`;;

My problem, I think, is that cong is now a function of ===, which is now a variable being passed around. Here's my miz3 code below, which I really enjoyed writing, as it took quite a bit of fiddling to get right.

Let me try to explain why your polymorphism works on axiom A4, on which HOL-Light/miz3 prints out
val A4 : thm = |- !(===) Between. TarskiModel (===) Between ==> (!a q b c. ?x. Be