Content uploaded by Christoph Benzmüller
Author content
All content in this area was uploaded by Christoph Benzmüller
Content may be subject to copyright.
The Journal of Symbolic Logic
Volume 69, Number 4, Dec. 2004
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY
CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
Abstract. In this paper we re-examine the semantics of classical higher-order logic with the purpose
of clarifying the role of extensionality. To reach this goal, we distinguish nine classes of higher-order
models with respect to various combinations of Boolean extensionality and three forms of functional
extensionality. Furthermore, we develop a methodology of abstract consistency methods (by providing the
necessary model existence theorems) needed to analyze completeness of (machine-oriented) higher-order
calculi with respect to these model classes.
§1. Motivation. In classical first-order predicate logic, it is rather simple to assess
the deductive power of a calculus: first-order logic has a well-established and
intuitive set-theoretic semantics, relative to which completeness can easily be verified
using, for instance, the abstract consistency method (cf. the introductory textbooks
[6, 22]). This well understood meta-theory has supported the development of calculi
adapted to special applications—such as automated theorem proving (cf. [16, 47]
for an overview).
In higher-order logics, the situation is rather different: the intuitive set-theoretic
standard semantics cannot give a sensible notion of completeness, since it does
not admit complete (recursively axiomatizable) calculi [24, 6]. There is a more
general notion of semantics [26], the so-called Henkin models, that allows complete
(recursively axiomatizable) calculi and therefore sets the standard for deductive
power of calculi.
Peter Andrews’ Unifying Principle for Type Theory [1] provides a method of
higher-order abstract consistency that has become the standard tool for complete-
ness proofs in higher-order logic, even though it can only be used to show complete-
ness relative to a certain Hilbert style calculus Tâ. A calculus Cis called complete
relative to a calculus Tâiff (if and only if) Cproves all theorems of Tâ. Since Tâis
not complete with respect to Henkin models, the notion of completeness that can
be established by this method is a strictly weaker notion than Henkin completeness.
The differences between these notions of completeness can largely be analyzed in
terms of availability of various extensionality principles, which can be expressed
axiomatically in higher-order logic.
As a consequence of the limitations of Andrew’s Unifying Principle, calculi for
higher-order automated theorem proving [1, 32, 33, 34, 42, 36, 37] and the cor-
responding theorem proving systems such as Tps [7, 8], or earlier versions of the
Leo [14] system are not complete with respect to Henkin models. Moreover, they
Received February 23, 1998; final version March 29, 2004.
c
2004, Association for Symbolic Logic
0022-4812/04/6904-0004/$7.20
1027
1028 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
are not even sound with respect to Tâ, since they (for the most part) employ
ç-conversion, which is not admissible in Tâ. In other words, their deductive power
lies somewhere between Tâand Henkin models. Characterizing exactly where re-
veals important theoretical properties of these calculi that have direct consequences
for the adequacy in various application domains (see the discussion in section 8.1).
Unlike calculi without computational concerns, calculi for mechanized reasoning
systems cannot be made complete by simply adding extensionality axioms, since
the search spaces induced by their introduction grow prohibitively. Being able to
compare and characterize the methods and computational devices used instead is a
prerequisite for further development in this area.
In this situation, the aim of this article is to provide a semantical meta theory
that will support the development of higher-order calculi for automated theorem
proving just as the corresponding methodology does in first-order logic. To reach
this goal, we need to establish:
(1) classes of models that adequately characterize the deductive power of existing
theorem-proving calculi (providing semantics with respect to which they are
sound and complete), and
(2) a methodology of abstract consistency methods (by providing for these model
classes the necessary model existence theorems, which extend Andrews’ Uni-
fying Principle), so that the completeness analysis for higher-order calculi
will become almost as simple as in first-order logic.
We fully achieve the first goal in this article, and take a large step towards the
second. In the model existence theorems presented in this article, we have to
assume a new condition called saturation, which limits their utility in completeness
proofs for machine-oriented calculi. Fortunately, the saturation condition can be
lifted by extensions of the methods presented in this article (see the discussion in
the conclusion 8.2 and [12]).
Due to the inherent complexity of higher-order semantics we first give an informal
exposition of the issues covered and the techniques applied. In Section 4, we will
investigatethe properties of the model classes introduced in Section 3 in more detail
and corroborate them with example models in Section 5. We prove model existence
theorems for the model classes in Section 6. Finally, in Section 7 we will apply
the model existence theorems from Section 6 to the task of proving completeness
of higher-order natural deduction calculi. Section 8 concludes the article with a
discussion of related work, possible applications, and the saturation assumption we
introduced for the model existence theorems.
The work reported in this article is based on [15] and significantly extends the
material presented there.
§2. Informal exposition. Before we turn to the exposition of the semantics in
Section 2.3, let us specify what we mean by “higher-order logic”: any simply typed
logical system that allows quantification over function and predicate variables.
Technically, we will follow tradition and employ a logical system HOL based on
the simply typed ë-calculus as introduced in [18]; this does not restrict the generality
of the methods reported in this article, since the ideas can be carried over. A related
logical system is discussed in detail in [6].
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY 1029
2.1. Simply typed ë-calculus. To formulate higher-order logic we start with a
collection of types T. We assume there are some basic types in Tand that whenever
α, â ∈T, then the function type (α→â) is in T. Furthermore, we assume the
types are generated freely, so that (α1→â1)≡(α2→â2) implies α1≡α2and
â1≡â2.
HOL -formulae (or terms) are built up from a set Vof (typed) variables and
asignature Σ (a set of typed constants) as applications and ë-abstractions. We
assume the set Vαof variables of type αis countably infinite for each type α. The
set wffα(Σ) of well-formed formulae consists of those formulae which have type α.
The type of formula Aαwill be annotated as an index, if it is not clear from the
context. We will denote variables with upper-case letters (Xα, Y, Z, X 1
â, X 2
ã, . . . ),
constants with lower-case letters (cα, fα→â,...) and well-formed formulae with
upper-case bold letters (Aα,B,C1,...). Finally, we abbreviate multiple applications
and abstractions in a kind of vector notation, so that AU kdenotes k-fold application
(associating to the left), ëX kAdenotes k-fold ë-abstraction (associating to the
right) and we use the square dot ‘ ’ as an abbreviation for a pair of brackets, where
‘ ’ stands for the left one with its partner as far to the right as is consistent with the
bracketing already present in the formula. We may avoid full bracketing of formulas
in the remainder if the bracketing structure is clear from the context.
We will use the terms like free and bound variables or closed formulae in their
standard meaning and use free(A) for the set of free variables of a formula A. In
particular, alphabetic change of names of bound variables is built into HOL: we
consider alphabetic variants to be identical (viewing the actual representation as a
representative of an alphabetic equivalence class) and use a notion of substitution
that avoids variable capture by systematicallyrenaming bound variables.1We denote
a substitution that instantiates a free variable Xwith a formula Awith [A/X ] and
write ó, [A/X ] for the substitution that is identical with óbut instantiates Xwith
A. For any term Awe denote by A[B]pthe term resulting by replacing the subterm
at position pin Aby B.
A structural equality relation of HOL terms is induced by âç-reduction
(ëX A)B→â[B/X ]A(ëX CX)→çC
where Xis not free in C. It is well-known that the reduction relations â,ç, and
âç are terminating and confluent on wff(Σ), so that there are unique normal forms
(cf. [9] for an introduction). We will denote the â-normal form of a term Aby A
yâ,
and the âç-normal form of Aby A↓âç . If we allow both reduction and expansion
steps, we obtain notions of â-conversion,ç-conversion, and âç-conversion. We say
Aand Bare â-equal [ç-equal,âç-equal] (written A≡âB[A≡çB,A≡âç B]) when Ais
â-convertible [ç-convertible, âç-convertible] to B.
2.2. Higher-order logic (HOL ). In HOL , the set of base types is {o, é}for truth
values and individuals. We will call a formula of type oaproposition, and a sentence
if it is closed. We will assume that the signature Σ contains logical constants for
negation (¬o→o), disjunction (∨o→o→o), and universal quantification (Πα
(α→o)→o) for
each type α. Optionally, Σ may contain primitive equality (=α
α→α→o) for each type
1We could also have used de Bruijn’s indices [19] as a concrete implementation of this approach at
the syntax level.
1030 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
α. All other constants are called parameters, since the argumentation in this article
is parametric in their choice.
We write disjunctions and equations, i.e., ter ms of the form ((∨A)B) or ((= A)B),
in infix notation as A∨Band A=B. As we only assume the logical constants ¬,
∨, and Πα(and possibly =α) as primitive, we will use formulae of the form A∧B,
A⇒B, and A⇔Bas shorthand for the formulae ¬((¬A)∨(¬B)), and (¬A)∨B,
and (A⇒B)∧(B⇒A), respectively. For each A∈wffo(Σ), the standard notations
∀XαAand ∃XαAfor quantification are regarded as shorthand for Πα(ëXαA) and
¬(Πα(ëXα¬A)). Finally, we extend the vector notation for ë-binders to k-fold
quantification: we will use ∀XkAand ∃XkAin the obvious way.
We often need to distinguish between atomic and non-atomic formulae in wff o(Σ).
A non-atomic formula is any formula whose â-normal form is either of the form
¬A,A∨B, or ΠαC(where A,B∈wffo(Σ) and C∈wff α→o(Σ)). An atomic formula
is any other formula in wffo(Σ)—including primitive equations A=αBin case of
the presence of primitive equality.
It is matter of folklore that equality can directly be expressed in HOL . A
prominent example is the Leibniz formula for equality
Qα:= (ëXαYα∀Pα→oPX ⇒PY ).
With this definition, the formula (QαAB) (expressing equality of two formulae A
and Bof type α)â-reduces to ∀Pα→o(PA)⇒(PB), which can be read as: formulae
Aand Bare not equal iff there exists a discerning property P.2In other words, Aand
Bare equal, if they are indiscernible. We will use the notation A.
=αBas shorthand
for the â-reduct ∀Pα→o(PA)⇒(PB) of (QαAB) (where P /∈free(A)∪free(B)).3
There are alternative ways to define equality in terms of the logical connectives
([6, p. 203]) and the techniques for equality introduced in this article carry over to
them (cf. Remark 4.4).
In this article we use several different notions of equality. In order to prevent
misunderstandings we explain these different notions together with their syntactical
representation here:
If we define a concept we use : = (e.g., let D: = {T,F}). ≡represents identity.
We refer to a representative of the identity relation on Dαas an object of the
semantical domain Dα→α→owith qα. Note that we possibly have one, several, or
no qαin Dα→α→ofor each domain Dα. The remaining two notions are related to
syntax. =αmay occur as a constant symbol of type α→α→oin a signature Σ.
Finally, .
=αand Qαare used for Leibniz equality as described above.
2.3. Notions of models for HOL .A model of HOL is a collection of non-empty
domains Dαfor all types αtogether with a way of interpreting formulae. The
model classes discussed in this article will vary in the domains and specifics of
the evaluation of formulae. The relationships between these classes of models are
depicted as a cube in Figure 1. We will discuss the model classes from bottom to
top, from the most specific notion of standard models (ST) to the most general
notion of õ-complexes, motivating the respective generalizations as we go along. In
Section 3, where we develop the theory formally based on the intuitions discussed
2Note that this is symmetric by considering complements and hence it is sufficient to use ⇒instead
of ⇔.
3Note that A.
=αBis â-normal iff Aand Bare â-normal. The same holds for âç-equality.
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY 1031
ST
Mâfb 'H
Mâçb
Mâîb
Mâf
∇
f
Mâî
∇
îMâç ∇
çMâb∇
b
Mâ∇
c,∇
â,∇
¬,∇
∨,∇
∧,∇
∀,∇
∃,∇
sat
î
ç
ç
ç
î
f
î
f
b
b
b
b
î
ç
full
Figure 1. The landscape of higher-order semantics.
here, we will proceed the other way around, specializing the notion of a Σ-model
more and more.
The symbols in the boxes in Figure 1 denote model classes, the symbols labeling
the arrows indicate the properties inducing the corresponding specialization, and
the ∇-symbols next to the boxes indicate the clauses in the definition of abstract
consistency classes (cf. Definition 6.5) that are needed to establish a model existence
theorem for this particular class of models (cf. Theorem 6.34).
2.3.1. Standard and Henkin models [ST,H,Mâfb].Astandard model (ST, cf.
Definition 3.51) for HOL provides a fixed set Déof individuals and a set Do:= {T,F}
of truth values. All the domains for the function types are defined inductively: Dα→â
is the set of functions f:Dα−→ Dâ. The evaluation function Eϕwith respect to an
assignment ϕof variables is obtained by the standard homomorphic construction
that evaluates a ë-abstraction with a function.
One can reconstruct the key idea behind Henkin models (Hisomorphic to Mâfb ,
cf. Definitions 3.50, and Theorem 3.68)by the following observation. If the set Déis
infinite, the set Dé→oof sets of individuals must be uncountably infinite. On the other
hand, any reasonable semantics of a language with a countable signature that admits
1032 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
sound and complete calculi must have countable models. Leon Henkin generalized
the class of admissible domains for functional types [26]. Instead of requiring
Dα→â(and thus in particular, Dé→o) to be the full set of functions (predicates), it is
sufficient to require that Dα→âhas enough members that any well-formed formula
can be evaluated (in other words, the domains of function types are rich enough to
satisfy comprehension). Note that with this generalized notion of a model, there are
fewer formulae that are valid in all models (intuitively, for any given formula there
are more possibilities for counter-models). The generalization to Henkin models
restricts the set of valid formulae sufficiently so that all of them can be proven by a
Hilbert-style calculus [26].
Of course our picture in Figure 1 is not complete here; we can axiomatically
require the existence of particular (classes of ) functions, e.g., by assuming the de-
scription or choice operators. We will not pursue this here; for a detailed discussion
of the semantic issues raised by the presence of these logical constants see [3]. Note
that even though we can consider model classes with richer and richer function
spaces, we can never reach standard models where function spaces are full while
maintaining complete (recursively axiomatizable) calculi.
2.3.2. Models without boolean extensionality [Mâ,Mâî,Mâç,Mâf].The next gen-
eralization of model classes comes from the fact that we want to have logics where
the axiom of Boolean extensionality can fail. For instance, in the semantics of nat-
ural language we have so-called verbs and adjectives of “propositional attitude”like
believe or obvious. We may not want to commit ourselves to a logic where the sen-
tence “John believes that Phil is a woodchuck” automatically entails “John believes
that Phil is a groundhog” since John might not be aware that “woodchuck” is just
another word for “groundhog”. The axiom of Boolean extensionality does just that;
it states that whenever two propositions are equivalent, they must be equal, and can
be substituted for each other. Similarly, the formulae obvious(O) and obvious(F)
where O:= 2 + 2 = 4 and F:= ∀n > 2xn+yn=zn⇒x=y=z= 0 should
not be equivalent, even if their arguments are. (Both Oand Fare true over the nat-
ural numbers, but Fermat’s last theorem Fis non-obvious to most people). These
phenomena have been studied under the heading of “hyper-intensional semantics”
in theoretical semantics; see [39] for a survey.
To account for this behavior, we have to generalize the class of Henkin models
further so that there are counter-models to the examples above. Obviously, this
involves weakening the assumption that Do≡ {T,F}since this entails that the values
of Oand Fare identical. We call the assumption that Dohas two elements property
b. In our Σ-models without property b(Mâ,Mâî ,Mâç,Mâf, cf. Definitions 3.41
and 3.49) we only insist that there is a division of the truth values into “good” and
“bad” ones, which we express by insisting on the existence of a valuation õof Do,
i.e., a function õ:Do−→ {T,F}that is coordinated with the interpretations of the
logical constants ¬,∨, and Πα(for each type α). Thus we havea notion of validity:
we call a sentence Avalid in such a model if õ(a)≡T, where a∈Dois the value
of the sentence A. For example, there is a Σ-model (see Examples 5.4 and 5.5)
where woodchuck(phil), groundhog(phil) and believe(john,woodchuck(phil)) are
all valid, but believe(john,groundhog(phil)) is not. In this model, the value of
woodchuck(phil) is different from the value of groundhog(phil) in Do.
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY 1033
2.3.3. Models without functional extensionality [Mâ,Mâç,Mâî,Mâb,Mâçb,
Mâîb].In mathematics (and as a consequence in most higher-order model the-
ories), we assume functional extensionality, which states that two functions are
equal, if they return identical values on all arguments. In many applications we
want to use a logic that allows a finer-grained modeling of properties of functions.
For instance, if we want to model programs as (higher-order) functions, we might
be interested in intensional4properties like run-time complexity. Consider for in-
stance the two functions I:= ëX X and L:= ëX rev(rev(X)), where rev is the
self-inverse function that reverses the order of elements in a list. While the identity
function has constant complexity, the function rev is linear in the length of its ar-
gument. As a consequence, even though Lbehaves like Ion all inputs, they have
different time complexity. A logic with a functionally extensional model theory
(which is encoded as property f, cf. Definitions 3.5, 3.41 and 3.46) would conflate I
and Lsemantically and thus hide this difference rendering the logic unsuitable for
complexity analysis.
To arrive at a model theory which does not require functional extensionality
(which we will a call non-functional model theory in the remainder) we need to
generalize the notion of domains at function types and evaluation functions. This
is because the usual construction already uses sets of (extensional) functions for the
domains of function type and the property of functionality to construct values for
ë-terms.
We build on the notion of applicative structures (cf. Definition 3.1) to define Σ-
evaluations (cf. Definition 3.18), where the evaluation function is assumed to respect
application and â-conversion. In such models, a function is not uniquely deter-
mined by its behavior on all possible arguments. Such models can be constructed,
for example, by labeling for functions (e.g., a green and a red version of a func-
tion f) in order to differentiate between them, even though they are functionally
equivalent (cf. Example 5.6). Property bmay or may not hold for non-functional
Σ-Models.
We can factor functional extensionality (property f) into two independent prop-
erties, property çand property î. A model satisfies property çif it respects ç-
conversion. A model satisfies property îif we can conclude the values of ëX Mand
ëX Nare identical whenever the values of Mand Nare identical for any assignment
of the variable X. We will show that a model satisfies property fiff it satisfies both
property çand property î(cf. Lemma 3.24).
2.3.4. Andrews’ models and õ-complexes [Mâ,Mâç ].Peter Andrews has pio-
neered the construction of non-functional models with his õ-complexes in [1] based
on Kurt Sch¨
utte’s semi-valuation method [50]. These constructions, where both
functional and Boolean extensionality fail, are Σ-models as defined in Defini-
tion 3.41. (Typically they will not even satisfy the property that Leibniz equality
corresponds to identity in the model, but they will have a quotient by Theorem 3.62
which does satisfy this property.)
2.4. Characterizing the deductive power of calculi. These model classes discussed
in the previous section characterize the deductive power of many higher-order
4Just as in the linguistic application,the word “intensional” is used as a synonym for“non-extensional”
even though totally different properties are intended.
1034 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
theorem provers on a semantic level. For example, Tps [8] can be used in modes
in which the deductive power is characterized by Mâç (or even Mâif ç-conversion
is disallowed). Note that in particular Tps is not complete with respect to Henkin
models. It is not even complete for Mâçb, although it can be used in modes with
some ‘extensionality treatment’ built into the proof procedure.
The incompleteness of Tps for Henkin models5can be seen from the fact that
it fails to refute formulae such as cAo∧ ¬c(¬¬A), where cis a constant of type
o→o, or to prove formulae like p(ëXαBX∧AX)⇒p(ëXαAX∧BX), where
pis a constant of type (α→o)→o. The problem in the former example is that
the higher-order unification algorithm employed by Tps cannot determine that A
and ¬¬Adenote identical semantic objects (by Boolean extensionality as already
mentioned before), and thus returns failure instead of success. In the second
example both functional and Boolean extensionality are needed in order to prove
the theorem.
[21] discusses a presentation of higher-order logic in a first-order logic based on
an approach called theorem proving modulo. It is easy to check that this approach
is also incomplete for model classes with property b. For instance the approach
cannot prove the formula
∀Po→oXoYo(PX ∧PY )⇒P(X∧Y)
which is valid in Henkin models and which requires b. As a result, the theorem
proving modulo approach of representing higher-order logic in a first-order logic [21]
can only be used for logics without Boolean extensionality in its current form.
2.4.1. Model existence theorems. For all the notions of model classes (except,
of course, for standard models, where such a theorem cannot hold for recursively
axiomatizable logical systems) we present model existence theorems tying the differ-
entiating conditions of the models to suitable conditions in the abstract consistency
classes (cf. Section 6.3).
A model existence theorem for a logical system S(i.e., a logical language LS
together with a consequence relation |=S⊆LS×LS) is a theorem of the form:
If a set of sentences Φof Sis a member of an abstract consistency class
Γ, then there exists a S-model for Φ.
For the proof we can use the classical construction in all cases: abstract consistent
sets are extended to Hintikka sets (cf. Section 6.2), which induce a valuation on
a term structure (cf Definition 3.35). We then take a quotient by the congruence
induced by Leibniz equality in the term model.
2.4.2. Completeness of calculi. Given a model existence theorem as described
above we can show the completeness of a particular calculus C(i.e., the derivability
relation `S⊆LS×LS) by proving that the class Γ of sets of sentences Φ that are
C-consistent (i.e., cannot be refuted in C) is an abstract consistency class. Then the
model existence theorem tells us that C-consistent sets of sentences are satisfiable
in S. Now we assume that a sentence Ais valid in S, so ¬Adoes not have a
S-model and is therefore C-inconsistent. Hence, ¬Ais refutable in C. This shows
5In case the extensionality axioms are not available in the search space. Note that one can add
extensionality axioms to the calculus in order to achieve—at least in theory—Henkin completeness. But
this increases the search space drastically and is not feasible in practice.
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY 1035
refutation completeness of C. For many calculi C, this also shows Ais provable,
thus establishing completeness of C.
Note that with this argumentation the completeness proof for Ccondenses to
verifying that Γ is an abstract consistency class, a task that does not refer to S-
models. Thus the usefulness of model existence theorems derives from the fact that
it replaces the model-theoretic analysis in completeness proofs with the verification
of some proof-theoretic conditions. In this respect a model existence theorem is
similar to a Herbrand Theorem, but it is easier to generalize to other logic systems
like higher-order logic. The technique was developed for first-order logic by Jaakko
Hintikka and Raymond Smullyan [29, 52, 53].
§3. Semantics for higher-order logic. In this section we will introduce the seman-
tical constructions and discuss their relationships. We will start out by defining
applicative structures and Σ-evaluations to give an algebraic semantics for the sim-
ply typed ë-calculus. To obtain a model for higher-order logic, we use a Σ-valuation
to determine whether propositions are true or false.
3.1. Applicative structures.
Definition 3.1 ((Typed) Applicative structure).A collection D:= DT: =
{Dα|α∈T}of non-empty sets Dα, indexed by the set Tof types, is called
atyped collection (of sets). Let DTand ETbe typed collections, then a col-
lection f:= {fα:Dα−→ Eα|α∈T}of functions is called a typed function
f:DT−→ ET. We will write F(A;B) for the set of functions from Ato Band
FT(DT;ET) for the set of typed functions. In the following we will also use the
notion of a typed function extended to the n-ary case in the obvious way.
We call the pair (D,@) a (typed) applicative structure if D≡DTis a typed
collection of sets and
@ : = {@αâ :Dα→â×Dα−→ Dâ|α, â ∈T}.
Each (non-empty) set Dαis called the domain of type αand the family of functions
@ is called the application operator. We write simply f@afor f@αâawhen f∈Dα→â
and a∈Dαare clear in context.
Remark 3.2.Often an applicative structure is defined to also include an inter-
pretation of the constants in a given signature (for example, in [44]). We prefer this
signature-independent definition (as in [30]) for our purposes.
Remark 3.3 (Currying).The application operator @ in an applicative structure
is an abstract version of function application. It is no restriction to exclusively use
a binary application operator, which corresponds to unary function application,
since we can define higher-arity application operators from the binary one by setting
f@(a1,...,an) : = (...(f@a1)...@an) (“Currying”).
Definition 3.4 (Frame).An applicative structure (D,@) is called a frame, if
Dα→â⊆F(Dα;Dâ) and @αâ is application for functions for all types αand â.
Definition 3.5 (Functional/full/standard applicative structures).Let A:=
(D,@) be an applicative structure. We say that Ais functional if for all types
αand âand objects f,g∈Dα→â, we have f≡gwhenever f@a≡g@afor every
1036 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
a∈Dα.6We say Ais full if for all types αand âand every function f:Dα−→ Dâ
there is an object f∈Dα→âsuch that f@a≡f(a) for every a∈Dα. Finally, we say
Ais standard if it is a frame and Dα→â≡F(Dα;Dâ) for all types αand â. Note
that these definitions impose restrictions on the domains for function types only.
Remark 3.6.It is easy to show that every frame is functional. Furthermore, an
applicative structure is standard iff it is a full frame.
Example 3.7 (Applicative singleton structure).We choose a single element aand
define Dα:= {a}for all types α. The pair (DT,@a), where a@aa=ais a (trivial)
example of a functional applicative structure. It is called the singleton applicative
structure.
Example 3.8 (Applicative term structures).If we define A@B: = (AB) for A∈
wffα→â(Σ) and B∈wffα(Σ), then @ : wffα→â(Σ) ×wffα(Σ) −→ wffâ(Σ) is a
total function. Thus (wff (Σ),@) is an applicative structure. The intuition behind
this example is that we can think of the formula A∈wff α→â(Σ) as a function
A: wffα(Σ) −→ wffâ(Σ) that maps Bto (AB).
Analogously, we can define the applicative structure (cwff(Σ),@) of closed for-
mulae (when we ensure Σ contains enough constants so that cwff α(Σ) is non-empty
for all types α).
Definition 3.9 (Homomorphism).Let A1:= (D1,@1) and A2: = (D2,@2)
be applicative structures. A homomorphism from A1to A2is a typed function
κ:D1−→ D2such that for all types α, â ∈T, all f∈D1
α→â, and a∈D1
αwe have
κ(f)@2κ(a)≡κ(f@1a). We write κ:A1−→ A2. The two applicative structures
A1and A2are called isomorphic if there are homomorphisms i:A1−→ A2and
j:A2−→ A1which are mutually inverse at each type.
The most important method for constructing structures (and models) with given
properties in this article is well-known for algebraic structures and consists of
building a suitable congruence and passing to the quotient structure. We will now
develop the formal basis for it.
Definition 3.10 (Applicative structure congruences).LetA: = (D,@) be an ap-
plicative structure. A typed equivalence relation ∼is called a congruence on Aiff
for all f,f0∈Dα→âand a,a0∈Dα(for any types αand â), f∼f0and a∼a0imply
f@a∼f0@a0.
The equivalence class [[a]]∼of a∈Dαmodulo ∼is the set of all a0∈Dα, such that
a∼a0. A congruence ∼is called functional iff for all types αand âand f,g∈Dα→â,
we have f∼gwhenever f@a∼g@afor every a∈Dα.
Lemma 3.11. The â-equality and âç-equality relations ≡âand ≡âç are congruences
on the applicative structures wff (Σ) and cwff .
Proof. The congruence properties are a direct consequence of the fact that âç-
reduction rules are defined to act on subterm positions. a
6This is called “extensional” in [44]. We use the term “functional” to distinguish it from other forms
of extensionality.
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY 1037
Definition 3.12 (Quotient applicative structure).Let A:= (D,@) be an ap-
plicative structure, ∼a congruence on A, and D∼
α:= {[[a]]∼|a∈Dα}. Further-
more, let @∼be defined by [[f]]∼@∼[[a]]∼:= [[f@a]]∼. (To see that this definition
only depends on equivalence classes of ∼, consider f0∈[[f]]∼and a0∈[[a]]∼. Then
f∼f0and a∼a0imply f@a∼f0@a0. Thus, [[f@a]]∼≡[[f0@a0]]∼. So, @∼is
well-defined.) A/
∼:= (D∼,@∼) is also an applicative structure. We call A/
∼the
quotient structure of Afor the relation ∼and the typed function ð∼:A−→ A/
∼
that maps ato [[a]]∼its canonical projection.
Theorem 3.13. Let Abe an applicative structure and let ∼be a congruence on A,
then the canonical projection ð∼is a surjective homomorphism. Furthermore, A/
∼is
functional iff ∼is functional.
Proof. Let A:= (D,@) be an applicative structure. To convince ourselves
that ð∼is indeed a surjective homomorphism, we note that ð∼is surjective by the
definition of D∼. To see that ð∼is a homomorphism let f∈Dα→â, and a∈Dâ,
then ð∼(f)@∼ð∼(a)≡[[f]]∼@∼[[a]]∼≡[[f@a]]∼≡ð∼(f@a).
The quotient construction collapses ∼to identity, so functionality of ∼is equiv-
alent to functionality of A/
∼. Formally, suppose [[f]]∼and [[g]]∼are elements of
D∼
α→âsuch that [[f]]∼@∼[[a]]∼≡[[g]]∼@∼[[a]]∼for every [[a]]∼in D∼
α. This is equiv-
alent to [[f@a]]∼≡[[g@a]]∼for every a∈Dαand hence f@a∼g@afor all a∈Dα.
By functionality of ∼, we have f∼g. That is, [[f]]∼≡[[g]]∼.a
Lemma 3.14. ≡âç is a functional congruence on wff (Σ). If Σαis infinite for all
types α∈T, then ≡âç is also functional on cwff .
Proof. By Lemma 3.11, ≡âç is a congruence relation. To show functionality let
A,B∈wffã→α(Σ) such that AC≡âç BC for all C∈wffã(Σ) be given. In particular,
for any variable X∈Vãthat is not free in Aor B, we have AX≡âç BXand
ëX AX≡âçëX BX. By definition we have A≡çëXãAX≡âçëXãBX≡çB.
To show functionality of âç-equality on closed formulae, suppose Aand Bare
closed. With the same variable Xas above, let Mand Nbe the âç-normal forms of
AXand BX, respectively. We cannot conclude that M≡Nsince Xis not a closed
term. Instead, choose a constant cã∈Σãthat does not occur in Aor B. (Such a
constant must exist, since we have assumed that Σãis infinite.) An easy induction
on the length of the âç-reduction sequence from AXto Mshows that cdoes not
occur in Mand Ac≡[c/X ](AX)âç-reduces to [c/X ]M. Similarly, cdoes not
occur in Nand Bc âç-reduces to [c/X ]N. Since cis a constant, substituting cfor
Xcannot introduce new redexes. So, simple inductions on the sizes of Mand N
show [c/X ]Mand [c/X ]Nare âç-normal. By assumption, we know Ac≡âçBc.
Since normal forms are unique, we must have [c/X ]M≡[c/X ]N. Using the fact
that cdoes not occur in either Mor N, an induction on the size of Mreadily shows
M≡N. So, we have A≡çëXãAX≡âçëXãM≡ëXãN≡âçëXãBX≡çBa
Remark 3.15.Suppose we have a signature Σ with a single constant cé. In this
case, cis the only closed âç-normal form of type é. Since ëX X 6≡âç ëX c even
though (ëX X )c≡âçc≡âç (ëX c)cwe have a counterexample to functionality of ≡âç
on cwff . The problem here is that we do not have another constant déto distinguish
the two functions. In wff (Σ) we could always use a variable.
1038 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
Remark 3.16 (Assumptions on Σ).From now on, we assume Σαto be infinite for
each type α. Furthermore, we assume there is a particular cardinal ℵssuch that Σα
has cardinality ℵsfor every type α. Since Vis countable, this implies wffα(Σ) and
cwffαhave cardinality ℵsfor each type α. Also, whether or not primitive equality
is included in the signature, there can only be finitely many logical constants in Σα
for each particular type α. Thus, the cardinality of the set of parameters in Σαis
also ℵs. In the countable case, ℵsis ℵ0.
3.2. Σ-evaluations. Σ-evaluations are applicative structures with a notion of eval-
uation for well-formed formulae in wff (Σ).
Definition 3.17 (Variable assignment).Let A:= (D,@) be an applicative
structure. A typed function ϕ:V−→ Dis called a variable assignment into A.
Given a variable assignment ϕ, variable Xα, and value a∈Dα, we use ϕ, [a/X ] to
denote the variable assignment with (ϕ, [a/X ])(X)≡aand (ϕ, [a/X ])(Y)≡ϕ(Y)
for variables Yother than X.
Definition 3.18 (Σ-evaluation).Let E:FT(V;D)−→ FT(wff (Σ),D) be a
total function, where FT(V;D) is the set of variable assignments and FT(wff (Σ),
D) is the set of typed functions mapping terms into objects in D. We will write the
argument of Eas a subscript. So, for each assignment ϕ, we have a typed function
Eϕ: wff(Σ) −→ D.Eis called an evaluation function for Aif for any assignments
ϕand øinto A, we have
(1) Eϕ
V≡ϕ.
(2) Eϕ(FA)≡Eϕ(F)@Eϕ(A) for any F∈wffα→â(Σ) and A∈wffα(Σ) and types
αand â.
(3) Eϕ(A)≡Eø(A) for any type αand A∈wffα(Σ), whenever ϕand øcoincide
on free(A).
(4) Eϕ(A)≡Eϕ(A
yâ) for all A∈wffα(Σ).
We call J: = (D,@,E) a Σ-evaluation if (D,@) is an applicative structure andEis
an evaluation function for (D,@). We call Eϕ(Aα)∈Dαthe denotation of Aαin J
for ϕ. (Note that since Eis a function, the denotation in Jis unique. However, for
a given applicative structure A, there may be many possible evaluation functions.)
If Ais a closed formula, then Eϕ(A) is independent of ϕ, since free(A) = ∅. In
these cases we sometimes drop the reference to ϕfrom Eϕ(A) and simply write
E(A).
We call a Σ-evaluation J:= (D,@,E)functional [full,standard] if the applicative
structure (D,@) is functional [full,standard]. We say Jis a Σ-evaluation over a
frame if (D,@) is a frame.
Σ-evaluations generalize Σ-evaluations over frames, which are the basis for Henkin
models, to the non-functional case. The existence of an evaluation function that
meets the conditions above seems to be the weakest situation where one would like to
speak of a model. We cannot in general assume the evaluation function is uniquely
determined by its values on constants as this requires functionality. For example,
two evaluation functions Eand E0on the same applicative structure may agree on
all constants, but give a different value to the term (ëXéX). Such an example is
constructed and discussed later in Remark 5.7.
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY 1039
Remark 3.19 (Σ-evaluations respect â-equality).Let J:= (D,@,E) be a Σ-
evaluation and A≡âB. For all assignments ϕinto (D,@), we have Eϕ(A)≡
Eϕ(A
yâ)≡Eϕ(B
yâ)≡Eϕ(B).
We can easily show Σ-evaluations satisfy a Substitution-Value Lemma.
Lemma 3.20 (Substitution-value lemma).Let J:= (D,@,E)be a Σ-evaluation
and ϕbe an assignment into J. For any types αand â, variables Xâ, and formulae
A∈wffα(Σ) and B∈wff â(Σ), we have Eϕ,[Eϕ(B)/X](A)≡Eϕ([B/X ]A).
Proof. Using the fact that Erespects â-equality (cf. Remark 3.19) and the other
properties of E(cf. Definition 3.18), we can compute
Eϕ,[Eϕ(B)/X ](A)≡Eϕ,[Eϕ(B)/X ]((ëX A)X)
≡Eϕ,[Eϕ(B)/X ](ëX A)@Eϕ,[Eϕ(B)/X ](X)
≡Eϕ(ëX A)@Eϕ(B)
≡Eϕ((ëX A)B)
≡Eϕ([B/X ]A).a
We will consider two weaker notions of functionality. These forms are often
discussed in the literature (cf. [28]).
Definition 3.21 (Weakly functional evaluations).Let J≡(D,@,E) be a Σ-
evaluation. We say Jis ç-functional if Eϕ(A)≡Eϕ(A↓âç ) for any type α, formula
A∈wffα(Σ), and assignment ϕ. We say Jis î-functional if for all α, â ∈T,
M,N∈wffâ(Σ), assignments ϕ, and variables Xα,Eϕ(ëXαMâ)≡Eϕ(ëXαNâ)
whenever Eϕ,[a/X](M)≡Eϕ,[a/X ](N) for every a∈Dα.
We will now establish that functionality is equivalent to ç-functionality and î-
functionality combined. We prepare for this by first proving two lemmas about
functional Σ-evaluations.
Lemma 3.22. Let J: = (D,@,E)be a functional Σ-evaluation. For any assign-
ment ϕinto Jand F∈wffα→â(Σ) where Xα/∈free(F), we have
Eϕ(ëXαFX)≡Eϕ(F).
Proof. Let a∈Dαbe given. Since Xα/∈free(F), we have Eϕ,[a/X ](F)≡Eϕ(F).
Since Erespects â-equality (cf. Remark 3.19), we can compute
Eϕ(ëX FX)@a≡Eϕ,[a/X ]((ëX FX)X)≡Eϕ,[a/X](FX)≡Eϕ(F)@a.
Generalizing over a, we conclude Eϕ(ëX FX)≡Eϕ(F) by functionality. a
Lemma 3.23. Let J: = (D,@,E)be a functional Σ-evaluation. If a formula A
ç-reduces to Bin one step, then for any assignment ϕinto J,Eϕ(A)≡Eϕ(B).
Proof. We prove this by induction on the structure of the term A. For the
base case when Ais the ç-redex which is reduced, we apply Lemma 3.22. When
A≡(FC), then the ç-reduction either occurs in For C. So, B≡(GD) where F
ç-reduces to Gin one step (or G≡F) and D≡C(or Cç-reduces to Din one
step). So, by induction we have Eϕ(F)≡Eϕ(G) and Eϕ(C)≡Eϕ(D). It follows
that Eϕ(A)≡Eϕ(B).
When Ais a ë-abstraction, we must use functionality. Suppose for some type α,
A≡(ëXαC) (and this is not the ç-redex reduced to obtain B). Then B≡(ëXαD)
1040 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
where Cç-reduces in one step to D. By the induction hypothesis, for any a∈Dα,
Eϕ,[a/X ](C)≡Eϕ,[a/X ](D). Since Eis an evaluation function, we have
Eϕ(ëX C)@a≡Eϕ,[a/X ]((ëX C)X)≡Eϕ,[a/X ](C)
≡Eϕ,[a/X ](D)≡Eϕ,[a/X ]((ëX D)X)≡Eϕ(ëX D)@a.
By functionality, Eϕ(A)≡Eϕ(ëX C)≡Eϕ(ëX D)≡Eϕ(B). a
Lemma 3.24 (Functionality).Let J: = (D,@,E)be a Σ-evaluation. Then Jis
functional iff it is both ç-functional and î-functional.
Proof. The fact that functionality implies ç-functionality now follows from a
simple induction on the number of âç-reduction steps using Lemma 3.23 and
Remark 3.19.
To show functionality implies î-functionality, let M,N∈wffâ(Σ), an assignment
ϕand a variable Xαbe given. Suppose Eϕ,[a/X ](M)≡Eϕ,[a/X ](N) for every a∈Dα.
We need to show Eϕ(ëX M)≡Eϕ(ëX N). This follows from functionality since
Eϕ(ëX M)@a≡Eϕ,[a,X ]((ëX M)X)≡Eϕ,[a/X ](M)
≡Eϕ,[a/X ](N)≡Eϕ,[a,X ]((ëX N)X)≡Eϕ(ëX N)@a
for every a∈Dα.
To show functionality from ç-functionality and î-functionality, let f,g∈Dα→â
such that f@a≡g@afor all a∈Dαbe given. We need to show that f≡g. Let
Fα→â,Gα→âand Xαbe variables and ϕbe any assignment such that ϕ(F)≡f
and ϕ(G)≡g. Then for any a∈Dαwe have Eϕ,[a/X ](FX )≡f@a≡g@a≡
Eϕ,[a/X ](GX ), and thus Eϕ(ëX FX )≡Eϕ(ëX GX ) by î-functionality. Hence,
f≡Eϕ(F)≡Eϕ(ëX FX )≡Eϕ(ëX GX )≡Eϕ(G)≡g
by ç-functionality. a
Lemma 3.25 (î-functionality and replacement).Let J: = (D,@,E)be a î-func-
tional Σ-evaluation and B,C∈wffâ(Σ). Suppose Eϕ(B)≡Eϕ(C)for every assign-
ment ϕinto J. Then for all formulae A∈wffα(Σ), positions p, and assignments ϕ
into J,Eϕ(A[B]p)≡Eϕ(A[C]p).
Proof. We show the assertion by an induction on the structure of A. If pis the
top position, we have
Eϕ(A[B]p)≡Eϕ(B)≡Eϕ(C)≡Eϕ(A[C]p).
In particular, if Ais a constant or a variable, then pmust be the top position and
we are done. Otherwise, assume pis not the top position. If Ais an application FD,
we have to consider two cases: A[B]p=F[B]qDand A[B]p=F(D[B]r) for some
positions qand r. Since the second case is analogous we only show the first case.
By the inductive hypothesis we have
Eϕ(A[B]p)≡Eϕ(F[B]qD)≡Eϕ(F[B]q)@Eϕ(D)
≡Eϕ(F[C]q)@Eϕ(D)≡Eϕ(F[C]qD)≡Eϕ(A[C]p).
If A[B]p=ëXãD[B]q, then we get the assertion from î-functionality. By the induc-
tive hypothesis, we know Eø(D[B]q)≡Eø(D[C]p) for every assignment ø. In par-
ticular, for any assignment ϕand c∈Dã, we have Eϕ,[c/X ](D[B]q)≡Eϕ,[c/X ](D[C]p).
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY 1041
By î-functionality, we have
Eϕ(A[B]p)≡Eϕ(ëX D[B]q)≡Eϕ(ëX D[C]q)≡Eϕ(A[C]p).
Thus we have completed all the cases and proven the assertion. a
Example 3.26 (Singleton evaluation).The singleton applicative structure (cf. Ex-
ample 3.7) is a Σ-evaluation if for any assignment ϕand formula Awe take
Eϕ(A)≡a, where ais the (unique) member of Dα. Note that in this Σ-evaluation
E(ëX X )≡Eϕ(ëX Y ) for any assignment ϕ.
For a detailed discussion on the closure conditions needed for the domains for
function types to be rich enough for evaluation functions to exist, we refer the reader
to [2, 4].
Note that the applicative term structure wff (Σ) from Example 3.8 cannot be made
into a Σ-evaluation by providing an evaluation function. To see this, suppose Eis
an evaluation function for wff (Σ) and F:= E(ëXαX)∈wff α→α(Σ). Since Eis
assumed to be an evaluation function, we must have
Eϕ(A)≡Eϕ((ëXαX)A)≡F@A≡FA
for every A∈wffα(Σ). In particular, for any constant aα∈Σα, we must have
Fa≡Eϕ(a)≡E((ëXαX)a)≡E(ëXαX)@E(a)≡F(Fa). But clearly Fa6≡
F(Fa) no matter what F∈wffα→α(Σ) we choose. In particular, the “obvious”
choice of E(ëXαX)≡(ëXαX) does not work. This example suggests that we need
to consider â-convertible terms equal before we can obtain a term evaluation (cf.
Definition 3.35).
Definition 3.27 (Σ-evaluation congruences).Acongruence on a Σ-evaluation
J≡(D,@,E) is a congruence on the underlying applicative structure (D,@).
Given any two variable assignments ϕand øinto (D,@), we will use the notation
ϕ∼øto indicate that ϕ(X)∼ø(X) for every variable X.
A typed equivalence relation was defined to be a congruence if it respects appli-
cation. In order to form a quotient of a Σ-evaluation, we must be able to define
an evaluation function E∼on the quotient structure. But E∼interprets all terms,
including ë-abstractions. It is not obvious that one can find a well-defined E∼that
is really an evaluation function. In fact, the property one needs in order to show
E∼will be a well-defined evaluation function is Eϕ(A)∼Eø(A) for all A∈wff α(Σ)
and assignments ϕand øwith ϕ∼ø. One can show this by an easy induction
on the term Aif the congruence ∼is functional. However, without the assumption
that ∼is functional, this direct proof will fail when Ais a ë-abstraction. This is a
general problem with trying to prove properties of evaluations since many objects
in Dα→âmay represent the same function from Dαto Dâ. Fortunately, there is a
way to use combinators to reduce such inductions to terms which only have very
special ë-abstractions.
Definition 3.28 (SK-combinatory formulae).For all types α,â, and ã, we define
two families of closed formulae we call combinators:
Kα→â→α:= ëXαYâX
S(α→â→ã)→(α→â)→α→ã:= ëUα→â→ãVα→âWα(UW (VW )).
1042 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
We define the set of SK -combinatory formulae to be the least subset of the set
Sα∈Twffα(Σ) containing every Kand S, every constant c∈Σ and every variable,
that is closed under application.
As shown in [3], every formula can be â-expanded to an SK -combinatory formula.
Lemma 3.29. For every type αand A∈wffα(Σ), there is an SK -combinatory
formula A0∈wffα(Σ) such that A0â-reduces to A.
Proof. See Proposition 1 in [3]. The main difference to this setup is the signature,
and this plays no role in the proof. a
Now, we can show Eϕ(A)∼Eø(A) for SK-combinatory Awhenever ϕ∼ø.
Lemma 3.30. Let J≡(D,@,E)be a Σ-evaluation, ∼a congruence on J, and ϕ
and øassignments into Jwith ϕ∼ø. For every SK-combinatory formula A, we
have Eϕ(A)∼Eø(A).
Proof. The proof is by induction on the SK -combinatory formula A. If Ais
a variable X, we have Eϕ(X)≡ϕ(X)∼ø(X)≡Eø(X). If Ais closed (e.g., a
constant in Σ or a combinator), then Eϕ(A)≡Eø(A), so certainly Eϕ(A)∼Eø(A).
Finally, if Ais an application of two SK-combinatory formulae Fand B, then by
the inductive hypothesis we have Eϕ(F)∼Eø(F) and Eϕ(B)∼Eø(B). Since ∼
respects application, Eϕ(FB)≡Eϕ(F)@Eϕ(B)∼Eø(F)@Eø(B)≡Eø(FB). a
We can use this result to show the same property holds for all formulae.
Lemma 3.31. Let J≡(D,@,E)be a Σ-evaluation, ϕand øassignments into J
with ϕ∼ø, and ∼a congruence on J. For every formula A, we have Eϕ(A)∼Eø(A).
Proof. Let A∈wffα(Σ) for some type α. By Lemma 3.29 there is an SK-
combinatory formula A0that â-reduces to A. By Remark 3.19 and Lemma 3.30,
we have Eϕ(A)≡Eϕ(A0)∼Eø(A0)≡Eø(A). a
Remark 3.32 (Correspondence with logical relations).Lemma 3.31 is essentially
an instance of the “Basic Lemma” for logical relations (Lemma 8.2.5 in [44]). In
fact, ∼is functional, iff ∼is a logical relation over the applicative structure. If ∼
is not functional, it still satisfies this “Basic Lemma” property, which makes it a
pre-logical relation in the sense of [31].
Definition 3.33 (Quotient Σ-evaluation).Let J≡(D,@,E) be a Σ-evaluation,
∼a congruence on Jand let (D∼,@∼) be the quotient applicative structure of
(D,@) with respect to ∼.
For each A∈D∼
α, we choose a representative A∗∈A. So, [[A∗]]∼≡A. Note
that [[a]]∗
∼∼afor every a∈Dα. For any assignment ϕinto J/
∼, let ϕ∗be the
assignment into Jgiven by ϕ∗(X) : = ϕ(X)∗. Note that ϕ≡ð∼◦ϕ∗. So we can
define E∼
ϕas ð∼◦Eϕ∗, and call J/
∼:= (D∼,@∼,E∼) the quotient Σ-evaluation of
Jmodulo ∼. (By Lemma 3.31, the definition of E∼does not depend on the choice
of representatives.)
This definition is justified by the following theorem.
Theorem 3.34 (Quotient Σ-evaluation theorem).If JisaΣ-evaluation and ∼is
a congruence on J, then J/
∼is a Σ-evaluation.
Proof. We prove that E∼is an evaluation function by verifying the conditions
in Definition 3.18. For any assignment ϕinto the quotient applicative structure, let
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY 1043
ϕ∗be the assignment with ϕ≡ð∼◦ϕ∗as in Definition 3.33. First, we compute
E∼
ϕ
V≡(ð∼◦Eϕ∗)
V≡ð∼◦Eϕ∗
V≡ð∼◦ϕ∗≡ϕ. Since ð∼is a homomorphism
we have
E∼
ϕ(FA)≡ð∼(Eϕ∗(FA))
≡ð∼(Eϕ∗(F)@Eϕ∗(A))
≡ð∼(Eϕ∗(F))@∼ð∼(Eϕ∗(A))
≡E∼
ϕ(F)@∼E∼
ϕ(A).
If ϕand øcoincide on free(A), then E∼
ϕ(A)≡[[Eϕ∗(A)]]∼≡[[Eø∗(A)]]∼≡E∼
ø(A)
since this entails that ϕ∗and ø∗coincide on free(A) too (as we have chosen par-
ticular representatives for each equivalence class). Finally, E∼
ϕ(A)≡[[Eϕ∗(A)]]∼≡
[[Eϕ∗(A
yâ)]]∼≡E∼
ϕ(A
yâ). a
Definition 3.35 (Term evaluations for Σ).Let cwff (Σ)
yâbe the collection of
closed well-formed formulae in â-normal form and A@âBbe (AB)
yâ. For the
definition of an evaluation function let ϕbe an assignment into cwff (Σ)
yâ. Note
that ó:= ϕ
free(A)is a substitution, since free(A) is finite. Thus we can choose
Eâ
ϕ(A) : = ó(A)
yâ. We call T E(Σ)â: = (cwff
yâ,@â,Eâ) the â-term evaluation
for Σ.
Analogously, we can define TE(Σ)âç : = ( cwff↓âç ,@âç,Eâç ) the âç-term evalua-
tion for Σ.
The name term evaluation in the previous definition is justified by the following
lemma.
Lemma 3.36. T E(Σ)âis a Σ-evaluation and T E(Σ)âç is a functional Σ-evaluation.
Proof. The fact that (cwff (Σ)
yâ,@â) is an applicative structure is immediate:
For each type α, cwff α(Σ)
yâis non-empty (by the assumption in Remark 3.16) and
@â: cwffα→â(Σ)
yâ×cwffα(Σ)
yâ−→ cwffâ(Σ)
yâ.
We next check that Eâis an evaluation function.
(1) Eâ
ϕ(X)≡ϕ
free(X)(X)≡ϕ(X).
(2) Eâ
ϕrespects application since ó(FA)
yâ≡ó(F)
yâó(A)
yâ
yâwhere ó≡
ϕ
free(FA).
(3) Eâ
ϕ(A)≡ϕ
free(A)(A)
yâ≡ϕ0
free(A)(A)
yâ≡Eâ
ϕ0(A) whenever ϕand ϕ0
coincide on free(A).
(4) Eâ
ϕ(A)≡ó(A)
yâ≡ó(A
yâ)
yâ≡Eâ
ϕ(A
yâ) where ó≡ϕ
free(A).
A similar argument shows that TE(Σ)âç is a Σ-evaluation. Also, one can show
TE(Σ)âç is functional using an argument similar to Lemma 3.14 since Σ is infinite
at all types by Remark 3.16. (Alternatively, one can simply apply Lemma 3.14
and Theorem 3.13 to note that the applicative structure cwff (Σ)/
≡âç is functional.
The applicative structure cwff (Σ)/
≡âç is isomorphic to the applicative structure
1044 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
( cwff (Σ)
yâç ,@âç). One can easily show that functionality is preserved under iso-
morphism.) a
Remark 3.37.Note that TE(Σ)âis not a functional Σ-evaluation since, for in-
stance, for any constant hã→ä∈Σ
(ëXãhã→äX)@âCã≡h@âC
for all Cin TEã(Σ)âbut ëX hX 6≡ h.
Remark 3.38.One can show that an evaluation function Efor an applicative
structure (D,@) is uniquely determined by its values E(c) on the constants c∈Σ
and its values E(S) and E(K) on the combinators Sand K. When the applicative
structure is functional, even the values of each E(S) and E(K) are determined, so
that Eis uniquely determined by its values E(c) for c∈Σ.
Definition 3.39 (Homomorphism on Σ-evaluations).Let J1:= (D1,@1,E1)
and J2:= (D2,@2,E2) be Σ-evaluations. A Σ-homomorphism is a typed function
κ:D1−→ D2such that κis a homomorphism from the applicative structure
(D1,@1) to the applicative structure (D2,@2) and κE1
ϕ(A)≡E2
κ◦ϕ(A) for every
A∈wffα(Σ) and assignment ϕfor J1.
3.3. Σ-models. The semantic notions so far are independent of the set of base
types. Now, we specialize these to obtain a notion of models by requiring specialized
behavior on the type oof truth values. For this we use the notion of a Σ-valuation
which gives a truth-value interpretation to the domain Doof a Σ-evaluation con-
sistent with the intuitive interpretations of the logical constants. Since models are
semantic entities that are constructed primarily to make a statement about the truth
or falsity of a formula, the requirement thatthere exists a Σ-valuation is perhaps the
most general condition under which one wants to speak of a model. Thus we will
define our most general notion of semantics as Σ-evaluations that have Σ-valuations.
Definition 3.40.Fix two values T6≡ F. Let J:= (D,@,E) be a Σ-evalua-
tion and õ:Do−→ {T,F}be a (total) function. We define several properties that
characterize logical operators with respect to õin the table shown in Figure 2.
prop. where holds when for all
L¬(n)n∈Do→oõ(n@a)≡Tiff õ(a)≡Fa∈Do
L∨(d)d∈Do→o→oõ(d@a@b)≡Tiff õ(a)≡Tor õ(b)≡Ta,b∈Do
L∧(c)c∈Do→o→oõ(c@a@b)≡Tiff õ(a)≡Tand õ(b)≡Ta,b∈Do
L⇒(i)i∈Do→o→oõ(i@a@b)≡Tiff õ(a)≡For õ(b)≡Ta,b∈Do
L⇔(e)e∈Do→o→oõ(e@a@b)≡Tiff õ(a)≡õ(b)a,b∈Do
Lα
∀(ð)ð∈D(α→o)→oõ(ð@f)≡Tiff ∀a∈Dαõ(f@a)≡Tf∈Dα→o
Lα
∃(ó)ó∈D(α→o)→oõ(ó@f)≡Tiff ∃a∈Dαõ(f@a)≡Tf∈Dα→o
Lα
=(q)q∈Dα→α→oõ(q@a@b)≡Tiff a≡b a,b∈Dα
Figure 2. Logical properties in Σ-models.
Definition 3.41 (Σ-model).Let J:= (D,@,E) be a Σ-evaluation. A function
õ:Do−→ {T,F}is called a Σ-valuation for Jif L¬(E(¬)) and L∨(E(∨)) hold,
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY 1045
and for every type αLα
∀(E(Πα)) holds. In this case, M: = (D,@,E, õ) is called a
Σ-model.
For the case of (the optional) primitive equality, i.e., when =α∈Σα→α→ofor all
types α, we say Mis a Σ-model with primitive equality if Lα
=(E(=α)) holds for every
type α.
We say that ϕis an assignment into Mif it is an assignment into the underlying
applicative structure (D,@). Furthermore, ϕsatisfies a formula A∈wffo(Σ) in M
(we write M|=ϕA) if õ(Eϕ(A)) ≡T. We say that Ais valid in M(and write M|=A)
if M|=ϕAfor all assignments ϕ. When A∈cwffo(Σ), we drop the reference to the
assignment and use the notation M|=A. Finally, we say that Mis a Σ-model for a
set Φ ⊆cwffo(Σ) (we write M|= Φ) if M|=Afor all A∈Φ.
A Σ-model M:= (D,@,E, õ) is called functional [full,standard] if the applicative
structure (D,@) is functional [full,standard]. Similarly, Mis called ç-functional
[î-functional] if the evaluation (D,@,E) is ç-functional [î-functional]. We say M
is a Σ-model over a frame if (D,@) is a frame.
Remark 3.42 (Adding primitive equality).In the definition of Σ-model above,
the addition of property Lα
=(E(=α)) addressing the case of primitive equality above
has a purely practical motivation: calculi with a primitive treatment of equality,
see for instance [10, 11], may provide a more effective approach to equational
reasoning in higher-order logic than the exclusive use of Leibniz equality. Therefore
we enrich our theory to automatically also address the situation where (always built-
in) Leibniz equality and (optional) primitive equality are simultaneously present
in the language. The generalization to primitive equality is less trivial than the
generalization to other (optional) primitive logical connectives such as ∧or ⇒.
This is the main reason why we built primitive equality directly into our theory
while we omit other logical primitives (cf. also Remarks 3.47 and 6.9).
Lemma 3.43 (Truth and falsity in Σ-models).Let M:= (D,@,E, õ )be a Σ-
model and ϕan assignment. Let To:= ∀PoP∨ ¬Pand Fo: = ¬To. Then õ(Eϕ(To))
≡Tand õ(Eϕ(Fo)) ≡F.
Proof. Let Pbe a variable of type o. We have õ(Eϕ(To)) ≡T, iff õ(Eϕ(P∨¬P)) ≡
Tfor every assignment ϕ. The properties of õshow that this statement is equivalent
to õ(ϕ(P)) ≡Tor õ(ϕ(P)) ≡F, which is always true since õmaps into {T,F}. Note
further that õ(Eϕ(Fo)) ≡Fsince õ(Eϕ(To)) ≡T.a
Remark 3.44.Let M:= (D,@,E, õ) be a Σ-model. By Lemma 3.43, Domust
have at least the two elements Eϕ(To) and Eϕ(Fo), and õmust be surjective.
Remark 3.45.In contrast to the case of Henkin models, Definition 3.41 only
constrains the functional behavior of the values of the logical constants with respect
to õ. This does not fully specify these values since
•Mneed not be functional,
•and there can be more than two truth values.
We will now introduce semantical properties called q,ç,f, and b, which we will
use to characterize different classes of Σ-models.
Definition 3.46 (Properties q,ç,î,fand b).Given a Σ-model M:= (D,@,E,
õ), we say that Mhas property
1046 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
q: iff for all α∈Tthere is some qα∈Dα→α→osuch that Lα
=(qα) holds.
ç: iff Mis ç-functional.
î: iff Mis î-functional.
f: iff Mis functional. (This is generally associated with functional extensionality.)
b: iff Dohas at most two elements. By Lemma 3.44 we can assume without loss
of generality that Do≡ {T,F},õis the identity function, Eϕ(To)≡Tand
Eϕ(Fo)≡F. (This is generally associated with Boolean extensionality.)
Remark 3.47 (Choice of logical constants).The work presented in this article is
based on the choice of the primitive logical constants ¬,∨, and Πα. We have
also introduced shorthand for formulas constructed using ∧,⇒,⇔, and existential
quantification. One can (easily; cf. Lemma 3.48) verify that in any Σ-model M≡
(D,@,E, õ), each of the properties L∧(E(ëXoYoX∧Y)), L⇒(E(ëXoYoX⇒Y)),
L⇔(E(ëXoYoX⇔Y)) and Lα
∃(E(ëPα→o∃XαPX )) (for each type α) hold with
respect to õ. In this sense, our choice of logical constants and shorthand for
other logical constants is sufficient. However, Leibniz equality Qαwill only satisfy
Lα
=(E(Qα)) for each type αiff the model satisfies property q(cf. Remark 3.52 and
Theorem 3.63).
On the other hand, in the absence of extensionality, one can gain some (limited)
expressive power by including extra logical constants such as ∧in the signature.
This is the case since there may be several objects in c∈Do→o→osuch that L∧(c)
holds. So, one could have a Σ-model M≡(D,@,E, õ) (where ∧is also in Σ) such
that L∧(E(∧)) holds, but E(∧)6≡ E(ëXoYo¬(¬X∨ ¬Y)). We will not investigate
this possibility here.
Our choice of logical constants differs from Andrews’ choice [6] who considers
primitive equality as the only logical primitive from which all other logical operators
are defined using the definitions in Figure 3. For the sake of clarity, we write
qαfor =αwhen =αis not being written in infix notation. For Henkin models,
the definitions in Figure 3 are appropriate. However, without extensionality, the
situation is quite different. Suppose J≡(D,@,E) is a Σ-evaluation where =α∈Σ
for every type α. Let õ:Do−→ {T,F}be a function such that Lα
=(E(=α)) holds for
each type α. The fact that õ(E(To)) ≡Tfollows directly from Lo→o→o
=(E(=o→o→o))
and reflexivity of (meta-level) equality. Unfortunately, this is the last definition
which is clearly appropriate without further assumptions. So long as Dohas more
than one element, one can show õ(E(Fo)) ≡F. So, let us explicitly assume Do
To:= qo=o→o→oqo
Fo:= (ëXoTo) =o→o(ëXoX)
¬o→o:= qoFo
Πα:= qα→o(ëXαTo)
∧o→o→o:= ëXoYo(ëGo→o→oGToTo) =(o→o→o)→o(ëGo→o→oGXY )
⇒o→o→o:= ëXoYo(X=o(X∧Y))
∨o→o→o:= ëXoYo¬(¬X∧ ¬Y)
Σα:= ëPα→o(¬ΠαëXα¬(PX ))
Figure 3. A definition of logical constants from equality in
Henkin models.
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY 1047
has more than one element, which is anyway met by Σ-models (cf. Remark 3.44).
Next, we investigate whether L¬(E(¬)) holds. Let a∈Dobe given. By Lo
=(E(=o)),
we know õ(E(=o)@E(Fo)@a)≡Tis equivalent to E(Fo)≡a. So, if õ(E(=o)@
E(Fo)@a)≡T, then õ(a)≡õ(E(Fo)) ≡F. For the converse, suppose õ(a)≡F.
This, in general, does not imply E(Fo)≡a. However, if we assume ais the
unique member of Dosuch that õ(a)≡F, then we can conclude E(Fo)≡a. In
particular, if Dohas only two elements, then õmust be injective and we can conclude
E(Fo)≡a. So, Boolean extensionality is required to ensure that L¬(E(¬)) holds
for this definition of ¬.
We now investigate whether Lα
∀(E(Πα)) holds for Παdefined as in Figure 3.
Let f∈Dα→obe given. Suppose õ(E(=α→o)@E(ëXαTo)@f)≡T. Then, by
Lα→o
=(E(=α→o)), we know E(ëXαTo)≡f. This does guarantee E(To)≡f@aand
hence õ(f@a)≡Tfor every a∈Dα. However, showing the converse requires that
Mis functional (i.e., strong functional extensionality is given). Suppose õ(E(=α)@
E(ëXαTo)@f)≡F. We can conclude E(ëXαTo)6≡ f, but this is of little value. If J
is not functional, then these may be different representatives in Dα→oof the same
function. If Jis functional, there must be some a∈Dαsuch that E(To)6≡ f@a.
However, this still does not imply õ(f@a)≡F. If Dohas only two elements, then the
facts that E(To)6≡ f@aand E(To)6≡ E(Fo) imply E(Fo)≡f@a, hence õ(f@a)≡F.
Similar observations apply to the other definitions in Figure 3. These definitions
do show that at least Toand Foare definable from primitive equality (so long as Do
has at least two elements). Further more, if Dohas exactly two elements ¬is definable
from primitive equality. We conjecture that this is asmuch as one can define in terms
of primitive equality without extensionality assumptions. That is, we conjecture
that without assuming Dohas two elements, there may be no object n∈Do→osuch
that L¬(n) holds. Furthermore, we conjecture that without assuming functionality
and that Dohas two elements, there may be no object d∈Do→o→osuch that L∨(d)
holds, and there may be no object ð∈D(α→o)→osuch that Lα
∀(ð) holds.
The next lemma formally verifies that L⇔(E(ëXoYoX⇔Y)) holds with respect
to the valuation of a Σ-model, as indicated in the remark above.
Lemma 3.48 (Equivalence).Let M:= (D,@,E, õ)be a Σ-model, ϕan assign-
ment into M, and A,B∈wffo(Σ).õ(Eϕ(A⇔B)) ≡Tiff õ(Eϕ(A)) ≡õ(Eϕ(B)).
Proof. Suppose õ(Eϕ(A⇔B)) ≡T. This implies õ(Eϕ(¬A∨B)) ≡Tand
õ(Eϕ(¬B∨A)) ≡T. If õ(Eϕ(A)) ≡T, then õ(Eϕ(¬A∨B)) ≡Timplies õ(Eϕ(B)) ≡T,
so õ(Eϕ(A)) ≡T≡õ(Eϕ(B)). If õ(Eϕ(A)) ≡F, then õ(Eϕ(¬B∨A)) ≡Timplies
õ(Eϕ(B)) ≡F, so õ(Eϕ(A)) ≡F≡õ(Eϕ(B)). Since these are the only two possible
values for õ(Eϕ(A)), we have õ(Eϕ(A)) ≡õ(Eϕ(B)).
Suppose õ(Eϕ(A)) ≡õ(Eϕ(B)). Either õ(Eϕ(A)) ≡õ(Eϕ(B)) ≡Tor õ(Eϕ(A)) ≡
õ(Eϕ(B)) ≡F. An easy consideration of both cases verifies õ(Eϕ(¬A∨B)) ≡Tand
õ(Eϕ(¬B∨A)) ≡T. Hence, õ(Eϕ(A⇔B)) ≡T.a
We next define classes of Σ-models in which certain properties hold. These classes
are denoted by M∗where ∗ ∈ {â,âç,âî, âf, âb,âçb, âîb,âfb}. The subscript âis
always included to emphasize that â-equal terms are interpreted to be identical
elements in all models (cf. Remark 3.19). The subscripts ç,î,fand bindicate when
the corresponding properties must hold (cf. Definition 3.46). Note that we are not
including property qas an explicit subscript. The only Σ-models we need to consider
1048 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
which do not satisfy property qare term models. It will turn out (cf. Theorem 3.62)
that we can obtain a model satisfying property qfrom a model that does not by taking
a quotient. However, this may not preserve properties îor f. Consequently, we omit
qas a subscript and define the sets M∗(for ∗ ∈ {â, âç, âî , âf,âb, âçb,âîb,âfb}) so
that every model in M∗satisfies property q. (This choice will be discussed further
in Remark 3.52.)
Definition 3.49 (Higher-order model classes).We will denote the class of Σ-
models that satisfy property qby Mâ, and we will use subclasses of Mâdepending
on the validity of the properties ç,î,f, and b. We obtain the specialized classes
of Σ-models Mâç,Mâî ,Mâf,Mâb,Mâçb,Mâîb, and Mâfb by requiring that the
properties specified in the index are valid.
If primitive equality is in the signature, i.e., if =α∈Σα→α→o, then we require the
models to be Σ-models with primitive equality. Note that in this case property qis
automatically ensured.
We can group these eight classes in two dimensions as in Figure 4 based on the
“amount of extensionality” required.
functional
Boolean
none weak (ç) weak (î) strong (f)
none MâMâç Mâî Mâf
b MâbMâçbMâîbMâfb
Figure 4. Extensional model classes.
Definition 3.50 (Σ-Henkin models).A Σ-Henkin model is a model Mover a
frame with M∈Mâfb . We denote the class of all Σ-Henkin models by H. (Such
models are called general models in [2] and [6]. We avoid this terminology here since
we consider models which are more general than these.)
Definition 3.51 (Σ-standard models).A Σ-standard model is a Σ-Henkin model
that is also full (i.e., a model M∈Mâfb over a standard frame). The class of all
Σ-standard models is denoted by ST.
Remark 3.52 (Property q).The purpose of property qis to ensure that for all
types αthere is an object qαin Dα→α→orepresenting meta equality for the do-
main Dα. This ensures the existence of objects representing unit sets {a}for each
a∈Dαin the domains Dα→o, which in turn makes Leibniz equality the intended
equality relation. This is because membership in these unit sets can be used as
an appropriately strong criterion to distinguish between different elements of Dα.
This aspect is discussed in detail by Peter Andrews in [2]. He notes that Leon
Henkin unintentionally introduced in [26] a class of models which need not satisfy
property qinstead of the class of Henkin models in the sense above. As Andrews
shows, a consequence is that such a model may fail to satisfy the principle of strong
functional extensionality (cf. Definition 4.5) given by the formula
∀Fé→é∀Gé→é(∀XéFX .
=éGX )⇒F.
=é→éG
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY 1049
even though the model (as a model over a frame) is functional. Andrews fixed
this problem by introducing property q. Here, we have followed this by requiring
property qin all our model classes M∗.
Now let us extend the notion of a quotient evaluation to Σ-models.
Definition 3.53 (Σ-model congruences).Acongruence on a Σ-model M≡(D,
@,E, õ) is a congruence on the underlying Σ-evaluation(D,@,E) such that õ(a)≡
õ(b) for all a,b∈Dowith a∼b.
Definition 3.54 (Quotient Σ-model).Let M≡(D,@,E, õ) be a Σ-model, ∼be
a congruence on M, and (D∼,@∼,E∼) be the quotient Σ-evaluation of (D,@,E)
with respect to ∼(cf. Definition 3.33). Using the notation for representatives A∗∈A
for A∈D∼
αas in Definition 3.33, we define õ∼:D∼
o−→ {T,F}by õ∼(A) : = õ(A∗)
for every A∈D∼
o. (Since õ(a)≡õ(b) whenever a∼bin Do, this definition
of õ∼does not depend on the choice of representatives and õ∼([[a]]∼)≡õ(a) for
every a∈Do.) We call M/
∼:= (D∼,@∼,E∼, õ∼) the quotient Σ-model of Mwith
respect to ∼.
Theorem 3.55 (Quotient Σ-model theorem).Let M≡(D,@,E, õ)be a Σ-
model and ∼be a congruence on M. The quotient M/
∼is a Σ-model.
Furthermore, if for every type α,=α∈Σαand we have õ(E(=α)@a@b)≡Tiff
a∼bfor every a,b∈Dα, then M/
∼is a Σ-model with primitive equality.
Proof. We check the conditions of Definition 3.41, again using the A∗notation
for representatives. To check condition L¬(E∼(¬)) for õ∼, for all A∈D∼
owe
need to show that õ∼(E∼(¬)@∼A)≡Tiff õ∼(A)≡F. Let A∈D∼
obe given.
Since Mis a Σ-model we have õ(E(¬)@A∗)≡Tiff õ(A∗)≡F. Since [[A∗]]∼≡A
and [[E(¬)@A∗]]∼≡E∼(¬)@∼A, we have õ∼(E∼(¬)@∼A)≡Tiff õ∼(A)≡F.
Checking condition L∨(E∼(∨)) for õ∼is analogous.
To check condition Lα
∀(E∼(Πα)) for õ∼, suppose we have G∈D∼
α→o. For every
A∈D∼
α,õ∼(G@∼A)≡õ(G∗@A∗). So, if õ∼(G@∼A)≡Tfor every A∈D∼
α, then
õ(G∗@a)≡õ(G∗@[[a]]∗
∼)≡Tfor every a∈Dα, and we conclude õ(E(Πα)@G∗)≡
T. Hence, õ∼(E∼(Πα)@∼G)≡T. Conversely, suppose õ∼(E∼(Πα)@G)≡T.
Then õ(E(Πα)@G∗)≡Tand hence õ∼(G@A)≡õ(G∗@A∗)≡Tfor every A∈D∼
α.
Suppose primitive equality is in the signature and õ(E(=α)@a@b)≡Tiff a∼b
for every a,b∈Dα. To verify Lα
=(E∼(=α)) holds for õ∼, we simply note that
õ∼(E∼(=α)@∼A@∼B)≡T, iff õ(E(=α)@A∗@B∗)≡T, iff A∗∼B∗, iff A≡B.a
We can define properties of a congruence analogous to those defined for models
in Definition 3.46.
Definition 3.56 (Properties ç,î,fand bfor congruences).Given a Σ-model
M:= (D,@,E, õ) and a congruence ∼on M, we say ∼has property
ç: iff Eϕ(A)∼Eϕ(A↓âç) for any type α,A∈wff α(Σ), and assignment ϕ.
î: iff for all α, â ∈T,M,N∈wffâ(Σ), assignment ϕ, and variables Xα,
Eϕ(ëXαMâ)∼Eϕ(ëXαNâ) whenever Eϕ,[a/X](M)∼Eϕ,[a/X ](N) for every
a∈Dα.
f: iff ∼is functional.
b: iff Dohas at most two equivalence classes with respect to ∼. (By Remark 3.44
there are always at least two.)
1050 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
Remark 3.57.It follows trivially from reflexivity of congruences that if a model
satisfies property ç, then any congruence on the model satisfies property ç. Similarly,
if a model has only two elements in Do, then Docan have at most two equivalence
classes with respect to any congruence ∼. So, if a model satisfies property b, then
any congruence on the model satisfies property b. This is not true for properties î
or f. For an example, we refer to the functional model (satisfying property f, hence
property î) constructed by Andrews in [2]. Using the results we prove below, one
can show Leibniz equality must induce a congruence failing to satisfy properties î
and fon this functional model.
Lemma 3.58. Let Mbe a Σ-model, Φ⊆cwff o(Σ), and ∼be a congruence on M.
We have M/
∼|= Φ iff M|= Φ. Furthermore, if ∗ ∈ {ç, î, f,b}and ∼satisfies
property ∗, then M/
∼satisfies property ∗.
Proof. Let Ao∈Φ. Since Ais closed, M|=A, iff õ(E(A)) ≡T, iff õ∼(E∼(A)) ≡
T, iff M/
∼|=A. So, M|= Φ iff M/
∼|= Φ.
Suppose ∼satisfies property ç. Let A∈wff α(Σ), and an assignment ϕinto M/
∼
be given. Let ϕ∗be a corresponding assignment into M(cf. Definition 3.33). Since
∼satisfies property ç, we know Eϕ∗(A)∼Eϕ∗(A↓âç). Taking equivalence classes,
we have E∼
ϕ(A)≡E∼
ϕ(A↓âç).
Suppose ∼satisfies property î. Let M,N∈wffâ(Σ), a variable Xαand an
assignment ϕinto M/
∼be given. Again, let ϕ∗be a corresponding assignment
into M. Suppose E∼
ϕ,[A/X ](M)≡E∼
ϕ,[A/X ](N) for every A∈D∼
α. This means
Eϕ∗,[A∗/X ](M)∼Eϕ∗,[A∗/X ](N) for every A∈D∼
α. For any a∈Dα, using
Lemma 3.31, we know
Eϕ∗,[a/X ](M)∼Eϕ∗,[A∗/X](M)∼Eϕ∗,[A∗/X ](N)∼Eϕ∗,[a/X ](N)
where A∈D∼
αis the equivalence class of a. Since ∼satisfies property î, we
know that Eϕ∗(ëX M)∼Eϕ∗(ëX N). Taking equivalence classes, we see that
E∼
ϕ(ëX M)≡E∼
ϕ(ëX N).
If ∼is functional (satisfies property f), we know M/
∼is functional (satisfies
property f) by Theorem 3.13.
Finally, if ∼satisfies property b, then clearly D∼
ohas only two elements. So, M/
∼
satisfies property b.a
Definition 3.59 (Congruence relation .
∼).Let M≡(D,@,E, õ) be a Σ-model.
Let qα∈Dα→α→obe E(Qα), i.e., the interpretation of Leibniz equality at type α.
We define a.
∼bin Dαiff õ(qα@a@b)≡T.
Before checking .
∼is a congruence, we first show that it is at least reflexive.
Lemma 3.60. Let Mbe a Σ-model. For each type αand a∈Dα, we have a.
∼a.
Proof. We need to check õ(E(Qα)@a@a)≡T. Let Xαbe a variable of type α
and ϕbe some assignment with ϕ(X)≡a. Let r: = Eϕ(ëPα→o¬(PX )∨PX )).
For any p∈Dα→o, since Eis an evaluation function, we have
õ(r@p)≡õ(Eϕ,[p/P](¬(PX )∨PX )).
As Mis a Σ-model, we have õ(Eϕ,[p/P](¬(PX )∨PX )) ≡Tsince either
õ(Eϕ,[p/P](PX )) ≡Tor õ(Eϕ,[p/P](¬(PX ))) ≡T.
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY 1051
So, again since Mis a Σ-model, õ(E(Πα→o)@r)≡T. By the definitions of rand
.
=α, we have õ(Eϕ(X.
=αX)) ≡T. As X.
=αXisaâ-reduct of QαXX , we have
õ(Eϕ(QαXX )) ≡Tas well. Using ϕ(X)≡a, we see that õ(E(Qα)@a@a)≡T.a
In order to check that .
∼is a congruence, it is useful to unwind the definitions to
better characterize when a.
∼bfor a,b∈Dα.
Lemma 3.61 (Properties of .
∼).Let Mbe a Σ-model. For each type αand a,b∈
Dα, the following are equivalent:
(1) a.
∼b.
(2) For all variables Xαand Yαand assignments ϕsuch that ϕ(X)≡aand
ϕ(Y)≡b, we have õ(Eϕ(X.
=αY)) ≡T.
(3) For every p∈Dα→o,õ(p@a)≡Timplies õ(p@b)≡T.
(4) For every p∈Dα→o,õ(p@a)≡õ(p@b).
Proof. At each type α, let qα∈Dα→α→obe the interpretation E(Qα) of Leibniz
equality. By definition, a.
∼biff õ(qα@a@b)≡T.
To show (1) implies (2), suppose a.
∼band ϕis an assignment with ϕ(Xα)≡a
and ϕ(Yα)≡b. Since õ(qα@a@b)≡T, we have õ(Eϕ(QαXY )) ≡T. Since E
respects â-equality (cf. Remark 3.19), we have õ(Eϕ(X.
=αY)) ≡T.
To show (2) implies (3), suppose õ(Eϕ(X.
=αY)) ≡Twhenever ϕis an as-
signment with ϕ(X)≡aand ϕ(Y)≡b. Let Xand Ybe particular distinct
variables of type αand ϕbe any such assignment with ϕ(X)≡aand ϕ(Y)≡b.
Let p∈Dα→owith õ(p@a)≡Tand a variable Pα→obe given. By assumption,
õ(Eϕ(∀Pα→o¬(PX )∨(PY ))) ≡T. Since õ(Eϕ,[p/P](PX )) ≡õ(p@a)≡T, we have
õ(p@b)≡õ(Eϕ,[p/P](PY )) ≡T.
To show (3) implies (4), let p∈Dα→obe given. If õ(p@a)≡T, then we have
õ(p@b)≡Tby assumption. So, õ(p@a)≡õ(p@b) in this case. Otherwise, we
must have õ(p@a)≡F. Let q: = Eϕ(ëXα¬(Pα→oX)) where ϕis some assignment
with ϕ(P) : = p. Since Mis a model, õ(q@a)≡õ(E(¬)@(p@a)) ≡T. Applying
the assumption to q, we have õ(q@b)≡Tand so õ(E(¬)@(p@b)) ≡T. Thus,
õ(p@b)≡Fand õ(p@a)≡õ(p@b) in this case as well.
To show (4) implies (1), suppose õ(p@a)≡õ(p@b) for every p∈Dα→o. In par-
ticular, this holds for p:= qα@a∈Dα→o. Since õ(qα@a@a)≡Tby Lemma 3.60,
we must have õ(qα@a@b)≡T. That is, a.
∼b.a
Theorem 3.62 (Properties of M/.
∼).Let Mbe a Σ-model. Then .
∼is a congruence
relation on the model Mand M/.
∼satisfies property q. Furthermore, if for every type
α,=α∈Σαand õ(E(=α)@a@b)≡Tiff a.
∼bfor all a,b∈Dα, then M/.
∼is a
Σ-model with primitive equality.
Proof. We first verify that .
∼is an equivalence relation on each Dα. Reflexivity
was shown in Lemma 3.60. To check symmetry and transitivity we use condition
(4) in Lemma 3.61. For symmetry, let a.
∼bin Dαand p∈Dα→obe given. So,
õ(p@a)≡õ(p@b). Generalizing over p, we have b.
∼a. For transitivity, let a.
∼b
and b.
∼cin Dαand p∈Dα→obe given. So, õ(p@a)≡õ(p@b)≡õ(p@c).
Generalizing over p, we have a.
∼c.
We next verify that .
∼is a congruence. Suppose f.
∼gin Dα→âand a.
∼b∈Dα.
To show f@a.
∼g@bwe use condition (3) in Lemma 3.61. Let p∈Dâ→owith
õ(p@(f@a)) ≡Tbe given. Let ϕbe an assignment with ϕ(Pâ→o)≡p,ϕ(Xα)≡a
1052 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
and ϕ(Gα→â)≡gfor variables P,Xand G. We can use Lemma 3.61(3)
with Eϕ(ëFα→â(P(FX ))) and f.
∼gto verify that õ(p@(g@a)) ≡T. Using
Lemma 3.61(3) with Eϕ(ëXα(P(GX ))) and a.
∼bverifies õ(p@(g@b)) ≡T. So,
f@a.
∼g@b.
It remains to check that õ(a)≡õ(b) whenever a.
∼bfor a,b∈Do. Let a.
∼b
in Dobe given. Applying Lemma 3.61(4) to E(ëXoX)∈Do→owe have õ(a)≡
õ(E(ëXoX)@a)≡õ(E(ëXoX)@b)≡õ(b) as desired. So, .
∼is a congruence
relation on M.
Now, we show M/.
∼satisfies property q. At each type α, let qα∈Dα→α→obe the
interpretation E(Qα) of Leibniz equality. To check property q, we show that [[qα]] .
∼
is the appropriate object in D.
∼
α→α→ofor each α∈T. Let a,b∈Dαbe given. Note
that [[a]] .
∼≡[[b]] .
∼is equivalent to a.
∼b.
Also, õ.
∼([[qα]] .
∼@.
∼[[a]] .
∼@.
∼[[b]] .
∼)≡Tis equivalent to õ(qα@a@b)≡T. So, we
need to show that õ(qα@a@b)≡Tif and only if a.
∼b. But this is precisely the
definition of .
∼.
The statement for primitive equality follows immediately by Theorem 3.55. a
Now, we know that when one takes a quotient of a model Mby .
∼, one obtains
a model satisfying property q. It is worthwhile to note the following relationship
between .
∼and property q.
Theorem 3.63. Let M≡(D,@,E, õ )be a Σ-model. The following are equivalent:
(1) Msatisfies property q.
(2) For any congruence ∼on M, type α, and a,b∈Dα,a∼bimplies a≡b.
(3) For any type α, and a,b∈Dα,a.
∼bimplies a≡b.
(4) For any type α,Lα
=(E(Qα)) holds for õ.
Proof. To show (1) implies (2), suppose Msatisfies q,∼is a congruence on M,
and a∼bfor a,b∈Dα. Let qα∈Dα→α→obe the object at type αguaranteed to
exist by property q. Since a∼b, we have (qα@a@a)∼(qα@a@b). By property q,
we have õ(qα@a@a)≡T(since a≡a). Since ∼is a congruence on the model, we
have õ(qα@a@b)≡T. By property q, this means a≡b.
Since .
∼is a particular congruence on M, we know (2) implies (3).
To show (3) implies (4), we need to show Lα
=(E(Qα)) holds for each type α. By
the definition of .
∼, for every a,b∈Dαwe have õ(E(Qα)@a@b)≡T, if and only if
a.
∼b, iff a≡b. The last equivalence holds by our assumption that a.
∼bimplies
that a≡b, and by Lemma 3.60.
For each type α,Lα
=(E(Qα)) implies E(Qα) is the witness required to show
property q. So, we know (4) implies (1). a
Remark 3.64 (Congruences for Σ-models with primitive equality).Theorem
3.63 shows that once we have a model Mwhich satisfies property q, there are no
nontrivial congruences on M. Hence, there are no nontrivial quotients of M. In
particular, the only possible congruence for a Σ-model with primitive equality is
the trivial congruence given by the identity relation ≡. Consequently, the quotient
construction in the case of a Σ-model with primitive equality leads to essentially the
same model again. We therefore do not consider quotients of models with primitive
equality.
3.4. Σ-models over frames. In this section, we define the notion of an isomor-
phism between two models and show every functional Σ-model is isomorphic to a
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY 1053
model over a frame. In particular, this shows that the model class Mâfb is simply
the closure of the class Hof Henkin models under isomorphism of Σ-models.
Definition 3.65 (Σ-model homomorphism/isomorphism).Let M1≡(D1,@1,
E1, õ1) and M2≡(D2,@2,E2, õ 2) be Σ-models. A homomorphism from M1to
M2is a typed function κ:D1−→ D2such that κis a homomorphism from the
evaluation (D1,@1,E1) to the evaluation (D2,@2,E2) and õ1(a)≡õ2(κ(a)) for
every a∈D1
o.
A homomorphism ifrom M1to M2is called an isomorphism iff there is a homo-
morphism jfrom M2to M1where jα:D2
α−→ D1
αis the inverse of iα:D1
α−→ D2
α
at each type α. Two models are said to be isomorphic if there is such an isomor-
phism. (It is clear from the definition that this is a symmetric relationship between
models.)
Remark 3.66.The class Hof Henkin models is not closed under isomorphism
of models. Neither is the class ST of standard models. This is because Henkin
and standard models require that the domains Dα→âconsist of functions from
F(Dα;Dâ). We may, however, take a given Henkin model and appropriately mod-
ify it to obtain an isomorphic model that is not in the class of Henkin models. For
example, we may choose D0
α→â:= {(0, f )|f∈Dα→â}and define @ appropri-
ately (cf. Example 5.6 for a similar construction).
Lemma 3.67. Let M1and M2be isomorphic Σ-models.
(1) For any set of sentences Φ,M1|= Φ, iff M2|= Φ.
(2) If M1is a Σ-model with primitive equality, then M2is a Σ-model with primitive
equality.
(3) If ∗ ∈ {q, ç, î, f,b}and M1satisfies ∗, then M2satisfies ∗.
In particular, each model class M∗is closed under isomorphism of models.
Proof. Let ibe a homomorphism from M1≡(D1,@1,E1, õ1) to M2≡(D2,
@2,E2, õ2) and jbe its inverse.
Let Φ be a set of sentences with M1|= Φ. That is, for every A∈Φ, õ1(E1(A)) ≡T.
So, for every A∈Φ, õ2(E2(A)) ≡õ1(j(E2(A))) ≡õ1(E1(A)) ≡T(since Ais closed,
we can ignore the variable assignment). This shows M2|= Φ; the other direction is
obtained by switching indices.
Suppose qα∈D1
α→α→ois such that Lα
=(qα) holds for õ1. We show that Lα
=(i(qα))
holds for õ2. Given a,b∈D2
α. We have a≡b, iff j(a)≡j(b), iff õ1(qα@1j(a)@1
j(b)) ≡T, iff õ2(i(qα@1j(a)@1j(b))) ≡T, iff õ2(i(qα)@2a@2b)) ≡T.
In particular, suppose M1is a Σ-model with primitive equality. Then, we have
Lα
=(E1(=α)) for õ1at each type α. So, Lα
=(i(E1(=α))) holds for õ2at each type α.
Since i(E1(=α)) ≡E2(=α), we know M2is a Σ-model with primitive equality.
Next, suppose M1satisfies property q. Let αbe a type and qαbe the witness for
property qin M1at α. That is, Lα
=(qα) holds for õ1. We have shown Lα
=(i(qα))
holds for õ2. Hence, M2satisfies property q.
Suppose M1satisfies property ç. To show M2satisfies ç, let A∈wff α(Σ) and an
assignment ϕinto M2be given. We compute
E2
ϕ(A)≡(i◦j)(E2
ϕ(A)) ≡i(E1
j◦ϕ(A))
≡i(E1
j◦ϕ(A↓âç)) ≡(i◦j)(E2
ϕ(A↓âç)) ≡E2
ϕ(A↓âç).
1054 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
So, M2satisfies property ç.
M2satisfies î, let M,N∈wffâ(Σ), a variable Xα, and an assignment øinto M2
be given. Suppose E2
ø,[b/X ](M)≡E2
ø,[b/X ](N) for all b∈D2
α. For any a∈D1
α, we
compute
E1
j◦ø,[a/X ](M)≡j(E2
i◦j◦ø,[i(a)/X ](M)) ≡j(E2
ø,[i(a)/X ](M))
≡j(E2
ø,[i(a)/X ](N)) ≡E1
j◦ø,[a/X ](N).
Since M1satisfies property î, we know E1
j◦ø(ëX M)≡E1
j◦ø(ëX N). Finally, we
compute
E2
ø(ëX M)≡i(E1
j◦ø(ëX M)) ≡i(E1
j◦ø(ëX N)) ≡E2
ø(ëX N).
So, M2satisfies property î.
Suppose M1satisfies property fand we are given f,g∈D2
α→âfor types αand
â. Suppose further that f@2b≡g@2bfor every b∈D2
α. It is enough to show
j(f)≡j(g). This follows from property fin M1if we can show j(f)@1a≡j(g)@1a
for every a∈D1
α. So, let a∈D1
αbe given. We finish the proof by computing
j(f)@1a≡j(f)@1(j◦i)(a)≡j(f@2i(a))
≡j(g@2i(a)) ≡j(g)@1(j◦i)(a)≡j(g)@1a.
Finally, if M1satisfies property b, then D1
ohas two elements. Since io:D1
o−→ D2
o
has inverse jo,D2
omust also have two elements. Thus, M2satisfies property b.a
Theorem 3.68 (Models over frames).Let M≡(D,@,E, õ)be a Σ-model which
satisfies property f(i.e., Mis functional). Then there is an isomorphic model Mfr
over a frame.
Proof. We define the model Mfr : = (Dfr ,@fr ,Efr , õfr ) by defining its compo-
nents.
We first define the domains Dfr for Mfr by induction on types. We simultaneously
define functions iα:Dα−→ Dfr
αand jα:Dfr
α−→ Dαwhich will witness that the
two models are isomorphic. At each step of the definition, we check that iαand jα
are mutual inverses. For base types α∈ {é, o }let Dfr
α:= Dαand iαand jαbe the
identity functions (clearly mutual inverses).
Given two types αand â, we assume we have Dfr
α, mutual inverses iα:Dα→Dfr
α
and jα:Dfr
α−→ Dα, as well as Dfr
âand mutual inverses iâ:Dâ→Dfr
âand
jâ:Dfr
â−→ Dâ. We define
Dfr
α→â:= f:Dfr
α−→ Dfr
â
∃f∈Dα→â∀a∈Dfr
αf(a)≡iâ(f@jα(a)) .
Note that Dfr
α→â⊆F(Dfr
α;Dfr
â). To define the map iα→â:Dα→â−→ Dfr
α→â, we let
iα→â(f) be the function taking each a∈Dfr
αto iâ(f@jα(a)). This choice for iα→â(f)
is clearly in Dfr
α→âby definition. To define the inverse map jα→â:Dfr
α→â−→ Dα→â,
we must use the fact that Mis functional. Given any f∈Dfr
α→â, by definition there
is some f∈Dα→âsuch that f(a)≡iâ(f@jα(a)) for every a∈Dfr
α. (Note that
the function fand object fare different in general.) By functionality and the fact
that the iand jat types αand âare already inverses, this fis unique, since if
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY 1055
iâ(f@jα(a)) ≡iâ(g@jα(a)) for every a∈Dfr
α, then f@jα(iα(a)) ≡g@jα(iα(a))
for every a∈Dfr
α. That is, f@a≡g@afor every a∈Dfr
α. So, for every f∈Dfr
α→â,
we define jα→â(f) to be the unique fsuch that f(a)≡iâ(f@jα(a)). It is easy to
check that iα→âand jα→âare mutually inverse.
For the applicative structure (Dfr ,@fr ) to be a frame, we are forced to let the
application operator @fr to be function application. That is, for every f∈Dfr
α→â
and a∈Dfr
α,f@fr a: = f(a). We define the evaluation function Efr simply by
Efr
ϕ(A) : = i(Ej◦ϕ(A)) for every A∈wffα(Σ) and assignment ϕinto the applicative
structure (Dfr ,@fr ). Since Dfr
o≡Do, we can let õfr := õ.
We only sketch the remainder of the proof. First one can show that iand j
preserve application. One can use this fact to verify that Efr is an evaluation
function so that (Dfr ,@fr ,Efr ) is a Σ-evaluation, and that õfr ≡õis a valuation
function for this evaluation. This verifies Mfr is a model. Finally, to verify one has
an isomorphism, one can easily check the remainder of the conditions for iand j
to be homomorphisms between the models. These are isomorphisms since they are
mutually inverse on the domains of each type. a
We can conclude that Mâfb is simply the closure of the class of Hof Henkin
models under isomorphism. Given any M∈Mâfb, by Theorem 3.68, there is an
isomorphic model Mfr over a frame. By Lemma 3.67, this model Mfr satisfies q,f,
and b(since Mdoes). Also, if primitive equality is present in the signature, by the
same lemma we know Mfr is a model with primitive equality. That is, Mfr ∈H.
§4. Properties of model classes. In this section we discuss some properties of the
model classes introduced in section 3. Our interest is in the properties of Leibniz
equality and primitive equality.
Definition 4.1 (Extensionality for Leibniz equality).We call a formula of the
form
EXTα→â
.
=:= ∀Fα→â∀Gα→â(∀XαFX .
=âGX )⇒F.
=α→âG
an axiom of (strong) functional extensionality for Leibniz equality, and refer to the
set
EXT→
.
=:= {EXTα→â
.
=|α, â ∈T}
as the axioms of (strong) functional extensionality for Leibniz equality. Note that
EXT→
.
=specifies functionality of the relation corresponding to Leibniz equality .
=.
We call the formula
EXTo
.
=:= ∀Ao∀Bo(A⇔B)⇒A.
=oB
the axiom of Boolean extensionality. We call the set EXT→
.
=∪ {EXTo
.
=}the axioms
of (strong) extensionality for Leibniz equality.
In Examples 5.4 to 5.8 below we give concrete models in which EXTo
.
=and
EXTα→â
.
=fail in various ways. First, we prove relationships between properties q,b
and fand the statements EXTo
.
=and EXT→
.
=.
Lemma 4.2 (Leibniz equality in Σ-models).Let M: = (D,@,E, õ )be a Σ-model,
ϕbe an assignment, α∈T, and A,B∈wff α(Σ).
1056 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
(1) If Eϕ(A)≡Eϕ(B), then õ(Eϕ(A.
=αB)) ≡T.
(2) If Msatisfies property qand õ(Eϕ(A.
=αB)) ≡T, then Eϕ(A)≡Eϕ(B).
Proof. Let ϕbe any assignment into M. For the first part, suppose Eϕ(A)≡
Eϕ(B). Given r∈Dα→o, we have either õ(r@Eϕ(A)) ≡õ(r@Eϕ(B)) ≡For
õ(r@Eϕ(B)) ≡õ(r@Eϕ(A)) ≡T. In either case, for any variable Pα→onot in
free(A)∪free(B), we have õ(Eϕ,[r/P](¬(PA)∨PB)) ≡T. So, we have Eϕ(A.
=αB)≡
T.
To show the second part, suppose õ(Eϕ(A.
=αB)) ≡T. By property q, there is
some qα∈Dα→α→osuch that for a,b∈Dαwe have õ(qα@a@b)≡Tiff a≡b.
Let r≡qα@Eϕ(A). From õ(Eϕ(A.
=αB)) ≡T, we obtain Eϕ,[r/P](¬PA∨PB)≡T
(where Pα→o/∈free(A)∪free(B)). Since Eϕ,[r/P](PA)≡qα@Eϕ(A)@Eϕ(A)≡T,
we must have õ(Eϕ,[r/P](PB)) ≡T. That is, õ(qα@Eϕ(A)@Eϕ(B)) ≡T. By the
choice of qα, we have Eϕ(A)≡Eϕ(B). a
Theorem 4.3 (Extensionality in Σ-models).Let M≡(D,@,E, õ)be a Σ-model.
(1) If Msatisfies property qbut not property f, then M6|=EXT→
.
=.
(2) If Msatisfies property qbut not property b, then M6|=EXTo
.
=.
(3) If Msatisfies properties qand f, then M|=EXT→
.
=.
(4) If Msatisfies property b, then M|=EXTo
.
=.
Thus we can characterize the different semantical structures with respect to Boolean
and functional extensionality by the table in Figure 5.7
in Mâ,Mâç ,Mâî MâfMâb,Mâçb,MâîbMâfb
formula valid? by valid? by valid? by valid? by
EXT→
.
=— 1. + 3. — 1. + 3.
EXTo
.
=— 2. — 2. + 4.7+ 4.7
Figure 5. Extensionality in Σ-models.
Proof. Suppose Msatisfies property qbut does not satisfy property f. Then there
must be types αand âand objects f,g∈Dα→âsuch that f6≡ gbut f@a≡g@a
for every a∈Dα. Let Fα→â, Gα→â∈Vα→âbe distinct variables, Xα∈Vα, and
ϕbe any assignment with ϕ(F)≡fand ϕ(G)≡g. For any a∈Dα,f@a≡g@a
implies õ(Eϕ,[a/X ](FX .
=âGX )) ≡Tby Lemma 4.2(1). Using the fact that õis a
valuation, we have õ(Eϕ(∀X(FX .
=âGX ))) ≡T. On the other hand, since f6≡ g
and Msatisfies property q, we have õ(Eϕ(F.
=α→âG)) ≡Fby contraposition of
Lemma 4.2(2). This implies M6|=EXTα→â
.
=.
Suppose Msatisfies property qbut does not satisfy property b. Then, there must
be at least three elements in Do. Since õmaps into a two element set, there must
be two distinct elements a,b∈Dosuch that õ(a)≡õ(b). Let Ao, Bo∈Vobe
distinct variables and ϕbe any assignment into Mwith ϕ(A)≡aand ϕ(B)≡b.
By Lemma 3.48, we know õ(Eϕ(A⇔B)) ≡T. Since a6≡ band property qholds,
7The cases in the figure corresponding to Theorem4.3(4) are actually special cases. In Theorem 4.3(4),
we can infer a model satisfies EXTo
.
=even if property qdoes not hold. However, the models in Mâb,
Mâçb,Mâîband Mâfb do satisfy property qby the definition of these model classes.
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY 1057
by contraposition of Lemma 4.2(2), we know õ(Eϕ(A.
=oB)) ≡F. It follows that
M6|=EXTo
.
=.
Let ϕbe any assignment into M. From õ(Eϕ(∀XαFX .
=GX )) ≡Twe
know õ(Eϕ,[a/X](FX .
=GX )) ≡Tholds for all a∈Dα. By Lemma 4.2(2)
we can conclude that Eϕ,[a/X ](FX )≡Eϕ,[a/X ](GX ) for all a∈Dαand hence
Eϕ,[a/X ](F)@Eϕ,[a/X ](X)≡Eϕ,[a/X](G)@Eϕ,[a/X ](X) for all a∈Dα. That is,
Eϕ,[a/X ](F)@a≡Eϕ,[a/X ](G)@afor all a∈Dα. Since Xdoes not occur free in
For G, by property fand Definition 3.18(3) we obtain Eϕ(F)≡Eϕ(G). This
finally gives us that õ(Eϕ(F.
=α→âG)) ≡Twith Lemma 4.2(1). It follows that
M|=EXTα→â
.
=and M|=EXT→
.
=, since αand âwere chosen arbitrarily. Note that
we certainly need the assumption that Msatisfies property q(which is employed
within the application of Lemma 4.2(2). As explained in Remark 3.52, there is a
functional model in which property qfails and EXTé→é
.
=is not valid.
Let Ao, Bo∈Vobe distinct variables and ϕbe any assignment into M. Since
property bholds, we can assume Do≡ {T,F}and õis the identity function. Suppose
õ(Eϕ(A⇔B)) ≡T. By Lemma 3.48, we have Eϕ(A)≡õ(Eϕ(A)) ≡õ(Eϕ(B)) ≡
Eϕ(B). By Lemma 4.2(1), we have õ(Eϕ(A.
=oB)) ≡T. It follows that M|=
EXTo
.
=.a
Remark 4.4 (Alternative definitions of equality).Leibniz equality is a very
prominent way of defining equality in higher-order logic. However, there are alter-
native definitions such as (cf. [6, p. 203])
..
=α:= ëXαYα∀Qα→α→o(∀ZαQZZ)⇒QXY.
An important question is whether an alternative definition of equality is equivalent
to the Leibniz definition in particular model classes. As Remark 3.47 shows, this
has to be carefully investigated for each equality definition and each model class
in question. We can show that for all Aα,Bα∈cwff α(Σ) A..
=Band A.
=Bare
equivalent modulo õfor all M∈Mâ(and thus for all other model classes). That
is, we can show õ(E(A..
=αB)) ≡õ(E(A.
=αB)). Note that this is weaker than
showing E(A..
=αB)≡E(A.
=αB). The key idea is to reduce the definition of ..
= to
.
= (and vice versa) by instantiating the universally quantified set variables Qand P
appropriately. We may, for instance, show A..
=αBimplies A.
=αBby choosing the
instantiation [ëUαVα∀Pα→oPU ⇒PV ] for Qand the converse by choosing the
instantiation [ëVα∀Qα→α→o(∀ZαQZZ)⇒QAV] for P. As a consequence the
properties of Leibniz equality with respect to extensionality also apply to ..
=.
Definition 4.5 (Extensionality for primitive equality).Analogous to the exten-
sionality axioms for Leibniz equality, we can define the axioms of strong (functional
and Boolean) extensionality for primitive equality:
EXTα→â
=:= ∀Fα→â∀Gα→â(∀XαFX =âGX )⇒F=α→âG
EXTo
=:= ∀Ao∀Bo(A⇔B)⇒A=oB.
As before we refer to the set EXT→
=:= {EXTα→â
=|α, â ∈T}as the axioms of
(strong) functional extensionality for primitive equality.
The following lemma shows that in a Σ-model with primitive equality for each
α∈Tthe denotations of =αand .
=αare identical modulo õ.
1058 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
Lemma 4.6 (Primitive and Leibniz equality).If M: = (D,@,E, õ )∈M∗is a
Σ-model with primitive equality where ∗ ∈ {â, âç, âî, âf,âb, âçb,âîb,âfb}, then we
have õ(Eϕ(A=αB)) ≡õ(Eϕ(A.
=αB)) for all assignments ϕinto M, types α∈T,
and A,B∈wffα(Σ).
Proof. Since property qholds for M∈M∗, by Lemma 4.2 parts (1) and (2), we
have õ(Eϕ(A.
=αB)) ≡Tiff Eϕ(A)≡Eϕ(B). Since Mis a Σ-model with primitive
equality, we know Eϕ(A)≡Eϕ(B) is equivalent to õ(E(=α)@Eϕ(A)@Eϕ(B)) ≡T,
and hence to õ(Eϕ(A=αB)) ≡T.a
Remark 4.7.Lemma 4.6 implies that for all models in our model classes M∗the
extensionality axioms for primitive equality are equivalent to the corresponding
extensionality axioms for Leibniz equality. Thus, the analysis for the Leibniz
versions applies directly to the versions using primitive equality. Also, Lemma 4.6
reinforces that (provided property qholds) we can indeed use Leibniz equality to
treat equality as a defined notion (relative to models in M∗). Thus, we principally
do not need to assume the constants =αto be in our signature. The critical part
in this choice is that for ensuring the correct meaning for Qαwe have to require
the existence of an object representing the identity relation for each type in each
Σ-model (cf. [2] for a discussion in the context of Henkin models). This requirement
is automatically met if we consider primitive equality. Hence it seems natural to
treat equality as primitive.
Remark 4.8 (Properties çand î).We have shown, in the presence of property
q, a model Msatisfies property fiff M|=EXT→
.
=. Similarly, we have shown that
property bcorresponds to a model satisfying EXTo
.
=. A corresponding analysis can
be done for properties çand î(cf. Definition 3.46). Assume Msatisfies property
q. Then, Msatisfies property çiff M|=A.
=α(A↓âç) for every type αand closed
formula A∈cwffα(Σ). Also, Msatisfies property îiff
M|=∀Fα→â∀Gα→â(∀XαFX .
=âGX )⇒(ëX FX ).
=α→â(ëX GX )
for all types αand â.
§5. Example models. We now sketch the construction of models in the model
classes M∗to demonstrate concretely how properties for Boolean, strong and weak
functional extensionality can fail. We need this to show that the inclusions (cf.
Figure 1) of the model classes defined in Section 3 are proper, and we indeed need
all of them.
We start with the simplest example of a Henkin model, which we will call the
singleton model, since the domain of individuals is a singleton. Note that the un-
derlying evaluation of this model is not the singleton evaluation from Example 3.26
since Dohas two elements. In this model, all forms of extensionality are valid.
Example 5.1 (Singleton model—Mâfb ∈ST ⊆H⊆Mâfb ).Let (D,@) be the
full frame with Do:= {T,F}and Dé: = {∗}. One can easily define an evaluation
function Efor this frame by induction on terms, using functions to interpret ë-
abstractions. The identity function õ:Do−→ {T,F}is a valuation, assuming the
logical constants are interpreted in the standard way (including primitive equality,
if present in Σ). So, Mâfb := (D,@,E, õ) defines a model. This model clearly
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY 1059
satisfies all our properties b,f(hence çand î) and q(since the frame is full). So,
Mâfb ∈ST ⊆H⊆Mâfb.
Remark 5.2.In particular, all our model classes are non-empty. By parts (3)
and (4) of Theorem 4.3, we have Mâfb |=EXTo
.
=and Mâfb |=EXT→
.
=.
We can use the singleton model Mâfb to construct another model which makes
the importance of property qclear.
Remark 5.3.Let Mâfb ≡(D,@,E, õ) as above and T E(Σ)â≡(Dâ,@â,Eâ)
be the â-term evaluation as defined in Definition 3.35. Let õ0:Dâ
o−→ {T,F}
be the function õ0(A) := õ(E(A)) for every A∈cwffo(Σ)
yâ. One can show
M0:= (Dâ,@â,Eâ, õ0) is a Σ-model such that M0|=Aiff Mâfb |=Afor every
sentence A. In particular, M0|=EXTo
.
=and M0|=EXT→
.
=.
Nevertheless, M0fails to satisfy properties q,b,çand f. Property bdoes not hold
since Dâ
o≡cwffo(Σ)
yâis infinite. Property çdoes not hold since, for example,
Eâ(ëFé→éXéFX )≡ëFé→éXéFX 6≡ ëFé→éF≡Eâ(ëFé→éF).
Property fcannot hold since property çdoes not hold. (On the other hand, property
îdoes hold since the underlying evaluation is a term evaluation.)
We know now by Theorem 4.3, either part (1) or part (2), that property qmust
not hold. A concrete way to see that property qfails is to consider two distinct
constants aé, bé∈Σé. We must have Mâfb |=a.
=éb(since Déhas only one element),
and so M0|=a.
=éb. On the other hand aand bare distinct elements (as distinct
â-normal forms) in Dâ
é.
The model M0shows that property qis needed in the proofs of parts (1) and (2)
of Theorem 4.3.
Example 5.4 (Failure of b—Mâf∈Mâf\Mâfb).Let (D,@) be the full frame
with Do={a,b,c}and Dé={0,1}. We define an evaluation function Efor
this frame by defining E(¬), E(∨), and E(Πα) to be the functions given in the
following table:
E(¬)a b c
c c a
E(∨)a b c
a a a a
b a a a
c a a c
E(Πα)@f=a,if f@g∈ {a,b}for all g∈Dα,
c,if f@g=cfor some g∈Dα.
We can choose E(w) to be arbitrary for parameters w∈Σ. Since the applicative
structure (D,@) is a frame, hence functional, this uniquely determines Eon all
formulae. Also, since the frame is full, we are guaranteed that there will be enough
functions to interpret ë-abstractions.
Let the map õ:Do−→ {T,F}be defined by õ(a) : = T,õ(b) : = Tand õ(c) := F.
It is easy to check that Mâf: = (D,@,E, õ) is indeed a Σ-model. Since this is a
model over a frame, we automatically know it satisfies property f. Since the frame
is full, we know property qholds. (By the same argument, if primitive equality is
in the signature, we can ensure E(=α) is interpreted appropriately for each type
1060 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
α.) Clearly property bfails, so we have Mâf∈Mâf\Mâfb. By Theorem 4.3(2),
Mâf6|=EXTo
.
=.
In this model one can easily verify, if d:= Eϕ(Do) and e: = Eϕ(Eo), then the
values Eϕ(D∧E), Eϕ(D⇒E), and Eϕ(D⇔E) are given by the following tables:
e:
E(D∧E)a b c
d:a a a c
b a a c
c c c c
e:
E(D⇒E)a b c
d:a a a c
b a a c
c a a a
e:
E(D⇔E)a b c
d:a a a c
b a a c
c c c a
Note that one can properly model the woodchuck /groundhog example from [39]
referred to in the introduction in Mâf.
Example 5.5 (Groundhogs and woodchucks).Let Mâfbe given as above and
suppose woodchucké→o, groundhogé→o, johné, and philéare in the signature Σ. Let
E(phil) : = 0 and E(john) : = 1. Let E(woodchuck) be the function w∈Dé→o
with w(0) ≡band w(1) ≡c. Let E(groundhog) be the function g∈Dé→owith
g(0) ≡aand g(1) ≡c. One can show that the sentence ∀Xé(woodchuck X)⇔
(groundhog X) is valid. Also, E(woodchuck phil) ≡band E(groundhog phil) ≡a,
so the propositions (woodchuck phil) and (groundhog phil) are valid. Next, sup-
pose believeé→o→o∈Σ and E(believe) is the (Curried) function bel ∈Dé→o→osuch
that bel(1)(b)≡band bel(1)(a)≡bel(1)(c)≡bel(0)(a)≡bel(0)(b)≡bel(0)(c)≡
c(Intuitively, John believes propositions with value b, but not those with value aor
c). So, believes john(woodchuck phil) is valid, while believes john(groundhog phil)
is not.
As we have seen, Boolean extensionality fails when one has more than two values
in Do. We can generalize the construction defining Do: = {F} ∪ B, where Bis
any set with T∈Band F/∈B. The model will satisfy Boolean extensionality iff
B≡ {T}. In this way, we can easily construct models for the case with property b
and the case without property bsimultaneously. We will use this idea to parameterize
the remaining model constructions by B. These semantic constructions are similar
to those in multi-valued logics, which have been studied for higher-order logic
in [38]. In contrast to these logics where the logical connectives are adapted to talk
about multiple truth values, in our setting we are mainly interested in multiple truth
values as diverse õ-pre-images of Tand F.
Example 5.6 (Failure of fand ç—Mâîb∈Mâîb\Mâfb).We start by construct-
ing a non-functional applicative structure by attaching distinguishing labels to func-
tions without changing their applicative behavior. Let Bbe any set with T∈B
and F/∈B. Let Do:= {F} ∪ Band Dé: = {∗} with ∗as singleton element. For
each function type α→â, let
Dα→â:= {(i, f )|i∈ {0,1}and f:Dα−→ Dâ}.
Technically, we should write DBfor D, but to ease the notation, we wait until
the model is defined to make its dependence on Bexplicit. We define application
by (i, f)@a: = f(a) whenever (i, f)∈Dα→âand a∈Dα. It is easy to see that
(D,@) is an applicative structure and is not functional. Consider, for example, the
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY 1061
unique function u:Dé−→ Dé. For both (0, u),(1, u)∈Dé→éwe have (i, u)@∗ ≡ ∗,
although (0, u)6≡ (1, u ).
We can define an evaluation function by induction on terms. We must be-
gin by interpreting the constants. For the logical constants, let E(¬) : = (0, n )
where n(b) := Ffor every b∈Band n(F) : = T. Let E(∨) := (0, d ) where
d(b) : = (0, kT) for every b∈B,d(F) : = (0, id ), kTis the constant Tfunction and
id is the identity function from Doto Do. For each type α, let d(Πα) : = (0, ðα)
where for each (i, f)∈Dα→o,ðα((i, f)) : = Tif f(a)∈Bfor all a∈Dαand
ðα(i, f) : = Fotherwise. For each type α, let qα:= (0, q α)∈Dα→α→owhere
qα(a) : = (0, s a) and sa(b) : = Tif a≡band sa(b) : = Fotherwise. If primitive
equality is present in the signature, let E(=α) : = qα. Let E(w)∈Dαbe arbitrary
for parameters w∈Σα.
For variables, we must define Eϕ(X) : = ϕ(X). Similarly, for application, we
must define Eϕ(FA) : = Eϕ(F)@Eϕ(A). For ë-abstractions, we have a choice. To
be definite, we choose Eϕ(ëXαBâ) : = (0, f) where f:Dα−→ Dâis the function
such that f(a)≡Eϕ,[a/X ](B) for all a∈Dα.
With some work (which we omit), one can show that this Eis an evaluation
function. Furthermore, taking õto be the function such that õ(b) : = Tfor ev-
ery b∈Band õ(F) : = F, one can easily show that this is a valuation. Hence,
MB:= (D,@,E, õ) is a Σ-model.
The objects qαwitness property qfor MB(and also show that this is a model
with primitive equality, when primitive equality is in the signature). Note that the
objects (1, qα) also witness property q. So, in the non-functional case such witnesses
are not unique.
We have already noted that property ffails, since the applicative structure is
not functional. One may question whether properties çor îhold. In fact, prop-
erty çdoes not, as one may verify by computing, for example, E(ëFα→âF) and
E(ëFα→âXαFX ) for types αand â. We have E(ëFα→âF)≡(0, id) where id is
the identity function from Dα→âto Dα→â. However, E(ëFα→âXαFX )≡(0, p)
where pis the function from Dα→âto Dα→âsuch that p((i, f)) ≡(0, f) for each
f:Dα−→ Dâ. Property îdoes hold.8The reason is that if Eϕ,[a/X ](M)≡
Eϕ,[a/X ](N) for every a∈Dα, then Eϕ(ëXαM)≡(0, f)≡Eϕ(ëX N) where
f(a)≡Eϕ,[a/X ](M)≡Eϕ,[a/X](N) for every a∈Dα.
Since MBis satisfies property qbut not property f, by Theorem 4.3(1) we have
MB6|=EXTα→â
.
=for some types αand â. (One can easily check that, in fact,
MB6|=EXTα→â
.
=for all types αand âby considering the witnesses (0, f) and
(1, f) in Dα→âwhere f:Dα−→ Dâis any function.)
If B≡ {T}, then the model Mâîb: = M{T}satisfies property b. So, we know
Mâîb∈Mâîb\Mâfb. On the other hand, if bis any value with b/∈ {T,F}, and
B≡ {T,b}, then the model Mâî : = M{T,b}does not satisfy property b. In this
case, we know Mâî ∈Mâî \(Mâf∪Mâîb).
8This construction is an example of how one constructs models for the simply typed ë-calculus using
retractions. Such constructions will always yield models satisfying property î, but only yield models
satisfying property çwhen each retraction is an isomorphism, in which case the applicative structure is
functional.
1062 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
Remark 5.7.Let MBbe the Σ-model (D,@,E, õ) constructed in Example 5.6.
We can define an alternative evaluation function E0by induction on terms. For
all w∈Σ, let E0(w) : = E(w). For variables, we define E0
ϕ(X) : = ϕ(X). For
application, we must define E0
ϕ(FA) : = E0
ϕ(F)@E0
ϕ(A). For ë-abstractions, we
choose E0
ϕ(ëXαBâ) : = (1, f ) where f:Dα−→ Dâis the function such that f(a)≡
Eϕ,[a/X ](B) for all a∈Dα. We omit checking E0is an evaluation function, but the
verification is that same is checking Eis an evaluation function. Notice that Eand
E0agree on all constants (by definition). However, they are different evaluation
functions. For example,
E(ëXéX)≡(0,id) 6≡ (1,id) ≡E0(ëXéX)
where id: Dé−→ Déis the identity function.This example shows that evaluation
functions are not uniquely determined by their values on constants in non-functional
models.
In Lemma 3.14, we have shown that âç-equality induces a functional congruence
if the Σαis infinite for all types α. As a result, with such signatures, the term
evaluation TE(Σ)âç is functional (cf. Lemma 3.36). As noted in Remark 3.15, if Σ
is finite, we cannot show that functionality holds. Nevertheless, even if Σ is finite,
the evaluation TE(Σ)âç interprets âç-convertible terms the same. We can use this
idea to construct non-functional models which satisfy property ç.
Example 5.8 (Failure of î—Instances of Mâ,Mâç,Mâb,Mâçb).Again, let Bbe
any set with T∈Band F/∈B. Choose constants cé, co∈Σ and let Σ0:= {cé, co}.
By induction on types, we define C0
α∈cwffα(Σ0)
yâç ⊆cwffα(Σ0)
yâ. At base types,
let C0
é:= céand C0
o:= co. At function types, let C0
α→â:= ëXαC0
â. (Thus each C0
α
is of the form ëX câwhere â∈ {é, o}.) In particular, cwffα(Σ0)
yâç and cwffα(Σ0)
yâ
are non-empty for each type α.
We can now inductively define a map ñfrom wffα(Σ) to wffα(Σ0) which collapses
terms to the smaller signature. For variables, let ñ(X) : = X. For constants wα∈Σ
(including logical constants), let ñ(wα) : = C0
α. For application and ë-abstraction,
we simply use ñ(FA) : = ñ(F)ñ(A) and ñ(ëX A) : = ëX ñ(A). By induction on
the formula A, one can show [ñ(B)/X ]ñ(A)≡ñ([B/X ]A) for any A∈wffα(Σ),
B∈wffâ(Σ) and Xâ. From this, one can show ñ(A)≡âçñ(B) whenever A≡âçBfor
every A,B∈wffα(Σ). Note also that ñ(A0)≡A0for every A0∈wffα(Σ0).
We can construct a non-functional applicative structure using an indexing tech-
nique similar to Example 5.6. In this case, instead of indexing with i∈ {0,1}, we
use terms in cwff α(Σ0)↓
∗as indices. (Here A↓
∗means the â-normal form if ∗ ≡ â
and the âç-normal form if ∗ ≡ âç.) In essence, this index records some informa-
tion about the “implementation” of the function. Note that cwffé(Σ0)↓
∗≡ {cé}and
cwffo(Σ0)↓
∗≡ {co}. Let Dé:= {(cé,0)}and Do: = {(co,F)} ∪{(co,b)|b∈B}. For
function types, let Dα→âbe the set of pairs (F0
α→â, f), where F0∈cwffα→â(Σ0)↓
∗
and f:Dα−→ Dâis any function such that f(A0, a)≡((F0A0)↓
∗, b) for some value
b. Application is defined as in Example 5.6: (F, f )@a:= f(a). The construction
of this applicative structure closely follows Andrews’ õ-complexes in [1], except we
have a very restricted signature Σ0which does not include logical constants.
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY 1063
To show that each domain is non-empty, we construct a particular element cα∈
Dαfor each type α. (This element will also be used to interpret parameters.) Let
cé:= (cé,0), co: = (co,F), and cα→â: = (C0
α→â, k) where k:Dα−→ Dâis the
constant function k(a) : = câfor every a∈Dα. The fact that cα→â∈Dα→âfollows
from (C0
α→âA)↓
∗≡C0
â.
One can see that the applicative structure is non-functional by noting (ëXéX, f )
and (ëXécé, f) are distinct members of Dé→é, where fis the unique function taking
Déinto itself. However, (ëXéX, f)@cé≡cé≡(ëXécé, f)@cé. In fact, once we
define the evaluation function, this same example will show that property îwill fail.
Let õ:Do−→ {T,F}be õ((co,F)) : = Fand õ((co,b)) : = Tfor each b∈B. This
will be the valuation function on the model.
We only sketch the definition of the evaluation function Eand the proof that this
gives a model M∗,B:= (D,@,E, õ). We can define Eby induction on terms. First,
we interpret parameters wα∈Σ by E(wα) : = cα. For logical constants aα∈Σ, we
choose the first component of E(aα) to be C0
αand the second component to be an
appropriate function. We can define the witnesses qαin a similar way and use these
to interpret primitive equality, if it is present in the signature.
We are forced to let Eϕ(X) := ϕ(X) and Eϕ(FA) : = Eϕ(F)@Eϕ(A). For the ë-
abstraction step, we choose Eϕ(ëXαBâ) : = ((ó(ñ(ëX B)))↓
∗, f), where f:Dα−→
Dâsatisfies f(a)≡Eϕ,[a/X](B) for all a∈Dαand óis the substitution defined by
letting ó(Y) be the first component of ϕ(Y) for each Y∈free(ëX B). In order
to show Eis well-defined, one shows the first component of Eϕ(A) is (ó(ñ(A)))↓
∗
(where óis the substitution for free(A) defined from the first components of the
values of ϕ) for every formula A.
The fact that Eevaluates variables and application properly is immediate from
the definition. The fact that Eϕ(A) depends only the free variables in Afollows by
an induction on the definition of E. To show Erespects â-conversion if ∗ ≡ âand
âç-conversion if ∗ ≡ âç (so that the model will also satisfy property ç), one first
shows Erespects a single â[ç]-reduction, then does an induction on the position of
the redex, and finally does an induction on the number of â[ç]-reductions.
Once these details are checked, we know M∗,Bis a model (with primitive equality,
if present) satisfying property q. We already know the model will not satisfy property
fsince the applicative structure is not functional. We can also check that the
model will not satisfy property îby considering E(ëXéX) and E(ëXécé). We
know E(ëXéX)6≡ E(ëXécé) since the first components ((ëXéX) and (ëXécé)) are
not equal. However, Déhas only one element, cé≡(cé,0). So, we must have
Eϕ,[a/X ](X)≡cé≡Eϕ,[a/X ](cé) for every a∈Dé. This shows property îfails.
If ∗ ≡ âç, then we have noted above that Erespects âç-conversion. So, in
this case, the model satisfies property ç. If ∗ ≡ â, then we can easily check
E(ëFé→éXéFX )6≡ E(ëFé→éF) since the first components will differ. So, in this
case, the model does not satisfy property ç.
As in Example 5.6, if B≡ {T}, then Mâb: = Mâ,{T}and Mâçb:= Mâç,{T}satisfy
property b. So, we know Mâb∈Mâb\(Mâçb∪Mâîb) and Mâçb∈Mâçb\Mâfb . If
B≡ {T,b}where bis any value with b/∈ {T,F}, then the models Mâ:= Mâ,{T,b}
and Mâç := Mâç,{T,b}do not satisfy property b, so Mâ∈Mâ\(Mâç ∪Mâî ∪Mâb)
and Mâç ∈Mâç \(Mâf∪Mâçb).
1064 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
In particular, the models Mâç and Mâçbshow that respecting ç-conversion does
not guarantee strong functional extensionality.
Thus we have given (sketches of) concrete models that distinguish model classes
and shown that the inclusions between the M∗model classes in Figure 1 are proper.
§6. Model existence. In this section we present the model existence theorems
for the different semantical notions introduced in Section 3. The model existence
theorems have the following form, where ∗ ∈ {â,âç,âî, âf, âb,âçb, âîb,âfb}:
Theorem (Model existence).For a given abstract consistency class Γ
Σ∈Acc∗(cf.
Definition 6.7) and a set Φ∈Γ
Σthere is a Σ-model Mof Φ, such that M∈M∗(cf.
Definition 3.49).
The most important tools used in the proofs of the model existence theorems are
the so-called Σ-Hintikka sets. These sets allow computations that resemble those in
the considered semantical structures (e.g., Henkin models) and allow us to construct
appropriate valuations for the term evaluation TE(Σ)âdefined in Definition 3.35.
The key step in the proof of the model existence theorems is an extension lemma,
which guarantees a Σ-Hintikka set Hfor any sufficiently Σ-pure set of sentences Φ
in Γ
Σ.
6.1. Abstract consistency. Let us now review a few technicalities that we will need
for the proofs of the model existence theorems.
Definition 6.1 (Compactness).Let Cbe a class of sets.
(1) Cis called closed under subsets if for any sets Sand T,S∈Cwhenever
S⊆Tand T∈C.
(2) Cis called compact if for every set Swe have S∈Ciff every finite subset of
Sis a member of C.
Lemma 6.2. If Cis compact, then Cis closed under subsets.
Proof. Suppose S⊆Tand T∈C. Every finite subset Aof Sis a finite subset
of T, and since Cis compact we know that A∈C. Thus S∈C.a
We will now introduce a technical side-condition that ensures that we always have
enough witness constants.
Definition 6.3 (Sufficiently Σ-pure).Let Σ be a signature and Φ be a set of Σ-
sentences. Φ is called sufficiently Σ-pure if for each type αthere is a set Pα⊆Σαof
parameters with equal cardinality to wffα(Σ), such that the elements of Pαdo not
occur in the sentences of Φ.
This can be obtained in practice by enriching the signature with spurious param-
eters. Another way would be to use specially marked variables (which may never
be instantiated) as in [36]. Note that for any set to be sufficiently Σ-pure, Σαmust
be infinite for each type α, since we have assumed that Vα⊆wff (Σ) are infinite.
Recall that in Remark 3.16 we assumed every Σαhas a common (infinite) cardinality
ℵsfor every type α. (One could easily show that no set of Σ-sentences could be
sufficiently pure if, for example, Σéis countable while Σé→éis uncountable. In such a
case wffα(Σ) is uncountable for every type αso one could not satisfy the sufficient
purity condition at type é.)
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY 1065
Notation 6.4.For reasons of legibility we will write S∗afor S∪ {a}, where S
is a set. We will use this notation with the convention that ∗associates to the left.
Definition 6.5 (Properties for abstract consistency classes).Let Γ
Σbe a class of
sets of Σ-sentences. We define the following properties of Γ
Σ, where Φ ∈Γ
Σ,α,
â∈T,A,B∈cwffo,F∈cwffα→o, and G,H, (ëXαM), (ëXαN)∈cwffα→âare
arbitrary.
∇
c: If Ais atomic, then A/∈Φ or ¬A/∈Φ.
∇
¬: If ¬¬A∈Φ, then Φ ∗A∈Γ
Σ.
∇
â: If A≡âBand A∈Φ, then Φ ∗B∈Γ
Σ.
∇
ç: If A≡âç Band A∈Φ, then Φ ∗B∈Γ
Σ.
∇
∨: If A∨B∈Φ, then Φ ∗A∈Γ
Σor Φ ∗B∈Γ
Σ.
∇
∧: If ¬(A∨B)∈Φ, then Φ ∗ ¬A∗ ¬B∈Γ
Σ.
∇
∀: If ΠαF∈Φ, then Φ ∗FW ∈Γ
Σfor each W∈cwffα.
∇
∃: If ¬ΠαF∈Φ, then Φ ∗ ¬(Fw)∈Γ
Σfor any parameter wα∈Σαwhich does
not occur in any sentence of Φ.
∇
b: If ¬(A.
=oB)∈Φ, then Φ ∗A∗ ¬B∈Γ
Σor Φ ∗ ¬A∗B∈Γ
Σ.
∇
î: If ¬(ëXαM.
=α→âëXαN)∈Φ, then Φ ∗ ¬([w/X ]M.
=â[w/X ]N)∈Γ
Σfor
any parameter wα∈Σαwhich does not occur in any sentence of Φ.
∇
f: If ¬(G.
=α→âH)∈Φ, then Φ ∗ ¬(Gw.
=âHw)∈Γ
Σfor any parameter
wα∈Σαwhich does not occur in any sentence of Φ.
∇
sat : Either Φ ∗A∈Γ
Σor Φ ∗ ¬A∈Γ
Σ.
For the optional case of primitive equality, i.e., when =α∈Σα→α→ofor all types
α, we now add a set of further properties. While our first choice will be to combine
the ∇r
=property with ∇.
=
=, we will later show that other pair combinations from this
set are equivalent.
Definition 6.6 (Properties for abstract consistency classes).Suppose =α∈
Σα→α→ofor all types α. Let Γ
Σbe a class of sets of Σ-sentences. We define for
Φ∈Γ
Σ,A,B∈cwffαand F∈cwffowhere Fhas a subterm of type αat position p:
∇r
=:¬(A=αA)/∈Φ.
∇s
=: If F[A]p∈Φ and A=αB∈Φ, then Φ ∗F[B]p∈Γ
Σ.9
∇.
=
=: If A=αB∈Φ, then Φ ∗A.
=αB∈Γ
Σ.
∇=
.
=: If A.
=αB∈Φ, then Φ ∗A=αB∈Γ
Σ.
∇.
=−
=−: If ¬(A=αB)∈Φ, then Φ ∗ ¬(A.
=αB)∈Γ
Σ.
∇=−
.
=−: If ¬(A.
=αB)∈Φ, then Φ ∗ ¬(A=αB)∈Γ
Σ.
Definition 6.7 (Abstract consistency classes).Let Σ be a signature and Γ
Σbe a
class of sets of Σ-sentences that is closed under subsets. If ∇
c,∇
¬,∇
â,∇
∨,∇
∧,∇
∀
and ∇
∃are valid for Γ
Σ, then Γ
Σis called an abstract consistency class for Σ-models.
Furthermore, when =α∈Σα→α→ofor all types αand the properties ∇r
=and ∇.
=
=
are valid then Γ
Σis called an abstract consistency class with primitive equality. In
the following we often simply use the phrase abstract consistency class to refer to
an abstract consistency class with or without primitive equality. We will denote
9Although this resembles Lemma 3.25 which required property î, it is far weaker since Aand Bmust
be closed.
1066 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
the collection of abstract consistency classes (with primitive equality) by Accâ.
Similarly, we introduce the following collections of specialized abstract consistency
classes (with primitive equality): Accâç ,Accâî,Accâf,Accâb,Accâçb,Accâîb,Accâfb,
where we indicate by indices which additional properties from {∇
ç,∇
î,∇
f,∇
b}are
required.
Remark 6.8.If primitive equality is not in the signature, Accâcorresponds to
the abstract consistency property discussed by Andrews in [1]. The only (technical)
differences correspond to αâ-conversion. In [1], α-conversion is handled in the ∇
â
rule using α-standardized forms. Also, we have defined the ∇
ârule to work with
â-conversion instead of â-reduction. We prefer this stronger version of ∇
âover the
weaker option “If A∈Φ, then Φ ∗A
yâ∈Γ
Σ” since it helps to avoid the use of ∇
sat
in several proofs below. (Note that ∇
âfollows from the weaker option and ∇
sat .)
Furthermore, in practical applications, e.g., proving completeness of calculi, the
stronger property is typically as easy to validate as the weaker one. An analogous
argument applies to ∇
ç.
Remark 6.9.While the work presented in this article is based on the choice of
the primitive logical connectives ¬,∨,and Πα(and possibly primitive equality), a
means to generalize the framework over the concrete choice of logical primitives
is provided by the uniform notation approach as, for instance, given in [22]. It is
clearly possible to achieve such a generalization for our framework as well. This
can be done in straightforward manner: ∇
∧becomes an α-property, ∇
∨becomes a
â-property, ∇
∀becomes a ã-property, and ∇
∃becomes a ä-property. Thus they will
have the following form:
α-case: If α∈Φ, then Φ ∗α1∗α2∈Γ
Σ.
â-case: If â∈Φ, then Φ ∗â1∈Γ
Σor Φ ∗â2∈Γ
Σ.
ã-case: If ã∈Φ, then Φ ∗ãW∈Γ
Σfor each W∈cwffα.
ä-case: If ä∈Φ, then Φ ∗äw ∈Γ
Σfor any parameter wα∈Σ which does not occur
in any sentence of Φ.
We often refer to property ∇
cas “atomic consistency”. The next lemma shows
that we also have the corresponding property for non-atoms.
Lemma 6.10 (Non-atomic consistency).Let Γ
Σbe an abstract consistency class
and A∈cwffo(Σ), then for all Φ∈Γ
Σwe have A/∈Φor ¬A/∈Φ.
Proof following a similar argument in [1], Lemma 3.3.3.If for some Φ ∈Γ
Σand
A∈cwffo(Σ) we have A∈Φ and ¬A∈Φ, then {A,¬A} ∈ Γ
Σsince Γ
Σis closed
under subsets. Furthermore, using ∇
âand closure under subsets we can assume
such an Ais â-normal. We prove {A,¬A}/∈Γ
Σfor any â-normal A∈cwffo(Σ) by
induction on the number of logical constants in A.
If Ais atomic (which includes primitive equations), this follows immediately from
∇
c. Suppose A≡ ¬Bfor some B∈cwffo(Σ) and {¬B,¬¬B} ∈ Γ
Σ. By ∇
¬and
closure under subsets, we have {¬B,B} ∈ Γ
Σ, contradicting the induction hypothesis
for B. Suppose A≡B∨Cfor some B,C∈cwff o(Σ) and {B∨C,¬(B∨C)} ∈ Γ
Σ.
By ∇
∨,∇
∧and closure under subsets, we have either {B,¬B} ∈ Γ
Σor {C,¬C} ∈ Γ
Σ,
contradicting the induction hypotheses for Band C. Suppose A≡ΠαBfor some
B∈cwffα→o(Σ) and {ΠαB,¬(ΠαB)} ∈ Γ
Σ. Since Σαis assumed to be infinite (by
Remark 3.16), there is a parameter wα∈Σαwhich does not occur in A. Since
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY 1067
wis a parameter, the sentence Bwclearly has one less logical constant than ΠαB.
However, we cannot directly apply the induction hypothesis as Bwmay not be
â-normal. Since Bis â-normal, the only way Bwcan fail to be â-normal is if B
has the form ëXαCfor some C∈wffo(Σ) where free(C)⊆ {Xα}. In this case, it
is easy to show that the reduct [w/X ]Cis â-normal and contains the same number
of logical constants as B. In either case, we can let Nbe the â-normal form of Bw
and apply the induction hypothesis to obtain {N,¬N}/∈Γ
Σ. On the other hand,
∇
∃,∇
∀,∇
âand closure under subsets implies {N,¬N} ∈ Γ
Σ, a contradiction. a
Remark 6.11.Note that for the connectives ∨and Παthere is a positive and a
negative condition given in the definition above, namely ∇
∨/∇
∧for ∨and ∇
∀/∇
∃for
Πα. For .
=oand .
=α→âthe situation is different since we need only conditions for
the negative cases. Positive counterparts can be inferred by expanding the Leibniz
definition of equality (cf. Lemma 6.12).
Lemma 6.12 (Leibniz equality).Let Γ
Σbe an abstract consistency class. The fol-
lowing properties are valid for all Φ∈Γ
Σ,A,B∈cwffo(Σ),C∈cwffα(Σ) and
F,G∈cwffα→â(Σ).
∇r
.
=:¬(C.
=αC)/∈Φ.
∇→
.
=:If F.
=α→âG∈Φ, then Φ∗FW .
=âGW ∈Γ
Σfor any closed W∈cwffα(Σ).
∇o
.
=:If A.
=oB∈Φ, then Φ∗A∗B∈Γ
Σor Φ∗ ¬A∗ ¬B∈Γ
Σ.
Proof. To show ∇r
.
=, assume ¬(C.
=C)∈Φ. By subset closure {¬(C.
=C)} ∈ Γ
Σ
and by ∇
∃with some parameter pwhich does not occur in Cand ∇
âwe get
{¬(C.
=C),¬(¬pC∨pC)} ∈ Γ
Σ. The contradiction follows by ∇
∧,∇
¬and ∇
c. So,
∇r
.
=holds.
To show ∇→
.
=, suppose F.
=α→âG∈Φ. By application of ∇
∀with ëXα→âFW .
=
XWand ∇
âwe have Φ ∗(¬(FW .
=FW)∨FW .
=GW)∈Γ
Σ. By ∇
∨and subset
closure we get Φ ∗ ¬(FW .
=FW)∈Γ
Σor Φ ∗FW .
=GW ∈Γ
Σ. The latter proves
the assertion since the first option is ruled out by ∇r
.
=(shown above).
To show ∇o
.
=, suppose A.
=oB∈Φ. Applying ∇
∀with ëY Y we have Φ ∗
(ëPo→o¬PA∨PB)(ëY Y )∈Γ
Σ. By ∇
âand subset closure we get Φ ∗ ¬A∨B∈
Γ
Σ. Similarly, we further derive by ∇
∀with ëY ¬Y,∇
â, and subset closure that
Φ∗ ¬A∨B∗ ¬¬A∨ ¬B∈Γ
Σ. By applying ∇
∨twice and subset closure we get
the following four options: (i) Φ ∗ ¬A∗ ¬¬A∈Γ
Σ, (ii) Φ ∗ ¬A∗ ¬B∈Γ
Σ, (iii)
Φ∗B∗ ¬¬A∈Γ
Σ, or (iv) Φ ∗B∗ ¬B∈Γ
Σ. Cases (i) and (iv) are ruled out by
non-atomic consistency. In case (iii) we furthermore get by ∇
¬and subset closure
that Φ ∗B∗A∈Γ
Σ. Thus, Φ ∗ ¬A∗ ¬B∈Γ
Σor Φ ∗B∗A∈Γ
Σ.a
We could easily add respective properties for symmetry, transitivity, and congru-
ence to the previous lemma. They can be shown analogously, i.e., they also follow
from the properties of Leibniz equality.
In contrast to [1], we work with saturated abstract consistency classes in order
to simplify the proofs of the model existence theorems. For a discussion of the
consequences of this decision, see Section 8.2.
Definition 6.13 (Saturatedness).We call an abstract consistency class Γ
Σsatu-
rated if it satisfies ∇
sat .
1068 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
Remark 6.14.Clearly, not all abstract consistency classes are saturated, since the
empty set is one that is not (cwffo(Σ) is certainly non-empty since ∀PoP∈cwffo(Σ)).
Remark 6.15.The saturation condition ∇
sat can be very difficult to verify in
practice. For example, showing that an abstract consistency class induced from a
sequent calculus (as in [1]) is saturated corresponds to showing cut-elimination (cf.
[12]). Since Andrews [1] did not use saturation, he could use his results to give a
model-theoretic proof of cut-elimination for a sequent calculus. We cannot use the
results of this article to obtain similar cut-elimination results.
We now investigate derived properties of primitive equality.
Lemma 6.16 (Primitive equality).Let Γ
Σbe an abstract consistency class with prim-
itive equality, i.e., =α∈Σα→α→ofor all types α∈T, where ∇r
=and ∇.
=
=hold. Then
∇=
.
=and ∇s
=are valid. Furthermore, ∇.
=−
=−and ∇=−
.
=−are valid if Γ
Σis saturated.
Proof. To show ∇=
.
=we derive from (A.
=αB)∈Φ by ∇
∀with ëXαA=αX,∇
â,
and subset closure that Φ ∗ ¬(A=A)∨A=B∈Γ
Σ. By ∇
∨and subset closure we
get Φ ∗ ¬(A=A)∈Γ
Σor Φ ∗A=B∈Γ
Σ. The assertion follows from the latter
option since the former is ruled out by ∇r
=.
In order to show ∇s
=let F[A]p∈Φ, we derive from A=αB∈Φ by ∇.
=
=that
Φ∗(A.
=B)∈Γ
Σ. By ∇
∀with ëX F[X]p(where X∈Vαdoes not occur bound in
F[A]p), ∇
â, and subset closure we furthermore get that Φ ∗(¬F[A]p∨F[B]p)∈Γ
Σ.
Application of ∇
∨and subset closure gives us Φ∗¬F[A]p∈Γ
Σor Φ∗F[B]p∈Γ
Σ. The
assertion follows from the latter option since the former is ruled out by F[A]p∈Φ
and non-atomic consistency.
The straightforward proof for ∇=−
.
=−employs saturation, ∇.
=
=, and non-atomic
consistency. Similarly, the proof for ∇.
=−
=−employs saturation, ∇=
.
=, and atomic
consistency. a
The next theorem provides some alternatives to our choice of ∇.
=
=and ∇r
=in
the definition of abstract consistency classes with primitive equality provided that
saturation holds. In practical applications the user may therefore choose the com-
bination that suits best.
Theorem 6.17 (Alternative properties for primitive equality).Let Γ
Σbe an ab-
stract consistency class and let =α∈Σα→α→ofor all types α∈T. If Γ
Σis saturated
and validates one of the following combinations of properties, then it also validates ∇.
=
=
and ∇r
=. The combinations are:
(1) ∇s
=and ∇r
=.
(2) ∇.
=
=and ∇=
.
=.
(3) ∇.
=−
=−and ∇=−
.
=−.
Proof. To prove (1) we only have to show ∇.
=
=. Let (A=B)∈Φ and suppose
Φ∗(A.
=B)/∈Γ
Σ. Then by saturation Φ ∗ ¬(A.
=B)∈Γ
Σand by application of ∇s
=
we get a contradiction to ∇r
.
=(cf. Lemma 6.12).
To prove (2) we only have to show ∇r
=. Since Φ ∗ ¬(A.
=A)/∈Γ
Σby ∇r
.
=we get by
saturation Φ ∗A.
=A∈Γ
Σ. By ∇=
.
=and subset closure, we have Φ ∗A=A∈Γ
Σ. By
atomic consistency, we have ¬(A=A)/∈Φ.
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY 1069
For (3) we first show ∇r
=. Suppose ¬(A=A)∈Φ. Then by ∇.
=−
=−we get
Φ∗ ¬(A.
=A)∈Γ
Σcontradicting ∇r
.
=. To show ∇.
=
=let A=B∈Φ and suppose
Φ∗A.
=B/∈Γ
Σ. By saturation we get Φ ∗ ¬(A.
=B)∈Γ
Σand by application of
∇=−
.
=−we get a contradiction to atomic consistency. a
Lemma 6.18 (Compactness of abstract consistency classes).For each abstract con-
sistency class Γ
Σthere exists a compact abstract consistency class Γ0
Σsatisfying the same
∇
∗properties such that Γ
Σ⊆Γ0
Σ.
Proof (following and extending [6], Proposition 2506). We choose Γ0
Σ:= {Φ⊆
cwffo|every finite subset of Φ is in Γ
Σ}. Now suppose that Φ ∈Γ
Σ. Γ
Σis closed
under subsets, so every finite subset of Φ is in Γ
Σand thus Φ ∈Γ0
Σ. Hence Γ
Σ⊆Γ0
Σ.
Next let us show that Γ0
Σis compact. Suppose Φ ∈Γ0
Σand Ψ is an arbitrary
finite subset of Φ. By definition of Γ0
Σall finite subsets of Φ are in Γ
Σand therefore
Ψ∈Γ0
Σ. Thus all finite subsets of Φ are in Γ0
Σwhenever Φ is in Γ0
Σ. On the other
hand, suppose all finite subsets of Φ are in Γ0
Σ. Then by the definition of Γ0
Σthe finite
subsets of Φ are also in Γ
Σ, so Φ ∈Γ0
Σ. Thus Γ0
Σis compact. Note that by Lemma 6.2
we have that Γ0
Σis closed under subsets.
Next we show that if Γ
Σsatisfies ∇
∗, then Γ0
Σsatisfies ∇
∗.
∇
c: Let Φ ∈Γ0
Σand suppose there is an atom A, such that {A,¬A} ⊆ Φ. {A,¬A}
is clearly a finite subset of Φ and hence {A,¬A} ∈ Γ
Σcontradicting ∇
cfor Γ
Σ.
∇
¬: Let Φ ∈Γ0
Σ,¬¬A∈Φ, Ψ be any finite subset of Φ ∗A, and Θ : = (Ψ \ {A})∗
¬¬A. Θ is a finite subset of Φ, so Θ ∈Γ
Σ. Since Γ
Σis an abstract consistency
class and ¬¬A∈Θ, we get Θ ∗A∈Γ
Σby ∇
¬for Γ
Σ. We know that Ψ ⊆Θ∗A
and Γ
Σis closed under subsets, so Ψ ∈Γ
Σ. Thus every finite subset Ψ of Φ ∗A
is in Γ
Σand therefore by definition Φ ∗A∈Γ0
Σ.
∇
â,∇
ç,∇
∨,∇
∧,∇
∀,∇
∃: Analogous to ∇
¬.
∇
î: Let Φ ∈Γ0
Σ,¬(ëXαM.
=α→âëX N)∈Φ and Ψ be any finite subset of
Φ∗¬([w/X ]M.
=â[w/X ]N), where w∈Σαis a parameter that does not occur
in any sentence of Φ. We show that Ψ ∈Γ
Σ. Clearly Θ : = (Ψ\{¬([w/X ]M.
=â
[w/X ]N)})∗ ¬(ëX M.
=α→âëX N) is a finite subset of Φ and therefore
Θ∈Γ
Σ. Since Γ
Σsatisfies ∇
îand ¬(ëX M.
=α→âëX N)∈Θ, we have
Θ∗ ¬([w/X ]M.
=â[w/X ]N)∈Γ
Σ. Furthermore, Ψ ⊆Θ∗ ¬([w/X ]M.
=â
[w/X ]N) and Γ
Σis closed under subsets, so Ψ ∈Γ
Σ. Thus every finite subset
Ψ of Φ ∗ ¬([w/X ]M.
=â[w/X ]N) is in Γ
Σ, and therefore by definition we have
Φ∗ ¬([w/X ]M.
=α[w/X ]N)∈Γ0
Σ.
∇
f: Analogous to ∇
î.
∇
b: Let Φ ∈Γ0
Σwith ¬(A.
=B)∈Φ. Assume Φ ∗A∗ ¬B/∈Γ
Σand Φ ∗ ¬A∗B/∈Γ
Σ.
Then there exists finite subsets Φ1and Φ2of Φ, such that Φ1∗A∗ ¬B/∈Γ
Σ
and Φ2∗ ¬A∗B/∈Γ
Σ. Now we choose Φ3: = Φ1∪Φ2∗ ¬(A.
=B). Obviously
Φ3is a finite subset of Φ and therefore Φ3∈Γ
Σ. Since Γ
Σsatisfies ∇
b, we have
that Φ3∗A∗ ¬B∈Γ
Σor Φ3∗ ¬A∗B∈Γ
Σ. From this and the fact that Γ
Σis
closed under subsets we get that Φ1∗A∗ ¬B∈Γ
Σor Φ2∗ ¬A∗B∈Γ
Σ, which
contradicts our assumption.
∇
sat : Let Φ ∈Γ0
Σ. Assume neither Φ ∗Anor Φ ∗ ¬Ais in Γ0
Σ. Then there are
finite subsets Φ1and Φ2of Φ, such that Φ1∗A/∈Γ
Σand Φ2∗ ¬A/∈Γ
Σ.
As Ψ := Φ1∪Φ2is a finite subset of Φ, we have Ψ ∈Γ
Σ. Furthermore,
1070 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
Ψ∗A∈Γ
Σor Ψ ∗ ¬A∈Γ
Σbecause Γ
Σis saturated. Γ
Σis closed under subsets,
so Φ1∗A∈Γ
Σor Φ2∗ ¬A∈Γ
Σ. This is a contradiction, so we can conclude
that if Φ ∈Γ0
Σ, then Φ ∗A∈Γ0
Σor Φ ∗ ¬A∈Γ0
Σ.
In case primitive equality is present in the signature, we check the corresponding
properties.
∇r
=: Let Φ ∈Γ0
Σand assume ¬(A=αA)∈Φ. {¬(A=αA)}is clearly a finite
subset of Φ and hence {¬(A=αA)} ∈ Γ
Σcontradicting ∇r
=in Γ
Σ.
∇.
=
=,∇s
=,∇=
.
=,∇.
=−
=−,∇=−
.
=−Analogous to ∇
¬.a
6.2. Hintikka sets. Hintikka sets connect syntax with semantics as they provide
the basis for the model constructions in the model existence theorems. We have
defined eight different notions of abstract consistency classes by first defining prop-
erties ∇
∗, then specifying which should hold in Acc∗. Similarly, we define Hintikka
sets by first defining the desired properties.
Definition 6.19 (Σ-Hintikka properties).Let Hbe a set of sentences. We define
the following properties which Hmay satisfy, where A,B∈cwff o,C,D∈cwff α,
F∈cwffα→o, and (ëXαM),(ëX N),G,H∈cwff α→â:
~
∇
c:A/∈Hor ¬A/∈H.
~
∇
¬: If ¬¬A∈H, then A∈H.
~
∇
â: If A∈Hand A≡âB, then B∈H.
~
∇
ç: If A∈Hand A≡âç B, then B∈H.
~
∇
∨: If A∨B∈H, then A∈Hor B∈H.
~
∇
∧: If ¬(A∨B)∈H, then ¬A∈Hand ¬B∈H.
~
∇
∀: If ΠαF∈H, then FW ∈Hfor each W∈cwffα.
~
∇
∃: If ¬ΠαF∈H, then there is a parameter wα∈Σαsuch that ¬(Fw)∈H.
~
∇
b: If ¬(A.
=oB)∈H, then {A,¬B} ⊆ Hor {¬A,B} ⊆ H.
~
∇
î: If ¬(ëXαM.
=α→âëX N)∈H, then there is a parameter wα∈Σαsuch that
¬([w/X ]M.
=â[w/X ]N)∈H.
~
∇
f: If ¬(G.
=α→âH)∈H, then there is a parameter wα∈Σαsuch that ¬(Gw.
=â
Hw)∈H.
~
∇
sat : Either A∈Hor ¬A∈H.
~
∇r
=:¬(C=αC)/∈H.
~
∇.
=
=: If C=αD∈H, then C.
=αD∈H.
Definition 6.20 (Σ-Hintikka set).A set Hof sentences is called a Σ-Hintikka
set if it satisfies ~
∇
c,~
∇
¬,~
∇
â,~
∇
∨,~
∇
∧,~
∇
∀and ~
∇
∃. When primitive equality is present
in the signature and His a Hintikka set satisfying ~
∇r
=and ~
∇.
=
=we call Ha Σ-
Hintikka set with primitive equality. We define the following collections of Hin-
tikka sets (with primitive equality): Hintâ,Hintâç,Hintâî,Hintâf,Hintâb,Hintâçb,
Hintâîb, and Hintâfb , where we indicate by indices which additional properties from
{~
∇
ç,~
∇
î,~
∇
f,~
∇
b}are required. If primitive equality is in the signature, we require
H∈Hint∗to be a Hintikka set with primitive equality.
We will construct Hintikka sets as maximal elements of abstract consistency
classes. To obtain a Hintikka set, we must explicitly show the property ~
∇
∃(and ~
∇
î
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY 1071
or ~
∇
fwhen appropriate). This will ensure that Hintikka sets have enough parameters
which act as witnesses.
Lemma 6.21 (Hintikka lemma).Let Γ
Σbe an abstract consistency class in Acc∗.
Suppose a set H∈Γ
Σsatisfies the following properties:
(1) His subset-maximal in Γ
Σ(i.e., for each sentence D∈cwffosuch that H∗D∈
Γ
Σ, we already have D∈H).
(2) Hsatisfies ~
∇
∃.
(3) If ∗ ∈ {âî,âîb}, then ~
∇
îholds in H.
(4) If ∗ ∈ {âf,âfb}, then ~
∇
fholds in H.
Then, H∈Hint∗. Furthermore, if Γ
Σis saturated, then Hsatisfies ~
∇
sat .
Proof. Hsatisfies ~
∇
∃by assumption. Also, if ∗ ∈ {âî, âîb}(∗ ∈ {âf,âfb}), then
we have explicitly assumed Hsatisfies ~
∇
î(~
∇
f). The fact that H∈Γ
Σsatisfies ~
∇
c
follows directly from non-atomic consistency (Lemma 6.10). Similarly, if primitive
equality is in the signature, then Hsatisfies ~
∇r
=since H∈Γ
Σand Γ
Σsatisfies ∇r
=.
Every other ~
∇
∗property follows directly from the corresponding ∇
∗property and
maximality of Hin Γ
Σ. For example, to show ~
∇
¬, suppose ¬¬A∈H. By ∇
¬,
we know H∗A∈Γ
Σ. By maximality of H, we have A∈H. Checking ~
∇
â,~
∇
ç
(if ∗ ∈ {âç,âçb}), ~
∇
∧,~
∇
∀, and ~
∇.
=
=hold for Hfollows exactly this same pattern.
Checking ~
∇
∨,~
∇
b(if ∗ ∈ {âb,âçb,âfb}) and ~
∇
sat (if Γ
Σis saturated) follows a
similar pattern, but with a simple case analysis. For example, to check ~
∇
sat , given
A∈cwffo(Σ), ∇
sat implies H∗A∈Γ
Σor H∗ ¬A∈Γ
Σ. So, either A∈Hor
¬A∈H.a
It is worth noting that the converse of ~
∇.
=
=also holds in Hintikka sets with
primitive equality.
Lemma 6.22. Suppose primitive equality is in the signature and His a Hintikka
set with primitive equality. Then, we have the following property for every type αand
A,B∈cwffα(Σ):
∇
.
=
=:A=αB∈Hiff A.
=αB∈H.
Proof. If A=αB∈H, then A.
=αB∈Hby ~
∇.
=
=. For the converse direction
assume that A.
=αB∈H. From this we get by ~
∇
∀with ëX A=Xand ∇
âthat
¬(A=A)∨A=B∈H. Since ¬(A=A)/∈Hby ~
∇r
=,~
∇
∨implies A=αB∈H.a
It is helpful to note the following properties of Leibniz equality in Hintikka sets.
Lemma 6.23. Suppose His a Hintikka set. For any F,G∈cwffα→â(Σ) and
A,B,C∈cwffα(Σ) ( for types αand â), we have the following:
~
∇r
.
=:¬(A.
=αA)/∈H.
~
∇tr
.
=:If A.
=αB∈Hand B.
=αC∈H, then A.
=αC∈H.
~
∇→
.
=:If (F.
=α→âG)∈Hand (A.
=αB)∈H, then (FA .
=âGB)∈H.
Proof. To show ~
∇r
.
=, suppose ¬(A.
=αA)∈H. By ~
∇
∃and ~
∇
â, there must be
some parameter qα→osuch that ¬(¬qA∨qA)∈H. By ~
∇
∧, we have ¬¬qA∈H
and ¬qA∈H, contradicting ~
∇
c.
To show ~
∇tr
.
=, suppose A.
=αB∈Hand B.
=αC∈H. Let Qα→obe the
closed formula (ëXαA.
=αX). Applying ~
∇
∀to B.
=αC∈Hand Q, we know
1072 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
¬(QB)∨QC ∈H. By ~
∇
∨, we know ¬(QB)∈Hor QC ∈H. If ¬(QB)∈H, then
¬(A.
=αB)∈Hby ~
∇
â, contradicting ~
∇
c. So, QC ∈Hand hence A.
=αC∈Has
desired.
To show ~
∇→
.
=, let P(α→â)→obe the closed formula (ëHα→âFA .
=âHA), Applying
~
∇
∀to (F.
=α→âG)∈Hand P, we have ¬(PF)∨PG ∈H. By ~
∇
∨, we know
¬(PF)∈Hor PG ∈H. If ¬(PF)∈H, then ¬(FA .
=âFA)∈Hby ~
∇
â, which
contradicts ~
∇r
.
=. So, we must have PG ∈Hand hence (FA .
=âGA)∈H. Let Qα→o
be the closed formula (ëXαFA .
=âGX). Applying ~
∇
∀and ~
∇
∨to (A.
=αB)∈H,
we know ¬(QA)∈Hor QB ∈H. If ¬(QA)∈H, then ¬(FA .
=âGA)∈Hby ~
∇
â,
contradicting ~
∇
c. So, QB ∈Hand hence (FA .
=âGB)∈Has desired. a
Whenever a Hintikka set satisfies ~
∇
sat , we can prove far more closure properties.
For example, we can prove converses of ~
∇
¬,~
∇
â,~
∇
∨,~
∇
∧,~
∇
∀,~
∇
∃and ~
∇.
=
=(when
primitive equality is in the signature). Also, if any of ~
∇
ç,~
∇
b,~
∇
îor ~
∇
fhold, we can
prove the corresponding converse. (We could call these properties ←
∇
∗.) The proofs
of the stronger properties ∇
¬and ∇
∨in Lemma 6.25 indicate how one would prove
any of these converse properties.
Definition 6.24 (Saturated set).We say a set of sentences His saturated if it
satisfies ~
∇
sat .
By Lemma 6.21, any Hintikka set constructed as a maximal member of a saturated
abstract consistency class will be saturated. However, it is also possible for a
maximal member of an abstract consistency class Γ
Σto be saturated without Γ
Σ
being saturated.
Lemma 6.25 (Saturated sets lemma).Suppose His a saturated Hintikka set. Then
we have the following properties for every A,B∈cwffo(Σ),F∈cwffα→o(Σ), and
C∈cwffα(Σ) ( for any type α):
∇
¬:¬A∈Hiff A/∈H.
∇
∨: (A∨B)∈Hiff A∈Hor B∈H.
∇
∀: (ΠαF)∈Hif and only if FD ∈Hfor every D∈cwff α(Σ).
∇â
∀: (ΠαF)∈Hiff (FD)
yâ∈Hfor every D∈cwff α(Σ)
yâ.
∇
r: (C.
=αC)∈H.
Proof. If ¬A∈H, then A/∈Hby ~
∇
c. If A/∈H, then ¬A∈Hsince His
saturated. So, ∇
¬holds.
If (A∨B)∈H, then A∈Hor B∈Hby ~
∇
∨. We prove the converse by
contraposition. Suppose (A∨B)/∈H. By saturation we have ¬(A∨B)∈H, and
by ~
∇
∧we get ¬A∈Hand ¬B∈H. So, by ~
∇
c,A/∈Hand B/∈H. Thus, ∇
∨
holds.
One direction of ∇
∀is ~
∇
∀. For one direction of ∇â
∀, note that if (ΠαF)∈H, then
for any D∈cwffα(Σ)
yâwe have (FD)
yâ∈Hby ~
∇
∀and ~
∇
â.
Suppose (ΠαF)/∈H. By saturation, ¬(ΠαF)∈H. By ~
∇
∃, there is a parameter
wα∈Σαsuch that ¬(Fw)∈H. By ~
∇
c, we know (Fw)/∈H. This shows the other
direction of ∇
∀. Furthermore, by ~
∇
âwe know ¬(Fw)
yâ∈Hand so (Fw)
yâ/∈H.
Since wis â-normal, we also have the other direction of ∇â
∀.
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY 1073
Finally, ∇
rfollows directly from saturation and ~
∇r
.
=.a
Lemma 6.26 (Saturated sets lemma for b).Suppose H∈Hint∗where ∗ ∈ {âb,
âçb,âîb, âfb}. If His saturated, then the following property holds for all A,B∈
cwffo(Σ).
∇
b:A.
=oB∈Hor A.
=o¬B∈H.
Proof. Suppose (A.
=oB)/∈Hand (A.
=o¬B)/∈H. By saturation, ¬(A.
=o
B)∈Hand ¬(A.
=o¬B)∈H. By ~
∇
b, we must have {A,¬B} ⊆ Hor {¬A,B} ⊆
H. We must also have {A,¬¬B} ⊆ Hor {¬A,¬B} ⊆ H. Each of the four cases
leads to an immediate contradiction to ~
∇
c.a
Lemma 6.27 (Saturated sets lemma for ç).Suppose H∈Hint∗where ∗ ∈ {âç,
âçb}. If His saturated, then the following property holds for every type αand
A∈cwffα(Σ):
∇
ç: (A.
=αA↓âç)∈H.
Proof. If (A.
=A↓âç )/∈H, then by saturation ¬(A.
=A↓âç)∈H. So, by ~
∇
çwe
have ¬(A↓âç
.
=αA↓âç)∈H. But this contradicts ~
∇r
.
=.a
Lemma 6.28 (Saturated sets lemma for î).Suppose H∈Hint∗where ∗ ∈ {âî,
âîb}. If His saturated, then the following properties hold for all α, â ∈Tand
(ëXαM),(ëX N)∈cwffα→â(Σ):
∇
î: (ëX M.
=α→âëX N)∈Hiff ([A/X ]M.
=â[A/X ]N)∈Hfor every A∈
cwffα(Σ).
∇â
î: (ëX M.
=α→âëX N)∈Hiff ([A/X ]M.
=â[A/X ]N)
yâ∈Hfor every A∈
cwffα(Σ)
yâ.
Proof. Suppose (ëX M.
=α→âëX N)∈Hand A∈cwffα(Σ). We can apply ~
∇
∀
and ~
∇
âusing the closed formula (ëKα→â[A/X ]M.
=âKA) to obtain
(¬([A/X ]M.
=â[A/X ]M)∨[A/X ]M.
=â[A/X ]N)∈H.
Since ¬([A/X ]M.
=â[A/X ]M)/∈H(by ~
∇r
.
=), we know ([A/X ]M.
=â[A/X ]N)∈
H. This shows one direction of ∇
î. By ~
∇
âwe have ([A/X ]M.
=â[A/X ]N)
yâ∈H.
Since this holds in particular for any A∈cwffα(Σ)
yâ, this shows one direction of
∇â
î.
Suppose (ëX M.
=α→âëX N)/∈H. We show that there is a (â-normal) A∈
cwffα(Σ) with [A/X ]M.
=â[A/X ]N/∈H. By saturation, ¬(ëX M.
=α→âëX N)∈
H. By ~
∇
î, there is a parameter wα∈Σαsuch that ¬([w/X ]M.
=â[w/X ]N)∈H.
By ~
∇
c, [w/X ]M.
=â[w/X ]N/∈H. Choosing A: = wwe have the other direction
of ∇
î. Since wis â-normal and ([w/X ]M.
=â[w/X ]N)
yâ/∈H(using ~
∇
â), we have
the other direction of ∇â
î.a
Lemma 6.29 (Saturated sets lemma for f).Suppose H∈Hint∗where ∗ ∈ {âf,âfb}.
If His saturated, then the following property holds for any types αand âand
G,H∈cwffα→â(Σ).
∇
f:G.
=α→âH∈Hiff GA .
=âHA ∈Hfor every A∈cwff α(Σ).
1074 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
∇â
f:G.
=α→âH∈Hiff (GA .
=âHA)
yâ∈Hfor every A∈cwff α(Σ)
yâ.
Proof. Suppose (G.
=α→âH)∈Hand A∈cwffα(Σ). Since (A.
=αA)∈Hby
∇
rwe have (GA .
=âHA)∈Hby ~
∇→
.
=(cf. Lemma 6.23). This shows one direction
of ∇
f. By ~
∇
âwe have (GA .
=âHA)
yâ∈H. Since this holds in particular for any
A∈cwffα(Σ)
yâ, this shows one direction of ∇â
f.
Suppose (G.
=α→âH)/∈H. By saturation, ¬(G.
=α→âH)∈H. By ~
∇
f, there is
a parameter wα∈Σαsuch that ¬(Gw.
=âHw)∈H. By ~
∇
c, (Gw.
=âHw)/∈H.
Choosing A:= wwe have the other direction of ∇
f. Since wis â-normal and
(Gw.
=âHw)
yâ/∈H(using ~
∇
â), we have the other direction of ∇â
f.a
In Lemma 3.24, we compared properties ç,îand fof models by showing f
is equivalent to çplus î. Similarly, Theorem 6.31 compares ~
∇
ç,~
∇
î, and ~
∇
fas
properties of Hintikka sets. Showing ~
∇
fimplies ~
∇
çrequires saturation and must be
shown in several steps reflected by Lemma 6.30.
Lemma 6.30. Let Hbe a saturated Hintikka set satisfying ~
∇
f.
(1) For all F∈cwffα→âwe have (ëXαFX).
=α→âF∈H.
(2) For all A,B∈cwffα(Σ), if Aç-reduces to Bin one step, then A.
=αB∈H.
(3) For all A∈cwffα(Σ),A.
=αA↓âç ∈H.
(4) For all A∈cwffo(Σ), if A∈H, then A↓âç ∈H.
Proof. To show part (1), suppose (ëXαFX).
=α→âF/∈H. By saturation,
¬((ëXαFX).
=α→âF)∈H. By ~
∇
f, there is a parameter wαsuch that
¬(((ëXαFX)w).
=â(Fw)) ∈H.
By ~
∇
â,¬((Fw).
=â(Fw)) ∈H, which contradicts ~
∇r
.
=(cf. Lemma 6.23).
We prove part (2) by induction on the position of the ç-redex in A. If Ais the ç-
redex reduced to obtain B, then this follows from part (1). Suppose A≡(Fã→αCã)
and B≡(Gã→αC) where Fç-reduces to Gin one step. By induction, we know
F.
=ã→αG∈H. By ∇
r,C.
=ãC∈H. By ~
∇→
.
=, we have (FC).
=α(GC)∈Has
desired. The case in which A≡(Fã→αCã) and B≡(FDã) where Cç-reduces to D
in one step is analogous.
Suppose A≡(ëYâCã) and B≡(ëYâDã) where Cç-reduces to Din one
step. Let pbe the position of the redex in C. Assume A.
=â→ãB/∈H. By
saturation, ¬(A.
=â→ãB)∈H. By ~
∇
f, there is some parameter wâsuch that
¬(Aw.
=ãBw)∈H. By ~
∇
â, we know ¬([w/Y ]C.
=ã[w/Y ]D)∈H. Note that
[w/Y ]Cç-reduces to [w/Y ]Din one step by reducing the redex at position pin
[w/Y ]C. So, by the induction hypothesis, [w/Y ]C.
=ã[w/Y ]D∈H, contradicting
~
∇
c.
Part (3) follows by induction on the number of âç-reductions from Ato A↓âç. If
Ais âç-normal, we have A.
=αA∈Hby ∇
r. If Areduces to A↓âç in n+ 1 steps,
then there is some Bαsuch that Areduces to Bin one step and Breduces to A↓âç in
nsteps. By induction, we have B.
=αA↓âç ∈H. If Aâ-reduces to Bin one step,
then A.
=αB∈Hby ∇
rand ~
∇
â. If Aç-reduces to Bin one step, then A.
=αB∈H
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY 1075
by part (2). Using ~
∇tr
.
=,A.
=αB∈Hand B.
=αA↓âç ∈Himply A.
=αA↓âç ∈H
as desired.
Finally, to show part (4), suppose A∈H. By part (3), A.
=oA↓âç ∈H. By ~
∇
∀,
¬(ëXoX)A∨(ëXoX)A↓âç ∈H. By ~
∇
âand ~
∇
∨, we have ¬A∈H(contradicting
~
∇
c) or A↓âç ∈H. Hence, A↓âç ∈H.a
Theorem 6.31. Let Hbe a Hintikka set.
(1) If Hsatisfies ~
∇
çand ~
∇
î, then Hsatisfies ~
∇
f.
(2) If Hsatisfies ~
∇
f, then Hsatisfies ~
∇
î.
(3) If His saturated and satisfies ~
∇
f, then Hsatisfies ~
∇
ç.
Proof. Suppose Hsatisfies ~
∇
çand ~
∇
î. Assume ¬(F.
=α→âG)∈H. By ~
∇
ç,
¬((ëXαFX).
=α→â(ëX GX)) ∈H. By ~
∇
î, there is a parameter wαsuch that
¬((Fw).
=â(Gw)) ∈H. Thus, ~
∇
fholds.
Suppose Hsatisfies ~
∇
fand ¬(ëXαM.
=α→âëX N)∈H. By ~
∇
f, there is
a parameter wαsuch that ¬((ëXαM)w.
=â(ëX N)w)∈H. By ~
∇
â, we have
¬([w/X ]M.
=â[w/X ]N)∈H. Thus, ~
∇
îholds.
Suppose His saturated and satisfies ~
∇
f. Assume A∈H,B∈cwffo(Σ), A≡âçB
and B/∈H. By saturation, we know ¬B∈H. By Lemma 6.30(4), we know
A↓âç ∈Hand ¬B↓âç ∈H. Since A↓âç ≡B↓âç, this contradicts ~
∇
c.a
6.3. Model existence theorems. We shall now present the proof of the abstract
extension lemma, which will nearly immediately yield the model existence theorems.
For the proof we adapt the construction of Henkin’s completeness proof from [26,
27].
Lemma 6.32 (Abstract extension lemma).Let Σbe a signature, Γ
Σbe a compact
abstract consistency class in Acc∗, where ∗ ∈ {â , âç, âî, âf,âb, âçb,âîb,âfb}, and let
Φ∈Γ
Σbe sufficiently Σ-pure. Then there exists a Σ-Hintikka set H∈Hint∗, such
that Φ⊆H. Furthermore, if Γ
Σis saturated, then His saturated.
Proof. In the following argument, note that α,â, and ãare types as usual, while
ä,å,óand ôare ordinals.
By Remark 3.16, there is an infinite cardinal ℵswhich is the cardinality of Σαfor
each type α. This easily implies cwff α(Σ) is of cardinality ℵsfor each type α. Let
åbe the first ordinal of this cardinality. (In the countable case, åis ù.) Since the
cardinality of cwffo(Σ) is ℵs, we can use the well-ordering principle to enumerate
cwffo(Σ) as (Aä)ä<å .
Let αbe a type. For each ä < å, let Uä
αbe the set of constants of type αwhich
occur in a sentence in the set {Aó|ó≤ä}. Since ä < å, the set {Aó|ó≤ä}
has cardinality less than ℵs. Hence, Uä
αhas cardinality less than ℵs. By sufficient
purity, we know there is a set of parameters Pα⊆Σαof cardinality ℵssuch that
the parameters in Pαdo not occur in the sentences of Φ. So, Pα\Uä
αmust have
cardinality ℵsfor any ä < å. Using the axiom of choice, we can find a sequence
(wä
α)ä<å where for each ä < å,wä
α∈Pα\(Uä
α∪ { wó
α|ó < ä }). That is, for each
type α, we know wä
αis a parameter of type αwhich does not occur in any sentence
in Φ ∪ { Aó|ó≤ä}. As a consequence, if wä
αoccurs in Aó, then ä < ó. Also, we
have ensured that if wä
α≡wó
α, then ä≡ófor any ä,ó < å.
1076 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
The parameters wä
αare intended to serve as witnesses. To ease the argument,
we define two sequences of witnessing sentences related to the sequence (Aä)ä<å.
For each ä < å, let Eä: = ¬(Bwä
α)ifAäis of the form ¬(ΠαB), and let Eä: = Aä
otherwise. If ∗ ∈ {âf,âfb}and Aäis of the form ¬(F.
=α→âG), let Xä: = ¬(Fwä
α
.
=â
Gwä
α). If ∗ ∈ {âî, âîb}and Aäis of the form ¬((ëXαM).
=α→â(ëX N)), let
Xä:= ¬([wä
α/X ]M.
=â[wä
α/X ]N). Otherwise, let Xä: = Aä. (Notice that any
sentence ¬(F.
=α→âG) is also of the form ¬(ΠãB), where ãis (α→â)→o. So,
whenever Xä6≡ Aä, we must also have Eä6≡ Aä.)
We construct Hby inductively constructing a transfinite sequence (Hä)ä<å such
that Hä∈Γ
Σfor each ä < å. Then the Σ-Hintikka set is H: = Sä<å Hä. We define
H0:= Φ. For limit ordinals ä, we define Hä:= Só<ä Hó.
In the successor case, if Hä∗Aä∈Γ
Σ, then we let Hä+1 := Hä∗Aä∗Eä∗Xä. If
Hä∗Aä/∈Γ
Σ, we let Hä+1 := Hä.
We show by induction that for every ä < å, type αand parameter wô
αwhich
occurs in some sentence in Hä, we have ô < ä. The base case holds since no wô
α
occurs in any sentence in H0≡Φ. For any limit ordinal ä, if wô
αoccurs in some
sentence in Hä, then by definition of Hä,wô
αalready occurs in some sentence in
Hófor some ó < ä. So, ô < ó < ä.
For any successor ordinal ä+ 1, suppose wô
αoccurs in some sentence in Hä+1 . If
it already occurred in a sentence in Hä, then we have ô < ä < ä + 1 by the inductive
assumption. So, we need only consider the case where wô
αoccurs in a sentence in
Hä+1 \Hä. Note that (Hä+1 \Hä)⊆ {Aä,Eä,Xä}. In any case, note that if ôis ä,
then we are done, since ä<ä+ 1. If wô
αis any parameter with ô6≡ äand occurs in
Eäor Xä, then it must also occur in Aä(by noting that wô
α6≡ wä
αand inspecting the
possible definitions of Eäand Xä), in which case ô < ä < ä + 1.
In particular, we now know wä
αdoes not occur in any sentence of Häfor any
ä < å and type α.
Next we show by induction that Hä∈Γ
Σfor all ä < å. The base case holds by
the assumption that H0≡Φ∈Γ
Σ. For any limit ordinal ä, assume Hó∈Γ
Σfor
every ó < ä. We have Hä≡Só<ä Hó∈Γ
Σby compactness, since any finite subset
of Häis a subset of Hófor some ó < ä.
For any successor ordinal ä+ 1, we assume Hä∈Γ
Σ. We have to show that
Hä+1 ∈Γ
Σ. This is trivial in case Hä∗Aä/∈Γ
Σ(for all abstract consistency classes)
since Hä+1 ≡Hä. Suppose Hä∗Aä∈Γ
Σ. We consider three sub-cases:
(i) If Eä≡Aäand Xä≡Aä, then Hä∗Aä∗Eä∗Xä∈Γ
Σsince Hä∗Aä∈Γ
Σ.
(ii) If Eä6≡ Aäand Xä≡Aä, then Aäis of the form ¬ΠαBand Eä≡ ¬Bwä
α.
We conclude that Hä∗Aä∗Eä∈Γ
Σby ∇
∃since wä
αdoes not occur in Aä
or any sentence of Hä. Since Xä≡Aä, this is the same as concluding
Hä∗Aä∗Eä∗Xä∈Γ
Σ.
(iii) If Xä6≡ Aä, then ∗ ∈ {âî,âf, âîb,âfb}(by the definition of Xä). Hä∗Aä∗
Eä∈Γ
Σby ∇
∃since wä
(α→â)→odoes not occur in Aäor any sentence in Hä.
Now, wä
α(which is different from wä
(α→â)→osince it has a different type) does
not occur in any sentence in Hä∗Aä∗Eä. We have Hä∗Aä∗Eä∗Xä∈H
by ∇
î(if ∗ ∈ {âî, âîb}) or by ∇
f(if ∗ ∈ {âf,âfb}).
Since Γ
Σis compact, we also have H∈Γ
Σ.
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY 1077
Now we know that our inductively defined set His indeed in Γ
Σand that Φ ⊆H.
In order to apply Lemma 6.21, we must check His maximal, satisfies ~
∇
∃,~
∇
î(if
∗ ∈ {âî, âîb}), and ~
∇
f(if ∗ ∈ {âf,âfb}). It is immediate from the construction
that ~
∇
∃holds since if ¬(ΠαF)∈H, then ¬(Fwä
α)∈Hwhere äis the ordinal
such that Aä≡ ¬(ΠαF). If ∗ ∈ {âî, âîb}, then we have ensured ~
∇
îholds since
¬([wä
α/X ]M.
=â[wä
α/X ]N)∈Hwhenever ¬((ëXαM).
=α→â(ëX N)) ∈H
where äis the ordinal such that Aä≡ ¬((ëXαM).
=α→â(ëX N)). Similarly, we
have ensured ~
∇
fholds when ∗ ∈ {âf,âfb}since ¬(Fwä
α
.
=âGwä
α)∈Hwhenever
¬(F.
=α→âG)∈Hwhere äis the ordinal such that Aä≡ ¬(F.
=α→âG).
It only remains to show that His maximal in Γ
Σ. So, let A∈cwffoand H∗A∈Γ
Σ
be given. Note that A≡Aäfor some ä < å. Since His closed under subsets we
know that Hä∗Aä∈Γ
Σ. By definition of Hä+1 we conclude that Aä∈Hä+1 and
hence A∈H.
So, Lemma 6.21 implies H∈Hint∗and His saturated if Γ
Σis saturated. a
We now use the Σ-Hintikka sets, guaranteed by Lemma 6.32, to construct a
Σ-valuation for the Σ-term evaluation that turns it into a model.
Theorem 6.33 (Model existence theorem for saturated sets).For all ∗ ∈ {â,âç,
âî, âf,âb, âçb,âîb,âfb}we have: If His a saturated Hintikka set in Hint∗(cf. Defi-
nition 6.20), then there exists a model M∈M∗(cf. Definition 3.49) that satisfies H.
Furthermore, each domain Dαof Mhas cardinality at most ℵs.
Proof. We start with the construction of a Σ-model MH
1for Hbased on the
term evaluation TE (Σ)â. This model may not be in the model class M∗as it may
not satisfy property q. However, we will be able to use Theorem 3.62 to obtain a
model of Hwhich is.
Note that since His saturated, by Lemma 6.25, Hsatisfies ∇
¬,∇
∨, and ∇â
∀.
The domain of type αof the evaluation TE(Σ)â(cf. Definition 3.35 and
Lemma 3.36) is cwff α(Σ)
yâ, which has cardinality ℵs. To construct MH
1, we simply
need to give a valuation function for this evaluation. This valuation function should
be a function õ: cwffo(Σ)
yâ−→ {T,F}. We define
õ(A) := Tif A∈H,
Fif A/∈H.
To show õis a valuation, we must check the logical constants are interpreted
appropriately. For each A∈cwffo(Σ)
yâ, we have õ(¬A)≡Tiff õ(A)≡Fsince
¬A∈Hiff A/∈Hby ∇
¬. For each A,B∈cwffo(Σ)
yâ, we have õ(A∨B)≡Tiff
õ(A)≡Tor õ(B)≡T, since (A∨B)∈Hiff A∈Hor B∈Hby ∇
∨. Finally,
for each type αand F∈cwffα→o(Σ)
yâ,∇â
∀implies (ΠαF)∈Hiff (FA)
yâ∈H
for every A∈cwffα(Σ)
yâ. Thus, we have õ(ΠαF)≡Tiff õ(F@âA)≡Tfor every
A∈cwffα(Σ)
yâ.
This verifies MH
1:= (cwff
yâ,@â,Eâ, õ) is a Σ-model. Clearly, MH
1|=Hsince
õ(A)≡Tfor every A∈Hby definition.
By Theorem 3.62, we have a congruence relation .
∼on MH
1induced by Leibniz
equality. Note that by Lemma 3.61 in the term model MH
1, for every type αand
1078 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
every A,B∈cwffα(Σ)
yâ, we have Aα
.
∼Bα, iff õ(A.
=B)≡T, iff (A.
=αB)∈H.
Furthermore, if primitive equality is in the signature, then H∈Hint∗is a Hintikka
set with primitive equality. Hence, Hsatisfies ∇
.
=
=by Lemma 6.22. We have A.
∼B,
iff (A.
=αB)∈H, iff (by ∇
.
=
=) (A=αB)∈H, iff õ(Eâ(=α)@âA@âB)≡T.
Let M:= MH
1/.
∼. Each domain of this model has cardinality at most ℵsas it
is the quotient of a set of cardinality ℵs. By Theorem 3.62, we know the quotient
model Mmodels H, satisfies property q, and is a model with primitive equality
(if primitive equality is in the signature). Hence, M∈Mâ. Now, we can use
Lemma 3.58 to check M∈M∗by checking certain properties of .
∼.
When ∗ ∈ {âb,âçb, âîb,âfb}, we must check that .
∼has only two equivalence
classes in Dâ
o. To show this, first note that ∇
bholds for Hby Lemma 6.26. Choose
any â-normal B∈H. By ~
∇
c,¬B/∈H. By ∇
b, for every A∈cwffo(Σ)
yâeither
(A.
=oB) or (A.
=o¬B). That is, in MH
1, for every A∈cwffo(Σ)
yâwe either have
A.
∼Bor A.
∼ ¬B. So, we know Msatisfies property b.
When ∗ ∈ {âç,âçb}, the fact that .
∼satisfies property çfollows from ∇
çwhich
holds for Hby Lemma 6.27.
When ∗ ∈ {âî,âîb}, we must show that .
∼satisfies property î. Let M,N∈
wffâ(Σ), an assignment ϕand a variable Xαbe given. Suppose Eâ
ϕ,[A/X ](M).
∼
Eâ
ϕ,[A/X ](N) for every A∈cwffα(Σ)
yâ. Let èbe the substitution defined by
è(Y) : = ϕ(Y) for each variable Y∈(free(M)∪free(N)) \ {X}. So, for each
A∈cwffα(Σ)
yâ,
([A/X ]è(M))
yâ≡Eâ
ϕ,[A/X ](M).
∼Eâ
ϕ,[A/X ](N)≡([A/X ]è(N))
yâ.
That is, ([A/X ]è(M).
=â[A/X ]è(N))
yâ∈Hfor every A∈cwffα(Σ)
yâ. By ∇â
î
(Lemma 6.28), we have ((ëX è(M)) .
=α→âëX è(N))
yâ∈H. So,
Eâ
ϕ(ëX M)≡(ëX è(M))
yâ
.
∼(ëX è(N))
yâ≡Eâ
ϕ(ëX N).
Thus, .
∼satisfies îas desired.
When ∗ ∈ {âf, âfb}, we must show .
∼is functional. Let αand âbe types and
G,H∈cwffα→â(Σ)
yâ. We need to show G.
∼Hiff (GA)
yâ
.
∼(HA)
yâfor every
A∈cwffα(Σ)
yâ. This follows directly from ∇â
f.
This verifies the fact that M∈M∗whenever H∈Hint∗.a
Theorem 6.34 (Model existence theorem).Let Γ
Σbe a saturated abstract con-
sistency class and let Φ∈Γ
Σbe a sufficiently Σ-pure set of sentences. For all
∗ ∈ {â, âç, âî , âf,âb, âçb,âîb,âfb}we have: If Γ
Σis an Acc∗(cf. Definition 6.7),
then there exists a model M∈M∗(cf. Definition 3.49) that satisfies Φ. Furthermore,
each domain of Mhas cardinality at most ℵs.
Proof. Let Γ
Σbe an abstract consistency class. We can assume without loss of
generality (cf. Lemma 6.18) that Γ
Σis compact, so the preconditions of Lemma 6.32
are met. Therefore, there exists a saturated Hintikka set H∈Hint∗with Φ ⊆H.
The proof is completed by a simple appeal to the Theorem 6.33. a
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY 1079
Theorem 6.35 (Model existence for Henkin models).Let Γ
Σbe a saturated ab-
stract consistency class in Accâfb and let Φ∈Γ
Σbe a sufficiently Σ-pure set of sentences.
Then there is a Henkin model (cf. Definition 3.50) that satisfies Φ. Furthermore, each
domain of the model has cardinality at most ℵs.
Proof. By Theorem 6.34, there is a model M∈Mâfb with M|= Φ. By Theo-
rem 3.68, there is a Henkin model Mfr ∈Mâfb isomorphic to M. By the isomor-
phism, we have Mfr |= Φ and that each domain of Mfr has the same cardinality as
the corresponding domain of M.a
Remark 6.36.The model existence theorems show there are “enough” models
in each class M∗to model sufficiently pure sets in saturated abstract consistency
classes in Acc∗. These results are abstract forms of completeness. To complete the
analysis, we can show abstract forms of soundness. One way to show this is to
define a class of sentences
Γ∗
Σ:= {Φ⊆cwffo| ∃M∈M∗M|= Φ }
for each ∗ ∈ {â,âç, âî, âf, âb,âçb, âîb,âfb}and show Γ∗
Σis a (saturated) Acc∗. We
only sketch the proof here.
The fact that each Γ∗
Σsatisfy ∇
c,∇
â,∇
¬,∇
∨,∇
∧,∇
∀, and ∇
sat is straightforward.
The proof that ∇
∃holds has the technical difficulty that one must modify the
evaluation of a parameter. Showing ∇
b[∇
ç] holds when considering models with
property b[ç] is also easy.
When showing ∇
fholds in Γâf
Σ[Γâfb
Σ], one sees the importance of assuming prop-
erty qholds. Suppose Φ ∈Γâf
Σ[Γâfb
Σ] and ¬(F.
=α→âG)∈Φ. Then there
is a model M≡(D,@,E, õ)∈Mâf[Mâfb] such that M|= Φ. This implies
M|=¬(F.
=α→âG). Without using property q, it follows by Lemma 4.2(1) that
E(F)6≡ E(G). By functionality, there is an a∈Dαsuch that E(F)@a6≡ E(G)@a.
Let ϕbe any assignment into M. Then Eϕ,[a/X ](FX)6≡ Eϕ,[a/X ](GX). Now, using
property q, we can conclude Mϕ,[a/X ]|=¬((FX).
=â(GX)) by Lemma 4.2(2). Let
wα∈Σ be a parameter that does not occur in any sentence of Φ. With some
technical work which we omit, one can change the evaluation function to E0so that
E0(A)≡E(A) for all A∈Φ, and E0(w)≡a. In the new model M0≡(D,@,E0, õ),
we have M0|= Φ and M0|=¬(Fw.
=âGw). Also, M0∈Accâf[Accâfb ]. This shows
Φ∗ ¬(Fw.
=âGw)∈Γâf
Σ[Γâfb
Σ]. The proof that ∇
îholds in Γâî
Σ[Γâîb
Σ] is analogous.
We have now established a set of proof-theoretic conditions that are sufficient to
guarantee the existence of a model.
§7. Characterizing higher-order natural deduction calculi. In this section we apply
the model existence theorems above to prove some classical higher-order calculi of
natural deduction sound and complete with respect to the model classes introduced
in Section 3. The first calculus for such a formulation of higher-order logic was a
Hilbert-style system introduced by Alonzo Church in [18]10. Leon Henkin proves
completeness (with respect to Henkin models) for a similar calculus with full exten-
sionality in [26]. Peter Andrews introduced a weaker calculus Tâ[1], which lacks all
10Church included functional extensionality axioms but only mentions the Boolean extensionality
axiom as an option.
1080 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
A∈ΦNK(Hyp)
Φ`` A
A≡âBΦ`` A
NK(â)
Φ`` B
Φ∗A`` FoNK(¬I)
Φ`` ¬A
Φ`` ¬AΦ`` ANK(¬E)
Φ`` C
Φ`` ANK(∨IL)
Φ`` A∨B
Φ`` BNK(∨IR)
Φ`` A∨B
Φ`` A∨BΦ∗A`` CΦ∗B`` CNK(∨E)
Φ`` C
Φ`` Gwαwparameter not occurring in Φ or G
NK(ΠI)w
Φ`` ΠαG
Φ`` ΠαGNK(ΠE)
Φ`` GA
Φ∗ ¬A`` FoNK(Contr)
Φ`` A
Figure 6. Inference rules for NKâ.
forms of extensionality. This calculus has been widely used as a syntactic measure
of completeness for machine-oriented calculi [1, 32, 33, 34, 42, 36, 37].
Instead of applying our methods to Hilbert-style calculi, we will use a collection
of natural deduction calculi to avoid the tedious details of proving a deduction
theorem and propositional completeness. Moreover, natural deduction calculi are
more relevant in practice. They form the logical basis for semi-automated theorem
proving systems such as HOL [25], Isabelle [46], or Ωmega [51].
Definition 7.1 (The calculi NK∗).The calculus NKâconsists of the inference
rules11 in Figure 6 for the provability judgment `` between sets of sentences Φ and
sentences A. (We write `` Afor ∅ `` A.) The rule NK(â) incorporates â-equality
into ``. The others characterize the semantics of the connectives and quantifiers.
For ∗ ∈ {âç, âî, âf,âb, âçb,âîb, âfb}we obtain the calculus NK∗by adding the
rules shown in Figure 7 when specified in ∗.
Remark 7.2.It is worth noting that there is a derivation of `` To(i.e., `` ∀P0
P∨ ¬P) which only uses the rules in Figure 6. Let pbe a parameter of type o. A
derivation of ¬(p∨ ¬p)`` (p∨ ¬p) is shown in Figure 8. Using NK(Hyp) and
11Recall that Fois defined to be ¬(∀Po(P∨ ¬P)) and M6|=Fofor each Σ-model M(cf. Lemma 3.43).
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY 1081
A≡âçBΦ`` A
NK(ç)
Φ`` B
Φ`` ∀XαM.
=âNNK(î)
Φ`` (ëXαM).
=α→â(ëXαN)
Φ`` ∀XαGX.
=âHXNK(f)
Φ`` G.
=α→âH
Φ∗A`` BΦ∗B`` ANK(b)
Φ`` A.
=oB
Figure 7. Extensional inference rules.
NK(Hyp)
¬(p∨ ¬p), p `` ¬(p∨ ¬p)
NK(Hyp)
¬(p∨ ¬p), p `` pNK(∨IL)
¬(p∨ ¬p), p `` (p∨ ¬p)
NK(¬E)
¬(p∨ ¬p), p `` FoNK(¬I)
¬(p∨ ¬p)`` ¬pNK(∨IR)
¬(p∨ ¬p)`` (p∨ ¬p)
Figure 8. Derivation of ¬(p∨ ¬p)`` (p∨ ¬p).
NK(¬E), we obtain ¬(p∨ ¬p)`` Fo. So, we can conclude `` (p∨ ¬p) using
NK(Contr). Finally, we obtain a derivation of `` Tousing NK(ΠI)p. Hence, `` To
is derivable in each calculus NK∗where ∗ ∈ {â, âç, âî, âf,âb, âçb,âîb,âfb}. Also,
we can apply the rule NK(ΠE) to the end of this derivation with any sentence Ato
derive `` (A∨ ¬A).
Note that NKâand NKâfb correspond to the extremes of the model classes dis-
cussed in Section 3 (cf. Figure 1 in the introduction). Standard models do not admit
(recursively axiomatizable) calculi that are sound and complete, NKâfb is complete
for Henkin models, and NKâis complete for Mâ. We will now show soundness and
completeness of each NK∗with respect to each corresponding model class M∗by
using the model existence theorems in Section 6.
Theorem 7.3 (Soundness).NK∗is sound for M∗for ∗ ∈ {â,âç,âî,âf, âb,âçb,
âîb,âfb}. That is, if Φ``NK∗Cis derivable, then M|=Cfor all models M≡
(D,@,E, õ)in M∗such that M|= Φ.
Proof. This can be shown by a simple induction on the derivation of Φ ``NK∗C.
We distinguish based on the last rule of the derivation. The only base case is
NK(Hyp), which is trivial since M|=Cwhenever M|= Φ and C∈Φ.
1082 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
NK(â): Suppose Φ `` Cfollows from Φ `` Aand A≡âC. Let M∈M∗be a
model of Φ. By induction, we know M|=Aand so M|=Cusing
Remark 3.19.
NK(Contr): Suppose M∈M∗,M|= Φ and Φ `` Cfollows from Φ ∗ ¬C`` Fo. By
Lemma 3.43, M6|=Fo. So, we must have M6|=¬C. Hence, M|=C.
NK(¬I): Analogous to NK(Contr).
NK(¬E): Suppose Φ `` Cfollows from Φ `` ¬Aand Φ `` A. By induction, any
model in M∗of Φ would have to model both Aand ¬A. So, there is
no such model of Φ and we are done.
NK(∨IL): Suppose M∈M∗,M|= Φ, Cis (A∨B) and Φ `` Cfollows from
Φ`` A. By induction, M|=Aand so M|= (A∨B).
NK(∨IR): Analogous to NK(∨IL).
NK(∨E): Suppose Φ `` Cfollows from Φ `` (A∨B), Φ ∗A`` Cand Φ ∗B`` C.
Let M∈M∗be a model of Φ. By induction, M|=A∨B. If M|=A,
then by induction M|=Csince Φ ∗A`` C. If M|=B, then by
induction M|=Csince Φ ∗B`` C. In either case, Φ `` C.
NK(ΠI): Suppose Cis (ΠαG) and Φ `` (ΠαG) follows from Φ `` Gwwhere
wαis a parameter which does not occur in any sentence of Φ or in G.
Let M≡(D,@,E, õ)∈M∗be a model of Φ. Assume M6|= ΠαG.
Then there must be some a∈Dαsuch that õ(E(G)@a)≡F. From
the evaluation function E, one can define another evaluation function
E0such that E0(w)≡aand E0
ϕ(Aα)≡Eϕ(Aα) if wdoes not occur in
A. Let M0: = (D,@,E0, õ). One can check M0∈M∗using the fact
that M∈M∗. Since M0|= Φ, by induction we have M0|=Gw. This
contradicts õ(E0(G)@a)≡õ(E(G)@a)≡F. Thus, M|= ΠαG.
NK(ΠE): Suppose Cis (GA) and Φ `` Cfollows from Φ `` (ΠαG). Let M≡
(D,@,E, õ)∈M∗be a model of Φ. By induction, M|= (ΠαG) and
thus õ(E(G))@a≡Tfor every a∈Dα. In particular, M|=GA.
We now check soundness of the rules in Figure 7 with respect to their model classes:
NK(ç): Analogous to NK(â) using property ç.
NK(î): Suppose Cis (ëXαM).
=α→â(ëXαN) and Φ `` Cfollows from Φ ``
∀XαM.
=âN. Let M≡(D,@,E, õ )∈M∗be a model of Φ. By
induction, we have M|=∀XαM.
=âN. So, for any assignment ϕ
and a∈Dα,M|=ϕ,[a/X ]M.
=âN. Note that property qholds in M
since M∈M∗(cf. Definition 3.49). By Lemma 4.2(2), Eϕ,[a/X ](M)≡
Eϕ,[a/X ](N). By property î,Eϕ(ëXαM)≡Eϕ(ëXαN) and thus M|=
Cby Lemma 4.2(1).
NK(f): Suppose Cis G.
=α→âHand Φ `` Cfollows from Φ `` ∀XαGX.
=âHX.
Let M∈M∗be a model of Φ. By induction, we know M|=
∀XαGX.
=âHX. Note that property qholds for Msince M∈M∗.
By Theorem 4.3(3), we must have M|= (G.
=α→âH).
NK(b) Suppose Cis A.
=oBand Φ `` Cfollows from Φ∗A`` Band Φ ∗B`` A.
Let M≡(D,@,E, õ)∈M∗be a model of Φ. If M|=A, then M|=B
by induction. If M|=B, then M|=Aby induction. These facts imply
õ(E(A)) ≡õ(E(B)). By Lemma 3.48, we have M|= (A⇔B). By
Theorem 4.3(4), we must have M|= (A.
=oB). a
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY 1083
Definition 7.4 (NK∗-consistent).A set of sentences Φ is NK∗-inconsistent if
Φ``NK∗Fo, and NK∗-consistent otherwise.
Now, we use the model existence theorems for HOL to give short and elegant
proofs of completeness for NK∗.
Lemma 7.5. The class Γ∗
Σ:= {Φ⊆cwffo|Φis NK∗-consistent}is a saturated
Acc∗.
Proof. Obviously Γ∗
Σis closed under subsets, since any subset of an NK∗-
consistent set is NK∗-consistent. We now check the remaining conditions. We
prove all the properties by proving their contrapositive.
∇
c: Suppose A,¬A∈Φ. We have Φ `` Foby NK(Hyp) and NK(¬E).
∇
â: Let A∈Φ, A≡âBand Φ ∗Bbe NK∗-inconsistent. That is, Φ ∗B`` Fo. By
NK(¬I), we know Φ `` ¬B. Since A∈Φ, we know Φ `` Bby NK(Hyp) and
NK(â). Using NK(¬E), we know Φ `` Foand hence Φ is NK∗-inconsistent.
∇
¬: Suppose ¬¬A∈Φ and Φ ∗Ais NK∗-inconsistent. From Φ ∗A`` Foand
NK(¬I), we have Φ `` ¬A. Since ¬¬A∈Φ, we can apply NK(Hyp) and
NK(¬E) to obtain Φ `` Fo.
∇
∨: Suppose (A∨B)∈Φ and both Φ ∗Aand Φ ∗Bare NK∗-inconsistent. By
NK(Hyp) and NK(∨E), we have Φ `` Fo.
∇
∧: Suppose ¬(A∨B)∈Φ and Φ ∗ ¬A∗ ¬Bis NK∗-inconsistent. By NK(Contr)
and NK(∨IR), we have Φ,¬A`` A∨B. Using NK(¬E) with ¬(A∨B)∈Φ,
we have Φ,¬A`` Fo. By NK(Contr) and NK(∨IL), we have Φ `` A∨B. Using
NK(¬E) with ¬(A∨B)∈Φ, Φ is NK∗-inconsistent.
∇
∀: Suppose (ΠαG)∈Φ and Φ ∗(GA) is NK∗-inconsistent. By NK(¬I), Φ ``
¬(GA). By NK(Hyp) and NK(ΠE), Φ `` GA. Finally, NK(¬E) implies
Φ`` Fo.
∇
∃: Suppose ¬(ΠαG)∈Φ, wαis a parameter which does not occur in Φ, and
Φ∗ ¬(Gw) is NK∗-inconsistent. By NK(Contr), Φ `` Gw. By NK(ΠI)w,
Φ`` (ΠαG). Using NK(¬E) with ¬(ΠαG)∈Φ, Φ is NK∗-inconsistent.
∇
sat : Let Φ ∗Aand Φ∗¬Abe NK∗-inconsistent. We show that Φ is NK∗-inconsistent.
Using NK(¬I), we know Φ `` ¬Aand Φ `` ¬¬A. By NK(¬E), we have Φ `` Fo.
Thus we have shown that Γâ
Σis saturated and in Accâ. Now let us check the
conditions for the additional properties ç,î,f, and b.
∇
ç: If ∗includes ç, then the proof proceeds as in ∇
âabove, but with the rule NK(ç).
∇
î: Suppose ∗includes î,¬(ëX M.
=α→âëX N)∈Φ, and Φ ∗ ¬([w/X ]M.
=â
[w/X ]N) is NK∗-inconsistent for some parameter wαwhich does not occur in
any sentence of Φ. By NK(Contr), we have Φ `` ([w/X ]M.
=â[w/X ]N). By
NK(â), we have Φ `` ((ëX M.
=âN)w). By NK(ΠI), Φ `` (∀XM.
=âN).
By NK(î), Φ `` (ëX M.
=α→âëX N). By NK(¬E), Φ is NK∗-inconsistent.
∇
f: This case is analogous to the previous one, generalizing ëX M.
=ëX Nto
arbitrary G.
=Hand using the extensionality rule NK(f) instead of NK(î).
∇
b: Suppose ∗includes b. Assume that ¬(A.
=oB)∈Φ but both Φ ∗ ¬A∗B/∈Γ∗
Σ
and Φ ∗A∗ ¬B/∈Γ∗
Σ. So both are NK∗-inconsistent and we have Φ ∗A`` B
and Φ ∗B`` Aby NK(Contr). By NK(b), we have Φ `` (A.
=oB). Since
¬(A.
=oB)∈Φ, Φ is NK∗-inconsistent. a
1084 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
Theorem 7.6 (Henkin’s theorem for NK∗).Let ∗ ∈ {â, âç, âî, âf,âb, âçb,âîb,
âfb}. Every sufficiently Σ-pure NK∗-consistent set of sentences has an M∗-model.
Proof. Let Φ be a sufficiently Σ-pure NK∗-consistent set of sentences. By The-
orem 7.5 we know that the class of sets of NK∗-consistent sentences constitute a
saturated Acc∗, thus the Model Existence Theorem (Theorem 6.34) guarantees an
M∗model for Φ. a
Corollary 7.7 (Completeness theorem for NK∗).Let Φbe a sufficiently Σ-pure
set of sentences, Abe a sentence, and ∗ ∈ {â,âç, âî, âf, âb,âçb, âîb,âfb}. If Ais
valid in all models M∈M∗that satisfy Φ, then Φ``NK∗A.
Proof. Let Abe given such that Ais valid in all M∗models that satisfy Φ. So,
Φ∗ ¬Ais unsatisfiable in M∗. Since only finitely many constants occur in ¬A,
Φ∗ ¬Ais sufficiently Σ-pure. So, Φ ∗ ¬Amust be NK∗-inconsistent by Henkin’s
theorem above. Thus, Φ ``NK∗Aby NK(Contr). a
Finally we can use the completeness theorems obtained so far to prove a com-
pactness theorem for our semantics.
Corollary 7.8 (Compactness theorem for NK∗).Let Φbe a sufficiently Σ-pure
set of sentences and ∗ ∈ {â, âç, âî, âf,âb, âçb,âîb,âfb}.Φhas an M∗-model iff
every finite subset of Φhas an M∗-model.
Proof. If Φ has no M∗-model, then by Theorem 7.6 Φ is NK∗-inconsistent. Since
every NK∗-proof is finite, this means some finite subset Ψ of Φ is NK∗-inconsistent.
Hence, Ψ has no M∗-model. a
Remark 7.9 (Calculi with primitive equality).If primitive equality is included in
the signature, a simple way of extending the calculi NK∗in a sound and complete
way is to include the rules NK(=r) and NK(=l) in Figure 9. These rules are clearly
sound for models with primitive equality. One can argue completeness by showing
Γ∗
Σ:= {Φ⊆wffo(Σ) |Φ is NK∗-consistent}is a saturated Acc∗with primitive
equality. By Lemma 7.5, we already know Γ∗
Σis a saturated Acc∗. To show the
conditions for primitive equality, one can show Γ∗
Σsatisfies ∇r
=using NK(=r) and
∇.
=
=using NK(=l).
NK(=r)
Φ`` A=αA
Φ`` C=αDNK(=l)
Φ`` C.
=αD
Figure 9. Primitive equality in NK∗.
§8. Conclusion. In this article, we have given an overview of the landscape of
semantics for classical higher-order logics. We have differentiated nine different
possible notions and have tied the discerning properties to conditions of corre-
sponding abstract consistency classes. The practical relevance of these notions has
been illustrated by pointing to application scenarios within mathematics, program-
ming languages, and computational linguistics.
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY 1085
Our model existence theorems are strong proof tools connecting syntax and
semantics. A standard application is in completeness analysis of higher-order
calculi. A calculus Cis shown to be complete for a model class M∗by showing
that the class of C-consistent or C-irrefutable sets of sentences is in Acc∗. Then
completeness follows from the model existence results. We have given an example
of this by showing completeness for natural deduction calculi in Section 7.
8.1. Applications and related work. The generalized model classes M∗have many
possible applications. An example is higher-order logic programming [45] where
the denotational semantics of programs can induce non-standard meanings for
the classical connectives. For instance, given an SLD-like search strategy as in
ë-PROLOG [43], conjunction is not commutative any more. Therefore, various au-
thors have proposed model-theoretic semantics where property bfails. David Wol-
fram, for instance, uses Andrews’ õ-complexes [58] as a semantics for ë-PROLOG
and Gopalan Nadathur uses “labeled structures” for the same purpose in [45].
Mary DeMarco [20] also develops a model theory for intuitionistic type theory
and ë-prolog in which property bmay fail (James Lipton and Mary DeMarco are
continuing this work). Till Mossakowski and Lutz Schr ¨
oder have been studying
non-functional Henkin models for a partial ë-calculus in the context of the Has-
Casl specification language [48, 49]. It is plausible to assume that the results of this
article will be useful for further development in this direction. Further relevance
of model-theoretic semantics where property qfails, however, is not sufficiently
investigated yet, but seems a promising line of research.
The article also provides a basis for the investigation of hyper-intensional seman-
tics of natural languages. In fact early versions of this article have already influenced
the work of Lappin and Pollard [40]. Hyper-intensional semantics provide theories
for logics where Boolean extensionality (and thus the substitutability of equivalents)
can fail. Linguistically motivated theories like the ones presented in [56, 17, 41, 40]
introduce intensional (non-standard) variants of the connectives and quantifiers
acting on a generalized domain of truth values. Interestingly, only [41] and [40]
present formal model-theoretic semantics. The model construction in [41] strongly
resembles Peter Andrew’s õ-complexes (semantic objects are paired with syntactic
representations; in this case linguistic parse trees). In [40], Dois taken to be a
pre-Boolean algebra, and possible worlds are associated with ultrafilters. A direct
comparison is aggravated by the fact that Lappin and Pollard’s work is situated in a
Montague-style intensional (i.e., modal) context. A generalization of our work by
techniques from [23] seems the way to go here.
8.2. Relaxing the saturation assumption. Unfortunately, the model existence the-
orems presented in this article do not support completeness proofs for most higher-
order machine-oriented calculi, such as higher-order resolution [33, 13], higher-
order paramodulation [11], or tableau-based calculi [5, 37]. This is because we had
to assume saturation of abstract consistency classes to prove the model existence
theorems. The problem is that machine oriented calculi are typically, in some sense,
cut-free. This makes saturation very difficult to show.
For the same reason the results of this article also do not apply to another
prominent application of model existence theorems: relatively simple (but non-
constructive) cut-elimination theorems. In [1] Peter Andrews applies his “Unifying
Principle” to cut-elimination in a cut-free non-extensional sequent calculus, by
1086 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
proving the calculus complete (relative to Tâ). He concludes that cut-elimination
is valid for this calculus. Again, the saturation condition prevents us from obtain-
ing variants of the extensional cut-elimination theorems in [54, 55] by Andrews’
approach using our model existence theorem for Henkin models. In fact one can
prove (cf. [12]) that the problem of showing that an abstract consistency class can
be extended to a saturated one is equivalent to showing cut elimination for certain
sequent or resolution calculi.
To account for the saturation problem we have additionally investigated model
existence for the model classes presented in this article using an extension of Peter
Andrews’ õ-complexes (cf. [12]). The model construction in this technique requires
an abstract consistency class to satisfy certain acceptability conditions which are
much weaker than saturation. (For example, the acceptability conditions can be
shown to hold for abstract consistency classes obtained from certain cut-free sequent
calculi.) Because this technique is much more complex and subtle thanthe relatively
simple quotients of term evaluations used in this article, we did not include the
extended results here. The unsaturated model existence theorems imply that every
acceptable abstract consistency class can be extended to a saturated one. Armed
with this fact, we can use the model existence theorems presented here to rescue the
general completeness and cut elimination results mentioned above. To show, for
example, completeness of a higher-order machine-oriented calculus C, we define the
class Γ of C-irrefutable sentences and show that it is an acceptable (but unsaturated)
abstract consistency class. By the extension result in [12] there is a saturatedabstract
consistency class Γ0⊇Γ. By application of saturated model existence from this
article we obtain a suitable model for every (sufficiently Σ-pure) Φ ∈Γ0and thus for
every (sufficiently Σ-pure) Φ ∈Γ. This immediately gives us completeness. Hence,
the leverage added by this article together with [12] is that we can now extend
non-extensional cut-elimination results to extensional cases.
Acknowledgments. The work presented in this paper has been supported by the
“Deutsche Forschungsgemeinschaft” (DFG) under Grant SI 372/4 Hotel, the
National Science Foundation under Grant CCR-0097179 and a DFG Heisenberg
stipend (Ko-1370/6-1) to the third author. The authors would like to thank Peter
Andrews and Frank Pfenning for stimulating discussions and Claus-Peter Wirth
and Andrey Paskevich for proof reading. We furthermore thank the referee of this
article for his very fruitful comments.
REFERENCES
[1] Peter B. Andrews,Resolution in type theory, this Journal, vol. 36 (1971), no. 3, pp. 414–432.
[2] ,General models and extensionality, this Journal, vol. 37 (1972), no. 2, pp. 395–397.
[3] ,General models descriptions and choice in type theory, this Journal, vol. 37 (1972), no. 2,
pp. 385–394.
[4] , letter to Roger Hindley dated January 22, 1973.
[5] ,On connections and higher order logic,Journal of Automated Reasoning, vol. 5 (1989),
pp. 257–291.
[6] , An introduction to mathematical logic and type theory: To truth through proof, second ed.,
Kluwer Academic Publishers, 2002.
[7] Peter B. Andrews, Matthew Bishop, and Chad E. Brown,TPS: A theorem proving system for
type theory,Proceedings of the 17th international conference on automated deduction (Pittsburgh, USA)
(David McAllester, editor), Lecture Notes in Artifical Intelligence, no. 1831, Springer-Verlag, 2000,
pp. 164–169.
HIGHER-ORDER SEMANTICS AND EXTENSIONALITY 1087
[8] Peter B. Andrews, Matthew Bishop, Sunil Issar, Dan Nesmith, Frank Pfenning, and Hong-
wei Xi,TPS: A theorem proving system for classical type theory,Journal of Automated Reasoning, vol. 16
(1996), no. 3, pp. 321–353.
[9] Henk P. Barendregt,The lambda calculus, North-Holland, 1984.
[10] Christoph Benzm ¨
uller,Equality and extensionality in automated higher-order theorem proving,
Ph.D. thesis, Saarland University, 1999.
[11] , Extensional higher-order paramodulation and RUE-resolution,Proceedings of the 16th
international Conference on Automated Deduction (Trento, Italy) (Harald Ganzinger, editor), Lecture
Notes in Artificial Intelligence, vol. 1632, Springer-Verlag, 1999, pp. 399–413.
[12] Christoph Benzm ¨
uller, Chad E. Brown, and Michael Kohlhase,Semantic techniques
for higher-order cut-elimination, manuscript, http://www.ags.uni-sb.de/∼chris/papers/R19.pdf,
2002.
[13] Christoph Benzm ¨
uller and Michael Kohlhase,Extensional higher order resolution, in Kirch-
ner and Kirchner [35], pp. 56–72.
[14] ,LEO—a higher order theorem prover, in Kirchner and Kirchner [35], pp. 139–144.
[15] ,Model existence for higher-order logic,SEKI-Report SR-97-09, Saarland University,
1997.
[16] Wolfgang Bibel and Peter Schmitt (editors), Automated deduction—a basis for applications,
Kluwer, 1998.
[17] Gennaro Chierchia and Raymond Turner,Semantics and property theory,Linguistics and
Philosophy, vol. 11 (1988), pp. 261–302.
[18] Alonzo Church,A formulation of the simple theory of types, this Journal, vol. 5 (1940),
pp. 56–68.
[19] Nicolaas Govert de Bruijn,Lambda calculus notation with nameless dummies, a tool for auto-
matic formula manipulation, with an application to the Church-Rosser theorem,Indagationes Mathemati-
cae, vol. 34 (1972), no. 5, pp. 381–392.
[20] Mary DeMarco,Intuitionistic semantics for heriditarily harrop logic programming,Ph.D. thesis,
Wesleyan University, 1999.
[21] Gilles Dowek, Th´
er`
ese Hardin, and Claude Kirchner,HOL-ëó an intentional first-order
expression of higher-order logic,Mathematical Structures in Computer Science, vol. 11 (2001), no. 1,
pp. 1–25.
[22] Melvin Fitting,First-order logic and automated theorem proving, second ed., Graduate Texts in
Computer Science, Springer-Verlag, 1996.
[23] ,Types, tableaus, and G¨
odel’s God, Kluwer, 2002.
[24] Kurt G ¨
odel,¨
Uber formal unentscheidbare S¨atze der Principia Mathematica und verwandter
Systeme I,Monatshefte der Mathematischen Physik, vol. 38 (1931), pp. 173–198, English version in [57].
[25] M. J. C. Gordon and T. F. Melham,Introduction to HOL—a theorem proving environment for
higher order logic, Cambridge University Press, 1993.
[26] Leon Henkin,Completeness in the theory of types, this Journal, vol. 15 (1950), no. 2, pp. 81–91.
[27] , The discovery of my completeness proofs,The Bulletin of Symbolic Logic, vol. 2 (1996),
no. 2, pp. 127–158.
[28] Roger J. Hindley and Jonathan P. Seldin,Introduction to combinators and lambda-calculs,
Cambridge University Press, Cambridge, 1986.
[29] K. J. J. Hintikka,Form and content in quantification theory,Acta Philosophica Fennica, vol. 8
(1955), pp. 7–55.
[30] Furio Honsell and Marina Lenisa,Coinductive characterizations of applicative structures,
Mathematical Structures in Computer Science, vol. 9 (1999), pp. 403– 435.
[31] Furio Honsell and Donald Sannella,Pre-logical relations,Proceedings of computer science
logic (CSL ’99), Lecture Notes in Computer Science, vol. 1683, Springer-Verlag, 1999, pp. 546–561.
[32] G´
erard P. Huet,Constrained resolution: A complete method for higher order logic,Ph. D. thesis,
Case Western Reserve University, 1972.
[33] ,A mechanization of type theory,Proceedings of the 3rd international joint conference on
artificial intelligence (Donald E. Walker and Lewis Norton, editors), 1973, pp. 139–146.
[34] D. C. Jensen and Thomasz Pietrzykowski,A complete mechanization of (ù)-order type theory,
Proceedings of the ACM annual conference, vol. 1, 1972, pp. 82–92.
[35] Claude Kirchner and H ´
el`
ene Kirchner (editors), Proceedings of the 15th Conference on Auto-
mated Deduction, Lecture Notes in Artificial Intelligence, vol. 1421, Springer-Verlag, 1998.
1088 CHRISTOPH BENZM ¨
ULLER, CHAD E. BROWN, AND MICHAEL KOHLHASE
[36] Michael Kohlhase,A mechanization of sorted higher-order logic based on the resolution principle,
Ph. D. thesis, Saarland University, 1994.
[37] ,Higher-ordertableaux,Theorem proving with analytic tableaux and related methods (Peter
Baumgartner, Reiner H¨
ahnle, and Joachim Posegga, editors), Lecture Notes in Artificial Intelligence,
vol. 918, Springer-Verlag, 1995, pp. 294–309.
[38] Michael Kohlhase and Ortwin Scheja,Higher-order multi-valued resolution,Journal of Ap-
plied Non-Classical Logics, vol. 9 (1999), no. 4, pp. 155–178.
[39] Shalom Lappin and Carl Pollard,Strategies for hyperintensional semantics, manuscript,
King’s College, London and Ohio State University, 2000.
[40] ,A higher-order fine-grained logic for intensional semantics, manuscript, 2002.
[41] Richard Larson and Gabriel Segal,Knowledge of meaning, MIT Press, 1995.
[42] Dale Miller,Proofs in higher-order logic,Ph. D. thesis, Carnegie-Mellon University, 1983.
[43] ,A logic programming language with lambda-abstraction, function variables, and simple
unification,Journal of Logic and Computation, vol. 4 (1991), no. 1, pp. 497–536.
[44] John C. Mitchell,Foundations for programming languages, Foundations of Computing, MIT
Press, 1996.
[45] Gopalan Nadathur and Dale Miller,Higher-order logic programming,Technical Report CS-
1994-38, Department of Computer Science, Duke University, 1994.
[46] Tobias Nipkow, Lawrence C. Paulson, and Markus Wenzel,Isabelle/HOL—a proof assistant
for higher-order logic, Lecture Notes in Computer Science, vol. 2283, Springer-Verlag, 2002.
[47] J. Alan Robinson and Andrei Voronkov,Handbook of automated reasoning, MIT Press, 2001.
[48] L. Schr ¨
oder and T. Mossakowski,Hascasl: towards integrated specification and development
of functional programs,Algebraic methodology and software technology, Lecture Notes in Computer
Science, vol. 2422, Springer-Verlag, 2002, pp. 99–116.
[49] Lutz Schr ¨
oder,Henkin models for the partial ë-calculus, manuscript, http://www.
informatik.uni-bremen.de/∼lschrode/hascasl/henkin.ps, 2002.
[50] Kurt Sch ¨
utte,Semantical and syntactical properties of simple type theory, this Journal, vol. 25
(1960), pp. 305–326.
[51] J¨
org Siekmann, Christoph Benzm ¨
uller, et al., Proof development with OMEGA,Proceedings
of the 18th international conference on automated deduction (Copenhagen, Denmark) (Andrei Voronkov,
editor), Lecture Notes in Artificial Intelligence, vol. 2392, Springer-Verlag, 2002, pp. 144–149.
[52] Raymond M. Smullyan,A unifying principle for quantification theory,Proceedings of the National
Academy of Sciences, vol. 49 (1963), pp. 828–832.
[53] ,First-order logic, Springer-Verlag, 1968.
[54] Moto-o Takahashi,Cut-elimination in simple type theory with extensionality,Journal of the
Mathematical Society of Japan, vol. 19 (1967), pp. 399–410.
[55] Gaisi Takeuti,Proof theory, North-Holland, 1987.
[56] R. Tomason,A model theory for proposistional attitudes,Linguistics and Philosophy, vol. 4 (1980),
pp. 47–70.
[57] Jean van Heijenoort,From Frege to G¨
odel: a source book in mathematical logic 1879–1931,
3rd printing, 1997 ed., Source books in the history of the sciences series, Harvard University Press,
Cambridge, MA, 1967.
[58] DavidA. Wolfram,A semantics for ë-PROLOG,Theoretical Computer Science, vol. 136 (1994),
no. 1, pp. 277–289.
DEPARTMENT OF COMPUTER SCIENCE
SAARLAND UNIVERSITY
SAARBR ¨
UCKEN, GERMANY
E-mail: chris@ags.uni-sb.de
URL: http://www.ags.uni-sb.de/∼chris
DEPARTMENT OF MATHEMATICS
CARNEGIE MELLON UNIVERSITY
PITTSBURGH, PA 15213, USA
E-mail: cebrown@andrew.cmu.edu
URL: http://www.andrew.cmu.edu/∼cebrown/
SCHOOL OF ENGINEERING AND SCIENCES
INTERNATIONAL UNIVERSITY BREMEN
BREMEN, GERMANY
and
SCHOOL OF COMPUTER SCIENCE
CARNEGIE MELLON UNIVERSITY
PITTSBURGH, USA
E-mail: m.kohlhase@iu-bremen.de
URL: http://www.cs.cmu.edu/∼kohlhase
