Set-theoretic Foundations for ACL2(zfc): The ZFC Theory of an ACL2 Session
Copyright (C) 2025, Matt Kaufmann
License: A 3-clause BSD license.  See the LICENSE file distributed with ACL2.

This note sketches the logical foundation for our integration of ZFG
(Zermelo Fraenkel set theory with global choice) with ACL2, which we
may call ACL2(zfc).  We assume familiarity with ACL2 and ZF as well as
the basics of the file base.lisp in this directory.  Note as is
well-known, that ZFG is conservative over ZFC (Zermelo Fraenkel set
theory with local choice).

It may seem that no such foundation is necessary; after all, the
set-theory books in the current directory (books/projects/set-theory/)
are all certifiable without trust tags.  But consider an event such as
the following from base.lisp, which says that a member of the union of
two sets is a member of (at least) one of those sets.

(defthmz in-union2
  (equal (in a (union2 x y))
         (or (in a x) (in a y)))
  :hints ...)

This expands to the following.

(defthm in-union2
   (implies (force? (zfc))
            (equal (in a (union2 x y))
                   (or (in a x) (in a y))))
   :hints ...)

The hypothesis (force? (zfc)) is logically just (zfc).  So this
theorem is vacuous is (zfc) is false.  In fact, (zfc) is introduced in
an encapsulate in base.lisp with a local witness of nil!  So how is it
that the theorem in-union2 means anything non-trivial?

This note outlines how we can view (zfc) as being true in a suitable
setting, assuming of course that ZF is consistent.  More generally,
this note outlines how we can interpret defthmz as being simply defthm
in that setting.

We introduce the following notions before presenting the key theorems.

(a) Defun, mutual-recursion (or defuns), defchoose, and non-trivial
encapsulates (those with non-empty signatures) are considered to be
"axiomatic events" when not within a non-trivial encapsulate; they
export formulas, or "axioms", in the obvious way.  A defthm event
outside a non-trivial encapsulate is a "theorem event".  (Technically,
"outside" references a process whereby every trivial encapsulate has
been replaced, recursively, by its sequence of non-local events.)  An
event is "logically admissible" if the proof obligations imposed by
ACL2 for that event are all logical consequences of the axioms
introduced so far.  So for example, a recursive defun is logically
admissible if the measure conjecture is a logical consequences of the
axioms introduced so far, regardless of whether the ACL2 system can
actually prove the measure conjecture.  (Note that we are ignoring
guards.)

(b) An "ACL2 session" is a sequence of events where every axiomatic
event is logically admissible and every formula of a theorem event is
indeed a theorem of the axiomatic events present at its introduction.
We consider it to be a correctness requirement for the ACL2
implementation that every ACL2 logical world represents an ACL2
session.  We do not consider include-book events to be part of an ACL2
session, but rather, we consider the non-local events introduced by an
include-book event (as though :puff had been used; see :DOC puff)..
The "theory of" a session is defined to be the deductive closure of
its axioms.

(c) Let EZ be the encapsulate that introduces the ACL2 versions of the
ZFG axioms.  (See base.lisp.)  An "EZ session" is a defaxiom-free ACL2
session that includes EZ among its axiomatic events.  Clearly we can
move EZ to the front of any ACL2 session that includes it; so without
loss of generality, we further specify that EZ is the first event in
an EZ session.

(d) Defthmz and similar macros use a table, called "zfc-table", whose
keys indicate assumptions besides (zfc) that are valid in the
set-theoretic setting developed in this note.  These assumptions are
all calls of zero-ary functions.  A "zfc prop" of an EZ session
indicates such functions: technically, it is either a key in the
zfc-table present after the the last event of that session, or else a
function call of that key that may be forced; it will be clear from
the context which of these is intended.

(e) The "zfc theory" of an EZ session is the extension of ZFG
axiomatized by all of the following:

  (e1) the axiomatic events of the session;

  (e2) all comprehension and replacement axioms for the extension of
       the language of ZFG by the function symbols of the session; and

  (e3) for each zfc prop P of the session, the formula (P) = t.

Here are the two key theorems that provide the basic foundation for
our integration of ZFG with ACL2.

Theorem 1.  The zfc theory of an EZ session is consistent, assuming
that ZF is consistent.

Theorem 2.  For every theorem proved in an EZ session, if we replace
all zfc props by t (and remove such from its hypotheses) then the
result is a theorem of the zfc theory of the session.

Remark 1.  Theorem 2 is trivial by clause (e3) from the definition of
zfc extension.  The import of Theorem 1 is that Theorem 2 is not
vacuous.  Moreover, Theorem 1 provides a natural set-theoretic
interpretation for an EZ session.

Remark 2.  Theorem 2 tells us that the formula of each defthmz (or
thmz or defthmdz) event, except when that event is inside a
non-trivial encapsulate event, is a theorem of the zfc theory of the
session.  Note that Theorem 2 is really about props being true; so for
example, when (make-event '(defthmz <name> <body> ...))  expands to
(defthm <name> (implies <props> <body>)), it's irrelevant that the
defthmz macro call may no longer be visible in the world; what matters
is that the props are true.

Notation.  If each of S1 and S2 is either a sequence of events or an
event, then S1^S2 is the sequence produced by concatenating S2 to the
end of S1.

We can improve Theorems 1 and 2 so that any defthmz+ form or suitable
with-props form may be viewed as providing theorems of the zfc theory
of its EZ session, rather than as providing axioms.  The idea is to
consider certain non-trivial encapsulates as producing theorems rather
than axioms, namely, those that introduce only props and theorems.  We
make that idea precise with the following definitions and theorem.

Definition.  The "sequence of sub-events" of an encapsulate event is
the sequence of top-level events following its signature.  A
"sub-event" of an encapsulate event is any member of its sequence of
sub-events, i.e., any top-level event within the encapsulate.

Definition.  The "e-measure" (or event measure) of an event or a
sequence of events is defined recursively as follows.  The e-measure
of an event is 1 if it is not an encapsulate event or it is an
encapsulate event with no non-local sub-events (e.g., generated by
defstub), and otherwise is, recursively, (omega)^(n+1) where n is the
e-measure of its sequence of sub-events.  The e-measure of a sequence
of events is the summation of c_n*(omega)^n, where for each n, c_n is
the number of events in the sequence of e-measure n.

Note that the e-measure is always a positive integer.

Definition.  We define two notions by mutual recursion on e-measure.

- For an EZ session S^E, the event E is a "zfc-trivial encapsulate
  with respect to" S if its signature introduces only zero-ary
  functions, all of which are keys of the zfc table in S^E, and no
  non-local sub-event of E is a zfc axiomatic event.

- The set of "zfc axiomatic events" Ax(S) of an EZ session S is
  defined as follows.  If S contains only EZ then Ax(S) is just the
  singleton set {EZ}.  Otherwise suppose S is S0^E.  If E is a
  zfc-trivial encapsulate then Ax(S) is Ax(S0) together with the
  equations (P) = t for all P in the signature of E.  Otherwise, if E
  is a trivial encapsulate then Ax(S) is Ax(S^SE), where SE is the
  sequence of non-local sub-events of S.  Otherwise, Ax(S) is the
  addition of E to Ax(S0) if E is an axiomatic event, else Ax(S) is
  Ax(S0).

Remark.  In the definition above, we could just as well extend Ax(S)
to Ax(S^E) with equations (P) = (P) in the case that E is a
zfc-trivial encapsulate.  What matters for the following theorem,
where axioms from (e3) are included, is that each P in the signature
of E is added to the language.

Theorem 3.  The zfc theory of an EZ session S is axiomatized by its
zfc axiomatic events (in place of all its axiomatic events, as in (e1)
above) together with (e2) and (e3) above.

We will prove Theorem 3 after completing the proof of Theorem 1.

Remark.  We use the usual notion of a "definitional extension of a
first-order theory", as follows.  Thus, for a given theory T0 (in
particular, ZFG), such an extension is by the addition of a new
formula in the language of T0, as follows, for each of a set of
function symbols not occurring in T0.  Consider a formula
phi_f(x1,...,xn,y) in the language of T0, such that T0 proves (forall
x1 ... xn) (exists unique y) phi_f(x1,...,xn,y), and add the following
axiom (or definition) for the new function symbol, f:
(forall x1 ... xn) phi_f(x1,...,xn,f(x1,...,xn)).

The proof of Theorem 1 is based on a notion of "zfc puffing
procedure".  We define this procedure recursively, based on e-measure,
so that it obviously meets the following specification: it
monotonically maps an EZ session S to a definitional extension T of
ZFG with the same set of function symbols as S, such that the result
contains the theory of S.  (Here, "monotonically" means that the zfc
puffing procedure applied to any initial subsequence of a session S
produces a subset of the result of the zfc puffing procedure on S.)
For T to contain the zfc theory of S we need T to include the axioms
of (e1), (e2), and (e3) above.  We noted above that T will obviously
include the theory of S, which takes care of (e1).  T contains the
axioms of (e2) because T is a definitional extension of ZFG, which
ensures that it automatically contains all comprehension and
collection axioms in the language of T.  The Main Lemma below ensures
that T contains the axioms of (e3).  Theorem 1 then follows because
definitional extensions are conservative, hence preserve consistency.

To define the zfc puffing procedure, we start with the base case that
the session contains only EZ, by defining the ACL2 and EZ primitives
in ZFG.  Here are a few cases.

- y = (cons x1 x2) iff y = {{x1},{x1,x2}}.

- Atoms are encoded as specified in EZ.

- y = (car x1) iff either:
  - for some w, x1 = {{y},{y,w}}; or
  - for no y and w does x1 = {{y},{y,w}}, in which case z = nil.

- y = (equal x1 x2) iff x1 = x2.

Other primitives are defined as expected, though we omit their
definitions here.  For example, binary-+ is first defined on the
natural numbers, then extended to the integers, then the rationals,
and then the complexes.  For another example, symbolp is defined
according to the event symbol-as-ztriple in EZ, (symbolp x1) = t iff
x1 is of the form (0,6,<u,v>) where (stringp u) and (stringp v) hold
and u is a known package name; else (symbolp x1) = nil.  (As usual
when considering ACL2 semantics, we fix a known-package-alist.)  And
so on.  We assert that if ACL2 is programmed correctly, then the
ground-zero theory follows from these definitions.  For example, the
car of {{a},{a,b}} is provably a, according to the definition above of
car.

This concludes the base case of the recursion definition of the zfc
puffing procedure.

In general, suppose we have an EZ session S properly extending EZ with
event E, so that we may write S = S0^E.  Let T0 be the recursive
result of applying the puffing procedure to S0.  We define the zfc
puffing procedure on S as follows.

First suppose that E is an encapsulate event other than one that could
be generated by zsub or zfn.  Then recursively apply the zfc puffing
procedure to S0^S1 where S1 is the sequence of sub-events of E (both
local and non-local), to obtain a definitional extension T' of ZFG
that contains T and contains the theory of S0^S1.  Then the zfc
puffing procedure applied to S is the result of restricting T' to the
extension of T0 by definitions of function symbols of S.

If E is a defun or mutual-recursion (or defuns) event, then extend T0
with the corresponding explicit definitions.  Here we use an obvious
fact about set theory: (mutually) recursive definitions that are
provably terminating with an epsilon-0 measure can be given explicit
definitions in set theory, and function symbols in the bodies of those
definitions can be replaced by their explicit definitions in T0.

If E is a defchoose event then extend T0 with a definition that makes
the required choice using the global well-ordering provided by the
global choice function of ZFG, to choose witnesses that are least in
that order.  (This choice is suitable even when the defchoose event
specifies :strengthen t.)  As above, we can assume that all defined
function symbols in that result are eliminated.

Next suppose that E is an encapsulate event that could be generated by
zsub or zfn.  Then we add two explicit definitions: the obvious one
for the new function symbol F being introduced (the first argument of
zfn or zsub), and the other defining the new hypothesis function
F$PROP to be the constant function returning t.  The definition of F
is of course justified by Comprehension for zsub or Replacement for
zfn.  And again, we can then eliminate the function symbols introduced
by T0 so that F is explicitly definable in ZFG.

Otherwise, E is not an axiomatic event, and the puffing procedure
produces T0.

This completes the definition of the zfc puffing procedure, in a way
that clearly meets its specification: when applied to an EZ session S,
it produces a definitional extension of ZFG with the same set of
function symbols of S, one which clearly contains the theory of S.

Notation.  The "zfc puff" of an EZ session S is the result of the
application of the zfc puffing procedure to S.

Since the zfc puff of an EZ session S contains the theory of S and is
a definitional extension of ZFG (hence includes all comprehension and
replacement axioms for its language), it remains only to show the
following.  It may seem obvious from the definition of the zfc puffing
procedure, but local events in encapsulates present somewhat of a
challenge.

Main Lemma.  For an EZ session S, every zfc prop of S is provably t in
the zfc puff of S.

In preparation for the proof of the Main Lemma, we make a couple of
definition and state three lemmas.

Definition.  A "weak EZ session" is like an EZ session except that
proof obligations are not considered -- only syntactic requirements
need to be met (including table guards).

Definition.  An event E is "visible" in a sequence S of events if
either E is in S or for some encapsulate event E0 of S, E is visible
in the sequence of non-local sub-events of E0.

Definition.  A function symbol is "defined" in a sequence S of events
if it is mentioned in the theory of S.

Proposition (Monotonicity of Visibility).  The notion of visible is
monotone: If S1 is a subsequence of S2 and E is visible in S1, then E
is visible in S2. -|

Proposition (Visible Events Define).  If E is an axiomatic event that
is visible in S, then its axiom is a theorem of S and every function
symbol of the axiom introduced by E is defined in S. -|

Lemma 1.  If the event E is the value of get-event in the ACL2 world
corresponding to S, a weak EZ session, then E is visible in S.

"Proof". We take Lemma 1 to be a consequence of the specification of
get-event when ld-skip-proofsp is t, hence evidently true of any
correct implementation of the ACL2 logic. -|

Lemma 2.  Assume that E_P is a zsub or zfn event introducing the
hypothesis function P, and assume that E_P is visible in S.  Then (P)
is provably equal to t in the zfc puff of S.

Proof. We induct on S.  Since P is not in EZ (as it is introduced by
zsub or zfn), we may write S as S0^E for some event, E.  We may assume
that E_P is not visible in S0, since otherwise we are done by the
inductive hypothesis (and the monotonicity of the zfc puffing
procedure).  If E is E_P then the formula (P) = t is added when the
zfc puffing procedure extends the zfc puff of S0 to E.  Otherwise,
since E_P is visible in S but not in S0, then E is an encapsulate
event and E_P is visible in the sequence of non-local sub-events of E.
By the monotonicity of visible, E_P is visible in the sequence S1 of
all events (local and non-local) of E.  By the inductive hypothesis
and definition of the puffing procedure, (P) = t is provable in the
zfc puff T1 of S0^S1.  But T1 is a definitional extension of (hence
conservative over) the zfc puff of S, and since P is a function symbol
of S (because E_P is visible in S), then (P) = t is provable in the
zfc puff of S. -|

Lemma 3.  Suppose P is a zfc prop in a weak EZ session S.  Then P is
defined in S.

For Lemma 3 we instead prove a generalization of it.  The notion of a
"P-weak EZ session" for zero-ary function symbol P is like the notion
of a weak EZ session, but with the table guard for the zfc-table
weakened to apply only when the key is P.

Lemma 3'.  Suppose P is a zfc prop in a P-weak EZ session S.  Then P
is defined in S.

Proof. Lemma 3' follows by induction on the e-measure of S.  Because
of the table-guard of zfc-table (restricted to P), the result is clear
if P is ZFC, since EZ is in every P-weak EZ session.  So suppose that
P is associated in the zfc-table of S with the event, E_P.  E_P is not
in EZ since the zfc-table is introduced after EZ (or, for another
reason, note that if E_P is in EZ then P is defined in S and we're
done); so we may write S as S0^E for some event, E.  If P is a key of
the zfc-table in S0, then the result follows by the inductive
hypothesis.  So assume that E introduces the association of P with E_P
in the zfc-table.  If E is a zfc-table event then by the table guard
applied to P and Lemma 1, E_P is visible in S; so P is defined in S.
Otherwise E must be an encapsulate event introducing E_P (hence E is
not a defstub).  If P is in the signature of E then P is defined in S
so we are done.  Otherwise, let S1 be the sequence of events beginning
with an appropriate defstub for each function symbol in the signature
of E and followed by the sequence of non-local sub-events of E.  Then
the concatenation S2 = S0^S1 is a P-weak EZ session with a smaller
e-measure, so by the induction hypothesis, P is defined in S2;
therefore P is defined in S, since clearly E and S1 introduce the same
function symbols. -|

A key observation is that for a table with a strict table guard, table
events put the same key-value associations regardless of the context
in which those associations are made.  (The conservation of ground
evaluation results by sub-sessions is a consequence of conservativity
with respect to sub-sessions.)  Lemma 4 and its supporting lemma,
Lemma 4.1, are based on this observation.  Before turning to those, we
need the following definition, which weakens the notion of "weak EZ
session".

Definition.  A "very weak EZ session" is like a weak EZ session except
that every table guard is ignored except for whether it is strict.

The following pictures are provided in case they provide intuition
when reading Lemmas 4.1 and 4, where "ei" and "lei" indicate a
non-local and local event, respectively.

  Lemma 4.1:

  S0 S1............... E
  S0 SD S1'   ...   E

  Lemma 4:

  S0 E
  S0 SE.................................
  S0 S1..............
  S0 e1 le2 e3 le4 e5

Lemma 4.1.  Let E be an event and assume that the concatenation
S0^S1^E is a very weak session.  Also assume that the table TB has a
strict table guard.  Let SD be a sequence of defstub events and let
S1' be a subsequence of S1 such that S0^SD^S1'^E is a very weak
session for which TB associates key K with value V, where this
association does not hold in S0^SD^S1'.  Then TB associates key K with
value V in S0^S1^E.

Proof.  We induct on the e-measure of E.  If E is a table event then
it must be one that associates K with V, in which case the conclusion
is obvious since, because TB has a strict table guard, the same
association is guaranteed by E after S0^S1 as after S0^SD^S1'.
Otherwise E must be an encapsulate event, since that is the only way
besides a table event that TB can be modified.  Let SE be the sequence
of all sub-events (local and non-local) of E and let SE' be the
sequence of non-local sub-events of E.  Let E' be the final event in
SE' that changes the value of K in TB, let S2' be the sequence of all
non-local sub-events of E that strictly precede E', and let S2 be the
sequence of all sub-events of E (local and non-local) that strictly
precede E'.  Extend SD to SD' by adding defstub events for the
signatures of E.  So we can apply the inductive hypothesis by
substituting into the statement of the lemma as follows.

S0  <- S0
S1  <- S1^S2
S1' <- S1'^S2'
SD  <- SD'
E   <- E'

By the inductive hypothesis, TB associates key K with value V in
S0^S1^S2^E'.  Since E' is the last event of E that changes the value
of K in TB, TB associates key K with value V in S0^S1^E. -|

Lemma 4.  Assume that S0^E is a very weak session where E is an
encapsulate event.  Also assume that table TB, which has a strict
table guard, associates key K with value V in S0^E but not in S0.  Let
SE be the sequence of sub-events (both local and non-local) of E.
Then for some initial subsequence S1 of SE, TB associates K with V in
S0^S1.

Proof.  Consider pass 2 in the evaluation of E.  After the final
non-local event of SE during that evaluation, TB associates K with V.
Let S1 be a minimal-length initial subsequence of SE for which that is
the case; thus, if S'^E' is the subsequence of S1 consisting of
non-local events preceded by defstub events for the signature of E,
then TB associates K with V in the very weak session S0^S'^E' but not
in S0^S'.  Then by Lemma 4.1, TB associates K with V in S0^S1. -|

Finally we prove the Main Lemma.  Let P be a zfc prop of an EZ session
S, to prove that P is provably t in the zfc puff of S.  This is
trivial if P is ZFC, so assume that the zfc-table of S associates P
with E_P.  An easy induction shows that E_P is syntactically a zsub,
zfn, or defun event introducing P.  We proceed by inducting on the
e-measure of S.  It's also easy to see that S does not conclude with
EZ; so let S be S0^E for an event, E.  We may, and do, make the
following assumptions.

  (1) P is not a key of the zfc-table in S0.

  Otherwise, we are done by the inductive hypothesis (and monotonicity
  of the zfc puffing procedure).

  (2) E_P is not a zsub or zfn event that is visible in S.

  Otherwise we are done by Lemma 2.

  (3) P is not defined in S0.

  An easy proof shows that if P is defined in S0 but E_P is not
  visible in S0, then the zfc-table does not associate P with E_P in
  any extension of S0.  This contradicts the hypothesis of the Main
  Lemma.

We now return to the proof of the Main Lemma.  First consider the case
that E is a zfc-table event.  Then by (1) it must associate P with
E_P, hence by Lemma 1 and the table guard for the zfc-table, E_P is
visible in S0.  This contradicts (2) if E_P is a zsub or zfn event.
So E_P is a defun event defining P as a conjunction of props (by the
table guard).  By the Visible Events Define Proposition, P is provably
equal to that conjunction in the theory of S0.  So we are done by the
inductive hypothesis (and monotonicity of zfc puff), since the zfc
puff of S0 contains the theory of S.

Other than the cases that E is a zfc-table event or an encapsulate
event, then since by hypothesis the zfc-table associates P with E_P in
S, this association also holds in S0, contradicting (1).

The remaining case is that E is an encapsulate event.  Let SE be the
sequence of sub-events (both local and non-local) of E.  By (1) and
Lemma 4, we may choose an initial subsequence S1 of SE such that the
zfc-table associates P with E_P in S0^S1.  By the inductive
hypothesis, the zfc puff ZP1 of S0^S1 proves that P is t; hence by
monotonicity of zfc puff, so does the zfc puff ZPE of S0^SE.  Since
ZPE is a definitional and hence conservative extension of the zfc puff
of S, and since (by Lemma 3) P is defined in S, then the zfc puff of S
also proves that P is t. -|

Before proving Theorem 3, we introduce by recursion on e-measure a
generalization of the zfc puffing procedure.  Let I be an EZ session
and let T_I be a theory that contains the zfc theory of I and is
contained in the zfc puff of I.  The "relative zfc puff (with respect
to I and T_I)" of an EZ session extending I is defined by recursion on
e-measure, in analogy to how the zfc puffing procedure is defined
recursively.  The relative zfc puff of I is T_I.  (For what follows we
leave I and T_I implicit.)  Now let E be an event and let S0 be an EZ
session extending I; we define the relative zfc puff of S0^E.

First suppose that E is an encapsulate event other than one that could
be generated by zsub or zfn.  Let S1 be the sequence of sub-events of
E (both local and non-local).  Since S0^S1 is smaller in e-measure
than S0^E, let T' be the relative zfc puff of S0^S1.  Then the
relative zfc puff of S0^E is the result of restricting T' to the
extension of T0 by the definitions of function symbols in S0^E.

If E is any other event, then the relative zfc puff of S0^E is
obtained by extending the relative zfc puff of S0 with explicit
definitions exactly as in the definition of zfc puff.

An easy induction establishes that for any EZ session S extending I,
the relative zfc puff of S contains the zfc theory of S and is
contained in the zfc puff of S, which is a definitional extension of
T_I.

Proof of Theorem 3.  We induct on e-measure, according to the
recursive definition of the set of zfc axiomatic events.  It suffices
by the inductive hypothesis to show that if S^E is an EZ session and E
is a zfc-trivial encapsulate, then every theorem exported by E is in
the extension of the zfc theory of S by the formulas (P) = t for all P
in the signature of E.  Let Thm be such a theorem, and let Thm' be the
result of replacing by t each call in Thm of a signature function of
E.  Then by Theorem 2, Thm' is a theorem of the zfc theory T_E of S^E.
Therefor Thm' is a theorem of the relative zfc puff of E with respect
to S and the zfc theory of S.  But that is a definitional extension of
the zfc theory of S, hence conservative over that theory.  So Thm' is
a theorem of the zfc theory of S, from which it follows that Thm is
also in the zfc theory of S. -|
