Return-Path: Return-Path: Received: from ted.cs.uidaho.edu by swan.cl.cam.ac.uk with SMTP (PP) to cl id <02068-0@swan.cl.cam.ac.uk>; Thu, 7 Nov 1991 18:54:16 +0000 Received: by ted.cs.uidaho.edu (15.11/1.34) id AA15342; Thu, 7 Nov 91 10:43:03 pst Reply-To: info-hol@ted Sender: info-hol-request@edu.uidaho.cs.ted Errors-To: info-hol-request@ted.cs.uidaho.edu Received: from cis.Stanford.EDU by ted.cs.uidaho.edu (15.11/1.34) id AA15338; Thu, 7 Nov 91 10:42:56 pst Received: by cis.Stanford.EDU (5.57/Ultrix2.4-C) id AA23035; Thu, 7 Nov 91 10:43:15 PST Date: Thu, 7 Nov 91 10:43:15 PST From: paul@edu.stanford.cis (Paul N. Loewenstein) Message-Id: <9111071843.AA23035@cis.Stanford.EDU> To: info-hol@edu.uidaho.cs.ted In-Reply-To: "Phil Windley"'s message of Thu, 07 Nov 91 08:07:34 -0800 <199111071607.AA10112@panther.cs.uidaho.edu> Subject: witnesses The implicit universal quantification of types does lead to some inelegant theorems, especially theorems stating counterexamples, where one would like to existentially quantify the type. In practice, one can (usually) merely prove the theorem for a specific existential witness. (The exception would be for non-constructive proofs by contradiction, but I can't think of any example). Since types are not printed by default, the theorem "looks" clean. The implicit universal quantification of types often precludes the generation of theorems which are negations of (failed) goals containing type variables, since it is not possible to propagate the ~ to the outside of the implicit universal quantifiers. These circumstances usually occur in the derivation of background theory, rather than in proofs of hardware correctness. Paul.