Nested Multisets, Hereditary Multisets, and Syntactic Ordinals in Isabelle/HOL

We present a collection of formalized results pertaining to (ﬁnite) nested multisets, developed using the Isabelle/HOL proof assistant. The nested multiset order is a generalization of the multiset order that can be used to prove termination of processes. Hereditary multisets, a variant of nested multisets, oﬀer a convenient representation of ordinals below (cid:15) 0 . In Isabelle, both nested and hereditary multisets can be comfortably deﬁned as inductive datatypes. Our formal library also provides, somewhat nonstandardly, multisets with negative multiplicities and ordinals with negative coeﬃcients. We present some applications of the library to formalizations of Goodstein’s theorem and the decidability of unary programming computable functions (PCF).


Introduction
In their seminal article on proving termination using multisets [12], Dershowitz and Manna introduced two orders of increasing strength.The multiset order lifts a base partial order on A to (finite) multisets over A. It forms the basis of the multiset path order, which has many applications in term rewriting and automatic theorem proving.The nested multiset order is a generalization of the multiset order that makes it possible to nest multisets in arbitrary ways.Nesting can increase the order's strength: If (A, <) has ordinal type α < 0 , the associated multiset order has ordinal type ω α , whereas the nested order has ordinal type 0 = ω ω ω . . . .In this paper, we present a formal proof of the main properties of the nested multiset order which are useful in applications, namely, preservation of well-foundedness and preservation of totality (linearity).The proof is developed in the Isabelle/HOL proof assistant [24].To our knowledge, this is the first development of its kind in any proof assistant.Our starting point is the following inductive datatype of nested multisets over a type a (Section 4): This Isabelle command introduces a unary postfix type constructor nmultiset equipped with two constructors, Elem : a → a nmultiset and MSet : ( a nmultiset) multiset → a nmultiset, where a is a type variable and multiset is the type constructor of (finite) multisets.It also introduces a recursor that can be used to define primitively recursive functions.In addition, the command provides an induction principle, which allows us to assume, in the MSet M case, that the desired property holds for all nested multisets belonging to M.
The definition of nmultiset exhibits recursion through a non-datatype: multiset.In recent versions of Isabelle/HOL, recursion is allowed under arbitrary type constructors that are bounded natural functors [5,31], a semantic criterion that is met by bounded sets, multisets, and other permutative functors.This very convenient feature is missing in other proof assistants, including Agda, Coq, Lean, and the members of the HOL family.
If we omit the Elem constructor, we obtain the hereditary multisets (Section 5): This type is similar to hereditarily finite sets, a model of set theory without the axiom of infinity, but with multisets instead of finite sets.It is easy to embed hmultiset in a nmultiset, and using Isabelle's Lifting and Transfer tools [17], we can lift definitions and results from the larger type to the smaller type, such as the definition of the nested multiset order.Hereditary multisets offer a convenient representation for ordinals below 0 (Section 6).These are the ordinals that can be expressed syntactically in Cantor normal form: The correspondence with hereditary multisets is straightforward:
When carrying out proofs, we sometimes find ourselves wishing that it would be possible to subtract an ordinal from another.To support this, we define a type of signed multisets, or hybrid multisets [1], and use it to define the signed ordinals (Section 7).
We employ our library to formalize two examples that require ordinals or the nested multiset order: Goodstein's theorem (Section 8) and the decidability of unary programming computable functions (Section 9).Together with colleagues, Blanchette also used the library to formalize a variant of the transfinite Knuth-Bendix order [2].We gave some thought to proof automation, generalizing existing simplification procedures and exploiting Isabelle's arithmetic type classes.Our work also demonstrates the usefulness of bounded natural functors.The Isabelle theory files are available as part of the Archive of Formal Proofs [3].

Isabelle/HOL
Isabelle is a generic proof assistant whose metalogic is an intuitionistic fragment of polymorphic higher-order logic (simple type theory).The types are built from type variables a, b, . . .and type constructors, written infix or postfix (e.g., →, multiset).All types are inhabited.Terms t, u are built from variables x, constants c, abstractions λx.t, and applications t u.
Constants may be higher-order, i.e., they may be of function type.A formula is a term of type prop.The metalogical operators are , = ⇒, and ≡, for universal quantification, implication, and equality.The notation x. t is syntactic sugar for (λx.t).Isabelle/HOL is the instantiation of Isabelle with classical higher-order logic (HOL) extended with type classes as its object logic, complete with a Boolean type bool, an equality predicate =, the usual connectives (¬, ∧, ∨, − →, ← →) and quantifiers (∀, ∃), and Hilbert choice.HOL formulas, of type bool, are embedded in the metalogic.The distinction between prop and bool is important operationally, but it is not essential to understand this paper.
Isabelle/HOL offers two primitive definitional mechanisms: The typedef command introduces a type that is isomorphic to a nonempty subset of an existing type, and the definition command introduces a constant as equal to an existing term.On top of these, Isabelle provides a rich specification language that includes inductive datatypes and predicates, recursive functions, and their coinductive counterparts, as well as quotient types.
Proofs are expressed either as a sequence of low-level proof methods, tactics, that manipulate the proof state directly or in a declarative format called Isar [33], which allows tactics only as terminal procedures.We generally prefer the more readable Isar style.The main proof methods are the simplifier, which rewrites terms using conditional oriented equations; the classical reasoner, which applies introduction and elimination rules; decision procedures for linear arithmetic; and metis, a complete first-order prover based on superposition.In addition, the Sledgehammer tool [26] integrates third-party automatic theorem provers.It can be applied to any proof goal.In case of success, it provides a short Isar proof, often using metis.

Multisets
Multisets over a are defined in Isabelle's standard library as isomorphic to the set of multiplicity functions f that are 0 at all but finitely many points x: Multiset values are constructed from the empty multiset ∅ and the add x A operation.For concrete multisets, we use standard set notation.The singleton multiset {x} is easy to define in terms of add and ∅.Multiset union , which adds the multiplicities of its arguments, is an instance of the polymorphic + : a → a → a operator.The relevant + type classes provide a wealth of lemmas and some proof automation.Other operations include −, ∪, ∩, ⊂, ⊆, <, and ≤.Given a type a equipped with a partial order <, the < operator on multisets corresponds to the Dershowitz-Manna extension [12].The extension operator is also available as Together with the type constructor multiset and the cardinal ℵ 0 , they form a bounded natural functor [5,31]: image is the functorial action, set is the natural transformation, and ℵ 0 is an upper bound on the cardinality of the sets returned by set.Induction and recursion through a multiset are expressed in terms of set and image, respectively.The cardinality bound is needed to construct the datatype as the least fixed point of an isomorphism equation.
Isabelle's theory of finite multisets is not as developed as other areas, such as lists and sets.Our first contribution has been to introduce some missing concepts and lemmas, which we added either directly to the Isabelle distribution or collected in a theory file in the Archive of Formal Proofs [3].These include a replicate n x operator, which constructs the multiset consisting of n copies of x, and the cartesian product ×.We also showed that the Huet-Oppen extension [16] of a partial order coincides with the Dershowitz-Manna extension as well as with the transitive closure of the one-step Dershowitz-Manna extension, allowing users to switch between the three characterizations.Remarkably, the characterizations do not coincide for arbitrary orders [7,Section 3]; each characterization has its advantages.[12] use the multiset order to prove the termination of a tail-recursive formulation of McCarthy's 91 function.Using Isabelle's definitional mechanism for recursive functions [20], the 91 function is specified as

Example 1 (McCarthy's 91 Function). Dershowitz and Manna
Before it can accept this definition, the command needs a well-founded relation R that includes g's call graph.(Otherwise, we could define a function f such that f n = f n + 1 and use this to derive 0 = 1, a contradiction.)The default automation [9,21] is not powerful enough to synthesize the relation, so we provide R ourselves.Following Dershowitz and Manna (but correcting < to ≤), we define R as {((n, z), (n , z )).(τ n z, τ n z ) ∈ mult {(a, b).b < a ∧ a ≤ 111}}, where τ is defined as follows, together with an auxiliary function f: The main proof obligation is to show that g's call graph is included in R-i.e., that the arguments (n, z) become smaller with each recursive call according to the measure τ n z and the multiset order.We followed the original proof, relying on existing lemmas about mult.
The verified SAT solver framework [4] developed mainly by Fleury as part of the IsaFoL (Isabelle Formalization of Logic) effort represents clauses as multisets of literals and problems as multisets of clauses.To improve automation, we developed simplifier plugins, or "simprocs," that cancel terms that appear on both sides of a subtraction, equality, or inequality, rewriting an expression such as A + {x, y} = add x A to y = ∅.Since multiset multiplicities are natural numbers, we could start with the cancellation simprocs for nat, due to Lawrence Paulson, and generalize them to arbitrary types and operations that enjoy certain properties, including nat, a multiset, and the hereditary and signed multiset types introduced in Sections 5 and 7.
The simprocs for nat depend on a 'k ×' operation.We first needed to define its multiset counterpart, repeat : nat → a multiset → a multiset, and to prove lemmas about it.The multiset instances of our simprocs collectively perform the following steps: 1. Normalize the goal by rewriting add a X to {a} + X and replicate n a to repeat n {a}.

Extract A and B from any occurrence of the pattern A ∼ B in the goal to normalize,
where ∼ is among −, =, <, ≤, ⊂, and ⊆.

Extract the summands in
to form two lists of multiplicity-term pairs.

4.
Find common terms on both sides, subtract the coefficients, and remove the element in the goal using an explicit lemma instantiation.

6.
Normalize {a} back to add a ∅ and simplify add (e.g., replacing M + add a ∅ + N with add a (M + N )).
In general, the normalization steps are parameterized by rewrite rules, which must be provided for each type instance.

Nested Multisets
The type of nested multisets defined in Section 1 is freely generated by the constructors Elem : a → a nmultiset and MSet : ( a nmultiset) multiset → a nmultiset.The characteristic theorems derived by the datatype command [5] include the induction rule The command also defines a recursor of type ( and derives its characteristic equations.Using the recursor, we can specify primitively recursive functions on nested multisets.A useful example is the depth of a nested multiset, depth : a nmultiset → nat, defined as 0:5 where snd is the second pair projection and Max returns the maximum of a nonempty finite set of linearly ordered elements.Even for a simple example like this, the recursor-based definition is cryptic.Isabelle's primrec command allows users to specify primitively recursive functions by their equations, such as depth Elem x = 0 and depth . Internally, primrec defines depth in terms of rec and derives the user's equations from rec's characteristic equations.
The next function we define is Dershowitz and Manna's nested multiset order [12]: There are several things to note here.First, we use function instead of primrec because we are nonprimitively recursing on two nested multisets simultaneously.Second, ext DM R A B is the Dershowitz-Manna multiset order extension of R applied to multisets A and Third, the function command expects a termination proof in the form of a well-founded relation.We provide the well-founded lexicographic product sub × lex sub of the immediate subterm relations sub : The termination proof crucially relies on the fact that ext DM applies the relation passed to its first argument only to nested multisets contained in its second and third arguments.This is easy to prove for arbitrary relations for ext DM , but would be significantly harder for mult.And since we have not established the transitivity of the function we are defining yet, we cannot use the equivalence of mult and ext DM on partial orders.This explains our decision to use ext DM in the definition.Fourth, after obtaining the termination proof, function generates an induction principle that matches the recursion schema used in the definition.
Next, we prove several closure properties of the nested multiset order.If < : a → a → bool is a (nonstrict) preorder, then < : a nmultiset → a nmultiset → bool yields a preorder.The same closure property holds for partial orders, total orders, and wellorders (i.e., well-founded total orders).Every closure property corresponds to a type class instantiation, and every type class instantiation gives us a wealth of lemmas and helpful reasoning infrastructure about the nested multiset order.
Only the proofs of transitivity and well-foundedness of the nested multiset order are challenging.For transitivity, we rely on ext DM being equivalent to mult on transitive relations.We prove transitivity inductively, and the induction hypothesis establishes that ext DM is only applied to a transitive relation.To prove well-foundedness, we start with an auxiliary lemma: < is well-founded on the set of nested multisets of a fixed depth i. Formally: The proof proceeds by induction on i and uses the equivalence of ext DM and mult (on transitive relations) as well as the proof of preservation of well-foundedness by mult.Finally, we obtain the well-foundedness of the entire relation by observing that depth M < depth N implies M < N and hence M < N can be rewritten to depth M < depth N ∨ depth M = depth N ∧ M < N .In other words, we lexicographically compare the depths and resort to the nested multiset order to break ties.The claim follows, since with the above lemma both components of the lexicographic comparison are well founded.

Hereditary Multisets
Many authors use nested multisets and the order on them in one way or another.However, most of them do not use the Elem constructor, or use it in an easily avoidable way.In this section, we consider nested multisets with no Elem constructor.In set theory, we could simply let a be the empty set to model this.Since this is not possible in HOL, we define Elem-freedom as an inductive predicate: In principle, we could now use typedef to carve out a new type consisting of nested multisets satisfying no_elem.However, the resulting type would be isomorphic to the datatype of hereditary multisets as introduced in Section 1, with its single injective constructor HMSet : hmultiset multiset → hmultiset.We prefer the datatype definition, since it offers convenient recursion and induction schemas.Nonetheless, the subtype view on hereditary multisets is also useful, as it allows us to lift the infrastructure from nested to hereditary multisets.Formally, we establish this view by providing an isomorphism, as two mutually inverse injections Abs : unit nmultiset → hmultiset and Rep : hmultiset → unit nmultiset defined by Abs (MSet M ) = HMSet (image Abs M ) and Rep (HMSet M ) = MSet (image Rep M ).The isomorphism follows by easy inductions (on hmultiset or on the definition of no_elem): The Lifting tool [17] exploits these properties to lift constants on nested multisets to hereditary multisets.Here is our definition of the hereditary multiset order: The lift_definition command produces the definition M < N ← → Rep M < Rep N, which hides the isomorphism.Moreover, the command also provides a setup for the companion Transfer tool [17], which reduces proof goals about the abstract type (hmultiset) to goals about the raw type (unit nmultiset).Nevertheless, the proof of the expected property HMSet M < HMSet N ← → ext DM (<) M N is not trivial, because we must ensure that the witnesses for the existential quantifiers in the definition of ext DM contain no Elem.With this property in place, it is easy to lift the instantiations of the various order type classes (up to and including wellorders) from nested to hereditary multisets.Finally, we prove that hmultiset is a cancellative commutative monoid by lifting the corresponding structure from the multiset type-i.e., by defining 0 = HMSet ∅, HMSet A + HMSet B = HMSet (A + B), and HMSet A − HMSet B = HMSet (A − B).This enables natural-number-like reasoning with multisets, including our generalized cancellation simprocs.

Syntactic Ordinals
Hereditary multisets are isomorphic to the ordinals below 0 , which we call the syntactic ordinals.Instead of defining a new type, we use hmultiset whenever we need such ordinals and provide the main ordinal operations on this type.Our notion of syntactic ordinal is similar to Dershowitz and Moser's "ordinal terms" [13], which they attribute to Takeuti [29, Section 2.11], but unlike them we do not need to treat the ordinal 0 specially.

0:7
The empty hereditary multiset 0 corresponds to the ordinal 0. Union + corresponds to Hessenberg addition, which is traditionally denoted by ⊕; we write + to exploit the Isabelle type classes for addition.The multiset order < conveniently coincides with its ordinal counterpart.Multiset subtraction also makes sense as a truncating subtraction on ordinals; for example, 1 − 3 = 0, ω − 3 = ω, and ω 2 + 3 − ω = ω 2 + 3. Notice that if α < β, then it is not necessarily the case that α − β = 0. To provide more complete support for ordinals, we define some additional constants and abbreviations on hmultiset, starting with the following basic concepts: ω α = HMSet {α}; 1 = ω 0 ; ω = ω 1 .Given 1 and +, Isabelle lets us enter arbitrary numerals and interprets them as The Hessenberg product is defined by taking the cartesian product of the operands' multisets and applying addition on the resulting pairs to obtain a multiset of ordinals, i.e., an ordinal: α • β = HMSet (image (+) (hmsetmset α × hmsetmset β)), where hmsetmset is HMSet's inverse.The expected properties are easy to prove: Multiplication is associative, commutative, and distributive over addition; 0 is absorbent; 1 is neutral; 0 = 1; etc.
It is interesting to compare our definition of the Hessenberg product with the literature.The following definition, by Ludwig and Waldmann [23], illustrates how suboptimal abstractions can lead to convoluted formulations: Subtraction is so ill behaved that multiplication does not distribute over it: For α = ω 2 +ω, β = 1, and γ = ω, we have α As a result, some Isabelle type classes for subtraction cannot be instantiated for the ordinals.
Given an ordinal n i=1 (ω αi • c i ) in Cantor normal form, its degree corresponds to the largest exponent, α 1 .Unfortunately, this definition does not gracefully handle the case where n = 0. We could extend the ordinal type with a special value (e.g., −∞), but this would require a distinct type and operations on that type.Instead, we introduce the concept of a head ω-factor.For 0, the head ω-factor is 0; for nonzero ordinals of degree α, it is ω α , which is always nonzero.The degree is the maximum element in the multiset that corresponds to the ordinal.Formally: head ω α = if α = 0 then 0 else ω Max (set (hmsetmset α)) .
The following decomposition lemma, which was brought to our attention by Uwe Waldmann, is useful when comparing ordinals.Given two ordinals α 1 , α 2 such that α 1 < α 2 , we can always express them as sums of the form α i = γ + β i , where the head ω-factor of β 1 is smaller than that of β 2 : lemma hmset_pair_decompose_less: Example 2 (Hydra Battle).The hydra battle [19] is a classic process whose termination cannot be proved by induction on the natural numbers.Following Dershowitz and Moser's reformulation [13], we use Lisp-style lists, or unlabeled binary trees, to represent hydras: datatype lisp = Nil | Cons lisp lisp.The functions car and cdr are defined to extract the first and second arguments of Cons, respectively; they return Nil when invoked on a Nil node.
A hydra consists of a list of heads.In a departure from standard Greek mythology, each head is recursively a list of heads.The battle also involve a hero, Hercules, who gets to chop off one of the hydra's "leaf" heads at each round.If the head has no grandparent node, the head is lost and there is no regrowth; otherwise, the branch issuing from the grandparent node is copied n times, where n starts at 1 and is increased by 1 in each round.We refer to the literature for more details (and some nice drawings of polycephalic monsters).
Formally, the battle is captured by the h function below, which depends on an auxiliary d: For d, termination is easy: The left subtree of x becomes smaller with each iteration, so we can take {((n , x ), (n, x)).|x | < |x|} as the relation, where |x| returns the number of nodes of a list x.For h, instead of |x|, we use encode x as the measure, where encode is defined primitively recursively by encode Nil = 0 and encode (Cons l r) = ω encode l + encode r.Thanks to well-foundedness of <, it suffices to show that the ordinal decreases in each recursive call to h-i.e., if x = Nil, then encode (d n x) < encode x.The proof is by structural induction on x.The Nil case is trivial.In the Cons l r case, if l = Nil, we have 0 < ω 0 + encode r.Otherwise, we distinguish two subcases.If car l = Nil, we must prove encode (f n (cdr l) r) < ω encode l + encode r, which amounts to n • ω encode (cdr l) + encode r < ω ω encode (car l) + encode (cdr l) + encode r.The right-hand side is greater because the exponent to ω has an additional nonzero term, ω encode (car l) , which dwarfs the n factor on the left.In the remaining case, we have car l = Nil.The proof obligation amounts to encode (d n l) < encode l, corresponding to the induction hypothesis for the left subtree.
The termination proof is about 30 lines long in Isabelle.As is often the case, the formalization revealed some inaccuracies in the informal argument.Although this is not mentioned by Dershowitz and Moser, the termination proof depends on car Nil = Nil.They also claim that Cons Nil Nil represents a "leaf of a hydra," but the car x = Nil test in d's definition can only mean that a simple Nil node is used for leaves.

Example 3 (Ludwig and Waldmann).
The following Isar proof outline closely follows the pen-and-paper proof of a property Ludwig and Waldmann needed to reason about their transfinite Knuth-Bendix order [23].The informal proof was communicated to us privately by Waldmann.A more restrictive formulation is claimed as Lemma 10 in their paper.The steps are justified by short proofs, omitted below, most of which were generated by Sledgehammer.Using Isabelle's built-in automation and the cancellation simprocs, it would be possible to eliminate some of the intermediate steps.

Signed Variants of Multisets and Hereditary Multisets
Syntactic ordinals do not enjoy the property that Ludwig and Waldmann refer to as "continuity" [23]: Given syntactic ordinals α, β such α < β, there does not necessarily exist an ordinal γ such that α + γ = β.Yet, syntactic ordinals correspond formally to polynomials over the indeterminate ω.Why not allow negative coefficients (e.g., ω 2 − 2ω + 1) and take γ = β − α?The practical motivation arose in the context of the formalization of a transfinite Knuth-Bendix order [2].Although it is a simple idea, we could not find it in the literature.We start by defining the signed multisets, also called the hybrid multisets [1].In principle, we could define them in a similar way as the plain multisets (Section 3), by substituting int for nat in the typedef command.However, we prefer to perform a quotient construction, so as to be able to lift operations and lemmas about plain multisets: where R = λ(P 1 , N 1 ) (P 2 , N 2 ).P 1 + N 2 = P 2 + N 1 .The quotient_type command [18] introduces a type that is isomorphic to the set of R-equivalence classes.In the same way as a pair (m, n) of natural numbers can represent the integer m − n, we use a pair (P, N ) of plain multisets to capture the signed multiset P − N, whose multiplicities can be negative.For example, both (∅, {7}) and ({3}, {3, 7}) correspond to the signed multiset that contains 7 with multiplicity −1 and no other element.Notice that R (∅, {7}) ({3}, {3, 7}), since ∅ + {3, 7} = {7} + {3}.The pos and neg functions, of type a zmultiset → a multiset, return normalized P and N components, with P ∩ N = ∅.
The main signed multiset operations are defined by specifying them on the raw level of multiset pairs and lifting them to the abstract level of equivalence classes.The Lifting tool emits a proof obligation stating that equivalence classes are respected.For example, for unary functions f on multisets, this means that when f is invoked on R-equivalent arguments x and y, the results f x and f y are R-equivalent.A few definitions are given below: Many lemmas about such definitions can be lifted from the raw types using the Transfer tool, which exploits parametricity to transfer results across types.Most HOL functions arising in practice are parametric.The type zhmultiset of signed hereditary multisets is defined using the typedef command as isomorphic to hmultiset zmultiset.Notice that the multisets contained in such a signed multiset are not signed.We leave the study of "hereditarily signed multisets," and of ordinals in which the exponents of ω can recursively contain negative coefficients, to other researchers.
The ι function embeds hmultiset into zhmultiset.Operations such as +, −, and < are lifted from the underlying multisets.Ordinal multiplication is by far the most problematic operation.It can be defined in terms of the cartesian product on signed multisets: It is difficult to prove the associativity of this multiplication operator.Using the Transfer tool, we can quickly reduce the proof obligation to the following property on unsigned ordinals: After staring at this goal for a few hours, we discovered the lemma α truncating subtraction, which must be applied four times.We instantiated our generalized cancellation simprocs for zmultiset and zhmultiset.As preprocessing steps, we normalize unary minuses, rewriting −A + B + A to (B + A) − A; the subtraction simproc then cancels the two A's, yielding B.
Example 4 (Ludwig and Waldmann, Continued).By exploiting signed ordinals, we obtain a much simpler proof of Ludwig and Waldmann's property from Example 3: {by algebraic manipulations} also have The next-to-last step eliminates the subtraction ι δ − ι γ, paving the way for the final step, which removes the ι casts.Waldmann privately confirmed that he was aware of this shortcut but did not dare take it without a solid theoretical foundation for signed ordinals.

Application to Goodstein's Theorem
Goodstein's theorem [14] states that every Goodstein sequence eventually terminates at 0. Before we can define these sequences, we must first introduce an auxiliary notion.A natural number is in hereditary base n if it is expressed as a product where 0 ≤ c i < n for each i, c 1 = 0, and the exponents k, k − 1, . . ., 1 are recursively expressed in hereditary base n.For example, 500 is written as 2 • 3 2•3+2 + 3 2 + 3 + 2 in hereditary base 3.The Goodstein sequence G s of natural numbers is defined as follows.The starting value is given by s: G s (0) = s.The remaining values G s (i + 1) are obtained by expressing G s (i) in base i + 2, replacing all occurrences of i + 2 by i + 3, and subtracting 1.For example, we have Somewhat counterintuitively, the sequence eventually converges to 0: G 4 (3•2 402 653 211 −1) = 0.
Our formal proof relies on two functions encode and decode that convert between natural numbers and hereditary base n.The adjective 'hereditary' suggests that hereditary multisets, or syntactic ordinals, are a suitable data structure.Following this idea, 2 The argument e gives the exponent of the current base, starting from 0. The recursion scheme for encode is somewhat unusual.Termination is established using the measure λ(e, n).n • (base e + 1).The Goodstein sequence is defined as follows, where start is fixed: If goodstein i > 0, then the ordinal associated with goodstein (i + 1) is smaller than the one for goodstein i.Let E i = encode i+2 0 (goodstein i).The proof sketch is as follows: {by less_imp_encode_less, decode i+3 0 The main lemmas that are directly or indirectly needed are listed below: The first and second properties are the most difficult ones.The first one is proved by well-founded induction, following the recursion of encode.This induction principle is derived automatically by the function command and is available as encode.induct.The second property is proved by strong induction on α.The assumptions ensure that the coefficients stored in α are smaller than the base (well_base) and that the last e digits are all 0s (aligned).
The entire formalization is about 580 lines long.The main difficulty was to come up with the right lemmas and inductions, especially given that we did not consult the literature.Reasoning about ordinals was fairly comfortable.Nevertheless, we are very impressed by Zankl, Winkler, and Middeldorp's automatic proof of the termination of a term rewriting system that computes Goodstein's sequence [34].Possibly the key to their success is that they avoid converting back and forth between the natural numbers and hereditary base notation.

9
Application to Decidability of Unary PCF Plotkin's programming computable functions (PCF) language [27] is a simply typed λcalculus that has natural numbers N as a base type and permits recursion on them.Types are interpreted as Scott domains, i.e., N = N ∪ {⊥}.For unary PCF-a fragment of PCF which has only the base type o with the single value (in addition to the domain's ⊥)-behavioral equivalence is decidable [22,28].Schmidt-Schauß's elegant proof [28] is based on an inductive enumeration of representative terms.The termination of the enumeration is ensured by abstracting types into hereditary multisets.In our ongoing formalization effort of this decidability result (which poses many challenges unrelated to multisets), we proved Schmidt-Schauß's key Lemma 11 about hereditary multisets.Types of unary PCF are defined as datatype type = o | type ⇒ type, where ⇒ is a right-associative infix datatype constructor.For a type T = U 0 ⇒ • • • ⇒ U n−1 ⇒ o, we write ar T for its arity n and T i for the type of its (i + 1)st argument U i .We measure a type using a primitively recursive function δ : type → hmultiset defined by δ o = 0 and δ (T ⇒ U ) = ω δ T + δ U .For a type T , Schmidt-Schauß constructs a set of representative closed terms of behavioral equivalence classes.The construction is recursive and relies on a decrease in the involved types' measures for termination.More precisely, given T , the construction recursively computes sets of representative terms for types π j i T for all i < ar T and j ≤ ar T i , where the operator π is defined recursively as follows: Ti)j j T i ⇒ π 0 i T else o Finally, we prove that π indeed decreases the measure of types using the induction principle that follows the structure of π's definition and is provided by Isabelle's fun command [20].The key step to help automation is to define X, Y, and Z (all of type hmultiset multiset) such that after unfolding the Dershowitz-Manna definition of the multiset order, the inequality is easily fulfilled (given the induction hypotheses).
Our formal proof is very close to Schmidt-Schauß's informal argument.It is rare to be able to formalize a technical proof so closely.This can be due to the care taken by the informal proof writer, due to good formal library support, or due to a combination of both.

Related Work
The nonnested multiset order has been formalized in several proof assistants, including Coq [8,11], HOL4, and Isabelle/HOL [30].Norrish and Huffman [25] present two formalizations of ordinals, in HOL4 and Isabelle/ HOL.The HOL4 formalization models ordinals as quotients of wellorders with respect to wellorder isomorphism.The Isabelle/HOL development also relies on a quotient construction, but from a more syntactic notion of raw ordinals, defined as datatype preordinal = Zero | StrictLim (nat → preordinal).Independently, Blanchette, Popescu, and Traytel [6] formalized ordinals and cardinals in Isabelle/HOL, representing ordinals by well-ordered relations dispersed over arbitrary types.Thereby they avoided fixing an a priori bound on the ordinals that can be constructed.All these formalizations go beyond 0 but are ultimately limited by the expressiveness of HOL, which is strictly weaker than set theory.Another difference with our current work is that they use the standard addition and product and not Hessenberg's.
In Coq, Castéran and Contejean [10] formalized ordinal notations up to Γ 0 .As case studies, they considered the hydra battle and Goodstein's theorem.Grimm [15] ported and extended this work, covering three alternative notions of ordinals.Vermaat [32] formalized tree ordinals, a syntactic representation similar to Norrish and Huffman's.

Conclusion
We presented a formalization in Isabelle/HOL of nested multisets, hereditary multisets, and ordinals below 0 .Their datatype definitions emphasize the close connections between the three notions.The signed generalizations of these types, with potentially negative multiplicities, offer a subtraction operator that enjoys nice algebraic properties.The signed syntactic ordinals do not appear to have been studied before.We found the Lifting and Transfer tools invaluable for carrying definitions across the different related multiset types.We relied heavily on Sledgehammer; it sometimes generated complex Isar proofs, which we occasionally inserted in our development.The cancellation simprocs also played a role, after we had adapted them so that they work on multisets.Well-founded recursion using function was vital, as it often is.But perhaps the most noteworthy aspect of our work is that all the necessary types could be introduced easily, either as inductive datatypes, as subsets of existing types, or as quotients.The support for recursion through bounded natural functors, a distinguishing feature of Isabelle, was crucial to define nested and hereditary multisets.
a function mult : ( a × a) set → ( a multiset × a multiset) set.It is defined as the transitive closure of the one-step Dershowitz-Manna extension ∃b C. a ∈ B ∧ A = (B − {b}) + C ∧ (∀k ∈ C. (k, a) ∈ R).The operation image : ( a → b) → a multiset → b multiset applies a function elementwise to a multiset, and set : a multiset → a set returns the set of elements in the multiset.