Proof Explorer - Home Page - Metamath

The aleph null above is the symbol for the first infinite cardinal number, discovered by Georg Cantor in 1873 (see theorem aleph0). This is the starting page for the Metamath Proof Explorer subproject (set.mm database). See the main Metamath Home Page for an overview of Metamath and download links.

Contents of this page Metamath Proof Explorer Overview How Metamath Proofs Work The Axioms (Propositional Calculus, Predicate Calculus, Set Theory, The Tarski-Grothendieck Axiom) The Theory of Classes New 13-Dec-2015 A Theorem Sampler 2 + 2 = 4 Trivia Appendix 1: A Note on the Axioms Appendix 2: Traditional Textbook Axioms of Predicate Calculus Appendix 3: Distinct Variables Appendix 4: A Note on Definitions Appendix 5: How to Find Out What Axioms a Proof Depends On Appendix 6: Notation for Function and Operation Values Appendix 7: Some Predicate Calculus Subsystems Reading Suggestions Bibliography Browsers and Fonts

Related pages Theorem List (Table of Contents) Most Recent Proofs (this mirror) (latest) Bibliographic Cross-Reference Definition List (3MB) The Deduction Theorem Real and Complex Numbers ZFC Axioms With No Distinct Variables ASCII Symbol Equivalents for Text-Only Browsers Ghilbert (Metamath's next generation?) [external] A home page for THE AXIOM OF CHOICE [external] has some interesting set theory information. To search this site you can use Google [external] restricted to a mirror site. For example, to find references to infinity enter "infinity site:us.metamath.org". More efficient searching is possible with direct use of the Metamath program, once you get used to its ASCII tokens. See the wildcard features in "help search" and "help show statement".

Metamath Proof Explorer Overview   

From this proposition it will follow, when arithmetical addition has been defined, that 1+1=2.
—Principia Mathematica, Volume I, page 360.

David A. Wheeler has prepared an excellent 14-minute YouTube video, Metamath Proof Explorer: A Modern Principia Mathematica, on the history of formalization and the motivation for Metamath, the proof of 2+2=4, and more.

Inspired by Whitehead and Russell's monumental Principia Mathematica, the Metamath Proof Explorer has over 18,000 completely worked out proofs, starting from the very foundation that mathematics is built on and eventually arriving at familiar mathematical facts and beyond. Each proof is pieced together with razor-sharp precision using a simple substitution rule that practically anyone (with lots of patience) can follow, not just mathematicians. Every step can be drilled down deeper and deeper into the labyrinth until axioms of logic and set theory—the starting point for all of mathematics—will ultimately be found at the bottom. You could spend literally days exploring the astonishing tangle of logic leading, say, from the seemingly mundane theorem 2+2=4 back to these axioms.

Essentially everything that is possible to know in mathematics can be derived from a handful of axioms known as Zermelo-Fraenkel set theory, which is the culmination of many years of effort to isolate the essential nature of mathematics and is one of the most profound achievements of mankind.

The Metamath Proof Explorer starts with these axioms to build up its proofs. There may be symbols that are unfamiliar to you, but we show in detail how they are manipulated in the proofs, and in principle you don't have to know what they mean. In fact, there is a philosophy called formalism which says that mathematics is a game of symbols with no intrinsic meaning. With that in mind, Metamath lets you watch the game being played and the pieces manipulated according to simple and precise rules, one step at a time.

As humans, we observe interesting patterns in these "meaningless" symbol strings as they evolve from the axioms, and we attach meaning to them. One result is the set of natural numbers, whose properties match those we observe when we count everyday objects, and their extensions to rational and real numbers. Of course, numbers were discovered centuries before set theory, and historically they were "reversed engineered" back to the axioms of set theory. The proof of 2 + 2 = 4 shows what was involved in that reverse engineering, representing the work of many mathematicians from Dedekind to von Neumann. At the other extreme of abstraction is the theory of infinite sets or transfinite cardinal numbers. Some of the world's most brilliant mathematicians have given us deep insight into this mysterious and wondrous universe, which is sometimes called "Cantor's paradise."

Metamath's formal proofs are much more detailed than the proofs you see in textbooks. They are broken down into the most explicit detail possible so that you can see exactly what is going on. Each proof step represents a microscopic increment towards the final goal. But each step is derived from previous ones with a very simple rule, and you can verify for yourself the correctness of any proof with very little skill. All you need is patience. With no prior knowledge of advanced mathematics or even any mathematics at all, you can jump into the middle of any proof, from the most elementary to the most advanced, and understand immediately how the symbols were mechanically manipulated to go from one proof step to another, even if you don't know what the symbols themselves mean. In the next section we show you how.

How Metamath Proofs Work   

A mathematical theory is not to be considered complete until you have made it so clear that you can explain it to the first man whom you meet on the street.
—David Hilbert

The Floating Head of Wisdom says:     Read this section carefully to learn how to follow a Metamath proof.

What you need to know    The only rule you need to know in order to follow the symbol manipulations in a Metamath proof is substitution. Substitution consists of replacing the symbols for variables with expressions representing special cases of those variables. For example, in high-school algebra you learned that a + b = b + a, where a and b are variables (placeholders for numbers). Two substitution instances of this law are 5 + 3 = 3 + 5 and (x - 7) + c = c + (x - 7). That's the only mathematical concept you need! Substitution is just writing down a specific example of a more general formula.

[Note for logicians: The substitution in Metamath proofs is, indeed, simply the direct replacement of a variable with an expression. The more complex proper substitution of traditional logic is a derived concept in Metamath, broken down into multiple primitive steps. Distinct variable provisos, which accompany certain axioms and are inherited by theorems, forbid unsound substitutions.]

How it works    To show you how this works in Metamath, we will break down and analyze a proof step in the proof of 2 + 2 = 4. Once you grasp this example, you will immediately be able to verify for yourself any proof in the database—no further prerequisites are needed. You may not understand what all (or any) of the symbols mean, but you can follow the rules for how they are manipulated, like game pieces, to prove theorems.

An animated version of the 2+2=4 proof step in this section is presented starting at 7m32s into David A. Wheeler's Metamath Proof Explorer: A Modern Principia Mathematica.

Compare this with the years of study it might take to be able to follow and verify a proof in an advanced math textbook. Typically such proofs will omit many details, implicitly assuming you have a deep knowledge of prior material. If you want to be a mathematician, you will still need those years of study to achieve a high-level understanding. Metamath will not provide you with that. But if you just want the ability to convince yourself that a string of math symbols that mathematicians call a "theorem" is a mechanical consequence of the axioms, Metamath's proof method lets you accomplish that.

Metamath's conceptual simplicity has a tradeoff, which is the often large number of steps needed for a complete proof all the way back to the axioms. But the proofs have been computer-verified, and you can choose to study only the steps that interest you and still have complete confidence that the rest are correct.

Figure 1. Step 2 of the 2p2e4 proof references step 1, which in turn "feeds" the hypothesis of earlier theorem oveq2i (which used to be called opreq2i). The conclusion (assertion) of oveq2i then generates step 2 of 2p2e4. Carefully note the substitutions (lassoed in thin orange lines) that take place.

21-Mar-2007 See also Paul Chapman's Metamath browser screenshot, which shows the substitutions explicitly.

In the figure above we show part of the proof of the theorem 2 + 2 = 4, called 2p2e4 in the database. We will show how we arrived at proof step 2, which is an intermediate result stating that (2 + 2) = (2 + (1 + 1)). (This figure is from an older version of this site that didn't show indentation levels, and it is less cluttered for the purpose of this tutorial. The indentation levels and the little colored numbers can make a higher-level view of the proof easier to grasp.)

(1)   Look at Step 2 of the proof. In the Ref column, we see that it references a previously proved theorem, oveq2i. The theorem oveq2i requires a hypothesis, and in the Hyp column of Step 2 we indicate that Step 1 will satisfy (match) this hypothesis.

(2)   We make substitutions into the variables of the hypothesis of oveq2i so that it matches the string of symbols in the Expression column for Step 1. To achieve this, we substitute the expression "2" for variable A and the expression "(1 + 1)" for variable B. The middle symbol in the hypothesis of oveq2i is "=", which is a constant, and we are not allowed to substitute anything for a constant. Constants must match exactly.

Variables are always colored, and constants are always black (except the gray turnstile |-, which you may ignore). This makes them easy to recognize. The variables in our database have 3 possible colors, blue, red, and purple, representing wffs, sets, and classes respectively. Don't worry about what these terms mean right now. All variables, regardless of color, follow the same substitution rule. In our example, the purple letters are variables, whereas the symbols "(", ")", "1", "2", "=", and "+" are constants.

In this example, the constants are probably familiar symbols. In other cases they may not be. You should focus only on whether the symbols are variables or constants, not on what they "mean." Your only goal is to determine what substitutions into the variables of the referenced theorem are needed to make the symbol strings match.

(3)   In the Expression column of the Assertion box of oveq2i, there are 4 variables, A, B, C, and F. Because we have already made substitutions into the hypothesis, variables A and B have been committed to the assignments "2" and "(1 + 1)" respectively, and we can't change these assignments. However, the new variables C and F are free to be assigned with any expression we want (subject to the legal syntax requirement described below). By substituting "2" for C and "+" for F, we end up with (2 + 2) = (2 + (1 + 1)) that we show in the Expression column for Step 2 of the proof of 2p2e4.

[It may seem peculiar to substitute a + sign for a variable, because you wouldn't do that in high-school algebra. We can do this because the variables represent arbitrary objects called "classes," not just numbers. See the description for operation value df-ov (don't worry about right-hand side of the definition, for now). A number and a + sign are both classes. You have to free your mind to forget about high-school algebra—pretend you have no idea what a number or "+" is—and just look at what happens to the symbols, independent of any meaning. In fact (and ironically), it may be better to look at a proof where all the symbols are unfamiliar, perhaps aleph1re, so that you can observe the mechanical symbol substitutions without the distraction of preconceived notions.]

When we first created the proof, why did we choose these particular substitutions for C and F? The reason is simple—they make the proof work! But how did we know these particular substitutions should be picked, and not others? That's the hard part—we didn't know, nor did we know that oveq2i should be referenced in the second proof step, nor did we know that Step 1 would have the right expression to match the hypothesis of oveq2i. The choices were made using intelligent guesses, that were then verified to work. This is a skill a mathematician develops with experience. Some of the proofs in our database were discovered by famous mathematicians. The Metamath Proof Explorer recaptures their efforts and shows you in complete detail the proof steps and substitutions already worked out. This allows you to follow a proof even if you are not a mathematician, and be convinced that its conclusion is a consequence of the axioms.

Sometimes a referenced theorem (or axiom or definition) has no hypotheses. In that case we omit (1) and (2) above and immediately proceed to (3). When there are multiple hypotheses, we repeat (1) and (2) for each one.

The Floating Head of Wisdom says:     Done! You should now be able to figure out any Metamath proof. In other words, you should be able to draw a diagram like the one above for any proof step of any proof.

You may want to practice the above procedure for a few other proof steps to make sure you have grasped the idea.

The rest of this section has some notes on substitutions that you may find helpful and describes the additional requirements for correctness not mentioned above. As you will observe if you study a few proofs, the Metamath proof verifier has already ensured these requirements are met, so ordinarily you don't have to worry about them.

Notes on substitutions   

Substitutions are simultaneous. In other words each occurrence of a given variable in a referenced theorem must be replaced with the same expression. For example, there are two occurrences of F in the Assertion of oveq2i, and both occurrences must be replaced with the same expression, which is "+" in the above example.

Substitutions are made into the variables of the referenced theorem only, never into the variables of any proof step referenced in the Hyp column (of the theorem being proved). In other words you should pretend that all variables in the theorem being proved are constants for the purpose of figuring out the substitutions. You can see this by looking at examples such as theorem id1. To follow the proof of id1, you should treat the symbol ph as if it were a constant symbol, when you are figuring out the substitutions to make into the variables of the referenced theorems (or axioms).

If the variables of a referenced theorem (or axiom) happen to have the same names as those in the theorem being proved, you may want to temporarily rename the variables in the referenced theorem (or axiom) before substituting expressions for them, to avoid confusion. For example, the proof of id1 will be less confusing if the occurrences of ph in the referenced axioms are renamed to something else. Specifically, you can rewrite ax-1 as say (ch -> (ps -> ch)). Then, to obtain step 2 of the proof of id1, substitute "ph" for ch and "(ph -> ph)" for ps.

Legal syntax    There is a further requirement for substitutions we have not described yet. You can't substitute just any old string of symbols for a purple class variable. Instead, the symbol string must qualify as a class expression. For example, it would be illegal to substitute the nonsensical "(1 +" for variable B above. However, "(1 + 1)" is legal. Here is how you can tell. "1" is a legal class by c1. "+" is a legal class by caddc. Then, by making these class substitutions into the class variables of co, we see that "(1 + 1)" is a legal class. But there is no such construction that would let us show that the nonsensical "(1 +" is a legal class.

Similarly, blue wff variables and red set variables can be substituted only with expressions that qualify as those types.

In other words, we must "prove" that any expression we want to substitute for a variable qualifies as a legal expression for that type of variable, before we are allowed to make the substitution.

The actual proofs stored in the database have additional steps that construct, from syntax definitions, the expressions that are substituted for variables. We suppress these construction steps on the web pages because they would make the proofs very long and tedious. However, the syntax breakdown is straightforward to check by hand if you make use of the "Syntax hints" provided with each proof. Once you get used to the syntax, you should be able to "see" its breakdown in your head; in the meantime you can trust that the Metamath proof verifier did its job.

If you want to see for yourself the hidden steps that construct the variable substitutions for each proof step, you can display them using the Metamath program. For the proof above, use the commands "save proof 2p2e4 /normal" followed by "show proof 2p2e4 /all" in the Metamath program. (Follow the instructions for downloading and running the Metamath program. Try it, it's easy!) In the "/all" proof display, you will see that step 21 corresponds to step 2 of the figure above. Steps 14-17 are the hidden steps showing that "(1 + 1)" is a legal class as we described above. To see the substitutions we talked about for step 2, you can type "show proof 2p2e4 /detailed_step 21".

In the case of axioms and definitions, we do show their detailed syntax breakdown, because there is free space on those web pages not used for anything else. These can help you become familiar with the syntax. For example, look at the definition of the number 2, df-2. You can see, at step 4, the demonstration that "(1 + 1)" is a legal expression that qualifies as a class, i.e. that can be substituted for a purple class variable.

Distinct variable restrictions    Our final requirement for substitutions is described in Appendix 3: Distinct Variables below. These restrictions have no effect on how you figure out the the substitutions that were made in a proof step. All they do is prohibit certain substitutions that would otherwise be legal based what we have described so far. Eventually you should learn how they work in order to complete your understanding of the mechanics of logic, but for now, you can trust that the Metamath proof verifier has ensured that they have been met.

Class variables    Our example of 2+2=4, with its purple class variables, depends on a definitional mechanism that extends the wff and set variables used in the axioms to greatly simplify our presentation. After the axiom section below, we describe the theory of classes, which you should read to understand how these tie into the primitive concepts used by the axioms.

The Axioms    

Perfection is when there is no longer anything more to take away.
—Antoine de Saint-Exupery

[The material in this section is intended to be self-contained. However, you may also find it helpful to review these suggestions. A more extensive but still informal overview is given in Chapter 3, "Abstract Mathematics Revealed," of the Metamath book (1.3 MB PDF file; click on the fourth bookmark in your PDF reader).]

An axiom is a fundamental assumption that provides a starting point for reasoning. The axioms for (essentially) all of mathematics can be conveniently divided into three groups: propositional calculus, predicate calculus, and set theory. Each axiom is a string of mathematical symbols of two kinds: constants, also called connectives, which we show in black; and variables, which we show using colors. The constants that occur in the axioms are (, ), ->, -., =, e., and A. (left parenthesis, right parenthesis, implies, not, equals, is contained in, for all).

Variables are placeholders that can be substituted with other expressions (strings of symbols). There are two kinds of variables in the axioms, set variables (red) and wff ("well-formed formula") variables (blue). A set variable can be substituted only with a set variable (in other words with an expression of length one, whose only symbol is a set variable), whereas a wff variable can be substituted with any expression qualifying as a wff (see below).

[In later proofs you will see a third kind of variable, called a class variable, which is shown in purple and is a kind of generalization of the set variable. The theory of classes will be discussed in the next section.]

Following the tradition in the literature, we use italic Greek letters for wff variables and lower-case italic letters for set variables.

[If you are colorblind or use a monochrome display or printout, the red variables are lowercase italic letters, the purple ones uppercase italic, and the blue ones italic Greek. Sometimes we use mathematical symbols (such as +) as class variables, and in that case they are distinguished by both the purple color and a dotted underline. In all cases, the colors are not necessary to disambiguate the symbols. You can see the list of all symbols including variables on the ASCII Symbol Equivalents page.]

Any mathematical object whatsoever, such as the number 2, the operation of taking a square root, or the surface of a sphere, is considered to be a set in set theory. The red set variables are placeholders that represent arbitrary sets.

A set can be equal to another set, can be contained in another set, and can contain other sets. For example, the set of real numbers contains, of course, all of the real numbers. A specific real number such as 2 is also a set, but not in such a familiar way—it contains a very complex construction of sets, a kind of machine inside of it that causes it to behave according to the laws for real numbers. The square root operation is a set containing an infinite number of ordered pairs, one for each nonnegative real number; the first member of each pair is the number and the second member its square root.

A wff is an expression (string of symbols) constructed as follows. A starting wff either is a wff variable, or it consists of two set variables connected with either = ("equals," "is identical to") or e. ("is an element of," "is contained in"). Two wffs may be connected with -> ("implies," "only if") to form a new wff, with parentheses around the result to prevent ambiguity. A wff may be prefixed with -. ("not") to form a new wff. And finally, a wff may be prefixed with A. ("for all," "for each," "for every") and a set variable to form a new wff.  To summarize: If ph is a wff variable and x and y are set variables, then ph, x = y, and x e. y are (starting) wffs. If ph and ps are wffs and x is a set variable, then (ph -> ps), -. ph, and A.xph are also wffs.

Note that a wff variable can be viewed as a wff in its own right as well as a placeholder for which other wffs can be substituted.

The axioms below are examples of wffs. Each page describing an axiom, for example ax-11, presents the axiom's construction in a syntax breakdown chart, showing that it follows these rules and is therefore a wff. You may want to look at a few of these to make sure you understand how wffs are constructed and how to deconstruct, or parse, them into their components.

Wffs are either true or false, depending on what is assigned to the variables they contain. For example, the wff x = y is true if x and y stand for the same set and false otherwise—there is no in-between.

An axiom (example: ax-1) is a wff that we postulate to be true no matter what (within the constraints of the syntax rules) we substitute for its variables. An inference rule (example: ax-mp) consists of one or more wffs called hypotheses, together with a wff called the conclusion (which on our web pages with proofs we also call its assertion) that we postulate to be true provided the hypotheses are true. A proof is a sequence of substitution instances of axioms and inference rules, where the hypotheses of the inference rules match previous steps in the sequence. The last step in a proof is a theorem (example: id1). For brevity, a proof may also refer to earlier theorems (example: id), but in principle it can be expanded into references to only the initial axioms and rules.

We also use the word "theorem" informally to denote the result of a proof that also allows references to local hypotheses and thus has the form of an inference rule (example: a1i); however, strictly speaking, such a theorem should be called a derived inference rule or deduction. In a derived inference rule, a proof is a sequence steps each of which is a substitution instance of an axiom, a hypothesis, or a substitution instance of an inference rule applied to previous steps. (Note that a proof with nothing but references to hypotheses still qualifies as a proof, even though neither axioms nor inference rules are involved. For example, the unusual derived inference rule dummylink is proved before we even introduce the first axiom!)

Propositional calculus deals with general truths about wffs regardless of how they are constructed. The simplest propositional truth is "(ph -> ph)", which can be read "if something is true, then it is true"—rather trivial and obvious, but nonetheless it must be proved from the axioms (see theorem id). In an application of this truth, we could replace ph with a more specific wff to give us, for example, "(x = y -> x = y)". (You might think that id would be a useless bit of trivia, but in fact it is frequently used. For example, look at its use in the proof of the law of assertion pm2.27.)

Our system of propositional calculus consists of three axioms and the modus-ponens inference rule. It is attributed to Jan Łukasiewicz (pronounced woo-kah-SHAY-vitch) and was popularized by Alonzo Church, who called it system P₂. (Thanks to Ted Ulrich for this information.)

Axioms of propositional calculus

Axiom Simp	ax-1	|- (ph -> (ps -> ph))
Axiom Frege	ax-2	|- ((ph -> (ps -> ch)) -> ((ph -> ps) -> (ph -> ch)))
Axiom Transp	ax-3	|- ((-. ph -> -. ps) -> (ps -> ph))
Rule of Modus Ponens	ax-mp	|- ph   &   |- (ph -> ps)   =>    |- ps

The turnstile |- is a symbol (introduced by Frege in 1879) used in formal logic to indicate that the wff that follows is provable (and is traditionally used even for an axiom, which is "provable" in one step, itself); it can be ignored for informal reading. (Technically, the Metamath program needs an initial token to disambiguate the kind of expression that follows. I figured, why not make it the turnstile that logic books use? In the Quantum Logic Explorer, on the other hand, I mapped it to a blank image because my physics colleague didn't like it.) The symbols & and => are used informally in the table above to indicate the relationship between hypotheses and conclusion; they are not part of the formal language.

Predicate calculus introduces three new symbols, = ("equals"), e. ("is a member of"), and A. ("for all"). The first two are called "predicates." A predicate specifies a true or false relationship between its two arguments. As an example, x = x always evaluates to true regardless of what x is, as the theorem equid demonstrates. The "for all" symbol, also called the "universal quantifier," ranges over or "scans" all possible values of its first (set variable) argument, applying them to the second (wff) argument, and returns true if and only if the second argument is true for every value of the first. The wff A.xph is read "for all x, it is the case that phi is true." The axioms of predicate calculus express the logical properties of these new symbols that are universally true, independent from any theory (like set theory) making use of them. (What we call "set variables" are more generally called "individual variables" in predicate calculus without set theory.)

Our axiom system is closely related to a system of Tarski (see the note on the axioms below). Our system is exactly equivalent to the traditional axiom system in most logic textbooks but has the advantage of being easy to manipulate with a computer program. Each of our axioms corresponds to an axiom scheme of the traditional system.

Axioms of predicate calculus with equality

Axiom of Quantified Implication	ax-5	|- (A.x(ph -> ps) -> (A.xph -> A.xps))
Axiom of Quantified Negation	ax-6	|- (-. A.xph -> A.x -. A.xph)
Axiom of Quantifier Commutation	ax-7	|- (A.xA.yph -> A.yA.xph)
Rule of Generalization	ax-gen	|- ph    =>    |- A.xph
Axiom of Equality (1)	ax-8	|- (x = y -> (x = z -> y = z))
Axiom of Existence	ax-9	|- -. A.x -. x = y
Axiom of Variable Substitution	ax-11	|- (x = y -> (A.yph -> A.x(x = y -> ph)))
Axiom of Quantifier Introduction (1)	ax-12	|- (-. x = y -> (y = z -> A.x y = z))
Axiom of Equality (2)	ax-13	|- (x = y -> (x e. z -> y e. z))
Axiom of Equality (3)	ax-14	|- (x = y -> (z e. x -> z e. y))
Axiom of Quantifier Introduction (2)	ax-17	|- (ph -> A.xph), where x does not occur in ph

The last axiom, ax-17, has a restriction on what substitutions we are allowed to make into its variables. This restriction is inherited by theorems that use this axiom, according to the substitutions made in their proofs, and you will often see distinct variable conditions associated with such theorems.

Ten other axioms, ax-4, ax-5o, ax-6o, ax-9o, ax-10, ax-10o, ax-11o, ax-12o, ax-15, and ax-16, are not included in the table above because they can be derived from the ones in the table. From the set consisting of these 10 axioms plus the 10 axioms in the table above, several subsystems can be of interest for certain studies and are described below under Some Predicate Calculus Subsystems.

Some definitions will simplify our presentation of the set theory axioms, although in principle they could be eliminated. Specifically,

• (ph /\ ps) is an abbreviation for -. (ph -> -. ps)
• (ph <-> ps) is an abbreviation for ((ph -> ps) /\ (ps -> ph))
• E.xph is an abbreviation for -. A.x -. ph

In our database, these are introduced (in a different order) by the statements df-bi (biconditional), df-an (logical AND), and df-ex (existential quantifier). To understand how definitions are introduced and justified in Metamath, see the note on definitions below. But for our purposes, you can just assume that df-bi, df-an, and df-ex are additional axioms (which they are in some axiomatizations of logic) so that you don't have to be concerned with their metalogical justification. Under this assumption, our primitive or basic connectives are extended with <->, /\, and E., and our wff construction rules are extended with wb, wa, and wex. Alternately, you can rewrite the set theory axioms below with these three definitions eliminated.

Set theory uses the formalism of propositional and predicate calculus to assert properties of arbitrary mathematical objects called "sets." A set can be contained in another set, and this relationship is indicated by the e. symbol. Starting with the simplest mathematical object, called the empty set, set theory builds up more and more complex structures whose existence follows from the axioms, eventually resulting in extremely complicated sets that we identify with the real numbers and other familiar mathematical objects. These axioms were developed in response to Russell's Paradox, a discovery that revolutionized the foundations of mathematics and logic.

Except for Extensionality, the axioms basically say, "given an arbitrary set x (and, in the cases of Replacement and Regularity, provided that an antecedent is satisfied), there exists another set y based on or constructed from it, with the stated properties." (The axiom of Extensionality can also be restated this way as shown by axext2.) The individual axiom links provide more detailed descriptions. We derive the redundant ZF axioms of Separation, Null Set, and Pairing from the others as theorems.

In the ZFC axioms that follow, all set variables are assumed to be distinct. If you click on their links you will see the explicit distinct variable conditions. (There is also an unusual formalization of these axioms that does not require that their variables be distinct.) There are no restrictions on the variables that may occur in wff ph below.

Zermelo-Fraenkel Set Theory with Choice (ZFC)

Axiom of Extensionality	ax-ext	|- (A.z(z e. x <-> z e. y) -> x = y)
Axiom of Replacement	ax-rep	|- (A.wE.yA.z(A.yph -> z = y) -> E.yA.z(z e. y <-> E.w(w e. x /\ A.yph)))
Axiom of Power Sets	ax-pow	|- E.yA.z(A.w(w e. z -> w e. x) -> z e. y)
Axiom of Union	ax-un	|- E.yA.z(E.w(z e. w /\ w e. x) -> z e. y)
Axiom of Regularity	ax-reg	|- (E.y y e. x -> E.y(y e. x /\ A.z(z e. y -> -. z e. x)))
Axiom of Infinity	ax-inf	|- E.y(x e. y /\ A.z(z e. y -> E.w(z e. w /\ w e. y)))
Axiom of Choice	ax-ac	|- E.yA.zA.w((z e. w /\ w e. x) -> E.vA.u(E.t((u e. w /\ w e. t) /\ (u e. t /\ t e. y)) <-> u = v))

There you have it, the axioms for (essentially) all of mathematics! Wonder at them and stare at them in awe. If you keep a copy in your wallet, you will carry with you the encoding for all theorems ever proved and that ever will be proved, from the most mundane to the most profound.

Note. Books sometimes make statements like "(essentially) all of mathematics can be derived from the ZFC axioms." This should not be taken literally—there's not much you can do with those 7 axioms by themselves! The authors are assuming that you will combine the ZFC axioms with logic (that is, the axioms and rules of propositional and predicate calculus). Between ZFC axioms and logic there is a total of 20 axioms and 2 rules in our system.

The Tarski-Grothendieck Axiom     Above we qualified the phrase "all of mathematics" with "essentially." The main important missing piece is the ability to do category theory, which requires huge sets (inaccessible cardinals) larger than those postulated by the ZFC axioms. The Tarski-Grothendieck Axiom postulates the existence of such sets. We have included it in a separate table below for two reasons: first, it is not normally considered to be part of ZFC set theory, and second, unlike the ZFC axioms, it is not "elementary," in that the known forms of it are very long when expanded to set theory primitives. Below we show it compacted with definitions. Theorem grothprim shows you what it looks like when the definitions are expanded into the primitives used by the other axioms. The Tarski-Grothendieck axiom can be viewed as a very strong replacement of the Axiom of Infinity and implies that axiom (theorem grothomex) as well as the Axiom of Choice (theorem grothac) and the Axiom of Power Sets (theorem grothpw).

The Tarski-Grothendieck axiom

The Tarski-Grothendieck Axiom

ax-groth

|- E.y(x e. y /\ A.z e. y (A.w(w (_ z -> w e. y) /\ E.w e. y A.v(v (_ z -> v e. w)) /\ A.z(z (_ y -> (z ~~ y \/ z e. y)))

What else is missing from our axioms? Gödel showed that no finite set of axioms or axiom schemes can completely describe any consistent theory strong enough to include arithmetic. But practically speaking, the ones above are the accepted foundation that almost all mathematicians explicitly or implicitly base their work on.

Set theorists often study the consequences of additional axioms that assert, for example, the existence of larger and larger infinities beyond those postulated by ZFC or even the Tarski-Grothendieck Axiom, to the point of flirting with inconsistency (although Gödel also showed that we can never know whether even the ZFC axioms are consistent). While this work is certainly profound and important, these axioms are not ordinarily used outside of set theory. To study such an additional axiom with Metamath, we can assert it as a new axiom, or alternately we can simply state it as a hypothesis to any theorem making use of it.

The Theory of Classes   

In Figure 1 above that shows part of the proof of 2+2=4, there are some purple-colored variables such as A and B that do not appear in any of the axioms of logic and set theory that we just presented. Even the number 2 is a symbol (a constant) that we cannot manipulate with the axioms, because of the rule that only set variables (and not constants or other expressions) can be substituted for set variables. You may at this point feel lost, wondering how our introductory 2+2=4 example bears any relationship at all to the axioms! In this section, we will discuss how this notation ties into our axioms and how to convert it to the primitive or basic language used by the axioms.

In principle, mathematics can be done using only the set and wff variables that appear in the axioms. But the notation can be awkward to work with and is not always intuitive for humans. To make mathematics more practical, we extend the set theory language with a definitional notation called the theory of classes. An expression of the form {x | ph}, where x is any set variable and ph is any wff, is interchangeably called a class builder, class abstract[ion], class term, or class comprehension by different authors. We call an object that can be represented in this form a class and read {x | ph} as "the class of all x such that ph holds". Every class is a (possibly empty) collection of sets, although not every such collection is itself a set (see the discussion for theorem ru). For example, {x | (x e. ZZ /\ 2 < x)} is the class (and also set) of all integers greater than 2.

We use upper-case variables A, B,... to range over class builders and call them class variables. More generally, we let them range over any object representing a class, such as other class variables. (A class variable A itself can be represented with the class builder {x | x e. A} and thus qualifies as a class; see theorem abid2.) Our language will now have three kinds of variables: ph, ps,... ranging over wffs, x, y,... ranging over sets, and A, B,... ranging over classes.

In the basic language, the e. and = connectives must connect two set variables, so all starting wffs (without wff variables) are of the form x e. y and x = y. We extend the language syntax, i.e. the definition of a wff, by allowing e. and = to connect to expressions representing classes, as exemplified in the three definitions below. Theorems involving the extended syntax are derived making use of those three definitions.

We can construct new classes from existing ones, a property we often exploit to define new concepts. For example, we introduce the symbol u. and define the union of two classes A and B in df-un: (A u. B) = {x | (x e. A \/ x e. B)}. Here the defined expression on the left of the "=" abbreviates the expression on the right. When eliminating the defined expression, we can chose for x any variable not occurring in A or B (theorem unjust); it is a bound or dummy variable similar to the x in the integral from 0 to 1 of x dx. By introducing this definition, we effectively extend the syntax with new class expressions of the form (A u. B) that can be substituted for class variables.

The number 2 in Figure 1 is another example of a defined class builder, in this case a constant with no arguments. Our definition df-2, 2 = (1 + 1), involves yet more defined class constants (1 defined in df-1 and + defined in df-plus), so it is not obviously a class builder at this point. But if we backtrack far enough through several definitions, we will eventually end up with 2 = {x | ...} where "..." is a wff in the extended language.

We still need to determine what the above examples correspond to in the basic language used by the axioms. In essence, there is an algorithm to translate each wff containing class builders to a unique equivalent wff in the basic language of predicate calculus used for set theory. Later in this section, we will show an example using the algorithm to provide a feel for how to recover the basic language from a wff in the extended language.

The class definitions    The algorithm for eliminating class builders is accomplished using the following three definitions, which in effect provide the recursive definition of wffs containing class builders.

Definitions for the theory of classes

Definition of class abstraction	df-clab	|- (x e. {y | ph} <-> [x / y]ph)
Definition of class equality	dfcleq	|- (A = B <-> A.x(x e. A <-> x e. B))
Definition of class membership	df-clel	|- (A e. B <-> E.x(x = A /\ x e. B))

Definition df-clab extends the e. connective, and thus the definition of a wff, to allow a class builder on the right-hand side of the e., instead of (previously) only set variables on each side. Note that the ph in df-clab is a wff in the extended language and thus may itself contain class builders. The proper substitution denoted by [x / y]ph has been previously defined by df-sb.

Definition df-cleq extends the = connective to allow classes on both sides. The definition itself has a hypothesis, and above we show the derived version dfcleq with the hypothesis eliminated for practical use.

Without its hypothesis, df-cleq would produce the axiom of extensionality ax-ext as a special case and thus is not sound (is not conservative) in the context of predicate calculus without set theory. If we assume our class theory definitionally extends set theory rather than just predicate calculus, the hypothesis is unnecessary and merely provides us with a somewhat nitpicking isolation from set theory. Most authors do not include this hypothesis. An advantage of the hypothesis for us is that we must explicitly use ax-ext to satisfy it as in theorem dfcleq, meaning we can more easily determine exactly where ax-ext was used by a proof.

Definition df-clel similarly extends the e. connective to allow classes on both sides. We do not need a hypothesis as we did for df-cleq because its instances are theorems of predicate calculus (see theorem cleljust).

As an important special case, a set variable x can be considered a class because it equals the class builder {y | y e. x} (theorem cvjust). This is the justification for syntax builder cv, which for convenience allows us to substitute a set variable directly for a class variable. (On the other hand, we may not substitute a class variable for a set variable in general.)

An example    To see an example of the algorithm, let us eliminate the class builder from the (extended) wff {x | x = a} = b. For simplicity we will assume all set variable pairs are distinct. Treating the set variable b as a class and applying dfcleq, we get A.y(y e. {x | x = a} <-> y e. b). Applying df-clab, we get A.y([y / x]x = a <-> y e. b). Applying df-sb, we get A.y((x = y -> x = a) /\ E.x(x = y /\ x = a)) <-> y e. b), which is our final expression in the basic language of predicate calculus (implicitly assuming we have expanded the defined connectives E., /\, <->). This expression is unique provided we have some canonical convention for traversing the extended wff syntax tree and for naming any new variables introduced at each step. By the way, this can be simplified with additional applications of predicate calculus to become A.y(y = a <-> y e. b).

Our example showed the elimination of class builders from a wff with no class variables. If the wff also contains class variables, these can be converted to wff variables by substituting {x | ph} for A, {y | ps} for B, and so on, where ph and ps are new wff variables that don't occur in the original extended wff. The variables x and y are arbitrary (and may be the same) as long as they don't conflict with any distinct variable requirements imposed on A and B. We then would follow the procedure of the above example. The description of theorem abeq2 goes into more detail and gives some actual database examples where this translation takes place.

Justification    The theory of classes can be shown to be an eliminable and conservative extension of set theory. The eliminability property shows that for every formula in the extended language we can build a logically equivalent formula in the basic language; so that even if the extended language provides more ease to convey and formulate mathematical ideas for set theory, its expressive power does not in fact strengthen the basic language's expressive power. The conservation property shows that for every proof of a formula of the basic language in the extended system we can build another proof of the same formula in the basic system; so that, concerning theorems on sets only, the deductive powers of the extended system and of the basic system are identical. Together, these properties mean that the extended language can be treated as a definitional extension that is sound.

A rigorous justification, which we will not give here, can be found in can be found in [Levy] pp. 357-366, supplementing his informal introduction to class theory on pp. 7-17. Two other good treatments of class theory are provided by [Quine] pp. 15-21 and [TakeutiZaring] pp. 10-14. Quine's exposition is nicely written and very readable. Our purple class variables are Greek letters in Quine, and he uses an archaic dot notation instead of parentheses, but this is is a relatively minor hurdle especially since you can compare the Metamath versions of many of the theorems.

History    According to [Levy] (p. 11), the way we introduce classes was first explicitly stated by [Quine] (1963), who built on ideas stemming from Paul Bernays, particularly in Bernays' book Axiomatic Set Theory (1958). Also according to Levy (pp. 11, 6, and 87), the informal idea of using classes that can't belong to other classes occurred to Cantor in 1899 after he became aware of the Burali-Forti paradox (1897) and the fact that Cantor's theorem fails for the universe V (1899). (Russell's paradox came later, in 1901.)

Definitions or axioms?    Levy presents our three definitions above as axioms rather than definitions. There is nothing wrong with this in principle, but because they are conservative and eliminable, they do not strengthen the underlying set theory. They just specify a mechanical transformation to and from a different but equivalent notation.

On the other hand, they have a character that is somewhat different from "ordinary" definitions such as df-an that simply introduce a new symbol (or unique symbol combination) to abbreviate a longer string of symbols. All such ordinary definitions can be verified for soundness with a relatively straightforward algorithm that is incorporated into the mmj2 program. But there is no simple way to verify automatically the soundness of our three class definitions. Instead, we must trust the relatively involved metamathematics of Levy's (or other authors') eliminability and conservation proofs that exist only on paper, at least until a sufficiently sophisticated definitional soundness checker becomes available. The requirement of such trust makes it tempting to call them axioms, since that would relieve us of responsibility in the unlikely event that a flaw is uncovered in one of the eliminability/conservation proofs.

Personally I feel that despite their formal complexity, the eliminability/conservation properties are still in some sense "obvious", particularly after gaining some experience with examples such as the above. Moreover, calling them axioms could be slightly misleading by suggesting that the axioms of ZFC set theory are not sufficient. For these reasons I chose to call them definitions, at the risk of slightly compromising the ideal of computer-verified perfect rigor. It is rather trivial in the Metamath language to switch them to axioms if we want to achieve this rigor, since the distinction between the two is merely a naming convention of "ax-" vs. "df-" prefixes; see the discussion below on definitions.

The specific reason that the current mmj2 definitional soundness checker will reject our three definitions for classes is that they overload (and thus in a naive sense redefine) existing connectives. There are two other definitions in the set.mm database that mmj2 is unable to check: df-sbc, which also overloads existing notation for convenience, and df-bi, which does not connect definiendum and definiens with <-> or =. For these five cases, it is assumed that we are satisfied with a soundness justification outside of Metamath or its tools, and we specify them as exceptions in mmj2's RunParms.txt file:

        SetMMDefinitionsCheckWithExclusions,ax-*,df-bi,df-clab,df-cleq,df-clel,df-sbc

A skeptic is free to rename these five to be axioms (with prefix "ax-"), but currently we consider the compromise acceptable. Moreover, the above mmj2 statement tells us exactly which definitions we are trusting without computer verification, so we can easily determine exactly what is being assumed.

A Theorem Sampler   

Set theory can be viewed as a form of exact theology.
—Rudy Rucker

Listed here are some examples of starting points for your journey through the maze. You should study some simple proofs from propositional calculus until you get the hang of it. Then try some predicate calculus and finally set theory. The Theorem List shows the complete set of theorems in the database. You may also find the Bibliographic Cross-Reference useful. The Metamath 100 list identifies the progress of Metamath formalizations of the "top 100" theorems as tracked by Freek Wiedijk.

Propositional calculus Law of identity Peirce's axiom Praeclarum theorema Law of excluded middle Proposition *5.18 from Principia Mathematica The consensus theorem for logic circuits Meredith's astonishing single axiom Predicate calculus Existential and universal quantifier swap Existentially quantified implication x = x Definition of proper substitution Double existential uniqueness Set theory Commutative law for union A basic relationship between class and wff variables Two ways of saying "is a set" Kuratowski's ordered pair definition and theorem Russell's paradox The value of a function Cantor's theorem Mathematical (finite) induction Peano's postulates for arithmetic: 1 2 3 4 5

Set theory (cont.) The existence of omega (the gateway to "Cantor's paradise") Burali-Forti paradox Transfinite induction Transfinite recursion part 1 2 3 The amazing recursive definition generator Schröder-Bernstein Theorem Pigeonhole principle Axiom of Infinity equivalent (neat!) Axiom of Choice equivalent (brainteaser!) Zermelo's well-ordering theorem Zorn's Lemma Generalized Continuum Hypothesis (GCH) equivalent Real and complex numbers (27 postulates) Archimedean property of real numbers Ordered pair theorem for non-negative integers The square root of 2 is irrational The nesting of natural numbers, integers, rationals, reals, and complex numbers Complex number in terms of real and imaginary parts Triangle inequality for absolute value Euler's identity e^(i*pi)=-1 There exist infinitely many primes The real numbers are uncountable

2 + 2 = 4 Trivia   

We used to think that if we knew one, we knew two, because one and one are two. We are finding that we must learn a great deal more about 'and.'
—Sir Arthur Eddington

The complete proof of a theorem all the way back to axioms can be thought of as a tree of subtheorems, with the steps in each proof branching back to earlier subtheorems, until axioms are ultimately reached at the tips of the branches. An interesting exercise is, starting from a theorem, to try to find the longest path back to an axiom. Trivia Question: What is the longest path for the theorem 2 + 2 = 4? Orange julia butterfly with 2+2=4 dots. Credit: N. Megill 2004. Public domain.

Trivia Answer: A longest path back to an axiom from 2 + 2 = 4 is 150 layers deep! By following it you will encounter a broad range of interesting and important set theory results along the way. You can follow them by drilling down this path. Or you can start at the bottom and work your way up, watching mathematics unfold from its axioms.

2p2e4 (2+2=4) <- 2cn <- 2re <- 1re <- ine0 <- mul01i <- subidi <- negsubi <- negidi <- negid <- pncan3 <- subadd <- subaddi <- negeui <- addcan <- addcani <- cnegexi <- cnegex <- axrnegex <- negexsr <- pn0sr <- distrsr <- dmaddsr <- addclsr <- addsrpr <- enrer <- addcanpr <- ltapr <- ltaprlem <- ltexpri <- ltexprlem7 <- ltaddpr <- addclpr <- addclprlem2 <- addclprlem1 <- ltrpq <- recclpq <- recidpq <- recmulpq <- mulcompq <- dmmulpq <- mulclpq <- mulpipq <- enqer <- mulasspi <- nnmass <- omass <- odi <- om00el <- om00 <- omword1 <- omwordi <- omword <- omord2 <- omordi <- oaword1 <- oaword <- oacan <- oaord <- oaordi <- oalim <- rdglim2a <- rdglim2 <- rdglim <- rdglimi <- rdgfnon <- tfr1 <- tfrlem13 <- tfrlem12 <- tfrlem11 <- tfrlem9 <- tfrlem7 <- tfrlem5 <- tfrlem2 <- tfrlem1 <- tfis2 <- tfis2f <- tfis <- tfi <- onss <- ordsson <- ordeleqon <- onprc <- ordon <- ordtri3or <- ordsseleq <- ordelssne <- tz7.7 <- tz7.5 <- wefrc <- epfrc <- epel <- epelc <- brab <- brabg <- opelopabg <- copsex2g <- copsexg <- eqvinop <- opth <- opth1 <- opi1 <- snex <- snprc <- neq0 <- n0 <- n0f <- noel <- dfnul2 <- eldif <- elab2g <- elabg <- elabgf <- vtoclgf <- hbeleq <- hbel <- hbeq <- hblem <- eleq1 <- eqeq2 <- eqeq1 <- bibi1d <- bibi2d <- imbi1d <- imbi2d <- pm5.74d <- pm5.74 <- anim12d <- prth <- imp4b <- imp4a <- impexp <- imbi1i <- impbii <- bi3 <- expi <- expt <- pm3.2im <- con2d <- con2 <- notnot2 <- pm2.18 <- pm2.43i <- pm2.43 <- pm2.27 <- id <- mpd <- a2i <- ax-2

(The list above was produced by typing the commands "read set.mm" then "show trace_back 2p2e4 /essential /count_steps" in the Metamath program, after changing the references to complex number axioms to their corresponding theorems, such as "ax-rnegex" to "axrnegex".) The complete proof of 2 + 2 = 4 involves 2,452 subtheorems including the 150 above. (The command "show trace_back 2p2e4 /essential" will list them.) These have a total of 25,933 steps — this is how many steps you would have to examine if you wanted to verify the proof by hand in complete detail all the way back to the axioms.

One of the reasons that the proof of 2 + 2 = 4 is so long is that 2 and 4 are complex numbers—i.e. we are really proving (2+0i) + (2+0i) = (4+0i)—and these have a complicated construction (see the Axioms for Complex Numbers) but provide the most flexibility for the arithmetic in our set.mm database. In terms of textbook pages, the construction formalizes perhaps 70 pages from Takeuti and Zaring's Introduction to Axiomatic Set Theory (and its predicate calculus prerequisite) to obtain natural number (finite ordinal) arithmetic, followed by essentially all of Landau's 136-page Foundations of Analysis.

We selected the theorem 2 + 2 = 4 for this example rather than 1 + 1 = 2 because the latter is essentially the definition we chose for 2 and thus has a trivial proof. In Principia Mathematica, 1 and 2 are cardinal numbers, so its proof of 1 + 1 = 2 is different: see pm110.643 for a translation into modern notation.

Appendix 1: A Note on the Axioms    The Metamath axiom system defined in set.mm is founded on a simplified formalization of predicate calculus with equality published by logician Alfred Tarski in 1965 (see [Tarski], system S2 mentioned in last paragraph of p. 77; reproduced as system S3 in Section 6 of [Megill]). Tarski's system is exactly equivalent to the traditional textbook formalization, but (by clever use of equality axioms) it eliminates the latter's primitive notions of "proper substitution" and "free variable," replacing them with direct substitution and the notion of a variable not occurring in a formula (which we express with distinct variable constraints).

In advocating his system, Tarski wrote, "The relatively complicated character of [free variables and proper substitution] is a source of certain inconveniences of both practical and theoretical nature; this is clearly experienced both in teaching an elementary course of mathematical logic and in formalizing the syntax of predicate logic for some theoretical purposes" [Tarski, p. 61].

Tarski's system was designed for proving specific theorems rather than more general theorem schemes (which we will define below). However, theorem schemes are much more efficient than specific theorems for building a body of mathematical knowledge, since they can be reused with different instances as needed. While Tarski does derive theorem schemes from his axioms, their proofs require concepts that are "outside" of the system, such as induction on formula length. The verification of such proofs is difficult to automate in a proof verifier. (Specifically, Tarski treats the formulas of his system as set-theoretical objects. In order to verify the proofs of his theorem schemes, a proof verifier would need a significant amount of set theory built into it.)

The Metamath axiom system (system S3' in Remark 9.6 of [Megill], shown as axioms ax-1 through ax-17 above, which we will call axiom schemes in this section) extends Tarski's system to eliminate this difficulty. The additional axiom schemes endow it with a nice property called metalogical completeness (defined in Remark 9.6 of [Megill]). As a result, we can prove any theorem scheme expressable in the "simple metalogic" of Tarski's system by using only Metamath's direct substitution rule applied to the axiom system (and no other metalogical or set-theoretical notions "outside" of the system). Simple metalogic consists of schemes containing wff metavariables (with no arguments) and/or set (also called "individual") metavariables, accompanied by optional provisos each stating that two specified set metavariables must be distinct or that a specified set metavariable may not occur in a specified wff metavariable. Metamath's logic and set theory axiom schemes are examples of simple metalogic.

[See also Question 15 on the Metamath Solitaire page. Note that when we say "Metamath's axioms" on this web page, we usually mean the axiom schemes in the set.mm database file, which was used to create the Metamath Proof Explorer web pages. Other axiom systems are also possible with the Metamath language and program.]

Axioms vs. axiom schemes   An important thing to keep in mind is that Metamath's "axioms" and "theorems" are not the actual axioms and theorems of first-order logic (i.e. the traditional predicate calculus of textbooks) but instead should be interpreted as schemes, or recipes, for generating those axioms and theorems. In particular, the (red) "set variables" in Metamath's axioms are not the individual variables of the actual axioms; instead, they are metavariables ranging over these individual variables (which in turn range over the individuals in the logic's universe of discourse—in our case of set theory, the universe of discourse is the collection of all sets). This can cause and has caused confusion, particularly because of the superficial resemblance between the two. For clarity, we will refer to Metamath's axioms as axiom schemes in this section and whenever we discuss Metamath in the context of first-order logic.

The actual language (also called the object language) of first-order logic consists of starting (or primitive or atomic) wffs (well-formed formulas) constructed from actual individual variables v₁, v₂, v₃,.... connected by = and e. (such as "v₂ = v₄" and "v₃ e. v₂"), which are then used to build up larger wffs with the connectives ->, -., and A. (such as "(-. v₂ = v₄ -> A.v₆ v₃ e. v₂)"). That is the complete language needed to express all of set theory and thus essentially all of mathematics. That's it; there is nothing else! There are no other variable types in the actual language; in particular there are no variables representing wffs. Each of our axiom schemes corresponds to (generates) an infinite set of such actual formulas that match its pattern. For example, "(A.v₁ -. v₃ e. v₂ -> -. v₃ e. v₂)" is an actual axiom since it matches axiom scheme ax-4, "(A.xph -> ph)," when we substitute "v₁" for "x" and "-. v₃ e. v₂" for "ph."

Even in propositional calculus, the "axioms" are really axiom schemes. Although logic textbooks may have "propositional variables" that are manipulated directly and even treated as primitive for convenience (or certain theoretical purposes), they are really wff metavariables when used as part of the foundations for mathematics. An actual axiom of propositional calculus has no propositional or wff variables but only the kinds of actual wffs we just described. Each axiom scheme is a template corresponding to an infinite number of actual axioms. For example, neither the general form of ax-1  "(ph -> (ps -> ph))"  nor the more restrictive substitution instance  "(x = y -> (x = y -> x = y))"  is an actual axiom—both are schemes ranging over an infinite number of actual axioms (fewer of them in the second case, of course). An example of an actual propositional calculus axiom is the instance  "(v₃ = v₅ -> (A.v₆ v₁ e. v₄ -> v₃ = v₅))".

Our axiom schemes vs. Tarski's original axiom schemes    In the figure below we compare Tarski's original axiom schemes for predicate calculus with equality (rightmost column) with the extensions that make our system "metalogically complete."

Metamath's axiom schemes

Tarski's system S2

All of our extensions are provable (outside of Metamath) as metatheorems of Tarski's original system, meaning that they are sound (and also logically redundant). Except for ax-9, our system includes all axiom schemes of Tarski's system. In the case of ax-9, Tarski's version is weakened by including a distinct variable proviso. If we wish, we can also weaken our version in this way and still have a metalogically complete system. Theorem ax9 shows this by deriving, in the presence of the other axioms, our ax-9 from Tarski's weaker version. However, we chose the stronger version for our system because it is simpler to state and easier to use.

Substitution instances of schemes    In Metamath, by default (i.e. when no distinct variable provisos are present; see below) there are no restrictions on substitutions that may be made into a scheme, provided we honor the metavariable types (wff variable or set variable). This is called direct substitution, in constrast to a more complicated "proper substitution" used in textbook predicate calculus. Consider, for example, axiom scheme ax-9, which can be abbreviated as "E.x x = y" (theorem scheme a9e), "there exists (E.) an x such that x equals y." In traditional predicate calculus, the first argument (a variable) of the quantifier E. is considered "bound" in the wff serving as its second argument (i.e. in the quantifier's "scope"), otherwise it is "free;" substitutions must follow careful rules taking into account of whether the variable is bound or free at a given position. In the Metamath language, E. is merely a 2-place prefix connective or "operation" that evaluates to a wff, taking a set variable as its first argument and a wff as its second, with no built-in concept of bound or free. In a9e, we place no restriction on what actual variables may be substituted for bound metavariable x and free metavariable y. We can even substitute them with the same variable, seemingly at odds with the traditional rule that free and bound variables must not clash. (When we do need to prohibit certain substitutions, they are done with "distinct variable" provisos we describe below, that apply to a theorem as a whole without consideration of whether a variable's occurrence is free or bound. This makes all substitutions very simple.)

The expression "E.x x = y" is just a recipe for generating an infinite number of actual axioms. In an actual axiom such as "E.v₃ v₃ = v₂," symbols v₂ and v₃ always represent distinct variables by definition, because they have different names. Another axiom that results from the recipe is "E.v₃ v₃ = v₃," which has a different meaning but is still perfectly sound. On the other hand, when working with the actual axioms there is no rule that allows us to infer "E.v₃ v₃ = v₃" from "E.v₃ v₃ = v₂": they are independent axioms generated by the scheme. In the actual logic, the only rules of inference are the (infinite) specific instances of the modus ponens and generalization schemes—for example, from "E.v₃ v₃ = v₂" we can infer "A.v₆E.v₃ v₃ = v₂" by generalization—and there is no substitution rule built in as a primitive notion.

The proper substitution rule of traditional predicate calculus is a by-product of the axiom schemes that were chosen, and the rule is necessary to ensure that these schemes generate only correct actual axioms. Metamath uses different axiom schemes that do not require proper substitution but generate exactly the same actual axioms as traditional predicate calculus. (A price we pay with Metamath is a larger number of axiom schemes.) In the actual axioms, there are no primitive concepts of "free", "bound", "distinct", or even "substitution"—these are all metamathematical notions at the scheme level.

See also technical notes 2 and 3 below.

Metamath is a metalanguage that describes first-order logic    ...and is not itself the language of first-order logic. But the "meta" aspect runs deeper than just the fact that its axioms represent schemes.

Traditional presentations of first-order logic also use schemes to describe the axioms. However, a substitution instance of one of their axiom schemes is intended to be one specific axiom of the actual logic. Formal proofs are defined so that they involve only actual axioms, to result in actual theorems. Often textbooks will derive theorem schemes to obtain more generally useful results, but such derivations are understood to be outside of the logic itself and may use metalogical techniques such as induction on formula length that are not part of the axiom system.

Metamath's key and very important difference is that an application of its substitution rule always creates a new scheme from an old one. Metamath works only with schemes and never with actual axioms or theorems. For example, the schemes "(x = y -> x = y)" and "((ps -> ph) -> (ps -> ph))" are two substitution instances that we can infer from the scheme "(ph -> ph)." These substitution instances are new schemes in their own right, into which we can make further substitutions to specialize them further if we wish.

The set and wff variables of the Metamath language are one level up, or "meta," from the point of view of the logic that it describes. (Hence the name Metamath, meaning "metavariable math.") Each "theorem" on our proof pages is a theorem scheme (metatheorem) that is a recipe for generating an infinite number of actual theorems. In fact, the Metamath language cannot even express specific, actual theorems such as "(v₁ = v₂ -> v₁ = v₂)." We would have to do that outside of the Metamath system. Ordinarily this is unnecessary; even logic textbooks work informally with theorem schemes after they explain how the formal system is constructed. Metamath formalizes the process for working directly with schemes and makes the necessary metalogic (its substitution rule) part of the axiom system itself, so that no techniques outside of the axiom system are needed to derive its theorem schemes.

Distinct variables    Sometimes we must place restrictions on the formulas generated by a scheme in order to ensure their soundness, and we use distinct variable restrictions for this purpose. For example, the theorem scheme dtru, -. A.x x = y, has the restriction that metavariables x and y cannot be substituted with the same actual variable, otherwise we could end up with the nonsense substitution instance "-.A.v₁ v₁ = v₁" which would mean "it is not true that every object v₁ equals itself." The substitution rule of Metamath ensures that distinct variable restrictions "propagate" from axiom schemes having such restrictions into theorem schemes using those axioms.

Note that distinct variable restrictions are metalogical conditions imposed on certain axiom and theorem schemes. They have no role in the actual logic, where two actual variables with different names are distinct by definition—simply because they have different names, which is what "distinct" means. Thus in an actual theorem generated by dtru, such as "-.A.v₁ v₁ = v₂," it would be redundant (and meaningless) to require that v₁ and v₂ be distinct. There is no danger of inferring from this the falsehood "-.A.v₁ v₁ = v₁", because there is no substitution rule in the actual language that lets us do so.

As we mentioned (three paragraphs earlier), the Metamath language itself cannot express actual theorems such as "-.A.v₁ v₁ = v₂." Instead, the distinct variable restriction on dtru is enforced at the level of theorem schemes. In this example, we are not allowed to substitute the same metavariable, say z, for both x and y whenever we reference dtru in a proof step.

Technical notes    1. For anyone interested, here are some technical notes on the [Megill] paper. The claim in Remark 9.6, "C14' is omitted from S3' because it can be proved from the others using only simple metalogic," is proved in theorem ax15. Axiom C16' is also redundant—see theorem ax16, whose proof was discovered in 2006 and not known at the time of the paper. The somewhat strange-looking axiom C10' (ax-9o) was found to be equivalent to the simpler ax-9 after the paper was submitted; see theorem ax9from9o. In the proof of the metalogical completeness theorem, Theorem 9.7, some details that are stated without proof as "provable in S3' with simple metalogic," but which are nonetheless are tricky, are proved by theorems sbequ, sbcom2, and sbid2v.

2. Some people find it counter-intuitive that ax-9 combines two conceptually different axiom schemes, one where x and y are always distinct variables (one bound, one free) and another which really means "E.x x = x." Raph Levien calls this "bundling" (see "Principal instances of metatheorems" [accessed 14-Jul-2015]). We chose an axiomatization with maximally bundled axiom schemes, making them more general, fewer in number, and easier to use. It also allows us to allow us to postpone the introduction of distinct variables and to study subsystems with no distinct variable restrictions. Other (longer) axiomatizations with less bundling are possible, of course.

3. Tarski used the bundled axiom scheme "E.x x = y" in one of his systems without requiring that x and y be distinct variables (see [KalishMontague], footnote on p. 81). In other words, he bundled it like we do to make it more general and able to prove instances of "E.x x = x" without requiring a separate axiom scheme. On the other hand, he required that x and y be distinct in this scheme of his system S2 mentioned above, since instances of "E.x x = x" could be derived in another way (see the proof of equid1). Tarski considered it better to include the distinct variable condition since he wanted to show the weakest possible axiom scheme needed for completeness, even though it made the statement of the scheme more complex.

4. An interesting feature of Metamath's axiom system is that it is finitely axiomatized in the following strong sense: at any point in a proof, there are only finitely many axiom schemes in the system from which the next step can be chosen, and whenever the choice is valid i.e. unifies, there is a unique most general theorem that that results. This fact is exploited and illustrated in the Metamath Solitaire applet: you are presented with exactly all possible allowed (unifiable) choices, and when you choose one you are shown the most general theorem that results. This is in sharp contrast to traditional predicate calculus (and even Tarski's system), where we must choose from an infinite number of substitution possibilities in order to apply an axiom. In particular, ZFC set theory also becomes finitely axiomatized in this strong sense, because the Replacement Scheme of ZFC becomes a single "axiom" (or more precisely, a single scheme expressable in simple metalogic) under Metamath's formalization. (Note that the terminology "finitely axiomatized" is also used in the literature in a different way, to mean a theory with finitely many actual axioms on top of predicate calculus, without counting the infinite number of axioms of predicate calculus itself. For example, under that meaning, ZFC set theory is not finitely axiomatized because its Axiom of Replacement is a scheme describing an infinite number of axioms.)

5. Interestingly, Raph Levien has shown (see Item 16 on the Workshop Miscellany page) that in the actual logic, if we are given "E.v₃ v₃ = v₃" as a hypothesis, it is impossible to infer from it, in the absence of scheme ax-9, even the obvious equivalent "E.v₄ v₄ = v₄."

Appendix 2: Traditional Textbook Axioms of Predicate Calculus with Equality   

If you want to acquire a practical working ability in logic, it is a good idea to become familiar with the traditional textbook axioms. Their built-in concepts of free and bound variables and proper substitution are a little more complex than Metamath's simple substitution rule, but they allow you to work at a somewhat higher level and are better suited than Metamath's for humans to understand intuitively. In fact, many of the proofs here were sketched out informally using traditional methods before being formalized with Metamath's axioms.

For classical propositional calculus, the traditional axiom and rule schemes are exactly the same as Metamath's axioms and rule (interpreted as schemes), namely ax-1, ax-2, ax-3, and rule ax-mp. The additional axiom and rule schemes for traditional predicate calculus with equality are the following. The first three are the axiom and rule schemes for traditional predicate calculus, and the last two are the axiom schemes for the traditional theory of equality. We link to the approximately equivalent theorem schemes in the Metamath formalization.

stdpc4	|- A.xph(x) -> ph(y), provided that y is free for x in ph(x)
stdpc5	|- A.x(ph -> ps) -> (ph -> A.xps), provided that x is not free in ph
ax-gen	|- ph    =>    |- A.xph
stdpc6	|- A.x x = x
stdpc7	|- x = y -> (ph(x, x) -> ph(x, y)), provided that y is free for x in ph(x, x)

Three of these axiom schemes have informal English-language conditions on them. These conditions are somewhat awkward to formalize, but they are not hard to grasp intuitively. You can look them up in any elementary logic book. They are also explained in Hirst and Hirst's A Primer for Logic and Proof [external] (PDF, 0.5MB); Section 2.4 (pp. 36-37; add 6 for the PDF page number) defines "free variable," and Section 2.11 (pp. 48-51) defines "free for." See pp. 15, 51, & 64 for the propositional calculus, predicate calculus, and equality axioms respectively.

Stefan Bilaniuk's A Problem Course in Mathematical Logic [external], another free on-line book, provides a more extensive study of logic.

Even though the traditional axiom system looks different from Metamath's, the two axiom systems generate exactly the same set of actual theorems. (Read about schemes in the previous section to understand what "actual" means.) Specifically, all of Metamath's axiom schemes ax-4 through ax-17 can be proved as theorem schemes of the traditional system. Conversely, every instance of the traditional axiom schemes is an instance of a theorem scheme provable from Metamath's axiom schemes.

Although in some sense the traditional axiom schemes are more compact than Metamath's ax-4 through ax-17, their goal is simply to provide recipes for generating actual axioms, from which we then prove actual theorems. Theorem schemes can also be proved from the traditional axiom schemes, but their proofs use informal metalogical techniques that are not part of the axiom system. In Metamath, on the other hand, we deal only with schemes and never with actual axioms, and its formalization is designed to let us prove directly all possible theorem schemes of a certain kind (specifically, all possible schemes expressible in simple metalogic).

Metamath's system does not have the traditional system's (metalogical) notions of "not free in" and "free for" built in, so the traditional system's schemes cannot be translated exactly to schemes in the Metamath language. However, we can emulate these notions (in either system, actually, since every scheme in Metamath's system is a scheme of the traditional system) with conventions that are based on a formula's logical properties (rather than its structure, as is the case with the traditional axioms). To say that "x is effectively not free in ph," we can use the hypothesis ph -> A.xph. This hypothesis holds in all cases where x is not free in ph in the traditional system (and in a few other cases as well, which is why we say "effectively"—for example, the wff x=x will satisfy the hypothesis, as shown by theorem hbequid, even though x is technically free in it). We can emulate "free for" through the use of our definition of proper substitution df-sb.

Both our system and the traditional system are called Hilbert-style systems. Another very powerful approach, called a Gentzen-style system, embeds the deduction (meta)theorem into its axiom system, but we do not discuss it here. Frédéric Liné has been developing a Gentzen-style system called natural deduction [external] in the Metamath language.

Appendix 3: Distinct Variables    In logic and set theory literature, theorems (or more precisely, theorem schemes) are often accompanied by side conditions, or provisos, written in informal English. Typically these are written after the statement of the theorem and expressed in a form such as "where x is a variable that [satisfies some constraint]." In order to satisfy the metalogical requirements of Tarski's axiom system on which it is based, Metamath implements three kinds of provisos through the use of its "distinct variable" conditions. These restrict what substitutions are allowed, and often you will see a proviso such as the following accompanying an axiom or theorem (for example, ax-17 and dtru):

Distinct variable groups:   x,y   x,ph   x,A

These three groups (in this example 3 pairs) have the following meanings, respectively, as side conditions of the theorem scheme or axiom scheme shown above them:

1. where x and y may not be substituted with the same set variable,
2. where whatever set variable is substituted for x may not appear in the wff expression substituted for ph, and
3. where whatever set variable is substituted for x may not appear in the class expression substituted for A.

For brevity we may say more informally,

1. where x and y are distinct,
2. where x does not occur in ph, and
3. where x does not occur in A.

[Actually, there is only one rule in the Metamath language itself: the two expressions that are substituted for the two variables in a distinct variable pair must not have any variables in common. This is why a distinct variable pair is officially called a "disjoint variable pair" in the Metamath specification. We present the rule as three separate cases above for clarity. In the set theory database file, set.mm, we adopt the convention that at least one set variable always appears in a distinct variable pair, so these are the only cases you will see. Under this convention, a distinct variable pair such as "A,ph" will never occur, even though technically it is not illegal.]

Note that

Distinct variable group:   ph,x

means the same thing as

Distinct variable group:   x,ph

Finally, if more than two variables appear in a group, this is an abbreviated way of saying that the restrictions apply to all possible pairs in the group. So,

Distinct variable group:   x,y,ph

means the same thing as

Distinct variable groups:   x,y   x,ph   y,ph

The basic rule to remember is that distinct variable provisos are inherited by substitutions (that take place in a proof step). For example, look at step 1 of the proof of cleljust, which has a substitution instance of ax-17. As you can see, ax-17 requires the distinct variable pair x,ph. Step 1 substitutes z for x and x e. y for ph. This substitution transforms the original distinct variable requirement into the two distinct variable pairs z,x and z,y, which will implicitly accompany step 1 (although not shown explicitly in step 1 of the proof listing). Thus step 1 can be read in full, "(x e. y -> A.z x e. y) where z,x are distinct and z,y are distinct." The proof verifier will check that this requirement accompanies the final theorem, otherwise it will flag the proof step as invalid. You can see this requirement in the "Distinct variable groups" list on the cleljust page.

In the Metamath language, distinct variable requirements are specified with $d statements, placed before an assertion ($a or $p) and in the same scope. Each theorem must be accompanied by those $d statements needed to satisfy all distinct variable requirements implicitly attached the proof steps.

To get a concrete feel for distinct variable restrictions, you can temporarily comment out the "$d x z" condition for theorem cleljust in the database file set.mm. When you try to verify the proof with the Metamath program, the resulting error message will read as follows. (Note that step 25 is the same as step 1 on the web page; steps 1-24 are syntax building steps that can be seen with "show proof cleljust /all".)

    MM> verify proof cleljust
    cleljust
    ?Error at statement 5305, label "cleljust", type "$p":
          wel vz ax-17 vz vx vy elequ1 equsex bicomi $.
                 ^^^^^
    There is a disjoint variable ($d) violation at proof step 25.  Assertion
    "ax-17" requires that variables "ph" and "x" be disjoint.  But "ph" was
    substituted with "x e. y" and "x" was substituted with "z".
    Variables "x" and "z" do not have a disjoint variable requirement in the
    assertion being proved, "cleljust".

Such error messages can also be used to determine any missing $d statements during proof development. Alternately, the mmj2 program will compute the necessary $d's automatically.

For a dynamic example of distinct variables in action, enter the first proof of x=x into the Metamath Solitaire applet. Watch the transformation of the distinct variable requirement that appears at the tenth step (ax-16).

Constants are considered distinct from all variables and never appear (nor are allowed to appear) in a distinct variable group. See the comment for isset.

Note 1    Sometimes new or "dummy" variables are used inside of a proof but do not occur in the theorem being proved. Usually they must be distinct from other variables (this is always a safe assumption, whether they really need to be or not), but on the web pages we always omit them from the "Distinct variable group(s)". The purpose of the "Distinct variable group(s)" list is to show only those distinct variable requirements that need to be satisfied by any proof that references the theorem. These are the only ones relevant the theorem itself (dummy variables can come and go as people find alternate proofs), and omitting dummy variables makes the list less cluttered and easier to read.

The additional distinct variable requirements for dummy variables used by a proof can be found in the $d statements for the theorem in the database file set.mm, as is required by the Metamath language spec. An example is the variable w that must be distinct from the others in the proof of ax15. You will find "$d w y $. $d w z $. $d w x $." above the statement of ax15 in the set.mm file, even though these are not shown on the web page.

Note 2    An issue that has been debated is whether the Metamath language specification should be changed so that $d statements associated with dummy variables are assumed implicitly. This is partly a matter of taste, but so far I have felt it better to require explicit $d statements for them. There are good arguments both ways, but to me, philosophically it makes the language more transparent, if more tedious. Beginners may find an explicit list helpful for understanding proofs, since nothing is hidden. Making it optional would complicate the Metamath spec slightly, since it would require an exception added to $d verification. If we want to use a proof step as a theorem (such as when breaking a proof into lemmas), its subproof may fail if the step has previously dummy variables whose $d statements are hidden.

Some people who dislike this requirement have made $d statements for dummy variables optional for their Metamath language verifiers (although strictly speaking this violates the current Metamath spec); an example is Hmm. There is nothing wrong with this in principle, and we could even make all $d statements for theorems optional—see Note 5 below.

Note 3    Textbooks often use the notation ph(x) to denote that variable x may appear in a wff substituted for ph. The Metamath language doesn't have a notation like this, but we can achieve the logical equivalent simply by omitting the distinct variable group x,ph, as the example axsep shows.

We can reconstruct the ph(x) notation from the distinct variable conditions that are omitted. On the individual web pages, this reconstruction for wff and class variables is shown under the "Distinct variable groups" list and called "Allowed substitution hints". The notation ph(x) there means that x may appear (free, bound, or both) in any expression substituted for wff variable ph. Note that this is an informal, unofficial notation, not part of the Metamath language.

Keep in mind that the "Allowed substitution hints" are not necessarily a complete list of all possible substitutions but are provided as a convenience to help you more easily determine out what substitutions are allowed, in contrast to the "Distinct variable groups" which tell you which ones are forbidden. There are six things to be aware of.

First, if the theorem has no "Distinct variable groups", such as mpteq2ia, any substitution at all (honoring the variable types) is permissable, so an "Allowed substitution hints" list would be pointless and is not shown to reduce possibly-confusing clutter.

Second, if the theorem has "Distinct variable groups" and a wff or class variable is missing from the "Allowed substitution hints", such as the A in copsexg, it means (in this case) that neither of the set variables x or y may appear in a class expression substituted for A. It is acceptable to substitute any class expression for A that doesn't contain these two variables but possibly contains others such as z.

Third, if the theorem has "Distinct variable groups" but does not have an "Allowed substitution hints" list, such as dftr5, it means that none of the set variables in the theorem or its hypotheses may appear in expressions substituted for its wff or class variables; in this case, neither x nor y may appear in an expression substituted for A. Other set variables such as z may appear, though.

Fourth, the list of variables in parentheses after a wff or class variable shows the permissable set variables that may appear in a substitution among those in the theorem (or its hypotheses). There is nothing preventing the use of set variables that do not appear in the theorem. For example, in axsep, x and w may appear in an expression substituted for ph, but not y or z.

Fifth, the set variable list in parentheses says nothing about whether those set variables need to be mutually distinct. Only the "Distinct variable groups" list provides this information. For example, ph(x,y) appears in the "Allowed substitution hints" for both ralcom and ralcom2; x and y must be distinct in the former but not the latter.

Finally, the hypotheses of a theorem may impose additional conditions on how the variables in parentheses may appear in the wff or class variable. For example, in vtoclef, although x may appear in the expression substituted for ph, it must appear in a way that allows the first hypothesis (ph -> A.xph) to be satisfied. Thus x usually can't occur as a free variable in ph because the first hypothesis won't be satisfied. This is in contrast to informal textbook usage where ph(x) typically means x occurs as a free variable in ph. The way to tell whether the meaning is "may occur free or bound" or "may occur if bound by a quantifier" is to look for a hypothesis of this form.

Note 4    Distinct variable requirements are sometimes confusing to Metamath newcomers. Unlike traditional predicate calculus, Metamath does not confer a special status to a bound variable (e.g. the quantifier variable x in A.xph); there is no built-in concept of its "scope." All variables, whether free or bound, are subject to the same direct substitution rule. Metamath's substitution rule does not treat a variable after the quantifier symbol "A." any differently from a variable after any other constant connective such as "-.". The only thing that matters is that the syntax is legal for the variable type (wff, set, or class), and that any distinct variable requirements are satisfied. This different paradigm may take some getting used to by someone used to traditional "proper substitution" (which involves analyzing the scopes of bound variables and renaming them if necessary), even though it is significantly simpler than the traditional approach. (Indeed, as described above, this simplicity was a primary motivation for Tarski's predicate calculus that the Metamath/set.mm axioms are based on.) Unless otherwise restricted by a distinct variable condition, a quantified (or any other) variable is by default not necessarily distinct from other variables in the same expression, whether bound or not. This is opposite the usual implicit assumption in traditional mathematics. For example, in many textbooks, it would be implicit that the two variables in theorem scheme dtru must be distinct (since one is bound and the other is free), but in Metamath this requirement must be made explicit. (On the other hand, in an instance of dtru in the actual logic, which Metamath cannot express directly, the two variables are implicitly distinct by definition, as explained the "Distinct variables" subsection of Appendix 1 above.)

Note 5    Interestingly, the distinct variable requirements ($d statements) accompanying theorems are theoretically redundant, because the proof verifier could in principle infer and propagate them forward from the distinct variable requirements of the axioms. The Metamath Solitaire applet does this, inferring both the resulting proof steps and their distinct variable requirements as you feed it axioms to build a proof. (The mmj2 program will also infer the necessary $d statements for a proof under development.) The Metamath language spec, on the other hand, requires them to be explicit partly to speed up the verifier (for example, otherwise we couldn't verify a proof in isolation but would have to analyze every proof it depends on), but making them explicit also allows someone writing a proof to easily determine by inspection the distinct variable requirements of a theorem he or she wishes to reference.

A curiosity    Two otherwise identical theorems with different distinct variable requirements can express different mathematical facts. Compare, for example, dvdemo1 and dvdemo2.

Appendix 4: A Note on Definitions   

The bottom line    The Metamath language itself doesn't have a separate mechanism for introducing definitions and in particular ensuring their soundness. The only way to add a definition to a database is to introduce it as a new axiom. In the same way that an axiom system can be inconsistent, an unsound definition may lead to an inconsistency.

If you don't know what we mean by an unsound definition, here is a simple example. Suppose we modify df-2 to become the self-referential expression "2 = ( 1 + 2 )" instead of its present "2 = ( 1 + 1 )". From this, we can easily prove the contradiction 0 = 1. Therefore, this "definition" leads to inconsistency and is unsound. But since it is an axiomatic ($a) assertion in the database, the Metamath proof verifier is perfectly content to use it as a new fact and does not issue an error message.

Thus, the soundness of definitions must be verified independently of the Metamath proof verifier, either by hand or with through the use of a separate automated tool customized for the logic used by the database.

For the specific case of the set theory database set.mm, Mario Carneiro added an enhancement to the mmj2 program that will verify the soundness of all but 5 definitions. This test can be turned on by adding

SetMMDefinitionsCheckWithExclusions,ax-*,df-bi,df-clab,df-cleq,df-clel,df-sbc

to the RunParms.txt file. (The 5 excluded definitions, df-bi, df-clab, df-cleq, df-clel, and df-sbc, need to be justified with metalogic outside of mmj2's capabilities. You can consider them additional axioms if it bothers you. See also the discussion "Definitions or Axioms?" in the Theory of Classes section above.)

Discussion    The Metamath language provides a very simple and general framework for describing arbitrary formal systems. Intrinsically it "knows" nothing about logic or math; all it does is blindly assure us that we cannot prove anything not permitted by whatever formal system we have described to it. What we call an "axiom" is to Metamath merely a new pattern for combining symbols that we have told it is permissable. The same holds for what we call "definitions"—to Metamath, definitions merely extend the formal system with new patterns and are indistinguishable from axioms by the proof verifier.

For convenience, we usually make an artificial distinction by prefixing definition names with "df-". But every definition is assumed to have been metalogically justified outside of the Metamath formalism as being sound. A definition is sound provided (1) it is eliminable (the wff for any theorem containing a defined symbol can be converted to an equivalent wff without it) and (2) it is conservative (a theorem should be provable from the original axioms after the definition is eliminated).

This method of introducing definitions as new axioms keeps the Metamath language simple and not tied to any specific formal system. A definition that is sound in one formal system may be unsound in another. For example, a recursive definition may not be eliminable in a system too weak to prove the necessary recursion theorem (and even when it is, its elimination can be quite complex; see e.g. the discussion of df-rdg).

One extreme viewpoint is to consider all definitions to be additional axioms, following logicians such as Leśniewski [C. Lejewski, "On implicational definitions," Studia Logica 8:189-208 (1958)].

Leśniewski regards definitions as theses of the system. In this respect they do not differ either from the axioms or from theorems, i. e. from the theses added to the system on the basis of the rule of substitution or the rule of detachment. Once definitions have been accepted as theses of the system, it becomes necessary to consider them as true propositions in the same sense in which axioms are true. [p. 190]

This was roughly the original idea when Metamath was first designed. The concept of definitional soundness was considered outside of the scope of the proof verification engine, because it is intrinsically dependent on the strength of the axiom system. Instead, definitional soundness was expected to be verified independently, either by hand or by an automated tool customized for the particular logic system used by the database. (Such a tool might recognize the "df-" prefix as a keyword meaning "definition" and would impose constraints to guarantee that the definition is sound under the axiom system of that database.)

In the set theory database set.mm, we have adopted the conservative convention that most definitions, beyond the basics needed for a practical development of set theory, consist of a single new class constant symbol followed by an equal sign followed by a class expression built from earlier symbols, for example the definition of rational numbers df-q. Thus the definition is more or less a drop-in replacement that abbreviates a fixed, more complicated expression (with possible renaming of bound variables). The soundness of such definitions is simple to check by inspection: if (1) the left-hand constant symbol is new and doesn't appear in the right-hand side, (2) all variables are distinct (all of them appear in a single $d statement), and (3) we can prove (with a Metamath theorem, e.g. qjust for df-q) that the right-hand expression equals itself with all variables renamed, then the definition is sound. This convention allows all but 5 definitions to be verified automatically by mmj2 as described above.

A non-mathematical (human) issue with a definition is whether it matches the generally understood meaning of a concept. For example, if we swapped the symbols 4 (df-4) and 5 (df-5) everywhere, all definitions would remain sound, but we could "prove" that ( 2 + 2 ) = 5. For this reason, all definitions still must be carefully scrutinized by a competent mathematician, and obviously there is no way to automate this inspection.

The definition list (3MB) shows all of the definitions in the database. The web page for each proof lists all definitions that were used somewhere along its path back to the axioms, so that nothing is hidden from the user in this sense.

(Thanks to Raph Levien, Freek Wiedijk, Bob Solovay, and Mario Carneiro for discussions on this topic.)

Appendix 5: How to Find Out What Axioms a Proof Depends On    At the end of each proof there is a list called "This theorem was proved from these axioms." These are the axioms needed to prove the theorem from scratch, if all definitions were eliminated. (You can also do this from within the Metamath program: type "show trace_back 2p2e4 /essential /axioms" to get the list for theorem 2p2e4.)

You shouldn't expect to see immediately the relationship between them and the proof you are looking at—it is usually not obvious at all. This list of axioms was determined by scanning back through the proof tree until axioms were reached, and in fact required a considerable amount of CPU power. Mathematicians generally like to prove theorems using as few axioms as possible, which I also usually tried to do, so this list is often the minimum set needed for the proof you are seeing.

For example, we see that the Axiom of Choice ax-ac was not needed to prove 2 + 2 = 4 2p2e4, but we did need the Axiom of Infinity ax-inf2. Why did we need Infinity? Well, our number 2 is a real number, and the Axiom of Infinity is needed to prove that any real number exists. (And why is this? Very informally, we can think of an arbitrary real number as having an infinite list of digits after the decimal point, and we need an axiom that tells us that such infinite lists exist before we can manipulate them with set variables.) But the place where Infinity is used is buried deep inside the proof tree—you have to drill down through 49 layers of proofs to find it. If you want to see its path all the way to 2 + 2 = 4, locate mulpipq in the 2 + 2 = 4 Trivia path list above. Then branch off from that path and follow this one back to the Axiom of Infinity: mulpipq <- enqex <- niex <- omex <- zfinf <- ax-inf2.

To find out the path above, in the Metamath program I saved the outputs of "show usage ax-inf2 /recursive" and "show trace_back 2p2e4" into two lists then determined their common members with some text processing.

Appendix 6: Notation for Function and Operation Values    In general I tried to choose notation that is conventional or familiar, but I had to weigh it against introducing ambiguity or making the collection of notations too bloated. Traditional notation includes many prefix and infix operations; parsing this in an unambiguous way can be complicated. Sometimes I favored simplicity and consistency over convention. An important example is the notation for a function value cfv, expressed by "(F` A)". Here "F" is a class that normally is a function, the argument "A" is a class that normally belongs to the domain of the function, and "(F` A)" is the class that results when the function is evaluated at the argument. (The result, however, is well-defined for any classes whatsoever substituted for the class variables, and our definition ends up evaluating to the empty set when it is not meaningful—see for example theorem ndmfv.)

Textbooks often use the familiar notation "F(A)" for the value of a function. Outside of context, this notation is ambiguous: it could also mean the expression that results when A is substituted into the expression that F represents. Our left-apostrophe notation, invented by Peano, is often used by set theorists and has the advantage for us that it is unambiguous and independent of context.

For special functions such as square root, textbooks indicate function values with an assortment of two-dimensional glyphs and syntactical idioms that may be ambiguous outside of context. Our versions may seem unfamiliar because we are constrained to a linear language and we need context-independent, unambiguous notation. We also prefer a single notation for function value to be able to reuse our rich collection of theorems about function values. For example, in the square root theorem sqrthi, the square root symbol "sqr" is a function i.e. a class (csqr), and we display the square root of 2 as "(sqr` 2)". Two other examples are the real part of an complex number A, where we use "(Re` A)" instead of "ReA", and the conjugate of a complex number, where we use "(*` A)" instead of "A*" (or sometimes with an overbar), both of which you can see in theorem cjval. Another example is the factorial function, which we express as "(!` A)" instead of "A!" in facnn2. In the conventional textbook notation, these four examples use four different positional relationships to indicate one concept (the value of a function), but I decided to use a single syntax for all four to make the development of proofs simpler.

There is an exception to the above convention: the unary minus function df-neg is so common I decided to create a special syntax for it. So, the negative of a complex number is represented as the visually more familiar "-uA" rather than the more tedious "(-u` A)". A drawback is that we have to prove separately certain theorems such as the equality theorem negeq instead of being able to reuse the general-purpose fveq2.

Another very important exception is the notation for an operation value, which is the function value of an ordered pair as defined by df-ov. It is so commonly used that we adopted the convenient and familiar notation of three juxtaposed class expressions surrounded by parentheses, such as "( 3 + 2 )". While this may appear to be syntactically ambiguous with such expressions as the union of two classes (cun), "(A u. B)", the difference is that operation value notation requires that the center symbol be a class expression: "+" is a class expression (caddc) but a stand-alone "u." is not. (We do not define the union of two classes as an operation because it must work with proper classes as arguments—not to mention that the operation value definition ultimately depends on it anyway.)

Prefix expressions (those beginning with a constant, such as the unary minus above, logical negation, and the "for all" quantifier) have tighter binding than infix expressions and don't require parentheses. Also, whenever an infix expression is a predicate—i.e. has class variable arguments but evaluates to a wff, such as A = B—parentheses are not needed for disambiguation. The infix predicates that are not surrounded by parentheses are:

A = B
x = y
A e. B
x e. y
A =/= B
A e/ B
A C_ B
A C. B
A R B
R Po A
R Or A
R Fr A
R We A
A Fn B
R _Se A
R _FrSe A

There are a few other cases in the notation where infix is used without parentheses:

F : A --> B
F : A -1-1-> B
F : A -onto-> B
F : A -1-1-onto-> B
H Isom R , S ( A , B )

Appendix 7: Some Predicate Calculus Subsystems   

In the set.mm database, there are 10 other axiom schemes of predicate calculus (ax-4, ax-5o, ax-6o, ax-9o, ax-10, ax-10o, ax-11o, ax-12o, ax-15, and ax-16) that are not included in our "official" list of 10 predicate calculus axiom schemes (and one rule) above, because they can be derived as theorems from the official ones. We used to include them, but they were removed from the official list over time when they were discovered to be redundant or were replaced by new versions (in the case of the ones suffixed with "o" for "old"). However, we have kept them in the database, because from the set consisting of these 10 axiom schemes plus the "official" ones, several subsystems can be of interest for certain studies. For brevity, "axiom" always means "axiom scheme" in the table below. In the table, we assume that all 19 axiom schemes and 1 rule (22 axioms and 2 rules if we include propositional calculus) are present, except for the ones listed in the "Omit axioms" column.

Omit axioms	Discussion of resulting subsystem
ax-4, ax-5o, ax-6o, ax-9o, ax-10, ax-10o, ax-11o, ax-12o, ax-15, and ax-16	As mentioned above, these 10 omitted axioms can be derived from the others (see theorems ax4, ax5o, ax6o, ax9o, ax10o, ax11o, ax12o, ax15, ax16). This system is metalogically complete and is the one we ordinarily use. It is equivalent to system S3' in Remark 9.6 of [Megill]. Even though we reference these 10 redundant axioms in proofs for better granularity, each of them is proved from the others in the corresponding theorem immediately before each redundant axiom is introduced, so if desired all references to them can be eliminated easily.
ax-17	This system is logically complete (see comments in ax-17), but we lose the powerful metalogic afforded by the concept of "a variable not occurring in a wff". It is conjectured that ax-4, ax-11o, and ax-15 (and possibly other otherwise redundant ones as well) cannot be derived from the others in this system. Proofs in any system omitting ax-17 tend to be long.
ax-11, ax-11o	This system is logically complete. Any specific substitution instance of the omitted axioms that contains no wff metavariables can be derived from from the axioms of this subsystem (see theorems ax11eq, ax11el, ax11indn, ax11indi, and ax11inda), but, as Juha Arpiainen proved, the omitted axioms themselves cannot be derived (see comments in ax-11). In other words, this system is logically complete but is not metalogically complete.
ax-10, ax-11, ax-11o, ax-16, ax-17	System with no distinct variables. This system has no distinct variable contraints, making the concept of substitution as simple as it can possibly be and also significantly simplifying the algorithm for verifying proofs. It is equivalent to system S2 in Section 4 of [Megill]. The primary drawback of this system is that for it to be considered complete, we must ignore antecedents called "distinctors" that stand in for what would be distinct variable constraints (see the linked discussion). We can optionally include ax-11o or ax-11 for a somewhat more powerful metalogic, since these also involve no distinct variable restrictions (although without them we can still derive any instance of them not containing wff metavariables). Proofs in this system tend to be long.
ax-11o, ax-16, ax-17	It is conjectured that ax-11o cannot be derived from the axioms of this subsystem. See Item 9b on the Workshop Miscellany page.
ax-11, ax-16, ax-17	It is known that ax-11 can be derived from the axioms of this subsystem (see theorem ax11).
ax-10o and ax-11	It is conjectured that ax-10o cannot be derived from the axioms of this subsystem.
Omit all predicate calculus axioms except ax-4, ax-5, ax-6, ax-7, and ax-gen	The subsystem ax-1 through ax-7, ax-mp, and ax-gen, i.e. the axioms not involving equality, is weaker than traditional predicate calculus without equality (i.e. that omits the equality axioms labeled stdpc6 and stdpc7 in the table in the traditional predicate calculus section). The reason is that traditional predicate calculus incorporates proper substitution as part of its metalogic, whereas in our system proper substitution is accomplished directly by the logic itself through our more complex axioms ax-8 through ax-17. In our system, substitution and equality are intimately tied in with each other. This "pure" subsystem in effect represents the fragment of logic that remains when equality, proper substitution, and the concept of distinct variables are completely stripped out. Interestingly, if we map "for all" to "necessity" and omit ax-7 from the "pure" subsystem, the result is exactly the modal logic system known as S5 (thanks to Bob Meyer for pointing this out). See also Item 12 on the Workshop Miscellany page. Optionally, we can replace ax-5 and ax-6 with ax-5o and ax-6o (provided we replace them both) to obtain an equivalent subsystem. Theorems ax5, ax6, ax5o, and ax6o prove the equivalence. In this subsystem, ax467 can replace ax-4, ax-6o, and ax-7.

Reading Suggestions    Logic and set theory provide a foundation for all of mathematics. One possible way to start to learn about them is to use the Metamath Proof Explorer in conjunction with one or more textbooks listed in the Bibliography of the next section. The textbooks provide a motivation for what we are doing, whereas the Metamath Proof Explorer lets you see in detail all hidden and implicit steps. Most standard theorems are accompanied by literature cross references, and it will probably be easier to acquire a higher-level understanding of them if you consult these.

For propositional and predicate calculus, Margaris is now available in an inexpensive Dover edition and is reasonably readable for beginners, once you get used to the archaic dot notation used in place of parentheses. Our 19.x series of theorems, such as 19.35, corresponds to Margaris' handy predicate calculus table on pp. 89-90. Hirst and Hirst's on-line A Primer for Logic and Proof, mentioned above, uses modern notation and is also highly recommended.

For set theory, Quine is wonderfully written and a pleasure to read. The first part on virtual classes (pp. 15-21) is a must-read if you want to understand our purple class variables (which in Quine are Greek letters). (See also the Theory of Classes above.) Quine also uses the archaic dot notation, but this is really a very minor hurdle, especially since you can compare the Metamath versions of many of the theorems. Takeuti and Zaring is the set theory reference we follow most closely, including most of our notation, and its rigor makes it straightforward to formalize proofs; but some people find it a dry and technical read, and it is also out of print. Suppes, which is available in a Dover edition, goes to extremes to avoid virtual classes, leading to bizarre theorems like "the set of all sets is empty" (Theorem 50, p. 35); nonetheless, it provides a gentle introduction that we reference surprisingly frequently.

Some closely followed texts in the Metamath Proof Explorer are listed below. I am not specifically endorsing them but just indicating which books and papers I consulted frequently while building the database.

Axioms of propositional calculus—Margaris.

Theorems of propositional calculus—Whitehead and Russell.

Axioms of predicate calculus—Megill (System S3' in the article referenced).

Theorems of pure predicate calculus—Margaris.

Theorems of equality and substitution—Monk2, Tarski, Megill.

Axioms of set theory—Bell and Machover.

Virtual classes in set theory (our class builder notation and our purple class variables)—Quine.

Development of set theory (including most of the notation we use)—Takeuti and Zaring.

Construction of real and complex numbers—Gleason

Elementary theorems about real numbers—Apostol

Bibliography    This is the complete list of books and articles that are cross referenced in the Metamath Proof Explorer database. The numbers in brackets are the Library of Congress classifications to make them easier to find on your university library shelves.

1. [AitkenIBG] Aitken, Wayne, "Incidence Betweenness Geometry," Handout (2008); available at http://public.csusm.edu/aitken_html/m410/betweenness.08.pdf (accessed 6 Apr 2016). [The series of handouts is available at http://public.csusm.edu/aitken_html/m410/ (accessed 6 Apr 2016).]
2. [AitkenIBCG] Aitken, Wayne, "IBC Geometry," Handout (2008); available at http://public.csusm.edu/aitken_html/m410/congruence.08.pdf (accessed 6 Apr 2016).
3. [AitkenNG] Aitken, Wayne, "Neutral Geometry," Handout (2010); available at http://public.csusm.edu/aitken_html/m410/neutral.10.pdf (accessed 6 Apr 2016).
4. [AitkenEG] Aitken, Wayne, "Euclidean Geometry," Handout (2010); available at http://public.csusm.edu/aitken_html/m410/euclidean.10.pdf (accessed 6 Apr 2016).
5. [AitkenQ] Aitken, Wayne, "Quadrilaterals," Handout (2008); available at http://public.csusm.edu/aitken_html/m410/quad.08.pdf (accessed 6 Apr 2016).
6. [AitkenLDZT] Aitken, Wayne, "Legendre's Defect Zero Theorem," Handout (2008); available at http://public.csusm.edu/aitken_html/m410/defectzero.08.pdf (accessed 6 Apr 2016).
7. [AitkenEHC] Aitken, Wayne, "Euclidean and Hyperbolic Conditions," Handout (2008); available at http://public.csusm.edu/aitken_html/m410/conditions.08.pdf (accessed 6 Apr 2016).
8. [AitkenTHG] Aitken, Wayne, "Topics in Hyperbolic Geometry," Handout (2008); available at http://public.csusm.edu/aitken_html/m410/hyperbolic.08.pdf (accessed 6 Apr 2016).
9. [AkhiezerGlazman] Akhiezer, N. I., and I. M. Glazman, Theory of Linear Operators in Hilbert Space, Vol. I, Dover Publications, Mineola, New York (1993) [QA322.4.A3813 1993].
10. [Apostol] Apostol, Tom M., Calculus, vol. 1, 2nd ed., John Wiley & Sons Inc. (1967) [QA300.A645 1967].
11. [Baer] Baer, Reinhold, Linear Algebra and Projective Geometry, Academic Press, New York (1952) [QA471.B34].
12. [BellMachover] Bell, J. L., and M. Machover, A Course in Mathematical Logic, North-Holland, Amsterdam (1977) [QA9.B3953].
13. [BeltramettiCassinelli1] Enrico G. Beltrametti and Gianni Cassinelli, "Logical and Mathematical Structures of Quantum Mechanics," La Rivista del Nuovo cimento 6:321-404 (1976) [QC.R625].
14. [BeltramettiCassinelli] Enrico G. Beltrametti and Gianni Cassinelli, The Logic of Quantum Mechanics (Encyclopedia of Mathematics and Its Applications; v. 15, Mathematics of Physics), Addison-Wesley, Reading, Massachusetts (1981) [QC174.12.B45].
15. [Beran] Ladislav Beran, Orthomodular Lattices; Algebraic Approach, D. Reidel, Dordrecht (1985) [QA171.5.B4].
16. [BourbakiEns] Bourbaki, Nicolas, Théorie des ensembles, Springer-Verlag, Berlin Heidelberg (2007); available in English (for purchase) at http://www.springer.com/us/book/9783540225256 (accessed 15-Aug-2016). Page references in set.mm are for the French edition.
17. [BourbakiAlg1] Bourbaki, Nicolas, Algèbre, Chapitres 1 à 3, Springer-Verlag, Berlin Heidelberg (2007); available in English (for purchase) at /http://www.springer.com/us/book/9783540642435 (accessed 15-Aug-2016). Page references in set.mm are for the French edition.
18. [BourbakiTop1] Bourbaki, Nicolas, Topologie générale, Chapitres 1 à 4, Springer-Verlag, Berlin Heidelberg (2007); available in English (for purchase) at http://www.springer.com/us/book/9783540642411 (accessed 15-Aug-2016). Page references in set.mm are for the French edition.
19. [BourbakiTop2] Bourbaki, Nicolas, Topologie générale, Chapitres 5 à 10, Springer-Verlag, Berlin Heidelberg (2007); available in English (for purchase) at http://www.springer.com/us/book/9783540645634 (accessed 15-Aug-2016). Page references in set.mm are for the French edition.
20. [BourbakiFVR] Bourbaki, Nicolas, Fonctions d'une variable réelle, Springer-Verlag, Berlin Heidelberg (2007); available in English (for purchase) at http://www.springer.com/us/book/9783540653400 (accessed 15-Aug-2016). Page references in set.mm are for the French edition.
21. [Cohen] Cohen, David, Precalculus With Unit-Circle Trigonometry, Brooks-Cole, Pacific Grove, CA (1988) [QA331.3.C64].
22. [ChoquetDD] Choquet-Bruhat, Yvonne and Cecile DeWitt-Morette, with Margaret Dillard-Bleick, Analysis, Manifolds and Physics, Elsevier Science B.V., Amsterdam (1982) [QC20.7.A5C48 1981].
23. [CormenLeisersonRivest] Cormen, Thomas, Charles E. Leiserson, and Ronald L. Rivest, Introduction to Algorithms, The MIT Press, Cambridge, Massachusetts (1989) [QA76.6.C662].
24. [Crawley] Crawley, Peter and Robert P. Dilworth, Algebraic Theory of Lattices, Prentice-Hall, Englewood Cliffs, New Jersey (1973) [QA171.5.C7].
25. [Diestel] Diestel, Reinhard, Graph Theory, Electronic Edition, Springer-Verlag, Heidelberg (2005) [QA166.D51413]. URL: http://diestel-graph-theory.com/index.html
26. [Eisenberg] Eisenberg, Murray, Axiomatic Theory of Sets and Classes, Holt, Rinehart and Winston, Inc., New York (1971) [QA248.E36].
27. [Enderton] Enderton, Herbert B., Elements of Set Theory, Academic Press, Inc., San Diego, California (1977) [QA248.E5].
28. [Euclid1] Euclid, The Thirteen Books of Euclid's Elements, Vol. I: Introduction and books I—II, translated by Thomas L. Heath, Cambridge University Press, Cambridge (1908); available at https://archive.org/details/thirteenbookseu03heibgoog (accessed 9 Apr 2016). See also David Joyce's web pages at http://aleph0.clarku.edu/~djoyce/java/elements/ for interactive Java applets and detailed expositions.
29. [Euclid2] Euclid, The Thirteen Books of Euclid's Elements, Vol. II: Books III—IX, translated by Thomas L. Heath, Cambridge University Press, Cambridge (1908); available at https://archive.org/details/thirteenbookseu03heibgoog (accessed 9 Apr 2016).
30. [Euclid3] Euclid, The Thirteen Books of Euclid's Elements, Vol. III: Books X—XIII and appendix, translated by Thomas L. Heath, Cambridge University Press, Cambridge (1908); available at https://archive.org/details/thirteenbookseu03heibgoog (accessed 9 Apr 2016).
31. [Fremlin1] Fremlin, D. H., Measure Theory, Vol. 1: The Irreducible Minimum, 2nd ed., Lulu Press, Morrisville, North Carolina (2011) [QA312.F72]; available at https://wiki.math.ntnu.no/_media/tma4225/2011/fremlin-mt1.pdf (accessed 14 Apr 2015).
32. [Fremlin5] Fremlin, D. H., Measure Theory, Vol. 5: Set-theoretic Measure Theory Lulu Press, Morrisville, North Carolina (2008) [QA312.F72]; available at https://www.essex.ac.uk/maths/people/fremlin/mt.htm (accessed 14 Apr 2015).
33. [FreydScedrov] Freyd, Peter J. and Andre Scedrov, Categories, Allegories, Elsevier Science Publishers B.V., Amsterdam (1990) [QA169.F73 1990].
34. [Gleason] Gleason, Andrew M., Fundamentals of Abstract Analysis, Jones and Bartlett Publishers, Boston (1991) [QA300.G554].
35. [Hamilton] Hamilton, A. G., Logic for Mathematicians, Cambridge University Press, Cambridge, revised edition (1988) [QA9.H298 1988].
36. [Hatcher] Hatcher, Allen, Algebraic Topology, Cambridge University Press, Cambridge (2002) [QA612.H42 2002]; available at http://www.math.cornell.edu/~hatcher/AT/ATpage.html (accessed 11 Nov 2014).
37. [Herstein] Herstein, I. N., Abstract Algebra, Macmillan Publishing Company, New York (1986) [QA162.H47 1986].
38. [Hitchcock] Hitchcock, David, The peculiarities of Stoic propositional logic, McMaster University; available at http://www.humanities.mcmaster.ca/~hitchckd/peculiarities.pdf (accessed 3 Jul 2016).
39. [Holland95] Holland, Samuel S., "Orthomodularity in infinite dimensions; a theorem of M. Solèr," Bull. Am. Math. Soc. 32:205-234 (1995) [QA.A513]; available at http://arxiv.org/abs/math/9504224v1 (accessed 11 Nov 2014).
40. [Jech] Jech, Thomas, Set Theory, Academic Press, San Diego (1978) [QA248.J42].
41. [JonesMatijasevic] Jones, J. P. and Y. V. Matijasevič (Matiyasevich), "Proof of Recursive Unsolvability of Hilbert's Tenth Problem," American Mathematical Monthly, 98:689-709 (1991) [QA.A5125]; available at http://www.williamstein.org/edu/Spring2003/21n/papers/hilbert10.pdf (accessed 11 Nov 2014).
42. [JustWeese] Just, Winfried, and Martin Weese, Discovering Modern Set Theory I: The Basics, The American Mathematical Society, Providence, R.I. (1995) [QA248.J87].
43. [KalishMontague] Kalish, D. and R. Montague, "On Tarski's formalization of predicate logic with identity," Archiv für Mathematische Logik und Grundlagenforschung, 7:81-101 (1965) [QA.A673].
44. [Kalmbach] Gudrun Kalmbach, Orthomodular Lattices, Academic Press, London (1983) [QA171.5.K34].
45. [KanamoriPincus] Kanamori, A. and D. Pincus, "Does GCH Imply AC Locally?", in Gábor Halász, et al.(eds.), Paul Erdős and his Mathematics, Bolyai Society Mathematical Studies 11:413-426, János Bolyai Mathematical Society, Budapest (2002) [QA1.P194 2002]; available at http://math.bu.edu/people/aki/7.pdf (accessed 4 Jun 2015).
46. [Kreyszig] Kreysig, Erwin, Introductory Functional Analysis with Applications, John Wiley & Sons, New York (1989) [QA320.K74].
47. [Kunen] Kunen, Kenneth, Set Theory: An Introduction to Independence Proofs, Elsevier Science B.V., Amsterdam (1980) [QA248.K75].
48. [KuratowskiMostowski] Kuratowski, K. and A. Mostowski, Set Theory: with an Introduction to Descriptive Set Theory, 2nd ed., North-Holland, Amsterdam (1976) [QA248.K7683 1976].
49. [LarsonHostetlerEdwards] Larson, Ron, Robert P. Hostetler, and Bruce H. Edwards, Calculus: Early Transcendental Functions, 3rd ed., Houghton Mifflin Company (2003) [QA303.L3274 2003]
50. [LeBlanc] LeBlanc, Hugues, "On Meyer and Lambert's Quantificational Calculus FQ," J. Symb. Logic 33:275-280 (1968) [QA.J87].
51. [Levy58] Lévy, A., "The independence of various definitions of finiteness," Fundamenta Mathematicae, 46:1-13 (1958) [QA.F981]
52. [Levy] Levy, Azriel, Basic Set Theory, Dover Publications, Mineola, N.Y. (2002) [QA248.L398 2002].
53. [Lopez-Astorga] Lopez-Astorga, Miguel, "The First Rule of Stoic Logic and its Relationship with the Indemonstrables", Revista de Filosofía Tópicos (2016); available at http://www.scielo.org.mx/pdf/trf/n50/n50a1.pdf (accessed 3 Jul 2016).
54. [MaedaMaeda] Maeda, Fumitomo (1897-1965) and Shuichiro Maeda, Theory of Symmetric Lattices, Springer-Verlag, New York (1970) [Q171.5.M184].
55. [Margaris] Margaris, Angelo, First Order Mathematical Logic, Blaisdell Publishing Company, Waltham, Massachusetts (1967) [QA9.M327].
56. [McKMegPav] McKay, B., N. Megill, and M. Pavicic, "Algorithms for Greechie Diagrams," Int. J. Theor. Phys., 39:2393-2417 (2000) [QC.I626]; available at http://xxx.lanl.gov/abs/quant-ph/0009039 (accessed 11 Nov 2014).
57. [Megill] Megill, N., "A Finitely Axiomatized Formalization of Predicate Calculus with Equality," Notre Dame Journal of Formal Logic, 36:435-453 (1995) [QA.N914]; available at http://projecteuclid.org/euclid.ndjfl/1040149359 (accessed 11 Nov 2014); the PDF preprint has the same content (with corrections) but pages are numbered 1-22, and the database references use the numbers printed on the page itself, not the PDF page numbers. See technical note 1 above for some additional notes on this paper.
58. [MegPav2000] Megill, N. and M. Pavičić, "Equations, States, and Lattices of Infinite-Dimensional Hilbert Space," Int. J. Theor. Phys. 39:2337-2379 (2000) [QC.I626]; available at http://xxx.lanl.gov/abs/quant-ph/0009038 (accessed 11 Nov 2014).
59. [MegPav2002] Megill, N. and M. Pavičić "Deduction, Ordering, and Operations in Quantum Logic," Found. Phys. 32:357-378 (2002) QC.F771; available at http://xxx.lanl.gov/abs/quant-ph/0108074 (accessed 11 Nov 2014).
60. [Mendelson] Mendelson, Elliott, Introduction to Mathematical Logic, 2nd ed., D. Van Nostrand (1979) [QA9.M537].
61. [Monk1] Monk, J. Donald, Introduction to Set Theory, McGraw-Hill, Inc. (1969) [QA248.M745].
62. [Monk2] Monk, J. Donald, "Substitutionless Predicate Logic with Identity," Archiv für Mathematische Logik und Grundlagenforschung, 7:103-121 (1965) [QA.A673].
63. [Moschovakis] Moschovakis, Yiannis N., Notes on Set Theory, Springer, New York, second edition (2006) [QA248.M665 2006].
64. [Munkres] Munkres, James Raymond, Topology: a first course, Prentice-Hall, Englewood Cliffs, New Jersey (1975) [QA611.M82].
65. [Ponnusamy] Ponnusamy, S., Foundations of Functional Analysis, Alpha Science International Ltd., Pangbourne (2002) [QA320.P66 2002].
66. [PtakPulmannova] Pavel Pták and Sylvia Pulmannová, Orthomodular Structures as Quantum Logics, Kluwer Academic Publishers, Dordrecht (1991) [QC174.17.M35P7713].
67. [Quine] Quine, Willard van Orman, Set Theory and Its Logic, Harvard University Press, Cambridge, Massachusetts, revised edition (1969) [QA248.Q7 1969].
68. [ReedSimon] Michael Reed and Barry Simon, Methods of Modern Mathematical Physics, Vol. I: Functional Analysis, Academic Press, New York (1972) [QC20.7.F84.R43].
69. [Rudin] Rudin, Walter, Principles of Mathematical Analysis, McGraw-Hill, New York, second edition (1964) [QA300.R916 1964].
70. [Sanford] Sanford, David H., If P, then Q: Conditionals and the Foundations of Reasoning, 2nd ed., Routledge Taylor & Francis Group (2003); ISBN 0-415-28369-8; available at https://books.google.com/books?id=h_AUynB6PA8C&pg=PA39#v=onepage&q&f=false (accessed 3 Jul 2016).
71. [Schechter] Schechter, Eric, Handbook of Analysis and Its Foundations, Academic Press, San Diego (1997) [QA300.S339].
72. [Schwabhauser] Schwabhauser, Wolfram, Wanda Szmielew, and Alfred Tarski, Metamathematische Methoden in der Geometrie, Springer-Verlag, Berlin, New York (1983) [QA481.S38]
73. [Shapiro] Shapiro, Harold N., Introduction to the Theory of Numbers, Dover Publications, Inc. (2008) [QA241.S445 1983].
74. [Stoll] Stoll, Robert R., Set Theory and Logic, Dover Publications, Inc. (1979) [QA248.S7985 1979].
75. [Strang] Strang, Gilbert, Calculus, 1st ed., Wellesley-Cambridge Press (1991) [QA303.S8839 1991]; ISBN 978-09802327-45; available at http://ocw.mit.edu/resources/res-18-001-calculus-online-textbook-spring-2005/ (accessed 24 Nov 2015).
76. [Suppes] Suppes, Patrick, Axiomatic Set Theory, Dover Publications, Inc. (1972) [QA248.S959].
77. [TakeutiZaring] Takeuti, Gaisi, and Wilson M. Zaring, Introduction to Axiomatic Set Theory, Springer-Verlag, New York, second edition (1982) [QA248.T136 1982].
78. [Tarski] Tarski, Alfred, "A Simplified Formalization of Predicate Logic with Identity," Archiv für Mathematische Logik und Grundlagenforschung, 7:61-79 (1965) [QA.A673].
79. [Truss] Truss, John Kenneth, Foundations of Mathematical Analysis, Oxford University Press, Oxford (1997) [QA299.8.T78 1997].
80. [vandenDries] van den Dries, Lou, "Recursion Theory Notes, Fall 2011," available at http://www.math.uiuc.edu/~vddries/recursion.pdf (accessed 11 Nov 2014).
81. [WhiteheadRussell] Whitehead, Alfred North, and Bertrand Russell, Principia Mathematica to *56, Cambridge University Press, Cambridge, 1962 [QA9.W592 1962].

Browsers and Fonts

Browsing with the Unicode font     By default, the Metamath Proof Explorer uses GIF images for all math symbols. Depending on your computer, browser, and Internet connection, this may result in slow rendering of large proofs, such as projlem7 (870K), which is the largest in the database. On each page with a proof, at the top there is a link to switch to the Unicode font version. You will stay in the Unicode font directory (you will see "mpeuni" instead of "mpegif" in the URL) until you switch back to the GIF version on a page with a proof.

Unfortunately, Internet Explorer versions 6 and 7 do not implement some of the standard Unicode math symbols, which is why I chose GIF images as the default. The missing symbols are displayed as blank rectangular boxes, making the page unreadable. The free Firefox and Mozilla [external] browsers implement them correctly. Safari on MacOS X (10.3.9) has also been reported to work (and quite nicely, based on a screenshot sent to me).

If you know of any other browsers that work correctly with Metamath's Unicode symbols, let me know so that I can put the information here. To check for correctness, compare the symbols in Unicode and GIF versions of the ASCII token chart.

Display font     Since some people spend a great deal of time studying this site, I purposely left the main font unspecified so that you can choose the one you find the most comfortable. In Firefox, select Tools -> Options -> Content -> Default font. In Internet Explorer, select Tools -> Internet Options -> Fonts. On Windows, Times New Roman is the standard font. If you prefer a sans-serif font, Arial will align correctly with our math symbol GIF images. By the way, the minty green background color (#EEFFFA=r238,g255,b250) used for the proofs was chosen because it has been claimed to be less fatiguing for long periods of work, but most browsers will let you override it if you wish.

If you are viewing the GIF version of these pages, the appearance may be more consistent if font antialiasing is turned off. If you are viewing the Unicode version, the Unicode symbols may be more legible if it is turned on.

Viewing with a text browser    The Metamath Proof Explorer can be viewed with a text-only browser. All symbols will be shown as ASCII tokens. The most common text browser, Lynx, does not format tables, making proofs somewhat confusing to read. But good results are achieved with the table-formatting text browsers w3m [external] and links [external]. Of these, I personally find w3m the most readable.

One advantage of a text browser is that you can select and copy the formulas in a convenient ASCII form that can be pasted into text documents, emails, etc. (The Mozilla browser will also do this if the copy buffer is pasted into a text editor.) Text browsers are also extremely fast if you have a slow connection. If you are blind, a text browser can make this site accessible, although for theorem and proof displays, direct use of the Metamath program CLI (command-line interface) might be more efficient—I would be interested in any feedback on this.