Electronic Notes in Theoretical Computer Science 155 (2006) 341-359


Hiproofs: A Hierarchical Notion of Proof Tree

Ewen Denney a,1,2, John Power b,1,2 and Konstantinos Tourlas b,1,2

a RIACS, NASA Ames Research Center, Moffett Field, CA 94035, USA

b Laboratory for the Foundations of Computer Science, University of Edinburgh, King's Buildings, Edinburgh EH9 3JZ, Scotland

Abstract

Motivated by the concerns of theorem-proving, we generalise the notion of proof tree to that of hierarchical proof tree. Hierarchical trees extend ordinary trees by adding partial order structure to the set of nodes: that allows us to visualise a node as a rectangle in the plane rather than as a point, letting us use the containment relation to express structure additional to that given by a tree. A hierarchical proof tree, or hiproof for short, is a hierarchical tree with nodes labelled by tactics. We motivate the details of our definition by reference to the behaviour of tactics in tactical theorem proving. We characterise the construction of the ordinary proof tree underlying a hierarchical proof tree as a left adjoint. We then analyse the notion of proof refinement with respect to hierarchy, and we give a characterisation of hiproofs that is more directly suited to implementation.

Keywords: proof tree, hierarchical proof tree, skeleton, adjoint, refinement, tactical theorem proving

1 Introduction

Consider a proof by induction as represented by Figure 1(a): the nodes are labelled by tactic identifiers, inclusion of one node in another indicates a sub-tactic relationship, and the arrows represent sequential composition. The diagram is read as follows: the proof consists of invoking an induction tactic, Induction. That consists of applying an induction rule, Ind-Rule, which then generates two subgoals. The first subgoal is handled by the Base tactic, the second by the Step tactic. In turn, Step is defined as first applying the Rewrite tactic, and then the Use-Hyp tactic, with Base, Rewrite and Use-Hyp treated as primitive. In contrast to the usual presentations of a proof by induction, the emphasis is on tactics rather than on goals and proof steps.

1 This work has been supported by EPSRC grants nos. GR/M45030 (Ewen Denney) GR/N64571/01 and GR/586372/01 (John Power) and GR/N12480 (Konstantinos Tourlas). The first author did most of this work while in Edinburgh.

2 Email: edenney@email.arc.nasa.gov, ajp@inf.ed.ac.uk, kosutamu@yahoo.co.uk

1571-0661/$ - see front matter © 2006 Elsevier B.V. All rights reserved. doi:10.1016/j.entcs.2005.11.063

[Figure 1: two hierarchical proofs; node labels visible in the extraction: Induction, Ind-Rule, Rewrite, Use-Hyp (panel (a)) and Normalise (panel (b))]

Fig. 1. Two hierarchical proofs

For a structurally somewhat more complex proof, consider Figure 1(b). At the most abstract level, the proof consists of applying T1, and then DP. The tactic T1 first applies T2, generating two subgoals, the first of which is handled by WF. The second is handled by DP, which applies Normalise and then Taut.

These examples reflect, albeit very abstractly, the hierarchical structure of tactics as appear in proof assistants such as [5,8,10]. In this paper, we take a first abstract step towards developing a definition and mathematical theory of such hierarchy, ultimately aimed towards the development of interfaces, both graphical interfaces for individual theorem provers and interfaces between theorem provers based on common tactic structure (which is generally independent of the underlying logic). Our central definition, abstracting from Figures 1(a) and 1(b), is that of a hierarchical proof tree or hiproof. We analyse an appropriate choice of axioms for hiproofs in Section 2, the relationship between a hiproof and its underlying ordinary proof in Section 3, and a notion of refinement of hiproofs in Section 4. Finally, we characterise hiproofs in terms more amenable to implementation in Section 5.

Compared to the hierarchical structures typically implemented in modern theorem provers, our work is an abstract first step: hiproofs abstract away many concrete and operational features. The key abstractions are as follows:

• we only model tactics, not goals. Hierarchy per se is independent of the underlying logic. Moreover, tactics alone support rich structure, and we seek the simplest possible framework in which to study it.

• we consider a tactic as a black box, giving no implementation details of it beyond a record of which other tactics define it. We treat inference rules and axioms as primitive tactics.

• we only model the static structure of tactics, not their dynamics. Our diagrams represent only the sequence of tactic applications leading to a proof, not the tactic definitions themselves or information about proof search.

• we consider tree structure rather than dags. Implementations often use dags, but formal logic generally does not. Our aim is to study the structure of proof rather than particular implementations, allowing us independence from specific notions of basic proof and implementation technology.

The central result of the paper, in Section 3, characterises the skeleton, or underlying ordinary proof, of a hiproof, as a left adjoint to the inclusion of ordinary proofs in hiproofs. One wants to lift constructions on ordinary proofs via the skeleton functor to constructions on hiproofs. So the central results of Sections 4 and 5, for refinement and towards implementation respectively, show that the relevant constructions respect skeletons.

The use of diagrams in logic is far from new [2]. Fitch-style boxed natural deduction is one way to draw the boxes on a given proof, contrasting with the situation here. But hierarchical proofs along our lines appear in proof planning [4]. For example, two different representations appear in [11]. We know of little analysis of algebraic features of proofs, but see [9], which studies the dynamics of a representation language: we only address statics here, but one needs such statics in order to study dynamics.

More generally, any system (such as Coq, HOL and PVS) in which tactics may be defined from other tactics leads naturally to the kind of hierarchical proof here. In particular, the notion of hierarchy we formalise relates to that underlying the Lambda Clam family of proof planners [10], although Lambda Clam does not yet allow tactics to leave open goals as we do in Figure 1(b) for example. The Tecton system [8] also supports hierarchical proof: its hierarchy is 'two level' while ours allows arbitrary nesting. The PDS data structure [5], implemented in Omega [3] and other systems, is of similar generality to our hiproofs but is less abstract and includes implementation features. A PDS consists of names, sequents, and elements called justifications and reasons. Of those, named nodes and justification elements have counterparts in hiproofs.

                 ----- Ax        --------- Refl
                 A ⊢ A           A ⊢ x = x
                 --------------------------- And-I
                      A ⊢ A ∧ (x = x)
                 --------------------------- Imp-I
                      ⊢ A ⇒ A ∧ (x = x)

Fig. 2. A simple natural deduction proof.

Sequents and reasons implement goals and back-tracking, and so have no counterparts in hiproofs. Otherwise, a PDS (one which, moreover, happens to be a tree at the lowest level) corresponds closely to a concrete characterisation of hiproof.

In a different direction, hiproofs are closely related to higraphs (see for instance [1]), but the notions of refinement differ. This paper is to be understood as a first abstract step towards hierarchy in proofs, with no attempt to give the implementation structure of the languages and systems mentioned above.

2 Hierarchical proof trees

In this section, we define the notion of a hierarchical proof tree or hiproof. To motivate it, we first analyse, by means of an example, the relationship between tactics and standard notions of formal proof such as proofs in natural deduction style.

Example 2.1 Consider a natural deduction proof of A ⇒ A ∧ (x = x), as in Figure 2. The obvious (backwards) proof is implication introduction, followed by conjunction introduction, and then applying axiom and reflexivity to the two subgoals. The essential information of the proof is the sequence of inference rules, with the order of those rules represented by a proof tree as in Figure 3(a). Typically, however, theorem provers allow the use of higher-level tactics that group together the application of a number of low-level inferences. For example, it is common to have an Intros command, which performs all possible introduction rules. We can indicate this on the proof diagram by grouping Imp-I and And-I together, as in Figure 3(b). We could go further and define a tactic, Prop, which first calls Intros, and then tries to use axioms wherever possible. This gives the hierarchical structure of Figure 3(c). □

Example 2.1 shows that proofs can be represented as tactic- (or axiom and inference)-labelled trees with hierarchical structure on the set of nodes. The tree structure is straightforward, but the hierarchical structure and its interaction with the tree structure are more complex. We formalise the hierarchical structure by a partial order, with v < w represented visually by depicting the node v as sitting inside the node w. The partial order satisfies axioms to the effect that it is generated by a (finite) forest, and it is sometimes convenient to regard it as such. Our hierarchical trees are labelled by tactics, so we henceforth assume that A is a fixed non-empty set of tactic identifiers or method identifiers. We write isroot_F(v) (or isroot_≤(v)) for the assertion that there is a tree in forest F with root v, and we write siblings_F(v, v') (or siblings_≤(v, v')) if v and v' have the same parent or are both roots. Standard definitions of trees and forests are given in the appendix.

[Figure 3: (a) the proof tree Imp-I, And-I, Ax, Refl of Figure 2; (b) Imp-I and And-I grouped into Intros; (c) Intros and the axiom steps grouped into Prop]

Fig. 3. Introducing hierarchy in proof diagrams by grouping.

Definition 2.2 A hierarchical proof tree, or hiproof for short, consists of a (necessarily finite) forest qua poset i = (V, <_i) and a forest s = (V, →_s), together with a function t : V → A which labels the nodes in V with tactic identifiers in A, subject to the following conditions:

(i) arrows always target outer nodes: whenever v →_s w_1 and w_1 <_i w_2, then v <_i w_2;

(ii) arrows always emanate from inner nodes: whenever w_1 <_i v and v →_s w_2, then v = w_1;

(iii) inclusion and sequence are mutually exclusive: whenever v <_i w and v →_s w, then v = w;

(iv) given any two nodes v and v' which both lie at the top inclusion level, or are both immediately included in the same node, at most one of v, v' has no incoming edge:

∀v, v' ∈ V. siblings_i(v, v') ∧ isroot_s(v) ∧ isroot_s(v') ⇒ v = v'.

Note the subtlety in the first condition, especially in combination with the third: an arrow from a node v can only go to an outer node relative to the inclusion level of v. So, for instance, Example 2.1 satisfies the condition. Observe that the fourth condition together with finiteness imply that there is a unique node that is maximal with respect to <_i and has no incoming edge, acting as a kind of hierarchical root.

The main theorem justifying the axioms is Theorem 3.9, which shows that every hiproof unfolds to give an ordinary proof. But before developing that result, we shall analyse the axioms by looking at some non-examples. The axioms are designed to ensure that none of the diagrams in Figure 4 forms a hiproof.

[Figure 4: panels (a), (b), (c) and (d)]

Fig. 4. Four non-examples of hiproofs

In tactical theorem proving, one tactic is followed by another, which unfolds to give another tactic, and so on. So tactics are invoked 'at the most abstract level.' But Figure 4(a) contradicts that because if T1 is followed by T3 and T2 unfolds to T3, the more abstract T2 should follow T1. Equivalently, it would be permissible for T3 to follow T1, but then the fact that T2 is an abstraction of T3 would be irrelevant to the proof and should not be added after the composition of T1 and T3. Conversely, when a tactic finishes executing, control flows from the most recently executed tactic, i.e., the innermost, outwards, but Figure 4(b) contradicts that. We want to exclude Figure 4(c) too in order to avoid circularity of unfolding and sequencing. Finally, Figure 4(d) fails because tactic T1 should unfold to give a unique subsequent tactic to execute, not two.

The first condition in the definition of hiproof prohibits the inclusion hierarchy from being 'downwards' transcended by composition, e.g., as in Figure 4(a). The second condition precludes Figure 4(b). The third condition precludes Figure 4(c): the similar structure with the arrow pointing the other direction is already precluded by the second condition. And the fourth condition precludes Figure 4(d) as well as the similar non-proof example obtained from Figure 4(d) by removing the node labelled T1. For a positive example of a hiproof, consider Figure 1(b).

The main ideas behind the definition of hiproof can be understood in terms of Figures 1(a) and 1(b). Although motivated by diagrams, we have abstracted away from geometry to discrete mathematical structure. The central features are as follows:

• we do not require tactic identifiers to be unique as a tactic may be applied repeatedly in a proof. But we informally refer to proof nodes by their tactic identifiers where there is no ambiguity.

• there are only two relationships that can hold between nodes: inclusion, representing the unfolding of a tactic into its definition, with arrows representing sequential composition. For example, in Figure 1(b), the decision procedure DP unfolds to give the composition of Normalise with Taut.

• hiproofs are essentially tree-like in that subgoals are independent: a tactic acts on a single subgoal. That is not generally the case in tactical theorem proving, and we intend to extend the definition accordingly in future work. Tactics usually return a list of subgoals, but we abstract away from the order on child tactics.

A hiproof, therefore, consists of a finite collection of tactic-labelled nodes, related by inclusion and composition. Although the diagrams represent abstract versions of full proofs, we are interested in how such proofs are constructed, and so we consider partial proofs as well-formed.

3 Relating proof trees and hierarchical proof trees

In this section, we relate hierarchical proof trees with proof trees. Not only are proofs instances of hiproofs with trivial hierarchy, but, more importantly, every hiproof unfolds to give an ordinary proof, which we call its skeleton. As Example 2.1 illustrates, the relationship between ordinary proofs and hiproofs underlies our semantic understanding of the behaviour of hiproofs. So we should like to characterise our definition of skeleton axiomatically, and we do that here by showing that it acts as a left adjoint to the canonical inclusion. We retain the terminological conventions of Section 2.

Definition 3.1 A proof tree consists of a tree, (V, →, r), together with a tactic labelling function, t : V → A. □

Definition 3.2 A proof tree map α : (V, →, r, t) → (V', →', r', t') is a function α : V → V' such that α preserves roots and satisfies the following:

• u → v ⇒ α(u) →' α(v)

• t(u) = t'(α(u)). □

Proof trees together with proof tree maps form a category we denote by Proof. The category Proof has finite products and finite coproducts. Such category theoretic structures allow one to build complex proofs from less complex ones, and they provide transformations between proofs. The coproduct of a pair of proof trees is given by joining their roots. The product involves nodes with pairs of labellings, cf. Section 5. There are also sophisticated monoidal-like structures that, given a proof (V, →, r) and a family of proofs whose roots agree with the leaves of (V, →, r), allow one to attach the latter proofs at each of the leaves of (V, →, r), cf. [7] and Section 4. In further work, we want to lift such constructions from proof trees to hierarchical proof trees. But first we need to establish the precise nature of the relationship between the two notions, and we do that by finding an adjunction.

In order to find an interesting adjunction, characterising a natural notion of skeleton of a hiproof, we need a delicate definition of the notion of hiproof map, using a refinement of the partial order <_i.

Definition 3.3 In a hiproof, let <_f denote the suborder of <_i generated by putting u <_f v if u is a child of v and u has no incoming edge. □

It follows from the fourth condition of Definition 5.4 that <_f is always a finite set of finite chains.

Definition 3.4 A hiproof map α : (V, <_i, →_s, t) → (V', <'_i, →'_s, t') is a function α : V → V' such that α preserves →_s-roots and satisfies the following:

• u <_f v ⇒ α(u) <'_f α(v)

• u →_s v ⇒ α(u) →'_s^* α(v)

• t(u) = t'(α(u)). □

Hiproofs and hiproof maps form a category Hiproof. Proofs can naturally be considered as flat hiproofs as follows:

Definition 3.5 Let E : Proof → Hiproof send the proof γ = (V, →, r, t) to (V, id_V, →, t). □

Proposition 3.6 The functor E is fully faithful and preserves finite products and finite coproducts. □

The most important relationship between proofs and hiproofs is given by the unfolding of a hiproof into an ordinary proof, called its skeleton, as we discussed in analysing the non-examples of Figure 4. In order to describe and characterise the skeleton in general, we use the following correspondence between trees and partial orders: note, in the following, that v_1 < v_2 means that, in the corresponding tree, there is a path in the opposite direction, i.e., from v_2 to v_1.

Fig. 5. Skeleton of a hiproof

Proposition 3.7 To give a tree is equivalent to giving a finite poset T = (V, <) that satisfies the 'non-sharing' condition

∀x, y, z ∈ V. x < y and x < z implies y < z or z < y,

and has a top element ⊤. The resulting tree is (V, →, ⊤), where v → v' whenever v' ∈ cover_<(v), and the cover of a node is defined to be the set of nodes immediately below it. □

Corollary 3.8 To give a forest is equivalent to giving a finite poset (V, <) subject to the 'non-sharing' condition of Prop. 3.7: ∀x, y, z ∈ V. x < y and x < z implies y < z or z < y. □

Now we can define and characterise the skeleton of a hiproof as a left adjoint as follows:

Theorem 3.9 The functor E has a left adjoint, denoted by sk, sending a hiproof h = (V, <_i, →_s, t) to what we call its skeleton, given as follows: the A-labelled tree (V_T, →_T, r), corresponding to the finite poset T = (V_T, <_T), where V_T is the set of leaves of <_i, and v_1 <_T v_2 if and only if there exists v ∈ V such that v_2 <_i v and v_1 →_s v. □

Example 3.10 The skeleton of the hiproof in Figure 1(b) is given by Figure 5, and the skeleton of the hiproof depicted in Figure 3(c) is the proof depicted in Figure 3(a). □

The skeleton of a hiproof gives us a notion of an unfolding of a hiproof, given by the tree of underlying atomic tactics. If we think of atomic tactics as inferences and axioms, this gives us a standard non-hierarchical proof. We sometimes regard a skeleton as a proof and sometimes as a flat hiproof: formally, this amounts to applying the composite functor E sk and freely using the full faithfulness of E, which allows us to regard Proof as a full subcategory of Hiproof. Any construction or transformation we make of a hiproof, as we consider in the following sections, needs to be justified by preservation of, or a corresponding construction on, its skeleton.

[Figure 6: panels (a), (b), (c) and (d)]

Fig. 6. Refinement of hiproofs

4 Hiproof refinement

The fundamental construction one wants to make on a hiproof is refinement: the idea is that h_1 refines to h_2 when h_2 extends the proof in h_1, where extension is to be understood informally as "proving more". So our goal here is to formalise that. Proofs can grow in two ways: either by a tactic calling a subtactic, or by applying a new tactic to a subgoal. These correspond, respectively, to inclusion of and sequential composition with a tactic. Since we want to formalise a semantic, rather than operational, notion of refinement, our definition of refinement amounts to allowing trees to grow arbitrarily 'at the bottom' and, in the case of forests, adding additional trees. The definitions in this section make this precise.

Example 4.1 Figure 6 shows a refinement, from left to right, of a hiproof. Refinement generates a partial order, and this is not the only possible sequence.

We first define refinement for trees and forests, the simple structures from which hiproofs are constructed. We need a few supplementary definitions.

Definition 4.2 A rooted subtree T' of a tree T = (V, →, r) is a tree (V', →', r) where

• V' is an upwards-closed non-empty subset of V: whenever v' ∈ V' then for all v'' such that v'' → v' one also has v'' ∈ V'; and thus also r ∈ V';

• →' is the restriction of → to V' × V'. □

Henceforth, we refer to rooted subtrees simply as subtrees. Intuitively, refining a tree amounts to the addition, at possibly any level below the root, of any (finite) number of new nodes. Thus the original tree is always a subtree of any tree that refines it:

Definition 4.3 A tree (V_1, →_1, r_1) refines to the tree (V_2, →_2, r_2), written

(V_1, →_1, r_1) ⊑_T (V_2, →_2, r_2),

if the former is a subtree of the latter. □

Definition 4.4 A forest F_1 refines to the forest F_2, written F_1 ⊑_F F_2, if there exists an injective function i : F_1 → F_2 such that for all trees T ∈ F_1, T ⊑_T i(T). □

In practice, it is easier to use the following characterisations of forest refinement, given by regarding a forest as a graph or poset:

Proposition 4.5 Given forests F_1 = (V_1, →_1) and F_2 = (V_2, →_2), F_1 ⊑_F F_2 if and only if V_1 ⊆ V_2 and for all v, v' ∈ V_1, isroot_{F_1}(v) ⇔ isroot_{F_2}(v) and v →_1 v' ⇔ v →_2 v'. □

Proposition 4.6 Given forests F_1 = (V_1, <_1) and F_2 = (V_2, <_2), F_1 ⊑_F F_2 if and only if for all v, v' ∈ V_1, isroot_{F_1}(v) ⇔ isroot_{F_2}(v) and v ∈ cover_{F_1}(v') ⇔ v ∈ cover_{F_2}(v'). □

Thus forest refinement can be characterised in terms of preservation of roots and inclusion of the corresponding order. This justifies the way we define hiproof refinement.

Definition 4.7 A hiproof h = (V, <_i, →_s, t) is said to refine to the hiproof h' = (V', <'_i, →'_s, t'), written h ⊑_1 h', if (V, <_i) ⊑_F (V', <'_i), (V, →_s) ⊑_F (V', →'_s) and labels are preserved, i.e., t ⊆ t' (regarding each of t and t' as a finite set of pairs, e.g., (v, t(v))). □

Refinement for ordinary proofs is defined by tree refinement, as in Definition 4.3, subject to respect for labelling. It follows by inspection of the definitions that refinement for hiproofs restricts along E to refinement for ordinary proofs. More importantly, sk sends hiproof refinement to ordinary refinement as follows.

Theorem 4.8 If a hiproof h refines to h', then sk(h) refines to sk(h'). □

We shall not prove this in this section, as a stronger result follows from our characterisation of hiproofs in terms of ordinary labelled trees with more complex labelling in Section 5. So we shall formulate the stronger statement later.

5 A concrete characterisation of hiproofs

In this section, we characterise hiproofs in terms more amenable to implementation. The definition of hiproof consists of two forests. But they can be combined into a single tree with more complex labelling by dint of the following. Let R^+ denote the transitive closure of a binary relation R.

Proposition 5.1 No 'composite cycles' exist in a hiproof: writing v <_{i1} v' whenever v ∈ cover_{<_i}(v'), then for all v, v' ∈ V, whenever v (<_{i1} ∪ →_s)^+ v' one has v = v'. □

So, as a first attempt at a characterisation of hiproofs in such terms, we might try to represent Figure 1(b) as follows, cf. [11]:

[diagram: Figure 1(b) drawn as a single tree over T1, T2, WF, DP, Normalise and Taut, with solid lines for composition and dashed lines for inclusion]

The solid lines denote composition and the dashed lines inclusion. But this representation does not distinguish the similar hiproof in which DP is a sub-tactic of T1. That can be resolved by pairing tactics with their level in the inclusion hierarchy: in Figure 1(b), T1 and DP have level 0, T2 has level 1, and so on. But then we do not need to distinguish between two kinds of arrow, as that information is determined by the respective levels of adjacent nodes. This motivates the following definition:

Definition 5.2 A hiproof of type 2 is a tree (V, →, r) together with functions t : V → A and l : V → ℕ, subject to the following conditions:

(i) l(r) = 0;

(ii) if v → v', then l(v') ≤ l(v) + 1;

(iii) if v → v_1, v → v_2 and l(v_1) = l(v) + 1, then v_1 = v_2. □

We shall often identify a node v with a pair (A, l), thereby implicitly asserting that t(v) = A and l(v) = l. The function l : V → ℕ sends a node to what we call its inclusion level. So the first condition of the definition asserts that the root of the tree lies at inclusion level 0. The second condition states that nodes are only (directly) connected to those nodes that they directly include or with which they are composed. In the latter case, the node can 'escape' to an arbitrarily lower inclusion level. The third condition asserts uniqueness of children if one increases inclusion level.

In Definition 5.2, both composition and inclusion depth are implicit in the structure of the nodes. So, in terms of cognitive properties, the diagrams arising from hiproofs of type 2 seem less suitable for human users than the diagrams arising from hiproofs of type 1. In the latter, two distinct visual relations, spatial containment and edge connectivity, are used to represent tactic inclusion and composition (see Figure 1(b)), thus giving less scope for confusion. In contrast, owing to their economy, type 2 hiproofs have advantages as internal, machine-oriented representations.

With a little thought about levels, hiproofs of type 2 readily form a category we denote by Hiproof2. We sometimes refer to the hiproofs of Definition 2.2 as hiproofs of type 1.

Example 5.3 Figure 1(b) not only forms a hiproof but also a hiproof of type 2. The partial order information in Figure 1(b) may be unfolded as follows:

[diagram: the two forests of Figure 1(b) unfolded, with i-labelled arrows for inclusion (T1 to T2 and WF; DP to Normalise and Taut) and s-labelled arrows for composition (T2 to WF and DP; Normalise to Taut)]

where the labels on the arrows distinguish between the inclusion and composition forests. If we recombine this data using all the s-labelled arrows but only those i-labelled arrows whose codomain has no incoming s-labelled edge, we obtain a hiproof of type 2 as follows:

(T1,0) → (T2,1)
(T2,1) → (WF,1), (DP,0)
(DP,0) → (Normalise,1)
(Normalise,1) → (Taut,1)

where nodes are informally represented by their tactic identifiers and inclusion levels. Now compare this hiproof of type 2 with Figure 5, which is the skeleton of the hiproof of Figure 1(b). In terms of our hiproof of type 2, the skeleton is determined by those nodes v for which l(v) is locally maximal: if v → v' and l(v') ≤ l(v), it follows that v is in the skeleton. □

Example 5.3 suggests that any proof may be equivalently represented in either type of hiproof. Indeed, the two definitions of hiproof are related by an isomorphism of categories. Moreover, we can directly and naturally describe the skeleton of a hiproof in terms of hiproofs of type 2, so the correspondence between the two notions of hiproof respects the underlying proof structure.

Definition 5.4 Define the functor ψ_12 : Hiproof → Hiproof_2 by sending a hiproof (V, <_i, →_s, t) of type 1 to the hiproof (V, →, r, t, l) of type 2 given by the following data:

• l(v) is defined to equal 0 whenever isroot_{<_i}(v), and, inductively, to equal l(parent_{<_i}(v)) + 1 otherwise (explicitly, in forest-qua-poset notation: for each non-root v', parent_{<_i}(v') is the unique v such that v' ∈ cover_{<_i}(v));

• v → v' whenever v →_s v', or v' ∈ cover_{<_i}(v) and isroot_{→_s}(v'); and

• r is the root of the hiproof (see the remark after the definition). □

Definition 5.5 Define the functor ψ_21 : Hiproof_2 → Hiproof by sending a hiproof (V, →, r, t, l) of type 2 to the hiproof (V, <_i, →_s, t) of type 1 given by the following data:

• v →_s v' whenever v → v' and l(v') ≤ l(v);

• <_i is the reflexive and transitive closure of <_{i1}, the latter being defined thus: v <_{i1} v' whenever a (non-empty) path v' = v_0 → ... → v_n → v_{n+1} = v exists such that l(v_1) = l(v_0) + 1 and l(v_i) = l(v_{i+1}) for 1 ≤ i ≤ n. □

The proofs of well-definedness of ψ_12 and ψ_21 amount to Propositions A.3 and A.5 in Appendix A. We now show that they are mutually inverse.

Theorem 5.6 The functors ψ_12 : Hiproof → Hiproof_2 and ψ_21 : Hiproof_2 → Hiproof are mutually inverse.

Proof. We only sketch one direction of the argument as the other is similar. Let h_1 = (V, <_i, →_s, t), h_2 = ψ_12(h_1) = (V_2, →, r, t_2) and h'_1 = ψ_21(h_2) = (V', <'_i, →'_s, t'). It follows directly from the definitions that V = V' = V_2 and t = t_2 = t'.

We first show <'_i ⊆ <_i (required to show <'_i = <_i). Assume v <'_i v' and proceed by induction on the length of the path linking v' to v in the forest (V, <'_i). The base case is trivial. For the inductive case, assume v <_i v'' by the induction hypothesis and v'' ∈ cover_{<'_i}(v'). From the latter and Def. 5.5, a path v' = v_0 → ... → v_n → v_{n+1} = v'' must exist in h_2 such that l(v_1) = l(v_0) + 1 and l(v_{i+1}) = l(v_i) for 1 ≤ i ≤ n. It follows from Def. 5.4 that v' = v_0 = parent_{<_i}(v_1) or, equivalently, v_1 ∈ cover_{<_i}(v'). From v_i → v_{i+1} and l(v_i) = l(v_{i+1}), it follows that v_i and v_{i+1}, for i ranging as above, share v' = v_0 as their parent in <_i. So v'' ∈ cover_{<_i}(v'). Together with the inductive hypothesis v <_i v'', this proves v <_i v'.

The proof of <_i ⊆ <'_i is similar. And the equality →_s = →'_s can also be proved similarly. □

We now turn to skeletons. We need to characterise the construction of the skeleton in terms of hiproofs of type 2. Given a type 2 hiproof h_2 = (V, →, r, t, l), we call a node an inclusion node if it has a child with greater inclusion level.

Theorem 5.7 Given a type 2 hiproof h_2 = (V, →, r, t, l), the following data, which we denote by sk_2(h_2), agrees, via ψ_12, with sk: the A-labelled tree (V_T, →_T, r) where V_T is the set of non-inclusion nodes of h_2, and v →_T v' if and only if v → v_1 → ··· → v_n → v', where v_1, ..., v_n are inclusion nodes, r is the maximum non-inclusion node, and labelling is given by the restriction of the labelling function to V_T. □

Proof. By well-founded induction on the hiproofs. At each stage one extends the hiproof by one leaf and shows that sk and sk_2 and the ψ_ij's respect the extension. □
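As an added example (not code from the paper), the following Python checks the four conditions of Definition 2.2 on the hiproof of Figure 1(b) and on two non-examples constructed from the prose describing Figure 4, translates Figure 1(b) to a hiproof of type 2 along ψ_12 (Definition 5.4), checks the conditions of Definition 5.2 and computes the skeleton sk_2 of Theorem 5.7. The dictionary encoding of the two forests, the class names and the reading of condition (i) with strict inclusion are this example's own assumptions.

```python
"""Added example (not the paper's code): the hiproof axioms of Definition 2.2,
the translation psi_12 of Definition 5.4 to a type-2 hiproof (Definition 5.2)
and its skeleton sk_2 (Theorem 5.7), run on Figure 1(b).  Condition (i) is read
with strict inclusion w1 <_i w2, as the paper's examples require."""
from itertools import combinations


class Hiproof:
    """Type-1 hiproof. incl[v]: node immediately including v (None at the top
    level). src[v]: source of the unique arrow into v (None for an s-root)."""

    def __init__(self, labels, incl, src):
        self.labels, self.incl, self.src = labels, incl, src
        self.nodes = list(labels)
        self.arrows = [(s, v) for v, s in src.items() if s is not None]

    def strictly_inside(self, v, w):  # v <_i w, v != w: w properly includes v
        p = self.incl[v]
        while p is not None and p != w:
            p = self.incl[p]
        return p == w

    def level(self, v):  # inclusion level l(v): depth in the inclusion forest
        return 0 if self.incl[v] is None else 1 + self.level(self.incl[v])

    def violations(self):
        """Conditions (i)-(iv) of Definition 2.2; [] for a well-formed hiproof."""
        bad = []
        for v, w1 in self.arrows:
            # (i) whatever properly includes the target also includes the source
            bad += [("i", v, w2) for w2 in self.nodes
                    if self.strictly_inside(w1, w2) and not self.strictly_inside(v, w2)]
            # (ii) the source of an arrow includes nothing (it is an i-leaf)
            bad += [("ii", u, v) for u in self.nodes if self.incl[u] == v]
            if self.strictly_inside(v, w1):  # (iii) no arrow into an including node
                bad.append(("iii", v, w1))
        for v, w in combinations(self.nodes, 2):  # (iv) siblings: one s-root at most
            if self.incl[v] == self.incl[w] and self.src[v] is None and self.src[w] is None:
                bad.append(("iv", v, w))
        return bad

    def psi12(self):
        """Definition 5.4: the arrows plus, for each s-root w, an edge from the
        node immediately including w; the root r is the hierarchical root."""
        edges = self.arrows + [(self.incl[w], w) for w in self.nodes
                               if self.incl[w] is not None and self.src[w] is None]
        roots = [v for v in self.nodes if self.incl[v] is None and self.src[v] is None]
        assert len(roots) == 1, "condition (iv) gives a unique hierarchical root"
        return Type2(self.labels, edges, roots[0], {v: self.level(v) for v in self.nodes})


class Type2:
    """Hiproof of type 2 (Definition 5.2): a tree with labels t and levels l."""

    def __init__(self, labels, edges, root, level):
        self.labels, self.edges, self.root, self.level = labels, edges, root, level

    def children(self, v):
        return [w for u, w in self.edges if u == v]

    def violations(self):  # conditions (i)-(iii) of Definition 5.2
        bad = [] if self.level[self.root] == 0 else [("i", self.root)]
        for v in self.labels:
            kids = self.children(v)
            bad += [("ii", v, w) for w in kids if self.level[w] > self.level[v] + 1]
            # (iii) a child one level deeper must be the only child
            if len(kids) > 1 and any(self.level[w] == self.level[v] + 1 for w in kids):
                bad.append(("iii", v, tuple(kids)))
        return bad

    def is_inclusion(self, v):  # some child lies at a greater inclusion level
        return any(self.level[w] > self.level[v] for w in self.children(v))

    def sk2(self):
        """Theorem 5.7: skeleton (root, edges) on the non-inclusion nodes;
        v ->_T v' when the tree path from v to v' passes only inclusion nodes."""
        skel = [v for v in self.labels if not self.is_inclusion(v)]
        edges = []
        for v in skel:
            stack = self.children(v)
            while stack:
                w = stack.pop()
                if self.is_inclusion(w):
                    stack.extend(self.children(w))
                else:
                    edges.append((v, w))
        (root,) = [v for v in skel if v not in {w for _, w in edges}]
        return root, sorted(edges)


# Figure 1(b) as described in the paper's prose and Example 5.3: T1 unfolds to T2
# then WF; T2's second subgoal escapes to DP, which unfolds to Normalise then Taut.
FIG_1B = Hiproof(
    labels={v: v for v in ["T1", "T2", "WF", "DP", "Normalise", "Taut"]},
    incl={"T1": None, "T2": "T1", "WF": "T1", "DP": None, "Normalise": "DP", "Taut": "DP"},
    src={"T1": None, "T2": None, "WF": "T2", "DP": "T2", "Normalise": None, "Taut": "Normalise"})
# Non-examples constructed from the prose describing Figure 4: in (a) T1 is
# followed by T3 although T3 sits inside T2; in (d) T1 unfolds to two s-roots.
FIG_4A = Hiproof({v: v for v in ["T1", "T2", "T3"]},
                 {"T1": None, "T2": None, "T3": "T2"}, {"T1": None, "T2": None, "T3": "T1"})
FIG_4D = Hiproof({v: v for v in ["T1", "T2", "T3"]},
                 {"T1": None, "T2": "T1", "T3": "T1"}, {"T1": None, "T2": None, "T3": None})
```

`FIG_1B.violations()` returns `[]`, the two non-examples report conditions (i) and (iv) respectively, and `FIG_1B.psi12().sk2()` returns the skeleton of Figure 5: root T2 with edges T2 to WF, T2 to Normalise and Normalise to Taut.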

Finally, as promised at the end of Section 4, we formulate refinement in terms of hiproofs of type 2 and show that the formulation agrees, relative to the equivalence, with our formulation of refinement for hiproofs of type 1 in Definition 4.7.

Definition 5.8 A hiproof h = (V, →, r, t, l) of type 2 refines to a hiproof h' = (V', →', r', t', l') of the same type, written h ⊑_2 h', if and only if (V, →, r) ⊑_T (V', →', r') and, moreover, t ⊆ t' and l ⊆ l'. □

Theorem 5.9 Let h_1 and h'_1 be hiproofs. Then, h_1 ⊑_1 h'_1 holds if and only if ψ_12(h_1) ⊑_2 ψ_12(h'_1) does. □

This shows that the two formulations of hiproofs are equivalent with respect to refinement. A proof of Theorem 4.8 follows directly.

6 Conclusions and Further Work

We have introduced and begun to develop a notion of hierarchical proof tree or hiproof, abstractly reflecting the use of tactics in theorem proving. We have presented axioms that allow one to unfold a hiproof to yield an ordinary proof, and we have illustrated the axioms by examples and non-examples. We have outlined how refinement works and we have given an alternative presentation of the definition that is better suited to implementation.

In practice, tactics possess much more complex structure than we have addressed here, where we have restricted ourselves to simple notions of tactic and proof. We regard this work as just a first step towards providing a semantic foundation for the topic. We believe that, suitably developed, the study of general properties and operations on hiproofs and extensions of the notion will help to give a principled way in which to design interfaces that are independent of the specifics of hiproof representation and allow one to reason about the correctness of implementation. We are actively investigating the application of hiproofs as a foundation for prover protocols, using an operational semantics which formalises how hiproofs are constructed from sequences of tactic applications.

To develop hiproofs as we have defined them, we next seek to define natural operations on hiproofs that are supported by the various proof assistants. Examples are the various abstraction operations. Such 'zooming' operations have been considered for higraphs and statecharts [1,6], and there are natural operations to consider on them. We also plan to characterise the relationship between our semantic structures and the underlying logic, introducing a notion of stepwise refinement.

Acknowledgement

The first author thanks Alan Bundy for his encouragement and interest in this work.

References

[1] Stuart Anderson, John Power, and Konstantinos Tourlas. Zooming out of higraph-based diagrams: syntactic and semantic issues. In Proceedings of CATS 2002, the Australasian Symposium on Theory of Computing, volume 61 of Electronic Notes in Theoretical Computer Science (ENTCS). Elsevier, 2002.

[2] Jon Barwise and Eric Hammer. Diagrams and the concept of logical system. In G. Allwein and J. Barwise, editors, Logical Reasoning with Diagrams, pages 49-78. Oxford University Press, 1996.

[3] Christoph Benzmüller, Lassaad Cheikhrouhou, Detlef Fehrer, Armin Fiedler, Xiaorong Huang, Manfred Kerber, Michael Kohlhase, Karsten Konrad, Andreas Meier, Erica Melis, Wolf Schaarschmidt, Jürg Siekmann, and Volker Sorge. Omega: Towards a mathematical assistant. In Proceedings of CADE-14, volume 1249 of LNAI. Springer, 1997.

[4] A. Bundy. Proof planning. In B. Drabble, editor, Proceedings of the 3rd International Conference on AI Planning Systems, (AIPS) 1996, pages 261-267, 1996. Also available as DAI Research Report 886.

[5] Lassaad Cheikhrouhou and Volker Sorge. PDS — A Three-Dimensional Data Structure for Proof Plans. In Proceedings of the International Conference on Artificial and Computational Intelligence for Decision, Control and Automation in Engineering and Industrial Applications (ACIDCA'2000), Monastir, Tunisia, March 2000.

[6] David Harel. On visual formalisms. Communications of the ACM, 31(5):514-530, 1988.

[7] C. Hermida, M. Makkai, and A. J. Power. Higher dimensional multigraphs. In Proceedings of 13th LICS, pages 199-206. IEEE Press, 1998.

[8] D. Kapur, X. Nie, and D. R. Musser. An overview of the Tecton proof system. Theoretical Computer Science, 133(2):307-340, 1994.

[9] J. D. C. Richardson and A. Smaill. Continuations of proof strategies. In International Joint Conference on Automated Reasoning, IJCAR 2001 — Short Papers, June 2001. Technical Report DII 11/01, Dipartimento di Ingegneria dell'Informazione, Università di Siena, Italy.

[10] J. D. C. Richardson, A. Smaill, and I. Green. System description: proof planning in higher-order logic with Lambda-Clam. In 15th International Conference on Automated Deduction, pages 129-133, 1998.

[11] Julian Richardson and Alan Bundy. Proof Planning Methods as Schemas. DAI Technical Report, Division of Informatics, University of Edinburgh, 1999.

A Definitions and Technical proofs

Definition A.1 A tree $T = (V, \to, r)$ is a finite dag $(V, \to)$ together with a distinguished vertex $r \in V$, called the root, such that there is exactly one path from $r$ to every other vertex $v \neq r$. For every edge $(v, v') \in {\to}$, which we shall conventionally write as $v \to v'$, one says that $v'$ is a child of $v$ or, equivalently, that $v'$ has parent $v$. The vertices $V$ in a tree are conventionally also called nodes. □

Definition A.2 A forest $F$ is a finite set $\{T_1, \ldots, T_n\}$ of trees $T_j = (V_j, \to_j, r_j)$. We shall write $v \to_F v'$ (or just $v \to v'$ when $F$ is understood) to mean that there exists a tree $T_j$ in $F$ such that $v, v' \in V_j$ and $v \to_j v'$. Consequently we shall often also write the forest $F$ as $(V, \to_F)$, where $V$ is the disjoint union of all the $V_j$. □
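Definitions A.1 and A.2 are easy to check mechanically on explicit vertex and edge sets, which is what an implementation of hiproofs has to do on every tree it is handed. The following is an added example and not code from the paper: it decides whether a finite graph with a chosen root is a tree in the sense of Definition A.1 (acyclic, and exactly one path from the root to every other vertex, counted over a topological order) and builds the disjoint union of Definition A.2, refusing overlapping vertex sets. The sample trees, the diamond and the cycle are constructed here for illustration.

```python
"""Checks for Definitions A.1 (tree) and A.2 (forest) on explicit vertex and edge sets.

Added illustration, not code from the paper.  A tree is a finite dag (V, ->) with
a root r such that exactly one path leads from r to every other vertex; a forest
is a finite set of trees read as the disjoint union of their vertex sets.
"""
from collections import defaultdict, deque
from typing import Dict, Hashable, Iterable, List, Optional, Set, Tuple

Vertex = Hashable
Edge = Tuple[Vertex, Vertex]


def topological_order(vertices: Set[Vertex], edges: Set[Edge]) -> Optional[List[Vertex]]:
    """Kahn's algorithm: a topological order of (V, ->) if it is acyclic, else None."""
    succ: Dict[Vertex, List[Vertex]] = defaultdict(list)
    indeg: Dict[Vertex, int] = {v: 0 for v in vertices}
    for u, v in edges:
        if u not in vertices or v not in vertices:
            raise ValueError(f"edge {(u, v)!r} mentions a vertex outside V")
        succ[u].append(v)
        indeg[v] += 1
    queue = deque(v for v in vertices if indeg[v] == 0)
    order: List[Vertex] = []
    while queue:
        u = queue.popleft()
        order.append(u)
        for v in succ[u]:
            indeg[v] -= 1
            if indeg[v] == 0:
                queue.append(v)
    return order if len(order) == len(vertices) else None


def path_counts(vertices: Set[Vertex], edges: Set[Edge], r: Vertex) -> Optional[Dict[Vertex, int]]:
    """Number of distinct paths r ->* v for every v, or None when (V, ->) has a cycle.

    The empty path gives paths(r) = 1; for v != r the count is the sum over the
    predecessors of v, which is well defined because we walk a topological order."""
    order = topological_order(vertices, edges)
    if order is None:
        return None
    pred: Dict[Vertex, List[Vertex]] = defaultdict(list)
    for u, v in edges:
        pred[v].append(u)
    counts: Dict[Vertex, int] = {v: 0 for v in vertices}
    counts[r] = 1
    for v in order:
        if v != r:
            counts[v] = sum(counts[u] for u in pred[v])
    return counts


def is_tree(vertices: Set[Vertex], edges: Set[Edge], r: Vertex) -> bool:
    """Definition A.1: finite dag, r in V, exactly one path from r to every v != r."""
    if r not in vertices:
        return False
    counts = path_counts(vertices, edges, r)
    return counts is not None and all(counts[v] == 1 for v in vertices if v != r)


def children(edges: Set[Edge], v: Vertex) -> Set[Vertex]:
    """All v' with v -> v' (the children of v)."""
    return {w for (u, w) in edges if u == v}


def parent(edges: Set[Edge], v: Vertex) -> Optional[Vertex]:
    """The unique u with u -> v in a tree, or None for the root."""
    parents = [u for (u, w) in edges if w == v]
    assert len(parents) <= 1, "more than one parent: not a tree"
    return parents[0] if parents else None


def forest_union(trees: Iterable[Tuple[Set[Vertex], Set[Edge], Vertex]]) -> Optional[Tuple[Set[Vertex], Set[Edge]]]:
    """Definition A.2: {T_1, ..., T_n} as (V, ->_F) with V the disjoint union of the V_j.

    Returns None if some T_j fails Definition A.1 or two vertex sets overlap, since
    then the union is not disjoint and ->_F would not be well defined."""
    union_v: Set[Vertex] = set()
    union_e: Set[Edge] = set()
    for vertices, edges, r in trees:
        if not is_tree(vertices, edges, r) or union_v & vertices:
            return None
        union_v |= vertices
        union_e |= edges
    return union_v, union_e


# Constructed sample inputs (not from the paper).
TREE = ({"r", "a", "b", "c"}, {("r", "a"), ("r", "b"), ("a", "c")}, "r")
DIAMOND = ({"r", "a", "b", "c"}, {("r", "a"), ("r", "b"), ("a", "c"), ("b", "c")}, "r")  # two paths to c
CYCLE = ({"r", "a", "b"}, {("r", "a"), ("a", "b"), ("b", "a")}, "r")                    # not a dag
OTHER = ({"s", "x", "y"}, {("s", "x"), ("s", "y")}, "s")

if __name__ == "__main__":
    print(is_tree(*TREE), is_tree(*DIAMOND), is_tree(*CYCLE))   # True False False
    print(forest_union([TREE, OTHER]) is not None)              # True: vertex sets are disjoint
    print(forest_union([TREE, TREE]) is None)                   # True: same vertices twice
```

Counting paths rather than merely testing reachability is what separates a tree from a dag with sharing: the diamond reaches every vertex from `r` but has two paths to `c`, so `is_tree` rejects it, exactly the non-sharing condition the appendix appeals to in the proofs below.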

Proposition A.3 $\varphi_{12}$ is well-defined, i.e., each $\varphi_{12}((V, <_i, \to_s, t))$ conforms to Def. 5.2.

Proof. By Prop. 5.1 and observing that $\to^{+} \subseteq (<_i \cup \to_s)^{+}$, it follows that $(V, \to)$ is an acyclic graph. Moreover, whenever $v_1 \to v$ and $v_2 \to v$ one has $v_1 = v_2$: the only possible cases are $v_1 \to_s v$ and $v_2 \to_s v$, or $v \in \mathit{cover}_{<_i}(v_1)$ and $v \in \mathit{cover}_{<_i}(v_2)$, and in either case $v_1 = v_2$ follows immediately from $(V, \to_s)$ and $(V, <_i)$ being forests. Thus, whenever a path $v_0 \to^{*} v$ exists, it must be unique. We show that $r \to^{*} v$ for all $v \in V$ by induction on $d(v)$, the 'depth' of $v$ with respect to $\to_s$, defined thus: $d(v) = d(v') + 1$ whenever $v' \to_s v$, and $d(v) = 0$ otherwise. When $d(v) = 0$ then clearly $\mathit{isroot}(v)$ and $\mathit{siblings}_{<_i}(v, r)$ (in the sense that $\mathit{isroot}_{<_i}(v)$). Now $r = v$ and $r \to^{*} v$ holds trivially. In the inductive case assume the claim true for $v'$, where $v' \to v$. Then the induction hypothesis yields $r \to^{*} v'$ and so, transitively, also $r \to^{*} v$.

Showing that $l(v') \le l(v) + 1$ whenever $v \to v'$ proceeds by case analysis. The case $v' \in \mathit{cover}_{<_i}(v)$ with $\mathit{isroot}(v')$ is immediate. When $v \to_s v'$ one examines whether $\mathit{isroot}_{<_i}(v')$ or not. When so, $l(v') = 0 \le l(v) + 1$. When $v' \in \mathit{cover}_{<_i}(v'')$ for some $v''$, condition i yields $v \in \mathit{cover}_{<_i}(v'')$, from which $l(v) = l(v'') + 1 = l(v')$ follows.

Assume $v \to v_1$ and $v \to v_2$ such that $l(v_1) = l(v) + 1$. Then one must have $v = \mathit{parent}_{<_i}(v_1)$ and hence $v_1 <_i v$ in the type 1 hiproof. Further, we distinguish two cases: first, if $l(v_2) = l(v_1)$, one has $\mathit{siblings}_{<_i}(v_1, v_2)$ while also $\mathit{isroot}(v_1) \wedge \mathit{isroot}(v_2)$. Then condition iv of Def. 2.2 establishes $v_1 = v_2$, as required. Similarly, the case $l(v_2) \le l(v)$ means $v \to_s v_2$ while $v_1 <_i v$, hence $v_1 = v_2$ by the first condition in the definition of type 1 hiproofs. Finally, that $l(r) = 0$ is obvious. □

Lemma A.4 In the context of Def. 5.5, $\mathit{isroot}(v)$ is equivalent to $\forall v_0 \in V.\ (v_0 \to v \Rightarrow l(v_0) + 1 \le l(v))$.

Proof. Using the definition of $\to_s$ and the tautology $(p \Rightarrow q) \iff (\neg p \vee q)$:

$$\begin{aligned}
\mathit{isroot}(v) &\iff \neg\exists v_0.\ (v_0 \to v \wedge l(v) \le l(v_0)) \\
&\iff \forall v_0.\ (v_0 \not\to v \vee l(v) > l(v_0)) \\
&\iff \forall v_0.\ (v_0 \not\to v \vee l(v) \ge l(v_0) + 1) \\
&\iff \forall v_0.\ (v_0 \to v \Rightarrow l(v_0) + 1 \le l(v))
\end{aligned}$$

□
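The lemma and the surrounding proofs read the type 2 data $(V, \to, r, t, l)$ back into the two relations of a type 1 hiproof purely by comparing levels. The following is an added example, not code from the paper, that does exactly that on a small constructed tree: it derives $\to_s$ (edges whose target is at the same or a shallower level) and $<_i$ (edges whose target is exactly one level deeper), computes $\mathit{isroot}$ both by its definition and by the right-hand side of Lemma A.4 so that the equivalence can be checked vertex by vertex, and tests the two level conditions of Def. 5.2 in the form the appendix cites them (condition ii: $l(v') \le l(v)+1$ on every edge; condition iii: at most one child one level deeper). The vertex names, levels and the deliberately broken second tree are constructed for illustration.

```python
"""Recovering the sequence relation ->_s and the inclusion relation <_i from a
levelled tree, and checking Lemma A.4 exhaustively on a small instance.

Added illustration, not code from the paper.  The relations are read off the page:
v0 ->_s v iff v0 -> v and l(v) <= l(v0); w <_i v iff v -> w and l(w) = l(v) + 1;
isroot(v) iff no v0 has v0 ->_s v.
"""
from typing import Dict, Hashable, Set, Tuple

Vertex = Hashable
Edge = Tuple[Vertex, Vertex]

# Constructed sample (not from the paper).  Levels model nesting: an edge to a
# vertex one level deeper enters a box, an edge to the same or a shallower level
# is sequential composition.
EDGES: Set[Edge] = {
    ("r", "ind"),      # ind lies inside r       (level 0 -> 1)
    ("ind", "base"),   # base lies inside ind    (level 1 -> 2)
    ("base", "step"),  # step follows base       (level 2 -> 2)
    ("step", "simp"),  # simp follows step       (level 2 -> 2)
    ("ind", "qed"),    # qed follows ind         (level 1 -> 1)
}
LEVEL: Dict[Vertex, int] = {"r": 0, "ind": 1, "base": 2, "step": 2, "simp": 2, "qed": 1}

# A second constructed tree that breaks condition iii of Def. 5.2 as the appendix
# uses it: ind has two children one level deeper.
BAD_EDGES: Set[Edge] = {("r", "ind"), ("ind", "base"), ("ind", "other")}
BAD_LEVEL: Dict[Vertex, int] = {"r": 0, "ind": 1, "base": 2, "other": 2}


def sequence_relation(edges: Set[Edge], level: Dict[Vertex, int]) -> Set[Edge]:
    """->_s: the edges v0 -> v with l(v) <= l(v0)."""
    return {(v0, v) for (v0, v) in edges if level[v] <= level[v0]}


def inclusion_relation(edges: Set[Edge], level: Dict[Vertex, int]) -> Set[Edge]:
    """<_i as pairs (w, v) with w <_i v: v -> w and w exactly one level deeper."""
    return {(w, v) for (v, w) in edges if level[w] == level[v] + 1}


def isroot_by_definition(edges: Set[Edge], level: Dict[Vertex, int], v: Vertex) -> bool:
    """isroot(v): v is not the target of any ->_s edge."""
    return all(target != v for (_, target) in sequence_relation(edges, level))


def isroot_by_lemma(edges: Set[Edge], level: Dict[Vertex, int], v: Vertex) -> bool:
    """Right-hand side of Lemma A.4: every v0 -> v has l(v0) + 1 <= l(v)."""
    return all(level[v0] + 1 <= level[v] for (v0, target) in edges if target == v)


def lemma_a4_holds(edges: Set[Edge], level: Dict[Vertex, int]) -> bool:
    """Both formulations of isroot agree on every vertex."""
    return all(isroot_by_definition(edges, level, v) == isroot_by_lemma(edges, level, v)
               for v in level)


def roots(edges: Set[Edge], level: Dict[Vertex, int]) -> Set[Vertex]:
    """All vertices that are roots of the ->_s forest."""
    return {v for v in level if isroot_by_definition(edges, level, v)}


def level_conditions_hold(edges: Set[Edge], level: Dict[Vertex, int]) -> bool:
    """Conditions ii and iii of Def. 5.2 as the appendix cites them: l(v') <= l(v) + 1
    for every edge v -> v', and at most one child of v sits at level l(v) + 1."""
    if any(level[w] > level[v] + 1 for (v, w) in edges):
        return False
    for v in level:
        deeper = [w for (u, w) in edges if u == v and level[w] == level[v] + 1]
        if len(deeper) > 1:
            return False
    return True


if __name__ == "__main__":
    print(sorted(sequence_relation(EDGES, LEVEL)))
    print(sorted(inclusion_relation(EDGES, LEVEL)))
    print(sorted(roots(EDGES, LEVEL)), lemma_a4_holds(EDGES, LEVEL))
    print(level_conditions_hold(EDGES, LEVEL), level_conditions_hold(BAD_EDGES, BAD_LEVEL))
```

On the sample, the roots of the $\to_s$ forest are `r`, `ind` and `base`, i.e. precisely the vertices entered by an inclusion edge or by nothing at all, which is the picture behind Lemma A.4: a vertex fails to be a root exactly when some predecessor reaches it without going one level deeper.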

Proposition A.5 $\varphi_{21}$ is well-defined, i.e., each $\varphi_{21}((V, \to, r, t, l))$ is a hiproof of type 1.

Proof. (Sketch) $<_i$ is manifestly irreflexive and transitive. On the other hand, $<_i$ is clearly antisymmetric, as follows from observing that ${<_i} \subseteq (\to^{*})^{-1}$ while $(V, \to, r)$ is a tree. Thus, the definition of $\le_i$ as the reflexive closure of $<_i$ makes $(V, \le_i)$ a poset.

The non-sharing condition, needed by Corol. 3.8 to show $(V, \le_i)$ a forest, as required, also follows from $(V, \to, r)$ being a tree and ${<_i} \subseteq (\to^{*})^{-1}$: to assume $v <_i w_1$ and $v <_i w_2$ while $w_1 \neq w_2$ would mean the existence of two distinct paths in $(V, \to, r)$ from the root $r$ to $v$, one via $w_1$ and the other via $w_2$, thus contradicting the fact of $(V, \to, r)$ being a tree. One must therefore admit that, whenever $v <_i w_1$ and $v <_i w_2$, $w_1$ must equal $w_2$.

To show $(V, \to_s)$ a forest, as required, we shall show that $(V, (\to_s^{*})^{-1})$ is a forest-qua-poset and appeal to Corol. 3.8. The poset structure of $(V, (\to_s^{*})^{-1})$ is immediate, as $\to^{*}$ is clearly antisymmetric. Again, observing that ${\to_s} \subseteq {\to}$, the 'non-sharing' condition required by Corol. 3.8 follows, as above, from $(V, \to, r)$ being a tree.

To show that $<_i$ and $\to_s$ are mutually exclusive in the sense of condition (iii) of Def. 2.2, consider first the case of $v <_i w$ and $v \to_s w$: as the former implies $w \to v$ and the latter implies $v \to w$, $v = w$ follows easily from the acyclicity of the tree $(V, \to, r)$. In the case of $v \le_i w$ (hence also $l(w) \le l(v)$) while $w \to_s^{*} v$ (and hence $l(v) \le l(w)$), one must have $l(v) = l(w)$ and so, according to the definition of $\le_i$, $v = w$.

To establish condition i, first observe that $w_1 \in \mathit{cover}_{<_i}(w_2)$ means the existence of a non-empty path $w_2 \to v_1 \to \cdots \to v_n \to w_1$ in the tree $(V, \to, r)$ such that $l(v_1) = l(w_2) + 1$ and $l(v_1) = \cdots = l(v_n) = l(w_1)$. Assuming also that $v \to_s w_1$, i.e., also $v \to w_1$, forces $v = v_n$, for $(V, \to, r)$ is a tree. That $v \in \mathit{cover}_{<_i}(w_2)$ now follows immediately from Def. 5.5.

For condition ii, suppose that $w_1 \le_i v$ and $v \to_s w_2$. We must show that $v = w_1$. By the definition of $\varphi_{21}$, we have that $w_1\ (<_i)^{*}\ v$ and $v \to w_2$, with $l(w_2) \le l(v)$. Suppose that the path from $w_1$ to $v$ is non-empty, i.e., $w_1\ (<_i)^{*}\ w_0 <_i v$ for some $w_0$. Then, by the definition of $<_i$, $v \to w_0$ and $l(w_0) = l(v) + 1$. Now, by condition iii of Def. 5.2, we have that $w_2 = w_0$, but this is impossible because they have different levels. Therefore the path from $w_1$ to $v$ must be empty, and so $w_1 = v$.

For showing condition iv, assume first that $\mathit{siblings}_{<_i}(v, v')$. Then either $v = v'$, or else (by unfolding the definition of $\mathit{cover}_{<_i}$) there must exist $v_0$ such that, at least, $v_0 \to v$ and $v_0 \to v'$. Thus, by condition ii of Def. 5.2, $l(v) \le l(v_0) + 1$ and $l(v') \le l(v_0) + 1$ also hold. Assuming further that $\mathit{isroot}(v) \wedge \mathit{isroot}(v')$, $v_0 \to v$ and $v_0 \to v'$ additionally yield, by Lemma A.4, that $l(v_0) + 1 \le l(v)$ and $l(v_0) + 1 \le l(v')$. Hence, $l(v) = l(v') = l(v_0) + 1$ and, by condition (iii) of Def. 5.2, it now follows that $v = v'$, as required. □