Algebraic Semiotics, ProofWebs, and Distributed ... - Semantic Scholar

4 downloads 42388 Views 324KB Size Report
website editor generator to generate new versions of kumoand accelerate our .... this is important because the best implementations often lie between. See 7] forĀ ...
Slightly revised, from Proceedings, User Interfaces for Theorem Provers `97 (Sophia Antipolis, 1{2 September 1997), pages 24{34.

Algebraic Semiotics, ProofWebs, and Distributed Cooperative Proving1 Joseph Goguen, Akira Mori and Kai Lin

Dept. Computer Science & Engineering, Univ. California at San Diego, La Jolla CA 92093-0114

Abstract: We describe a new approach to interface design called algebraic semiotics, combining semiotics

with algebraic speci cation to give a rigorous theory of representation quality, and we apply it to the

tatami distributed cooperative proving project. This project uses standard html, Java, etc. for remote

proof browsing, servers for remote proof execution, a protocol to maintain truth of distributed cooperative proofs, and a tool combining proof assistance with website editing. Its proof paradigm reduces theorems to problems solvable by proof servers. ProofWebs integrate browsing, execution, animation, and informal explanation with formal proofs, and their design has been driven by semiotic ideas.

1 Introduction

The landscape of theorem proving can be seen as two main peaks with a great plane between. These peaks represent fully automatic theorem provers and proof checking theorem provers; the plane represents the diculty of combining their virtues. The peaks are steep and dark because it is so hard to use such systems well, since the complexity of non-trivial formal proofs makes it hard for users (and machines) to navigate them, let alone understand or improve them. Hence proof mountaineers need better climbing tools. This paper describes the tatami2 project, which seeks to build a moderate size transparent mound between the peaks, by rst building exible construction equipment to support rapid system evolution, and by exploiting existing tools like html, Java, Netscape and JavaScript to present proofs as hypermedia websites. We let users do the hard proof planning while machines do the routine work, by reducing theorems to tractable subproblems for proof servers; we now use the OBJ3 term reduction engine, but our paradigm allows any combination of proof engines anywhere on the internet. The tatami system is thus about as far from being a proof checker as it is from being an automatic theorem prover3 . Our target application is behavioral proofs for concurrent distributed systems, using new coinduction proof methods [7]. The tremendous progress of theorem proving system performance makes it arguable that the most pressing open problems now concern user interfaces. Technology-driven approaches to interface design are common, and graphical user interfaces are popular. But HCI research shows that graphics is not always better than text, and that some multimedia combination is often better than any single medium [12]. For example, a clickable proof graph can be dicult to use for all but the smallest proofs4 ; [11] considers why many serious users may prefer command line interfaces to direct manipulation. General insights from HCI do not give enough insight; we need speci c work on the nature of proving, like that in [10]. This paper tackles user interface problems using semiotics, the study of signs. Unfortunately, this area has not developed in a mathematically rigorous way, has not systematically addressed quality of representation, and has not taken sucient account of social context. We address these problems with algebraic semiotics [2], which combines algebraic speci cation [6] with social semiotics in the sense of [3]. We have built a proof planning and website5 construction tool called kumo [4]. We are also building a 1 The

research reported in this paper has been supported in part by the CafeOBJ project of the Information Promotion Agency (IPA), Japan, as part of its Advanced Software Technology Program. 2 \Tatami" are natural ber mats used in traditional Japanese homes, about 5 by 3 feet. A 2 tatami room, like a 2 tatami proof, is pretty small, but a 20 tatami room (or proof) is large and should probably be subdivided. 3 In our experiments so far, about 20 to 200 times as many inferences are introduced by machines as by users, including many non-equational inference rules applied automatically; this ratio will improve as we learn more. 4 I rst learned this using the Jape and 2OBJ systems at Oxford. 5 Websites with complex interaction (buttons, popups, etc.) and complex links are dicult to build and even more dicult to maintain. Website editing is very di erent from webpage editing as supported by commercial products like MicroSoft's

1

website editor generator to generate new versions of kumo and accelerate our evolutionary tool development cycle. Unfortunately, this paper is too short to give more than an overview of our work; but anyone can try the tatami system at http://lex.ucsd.edu/links, where further information is also available. 2 ProofWebs and the tatami Conventions Our rst major concept is the ProofWeb, a data structure to integrate formal proofs with information needed to understand them, based on the following tatami conventions: 1. The central narrative webpages, called tatami pages, describe proof steps in some detail; these are automatically generated from user supplied proof scores. 2. A user-supplied informal explanation page is linked to each tatami page, discussing proof strategies, obstacles, etc. 3. Each major proof part has its own homepage (major subproofs are traditionally called \lemmas"). 4. Proof homepages and explanation pages can have graphics, applets, and of course text. 5. Every formal proof step is linked to a tutorial background page; e.g., an application of quanti er elimination is hotlinked to a webpage explaining this proof rule. 6. Major proof parts have an optional \closing" webpage to sum up what can be learned. 7. A formal proof score is generated for each tatami page; workers can request executing these scores on a remote server, with results returned to the local site. 8. A frame with navigation buttons is provided for each kind of webpage. 9. Di erent kinds of webpage have di erent kinds of format, background, and frames, in a consistent way. These conventions will evolve as we gain more experience; an abstraction of the current ProofWeb structure is speci ed in Section 7. Figure 1 shows screendumps of some typical tatami pages, and Figure 3 shows the structure of a typical ProofWeb. The ProofWebs we have built so far show a very promising convergence of web capabilities with ways to make proofs more interesting and understandable. Each ProofWeb has a more abstract description as a ProofDag; this is our second major concept. \dag" stands for \directed acyclic graph," a generalization of tree that allows some nodes to be shared; further detail is given in [4]. While ProofWeb is an evolving approach for organizing proof information, ProofDag is a precise abstract data type used for distributed cooperative proving. ProofWebs can be browsed over the internet, executed on remote servers, and constructed locally using kumo. Tatami pages appear in a xed master window. Navigation buttons include UP , DOWN , LEFT , RIGHT , plus PREV and NEXT ; the latter two follow an order predetermined by the proof author. Web browsers like Netscape provide a local search capability that can be used for lemma lookup. The status of a proof part can be: proved, unknown, or untrue; this is displayed in a Status Window popup, which is locally updated by propagating changes up the ProofDag. The Status Window also supports proof navigation by mouse click. The third part of Figure 2 is a screendump of our current Status Window. Interactive Java applets can illustrate basic intuitions for a problem and for key proof steps, allowing users to explore issues for themselves. This is important because reading speci cations and proofs written by others can be painful. For example, because some readers might doubt the need for behavioral properties, the homepage for our simplest behavioral proof has applets that motivates behavioral speci cation and satisfaction (see Figure 1). In fact, our website is an interactive tutorial on hidden algebraic formal methods.

3 Logic

Our basic proof planning paradigm reduces problems to combinations of other problems solvable by existing theorem provers. Proof tasks have the form T j= P with T a speci cation and P a proof goal. Inference rules reduce such tasks to others. kumo uses hidden (order sorted rst order) predicate logic FrontPage, which do not address cross-page issues like link maintenance and website-wide design conventions; in fact, FrontPage makes such issues more dicult to address in some ways. A website editor can greatly reduce the e ort involved by doing many mechanical tasks, such as lling slots in prede ned templates. However, kumo does much more than this, since it helps with proof planning and produces executable proofs.

2

Figure 1: Screendumps of Typical Tatami Pages with behavioral and ordinary equality (so that ordinary rst order logic is a special case), but the paradigm is more general. kumo reduces general proof tasks to equational proof tasks using inference rules like:  elimination rules for 8, 9, ^, _, and );  lemma introduction, case analysis, substitution and proof by contradiction;  rewriting and equational deduction;  induction for data types (natural numbers, lists, etc.); and  coinduction for behavioral properties. This yields correctness proofs that are (relatively!) simple and mechanizable, and that handle all typical features of the object paradigm, including classes, subclasses (inheritance), attributes, methods, and local state, as well as concurrency, distribution, nondeterminism, plus logical variables (as in logic programming), abstract data types, and generic modules [7]. Hidden algebra generalizes the process algebra and transition system approaches to take advantage of equations for non-monadic methods and attributes. Hidden speci cations characterize how objects (and systems) behave, not how they are implemented. Coinduction is a new proof technique that is very e ective for proving behavioral properties, e.g., behavioral re nement. Sorts are used two ways in hidden logic: for data values (e.g., of attributes), and for states of objects. These are dual: induction establishes properties of data types while coinduction establishes properties of objects with states. Similarly, initiality is important for data types, while nality is important for states. However, data type implementations need not be initial, and object implementations need not be nal; this is important because the best implementations often lie between. See [7] for more information. 4 The kumo ProofWeb Assistant and Distributed Cooperative Proving ProofWebs have complex html for mathematics and interaction (hyper-links, buttons, popups, etc.). A website editor can greatly reduce e ort by automatically lling in prede ned templates with links to explanations, proof code, etc. kumo combines this capability with that of a proof assistant. For example, given M j= A ^ B , kumo automatically applies conjunction elimination, updating the tatami page and ProofDag with new subtasks for A and B . On the other hand, lemma introduction requires the user to state (or point to) a lemma; then kumo records the subtask of proving the lemma if it isn't already proved. Tatami pages should be made for subdags of about seven non-automatic rules (users can choose). 3

kumo runs in both batch and interactive modes; the former is incremental and supports evolutionary proof

development.

4.1 Truth Maintenance and Status Windows

tatami supports cooperative proving over the internet. This requires keeping careful track of proof tasks and speci cations. Consistency is maintained by storing ownership and truth status on ProofDag nodes; these are also displayed in the Status Window popup. Users can pick up un nished nodes of their own or others. Alternative proofs of the same goal are an additional complexity, handled by a data structure that we call a 2-dimensional dag, or 2-dag for short (this structure is a blend of proof status and ownership information [4]). Incomplete proofs are registered with the SUBMIT button, which updates the proof and its status at each concerned site. Before registration, proofs are \ghosts" available only locally. Users can delete their own proofs, but if some deleted subproof is used by others, then its ownership is reassigned to whoever used it rst. These (and other) ideas constitute our tatami protocol [4].

4.2 Proof Servers

Putting proof servers on the internet means tatami users do not need them locally. Any proof, whether local or remote, can be checked by pressing the EXECUTE button on a tatami page; then a (Java) client applet is downloaded from the server (for security, the client must come from the server through a socket); the proof score url is passed to the server; the server fetches the proof score, executes it, and sends the result back to the client applet. An OBJ3 server is now running at ucsd, and servers will be added for other provers (e.g., Presburger arithmetic) and other sites. We call our general Java server \barista" (Italian for a person who serves co ee).

5 Cinema and Narratology

The CafeOBJ project aims to help ordinary software engineers, so it is important to make speci cations and proofs as understandable, and even interesting, as possible. Typical \modern" proofs hide the often considerable con icts involved in their construction. Finding a non-trivial proof often requires exploring many misconceptions and errors, some of which may be very subtle. Published proofs bury all this, exhibiting only the tricks that nally conquered the obstacles, without showing why those tricks were needed. Whereas human proofs often omit details to highlight the main ideas, mechanical proofs generally bury proof structure in a mass of trivial detail, because features to exhibit large grain proof structure and motivation are absent. We suggest a \postmodern" approach to make proofs more understandable and interesting by recording the local con icts that motivate dicult proof steps on ProofWebs; as Aristotle said, \Drama is con ict." Syd Field's screen writing books (e.g., [1]) give a precise but naive dramatic structure: Hollywood plots should have three acts, for setup, con ict, and resolution, of 30, 60, 30 minutes, with \plot points" to move action from one act to the next. Proofs that are structured this way might be easier to understand. Another resource is the theory of stories. Labov [9] says oral narratives have a precise structure, involving a sequence of \narrative clauses" describing events whose order corresponds to their order in the story, interleaved with \evaluative material" which evaluate the events, in the sense of relating them to socially shared values; there are also optional opening and closing sections. This work motivated our linking informal explanation pages to formal proof pages; further study of how evaluative material connects to narrative material might give further ideas for structuring proof motivation. The study of embedded stories, ashbacks, and so on might also be useful in making proofs easier to understand.

6 Sign Systems and Semiotic Morphisms

ProofWebs, tatami pages, and Status Windows are (compound) signs. A basic insight of Saussure was that every sign should be considered part of a system of interrelated signs. A rigorous foundation for discussing the structure of such representations is given in [2], but we must omit much detail here. De nition 1: A sign system consists of: 1. a set S of sorts for signs, not necessarily disjoint; 2. a partial ordering on S , called the subsort relation and denoted ; 4

3. a set V of data sorts, for information about signs, such as colors, locations, and truth values; 4. a partial ordering of sorts by level, such that data sorts are lower than sign sorts; 5. for each n > 0, a set C of level n constructors used to build level n signs from signs at levels n or less, and written r : s1 :::s d1 :::d ! s, indicating that its ith argument must have sort s , its j th parameter data sort d , and its result sort is s; constants c : ! s are also allowed; 6. a priority (partial) ordering on each C ; 7. some relations and functions on signs, for use in application conditions; and 8. a set A of axioms, constraining possible signs. n

k

i

l

j

n

2

A sign system is an abstract data type [6] enriched with levels and priority; hence it can be speci ed by initial algebra semantics [6]; we exploit this by using OBJ3 in Section 7. We now consider the movement (mapping, translation, interpretation, representation) of signs in one system to signs in another. For example, tatami pages and Status Windows result from translating ProofWebs. Perhaps proof structures that map into the \Syd Field" sign system [1] would be easier to understand; in fact, we used this structure in our flag ProofWeb, where con ict arises from the failure of a reduction, and is resolved when the appropriate lemma is provided (see Figure 2). The following gives a foundation for making such considerations rigorous. De nition 2: Given sign systems S1 ; S2, a semiotic morphism M : S1 ! S2, from S1 to S2, consists of the following partial functions (all denoted M ): 1. sorts of S1 ! sorts of S2 , 2. constructors of S1 ! constructors of S2 , and 3. predicates and functions of S1 ! predicates and functions of S2 , such that 1. if s  s then M (s)  M (s ), 2. if c : s1 :::s ! s is a constructor (or function) of S1 , then M (c) : M (s1 ):::M (s ) ! M (s) is a constructor (or function) of S2 if it is de ned, 3. if p : s1 :::s is a predicate of S1 , then (if de ned) M (p) : M (s1 ):::M (s ) is a predicate of S2 , and 4. M is the identity on all sorts and operations for data in S1 . 2 Any semiotic morphism M : S1 ! S2 gives representations in S2 for compound signs in S1 , by extending the preservation of constructors to all terms. The class of semiotic morphisms between two xed sign systems can be ordered in various ways to measure representation quality: 1. M is level preserving i there is a function M from levels of S1 to levels of S2 such that if c is a constructor at level i in S1 then M (c) has level M (i) in S2 . 2. M is priority preserving i c > c in S1 implies M (c) > M (c ) in S2 . 3. M is axiom preserving i for every axioms a of S1 , its translation M (a) to S2 is a logical consequence of the axioms in S2 . in S2 . 4. Given also M : S1 ! S2 , then M is as de ned as M , written M  M , i for each constructor c of S1 , M (c) is de ned whenever M (c) is. The intuition is that structure is preserved if there is some way to retrieve the data values that have been stored in that structure. 5. Given also M : S1 ! S2 , then M preserves as much content as M , written M  M , i M is as de ned as M and M preserves every selector that M does, where a morphism M : S1 ! S2 preserves a selector f1 of S1 i there is a selector f2 for S2 such that for every sign x of S1 where M is de ned, f2(M (x)) = f1(x). It may be that neither of M; M preserves strictly more than the other; for example, M might preserve more constructors while M preserves more content. Other orderings on morphisms may be useful in some applications; for example, priority on constructors might play a role, as might special measures at certain levels, such as phonological complexity (i.e., e ort of pronunciation). \Designer" orderings that combine various preservation properties in a speci c way may be useful for speci c applications. Experiments reported in [5] show that preserving high levels is more important than preserving priorities, which in turn 0

0

k

k

k

k

0

0

0

0

0

0

0

0

0

0

0

0

5

0

is more important than preserving content. They also show a strong tendency to preserve higher levels at the expense of lower levels. This may be surprising, because of emphasis by cognitive psychologists on the \basic level" of lexical concepts (e.g., \bird", see Rosch [13, 14]). The sentential level of natural language was long considered basic, but research like that of [5] shows that the discourse level is higher in our technical sense, and thus more important. This suggests the general principle that preserving form is more important than preserving content; let us call this Principle F/C, where our de nitions above allow us to be quite precise in saying that form and content preservation mean preserving constructors and selectors, respectively. Although this principle might seem counterintuitive at rst, we will soon see examples of it in our ProofWeb design. (The principle really asserts a tradeo between form and content, where form is more heavily weighted than content, and where the right balance between them can only be determined based on information about how the representation will actually be used.)

6.1 Some Design Decisions

Semiotic considerations guided some decisions in advance of construction, and in other cases were mobilized after the fact to better understand decisions or suggest further improvements. The basic insight is that any tatami implementation can be seen as a morphism to from the TATAMI sign system in Section 7 into a website sign system; moreover, semiotic morphisms correspond to OBJ views, with partial morphisms given by views from a sub-sign system, as illustrated by the view STAT in Section 7. Background patterns. The main content bearing sorts of ProofWebs are for proof steps, informal explanations, tutorials, and executable proof scores. Tatami pages have a tatami mat background, explanation pages have a pink marble background, tutorial pages have a yellow marble background, and proof score pages have a blue raindrop background. These four sorts are the arguments of the constructor PfOfBy in the spec of Section 7, and they should be preserved by any tatami implementation. Persistent popups. Each kind of important auxiliary information { tutorials, lemma proofs, and proof scores { appears in a persistent Netscape window; as a bonus, the BACK button retrieves information previously seen. This design choice can be justi ed as above, but a more detailed speci cation would be needed. Separating form and content. A uniform multi-frame layout helps reduce confusion. A top \title" frame names the current ProofWeb and current node; a \button" frame supports navigation; and a third frame holds content, e.g., tatami pages for proof steps. Uniform look-and-feel and consistent transition. Each persistent window has its own xed layout, frames and backgrounds. Each tatami document page has a button that returns to the page where it was requested. Only navigation buttons change the master window. Mathematics. Formulae are dicult in current html; proposals exist for LATEX-like notation, but there is no standard. Therefore we use gif les for mathematical symbols in a distinctive color (blue), because mathematical signs come from a system quite distinct from that of text. As the tatami project progressed, di erent versions of the Status Window developed; some are shown in Figure 2. Section 7 shows that these obsolete versions do not admit semiotic morphisms from the ProofWeb sign system.

7 Abstract Data Type for ProofWebs

A (partial) algebraic speci cation for the ProofWeb sign system is given in the rst three OBJ modules below. For concision we use T, ? and F for proof status values, instead of proved, etc. obj TATAMI-BASE is sorts Pf TStat . dfn Name is QID . dfn Rule is QID . dfn LPf is LIST[Pf]. dfn LRule is LIST[Rule]. dfn Obj is QID . dfn ExPg is QID . ops T ? F : -> TStat . endo obj TATAMI-PF is pr TATAMI-BASE . sort HPg . dfn Goal is QID . dfn Rule is QID .

6

op HPg_[___] : Name Goal Pf TStat -> HPg . op PfOf_By_[___]_ : Goal LRule ExPg LPf Obj TStat -> Pf . op ALT : LPf -> Pf . op subg : Pf -> Rule . endo obj TATAMI is pr TATAMI-PF . sort Tatami . dfn LHPg is LIST[HPg]. op Tat : LHPg -> Tatami . endo

The top level signs of this system have sort Tatami with primary (and only) constructor Tat, which takes one argument of sort LHPg, which in turn has as its primary constructor the concatenation operation for lists of HPgs, proof homepages (there is also a secondary constructor for LHPg, namely the empty list, denoted []). HPg has primary (and only) constructor HPg, with arguments of sorts Name, Goal, Pf and TStat; technically these are fourth level sorts, but since Tatami and Hpg each have just one unary constructor, let's agree to call all these sorts second level. The only interesting one is Pf, for proofs, with primary constructor PfOfBy; this has LPf, for lists of proofs, as an argument sort; Pf also has a secondary constructor ALT with LPf as its only argument sort; this allows multiple proof attempts for a single goal. Therefore Pf is a recursive sign sort in two di erent ways; it is the sort of our tatami pages. The third level sorts are LRule, ExPg and Obj, for rule list, explanation page, and OBJ code, respectively. Finally, Rule is a fourth level sort, with constructor subg which allows introducing new results (usually called \lemmas"). Since these still must be proved, subg has argument sort Pf, giving another recursion. Next we give the structures of two proofs that are already on the web, as test cases; Figure 3 shows them as trees. The operations with Nat as argument just provide a collection of named objects of their target sort. obj TESTAMI is pr TATAMI . op ex : Nat -> ExPg . op pf : Nat -> Pf . op g : Nat -> Goal . op obj : Nat -> Obj . let flag = HPg('flag)[g(1) pf(1) T] . let sum = HPg('sum) [g(2) pf(2) T] . let t = Tat(flag sum). eq pf(1) = PfOf g(1) By('coind) [ex(1) (pf(11) pf(12) ALT(pf(13) pf(131))) obj(1)] T . eq pf(13) = PfOf g(13) By('red) [ex(13) (nil) obj(13)] ? . eq pf(131)= PfOf g(13) By(subg(pf(14)) 'red) [ex(131) (nil) obj(131)] T . eq pf(2) = PfOf g(2) By('ind) [ex(2) (pf(21) pf(22)) obj(2)] T . eq pf(21) = PfOf g(21) By('qelim 'red) [ex(21) (nil) obj(21)] T . eq pf(22) = PfOf g(22) By('qelim 'ielim 'red) [ex(22) (nil) obj(22)] T . endo red sum . red flag . red t .

Running the above OBJ code gives exactly (terms for) the trees shown in Figure 3, where the large dot nodes indicate the list concatenation operation. Note that the flag structure has an ALT constructor with two proofs for the third step of the coinduction; the rst uses just reduction and fails (giving truth status ?) while the second succeeds by making use of a lemma. The forms in Figure 2 represent this situation in three di erent ways. The left display gives very little information about the proof, and represents ALT using a prime for the failed subproof; this notation does not generalize to multiple attempts where some fail and some succeed. The middle display gives more information, e.g., goals, but represents ALT the same way as the left display, and fails to indicate the initial (coinduction) proof step; giving goals is not such a good idea, because these can be very complex; this is an instance of Principle F/C. Both displays have redundant proof status information, e.g., \proved" and the color green6 ; neither indicates the proof homepage. The right display gives generic proof step names 6 Figure

2 uses black print for green representing T, and gray for yellow representing ?.

7

instead of goals and lists all proof rules7 , but also represents the initial step the same way as its three subgoals, and thus fails to preserve the PfOfBy constructor. Thus none of these three displays can be an instance of a semiotic morphism from the TATAMI spec, because in each case some key constructor is not preserved.

Figure 2: Screendumps of Various Status Window Designs We now (partially) specify the Status Window structure used in our current kumo prototype, and again give the flag proof as test case. Note the ALT constructor in the rst module below. obj STATWIN is pr TATAMI-BASE . sorts SWin SItem . dfn LSItem is LIST[SItem]. dfn LLSItem is LIST[LSItem]. op Swin_[_]_ : Name SItem TStat -> SWin . op SItem_[_]_ : LRule LSItem TStat -> SItem . op ALT : LSItem -> SItem . op subg : SItem -> Rule . endo obj TESTSWIN is pr STATWIN . op w : Nat -> SItem . let wflag = Swin('flag) [w(1)] T . eq w(1) = SItem('coind) [w(11) w(12) w(13)] T . eq w(12) = SItem('red) [nil] T . eq w(13) = ALT((SItem('red) [nil] ?) (SItem(subg(w(14)) 'red) [nil] T)). endo red wflag .

Finally we de ne a window view for single ProofWebs (i.e., the TATAMI-PF spec, not the TATAMI spec); thus this is a partial semiotic morphism from TATAMI to STATWIN, as is typical, and indeed, necessary for this application, because the status window only displays information for one proof at a time. view STATV from TATAMI-PF to STATWIN is sort HPg to SWin . sort Pf to SItem . sort LPf to LSItem . var G : Goal . var LR : LRule . var E : ExPg . var O : Obj . var S : TStat . var LP : LPf . var N : Name . var P : Pf . op (PfOf G By LR [E LP O] S) to (SItem(LR) [LP] S) . op (HPg N [G P S]) to (Swin N [P] S) . endv

All the above OBJ code runs and gives the expected results. Informal arguments about the complexity of representations, as when we noted above that subgoals can be too long, can also be formalized in our 7 In

practice, a lter is needed if there are many rules. This is another example of our Principle F/C: it is important to preserve proof structure as support for proof overview and navigation, so that if long lists of rules interfere with the clarity of structure, then the rules must be cut or even eliminated from the display.

8

framework, but we do not have space here to explain how. Tat



SWin

HPg

ag g1

HPg T sum g2

PfOfBy



g1 coind ex1

PfOfBy g2 ind ex2

obj1 T

pf11 pf12 ALT

PfOfBy



PfOfBy g13 red ex13 [] obj13 ? g13

PfOfBy



subg red

g21

ag SItem T



T obj2 T

w11 SItem

PfOfBy

 ex21 [] obj21 T g22  e22 [] obj22 T

qelim red

qelim ielim red



coind

red [] T

T ALT



SItem

SItem

red [] ?



ex131 [] obj131 T

[] T

subg red w14

pf14

Figure 3: Structures for Two Typical ProofWebs and a Status Window

8 Current Status and Further Research

We hope to have presented evidence that a scienti c approach to semantic issues in user interface design is possible that avoids the tedious and expensive methods of experimental psychology as well as ad hoc assumptions; if so, this may be a useful new area of cognitive psychology. In any case, we have found algebraic semiotics very useful in designing our tatami system. We now have several ProofWebs on our website, with applets, tutorials, and executable proofs via an OBJ3 barista server; later there will be servers for other provers and sites around the world, and of course more proofs, including correctness of our tatami protocol and of an optimizing compiler for OBJ [8]. A prototype of kumo is also available over the web. Akiyoshi Sato is building a generator for kumo-like systems; he is also implementing the tatami protocol, so that we can experiment with distributed cooperative proofs. Finally, we are constructing a \UC San Diego Semiotic Zoo," to contain examples where bad design arises from preservation failures of semiotic morphisms (http://lex.ucsd.edu/zoo), including the Status Window examples of Section 7.

Acknowledgements

Thank to members of the \links" group for support and comments during the laborious development of the material in this paper, particularly Grigore Rosu and Razvan Diaconescu for help with formalization (described in [2]), and Eric Livingston for discussions on social issues; thanks to Duncan Shand for comments. and special thanks to Kokichi Futatsugi for encouragement and support through the CafeOBJ project.

References

[1] Syd Field. Screenplay: The Foundations of Screenwriting. Dell, 1982. Third edition. [2] Joseph Goguen. Semiotic morphisms. Technical Report CS97{553, Dept. Computer Science & Engineering, University of California at San Diego, 1997. Early version in Intelligent Systems: A Semiotic Perspective, Vol. II, ed. James Albus, Alex Meystel and Richard Quintero, National Inst. Science & Technology (Gaithersberg MD, 20{23 October 1996), pages 26{31.

9

[3] Joseph Goguen. Towards a social, ethical theory of information. In Geo rey Bowker, Les Gasser, Leigh Star, and William Turner, editors, Social Science, Technical Systems and Cooperative Work: Beyond the Great Divide, pages 27{56. Erlbaum, 1997. [4] Joseph Goguen, Kai Lin, Akira Mori, Grigore Rosu, and Akiyoshi Sato. Distributed cooperative formal methods tools. In Michael Lowry, editor, Proceedings, Automated Software Engineering. NASA, 1997. Lake Tahoe CA, 3{5 November 1997. [5] Joseph Goguen and Charlotte Linde. Optimal structures for multi-media instruction. Technical report, SRI International, 1984. To Oce of Naval Research, Psychological Sciences Division. [6] Joseph Goguen and Grant Malcolm. Algebraic Semantics of Imperative Programs. MIT, 1996. [7] Joseph Goguen and Grant Malcolm. A hidden agenda. Technical Report CS97{538, UCSD, Dept. Computer Science & Engineering, May 1997. Early version in Proceedings, Conference on Intelligent Systems: A Semiotic Perspective, Vol. I, ed. James Albus, Alex Meystel and Richard Quintero, National Inst. Standards & Technology (Gaithersberg MD, 20{23 October 1996), pages 159{167. [8] Lutz Hamel. Behavioural Veri cation and Implementation of an Optimizing Compiler for OBJ3. PhD thesis, Oxford University Computing Lab, 1996. [9] William Labov. The transformation of experience in narrative syntax. In Language in the Inner City, pages 354{396. University of Pennsylvania, 1972. [10] Eric Livingston. The Ethnomethodology of Mathematics. Routledge & Kegan Paul, 1987. [11] Nicholas Merriam and Michael Harrison. What is wrong with GUIs for theorem provers? In Yves Bartot, editor, Proceedings, User Interfaces for Theorem Provers, pages 67{74. INRIA, 1997. Sophia Antipolis, 1{2 September 1997. [12] Marian Petre and Blaine Price. Why computer interfaces are not like paintings: the user as a deliberate reader. In Proceedings, East-West HCI'92, Vol. I, pages 217{224. Int. Centre for Scienti c and Technical Information, Moscow, 1992. [13] Eleanor Rosch. On the internal structure of perceptual and semantic categories. In T.M. Moore, editor, Cognitive Development and the Acquisition of Language. Academic, 1973. [14] Eleanor Rosch. Cognitive reference points. Cognitive Psychology, 7, 1975.

Appendix A Words from the Master

The desire to make mathematics easier has a long history, as shown by the following extract from a letter from Renee Descartes to Girard Desargues, dated 19 June 1639, quoted in The Geometrical Work of Girard Desargues, by J.V. Field and J.J. Gray (Springer, 1986, pages 176{177): If [it] is your intention ... to write for people who are interested but not learned, and make this subject, which until now has been understood by very few people, but which is nevertheless very useful ..., accessible to the common people and easily understood by anyone who studies it from your book, then you must steel yourself to ... explain everything so fully, so clearly and so distinctly that these gentlemen, who cannot study a book without yawning and cannot exert their imagination to understand a proposition of Geometry, nor turn the page to look at the letters on a gure, will not nd anything in your discourse which seems to them to be less easy of understanding than the description of an enchanted palace in a novel.

10