Each script resides in an Emacs buffer, called a script buffer, which is divided into three regions:
These three regions appear in the buffer in the order above; that is, the locked region is always at the start of the buffer, and the editing region always at the end. The queue region only exists if there is input waiting to be sent to the proof process.
Proof mode has two operations which transfer commands between these regions: assertion and retraction. These cause commands to be sent to the proof process, and Emacs will summarise the results in the Response Buffer.
Assertion causes commands from the editing region to be transferred to the queue region and sent one by one to the proof process. If the command is accepted, it is transferred to the locked region, but if an error occurs it is signalled to the user, and the offending command is transferred back to the editing region together with any remaining commands in the queue. Retraction causes commands to be transferred from the locked region to the editing region (again via the queue region) and the appropriate 'undo' commands to be sent to the proof process.
As commands are transferred to the locked region, they are aggregated into segments which constitute the smallest units which can be undone. Typically a segment consists of a declaration or definition, or all the text from a `goal' command to the corresponding `save' command, or the individual commands in the proof of an unfinished goal. As the mouse moves over the the region, the segment containing the pointer will be highlighted.
Commands in the editing region can be freely edited while commands in the queue are transferred to the proof process. However, assertion and retraction commands can only be issued when the queue is empty.
The command proof-restart-script can be used to completely
restart script management.
Proof mode has a rudimentary facility for operating with multiple files in a LEGO proof development. If the user invokes script management in a different buffer from the one in which it is running, one of two prompts will appear:
Currently this facility requires each script buffer to have a corresponding file.
When working with script management in multiple buffers, it is easy to lose track of which buffer is the current script buffer. As a mnemonic aid, the word `Scripting' appears in the minor mode list of the active scripting buffer.
Caveats:
Proof mode has a minor mode which causes the terminator to become active. When this mode is active, pressing the terminator key (; for LEGO, . for Coq) outside a comment or quote will cause the character to be entered into the buffer, and all the commands in the editing region up to the point to be asserted.
This mode can be toggled with the command `proof-active-terminator-minor-mode' (C-c ; or C-c .)
This mode is currently very unreliable, and we do not guarantee that it will work as discussed in this document.
Proof by pointing is a facility whereby proof commands can be generated by using the mouse to select terms. When proving a goal, a summary of the current proof state will appear in the response buffer. By moving the mouse over the buffer, the structure of the goal and hypothesis terms will be shown by highlighting.
If a selection is made using the second (usually the middle) mouse button, Emacs will generate the appropriate commands, insert them in the script buffer, and send them to the proof process. These commands are aggregated in the locked region as a single segment, so that a mouse-generated command sequence can be retracted with a single retraction command.
Further Information about proof by pointing may be found in the paper User Interfaces for Theorem Provers by Yves Bertot and Laurent Thery, to appear in Information and Computation, from which the following example is taken.
Suppose we wish to prove the lego term:
(((p a) \/ (q b)) /\ {x:Prop}(p x) -> (q x)) -> (Ex ([x:Prop] q(x)));
Asserting this goal will result in the proof state
?0 : ((p a \/ q b) /\ {x:Prop}(p x)->q x)->Ex ([x:Prop]q x)
appearing in the response buffer. Suppose our strategy is to use a case analysis on the disjunction, starting with the `p(a)' subterm. Clicking on this term will cause script management to insert the following command sequence in the script buffer, and execute it.
Intros H; Refine H; Intros H0 H1; Refine or_elim H0 Then Intros H2; Try Refine H2;
The response buffer will then read
H : (p a \/ q b) /\ {x:Prop}(p x)->q x
H0 : p a \/ q b
H1 : {x:Prop}(p x)->q x
H2 : p a
?10 : Ex ([x:Prop]q x)
Clicking on the subterm `(p x)' in the hypothesis H1 will instruct script management to prove an instance of `(p x)' and deduce the corresponding `(q x)'. The commands
allE H1; intros +1 H3; Refine impl_elim H3; Try Assumption;
are inserted and executed, leaving the proof state as
H : (p a \/ q b) /\ {x:Prop}(p x)->q x
H0 : p a \/ q b
H1 : {x:Prop}(p x)->q x
H2 : p a
H3 : (p a)->q a
?20 : (q a)->Ex ([x:Prop]q x)
Now clicking on the `q x)' subterm in ?20 will prove the subgoal. We are left with the other half of the original case analysis:
H : (p a \/ q b) /\ {x:Prop}(p x)->q x
H0 : p a \/ q b
H1 : {x:Prop}(p x)->q x
H2 : q b
?26 : Ex ([x:Prop]q x)
Clicking on `q x' proves the goal.
Here's a LEGO example of how script management is used.
First, we turn on active terminator minor mode by typing C-c ; Then we enter
`Module Walthrough Import lib_logic;'
The command should be lit in pink (or inverse video if you don't have a colour display). As LEGO imports each module, a line will appear in the response buffer showing the creation of context marks. Eventually the command should turn blue, indicating that LEGO has successfully processed it. Then type (on a separate line if you like)
`Goal bland_commutes: {A,b:Prop} and A B -> and B A;'
The goal should be echoed in the response buffer.
`Intros;'
Whoops! C-c C-u to pretend that didn't happen.
`intros; andI;'
A proof summary will appear in the response buffer. We could solve the goal by pointing now, but we'll stay with the keyboard.
`Refine H; intros; Immed; Refine H; intros; Immed;'
finishes the Goal.
`Save;'
Moving the mouse pointer over the locked region now reveals that the entire proof has been aggregated into a single segment. Suppose we decide to call the goal something more sensible. Moving the cursor up into the locked region, somewhere between `Goal' and `Save', we enter C-c u. The segment is transferred back into the editing region. Now we correct the goal name, move the cursor to the end of the buffer, and type C-c return. Proof mode queues the commands for processing and executes them.
LEGO mode is a mode derived from proof mode for editing LEGO scripts. As well as custom popup menus, it has the following commands:
In addition, there are some abbreviations for common commands
Coq mode is a mode derived from proof mode for editing Coq scripts. As well as custom popup menus, it has the following commands:
In addition, there are some abbreviations for common commands:
Since Emacs is pretty flexible, there are a whole bunch of things you
can do to confuse script management. When it gets confused, it may
become distressed, and may eventually sulk. In such instances
proof-restart-script-management may be of use.
A few things to avoid:
Discharge
commands in LEGO, and any attempts it makes to do so may leave it in an
inconsistent state. If you're undoing the effects of a Discharge
command, retract back to the declaration of whatever gets discharged.
Fixes for some of these may be provided in a future release.
I may one day document the script management internals here. Until then, UtSL.