\def\fontdefs{\psfamily{bsf}{r}{c}{b}{b}{ri}{ri}{ro}{bo}\def\mainmagstep{1200}} \input texinfo @c @c $Id$ @c @c NB: the first line of this file uses a non-standard TeXinfo @c hack to print in Serifa fonts. It has no effect if you don't have @c my hacked version of TeXinfo - da. @c @c @setfilename ProofGeneral.info @settitle Proof General @setchapternewpage odd @paragraphindent 0 @c A flag for whether to include the front image in the @c DVI file. You can download the front image from @c http://zermelo.dcs.ed.ac.uk/~proofgen/ProofGeneralPortrait.eps.gz @c then put it into this directory and 'make dvi' (pdf,ps) @c will set the flag below automatically. @clear haveeps @iftex @afourpaper @end iftex @c @c Some URLs. @c FIXME: unfortunately, broken in buggy pdftexinfo. @c so removed for now. @set URLxsymbol http://www.fmi.uni-passau.de/~wedler/x-symbol/ @set URLisamode http://zermelo.dcs.ed.ac.uk/~isamode @set URLpghome http://zermelo.dcs.ed.ac.uk/home/proofgen @set URLpglatestrpm http://zermelo.dcs.ed.ac.uk/home/proofgen/ProofGeneral-latest.noarch.rpm @set URLpglatesttar http://zermelo.dcs.ed.ac.uk/home/proofgen/ProofGeneral-latest.tar.gz @set URLpglatestdev http://zermelo.dcs.ed.ac.uk/home/proofgen/ProofGeneral-devel-latest.tar.gz @c @c @c @c IMPORTANT NOTES ABOUT THIS TEXINFO FILE: @c I've tried keep full node lines *out* of this file because Emacs makes a @c mess of updating them and they are a nuisance to do by hand. @c Instead, rely on makeinfo and friends to do the equivalent job. @c For this to work, we must follow each node @c immediately with a section command, i.e.: @c @c @node node-name @c @c @c And each section with lower levels must have a menu command in @c it. Menu updating with Emacs is a bit better than node updating, @c but tends to delete the first section of the file in XEmacs! @c (it's better in FSF Emacs at the time of writing). @c @c LINE BREAKS: For html generated from this to look good, it is @c important that there are lots of line breaks/blank lines, esp @c after @enddefn's and similar. Otherwise text flows on the same @c paragraph but gets coloured wrongly with Netscape's handling of @c style sheets. @c @c reminder about references: @c @xref{node} blah start of sentence: See [ref] @c blah (@pxref{node}) blah bla (see [ref]), best at end of sentence @c @ref{node} without "see". Careful for info. @c @set version 3.2prerelease @set xemacsversion 21.1 @set fsfversion 20.5 @set last-update September 2000 @set rcsid $Id$ @ifinfo @format START-INFO-DIR-ENTRY * Proof General: (ProofGeneral). Organize your proofs with Emacs! END-INFO-DIR-ENTRY @end format @end ifinfo @c @c MACROS @c @c define one here for a command with a key-binding? @c @c I like the idea, but it's maybe against the TeXinfo @c style to fix together a command and its key-binding. @c @c merge functions and variables into concept index. @c @syncodeindex fn cp @c @syncodeindex vr cp @c merge functions into variables index @c @syncodeindex fn vr @finalout @titlepage @title Proof General @subtitle Organize your proofs with Emacs! @subtitle Proof General @value{version} @subtitle @value{last-update} @c nested ifs fail here completely, WHY? @iftex @ifset haveeps @c @vskip 1cm @c The .eps file takes 8.4M! A pity texi can't seem @c to deal with gzipped files? (goes down to 1.7M). @c But this still seems too much to put into the @c PG distribution just for an image on the manual page, @c so we take it out for now. @c Ideally would like some way of generating eps from @c the .jpg file. @c image{ProofGeneralPortrait} @end ifset @end iftex @author David Aspinall with H. Goguen, T. Kleymann and D. Sequeira @page @vskip 0pt plus 1filll This manual and the program Proof General are Copyright @copyright{} 1998-2000 Poof General team, LFCS Edinburgh. @c @c COPYING NOTICE @c @ignore Permission is granted to process this file through TeX and print the results, provided the printed document carries copying permission notice identical to this one except for the removal of this paragraph (this paragraph not being relevant to the printed manual). @end ignore @sp 2 Permission is granted to make and distribute verbatim copies of this manual provided the copyright notice and this permission notice are preserved on all copies. @sp 2 This manual documents Proof General, Version @value{version}, for use with XEmacs @value{xemacsversion} and FSF GNU Emacs @value{fsfversion} or later versions. Version control: @code{@value{rcsid}} @end titlepage @page @ifinfo @node Top @top Proof General This file documents version @value{version} of @b{Proof General}, a generic Emacs interface for proof assistants. Proof General @value{version} has been tested with XEmacs @value{xemacsversion} and FSF GNU Emacs @value{fsfversion}. It is supplied ready customized for the proof assistants Coq, Lego, Isabelle, and HOL. @menu * Preface:: * Introducing Proof General:: * Basic Script Management:: * Proof by Pointing:: * Advanced Script Management:: * Support for other Packages:: * Hints and Tips:: * Customizing Proof General:: * LEGO Proof General:: * Coq Proof General:: * Isabelle Proof General:: * HOL Proof General:: * Obtaining and Installing:: * Known bugs and workarounds:: * References:: * Function Index:: * Variable Index:: * Keystroke Index:: * Concept Index:: @end menu @end ifinfo @node Preface @unnumbered Preface Welcome to Proof General! This preface has some news about the current release series, as well as some history about previous releases, and acknowledgements to those who have helped along the way. Proof General has a home page at @uref{http://www.lfcs.informatics.ed.ac.uk/proofgen}. Visit this page for the latest version of this manual, other documentation, system downloads, etc. @menu * Latest news for 3.2:: * News for 3.1:: * News for 3.0:: * History before 3.0:: * Credits:: @end menu @node Latest news for 3.2 @unnumberedsec Latest news for 3.2 @cindex news Proof General 3.2 has several new features and some bug fixes. One noticeable new feature is the addition of a prover-specific menu for each of the supported provers. This menu has a ``favourites'' feature that you can use to easily define new functions. Please contribute useful functions (or suggestions for functions) for things you would like to appear on these menus, to the maintainer for the instance of Proof General you use. Because of the new menus and to make room for more commands, we have made a new key map for prover specific functions. These now all begin with @kbd{C-c C-a}. This has changed a few key bindings slightly. Another new feature is the addition of prover-specific completion tables, to encourage the use of Emacs's completion facility, using @kbd{C-RET}. @xref{Support for completion}, for full details. A less obvious new feature is support for turning the proof assistant output on and off internally, to improve efficiency when processing large scripts. This means that more of your CPU cycles can be spent on proving theorems. The internal code of Proof General has been significantly overhauled for this version, which should make it more robust and readable. The generic code has an improved file structure, and there is support for automatic generation of autoload functions. There is also a new mechanism for defining prover-specific customization and instantiation settings which fits better with the customize library. These settings are named in the form @code{@i{PA}-setting-name} in the documentation; you replace @i{PA} by the symbol for the proof assistant you are interested in. @xref{Customizing Proof General}, for details. Adapting for new proof assistants continues to be made more flexible, and easier in several places. This has been motivated by adding experimental support for some new systems. Breaking the manual into two pieces was overdue: now all details on adapting Proof General, and notes on its internals, are in the @i{Adapting Proof General} manual. Finally, important bug fixes include the robustification against @code{write-file} (@kbd{C-x C-w}), @code{revert-buffer}, and friends. These are rather devious functions to use during script management, but Proof General now tries to do the right thing if you're deviant enough to try them out! The work on this release was undertaken by David Aspinall between May-August 2000, and also includes contributions from Markus Wenzel and Pierre Courtieu. @node News for 3.1 @unnumberedsec News for 3.1 @cindex news Proof General 3.1 (released March 2000) is a bug-fix improvement over version 3.0. There are some minor cosmetic improvements, but large changes have been held back to ensure stability. This release solves a few minor problems which came to light since the final testing stages for 3.0. It also solves some compatibility problems, so now it works with various versions of Emacs which we hadn't tested with before (non-mule FSF Emacs, certain Japanese Emacs versions). We're also pleased to announce HOL Proof General, a new instance of Proof General for HOL98. This is supplied as a "technology demonstration" for HOL users in the hope that somebody from the HOL community will volunteer to adopt it and become a maintainer and developer. (Otherwise, work on HOL Proof General will not continue). Apart from that there are a few other small improvements. Check the CHANGES file in the distribution for full details. The HOL98 support and much of the work on Proof General 3.1 was undertaken by David Aspinall while he was visiting ETL, Osaka, Japan, supported by the British Council and ETL. @node News for 3.0 @unnumberedsec News for 3.0 Proof General 3.0 (released November 1999) has many improvements over 2.x releases. First, there are usability improvements. The toolbar was somewhat impoverished before. It now has twice as many buttons, and includes all of the useful functions used during proof which were previously hidden on the menu, or even only available as key-presses. Key-bindings have been re-organized, users of previous versions may notice. The menu has been redesigned and coordinated with the toolbar, and now gives easy access to more of the features of Proof General. Previously several features were only likely to be discovered by those keen enough to read this manual! Second, there are improvements, extensions, and bug fixes in the generic basis. Proofs which are unfinished and not explicitly closed by a ``save'' type command are supported by the core, if they are allowed by the prover. The design of switching the active scripting buffer has been streamlined. The management of the queue of commands waiting to be sent to the shell has been improved, so there are fewer unnecessary "Proof Process Busy!" messages. The support for scripting with multiple files was improved so that it behaves reliably with Isabelle99; file reading messages can be communicated in both directions now. The proof shell filter has been optimized to give hungry proof assistants a better share of CPU cycles. Proof-by-pointing has been resurrected; even though LEGO's implementation is incomplete, it seems worth maintaining the code in Proof General so that the implementors of other proof assistants are encouraged to provide support. For one example, we can certainly hope for support in Coq, since the CtCoq proof-by-pointing code has been moved into the Coq kernel lately. We need a volunteer from the Coq community to help to do this. An important new feature in Proof General 3.0 is support for @uref{http://www.fmi.uni-passau.de/~wedler/x-symbol/,X-Symbol}, which means that real logical symbols, Greek letters, etc can be displayed during proof development, instead of their ASCII approximations. This makes Proof General a more serious competitor to native graphical user interfaces. Finally, Proof General has become much easier to adapt to new provers --- it fails gracefully (or not at all!) when particular configuration variables are unset, and provides more default settings which work out-of-the-box. An example configuration for Isabelle is provided, which uses just 25 or so simple settings. This manual has been updated and extended for Proof General 3.0. Amongst other improvements, it has a better description of how to add support for a new prover. See the @code{CHANGES} file in the distribution for more information about the latest improvements in Proof General. Developers should check the @code{ChangeLog} in the developer's release for detailed comments on internal changes. Most of the work for Proof General 3.0 has been done by David Aspinall. Markus Wenzel helped with Isabelle support, and provided invaluable feedback and testing, especially for the improvements to multiple file handling. Pierre Courtieu took responsibility from Patrick Loiseleur for Coq support, although the improvements in both the Coq and LEGO code for this release were made by David Aspinall. Markus Wenzel also provided support for his Isar language, a new proof language for Isabelle. David von Oheimb helped to develop and debug the generic version of his X-Symbol patch which he originally provided for Isabelle. A new instantiation of Proof General is being worked on for @emph{Plastic}, a proof assistant being developed at the University of Durham. @node History before 3.0 @unnumberedsec History before 3.0 @cindex @code{lego-mode} @cindex history It all started some time in 1994. There was no Emacs interface for LEGO. Back then, Emacs militants worked directly with the Emacs shell to interact with the LEGO system. David Aspinall convinced Thomas Kleymann that programming in Emacs Lisp wasn't so difficult after all. In fact, Aspinall had already implemented an Emacs interface for Isabelle with bells and whistles, called @uref{http://zermelo.dcs.ed.ac.uk/~isamode,Isamode}. Soon after, the package @code{lego-mode} was born. Users were able to develop proof scripts in one buffer. Support was provided to automatically send parts of the script to the proof process. The last official version with the name @code{lego-mode} (1.9) was released in May 1995. @cindex proof by pointing @cindex CtCoq @cindex Centaur The interface project really took off the ground in November 1996. Yves Bertot had been working on a sophisticated user interface for the Coq system (CtCoq) based on the generic environment Centaur. He visited the Edinburgh LEGO group for a week to transfer proof-by-pointing technology. Even though proof-by-pointing is an inherently structure-conscious algorithm, within a week, Yves Bertot, Dilip Sequeira and Thomas Kleymann managed to implement a first prototype of proof-by-pointing in the Emacs interface for LEGO [BKS97]. @cindex structure editor @cindex script management Perhaps we could reuse even more of the CtCoq system. It being a structure editor did no longer seem to be such an obstacle. Moreover, to conveniently use proof-by-pointing in actual developments, one would need better support for script management. @cindex generic In 1997, Dilip Sequeira implemented script management in our Emacs interface for LEGO following the recipe in [BT98]. Inspired by the project CROAP, the implementation made some effort to be generic. A working prototype was demonstrated at UITP'97. In October 1997, Healfdene Goguen ported @code{lego-mode} to Coq. Part of the generic code in the @code{lego} package was outsourced (and made more generic) in a new package called @code{proof}. Dilip Sequeira provided some LEGO-specific support for handling multiple files and wrote a few manual pages. The system was reasonably robust and we shipped out the package to friends. In June 1998, David Aspinall reentered the picture by providing an instantiation for Isabelle. Actually, our previous version wasn't quite as generic as we had hoped. Whereas LEGO and Coq are similar systems in many ways, Isabelle was really a different beast. Fierce re-engineering and various usability improvements were provided by Aspinall and Kleymann to make it easier to instantiate to new proof systems. The major technical improvement was a truly generic extension of script management to work across multiple files. It was time to come up with a better name than just @code{proof} mode. David Aspinall suggested @emph{Proof General} and set about reorganizing the file structure to disentangle the Proof General project from LEGO at last. He cooked up some images and bolted on a toolbar, so a naive user can replay proofs without knowing a proof assistant language or even Emacs hot-keys. He also designed some web pages, and wrote most of this manual. Proof General 2.0 was the first official release of the improved program, made in December 1998. Version 2.1 was released in August 1999. It was used at the Types Summer School held in Giens, France in September 1999 (see @uref{http://www-sop.inria.fr/types-project/types-sum-school.html}). About 50 students learning Coq, Isabelle, and LEGO used Proof General for all three systems. This experience provided invaluable feedback and encouragement to make the improvements now in Proof General 3.0. @c Why not adapt Proof General to your favourite proof assitant? @node Credits @unnumberedsec Credits @cindex @code{lego-mode} @cindex maintenance The main developers of Proof General have been: @itemize @bullet @item @b{David Aspinall}, @item @b{Healfdene Goguen}, @item @b{Thomas Kleymann} and @item @b{Dilip Sequeira}. @end itemize LEGO Proof General (the successor of @code{lego-mode}) was crafted by Thomas Kleymann and Dilip Sequeira. @c It is presently maintained by David Aspinall and Paul Callaghan @i{}. @c Coq Proof General was crafted by Healfdene Goguen, with later contributions from Patrick Loiseleur. It is now maintained by Pierre Courtieu @i{}. @c Isabelle Proof General was crafted and is being maintained by David Aspinall @i{}. It has benefited greatly from tweaks and suggestions by Markus Wenzel, who crafted and maintains Isabelle/Isar Proof General. Markus also added Proof General support inside Isabelle. David von Oheimb supplied the original patches for X-Symbol support. The generic base for Proof General was developed by Kleymann, Sequeira, Goguen and Aspinall. It follows some of the ideas used in Project @uref{http://www.inria.fr/croap/,CROAP}. The project to implement a proof mode for LEGO was initiated in 1994 and coordinated until October 1998 by Thomas Kleymann, becoming generic along the way. In October 1998, the project became Proof General and has been managed by David Aspinall since then. This manual was written by David Aspinall and Thomas Kleymann. Some words found their way here from the user documentation of LEGO mode, prepared by Dilip Sequeira. Healfdene Goguen supplied some text for Coq Proof General. Since Proof General 2.0, this manual has been maintained and improved by David Aspinall. Pierre Courtieu wrote the section on file variables. The Proof General project has benefited from funding by EPSRC (Applications of a Type Theory Based Proof Assistant), the EC (Types for Proofs and Programs) and the support of the LFCS. Version 3.1 was prepared whilst David Aspinall was visiting ETL, Japan, supported by the British Council. For testing and feedback for older versions of Proof General, thanks go to Rod Burstall, Martin Hofmann, and James McKinna, and some of those who continued to help with the latest 3.x series. @c FIXME HERE! During the development of Proof General 3.x releases, many people helped provide testing and other feedback, including the Proof General maintainers, Paul Callaghan, Pierre Courtieu, and Markus Wenzel, and other folk who tested pre-releases or sent bug reports, including Pascal Brisset, Martin Buechi, Matt Fairtlough, Kim Hyung Ho, Pierre Lescanne, John Longley, Tobias Nipkow, Leonor Prensa-Nieto, David von Oheimb, Randy Pollack, and Mike Squire. Thanks to all of you! @c @c CHAPTER: Introduction @c @node Introducing Proof General @chapter Introducing Proof General @cindex proof assistant @cindex Proof General @c would like the logo on the title page really but @c it doesn't seem to work there for html. @ifhtml [ Proof General logo ] @end ifhtml @dfn{Proof General} is a generic Emacs interface for interactive proof assistants,@footnote{A @dfn{proof assistant} is a computerized helper for developing mathematical proofs. For short, we sometimes call it a @dfn{prover}, although we always have in mind an interactive system rather than a fully automated theorem prover.} developed at the LFCS in the University of Edinburgh. It works best under XEmacs, but can also be used with FSF GNU Emacs. You do not have to be an Emacs militant to use Proof General! The interface is designed to be very easy to use. You develop your proof script@footnote{A @dfn{proof script} is a sequence of commands which constructs a proof, usually stored in a file.} in-place rather than line-by-line and later reassembling the pieces. Proof General keeps track of which proof steps have been processed by the prover, and prevents you editing them accidently. You can undo steps as usual. The aim of Proof General is to provide a powerful and configurable interface for numerous interactive proof assistants. We target Proof General mainly at intermediate or expert users, so that the interface should be useful for large proof developments. Please help us! Send us comments, suggestsions, or (the best) patches to improve support for your chosen proof assistant. Contact us at @code{proofgen@@dcs.ed.ac.uk}. If your chosen proof assistant isn't supported, read the accompanying @i{Adapting Proof General} manual to find out how to configure PG for a new prover. @menu * Quick start guide:: * Features of Proof General:: * Supported proof assistants:: * Prerequisites for this manual:: * Organization of this manual:: @end menu @node Quick start guide @section Quick start guide Proof General may have been installed for you already. If so, when you visit a proof script file for your proof assistant, the corresponding Proof General mode will be invoked automatically: @multitable @columnfractions .3 .3 .4 @item @b{Prover} @tab @b{Extensions} @tab @b{Mode} @item LEGO @tab @file{.l} @tab @code{lego-mode} @item Coq @tab @file{.v} @tab @code{coq-mode} @item Isabelle @tab @file{.thy},@file{.ML} @tab @code{isa-mode} @item Isabelle/Isar @tab @file{.thy} @tab @code{isar-mode} @item HOL98 @tab @file{.sml} @tab @code{hol98-mode} @end multitable You can also invoke the mode command directly, e.g., type @kbd{M-x lego-mode}, to turn a buffer into a lego script buffer. You'll find commands to process the proof script are available from the toolbar, menus, and keyboard. Type @kbd{C-h m} to get a list of the keyboard shortcuts for the current mode. The commands available should be easy to understand, but the rest of this manual describes them in some detail. The proof assistant itself is started automatically inside Emacs as an "inferior" process when you ask for some of the proof script to be processed. You can also start the proof assistant directly with the menu command "Start proof assistant". To follow an example use of Proof General on a LEGO proof, @pxref{Walkthrough example in LEGO}. If you know the syntax for proof scripts in another theorem prover, you can easily adapt the details given there. If Proof General has not already been installed, you should insert the line: @lisp (load "@var{proof-general-home}/generic/proof-site.el") @end lisp into your @file{~/.emacs} file, where @var{proof-general-home} is the top-level directory that was created when Proof General was unpacked. @xref{Obtaining and Installing}, if you need more information. @node Features of Proof General @section Features of Proof General @cindex Features @cindex Why use Proof General? Why would you want to use Proof General? @c FIXME: would like to keep this synched with web page, really. @c but web page needs extra markup. Proof General is designed to be useful for novices and expert users alike. It will be useful to you if you use a proof assistant, and you'd like an interface with the following features: simplified interaction, script management, multiple file scripting, a script editing mode, proof by pointing, toolbar and menus, syntax highlighting, real symbols, functions menu, tags, and finally, adaptability. Here is an outline of some of these features. Look in the contents page or index of this manual to find out about the others! @itemize @bullet @item @i{Simplified interaction}@* Proof General is designed for proof assistants which have a command-line shell interpreter. When using Proof General, the proof assistant's shell is hidden from the user. Communication takes place via three buffers (Emacs text widgets). Communication takes place via three buffers. The @dfn{script buffer} holds input, the commands to construct a proof. The @dfn{goals buffer} displays the current list of subgoals to be solved. The @dfn{response buffer} displays other output from the proof assistant. By default, only two of these three buffers are displayed. This means that the user normally only sees the output from the most recent interaction, rather than a screen full of output from the proof assistant. Proof General does not commandeer the proof assistant shell: the user still has complete access to it if necessary. For more details, @pxref{Summary of Proof General buffers} and @pxref{Display customization}. @item @i{Script management}@* Proof General colours proof script regions blue when they have been processed by the prover, and colours regions red when the prover is currently processing them. The appearance of Emacs buffers always matches the proof assistant's state. Coloured parts of the buffer cannot be edited. Proof General has functions for @emph{asserting} or @emph{retracting} parts of a proof script, which alters the coloured regions. For more details, @pxref{Basic Script Management}, @ref{Script processing commands}, and @ref{Advanced Script Management}. @item @i{Script editing mode}@* Proof General provides useful facilities for editing proof scripts, including syntax hilighting and a menu to jump to particular goals, definitions, or declarations. Special editing functions send lines of proof script to the proof assistant, or undo previous proof steps. For more details, @pxref{Script editing commands}, and @ref{Script processing commands}. @item @i{Toolbar and menus}@* A script buffer has a toolbar with navigation buttons for processing parts of the proof script. A menu provides further functions for operations in the proof assistant, as well as customization of Proof General. For more details, @pxref{Toolbar commands}, @ref{Proof assistant commands}, and @ref{Customizing Proof General}. @item @i{Proof by pointing}@* Proof General has support for proof-by-pointing and similar features. Proof by pointing allows you to click on a subterm of a goal to be proved, and automatically apply an appropriate proof rule or tactic. Proof by pointing is specific to the proof assistant (and logic) in use; therefore it is configured mainly on the proof assistant side. If you would like to see proof by pointing support for Proof General in a particular proof assistant, petition the developers of the proof assistant to provide it. @c Proof General expects to parse @c term-structure annotations on the output syntax of the prover. @c It uses these to construct a message to the prover indicating @c where the user has clicked, and the proof assistant can @c response with a suggested tactic. @end itemize @node Supported proof assistants @section Supported proof assistants Proof General comes ready-customized for these proof assistants: @c FLAG VERSIONS HERE @itemize @bullet @item @b{LEGO Proof General} for LEGO Version 1.3.1@* @xref{LEGO Proof General}, for more details. @item @b{Coq Proof General} for Coq Version 6.3@* @xref{Coq Proof General}, for more details. @item @b{Isabelle Proof General} for Isabelle99-1@* @xref{Isabelle Proof General}, for more details. @item @b{Isabelle/Isar Proof General} for Isabelle99-1@* @xref{Isabelle Proof General}, and documentation suplied with Isabelle for more details. @item @b{HOL Proof General} for HOL98@* @xref{HOL Proof General}, for more details. @end itemize Proof General is designed to be generic, so if you know how to write regular expressions, you can make: @itemize @bullet @item @b{Your Proof General} for your favourite proof assistant.@* For more details of how to make Proof General work with another proof assistant, see the accompanying manual @i{Adapting Proof General}. @end itemize Note that there is some variation between the features supported by different instances of Proof General. The main variation is proof by pointing, which is only supported in LEGO at the moment. For advanced features like this, some extensions to the output routines of the proof assistant are required, typically. @node Prerequisites for this manual @section Prerequisites for this manual @cindex Meta @cindex Alt @cindex key sequences This manual assumes that you understand a little about using Emacs, for example, switching between buffers using @kbd{C-x b} and understanding that a key sequence like @kbd{C-x b} means "control with x, followed by b". A key sequence like @kbd{M-z} means "meta with z". (@key{Meta} may be labelled @key{Alt} on your keyboard). The manual also assumes you have a basic understanding of your proof assistant and the language and files it uses for proof scripts. But even without this, Proof General is not useless: you can use the interface to @emph{replay} proof scripts for any proof assistant without knowing how to start it up or issue commands, etc. This is the beauty of a common interface mechanism. To get more from Proof General and adapt it to your liking, it helps to know a little bit about how Emacs lisp packages can be customized via the Customization mechanism. It's really easy to use. For details, @pxref{How to customize}. @inforef{Easy customization, ,(xemacs)}, for documentation in XEmacs. To get the absolute most from Proof General, to improve it or to adapt it for new provers, you'll need to know a little bit of Emacs lisp. Emacs is self-documenting, so you can begin from @kbd{C-h} and find out everything! Here are some useful commands: @table @asis @item @kbd{C-h i} @code{info} @item @kbd{C-h m} @code{describe-mode} @item @kbd{C-h b} @code{describe-bindings} @item @kbd{C-h f} @code{describe-function} @item @kbd{C-h v} @code{describe-variable} @end table @node Organization of this manual @section Organization of this manual This manual covers the user-level view and customization of Proof General. The accompanying @i{Adapting Proof General} manual considers adapting Proof General to new proof assistants, and documents some of the internals of Proof General. Three appendices of this manual contain some details about obtaining and installing Proof General and some known bugs. The contents of these final chapters is also covered in the files @file{INSTALL} and @file{BUGS} contained in the distribution. Refer to those files for the latest information. The manual concludes with some references and indexes. See the table of contents for full details. @c @c CHAPTER: Basic Script Management @c @node Basic Script Management @chapter Basic Script Management This chapter is an introduction to using the script management facilities of Proof General. We begin with a quick walkthrough example, then describe the concepts and functions in more detail. @menu * Walkthrough example in LEGO:: * Proof scripts:: * Script buffers:: * Summary of Proof General buffers:: * Script editing commands:: * Script processing commands:: * Toolbar commands:: * Proof assistant commands:: @end menu @node Walkthrough example in LEGO @section Walkthrough example in LEGO Here's a short example in LEGO to see how script management is used. The file you are asked to type below is included in the distribution as @file{lego/example.l}. If you're not using LEGO, substitute some lines from a simple proof for your proof assistant, or consult the file called something like @file{foo/example.foo} for proof assistant Foo. This walkthrough is keyboard based, but you could easily use the toolbar and menu functions instead. The best way to learn Emacs key bindings is by using the menus. You'll find the keys named below listed on the menus. @itemize @bullet @item First, find a new file by @kbd{C-x C-f} and typing as the filename @file{example.l}. This should load LEGO Proof General and the toolbar and Proof General menus will appear. You should have an empty buffer displayed. @end itemize The notation @kbd{C-x C-f} means control key with `x' followed by control key with `f'. This is a standard notation for Emacs key bindings, used throughout this manual. This function also appears on the @code{File} menu of Emacs. The remaining commands used will be on the @code{Proof-General} menu. If you're not using LEGO, you must choose a different file extension, appropriately for your proof assistant. If you don't know what to use, see the previous chapter for the list of supported assistants and file extensions. @itemize @bullet @item Turn on @dfn{electric terminator} by typing @kbd{C-c ;} and enter: @lisp Module example Import lib_logic; @end lisp This first command defines a file header and tells LEGO to use logic; these steps are usually not necessary in other proof assistants. @end itemize Electric terminator sends commands to the proof assistant as you type them. The exact key binding is based on the terminator used for your proof assistant, but you can always check the menu if you're not sure. Electric terminator mode is popular, but not enabled by default because of the principle of least surprise. You can customize Proof General to enable it everytime if you want, @xref{Customizing Proof General}. In XEmacs, this is particularly easy: just use the menu item @code{Options -> Save Options} to save some common options while using Proof General. The @code{Module} command should now be lit in pink (or inverse video if you don't have a colour display). As LEGO imports each module, a line will appear in the minibuffer showing the creation of context marks. Eventually the command should turn blue, indicating that LEGO has successfully processed it. @itemize @bullet @item Next type (on a new line if you like): @lisp Goal bland_commutes: @{A,B:Prop@} (and A B) -> (and B A); @end lisp @end itemize The goal should be displayed in the goals buffer. @itemize @bullet @item Now type: @lisp Intros; @end lisp @end itemize This will update the goals buffer. But whoops! That was the wrong command. @itemize @bullet @item Press @kbd{C-c C-BS} to pretend that didn't happen. @end itemize Note: @kbd{BS} means the backspace key. This key press sends an undo command to LEGO, and deletes the @code{Intros;} command from the proof script. If you just want to undo without deleting, you can type @kbd{C-c C-u} instead, or use the toolbar navigation button. @itemize @bullet @item Instead, let's try: @lisp intros; andI; @end lisp We've used the conjunction-introduction rule. To finish off, use these commands: @lisp Refine H; intros; Immed; Refine H; intros; Immed; @end lisp @end itemize Now you should see LEGO display the QED message. @itemize @bullet @item Finally, type: @lisp Save bland_commutes; @end lisp @end itemize This last command closes the proof and saves the proved theorem. Moving the mouse pointer over the locked region now reveals that the entire proof has been aggregated into a single segment. This reflects the fact that LEGO has thrown away the history of the proof, so if we want to undo now, the whole proof must be retracted. @itemize @bullet @item Suppose we decide to call the goal something more sensible. Move the cursor up into the locked region, somewhere between @samp{Goal} and @samp{Save}, enter @kbd{C-c C-RET}. @end itemize You see that the locked segment for the whole proof is now unlocked (and uncoloured): it is transferred back into the editing region. The command @kbd{C-c C-RET} moves the end of the locked region to the cursor position, sending undoing commands or proof commands as necessary. @itemize @bullet @item Now correct the goal name, for example: @lisp Goal and_commutes: @{A,B:Prop@} (and A B) -> (and B A); @end lisp Move the cursor to the end of the buffer, and type @kbd{C-c C-RET} again. @end itemize Proof General queues the commands for processing and executes them one by one. You should see the proof turn pink, then quickly command by command it is turned blue. The progress of pink to blue can be much slower with long and complicated proofs! @node Proof scripts @section Proof scripts @cindex proof script @cindex scripting A @dfn{proof script} is a sequence of commands which constructs definitions, declarations, theories, and proofs in a proof assistant. Proof General is designed to work with text-based @i{interactive} proof assistants, where the mode of working is usually a dialogue between the human and the proof assistant. Primitive interfaces for proof assistants simply present a @dfn{shell} (command interpreter) view of this dialogue: the human repeatedly types commands to the shell until the proof is completed. The system responds at each step, perhaps with a new list of subgoals to be solved, or perhaps with a failure report. Proof General manages the dialogue to show the human only the information which is relevant at each step. Often we want to keep a record of the proof commands used to prove a theorem, to build up a library of proved results. An easy way to store a proof is to keep a text file which contains a proof script; proof assistants usually provide facilities to read a proof script from a file instead of the terminal. Using the file, we can @dfn{replay} the proof script to prove the theorem again. @c Re-playing a proof script is a non-interactive procedure, @c since it is supposed to succeed. Using only a primitive shell interface, it can be tedious to construct proof scripts with cut-and-paste. Proof General helps out by issuing commands directly from a proof script file, while it is being written and edited. Proof General can also be used conveniently to replay a proof step-by-step, to see the progress at each stage. @c developing them in proof script files. @dfn{Scripting} is the process of building up a proof script file or replaying a proof. When scripting, Proof General sends proof commands to the proof assistant one at a time, and prevents you from editing commands which have been successfully completed by the proof assistant, to keep synchronization. Regions of the proof script are analysed based on their syntax and the behaviour of the proof assistant after each proof command. @node Script buffers @section Script buffers @cindex script buffer @cindex proof script mode A @dfn{script buffer} is a buffer displaying a proof script. Its Emacs mode is particular to the proof assistant you are using (but it inherits from @dfn{proof-mode}). A script buffer is divided into three regions: @emph{locked}, @emph{queue} and @emph{editing}. The proof commands in the script buffer can include a number of @emph{Goal-save sequences}. @menu * Locked queue and editing regions:: * Goal-save sequences:: * Active scripting buffer:: @end menu @node Locked queue and editing regions @subsection Locked, queue, and editing regions @cindex Locked region @cindex Queue region @cindex Editing region @cindex blue text @cindex pink text The three regions that a script buffer is divided into are: @c @itemize @bullet @item The @emph{locked} region, which appears in blue (underlined on monochrome displays) and contains commands which have been sent to the proof process and verified. The commands in the locked region cannot be edited. @item The @emph{queue} region, which appears in pink (inverse video) and contains commands waiting to be sent to the proof process. Like those in the locked region, these commands can't be edited. @item The @emph{editing} region, which contains the commands the user is working on, and can be edited as normal Emacs text. @end itemize These three regions appear in the buffer in the order above; that is, the locked region is always at the start of the buffer, and the editing region always at the end. The queue region only exists if there is input waiting to be processed by the proof process. Proof General has two fundamental operations which transfer commands between these regions: @emph{assertion} (or processing) and @emph{retraction} (or undoing). @cindex Assertion @strong{Assertion} causes commands from the editing region to be transferred to the queue region and sent one by one to the proof process. If the command is accepted, it is transferred to the locked region, but if an error occurs it is signalled to the user, and the offending command is transferred back to the editing region together with any remaining commands in the queue. Assertion corresponds to processing proof commands, and makes the locked region grow. @cindex Retraction @strong{Retraction} causes commands to be transferred from the locked region to the editing region (again via the queue region) and the appropriate 'undo' commands to be sent to the proof process. Retraction corresponds to undoing commands, and makes the locked region shrink. For details of the commands available for doing assertion and retraction, @xref{Script processing commands}. @node Goal-save sequences @subsection Goal-save sequences @cindex goal @cindex save @cindex goal-save sequences A proof script contains a sequence of commands used to prove one or more theorems. As commands in a proof script are transferred to the locked region, they are aggregated into segments which constitute the smallest units which can be undone. Typically a segment consists of a declaration or definition, or all the text from a @dfn{goal} command to the corresponding @dfn{save} command, or the individual commands in the proof of an unfinished goal. As the mouse moves over the the region, the segment containing the pointer will be highlighted. Proof General therefore assumes that the proof script has a series of proofs which look something like this: @lisp goal @var{mythm} is @var{G} @dots{} save theorem @var{mythm} @end lisp interspersed with comments, definitions, and the like. Of course, the exact syntax and terminology will depend on the proof assistant you use. The name @var{mythm} can appear in a menu for the proof script to help quickly find a proof (@pxref{Support for function menus}). @c Proof General recognizes the goal-save sequences in proof scripts. @c once a goal-save region has been fully processed by the proof assistant, @c it is treated as atomic when undoing proof steps. This reflects the @c fact that most proof assistants discard the history of a proof once a it @c is completed or once a new proof is begun. @node Active scripting buffer @subsection Active scripting buffer @cindex active scripting buffer You can edit as many script buffers as you want simultaneously, but only one buffer at a time can be used to process a proof script incrementally: this is the @dfn{active scripting buffer}. The active scripting buffer has a special indicator: the word @code{Scripting} appears in its mode line. When you use a scripting command, it will automatically turn a buffer into the active scripting mode. You can also do this by hand, via the menu command 'Toggle Scripting' or the key @kbd{C-c C-s}. @table @asis @item @kbd{C-c C-s} @code{proof-toggle-active-scripting} @end table When active scripting mode is turned on, several things may happen to get ready for scripting (exactly what happens depends on which proof assistant you are using and some user settings). First, the proof assistant is started if it is not already running. Second, a command is sent to the proof assistant to change directory to the directory of the current buffer. If the current buffer corresponds to a file, this is the directory the file lives in. This is in case any scripting commands refer to files in the same directory as the script. The third thing that may happen is that you are prompted to save some unsaved buffers. This is in case any scripting commands may read in files which you are editing. Finally, some proof assistants may automatically read in files which the current file depends on implicitly. In Isabelle, for example, there is an implicit dependency between a @code{.ML} script file and a @code{.thy} theory file which defines its theory. If you have a partly processed scripting buffer and use @kbd{C-c C-s}, or you attempt to use script processing in a new buffer, Proof General will ask you if you want to retract what has been proved so far, @code{Scripting incomplete in buffer myproof.l, retract?} or if you want to process the remainder of the active buffer, @code{Completely process buffer myproof.l instead?} before you can start scripting in a new buffer. If you refuse to do either, Proof General will give an error message: @code{Cannot have more than one active scripting buffer!}. To turn off active scripting, the buffer must be completely processed (all blue), or completely unprocessed. There are two reasons for this. First, it would certainly be confusing if it were possible to split parts of a proof arbitrarily between different buffers; the dependency between the commands would be lost and it would be tricky to replay the proof.@footnote{Some proof assistants provide some level of support for switching between multiple concurrent proofs, but Proof General does not use this. Generally the exact context for such proofs is hard to define to easily split them into multiple files.} Second, we want to interface with file management in the proof assistant. Proof General assumes that a proof assistant may have a notion of which files have been processed, but that it will only record files that have been @i{completely} processed. For more explanation of the handling of multiple files, @xref{Switching between proof scripts}. @c TEXI DOCSTRING MAGIC: proof-toggle-active-scripting @deffn Command proof-toggle-active-scripting &optional arg Toggle active scripting mode in the current buffer.@* With @var{arg}, turn on scripting iff @var{arg} is positive. @end deffn @node Summary of Proof General buffers @section Summary of Proof General buffers @cindex shell buffer @cindex goals buffer @cindex response buffer @cindex proof by pointing Proof General manages several kinds of buffers in Emacs. Here is a summary of the different kinds of buffers you will use when developing proofs. @itemize @bullet @item The @dfn{proof shell buffer} is an Emacs shell buffer used to run your proof assistant. Usually it is hidden from view (but @pxref{Escaping script management}). Communication with the proof shell takes place via two or three intermediate buffers. @item A @dfn{script buffer}, as we have explained, is a buffer for editing a proof script. The @dfn{active scripting buffer} is the script buffer which is currently being used to send commands to the proof shell. @item The @dfn{goals buffer} displays the list of subgoals to be solved for a proof in progress. During a proof it is usually displayed together with the script buffer. The goals buffer has facility for @dfn{proof-by-pointing}. @item The @dfn{response buffer} displays other output from the proof assistant, for example error messages or informative messages. The response buffer is displayed whenever Proof General puts a new message in it. @end itemize Normally Proof General will automatically reveal and hide the goals and response buffers as necessary during scripting. However there are ways to customize the way the buffers are displayed (@pxref{Display customization}). The menu @code{Proof General -> Buffers} provides a convenient way to display or switch to one of the four buffers: active scripting, goals, response, or shell. @c When @c Proof General sees an error in the shell buffer, it will highlight the @c error and display the buffer automatically. @c This facility was not added: @c @c Optionally, the goals buffer and script buffer can be identified @c @pxref{Identify goals and response}. The disadvantage of this is that @c the goals display can be replaced by other messages, so you must ask for @c it to be refreshed. The advantage is that it is simpler to deal with @c fewer Emacs buffers. @node Script editing commands @section Script editing commands Proof General provides a few functions for editing proof scripts. The generic functions mainly consist of commands to navigate within the script. Specific proof assistant code may add more to these basics. @findex indent-for-tab-command @vindex proof-script-indent Indentation is controlled by the user option @code{proof-script-indent} (@pxref{User options}). When indentation is enabled, Proof General will indent lines of proof script with the usual Emacs functions, particularly @kbd{TAB}, @code{indent-for-tab-command}. @c FIXME: remove when indentation is fixed. Unfortunately, indentation in Proof General @value{version} is somewhat slow. Therefore with large proof scripts, we recommend @code{proof-script-indent} is turned off. Here are the commands for moving around in a proof script, with their default key-bindings: @kindex C-c C-a @kindex C-c C-e @kindex C-c C-. @table @kbd @item C-c C-a @code{proof-goto-command-start} @item C-c C-e @code{proof-goto-command-end} @item C-c C-. @code{proof-goto-end-of-locked} @end table @c TEXI DOCSTRING MAGIC: proof-goto-command-start @deffn Command proof-goto-command-start Move point to start of current (or final) command of the script. @end deffn @c TEXI DOCSTRING MAGIC: proof-goto-command-end @deffn Command proof-goto-command-end Set point to end of command at point. @end deffn @vindex proof-terminal-char The variable @code{proof-terminal-char} is a prover-specific character to terminate proof commands. LEGO and Isabelle use a semicolon, @samp{;}. Coq employs a full-stop @samp{.}. @c TEXI DOCSTRING MAGIC: proof-goto-end-of-locked @deffn Command proof-goto-end-of-locked &optional switch Jump to the end of the locked region, maybe switching to script buffer.@* If interactive or @var{switch} is non-nil, switch to script buffer first. @end deffn During the course of a large proof, it may be useful to copy previous commands. As you move the mouse over previous portions of the script, you'll notice that each proof command is highlighted individually. (Once a goal...save sequence is ``closed'', the whole sequence is highlighted). There is a useful mouse binding for copying the highlighted command under the mouse: @kindex C-button1 @table @kbd @item C-button1 @code{proof-mouse-track-insert} @end table @c TEXI DOCSTRING MAGIC: proof-mouse-track-insert @deffn Command proof-mouse-track-insert event Copy highlighted command under the mouse to point. Ignore comments.@* If there is no command under the mouse, behaves like @code{mouse-track-insert}. @end deffn Read the documentation in Emacs to find out about the normal behaviour of @code{proof-mouse-track-insert}, if you don't already know what it does. @node Script processing commands @section Script processing commands @kindex C-c C-n @kindex C-c C-u @kindex C-c C-BS @kindex C-c C-b @kindex C-c C-r @kindex C-c C-RET @cindex prefix argument Here are the commands for asserting and retracting portions of the proof script, together with their default key-bindings. Sometimes assertion and retraction commands can only be issued when the queue is empty. You will get an error message @code{Proof Process Busy!} if you try to assert or retract when the queue is being processed.@footnote{In fact, this is an unnecessary restriction imposed by the original design of Proof General. There is nothing to stop future versions of Proof General allowing the queue region to be extended or shrunk, whilst the prover is processing it. Proof General 3.0 already relaxes the original design, by allowing successive assertion commands without complaining.} @table @kbd @item C-c C-n @code{proof-assert-next-command-interactive} @item C-c C-u @code{proof-undo-last-successful-command} @item C-c C-BS @code{proof-undo-and-delete-successful-command} @item C-c C-RET @code{proof-goto-point} @item C-c C-b @code{proof-process-buffer} @item C-c C-r @code{proof-retract-buffer} @item C-c @var{terminator-character} @code{proof-electric-terminator-toggle} @end table The last command, @code{proof-electric-terminator-toggle}, is triggered using the character which terminates proof commands for your proof assistant's script language. For LEGO and Isabelle, use @kbd{C-c ;}, for Coq, use @kbd{C-c .}. This not really a script processing command. Instead, if enabled, it causes subsequent key presses of @kbd{;} or @kbd{.} to automatically activate @code{proof-assert-next-command-interactive} for convenience. Rather than use a file command inside the proof assistant to read a proof script, a good reason to use @kbd{C-c C-b} (@code{proof-process-buffer}) is that with a faulty proof script (e.g., a script you are adapting to prove a different theorem), Proof General will stop exactly where the proof script fails, showing you the error message and the last processed command. So you can easily continue development from exactly the right place in the script. Here is the full set of script processing commands. @c TEXI DOCSTRING MAGIC: proof-assert-next-command-interactive @deffn Command proof-assert-next-command-interactive Process until the end of the next unprocessed command after point.@* If inside a comment, just process until the start of the comment. @end deffn @c TEXI DOCSTRING MAGIC: proof-undo-last-successful-command @deffn Command proof-undo-last-successful-command Undo last successful command at end of locked region. @end deffn @c TEXI DOCSTRING MAGIC: proof-undo-and-delete-last-successful-command @deffn Command proof-undo-and-delete-last-successful-command Undo and delete last successful command at end of locked region.@* Useful if you typed completely the wrong command. Also handy for proof by pointing, in case the last proof-by-pointing command took the proof in a direction you don't like. Notice that the deleted command is put into the Emacs kill ring, so you can use the usual @samp{yank} and similar commands to retrieve the deleted text. @end deffn @c TEXI DOCSTRING MAGIC: proof-goto-point @deffn Command proof-goto-point Assert or retract to the command at current position.@* Calls @code{proof-assert-until-point} or @code{proof-retract-until-point} as appropriate. @end deffn @c TEXI DOCSTRING MAGIC: proof-process-buffer @deffn Command proof-process-buffer Process the current buffer, and maybe move point to the end. @end deffn @c TEXI DOCSTRING MAGIC: proof-retract-buffer @deffn Command proof-retract-buffer Retract the current buffer, and maybe move point to the start. @end deffn @c TEXI DOCSTRING MAGIC: proof-electric-terminator-toggle @deffn Command proof-electric-terminator-toggle arg Toggle @samp{@code{proof-electric-terminator-enable}}. With @var{arg}, turn on iff ARG>0.@* This function simply uses @code{customize-set-variable} to set the variable. It was constructed with @samp{@code{proof-deftoggle-fn}}. @end deffn @c TEXI DOCSTRING MAGIC: proof-assert-until-point-interactive @deffn Command proof-assert-until-point-interactive Process the region from the end of the locked-region until point.@* Default action if inside a comment is just process as far as the start of the comment. @end deffn @c TEXI DOCSTRING MAGIC: proof-retract-until-point-interactive @deffn Command proof-retract-until-point-interactive &optional delete-region Tell the proof process to retract until point.@* If invoked outside a locked region, undo the last successfully processed command. If called with a prefix argument (@var{delete-region} non-nil), also delete the retracted region from the proof-script. @end deffn As experienced Emacs users will know, a @i{prefix argument} is a numeric argument supplied by some key sequence typed before a command key sequence. You can supply a specific number by typing @key{Meta} with the digits, or a ``universal'' prefix of @kbd{C-u}. See @inforef{Arguments, ,(xemacs)} for more details. Several Proof General commands, like @code{proof-retract-until-point-interactive}, may accept a @i{prefix argument} to adjust their behaviour somehow. @node Proof assistant commands @section Proof assistant commands @kindex C-c C-p @kindex C-c C-h @kindex C-c C-c @kindex C-c C-v @kindex C-c C-f @kindex C-c C-t There are several commands for interacting with the proof assistant away from a proof script. Here are the key-bindings and functions. @table @kbd @item C-c C-l @code{proof-display-some-buffers} @item C-c C-p @code{proof-prf} @item C-c C-t @code{proof-ctxt} @item C-c C-h @code{proof-help} @item C-c C-f @code{proof-find-theorems} @item C-c C-c @code{proof-interrupt-process} @item C-c C-v @code{proof-minibuffer-cmd} @end table @c TEXI DOCSTRING MAGIC: proof-display-some-buffers @deffn Command proof-display-some-buffers Display the reponse buffer, and maybe also the goals buffer.@* If in three window or multiple frame mode, the goals buffer is also displayed. @end deffn @c TEXI DOCSTRING MAGIC: proof-prf @deffn Command proof-prf Show the current proof state.@* Issues a command to the assistant based on @code{proof-showproof-command}. @end deffn @c TEXI DOCSTRING MAGIC: proof-ctxt @deffn Command proof-ctxt Show the current context.@* Issues a command to the assistant based on @code{proof-context-command}. @end deffn @c TEXI DOCSTRING MAGIC: proof-help @deffn Command proof-help Show a help or information message from the proof assistant.@* Typically, a list of syntax of commands available. Issues a command to the assistant based on @code{proof-info-command}. @end deffn @c TEXI DOCSTRING MAGIC: proof-find-theorems @deffn Command proof-find-theorems arg Search for items containing given constants.@* Issues a command based on @var{arg} to the assistant, using @code{proof-find-theorems-command}. The user is prompted for an argument. @end deffn @c TEXI DOCSTRING MAGIC: proof-interrupt-process @deffn Command proof-interrupt-process Interrupt the proof assistant. Warning! This may confuse Proof General.@* This sends an interrupt signal to the proof assistant, if Proof General thinks it is busy. This command is risky because when an interrupt is trapped in the proof assistant, we don't know whether the last command succeeded or not. The assumption is that it didn't, which should be true most of the time, and all of the time if the proof assistant has a careful handling of interrupt signals. @end deffn @c TEXI DOCSTRING MAGIC: proof-minibuffer-cmd @deffn Command proof-minibuffer-cmd cmd Prompt for a command in the minibuffer and send it to proof assistant.@* The command isn't added to the locked region. If a prefix arg is given and there is a selected region, that is pasted into the command. This is handy for copying terms, etc from the script. If @samp{@code{proof-strict-state-preserving}} is set, and @samp{@code{proof-state-preserving-p}} is configured, then the latter is used as a check that the command will be safe to execute, in other words, that it won't ruin synchronization. If when applied to the command it returns false, then an error message is given. @var{warning}: this command risks spoiling synchronization if the test @samp{@code{proof-state-preserving-p}} is not configured, if it is only an approximate test, or if @samp{@code{proof-strict-state-preserving}} is off (nil). @end deffn As if the last two commands weren't risky enough, there's also a command which explicitly adjusts the end of the locked region, to be used in extreme circumstances only. @xref{Escaping script management}. There are a few commands for stopping, starting, and restarting the proof assistant process which have menu entries but no key-bindings. As with any Emacs command, you can invoke these with @kbd{M-x}. Here's a tip: if you accidently kill one of the Proof General special buffers (goals or response), exiting the proof assistant and restarting it will solve the problem. @c TEXI DOCSTRING MAGIC: proof-shell-start @deffn Command proof-shell-start Initialise a shell-like buffer for a proof assistant. Also generates goal and response buffers. Does nothing if proof assistant is already running. @end deffn @c TEXI DOCSTRING MAGIC: proof-shell-restart @deffn Command proof-shell-restart Clear script buffers and send @code{proof-shell-restart-cmd}.@* All locked regions are cleared and the active scripting buffer deactivated. If the proof shell is busy, an interrupt is sent with @code{proof-interrupt-process} and we wait until the process is ready. The restart command should re-synchronize Proof General with the proof assistant, without actually exiting and restarting the proof assistant process. It is up to the proof assistant how much context is cleared: for example, theories already loaded may be "cached" in some way, so that loading them the next time round only performs a re-linking operation, not full re-processing. (One way of caching is via object files, used by Lego and Coq). @end deffn @c TEXI DOCSTRING MAGIC: proof-shell-exit @deffn Command proof-shell-exit Query the user and exit the proof process. This simply kills the @code{proof-shell-buffer} relying on the hook function @code{proof-shell-kill-function} to do the hard work. @end deffn @node Toolbar commands @section Toolbar commands The toolbar provides a selection of functions for asserting and retracting portions of the script, issuing non-scripting commands, and inserting "goal" and "save" type commands. The latter functions are not available on keys, but are available from the from the menu, or via @kbd{M-x}, as well as the toolbar. @c TEXI DOCSTRING MAGIC: proof-issue-goal @deffn Command proof-issue-goal arg Write a goal command in the script, prompting for the goal.@* Issues a command based on @var{arg} to the assistant, using @code{proof-goal-command}. The user is prompted for an argument. @end deffn @c TEXI DOCSTRING MAGIC: proof-issue-save @deffn Command proof-issue-save arg Write a save/qed command in the script, prompting for the theorem name.@* Issues a command based on @var{arg} to the assistant, using @code{proof-save-command}. The user is prompted for an argument. @end deffn @c @c CHAPTER: Proof by Pointing @c @node Proof by Pointing @chapter Proof by Pointing This chapter describes what you can do from inside the goals buffer, providing support for these features exists for your proof assistant. As of Proof General 3.0, it only exists for LEGO. If you would like to see proof by pointing support for Proof General in another proof assistant, please petition the developers of that proof assistant to provide it! @menu * Goals buffer commands:: @end menu @node Goals buffer commands @section Goals buffer commands When you are developing a proof, the input focus (Emacs cursor) is usually on the script buffer. Therefore Proof General binds mouse buttons for commands in the goals buffer, to avoid the need to move the cursor between buffers. The mouse bindings are these: @table @kbd @item button2 @code{pbp-button-action} @item C-button2 @code{proof-undo-and-delete-last-successful-command} @item button3 @code{pbp-yank-subterm} @end table Where @kbd{button2} indicates the middle mouse button, and @kbd{button3} indicates the right hand mouse button. The idea is that you can automatically construct parts of a proof by clicking. Using the middle mouse button asks the proof assistant to try to do a step in the proof, based on where you click. If you don't like the command which was inserted into the script, you can use the control key with the middle button to undo the step, and delete it from your script. Note that proof-by-pointing may construct several commands in one go. These are sent back to the proof assistant altogether and appear as a single step in the proof script. However, if the proof is later replayed (without using PBP), the proof-by-pointing constructions will be considered as separate proof commands, as usual. @c TEXI DOCSTRING MAGIC: pbp-button-action @deffn Command pbp-button-action event Construct a proof-by-pointing command based on the mouse-click @var{event}.@* This function should be bound to a mouse button in the Proof General goals buffer. The @var{event} is used to find the smallest subterm around a point. A position code for the subterm is sent to the proof assistant, to ask it to construct an appropriate proof command. The command which is constructed will be inserted at the end of the locked region in the proof script buffer, and immediately sent back to the proof assistant. If it succeeds, the locked region will be extended to cover the proof-by-pointing command, just as for any proof command the user types by hand. @end deffn Proof-by-pointing uses markup describing the term structure of the concrete syntax output by the proof assistant. This markup is useful in itself: it allows you to explore the structure of a term using the mouse (the smallest subexpression that the mouse is over is highlighted), and easily copy subterms from the output to a proof script. The right-hand mouse button provides this convenient way to copy subterms from the goals buffer, using the function @code{pbp-yank-subterm}. @c TEXI DOCSTRING MAGIC: pbp-yank-subterm @deffn Command pbp-yank-subterm event Copy the subterm indicated by the mouse-click @var{event}.@* This function should be bound to a mouse button in the Proof General goals buffer. The @var{event} is used to find the smallest subterm around a point. The subterm is copied to the @code{kill-ring}, and immediately yanked (copied) into the current buffer at the current cursor position. In case the current buffer is the goals buffer itself, the yank is not performed. Then the subterm can be retrieved later by an explicit yank. @end deffn @c Proof General expects to parse @c term-structure annotations on the output syntax of the prover. @c It uses these to construct a message to the prover indicating @c where the user has clicked, and the proof assistant can @c response with a suggested tactic. @c @c CHAPTER: Advanced Script Management @c @node Advanced Script Management @chapter Advanced Script Management @cindex Multiple Files If you are working with large proof developments, you may want to know about the advanced script management features of Proof General covered in this chapter. Large proof developments are typically spread across various files which depend on each other in some way. Proof General knows enough about the dependencies to allow script management across multiple files. With large developments particularly, users may occasionally need to escape from script management, in case Proof General loses synchronization with the proof assistant. Proof General provides you with several escape mechanisms if you want to do this. @menu * Switching between proof scripts:: * View of processed files :: * Retracting across files:: * Asserting across files:: * Automatic multiple file handling:: * Escaping script management:: @end menu @node Switching between proof scripts @section Switching between proof scripts @cindex Switching between proof scripts Basic modularity in large proof developments can be achieved by splitting proof scripts across various files. Let's assume that you are in the middle of a proof development. You are working on a soundness proof of Hoare Logic in a file called@footnote{The suffix may depend of the specific proof assistant you are using e.g, LEGO's proof script files have to end with @file{.l}.} @file{HSound.l}. It depends on a number of other files which develop underlying concepts e.g. syntax and semantics of expressions, assertions, imperative programs. You notice that the current lemma is too difficult to prove because you have forgotten to prove some more basic properties about determinism of the programming language. Or perhaps a previous definition is too cumbersome or even wrong. At this stage, you would like to visit the appropriate file, say @file{sos.l} and retract to where changes are required. Then, using script management, you want to develop some more basic theory in @file{sos.l}. Once this task has been completed (possibly involving retraction across even earlier files) and the new development has been asserted, you want to switch back to @file{HSound.l} and replay to the point you got stuck previously. Some hours (or days) later you have completed the soundness proof and are ready to tackle new challenges. Perhaps, you want to prove a property that builds on soundness or you want to prove an orthogonal property such as completeness. Proof General lets you do all of this while maintaining the consistency between proof script buffers and the state of the proof assistant. However, you cannot have more than one buffer where only a fraction of the proof script contains a locked region. Before you can employ script management in another proof script buffer, you must either fully assert or retract the current script buffer. @node View of processed files @section View of processed files Proof General tries to be aware of all files that the proof assistant has processed or is currently processing. In the best case, it relies on the proof assistant explicitly telling it whenever it processes a new file which corresponds@footnote{For example, LEGO generates additional compiled (optimised) proof script files for efficiency.} to a file containing a proof script. If the current proof script buffer depends on background material from other files, proof assistants typically process these files automatically. If you visit such a file, the whole file is locked as having been processed in a single step. From the user's point of view, you can only retract but not assert in this buffer. Furthermore, retraction is only possible to the @emph{beginning} of the buffer. @c This isn't strictly true, is it? We lock off buffers atomically, @c but spans in them to start with stay there. (Only meaningful @c for reading currently active scripting file) Unlike a script buffer that has been processed step-by-step via Proof General, automatically loaded script buffers do not pass through a ``red'' phase to indicate that they are currently being processed. This is a limitation of the present implementation. Proof General locks a buffer as soon as it sees the appropriate message from the proof assistant. Different proof assistants may use different messages: either @emph{early locking} when processing a file begins (e.g. LEGO) or @emph{late locking} when processing a file ends (e.g. Isabelle). With @emph{early locking}, you may find that a script which has only been partly processed (due to an error or interrupt, for example), is wrongly completely locked by Proof General. Visit the file and retract back to the start to fix this. With @emph{late locking}, there is the chance that you can break synchronization by editing a file as it is being read by the proof assistant, and saving it before processing finishes. In fact, there is a general problem of editing files which may be processed by the proof assistant automatically. Synchronization can be broken whenever you have unsaved changes in a proof script buffer and the proof assistant processes the corresponding file. (Of course, this problem is familiar from program development using separate editors and compilers). The good news is that Proof General can detect the problem and flashes up a warning in the response buffer. You can then visit the modified buffer, save it and retract to the beginning. Then you are back on track. @c only true for LEGO! @c If the proof assistant is not happy with the script and @c complains with an error message, the buffer will still be marked as @c having been completely processed. Sorry. You need to visit the @c troublesome file, retract (which will always retract to the beginning of @c the file) and debug the problem e.g., by asserting all of the buffer @c under the supervision of Proof General, see @ref{Script processing @c commands}. @node Retracting across files @section Retracting across files @cindex Retraction Make sure that the current script buffer has either been completely asserted or retracted (Proof General enforces this). Then you can retract proof scripts in a different file. Simply visit a file that has been processed earlier and retract in it, using the retraction commands from @pxref{Script processing commands}. Apart from removing parts of the locked region in this buffer, all files which depend on it will be retracted (and thus unlocked) automatically. Proof General reminds you that now is a good time to save any unmodified buffers. @node Asserting across files @section Asserting across files @cindex Assertion Make sure that the current script buffer has either been completely asserted or retracted. Then you can assert proof scripts in a different file. Simply visit a file that contains no locked region and assert some command with the usual assertion commands, @pxref{Script processing commands}. Proof General reminds you that now is a good time to save any unmodified buffers. This is particularly useful as assertion may cause the proof assistant to automatically process other files. @node Automatic multiple file handling @section Automatic multiple file handling To make it easier to adapt Proof General for a proof assistant, there is another possibility for multiple file support --- that it is provided automatically by Proof General and not integrated with the file-management system of the proof assistant. In this case, Proof General assumes that the only files processed are the ones it has sent to the proof assistant itself. Moreover, it (conservatively) assumes that there is a linear dependency between files in the order they were processed. If you only have automatic multiple file handling, you'll find that any files loaded directly by the proof assistant are @emph{not} locked when you visit them in Proof General. Moreover, if you retract a file it may retract more than is strictly necessary (because it assumes a linear dependency). For further technical details of the ways multiple file scripting is configured, see @i{Handling multiple files} in the @i{Adapting Proof General} manual. @node Escaping script management @section Escaping script management @cindex Shell Occasionally you may want to review the dialogue of the entire session with the proof assistant, or check that it hasn't done something unexpected. Experienced users may also want to directly communicate with the proof assistant rather than sending commands via the minibuffer, @pxref{Proof assistant commands}. Although the proof shell is usually hidden from view, it is run in a buffer which provides the usual full editing and history facilities of Emacs shells (see the package @file{comint.el} distributed with your version of Emacs). You can switch to it using the menu: @lisp Proof-General -> Buffers -> Shell @end lisp @b{Warning:} you can probably cause confusion by typing in the shell buffer! Proof General may lose track of the state of the proof assistant. Output from the assistant is only fully monitored when Proof General is in control of the shell. When in control, Proof General watches the output from the proof assistant to guess when a file is loaded or when a proof step is taken or undone. What happens when you type in the shell buffer directly depends on how complete the communication is between Proof General and the prover (which depends on the particular instantiation of Proof General). If synchronization is lost, you have two options to resynchronize. If you are lucky, it might suffice to use the key: @table @kbd @item C-c C-z @code{proof-frob-locked-end} @end table This command is disabled by default, to protect novices using it accidently. If @code{proof-frob-locked-end} does not work, you will need to restart script management altogether (@pxref{Proof assistant commands}). @c TEXI DOCSTRING MAGIC: proof-frob-locked-end @deffn Command proof-frob-locked-end Move the end of the locked region backwards to regain synchronization.@* Only for use by consenting adults. This command can be used to repair synchronization in case something goes wrong and you want to tell Proof General that the proof assistant has processed less of your script than Proof General thinks. You should only use it to move the locked region to the end of a proof command. @end deffn @node Support for other Packages @chapter Support for other Packages Proof General makes some configuration for other Emacs packages which provide various useful facilities that can make your editing more effective. Sometimes this configuration is purely at the proof assistant specific level (and so not necessarily available), and sometimes it is made using Proof General settings. When adding support for a new proof assistant, we suggest that these other packages are supported, as a convention. The packages currently supported are @code{font-lock}, @code{x-symbol}, @code{func-menu}, @code{outline-mode}, @code{completion}, and @code{etags}. @menu * Syntax highlighting:: * X-Symbol support:: * Support for function menus:: * Support for outline mode:: * Support for completion:: * Support for tags:: @end menu @node Syntax highlighting @section Syntax highlighting @vindex lego-mode-hooks @vindex coq-mode-hooks @vindex isa-mode-hooks @cindex font lock @cindex colour @c Proof General specifics Proof script buffers are decorated (or @i{fontified}) with colours, bold and italic fonts, etc, according to the syntax of the proof language and the settings for @code{font-lock-keywords} made by the proof assistant specific portion of Proof General. Moreover, Proof General usually decorates the output from the proof assistant, also using @code{font-lock}. In XEmacs, fontification is automatically turned on. To automatically switch on fontification in FSF GNU Emacs 20.4, you may need to engage @code{M-x global-font-lock-mode}. The old mechanism of adding hooks to the mode hooks (@code{lego-mode-hooks}, @code{coq-mode-hooks}, etc) is no longer recommended; it should not be needed in latest Emacs versions which have more flexible customization. Fontification for output is controlled by a separate switch in Proof General. Set @code{proof-output-fontify-enable} to @code{nil} if you don't want the output from your proof assistant to be fontified according to the setting of @code{font-lock-keywords} in the proof assistant specific portion of Proof General. @xref{User options}. By the way, the choice of colour, font, etc, for each kind of markup is fully customizable in Proof General. Each @emph{face} (Emacs terminology) controlled by its own customization setting. You can display a list of all of them using the customize menu: @lisp Proof General -> Customize -> Faces -> Proof Faces. @end lisp @node X-Symbol support @section X-Symbol support @cindex real symbols @cindex X-Symbols @cindex Greek letters @cindex logical symbols @cindex mathematical symbols The X-Symbol package displays characters from a variety of fonts in Emacs buffers, automatically converting between codes for special characters and @i{tokens} which are character sequences stored in files. Proof General uses X-Symbol to allow interaction between the user and the proof assistant to use tokens, yet appear to be using special characters. So proof scripts and proofs can be processed with real mathematical symbols, Greek letters, etc. You will be able to enable X-Symbol support if you have installed the X-Symbol package and support has been provided in Proof General for a token language for your proof assistant. The X-Symbol package is available from @uref{http://www.fmi.uni-passau.de/~wedler/x-symbol/}. Notice that for proper symbol support, the proof assistant needs to have a special @i{token language}, or a special character set, to use symbols. In this case, the proof assistant will output, and accept as input, tokens like @code{\longrightarrow}, which display as the corresponding symbols. However, for proof assistants which do not have such token support, we can use "fake" symbol support quite effectively, displaying ordinary character sequences such as @code{-->} with symbols. The only problem with this hack is that it can cause surprising results, when you really want character sequences instead of, for example, Greek letters! @c @xref{Configuring X-Symbol}, for notes about how to configure @c a proof assistant to use X-Symbol in Proof General. @node Support for function menus @section Support for function menus @vindex proof-goal-with-hole-regexp @cindex func-menu @cindex fume-func The Emacs package @code{func-menu} (formerly called @code{fume-func}) is a handy facility to make a menu from the names of entities declared in a buffer. Proof General configures @code{func-menu} so that you can quickly jump to particular proofs in a script buffer. (This is done with the configuration variables @code{proof-goal-with-hole-regexp} and @code{proof-save-with-hole-regexp}.) @c , @pxref{Proof script mode} for further details. If you want to use function menu, you can simply select "Function menu" from the Proof General menu, or type @kbd{M-x function-menu}. Although the package is distributed with XEmacs, it is not enabled by default every time you visit a buffer. To enable it by default (i.e. avoid typing @code{M-x function-menu}), you should find the file @file{func-menu.el} and follow the instructions there. FSF Emacs 20.4 does not have the function menu library built in, but you may be able to download it from the elisp archives. A similar mode which is supported is @code{imenu}, also in XEmacs. Proof General would be grateful if anyone can send patches for using @code{imenu} as an alternative to function menu. @node Support for outline mode @section Support for outline mode @cindex outline mode Proof General configures Emacs variables (@code{outline-regexp} and @code{outline-heading-end-regexp}) so that outline minor mode can be used on proof script files. The headings taken for outlining are the "goal" statements at the start of goal-save sequences, @pxref{Goal-save sequences}. If you want to use @code{outline} to hide parts of the proof script in the @emph{locked} region, you need to disable @code{proof-strict-read-only}. Use @kbd{M-x outline-minor-mode} to turn on outline minor mode. Functions for navigating, hiding, and revealing the proof script are available in menus. See @inforef{Outline Mode, ,(xemacs)} for more information about outline mode. @node Support for completion @section Support for completion @cindex completion You might find the @emph{completion} facility of Emacs useful when you're using Proof General. The key @kbd{C-RET} is defined to invoke the @code{complete} command. Pressing @kbd{C-RET} cycles through completions displaying hints in the minibuffer. Completions are filled in according to what has been recently typed, from a database of symbols. The database is automatically saved at the end of a session. Proof General has the additional facility for setting a completion table for each supported proof assistant, which gets loaded into the completion database automatically. Ideally the completion table would be set from the running process according to the identifiers available are within the particular context of a script file. But until this is available, this table may be set to contain a number of standard identifiers available for your proof assistant. The setting @code{@emph{PA}-completion-table} holds the list of identifiers for a proof assistant. The function @code{proof-add-completions} adds these into the completion database. @c TEXI DOCSTRING MAGIC: PA-completion-table @defvar PA-completion-table List of identifiers to use for completion for this proof assistant.@* Completion is activated with C-return. If this table is empty or needs adjusting, please make changes using @samp{@code{customize-variable}} and send suggestions to proofgen@@dcs.ed.ac.uk. @end defvar The completion facility uses a library @file{completion.el} which usually ships with XEmacs and FSF Emacs, and supplies the @code{complete} function. @c FIXME: edited from default. @c NOT DOCSTRING MAGIC: complete @deffn Command complete Fill out a completion of the word before point. @* Point is left at end. Consecutive calls rotate through all possibilities. Prefix args: @table @kbd @item C-u leave point at the beginning of the completion, not the end. @item a number rotate through the possible completions by that amount @item 0 same as -1 (insert previous completion) @end table See the comments at the top of @samp{completion.el} for more info. @end deffn @node Support for tags @section Support for tags @cindex tags An Emacs "tags table" is a description of how a multi-file system is broken up into files. It lists the names of the component files and the names and positions of the functions (or other named subunits) in each file. Grouping the related files makes it possible to search or replace through all the files with one command. Recording the function names and positions makes possible the @kbd{M-.} command which finds the definition of a function by looking up which of the files it is in. Some instantiations of Proof General (currently LEGO and Coq) are supplied with external programs (@file{legotags} and @file{coqtags}) for making tags tables. For example, invoking @samp{coqtags *.v} produces a file @file{TAGS} for all files @samp{*.v} in the current directory. Invoking @samp{coqtags `find . -name \*.v`} produces a file @file{TAGS} for all files ending in @samp{.v} in the current directory structure. Once a tag table has been made for your proof developments, you can use the Emacs tags mechanisms to find tags, and complete symbols from tags table. One useful key-binding you might want to make is to set the usual tags completion key @kbd{M-tab} to run @code{tag-complete-symbol} to use completion from names in the tag table. To set this binding in Proof General script buffers, put this code in your @file{.emacs} file: @lisp (add-hook 'proof-mode-hook (lambda () (local-set-key '(meta tab) 'tag-complete-symbol))) @end lisp Since this key-binding interferes with a default binding that users may already have customized (or may be taken by the window manager), Proof General doesn't do this automatically. Apart from completion, there are several other operations on tags. One common one is replacing identifiers across all files using @code{tags-query-replace}. For more information on how to use tags, @inforef{Tags, ,(xemacs)}. To use tags for completion at the same time as the completion mechanism mentioned already, you can use the command @kbd{M-x add-completions-from-tags-table}. @c TEXI DOCSTRING MAGIC: add-completions-from-tags-table @deffn Command add-completions-from-tags-table Add completions from the current tags table. @end deffn @node Hints and Tips @chapter Hints and Tips Apart from the packages officially supported in Proof General, many. many other features of Emacs are useful when using Proof General, even though they need no specific configuration for Proof General. It is worth taking a bit of time to explore the Emacs manual to find out about them. Here we provide some hints and tips for a couple of Emacs features which users have found valuable with Proof General. Further contributions to this chapter are welcomed! @menu * Using file variables:: * Using abbreviations:: @end menu @node Using file variables @section Using file variables @cindex file variables A very convenient way to customize file-specific variables is to use the File Variables (@inforef{File Variables, ,xemacs}). This feature of Emacs allows to specify the values to use for certain Emacs variables when a file is loaded. Those values are written as a list at the end of the file. For example, in projects involving multiple directories, it is often useful to set the variables @code{proof-prog-name} and @code{compile-command} for each file. Here is an example for Coq users: for the file @file{.../dir/bar/foo.v}, if you want Coq to be started with the path @code{.../dir/theories/} added in the libraries path (@code{"-I"} option), you can put at the end of @file{foo.v}: @lisp (* Local Variables: coq-prog-name: "coqtop -emacs -full -I ../theories" End: *) @end lisp That way the good command is called when the scripting starts in @file{foo.v}. Notice that the command argument @code{"-I ../theories"} is specific to the file @file{foo.v}, and thus if you set it via the configuration tool, you will need to do it each time you load this file. On the contrary with this method, Emacs will do this operation automatically. Extending the previous example, if the makefile for @file{foo.v} is located in directory @file{.../dir/}, you can add the right compile command: @lisp (* Local Variables: coq-prog-name: "coqtop -emacs -full -I ../theories" compile-command: "make -C .. -k bar/foo.vo" End: *) @end lisp And then the right call to make will be done if you use the @kbd{M-x compile} command. Notice that the lines are commented in order to be ignored by the proof assistant. It is possible to use this mechanism for any other buffer local variable. @inforef{File Variables, ,xemacs}. @node Using abbreviations @section Using abbreviations A very useful package of Emacs supports automatic expansions of abbreviations as you type, @inforef{Abbrevs, ,(xemacs)}. Proof General has no special support for abbreviations, we just mention it here to encourage its use. For example, the proof assistant Coq has many command strings that are long, such as ``Reflexivity,'' ``Inductive,'' ``Definition'' and ``Discriminate.'' Here is the Coq Proof General author's suggested abbreviations for Coq: @lisp "assn" 0 "Assumption" "ax" 0 "Axiom" "coern" 0 "Coercion" "cofixpt" 0 "CoFixpt" "coindv" 0 "CoInductive" "constr" 0 "Constructor" "contradn" 0 "Contradiction" "defn" 0 "Definition" "discr" 0 "Discriminate" "extrn" 0 "Extraction" "fixpt" 0 "Fixpoint" "genz" 0 "Generalize" "hypo" 0 "Hypothesis" "immed" 0 "Immediate" "indn" 0 "Induction" "indv" 0 "Inductive" "injn" 0 "Injection" "intn" 0 "Intuition" "invn" 0 "Inversion" "pmtr" 0 "Parameter" "refly" 0 "Reflexivity" "rmk" 0 "Remark" "specz" 0 "Specialize" "symy" 0 "Symmetry" "thm" 0 "Theorem" "transpt" 0 "Transparent" "transy" 0 "Transitivity" "trivial" 0 "Trivial" "varl" 0 "Variable" @end lisp The above list was taken from the file that Emacs saves between sessions. The easiest way to configure abbreviations is as you write, by using the key presses @kbd{C-x a g} (@code{add-global-abbrev}) or @kbd{C-x a i g} (@code{inverse-add-global-abbrev}). To enable expansion of abbreviations, the @code{Abbrev} minor mode, type @kbd{M-x abbrev-mode RET}. See the Emacs manual for more details. @node Customizing Proof General @chapter Customizing Proof General @cindex Customization There are two ways of customizing Proof General: it can be customized for a user's preferences using a particular proof assistant, or it can be customized by a developer to add support for a new proof assistant. The latter kind of customization we call instantiation, or @emph{adapting}. See the @i{Adapting Proof General} manual for how to do this. Here we cover the user-level customization for Proof General. There are two kinds of user-level settings in Proof General: @itemize @bullet @item Settings that apply @emph{globally} to all proof assistants. @item those that can be adjusted for each proof assistant @emph{individually}. @end itemize The first sort have names beginning with @code{proof-}. The second sort have names which begin with a symbol corresponding to the proof assistant: for example, @code{isa-}, @code{coq-}, etc. The symbol is the root of the mode name. @xref{Quick start guide}, for a table of the supported modes. To stand for an arbitrary proof assistant, we write @code{@emph{PA}-} for these names. In this chapter we only consider the generic settings: ones which apply to all proof assistants (globally or individually). The support for a particular proof assistant may provide extra individual customization settings not available in other proof assistants. See the chapters covering each assistant for details of those settings. @menu * Basic options:: * How to customize:: * Display customization:: * User options:: * Changing faces:: * Tweaking configuration settings:: @end menu @node Basic options @section Basic options Proof General has some common options which you can toggle directly from the menu: @lisp Proof-General -> Options @end lisp The effect of changing one of these options will be seen immediately (or in the next proof step). The window-control options on this menu are described shortly. @xref{Display customization}. To save the current settings, use the usual Emacs save options command, for XEmacs on the menu: @lisp Options -> Save Options @end lisp or @code{M-x customize-save-customized}. The options on this sub-menu are also available in the complete user customization options group for Proof General. For this you need to know a little bit about how to customize in Emacs. @node How to customize @section How to customize @cindex Using Customize @cindex Emacs customization library Proof General uses the Emacs customization library to provide a friendly interface. You can access all the customization settings for Proof General via the menu: @lisp Proof-General -> Customize @end lisp Using the customize facility is straightforward. You can select the setting to customize via the menus, or with @code{M-x customize-variable}. When you have selected a setting, you are shown a buffer with its current value, and facility to edit it. Once you have edited it, you can use the special buttons @var{set}, @var{save} and @var{done}. You must use one of @var{set} or @var{save} to get any effect. The @var{save} button stores the setting in your @file{.emacs} file. In XEmacs, the menu item @code{Options -> Save Options} saves all settings you have edited. A technical note. In the customize menus, the variable names mentioned later in this chapter may be abbreviated --- the "@code{proof}-" or similar prefixes are omitted. Also, some of the option settings may have more descriptive names (for example, @var{on} and @var{off}) than the low-level lisp values (non-@code{nil}, @code{nil}) which are mentioned in this chapter. These features make customize rather more friendly than raw lisp. You can also access the customize settings for Proof General from other (non-script) buffers. In XEmacs, the menu path is: @lisp Options -> Customize -> Emacs -> External -> Proof General @end lisp in XEmacs. In FSF GNU Emacs, use the menu: @lisp Help -> Customize -> Top-level Customization Group @end lisp and select the @code{External} and then @code{Proof-General} groups. The complete set of customization settings will only be available after Proof General has been fully loaded. Proof General is fully loaded when you visit a script file for the first time, or if you type @kbd{M-x load-library RET proof RET}. For more help with customize, see @inforef{Easy Customization, ,xemacs}. @node Display customization @section Display customization @cindex display customization @cindex multiple windows @cindex buffer display customization @cindex frames @cindex multiple frames @cindex three-buffer interaction By default, Proof General displays two buffers during scripting, in a split window on the display. One buffer is the script buffer. The other buffer is either the goals buffer (e.g. @code{*isabelle-goals*}) or the response buffer (@code{*isabelle-response*}). Proof General switches between these last two automatically. Proof General allows several ways to customize this default display model. If your screen is large enough, you may prefer to display all three of the interaction buffers at once. This is useful, for example, to see output from the @code{proof-find-theorems} command at the same time as the subgoal list. Set the user option @code{proof-dont-switch-windows} to make Proof General keep both the goals and response buffer displayed. @c TEXI DOCSTRING MAGIC: proof-dont-switch-windows @defopt proof-dont-switch-windows Whether response and goals buffers have dedicated windows.@* If non-nil, Emacs windows displaying messages from the prover will not be switchable to display other windows. This option can help manage your display. Setting this option triggers a three-buffer mode of interaction where the goals buffer and response buffer are both displayed, rather than the two-buffer mode where they are switched between. It also prevents Emacs automatically resizing windows between proof steps. If you use several frames (the same Emacs in several windows on the screen), you can force a frame to stick to showing the goals or response buffer. For single frame use this option may be inconvenient for experienced Emacs users. The default value is @code{nil}. @end defopt Sometimes during script management, there is no response from the proof assistant to some command. In this case you might like the empty response window to be hidden so you have more room to see the proof script. The setting @code{proof-delete-empty-windows} helps you do this. @c TEXI DOCSTRING MAGIC: proof-delete-empty-windows @defopt proof-delete-empty-windows If non-nil, automatically remove windows when they are cleaned.@* For example, at the end of a proof the goals buffer window will be cleared; if this flag is set it will automatically be removed. If you want to fix the sizes of your windows you may want to set this variable to @code{'nil'} to avoid windows being deleted automatically. If you use multiple frames, only the windows in the currently selected frame will be automatically deleted. The default value is @code{nil}. @end defopt This option only has an effect when you have set @code{proof-dont-switch-windows}. If you are working on a machine with a window system, you can use Emacs to manage several @i{frames} on the display, to keep the goals buffer displayed in a fixed place on your screen and in a certain font, for example. A convenient way to do this is via the user option @c TEXI DOCSTRING MAGIC: proof-multiple-frames-enable @defopt proof-multiple-frames-enable Whether response and goals buffers have separate frames.@* If non-nil, Emacs will make separate frames (screen windows) for the goals and response buffers, by altering the Emacs variable @samp{@code{special-display-regexps}}. The default value is @code{nil}. @end defopt Multiple frames work best when @code{proof-delete-empty-windows} is off and @code{proof-dont-switch-windows} is on. @node User options @section User options @c Index entries for each option 'concept' @cindex User options @cindex Strict read-only @cindex Query program name @cindex Dedicated windows @cindex Remote host @cindex Toolbar follow mode @cindex Toolbar disabling @cindex Toolbar button enablers @cindex Proof script indentation @cindex Indentation @cindex Remote shell @cindex Running proof assistant remotely @c @cindex formatting proof script Here is the complete set of user options for Proof General, apart from the three display options mentioned above. User options can be set via the customization system already mentioned, via the old-fashioned @code{M-x edit-options} mechanism, or simply by adding @code{setq}'s to your @file{.emacs} file. The first approach is strongly recommended. Unless mentioned, all of these settings can be changed dynamically, without needing to restart Emacs to see the effect. But you must use customize to be sure that Proof General reconfigures itself properly. @c TEXI DOCSTRING MAGIC: proof-splash-enable @defopt proof-splash-enable If non-nil, display a splash screen when Proof General is loaded. The default value is @code{t}. @end defopt @c TEXI DOCSTRING MAGIC: proof-electric-terminator-enable @defopt proof-electric-terminator-enable If non-nil, use electric terminator mode.@* If electric terminator mode is enabled, pressing a terminator will automatically issue @samp{@code{proof-assert-next-command}} for convenience, to send the command straight to the proof process. If the command you want to send already has a terminator character, you don't need to delete the terminator character first. Just press the terminator somewhere nearby. Electric! The default value is @code{nil}. @end defopt @c TEXI DOCSTRING MAGIC: proof-toolbar-enable @defopt proof-toolbar-enable If non-nil, display Proof General toolbar for script buffers.@* NB: the toolbar is only available with XEmacs. The default value is @code{t}. @end defopt @c TEXI DOCSTRING MAGIC: PA-x-symbol-enable @defopt PA-x-symbol-enable Whether to use x-symbol in Proof General for this assistant.@* If you activate this variable, whether or not you really get x-symbol support depends on whether your proof assistant supports it and whether X-Symbol is installed in your Emacs. The default value is @code{nil}. @end defopt @c TEXI DOCSTRING MAGIC: proof-output-fontify-enable @defopt proof-output-fontify-enable Whether to fontify output from the proof assistant.@* If non-nil, output from the proof assistant will be highlighted in the goals and response buffers. (This is providing @code{font-lock-keywords} have been set for the buffer modes). The default value is @code{t}. @end defopt @c TEXI DOCSTRING MAGIC: proof-strict-read-only @defopt proof-strict-read-only Whether Proof General is strict about the read-only region in buffers.@* If non-nil, an error is given when an attempt is made to edit the read-only region. If nil, Proof General is more relaxed (but may give you a reprimand!). If you change @code{proof-strict-read-only} during a session, you must use the "Restart" button (or M-x @code{proof-shell-restart}) before you can see the effect in buffers. The default value for @code{proof-strict-read-only} depends on which version of Emacs you are using. In FSF Emacs, strict read only is buggy when it used in conjunction with font-lock, so it is disabled by default. The default value is @code{strict}. @end defopt @c TEXI DOCSTRING MAGIC: proof-toolbar-use-button-enablers @defopt proof-toolbar-use-button-enablers If non-nil, toolbars buttons may be enabled/disabled automatically.@* Toolbar buttons can be automatically enabled/disabled according to the context. Set this variable to nil if you don't like this feature or if you find it unreliable. Notes: * Toolbar enablers are only available with XEmacs 21 and later. * With this variable nil, buttons do nothing when they would otherwise be disabled. * If you change this variable it will only be noticed when you next start Proof General. * The default value for XEmacs built for solaris is nil, because of unreliabilities with enablers there. The default value is @code{t}. @end defopt @c This one removed: proof-auto-retract @c TEXI DOCSTRING MAGIC: proof-query-file-save-when-activating-scripting @defopt proof-query-file-save-when-activating-scripting If non-nil, query user to save files when activating scripting. Often, activating scripting or executing the first scripting command of a proof script will cause the proof assistant to load some files needed by the current proof script. If this option is non-nil, the user will be prompted to save some unsaved buffers in case any of them corresponds to a file which may be loaded by the proof assistant. You can turn this option off if the save queries are annoying, but be warned that with some proof assistants this may risk processing files which are out of date with respect to the loaded buffers! The default value is @code{t}. @end defopt @c TEXI DOCSTRING MAGIC: PA-script-indent @defopt PA-script-indent If non-nil, enable indentation code for proof scripts. The default value is @code{t}. @end defopt @c TEXI DOCSTRING MAGIC: proof-one-command-per-line @defopt proof-one-command-per-line If non-nil, format for newlines after each proof command in a script.@* This option is not fully-functional at the moment. The default value is @code{nil}. @end defopt @c TEXI DOCSTRING MAGIC: proof-prog-name-ask @defopt proof-prog-name-ask If non-nil, query user which program to run for the inferior process. The default value is @code{nil}. @end defopt @c TEXI DOCSTRING MAGIC: proof-prog-name-guess @defopt proof-prog-name-guess If non-nil, use @samp{@code{proof-guess-command-line}} to guess @code{proof-prog-name}.@* This option is compatible with @code{proof-prog-name-ask}. No effect if @code{proof-guess-command-line} is nil. The default value is @code{nil}. @end defopt @c TEXI DOCSTRING MAGIC: proof-tidy-response @defopt proof-tidy-response Non-nil indicates that the response buffer should be cleared often.@* The response buffer can be set either to accumulate output, or to clear frequently. With this variable non-nil, the response buffer is kept tidy by clearing it often, typically between successive commands (just like the goals buffer). Otherwise the response buffer will accumulate output from the prover. The default value is @code{t}. @end defopt @c TEXI DOCSTRING MAGIC: proof-show-debug-messages @defopt proof-show-debug-messages Whether to display debugging messages in the response buffer.@* If non-nil, debugging messages are displayed in the response giving information about what Proof General is doing. To avoid erasing the messages shortly after they're printed, you should set @samp{@code{proof-tidy-response}} to nil. The default value is @code{nil}. @end defopt @c ******* NON-BOOLEANS ******* @c TEXI DOCSTRING MAGIC: proof-follow-mode @defopt proof-follow-mode Choice of how point moves with script processing commands.@* One of the symbols: @code{'locked}, @code{'follow}, @code{'ignore}. If @code{'locked}, point sticks to the end of the locked region. If @code{'follow}, point moves just when needed to display the locked region end. If @code{'ignore}, point is never moved after movement commands or on errors. If you choose @code{'ignore}, you can find the end of the locked using @samp{M-x @code{proof-goto-end-of-locked}}. The default value is @code{locked}. @end defopt @c TEXI DOCSTRING MAGIC: proof-auto-action-when-deactivating-scripting @defopt proof-auto-action-when-deactivating-scripting If @code{'retract} or @code{'process}, do that when deactivating scripting. With this option set to @code{'retract} or @code{'process}, when scripting is turned off in a partly processed buffer, the buffer will be retracted or processed automatically. With this option unset (nil), the user is questioned instead. Proof General insists that only one script buffer can be partly processed: all others have to be completely processed or completely unprocessed. This is to make sure that handling of multiple files makes sense within the proof assistant. NB: A buffer is completely processed when all non-whitespace is locked (coloured blue); a buffer is completely unprocessed when there is no locked region. The default value is @code{nil}. @end defopt @c TEXI DOCSTRING MAGIC: proof-script-command-separator @defopt proof-script-command-separator String separating commands in proof scripts.@* For example, if a proof assistant prefers one command per line, then this string should be set to a newline. Otherwise it should be set to a space. The default value is @code{" "}. @end defopt @c TEXI DOCSTRING MAGIC: proof-rsh-command @defopt proof-rsh-command Shell command prefix to run a command on a remote host. @* For example, @lisp ssh bigjobs @end lisp Would cause Proof General to issue the command @samp{ssh bigjobs isabelle} to start Isabelle remotely on our large compute server called @samp{bigjobs}. The protocol used should be configured so that no user interaction (passwords, or whatever) is required to get going. The default value is @code{""}. @end defopt @node Changing faces @section Changing faces The fonts and colours that Proof General uses are configurable. If you alter faces through the customize menus (or the command @kbd{M-x customize-face}), only the particular kind of display in use (colour window system, monochrome window system, console, @dots{}) will be affected. This means you can keep separate default settings for each different display environment where you use Proof General. As well as the faces listed below, Proof General may use the regular @code{font-lock-} faces (eg @code{font-lock-keyword-face}, @code{font-lock-variable-name-face}, etc) for fontifying the proof script or proof assistant output. These can be altered to your taste just as easily, but note that changes will affect all other modes which use them! @c TEXI DOCSTRING MAGIC: proof-queue-face @deffn Face proof-queue-face Face for commands in proof script waiting to be processed. @end deffn @c TEXI DOCSTRING MAGIC: proof-locked-face @deffn Face proof-locked-face Face for locked region of proof script (processed commands). @end deffn @c TEXI DOCSTRING MAGIC: proof-error-face @deffn Face proof-error-face Face for error messages from proof assistant. @end deffn @c TEXI DOCSTRING MAGIC: proof-warning-face @deffn Face proof-warning-face Face for warning messages.@* Warning messages can come from proof assistant or from Proof General itself. @end deffn @c TEXI DOCSTRING MAGIC: proof-debug-message-face @deffn Face proof-debug-message-face Face for debugging messages from Proof General. @end deffn @c TEXI DOCSTRING MAGIC: proof-declaration-name-face @deffn Face proof-declaration-name-face Face for declaration names in proof scripts.@* Exactly what uses this face depends on the proof assistant. @end deffn @c TEXI DOCSTRING MAGIC: proof-tacticals-name-face @deffn Face proof-tacticals-name-face Face for names of tacticals in proof scripts.@* Exactly what uses this face depends on the proof assistant. @end deffn @c TEXI DOCSTRING MAGIC: proof-eager-annotation-face @deffn Face proof-eager-annotation-face Face for important messages from proof assistant. @end deffn @c Maybe this detail of explanation belongs in the internals, @c with just a hint here. The slightly bizarre name of the last face comes from the idea that while large amounts of output are being sent from the prover, some messages should be displayed to the user while the bulk of the output is hidden. The messages which are displayed may have a special annotation to help Proof General recognize them, and this is an "eager" annotation in the sense that it should be processed as soon as it is observed by Proof General. @node Tweaking configuration settings @section Tweaking configuration settings This section is a note for advanced users. Configuration settings are the per-prover customizations of Proof General. These are not intended to be adjusted by the user. But occasionally you may like to test changes to these settings to improve the way Proof General works. You may want to do this when a proof assistant has a flexible proof script language in which one can define new tactics or even operations, and you want Proof General to recognize some of these which the default settings don't mention. So please feel free to try adjusting the configuration settings and report to us if you find better default values than the ones we have provided. The configuration settings appear in the customization group @code{prover-config}, or via the menu @lisp Proof-General -> Internals -> Prover Config @end lisp One basic example of a setting you may like to tweak is: @c TEXI DOCSTRING MAGIC: proof-assistant-home-page @defvar proof-assistant-home-page Web address for information on proof assistant.@* Used for Proof General's help menu. @end defvar Most of the others are more complicated. For more details of the settings, see @i{Adapting Proof General} for full details. To browse the settings, you can look through the customization groups @code{prover-config}, @code{proof-script} and @code{proof-shell}. The group @code{proof-script} contains the configuration variables for scripting, and the group @code{proof-shell} contains those for interacting with the proof assistant. Unfortunately, although you can use the customization mechanism to set and save these variables, saving them may have no practical effect because the default settings are mostly hard-wired into the proof assistant code. Ones we expect may need changing appear as proof assistant specific configurations. For example, @code{proof-assistant-home-page} is set in the LEGO code from the value of the customization setting @code{lego-www-home-page}. At present there is no easy way to save changes to other configuration variables across sessions, other than by editing the source code. (In future versions of Proof General, we plan to make all configuration settings editable in Customize, by shadowing the settings as prover specific ones using the @code{@emph{PA}-} mechanism). @c Please contact us if this proves to be a problem for any variable. @c @c CHAPTER: LEGO Proof General @c @node LEGO Proof General @chapter LEGO Proof General @cindex LEGO Proof General LEGO proof script mode is a mode derived from proof script mode for editing LEGO scripts. An important convention is that proof script buffers @emph{must} start with a module declaration. If the proof script buffer's file name is @file{fermat.l}, then it must commence with a declaration of the form @lisp Module fermat; @end lisp If, in the development of the module @samp{fermat}, you require material from other module e.g., @samp{lib_nat} and @samp{galois}, you need to specify this dependency as part of the module declaration: @lisp Module fermat Import lib_nat galois; @end lisp No need to worry too much about efficiency. When you retract back to a module declaration to add a new import item, LEGO does not actually retract the previously imported modules. Therefore, reasserting the extended module declaration really only processes the newly imported modules. Using the LEGO Proof General, you never ever need to use administrative LEGO commands such as @samp{Forget}, @samp{ForgetMark}, @samp{KillRef}, @samp{Load}, @samp{Make}, @samp{Reload} and @samp{Undo} again @footnote{And please, don't even think of including those in your LEGO proof script!}. You can concentrate on your actual proof developments. Script management in Proof General will invoke the appropriate commands for you. Proving with LEGO has never been easier. @menu * LEGO specific commands:: * LEGO tags:: * LEGO customizations:: @end menu @node LEGO specific commands @section LEGO specific commands In addition to the commands provided by the generic Proof General (as discussed in the previous sections) the LEGO Proof General provides a few extensions. In proof scripts, there are some abbreviations for common commands: @kindex C-c i @kindex C-c I @kindex C-c R @table @kbd @item C-c C-a C-i intros @item C-c C-a C-I Intros @item C-c C-a C-R Refine @end table @node LEGO tags @section LEGO tags You might want to ask your local system administrator to tag the directories @file{lib_Prop}, @file{lib_Type} and @file{lib_TYPE} of the LEGO library. See @ref{Support for tags}, for further details on tags. @node LEGO customizations @section LEGO customizations We refer to chapter @ref{Customizing Proof General}, for an introduction to the customisation mechanism. In addition to customizations at the generic level, for LEGO you can also customize: @c TEXI DOCSTRING MAGIC: lego-tags @defopt lego-tags The directory of the @var{tags} table for the @var{lego} library The default value is @code{"/usr/lib/lego/lib_Type/"}. @end defopt @c TEXI DOCSTRING MAGIC: lego-www-home-page @defvar lego-www-home-page Lego home page URL. @end defvar @c We don't worry about the following for now. These are too obscure. @c lego-indent @c lego-test-all-name @c We also don't document any of the internal variables which have been @c set to configure the generic Proof General and which the user should @c not tamper with @node Coq Proof General @chapter Coq Proof General Coq Proof General is an instantiation of Proof General for the Coq proof assistant. It supports most of the generic features of Proof General, but does not have integrated file management or proof-by-pointing yet. @menu * Coq-specific commands:: * Editing multiple proofs:: * User-loaded tactics:: @end menu @node Coq-specific commands @section Coq-specific commands @kindex C-c I @kindex C-c a @kindex C-c s @kindex C-c e Coq Proof General supplies the following key-bindings: @table @kbd @item C-c C-a C-i Inserts ``Intros '' @item C-c C-a C-a Inserts ``Apply '' @item C-c C-a C-s Inserts ``Section '' @item C-c C-a C-e Inserts ``End .'' (this should work well with nested sections). @item C-c C-a C-o Prompts for a SearchIsos argument. @end table @node Editing multiple proofs @section Editing multiple proofs Coq allows the user to enter top-level commands while editing a proof script. For example, if the user realizes that the current proof will fail without an additional axiom, he or she can add that axiom to the system while in the middle of the proof. Similarly, the user can nest lemmas, beginning a new lemma while in the middle of an earlier one, and as the lemmas are proved or their proofs aborted they are popped off a stack. Coq Proof General supports this feature of Coq. Top-level commands entered while in a proof are promoted immediately above the outermost active proof. If new lemmas are started, Coq Proof General lets the user work on the proof of the new lemma, and when the lemma is finished the full proof of that lemma is promoted. This is supported to any nesting depth that Coq allows. @b{Special note:} this feature is disabled since version 3.0 because the implementation was unreliable. (Patches to improve the code in @file{coq.el} are welcome). @node User-loaded tactics @section User-loaded tactics Another feature that Coq allows is the extension of the grammar of the proof assistant by new tactic commands. This feature interacts with the proof script management of Proof General, because Proof General needs to know when a tactic is called that alters the proof state. Unfortunately, Coq Proof General does not currently support tactic extension in Coq. When the user tries to retract across an extended tactic in a script, the algorithm for calculating how far to undo does not recognize the extension, and so the proof buffer and Coq are not synchronized. Until this feature is incorporated into Coq Proof General, the user can use C-c C-v to resynchronize. For example, if the user does C-c C-u to move the point back past one extended tactic, he or she can type C-c C-v ``Undo 1.'' This then undoes the tactic that Proof General failed to recognize. @c Sorry, there is currently very little specific documentation written for @c Coq Proof General. If any Coq user would like to contribute, please send @c a message to @code{proofgen@@dcs.ed.ac.uk}. @c Type @kbd{C-h C-m} to get a list of all Coq specific commands and @c browse the customize menus to find out what customization @c options there are for Coq. @c @c CHAPTER: Isabelle Proof General @c @node Isabelle Proof General @chapter Isabelle Proof General @cindex Isabelle Proof General Isabelle Proof General supports all of the generic features of Proof General, including integration with Isabelle's theory loader for proper automatic multiple file handling. Isabelle Proof General includes a mode for editing theory files taken from David Aspinall's Isamode interface, see @uref{http://zermelo.dcs.ed.ac.uk/~isamode}. Detailed documentation for the theory file mode is included with @code{Isamode}, there are some notes on the special functions available and customization settings below. Note that in ``classic'' Isabelle, @file{.thy} files contain definitions and declarations for a theory, while @file{.ML} contain proof scripts. So most of Proof General's functions only make sense in @file{.ML} files, and there is no toolbar and only a short menu for @file{.thy} files. In Isabelle/Isar, on the other hand, @file{.thy} files contain proofs as well as definitions for theories, so scripting takes place there and you see the usual toolbar and scripting functions of Proof General. There is no specific documentation here for the Isabelle/Isar instance of Proof General. Check the Isar manuals shipped with Isabelle for useful information. Note that it is @b{not} possible to use both Isabelle and Isabelle/Isar modes of Proof General at the same time. To load the Isabelle/Isar instance of Proof General, you can set @code{PROOFGENERAL_ASSISTANTS=isar} in the shell before starting Emacs, to make sure ordinary Isabelle theory file mode isn't loaded instead. Another way of selecting Isar is to put a special modeline like this: @lisp (* -*- isar -*- *) @end lisp near the top of your Isar @file{.thy} files (or at least, the first file you visit). This Emacs feature overrides the default choice of mode based on the file extension. Yet another way to select Isar is to use the "interface" script to start Emacs (see the Isabelle documentation for details on that method). @menu * ML files:: * Theory files:: * General commands for Isabelle:: * Specific commands for Isabelle:: * Isabelle customizations:: @end menu @node ML files @section ML files @cindex ML files (in Isabelle) @cindex Isabelle proof scripts In Isabelle, ML files are used to hold proof scripts, as well as definitions of tactics, proof procedures, etc. So ML files are the normal domain of Proof General. But there are some things to be wary of. Proof General does not understand full ML syntax(!), so ideally you should only use Proof General's scripting commands on @file{.ML} files which contain proof commands (no ML functions, structures, etc). If you do use files with Proof General which declare functions, structures, etc, you should be okay provided your code doesn't include non top-level semi-colons (which will confuse Proof General's simplistic parser), and provided all value declarations (and other non proof-steps) occur outside proofs. This is because within proofs, Proof General considers every ML command to be a proof step which is undoable. For example, do this: @lisp structure S = struct val x = 3 val y = 4 end; @end lisp instead of this: @lisp structure S = struct val x = 3; val y = 4; end @end lisp In the second case, just the first binding in the structure body will be sent to Isabelle and Proof General will wait indefinitely. And do this: @lisp val intros1 = REPEAT (resolve_tac [impI,allI] 1); Goal "Q(x) --> (ALL x. P(x) --> P(x))"; br impI 1; by intros1; ba 1; qed "mythm"; @end lisp instead of this: @lisp Goal "Q(x) --> (ALL x. P(x) --> P(x))"; br impI 1; val intros1 = REPEAT (resolve_tac [impI,allI] 1); by intros1; ba 1; qed "mythm"; @end lisp In the last case, when you undo, Proof General wrongly considers the @code{val} declaration to be a proof step, and it will issue an @code{undo} to Isabelle to undo it. This leads to a loss of synchronization. To fix things when this happens, simply retract to some point before the @code{Goal} command and fix your script. Having ML as a top-level, Isabelle even lets you redefine the entire proof command language, which will certainly confuse Proof General! Stick to using the standard functions, tactics, and tacticals and there should be no problems. (In fact, there should be no problems provided you don't use your own "goal" or "qed" forms, which Proof General recognizes. As the example above shows, Proof General makes no attempt to recognize arbitrary tactic applications). @node Theory files @section Theory files @cindex Theory files (in Isabelle) @cindex ML files (in Isabelle) As well as locking ML files, Isabelle Proof General locks theory files when they are loaded. Theory files are always completely locked or completely unlocked, because they are processed atomically. Proof General tries to load the theory file for a @file{.ML} file automatically before you start scripting. This relies on new support especially for Proof General built into Isabelle99's theory loader. However, because scripting cannot begin until the theory is loaded, and it should not begin if an error occurs during loading the theory, Proof General @strong{blocks} waiting for the theory loader to finish. If you have a theory file which takes a long time to load, you might want to load it directly, from the @file{.thy} buffer. Extra commands are provided in theory mode for this: @c FIXME: should say something about this: @c This can cause confusion in the theory loader later, @c especially with @code{update()}. To be safe, try to use just the Proof @c General interface, and report any repeatable problems to @c @code{isabelle@dcs.ed.ac.uk}. @c Compared to Isamode's theory editing mode, some of the functions and key @c bindings for interacting with Isabelle have been removed, and two new @c functions are available. The key @kbd{C-c C-b} (@code{isa-process-thy-file}) will cause Isabelle to read the theory file being edited. This causes the file and all its children (both theory and ML files) to be read. Any top-level ML file associated with this theory file is @emph{not} read, in contrast with the @code{use_thy} command of Isabelle. The key @kbd{C-c C-u} (@code{isa-retract-thy-file}) will retract (unlock) the theory file being edited. This unlocks the file and all its children (theory and ML files); no changes occur in Isabelle itself. @c TEXI DOCSTRING MAGIC: isa-process-thy-file @deffn Command isa-process-thy-file file Process the theory file @var{file}. If interactive, use @code{buffer-file-name}. @end deffn @c TEXI DOCSTRING MAGIC: isa-retract-thy-file @deffn Command isa-retract-thy-file file Retract the theory file @var{file}. If interactive, use @code{buffer-file-name}.@* To prevent inconsistencies, scripting is deactivated before doing this. So if scripting is active in an ML file which is not completely processed, you will be asked to retract the file or process the remainder of it. @end deffn @node General commands for Isabelle @section General commands for Isabelle This section has some notes on the instantiation of the generic part of Proof General for Isabelle. (The generic part of Proof General applies to all proof assistants supported, and is described in detail in the rest of this manual). @strong{Find theorems}. This toolbar/menu command invokes a special version of @code{theorems_containing}. To give several constants, separate their names with commas. @node Specific commands for Isabelle @section Specific commands for Isabelle This section mentions some commands which are added specifically to the Isabelle Proof General instance. @cindex Switching to theory files @kindex C-c C-o In Isabelle proof script mode, @kbd{C-c C-o} (@code{thy-find-other-file}) finds and switches to the associated theory file, that is, the file with the same base name but extension @file{.thy} swapped for @file{.ML}. The same function (and key-binding) switches back to an ML file from the theory file. @c TEXI DOCSTRING MAGIC: thy-find-other-file @deffn Command thy-find-other-file &optional samewindow Find associated .ML or .thy file.@* Finds and switch to the associated ML file (when editing a theory file) or theory file (when editing an ML file). If @var{samewindow} is non-nil (interactively, with an optional argument) the other file replaces the one in the current window. @end deffn @node Isabelle customizations @section Isabelle customizations Here are some of the user options specific to Isabelle. You can set these as usual with the customization mechanism. @c TEXI DOCSTRING MAGIC: isabelle-web-page @defvar isabelle-web-page URL of web page for Isabelle. @end defvar @c @unnumberedsubsec Theory file editing customization @c TEXI DOCSTRING MAGIC: thy-use-sml-mode @defopt thy-use-sml-mode If non-nil, invoke @code{sml-mode} inside "ML" section of theory files.@* This option is left-over from Isamode. Really, it would be more useful if the script editing mode of Proof General itself could be based on @code{sml-mode}, but at the moment there is no way to do this. The default value is @code{nil}. @end defopt @c TEXI DOCSTRING MAGIC: thy-indent-level @defopt thy-indent-level Indentation level for Isabelle theory files. An integer. The default value is @code{2}. @end defopt @c TEXI DOCSTRING MAGIC: thy-sections @defvar thy-sections Names of theory file sections and their templates.@* Each item in the list is a pair of a section name and a template. A template is either a string to insert or a function. Useful functions are: @lisp @code{thy-insert-header}, @code{thy-insert-class}, @code{thy-insert-default-sort}, @code{thy-insert-const}, @code{thy-insert-rule}. @end lisp The nil template does nothing. You can add extra sections to theory files by extending this variable. @end defvar @c TEXI DOCSTRING MAGIC: thy-template @defvar thy-template Template for theory files.@* Contains a default selection of sections in a traditional order. You can use the following format characters: @samp{%t} --- replaced by theory name. @samp{%p} --- replaced by names of parents, separated by @samp{+} characters. @end defvar @c ideal for above: @c @defopt thy-template @c Template for theory files. @c Contains a default selection of sections in a traditional order. @c You can use the following format characters: @c @code{%t} -- replaced by theory name @c @code{%p} -- replaced by names of parents, separated by @code{+}'s @c @end defopt @c @c CHAPTER: HOL Proof General @c @node HOL Proof General @chapter HOL Proof General @cindex HOL Proof General HOL Proof General is a "technology demonstration" of Proof General for HOL98. This means that only a basic instantiation has been provided, and that it is not yet supported as a maintained instantiation of Proof General. HOL Proof General has basic script management support, with a little bit of decoration of scripts and output. It does not rely on a modified version of HOL, so the pattern matching may be fragile in certain cases. Support for multiple files deduces dependencies automatically, so there is no interaction with the HOL make system yet. See the @file{example.sml} file for a demonstration proof script which works with Proof General. Note that HOL proof scripts often use batch-oriented single step tactic proofs, but Proof General does not (yet) offer an easy way to edit these kind of proofs. They will replay simply as a single step proof and you will need to convert from the interactive to batch form as usual if you wish to obtain batch proofs. Also note that Proof General does not contain an SML parser, so there can be problems if you write complex ML in proof scripts. @xref{ML files}, for the same issue with Isabelle. HOL Proof General may work with variants of HOL other than HOL98, but is untested. Probably a few of the settings would need to be changed in a simple way, to cope with small differences in output between the systems. (Please let us know if you modify the HOL98 version for another variant of HOL). Hopefully somebody from the HOL community is willing to adopt HOL Proof General and support and improve it. Please volunteer! It needn't be a large or heavy committment. @c @c @c APPENDIX: Obtaining and Installing @c @c @node Obtaining and Installing @appendix Obtaining and Installing Proof General has its own @uref{http://zermelo.dcs.ed.ac.uk/home/proofgen,home page} hosted at Edinburgh. Visit this page for the latest news! STOP PRESS: the Proof General web pages are temporarily being hosted at @uref{zermelo.dcs.ed.ac.uk}. The canonical address used to be @uref{www.dcs.ed.ac.uk}, and it may one day revert to this. @menu * Obtaining Proof General:: * Installing Proof General from tarball:: * Installing Proof General from RPM package:: * Setting the names of binaries:: * Notes for syssies:: @end menu @node Obtaining Proof General @section Obtaining Proof General You can obtain Proof General from the URL @example @uref{http://zermelo.dcs.ed.ac.uk/home/proofgen}. @end example The distribution is available in three forms @itemize @bullet @item A source tarball, @* @uref{http://zermelo.dcs.ed.ac.uk/home/proofgen/ProofGeneral-devel-latest.tar.gz} @item A Linux RPM package (for any architecture), @* @uref{http://zermelo.dcs.ed.ac.uk/home/proofgen/ProofGeneral-latest.noarch.rpm} @item A developer's tarball, @* @uref{http://zermelo.dcs.ed.ac.uk/home/proofgen/ProofGeneral-devel-latest.tar.gz} @end itemize Both the source tarball and the RPM package include the generic elisp code, code for LEGO, Coq, and Isabelle, installation instructions (reproduced below) and this documentation. The developer's tarball contains our full source tree, including all of the elisp and documentation, along with our low-level list of things to do, sources for the images, some make files used to generate the release itself from our CVS repository, and some test files. Developers interested in accessing our CVS repository directly should contact @code{proofgen@@dcs.ed.ac.uk}. @c was Installing Proof General from @file{.tar.gz} @node Installing Proof General from tarball @section Installing Proof General from tarball Copy the distribution to some directory @var{mydir}. Unpack it there. For example: @example # cd @var{mydir} # gunzip ProofGeneral-@var{version}.tar.gz # tar -xpf ProofGeneral-@var{version}.tar @end example If you downloaded the version called @var{latest}, you'll find it unpacks to a numeric version number. Proof General will now be in some subdirectory of @var{mydir}. The name of the subdirectory will depend on the version number of Proof General. For example, it might be @file{ProofGeneral-2.0}. It's convenient to link it to a fixed name: @example # ln -sf ProofGeneral-2.0 ProofGeneral @end example Now put this line in your @file{.emacs} file: @lisp (load-file "@var{mydir}/ProofGeneral/generic/proof-site.el") @end lisp @node Installing Proof General from RPM package @section Installing Proof General from RPM package To install an RPM package you need to be root. Then type @example # rpm -Uvh ProofGeneral-latest.noarch.rpm @end example Now add the line: @lisp (load-file "/usr/share/emacs/ProofGeneral/generic/proof-site.el") @end lisp to your @file{.emacs} or the site-wide initialisation file @file{site-start.el}. @node Setting the names of binaries @section Setting the names of binaries The @code{load-file} command you have added will load @file{proof-site} which sets the Emacs load path for Proof General and add auto-loads and modes for the supported assistants. The default names for proof assistant binaries may work on your system. If not, you will need to set the appropriate variables. The easiest way to do this (and most other customization of Proof General) is via the Customize mechanism, see the menu item: @example Proof-General -> Customize -> @var{Name of Assistant} -> Prog Name @end example The Proof-General menu is available from script buffers after Proof General is loaded. To load it manually, type @lisp M-x load-library RET proof RET @end lisp If you do not want to use customize, simply add a line like this: @lisp (setq coq-prog-name "/usr/bin/coqtop -emacs") @end lisp to your @file{.emacs} file. @node Notes for syssies @section Notes for syssies Here are some more notes for installing Proof General in more complex ways. Only attempt things in this section if you really understand what you're doing. @unnumberedsubsec Byte compilation Compilation of the Emacs lisp files improves efficiency but can sometimes cause compatibility problems, especially if you use more than one version of Emacs with the same @code{.elc} files. Furthermore, we develop Proof General with source files so may miss problems with the byte compiled versions. If you discover problems using the byte-compiled @code{.elc} files which aren't present using the source @code{.el} files, please report them to us. You can compile Proof General by typing @code{make} in the directory where you installed it. @unnumberedsubsec Site-wide installation If you are installing Proof General site-wide, you can put the components in the standard directories of the filesystem if you prefer, providing the variables in @file{proof-site.el} are adjusted accordingly (see @i{Proof General site configuration} in @i{Adapting Proof General} for more details). Make sure that the @file{generic/} and assistant-specific elisp files are kept in subdirectories (@file{coq/}, @file{isa.}, @file{lego.}) of @code{proof-home-directory} so that the autoload directory calculations are correct. To prevent every user needing to edit their own @file{.emacs} files, you can put the @code{load-file} command to load @file{proof-site.el} into @file{site-start.el} or similar. Consult the Emacs documentation for more details if you don't know where to find this file. @unnumberedsubsec Removing support for unwanted provers You cannot run more than one instance of Proof General at a time: so if you're using Coq, visiting an @file{.ML} file will not load Isabelle Proof General, and the buffer remains in fundamental mode. If there are some assistants supported that you never want to use, you can adjust the variable @code{proof-assistants} in @file{proof-site.el} to remove the extra autoloads. This is advisable in case the extensions clash with other Emacs modes, for example @code{sml-mode} for @file{.ML} files, or Verilog mode for @file{.v} files. See @i{Proof General site configuration} in @i{Adapting Proof General}, to find out how to disable support for provers you don't use. @c Via the Customize mechanism, see the menu: @c @example @c Options -> Customize -> Emacs -> External -> Proof General @c @end example @c or, after loading Proof General, in a proof script buffer @c @example @c Proof-General -> Customize @c @end example @c @c @c APPENDIX: Known bugs and workarounds @c @c @node Known bugs and workarounds @appendix Known bugs and workarounds We mention some of the known problems with Proof General here. The list was written for Proof General 2.0. It is not a description of all bugs and may be out of date. @* Please consult the file @uref{http://zermelo.dcs.ed.ac.uk/home/proofgen/ProofGeneral/BUGS,@file{BUGS}} in the distribution for more detailed and up-to-date information. @* If you discover a problem which isn't mentioned in @file{BUGS}, please let us know by sending a note to @code{proofgen@@dcs.ed.ac.uk}. @menu * Bugs at the generic level:: * Bugs specific to LEGO Proof General:: * Bugs specific to Coq Proof General:: * Bugs specific to Isabelle Proof General:: @end menu @node Bugs at the generic level @section Bugs at the generic level @subsection Undo in XEmacs When @code{proof-strict-read-only} is non-nil, ordinary undo in the script buffer can edit the "uneditable region" in XEmacs. This doesn't happen in FSF GNU Emacs. Test case: Insert some nonsense text after the locked region. Kill the line. Process to the next command. Press @kbd{C-x u}, nonsense text appears in locked region. @strong{Workaround:} be careful with undo. @subsection Font locking and read-only in FSF GNU Emacs When @code{proof-strict-read-only} is set and font lock is switched on, spurious "Region read only" errors are given which break font lock. @strong{Workaround:} turn off @code{proof-strict-read-only}, font lock, or for the best of all possible worlds, switch to XEmacs. @subsection Pressing keyboard quit @kbd{C-g} Using @kbd{C-g} can leave script management in a mess. The code is not properly protected from Emacs interrupts. @strong{Workaround:} Don't type @kbd{C-g} while script management is processing. If you do, use @code{proof-shell-restart} to restart the system. @c da: Removed 11.12.98: since PG handles this gracefully now, @c I no longer consider it a bug really. @c @subsection One prover at a time @c You can't use more than one proof assistant at a time in the same Emacs @c session. Attempting to load Proof General for a second prover will @c fail, leaving a buffer in fundamental mode instead of the Proof General @c mode for proof scripts. @c @strong{Workaround:} stick to one prover per Emacs session, make sure @c that the @code{proof-assistants} variable only enables Proof General @c for the provers you need. @node Bugs specific to LEGO Proof General @section Bugs specific to LEGO Proof General @menu * Retraction and Discharge:: * Non writable directories:: @end menu @node Retraction and Discharge @subsection Retraction and Discharge After a @code{Discharge}, retraction ought to only be possible back to the first declaration/definition which is discharged. However, LEGO Proof General does not know that @code{Discharge} has such a non-local effect. @c See @ref{Granularity of atomic command sequences}, for a proposal @c on how to fix this bug. @strong{Workaround:} retract back to the first declaration/definition which is discharged. @subsubsection Definitions in a proof state A thorny issue are local definitions in a proof state. LEGO cannot undo them explicitly. @strong{Workaround:} retract back to a command before a definition. @subsubsection Normalisation in proofs Normalisation commands such as @samp{Dnf}, @samp{Hnf} @samp{Normal} cannot be undone in a proof state by Proof General. @strong{Workaround:} retract back to the start of the proof. @c @subsubsection Not saving proofs. @c After LEGO has issued a @samp{*** QED ***} you may undo steps in the @c proof as long as you don't issue a @samp{Save} command or start a new @c proof. LEGO Proof General assumes that all proofs are terminated with a @c proper @samp{Save} command. @c @strong{Workaround:} Always issue a @samp{Save} command after completing @c a proof. If you forget one, you should retract to a point before the @c offending proof development. @node Non writable directories @subsection Non-writable directories If LEGO 1.3.1 attempts to write a (object) file in a non-writable directory, it forgets the protocol mechanism on how to interact with Proof General and gets stuck. @strong{Workaround:} Directly enter @kbd{Configure AnnotateOn;} in the Proof Shell to recover. @node Bugs specific to Coq Proof General @section Bugs specific to Coq Proof General @subsection Hard-wired tactics The collection of tactics which Proof General is aware of is hard-wired. Thus, user-defined tactics cannot be retracted. @strong{Workaround:} You may need to retract to the start of the proof. @subsection Sections Coq Proof General does not know about Coq's Section mechanism. Problems similar to LEGO's discharge. Proof General needs some improvements to cope with these cases. @c @c Isabelle Bugs @c @node Bugs specific to Isabelle Proof General @section Bugs specific to Isabelle Proof General Here are some bugs and problems specific to Isabelle Proof General. @subsection Clash with @code{sml-mode} Since Isabelle proof scripts are not differentiated from @file{.ML} files, Proof General may compete with @code{sml-mode} (if you use it) for controlling these buffers. To ensure Proof General wins, load it last. @strong{Workaround:} use another extension for real ML files, e.g. @code{.sml}, and disable @code{.ML} from entering @code{sml-mode}. @subsection Indentation Isabelle Proof General doesn't support Proof General's indentation code to indent proof scripts. In any case, Proof General's indentation code is somewhat broken. @strong{Workaround:} indent your script by hand. @subsection Scripting language limitations Since Isabelle uses ML as a top-level language for writing proof-scripts, Proof General may have difficulty understanding scripts which stray too far away from the standard functions, tactics, and tacticals, or include nested structure with semicolons within a top-level phrase. You will usually notice when a function, or whatever, doesn't get highlighted as you might expect, or when only part of a top-level phrase gets parsed as a command and Proof General gets ``stuck''. Sometimes you will be able to fix things by changing the script. Generally this probably has no detrimental impact on the interface unless you use your own variants of the @code{goal} or @code{qed} forms. @strong{Workaround:} Restrict yourself to standard proof script functions, or customize some of the variables from @file{isa.el} and @file{isa-syntax.el} appropriately. @subsection Interaction with theory database Isabelle Proof General uses some support from Isabelle to remove and reload theories from the theory database. To maintain consistency, Isabelle is rather conservative. So re-asserting a retracted file will often re-load it, even if it has not changed. (This is because the file may have implicit dependencies on things in the global ML environment not made apparent by the theory structure). This may lead to seemingly unnecessary repetition of time-consuming proofs, so be careful not to retract more than you need! @node References @unnumbered References A short overview of the Proof General system is described in the note: @itemize @bullet @item @b{[Asp00]} David Aspinall. @i{Proof General: A Generic Tool for Proof Development}. Tools and Algorithms for the Construction and Analysis of Systems, Proc TACAS 2000. LNCS 1785. @end itemize Script management as used in Proof General is described in the paper: @itemize @bullet @item @b{[BT98]} Yves Bertot and Laurent Th@'ery. @i{A generic approach to building user interfaces for theorem provers}. Journal of Symbolic Computation, 25(7), pp. 161-194, February 1998. @end itemize Proof General has support for proof by pointing, as described in the document: @itemize @bullet @item @b{[BKS97]} Yves Bertot, Thomas Kleymann-Schreiber and Dilip Sequeira. @i{Implementing Proof by Pointing without a Structure Editor}. LFCS Technical Report ECS-LFCS-97-368. Also published as Rapport de recherche de l'INRIA Sophia Antipolis RR-3286 @end itemize @node Function Index @unnumbered Function and Command Index @printindex fn @node Variable Index @unnumbered Variable and User Option Index @printindex vr @node Keystroke Index @unnumbered Keystroke Index @printindex ky @node Concept Index @unnumbered Concept Index @printindex cp @page @contents @bye