B System Commands |
In this appendix, we describe all commands that the user can apply to control the system. Some commands are only applicable in declaration mode (when the system is processing declarations as described in Appendix "The Specification Language), others are only applicable in proving mode (when the system is constructing the proof of a formula under the guidance of the user); some commands are applicable in both modes.
Every command has a textual representation that can be typed in on the command line8. If the system is executed with its GUI and is running in proving mode, all applicable commands can be also selected from a menu that pops up when pressing the button . Additionally various commands can be applied by pressing a button in the prover's GUI or by selecting an item in the menu associated to every formula in a proof state (which specializes the command for the application to this formula). A few commands can be selected from the GUI's window menu "File".
The effect of some commands of the proof states is explained by derivation rules that sketch the logical foundation of these commands. For a command that generates from the current state with label [S] various child states [S1], [S2], ... which is displayed in the proof tree as
[S] c [S1] [S2] ...
the corresponding rule has the form
[E] A_1, ... |- B_1, ...
[E] A_2, ... |- B_2, ...
...
------------------------
[E] A, ... |- B, ...
where a sequent [E] A, ...|- B, ... represents a proof state with declaration environment E, assumptions A, ... and goals B, .... The sequent below the line represents the proof state labeled [S], the sequents above the line represent the child states [S1], [S2], ...generated by the application of the command. Consequently, the rule can be read "from bottom to top" as
In order to prove [E] A, ...|- B, ..., we have to prove [E] A_1, ...|- B_1, ..., and [E] A_2, ...|- B_2, ..., and ....
Furthermore, a sequent of the special form [E] |- a:T means "in environment E, expression e has type T"; a sequent [E] |- I:T=V means "in environment E, constant I has type T and value V" The environment [E,a:T] is derived from environment [E] by adding the declaration of a constant a of type T (shadowing any previous declaration of a constant with the same name).
If the prover command contains a value expression, it may give rise to a type checking condition. The prover handles this condition by generating a child state (in addition to the child states generated anyway by the command) with the type checking condition as a single goal (which may be automatically discharged by a decision procedure as in declaration mode, or by an user-controlled proof).
Every proof of a formula has a couple of status attributes which are displayed in the menu of the formula. These attributes are:
When a previously stored proof is replayed but the formula to be proved has changed since the generation of the proof, the proof is marked as "untrusted" and a warning is issued that errors may occur in the replay. There are two kinds of errors possible:
In the first kind of error, the possibility to substitute a proof command is mainly useful if the command has failed because it refers to the label of a formula that has changed since the proof was created. In this case, the user may investigate the proof state, find the corresponding formula, and then execute the command again with a reference to the new label; the remainder of the proof is thus preserved.
As an example for the second kind of error, let us assume that the command scatter has in the original proof of a formula f been applied to a goal a / b generating two child states, one with goal a and one with goal b. If afterwards the declaration of f has been changed such that in the corresponding state of the new proof the goal has form a / b / c, the proof replay gives the following dialog:
Formula f already has a (skeleton) proof (proof status: untrusted) Replay skeleton proof (y/n)? y Warning: proof is untrusted, errors may occur. Warning: problem in state [gda]. In the old proof, command "scatter" generated 2 states: 0: expand a 1: expand b In the new proof, the command generates 3 states with the following goals: 0: a 1: b 2: c You can now map ranges [a..b] of new states to equally sized ranges [c..] of old states. Enter start state a (0..2, -1 to abort): 0 Enter end state b (0..1, -1 to abort): 1 Enter start state c (0..0, -1 to abort): 0 Enter start state a (0..2, -1 to abort): -1 You have constructed the following mapping: New states [0..1] are mapped to old states [0..1]. Do you want to use this mapping (y/n)? y Proof state [wtn] is closed by decision procedure. Proof state [nxu] is closed by decision procedure. Proof replay successful.
If no mapping is provided by the user (answer -1 in the dialog), the proof trees generated for the child states in the old proof are lost.
B System Commands |