We present issues that arose in the design of the CtCoq user-interface for proof development. Covered issues include multi-processing, data display, mouse interaction, and script management.

. This paper proposes a set of guidelines for use in the design of automated support for theorem proving. In particular they are aimed at graphical user interfaces to existing interactive proof engines. The application of these guidelines to the design of a graphical user interface to Isabelle is described. 1 Introduction This paper presents a number of principles formulated to guide the design of enhancements to a graphical user interface of an interactive theorem prover. An interactive theorem prover is a tool in which a user chooses and applies proof steps to terms in a given logic, to produce theorems. The prover actually performs the proof steps and ensures that only valid chains of inference are developed. Although there are many standards and texts which provide general guidelines for designing GUIs there is great benefit in attempting to formulate principles and guidelines that are specific to the problem domain of an application. Such specific principles can be informed by th...

. The state machine paradigm is a popular and convenient means for expressing designs of critical systems. State machines can be readily represented by transition graphs, thus enhancing human understanding of even quite complex problems. In the case of state machines, tracing a path through the transition graph can represent a critical sequence in the execution of a machine. State machine notations are also amenable to formal treatment. A high-level of assurance can be gained by a combination of both these aspects: a machine-checked, formal proof together with a higher-level argument that can be understood by humans. This paper describes proof tactics that support reasoning about state machines at the level of diagrams and paths, and the construction of a corresponding formal proof. A tool, called Veracity [3], has been developed, which links these powerful proof tactics to a graphical userinterface. The proof tactics are implemented in Isabelle, and the paper discusses s...

We propose tools to visualize large proof developments as graphs of theorems and definitions where edges denote the dependency between two theorems. In particular, we study means to limit the size of graphs. Experiments have been done with the Coq theorem prover [DFH + 93] and the GraphViz [EGKN] and daVinci [FW98] graph visualization suites.

loring symbolic execution of the machine; and a Proof Mode, for formally verifying that critical properties of the machine specification hold. State machine definitions have two parts: a topology or state transition diagram part and a transition definition part. The presence of an edge(transition) between two states in the diagram indicates the possibility that the state machine may undergo a transition between them. The definition of the transition determines if, and how, such a transition can occur. The Edit Mode is used to specify state machine designs by providing the means for laying out the state transition graph of a machine; declaring types, constants, variables and inputs; defining the associated transitions; and checking occurrences of variables (e.g. variables declared and not used, or idenitifiers used and not declared). The Animation Mode is used to observe how variables and terms evolve during exec

. This paper describes the design of a proof tree package for the Isabelle theorem prover. Proof trees are a popular structure for representing the form and history of a proof. However, for higher-order logics with scheme variables, proof trees present a problem. The occurrence of the same scheme variable in different branches of the tree introduces dependencies among the tree's branches. Such dependencies impair the predicatibility of proof commands as their effect is not local and it may not be clear to the user which branches of the tree will be affected. The proof tree package aims at limiting the negative effects of interbranch dependencies. Both the proof state and the proof history are represented by the proof tree. Dependencies between branches caused by scheme variables is managed by maintaining a list of global constraints on variables. Using a modified unification procedure, the instantiation of a scheme variable in one branch limits the instantiations possible for that vari...