298 %the algorithms as recursive functions, because internally in |
298 %the algorithms as recursive functions, because internally in |
299 %Isabelle/HOL, like in all HOL-based theorem provers, functions are |
299 %Isabelle/HOL, like in all HOL-based theorem provers, functions are |
300 %represented as inductively defined predicates too. |
300 %represented as inductively defined predicates too. |
301 |
301 |
302 \noindent |
302 \noindent |
303 One concete model of computation are Turing machines. We use them |
303 We like to enable Isabelle/HOL users to reason about computability |
304 in the theorem prover Isabelle/HOL for mechanising results from |
304 theory. Reasoning about decidability of predicates, for example, is not as |
305 computability theory, for example the undecidability of the halting problem. |
305 straightforward as one might think in Isabelle/HOL and other HOL |
306 Reasoning about decidability is not as straightforward as one might think |
306 theorem provers, since they are based on classical logic where the law |
307 in Isabelle/HOL and other HOL theorem provers, |
307 of excluded middle ensures that \mbox{@{term "P \<or> \<not>P"}} is always |
308 since they are based on classical logic where the law of excluded |
308 provable no matter whether the predicate @{text P} is constructed by |
309 middle ensures that \mbox{@{term "P \<or> \<not>P"}} is always provable no |
309 computable means. |
310 matter whether the predicate @{text P} is constructed by computable means. |
|
311 |
310 |
312 Norrish formalised computability |
311 Norrish formalised computability |
313 theory in HOL4. He choose the $\lambda$-calculus as the starting point |
312 theory in HOL4. He choose the $\lambda$-calculus as the starting point |
314 for his formalisation because of its ``simplicity'' \cite[Page |
313 for his formalisation because of its ``simplicity'' \cite[Page |
315 297]{Norrish11}. Part of his formalisation is a clever infrastructure |
314 297]{Norrish11}. Part of his formalisation is a clever infrastructure |
417 it harder to design programs for these Turing machines. In order |
416 it harder to design programs for these Turing machines. In order |
418 to construct a universal Turing machine we therefore do not follow |
417 to construct a universal Turing machine we therefore do not follow |
419 \cite{AspertiRicciotti12}, instead follow the proof in |
418 \cite{AspertiRicciotti12}, instead follow the proof in |
420 \cite{Boolos87} by translating abacus machines to Turing machines and in |
419 \cite{Boolos87} by translating abacus machines to Turing machines and in |
421 turn recursive functions to abacus machines. The universal Turing |
420 turn recursive functions to abacus machines. The universal Turing |
422 machine can then be constructed by translating from a recursive function. |
421 machine can then be constructed by translating from a (universal) recursive function. |
423 The part of mechanising the translation of recursive function to register |
422 The part of mechanising the translation of recursive function to register |
424 machines has already been done by Zammit in HOL \cite{Zammit99}, |
423 machines has already been done by Zammit in HOL \cite{Zammit99}, |
425 although his register machines use a slightly different instruction |
424 although his register machines use a slightly different instruction |
426 set than the one described in \cite{Boolos87}. |
425 set than the one described in \cite{Boolos87}. |
427 |
426 |
673 \end{tabular} |
672 \end{tabular} |
674 \end{center} |
673 \end{center} |
675 |
674 |
676 \noindent |
675 \noindent |
677 where @{term "read r"} returns the head of the list @{text r}, or if |
676 where @{term "read r"} returns the head of the list @{text r}, or if |
678 @{text r} is empty it returns @{term Bk}. It is impossible in |
677 @{text r} is empty it returns @{term Bk}. |
679 Isabelle/HOL to lift the @{term step}-function in order to realise a |
678 We lift this definition to an evaluation function that performs |
680 general evaluation function for Turing machines programs. The reason |
679 exactly @{text n} steps: |
681 is that functions in HOL-based provers need to be terminating, and |
|
682 clearly there are programs that are not.\footnote{There is the alternative |
|
683 to use partial functions, which do not necessarily need to terminate, but |
|
684 this does not provide us with a useful induction principle \cite{Krauss10}.} We can however define a |
|
685 recursive evaluation function that performs exactly @{text n} steps: |
|
686 |
680 |
687 \begin{center} |
681 \begin{center} |
688 \begin{tabular}{l@ {\hspace{1mm}}c@ {\hspace{1mm}}l} |
682 \begin{tabular}{l@ {\hspace{1mm}}c@ {\hspace{1mm}}l} |
689 @{thm (lhs) steps.simps(1)} & @{text "\<equiv>"} & @{thm (rhs) steps.simps(1)}\\ |
683 @{thm (lhs) steps.simps(1)} & @{text "\<equiv>"} & @{thm (rhs) steps.simps(1)}\\ |
690 @{thm (lhs) steps.simps(2)} & @{text "\<equiv>"} & @{thm (rhs) steps.simps(2)}\\ |
684 @{thm (lhs) steps.simps(2)} & @{text "\<equiv>"} & @{thm (rhs) steps.simps(2)}\\ |
1655 |
1649 |
1656 section {* Conclusion *} |
1650 section {* Conclusion *} |
1657 |
1651 |
1658 text {* |
1652 text {* |
1659 In previous works we were unable to formalise results about |
1653 In previous works we were unable to formalise results about |
1660 computability because in Isabelle/HOL we cannot represent the |
1654 computability because in Isabelle/HOL we cannot, for example, |
1661 decidability of a predicate @{text P}, say, as the formula @{term "P |
1655 represent the decidability of a predicate @{text P}, say, as the |
1662 \<or> \<not>P"}. For reasoning about computability we need to formalise a |
1656 formula @{term "P \<or> \<not>P"}. For reasoning about computability we need |
1663 concrete model of computations. We could have followed Norrish |
1657 to formalise a concrete model of computations. We could have |
1664 \cite{Norrish11} using the $\lambda$-calculus as the starting point for computability theory, |
1658 followed Norrish \cite{Norrish11} using the $\lambda$-calculus as |
1665 but then we would still have |
1659 the starting point for computability theory, but then we would have |
1666 %to reimplement his infrastructure for |
1660 to reimplement on the ML-level his infrastructure for rewriting |
1667 %reducing $\lambda$-terms on the ML-level. |
1661 $\lambda$-terms modulo $\beta$-equality: HOL4 has a simplifer that |
1668 %We would still need |
1662 can rewrite terms modulo an arbitrary equivalence relation, which |
1669 to connect his work to Turing machines for proofs that make essential use of them |
1663 Isabelle unfortunately does not yet have. Even though we would |
1670 (for example the undecidability proof for Wang's tiling problem \cite{Robinson71}). |
1664 still need to connect $\lambda$-terms somehow to Turing machines for |
|
1665 proofs that make essential use of them (for example the |
|
1666 undecidability proof for Wang's tiling problem \cite{Robinson71}). |
1671 |
1667 |
1672 We therefore have formalised Turing machines in the first place and the main |
1668 We therefore have formalised Turing machines in the first place and the main |
1673 computability results from Chapters 3 to 8 in the textbook by Boolos |
1669 computability results from Chapters 3 to 8 in the textbook by Boolos |
1674 et al \cite{Boolos87}. For this we did not need to implement |
1670 et al \cite{Boolos87}. For this we did not need to implement |
1675 anything on the ML-level of Isabelle/HOL. While formalising the six chapters |
1671 anything on the ML-level of Isabelle/HOL. While formalising the six chapters |
1677 definitions of what function a Turing machine calculates. In |
1673 definitions of what function a Turing machine calculates. In |
1678 Chapter 3 they use a definition that states a function is undefined |
1674 Chapter 3 they use a definition that states a function is undefined |
1679 if the Turing machine loops \emph{or} halts with a non-standard |
1675 if the Turing machine loops \emph{or} halts with a non-standard |
1680 tape. Whereas in Chapter 8 about the universal Turing machine, the |
1676 tape. Whereas in Chapter 8 about the universal Turing machine, the |
1681 Turing machines will \emph{not} halt unless the tape is in standard |
1677 Turing machines will \emph{not} halt unless the tape is in standard |
1682 form. If the title had not already been taken in \cite{Nipkow98}, we could |
1678 form. Like Nipkow \cite{Nipkow98} observed with his formalisation |
1683 have titled our paper ``Boolos et al are (almost) |
1679 of a textbook, we found that Boolos et al are (almost) |
1684 Right''. We have not attempted to formalise everything precisely as |
1680 right. We have not attempted to formalise everything precisely as |
1685 Boolos et al present it, but use definitions that make our |
1681 Boolos et al present it, but use definitions that make our |
1686 mechanised proofs manageable. For example our definition of the |
1682 mechanised proofs manageable. For example our definition of the |
1687 halting state performing @{term Nop}-operations seems to be |
1683 halting state performing @{term Nop}-operations seems to be |
1688 non-standard, but very much suited to a formalisation in a theorem |
1684 non-standard, but very much suited to a formalisation in a theorem |
1689 prover where the @{term steps}-function needs to be total. |
1685 prover where the @{term steps}-function needs to be total. |
1690 |
1686 |
1691 %The most closely related work is by Norrish \cite{Norrish11}, and by |
1687 Norrish mentions that formalising Turing machines would be a |
1692 %Asperti and Ricciotti \cite{AspertiRicciotti12}. |
1688 ``\emph{daunting prospect}'' \cite[Page 310]{Norrish11}. While |
1693 Norrish mentions |
1689 $\lambda$-terms indeed lead to some slick mechanised proofs, our |
1694 that formalising Turing machines would be a ``\emph{daunting prospect}'' |
1690 experience is that Turing machines are not too daunting if one is |
1695 \cite[Page 310]{Norrish11}. While $\lambda$-terms indeed lead to |
1691 only concerned with formalising the undecidability of the halting |
1696 some slick mechanised proofs, our experience is that Turing machines |
1692 problem for Turing machines. As a point of comparison, the halting |
1697 are not too daunting if one is only concerned with formalising the |
1693 problem took us around 1500 loc of Isar-proofs, which is just |
1698 undecidability of the halting problem for Turing machines. As a point of |
1694 one-and-a-half times of a mechanised proof pearl about the |
1699 comparison, the halting problem |
1695 Myhill-Nerode theorem. So our conclusion is that this part is not as |
1700 took us around 1500 loc of Isar-proofs, which is just one-and-a-half |
1696 daunting as we estimated when reading the paper by Norrish |
1701 times of a mechanised proof pearl about the Myhill-Nerode |
1697 \cite{Norrish11}. The work involved with constructing a universal |
1702 theorem. So our conclusion is that this part is not as daunting |
1698 Turing machine via recursive functions and abacus machines, we |
1703 as we estimated when reading the paper by Norrish \cite{Norrish11}. The work |
1699 agree, is not a project one wants to undertake too many times (our |
1704 involved with constructing a universal Turing machine via recursive |
1700 formalisation of abacus machines and their correct translation is |
1705 functions and abacus machines, we agree, is not a project |
1701 approximately 4600 loc; recursive functions 2800 loc and the |
1706 one wants to undertake too many times (our formalisation of abacus |
1702 universal Turing machine 10000 loc). |
1707 machines and their correct translation is approximately 4600 loc; |
|
1708 recursive functions 2800 loc and the universal Turing machine 10000 loc). |
|
1709 |
1703 |
1710 Our work is also very much inspired by the formalisation of Turing |
1704 Our work is also very much inspired by the formalisation of Turing |
1711 machines of Asperti and Ricciotti \cite{AspertiRicciotti12} in the |
1705 machines of Asperti and Ricciotti \cite{AspertiRicciotti12} in the |
1712 Matita theorem prover. It turns out that their notion of |
1706 Matita theorem prover. It turns out that their notion of |
1713 realisability and our Hoare-triples are very similar, however we |
1707 realisability and our Hoare-triples are very similar, however we |
1736 similar in size as the one by Myreen and finding a sufficiently |
1730 similar in size as the one by Myreen and finding a sufficiently |
1737 strong one took us, like Myreen, something on the magnitude of |
1731 strong one took us, like Myreen, something on the magnitude of |
1738 weeks. |
1732 weeks. |
1739 |
1733 |
1740 Our reasoning about the invariants is not much supported by the |
1734 Our reasoning about the invariants is not much supported by the |
1741 automation beyond the standard automation tools available in Isabelle/HOL. |
1735 automation beyond the standard automation tools available in |
1742 There is however a tantalising connection |
1736 Isabelle/HOL. There is however a tantalising connection between our |
1743 between our work and very recent work by Jensen et al \cite{Jensen13} on verifying |
1737 work and very recent work by Jensen et al \cite{Jensen13} on |
1744 X86 assembly code that might change that. They observed a similar phenomenon with assembly |
1738 verifying X86 assembly code that might change that. They observed a |
1745 programs where Hoare-style reasoning is sometimes possible, but |
1739 similar phenomenon with assembly programs where Hoare-style |
1746 sometimes it is not. In order to ease their reasoning, they |
1740 reasoning is sometimes possible, but sometimes it is not. In order |
1747 introduced a more primitive specification logic, on which |
1741 to ease their reasoning, they introduced a more primitive |
1748 Hoare-rules can be provided for special cases. It remains to be |
1742 specification logic, on which Hoare-rules can be provided for |
1749 seen whether their specification logic for assembly code can make it |
1743 special cases. It remains to be seen whether their specification |
1750 easier to reason about our Turing programs. Myreen ??? That would be an |
1744 logic for assembly code can make it easier to reason about our |
1751 attractive result, because Turing machine programs are very much |
1745 Turing programs. That would be an attractive result, because Turing |
1752 like assembly programs and it would connect some very classic work on |
1746 machine programs are very much like assembly programs and it would |
1753 Turing machines to very cutting-edge work on machine code |
1747 connect some very classic work on Turing machines to very |
1754 verification. In order to try out such ideas, our formalisation provides the |
1748 cutting-edge work on machine code verification. In order to try out |
1755 ``playground''. The code of our formalisation is available from the |
1749 such ideas, our formalisation provides the ``playground''. The code |
|
1750 of our formalisation is available from the |
1756 Mercurial repository at \url{http://www.dcs.kcl.ac.uk/staff/urbanc/cgi-bin/repos.cgi/tm/}. |
1751 Mercurial repository at \url{http://www.dcs.kcl.ac.uk/staff/urbanc/cgi-bin/repos.cgi/tm/}. |
1757 \medskip |
1752 \medskip |
1758 |
1753 |
1759 \noindent |
1754 \noindent |
1760 {\bf Acknowledgements:} We are very grateful for the extremely helpful |
1755 {\bf Acknowledgements:} We are very grateful for the extremely helpful |