1364 |
1364 |
1365 section {* Conclusion *} |
1365 section {* Conclusion *} |
1366 |
1366 |
1367 text {* |
1367 text {* |
1368 In previous works we were unable to formalise results about |
1368 In previous works we were unable to formalise results about |
1369 computability because in a Isabelle/HOL we cannot represent the |
1369 computability because in Isabelle/HOL we cannot represent the |
1370 decidability of a predicate @{text P}, say, as the formula @{term "P |
1370 decidability of a predicate @{text P}, say, as the formula @{term "P |
1371 \<or> \<not>P"}. For reasoning about computability we need to formalise a |
1371 \<or> \<not>P"}. For reasoning about computability we need to formalise a |
1372 concrete model of computations. We could have followed Norrish |
1372 concrete model of computations. We could have followed Norrish |
1373 \cite{Norrish11} using the $\lambda$-calculus as the starting point, |
1373 \cite{Norrish11} using the $\lambda$-calculus as the starting point, |
1374 but then we would have to reimplement his infrastructure for |
1374 but then we would have to reimplement his infrastructure for |
1375 reducing $\lambda$-terms on the ML-level. We would still need to |
1375 reducing $\lambda$-terms on the ML-level. We would still need to |
1376 connect his work to Turing machines for proofs that make use of them |
1376 connect his work to Turing machines for proofs that make essential use of them |
1377 (for example the proof of Wang's tiling problem \cite{Robinson71}). |
1377 (for example the proof of Wang's tiling problem \cite{Robinson71}). |
1378 |
1378 |
1379 We therefore have formalised Turing machines and the main |
1379 We therefore have formalised Turing machines and the main |
1380 computability results from Chapters 3 to 8 in the textbook by Boolos |
1380 computability results from Chapters 3 to 8 in the textbook by Boolos |
1381 et al \cite{Boolos87}. For this we did not need to implement |
1381 et al \cite{Boolos87}. For this we did not need to implement |
1382 anything on the ML-level of Isabelle/HOL. While formalising |
1382 anything on the ML-level of Isabelle/HOL. While formalising |
1383 \cite{Boolos87} have found an inconsistency in Bolos et al's usage |
1383 \cite{Boolos87} we have found an inconsistency in Bolos et al's |
1384 of definitions of what function a Turing machine calculates. In |
1384 definitions of what function a Turing machine calculates. In |
1385 Chapter 3 they use a definition such that the function is undefined |
1385 Chapter 3 they use a definition that states a function is undefined |
1386 if the Turing machine loops \emph{or} halts with a non-standard |
1386 if the Turing machine loops \emph{or} halts with a non-standard |
1387 tape. Whereas in Chapter 8 about the universal Turing machine, the |
1387 tape. Whereas in Chapter 8 about the universal Turing machine, the |
1388 Turing machines will \emph{not} halt unless the tape is in standard |
1388 Turing machines will \emph{not} halt unless the tape is in standard |
1389 form. Following in the footsteps of another paper \cite{Nipkow98} |
1389 form. Following in the footsteps of another paper \cite{Nipkow98} |
1390 formalising the results from a semantics textbook, we could |
1390 formalising the results from a semantics textbook, we could |
1394 mechanised proofs manageable. For example our definition of the |
1394 mechanised proofs manageable. For example our definition of the |
1395 halting state performing @{term Nop}-operations seems to be |
1395 halting state performing @{term Nop}-operations seems to be |
1396 non-standard, but very much suited to a formalisation in a theorem |
1396 non-standard, but very much suited to a formalisation in a theorem |
1397 prover where the @{term steps}-function need to be total. |
1397 prover where the @{term steps}-function need to be total. |
1398 |
1398 |
1399 The most closely related work is by Norrish \cite{Norrish11}, and |
1399 The most closely related work is by Norrish \cite{Norrish11}, and by |
1400 Asperti and Ricciotti \cite{AspertiRicciotti12}. Norrish formalises |
1400 Asperti and Ricciotti \cite{AspertiRicciotti12}. Norrish mentions |
1401 computability theory using $\lambda$-terms. For this he introduced a |
1401 that formalising Turing machines would be a ``daunting prospect'' |
1402 clever rewriting technology based on combinators and de-Bruijn |
1402 \cite[Page 310]{Norrish11}. While $\lambda$-terms indeed lead to |
1403 indices for rewriting modulo $\beta$-equivalence (in order to avoid |
1403 some slick mechanised proofs, our experience is that Turing machines |
1404 explicit $\alpha$-renamings). He mentions that formalising Turing |
1404 are not too daunting if one is only concerned with formalising the |
1405 machines would be a ``daunting prospect'' \cite[Page |
|
1406 310]{Norrish11}. While $\lambda$-terms indeed lead to some slick |
|
1407 mechanised proofs, our experience is that Turing machines are not |
|
1408 too daunting if one is only concerned with formalising the |
|
1409 undecidability of the halting problem for Turing machines. This |
1405 undecidability of the halting problem for Turing machines. This |
1410 took us around 1500 loc of Isar-proofs, which is just one-and-a-half |
1406 took us around 1500 loc of Isar-proofs, which is just one-and-a-half |
1411 times longer than a mechanised proof pearl about the Myhill-Nerode |
1407 times of a mechanised proof pearl about the Myhill-Nerode |
1412 theorem. So our conclusion is it not as daunting as we imagined |
1408 theorem. So our conclusion is it not as daunting as we estimated |
1413 reading the paper by Norrish \cite{Norrish11}. The work involved |
1409 when reading the paper by Norrish \cite{Norrish11}. The work |
1414 with constructing a universal Turing machine via recursive |
1410 involved with constructing a universal Turing machine via recursive |
1415 functions and abacus machines, on the other hand, is not a |
1411 functions and abacus machines, on the other hand, is not a project |
1416 project one wants to undertake too many times (our formalisation |
1412 one wants to undertake too many times (our formalisation of abacus |
1417 of abacus machines and their correct translation is approximately |
1413 machines and their correct translation is approximately 4300 loc; |
1418 4300 loc; \ldots) |
1414 recursive functions XX loc and the universal Turing machine XX loc). |
1419 |
1415 |
1420 Our work was also very much inspired by the formalisation of Turing |
1416 Our work was also very much inspired by the formalisation of Turing |
1421 machines by Asperti and Ricciotti \cite{AspertiRicciotti12} in the |
1417 machines by Asperti and Ricciotti \cite{AspertiRicciotti12} in the |
1422 Matita theorem prover. It turns out that their notion of |
1418 Matita theorem prover. It turns out that their notion of |
1423 realisability and our Hoare-triples are very similar, however we |
1419 realisability and our Hoare-triples are very similar, however we |
1424 differ in some basic definitions for Turing machines. Asperti and |
1420 differ in some basic definitions for Turing machines. Asperti and |
1425 Ricciotti are interested in providing a mechanised foundation for |
1421 Ricciotti are interested in providing a mechanised foundation for |
1426 complexity theory. They formalised a universal Turing machine |
1422 complexity theory. They formalised a universal Turing machine |
1427 (which differs from ours by using a more general alphabet), but did |
1423 (which differs from ours by using a more general alphabet), but did |
1428 not describe an undecidability proof. Given their definitions and |
1424 not describe an undecidability proof. Given their definitions and |
1429 infrastructure, we expect this should not be too difficult for them. |
1425 infrastructure, we expect however this should not be too difficult |
|
1426 for them. |
1430 |
1427 |
1431 For us the most interesting aspect of our work are the correctness |
1428 For us the most interesting aspect of our work are the correctness |
1432 proofs for some Turing machines. Informal presentation of computability |
1429 proofs for Turing machines. Informal presentations of computability |
1433 theory often leave the constructions of particular Turing machines |
1430 theory often leave the constructions of particular Turing machines |
1434 as exercise to the reader, as \cite{Boolos87} for example, deeming it |
1431 as exercise to the reader, as for example \cite{Boolos87}, deeming |
1435 too easy for wasting space. However, as far as we are aware all |
1432 it to be just a chore. However, as far as we are aware all informal |
1436 informal presentation leave out any correctness proofs---do the |
1433 presentations leave out any arguments why these Turing machines |
1437 Turing machines really perform the task they are supposed to do. |
1434 should be correct. This means the reader or formalsiser is left |
1438 This means we have to find appropriate invariants and measures |
1435 with the task of finding appropriate invariants and measures for |
1439 that can be established for showing correctness and termination. |
1436 showing correctness and termination of these Turing machines. |
1440 Whenever we can use Hoare-style reasoning, the invariants are |
1437 Whenever we can use Hoare-style reasoning, the invariants are |
1441 relatively straightforward and much smaller than for example |
1438 relatively straightforward and much smaller than for example the |
1442 the invariants by Myreen for a correctness proof of a garbage |
1439 invariants used by Myreen in a correctness proof of a garbage collector |
1443 collector \cite[Page 76]{}. The invariant needed for the abacus proof, |
1440 written in machine code \cite[Page 76]{Myreen09}. Howvere, the invariant |
1444 where Hoare-style reasoning does not work, is similar in size as |
1441 needed for the abacus proof, where Hoare-style reasoning does not work, is |
1445 the one by Myreen and finding a sufficiently strong one took |
1442 similar in size as the one by Myreen and finding a sufficiently |
1446 us, like Myreen, something on the magnitude of weeks. |
1443 strong one took us, like Myreen for his, something on the magnitude of |
1447 |
1444 weeks. |
1448 Our reasoning about the invariants is also not very much |
1445 |
1449 supported by the automation in Isabelle. There is however a tantalising |
1446 Our reasoning about the invariants is not much supported by the |
1450 connection between our work and recent work \cite{Jensen13} |
1447 automation in Isabelle. There is however a tantalising connection |
1451 on verifying X86 assembly code. They observed a similar phenomenon |
1448 between our work and very recent work \cite{Jensen13} on verifying |
1452 with assembly programs that Hoare-style reasoning is sometimes |
1449 X86 assembly code. They observed a similar phenomenon with assembly |
1453 possible, but sometimes not. In order to ease their reasoning they |
1450 programs that Hoare-style reasoning is sometimes possible, but |
|
1451 sometimes it is not. In order to ease their reasoning they |
1454 introduced a more primitive specification logic, on which |
1452 introduced a more primitive specification logic, on which |
1455 for special cases Hoare-rules can be provided. |
1453 Hoare-rules can be provided for special cases. It remains to be |
1456 It remains to be seen whether their specification logic |
1454 seen whether their specification logic for assembly code can make it |
1457 for assembly code can make it easier to reason about our Turing |
1455 easier to reason about our Turing programs. That would be an |
1458 programs. That would be an attractive result, because Turing |
1456 attractive result, because Turing machine programs are very much |
1459 machine programs are |
1457 like assmbly programs and it would connect some very classic work on |
1460 |
1458 Turing machines with very cutting-edge work on machine code |
1461 The code of our formalisation is available from the Mercurial repository at |
1459 verification. In order to try out such ideas, our formalisation provides the |
1462 \url{http://www.dcs.kcl.ac.uk/staff/urbanc/cgi-bin/repos.cgi/tm/} |
1460 ``playground''. The code of our formalisation is available from the |
|
1461 Mercurial repository at\\ |
|
1462 \url{http://www.dcs.kcl.ac.uk/staff/urbanc/cgi-bin/repos.cgi/tm/}. |
1463 *} |
1463 *} |
1464 |
1464 |
1465 |
1465 |
1466 |
1466 |
1467 (*<*) |
1467 (*<*) |