312 it harder to design programs for these Turing machines. In order |
312 it harder to design programs for these Turing machines. In order |
313 to construct a universal Turing machine we therefore do not follow |
313 to construct a universal Turing machine we therefore do not follow |
314 \cite{AspertiRicciotti12}, instead follow the proof in |
314 \cite{AspertiRicciotti12}, instead follow the proof in |
315 \cite{Boolos87} by translating abacus machines to Turing machines and in |
315 \cite{Boolos87} by translating abacus machines to Turing machines and in |
316 turn recursive functions to abacus machines. The universal Turing |
316 turn recursive functions to abacus machines. The universal Turing |
317 machine can then be constructed as a recursive function. |
317 machine can then be constructed by translating from a recursive function. |
318 |
318 |
319 \smallskip |
319 \smallskip |
320 \noindent |
320 \noindent |
321 {\bf Contributions:} We formalised in Isabelle/HOL Turing machines |
321 {\bf Contributions:} We formalised in Isabelle/HOL Turing machines |
322 following the description of Boolos et al \cite{Boolos87} where tapes |
322 following the description of Boolos et al \cite{Boolos87} where tapes |
328 universal Turing machine from \cite{Boolos87} by translating recursive |
328 universal Turing machine from \cite{Boolos87} by translating recursive |
329 functions to abacus machines and abacus machines to Turing |
329 functions to abacus machines and abacus machines to Turing |
330 machines. This works essentially like a small, verified compiler |
330 machines. This works essentially like a small, verified compiler |
331 from recursive functions to Turing machine programs. |
331 from recursive functions to Turing machine programs. |
332 When formalising the universal Turing machine, |
332 When formalising the universal Turing machine, |
333 we stumbled upon an inconsistent use of the definition of |
333 we stumbled in \cite{Boolos87} upon an inconsistent use of the definition of |
334 what partial function a Turing machine calculates. |
334 what partial function a Turing machine calculates. |
335 |
335 |
336 %Since we have set up in |
336 %Since we have set up in |
337 %Isabelle/HOL a very general computability model and undecidability |
337 %Isabelle/HOL a very general computability model and undecidability |
338 %result, we are able to formalise other results: we describe a proof of |
338 %result, we are able to formalise other results: we describe a proof of |
506 The @{text 0}-state is special in that it will be used as the |
506 The @{text 0}-state is special in that it will be used as the |
507 ``halting state''. There are no instructions for the @{text |
507 ``halting state''. There are no instructions for the @{text |
508 0}-state, but it will always perform a @{term Nop}-operation and |
508 0}-state, but it will always perform a @{term Nop}-operation and |
509 remain in the @{text 0}-state. Unlike Asperti and Riccioti |
509 remain in the @{text 0}-state. Unlike Asperti and Riccioti |
510 \cite{AspertiRicciotti12}, we have chosen a very concrete |
510 \cite{AspertiRicciotti12}, we have chosen a very concrete |
511 representation for programs, because when constructing a universal |
511 representation for Turing machine programs, because when constructing a universal |
512 Turing machine, we need to define a coding function for programs. |
512 Turing machine, we need to define a coding function for programs. |
513 This can be directly done for our programs-as-lists, but is |
513 This can be directly done for our programs-as-lists, but is |
514 slightly more difficult for the functions used by Asperti and Ricciotti. |
514 slightly more difficult for the functions used by Asperti and Ricciotti. |
515 |
515 |
516 Given a program @{term p}, a state |
516 Given a program @{term p}, a state |
517 and the cell being read by the head, we need to fetch |
517 and the cell being scanned by the head, we need to fetch |
518 the corresponding instruction from the program. For this we define |
518 the corresponding instruction from the program. For this we define |
519 the function @{term fetch} |
519 the function @{term fetch} |
520 |
520 |
521 \begin{equation}\label{fetch} |
521 \begin{equation}\label{fetch} |
522 \mbox{\begin{tabular}{l@ {\hspace{1mm}}c@ {\hspace{1mm}}l} |
522 \mbox{\begin{tabular}{l@ {\hspace{1mm}}c@ {\hspace{1mm}}l} |
1559 some slick mechanised proofs, our experience is that Turing machines |
1559 some slick mechanised proofs, our experience is that Turing machines |
1560 are not too daunting if one is only concerned with formalising the |
1560 are not too daunting if one is only concerned with formalising the |
1561 undecidability of the halting problem for Turing machines. This |
1561 undecidability of the halting problem for Turing machines. This |
1562 took us around 1500 loc of Isar-proofs, which is just one-and-a-half |
1562 took us around 1500 loc of Isar-proofs, which is just one-and-a-half |
1563 times of a mechanised proof pearl about the Myhill-Nerode |
1563 times of a mechanised proof pearl about the Myhill-Nerode |
1564 theorem. So our conclusion is that it not as daunting for this part of the |
1564 theorem. So our conclusion is that this part is not as daunting |
1565 work as we estimated when reading the paper by Norrish \cite{Norrish11}. The work |
1565 as we estimated when reading the paper by Norrish \cite{Norrish11}. The work |
1566 involved with constructing a universal Turing machine via recursive |
1566 involved with constructing a universal Turing machine via recursive |
1567 functions and abacus machines, we agree, is not a project |
1567 functions and abacus machines, we agree, is not a project |
1568 one wants to undertake too many times (our formalisation of abacus |
1568 one wants to undertake too many times (our formalisation of abacus |
1569 machines and their correct translation is approximately 4300 loc; |
1569 machines and their correct translation is approximately 4300 loc; |
1570 recursive functions 5000 loc and the universal Turing machine 10000 loc). |
1570 recursive functions 5000 loc and the universal Turing machine 10000 loc). |
1571 |
1571 |
1572 Our work was also very much inspired by the formalisation of Turing |
1572 Our work is also very much inspired by the formalisation of Turing |
1573 machines by Asperti and Ricciotti \cite{AspertiRicciotti12} in the |
1573 machines by Asperti and Ricciotti \cite{AspertiRicciotti12} in the |
1574 Matita theorem prover. It turns out that their notion of |
1574 Matita theorem prover. It turns out that their notion of |
1575 realisability and our Hoare-triples are very similar, however we |
1575 realisability and our Hoare-triples are very similar, however we |
1576 differ in some basic definitions for Turing machines. Asperti and |
1576 differ in some basic definitions for Turing machines. Asperti and |
1577 Ricciotti are interested in providing a mechanised foundation for |
1577 Ricciotti are interested in providing a mechanised foundation for |
1579 (which differs from ours by using a more general alphabet), but did |
1579 (which differs from ours by using a more general alphabet), but did |
1580 not describe an undecidability proof. Given their definitions and |
1580 not describe an undecidability proof. Given their definitions and |
1581 infrastructure, we expect however this should not be too difficult |
1581 infrastructure, we expect however this should not be too difficult |
1582 for them. |
1582 for them. |
1583 |
1583 |
1584 For us the most interesting aspect of our work are the correctness |
1584 For us the most interesting aspects of our work are the correctness |
1585 proofs for Turing machines. Informal presentations of computability |
1585 proofs for Turing machines. Informal presentations of computability |
1586 theory often leave the constructions of particular Turing machines |
1586 theory often leave the constructions of particular Turing machines |
1587 as exercise to the reader, for example \cite{Boolos87}, deeming |
1587 as exercise to the reader, for example \cite{Boolos87}, deeming |
1588 it to be just a chore. However, as far as we are aware all informal |
1588 it to be just a chore. However, as far as we are aware all informal |
1589 presentations leave out any arguments why these Turing machines |
1589 presentations leave out any arguments why these Turing machines |
1590 should be correct. This means the reader is left |
1590 should be correct. This means the reader is left |
1591 with the task of finding appropriate invariants and measures for |
1591 with the task of finding appropriate invariants and measures for |
1592 showing correctness and termination of these Turing machines. |
1592 showing the correctness and termination of these Turing machines. |
1593 Whenever we can use Hoare-style reasoning, the invariants are |
1593 Whenever we can use Hoare-style reasoning, the invariants are |
1594 relatively straightforward and much smaller than for example the |
1594 relatively straightforward and much smaller than for example the |
1595 invariants used by Myreen in a correctness proof of a garbage collector |
1595 invariants used by Myreen in a correctness proof of a garbage collector |
1596 written in machine code \cite[Page 76]{Myreen09}. However, the invariant |
1596 written in machine code \cite[Page 76]{Myreen09}. However, the invariant |
1597 needed for the abacus proof, where Hoare-style reasoning does not work, is |
1597 needed for the abacus proof, where Hoare-style reasoning does not work, is |
1598 similar in size as the one by Myreen and finding a sufficiently |
1598 similar in size as the one by Myreen and finding a sufficiently |
1599 strong one took us, like Myreen for his, something on the magnitude of |
1599 strong one took us, like Myreen, something on the magnitude of |
1600 weeks. |
1600 weeks. |
1601 |
1601 |
1602 Our reasoning about the invariants is not much supported by the |
1602 Our reasoning about the invariants is not much supported by the |
1603 automation beyond the standard automation tools available in Isabelle/HOL. |
1603 automation beyond the standard automation tools available in Isabelle/HOL. |
1604 There is however a tantalising connection |
1604 There is however a tantalising connection |
1605 between our work and very recent work \cite{Jensen13} on verifying |
1605 between our work and very recent work \cite{Jensen13} on verifying |
1606 X86 assembly code that might change that. They observed a similar phenomenon with assembly |
1606 X86 assembly code that might change that. They observed a similar phenomenon with assembly |
1607 programs that Hoare-style reasoning is sometimes possible, but |
1607 programs where Hoare-style reasoning is sometimes possible, but |
1608 sometimes it is not. In order to ease their reasoning, they |
1608 sometimes it is not. In order to ease their reasoning, they |
1609 introduced a more primitive specification logic, on which |
1609 introduced a more primitive specification logic, on which |
1610 Hoare-rules can be provided for special cases. It remains to be |
1610 Hoare-rules can be provided for special cases. It remains to be |
1611 seen whether their specification logic for assembly code can make it |
1611 seen whether their specification logic for assembly code can make it |
1612 easier to reason about our Turing programs. That would be an |
1612 easier to reason about our Turing programs. That would be an |