721 Turing machines, we have to analyse two concrete Turing machine |
721 Turing machines, we have to analyse two concrete Turing machine |
722 programs and establish that they are correct---that means they are |
722 programs and establish that they are correct---that means they are |
723 ``doing what they are supposed to be doing''. Such correctness proofs are usually left |
723 ``doing what they are supposed to be doing''. Such correctness proofs are usually left |
724 out in the informal literature, for example \cite{Boolos87}. The first program |
724 out in the informal literature, for example \cite{Boolos87}. The first program |
725 we need to prove correct is the @{term dither} program shown in \eqref{dither} |
725 we need to prove correct is the @{term dither} program shown in \eqref{dither} |
726 and the other program is @{term "tcopy"} defined as |
726 and the second program is @{term "tcopy"} defined as |
727 |
727 |
728 \begin{equation} |
728 \begin{equation} |
729 \mbox{\begin{tabular}{@ {}l@ {\hspace{1mm}}c@ {\hspace{1mm}}l@ {}} |
729 \mbox{\begin{tabular}{@ {}l@ {\hspace{1mm}}c@ {\hspace{1mm}}l@ {}} |
730 @{thm (lhs) tcopy_def} & @{text "\<equiv>"} & @{thm (rhs) tcopy_def} |
730 @{thm (lhs) tcopy_def} & @{text "\<equiv>"} & @{thm (rhs) tcopy_def} |
731 \end{tabular}}\label{tcopy} |
731 \end{tabular}}\label{tcopy} |
732 \end{equation} |
732 \end{equation} |
733 |
733 |
734 \noindent |
734 \noindent |
735 whose three components are given in Figure~\ref{copy}. We introduce |
735 whose three components are given in Figure~\ref{copy}. For our |
736 the notion of total correctness defined in terms of |
736 correctness proofs, we introduce the notion of total correctness |
737 \emph{Hoare-triples}, written @{term "{P} p {Q}"} (this notion is |
737 defined in terms of \emph{Hoare-triples}, written @{term "{P} p |
738 very similar to \emph{realisability} in \cite{AspertiRicciotti12}). |
738 {Q}"}. They implement the idea that a program @{term |
739 The Hoare-triples implement the idea that a program @{term p} |
739 p} started in state @{term "1::nat"} with a tape satisfying @{term |
740 started in state @{term "1::nat"} with a tape satisfying @{term P} |
740 P} will after some @{text n} steps halt (have transitioned into the |
741 will after some @{text n} steps halt (have transitioned into the |
741 halting state) with a tape satisfying @{term Q}. This idea is very |
742 halting state) with a tape satisfying @{term Q}. We also have |
742 similar to \emph{realisability} in \cite{AspertiRicciotti12}. We |
743 \emph{Hoare-pairs} of the form @{term "{P} p \<up>"} implementing the |
743 also have \emph{Hoare-pairs} of the form @{term "{P} p \<up>"} |
744 case that a program @{term p} started with a tape satisfying @{term |
744 implementing the case that a program @{term p} started with a tape |
745 P} will loop (never transition into the halting state). Both notion |
745 satisfying @{term P} will loop (never transition into the halting |
746 are formally defined as |
746 state). Both notion are formally defined as |
747 |
747 |
748 \begin{center} |
748 \begin{center} |
749 \begin{tabular}{@ {}c@ {\hspace{4mm}}c@ {}} |
749 \begin{tabular}{@ {}c@ {\hspace{4mm}}c@ {}} |
750 \begin{tabular}[t]{@ {}l@ {}} |
750 \begin{tabular}[t]{@ {}l@ {}} |
751 \colorbox{mygrey}{@{thm (lhs) Hoare_halt_def}} @{text "\<equiv>"}\\[1mm] |
751 \colorbox{mygrey}{@{thm (lhs) Hoare_halt_def}} @{text "\<equiv>"}\\[1mm] |
782 Hoare-rules for sequentially composed Turing programs. In this way |
782 Hoare-rules for sequentially composed Turing programs. In this way |
783 we can reason about the correctness of @{term "tcopy_begin"}, for |
783 we can reason about the correctness of @{term "tcopy_begin"}, for |
784 example, completely separately from @{term "tcopy_loop"} and @{term |
784 example, completely separately from @{term "tcopy_loop"} and @{term |
785 "tcopy_end"}. |
785 "tcopy_end"}. |
786 |
786 |
787 It is realatively straightforward to prove that the small Turing program |
787 It is realatively straightforward to prove that the Turing program |
788 @{term "dither"} shown in \eqref{dither} is correct. This program |
788 @{term "dither"} shown in \eqref{dither} is correct. This program |
789 should be the ``identity'' when started with a standard tape representing |
789 should be the ``identity'' when started with a standard tape representing |
790 @{text "1"} but loop when started with @{text 0} instead, as pictured |
790 @{text "1"} but loops when started with @{text 0} instead, as pictured |
791 below. |
791 below. |
792 |
792 |
793 |
793 |
794 \begin{center} |
794 \begin{center} |
795 \begin{tabular}{l@ {\hspace{3mm}}lcl} |
795 \begin{tabular}{l@ {\hspace{3mm}}lcl} |
849 @{thm dither_loops} |
849 @{thm dither_loops} |
850 \end{tabular} |
850 \end{tabular} |
851 \end{center} |
851 \end{center} |
852 |
852 |
853 \noindent |
853 \noindent |
854 The first is by a simple calculation. The second is by induction on the |
854 The first is by a simple calculation. The second is by an induction on the |
855 number of steps we can perform starting from the input tape. |
855 number of steps we can perform starting from the input tape. |
856 |
856 |
857 The program @{term tcopy} defined in \eqref{tcopy} has 15 states; |
857 The program @{term tcopy} defined in \eqref{tcopy} has 15 states; |
858 its purpose is to produce the standard tape @{term "(DUMMY, <(n, |
858 its purpose is to produce the standard tape @{term "(DUMMY, <(n, |
859 n::nat)>)"} when started with @{term "(DUMMY, <(n::nat)>)"}, that is |
859 n::nat)>)"} when started with @{term "(DUMMY, <(n::nat)>)"}, that is |
876 \end{tabular} |
876 \end{tabular} |
877 \end{center} |
877 \end{center} |
878 |
878 |
879 \noindent |
879 \noindent |
880 The first corresponds to the usual Hoare-rule for composition of two |
880 The first corresponds to the usual Hoare-rule for composition of two |
881 terminating programs. The second rule is for cases where the first program |
881 terminating programs. The second rule gives the conditions for when |
882 terminates generating a tape for which the second program loops. |
882 the first program terminates generating a tape for which the second |
883 The side-condition about @{thm (prem 3) HR2} is needed in both rules |
883 program loops. The side-conditions about @{thm (prem 3) HR2} are |
884 in order to ensure that the redirection of the halting and initial |
884 needed in order to ensure that the redirection of the halting and |
885 state in @{term "p\<^isub>1"} and @{term "p\<^isub>2"} match up correctly. |
885 initial state in @{term "p\<^isub>1"} and @{term "p\<^isub>2"} match up correctly. |
886 |
886 |
887 The Hoare-rules above allow us to prove the correctness of @{term tcopy} |
887 The Hoare-rules allow us to prove the correctness of @{term |
888 by considering the correctness of the components @{term "tcopy_begin"}, @{term "tcopy_loop"} |
888 tcopy} by considering the correctness of the components @{term |
889 and @{term "tcopy_end"} in isolation. We will show the details for |
889 "tcopy_begin"}, @{term "tcopy_loop"} and @{term "tcopy_end"} in |
890 the program @{term "tcopy_begin"}. Given the invariants @{term "inv_begin0"},\ldots, @{term "inv_begin4"} |
890 isolation. We will show the details for the program @{term |
891 shown in Figure~\ref{invbegin}, |
891 "tcopy_begin"}. Given the invariants @{term "inv_begin0"},\ldots, |
892 we define the following invariant for @{term "tcopy_begin"}. |
892 @{term "inv_begin4"} shown in Figure~\ref{invbegin} corresponding to |
|
893 each state of @{term tcopy_begin}, we define the |
|
894 following invariant for the whole program: |
893 |
895 |
894 \begin{figure} |
896 \begin{figure} |
895 \begin{center} |
897 \begin{center} |
896 \begin{tabular}{@ {}lcl@ {\hspace{-2cm}}l@ {}} |
898 \begin{tabular}{@ {}lcl@ {\hspace{-2cm}}l@ {}} |
897 @{thm (lhs) inv_begin0.simps} & @{text "\<equiv>"} & @{thm (rhs) inv_begin01} @{text "\<or>"}& (halting state)\\ |
899 @{thm (lhs) inv_begin0.simps} & @{text "\<equiv>"} & @{thm (rhs) inv_begin01} @{text "\<or>"}& (halting state)\\ |
920 & & @{text else} @{thm (rhs) inv_begin_print(6)} |
922 & & @{text else} @{thm (rhs) inv_begin_print(6)} |
921 \end{tabular} |
923 \end{tabular} |
922 \end{center} |
924 \end{center} |
923 |
925 |
924 \noindent |
926 \noindent |
925 This definition depends on @{term n}, which represents the number |
927 This invariant depends on @{term n} representing the number of |
926 of @{term Oc}s on the tape. It is not hard (26 lines of automated proof script) |
928 @{term Oc}s on the tape. It is not hard (26 lines of automated proof |
927 to show that for @{term "n > (0::nat)"} this invariant is preserved under @{term step} and @{term steps}. |
929 script) to show that for @{term "n > (0::nat)"} this invariant is |
928 |
930 preserved under computation rules @{term step} and @{term steps}. |
929 |
931 |
930 measure for the copying TM, which we however omit. |
932 measure for the copying TM, which we however omit. |
931 |
933 |
932 |
934 |
933 \begin{center} |
935 \begin{center} |