Turing Machines and Separation Logic (Work in Progress) Jian Xu Xingyuan Zhang PLA University of Science and Technology Christian Urban King's College London Imperial College, 24 November 2013 -- p. 1/26 Why Turing Machines? we wanted to formalise computability theory at the beginning, it was just a student project Computability and Logic (5th. ed) Boolos, Burgess and Jeffrey found an inconsistency in the definition of halting computations (Chap. 3 vs Chap. 8) Imperial College, 24 November 2013 -- p. 2/26 Why Turing Machines? we wanted to formalise computability theory atTMs the beginning, are a fantastic it was model just a of student low-level project code completely unstructured Spaghetti Code good testbed for verification techniques . Can we verify a program with 38 Mio instructions? we can delayComputability implementing and Logic a (5th.concrete ed) machine model (for OS/low-levelBoolos, Burgess code and Jeffrey verification) found an inconsistency in the definition of halting computations (Chap. 3 vs Chap. 8) Imperial College, 24 November 2013 -- p. 2/26 Why Turing Machines? we wanted to formalise computability theory atTMs the beginning, are a fantastic it was model just a of student low-level project code completely unstructured Spaghetti Code good testbed for verification techniques . Can we verify a program with 38 Mio instructions? we can delayComputability implementing and Logic a (5th.concrete ed) machine model (for OS/low-levelBoolos, Burgess code and Jeffrey verification) found an inconsistency in the definition of halting computations (Chap. 3 vs Chap. 8) Imperial College, 24 November 2013 -- p. 2/26 Some Previous Works (but not interested in low-level code) Norrish formalised computability theory in HOL starting from the lambda-calculus for technical reasons we could not follow his work some proofs use TMs (Wang tilings) Asperti and Ricciotti formalised TMs in Matita no undecidability result ) interest in complexity their UTM operates on a different alphabet than the TMs it simulates "In particular, the fact that the universal machine operates with a different alphabet with respect to the machines it simulates is annoying." (Asperti and Ricciotti) Imperial College, 24 November 2013 -- p. 3/26 The Big Picture undecidability of the halting. problem Register Recursive TMs. Machines Functions Imperial College, 24 November 2013 -- p. 4/26 The Big Picture undecidability of the halting. problem Register Recursive TMs. Machines Functions . verified verified translator translator Imperial College, 24 November 2013 -- p. 4/26 The Big Picture undecidability of the halting. problem UF. Register Recursive TMs. Machines Functions . verified verified translator translator Imperial College, 24 November 2013 -- p. 4/26 The Big Picture undecidability of the halting. problem UF. Register Recursive TMs. Machines Functions . verified verified translator translator a correct UTM. by translation Imperial College, 24 November 2013 -- p. 4/26 steps function: What does the TM calculate after it has executed n steps? designate the 0-state as "halting state" and remain there forever, i.e. have a Nop-action Turing Machines tapes are lists and contain 0s or 1s only head … . … left list right list Imperial College, 24 November 2013 -- p. 5/26 designate the 0-state as "halting state" and remain there forever, i.e. have a Nop-action Turing Machines tapes are lists and contain 0s or 1s only head … . … left list right list steps function: What does the TM calculate after it has executed n steps? Imperial College, 24 November 2013 -- p. 5/26 Turing Machines tapes are lists and contain 0s or 1s only head … . … left list right list steps function: What does the TM calculate after it has executed n steps? designate the 0-state as "halting state" and remain there forever, i.e. have a Nop-action Imperial College, 24 November 2013 -- p. 5/26 Register Machines programs are lists of instructions I ::= Goto L jump to instruction L j Inc R increment register R by one j Dec R L if the content of R is non-zero, then decrement it by one otherwise jump to instruction L Imperial College, 24 November 2013 -- p. 6/26 Register Machines programs are lists of instructions I ::= Goto L jump to instruction L j Inc R increment register R by one j Dec R L if the content of R is non-zero, then decrement it by one otherwise jump to instruction L Spaghetti. Code! Imperial College, 24 November 2013 -- p. 6/26 Recursive Functions rec ::= Z zero-function j S successor-function n j Idm projection j Cnn f gs composition j Prn f g primitive recursion j Mnn f minimisation eval :: rec ) nat list ) nat can be defined by recursion (HOL has Least) you define addition, multiplication, logical operations, quantifiers… coding of numbers (Cantor encoding), UF Imperial College, 24 November 2013 -- p. 7/26 Copy Turing Machine TM that copies a number on the input tape copy =def cbegin ; cloop ; cend ) ) ) . z }| { z }| { z}|{ cbegin cloop cend def def def cbegin = cloop = cend = [(W0, 0), (R, 2), (R, 3), [(R, 0), (R, 2), (R, 3), [(L, 0), (R, 2), (W1, 3), (R, 2), (W1, 3), (L, 4), (W0, 2), (R, 3), (R, 4), (L, 4), (R, 2), (R, 2), (L, 4), (L, 0)] (W1, 5), (R, 4), (L, 6), (L, 5), (W0, 4), (R, 0), (L, 5), (L, 6), (L, 1)] (L, 5)] Imperial College, 24 November 2013 -- p. 8/26 Dither Machine TM that is the identity with 1 and loops with 0 start tape ) halting case: … . … . ) non-halting case: … . loops def dither = [(W0, 1), (R, 2), (L, 1), (L, 0)] Imperial College, 24 November 2013 -- p. 9/26 and Hoare-pairs: def {P} p " = 8 tp. if P tp holds then 8 n. : is_final (steps (1, tp) p n) Hoare Logic for TMs Hoare-triples def {P} p {Q} = 8 tp. if P tp holds then 9 n. such that is_final (steps (1, tp) p n) ^ Q holds_for (steps (1, tp) p n) Imperial College, 24 November 2013 -- p. 10/26 Hoare Logic for TMs Hoare-triples and Hoare-pairs: def def {P} p {Q} = {P} p " = 8 tp. 8 tp. if P tp holds then if P tp holds then 9 n. such that 8 n. : is_final (steps (1, tp) p n) is_final (steps (1, tp) p n) ^ Q holds_for (steps (1, tp) p n) Imperial College, 24 November 2013 -- p. 10/26 Some Derived Rules P' 7! P {P} p {Q} Q 7! Q' {P'} p {Q'} {P} p1 {Q} {Q} p2 {R} {P} p1 {Q} {Q} p2 " {P} p1 ; p2 {R} {P} p1 ; p2 " Imperial College, 24 November 2013 -- p. 11/26 Undecidability contra =def copy ; H ; dither Imperial College, 24 November 2013 -- p. 12/26 Undecidability contra =def copy ; H ; dither Suppose H decides whether contra called with the code of contra halts, then def P1 = λtp. tp = ([], hcode contrai) def P2 = λtp. tp = ([0], h(code contra, code contra)i) def k P3 = λtp. 9 k. tp = (0 , h0i) {P1} copy {P2} {P2} H {P3} {P1} copy ; H {P3} {P3} dither " {P1} contra " Imperial College, 24 November 2013 -- p. 12/26 Undecidability contra =def copy ; H ; dither Suppose H decides wether contra called with the code of contra does not halt, then def Q1 = λtp. tp = ([], hcode contrai) def Q2 = λtp. tp = ([0], h(code contra, code contra)i) def k Q3 = λtp. 9 k. tp = (0 , h1i) {Q1} copy {Q2} {Q2} H {Q3} {Q1} copy ; H {Q3} {Q3} dither {Q3} {Q1} contra {Q3} Imperial College, 24 November 2013 -- p. 12/26 Hoare Reasoning reasoning is quite demanding, e.g. the invariants of the copy-machine: def n I1 n (l, r) = (l, r) = ([], 1 ) (starting state) def i j I2 n (l, r) = 9 i j. 0 < i ^ i + j = n ^ (l, r) = (1 , 1 ) def n I3 n (l, r) = 0 < n ^ (l, tl r) = (0::1 , []) def n n - 1 I4 n (l, r) = 0 < n ^ (l, r) = (1 , [0, 1]) _ (l, r) = (1 , [1, 0, 1]) def n - 2 I0 n (l, r) = 1 < n ^ (l, r) = (1 , [1, 1, 0, 1]) _ (halting state) n = 1 ^ (l, r) = ([], [0, 1, 0, 1]) def i j j J1 n (l, r) = 9 i j. i + j + 1 = n ^ (l, r) = (1 , 1::1::0 @1 ) ^ 0 < j _ 0 < n ^ (l, r) = ([], 0::1::0n@1n) (starting state) def n n J0 n (l, r) = 0 < n ^ (l, r) = ([0], 1::0 @1 ) (halting state) def n n K1 n (l, r) = 0 < n ^ (l, r) = ([0], 1::0 @1 ) (starting state) def n n K0 n (l, r) = 0 < n ^ (l, r) = ([0], 1 @0::1 ) (halting state) Imperial College, 24 November 2013 -- p. 13/26 Midway Conclusion feels awfully like reasoning about machine code compositional constructions / reasoning is not at all frictionless sizes sizes: UF 140843 constructors URM 2 Mio instructions UTM 38 Mio states ?old version: URM (12.Mio) UTM (112 Mio) Imperial College, 24 November 2013 -- p. 14/26 very little opportunity for automation The Trouble With Hoare-Triples Whenever we wanted to prove {P} p {Q} (1) we had to find invariants for each state (not easy) (2) we had to find a termination order proving that p terminates (not easy either) Imperial College, 24 November 2013 -- p. 15/26 The Trouble With Hoare-Triples Whenever we wanted to prove {P} p {Q} (1) we had to find invariants for each state (not easy) (2) we had to find a termination order proving that p terminates (not easy either) very little opportunity for automation Imperial College, 24 November 2013 -- p. 15/26 Jensen, Benton, Kennedy (2013), High-Level Separation Logic for Low-Level Code Myreen (2008), Formal Verification of Machine-Code Programs, PhD thesis Klein, Kolanski, Boyton (2012), Mechanised Separation Algebra Inspiration from other Works Imperial College, 24 November 2013 -- p.