<?xml version="1.0" encoding="UTF-8"?>
<rss  xmlns:atom="http://www.w3.org/2005/Atom" 
      xmlns:media="http://search.yahoo.com/mrss/" 
      xmlns:content="http://purl.org/rss/1.0/modules/content/" 
      xmlns:dc="http://purl.org/dc/elements/1.1/" 
      version="2.0">
<channel>
<title>dr. heap</title>
<link>https://www.drheap.nl/articles/</link>
<atom:link href="https://www.drheap.nl/articles/index.xml" rel="self" type="application/rss+xml"/>
<description>dr. heap is an independent publication launched in May 2024 by Hans-Dieter Hiep. The goals of this publication are: (1) To widely and effectively communicate scientific ideas concerning the foundations of computer science and computer engineering (including logic, programming language theory, program correctness). (2) To provide open access on-line courses that help with understanding the foundations of computer science and computer engineering (including how computers can be designed and programmed to ensure their correctness). All articles are licensed under Creative Commons Attribution International 4.0. (C) Copyright remains reserved to the original author(s). ISSN: 3050-5224</description>
<generator>quarto-1.9.38</generator>
<lastBuildDate>Fri, 28 Jun 2024 22:00:00 GMT</lastBuildDate>
<item>
  <title>A sound and complete proof system for separation logic (part 1)</title>
  <dc:creator>Hans-Dieter A. Hiep</dc:creator>
  <dc:creator>Frank S. de Boer</dc:creator>
  <link>https://www.drheap.nl/articles/2024/sound-and-complete-proof-system-for-separation-logic-part-1/</link>
  <description><![CDATA[ 





<p><a href="main.pdf" class="btn btn-default downloadthis  " id="dnldts64356"><i class="bi bi-download"></i> Download the PDF version of this article </a></p>
<section id="introduction" class="level2" data-number="1">
<h2 data-number="1" class="anchored" data-anchor-id="introduction"><span class="header-section-number">1</span> Introduction</h2>
<p>In this article we have another look at the proof system for separation logic that is introduced in the first author’s PhD&nbsp;thesis <span class="citation" data-cites="hiep2024new">[5]</span> (publicly defended on Thursday, May 23rd, 2024).</p>
<p>By separation logic we mean the logic behind the assertion language used in Reynolds’ logic, the program logic for reasoning about the correctness of pointer programs that was introduced in 2002 by J.C.&nbsp;Reynolds <span class="citation" data-cites="reynolds2002separation">[9]</span>. In that article, Reynolds introduces both his program logic and an axiomatization of the assertion logic by several axioms, but writes:</p>
<blockquote class="blockquote">
<p>Finally, we give axiom schemata for the predicate <img src="https://latex.codecogs.com/png.latex?%5Cmapsto">.<br>
(Regrettably, these are far from complete.)</p>
</blockquote>
<p>In 2021, completeness of quantifier-free separation logic was established <span class="citation" data-cites="DemriLM21">[3]</span>, and three years later completeness of the full language of separation logic followed <span class="citation" data-cites="hiep2024new">[5]</span>.</p>
<p>The purpose of this article is to show the novel proof system of <span class="citation" data-cites="hiep2024new">[5]</span> in a straightforward way. The new proof system can be used to prove <em>all</em> valid formulas, which until now were impossible to prove using existing automatic and interactive tools for separation logic. In Section&nbsp;2 we quickly revisit the formulas of separation logic, in Section&nbsp;3 we introduce the proof system, and in Section&nbsp;4 we have a look at a number of example proofs. We then continue the discussion that motivates the design of the proof system: in Section&nbsp;5 we discuss referential transparency and the binding structure of separation logic, and in Section&nbsp;6 we discuss issues such as univalence, well-foundedness, and finiteness.</p>
<p>This article is <strong>part one</strong> of a series of articles about the new proof system for separation logic. In this article, we focus on the syntax of the proof system. In Section&nbsp;7, the conclusion, we discuss the topics of the next parts of this series, namely semantics and the soundness and completeness of the proof system.</p>
</section>
<section id="preliminaries" class="level2" data-number="2">
<h2 data-number="2" class="anchored" data-anchor-id="preliminaries"><span class="header-section-number">2</span> Preliminaries</h2>
<p>The syntax of formulas of separation logic is defined as follows: <img src="https://latex.codecogs.com/png.latex?%5Cphi,%5Cpsi%20%5CColoneqq%20%5Cbot%20%5Cmid%20(x%5Chookrightarrow%20y)%20%5Cmid%20P(x_1,%5Cldots,x_n)%20%5Cmid%20(%5Cphi%5Cto%5Cpsi)%20%5Cmid%20(%5Cforall%20x)%5Cphi%20%5Cmid%20(%5Cphi%5Cmathrel%7B*%7D%5Cpsi)%20%5Cmid%20(%5Cphi%5Cmathrel%7B-%5Cmkern-4.5mu%20*%7D%5Cpsi)"> where we assume there is a countably infinite set of variables <img src="https://latex.codecogs.com/png.latex?V"> with typical examples <img src="https://latex.codecogs.com/png.latex?x,y,z"> (possibly with subscripts), and we have a signature which has a countably infinite set of non-logical symbols each assigned to a fixed arity of which <img src="https://latex.codecogs.com/png.latex?P"> is a typical example with arity&nbsp;<img src="https://latex.codecogs.com/png.latex?n">. We have the usual logical symbols: <img src="https://latex.codecogs.com/png.latex?%5Cbot"> stands for falsity and <img src="https://latex.codecogs.com/png.latex?(%5Cphi%5Cto%5Cpsi)"> stands for logical implication. From these two symbols we can derive all other propositional connectives, such as negation <img src="https://latex.codecogs.com/png.latex?%5Clnot%5Cphi">, verum <img src="https://latex.codecogs.com/png.latex?%5Ctop">, logical conjunction <img src="https://latex.codecogs.com/png.latex?(%5Cphi%5Cland%5Cpsi)">, and logical disjunction <img src="https://latex.codecogs.com/png.latex?(%5Cphi%5Clor%5Cpsi)">. We have universal quantification <img src="https://latex.codecogs.com/png.latex?(%5Cforall%20x)%5Cphi"> where the variable <img src="https://latex.codecogs.com/png.latex?x"> is bound in the usual way, and we can define existential quantification <img src="https://latex.codecogs.com/png.latex?(%5Cexists%20x)%5Cphi"> as the dual <img src="https://latex.codecogs.com/png.latex?%5Clnot(%5Cforall%20x)%5Clnot%5Cphi">. 
By <img src="https://latex.codecogs.com/png.latex?FV(%5Cphi)"> we mean the set of free variables in <img src="https://latex.codecogs.com/png.latex?%5Cphi">. Quantification is first-order in the sense that quantification ranges over individuals. Finally, we also have equality <img src="https://latex.codecogs.com/png.latex?(x%20=%20y)"> as a non-logical symbol, but with a fixed meaning. (Our treatment of parentheses and resolution of ambiguity is standard: we may leave parentheses out as long as the result is not too ambiguous.)</p>
<p>What is different in separation logic compared to classical first-order logic are the following so-called <em>separation symbols</em> (distinguished from the logical and non-logical symbols). The primitive formula <img src="https://latex.codecogs.com/png.latex?(x%20%5Chookrightarrow%20y)"> is called <em>points to</em> (as in ‘<img src="https://latex.codecogs.com/png.latex?x"> points to <img src="https://latex.codecogs.com/png.latex?y">’) or a <em>reference</em> (as in ‘<img src="https://latex.codecogs.com/png.latex?x"> is a reference to <img src="https://latex.codecogs.com/png.latex?y">’). As complex formulas, two separating connectives are given: <img src="https://latex.codecogs.com/png.latex?(%5Cphi%5Cmathrel%7B*%7D%5Cpsi)"> is a <em>separating conjunction</em>, and <img src="https://latex.codecogs.com/png.latex?(%5Cphi%5Cmathrel%7B-%5Cmkern-4.5mu%20*%7D%5Cpsi)"> is a <em>separating implication</em>. The latter connective is also called the <em>magic wand</em> by some authors. Having ‘points to’ <img src="https://latex.codecogs.com/png.latex?%5Chookrightarrow"> as primitive allows us to define ‘strict points to’ <img src="https://latex.codecogs.com/png.latex?%5Cmapsto"> as follows, where we take <img src="https://latex.codecogs.com/png.latex?(x%5Cmapsto%20y)"> to abbreviate <img src="https://latex.codecogs.com/png.latex?(x%20%5Chookrightarrow%20y)%5Cland%20(%5Cforall%20z,w.%5C,(z%20%5Chookrightarrow%20w)%20%5Cto%20x%20=%20z)."> The intention is that <img src="https://latex.codecogs.com/png.latex?(x%20%5Chookrightarrow%20y)"> expresses that location <img src="https://latex.codecogs.com/png.latex?x"> has value <img src="https://latex.codecogs.com/png.latex?y">, whereas <img src="https://latex.codecogs.com/png.latex?(x%20%5Cmapsto%20y)"> expresses furthermore that <img src="https://latex.codecogs.com/png.latex?x"> is the only location allocated. 
We also have the abbreviations <img src="https://latex.codecogs.com/png.latex?(x%20%5Chookrightarrow%20-)"> and <img src="https://latex.codecogs.com/png.latex?(x%20%5Cmapsto%20-)">, where we immediately existentially quantify away the value. These express that <img src="https://latex.codecogs.com/png.latex?x"> is allocated (possibly among other locations) and, moreover, that only <img src="https://latex.codecogs.com/png.latex?x"> is allocated. By <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Bemp%7D"> we mean nothing is allocated, so it abbreviates <img src="https://latex.codecogs.com/png.latex?%5Cforall%20x(%5Clnot(x%5Chookrightarrow%20-))">, i.e.&nbsp;every location <img src="https://latex.codecogs.com/png.latex?x"> does not point to some value, or equivalently <img src="https://latex.codecogs.com/png.latex?%5Cforall%20x,y.%5C,%5Clnot(x%5Chookrightarrow%20y)">.</p>
</section>
<section id="proof-system" class="level2" data-number="3">
<h2 data-number="3" class="anchored" data-anchor-id="proof-system"><span class="header-section-number">3</span> Proof system</h2>
<p>In this section we introduce a novel proof system for separation logic. In this article we look at the proof system from a purely syntactical point of view. In the next article of this series, we give the standard semantics of separation logic.</p>
<p>The first device we introduce is a special <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Blet%7D"> construct, in the following sense: <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Blet%7D%5C%20(x%20%5Chookrightarrow%20y)%20:=%20%20%5Cpsi(x,y)%5C%20%5Cmathbf%7Bin%7D%5C%20%5Cphi."> This construct allows us to change the meaning of ‘points to’ in <img src="https://latex.codecogs.com/png.latex?%5Cphi">, by assigning it the meaning denoted by <img src="https://latex.codecogs.com/png.latex?%5Cpsi(x,y)">. Intuitively speaking, to evaluate whether <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Blet%7D%5C%20(x%20%5Chookrightarrow%20y)%20:=%20%20%5Cpsi(x,y)%5C%20%5Cmathbf%7Bin%7D%5C%20%5Cphi"> holds, we first consider the heap denoted by <img src="https://latex.codecogs.com/png.latex?%5Cpsi"> (with free variables <img src="https://latex.codecogs.com/png.latex?x"> and <img src="https://latex.codecogs.com/png.latex?y">) and then we evaluate whether <img src="https://latex.codecogs.com/png.latex?%5Cphi"> holds in the heap described by <img src="https://latex.codecogs.com/png.latex?%5Cpsi">. We must be careful not to adopt too naïve an interpretation of <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Blet%7D">: we cannot simply replace the occurrences of <img src="https://latex.codecogs.com/png.latex?(x%5Chookrightarrow%20y)"> in <img src="https://latex.codecogs.com/png.latex?%5Cphi"> by <img src="https://latex.codecogs.com/png.latex?%5Cpsi(x,y)">, because the separating connectives are referentially opaque (this is explained in more detail in Section&nbsp;5). The purpose of our proof system is to reason about this <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Blet%7D"> construct in a formal way.</p>
<p>Working with <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Blet%7D"> takes much space, so instead we use the shorthand notation <img src="https://latex.codecogs.com/png.latex?%5Cphi%5Cmathord%7B@%7D_%7Bx,y%7D%5Cpsi">. Thus, the objects of our proof system involve not just the formulas of separation logic, but an extended language (called extended separation logic) in which we add this special construct: <img src="https://latex.codecogs.com/png.latex?%5Cphi,%5Cpsi%20%5CColoneqq%20%5Cldots%20%5Cmid%20(%5Cphi%5Cmathord%7B@%7D_%7Bx,y%7D%5Cpsi)"></p>
<p>Next, we introduce a proof system whose objects are the formulas of extended separation logic. This proof system allows us to deduce formulas: a deduction is also called a proof, and we shall give a number of example proofs. Recall that we have a signature that has a countably infinite supply of non-logical symbols. For any formula of extended separation logic, its parameters are the predicate symbols of the signature that occur somewhere in the formula. In particular, we shall make use of so-called ‘bookkeeping devices’, which are binary predicate symbols <img src="https://latex.codecogs.com/png.latex?R"> (possibly with primes or subscripts) from the signature. Sometimes we have the side-condition that our bookkeeping devices are ‘fresh’, in the sense that they do not appear as parameters of formulas in the context.</p>
<p>We present the proof system as a Hilbert-style axiom system, but nothing prevents us from also giving the proof system in the style of natural deduction. We have the usual proof rules and axioms of classical logic (but instantiated with formulas of extended separation logic), together with the following axioms:</p>
<ul>
<li><p><img src="https://latex.codecogs.com/png.latex?%5Cphi%5Cleftrightarrow(%5Cphi%5Cmathord%7B@%7D(x%5Chookrightarrow%20y))"><span class="move-right">(Lookup)</span></p></li>
<li><p><img src="https://latex.codecogs.com/png.latex?((x'%5Chookrightarrow%20y')%5Cmathord%7B@%7D%5Cpsi)%5Cleftrightarrow%20%5Cpsi%5Bx,y%20:=%20x',y'%5D"><span class="move-right">(Replace)</span></p></li>
<li><p><img src="https://latex.codecogs.com/png.latex?(%5Cmathbf%7Bfalse%7D%5Cmathord%7B@%7D%5Cphi)%5Cleftrightarrow%5Cmathbf%7Bfalse%7D"><span class="move-right">(<img src="https://latex.codecogs.com/png.latex?@%5Cbot">)</span></p></li>
<li><p><img src="https://latex.codecogs.com/png.latex?((%5Cphi%5Cto%5Cpsi)%5Cmathord%7B@%7D%5Cchi)%5Cleftrightarrow(%5Cphi%5Cmathord%7B@%7D%5Cchi%5Cto%20(%5Cpsi%5Cmathord%7B@%7D%5Cchi))"><span class="move-right">(<img src="https://latex.codecogs.com/png.latex?@%5C!%5C!%5Cto">)</span></p></li>
<li><p><img src="https://latex.codecogs.com/png.latex?((%5Cforall%20x%5Cphi)%5Cmathord%7B@%7D%5Cpsi)%5Cleftrightarrow%20(%5Cforall%20x)(%5Cphi%5Cmathord%7B@%7D%5Cpsi)"> if <img src="https://latex.codecogs.com/png.latex?x%5Cnot%5Cin%20FV(%5Cpsi)"><span class="move-right">(<img src="https://latex.codecogs.com/png.latex?@%5Cforall">)</span></p></li>
<li><p><img src="https://latex.codecogs.com/png.latex?(%5Cphi%5Cmathord%7B@%7D(%5Cpsi%5Cmathord%7B@%7D%5Cchi))%5Cleftrightarrow%20((%5Cphi%5Cmathord%7B@%7D%5Cpsi)%5Cmathord%7B@%7D%5Cchi)"><span class="move-right">(Assoc)</span></p></li>
<li><p><img src="https://latex.codecogs.com/png.latex?(%5Cforall%20x,y(%5Cpsi%5Cleftrightarrow%5Cchi))%5Cto%20((%5Cphi%5Cmathord%7B@%7D%5Cpsi)%5Cleftrightarrow(%5Cphi%5Cmathord%7B@%7D%5Cchi))"><span class="move-right">(Extent)</span></p></li>
<li><p><img src="https://latex.codecogs.com/png.latex?((%5Cphi%5Cmathrel%7B*%7D%5Cpsi)%5Cmathord%7B@%7D%5Cchi)%5Cto%20(%5Cchi=R_1%5Cuplus%20R_2%20%5Cto%20(%5Cphi%5Cmathord%7B@%7DR_1)%5Cto%20(%5Cpsi%5Cmathord%7B@%7DR_2)%5Cto%20%5Cxi)%5Cto%5Cxi"><span class="move-right">(<img src="https://latex.codecogs.com/png.latex?%5Cmathrel%7B*%7D">E)</span></p></li>
<li><p><img src="https://latex.codecogs.com/png.latex?%5Cchi=%5Cchi_1%5Cuplus%20%5Cchi_2%20%5Cto%20(%5Cphi%5Cmathord%7B@%7D%5Cchi_1)%5Cto%20(%5Cpsi%5Cmathord%7B@%7D%5Cchi_2)%5Cto((%5Cphi%5Cmathrel%7B*%7D%5Cpsi)%5Cmathord%7B@%7D%5Cchi)"><span class="move-right">(<img src="https://latex.codecogs.com/png.latex?%5Cmathrel%7B*%7D">I)</span></p></li>
<li><p><img src="https://latex.codecogs.com/png.latex?((%5Cphi%5Cmathrel%7B-%5Cmkern-4.5mu%20*%7D%5Cpsi)%5Cmathord%7B@%7D%5Cchi)%5Cto(%5Cchi%5Cperp%5Cchi')%5Cto(%5Cphi%5Cmathord%7B@%7D%5Cchi')%5Cto((%5Cpsi%5Cmathord%7B@%7D(%5Cchi%5Clor%5Cchi'))%5Cto%20%5Cxi)%5Cto%5Cxi"><span class="move-right">(<img src="https://latex.codecogs.com/png.latex?%5Cmathrel%7B-%5Cmkern-4.5mu%20*%7D">E)</span></p></li>
<li><p><img src="https://latex.codecogs.com/png.latex?(%5Cchi%5Cperp%20R%5Cto%20(%5Cphi%5Cmathord%7B@%7DR)%5Cto%20(%5Cpsi%5Cmathord%7B@%7D(%5Cchi%5Clor%20R(x,y))))%5Cto%20((%5Cphi%5Cmathrel%7B-%5Cmkern-4.5mu%20*%7D%5Cpsi)%5Cmathord%7B@%7D%5Cchi)"><span class="move-right">(<img src="https://latex.codecogs.com/png.latex?%5Cmathrel%7B-%5Cmkern-4.5mu%20*%7D">I)</span></p></li>
</ul>
<p>We have the side-condition in the rule (<img src="https://latex.codecogs.com/png.latex?%5Cmathrel%7B*%7D">E) that the symbols <img src="https://latex.codecogs.com/png.latex?R_1"> and <img src="https://latex.codecogs.com/png.latex?R_2"> are fresh, i.e.&nbsp;are not parameters of <img src="https://latex.codecogs.com/png.latex?%5Cphi,%5Cpsi,%5Cchi,%5Cxi">. Similarly, we have the side-condition in the rule (<img src="https://latex.codecogs.com/png.latex?%5Cmathrel%7B-%5Cmkern-4.5mu%20*%7D">I) that the symbol <img src="https://latex.codecogs.com/png.latex?R"> is fresh, i.e.&nbsp;is not a parameter of <img src="https://latex.codecogs.com/png.latex?%5Cphi,%5Cpsi,%5Cchi">. We used <img src="https://latex.codecogs.com/png.latex?@"> without subscripts instead of <img src="https://latex.codecogs.com/png.latex?@_%7Bx,y%7D"> to reduce notational clutter. To avoid confusion, we may use <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Bfalse%7D"> instead of <img src="https://latex.codecogs.com/png.latex?%5Cbot"> and <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Btrue%7D"> instead of <img src="https://latex.codecogs.com/png.latex?%5Ctop">.</p>
<p><img src="https://latex.codecogs.com/png.latex?%5Cpsi%5Bx,y%20:=%20x',y'%5D"> is the result of simultaneous substitution of <img src="https://latex.codecogs.com/png.latex?x"> by <img src="https://latex.codecogs.com/png.latex?x'"> and <img src="https://latex.codecogs.com/png.latex?y"> by <img src="https://latex.codecogs.com/png.latex?y'">, respectively. The substitution operator <img src="https://latex.codecogs.com/png.latex?%5Cphi%5Bx%20:=%20x'%5D"> is defined compositionally as usual, and has the following specification for the new connective: <img src="https://latex.codecogs.com/png.latex?(%5Cphi%5Cmathord%7B@%7D_%7Bx,y%7D%5Cpsi)%5Bz%20:=%20z'%5D%20=%20(%5Cphi%5Bz%20:=%20z'%5D%5Cmathord%7B@%7D_%7Bx,y%7D%5Cpsi%5Bz%20:=%20z'%5D)"> where <img src="https://latex.codecogs.com/png.latex?x,y,z"> are all distinct. If <img src="https://latex.codecogs.com/png.latex?z"> is either the same variable as <img src="https://latex.codecogs.com/png.latex?x"> or <img src="https://latex.codecogs.com/png.latex?y">, then the substitution is not pushed down on the right side. A similar definition can be given for simultaneous substitution of distinct variables.</p>
<p>We let <img src="https://latex.codecogs.com/png.latex?%5Cchi=%5Cchi_1%5Cuplus%20%5Cchi_2"> abbreviate the formula <img src="https://latex.codecogs.com/png.latex?(%5Cchi%20%5Cequiv%20%5Cchi_1%5Ccup%20%5Cchi_2)%20%5Cland%20(%5Cchi_1%5Cperp%20%5Cchi_2)">, let <img src="https://latex.codecogs.com/png.latex?%7B%5Cchi%5Cequiv%20%5Cchi_1%5Ccup%20%5Cchi_2%7D"> abbreviate the formula <img src="https://latex.codecogs.com/png.latex?%5Cforall%20x,y(%5Cchi(x,y)%5Cleftrightarrow%20%5Cchi_1(x,y)%20%5Clor%20%5Cchi_2(x,y))">, and let <img src="https://latex.codecogs.com/png.latex?%7B%5Cchi_1%20%5Cperp%20%5Cchi_2%7D"> abbreviate the formula <img src="https://latex.codecogs.com/png.latex?%5Cforall%20x,y%5Cbigl(%5Cchi_1(x,y)%20%5Cto%20%5Cforall%20z.%5Clnot%20%5Cchi_2(x,z)%5Cbigr)."> These abbreviations universally quantify <img src="https://latex.codecogs.com/png.latex?x,y">: we let these quantifiers, on purpose, capture the free variables <img src="https://latex.codecogs.com/png.latex?x"> and <img src="https://latex.codecogs.com/png.latex?y"> of <img src="https://latex.codecogs.com/png.latex?%5Cchi,%5Cchi_1,%5Cchi_2">. When <img src="https://latex.codecogs.com/png.latex?%5Cchi_1"> and <img src="https://latex.codecogs.com/png.latex?%5Cchi_2"> are just the binary predicate symbols <img src="https://latex.codecogs.com/png.latex?R_1"> and <img src="https://latex.codecogs.com/png.latex?R_2">, we mean the formulas <img src="https://latex.codecogs.com/png.latex?R_1(x,y)"> and <img src="https://latex.codecogs.com/png.latex?R_2(x,y)">. One can also use set builder notation to make the intention clearer. Note that in the latter abbreviation, <img src="https://latex.codecogs.com/png.latex?%5Cchi_1%5Cperp%5Cchi_2">, we require the stronger notion of disjointness of the domains of the two relations, not the weaker notion of disjointness of the two sets of pairs related by each relation.</p>
<p>Further, a useful result in practical reasoning is that we can replace equivalent subformulas in any formula. Moreover, the deduction theorem also holds for our proof system, hence we can apply the axioms under any context. We furthermore shall use the above proof system in a natural deduction style.</p>
</section>
<section id="example-proofs" class="level2" data-number="4">
<h2 data-number="4" class="anchored" data-anchor-id="example-proofs"><span class="header-section-number">4</span> Example proofs</h2>
<p>Let us now have a look at a number of example proofs. We shall write <img src="https://latex.codecogs.com/png.latex?%5Cvdash%5Cphi"> to mean that <img src="https://latex.codecogs.com/png.latex?%5Cphi"> is demonstrable in the proof system given above without any premises, and <img src="https://latex.codecogs.com/png.latex?%5CGamma%5Cvdash%20%5Cphi"> to mean that <img src="https://latex.codecogs.com/png.latex?%5Cphi"> is demonstrable using the premises in <img src="https://latex.codecogs.com/png.latex?%5CGamma">.</p>
<p>The first example is given in Figure&nbsp;1. The statement we want to prove has the following intuitive meaning: in the heap described by <img src="https://latex.codecogs.com/png.latex?%5Cbot"> we have that <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Bemp%7D"> is satisfied. The argument is the following: the heap described by <img src="https://latex.codecogs.com/png.latex?%5Cbot"> is the empty graph (no location is mapped to any value), so evaluating <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Bemp%7D"> in that heap indeed yields a true formula. In the proof that follows, we do not explicitly write down how to do classical reasoning, and instead we focus on the application of the new axioms.</p>
<div id="fig:proof-1" class="quarto-figure quarto-figure-center anchored">
<figure class="figure">
<p><img src="https://www.drheap.nl/articles/2024/sound-and-complete-proof-system-for-separation-logic-part-1/fig2.png" class="img-fluid figure-img"></p>
<figcaption>Figure 1. Proof of <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Bemp%7D"> in the empty heap.</figcaption>
</figure>
</div>
<p>The second example is given in Figure&nbsp;2. We prove that for any (extended) separation logic formulas <img src="https://latex.codecogs.com/png.latex?%5Cphi"> and <img src="https://latex.codecogs.com/png.latex?%5Cpsi">, their separating conjunction is commutative. The proof proceeds in two parts. In step 9, we have shown how to swap the two separated formulas relative to the heap <img src="https://latex.codecogs.com/png.latex?(x%5Chookrightarrow%20y)">. But this heap description has the same extension as the ‘outer’ heap, hence we obtain the non-relative result in step 10! As such, we can obtain the result simply by putting the given formula under this <img src="https://latex.codecogs.com/png.latex?@">-connective. We add formulas to the context by means of opening a box, so at step 6 we have established: <img src="https://latex.codecogs.com/png.latex?(%5Cphi%5Cmathrel%7B*%7D%5Cpsi)%5Cmathord%7B@%7D(x%5Chookrightarrow%20y),(x%5Chookrightarrow%20y)%20=%20R_1%5Cuplus%20R_2,%5Cphi%5Cmathord%7B@%7DR_1,%5Cpsi%5Cmathord%7B@%7DR_2%5Cvdash%20(%5Cpsi%5Cmathrel%7B*%7D%5Cphi)%5Cmathord%7B@%7D(x%5Chookrightarrow%20y)."></p>
<div id="fig:proof-2" class="quarto-figure quarto-figure-center anchored">
<figure class="figure">
<p><img src="https://www.drheap.nl/articles/2024/sound-and-complete-proof-system-for-separation-logic-part-1/fig3.png" class="img-fluid figure-img"></p>
<figcaption>Figure 2. Proof of commutativity of <img src="https://latex.codecogs.com/png.latex?%5Cmathrel%7B*%7D">.</figcaption>
</figure>
</div>
<p>See Figure&nbsp;3 and Figure&nbsp;4 for the third and fourth examples. Figure&nbsp;3 is a generalization of the result in Figure&nbsp;1. Note that in step 5 of Figure&nbsp;4 we use the result proven in Figure&nbsp;3. What should be obvious now is that the proofs are not very difficult: we use our set theoretic intuition for dealing with heaps. Both Figure&nbsp;2 and Figure&nbsp;4 show that (<img src="https://latex.codecogs.com/png.latex?%5Cmathrel%7B*%7D">E) simply adds fresh parameters <img src="https://latex.codecogs.com/png.latex?R_1,R_2"> and the corresponding assumptions to the context. This shows that separating connectives behave almost like quantifiers, if we compare them with the way first-order quantification works (as in Figure&nbsp;3).</p>
<div id="fig:proof-3" class="quarto-figure quarto-figure-center anchored">
<figure class="figure">
<p><img src="https://www.drheap.nl/articles/2024/sound-and-complete-proof-system-for-separation-logic-part-1/fig4.png" class="img-fluid figure-img"></p>
<figcaption>Figure 3. Proof that <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Bemp%7D"> holds and only holds in empty heaps.</figcaption>
</figure>
</div>
<div id="fig:proof-4" class="quarto-figure quarto-figure-center anchored">
<figure class="figure">
<p><img src="https://www.drheap.nl/articles/2024/sound-and-complete-proof-system-for-separation-logic-part-1/fig5.png" class="img-fluid figure-img"></p>
<figcaption>Figure 4. Proof that <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Bemp%7D"> is a unit of separating conjunction.</figcaption>
</figure>
</div>
<p>The reader can now try and write down the proofs for the following formulas:</p>
<ul>
<li><p><img src="https://latex.codecogs.com/png.latex?%5Cvdash%20(%5Cphi%5Clor%5Cpsi)%5Cmathrel%7B*%7D%5Cchi%20%5Cleftrightarrow%20%5Cphi%5Cmathrel%7B*%7D%5Cchi%20%5Clor%20%5Cpsi%5Cmathrel%7B*%7D%5Cchi">,</p></li>
<li><p><img src="https://latex.codecogs.com/png.latex?%5Cvdash%20(%5Cphi%5Cland%5Cpsi)%5Cmathrel%7B*%7D%5Cchi%20%5Cto%20%5Cphi%5Cmathrel%7B*%7D%5Cchi%20%5Cland%20%5Cpsi%5Cmathrel%7B*%7D%5Cchi">,</p></li>
<li><p><img src="https://latex.codecogs.com/png.latex?%5Cvdash%20(%5Cexists%20x%20%5Cphi(x))%5Cmathrel%7B*%7D%5Cpsi%20%5Cleftrightarrow%20%5Cexists%20x%20(%5Cphi(x)%5Cmathrel%7B*%7D%5Cpsi)">,</p></li>
<li><p><img src="https://latex.codecogs.com/png.latex?%5Cvdash%20(%5Cforall%20x%20%5Cphi(x))%5Cmathrel%7B*%7D%5Cpsi%20%5Cto%20%5Cforall%20x%20(%5Cphi(x)%5Cmathrel%7B*%7D%5Cpsi)">,</p></li>
<li><p><img src="https://latex.codecogs.com/png.latex?%5Cvdash%20%5Cphi%5Cmathrel%7B*%7D(%5Cphi%5Cmathrel%7B-%5Cmkern-4.5mu%20*%7D%5Cpsi)%5Cto%5Cpsi">.</p></li>
</ul>
<p>At last, we have the following non-trivial properties:</p>
<ul>
<li><p><img src="https://latex.codecogs.com/png.latex?%5Cvdash%20(x%5Chookrightarrow%20y)%20%5Cleftrightarrow%20(x%5Cmapsto%20y)%5Cmathrel%7B*%7D%5Ctop">,</p></li>
<li><p><img src="https://latex.codecogs.com/png.latex?%5Cvdash%20%5Clnot(x%5Chookrightarrow%20-)%20%5Cto%20(((x%5Cmapsto%20y)%20%5Cmathrel%7B-%5Cmkern-4.5mu%20*%7D(x%5Cmapsto%20y)%5Cmathrel%7B*%7D%5Cphi)%5Cleftrightarrow%20%5Cphi)">,</p></li>
<li><p><img src="https://latex.codecogs.com/png.latex?%5Cvdash%20((%5Cexists%20x(x%5Chookrightarrow%20y))%5Cmathrel%7B*%7D(%5Cexists%20x(x%5Chookrightarrow%20y)))%20%5Cleftrightarrow%20(%5Cexists%20x((x%5Chookrightarrow%20y)%5Cland%20%5Cexists%20z(z%5Cneq%20x%5Cland%20(z%5Chookrightarrow%20y))))">.</p></li>
</ul>
<p>The last property is very important. It shows that separation logic can be used to express cardinality properties of the universe: it is the separation logic equivalent of the classical expression of the property ‘there are at least two elements’. When we scale this property to ‘there are at least <img src="https://latex.codecogs.com/png.latex?n"> elements’, one sees that the separation logic formula grows linearly in <img src="https://latex.codecogs.com/png.latex?n">, whereas the classical logic equivalent grows drastically faster: quadratically! This is the essence of the scalability argument motivating the use of separation logic.</p>
<p>Our proof system is able to prove this equivalence. However, existing proof systems for separation logic still lack the ability to prove this elementary fact. We have investigated whether the equivalence of these formulas can be proven in an interactive tool for reasoning about separation logic: the Iris project <span class="citation" data-cites="jung2018iris">[6]</span>. In current versions of that system, it is not possible to show the equivalence of these assertions, at least not without adding additional axioms.</p>
<p>The last example is a demonstration of the following equivalence: <img src="https://latex.codecogs.com/png.latex?%5Cbegin%7Barray%7D%7Bc%7D%0A(x%20%5Chookrightarrow%20-)%20%5Cland%20((x%20=%20y%20%5Cland%20z%20=%20w)%20%5Clor%20(x%20%5Cneq%20y%20%5Cland%20(y%5Chookrightarrow%20z)))%5C%5C%0A%5Cleftrightarrow%5C%5C%0A(x%20%5Cmapsto%20-)%20%5Cmathrel%7B*%7D((x%20%5Cmapsto%20w)%20%5Cmathrel%7B-%5Cmkern-4.5mu%20*%7D(y%20%5Chookrightarrow%20z)).%0A%5Cend%7Barray%7D"> This equivalence is expressed in quantifier-free separation logic, for which a complete axiomatization was already known <span class="citation" data-cites="DemriLM21">[3]</span>. We can also give a proof, see Figure&nbsp;5. Surprisingly, this already exceeds the capability of all the automated separation logic provers in the benchmark competition SL-COMP. In fact, only the CVC4-SL tool <span class="citation" data-cites="reynolds2016decision">[8]</span> supports the fragment of separation logic that includes the separating implication. However, in our own experiments with that tool, we found that it produces an incorrect counter-example, and we reported this as a bug to one of the maintainers of the project. In fact, the latest version, CVC5-SL, reports the same input as ‘unknown’, indicating that the tool is incomplete.</p>
<div id="fig:proof-5" class="quarto-figure quarto-figure-center anchored">
<figure class="figure">
<p><img src="https://www.drheap.nl/articles/2024/sound-and-complete-proof-system-for-separation-logic-part-1/fig6.png" class="img-fluid figure-img"></p>
<figcaption>Figure 5. Proof of an equivalence between a semi-pure and separating formula.</figcaption>
</figure>
</div>
<p>So far, we have seen several valid formulas of separation logic, which in the novel proof system for separation logic we are actually able to prove. This alone already shows that our proof system goes beyond the ability of existing tools for reasoning about separation logic! The novelty of this proof system lies in the addition of a <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Blet%7D"> binding construct, which in shorthand is written using the <img src="https://latex.codecogs.com/png.latex?@">-connective, that relativizes the heap with respect to which a formula is interpreted.</p>
</section>
<section id="referential-transparency" class="level2" data-number="5">
<h2 data-number="5" class="anchored" data-anchor-id="referential-transparency"><span class="header-section-number">5</span> Referential transparency</h2>
<p>In this section we discuss the binding structure of separation logic, and how the concept of referential transparency applies. Referential transparency is a general concept in formal languages and as such applies to both logical and programming languages. Although Whitehead and Russell already speak of it, Quine is often credited with introducing the term in his book <em>Word and Object</em>&nbsp;<span class="citation" data-cites="quine2013word">[7]</span>, originally published in 1960. In the case of separation logic, we shall see that the separating connectives fail referential transparency!</p>
<p>Separating connectives capture references, the ‘points to’, that occur in subformulas. In the binding structure of first-order logic, one could resolve unintentional capturing by means of a so-called ‘capture avoiding’ substitution operator that renames quantified variables before actually performing a substitution. However, in separation logic one cannot define such a capture-avoiding substitution operator, since there is only a single heap in scope, which cannot be renamed.</p>
<p>First, we shall make some general remarks about the binding structure of separation logic formulas. A formula is <em>pure</em> if no separation symbol <img src="https://latex.codecogs.com/png.latex?%5Chookrightarrow,%5Cmathrel%7B*%7D,%5Cmathrel%7B-%5Cmkern-4.5mu%20*%7D,%5Cmathord%7B@%7D"> occurs in it. In that case the meaning of a formula does not depend on the heap, viz.&nbsp;the interpretation of <img src="https://latex.codecogs.com/png.latex?%5Chookrightarrow">. Otherwise, a formula is <em>semi-pure</em> if only the separation symbol <img src="https://latex.codecogs.com/png.latex?%5Chookrightarrow"> occurs in it. A formula in which one of the separating connectives occurs is called a <em>separating</em> formula. We have the usual notions of free variable occurrence and bound variable occurrence, as our notion of variable binding is the same as in first-order logic. But, in separation logic, we also have another binding structure, namely that of references: the meaning of ‘points to’ is different under the separating connectives.</p>
<p>To see why separation logic fails referential transparency, consider the reference to ‘the value of location <img src="https://latex.codecogs.com/png.latex?y">’ in the proposition ‘the value of location <img src="https://latex.codecogs.com/png.latex?y"> has property <img src="https://latex.codecogs.com/png.latex?P">’. To avoid that ‘the value of location <img src="https://latex.codecogs.com/png.latex?y">’ is ill-defined, when speaking of <em>the</em> value one implicitly intends there exists a unique value. Moreover, linguistically speaking, a reference is <em>free</em> if we can replace it by any other expression that is equal to it, without affecting the truth value of the proposition after replacement compared to the proposition before replacement. Often this is called the principle of substitutivity<sup>1</sup>. For example, given that ‘the value of location <img src="https://latex.codecogs.com/png.latex?y">’ equals ‘the value of location <img src="https://latex.codecogs.com/png.latex?z">’, when we replace a reference of the former by the latter in the expression ‘the value of location <img src="https://latex.codecogs.com/png.latex?y"> has property <img src="https://latex.codecogs.com/png.latex?P">’ to obtain ‘the value of location <img src="https://latex.codecogs.com/png.latex?z"> has property <img src="https://latex.codecogs.com/png.latex?P">’, we obtain an equivalent proposition: so we have that the reference ‘the value of location <img src="https://latex.codecogs.com/png.latex?y">’ occurs free. A context is said to be <em>referentially transparent</em> whenever it preserves the free references: every free reference remains a free reference under the given context. Otherwise, the context is <em>referentially opaque</em>.</p>
<p>In classical logic all propositional connectives are referentially transparent. The only referentially opaque connectives are the quantifiers under specific circumstances. This is easy to see for a given formula <img src="https://latex.codecogs.com/png.latex?P(x)"> with a free variable&nbsp;<img src="https://latex.codecogs.com/png.latex?x">. Suppose <img src="https://latex.codecogs.com/png.latex?x%20=%205">, then by substitutivity we know that <img src="https://latex.codecogs.com/png.latex?P(5)"> is equivalent to <img src="https://latex.codecogs.com/png.latex?P(x)">. However, some quantifiers fail referential transparency, since for example in the formula <img src="https://latex.codecogs.com/png.latex?%5Cexists%20x(P(x))"> we can no longer naïvely replace <img src="https://latex.codecogs.com/png.latex?x"> with <img src="https://latex.codecogs.com/png.latex?5"> when we know <img src="https://latex.codecogs.com/png.latex?x%20=%205">. If the quantified variable is not the same as one of the free variables (either in the subformula or in the expression being substituted), we do maintain referential transparency. To ensure referential transparency there is the convention of keeping bound and free variables separate, analogous to the so-called Barendregt variable convention <span class="citation" data-cites="herman2008theory">[4, Sect.&nbsp;5.2]</span>.</p>
<p>In separation logic, however, many contexts involving separating connectives are referentially opaque. For example, in the context of a separating conjunction it is not always the case that we can freely replace references by equivalent expressions. An example is where the value of location <img src="https://latex.codecogs.com/png.latex?y"> is equal to the value of location <img src="https://latex.codecogs.com/png.latex?z">, and where we also separate the locations <img src="https://latex.codecogs.com/png.latex?y"> and <img src="https://latex.codecogs.com/png.latex?z">. Formally, we have the equality on the left, and the separation on the right: <img src="https://latex.codecogs.com/png.latex?(%5Cforall%20x_1.%5C,(y%5Chookrightarrow%20x_1)%20%5Cto%20%5Cforall%20x_2.%5C,(z%5Chookrightarrow%20x_2)%20%5Cto%20x_1%20=%20x_2)%20%5Cland%20((%5Cexists%20x.%5C,(y%20%5Chookrightarrow%20x))%20%5Cmathrel%7B*%7D(%5Cexists%20x.%5C,(z%20%5Chookrightarrow%20x)))."> Although we know that locations <img src="https://latex.codecogs.com/png.latex?y"> and <img src="https://latex.codecogs.com/png.latex?z"> have the same value, we cannot literally replace <img src="https://latex.codecogs.com/png.latex?y"> for <img src="https://latex.codecogs.com/png.latex?z"> in the left component of the separating conjunction, without also doing the reverse replacement (replacing <img src="https://latex.codecogs.com/png.latex?z"> for <img src="https://latex.codecogs.com/png.latex?y">) in the other component of the separating connective. Thus we no longer have that the reference ‘the value of location <img src="https://latex.codecogs.com/png.latex?y">’ is free when it is nested under a separating conjunction: separating conjunction is referentially opaque!</p>
<p>To understand the binding structure of separation logic, we introduce the notions of <em>direct</em> and <em>indirect</em> binding. A reference (a ‘points to’ construct) or a separating connective is directly bound to the separating connective under which it is nested, without any other separating connective in between. Thus, here by nesting we only have to look at separating connectives in the immediate context, not at the logical connectives. A reference or a separating connective is said to be <em>free</em> whenever it is not directly bound. A reference or a separating connective is indirectly bound to all the separating connectives under which it is nested, but not immediately nested. In a sense, indirect binding is the transitive but irreflexive closure of direct binding.</p>
<p>Another example is the following formula involving magic wand: <img src="https://latex.codecogs.com/png.latex?%5Cforall%20y.%20(%5Cforall%20z%20(z%5Cmkern%202mu%5Cnot%5Cmkern-2mu%5Chookrightarrow%20y))%20%5Cto%20((x%5Chookrightarrow%20y)%20%5Cmathrel%7B*%7D(y%20%5Chookrightarrow%20x)%20%5Cmathrel%7B-%5Cmkern-4.5mu%20*%7D(%5Cforall%20w.(w%5Chookrightarrow%20y)%20%5Cleftrightarrow%20w%20=%20x))"> which expresses the following concept: for every value <img src="https://latex.codecogs.com/png.latex?y"> that the heap does not refer to, if we were to extend the heap with a cycle between the locations <img src="https://latex.codecogs.com/png.latex?x"> and <img src="https://latex.codecogs.com/png.latex?y">, then in the resulting heap the location <img src="https://latex.codecogs.com/png.latex?x"> is the only location which has value <img src="https://latex.codecogs.com/png.latex?y">. So what does the binding structure of this formula look like? Syntactically, there are four references (‘points to’ constructs) in this formula and two separating connectives. Each of these entities is either bound or free. The left-most reference is free, and the other three references are bound. These three references are nested under the magic wand, so they are directly or indirectly bound to that magic wand. The magic wand itself is free. The right-most reference is directly bound to the magic wand. The other two references are directly bound to the separating conjunction. See Figure&nbsp;6 for a graphical depiction of the parse tree and the binding structure of references and separating connectives to separating connectives.</p>
<div id="fig:forest" class="quarto-figure quarto-figure-center anchored">
<figure class="figure">
<p><img src="https://www.drheap.nl/articles/2024/sound-and-complete-proof-system-for-separation-logic-part-1/fig1.png" class="img-fluid figure-img"></p>
<figcaption>Figure 6. A parse tree showing the binding structure of separation logic. Direct bindings are shown with dotted lines pointing to a separating connective. Free references and free separating connectives are shown in red.</figcaption>
</figure>
</div>
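<p>The binding structure of the Figure&nbsp;6 formula can be computed mechanically from its parse tree. The following Python is an added illustration, not code from the article or the thesis: it walks a tuple-encoded formula and records, for every reference and every separating connective, which separating connective it is directly bound to (none means free) and which ones it is indirectly bound to. The tuple encoding and the choice to treat only <code>*</code> and <code>-*</code> as binding connectives (the <code>@</code>-connective is left out) are this example’s own assumptions.</p>

```python
"""Binding structure of separation-logic formulas (added example, not from the article).

Formulas are nested tuples (an encoding assumed here):
  ('pt', x, y)        x ↪ y, a reference          ('eq', x, y)      x = y, pure atom
  ('not', f)  ('imp', f, g)  ('iff', f, g)  ('and', f, g)  ('or', f, g)
  ('forall', v, f)  ('exists', v, f)
  ('star', f, g)      separating conjunction *    ('wand', f, g)    magic wand -*
"""
from itertools import count


def pt(x, y):     return ('pt', x, y)
def neg(f):       return ('not', f)
def imp(f, g):    return ('imp', f, g)
def iff(f, g):    return ('iff', f, g)
def eq(x, y):     return ('eq', x, y)
def forall(v, f): return ('forall', v, f)
def star(f, g):   return ('star', f, g)
def wand(f, g):   return ('wand', f, g)


SEPARATING = {'star': '*', 'wand': '-*'}   # the connectives that bind references here


def binding_structure(formula):
    """Pre-order list of (label, direct, indirect) for every reference and every
    separating connective.  `direct` is the label of the separating connective the
    entity is directly bound to (None = free); `indirect` lists the connectives it
    is indirectly bound to, innermost first.  Labels carry a running number so
    that repeated occurrences stay distinguishable."""
    out, ids = [], count(1)

    def walk(node, enclosing):
        kind = node[0]
        if kind == 'pt':
            lab = f"{node[1]}↪{node[2]}[{next(ids)}]"
            out.append((lab, enclosing[0] if enclosing else None, list(enclosing[1:])))
        elif kind in SEPARATING:
            lab = f"{SEPARATING[kind]}[{next(ids)}]"
            out.append((lab, enclosing[0] if enclosing else None, list(enclosing[1:])))
            for child in node[1:]:
                walk(child, [lab] + enclosing)    # children are nested under this connective
        elif kind in ('forall', 'exists'):
            walk(node[2], enclosing)              # quantifiers do not bind references
        elif kind == 'eq':
            return                                # pure atom: nothing to bind
        else:
            for child in node[1:]:
                walk(child, enclosing)            # classical connectives are transparent

    walk(formula, [])
    return out


def free_entities(formula):
    """Labels of the references and separating connectives that are not directly bound."""
    return [lab for lab, direct, _ in binding_structure(formula) if direct is None]


def fig6_formula():
    """∀y. (∀z ¬(z↪y)) → (((x↪y) * (y↪x)) -* (∀w. (w↪y) ↔ w = x))"""
    return forall('y', imp(forall('z', neg(pt('z', 'y'))),
                           wand(star(pt('x', 'y'), pt('y', 'x')),
                                forall('w', iff(pt('w', 'y'), eq('w', 'x'))))))


if __name__ == '__main__':
    for lab, direct, indirect in binding_structure(fig6_formula()):
        print(f"{lab:10} direct={str(direct):8} indirect={indirect}")
```

<p>Run on the Figure&nbsp;6 formula, the left-most reference and the magic wand come out free, the separating conjunction is directly bound to the wand, the two references under the conjunction are directly bound to it and indirectly to the wand, and the right-most reference is directly bound to the wand, which is exactly the structure drawn in the figure.</p>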
<p>There is a difference with the variable binding structure of first-order logic: if a variable is bound to a quantifier, then it no longer necessarily has a relationship with the free variables of the same name. Quantifiers thus introduce a so-called <em>scope</em> for each variable. This is different for separation logic: although a reference can be directly bound to a separating connective, there still can be a necessary relationship with references that occur outside the connective to which it is bound. For example, in Figure&nbsp;6 we have that both the free reference and the magic wand speak about the same heap (the ‘outer’ heap), but also the right-most reference under the magic wand speaks about (part of) that outer heap: namely, for every <img src="https://latex.codecogs.com/png.latex?z%5Cneq%20x"> we also have <img src="https://latex.codecogs.com/png.latex?%5Clnot(z%5Chookrightarrow%20y)"> due to the equivalence on the right-hand side of the magic wand.</p>
<p>The moral is that separation logic has ‘leaky scopes’. But it is also possible to define constructions in separation logic that have proper scopes. For example, the formula <img src="https://latex.codecogs.com/png.latex?%5Cblacksquare%5Cphi"> has the intuitive meaning that <img src="https://latex.codecogs.com/png.latex?%5Cphi"> holds for all heaps (its formal definition is given in the next section). It thus acts as a universal quantifier for heaps. And we can also define <img src="https://latex.codecogs.com/png.latex?%5Cblacklozenge%5Cphi"> as the dual <img src="https://latex.codecogs.com/png.latex?%5Clnot%5Cblacksquare%5Clnot%20%5Cphi">, that acts as an existential quantifier for heaps. Just like quantifiers in first-order logic, we have that <img src="https://latex.codecogs.com/png.latex?%5Cblacksquare%5Cphi"> and <img src="https://latex.codecogs.com/png.latex?%5Cblacklozenge%5Cphi"> introduce a proper scope of the ‘points to’ construct inside <img src="https://latex.codecogs.com/png.latex?%5Cphi">, which is different from the ‘points to’ construct outside.</p>
<p>The formula <img src="https://latex.codecogs.com/png.latex?%5Cblacksquare%5Cphi"> is a so-called <em>heap independent</em> formula. A heap independent formula is a formula for which its truth value does not depend on the ‘current’ heap in which it is evaluated. For example, the pure fragment of separation logic, comprising no separation symbols, is heap independent. But also <img src="https://latex.codecogs.com/png.latex?%5Cblacksquare%5Cphi"> is heap independent, even when it contains ‘points to’ constructs and separating connectives in <img src="https://latex.codecogs.com/png.latex?%5Cphi">. All references and connectives under <img src="https://latex.codecogs.com/png.latex?%5Cblacksquare"> are bound and the scope is closed: no ‘leaky scope’ for the black box.</p>
</section>
<section id="univalence-well-foundedness-and-finiteness" class="level2" data-number="6">
<h2 data-number="6" class="anchored" data-anchor-id="univalence-well-foundedness-and-finiteness"><span class="header-section-number">6</span> Univalence, well-foundedness and finiteness</h2>
<p>We now introduce the modality <img src="https://latex.codecogs.com/png.latex?%5Cblacksquare%5Cphi"> as the abbreviation <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Btrue%7D%5Cmathrel%7B*%7D(%5Cmathbf%7Bemp%7D%5Cland%20(%5Cmathbf%7Btrue%7D%5Cmathrel%7B-%5Cmkern-4.5mu%20*%7D%5Cphi))."> We also have the dual <img src="https://latex.codecogs.com/png.latex?%5Cblacklozenge%5Cphi"> defined as <img src="https://latex.codecogs.com/png.latex?%5Clnot%5Cblacksquare%5Clnot%5Cphi">. We have that both modalities have the same binding strength as classical negation. The intuitive reading of the modal operators is that <img src="https://latex.codecogs.com/png.latex?%5Cblacksquare%5Cphi"> holds in a given ‘current’ heap whenever <img src="https://latex.codecogs.com/png.latex?%5Cphi"> holds for all heaps (including the current heap), and <img src="https://latex.codecogs.com/png.latex?%5Cblacklozenge%5Cphi"> holds in a given current heap whenever <img src="https://latex.codecogs.com/png.latex?%5Cphi"> holds in some heap (which may be different from the current heap). As such, these modal operators change the heap with respect to which a formula is evaluated.</p>
<p>In fact, we have the following valid formulas involving these modalities:</p>
<ul>
<li><p><img src="https://latex.codecogs.com/png.latex?%5Cvdash%20%5Cblacksquare%20(%5Cphi%20%5Cto%20%5Cpsi)%20%5Cto%20%5Cblacksquare%5Cphi%20%5Cto%20%5Cblacksquare%5Cpsi">,</p></li>
<li><p><img src="https://latex.codecogs.com/png.latex?%5Cvdash%20%5Cblacksquare%20%5Cphi%20%5Cto%20%5Cphi">,</p></li>
<li><p><img src="https://latex.codecogs.com/png.latex?%5Cvdash%20%5Cblacksquare%20%5Cphi%20%5Cto%20(%5Cphi@%5Cpsi)">,</p></li>
<li><p><img src="https://latex.codecogs.com/png.latex?%5Cvdash%20%5Cblacksquare(%5Cphi%5Cto%20%5Cphi')%20%5Cto%20%5Cblacksquare(%5Cpsi%5Cto%5Cpsi')%20%5Cto%20(%5Cphi%5Cmathrel%7B*%7D%5Cpsi)%20%5Cto%20(%5Cphi'%5Cmathrel%7B*%7D%5Cpsi')">,</p></li>
<li><p><img src="https://latex.codecogs.com/png.latex?%5Cvdash%20%5Cblacksquare(%5Cphi'%5Cto%20%5Cphi)%20%5Cto%20%5Cblacksquare(%5Cpsi%5Cto%5Cpsi')%20%5Cto%20(%5Cphi%5Cmathrel%7B-%5Cmkern-4.5mu%20*%7D%5Cpsi)%20%5Cto%20(%5Cphi'%5Cmathrel%7B-%5Cmkern-4.5mu%20*%7D%5Cpsi')">.</p></li>
</ul>
<p>These formulas can all be proven in our novel proof system (their proofs are great exercises for the reader). We also have that the rule of necessitation is admissible, in the sense that <img src="https://latex.codecogs.com/png.latex?%5Cvdash%20%5Cphi"> implies <img src="https://latex.codecogs.com/png.latex?%5Cvdash%20%5Cblacksquare%20%5Cphi">, but whether this rule is also effectively derivable is not known to us.</p>
<p>We now consider an example of using the black box modality <img src="https://latex.codecogs.com/png.latex?%5Cblacksquare">. In our treatment of separation logic, we do not necessarily impose so-called ‘functionality’ or ‘univalence’ of the heap. This means that it is possible that <img src="https://latex.codecogs.com/png.latex?(x%5Chookrightarrow%20y)%20%5Cland%20(x%5Chookrightarrow%20z)%20%5Cland%20y%5Cneq%20z"> is true in some situation. We thus treat <img src="https://latex.codecogs.com/png.latex?%5Chookrightarrow"> as a relation symbol. One intuitive way to interpret the ‘points to’ relation would be from object-oriented programming, where the object <img src="https://latex.codecogs.com/png.latex?x"> has some reference to the object <img src="https://latex.codecogs.com/png.latex?y"> by one of its fields, but we abstract away through which field object <img src="https://latex.codecogs.com/png.latex?x"> references object <img src="https://latex.codecogs.com/png.latex?y">. It is not difficult to obtain univalence by restricting ourselves to those situations where there is at most one value, by means of the property: <img src="https://latex.codecogs.com/png.latex?%5Cforall%20x,y,z.%5C,(x%5Chookrightarrow%20y)%20%5Cland%20(x%5Chookrightarrow%20z)%20%5Cto%20y%20=%20z."> That <em>all</em> heaps are univalent can be simply expressed by: <img src="https://latex.codecogs.com/png.latex?%5Cblacksquare(%5Cforall%20x,y,z.%5C,(x%5Chookrightarrow%20y)%5Cland%20(x%5Chookrightarrow%20z)%5Cto%20y%20=%20z)."></p>
<p>We also have the following modality <img src="https://latex.codecogs.com/png.latex?%5CBox%5Cphi">, introduced as the abbreviation <img src="https://latex.codecogs.com/png.latex?%5Clnot(%5Ctop%5Cmathrel%7B*%7D%5Clnot%5Cphi)."> Also the dual <img src="https://latex.codecogs.com/png.latex?%5CDiamond%5Cphi"> is defined as <img src="https://latex.codecogs.com/png.latex?%5Clnot%5CBox%5Clnot%5Cphi">. The intuitive reading of these modal operators is different, in the sense that <img src="https://latex.codecogs.com/png.latex?%5CBox%5Cphi"> holds in a given heap whenever <img src="https://latex.codecogs.com/png.latex?%5Cphi"> holds for all subheaps of the given heap. Similarly, <img src="https://latex.codecogs.com/png.latex?%5CDiamond%5Cphi"> holds in a given heap whenever <img src="https://latex.codecogs.com/png.latex?%5Cphi"> holds for some subheap of the given heap.</p>
<p>An example of the <img src="https://latex.codecogs.com/png.latex?%5CBox"> modality is the following. We say that a value <img src="https://latex.codecogs.com/png.latex?x"> is <em>reachable</em> if there is a location <img src="https://latex.codecogs.com/png.latex?y"> which refers to it, so <img src="https://latex.codecogs.com/png.latex?%5Cexists%20y.(y%5Chookrightarrow%20x)">. Conversely, a location <img src="https://latex.codecogs.com/png.latex?y"> is <em>allocated</em> whenever it refers to a value, so <img src="https://latex.codecogs.com/png.latex?%5Cexists%20x.(y%5Chookrightarrow%20x)">. Consider that allocated locations can also be used as values, so we can have an allocated and reachable location. This way, we can form chains of so-called traversals: <img src="https://latex.codecogs.com/png.latex?x_0%5Chookrightarrow%20x_1%5Chookrightarrow%20x_2%5Chookrightarrow%20%5Cldots%20%5Chookrightarrow%20x_n"> which abbreviates the conjunction of <img src="https://latex.codecogs.com/png.latex?x_i%5Chookrightarrow%20x_%7Bi+1%7D"> for <img src="https://latex.codecogs.com/png.latex?0%5Cleq%20i%20%3C%20n">. Whenever <img src="https://latex.codecogs.com/png.latex?x_n"> is not allocated, the traversal has reached a dead-end. However, whenever in a traversal the first and last location are the same, we have a cycle: it is then possible to keep on traversing the heap indefinitely.</p>
<p>We say that a heap is <em>well-founded</em> whenever for every non-empty subheap there is some allocated but unreachable location. This is expressed formally as: <img src="https://latex.codecogs.com/png.latex?%5CBox(%5Clnot%5Cmathbf%7Bemp%7D%5Cto%20%5Cexists%20x.(x%5Chookrightarrow%20-)%5Cland%20%5Cforall%20y.(y%5Cmkern%202mu%5Cnot%5Cmkern-2mu%5Chookrightarrow%20x))."> The claim is now that there are no cycles in a well-founded heap. To see why, suppose towards contradiction we have a well-founded heap (in which the above formula is true) in which there exists a cycle <img src="https://latex.codecogs.com/png.latex?x_0%5Chookrightarrow%20x_1%5Chookrightarrow%20x_2%5Chookrightarrow%20%5Cldots%20%5Chookrightarrow%20x_n%5Chookrightarrow%20x_0."> Then take the subheap which consists precisely of the locations <img src="https://latex.codecogs.com/png.latex?%5C%7Bx_0,%5Cldots,x_n%5C%7D">, that is, we ignore all the locations not visited as part of the cycle. This subheap is non-empty. But we cannot take any <img src="https://latex.codecogs.com/png.latex?x_i"> as witness, since every location is reachable! This is a contradiction.</p>
<p>When speaking of modal operators, it is useful to speak of the ‘current’ heap (with respect to which any formula in separation logic is evaluated), the ‘outer’ heap (which is the heap with respect to which an enclosing formula is evaluated) and the ‘inner’ heap (which is the current heap while evaluating a subformula). This terminology is also useful when speaking about the separating connective <img src="https://latex.codecogs.com/png.latex?(%5Cphi%5Cmathrel%7B*%7D%5Cpsi)">, where we would speak of the ‘outer’ heap with respect to which the entire formula is evaluated, and two ‘inner’ heaps corresponding to the evaluation of <img src="https://latex.codecogs.com/png.latex?%5Cphi"> and <img src="https://latex.codecogs.com/png.latex?%5Cpsi">.</p>
<p>The point of the discussion above is that we can now understand more clearly what happens with the <img src="https://latex.codecogs.com/png.latex?@">-connective. Suppose now that <img src="https://latex.codecogs.com/png.latex?%5Cpsi"> is pure, so it does not have any (free) references. Then we have that <img src="https://latex.codecogs.com/png.latex?(%5Cphi%5Cmathord%7B@%7D%5Cpsi)"> and the formula <img src="https://latex.codecogs.com/png.latex?%5Cblacksquare((%5Cforall%20x,y.%5C,%20(x%5Chookrightarrow%20y)%5Cleftrightarrow%20%5Cpsi(x,y))%5Cto%20%5Cphi)"> are equivalent. (We discuss this and related formulas in more detail below.) Clearly, this is a heap independent formula, due to the black box! However, when <img src="https://latex.codecogs.com/png.latex?%5Cpsi"> is not pure, the formula <img src="https://latex.codecogs.com/png.latex?(%5Cphi%5Cmathord%7B@%7D%5Cpsi)"> is not heap independent. In the <img src="https://latex.codecogs.com/png.latex?@">-connective, the crux is that the ‘points to’ symbol in <img src="https://latex.codecogs.com/png.latex?%5Cpsi"> is relevant and its meaning depends on the ‘outer’ heap, whereas the ‘points to’ symbol in <img src="https://latex.codecogs.com/png.latex?%5Cphi"> is intentionally captured by the <img src="https://latex.codecogs.com/png.latex?@">-connective, where its denotation is described by <img src="https://latex.codecogs.com/png.latex?%5Cpsi">. The <img src="https://latex.codecogs.com/png.latex?@">-connective thus changes what the ‘current’ heap is when evaluating <img src="https://latex.codecogs.com/png.latex?%5Cphi">. This is similar to what the modal operator <img src="https://latex.codecogs.com/png.latex?%5CBox%5Cphi"> does, in which we also have an ‘inner’ and an ‘outer’ heap, but where the former is a subheap of the latter. In the <img src="https://latex.codecogs.com/png.latex?@">-connective the ‘inner’ heap is described by <img src="https://latex.codecogs.com/png.latex?%5Cpsi">, which may depend on the ‘outer’ heap when it is not a heap independent formula.</p>
<p>Existence of the empty heap, where nothing is allocated, is expressed by: <img src="https://latex.codecogs.com/png.latex?%5Cblacklozenge(%5Cforall%20x,y.%5C,%20(x%5Cmkern%202mu%5Cnot%5Cmkern-2mu%5Chookrightarrow%20y))."> But what about the opposite, the existence of a heap in which every location is allocated? Could the formula <img src="https://latex.codecogs.com/png.latex?%5Cblacklozenge(%5Cforall%20x%5Cexists%20y.%5C,%20(x%5Chookrightarrow%20y))"> be true? Or what about the existence of a heap in which every value is reachable? Could the formula <img src="https://latex.codecogs.com/png.latex?%5Cblacklozenge(%5Cforall%20y%5Cexists%20x.%5C,%20(x%5Chookrightarrow%20y))"> be true? No, in the standard interpretation of separation logic, based on the integers, these formulas are false because heaps are finitely-based partial functions!</p>
<p>Suppose we work with the standard integers <img src="https://latex.codecogs.com/png.latex?%5Cmathbb%7BZ%7D">, and we have in our signature the usual arithmetical symbols. If we want to ensure we only deal with finite, univalent heaps, then we should take the following formulas as axioms: <img src="https://latex.codecogs.com/png.latex?%5Cbegin%7Barray%7D%7Bc%7D%0A%5Cblacksquare(%5Cforall%20x,y,z.%5C,(x%5Chookrightarrow%20y)%5Cland%20(x%5Chookrightarrow%20z)%5Cto%20y%20=%20z)%5C%5C%0A%5Cblacksquare(%5Cexists%20x_0,x_1.%5C,%5Cforall%20x,y.%5C,%20(x%5Chookrightarrow%20y)%5Cto%20x_0%5Cleq%20x%20%5Cleq%20x_1)%0A%5Cend%7Barray%7D"> The first axiom expresses univalence. The second axiom expresses boundedness, that is, for every heap there is a bound on the domain: there is a maximum and a minimum location. Every finitely-based partial function satisfies these properties (a finitely-based partial function can be seen as a finite list of location-value associations, and the maximum and minimum can be computed). Conversely, every heap that satisfies both axioms can be represented by a finitely-based partial function: there are only finitely many locations between the minimum and maximum location (due to boundedness) that can be assigned at most one value (due to univalence).</p>
<p>Note that in the standard interpretation of separation logic on the integers, we never treat the heap as a total map, where every location must have a value. It thus always remains a possibility for a location to be unallocated, i.e.&nbsp;the location <img src="https://latex.codecogs.com/png.latex?x"> is unallocated in a situation whenever <img src="https://latex.codecogs.com/png.latex?%5Cforall%20z(x%5Cmkern%202mu%5Cnot%5Cmkern-2mu%5Chookrightarrow%20z)"> holds—which expresses that there is no value to which <img src="https://latex.codecogs.com/png.latex?x"> points. In non-standard interpretations of separation logic, we do have the possibility of an infinite heap.</p>
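<p>The modalities of this section can be made concrete by evaluating formulas over a small finite model. The Python below is an added example, not code from the article or the thesis, and it rests on assumptions of its own: the universe of values is the three-element set <code>U</code>; a heap is any set of location-value pairs, so heaps are relations that need not be univalent; and separation is disjoint union of such pair sets. The black box <img src="https://latex.codecogs.com/png.latex?%5Cblacksquare"> and the box <img src="https://latex.codecogs.com/png.latex?%5CBox"> are not primitive but are unfolded into the abbreviations given above, so the checks exercise those definitions directly: <img src="https://latex.codecogs.com/png.latex?%5Cblacksquare%5Cphi"> agrees with ‘<img src="https://latex.codecogs.com/png.latex?%5Cphi"> holds in every heap’ and is heap independent, <img src="https://latex.codecogs.com/png.latex?%5Cblacksquare%5Cphi%5Cto%5Cphi"> is valid, the empty heap exists, and well-founded heaps are exactly the acyclic ones (the article argues the forward direction; on a finite model the converse holds as well). The last check shows where a finite model departs from the standard interpretation over the integers: over a finite universe a heap in which every location is allocated does exist.</p>

```python
"""Finite-model evaluator for the separation-logic fragment of this section
(added example; the finite universe, relational heaps and disjoint-union
separation are assumptions of this example, not the article's interpretation)."""
from functools import lru_cache
from itertools import combinations, product

U = (0, 1, 2)                                # finite universe of values (assumption)
ALL_PAIRS = frozenset(product(U, U))         # every possible fact x ↪ y over U


def subsets(pairs):
    """All sub-relations of `pairs`, i.e. the candidate subheaps of a split."""
    pairs = tuple(pairs)
    return (frozenset(c) for k in range(len(pairs) + 1) for c in combinations(pairs, k))


HEAPS = list(subsets(ALL_PAIRS))             # all 512 heaps over U


@lru_cache(maxsize=None)
def ev(f, h, env=()):
    """Truth value of the tuple-encoded formula f in heap h (a frozenset of pairs);
    env is a tuple of (variable, value) pairs, later entries shadowing earlier ones."""
    k = f[0]
    if k == 'true':   return True
    if k == 'emp':    return not h
    if k == 'pt':     d = dict(env); return (d[f[1]], d[f[2]]) in h
    if k == 'eq':     d = dict(env); return d[f[1]] == d[f[2]]
    if k == 'not':    return not ev(f[1], h, env)
    if k == 'and':    return ev(f[1], h, env) and ev(f[2], h, env)
    if k == 'imp':    return (not ev(f[1], h, env)) or ev(f[2], h, env)
    if k == 'iff':    return ev(f[1], h, env) == ev(f[2], h, env)
    if k == 'forall': return all(ev(f[2], h, env + ((f[1], v),)) for v in U)
    if k == 'exists': return any(ev(f[2], h, env + ((f[1], v),)) for v in U)
    if k == 'star':   # some split h = h1 ⊎ h2 with f[1] true in h1 and f[2] true in h2
        return any(ev(f[1], h1, env) and ev(f[2], h - h1, env) for h1 in subsets(h))
    if k == 'wand':   # every h' disjoint from h that satisfies f[1] makes f[2] true in h ∪ h'
        return all(ev(f[2], h | h1, env) for h1 in subsets(ALL_PAIRS - h) if ev(f[1], h1, env))
    raise ValueError(k)


# Abbreviations exactly as the article introduces them.
TRUE, EMP = ('true',), ('emp',)
def neg(f):  return ('not', f)
def bbox(f): return ('star', TRUE, ('and', EMP, ('wand', TRUE, f)))   # ■φ
def bdia(f): return neg(bbox(neg(f)))                                  # ◆φ = ¬■¬φ
def box(f):  return neg(('star', TRUE, neg(f)))                        # □φ = ¬(true * ¬φ)

UNIVALENT = ('forall', 'x', ('forall', 'y', ('forall', 'z',
             ('imp', ('and', ('pt', 'x', 'y'), ('pt', 'x', 'z')), ('eq', 'y', 'z')))))
# well-founded: every non-empty subheap has an allocated but unreachable location
WELL_FOUNDED = box(('imp', neg(EMP),
    ('exists', 'x', ('and', ('exists', 'v', ('pt', 'x', 'v')),
                            ('forall', 'y', neg(('pt', 'y', 'x')))))))


def has_cycle(h):
    """Graph-theoretic check used to validate WELL_FOUNDED: does the relation h
    contain a traversal x0 ↪ ... ↪ xn ↪ x0 (self-loops included)?"""
    succ = {u: {b for a, b in h if a == u} for u in U}

    def reaches(node, target, seen):
        return any(n == target or (n not in seen and reaches(n, target, seen | {n}))
                   for n in succ[node])

    return any(reaches(u, u, {u}) for u in U)


def valid(f):
    """A closed formula is valid when it is true in every heap over U."""
    return all(ev(f, h) for h in HEAPS)


def heap_independent(f):
    """A closed formula is heap independent when its value is the same in every heap."""
    return len({ev(f, h) for h in HEAPS}) == 1


def checks():
    bu, everywhere = bbox(UNIVALENT), valid(UNIVALENT)
    return {
        'bbox_is_all_heaps': all(ev(bu, h) == everywhere for h in HEAPS),
        'bbox_heap_independent': heap_independent(bu),
        'univalence_not_valid': not everywhere and not heap_independent(UNIVALENT),
        'T_axiom': valid(('imp', bu, UNIVALENT)),
        'empty_heap_exists': valid(bdia(('forall', 'x', ('forall', 'y', neg(('pt', 'x', 'y')))))),
        'well_founded_iff_acyclic': all(ev(WELL_FOUNDED, h) == (not has_cycle(h)) for h in HEAPS),
        # differs from the integer interpretation: a total heap exists over a finite universe
        'total_heap_exists_finite': valid(bdia(('forall', 'x', ('exists', 'y', ('pt', 'x', 'y'))))),
    }


if __name__ == '__main__':
    for name, ok in checks().items():
        print(f"{name:28} {ok}")
```

<p>Because the heaps are relations, the univalence formula itself is true in some heaps and false in others, while its black-boxed version is false in every heap: it is heap independent, as the text states, and it fails precisely because the model admits non-univalent heaps. Taking the univalence axiom as a hypothesis, as the article suggests, would rule those heaps out.</p>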
</section>
<section id="conclusion" class="level2" data-number="7">
<h2 data-number="7" class="anchored" data-anchor-id="conclusion"><span class="header-section-number">7</span> Conclusion</h2>
<p>The proof system we introduce makes use of a new <img src="https://latex.codecogs.com/png.latex?@">-connective which allows one to interpret the points-to relation in terms of a logical description. It bears some relation with <a href="https://plato.stanford.edu/entries/logic-hybrid/">hybrid logic</a> <span class="citation" data-cites="brauner2010hybrid">[1]</span>, which features so-called nominals and satisfaction operators. Temporally, the nominals describe when is ‘now’, and the satisfaction operator allows one to evaluate a formula with respect to a given nominal, thereby changing when is ‘now’. As such, hybrid logic allows one to express more than modal logic: an example is “At 6 o’clock, the church bells ring six times.” This sentence is more time-specific than the usual modal operators for expressing ‘always’ or ‘sometimes’. Comparing with the <img src="https://latex.codecogs.com/png.latex?@">-connective, we see that <img src="https://latex.codecogs.com/png.latex?@"> is an even more general notion than what a satisfaction operator provides, since we introduce it as a connective between formulas. This means that formulas can now also take the place of the nominals in hybrid logic, and this allows us to describe a situation, that is, the ‘current’ heap, by means of a formula.</p>
<p>An important result is that our new proof system allows us to show many more equivalences than existing proof systems for separation logic. Thus we go beyond the capability of many existing tools for (automatic or interactive) reasoning about separation logic! It is quite surprising that none of the existing tools can verify some of our particular equivalences. We think this is due to the abstract description of the separating connectives in terms of <em>cancellative partially commutative monoids</em> (cf.&nbsp;separation algebras <span class="citation" data-cites="calcagno2007local">[2]</span>). How to combine this abstract description with a set-theoretical interpretation of the points-to relation is problematic. This seems to suggest we should start developing new kinds of tools for automatic or interactive reasoning about separation logic, or adjust the existing tools to be able to work around current limitations.</p>
<p>The presented proof system is sound and complete. This will be elaborated upon in following blog posts. In <strong>part two</strong> we study standard and non-standard interpretations of separation logic, and give the main argument of relative completeness of the novel proof system. Relative completeness is a completeness argument relative to an oracle. This approach is necessary since absolute completeness for standard separation logic is not possible due to failure of compactness. Other topics that we will discuss in this series of articles concern the impact on Reynolds’ program logic <span class="citation" data-cites="reynolds2002separation">[9]</span>, expressivity of separation logic and separation logic as an intermediate logic between first-order logic and second-order logic, and intuitionistic separation logic.</p>
</section>



<div id="quarto-appendix" class="default"><section id="acknowledgments" class="level2 appendix unnumbered"><h2 class="anchored quarto-appendix-heading">Acknowledgments</h2><div class="quarto-appendix-contents">

<p>Cover image credit: Ulysses and the Sirens, John William Waterhouse (Google Art Project)</p>
</div></section><section class="quarto-appendix-contents" id="quarto-bibliography"><h2 class="anchored quarto-appendix-heading">References</h2><div id="refs" class="references csl-bib-body" data-entry-spacing="0">
<div id="ref-brauner2010hybrid" class="csl-entry">
<div class="csl-left-margin">[1] </div><div class="csl-right-inline">Torben Braüner. <em>Hybrid logic and its proof-theory</em>. Springer. <a href="https://doi.org/10.1007/978-94-007-0002-4">https://doi.org/10.1007/978-94-007-0002-4</a></div>
</div>
<div id="ref-calcagno2007local" class="csl-entry">
<div class="csl-left-margin">[2] </div><div class="csl-right-inline">Cristiano Calcagno, Peter W. O’Hearn, and Hongseok Yang. Local action and abstract separation logic. In <em>22nd annual IEEE symposium on logic in computer science (LICS 2007)</em>, 2007. IEEE, page 366–378. <a href="https://doi.org/10.1109/LICS.2007.30">https://doi.org/10.1109/LICS.2007.30</a></div>
</div>
<div id="ref-DemriLM21" class="csl-entry">
<div class="csl-left-margin">[3] </div><div class="csl-right-inline">Stéphane Demri, Étienne Lozes, and Alessio Mansutti. A complete axiomatisation for quantifier-free separation logic. <em>Log. Methods Comput. Sci.</em> volume 17, issue 3 (2021). <a href="https://doi.org/10.46298/lmcs-17(3:17)2021">https://doi.org/10.46298/lmcs-17(3:17)2021</a></div>
</div>
<div id="ref-herman2008theory" class="csl-entry">
<div class="csl-left-margin">[4] </div><div class="csl-right-inline">David Herman and Mitchell Wand. A theory of hygienic macros. In <em>Programming languages and systems: 17th european symposium on programming</em>, 2008. Springer, page 48–62. <a href="https://doi.org/10.1007/978-3-540-78739-6_4">https://doi.org/10.1007/978-3-540-78739-6_4</a></div>
</div>
<div id="ref-hiep2024new" class="csl-entry">
<div class="csl-left-margin">[5] </div><div class="csl-right-inline">Hans-Dieter A. Hiep. New foundations for separation logic. PhD thesis. Leiden University. Retrieved from <a href="https://hdl.handle.net/1887/3754463">https://hdl.handle.net/1887/3754463</a></div>
</div>
<div id="ref-jung2018iris" class="csl-entry">
<div class="csl-left-margin">[6] </div><div class="csl-right-inline">Ralf Jung, Robbert Krebbers, Jacques-Henri Jourdan, Aleš Bizjak, Lars Birkedal, and Derek Dreyer. Iris from the ground up: A modular foundation for higher-order concurrent separation logic. <em>Journal of Functional Programming</em> volume 28, (2018). <a href="https://doi.org/10.1017/S0956796818000151">https://doi.org/10.1017/S0956796818000151</a></div>
</div>
<div id="ref-quine2013word" class="csl-entry">
<div class="csl-left-margin">[7] </div><div class="csl-right-inline">Willard Van Orman Quine. <em>Word and object</em>. MIT press. <a href="https://doi.org/10.7551/mitpress/9636.001.0001">https://doi.org/10.7551/mitpress/9636.001.0001</a></div>
</div>
<div id="ref-reynolds2016decision" class="csl-entry">
<div class="csl-left-margin">[8] </div><div class="csl-right-inline">Andrew Reynolds, Radu Iosif, Cristina Serban, and Tim King. A decision procedure for separation logic in <span>SMT</span>. In <em>International symposium on automated technology for verification and analysis</em>, 2016. Springer, page 244–261. <a href="https://doi.org/10.1007/978-3-319-46520-3_16">https://doi.org/10.1007/978-3-319-46520-3_16</a></div>
</div>
<div id="ref-reynolds2002separation" class="csl-entry">
<div class="csl-left-margin">[9] </div><div class="csl-right-inline">J. C. Reynolds. Separation logic: A logic for shared mutable data structures. In <em>Proceedings 17th annual IEEE symposium on logic in computer science</em>, 2002. page 55–74. <a href="https://doi.org/10.1109/LICS.2002.1029817">https://doi.org/10.1109/LICS.2002.1029817</a></div>
</div>
</div></section><section id="footnotes" class="footnotes footnotes-end-of-document"><h2 class="anchored quarto-appendix-heading">Footnotes</h2>

<ol>
<li id="fn1"><p>What is called a ‘free reference’ here comes from Quine’s ‘purely referential position’. But, we already use the word ‘pure’ in a different sense, namely that any formula that involves the ‘points to’ construct itself is not pure. Hence we use instead the term ‘free reference’.↩︎</p></li>
</ol>
</section><section class="quarto-appendix-contents" id="quarto-citation"><h2 class="anchored quarto-appendix-heading">Citation</h2><div><div class="quarto-appendix-secondary-label">BibTeX citation:</div><pre class="sourceCode code-with-copy quarto-appendix-bibtex"><code class="sourceCode bibtex">@article{hiep2024,
  author = {Hiep, Hans-Dieter A. and de Boer, Frank S.},
  title = {A Sound and Complete Proof System for Separation Logic (Part
    1)},
  journal = {dr. heap},
  volume = {2},
  number = {2},
  date = {2024-06-29},
  url = {https://www.drheap.nl/articles/2024/sound-and-complete-proof-system-for-separation-logic-part-1/},
  doi = {10.59350/2gkd1-c0k49},
  issn = {3050-5224},
  langid = {en}
}
</code></pre><div class="quarto-appendix-secondary-label">For attribution, please cite this work as:</div><div id="ref-hiep2024" class="csl-entry quarto-appendix-citeas">
<div class="">Hans-Dieter A. Hiep and Frank S. de Boer. A
sound and complete proof system for separation logic (part 1). <em>dr.
heap</em> volume 2, issue 2 (June 2024). <a href="https://doi.org/10.59350/2gkd1-c0k49">https://doi.org/10.59350/2gkd1-c0k49</a></div>
</div></div></section></div> ]]></description>
  <category>Original Research</category>
  <category>Program Correctness</category>
  <guid>https://www.drheap.nl/articles/2024/sound-and-complete-proof-system-for-separation-logic-part-1/</guid>
  <pubDate>Fri, 28 Jun 2024 22:00:00 GMT</pubDate>
  <media:content url="https://www.drheap.nl/articles/2024/sound-and-complete-proof-system-for-separation-logic-part-1/cover-min.jpg" medium="image" type="image/jpeg"/>
</item>
<item>
  <title>On invariance and inconsistency</title>
  <dc:creator>Hans-Dieter A. Hiep</dc:creator>
  <link>https://www.drheap.nl/articles/2024/on-invariance-and-inconsistency/</link>
  <description><![CDATA[ 





<p><a href="main.pdf" class="btn btn-default downloadthis  " id="dnldts18204"><i class="bi bi-download"></i> Download the PDF version of this article </a></p>
<section id="introduction" class="level2" data-number="1">
<h2 data-number="1" class="anchored" data-anchor-id="introduction"><span class="header-section-number">1</span> Introduction</h2>
<p>How can you explain important concepts from program correctness in a simple and intuitive manner? In this blog post, we shall have a look at some puzzles and analyze them from the perspective of program correctness. This way we can nicely explain and demonstrate the usefulness of two important concepts, namely <em>invariants</em> and <em>inconsistent specifications</em>.</p>
<p>The puzzles we study here come from the book Algorithmic Puzzles <span class="citation" data-cites="algopuzzle">[1]</span> by Anany and Maria Levitin, published by Oxford University Press in 2011. This book presents 150 puzzles that are good candidates for applying analytical and logical thinking skills (the puzzles can also be used as challenging interview questions). We make a small selection of the puzzles, and we will see them answered from the perspective of program correctness. In program correctness, we consider a program to be correct with respect to a given program specification. A program specification is a specific formulation of a requirement, for example, a specification of what the output of a program must be given some input. More specifically (no pun intended), we can rephrase the puzzles in such a way that a puzzle can be seen as a program specification, and proving that there exists a program that is correct with respect to that specification then solves the puzzle. Alternatively, we show that there is no solution to the puzzle by arguing that there cannot be a correct program in the first place.</p>
<p>First we briefly revisit the preliminaries (Section&nbsp;2). This article assumes that the reader is already somewhat familiar with the basics of programming and program correctness, but we nevertheless quickly revisit the basic concepts. For a thorough introduction to program correctness, one could take a look at one of the following books (in order of appearance):</p>
<ul>
<li><p><em>A Discipline of Programming</em> by Edsger Dijkstra (1976),</p></li>
<li><p><em>Mathematical Theory of Program Correctness</em> by Jaco de Bakker (1980),</p></li>
<li><p><em>The Science of Programming</em> by David Gries (1981),</p></li>
<li><p><em>Program Verification</em> by Nissim Francez (1992), or</p></li>
<li><p><em>Verification of Sequential and Concurrent Programs</em> by Krzysztof Apt, Frank de Boer &amp; Ernst-Rüdiger Olderog (2009).</p></li>
</ul>
<p>Then we shed light on the concept of an <em>invariant</em> by discussing the 5th puzzle of the book, ‘Row and Column Exchanges’ (Section&nbsp;3). We also look at why <em>declarative specifications</em> are useful by discussing the 12th puzzle of the book, ‘Questionable Tiling’ (Section&nbsp;4). Finally, we discuss more generally the importance of invariants and of formulating consistent specifications (Section&nbsp;5).</p>
</section>
<section id="sec-prelim" class="level2" data-number="2">
<h2 data-number="2" class="anchored" data-anchor-id="sec-prelim"><span class="header-section-number">2</span> Preliminaries</h2>
<p>We shall restrict our attention to a simple imperative programming language: <img src="https://latex.codecogs.com/png.latex?%5Cbegin%7Bgathered%7D%0AS%20%5CColoneqq%20x%20%5Ccoloneqq%20a%20%5Cmid%20S_1;S_2%20%5Cmid%20%5Cmathbf%7Bif%7D%5C%20b%5C%20%5Cmathbf%7Bthen%7D%5C%20S_1%5C%20%5Cmathbf%7Belse%7D%5C%20S_2%5C%20%5Cmathbf%7Bfi%7D%20%5Cmid%20%5Cmathbf%7Bwhile%7D%5C%20b%5C%20%5Cmathbf%7Bdo%7D%5C%20S%5C%20%5Cmathbf%7Bod%7D%0A%5Cend%7Bgathered%7D"> where we use not only <img src="https://latex.codecogs.com/png.latex?x"> as variable but also <img src="https://latex.codecogs.com/png.latex?y,z,%5Cldots"> (possibly with subscripts), where the terms <img src="https://latex.codecogs.com/png.latex?a"> of the language are the usual arithmetical expressions: <img src="https://latex.codecogs.com/png.latex?%5Cbegin%7Bgathered%7D%0Aa%20%5CColoneqq%200%20%5Cmid%201%20%5Cmid%20x%20%5Cmid%20-a%20%5Cmid%20(a_1%20+%20a_2)%20%5Cmid%20(a_1%20%5Ctimes%20a_2)%0A%5Cend%7Bgathered%7D"> and where the terms <img src="https://latex.codecogs.com/png.latex?b"> of the language are the Boolean expressions: <img src="https://latex.codecogs.com/png.latex?%5Cbegin%7Bgathered%7D%0Ab%20%5CColoneqq%20(a_1%20=%20a_2)%20%5Cmid%20(a_1%20%3C%20a_2)%20%5Cmid%20(b_1%20%5Cland%20b_2)%20%5Cmid%20(b_1%20%5Clor%20b_2)%20%5Cmid%20%5Clnot%20b%0A%5Cend%7Bgathered%7D"> We also have the usual abbreviations, such as <img src="https://latex.codecogs.com/png.latex?(a_1%20%5Cleq%20a_2)">, that abbreviate more complex expressions, such as <img src="https://latex.codecogs.com/png.latex?(a_1%20%3C%20a_2)%20%5Clor%20(a_1%20=%20a_2)">, respectively. The numerals <img src="https://latex.codecogs.com/png.latex?2,3,4,%5Cldots"> are also abbreviations of complex expressions <img src="https://latex.codecogs.com/png.latex?(1+1),%20(1+2),%20(1+3),%5Cldots"></p>
<p>We also have first-order formulas, captured by the following syntax: <img src="https://latex.codecogs.com/png.latex?%5Cbegin%7Bgathered%7D%0A%5Cphi,%5Cpsi%20%5CColoneqq%20b%20%5Cmid%20(%5Cphi%20%5Cto%20%5Cpsi)%20%5Cmid%20(%5Cforall%20x)%5Cphi%0A%5Cend%7Bgathered%7D"> Other logical connectives, such as <img src="https://latex.codecogs.com/png.latex?(%5Cphi%20%5Cland%20%5Cpsi)"> and <img src="https://latex.codecogs.com/png.latex?%5Clnot%5Cphi">, can be seen as abbreviations. First-order logic has universal quantification <img src="https://latex.codecogs.com/png.latex?(%5Cforall%20x)%5Cphi">; its dual, existential quantification <img src="https://latex.codecogs.com/png.latex?(%5Cexists%20x)%5Cphi">, is an abbreviation of <img src="https://latex.codecogs.com/png.latex?%5Clnot(%5Cforall%20x)%5Clnot%5Cphi">. Quantification only ranges over individuals, so in our case over integers.</p>
<p>Now let us consider semantics. Let <img src="https://latex.codecogs.com/png.latex?%5Csigma"> be a state (an assignment of variables to integer values). We have the usual semantics for arithmetical expressions <img src="https://latex.codecogs.com/png.latex?a"> and Boolean expressions <img src="https://latex.codecogs.com/png.latex?b">: <img src="https://latex.codecogs.com/png.latex?%5B%5C!%5Ba%20%5D%5C!%5D_%5Csigma"> denotes an integer value and <img src="https://latex.codecogs.com/png.latex?%5B%5C!%5Bb%5D%5C!%5D_%5Csigma"> denotes a Boolean value. Note that an expression depends only on finitely many variables, and we only deal with pure expressions in our simple language. Each statement <img src="https://latex.codecogs.com/png.latex?S"> of our programming language denotes a transition relation of states: <img src="https://latex.codecogs.com/png.latex?%5B%5C!%5BS%5D%5C!%5D%5Csubseteq%20%5CSigma%5Ctimes%5CSigma"> where <img src="https://latex.codecogs.com/png.latex?%5CSigma"> is the set of states (with typical element <img src="https://latex.codecogs.com/png.latex?%5Csigma">), and <img src="https://latex.codecogs.com/png.latex?%5CSigma%5Ctimes%5CSigma"> is the set of pairs of states. A statement denotes a binary relation between initial and final states. Each formula <img src="https://latex.codecogs.com/png.latex?%5Cphi"> denotes a set of states: <img src="https://latex.codecogs.com/png.latex?%5B%5C!%5B%5Cphi%5D%5C!%5D%5Csubseteq%20%5CSigma"> in the sense that in each state <img src="https://latex.codecogs.com/png.latex?%5Csigma%5Cin%5B%5C!%5B%5Cphi%5D%5C!%5D"> the formula <img src="https://latex.codecogs.com/png.latex?%5Cphi"> is true, also written <img src="https://latex.codecogs.com/png.latex?%5Csigma%5Cmodels%5Cphi">.</p>
<p>In program correctness we combine two languages: a programming language and a specification language. The programming language is already given above. As specification language we take the above first-order language. Note that the variables of formulas in the assertion language are the same variables we use in the programming language. We can now form the Hoare triples: <img src="https://latex.codecogs.com/png.latex?%5C%7B%5Cphi%5C%7D%5C%20S%5C%20%5C%7B%5Cpsi%5C%7D"> where <img src="https://latex.codecogs.com/png.latex?%5Cphi"> is called the precondition and <img src="https://latex.codecogs.com/png.latex?%5Cpsi"> is called the postcondition. A Hoare triple is correct when the statement <img src="https://latex.codecogs.com/png.latex?S"> satisfies the input/output specification given by the precondition <img src="https://latex.codecogs.com/png.latex?%5Cphi"> and the postcondition <img src="https://latex.codecogs.com/png.latex?%5Cpsi">, and a Hoare triple is incorrect otherwise. Note that the (global) variables of <img src="https://latex.codecogs.com/png.latex?S"> and the (free) variables of the formulas <img src="https://latex.codecogs.com/png.latex?%5Cphi"> and <img src="https://latex.codecogs.com/png.latex?%5Cpsi"> refer to the same program variables; this is what binds program and specification to each other. Formally, we define <img src="https://latex.codecogs.com/png.latex?%5Cmodels%20%5C%7B%5Cphi%5C%7D%5C%20S%5C%20%5C%7B%5Cpsi%5C%7D%20%5Ctext%7B%20if%20and%20only%20if%20%7D%20%5B%5C!%5BS%5D%5C!%5D(%5B%5C!%5B%5Cphi%5D%5C!%5D)%20%5Csubseteq%20%5B%5C!%5B%5Cpsi%5D%5C!%5D"> where <img src="https://latex.codecogs.com/png.latex?R(X)"> is the image of the set <img src="https://latex.codecogs.com/png.latex?X"> under the binary relation <img src="https://latex.codecogs.com/png.latex?R"> (the set of states that <img src="https://latex.codecogs.com/png.latex?R"> relates some state of <img src="https://latex.codecogs.com/png.latex?X"> to), that is, <img src="https://latex.codecogs.com/png.latex?R(X)%20=%20%5C%7By%20%5Cmid%20xRy%5Ctext%7B%20for%20some%20%7Dx%5Cin%20X%5C%7D">. 
Unpacking this formal definition gives us <img src="https://latex.codecogs.com/png.latex?%5Cmodels%20%5C%7B%5Cphi%5C%7D%5C%20S%5C%20%5C%7B%5Cpsi%5C%7D%20%5Ctext%7B%20if%20and%20only%20if%20%7D%20%5Csigma%5Cin%5B%5C!%5B%5Cphi%5D%5C!%5D%5Ctext%7B%20and%20%7D%20(%5Csigma,%5Ctau)%5Cin%5B%5C!%5BS%5D%5C!%5D%5Ctext%7B%20implies%20%7D%20%5Ctau%5Cin%5B%5C!%5B%5Cpsi%5D%5C!%5D."></p>
<p>Incorrectness means that <img src="https://latex.codecogs.com/png.latex?S"> has a bug. Suppose we start in some initial state <img src="https://latex.codecogs.com/png.latex?%5Csigma"> which satisfies the precondition <img src="https://latex.codecogs.com/png.latex?%5Cphi">, and we execute <img src="https://latex.codecogs.com/png.latex?S"> from that state, and that execution results in some final state <img src="https://latex.codecogs.com/png.latex?%5Ctau">. If the final state <img src="https://latex.codecogs.com/png.latex?%5Ctau"> does not satisfy <img src="https://latex.codecogs.com/png.latex?%5Cpsi">, then we have found a bug! Formally, <img src="https://latex.codecogs.com/png.latex?%5Cnot%5Cmodels%20%5C%7B%5Cphi%5C%7D%5C%20S%5C%20%5C%7B%5Cpsi%5C%7D%20%5Ctext%7B%20if%20and%20only%20if%20%7D%20%5Csigma%5Cmodels%5Cphi%20%5Ctext%7B%20and%20%7D(%5Csigma,%5Ctau)%5Cin%5B%5C!%5BS%5D%5C!%5D%5Ctext%7B%20and%20%7D%5Ctau%5Cnot%5Cmodels%5Cpsi%5Ctext%7B%20for%20some%20%7D%5Csigma,%5Ctau."></p>
<p>Hoare logic is a formal system in which Hoare triples can be derived, in which case one writes <img src="https://latex.codecogs.com/png.latex?%5Cvdash%20%5C%7B%5Cphi%5C%7D%5C%20S%5C%20%5C%7B%5Cpsi%5C%7D">. Hoare logic is sound and (relatively) complete, meaning that we have <img src="https://latex.codecogs.com/png.latex?%5Cvdash%20%5C%7B%5Cphi%5C%7D%5C%20S%5C%20%5C%7B%5Cpsi%5C%7D%5Ctext%7B%20if%20and%20only%20if%20%7D%5Cmodels%20%5C%7B%5Cphi%5C%7D%5C%20S%5C%20%5C%7B%5Cpsi%5C%7D"> under some reasonable assumptions.<sup>1</sup> See one of the books mentioned in the introduction for a presentation of Hoare logic, or <a href="https://en.wikipedia.org/wiki/Hoare_logic">Wikipedia</a>.</p>
<p>A quick example is the following Hoare triple. Is it correct or not? <img src="https://latex.codecogs.com/png.latex?%5C%7By%20=%200%5C%7D%5C%20x%20%5Ccoloneqq%201;%20%5Cmathbf%7Bwhile%7D%5C%20x%20%5Cleq%20z%5C%20%5Cmathbf%7Bdo%7D%5C%20y%20%5Ccoloneqq%20y%20+%20x;%20x%20%5Ccoloneqq%20x%20+%201%5C%20%5Cmathbf%7Bod%7D%5C%20%5C%7B2%5Ctimes%20y%20=%20z%5Ctimes(z+1)%5C%7D"> To verify the loop, we need to come up with a so-called loop invariant: a condition that holds at four control points, namely (1) before entering the loop, (2) before the loop body begins, (3) after the loop body ends, and (4) after the loop is exited. Finding loop invariants is difficult, and it often takes several tries before one finds a suitable invariant. In the above example, one can take: <img src="https://latex.codecogs.com/png.latex?1%20%5Cleq%20x%20%5Cleq%20z%20+%201%20%5Cland%202%5Ctimes%20y%20=%20(x%20-%201)%5Ctimes%20x"> where <img src="https://latex.codecogs.com/png.latex?(x%20-%201)"> abbreviates <img src="https://latex.codecogs.com/png.latex?(x%20+%20-1)"> and the chain of inequalities is conjunctive. The body preserves it: from 2×y = (x − 1)×x and x ≤ z we get 2×(y + x) = x×(x + 1) and 1 ≤ x + 1 ≤ z + 1. On exit we have x &gt; z together with x ≤ z + 1, so x = z + 1 and the second conjunct yields the postcondition. The invariant must, however, also hold at control point (1), right after x := 1, and there 1 ≤ x ≤ z + 1 requires z ≥ 0. The triple as stated is therefore not correct: take an initial state with y = 0 and z = -2; the loop body never runs, the final state still has y = 0, and 2×0 ≠ (-2)×(-1). This is a bug in exactly the sense defined above. With the precondition strengthened to y = 0 ∧ z ≥ 0 the triple is correct, and the invariant above proves it.</p>
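<p>The following Python script is an added example, not code from the article. It checks the reasoning above mechanically on a finite range of states: the candidate invariant is split into the three verification conditions, initialisation at control point (1), preservation from (2) to (3), and the exit step at (4), and the script separately enumerates initial states that witness incorrectness in the sense of the definition of <img src="https://latex.codecogs.com/png.latex?%5Cnot%5Cmodels%20%5C%7B%5Cphi%5C%7D%5C%20S%5C%20%5C%7B%5Cpsi%5C%7D"> given earlier. Bounded checking of this kind only gathers evidence and finds counterexamples; the algebra in the text is what makes the argument hold for all integers.</p>

```python
"""Bounded check of the summation loop's Hoare triple (added example).

Verification conditions for the invariant  1 <= x <= z+1  and  2y = (x-1)x
are tested over a finite box of states; counterexamples to the triple as
stated are enumerated.  Evidence, not proof: the text's algebra is general.
"""

from itertools import product


def inv(x: int, y: int, z: int) -> bool:
    """Candidate loop invariant: 1 <= x <= z + 1  and  2y = (x - 1)x."""
    return 1 <= x <= z + 1 and 2 * y == (x - 1) * x


def post(y: int, z: int) -> bool:
    """Postcondition: 2y = z(z + 1)."""
    return 2 * y == z * (z + 1)


def body(x: int, y: int) -> tuple[int, int]:
    """Loop body  y := y + x; x := x + 1  (returns the new x and y)."""
    return x + 1, y + x


def run(z: int, y: int = 0) -> tuple[int, int]:
    """Run  x := 1; while x <= z do body od  from a state with the given y, z."""
    x = 1
    while x <= z:
        x, y = body(x, y)
    return x, y


def triple_counterexamples(zs) -> list[int]:
    """Values of z such that, starting from y = 0, the program ends in a state
    violating the postcondition: each one witnesses that the triple is incorrect."""
    return [z for z in zs if not post(run(z)[1], z)]


def initialisation_failures(zs) -> list[int]:
    """Values of z for which the invariant is false at control point (1),
    i.e. after  x := 1  with y = 0, before the loop is entered."""
    return [z for z in zs if not inv(1, 0, z)]


def preservation_holds(bound: int) -> bool:
    """Control points (2) -> (3):  inv and x <= z  implies  inv after the body,
    checked for all |x|, |y|, |z| <= bound."""
    rng = range(-bound, bound + 1)
    for x, y, z in product(rng, rng, rng):
        if inv(x, y, z) and x <= z:
            x2, y2 = body(x, y)
            if not inv(x2, y2, z):
                return False
    return True


def exit_holds(bound: int) -> bool:
    """Control point (4):  inv and not (x <= z)  implies the postcondition,
    checked for all |x|, |y|, |z| <= bound."""
    rng = range(-bound, bound + 1)
    return all(post(y, z)
               for x, y, z in product(rng, rng, rng)
               if inv(x, y, z) and not x <= z)


if __name__ == "__main__":
    print("counterexamples to the triple for z in [-5, 9]:",
          triple_counterexamples(range(-5, 10)))
    print("z for which the invariant fails on entry:",
          initialisation_failures(range(-5, 10)))
    print("invariant preserved by the body:", preservation_holds(15))
    print("invariant and exit condition imply postcondition:", exit_holds(15))
```

<p>On the range z = -5, …, 9 the script reports the counterexamples -5, -4, -3, -2 for the triple as stated, shows that the invariant already fails on entry for every negative z, and confirms preservation and the exit step on the bounded state space. The preservation and exit checks never mention the precondition, which is why they pass unchanged once the precondition is strengthened to z ≥ 0.</p>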
</section>
<section id="sec-invariants" class="level2" data-number="3">
<h2 data-number="3" class="anchored" data-anchor-id="sec-invariants"><span class="header-section-number">3</span> Invariants</h2>
<p>In this section we discuss a puzzle in which invariants play a prominent role. The 5th puzzle of the book Algorithmic Puzzles is ‘Row and Column Exchanges’:</p>
<blockquote class="blockquote">
<p>Can you transform the left table into the right table of Figure&nbsp;1 by exchanging its rows and columns?</p>
</blockquote>
<div id="fig-tables" class="quarto-float quarto-figure quarto-figure-center anchored">
<figure class="quarto-float quarto-float-fig figure">
<div aria-describedby="fig-tables-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
<img src="https://www.drheap.nl/articles/2024/on-invariance-and-inconsistency/fig1.png" class="img-fluid figure-img">
</div>
<figcaption class="quarto-float-caption-bottom quarto-float-caption quarto-float-fig" id="fig-tables-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
Figure&nbsp;1: Initial and final table.
</figcaption>
</figure>
</div>
<p>(It is recommended that the reader first tries out solving this puzzle herself!)</p>
<p>To get a sense of what the puzzle asks for, let us perform the operations of swapping rows and columns in a table. An example of a sequence of successive applications of these operations is shown in Figure&nbsp;2.</p>
<div id="fig-series" class="quarto-float quarto-figure quarto-figure-center anchored">
<figure class="quarto-float quarto-float-fig figure">
<div aria-describedby="fig-series-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
<img src="https://www.drheap.nl/articles/2024/on-invariance-and-inconsistency/fig2.png" class="img-fluid figure-img">
</div>
<figcaption class="quarto-float-caption-bottom quarto-float-caption quarto-float-fig" id="fig-series-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
Figure&nbsp;2: The start of a sequence of exchanges.
</figcaption>
</figure>
</div>
<p>This figure shows:</p>
<ol type="1">
<li><p>The first table shows the initial table of Figure&nbsp;1, our starting point in this puzzle.</p></li>
<li><p>After the first step, we have exchanged the first and last row. So we swapped the values <img src="https://latex.codecogs.com/png.latex?1,2,3,4"> and <img src="https://latex.codecogs.com/png.latex?13,14,15,16">.</p></li>
<li><p>After the second step, we have also exchanged the first and last column. So we swapped the values <img src="https://latex.codecogs.com/png.latex?13,5,9,1"> and <img src="https://latex.codecogs.com/png.latex?16,8,12,4">.</p></li>
</ol>
<p>Notice that we have now obtained a table, in which the last row coincides with the values of the final table we wish to obtain (the last row is ‘correct’ with respect to the desired final table). To get closer to the final table, we can continue the series of operations as in Figure&nbsp;3, where we perform two additional steps: we swap the first and third row, and we swap the second and third row.</p>
<div id="fig-series-2" class="quarto-float quarto-figure quarto-figure-center anchored">
<figure class="quarto-float quarto-float-fig figure">
<div aria-describedby="fig-series-2-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
<img src="https://www.drheap.nl/articles/2024/on-invariance-and-inconsistency/fig3.png" class="img-fluid figure-img">
</div>
<figcaption class="quarto-float-caption-bottom quarto-float-caption quarto-float-fig" id="fig-series-2-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
Figure&nbsp;3: Continuing the series of exchanges.
</figcaption>
</figure>
</div>
<p>In the resulting table, we have colored the cells that have values in the right place when comparing it to the final table in Figure&nbsp;1. This particular example shows that we are not there yet. <a href="https://play.rust-lang.org/?version=stable&amp;mode=debug&amp;edition=2021&amp;gist=8481cfe72a96f11d697b4c909f22449a">Click here for a Rust implementation of this example.</a></p>
<p>Giving this single example, in which we have not solved the puzzle (the final table is not ‘correct’), is not a solution to the puzzle! One may wonder whether a solution exists at all. If one exists, we have simply not found it yet. But if there is no solution to be found, this single failed attempt is not sufficient proof of that either.</p>
<p>Imagine that these tables are representations of state, where the state is an assignment of integers to variables (each cell in the table is modeled by its own variable, sixteen in total). There are two primitive operations that work on this state:</p>
<ul>
<li><p>to swap two columns <img src="https://latex.codecogs.com/png.latex?C(j,j')">, and</p></li>
<li><p>to swap two rows <img src="https://latex.codecogs.com/png.latex?R(i,i')">.</p></li>
</ul>
<p>The puzzle can be rephrased by asking whether we can come up with a program that is composed out of these two primitive operations. Instead of our simple programming language given above, where the only primitive operation is the assignment <img src="https://latex.codecogs.com/png.latex?x%20:=%20a">, we instead consider the programming language with only these two primitive operations. In this way we realize encapsulation, in the sense that the program may not directly modify the state by means of an assignment, only indirectly through the exposed operations.</p>
<p>This may remind the reader of object-oriented programming. Each table could be seen as an instance of a class of objects, which has an encapsulated internal state. The class of objects exposes a number of operations, viz.&nbsp;it has a well-defined interface. We now ask ourselves: does there exist a client, which can only work with the interface and cannot directly modify the internal state, that solves our puzzle?</p>
<p>What does it mean to solve the puzzle? We can formulate the Hoare triple <img src="https://latex.codecogs.com/png.latex?%5C%7B%5C!%5C!%5C!%5Cbigwedge_%7Bi%5Cin%5B1,4%5D%7D%5Cbigwedge_%7Bj%5Cin%5B1,4%5D%7D%5C!%5C!%5C!x_%7Bi,j%7D%20=%20(i%20-%201)%20%5Ctimes%204%20+%20j%5C%7D%5C%20S%5C%20%5C%7Bx_%7B1,1%7D%20=%2012%20%5Cland%20%5Cldots%20%5Cland%20x_%7B4,4%7D%20=%201%5C%7D"> where <img src="https://latex.codecogs.com/png.latex?x_%7B1,1%7D"> until <img src="https://latex.codecogs.com/png.latex?x_%7B4,4%7D"> are the sixteen variables corresponding to the cells of the table.<sup>2</sup> Note that in the postcondition we simply require the variables to have the proper values, as indicated in Figure&nbsp;1. If we can find a program <img src="https://latex.codecogs.com/png.latex?S"> that is composed of only these primitive operations, and prove it correct, we have solved the puzzle!</p>
<p>To understand the meaning of the primitive operations, we give a set of Hoare triples that we take as axioms (technically, we give an axiom scheme). This approach is also known as the ‘axiomatic approach’, where we abstract from the exact semantics of the primitive operations. Here we go (assuming meta-variables <img src="https://latex.codecogs.com/png.latex?j%5Cin%5B1,4%5D"> and <img src="https://latex.codecogs.com/png.latex?j'%5Cin%5B1,4%5D">): <img src="https://latex.codecogs.com/png.latex?%5C%7B%5C!%5C!%5C!%5Cbigwedge_%7Bi%5Cin%5B1,4%5D%7D%5C!%5C!%5C!x_%7Bi,j%7D%20=%20y_i%20%5Cland%20%5C!%5C!%5C!%5Cbigwedge_%7Bi%5Cin%5B1,4%5D%7D%5C!%5C!%5C!x_%7Bi,j'%7D%20=%20z_i%5C%7D%5C%20C(j,j')%5C%20%5C%7B%5C!%5C!%5C!%5Cbigwedge_%7Bi%5Cin%5B1,4%5D%7D%5C!%5C!%5C!x_%7Bi,j%7D%20=%20z_i%20%5Cland%20%5C!%5C!%5C!%5Cbigwedge_%7Bi%5Cin%5B1,4%5D%7D%5C!%5C!%5C!x_%7Bi,j'%7D%20=%20y_i%5C%7D"> The ‘freeze variables’ <img src="https://latex.codecogs.com/png.latex?y_1,%5Cldots,y_4"> capture the old values in column <img src="https://latex.codecogs.com/png.latex?j">, and <img src="https://latex.codecogs.com/png.latex?z_1,%5Cldots,z_4"> capture the old values in column <img src="https://latex.codecogs.com/png.latex?j'">. In the postcondition, we use the (unchanged) freeze variables to refer to the old values at the beginning of the swapping operation. This argument crucially relies on the fact that the operation <img src="https://latex.codecogs.com/png.latex?C(j,j')"> only changes the variables in the set <img src="https://latex.codecogs.com/png.latex?%5C%7Bx_%7Bi,j%7D,x_%7Bi,j'%7D%5Cmid%20i%5Cin%5B1,4%5D%5C%7D">. By Hoare’s invariance rule, any assertion that mentions only the other variables thus remains invariant across the operation. A similar axiom scheme can be given for swapping rows.</p>
<p>We could think of an <em>object invariant</em>: a property that holds of the internal state of the object, that must be preserved by every operation that is performed by any client. Note that object invariants may be temporarily broken in the implementation of an operation, as long as the object invariant is restored before the implementation terminates.</p>
<p>The beauty of invariants is that they are a powerful tool for answering these kinds of puzzle questions. When we are able to find some invariant that is true for the initial table but false for the final table, then we know: the final table cannot be obtained by means of these operations only, since all the operations preserve the object invariant!</p>
<p>An example of an object invariant in this case would be the property: the table has the values <img src="https://latex.codecogs.com/png.latex?%5C%7B1,%5Cldots,16%5C%7D">. In other words, every value in the table is in <img src="https://latex.codecogs.com/png.latex?%5C%7B1,%5Cldots,16%5C%7D"> and every value of <img src="https://latex.codecogs.com/png.latex?%5C%7B1,%5Cldots,16%5C%7D"> is somewhere in the table. Let’s formalize it (Equation&nbsp;1): <img src="https://latex.codecogs.com/png.latex?%5C%7Bx_%7Bi,j%7D%20%5Cmid%201%5Cleq%20i,j%20%5Cleq%204%5C%7D%20=%20%5C%7B1,%5Cldots,16%5C%7D."> The set comprehension on the left collects all values in the table in a set. The set expression on the right is the finite set consisting of the integers <img src="https://latex.codecogs.com/png.latex?1"> up to and including <img src="https://latex.codecogs.com/png.latex?16">. The property now expresses that these two sets are identical, i.e.&nbsp;have precisely the same members. This property holds for the initial state of the object, and it also is preserved by every operation: swapping two rows, or swapping two columns, does not introduce any new values and thus does not invalidate this property. Hence, this property is an object invariant.</p>
<p>The final table of Figure&nbsp;1 also satisfies the object invariant of Equation&nbsp;1. So this invariant, while nice to know, is not useful in answering the puzzle question. We can only prove that there is no solution to the puzzle when we find an invariant, that holds of the initial state and is preserved by the operations, but does not hold in the final state.</p>
<p>Just as finding loop invariants (to show the correctness of a program) is a difficult problem, finding object invariants (to show that there can be no correct program) is also a difficult problem. Finding invariants may require several tries. Let us try another invariant. Consider that we not only have a set of values, but in fact a set of sets of values: <img src="https://latex.codecogs.com/png.latex?%5Cbigl%5C%7B%5C%7Bx_%7Bi,j%7D%20%5Cmid%201%5Cleq%20j%5Cleq%204%5C%7D%5Cmid%201%5Cleq%20i%5Cleq%204%5Cbigr%5C%7D%20=%20%5Cbigl%5C%7B%5C%7B1,2,3,4%5C%7D,%5Cldots,%5C%7B13,14,15,16%5C%7D%5Cbigr%5C%7D"> The outer set consists of the sets corresponding to the values one finds in each row, and each inner set consists of the values present in one row. If we swap two rows, the invariant is preserved because the outer set does not care about the order of its elements (sets of integers). If we swap two columns, the invariant is also preserved, because the set of values in each row remains the same when two columns are swapped.</p>
<p>Now, looking at Figure&nbsp;1 we see that the initial table satisfies this property. However, the final table does not. The final table has as its set of sets of integers: <img src="https://latex.codecogs.com/png.latex?%5Cbigl%5C%7B%5C%7B12,10,11,9%5C%7D,%5C%7B16,14,5,13%5C%7D,%5C%7B8,6,7,15%5C%7D,%5C%7B4,3,2,1%5C%7D%5Cbigr%5C%7D."> The first and last rows pose no problem, since {9,10,11,12} and {1,2,3,4} are row sets of the initial table as well, so we can focus on comparing the middle rows <img src="https://latex.codecogs.com/png.latex?%5Cbigl%5C%7B%5C%7B16,14,5,13%5C%7D,%5C%7B8,6,7,15%5C%7D%5Cbigr%5C%7D%20%5Ctext%7B%20and%20%7D%20%5Cbigl%5C%7B%5C%7B16,14,15,13%5C%7D,%5C%7B8,6,7,5%5C%7D%5Cbigr%5C%7D"> which cannot be equal: the set {16,14,5,13} occurs in the first family but is neither of the sets in the second, because 5 and 13 never share a row in the initial table. Hence the final table does not satisfy the invariant, which finally proves that there is no solution! (We shall further discuss this problem in Section&nbsp;5.)</p>
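<p>The Python script below is an added example and is not the Rust implementation linked above. It implements the two primitive operations, checks the postcondition of the column-swap axiom scheme (including the frame condition that cells outside the two columns are untouched), evaluates both candidate invariants, and finally enumerates every table reachable from the initial one. The table <code>FINAL</code> is transcribed from the row sets given in this section; only the row sets matter for the argument, so the order of values inside a row does not affect any of the results. Rows and columns are 0-based in the code, 1-based in the text.</p>

```python
"""Row and Column Exchanges (added example, not the article's own code).

Primitive operations, the C(j,j') axiom scheme's frame property, the two
candidate object invariants, and a brute-force reachability cross-check.
FINAL is transcribed from the row sets given in the text.
"""

from collections import deque

Table = tuple[tuple[int, ...], ...]

INITIAL: Table = ((1, 2, 3, 4), (5, 6, 7, 8), (9, 10, 11, 12), (13, 14, 15, 16))
FINAL: Table = ((12, 10, 11, 9), (16, 14, 5, 13), (8, 6, 7, 15), (4, 3, 2, 1))


def swap_rows(t: Table, i: int, k: int) -> Table:
    """R(i,k): exchange rows i and k."""
    rows = list(t)
    rows[i], rows[k] = rows[k], rows[i]
    return tuple(rows)


def swap_cols(t: Table, j: int, k: int) -> Table:
    """C(j,k): exchange columns j and k."""
    out = []
    for row in t:
        r = list(row)
        r[j], r[k] = r[k], r[j]
        out.append(tuple(r))
    return tuple(out)


def column_axiom_holds(t: Table, j: int, k: int) -> bool:
    """Postcondition of the C(j,j') axiom scheme: the frozen old values of
    column j reappear in column k and vice versa, and every cell outside the
    two columns is untouched (the frame that Hoare's invariance rule needs)."""
    y = [row[j] for row in t]          # freeze variables y_1..y_4
    z = [row[k] for row in t]          # freeze variables z_1..z_4
    u = swap_cols(t, j, k)
    swapped = all(u[i][j] == z[i] and u[i][k] == y[i] for i in range(4))
    frame = all(u[i][c] == t[i][c]
                for i in range(4) for c in range(4) if c not in (j, k))
    return swapped and frame


def value_set(t: Table) -> frozenset:
    """Equation 1: the set of all values in the table."""
    return frozenset(v for row in t for v in row)


def row_sets(t: Table) -> frozenset:
    """The set of row sets: the invariant that separates INITIAL from FINAL."""
    return frozenset(frozenset(row) for row in t)


def preserved_by_every_operation(invariant, t: Table) -> bool:
    """Does each single primitive operation applied to t keep invariant(t)?"""
    before = invariant(t)
    return all(invariant(swap_rows(t, a, b)) == before
               and invariant(swap_cols(t, a, b)) == before
               for a in range(4) for b in range(4))


def reachable_tables(start: Table) -> set:
    """Every table reachable from start by row/column exchanges (BFS over the
    4! * 4! = 576 states); a brute-force cross-check of the invariant proof."""
    seen = {start}
    queue = deque([start])
    while queue:
        t = queue.popleft()
        for a in range(4):
            for b in range(a + 1, 4):
                for u in (swap_rows(t, a, b), swap_cols(t, a, b)):
                    if u not in seen:
                        seen.add(u)
                        queue.append(u)
    return seen


if __name__ == "__main__":
    reach = reachable_tables(INITIAL)
    print("Equation 1 holds of both tables:", value_set(INITIAL) == value_set(FINAL))
    print("row-set invariant holds of FINAL:", row_sets(INITIAL) == row_sets(FINAL))
    print("reachable tables:", len(reach), " FINAL among them:", FINAL in reach)
```

<p>The exhaustive search agrees with the invariant argument: all 576 reachable tables share the row sets of the initial table and the final table is not among them. The invariant, however, is the better proof. It is checked by looking at one application of each operation, whereas the search only works because this state space happens to be tiny.</p>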
</section>
<section id="sec-spec" class="level2" data-number="4">
<h2 data-number="4" class="anchored" data-anchor-id="sec-spec"><span class="header-section-number">4</span> Logical specifications</h2>
<p>We have a look at the 12th puzzle of the Algorithmic Puzzles book, ‘Questionable Tiling’ (with a slightly different phrasing):</p>
<blockquote class="blockquote">
<p>Is it possible to tile an 8-by-8 board with dominoes (2-by-1 tiles) such that no two dominoes lie next to each other in parallel?</p>
</blockquote>
<p>(Again, the reader should first try to solve this puzzle herself!)</p>
<p>Before even beginning to solve the problem, we should first try to get an exact understanding of the puzzle by understanding each part of the question:</p>
<ul>
<li><p>What is a ‘tiling of dominoes’ on an 8-by-8 board?</p></li>
<li><p>What does it mean when two dominoes ‘lie next to each other in parallel’?</p></li>
</ul>
<p>Suppose we formalize the 8-by-8 board, again by means of a table. Each cell of the table is again understood to be represented by the variables <img src="https://latex.codecogs.com/png.latex?x_%7Bi,j%7D"> where <img src="https://latex.codecogs.com/png.latex?i"> is the row counted from the top and <img src="https://latex.codecogs.com/png.latex?j"> is the column counted from the left. But what do the values of these variables mean? We could devise the following encoding:</p>
<ul>
<li><p>If a variable <img src="https://latex.codecogs.com/png.latex?x_%7Bi,j%7D"> has value <img src="https://latex.codecogs.com/png.latex?0"> it means that the cell is empty.</p></li>
<li><p>If a variable <img src="https://latex.codecogs.com/png.latex?x_%7Bi,j%7D"> has some positive value, then that positive value identifies a domino piece.</p></li>
</ul>
<p>For example, see Figure&nbsp;4, where we have a table that encodes an 8-by-8 board with only four dominoes. Note that in this and the following pictures, only the numbers in the cells are significant and not the colors. Colors are only a visual aid. Further, what is shown in Figure&nbsp;4 is not a tiling yet; it is a partial tiling on its way to becoming a complete tiling.</p>
<div id="fig-dominoes-1" class="quarto-float quarto-figure quarto-figure-center anchored">
<figure class="quarto-float quarto-float-fig figure">
<div aria-describedby="fig-dominoes-1-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
<img src="https://www.drheap.nl/articles/2024/on-invariance-and-inconsistency/fig4.png" class="img-fluid figure-img">
</div>
<figcaption class="quarto-float-caption-bottom quarto-float-caption quarto-float-fig" id="fig-dominoes-1-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
Figure&nbsp;4: An encoding of dominoes on an 8-by-8 board.
</figcaption>
</figure>
</div>
<p>One fruitful approach is to look for patterns. A pattern is, figuratively speaking, a small ‘frame’ or ‘scope’ through which you observe a local part of the picture. Patterns are ‘timeless’: they are observed on the outcome, and thus do not care about the intermediate states one has passed through to obtain that outcome. Spotting patterns is a useful ability of a declarative programmer.</p>
<p>One can observe already the following properties:</p>
<dl>
<dt>Property 1.</dt>
<dd>
<p>(Number of dominoes in tiling)<br>
In an 8-by-8 table, a complete tiling has exactly <img src="https://latex.codecogs.com/png.latex?%5Cfrac%7B8%5Ctimes%208%7D%7B2%7D=32"> numbers identifying domino pieces.</p>
</dd>
<dt>Property 2.</dt>
<dd>
<p>(Size of single domino)<br>
Every number identifying a domino piece occurs at most twice.</p>
</dd>
<dt>Property 3.</dt>
<dd>
<p>(Dominoes line up)<br>
Consider a cell of the table that contains a number identifying a domino, and look at its immediate neighborhood (the cells above, to the right, below and to the left, but not the diagonal cells). We observe that the following must hold: exactly one of the cells above, to the left, below or to the right of the given cell exists and has the same domino-identifying number; the other neighboring cells must have a different value. See also Figure&nbsp;5 for a picture, but note that these patterns are drawn for interior cells. For cells on the border, the pattern need not check outside the bounds.</p>
</dd>
</dl>
<div id="fig-dominoes-2" class="quarto-float quarto-figure quarto-figure-center anchored">
<figure class="quarto-float quarto-float-fig figure">
<div aria-describedby="fig-dominoes-2-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
<img src="https://www.drheap.nl/articles/2024/on-invariance-and-inconsistency/fig5.png" class="img-fluid figure-img">
</div>
<figcaption class="quarto-float-caption-bottom quarto-float-caption quarto-float-fig" id="fig-dominoes-2-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
Figure&nbsp;5: Patterns to check that numbers line up. Here, <img src="https://latex.codecogs.com/png.latex?k"> is the number identifying a domino and we have <img src="https://latex.codecogs.com/png.latex?k%5Cneq%20n_1">, <img src="https://latex.codecogs.com/png.latex?k%5Cneq%20n_2">, <img src="https://latex.codecogs.com/png.latex?k%5Cneq%20n_3">.
</figcaption>
</figure>
</div>
<p>Now, consider completing the tiling in Figure&nbsp;4. What domino do we place on the left of the domino identified by number three (the blue one)? It will form a 2-by-2 square. We also form a 2-by-2 square if we would place another domino directly below and in parallel with the domino identified by number four (the purple one). These are undesired according to the puzzle.</p>
<p>We end up with the following property:</p>
<dl>
<dt>Property 4.</dt>
<dd>
<p>(No parallel dominoes)<br>
In each 2-by-2 square there are not exactly two dominoes. See Figure&nbsp;6 for the two forbidden patterns.</p>
</dd>
</dl>
<div id="fig-dominoes-3" class="quarto-float quarto-figure quarto-figure-center anchored">
<figure class="quarto-float quarto-float-fig figure">
<div aria-describedby="fig-dominoes-3-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
<img src="https://www.drheap.nl/articles/2024/on-invariance-and-inconsistency/fig6.png" class="img-fluid figure-img">
</div>
<figcaption class="quarto-float-caption-bottom quarto-float-caption quarto-float-fig" id="fig-dominoes-3-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
Figure&nbsp;6: Two patterns that show how two dominoes form a 2-by-2 square.
</figcaption>
</figure>
</div>
<p>We can now formalize the properties, and obtain a program specification.</p>
<dl>
<dt>Property 1.</dt>
<dd>
<p>(Number of dominoes in tiling) <img src="https://latex.codecogs.com/png.latex?%7CD%7C%20=%20%5Cfrac%7B8%5Ctimes%208%7D%7B2%7D%20=%2032"> where <img src="https://latex.codecogs.com/png.latex?D"> is the set of domino identifying numbers that occur somewhere in the table, that is, <img src="https://latex.codecogs.com/png.latex?D%20=%20%5C%7Bx_%7Bi,j%7D%20%5Cmid%201%20%5Cleq%20i,j%5Cleq%208%5C%7D%5Ccap%5C%7Bn%5Cmid%20n%20%3E%200%5C%7D">.</p>
</dd>
<dt>Property 2.</dt>
<dd>
<p>(Size of single domino) <img src="https://latex.codecogs.com/png.latex?%7C%5C%7B(i,j)%20%5Cmid%20k%20=%20x_%7Bi,j%7D%5Ctext%7B%20and%20%7D1%5Cleq%20i,j%5Cleq%208%5C%7D%7C%20=%202%5Ctext%7B%20for%20each%20%7Dk%5Cin%20D."></p>
</dd>
<dt>Property 3.</dt>
<dd>
<p>(Dominoes line up)<br>
For every <img src="https://latex.codecogs.com/png.latex?1%5Cleq%20i,j%5Cleq%208"> there is some <img src="https://latex.codecogs.com/png.latex?%5Cell%5Cin%20K(i,j)"> such that <img src="https://latex.codecogs.com/png.latex?x_%7Bi,j%7D%20=%20x_%5Cell%20%5Cland%5Cmkern-24mu%5Cbigwedge_%7Bk%5Cin%20K(i,j)%5Csetminus%5C%7B%5Cell%5C%7D%7D%5Cmkern-26mu%20x_%7Bi,j%7D%5Cneq%20x_%7Bk%7D"> where <img src="https://latex.codecogs.com/png.latex?K(i,j)"> is the set of neighboring coordinates within bounds <img src="https://latex.codecogs.com/png.latex?%5C%7B(i+1,j),(i,j+1),(i-1,j),(i,j-1)%5C%7D%20%5Ccap%20%5C%7B(i',j')%5Cmid%201%5Cleq%20i',j'%5Cleq%208%5C%7D."></p>
</dd>
</dl>
<p>Technically, we have that <img src="https://latex.codecogs.com/png.latex?x_%7B(i,j)%7D"> is defined to be equal to <img src="https://latex.codecogs.com/png.latex?x_%7Bi,j%7D"> so we can use the coordinates to refer to a particular subscripted variable.</p>
<dl>
<dt>Property 4.</dt>
<dd>
<p>(No parallel dominoes)<br>
For every <img src="https://latex.codecogs.com/png.latex?1%20%5Cleq%20i,j%20%3C%208"> we have <img src="https://latex.codecogs.com/png.latex?%7C%5C%7Bx_%7B(i,j)%7D,x_%7B(i+1,j)%7D,x_%7B(i,j+1)%7D,x_%7B(i+1,j+1)%7D%5C%7D%5Ccap%5C%7Bn%5Cmid%20n%20%3E%200%5C%7D%7C%20%5Cneq%202."></p>
</dd>
</dl>
<p>These properties can be abbreviated to <img src="https://latex.codecogs.com/png.latex?P1,P2,P3,P4">, respectively. Now the puzzle amounts to finding a program <img src="https://latex.codecogs.com/png.latex?S"> that changes the variables <img src="https://latex.codecogs.com/png.latex?x_%7B1,1%7D,%5Cldots,x_%7B8,8%7D"> such that we can prove <img src="https://latex.codecogs.com/png.latex?%5C%7B%5Cmathbf%7Btrue%7D%5C%7D%5C%20S%5C%20%5C%7BP1%5Cland%20P2%5Cland%20P3%5Cland%20P4%5C%7D."> Consider a program that assigns the cells’ values according to Figure&nbsp;7. We can now verify whether the program indeed satisfies the specification, by checking whether all properties hold.</p>
<div id="fig-dominoes-4" class="quarto-float quarto-figure quarto-figure-center anchored">
<figure class="quarto-float quarto-float-fig figure">
<div aria-describedby="fig-dominoes-4-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
<img src="https://www.drheap.nl/articles/2024/on-invariance-and-inconsistency/fig7.png" class="img-fluid figure-img">
</div>
<figcaption class="quarto-float-caption-bottom quarto-float-caption quarto-float-fig" id="fig-dominoes-4-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
Figure&nbsp;7: An encoding of dominoes on an 8-by-8 board (we use a duotrigesimal numbering system, the shifted ‘extended hex’ numbers).
</figcaption>
</figure>
</div>
<p><img src="https://latex.codecogs.com/png.latex?P1"> holds because there are exactly 32 dominoes in the final state assigned to the variables. <img src="https://latex.codecogs.com/png.latex?P2"> holds since every number identifying a domino piece occurs exactly twice. <img src="https://latex.codecogs.com/png.latex?P3"> holds too, as can easily be seen from the different colors. However, checking <img src="https://latex.codecogs.com/png.latex?P4"> shows that this property is violated (see the center of the board).</p>
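<p>The specification is itself something that can be executed against a final state: each of <img src="https://latex.codecogs.com/png.latex?P1">, <img src="https://latex.codecogs.com/png.latex?P2">, <img src="https://latex.codecogs.com/png.latex?P3"> and <img src="https://latex.codecogs.com/png.latex?P4"> is a predicate over the variables <img src="https://latex.codecogs.com/png.latex?x_%7Bi,j%7D">, so the check that was done by eye for Figure&nbsp;7 can be done by a program. The following Python is an added example and not code from the article. The board is a list of lists with 0-based indices (the article counts from 1), and the two sample boards (an all-horizontal tiling and a two-domino partial tiling) are constructed here rather than taken from the figures. On the all-horizontal board the checker reports the same outcome the text finds for Figure&nbsp;7: everything but <img src="https://latex.codecogs.com/png.latex?P4"> holds.</p>

```python
from itertools import product

# Board encoding as in the article: board[i][j] is x_{i,j}; 0 means the cell
# is empty and a positive integer identifies a domino. Indices are 0-based.


def domino_ids(board):
    """D: the set of domino identifiers that occur somewhere in the table."""
    return {v for row in board for v in row if v > 0}


def p1_number_of_dominoes(board):
    """P1: a complete n-by-n tiling has exactly n*n/2 domino identifiers."""
    n = len(board)
    return len(domino_ids(board)) == n * n // 2


def p2_size_of_domino(board):
    """P2: every identifier in D occupies exactly two cells."""
    occurrences = {}
    for row in board:
        for v in row:
            if v > 0:
                occurrences[v] = occurrences.get(v, 0) + 1
    return all(c == 2 for c in occurrences.values())


def neighbourhood(n, i, j):
    """K(i,j): the orthogonal neighbours of (i,j) that lie within bounds."""
    candidates = [(i + 1, j), (i, j + 1), (i - 1, j), (i, j - 1)]
    return [(a, b) for a, b in candidates if 0 <= a < n and 0 <= b < n]


def p3_dominoes_line_up(board):
    """P3: a domino cell has exactly one neighbour carrying the same identifier.

    Empty cells are skipped (assumption: the informal reading of Property 3,
    which speaks only of cells that contain a domino identifier).
    """
    n = len(board)
    for i, j in product(range(n), repeat=2):
        v = board[i][j]
        if v == 0:
            continue
        same = sum(1 for a, b in neighbourhood(n, i, j) if board[a][b] == v)
        if same != 1:
            return False
    return True


def p4_no_parallel_dominoes(board):
    """P4: no 2-by-2 square contains exactly two distinct domino identifiers."""
    n = len(board)
    for i, j in product(range(n - 1), repeat=2):
        square = {board[i][j], board[i + 1][j], board[i][j + 1], board[i + 1][j + 1]}
        if len(square - {0}) == 2:
            return False
    return True


def violated_properties(board):
    """Names of the properties the final state violates; [] means S is correct."""
    checks = [("P1", p1_number_of_dominoes), ("P2", p2_size_of_domino),
              ("P3", p3_dominoes_line_up), ("P4", p4_no_parallel_dominoes)]
    return [name for name, holds in checks if not holds(board)]


def all_horizontal(n):
    """Constructed final state: an n-by-n board tiled with horizontal dominoes only.

    This is what the simplest conceivable program S produces; it is sample
    input for this example and not one of the article's figures.
    """
    board = [[0] * n for _ in range(n)]
    k = 1
    for i in range(n):
        for j in range(0, n, 2):
            board[i][j] = board[i][j + 1] = k
            k += 1
    return board


def partial_board(n, dominoes):
    """Constructed partial tiling from a list of ((i, j), (i', j')) cell pairs."""
    board = [[0] * n for _ in range(n)]
    for k, (cell_a, cell_b) in enumerate(dominoes, start=1):
        for i, j in (cell_a, cell_b):
            board[i][j] = k
    return board


if __name__ == "__main__":
    print(violated_properties(all_horizontal(8)))  # ['P4']
    stacked = partial_board(8, [((0, 0), (0, 1)), ((1, 0), (1, 1))])
    print(violated_properties(stacked))  # ['P1', 'P4']
```

<p>Note that the formal <img src="https://latex.codecogs.com/png.latex?P4"> counts positive values only, so on a partial board a 2-by-2 square with one empty cell and two dominoes already counts as a violation; that is why the two stacked dominoes in the second sample fail <img src="https://latex.codecogs.com/png.latex?P4"> as well as <img src="https://latex.codecogs.com/png.latex?P1">.</p>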
<p>If we slightly generalize the problem, then we see there is a solution. Suppose the board is infinite, i.e.&nbsp;we have an <img src="https://latex.codecogs.com/png.latex?%5Cinfty">-by-<img src="https://latex.codecogs.com/png.latex?%5Cinfty"> board, which we start tiling from the top-left corner. Then the following brick laying pattern can be continued indefinitely (see Figure&nbsp;8):</p>
<ul>
<li><p>Start horizontally with the dominoes <img src="https://latex.codecogs.com/png.latex?A_1,A_2,%5Cldots"> and lay the next on the right of the previous one until the entire first row is covered with dominoes.</p></li>
<li><p>Continue vertically with the dominoes <img src="https://latex.codecogs.com/png.latex?B_1,B_2,%5Cldots"> and lay the next below the previous one until the entire first column is also covered with dominoes.</p></li>
<li><p>We are now in the same situation as before: we want to fill an <img src="https://latex.codecogs.com/png.latex?%5Cinfty">-by-<img src="https://latex.codecogs.com/png.latex?%5Cinfty"> board, so we repeat the strategy of first laying <img src="https://latex.codecogs.com/png.latex?C_1,C_2,%5Cldots"> horizontally and then laying <img src="https://latex.codecogs.com/png.latex?D_1,D_2,%5Cldots"> vertically.</p></li>
</ul>
<div id="fig-dominoes-5" class="quarto-float quarto-figure quarto-figure-center anchored">
<figure class="quarto-float quarto-float-fig figure">
<div aria-describedby="fig-dominoes-5-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
<img src="https://www.drheap.nl/articles/2024/on-invariance-and-inconsistency/fig8.png" class="img-fluid figure-img">
</div>
<figcaption class="quarto-float-caption-bottom quarto-float-caption quarto-float-fig" id="fig-dominoes-5-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
Figure&nbsp;8: Laying dominoes on an <img src="https://latex.codecogs.com/png.latex?%5Cinfty">-by-<img src="https://latex.codecogs.com/png.latex?%5Cinfty"> board.
</figcaption>
</figure>
</div>
<p>Such an infinite board would then satisfy these properties:</p>
<ul>
<li><p>The number of dominoes on the infinite board is also infinite.</p></li>
<li><p>If we make sure that each domino is represented by a different number, then each such number occurs only twice. For example, we could take the numbering scheme where for each domino that lies on the coordinates <img src="https://latex.codecogs.com/png.latex?(i,j)"> and <img src="https://latex.codecogs.com/png.latex?(i',j')"> we take as identifier <img src="https://latex.codecogs.com/png.latex?%5Cmin(2%5Ei3%5Ej,2%5E%7Bi'%7D3%5E%7Bj'%7D)">.</p></li>
<li><p>The dominoes are placed correctly, as can be observed from the coloring.</p></li>
<li><p>There are no parallel dominoes, since each 2-by-2 square has exactly three dominoes.</p></li>
</ul>
<p>Note that we avoided the occurrence of four dominoes within a 2-by-2 square, as shown in Figure&nbsp;9.</p>
<div id="fig-dominoes-6" class="quarto-float quarto-figure quarto-figure-center anchored">
<figure class="quarto-float quarto-float-fig figure">
<div aria-describedby="fig-dominoes-6-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
<img src="https://www.drheap.nl/articles/2024/on-invariance-and-inconsistency/fig9.png" class="img-fluid figure-img">
</div>
<figcaption class="quarto-float-caption-bottom quarto-float-caption quarto-float-fig" id="fig-dominoes-6-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
Figure&nbsp;9: Laying dominoes in such a way that there are four different dominoes in the middle 2-by-2 square.
</figcaption>
</figure>
</div>
<p>More generally, we never have any of the patterns in Figure&nbsp;10 occurring. These patterns are called the top-right corner and bottom-left corner. Note that these patterns do occur in Figure&nbsp;9, so already from knowing the absence of these two corners we also know that there can be no four different dominoes within a 2-by-2 square.</p>
<div id="fig-dominoes-7" class="quarto-float quarto-figure quarto-figure-center anchored">
<figure class="quarto-float quarto-float-fig figure">
<div aria-describedby="fig-dominoes-7-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
<img src="https://www.drheap.nl/articles/2024/on-invariance-and-inconsistency/fig10.png" class="img-fluid figure-img">
</div>
<figcaption class="quarto-float-caption-bottom quarto-float-caption quarto-float-fig" id="fig-dominoes-7-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
Figure&nbsp;10: Patterns that never occur in the infinite solution.
</figcaption>
</figure>
</div>
<p>Now suppose we would cut off the board of Figure&nbsp;8 so to obtain an 8-by-8 board. We then see problems occurring at the boundaries, with dominoes sticking out. Here are two instances:</p>
<ol type="1">
<li><p>On the first column, we see that the domino <img src="https://latex.codecogs.com/png.latex?B_4"> falls out of bounds. Hence the only way to lay down that domino is by turning it 90 degrees.</p></li>
<li><p>On the second row, we see that the domino <img src="https://latex.codecogs.com/png.latex?C_4"> also falls out of bounds. Also here we would need to lay down that domino turned by 90 degrees.</p></li>
</ol>
<p>What we thus see is that whenever the board is finite, it must have one of the corners of Figure&nbsp;10. We shall now argue that it is impossible to satisfy <img src="https://latex.codecogs.com/png.latex?P4">, the property that no dominoes are parallel, whenever we have the (necessary) top-left corner and also either the bottom-left or the top-right corner on the board. We make a number of simplifying assumptions, but these do not hurt our demonstration (that is to say, these assumptions are without loss of generality):</p>
<ul>
<li><p>we assume we work on an arbitrary <img src="https://latex.codecogs.com/png.latex?n">-by-<img src="https://latex.codecogs.com/png.latex?n"> board where <img src="https://latex.codecogs.com/png.latex?n"> is even,</p></li>
<li><p>we assume we start with the same type of top-left corner and top-right corner where the horizontal domino is on top,</p></li>
<li><p>we assume that both corners occur on the same height.</p></li>
</ul>
<div id="fig-dominoes-8" class="quarto-float quarto-figure quarto-figure-center anchored">
<figure class="quarto-float quarto-float-fig figure">
<div aria-describedby="fig-dominoes-8-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
<img src="https://www.drheap.nl/articles/2024/on-invariance-and-inconsistency/fig11.png" class="img-fluid figure-img">
</div>
<figcaption class="quarto-float-caption-bottom quarto-float-caption quarto-float-fig" id="fig-dominoes-8-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
Figure&nbsp;11: Starting situation of the impossibility result.
</figcaption>
</figure>
</div>
<p>Now consider the situation of Figure&nbsp;11. Observe that, if all properties <img src="https://latex.codecogs.com/png.latex?P1"> through <img src="https://latex.codecogs.com/png.latex?P4"> are to be satisfied, it is impossible to place a domino vertically next to <img src="https://latex.codecogs.com/png.latex?B_1">, nor is it possible to place a domino vertically next to <img src="https://latex.codecogs.com/png.latex?C_n">. If we were to place a domino horizontally at the lower end of <img src="https://latex.codecogs.com/png.latex?B_1"> (thus forming a bottom-left corner), then we would need to place another domino on top of it that violates <img src="https://latex.codecogs.com/png.latex?P4">. Hence the only dominoes that are possible are those depicted in Figure&nbsp;12 (a). We end up with the other type of corner (where the vertical domino is on the side) and we can again analyze where to place the next domino in the corner next to <img src="https://latex.codecogs.com/png.latex?B_1"> and below <img src="https://latex.codecogs.com/png.latex?C_1">, and next to <img src="https://latex.codecogs.com/png.latex?C_n"> and below <img src="https://latex.codecogs.com/png.latex?C_%7Bn-1%7D">. After analyzing the possibilities and ruling out those that violate <img src="https://latex.codecogs.com/png.latex?P4">, we end up with the situation depicted in Figure&nbsp;12 (b).</p>
<div id="fig-dominoes-9" class="quarto-float quarto-figure quarto-figure-center anchored">
<figure class="quarto-float quarto-float-fig figure">
<div aria-describedby="fig-dominoes-9-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
<div id="fig-dominoes-9a" class="quarto-float quarto-figure quarto-figure-center anchored">
<figure class="quarto-float quarto-subfloat-fig figure">
<div aria-describedby="fig-dominoes-9a-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
<img src="https://www.drheap.nl/articles/2024/on-invariance-and-inconsistency/fig12a.png" class="img-fluid figure-img" data-ref-parent="fig-dominoes-9">
</div>
<figcaption class="quarto-float-caption-bottom quarto-subfloat-caption quarto-subfloat-fig" id="fig-dominoes-9a-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
(a) Second situation
</figcaption>
</figure>
</div>
<div id="fig-dominoes-9b" class="quarto-float quarto-figure quarto-figure-center anchored">
<figure class="quarto-float quarto-subfloat-fig figure">
<div aria-describedby="fig-dominoes-9b-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
<img src="https://www.drheap.nl/articles/2024/on-invariance-and-inconsistency/fig12b.png" class="img-fluid figure-img" data-ref-parent="fig-dominoes-9">
</div>
<figcaption class="quarto-float-caption-bottom quarto-subfloat-caption quarto-subfloat-fig" id="fig-dominoes-9b-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
(b) Third situation
</figcaption>
</figure>
</div>
</div>
<figcaption class="quarto-float-caption-bottom quarto-float-caption quarto-float-fig" id="fig-dominoes-9-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
Figure&nbsp;12: Stepping towards the impossibility result.
</figcaption>
</figure>
</div>
<p>After continuing this way, we see that we construct two ‘lines’, one originating from each corner. It is necessarily the case that these two lines will intersect!</p>
<div id="fig-dominoes-10" class="quarto-float quarto-figure quarto-figure-center anchored">
<figure class="quarto-float quarto-float-fig figure">
<div aria-describedby="fig-dominoes-10-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
<img src="https://www.drheap.nl/articles/2024/on-invariance-and-inconsistency/fig13.png" class="img-fluid figure-img">
</div>
<figcaption class="quarto-float-caption-bottom quarto-float-caption quarto-float-fig" id="fig-dominoes-10-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
Figure&nbsp;13: Last part of the impossibility result.
</figcaption>
</figure>
</div>
<p>In Figure&nbsp;13 we see the two lines coming diagonally out of the top-left corner and the top-right corner intersect. The way this plays out is as follows: we start with the corner consisting of dominoes <img src="https://latex.codecogs.com/png.latex?%5C%7B1,2%5C%7D"> (the top-left corner) and dominoes <img src="https://latex.codecogs.com/png.latex?%5C%7BA,B%5C%7D"> (the top-right corner). Then we necessarily place domino <img src="https://latex.codecogs.com/png.latex?3">, but this takes the same place as we would take when we would place a domino in the other corner. We now have two corners, but they share a domino, namely the dominoes <img src="https://latex.codecogs.com/png.latex?%5C%7B2,3%5C%7D"> (the top-left corner) and the dominoes <img src="https://latex.codecogs.com/png.latex?%5C%7B3,B%5C%7D"> (the top-right corner). We then place <img src="https://latex.codecogs.com/png.latex?4"> and <img src="https://latex.codecogs.com/png.latex?D"> in the only way possible inside these corners, but we see that this gives us a parallel pair of dominoes in a 2-by-2 square.</p>
<p>Summarizing, the argument goes as follows. If there are two corners on the board whose induced ‘diagonal lines’ intersect, this must give rise to a pair of parallel dominoes. Hence we cannot have both a top-left corner and a top-right corner on the board. However, for every <img src="https://latex.codecogs.com/png.latex?n">-by-<img src="https://latex.codecogs.com/png.latex?n"> board tiling it is necessary to have both a top-left corner and a top-right corner. Hence we cannot have a tiling of the <img src="https://latex.codecogs.com/png.latex?8">-by-<img src="https://latex.codecogs.com/png.latex?8"> board that also has no parallel dominoes.</p>
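<p>The argument above rules out a final state by hand. Because the board is finite, the same conclusion can also be checked mechanically. The following Python is an added example, not code from the article: it lays dominoes in row-major order (always covering the first empty cell, trying the horizontal placement before the vertical one) and abandons a partial tiling as soon as a fully covered 2-by-2 square holds exactly two dominoes. It reports that no <img src="https://latex.codecogs.com/png.latex?n">-by-<img src="https://latex.codecogs.com/png.latex?n"> tiling without parallel dominoes exists for <img src="https://latex.codecogs.com/png.latex?n"> = 2, 4, 6, 8, while the same search with the pruning switched off finds a tiling immediately, which shows that it is <img src="https://latex.codecogs.com/png.latex?P4"> alone that makes the requirements inconsistent. The board encoding and the search order are this example's own choices.</p>

```python
# Exhaustive search for a final state of the n-by-n domino puzzle. Cells are
# covered in row-major order, so the domino covering the first empty cell must
# extend to the right or downwards: those two branches are exhaustive. Every
# 2-by-2 square that has just become fully covered is checked against P4 at
# once, which prunes the search the moment two parallel dominoes appear.


def find_tiling(n, forbid_parallel=True):
    """Return an n-by-n board (0 = empty, k > 0 = domino k) completely tiled
    with dominoes, or None if no such tiling exists. With forbid_parallel=True
    the tiling must also satisfy P4; with it off, any tiling is accepted."""
    board = [[0] * n for _ in range(n)]

    def squares_ok(cells):
        # Look at each 2-by-2 square containing one of the cells just filled;
        # a square that is fully covered by exactly two dominoes violates P4.
        for i, j in cells:
            for a, b in ((i - 1, j - 1), (i - 1, j), (i, j - 1), (i, j)):
                if not (0 <= a < n - 1 and 0 <= b < n - 1):
                    continue
                square = (board[a][b], board[a + 1][b],
                          board[a][b + 1], board[a + 1][b + 1])
                if all(square) and len(set(square)) == 2:
                    return False
        return True

    def first_empty():
        for idx in range(n * n):
            i, j = divmod(idx, n)
            if board[i][j] == 0:
                return i, j
        return None

    def lay(k):
        cell = first_empty()
        if cell is None:
            return True  # the board is completely covered
        i, j = cell
        for a, b in ((i, j + 1), (i + 1, j)):  # horizontal, then vertical
            if a < n and b < n and board[a][b] == 0:
                board[i][j] = board[a][b] = k
                if (not forbid_parallel or squares_ok([(i, j), (a, b)])) and lay(k + 1):
                    return True
                board[i][j] = board[a][b] = 0  # backtrack
        return False

    return board if lay(1) else None


def count_parallel_squares(board):
    """Number of 2-by-2 squares holding exactly two dominoes (P4 violations)."""
    n = len(board)
    total = 0
    for i in range(n - 1):
        for j in range(n - 1):
            ids = {board[i][j], board[i + 1][j], board[i][j + 1], board[i + 1][j + 1]} - {0}
            total += len(ids) == 2
    return total


if __name__ == "__main__":
    for n in (2, 4, 6, 8):
        found = find_tiling(n) is not None
        print(n, "tiling without parallel dominoes found" if found else "no such tiling")
    unconstrained = find_tiling(8, forbid_parallel=False)
    print("P4 violations in the unconstrained tiling:", count_parallel_squares(unconstrained))
```

<p>The search is sound for the same reason the corner argument works: because all cells before the first empty one are already covered, any 2-by-2 square whose bottom-right cell has just been filled is complete and can be judged immediately, and a partial tiling that already contains a parallel pair can never be extended into a final state satisfying <img src="https://latex.codecogs.com/png.latex?P4">. Without the pruning the horizontal-first order simply produces the all-horizontal tiling, in which every square aligned with the dominoes is a violation.</p>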
</section>
<section id="sec-conclusion" class="level2" data-number="5">
<h2 data-number="5" class="anchored" data-anchor-id="sec-conclusion"><span class="header-section-number">5</span> Conclusion</h2>
<p>We have now seen two example puzzles, which we phrased by means of asking whether we can come up with a program that satisfies certain requirements. In the first example (Section&nbsp;3) we have seen that the program’s requirements can (1) be stated formally, and (2) a final state was imaginable that satisfies the end goal, but (3) there was no correct program that reaches the final state. In the second example (Section&nbsp;4) we have seen that the requirements themselves can (1) be stated formally, but already that (2) no final state was imaginable that satisfies the end goal. If there is no final state that satisfies the requirements, it is impossible to write a correct program. This must be a valid conclusion, since each program only moves from state to state, and there does not even exist a state that satisfies the requirements.</p>
<p>All this serves to show that program correctness is a difficult subject. It shows that sometimes it is ‘easy to ask’ but ‘difficult to deliver’. Extensive analysis of a problem is required to obtain (1) a formal description of the problem, and (2) a proof that the requirements are consistent. Even before one starts writing a program, one already has to face an undecidable problem: namely, to check that the requirements are consistent! And we have seen a concrete example where this is not the case, even when the problem looks simple. If the requirements are satisfiable, we then face the second difficult problem: does there exist a correct program? We have seen that this is not obvious either. To show that there does not exist a correct program, we need to formulate an invariant that any program preserves but which the final state violates. On the other hand, whenever there exists a non-trivial program (i.e.&nbsp;one involving a loop), we also face a difficult problem: proving it correct requires us to come up with an invariant as well.</p>
<p>This finally gives us two slogans:</p>
<div class="framed">
<p>To show a program is correct, requires one to find an invariant.<br>
To show there is no correct program, also requires one to find an invariant.</p>
</div>
<p>and</p>
<div class="framed">
<p>Correctness is impossible to attain if the requirements are inconsistent.</p>
</div>
<p><strong>Bonus questions.</strong></p>
<ol type="1">
<li><p>Can you analyze the problem of swapping rows and columns also in the context of concurrent client programs?</p></li>
<li><p>What about tiling the board without parallel dominoes when the boundaries are glued to each other in weird (non-Euclidean) ways?</p></li>
</ol>
</section>



<div id="quarto-appendix" class="default"><section id="acknowledgments" class="level2 appendix unnumbered"><h2 class="anchored quarto-appendix-heading">Acknowledgments</h2><div class="quarto-appendix-contents">

<p>Cover image credit: <a href="https://unsplash.com/@thomascouillard">Thomas Couillard</a></p>
</div></section><section id="footnotes" class="footnotes footnotes-end-of-document"><h2 class="anchored quarto-appendix-heading">Footnotes</h2>

<ol>
<li id="fn1"><p>Access to an oracle that provides the valid formulas in arithmetic (this is an undecidable problem), and the expressivity of loop invariants.↩︎</p></li>
<li id="fn2"><p>Technically, the ‘quantifiers’ in the precondition are not first-order quantifiers but instead abbreviations where <img src="https://latex.codecogs.com/png.latex?i"> and <img src="https://latex.codecogs.com/png.latex?j"> are meta-variables that range over finitely many constant values: thus the formula is a big conjunction with sixteen clauses where each clause specifies the value of precisely one variable.↩︎</p></li>
</ol>
</section><section class="quarto-appendix-contents" id="quarto-citation"><h2 class="anchored quarto-appendix-heading">Citation</h2><div><div class="quarto-appendix-secondary-label">BibTeX citation:</div><pre class="sourceCode code-with-copy quarto-appendix-bibtex"><code class="sourceCode bibtex">@article{hiep2024,
  author = {Hiep, Hans-Dieter A.},
  title = {On Invariance and Inconsistency},
  journal = {dr. heap},
  volume = {2},
  number = {1},
  date = {2024-02-16},
  url = {https://www.drheap.nl/articles/2024/on-invariance-and-inconsistency/},
  doi = {10.59350/2r39a-f7740},
  issn = {3050-5224},
  langid = {en}
}
</code></pre><div class="quarto-appendix-secondary-label">For attribution, please cite this work as:</div><div id="ref-hiep2024" class="csl-entry quarto-appendix-citeas">
<div class="">Hans-Dieter A. Hiep. On invariance and
inconsistency. <em>dr. heap</em> volume 2, issue 1 (February 2024). <a href="https://doi.org/10.59350/2r39a-f7740">https://doi.org/10.59350/2r39a-f7740</a></div>
</div></div></section></div> ]]></description>
  <category>Lecture Notes</category>
  <category>Program Correctness</category>
  <guid>https://www.drheap.nl/articles/2024/on-invariance-and-inconsistency/</guid>
  <pubDate>Thu, 15 Feb 2024 23:00:00 GMT</pubDate>
  <media:content url="https://www.drheap.nl/articles/2024/on-invariance-and-inconsistency/cover-min.jpg" medium="image" type="image/jpeg"/>
</item>
<item>
  <title>Can the Collatz conjecture be proven, or not?</title>
  <dc:creator>Hans-Dieter A. Hiep</dc:creator>
  <link>https://www.drheap.nl/articles/2023/can-the-collatz-conjecture-be-proven-or-not/</link>
  <description><![CDATA[ 





<p><a href="main.pdf" class="btn btn-default downloadthis  " id="dnldts32863"><i class="bi bi-download"></i> Download the PDF version of this article </a></p>
<section id="introduction" class="level2" data-number="1">
<h2 data-number="1" class="anchored" data-anchor-id="introduction"><span class="header-section-number">1</span> Introduction</h2>
<p>In 1937, shortly after the mathematician <a href="https://mathshistory.st-andrews.ac.uk/Biographies/Collatz/">Lothar Collatz</a> obtained his doctorate, he wrote down a problem in his notebook that later became known as <em>Collatz’ problem</em> or <em>the <img src="https://latex.codecogs.com/png.latex?(3x+1)">-problem</em>. The problem is remarkable since it is easy to state, but for more than eighty years no solution has been found.</p>
<p>Before the problem can be stated, we first need two ingredients: we define a function, and we recall what repeated function application is. The function&nbsp;<img src="https://latex.codecogs.com/png.latex?f"> is defined on the positive natural numbers (<img src="https://latex.codecogs.com/png.latex?1">, <img src="https://latex.codecogs.com/png.latex?2">, <img src="https://latex.codecogs.com/png.latex?3">, et cetera) with the following specification: <img src="https://latex.codecogs.com/png.latex?%5Cbegin%7Bgathered%7D%0Af(x)%20=%20x%20%5Cdiv%202%20%5Ctext%7B%20if%20%7Dx%5Ctext%7B%20is%20even%7D,%5C%5C%0Af(x)%20=%203%20%5Ctimes%20x%20+%201%20%5Ctext%7B%20if%20%7Dx%5Ctext%7B%20is%20odd%7D.%0A%5Cend%7Bgathered%7D"> Now take an arbitrary positive natural number <img src="https://latex.codecogs.com/png.latex?n">. We can repeatedly apply the function <img src="https://latex.codecogs.com/png.latex?f"> starting with <img src="https://latex.codecogs.com/png.latex?n">, i.e.&nbsp;<img src="https://latex.codecogs.com/png.latex?f(n)">, <img src="https://latex.codecogs.com/png.latex?f(f(n))">, <img src="https://latex.codecogs.com/png.latex?f(f(f(n)))">, et cetera. We write <img src="https://latex.codecogs.com/png.latex?f%5Ei(n)"> to mean that the function <img src="https://latex.codecogs.com/png.latex?f"> is applied <img src="https://latex.codecogs.com/png.latex?i"> times starting with <img src="https://latex.codecogs.com/png.latex?n">, so that we have <img src="https://latex.codecogs.com/png.latex?f%5E1(n)=f(n)"> and <img src="https://latex.codecogs.com/png.latex?f%5E%7Bi+1%7D(n)=f(f%5Ei(n))">. The superscript notation, an operation on a function, should not be confused with exponentiation, an operation on a number. 
With this in mind, we can state the problem: for every positive natural number <img src="https://latex.codecogs.com/png.latex?n">, is there an <img src="https://latex.codecogs.com/png.latex?i"> such that <img src="https://latex.codecogs.com/png.latex?f%5Ei(n)%20=%201">?</p>
<p>We can first try out a number of examples, to gain some intuition about the problem. If we take <img src="https://latex.codecogs.com/png.latex?n%20=%201">, can we find an <img src="https://latex.codecogs.com/png.latex?i">? Clearly, <img src="https://latex.codecogs.com/png.latex?f(1)"> is <img src="https://latex.codecogs.com/png.latex?4">, since <img src="https://latex.codecogs.com/png.latex?1"> is odd and so the second clause of the definition of <img src="https://latex.codecogs.com/png.latex?f"> applies, and <img src="https://latex.codecogs.com/png.latex?3%5Ctimes%201%20+%201"> is <img src="https://latex.codecogs.com/png.latex?4">. Then we evaluate <img src="https://latex.codecogs.com/png.latex?f(f(1))">, which is <img src="https://latex.codecogs.com/png.latex?f(4)">: since <img src="https://latex.codecogs.com/png.latex?4"> is even the first clause applies, so we have <img src="https://latex.codecogs.com/png.latex?f(4)%20=%202">. Finally, we evaluate <img src="https://latex.codecogs.com/png.latex?f(f(f(1)))">, which is <img src="https://latex.codecogs.com/png.latex?f(2)">: since <img src="https://latex.codecogs.com/png.latex?2"> is even we have <img src="https://latex.codecogs.com/png.latex?f(2)=1">. So <img src="https://latex.codecogs.com/png.latex?f%5E3(1)=1">, hence we can take <img src="https://latex.codecogs.com/png.latex?i"> to be three. For <img src="https://latex.codecogs.com/png.latex?n%20=%201"> the problem can be solved.</p>
<p>The process we tried is called iteration. We find <img src="https://latex.codecogs.com/png.latex?i"> by starting with the smallest value and try out successively larger values for <img src="https://latex.codecogs.com/png.latex?i"> until we reach our desired destination. This process works efficiently, since the computations we did in the past to find out whether <img src="https://latex.codecogs.com/png.latex?i"> was a solution can be reused to find out whether <img src="https://latex.codecogs.com/png.latex?i+1"> is a solution. In the case of Collatz’ problem, we see that the outcome of the previous try, i.e.&nbsp;<img src="https://latex.codecogs.com/png.latex?f%5Ei(n)">, is what we feed back as input in the next try, i.e.&nbsp;<img src="https://latex.codecogs.com/png.latex?f(f%5Ei(n))"> computes <img src="https://latex.codecogs.com/png.latex?f%5E%7Bi+1%7D(n)">.</p>
<p>Such iterative processes can be written down neatly. Say we start with <img src="https://latex.codecogs.com/png.latex?n%20=%205">. How often do we need to apply the function <img src="https://latex.codecogs.com/png.latex?f"> until we reach the destination <img src="https://latex.codecogs.com/png.latex?1">? We write the following sequence, where each number is separated by an arrow: <img src="https://latex.codecogs.com/png.latex?5%20%5Clongrightarrow%2016%20%5Clongrightarrow%208%20%5Clongrightarrow%204%20%5Clongrightarrow%202%20%5Clongrightarrow%201."> The computation sequence starts with <img src="https://latex.codecogs.com/png.latex?5"> and we get <img src="https://latex.codecogs.com/png.latex?16"> after applying <img src="https://latex.codecogs.com/png.latex?f"> once (<img src="https://latex.codecogs.com/png.latex?3%5Ctimes%205%20+%201%20=%2016">), we get <img src="https://latex.codecogs.com/png.latex?8"> after applying <img src="https://latex.codecogs.com/png.latex?f"> again (so twice from our starting point), and so on, until we reach our destination after applying <img src="https://latex.codecogs.com/png.latex?f"> five times from where we started. In other words, we have <img src="https://latex.codecogs.com/png.latex?f%5E5(5)%20=%201">. So for <img src="https://latex.codecogs.com/png.latex?n%20=%205">, we know there exists an <img src="https://latex.codecogs.com/png.latex?i">, namely <img src="https://latex.codecogs.com/png.latex?5">, such that <img src="https://latex.codecogs.com/png.latex?f%5Ei(n)%20=%201">. But meanwhile we also discovered a solution for <img src="https://latex.codecogs.com/png.latex?n%20=%2016">, <img src="https://latex.codecogs.com/png.latex?n%20=%208">, <img src="https://latex.codecogs.com/png.latex?n%20=%204"> and <img src="https://latex.codecogs.com/png.latex?n%20=%202">, since these were the intermediary numbers that turned up in the computation starting in <img src="https://latex.codecogs.com/png.latex?5">.</p>
<p>As another example, take <img src="https://latex.codecogs.com/png.latex?n%20=%203">. We then have <img src="https://latex.codecogs.com/png.latex?f(3)%20=%203%5Ctimes%203%20+%201%20=%2010">, and <img src="https://latex.codecogs.com/png.latex?f(10)%20=%205">, and from that point onward we already know what happens. Starting with the number <img src="https://latex.codecogs.com/png.latex?5">, we see that we can extend the computation sequence towards the right (each time computing the function <img src="https://latex.codecogs.com/png.latex?f">), but we can <em>also</em> extend the computation sequence towards the left: <img src="https://latex.codecogs.com/png.latex?%5Cldots%20%5Clongrightarrow%203%20%5Clongrightarrow%2010%20%5Clongrightarrow%205%20%5Clongrightarrow%20%5Cldots"> What would be the number before <img src="https://latex.codecogs.com/png.latex?3">? And what would the computation sequence starting from <img src="https://latex.codecogs.com/png.latex?7"> look like? The reader may try answering these questions, to gain some intuition about Collatz’ problem.</p>
<p>For some numbers <img src="https://latex.codecogs.com/png.latex?n">, the solution is not immediately obvious. The reader may try out <img src="https://latex.codecogs.com/png.latex?n%20=%2027"> (but, beware, the computation takes more than 100 steps). In fact, for large enough <img src="https://latex.codecogs.com/png.latex?n">, the intermediary numbers that the computation goes through can be used to generate pseudo-random numbers that pass standard tests for randomness <span class="citation" data-cites="xu2019pseudo">[12]</span>. This fact may give us the impression that the numbers involved in the computation do not give much insight into solving the problem.</p>
<p>Now, the conjecture states that <em>there is</em> a solution for every <img src="https://latex.codecogs.com/png.latex?n">. This is what is known as the ‘Collatz conjecture’. Although the problem is quite old, more recently a new interest for the problem emerged—as witnessed by the many published articles, including scientific articles (e.g.&nbsp;<span class="citation" data-cites="andrei1998collatz andrei2000some andaloro2002problem">[2–4]</span>) and articles in the popular press (e.g.&nbsp;<a href="https://www.quantamagazine.org/why-mathematicians-still-cant-solve-the-collatz-conjecture-20200922/"><em>The Simple Math Problem We Still Can’t Solve</em></a> in QuantaMagazine). Also on social media such as MathOverflow, unanswered questions are raised, such as <a href="https://math.stackexchange.com/questions/4364817/how-to-know-when-the-collatz-conjecture-has-been-proved">“How to know when the Collatz conjecture has been proved?”</a></p>
<p>In 2013, the late John H. Conway wrote about the problem in The American Mathematical Monthly, in an article entitled <em>On unsettleable arithmetical problems</em>&nbsp;<span class="citation" data-cites="conway2013unsettleable">[8]</span>. In that article, Conway also speaks of well-known results such as Turing’s unsolvable halting problem or Gödel’s incompleteness theorem. The halting problem is the question whether an algorithm halts (which, as we shall see, has Collatz’ problem as an instance) and Turing showed that it is in general unsolvable. The incompleteness theorem states that there are true statements in a formal system called Peano arithmetic that cannot be proven from Peano’s axioms. The two results are closely related: there is a proof of the incompleteness theorem by reduction to the halting problem <span class="citation" data-cites="tourlakis2022incompleteness">[11]</span>.</p>
<p>Conway argues that it is very unlikely that the Collatz problem is settleable—a technical term he introduces for true assertions, as phrased in a set theoretical language, that can also be proven. A problem is unsettleable if it is true, but cannot be proven. There surely are unsettleable (or, unsettling?) assertions: the axioms of set theory are insufficient for proving all true assertions, by Gödel’s incompleteness theorem. But I find Conway’s argument, that the Collatz conjecture is unlikely to be settleable, too difficult to grasp—it is probably because I lack the background knowledge and intuition behind his argument. However, Conway is not sure, and still leaves open the possibility for the conjecture to be proven:</p>
<blockquote class="blockquote">
<p>“I don’t want readers to take these words on trust but rather to encourage those who don’t find them convincing to try even harder to prove the Collatz Conjecture!” <span class="citation" data-cites="conway2013unsettleable">[8]</span></p>
</blockquote>
<p>A quick search on Google Scholar shows articles that claim to have proven the Collatz conjecture. These articles are not published, but are available on pre-print servers or institutional repositories on the Web. How can we evaluate such articles? Are they really proofs? Is it worth our time to review them?</p>
<p>By accident, I stumbled upon the pre-print paper <em>Collatz conjecture becomes theorem</em> by Mirkowska and Salwicki <span class="citation" data-cites="mirkowska2023collatz">[10]</span>. Grażyna Mirkowska is a professor emeritus of Warsaw University, and she is an expert on mathematical logic, program semantics, and formal verification. Andrzej Salwicki is also professor emeritus, founder of the journal Fundamenta Informaticae, and he is an expert on the mathematical foundations of computer science. Both worked together on the 1978 book on <em>Algorithmic Logic</em> <span class="citation" data-cites="mirkowska1987algorithmic">[9]</span>, among other works. Algorithmic logic is closely related to my field of expertise, Hoare’s logic and dynamic logic.</p>
<p>Maybe I can understand what is written in their article? In the final remarks, the authors write:</p>
<blockquote class="blockquote">
<p>“We know that our presentation is clumsy (we are of age, English is not our native language).” <span class="citation" data-cites="mirkowska2023collatz">[10]</span></p>
</blockquote>
<p>It is not a good idea to reject this paper because of a clumsy presentation: the authors have a track record in the field, and their work must be taken seriously. Maybe I can figure out whether their paper makes sense to me? The adventure thus begins... And in this article, I do not present my own work, but I present what I could distill from what Mirkowska and Salwicki wrote.</p>
<div class="callout callout-style-default callout-note callout-titled">
<div class="callout-header d-flex align-content-center">
<div class="callout-icon-container">
<i class="callout-icon"></i>
</div>
<div class="callout-title-container flex-fill">
Note
</div>
</div>
<div class="callout-body-container callout-body">
<p>This article assumes the reader has knowledge of Hoare’s logic. See, for reference: <em>A Discipline of Programming</em> by Edsger Dijkstra (1976), <em>Mathematical Theory of Program Correctness</em> by Jaco de Bakker (1980), <em>The Science of Programming</em> by David Gries (1981), <em>Program Verification</em> by Nissim Francez (1992), <em>Verification of Sequential and Concurrent Programs</em> by Krzysztof Apt, Frank de Boer &amp; Ernst-Rüdiger Olderog (2009). See the survey paper by Apt and Olderog <span class="citation" data-cites="apt2019fifty">[5]</span> for more references.</p>
</div>
</div>
</section>
<section id="problem-statement" class="level2" data-number="2">
<h2 data-number="2" class="anchored" data-anchor-id="problem-statement"><span class="header-section-number">2</span> Problem statement</h2>
<p>First, we revisit the conjecture. We can understand the conjecture in a different way, by studying the program in Figure&nbsp;1. Looking at the program as given, we have the following primitive operations and tests:</p>
<ul>
<li><p>the test <img src="https://latex.codecogs.com/png.latex?x%5Cneq%201"> for deciding whether the number <img src="https://latex.codecogs.com/png.latex?x"> is not equal to <img src="https://latex.codecogs.com/png.latex?1">,</p></li>
<li><p>the test <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7Beven%7D(x)"> for deciding whether <img src="https://latex.codecogs.com/png.latex?x"> is even,</p></li>
<li><p>the primitive operation <img src="https://latex.codecogs.com/png.latex?x%20:=%20x%5Cdiv%202"> for dividing the number by two—but this operation is only executed in the context where we know that the old value of <img src="https://latex.codecogs.com/png.latex?x"> is even and not equal to <img src="https://latex.codecogs.com/png.latex?1">,</p></li>
<li><p>the primitive operation <img src="https://latex.codecogs.com/png.latex?x%20:=%203%20%5Ctimes%20x%20+%201"> that multiplies the old value of <img src="https://latex.codecogs.com/png.latex?x"> by the constant three and adds the constant one—this operation is only executed in the context where we know that <img src="https://latex.codecogs.com/png.latex?x"> is odd and not equal to <img src="https://latex.codecogs.com/png.latex?1">.</p></li>
</ul>
<p>If the program terminates on every input <img src="https://latex.codecogs.com/png.latex?x%20%5Cgeq%201">, then the Collatz conjecture is true. From the terminating execution of the program we can then extract the computation sequence, simply by looking at the values that <img src="https://latex.codecogs.com/png.latex?x"> takes over time. If, however, the program runs infinitely for some input <img src="https://latex.codecogs.com/png.latex?x%5Cgeq%201">, then we have a counterexample to the Collatz conjecture.</p>
<div id="fig-program" class="quarto-float quarto-figure quarto-figure-center anchored">
<figure class="quarto-float quarto-float-fig figure">
<div aria-describedby="fig-program-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
<img src="https://www.drheap.nl/articles/2023/can-the-collatz-conjecture-be-proven-or-not/fig1.png" class="img-fluid figure-img">
</div>
<figcaption class="quarto-float-caption-bottom quarto-float-caption quarto-float-fig" id="fig-program-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
Figure&nbsp;1: A program representation of the Collatz conjecture.
</figcaption>
</figure>
</div>
<p>Let us abbreviate the program in Figure&nbsp;1 by <img src="https://latex.codecogs.com/png.latex?S">. We reformulate the question, whether the program <img src="https://latex.codecogs.com/png.latex?S"> terminates or not, as follows:</p>
<ul>
<li><p>If <img src="https://latex.codecogs.com/png.latex?%5C%7Bx%5Cgeq%201%5Cland%20%5Cphi%5C%7D%5Cmathrel%7BS%7D%5C%7B%5Cmathbf%7Bfalse%7D%5C%7D"> is provable for some <img src="https://latex.codecogs.com/png.latex?%5Cphi"> in Hoare’s logic for partial correctness such that the precondition is satisfiable, then we know that the Collatz conjecture is false.</p></li>
<li><p>If <img src="https://latex.codecogs.com/png.latex?%5C%7Bx%5Cgeq%201%5C%7D%5Cmathrel%7BS%7D%5C%7B%5Cmathbf%7Btrue%7D%5C%7D"> is provable in Hoare’s logic for total correctness, then we know that the Collatz conjecture is true.</p></li>
</ul>
<p>This formulation raises a number of questions, as is often the case in Hoare’s logic. What is the language we use in assertions? What is the program theory? And what is the background theory?</p>
<p>What is the logical language we use in assertions? We restrict ourselves to a first-order language consisting of addition only. This language consists of first-order formulas with respect to a signature with:</p>
<ul>
<li><p>the constant individual symbol <img src="https://latex.codecogs.com/png.latex?0">,</p></li>
<li><p>the constant individual symbol <img src="https://latex.codecogs.com/png.latex?1">,</p></li>
<li><p>the binary function symbol <img src="https://latex.codecogs.com/png.latex?+">.</p></li>
</ul>
<p>We can also introduce abbreviations: for every natural number <img src="https://latex.codecogs.com/png.latex?n"> we have the numeral <img src="https://latex.codecogs.com/png.latex?%5Cunderline%7Bn%7D">. We have <img src="https://latex.codecogs.com/png.latex?%5Cunderline%7B0%7D%20=%200">, and for any <img src="https://latex.codecogs.com/png.latex?n%20%5Cgeq%200"> we have <img src="https://latex.codecogs.com/png.latex?%5Cunderline%7B(n%20+%201)%7D%20=%20%5Cunderline%7Bn%7D%20+%201">. In other words, we have the numerals: <img src="https://latex.codecogs.com/png.latex?%5Cunderline%7B0%7D%20=%200,%5C%20%5Cunderline%7B1%7D%20=%201,%5C%20%5Cunderline%7B2%7D%20=%201%20+%201,%5C%20%5Cunderline%7B3%7D%20=%20(1%20+%201)%20+%201,%5C%20%5Cunderline%7B4%7D%20=%20((1%20+%201)%20+%201)%20+%201,%5C%20%5Cldots"> Note that these numerals are terms constructed from constants and function symbols, hence do not depend on the value of variables: the numerals are all ground. Also, we implicitly used the fact that <img src="https://latex.codecogs.com/png.latex?0%20+%201%20=%201"> since this follows from the background theory we introduce later.</p>
<p>We introduce the abbreviation <img src="https://latex.codecogs.com/png.latex?x%20%3C%20y"> to stand for <img src="https://latex.codecogs.com/png.latex?(%5Cexists%20z)(z%5Cneq%200%5Cland%20x%20+%20z%20=%20y)"> where <img src="https://latex.codecogs.com/png.latex?z"> is fresh (so not equal to either <img src="https://latex.codecogs.com/png.latex?x"> or <img src="https://latex.codecogs.com/png.latex?y">). <img src="https://latex.codecogs.com/png.latex?y%20%3E%20x"> abbreviates <img src="https://latex.codecogs.com/png.latex?x%20%3C%20y">, and <img src="https://latex.codecogs.com/png.latex?x%20%5Cgeq%20y"> abbreviates <img src="https://latex.codecogs.com/png.latex?%7By%20%3C%20x%7D%20%5Clor%20%7By%20=%20x%7D">.</p>
<p>In the same way as for the numerals, we can also introduce abbreviations for multiplication by a numeral: <img src="https://latex.codecogs.com/png.latex?%5Cunderline%7B0%7D%5Ctimes%20x%20=%200">, <img src="https://latex.codecogs.com/png.latex?%5Cunderline%7B(n%20+%201)%7D%5Ctimes%20x%20=%20x%20+%20(%5Cunderline%7Bn%7D%5Ctimes%20x)"> for <img src="https://latex.codecogs.com/png.latex?n%5Cgeq%200">. In other words, we have the abbreviations <img src="https://latex.codecogs.com/png.latex?%5Cunderline%7B0%7D%5Ctimes%20x%20=%200,%5C%20%5Cunderline%7B1%7D%5Ctimes%20x%20=%20x,%5C%20%5Cunderline%7B2%7D%5Ctimes%20x%20=%20x%20+%20x,%5C%20%5Cunderline%7B3%7D%5Ctimes%20x%20=%20x%20+%20x%20+%20x,%5C%20%5Cldots"> where we implicitly assume that <img src="https://latex.codecogs.com/png.latex?+"> is associative, and <img src="https://latex.codecogs.com/png.latex?x%20+%200%20=%20x"> (again, we shall introduce the background theory later, from which these properties follow).</p>
<p>What is the program theory? This question amounts to showing how we axiomatize the primitive operations and tests. We introduce a predicate symbol for the test <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7Beven%7D(x)">, where <img src="https://latex.codecogs.com/png.latex?x"> is a variable. We can define this predicate symbol in our language as follows: <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7Beven%7D(x)%20%5Cequiv_%5Cmathrm%7Bdef%7D%20(%5Cexists%20y)(x%20=%20y%20+%20y)."> It is necessary that tests are decidable. Otherwise, if one would execute the program, one cannot make the case distinction in the <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Bif%7D">-statement.</p>
<p>Given that we have a formal understanding of the test, how do we axiomatize the two updates? We introduce the following axiom schemes. <img src="https://latex.codecogs.com/png.latex?%5C%7B(%5Cexists%20y)(x%20=%20y%20+%20y%20%5Cland%20%5Cphi%5Bx%20:=%20y%5D)%5C%7D%5Cmathrel%7Bx%20:=%20x%20%5Cdiv%202%7D%5C%7B%5Cphi%5C%7D%5Ctext%7B%20where%20%7Dy%5Ctext%7B%20is%20fresh%7D"> The precondition of the division-by-two update states that the original value of <img src="https://latex.codecogs.com/png.latex?x"> must be even before executing the operation. The witness of evenness, <img src="https://latex.codecogs.com/png.latex?y">, is substituted for <img src="https://latex.codecogs.com/png.latex?x"> in the postcondition—and we require the variable <img src="https://latex.codecogs.com/png.latex?y"> to be fresh, that is, not already occurring in <img src="https://latex.codecogs.com/png.latex?%5Cphi"> and different from the variable <img src="https://latex.codecogs.com/png.latex?x">. <img src="https://latex.codecogs.com/png.latex?%5C%7B%5Cphi%5Bx%20:=%20(%5Cunderline%7B3%7D%5Ctimes%20x)%20+%201%5D%5C%7D%5Cmathrel%7Bx%20:=%203%5Ctimes%20x%20+%201%7D%5C%7B%5Cphi%5C%7D"> The precondition of the times-three-plus-one update is the weakest precondition given the postcondition <img src="https://latex.codecogs.com/png.latex?%5Cphi">. Notice how we are able to express the new value of <img src="https://latex.codecogs.com/png.latex?x"> in terms of the old value of <img src="https://latex.codecogs.com/png.latex?x"> only by using the constant symbol&nbsp;<img src="https://latex.codecogs.com/png.latex?1"> and function symbol&nbsp;<img src="https://latex.codecogs.com/png.latex?+"> from our signature (recall that our multiplication by a numeral is an abbreviation, viz.&nbsp;<img src="https://latex.codecogs.com/png.latex?x%20+%20x%20+%20x">).</p>
<p>Now that we have axiomatized the test and primitive operations, we turn to the last question. What is the background theory? Until now, one may freely interpret what the language means. By means of a background theory we restrict the possible interpretations. From the background theory, we can derive consequences which must hold in every program state.</p>
<p>As background theory we take Presburger arithmetic. Presburger arithmetic is a restriction of Peano arithmetic, as it speaks only of the addition operation on numbers. By Gödel’s incompleteness theorem, the formal theory of Peano arithmetic can be shown to be incomplete, that is, there are valid sentences that are not consequences of the axioms. What is remarkable about Presburger arithmetic, however, is that its theory is complete: all valid sentences are also consequences of the axioms.</p>
<p>Furthermore, the axiomatization of Presburger arithmetic is recursive, that is, there exists a procedure to decide what are the axioms of Presburger arithmetic. From this, we also obtain that the formal theory of Presburger arithmetic is decidable: for any sentence, either we can use the standard proof system of first-order logic and prove that the sentence is valid, or we can effectively find a model that satisfies all axioms but in which the sentence is false.</p>
<p>There are different presentations of the same theory. We shall give one that is short on paper, but it is presented by using the unary function <img src="https://latex.codecogs.com/png.latex?s">. The unary function <img src="https://latex.codecogs.com/png.latex?s"> is defined by <img src="https://latex.codecogs.com/png.latex?s(x)%20=%20x%20+%201">, and we have that <img src="https://latex.codecogs.com/png.latex?1%20=%20s(0)">. The other axioms of Presburger arithmetic are the following:</p>
<ol type="1">
<li><p><img src="https://latex.codecogs.com/png.latex?(%5Cforall%20x)(s(x)%20%5Cneq%200)">,</p></li>
<li><p><img src="https://latex.codecogs.com/png.latex?(%5Cforall%20x)(%5Cforall%20y)(s(x)%20=%20s(y)%20%5Cto%20x%20=%20y)">,</p></li>
<li><p><img src="https://latex.codecogs.com/png.latex?(%5Cforall%20x)(x%20+%200%20=%20x)">,</p></li>
<li><p><img src="https://latex.codecogs.com/png.latex?(%5Cforall%20x)(%5Cforall%20y)(s(y)%20+%20x%20=%20s(y%20+%20x))">,</p></li>
<li><p><img src="https://latex.codecogs.com/png.latex?%5Cphi(0)%20%5Cland%20(%5Cforall%20x)(%5Cphi%20%5Cto%20%5Cphi(s(x)))%20%5Cto%20(%5Cforall%20x)%5Cphi">.</p></li>
</ol>
<p>The last is an axiom scheme for any formula <img src="https://latex.codecogs.com/png.latex?%5Cphi">, and where <img src="https://latex.codecogs.com/png.latex?%5Cphi(t)"> is the result of replacing the free variable occurrences of <img src="https://latex.codecogs.com/png.latex?x"> by the term <img src="https://latex.codecogs.com/png.latex?t">. From these axioms, the usual properties of addition follow. For example:</p>
<ul>
<li><p><img src="https://latex.codecogs.com/png.latex?(%5Cforall%20x)(%5Cforall%20y)(x%20+%20y%20=%20y%20+%20x)">,</p></li>
<li><p><img src="https://latex.codecogs.com/png.latex?(%5Cforall%20x)(%5Cforall%20y)(%5Cforall%20z)(x%20+%20(y%20+%20z)%20=%20(x%20+%20y)%20+%20z)">,</p></li>
<li><p><img src="https://latex.codecogs.com/png.latex?(%5Cforall%20x)(x%20%5Cneq%200%20%5Cto%20(%5Cexists%20y)(x%20=%20y%20+%201))">,</p></li>
<li><p><img src="https://latex.codecogs.com/png.latex?(%5Cforall%20x)(%5Cforall%20y)(%5Cforall%20z)(x%20+%20z%20=%20y%20+%20z%20%5Cto%20x%20=%20y)">.</p></li>
<li><p>et cetera.</p></li>
</ul>
</section>
<section id="different-interpretations" class="level2" data-number="3">
<h2 data-number="3" class="anchored" data-anchor-id="different-interpretations"><span class="header-section-number">3</span> Different interpretations</h2>
<p>Now, we turn to the semantics of the program <img src="https://latex.codecogs.com/png.latex?S">, of which the halting problem captures the Collatz conjecture. A program is nothing but a piece of text: a finite string of symbols. One may think of the intended meaning of a program, but nothing prevents two people looking at the same string of symbols from interpreting it differently. To illustrate this concept, we shall look at two interpretations of <img src="https://latex.codecogs.com/png.latex?S">. The fact that this simple program can be interpreted in different ways somewhat delighted me when I first read the pre-print paper by Mirkowska and Salwicki <span class="citation" data-cites="mirkowska2023collatz">[10]</span>.</p>
<p>The standard interpretation is given by taking the following data structure:</p>
<ul>
<li><p>Take the natural numbers <img src="https://latex.codecogs.com/png.latex?%5Cmathbb%7BN%7D%20=%20%5C%7B0,1,2,3,%5Cldots%5C%7D"> as domain.</p></li>
<li><p>Interpret the symbols in the usual way: <img src="https://latex.codecogs.com/png.latex?+"> is addition of natural numbers, and <img src="https://latex.codecogs.com/png.latex?%3C"> is less than.</p></li>
</ul>
<p>This standard interpretation satisfies all the axioms of Presburger arithmetic.</p>
<p>Alternatively, one could give a complex interpretation, as follows:</p>
<ul>
<li><p>Take the following subset of the complex numbers <img src="https://latex.codecogs.com/png.latex?%5Cmathbb%7BC%7D"> as domain: <img src="https://latex.codecogs.com/png.latex?%5C%7Bk%20+%20w%5Ciota%20%5Cmid%20k%5Cin%5Cmathbb%7BZ%7D%20%5Ctext%7B%20and%20%7D%20w%5Cin%5Cmathbb%7BQ%7D%5E+%20%5Ctext%7B%20and%20if%20%7D%20w=0%20%5Ctext%7B%20then%20%7D%20k%5Cgeq%200%5C%7D"> where <img src="https://latex.codecogs.com/png.latex?k"> is an integer, <img src="https://latex.codecogs.com/png.latex?w"> is a non-negative rational, and <img src="https://latex.codecogs.com/png.latex?%5Ciota"> is <img src="https://latex.codecogs.com/png.latex?%5Csqrt%7B-1%7D">. (We use the Greek <img src="https://latex.codecogs.com/png.latex?%5Ciota"> instead of the Latin <img src="https://latex.codecogs.com/png.latex?i">, to avoid confusion with the natural number <img src="https://latex.codecogs.com/png.latex?i"> we used earlier in function iteration <img src="https://latex.codecogs.com/png.latex?f%5Ei">.) The condition implies that we have no negative real numbers in our domain.</p></li>
<li><p>The constant individual symbols <img src="https://latex.codecogs.com/png.latex?0"> and <img src="https://latex.codecogs.com/png.latex?1"> are interpreted as the complex numbers <img src="https://latex.codecogs.com/png.latex?0%20+%200%5Ciota"> and <img src="https://latex.codecogs.com/png.latex?1%20+%200%5Ciota">, respectively.</p></li>
<li><p>The binary function symbol <img src="https://latex.codecogs.com/png.latex?+"> is interpreted as usual: <img src="https://latex.codecogs.com/png.latex?(k%20+%20w%5Ciota)%20+%20(k'%20+%20w'%5Ciota)%20=%20(k%20+%20k')%20+%20(w%20+%20w')%5Ciota."> Note in this equation alone, the symbol <img src="https://latex.codecogs.com/png.latex?+"> has four different meanings: the function symbol <img src="https://latex.codecogs.com/png.latex?+"> in our language, we have the <img src="https://latex.codecogs.com/png.latex?+"> on complex numbers, we have the <img src="https://latex.codecogs.com/png.latex?+"> on integers, and we have the <img src="https://latex.codecogs.com/png.latex?+"> on non-negative rationals!</p></li>
</ul>
<p>This complex interpretation satisfies all the axioms of Presburger arithmetic.</p>
<p>In the complex interpretation, we have the so-called <em>reachable</em> elements and the <em>unreachable</em> elements. The reachable elements are the complex numbers <img src="https://latex.codecogs.com/png.latex?k%20+%20w%5Ciota"> in our domain with a zero imaginary part (and so, by the condition, we know that <img src="https://latex.codecogs.com/png.latex?k%5Cgeq%200">). The unreachable elements are the complex numbers in our domain with a non-zero imaginary part. Any operation performed on only reachable elements gives us back a reachable element. However, an operation performed with at least one unreachable element results in an unreachable element. This follows from the fact that the imaginary part is non-negative.</p>
<p>In the complex interpretation, the order of elements is defined by <img src="https://latex.codecogs.com/png.latex?x%20%3C%20y">, which abbreviates <img src="https://latex.codecogs.com/png.latex?(%5Cexists%20z)(z%5Cneq%200%5Cland%20x%20+%20z%20=%20y)">. We can understand the order relation on complex numbers <img src="https://latex.codecogs.com/png.latex?(k%20+%20w%5Ciota)%20%3C%20(k'%20+%20w'%5Ciota)"> as if it were a lexicographic order on pairs: <img src="https://latex.codecogs.com/png.latex?%5Clangle%20w,k%5Crangle%20%3C%20%5Clangle%20w',k'%5Crangle">. This means that all reachable elements (where <img src="https://latex.codecogs.com/png.latex?w=0">) are below all unreachable elements (where <img src="https://latex.codecogs.com/png.latex?w%20%3E%200">). Further, in the complex interpretation we have that an element is even iff the real part is even.</p>
<p>With our complex interpretation, we can actually give an infinite run of the program! The following is a demonstration of a computation sequence: <img src="https://latex.codecogs.com/png.latex?%5Cbegin%7Bgathered%7D%0A%20%20%20%20(8%20+%20%5Cfrac%7B1%7D%7B2%7D%5Ciota)%20%5Clongrightarrow%20(4%20+%20%5Cfrac%7B1%7D%7B4%7D%5Ciota)%20%5Clongrightarrow%20(2%20+%20%5Cfrac%7B1%7D%7B8%7D%5Ciota)%20%5Clongrightarrow%20(1%20+%20%5Cfrac%7B1%7D%7B16%7D%5Ciota)%20%5Clongrightarrow%20%5Cqquad%5C%5C%0A%20%20%20%20(4%20+%20%5Cfrac%7B3%7D%7B16%7D%5Ciota)%20%5Clongrightarrow%20(2%20+%20%5Cfrac%7B3%7D%7B32%7D%5Ciota)%20%5Clongrightarrow%20(1%20+%20%5Cfrac%7B3%7D%7B64%7D%5Ciota)%20%5Clongrightarrow%20(4%20+%20%5Cfrac%7B9%7D%7B64%7D%5Ciota)%20%5Clongrightarrow%20%5Cldots%0A%5Cend%7Bgathered%7D"> The computation sequence can be mapped back to an execution of the program (this takes a bit of work, but it is not difficult to see that the number generated each step is the value of the variable <img src="https://latex.codecogs.com/png.latex?x"> right at the start of each iteration of the <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Bwhile%7D">-loop). Notice that, since we start with an unreachable value (the imaginary part is non-zero), the test of the loop never fails, and so the body of the loop is always taken. Either of the two operations (division-by-two or multiply-by-three-add-one) on an unreachable value results in an unreachable value again, which can never be equal to the reachable value of <img src="https://latex.codecogs.com/png.latex?1">.</p>
<p>However, this infinite run cannot be used to argue that the Collatz conjecture is false, since the conjecture speaks of the positive natural numbers and not the complex numbers we have introduced. So, coming back to our reformulated question: in Hoare’s partial correctness logic, can we prove <img src="https://latex.codecogs.com/png.latex?%5C%7Bx%5Cgeq%201%5Cland%20%5Cphi%5C%7D%5Cmathrel%7BS%7D%5C%7B%5Cmathbf%7Bfalse%7D%5C%7D"> for some <img src="https://latex.codecogs.com/png.latex?%5Cphi">, and show that the precondition is satisfiable? No, we cannot prove this <em>based on our example above</em>. The reason why is that the complex interpretation is elementarily equivalent to the standard interpretation. This means that the same first-order sentences are true in both the standard interpretation and the complex interpretation. Since our assertion language uses a first-order language, we cannot express in <img src="https://latex.codecogs.com/png.latex?%5Cphi"> that the starting value of <img src="https://latex.codecogs.com/png.latex?x"> has to be an unreachable element. Namely, the ability to express that <img src="https://latex.codecogs.com/png.latex?x"> is an unreachable element (which would be false in the standard interpretation, but true in the complex interpretation under existential quantification) contradicts that the standard and complex interpretations have the same first-order theories.</p>
<p>Note, however, that the above correctness formula may still be provable—showing the Collatz conjecture is false. If one gives a proof of <img src="https://latex.codecogs.com/png.latex?%5C%7Bx%5Cgeq%201%5Cland%20%5Cphi%5C%7D%5Cmathrel%7BS%7D%5C%7B%5Cmathbf%7Bfalse%7D%5C%7D"> in Hoare’s logic for partial correctness, then the proof must be sound for the standard interpretation too. If one then also shows that <img src="https://latex.codecogs.com/png.latex?%5Cphi"> is satisfiable in the standard interpretation, then the Collatz conjecture is settled (to be false).</p>
<p>On the other hand, if we look at proving <img src="https://latex.codecogs.com/png.latex?%5C%7Bx%5Cgeq%201%5C%7D%5Cmathrel%7BS%7D%5C%7B%5Cmathbf%7Btrue%7D%5C%7D"> in Hoare’s logic for total correctness, are we sure that a proof means that the Collatz conjecture is true? In Hoare’s total correctness logic, we employ a proof rule for reasoning about the termination of the <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Bwhile%7D">-loop by giving two ingredients: the invariant (an assertion that holds before and after the loop and also before and after the loop body) and the variant (a term denoting a value that must decrease each iteration, and it must be shown that this term is larger than or equal to zero assuming the invariant).</p>
<p>There may be a problem with non-standard interpretations. For example, in the complex interpretation, what does the variant denote? It may no longer express a quantity that ensures that the loop body is executed finitely many times. In fact, we already know that every unreachable element is larger than <img src="https://latex.codecogs.com/png.latex?0">, and every unreachable element has infinitely many predecessors: so requiring that during the loop body the variant decreases no longer yields an argument that the computation must be finite. Yet, this is not a problem, for we can always ignore non-standard interpretations. The proof rule is sound: interpreting total correctness with respect to the standard interpretation works fine. In that interpretation, the variant expresses that, before executing the loop, we can predict the maximum number of iterations that will be taken based on the values of program variables in the initial state.</p>
<p>Mirkowska and Salwicki suggest that the Collatz conjecture, formulated as questions of provability in Hoare logic as we did above, is not precise. They then start working on the level of the semantics in the complex interpretation, and restrict attention to those states in which the program variables have reachable values. However, here I disagree. That there exist non-standard interpretations is not an excuse to not give a proof in Hoare’s logic: although such a proof can also be interpreted in a non-standard interpretation, there is always the standard interpretation one can look at.</p>
<p>What I thus expected to see was a clear description from which I can extract a proof in Hoare’s total correctness logic. In particular, to perform such an extraction, I need to know the answers to the following questions:</p>
<ul>
<li><p>What is the loop invariant of <img src="https://latex.codecogs.com/png.latex?S">?</p></li>
<li><p>Is the loop invariant expressible as an assertion?</p></li>
<li><p>What is the loop variant of <img src="https://latex.codecogs.com/png.latex?S">?</p></li>
<li><p>Is the loop variant expressible?</p></li>
</ul>
<p>Unfortunately, the paper does not clearly answer these questions. When I read the paper, I was not able to verify that there actually is a proof. The paper does present many interesting ideas, but I feel that I am doing original research to see how the ideas presented relate to answering the questions above. I should not have the feeling that I am doing original research when my one and only task is to verify a proof!</p>
</section>
<section id="conclusion-and-closing-remarks" class="level2" data-number="4">
<h2 data-number="4" class="anchored" data-anchor-id="conclusion-and-closing-remarks"><span class="header-section-number">4</span> Conclusion and closing remarks</h2>
<p>Unfortunately, I am unable to extract a proof from the pre-print paper by Mirkowska and Salwicki <span class="citation" data-cites="mirkowska2023collatz">[10]</span>. Thus, the Collatz conjecture still remains unsettled—at least in my mind—and thus remains unsettling. The lesson, if there is a need for one, is that non-standard interpretations of Hoare’s logic exist, and may shed light on a problem from a different angle.</p>
<p>At some point during reading, I got the following intuitions. I share them here—just for fun—but these closing remarks may not be valuable to anyone and may only cause confusion.</p>
<p>If we revisit the computation sequence above, that yielded an infinite run, we see the following pattern (we call these the <em>even step</em> and the <em>odd step</em>): <img src="https://latex.codecogs.com/png.latex?%5Cbegin%7Baligned%7D%0A%20%20%20%20(k%20+%20%5Cfrac%7B3%5Eo%7D%7B2%5Ee%7D%5Ciota)%20&amp;%5Clongrightarrow%20(%5Cfrac%7Bk%7D%7B2%7D%20+%20%5Cfrac%7B3%5Eo%7D%7B2%5E%7Be+1%7D%7D%5Ciota)%20%5Ctext%7B%20if%20%7Dk%5Ctext%7B%20is%20even,%7D%5C%5C%0A%20%20%20%20(k%20+%20%5Cfrac%7B3%5Eo%7D%7B2%5Ee%7D%5Ciota)%20&amp;%5Clongrightarrow%20((3%5Ctimes%20k%20+%201)%20+%20%5Cfrac%7B3%5E%7Bo+1%7D%7D%7B2%5Ee%7D%5Ciota)%20%5Ctext%7B%20if%20%7Dk%5Ctext%7B%20is%20odd.%7D%0A%5Cend%7Baligned%7D"> For simplicity, assume <img src="https://latex.codecogs.com/png.latex?k"> is a positive natural number, and <img src="https://latex.codecogs.com/png.latex?o,e"> are natural numbers. Forgetting about the imaginary part, we see simply that the function <img src="https://latex.codecogs.com/png.latex?f"> we defined in the introduction is applied on <img src="https://latex.codecogs.com/png.latex?k">. However, in the imaginary part, we see that the rational number is ‘counting’ how many times which part of the function was applied. If <img src="https://latex.codecogs.com/png.latex?k"> was even, we increase the denominator from <img src="https://latex.codecogs.com/png.latex?2%5Ee"> to <img src="https://latex.codecogs.com/png.latex?2%5E%7Be+1%7D">. If <img src="https://latex.codecogs.com/png.latex?k"> was odd, we increase the numerator from <img src="https://latex.codecogs.com/png.latex?3%5Eo"> to <img src="https://latex.codecogs.com/png.latex?3%5E%7Bo+1%7D">.</p>
<p>Now, for any computation sequence on natural numbers of the domain of the standard interpretation, there exist infinitely many corresponding computation sequences on the complex numbers of the domain of the complex interpretation. We are free, so to say, to choose the imaginary part of the complex number. So, let us look at the complex interpretation. From now onward, my thoughts are a bit cloudy and imprecise—so we proceed in unclear territory.</p>
<p>Since in computations of the complex interpretation, ‘we are free’ to choose the imaginary part, could we treat the imaginary part as a ghost count of the number of times we see an even number and the number of times we see an odd number? If the even numbers tend to outnumber the odd numbers then we are going towards the exit—but at any moment we are doubtful, we may freely reset the counters. Even when we reach the destination, we may still continue (here <img src="https://latex.codecogs.com/png.latex?%5Clongrightarrow%5E*"> means multiple steps, even or odd): <img src="https://latex.codecogs.com/png.latex?(1%20+%20%5Ciota)%20%5Clongrightarrow%5E*%20(1%20+%20%5Cfrac%7B3%7D%7B4%7D%5Ciota)%20%5Clongrightarrow%5E*%20(1%20+%20%5Cfrac%7B9%7D%7B16%7D%5Ciota)%20%5Clongrightarrow%5E*%20(1%20+%20%5Cfrac%7B27%7D%7B64%7D%5Ciota)%20%5Clongrightarrow%20%5Cldots"> Here the denominator grows faster than the numerator: the imaginary part tends towards zero in the limit if we never reset the ghost counter back to <img src="https://latex.codecogs.com/png.latex?%5Ciota">. Does this intuition help? I do not know. Maybe one can show that there is a computation sequence in the complex interpretation in which the imaginary part tends to zero if and only if there is a corresponding computation sequence in the standard interpretation? If so, can we then also show that a computation sequence tends to zero if and only if it contains a number with <img src="https://latex.codecogs.com/png.latex?1"> as real part?</p>
<p>The intuition here is that we want to jump ahead in a potential computation sequence starting in some number, as if we could travel in time. The target of our jump is a number with the same real part—that would be evidence of a loop. If the loop also exists in the standard interpretation, then all the intermediary numbers must be natural numbers. Suppose we are at an arbitrary section of the computation sequence: <img src="https://latex.codecogs.com/png.latex?(f%5E0(k)%20+%20w_0%5Ciota)%20%5Clongrightarrow%20(f%5E1(k)%20+%20w_1%5Ciota)%20%5Clongrightarrow%20%5Cldots%20%5Clongrightarrow%20(f%5Ei(k)%20+%20w_i%5Ciota)"> where <img src="https://latex.codecogs.com/png.latex?f%5E0(k)%20=%20k">. The sequence <img src="https://latex.codecogs.com/png.latex?w_0,w_1,%5Cldots"> consists of the values of the ghost counters. We now want to reset the ghost counters back to <img src="https://latex.codecogs.com/png.latex?%5Ciota">, but keep the real part. Note that the imaginary part of <img src="https://latex.codecogs.com/png.latex?%5Ciota"> is the fraction <img src="https://latex.codecogs.com/png.latex?%7B3%5E0%7D%5Cdiv%7B2%5E0%7D=1">, meaning both even and odd counters are zero. After resetting the ghost counters, we have the section that starts with <img src="https://latex.codecogs.com/png.latex?(k%20+%20%5Ciota)">: <img src="https://latex.codecogs.com/png.latex?(f%5E0(k)%20+%20%5Cfrac%7B3%5E%7Bo_0%7D%7D%7B2%5E%7Be_0%7D%7D%5Ciota)%20%5Clongrightarrow%20(f%5E1(k)%20+%20%5Cfrac%7B3%5E%7Bo_1%7D%7D%7B2%5E%7Be_1%7D%7D%5Ciota)%20%5Clongrightarrow%20%5Cldots%20%5Clongrightarrow%20(f%5Ei(k)%20+%20%5Cfrac%7B3%5E%7Bo_i%7D%7D%7B2%5E%7Be_i%7D%7D%5Ciota)"> where the sequences <img src="https://latex.codecogs.com/png.latex?o_0,o_1,o_2,%5Cldots"> and <img src="https://latex.codecogs.com/png.latex?e_0,e_1,e_2,%5Cldots"> are running ghost counts with <img src="https://latex.codecogs.com/png.latex?o_0=e_0=0">. For any index <img src="https://latex.codecogs.com/png.latex?0%5Cleq%20j%5Cleq%20i"> in the sequence, we have that <img src="https://latex.codecogs.com/png.latex?o_j%20+%20e_j%20=%20j">, since every step is either an even step or an odd step and increments exactly one of the two counters.</p>
<p>Is it possible to have <img src="https://latex.codecogs.com/png.latex?f%5E0(k)%20=%20f%5Ei(k)"> but where the numerator grows faster than the denominator, i.e.&nbsp;<img src="https://latex.codecogs.com/png.latex?3%5E%7Bo_i%7D%20%3E%202%5E%7Be_i%7D">? If so, can <img src="https://latex.codecogs.com/png.latex?1"> then also occur in the sequence? Note that <img src="https://latex.codecogs.com/png.latex?1"> is never reached as a result of <img src="https://latex.codecogs.com/png.latex?3%5Ctimes%20x%20+%201"> (only <img src="https://latex.codecogs.com/png.latex?x"> with zero real part would give <img src="https://latex.codecogs.com/png.latex?1">, but that never occurs since <img src="https://latex.codecogs.com/png.latex?0%20+%20w%5Ciota"> is even and thus stays even), so <img src="https://latex.codecogs.com/png.latex?1"> can only be entered by an even step, and from that point onward the denominator would dominate the numerator.</p>
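<p>The even step, the odd step and the ghost counters of the closing remarks can be made concrete in a few lines of code. The following is an added example, not code from the article or from the paper under review: a state is represented as a triple of the real part and the two ghost counts, the imaginary part <img src="https://latex.codecogs.com/png.latex?3%5Eo%2F2%5Ee"> is derived from the counts rather than stored, and the helper <code>collatz_iterations</code> with its <code>bound</code> parameter is an assumption of the example, introduced only to make visible the quantity that a loop variant in Hoare’s total-correctness logic would have to bound in advance. The run from <img src="https://latex.codecogs.com/png.latex?(1%20+%20%5Ciota)"> reproduces the sequence <img src="https://latex.codecogs.com/png.latex?1%2C%203%2F4%2C%209%2F16%2C%2027%2F64"> of imaginary parts quoted above, and the consistency check verifies <img src="https://latex.codecogs.com/png.latex?o_j%20+%20e_j%20=%20j"> along a whole section.</p>

```python
from fractions import Fraction
from typing import List, Optional, Tuple

# Added example, not part of the article. A state of the "complex
# interpretation" run is (k, o, e): real part k, number of odd steps o and
# number of even steps e taken since the last reset. The imaginary part is
# the ghost counter 3^o / 2^e (assumption of this example: we keep the
# counters instead of the fraction so that they never go out of sync).
State = Tuple[int, int, int]


def imag(o: int, e: int) -> Fraction:
    """Imaginary part 3^o / 2^e encoded by the ghost counters (o, e)."""
    return Fraction(3 ** o, 2 ** e)


def step(state: State) -> State:
    """One even step or one odd step, exactly as in the closing remarks."""
    k, o, e = state
    if k % 2 == 0:
        return (k // 2, o, e + 1)      # even step: denominator 2^e -> 2^(e+1)
    return (3 * k + 1, o + 1, e)       # odd step:  numerator 3^o -> 3^(o+1)


def run(k: int, steps: int) -> List[State]:
    """A section of the computation starting in (k + iota), i.e. o_0 = e_0 = 0."""
    states = [(k, 0, 0)]
    for _ in range(steps):
        states.append(step(states[-1]))
    return states


def counts_are_consistent(states: List[State]) -> bool:
    """Check o_j + e_j = j for every index j of the section."""
    return all(o + e == j for j, (_, o, e) in enumerate(states))


def one_entered_only_by_even_step(states: List[State]) -> bool:
    """Check the remark that 1 is never the result of 3x + 1 (for positive k):
    whenever the real part is 1 at index j > 0, the state at j - 1 was even."""
    return all(states[j - 1][0] % 2 == 0
               for j in range(1, len(states)) if states[j][0] == 1)


def reset(state: State) -> State:
    """Reset the ghost counters back to iota (3^0 / 2^0 = 1), keep the real part."""
    return (state[0], 0, 0)


def collatz_iterations(k: int, bound: int) -> Optional[int]:
    """Standard interpretation only: the number of loop iterations until the
    value 1 is reached, or None if 1 is not reached within `bound` iterations.
    A loop variant for total correctness would have to bound this number as a
    term over the initial value of k; `bound` is this example's assumption,
    not such a variant."""
    n = 0
    while k != 1:
        if n >= bound:
            return None
        k = k // 2 if k % 2 == 0 else 3 * k + 1
        n += 1
    return n


if __name__ == "__main__":
    section = run(1, 9)                      # (1 + iota) ->* ... ->* (1 + 27/64 iota)
    for j, (k, o, e) in enumerate(section):
        print(j, k, imag(o, e))
    print(counts_are_consistent(section))    # True
    print(one_entered_only_by_even_step(run(7, 50)))  # True
    print(reset(section[-1]))                # (1, 0, 0)
    print(collatz_iterations(27, 1000))      # 111 iterations in the standard run
```

<p>Running the section from <code>(1, 0, 0)</code> for nine steps visits real part 1 at indices 3, 6 and 9 with imaginary parts 3/4, 9/16 and 27/64: each tour of the loop 1, 4, 2, 1 adds one odd step and two even steps, so the denominator grows faster than the numerator, as observed above. Note that nothing in this code bounds the run for an arbitrary start value; <code>collatz_iterations</code> merely counts, and it is precisely this count that a proof in Hoare’s total-correctness logic would have to predict from the initial state.</p>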
<p>And what about the non-repeating computation sequences? Where there is no loop, but in which the imaginary part does tend to zero?</p>
<p>So many questions are still floating around in my mind, like butterflies...</p>
</section>

<section id="references" class="level2 unnumbered">




</section>

<div id="quarto-appendix" class="default"><section id="acknowledgments" class="level2 appendix unnumbered"><h2 class="anchored quarto-appendix-heading">Acknowledgments</h2><div class="quarto-appendix-contents">

<p>Cover image credit: <a href="https://unsplash.com/@evanescentlight">Ian Parker</a></p>
</div></section><section class="quarto-appendix-contents" id="quarto-bibliography"><h2 class="anchored quarto-appendix-heading">References</h2><div id="refs" class="references csl-bib-body" data-entry-spacing="0">
<div id="ref-aberkane2021collatz" class="csl-entry">
<div class="csl-left-margin">[1] </div><div class="csl-right-inline">Idriss J. Aberkane. A collatz proof from the book. (2021). Retrieved from <a href="https://hal.science/hal-03364693">https://hal.science/hal-03364693</a></div>
</div>
<div id="ref-andaloro2002problem" class="csl-entry">
<div class="csl-left-margin">[2] </div><div class="csl-right-inline">Paul J. Andaloro. The <img src="https://latex.codecogs.com/png.latex?3x+1"> problem and directed graphs. <em>Fibonacci Quarterly</em> volume 40, issue 1 (2002), page 43–54. <a href="https://doi.org/10.48550/arXiv.math/0608208">https://doi.org/10.48550/arXiv.math/0608208</a></div>
</div>
<div id="ref-andrei2000some" class="csl-entry">
<div class="csl-left-margin">[3] </div><div class="csl-right-inline">Ştefan Andrei, Manfred Kudlek, and Radu Ştefan Niculescu. Some results on the <span>Collatz</span> problem. <em>Acta Informatica</em> volume 37, (2000), page 145–160. <a href="https://doi.org/10.1007/s002360000039">https://doi.org/10.1007/s002360000039</a></div>
</div>
<div id="ref-andrei1998collatz" class="csl-entry">
<div class="csl-left-margin">[4] </div><div class="csl-right-inline">Ştefan Andrei and Cristian Masalagiu. About the <span>Collatz</span> conjecture. <em>Acta Informatica</em> volume 35, (1998), page 167–179. <a href="https://doi.org/10.1007/s002360050117">https://doi.org/10.1007/s002360050117</a></div>
</div>
<div id="ref-apt2019fifty" class="csl-entry">
<div class="csl-left-margin">[5] </div><div class="csl-right-inline">Krzysztof R. Apt and Ernst-Rüdiger Olderog. Fifty years of <span class="nocase">Hoare’s</span> logic. <em>Formal Aspects of Computing</em> volume 31, (2019), page 751–807. <a href="https://doi.org/10.1007/s00165-019-00501-3">https://doi.org/10.1007/s00165-019-00501-3</a></div>
</div>
<div id="ref-ballesteros2018novel" class="csl-entry">
<div class="csl-left-margin">[6] </div><div class="csl-right-inline">Dora M. Ballesteros, Jimmy Peña, and Diego Renza. A novel image encryption scheme based on <span>Collatz</span> conjecture. <em>Entropy</em> volume 20, issue 12 (2018), page 901. <a href="https://doi.org/10.3390/e20120901">https://doi.org/10.3390/e20120901</a></div>
</div>
<div id="ref-clay2023long" class="csl-entry">
<div class="csl-left-margin">[7] </div><div class="csl-right-inline">Oliver K. Clay. The long search for <span>Collatz</span> counterexamples. <em>Journal of Humanistic Mathematics</em> volume 13, issue 2 (2023), page 199–227. <a href="https://doi.org/10.5642/jhummath.YQHO7207">https://doi.org/10.5642/jhummath.YQHO7207</a></div>
</div>
<div id="ref-conway2013unsettleable" class="csl-entry">
<div class="csl-left-margin">[8] </div><div class="csl-right-inline">John H. Conway. On unsettleable arithmetical problems. <em>The American Mathematical Monthly</em> volume 120, issue 3 (2013), page 192–198. <a href="https://doi.org/10.4169/amer.math.monthly.120.03.192">https://doi.org/10.4169/amer.math.monthly.120.03.192</a></div>
</div>
<div id="ref-mirkowska1987algorithmic" class="csl-entry">
<div class="csl-left-margin">[9] </div><div class="csl-right-inline">Grażyna Mirkowska and Andrzej Salwicki. <em>Algorithmic logic</em>. Springer.</div>
</div>
<div id="ref-mirkowska2023collatz" class="csl-entry">
<div class="csl-left-margin">[10] </div><div class="csl-right-inline">Grażyna Mirkowska and Andrzej Salwicki. Collatz conjecture becomes theorem. (2023). <a href="https://doi.org/10.48550/arXiv.2310.13035">https://doi.org/10.48550/arXiv.2310.13035</a></div>
</div>
<div id="ref-tourlakis2022incompleteness" class="csl-entry">
<div class="csl-left-margin">[11] </div><div class="csl-right-inline">George Tourlakis. G<span>ö</span>del’s first incompleteness theorem via the halting problem. In <em>Computability</em>. Springer, page 265–280. <a href="https://doi.org/10.1007/978-3-030-83202-5_8">https://doi.org/10.1007/978-3-030-83202-5_8</a></div>
</div>
<div id="ref-xu2019pseudo" class="csl-entry">
<div class="csl-left-margin">[12] </div><div class="csl-right-inline">David Xu and Dan E. Tamir. Pseudo-random number generators based on the <span>Collatz</span> conjecture. <em>International Journal of Information Technology</em> volume 11, issue 3 (2019), page 453–459. <a href="https://doi.org/10.1007/s41870-019-00307-9">https://doi.org/10.1007/s41870-019-00307-9</a></div>
</div>
</div></section><section class="quarto-appendix-contents" id="quarto-citation"><h2 class="anchored quarto-appendix-heading">Citation</h2><div><div class="quarto-appendix-secondary-label">BibTeX citation:</div><pre class="sourceCode code-with-copy quarto-appendix-bibtex"><code class="sourceCode bibtex">@article{hiep2023,
  author = {Hiep, Hans-Dieter A.},
  title = {Can the {Collatz} Conjecture Be Proven, or Not?},
  journal = {dr. heap},
  volume = {1},
  number = {4},
  date = {2023-11-01},
  url = {https://www.drheap.nl/articles/2023/can-the-collatz-conjecture-be-proven-or-not/},
  doi = {10.59350/7cfjs-b4x59},
  issn = {3050-5224},
  langid = {en}
}
</code></pre><div class="quarto-appendix-secondary-label">For attribution, please cite this work as:</div><div id="ref-hiep2023" class="csl-entry quarto-appendix-citeas">
<div class="">Hans-Dieter A. Hiep. Can the Collatz conjecture
be proven, or not? <em>dr. heap</em> volume 1, issue 4 (November 2023).
<a href="https://doi.org/10.59350/7cfjs-b4x59">https://doi.org/10.59350/7cfjs-b4x59</a></div>
</div></div></section></div> ]]></description>
  <category>Open Review</category>
  <category>Program Correctness</category>
  <guid>https://www.drheap.nl/articles/2023/can-the-collatz-conjecture-be-proven-or-not/</guid>
  <pubDate>Tue, 31 Oct 2023 23:00:00 GMT</pubDate>
  <media:content url="https://www.drheap.nl/articles/2023/can-the-collatz-conjecture-be-proven-or-not/cover-min.jpg" medium="image" type="image/jpeg"/>
</item>
<item>
  <title>What is an education?</title>
  <dc:creator>Hans-Dieter A. Hiep</dc:creator>
  <link>https://www.drheap.nl/articles/2023/what-is-an-education/</link>
  <description><![CDATA[ 





<p>In university, one sees students attending lectures and labs, working together on assignments, and doing exams. But—standing still for a moment—what is the purpose of all this business? The answer involves education, in the sense that students are being educated. But what is an education, precisely? In this blog post, I will summarize my views on the matter.</p>
<div id="fig-floyd" class="quarto-float quarto-figure quarto-figure-center anchored">
<figure class="quarto-float quarto-float-fig figure">
<div aria-describedby="fig-floyd-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
<div class="quarto-video ratio ratio-16x9"><iframe data-external="1" src="https://www.youtube.com/embed/EZEHm8eEb9E?si=eyRQjLUSI6SOO9M" title="" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen=""></iframe></div>
</div>
<figcaption class="quarto-float-caption-bottom quarto-float-caption quarto-float-fig" id="fig-floyd-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
Figure&nbsp;1: Music Video: Pink Floyd - Another Brick in the Wall (a protest song against corporal punishment)
</figcaption>
</figure>
</div>
<p>Some say that an education is more than professional training. By such professional training, I mean equipping students with useful skills such as communicating with humans or with computers, finding interesting or profitable problems to work on that are relevant to society at large, and finding novel, practical, efficient, and elegant solutions to such problems, et cetera. One could speak of <em>skill competency</em>, measured at levels that indicate how well an individual is able to perform a particular skill. Some skills are considered more useful than others in a professional setting, and are correspondingly considered worth more. Following the tradition of <a href="https://en.wikipedia.org/wiki/New_Public_Management">New Public Management</a>, one can then do a back-of-the-envelope cost-benefit calculation (in Dutch this is called ‘studierendement’): surely, becoming proficient in computer science is worth the effort, both to the student at the individual level and to society at the collective level. But all this skill development should not cost too much: there should be a positive Return On Investment!</p>
<p>Although professional training works, and could be very valuable, it also misses essential points of an education. But what, then, is an education <em>more</em> than training students and developing skills? Below, I shall outline the objectives of an education that go beyond the objectives of professional training. Generally speaking, during academic study, a student:</p>
<ul>
<li>progresses through human development into an <em>independent</em> and <em>disciplined</em> thinker,</li>
<li>cultivates a <em>disinterested</em> love of truth,</li>
<li>develops a <em>scientific attitude</em> to be able to understand, and be critical of, technological developments in the field, and</li>
<li>becomes <em>empowered</em> to defend one’s own outspoken position in public.</li>
</ul>
<p>All these points contribute to an education. Simply put, an education helps students to become self-sufficient. I shall discuss the above points one-by-one, and reflect on each general statement how, in particular, it applies to computer science education.</p>
<section id="independent-and-disciplined-thinker" class="level2" data-number="1">
<h2 data-number="1" class="anchored" data-anchor-id="independent-and-disciplined-thinker"><span class="header-section-number">1</span> Independent and disciplined thinker</h2>
<div class="big-quote">
<p>Small is the number of them that<br>
see with their own eyes and feel with their own hearts.</p>
<div class="big-author">
<p>— Albert Einstein</p>
</div>
</div>
<p>A typical university student (age: 18-25) progresses through the human developmental stage of <em>emerging adulthood</em> and enters <em>early adulthood</em>. In these stages of human development, students improve in functioning (e.g.&nbsp;mastering technical skill), become disciplined actors and critical thinkers (e.g.&nbsp;improving use of language, developing awareness of context-sensitivity, and engaging in self-reflection), and develop a clear sense of self and identity (e.g.&nbsp;by demonstrating intellectual curiosity and creativity). An excellent education aims to improve not <em>only</em> a student’s capability in technical skill, communication, comprehension, and reasoning ability—but <em>also</em> in attaining and maintaining a position of (financial) stability, physical and mental health and safety, the perseverance to overcome challenges, and the resilience to handle failure gracefully.</p>
<p>In computer science there are lots of different technical skills and languages <em>by</em> which a student can develop, e.g.&nbsp;there are many programming languages, logical languages, and mathematical languages to study and practice with. Each language comes with its own set of challenges: some are easier to learn and others are more difficult. The required level of discipline varies: some languages are rigorous and exact, while others are more lenient and fuzzy. In a well-rounded curriculum, there should be a lot of room for exploration and creativity: <strong>I believe that the best form of learning is rediscovery</strong>, in which (practical and theoretical) results, and their importance, are arrived at by oneself.</p>
<p>Ideally, the objective of education is not <em>just</em> to learn new languages, but also to reflect on the learning process itself and to learn <em>how to learn</em>. Each language is a tool to achieve this objective. The end goal is attained if a student is able to confront challenges and tackle difficulties encountered during learning, which often necessitates independent study and a disciplined approach to thinking and working. A means to this end is progression through gradually more difficult subjects over time. To keep progressing, the following factors seem crucial for student engagement: confidence, interaction, and autonomy (CIA).</p>
<p><strong>Confidence.</strong> A lack of confidence hampers student engagement with the subject. Confidence can be increased by allowing students to revisit the necessary background knowledge, allowing students to check their own work, and giving hints towards a solution to exercises in case students are blocked for too long. Confidence can be decreased by obscurity of reference material, a lack of (direct or indirect) feedback, or information overload.</p>
<p><strong>Interaction.</strong> Ideally, students are intrinsically motivated to independently study the subject material. However, most of the time students need help from, and interaction with, their social surroundings. One effective way is to work together, in the sense of mentorship, to guide students through the material by means of a dialogue. Sometimes students can help one another (which ideally is useful for both), but this requires ‘matching up’ students at different levels. It is a clear signal of insufficient interaction if interaction only starts after a final examination.</p>
<p><strong>Autonomy.</strong> Ideally, each student can autonomously choose their next direction to explore in the subject (depending on their starting point). Sometimes it is a joy to discover that one has entered a dead-end: a valuable lesson! But finding oneself too often stuck in dead-ends is risky. Hints or nudges towards the right path are helpful to avoid going too far astray—however, these hints or nudges should never be enforced, and only offered as advice.</p>
</section>
<section id="disinterested-love-of-truth" class="level2" data-number="2">
<h2 data-number="2" class="anchored" data-anchor-id="disinterested-love-of-truth"><span class="header-section-number">2</span> Disinterested love of truth</h2>
<div class="big-quote">
<p>If an opinion contrary to your own makes you angry, that is a sign that you are subconsciously aware of having no good reason for thinking as you do.</p>
<div class="big-author">
<p>— Bertrand Russell</p>
</div>
</div>
<p>Truth exists regardless of one’s expectation. Something is not true because one <em>wants</em> it to be true or <em>profits</em> from it being true. One should seek the truth from a position of freedom: disinterestedness in the sense of free from bias or (self-)interest. It may be difficult to engage all students in cultivating curiosity for <em>why</em> something is true. This could be the result of students being subjected to a prior non-free learning experience, where students were instructed to <em>‘just remember’</em> what was said and take it for granted, or to <em>‘just do’</em> what an assignment asks for—rather than stimulating students to raise questions and take the initiative to study the subject more deeply. Surely, it is easier to let students stop thinking, than not!</p>
<p>To cultivate a disinterested love of truth, one question to keep in mind is: what is <em>true</em>? Or even deeper, what is <em>truth</em>? It is not wise to claim that something is true in the absolute sense, or that only one person knows the truth: truth is something each student has to find out for themselves. The most reliable form of truth, looking from an epistemological point of view, is experienced individually: to be convinced of truth requires honest, independent, and disinterested verification by means of individual mental construction (theory), or direct experience by one’s own senses (practice). As a lover of truth, viz.&nbsp;a philosopher, a student seeks answers to questions of truth through diverse means. This requires students to carefully and critically assess their own perception, memory, and (prior) beliefs and skills. Every (including one’s own) testimony, evidence, judgment, theory, or ideal should be regarded critically, or even skeptically when in (self-)doubt.</p>
<p>However, criticism and skepticism are bottomless, and students also need to be able to overcome the <a href="https://en.wikipedia.org/wiki/M%C3%BCnchhausen_trilemma">Münchhausen trilemma</a>: even the most rigorous methods for attaining truth have limitations, and there are no absolute or complete methods for obtaining truth or certainty. Generally speaking, one should be interested in comparing the authority (in the sense of convincing force) of different arguments, and should be able to follow and participate in academic debate that has culminated or is culminating in consensus.</p>
<p>Some questions fundamental to computer science are: what are the foundations of computer science? What are the limits of computing? What are the <a href="https://link.springer.com/article/10.1023/B:FODA.0000025037.28557.ea">limits of logical, mathematical, and scientific reasoning</a>? What languages can (not) be used to express ideas clearly? When comparing two entities, what differences are significant (or not)? What basic facts about computer science are relevant, and how does this depend on the context? What research agendas are out there and are they conflicting or complementary? What distinguishes fashions and opinions from necessities and facts? How can one turn vague ideas into concrete conceptualizations? What academic debates were relevant in the past, are still relevant today, and will become relevant in the future? Et cetera.</p>
</section>
<section id="scientific-attitude" class="level2" data-number="3">
<h2 data-number="3" class="anchored" data-anchor-id="scientific-attitude"><span class="header-section-number">3</span> Scientific attitude</h2>
<div class="big-quote">
<p>The originator of a new concept […] finds, as a rule, that it is much more difficult to find out why other people do not understand him, than it was to discover the new truths.</p>
<div class="big-author">
<p>— Hermann von Helmholtz</p>
</div>
</div>
<p>It is important for students to develop a scientific attitude that is critical of technological developments in the field. A scientific attitude is exploratory in nature and embraces exciting speculation, necessitates experimentation, but requires one to be scrupulous in publicly making claims, and only to present findings that others can independently verify. Ideally, a scientific discovery lays bare not only the presence of a mechanism, but also its underlying structure that explains <em>why</em> predictions are reliable and <em>how</em> they are correct. Technological progress should be considered within a wider ethical context, also keeping in mind the actual and potential detrimental effects on human society and nature.</p>
<p>Especially in the field of computer science, a critical outlook on technology is important, since not all developments in our field are necessarily beneficial to all of humankind or nature. For example, most computer technology only benefits a tiny portion of humanity: is this fair, or not? Are practitioners that apply the results of computer science misguided or misinformed, even when they form a large majority influencing consensus and best practices, or not? Consensus is not a replacement for truth, but standing up against consensus might be risky for one’s career or public standing (e.g.&nbsp;nobody likes the party pooper).</p>
<div id="fig-arnold" class="quarto-float quarto-figure quarto-figure-center anchored">
<figure class="quarto-float quarto-float-fig figure">
<div aria-describedby="fig-arnold-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
<div class="quarto-video ratio ratio-16x9"><iframe data-external="1" src="https://www.youtube.com/embed/q9FYBjSc3cU?si=GKycswTEUFQHJA1h" title="" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen=""></iframe></div>
</div>
<figcaption class="quarto-float-caption-bottom quarto-float-caption quarto-float-fig" id="fig-arnold-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
Figure&nbsp;2: Video Clip of Kindergarten Cop (1990) with Arnold Schwarzenegger
</figcaption>
</figure>
</div>
<p>Especially in computer security, one sometimes needs courage to raise issues and to be very confident of one’s case, also considering the potential (legal) repercussions instigated by large companies and governments. But also in theoretical computer science, it is too easy to forget ‘the bigger picture’ and lose oneself in a deluge of technicalities: how can one be certain that the subject is studied as simply <em>as possible</em>, without being <em>too simplistic</em>? The cases above necessitate a scientific attitude, to ensure that one only takes positions that can withstand reasonable doubt.</p>
<p>Critical thinking is an important skill, especially in an academic discipline such as computer science. Many computer scientists fall into the trap of making things too complicated (unfortunately, myself included). How can one prevent such tendencies? Working on complicated and obscure subjects may scratch one’s own itch of intellectual curiosity, but the trap is that it makes the field more difficult for outsiders to enter. It requires a good education to appreciate the fine balance between necessary complexity and accidental complexity of programs, theories, and systems. The key is that simplicity and elegance, while difficult and hard to attain, pay off by making it easier to explain to others what one did.</p>
</section>
<section id="empowerment" class="level2" data-number="4">
<h2 data-number="4" class="anchored" data-anchor-id="empowerment"><span class="header-section-number">4</span> Empowerment</h2>
<div class="big-quote">
<p>Don’t, for heaven’s sake, be afraid of talking nonsense!<br>
But you must pay attention to your nonsense.</p>
<div class="big-author">
<p>— Ludwig Wittgenstein</p>
</div>
</div>
<p>Finally, empowering students allows them to defend their own, outspoken position in public. A reasonable position is supported by rational and well-founded argumentation, presented in an orderly (no chaos), timely (not too long), and, ideally, beautiful manner. To appreciate reason as a means of establishing truth, one has to be receptive to criticism, to be <em>open-minded</em> towards the possibility of finding faults and flaws in one’s own position. A good defender is capable of seeking out opponents, even if those opponents are established authorities, and of engaging in a mutually respectful, decent, and civilized debate. But every defeat is a learning opportunity: losing an argument is fun!</p>
<p>There are many opportunities in computer science for taking in and trying to defend a position, for example in designing programs (and surviving programming errors), theories (and surviving inconsistency), and systems (and surviving design flaws). There are qualitative and quantitative approaches by which any idea can be evaluated, such as (among many others) program correctness and efficiency, system resilience, error tolerance, usability and extensibility, and theoretical elegance and simplicity: an educated person is able to appreciate these fine details.</p>
</section>
<div id="quarto-appendix" class="default"><section id="acknowledgments" class="level2 appendix" data-number="5"><h2 class="anchored quarto-appendix-heading"><span class="header-section-number">5</span> Acknowledgments</h2><div class="quarto-appendix-contents">

<p>Cover image credit: <a href="https://unsplash.com/@elisa_cb">Elisa Calvet B.</a></p>


</div></section><section class="quarto-appendix-contents" id="quarto-citation"><h2 class="anchored quarto-appendix-heading">Citation</h2><div><div class="quarto-appendix-secondary-label">BibTeX citation:</div><pre class="sourceCode code-with-copy quarto-appendix-bibtex"><code class="sourceCode bibtex">@article{hiep2023,
  author = {Hiep, Hans-Dieter A.},
  title = {What Is an Education?},
  journal = {dr. heap},
  volume = {1},
  number = {3},
  date = {2023-05-06},
  url = {https://www.drheap.nl/articles/2023/what-is-an-education/},
  doi = {10.59350/ej3j0-jb103},
  issn = {3050-5224},
  langid = {en}
}
</code></pre><div class="quarto-appendix-secondary-label">For attribution, please cite this work as:</div><div id="ref-hiep2023" class="csl-entry quarto-appendix-citeas">
<div class="">Hans-Dieter A. Hiep. What is an education?
<em>dr. heap</em> volume 1, issue 3 (May 2023). <a href="https://doi.org/10.59350/ej3j0-jb103">https://doi.org/10.59350/ej3j0-jb103</a></div>
</div></div></section></div> ]]></description>
  <category>Opinion</category>
  <category>Teaching</category>
  <guid>https://www.drheap.nl/articles/2023/what-is-an-education/</guid>
  <pubDate>Fri, 05 May 2023 22:00:00 GMT</pubDate>
  <media:content url="https://www.drheap.nl/articles/2023/what-is-an-education/cover-min.jpg" medium="image" type="image/jpeg"/>
</item>
<item>
  <title>Correctness of two sorting algorithms</title>
  <dc:creator>Hans-Dieter A. Hiep</dc:creator>
  <link>https://www.drheap.nl/articles/2023/correctness-of-two-sorting-algorithms/</link>
  <description><![CDATA[ 
<p><a href="main.pdf" class="btn btn-default downloadthis  " id="dnldts29207"><i class="bi bi-download"></i> Download the PDF version of this article </a></p>
<section id="introduction" class="level2" data-number="1">
<h2 data-number="1" class="anchored" data-anchor-id="introduction"><span class="header-section-number">1</span> Introduction</h2>
<p>On Wednesday, 8th of March, 2023, I gave a lecture about two sorting algorithms for the course <a href="https://studiegids.universiteitleiden.nl/courses/114222/program-correctness">Program Correctness</a> (see also <a href="https://youtube.com/playlist?list=PLgybIyDbLkESaKYMLk6X_UnenTHWWuB2B">the lecture series on YouTube</a>, available only in Dutch). Then, due to limited time, I only discussed a sketch of the correctness proof. But I promised the students that I would write down the correctness argument in more detail. So, in this article, I will revisit the two sorting algorithms and give the correctness proof in full detail.</p>
<p>We had a look at two sorting algorithms: <em>gnome sort</em> and <em>bozosort</em>. The purpose of a sorting algorithm is to operate on an array and rearrange its elements in order. The two algorithms presented are not the most <em>efficient</em> sorting algorithms, but that is not of our concern: instead, we will look at them from the perspective of their <em>correctness</em>.</p>
<p>The main questions answered in this article are:</p>
<ul>
<li><p>What is the (intuitive) argument of correctness of these algorithms?</p></li>
<li><p>How to write down a proof outline for these algorithms?</p></li>
</ul>
<p>When proving an algorithm correct, it is important to first have a rough, informal idea of how the correctness argument should go. Only then does it make sense to formalize the argument by writing down a proof outline. During the latter activity, one can systematically check the argument to ensure there is no fault in one’s own reasoning. Thus, both aspects are important: <em>the bigger picture</em> and <em>the devil’s in the details</em>.</p>
<div class="callout callout-style-default callout-note callout-titled">
<div class="callout-header d-flex align-content-center">
<div class="callout-icon-container">
<i class="callout-icon"></i>
</div>
<div class="callout-title-container flex-fill">
Note
</div>
</div>
<div class="callout-body-container callout-body">
<p>This blog post assumes the reader has basic knowledge of Hoare logic. In case you want an introduction, you can consult one of the following books (in order of appearance): <em>A Discipline of Programming</em> by Edsger Dijkstra (1976), <em>Mathematical Theory of Program Correctness</em> by Jaco de Bakker (1980), <em>The Science of Programming</em> by David Gries (1981), <em>Program Verification</em> by Nissim Francez (1992), <em>Verification of Sequential and Concurrent Programs</em> by Krzysztof Apt, Frank de Boer &amp; Ernst-Rüdiger Olderog (2009). See the survey paper by Apt and Olderog <span class="citation" data-cites="apt2019fifty">[1]</span> for more references.</p>
</div>
</div>
</section>
<section id="sorting" class="level2" data-number="2">
<h2 data-number="2" class="anchored" data-anchor-id="sorting"><span class="header-section-number">2</span> Sorting</h2>
<p>The purpose of a sorting algorithm is to rearrange elements in an array, so that the final result is an array where all elements are in order. For simplicity, we assume we are dealing with an array of integers. The ordering of integers is their natural order, <em>i.e.</em> <img src="https://latex.codecogs.com/png.latex?%5Cldots%5Cleq%20-2%5Cleq%20-1%5Cleq%200%5Cleq%201%5Cleq%202%5Cleq%20%5Cldots">.</p>
<p>Given array <img src="https://latex.codecogs.com/png.latex?a"> of type <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Binteger%7D%5Cto%5Cmathbf%7Binteger%7D">. We define the following predicate: <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BSorted%7D(a)%20%5Cequiv_%5Cmathrm%7Bdef%7D%20%5Cforall%20i,%20j%20:%20i%20%5Cleq%20j%20%5Cto%20a%5Bi%5D%20%5Cleq%20a%5Bj%5D."> The above predicate expresses that the whole array <img src="https://latex.codecogs.com/png.latex?a"> is sorted. We also define: <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BSorted%7D(a,f,t)%20%5Cequiv_%5Cmathrm%7Bdef%7D%20%5Cforall%20i,%20j%20:%20f%20%5Cleq%20i%20%5Cleq%20j%20%5Cleq%20t%20%5Cto%20a%5Bi%5D%20%5Cleq%20a%5Bj%5D."> This predicate expresses that array <img src="https://latex.codecogs.com/png.latex?a"> is sorted on the range <img src="https://latex.codecogs.com/png.latex?%5Bf,t%5D">, <em>i.e.</em>&nbsp;from index <img src="https://latex.codecogs.com/png.latex?f"> until and including index <img src="https://latex.codecogs.com/png.latex?t">.</p>
<p>Alternatively, we can define the following predicates: <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BSorted%7D%5C,'(a)%20%5Cequiv_%5Cmathrm%7Bdef%7D%20%5Cforall%20i%20:%20a%5Bi%5D%20%5Cleq%20a%5Bi%20+%201%5D"> and <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BSorted%7D%5C,'(a,f,t)%20%5Cequiv_%5Cmathrm%7Bdef%7D%20%5Cforall%20i%20:%20f%20%5Cleq%20i%20%3C%20t%20%5Cto%20a%5Bi%5D%20%5Cleq%20a%5Bi%20+%201%5D."> It can now be verified (e.g.&nbsp;using a proof system for predicate logic such as natural deduction) that <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BSorted%7D(a)%20%5Cequiv%20%5Cmathit%7BSorted%7D%5C,'(a)"> and <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BSorted%7D(a,f,t)%5Cequiv%5Cmathit%7BSorted%7D%5C,'(a,f,t)">.</p>
<p>We may use these predicates to describe the desired outcome of a sorting algorithm: namely, that array <img src="https://latex.codecogs.com/png.latex?a"> is sorted (on a particular range). However, this property alone is not sufficient. We also require a relation between the input array and the output array, to specify that the algorithm did not insert new, duplicate old, or throw out any elements. Note that the input array and the output array are stored in the same place in memory, so it matters not <em>where</em> we look but <em>when</em> we look. By input array we mean the value of the array <img src="https://latex.codecogs.com/png.latex?a"> before the algorithm runs, and by output array we mean the value of the (same) array <img src="https://latex.codecogs.com/png.latex?a"> but after the algorithm finished running.</p>
<p>To rule out algorithms that insert new elements, duplicate old ones, or throw out elements, we require that there exist a one-to-one correspondence between the input and output array.</p>
<p>Given array <img src="https://latex.codecogs.com/png.latex?b"> of type <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Binteger%7D%5Cto%5Cmathbf%7Binteger%7D">. We use <img src="https://latex.codecogs.com/png.latex?b"> as the name for the input array, whereas <img src="https://latex.codecogs.com/png.latex?a"> is the name for the output array. We now define the following predicate: <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BPermut%7D(a,b)%20%5Cequiv_%5Cmathrm%7Bdef%7D%20%5Cexists%20%5Cpi%20:%20%5Cmathit%7BInj%7D(%5Cpi)%20%5Cland%20%5Cmathit%7BSurj%7D(%5Cpi)%20%5Cland%20%5Cforall%20i%20:%20b%5B%5Cpi(i)%5D%20=%20a%5Bi%5D."> This predicate expresses that the whole array <img src="https://latex.codecogs.com/png.latex?a"> is a permutation of array <img src="https://latex.codecogs.com/png.latex?b">. The intuition of <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BPermut%7D(a,b)"> is that <img src="https://latex.codecogs.com/png.latex?%5Cpi"> represents a bijection between integers: a one-to-one correspondence between the indices of the output array <img src="https://latex.codecogs.com/png.latex?a"> and input array <img src="https://latex.codecogs.com/png.latex?b">. Here we make use of the following definitions: <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BInj%7D(%5Cpi)%20%5Cequiv_%5Cmathrm%7Bdef%7D%20%5Cforall%20x,%20y%20:%20%5Cpi(x)%20=%20%5Cpi(y)%20%5Cto%20x%20=%20y"> and <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BSurj%7D(%5Cpi)%20%5Cequiv_%5Cmathrm%7Bdef%7D%20%5Cforall%20x%20:%20%5Cexists%20y%20:%20%5Cpi(y)%20=%20x."></p>
<p>(As an aside, i.e.&nbsp;not relevant for the rest of this article, note that it depends on the language in which we work whether quantification over <img src="https://latex.codecogs.com/png.latex?%5Cpi"> is first-order or not. If we work in the language of Peano arithmetic, this quantifier is higher-order. But if we work in the language of set theory, this quantifier is first-order where <img src="https://latex.codecogs.com/png.latex?%5Cpi"> ranges over sets representing functions <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Binteger%7D%5Cto%5Cmathbf%7Binteger%7D">.)</p>
<p>We actually need a stronger predicate than <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BPermut%7D">, namely one that expresses that array <img src="https://latex.codecogs.com/png.latex?a"> is a permutation of array <img src="https://latex.codecogs.com/png.latex?b"> on a particular range, and leaves all other elements in place. Compare this with how we have two predicates for being sorted: <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BSorted%7D(a)"> and <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BSorted%7D(a,f,t)">. So we now define the following predicate: <img src="https://latex.codecogs.com/png.latex?%5Cbegin%7Baligned%7D%0A%5Cmathit%7BPermut%7D(a,b,f,t)%20&amp;%5Cequiv_%5Cmathrm%7Bdef%7D%20%5Cexists%20%5Cpi%20:%20%5Cmathit%7BInj%7D(%5Cpi)%20%5Cland%20%5Cmathit%7BSurj%7D(%5Cpi)%20%5Cland%20(%5Cforall%20i%20:%20b%5B%5Cpi(i)%5D%20=%20a%5Bi%5D)%5C%20%5Cland%5C%5C%0A&amp;%5Cqquad%5Cquad%20(%5Cforall%20i%20:%20f%20%5Cleq%20i%20%5Cleq%20t%20%5Clor%20%5Cpi(i)%20=%20i).%0A%5Cend%7Baligned%7D"> The new condition requires of the bijection <img src="https://latex.codecogs.com/png.latex?%5Cpi"> that every index <img src="https://latex.codecogs.com/png.latex?i"> that falls outside of the range <img src="https://latex.codecogs.com/png.latex?%5Bf,t%5D"> is mapped identically. We could say that the latter predicate expresses a <em>restricted</em> permutation.</p>
</section>
<section id="gnome-sort" class="level2" data-number="3">
<h2 data-number="3" class="anchored" data-anchor-id="gnome-sort"><span class="header-section-number">3</span> Gnome sort</h2>
<p>Gnome sort is a simple sorting algorithm. The story behind the algorithm is as follows. Suppose there is a garden with flower pots arranged next to each other on a table. Each flower pot contains a beautiful flower of a certain height. A gnome comes along and, being a pedantic gnome, wants to arrange the flowers in such a way that the flowers in the pots are ordered from the smallest flower to the largest flower on the table.</p>
<p>How does the gnome achieve this? The gnome stands next to the table, in front of a single flower pot. The procedure is easy:</p>
<ol type="1">
<li><p>The gnome starts at the leftmost flower pot.</p></li>
<li><p>If there is no preceding flower pot, or if the flower in the preceding pot is smaller than the flower in the pot in front of the gnome, then the gnome takes one step to the right.</p></li>
<li><p>If there is a preceding flower pot and the flower in the preceding pot is larger than the flower in the pot in front of the gnome, the gnome swaps the two flowers and takes one step to the left.</p></li>
<li><p>If the gnome has not reached the end of the table, it goes back to step 2.</p></li>
</ol>
<p>Now, we use an array <img src="https://latex.codecogs.com/png.latex?a"> to represent the row of flower pots: each cell of the array is a flower pot, and the value stored in each cell represents the height of a flower. Swapping the values of two cells of the array represents that the gnome, being a true gardener, takes the flowers out of the two pots and places each back in the other pot. Try to imagine how the gnome runs!</p>
<p>Note that gnome sort is slightly different from insertion sort. In the insertion sort algorithm, we need to keep track of two locations: the location of the element which is being inserted in the proper place, and the location of where to insert that element. Insertion sort is typically implemented using a nested loop: after the given element is inserted in the prefix (inner loop), we can continue with the next element after the prefix (outer loop). However, in gnome sort, there is only a single position that is tracked, namely the position of the gnome. The gnome has to walk back after it has placed the element in the proper position, and thus performs more comparisons than insertion sort.</p>
<div id="fig-gnomesort" class="quarto-float quarto-figure quarto-figure-center anchored">
<figure class="quarto-float quarto-float-fig figure">
<div aria-describedby="fig-gnomesort-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
<img src="https://www.drheap.nl/articles/2023/correctness-of-two-sorting-algorithms/fig1.png" class="img-fluid figure-img">
</div>
<figcaption class="quarto-float-caption-bottom quarto-float-caption quarto-float-fig" id="fig-gnomesort-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
Figure&nbsp;1: The gnome sort algorithm.
</figcaption>
</figure>
</div>
<p>We can write down an algorithm that encodes the procedure of the gnome: see Figure&nbsp;1. We are given variables <img src="https://latex.codecogs.com/png.latex?f"> and <img src="https://latex.codecogs.com/png.latex?t"> of type <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Binteger%7D">. These represent the range of indices in the array <img src="https://latex.codecogs.com/png.latex?a"> representing the flower pots, where <img src="https://latex.codecogs.com/png.latex?f"> is the index of the first flower pot and <img src="https://latex.codecogs.com/png.latex?t"> is the index of the last flower pot. The variable <img src="https://latex.codecogs.com/png.latex?i"> of type <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Binteger%7D"> represents the position of the gnome, and the variable <img src="https://latex.codecogs.com/png.latex?z"> of type <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Binteger%7D"> is a temporary variable used for swapping the flowers.</p>
<p>We can make the following observations of the algorithm in Figure&nbsp;1:</p>
<ul>
<li><p>If <img src="https://latex.codecogs.com/png.latex?t%20%5Cleq%20f"> then the algorithm terminates without modifying the array. Otherwise, the bounds of the position <img src="https://latex.codecogs.com/png.latex?i"> are: <img src="https://latex.codecogs.com/png.latex?f%5Cleq%20i%5Cleq%20t+1">.</p></li>
<li><p>The array from <img src="https://latex.codecogs.com/png.latex?f"> to <img src="https://latex.codecogs.com/png.latex?i%20-%201"> is always sorted. This property is a <em>loop invariant</em>: it holds at the beginning of the loop, at the beginning of the loop body, at the end of the loop body, and after the loop.</p></li>
<li><p>The sorting algorithm does not insert new elements, duplicate old elements, or throw out elements: thus, the output array (that is, the value of <img src="https://latex.codecogs.com/png.latex?a"> after running) is a permutation of the input array (the value of <img src="https://latex.codecogs.com/png.latex?a"> before running) restricted to the given range <img src="https://latex.codecogs.com/png.latex?%5Bf,t%5D">. At the beginning and end of the loop body, the current value of the array is also a restricted permutation of the input array, and this property is a loop invariant. However, this is temporarily broken when we swap around values in the array!</p></li>
</ul>
<p>We now formalize the correctness proof, by means of a proof outline (see Figure&nbsp;2). First, we introduce a freeze variable, the array <img src="https://latex.codecogs.com/png.latex?b"> of type <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Binteger%7D%5Cto%5Cmathbf%7Binteger%7D">. We may think of <img src="https://latex.codecogs.com/png.latex?b"> as a snapshot of the array <img src="https://latex.codecogs.com/png.latex?a"> at the time before running the algorithm. Since <img src="https://latex.codecogs.com/png.latex?b"> is never modified by the program, it maintains its value over time, and thus allows us to compare the actual value of <img src="https://latex.codecogs.com/png.latex?a"> with its original value.</p>
<div id="fig-gnomesort-proof" class="quarto-float quarto-figure quarto-figure-center anchored">
<figure class="quarto-float quarto-float-fig figure">
<div aria-describedby="fig-gnomesort-proof-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
<img src="https://www.drheap.nl/articles/2023/correctness-of-two-sorting-algorithms/fig2.png" class="img-fluid figure-img">
</div>
<figcaption class="quarto-float-caption-bottom quarto-float-caption quarto-float-fig" id="fig-gnomesort-proof-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
Figure&nbsp;2: A proof outline of the gnome sort algorithm.
</figcaption>
</figure>
</div>
<ol type="1">
<li><p>The precondition as formulated expresses that the freeze variable <img src="https://latex.codecogs.com/png.latex?b"> contains a snapshot of array <img src="https://latex.codecogs.com/png.latex?a"> at this instant. Also, we restrict ourselves in this proof to the case where <img src="https://latex.codecogs.com/png.latex?f%5Cleq%20t+1"> holds (since, otherwise, the algorithm has no effect).</p></li>
<li><p>This assertion follows from (2.1) since the following properties hold: <img src="https://latex.codecogs.com/png.latex?(%5Cforall%20i%20:%20a%5Bi%5D%20=%20b%5Bi%5D)%20%5Cto%20%5Cmathit%7BPermut%7D(a,b)%5Ctext%7B%20and%20%7D%5Cmathit%7BPermut%7D(a,b)%20%5Cto%20%5Cmathit%7BPermut%7D(a,b,f,t)."> We take as a witness (for the existentially quantified <img src="https://latex.codecogs.com/png.latex?%5Cpi"> in the definition of <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BPermut%7D">) the identity function, which is a bijection. Also, the following property holds: <img src="https://latex.codecogs.com/png.latex?t%20%5Cleq%20f%20%5Cto%20%5Cmathit%7BSorted%7D(a,f,t),"> since the range <img src="https://latex.codecogs.com/png.latex?%5Bf,t%5D"> must be empty if <img src="https://latex.codecogs.com/png.latex?t%20%3C%20f">, and <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BSorted%7D(a,f,f)"> also holds.</p></li>
<li><p>As we already observed from the algorithm, we can now formalize the loop invariant. The first part expresses that the array from <img src="https://latex.codecogs.com/png.latex?f"> until (but excluding) <img src="https://latex.codecogs.com/png.latex?i"> must be sorted. The second part expresses that the actual value of <img src="https://latex.codecogs.com/png.latex?a"> is a permutation of the input array (given the name <img src="https://latex.codecogs.com/png.latex?b">), restricted to the range <img src="https://latex.codecogs.com/png.latex?%5Bf,t%5D">. The third part expresses the bounds of the position <img src="https://latex.codecogs.com/png.latex?i">. Note that by applying the substitution rule we obtain assertion (2.2), so we have verified that this loop invariant is <em>initially valid</em>. In the remainder of the proof outline we check whether the loop invariant is preserved by the loop body, and allows us to conclude our post condition.</p></li>
<li><p>This assertion always holds at the start of the loop body, where we know the loop test is true. Thus we can make the invariant stronger: we know that <img src="https://latex.codecogs.com/png.latex?i%5Cleq%20t"> subsumes <img src="https://latex.codecogs.com/png.latex?i%5Cleq%20t+1">.</p></li>
<li><p>We have obtained this assertion in the following way: we need to establish the loop invariant of (2.3) at the end of the loop body. Hence, it has to be a postcondition of the then-branch of the conditional statement. We apply the substitution axiom that replaces <img src="https://latex.codecogs.com/png.latex?i"> by <img src="https://latex.codecogs.com/png.latex?i%20+%201">. Now, why does this assertion follow from the preceding assertion? We discriminate two cases:</p>
<ul>
<li><p>Case <img src="https://latex.codecogs.com/png.latex?i%20=%20f">. We can establish <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BSorted%7D(a,f,f)"> from the general property mentioned at (2.2).</p></li>
<li><p>Case <img src="https://latex.codecogs.com/png.latex?a%5Bi%20-%201%5D%20%5Cleq%20a%5Bi%5D">. The following property holds: <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BSorted%7D(a,f,i%20-%201)%20%5Cland%20a%5Bi%20-%201%5D%20%5Cleq%20a%5Bi%5D%20%5Cto%20%5Cmathit%7BSorted%7D(a,f,i)"> since we extend the range but also have the required property about <img src="https://latex.codecogs.com/png.latex?a%5Bi%5D"> and <img src="https://latex.codecogs.com/png.latex?a%5Bi+1%5D"> (and by transitivity of <img src="https://latex.codecogs.com/png.latex?%5Cleq">, also for all elements before <img src="https://latex.codecogs.com/png.latex?a%5Bi%5D">, cf.&nbsp;why the predicates <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BSorted%7D"> and <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BSorted%7D%5C,'"> are equivalent).</p></li>
</ul>
<p>That <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BPermut%7D(a,b,f,t)"> follows from <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BPermut%7D(a,b,f,t)"> (shown with dots) is trivial, and it is easy to see that <img src="https://latex.codecogs.com/png.latex?i%5Cleq%20t%20%5Cto%20i%20+%201%20%5Cleq%20t%20+%201"> and <img src="https://latex.codecogs.com/png.latex?f%5Cleq%20i%20%5Cto%20f%5Cleq%20i+1">.</p></li>
<li><p>The assertion above this one is obtained from (2.4) and the negation of the conditional test. This assertion follows from the one above by the following argument. We have the property: <img src="https://latex.codecogs.com/png.latex?j%20%3C%20i%20%5Cland%20%5Cmathit%7BSorted%7D(a,f,i)%20%5Cto%20%5Cmathit%7BSorted%7D(a,f,j)"> since the range becomes smaller. <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BPermut%7D(a,b,f,t)"> implies itself is again trivial, and <img src="https://latex.codecogs.com/png.latex?i%5Cleq%20t%20%5Cto%20i-1%20%5Cleq%20t+1"> and <img src="https://latex.codecogs.com/png.latex?f%3Ci%5Cto%20f%5Cleq%20i-1"> are easy to see.</p></li>
<li><p>But how did we obtain the assertion at (2.6) in the first place? Intuitively, it is the result of swapping <img src="https://latex.codecogs.com/png.latex?a%5Bi%5D"> and <img src="https://latex.codecogs.com/png.latex?a%5Bi-1%5D"> in the assertion (2.8). Swapping does not affect <img src="https://latex.codecogs.com/png.latex?f%5Cleq%20i-1%5Cleq%20t+1">. We have the following property: <img src="https://latex.codecogs.com/png.latex?t%20%3C%20i%20%5Cto%20%5Cmathit%7BSorted%7D(a,f,t)%5Ba%5Bi%5D%20:=%20v%5D%20%5Cequiv%20%5Cmathit%7BSorted%7D(a,f,t)"> since <img src="https://latex.codecogs.com/png.latex?a%5Bx%5D%5Ba%5Bi%5D%20:=%20v%5D%20=%20a%5Bx%5D"> for all <img src="https://latex.codecogs.com/png.latex?x%20%3C%20i">: there is no aliasing here!</p>
<p>The proof outline has a missing link: why is it that <img src="https://latex.codecogs.com/png.latex?a"> and <img src="https://latex.codecogs.com/png.latex?b"> are still restricted permutations when we swap <img src="https://latex.codecogs.com/png.latex?a%5Bi%5D"> and <img src="https://latex.codecogs.com/png.latex?a%5Bi-1%5D">? The essence of the argument is that from the witness <img src="https://latex.codecogs.com/png.latex?%5Cpi"> of <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BPermut%7D(a,b,f,t)">, we can construct a new witness, say <img src="https://latex.codecogs.com/png.latex?%5Cpi'">, as follows: <img src="https://latex.codecogs.com/png.latex?%7B%5Cpi'(i)%20=%20%5Cpi(i%20-%201)%7D"> and <img src="https://latex.codecogs.com/png.latex?%7B%5Cpi'(i-1)%20=%20%5Cpi(i)%7D"> and for all other arguments <img src="https://latex.codecogs.com/png.latex?%5Cpi'"> and <img src="https://latex.codecogs.com/png.latex?%5Cpi"> agree. Further, <img src="https://latex.codecogs.com/png.latex?i"> and <img src="https://latex.codecogs.com/png.latex?i-1"> fall within the restricted range <img src="https://latex.codecogs.com/png.latex?%5Bf,t%5D"> of the permutation.</p>
<p>To phrase it in a different way, we have the following property: <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BPermut%7D(a,b,f,t)%5Ba%5Bi%20-%201%5D%20:=%20z%5D%5Ba%5Bi%5D%20:=%20a%5Bi%20-%201%5D%5D%5Bz%20:=%20a%5Bi%5D%5D%20%5Cequiv%20%5Cmathit%7BPermut%7D(a,b,f,t)"> if <img src="https://latex.codecogs.com/png.latex?f%5Cleq%20i-1%5Cleq%20t+1">.</p></li>
<li><p>Easily obtained from the loop invariant by replacing <img src="https://latex.codecogs.com/png.latex?i"> by <img src="https://latex.codecogs.com/png.latex?i-1">.</p></li>
<li><p>We check that the loop invariant and the negation of the loop test actually lead to the desired postcondition: we have that <img src="https://latex.codecogs.com/png.latex?i%20=%20t%20+%201"> must hold.</p></li>
</ol>
<p>This concludes the correctness argument of the gnome sort algorithm.</p>
</section>
<section id="bozosort" class="level2" data-number="4">
<h2 data-number="4" class="anchored" data-anchor-id="bozosort"><span class="header-section-number">4</span> Bozosort</h2>
<p>Bozosort is also a simple sorting algorithm. Suppose you stand in front of a table with cards on its surface, and each card has a number printed on it. Now pick any two cards on the table and swap them. Repeat this, until the numbers on the cards are all sorted from small to large. In this algorithm, we make use of a source of randomness: namely, to pick two cards to swap.</p>
<p>Again, we use an array <img src="https://latex.codecogs.com/png.latex?a"> of type <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Binteger%7D%5Cto%5Cmathbf%7Binteger%7D"> to represent the cards on the table. Each cell of the array corresponds to a spot on the table, and the value stored in the array is the number printed on the card.</p>
<div id="fig-bozosort" class="quarto-float quarto-figure quarto-figure-center anchored">
<figure class="quarto-float quarto-float-fig figure">
<div aria-describedby="fig-bozosort-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
<img src="https://www.drheap.nl/articles/2023/correctness-of-two-sorting-algorithms/fig3.png" class="img-fluid figure-img">
</div>
<figcaption class="quarto-float-caption-bottom quarto-float-caption quarto-float-fig" id="fig-bozosort-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
Figure&nbsp;3: The bozosort algorithm.
</figcaption>
</figure>
</div>
<p>We can write down an algorithm that encodes this procedure, see Figure&nbsp;3. Here, we are given variables <img src="https://latex.codecogs.com/png.latex?f"> and <img src="https://latex.codecogs.com/png.latex?t"> of type <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Binteger%7D"> representing the bounds of the array. The algorithm consists of an outer loop and an inner loop. The loop body of the outer loop has two components (separated by vertical space). By component I simply mean a subprogram. The first component chooses two random numbers and swaps the values in the array. The second component walks through the array to test whether it is actually sorted. We use the variables <img src="https://latex.codecogs.com/png.latex?i"> and <img src="https://latex.codecogs.com/png.latex?j"> of type <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Binteger%7D">, and the variable <img src="https://latex.codecogs.com/png.latex?c"> of type <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Bboolean%7D">.</p>
<p>To understand the meaning of the random assignment, we can make use of the following axiom: <img src="https://latex.codecogs.com/png.latex?%5C%7Bp%5C%7D%5Cmathrel%7Bx%20:=%20%5Cmathbf%7Brandom%7D(l,h)%7D%5C%7Bp%20%5Cland%20l%5Cleq%20x%5Cleq%20h%5C%7D"> where <img src="https://latex.codecogs.com/png.latex?p"> is an arbitrary formula where <img src="https://latex.codecogs.com/png.latex?x"> does not occur free, and <img src="https://latex.codecogs.com/png.latex?x"> does not occur in the arbitrary expressions <img src="https://latex.codecogs.com/png.latex?l"> or <img src="https://latex.codecogs.com/png.latex?h">. Intuitively, this statement selects (non-deterministically) an integer between <img src="https://latex.codecogs.com/png.latex?l"> and <img src="https://latex.codecogs.com/png.latex?h"> and updates the value of variable <img src="https://latex.codecogs.com/png.latex?x"> with the selected value.</p>
<p>What happens when <img src="https://latex.codecogs.com/png.latex?l%20%3E%20h"> is the case and we perform the random assignment? According to the above axiom, we obtain <img src="https://latex.codecogs.com/png.latex?%5C%7Bl%20%3E%20h%5C%7D%5Cmathrel%7Bx%20:=%20%5Cmathbf%7Brandom%7D(l,h)%7D%5C%7Bl%20%3E%20h%20%5Cland%20l%20%5Cleq%20x%20%5Cleq%20h%5C%7D."> The postcondition is contradictory, so equivalent to <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Bfalse%7D">. Thus, operationally, we could think that running the random assignment from such a situation is equivalent to running a program that never finishes. This works because we look at Hoare triples in their <em>partial correctness</em> sense.</p>
<p>We can make the following observations of the algorithm in Figure&nbsp;3:</p>
<ul>
<li><p>The actual value of array <img src="https://latex.codecogs.com/png.latex?a"> is a permutation of the input array <img src="https://latex.codecogs.com/png.latex?a"> at any control point, except in the middle of the first component where we perform the swapping of two elements. Thus, we could use this fact as a loop invariant of both the inner and the outer loop.</p></li>
<li><p>After the second component finishes its execution, the variable <img src="https://latex.codecogs.com/png.latex?c"> represents whether the array is actually sorted or not. Hence, it is a loop invariant of the outer loop that <em>if</em> <img src="https://latex.codecogs.com/png.latex?c"> is true, <em>then</em> the array is sorted. This means that the loop only exits when the array <img src="https://latex.codecogs.com/png.latex?a"> is actually sorted!</p></li>
<li><p>The inner loop that checks whether the array is sorted looks a bit like gnome sort: the position variable <img src="https://latex.codecogs.com/png.latex?i"> is moved to the right whenever we have tested the array elements are in order. But, instead of walking to the left, the inner loop has an early exit in case it encounters two elements that are not properly ordered. By setting <img src="https://latex.codecogs.com/png.latex?c"> to <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Bfalse%7D">, the outer loop must run again.</p></li>
</ul>
<div id="fig-bozosort-proof" class="quarto-float quarto-figure quarto-figure-center anchored">
<figure class="quarto-float quarto-float-fig figure">
<div aria-describedby="fig-bozosort-proof-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
<img src="https://www.drheap.nl/articles/2023/correctness-of-two-sorting-algorithms/fig4.png" class="img-fluid figure-img">
</div>
<figcaption class="quarto-float-caption-bottom quarto-float-caption quarto-float-fig" id="fig-bozosort-proof-caption-0ceaefa1-69ba-4598-a22c-09a6ac19f8ca">
Figure&nbsp;4: A proof outline for the bozosort algorithm.
</figcaption>
</figure>
</div>
<p>We now formalize the correctness proof, by means of a proof outline (see Figure&nbsp;4). Again, we introduce a freeze variable, the array <img src="https://latex.codecogs.com/png.latex?b"> of type <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Binteger%7D%5Cto%5Cmathbf%7Binteger%7D">, with the same purpose as before.</p>
<ol type="1">
<li><p>This assertion follows from the precondition, since <img src="https://latex.codecogs.com/png.latex?(%5Cmathbf%7Bfalse%7D%5Cto%20p)"> is vacuous for any formula <img src="https://latex.codecogs.com/png.latex?p">, and the precondition implies <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BPermut%7D(a,b,f,t)"> for the same reason as given in (2.2).</p></li>
<li><p>Here we have formalized our intuition of the loop invariant for the outer loop. Note that the assignment axiom allows us to obtain (4.1).</p></li>
<li><p>When entering the loop body we know that <img src="https://latex.codecogs.com/png.latex?c"> must be <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Bfalse%7D">, so we can adapt the loop invariant: only information about the array <img src="https://latex.codecogs.com/png.latex?a"> being a restricted permutation remains present here.</p></li>
<li><p>Obtained by applying our axiom for random assignments.</p></li>
<li><p>Also obtained by applying our axiom for random assignments. Note that from this assertion it already follows that <img src="https://latex.codecogs.com/png.latex?f%5Cleq%20t">.</p></li>
<li><p>Again we have the swapping of two elements. The argument needed here is a slight generalization of the argument of (2.7) above, where the essence is this property (given <img src="https://latex.codecogs.com/png.latex?f%5Cleq%20i%5Cleq%20t"> and <img src="https://latex.codecogs.com/png.latex?f%5Cleq%20j%5Cleq%20t">): <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BPermut%7D(a,b,f,t)%5Ba%5Bj%5D%20:=%20z%5D%5Ba%5Bi%5D%20:=%20a%5Bj%5D%5D%5Bz%20:=%20a%5Bi%5D%5D%20%5Cequiv%20%5Cmathit%7BPermut%7D(a,b,f,t)."> Note that if the two random variables have the same value, the swap has no effect.</p></li>
<li><p>Comparing to (4.3), we now also know that <img src="https://latex.codecogs.com/png.latex?f%5Cleq%20t">. Clearly, the three preceding assignments cannot affect <img src="https://latex.codecogs.com/png.latex?f%5Cleq%20t"> and we already knew it holds in (4.5). In the other case (that <img src="https://latex.codecogs.com/png.latex?f%20%3E%20t"> holds), we would not even reach this point in the program.</p></li>
<li><p>We here formulate the loop invariant for the inner body. The essence is that we know that everything on the left (and including) of <img src="https://latex.codecogs.com/png.latex?i"> must be sorted. This is initially valid, since <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BSorted%7D(a,f,f)"> is true as in (2.2). We still need to establish that this is indeed a loop invariant.</p></li>
<li><p>When the loop body is entered, we know both <img src="https://latex.codecogs.com/png.latex?c"> and <img src="https://latex.codecogs.com/png.latex?i%20%3C%20t">. The latter is used to make our assertion stronger than the loop invariant.</p></li>
<li><p>In the case the elements are properly ordered, we can again apply the property as mentioned in the second case of (2.5).</p></li>
<li><p>It is easy to see that <img src="https://latex.codecogs.com/png.latex?i%3Ct"> implies <img src="https://latex.codecogs.com/png.latex?i%5Cleq%20t">. It is quite surprising that the assertion at this point does not say anything about variable <img src="https://latex.codecogs.com/png.latex?c">.</p></li>
<li><p>We now establish that the outer loop invariant follows from the inner loop invariant, under the condition that the inner loop has terminated (so its test must be false). There are two cases:</p>
<ul>
<li><p>Case <img src="https://latex.codecogs.com/png.latex?%5Clnot%20c">: we have an early exit of the inner loop. Since <img src="https://latex.codecogs.com/png.latex?c"> is <img src="https://latex.codecogs.com/png.latex?%5Cmathbf%7Bfalse%7D">, the left conjunct is vacuous. The right conjunct trivially follows from the inner loop invariant.</p></li>
<li><p>Case <img src="https://latex.codecogs.com/png.latex?%5Clnot%20(i%20%3C%20t)">: we know the inner loop has fully executed, so <img src="https://latex.codecogs.com/png.latex?i%20=%20t"> from the upper bound in the loop invariant. So <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BSorted%7D(a,f,t)"> must hold, regardless of the value of <img src="https://latex.codecogs.com/png.latex?c">.</p></li>
</ul></li>
<li><p>The postcondition is obtained by a double negation elimination on the test of the outer loop: <img src="https://latex.codecogs.com/png.latex?%5Clnot%5Clnot%20c"> implies <img src="https://latex.codecogs.com/png.latex?c">, and so from <img src="https://latex.codecogs.com/png.latex?(c%5Cto%20%5Cmathit%7BSorted%7D(a,f,t))"> we obtain that the array is actually sorted. Again, <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BPermut%7D(a,b,f,t)"> follows trivially from the outer loop invariant.</p></li>
</ol>
<p>This concludes the correctness argument of the bozosort algorithm.</p>
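<p>As an added illustration (not the article's own code; Figure 3 is an image, so the algorithm is reconstructed from the description above), here is bozosort on <code>a[f..t]</code> in Python with the outer and inner loop invariants of the proof outline checked at every control point. The names <code>f</code>, <code>t</code>, <code>i</code>, <code>j</code>, <code>c</code> and the freeze variable <code>b</code> follow the article; the seeded random generator and the modelling of <code>random(l, h)</code> with <code>l &gt; h</code> as an exception are assumptions made here.</p>

```python
import random

# Added example, not the article's code: the algorithm of Figure 3 is reconstructed
# from the article's description. a[f..t] (inclusive bounds) is sorted in place;
# b is the freeze variable (a snapshot of the input) used only in the assertions.


class Blocked(Exception):
    """Raised when random(l, h) runs with l > h. Modelling choice: the article reads
    this situation (postcondition false) as a computation that never finishes."""


def sorted_range(a, f, t):
    """Sorted(a, f, t): a[f], ..., a[t] is non-decreasing; vacuously true if t <= f."""
    return all(a[k] <= a[k + 1] for k in range(f, t))


def permut_range(a, b, f, t):
    """Permut(a, b, f, t): a[f..t] is a rearrangement of b[f..t]; positions outside
    the bounds are ignored, which is why the postcondition needs the bounds."""
    return sorted(a[f:t + 1]) == sorted(b[f:t + 1])


def random_assign(rng, l, h):
    """x := random(l, h): some integer x with l <= x <= h (the axiom's postcondition)."""
    if l > h:
        raise Blocked(f"random({l}, {h}) has no value to pick")
    return rng.randint(l, h)


def bozosort(a, f, t, seed=0):
    """Bozosort a[f..t] in place, asserting the proof outline's invariants."""
    rng = random.Random(seed)   # seed is an assumption; any integer source works
    b = list(a)                 # freeze variable b
    c = False
    while not c:
        # outer loop invariant: (c -> Sorted(a,f,t)) and Permut(a,b,f,t)
        assert (not c or sorted_range(a, f, t)) and permut_range(a, b, f, t)
        # first component: choose two positions and swap them via the temporary z
        i = random_assign(rng, f, t)
        j = random_assign(rng, f, t)
        z = a[i]
        a[i] = a[j]
        a[j] = z
        assert permut_range(a, b, f, t) and f <= t   # the swap keeps the permutation
        # second component: walk through a[f..t] and test whether it is sorted
        c = True
        i = f
        while c and i < t:
            # inner loop invariant: Sorted(a,f,i) and f <= i <= t and Permut(a,b,f,t)
            assert sorted_range(a, f, i) and f <= i <= t and permut_range(a, b, f, t)
            if a[i] <= a[i + 1]:
                i += 1
            else:
                c = False               # early exit: the outer loop must run again
        # on exit either not c (left conjunct vacuous) or i == t, so c -> Sorted(a,f,t)
        assert (not c or sorted_range(a, f, t)) and permut_range(a, b, f, t)
    # postcondition: Sorted(a,f,t) and Permut(a,b,f,t)
    assert sorted_range(a, f, t) and permut_range(a, b, f, t)
    return a


def runs_to_completion(a, f, t):
    """False when the bounds are empty (f > t): the random assignment blocks."""
    try:
        bozosort(a, f, t)
        return True
    except Blocked:
        return False
```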
</section>
<section id="conclusion" class="level2" data-number="5">
<h2 data-number="5" class="anchored" data-anchor-id="conclusion"><span class="header-section-number">5</span> Conclusion</h2>
<p>We have seen two sorting algorithms, and discussed their correctness proofs. Although almost every detail is present here, there still remains a good exercise for practicing with array variable substitutions: to write down the proof outline of swapping the array elements above, and to work out in full detail how it affects the restricted permutation predicate <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BPermut%7D">.</p>
<p>In this article, we only look at program correctness in the sense of <em>partial correctness</em>. An interesting question remains: what can we say about the termination of these algorithms? Under what conditions do these algorithms terminate? In the following weeks of the Program Correctness course, we will look at <em>total correctness</em>, where we shall prove not only the correctness of a program with respect to a specification of its input and output behavior, but also whether the program terminates!</p>
</section>


<div id="quarto-appendix" class="default"><section id="acknowledgments" class="level2 appendix unnumbered"><h2 class="anchored quarto-appendix-heading">Acknowledgments</h2><div class="quarto-appendix-contents">

<p>I thank <a href="https://www.linkedin.com/in/dominique-lawson-99530a1b8/">Dominique Lawson</a> and <a href="https://www.linkedin.com/in/roos-wensveen-137039248/">Roos Wensveen</a> (both student assistants of the Program Correctness course) for suggesting improvements, and discovering an error in a previous version of this article. The error was that the postcondition needs to be <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BPermut%7D(a,b,f,t)"> and not <img src="https://latex.codecogs.com/png.latex?%5Cmathit%7BPermut%7D(a,b)"> (can you see why?). All remaining errors remain my own.</p>
</div></section><section class="quarto-appendix-contents" id="quarto-citation"><h2 class="anchored quarto-appendix-heading">Citation</h2><div><div class="quarto-appendix-secondary-label">BibTeX citation:</div><pre class="sourceCode code-with-copy quarto-appendix-bibtex"><code class="sourceCode bibtex">@article{hiep2023,
  author = {Hiep, Hans-Dieter A.},
  title = {Correctness of Two Sorting Algorithms},
  journal = {dr. heap},
  volume = {1},
  number = {2},
  date = {2023-03-15},
  url = {https://www.drheap.nl/articles/2023/correctness-of-two-sorting-algorithms/},
  doi = {10.59350/yzrje-rgv51},
  issn = {3050-5224},
  langid = {en}
}
</code></pre><div class="quarto-appendix-secondary-label">For attribution, please cite this work as:</div><div id="ref-hiep2023" class="csl-entry quarto-appendix-citeas">
<div class="">Hans-Dieter A. Hiep. Correctness of two sorting
algorithms. <em>dr. heap</em> volume 1, issue 2 (March 2023). <a href="https://doi.org/10.59350/yzrje-rgv51">https://doi.org/10.59350/yzrje-rgv51</a></div>
</div></div></section></div> ]]></description>
  <category>Lecture Notes</category>
  <category>Program Correctness</category>
  <guid>https://www.drheap.nl/articles/2023/correctness-of-two-sorting-algorithms/</guid>
  <pubDate>Tue, 14 Mar 2023 23:00:00 GMT</pubDate>
  <media:content url="https://www.drheap.nl/articles/2023/correctness-of-two-sorting-algorithms/cover-min.jpg" medium="image" type="image/jpeg"/>
</item>
<item>
  <title>Can ChatGPT do an exam?</title>
  <dc:creator>Hans-Dieter A. Hiep</dc:creator>
  <link>https://www.drheap.nl/articles/2023/can-chatgpt-do-an-exam/</link>
  <description><![CDATA[ 





<div class="abstract">
<p>In this article, I’ll publish the answers given by OpenAI’s ChatGPT for the final exam of the course Concepts of Programming Languages, a course I gave in the fall semester of 2022. I leave it to the reader to decide whether the given answers are correct or not ;-)</p>
</div>
<p>ChatGPT is a research project developed by <a href="https://openai.com/charter/">OpenAI</a>, which gives the following charter on their website: “OpenAI’s mission is to ensure that artificial general intelligence (AGI)—by which we mean highly autonomous systems that outperform humans at most economically valuable work—benefits all of humanity. We will attempt to directly build safe and beneficial AGI, but will also consider our mission fulfilled if our work aids others to achieve this outcome.” I have used version <a href="https://help.openai.com/en/articles/6825453-chatgpt-release-notes">February 13 (2023)</a> of ChatGPT.</p>
<p>After creating an account and logging in, the user interface for ChatGPT gives the following disclaimer: “While we have safeguards in place, the system may occasionally generate incorrect or misleading information and produce offensive or biased content. It is not intended to give advice.” So, we had better beware of the answers…</p>
<p>I give it the following first input: <em>Hi. I would like to ask you a number of exam questions about the course Concepts of Programming Languages.</em></p>
<blockquote class="blockquote">
<p><strong>ChatGPT</strong>: Of course, I’ll do my best to help you with your exam questions about Concepts of Programming Languages. What would you like to ask?</p>
</blockquote>
<p>So, here we go. All quotations are generated by ChatGPT.</p>
<section id="question-1." class="level2" data-number="1">
<h2 data-number="1" class="anchored" data-anchor-id="question-1."><span class="header-section-number">1</span> Question 1.</h2>
<p>What distinguishes a high-level programming language from a low-level programming language? Choose one or more correct answers from below.</p>
<ol type="1">
<li>High-level programming languages are used by more programmers than low-level programming languages.</li>
<li>High-level programming languages are always compiled into low-level programming languages, whereas low-level programming languages are directly executed by hardware processors.</li>
<li>High-level programming languages allow (some) concepts to be expressed more directly, whereas low-level programming languages require (convoluted, error-prone) encodings to express the same concepts.</li>
<li>A low-level programming language allows the programmer to describe more efficient computations, whereas a high-level programming language describes less efficient computations.</li>
</ol>
<blockquote class="blockquote">
<p><strong>ChatGPT</strong>: The correct answer is 3. High-level programming languages allow (some) concepts to be expressed more directly, whereas low-level programming languages require (convoluted, error-prone) encodings to express the same concepts.</p>
<p>Explanation: High-level programming languages are designed to provide a more abstract view of programming, allowing the programmer to express concepts and algorithms more easily and directly. They typically use more human-readable syntax and provide built-in abstractions for common programming tasks, such as memory management, string manipulation, and I/O operations. In contrast, low-level programming languages require the programmer to work more directly with the underlying hardware, requiring more detailed knowledge of the system architecture and often relying on manual memory management and other low-level operations. While low-level programming languages may offer greater control over the hardware, they can be more error-prone and harder to use effectively than high-level languages.</p>
</blockquote>
</section>
<section id="question-2." class="level2" data-number="2">
<h2 data-number="2" class="anchored" data-anchor-id="question-2."><span class="header-section-number">2</span> Question 2.</h2>
<p>Give a short motivation for each choice of the question above, why you made your selection (that is, why it is correct if you selected it, or why it is incorrect if you did not select it). Keep your motivation short: write at most two sentences per choice.</p>
<blockquote class="blockquote">
<p><strong>ChatGPT</strong>: Sure, here are the motivations for each choice:</p>
<ol type="1">
<li><p>Incorrect: The number of programmers using a language is not a factor in distinguishing between high-level and low-level programming languages.</p></li>
<li><p>Incorrect: While some high-level programming languages may be compiled into low-level machine code, this is not always the case, and low-level languages can also be compiled.</p></li>
<li><p>Correct: High-level programming languages provide built-in abstractions and a more abstract view of programming, making it easier to express concepts and algorithms more directly. In contrast, low-level languages require more direct manipulation of the hardware, making it necessary to use convoluted encodings to express the same concepts.</p></li>
<li><p>Incorrect: The efficiency of computations is not directly related to whether a language is high-level or low-level. Both types of languages can be used to write efficient code, depending on the specific task and the skill of the programmer.</p></li>
</ol>
</blockquote>
</section>
<section id="question-3." class="level2" data-number="3">
<h2 data-number="3" class="anchored" data-anchor-id="question-3."><span class="header-section-number">3</span> Question 3.</h2>
<p>What statements about pure and impure expressions are true? Choose one or more correct answers from below.</p>
<ol type="1">
<li>There exists an expression that is considered impure if you look at its parts, but which has no effect on the program state after it is fully evaluated.</li>
<li>An expression is only impure if its evaluation requires a large amount of time or space.</li>
<li>Impure expressions must have no side-effect on the program state when they are evaluated.</li>
<li>Assignment statements with impure expressions on the right-hand side can be eliminated, resulting in an equivalent program without any impure expressions.</li>
</ol>
<blockquote class="blockquote">
<p><strong>ChatGPT</strong>: The correct statement is 1. There exists an expression that is considered impure if you look at its parts, but which has no effect on the program state after it is fully evaluated.</p>
<p>Explanation: Pure expressions are those that have no side effects and always return the same result given the same input. Impure expressions, on the other hand, have side effects or may return different results for the same input. However, it is possible for an expression to be impure by definition but have no effect on the program state when evaluated. For example, an impure expression might generate a warning or log a message, but if the program does not use or check for these outputs, the expression is effectively pure.</p>
<p>Statement 2 is incorrect because the time or space required for evaluation is not a factor in determining whether an expression is pure or impure.</p>
<p>Statement 3 is incorrect because impure expressions by definition have side effects, so they do affect the program state when evaluated.</p>
<p>Statement 4 is incorrect because assignment statements with impure expressions on the right-hand side cannot always be eliminated without changing the behavior of the program. For example, if the impure expression generates a warning or logs a message, eliminating the assignment would result in the loss of this information.</p>
</blockquote>
</section>
<section id="question-4." class="level2" data-number="4">
<h2 data-number="4" class="anchored" data-anchor-id="question-4."><span class="header-section-number">4</span> Question 4.</h2>
<p>Give a short motivation for each choice of the previous question above, why you made your selection (that is, why it is true if you selected it, or why it is not true if you did not select it). Keep your motivation short: write at most two sentences per choice.</p>
<p>(ChatGPT already did that.)</p>
</section>
<section id="question-5." class="level2" data-number="5">
<h2 data-number="5" class="anchored" data-anchor-id="question-5."><span class="header-section-number">5</span> Question 5.</h2>
<p>What statements about exceptions are true? Choose one or more correct answers from below.</p>
<ol type="1">
<li>Numerical errors such as division by zero must immediately cause a program crash.</li>
<li>It is never possible to rethrow an exception that was caught before.</li>
<li>Throwing an exception always requires unwinding the whole call stack to find an exception handler.</li>
<li>An unhandled exception that was thrown could lead to a program crash.</li>
</ol>
<blockquote class="blockquote">
<p><strong>ChatGPT</strong>: The correct statements are 3 and 4.</p>
<p>Explanation:</p>
<ol type="1">
<li><p>Incorrect: Numerical errors such as division by zero can be handled by throwing an exception, rather than causing a program crash.</p></li>
<li><p>Incorrect: It is possible to rethrow an exception that was caught before using the “throw” statement.</p></li>
<li><p>Correct: When an exception is thrown, the call stack is unwound until an appropriate exception handler is found. This means that the function that threw the exception and any functions that it called will be exited, but this does not necessarily mean that the whole call stack will be unwound.</p></li>
<li><p>Correct: If an exception is not caught by any handler, it will cause the program to terminate with an error message. This can lead to a program crash if the error is not handled gracefully.</p></li>
</ol>
</blockquote>
</section>
<section id="question-6." class="level2" data-number="6">
<h2 data-number="6" class="anchored" data-anchor-id="question-6."><span class="header-section-number">6</span> Question 6.</h2>
<p>Give a short motivation for each choice of the previous question above, why you made your selection (that is, why it is true if you selected it, or why it is not true if you did not select it). Keep your motivation short: write at most two sentences per choice.</p>
<p>(ChatGPT already did that.)</p>
</section>
<section id="question-7." class="level2" data-number="7">
<h2 data-number="7" class="anchored" data-anchor-id="question-7."><span class="header-section-number">7</span> Question 7.</h2>
<p>What statements about object-oriented programming are true? Choose one or more correct answers from below.</p>
<ol type="1">
<li>Dynamic dispatch is a calling convention, where the method body that is actually invoked depends on the run-time type of the callee.</li>
<li>Class inheritance may sometimes be incompatible with Liskov’s substitution principle (where code that works on an object of type A also works for any object that is a subtype of A).</li>
<li>Every class has an object as an instance.</li>
<li>Objects live on a heap, and in garbage collected languages reachable objects may be removed in the background while the program is running.</li>
</ol>
<blockquote class="blockquote">
<p><strong>ChatGPT</strong>: The correct statements are 1, 2, and 4.</p>
<p>Explanation:</p>
<ol type="1">
<li><p>Correct: Dynamic dispatch is a key feature of object-oriented programming, where the method body that is actually invoked depends on the run-time type of the object that the method is invoked on.</p></li>
<li><p>Correct: Class inheritance can lead to violations of Liskov’s substitution principle if the subclass behavior is not compatible with the superclass behavior. For example, if a subclass violates the preconditions or postconditions of a superclass method, code that works on the superclass object may not work correctly on the subclass object.</p></li>
<li><p>Incorrect: While every object belongs to a class, not every class has an object as an instance. A class can be abstract or simply serve as a blueprint for creating objects.</p></li>
<li><p>Correct: Objects in object-oriented programming are typically allocated on a heap, and in garbage-collected languages, unreachable objects may be removed by the garbage collector while the program is running. This allows the programmer to focus on the program logic and not worry about memory management.</p></li>
</ol>
</blockquote>
</section>
<section id="question-8." class="level2" data-number="8">
<h2 data-number="8" class="anchored" data-anchor-id="question-8."><span class="header-section-number">8</span> Question 8.</h2>
<p>Give a short motivation for each choice of the previous question above, why you made your selection (that is, why it is true if you selected it, or why it is not true if you did not select it). Keep your motivation short: write at most two sentences per choice.</p>
<p>(ChatGPT already did that.)</p>
</section>
<section id="question-9." class="level2" data-number="9">
<h2 data-number="9" class="anchored" data-anchor-id="question-9."><span class="header-section-number">9</span> Question 9.</h2>
<p>Given the following context-free grammar in Backus-Naur Form (BNF):</p>
<pre><code>&lt;expr&gt; ::= (&lt;expr&gt;) | &lt;expr&gt; + &lt;expr&gt; | &lt;expr&gt; * &lt;expr&gt; | &lt;num&gt; | &lt;var&gt;
&lt;num&gt; ::= &lt;digit&gt; | &lt;digit&gt;&lt;num&gt;
&lt;digit&gt; ::= 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9
&lt;var&gt; ::= &lt;letter&gt; | &lt;letter&gt;&lt;var&gt;
&lt;letter&gt; ::= a | b | c | ...
&lt;stmt&gt; ::= {&lt;stmt&gt;} | &lt;var&gt; := &lt;expr&gt; | if &lt;expr&gt; = 0 then &lt;stmt&gt; else &lt;stmt&gt; | &lt;stmt&gt;; &lt;stmt&gt;</code></pre>
<p>The starting symbol is <code>&lt;stmt&gt;</code>.</p>
<p>Which of the following strings are in the language defined by the grammar above? Choose one or more correct answers from below.</p>
<ol type="1">
<li><code>abc := a+b;</code></li>
<li><code>c := (((c)))</code></li>
<li><code>a := b + a; b := a - b</code></li>
<li><code>if (a + b) = 0 then a := b else b := a</code></li>
</ol>
<blockquote class="blockquote">
<p><strong>ChatGPT</strong>: The correct strings are 1, 2, and 4.</p>
<p>Explanation:</p>
<ol type="1">
<li><p>Correct: The string <code>abc := a+b;</code> can be generated by the rule <code>&lt;var&gt; := &lt;expr&gt;</code>. The variable “abc” is a sequence of letters, which is generated by the rule <code>&lt;letter&gt;&lt;var&gt;</code>, and the expression “a+b” is generated by the rule <code>&lt;expr&gt; + &lt;expr&gt;</code> with <code>&lt;expr&gt;</code> being the variable “a” and the variable “b”, which are generated by the rule <code>&lt;var&gt;</code>.</p></li>
<li><p>Correct: The string <code>(((c)))</code> can be generated by the rule <code>&lt;expr&gt;</code> with <code>&lt;expr&gt;</code> being <code>(&lt;expr&gt;)</code> and <code>&lt;expr&gt;</code> being <code>(&lt;expr&gt;)</code> and <code>&lt;var&gt;</code> being “c”.</p></li>
<li><p>Incorrect: The string <code>a := b + a; b := a - b</code> cannot be generated by the given grammar because it is not a valid <code>&lt;stmt&gt;</code>. The grammar allows only one assignment statement per <code>&lt;stmt&gt;</code>.</p></li>
<li><p>Correct: The string <code>if (a + b) = 0 then a := b else b := a</code> can be generated by the rule <code>if &lt;expr&gt; = 0 then &lt;stmt&gt; else &lt;stmt&gt;</code>, with <code>&lt;expr&gt;</code> being (a+b) generated by the rule <code>&lt;expr&gt; + &lt;expr&gt;</code>, and <code>&lt;stmt&gt;</code> being the assignment statements “a := b” and “b := a” generated by the rule <code>&lt;var&gt; := &lt;expr&gt;</code>.</p></li>
</ol>
</blockquote>
</section>
<section id="question-10." class="level2" data-number="10">
<h2 data-number="10" class="anchored" data-anchor-id="question-10."><span class="header-section-number">10</span> Question 10.</h2>
<p>Motivate, for each string in the previous question above, why you made your selection (i.e.&nbsp;why the string is in the language if you selected it, or why it is not if you did not select it).</p>
<p>(ChatGPT already did that.)</p>
</section>
<section id="question-11." class="level2" data-number="11">
<h2 data-number="11" class="anchored" data-anchor-id="question-11."><span class="header-section-number">11</span> Question 11.</h2>
<p>Is the grammar given above ambiguous? Give a reasoned answer (i.e.&nbsp;not only “yes” or “no”, but also why and how you found out).</p>
<blockquote class="blockquote">
<p><strong>ChatGPT</strong>: Yes, the grammar given above is ambiguous.</p>
<p>Reasoning:</p>
<p>Ambiguity in a context-free grammar means that there exists at least one string in the language that can be generated by the grammar in more than one way. In the given grammar, the expression <code>&lt;expr&gt; + &lt;expr&gt;</code> can be associated with either left or right recursion, which leads to different interpretations of the same input. For example, the input string <code>"1 + 2 * 3"</code> can be parsed as either <code>"(1 + 2) * 3"</code> or <code>"1 + (2 * 3)"</code>, which have different values. This indicates that the grammar is ambiguous.</p>
<p>One way to demonstrate the ambiguity is by constructing a parse tree for an ambiguous string. For instance, consider the string <code>"1 + 2 * 3"</code>. It can be parsed in two different ways, resulting in two different parse trees:</p>
<pre><code>   +                    *
  / \                  / \
 1   *                +   3
    / \              / \
   2   3            1   2</code></pre>
<p>The left tree corresponds to the interpretation <code>"(1 + 2) * 3"</code>, while the right tree corresponds to the interpretation <code>"1 + (2 * 3)"</code>. Since the grammar allows both of these parse trees, it is ambiguous.</p>
</blockquote>
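<p>To check the four strings of Question 9 and the ambiguity claim of Question 11 mechanically, here is an added Python example (not part of the exam, nor of ChatGPT's answers) that counts how many derivations the grammar has for a given string: zero means the string is not in the language, two or more means the grammar is ambiguous for that string. Two assumptions are made, since the grammar does not say: whitespace separates tokens and is otherwise ignored, and <code>if</code>, <code>then</code> and <code>else</code> are reserved words rather than variables.</p>

```python
import re
from functools import lru_cache

# Added example (not from the exam or ChatGPT): a derivation counter for the
# grammar of Question 9. Assumptions: whitespace is insignificant and the
# words if/then/else are reserved, so they never count as a <var>.

KEYWORDS = {"if", "then", "else"}
# A token is :=, a single punctuation symbol, a digit run (<num>), a letter run
# (<var> or keyword), or any other non-space character, which the grammar lacks.
TOKEN_RE = re.compile(r"\s*(?:(:=|[(){}+*=;])|(\d+)|([a-zA-Z]+)|(\S))")


def tokenize(text):
    """Split text into (kind, text) pairs; kind 'bad' marks e.g. the '-' of string 3."""
    tokens = []
    for m in TOKEN_RE.finditer(text):
        sym, num, word, bad = m.groups()
        if sym is not None:
            tokens.append(("sym", sym))
        elif num is not None:
            tokens.append(("num", num))
        elif word is not None:
            tokens.append(("kw" if word in KEYWORDS else "var", word))
        else:
            tokens.append(("bad", bad))
    return tokens


def count_derivations(text, start="stmt"):
    """Number of distinct derivations of text from <stmt> (or <expr>)."""
    tokens = tokenize(text)
    n = len(tokens)

    def is_sym(k, s):
        return tokens[k] == ("sym", s)

    @lru_cache(maxsize=None)
    def expr(i, j):
        # <expr> ::= (<expr>) | <expr> + <expr> | <expr> * <expr> | <num> | <var>
        if j - i < 1:
            return 0
        if j - i == 1:
            return 1 if tokens[i][0] in ("num", "var") else 0
        total = 0
        if is_sym(i, "(") and is_sym(j - 1, ")"):
            total += expr(i + 1, j - 1)
        for k in range(i + 1, j - 1):          # every possible position of + or *
            if is_sym(k, "+") or is_sym(k, "*"):
                total += expr(i, k) * expr(k + 1, j)
        return total

    @lru_cache(maxsize=None)
    def stmt(i, j):
        # <stmt> ::= {<stmt>} | <var> := <expr>
        #          | if <expr> = 0 then <stmt> else <stmt> | <stmt>; <stmt>
        if j - i < 3:
            return 0
        total = 0
        if is_sym(i, "{") and is_sym(j - 1, "}"):
            total += stmt(i + 1, j - 1)
        if tokens[i][0] == "var" and is_sym(i + 1, ":="):
            total += expr(i + 2, j)
        if tokens[i] == ("kw", "if"):
            for k1 in range(i + 2, j - 2):      # position of "= 0 then"
                if (is_sym(k1, "=") and tokens[k1 + 1] == ("num", "0")
                        and tokens[k1 + 2] == ("kw", "then")):
                    for k2 in range(k1 + 4, j - 1):   # position of "else"
                        if tokens[k2] == ("kw", "else"):
                            total += (expr(i + 1, k1) * stmt(k1 + 3, k2)
                                      * stmt(k2 + 1, j))
        for k in range(i + 1, j - 1):          # every possible position of ;
            if is_sym(k, ";"):
                total += stmt(i, k) * stmt(k + 1, j)
        return total

    return (stmt if start == "stmt" else expr)(0, n)


def in_language(text):
    """True iff text is derivable from the start symbol <stmt>."""
    return count_derivations(text, "stmt") > 0


def shows_ambiguity(text, start="stmt"):
    """True iff the grammar has at least two distinct derivations of text."""
    return count_derivations(text, start) >= 2
```

Running <code>count_derivations("1 + 2 * 3", "expr")</code> returns 2, the two parse trees drawn above; the four exam strings can be checked with <code>in_language</code>.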
</section>
<section id="question-12." class="level2" data-number="12">
<h2 data-number="12" class="anchored" data-anchor-id="question-12."><span class="header-section-number">12</span> Question 12.</h2>
<p>Given the following context-free grammar of the (untyped) lambda calculus:</p>
<pre><code>&lt;expr&gt; ::= &lt;var&gt; | λ&lt;var&gt;&lt;expr&gt; | &lt;expr&gt;&lt;expr&gt;</code></pre>
<p>We use only single letter variables. Use the standard way of resolving ambiguity: application associates to the left, abstraction precedes application (that is, abstraction binds more strongly than application, or, in other words, abstraction has a higher precedence than application). Expressions can use parentheses for disambiguation (not shown in the grammar).</p>
<p>Draw the abstract syntax tree of the following lambda expressions (in black). Circle the free variable occurrences (in red). Show the binding of variables (in green).</p>
<ol type="1">
<li>xyz</li>
<li>λxxx</li>
<li>(λyxλx(yx))y</li>
</ol>
<blockquote class="blockquote">
<p><strong>ChatGPT</strong>: 1.</p>
<pre><code>     xyz
      |
    -----
   |     |
   x     y
        / \
       x   z</code></pre>
<p>Variable occurrences: x, y, z. All three are free.</p>
<p>Binding of variables: none.</p>
<p>2.</p>
<pre><code>      λxxx
        |
      -----
     |     |
     λ     x
          |
          x</code></pre>
<p>Variable occurrences: none.</p>
<p>Binding of variables: x is bound by the abstraction λxxx.</p>
<p>3.</p>
<pre><code>          λyx
            |
         --------
        |        |
        x     --------
             |        |
             y     -----
                   |     |
                   x     y
                   |
                   y</code></pre>
<p>Variable occurrences: y appears once as a free variable.</p>
<p>Binding of variables: x is bound by the first abstraction λx(yx), and y is bound by the second abstraction λyx.</p>
</blockquote>
</section>
<section id="question-13." class="level2" data-number="13">
<h2 data-number="13" class="anchored" data-anchor-id="question-13."><span class="header-section-number">13</span> Question 13.</h2>
<p>Explain the meaning (what kind of statement) and execution (what happens when statement is executed) of each statement of the following program with dynamic memory management:</p>
<pre><code>int *x = new(5);
int *z = null;
{
  int *y = new(6);
  z := y;
  delete z;
  *x := *y;
}</code></pre>
<blockquote class="blockquote">
<p><strong>ChatGPT</strong>: This is a program written in C++ with dynamic memory management. Here’s what each statement does:</p>
<ol type="1">
<li><p><code>int *x = new(5);</code>: This statement dynamically allocates memory for an integer array of size 5 and assigns the address of the first element to the variable <code>x</code>.</p></li>
<li><p><code>int *z = null;</code>: This statement initializes a pointer variable <code>z</code> to null.</p></li>
<li><p><code>{</code>: This is the beginning of a block statement.</p></li>
<li><p><code>int *y = new(6);</code>: This statement dynamically allocates memory for an integer array of size 6 and assigns the address of the first element to the variable <code>y</code>.</p></li>
<li><p><code>z := y;</code>: This statement assigns the value of <code>y</code> to <code>z</code>, so <code>z</code> now points to the same memory location as <code>y</code>.</p></li>
<li><p><code>delete z;</code>: This statement deallocates the memory that <code>z</code> points to, which is the memory that <code>y</code> also points to. This means that the memory for the integer array of size 6 that was allocated on the heap is now freed.</p></li>
<li><p><code>*x := *y;</code>: This statement copies the value of the first element of the integer array that <code>y</code> points to, which is also the value of the first element of the integer array that <code>x</code> points to. This means that the value of <code>x</code> is now equal to the value of <code>y</code>.</p></li>
</ol>
<p>The execution of this program involves allocating and deallocating memory on the heap and copying values between memory locations. When the program runs, it first allocates memory for the integer array of size 5 and assigns its address to <code>x</code>. Then it initializes <code>z</code> to null. Inside the block statement, it allocates memory for the integer array of size 6 and assigns its address to <code>y</code>. It then assigns the value of <code>y</code> to <code>z</code>, so <code>z</code> points to the same memory location as <code>y</code>. It then deallocates the memory that <code>z</code> points to, which also frees the memory that <code>y</code> points to. Finally, it copies the value of the first element of the integer array that <code>y</code> points to, which is also the value of the first element of the integer array that <code>x</code> points to. After the block statement, the memory for the integer array of size 5 is still allocated and assigned to <code>x</code>, while the memory for the integer array of size 6 that was allocated inside the block statement has been deallocated.</p>
</blockquote>
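<p>As an added example (not the article's code), here is a small Python model of a heap of numbered cells that executes the statements of the program above. It assumes that <code>new(e)</code> allocates one fresh cell holding <code>e</code> and returns its address, that <code>delete</code> frees a cell, and that <code>*p</code> accesses the cell at <code>p</code>; an access through a pointer to a freed cell is reported instead of silently returning stale data, which is exactly what happens at <code>*x := *y</code> after <code>delete z</code>.</p>

```python
# Added example (not the article's code): a model that executes the statements
# of Question 13 on a heap of numbered cells.  Assumption: new(e) allocates one
# fresh cell holding e and returns its address, delete frees a cell, and *p
# accesses the cell at p.  Access through a pointer to a freed cell is reported.

class Heap:
    def __init__(self):
        self.cells = {}        # address -> value of every live cell
        self.freed = set()     # addresses that have been deleted
        self.next_addr = 1

    def new(self, value):
        addr, self.next_addr = self.next_addr, self.next_addr + 1
        self.cells[addr] = value
        return addr

    def delete(self, addr):
        if addr not in self.cells:
            raise RuntimeError("delete of address %r that is not allocated" % (addr,))
        del self.cells[addr]
        self.freed.add(addr)

    def read(self, addr):
        self._check(addr, "read")
        return self.cells[addr]

    def write(self, addr, value):
        self._check(addr, "write")
        self.cells[addr] = value

    def _check(self, addr, what):
        if addr in self.freed:
            raise RuntimeError("%s through dangling pointer to freed cell %d" % (what, addr))
        if addr not in self.cells:
            raise RuntimeError("%s through invalid pointer %r" % (what, addr))

def run_question_13():
    """Run the program; return (heap, env, error) with error None if it completed."""
    h, env = Heap(), {}
    try:
        env['x'] = h.new(5)             # int *x = new(5);  x -> fresh cell holding 5
        env['z'] = None                 # int *z = null;
        env['y'] = h.new(6)             # int *y = new(6);  y -> fresh cell holding 6
        env['z'] = env['y']             # z := y;           z and y alias one cell
        h.delete(env['z'])              # delete z;         the cell is freed, y dangles
        h.write(env['x'], h.read(env['y']))   # *x := *y;   reads the freed cell
    except RuntimeError as e:
        return h, env, str(e)
    return h, env, None
```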
</section>
<section id="question-14." class="level2" data-number="14">
<h2 data-number="14" class="anchored" data-anchor-id="question-14."><span class="header-section-number">14</span> Question 14.</h2>
<p>Consider the following two programs (on the left and right) that are executed concurrently (x and y are shared integer variables):</p>
<pre><code>x := 5;                       y := 3;
y := 2;                       x := 2;
if (x &lt; 5) {                  x := x - y;
  y := 4                      y := y + 6;
}                             print x
x := x + y;</code></pre>
<p>Give five different executions of the program, i.e.&nbsp;five executions that each prints a different value. The result (of the five executions) alone is not sufficient. Please also describe, for each execution, what happened/how you obtained the result.</p>
<blockquote class="blockquote">
<p><strong>ChatGPT</strong>: Here are five possible executions:</p>
<p>Execution 1:<br>
Thread 1: x := 5;<br>
Thread 2: y := 3;<br>
Thread 2: x := 2;<br>
Thread 1: y := 4;<br>
Thread 1: if (x &lt; 5) { // Condition is false, skip if statement<br>
Thread 1: x := x + y;<br>
Thread 2: x := x - y; // x = 2 - 3 = -1<br>
Thread 2: y := y + 6; // y = 3 + 6 = 9<br>
Thread 1: print x; // x = 9</p>
<p>Execution 2:<br>
Thread 1: x := 5;<br>
Thread 2: y := 3;<br>
Thread 2: x := 2;<br>
Thread 1: y := 4;<br>
Thread 1: if (x &lt; 5) { // Condition is false, skip if statement<br>
Thread 2: y := y + 6; // y = 3 + 6 = 9<br>
Thread 2: x := x - y; // x = 2 - 9 = -7<br>
Thread 1: x := x + y; // x = 5 + 4 = 9<br>
Thread 1: print x; // x = 9</p>
<p>Execution 3:<br>
Thread 1: x := 5;<br>
Thread 2: y := 3;<br>
Thread 2: x := 2;<br>
Thread 1: y := 4;<br>
Thread 1: if (x &lt; 5) { // Condition is false, skip if statement<br>
Thread 2: y := y + 6; // y = 3 + 6 = 9<br>
Thread 2: x := x - y; // x = 2 - 9 = -7<br>
Thread 1: x := x + y; // x = 5 + 4 = 9<br>
Thread 2: print x; // x = -7</p>
<p>Execution 4:<br>
Thread 1: x := 5;<br>
Thread 2: y := 3;<br>
Thread 2: x := 2;<br>
Thread 1: y := 4;<br>
Thread 1: if (x &lt; 5) { // Condition is false, skip if statement<br>
Thread 2: y := y + 6; // y = 3 + 6 = 9<br>
Thread 1: x := x + y; // x = 5 + 4 = 9<br>
Thread 2: x := x - y; // x = 2 - 9 = -7<br>
Thread 1: print x; // x = 9</p>
<p>Execution 5:<br>
Thread 1: x := 5;<br>
Thread 2: y := 3;<br>
Thread 2: x := 2;<br>
Thread 1: y := 4;<br>
Thread 1: if (x &lt; 5) { // Condition is false, skip if statement<br>
Thread 2: y := y + 6; // y = 3 + 6 = 9<br>
Thread 1: x := x + y; // x = 5 + 4 = 9<br>
Thread 2: print x; // x = -7</p>
<p>In general, the value printed depends on the order in which the threads execute their statements and whether the if statement is executed or skipped. In each execution, we simulate the interleaving</p>
</blockquote>
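<p>As an added example (not part of the original article or of the answer above), the following Python code enumerates every interleaving of the two programs and records, for each value that <code>print x</code> can produce, one interleaving that produces it, so every printed value comes with the sequence of steps that leads to it. It assumes that each assignment, the if-test and the print are atomic steps and that <code>x</code> and <code>y</code> start at 0 (the initial values never reach the printed result, since <code>x := 2</code> always precedes the print).</p>

```python
# Added example (not the article's code): enumerate every interleaving of the
# two programs of Question 14 and keep, for each value that "print x" can print,
# one interleaving that produces it.  Assumption: each assignment, the if-test
# and the print are atomic steps; x and y start at 0 (never reaches the result).

# A statement is (label, kind, ...): ('asg', var, f) with f mapping the state
# to the new value, ('if', cond, body) with body a statement list, or ('print', var).
T1 = [("x := 5", 'asg', 'x', lambda s: 5),
      ("y := 2", 'asg', 'y', lambda s: 2),
      ("if (x < 5)", 'if', lambda s: s['x'] < 5,
           [("y := 4", 'asg', 'y', lambda s: 4)]),
      ("x := x + y", 'asg', 'x', lambda s: s['x'] + s['y'])]
T2 = [("y := 3", 'asg', 'y', lambda s: 3),
      ("x := 2", 'asg', 'x', lambda s: 2),
      ("x := x - y", 'asg', 'x', lambda s: s['x'] - s['y']),
      ("y := y + 6", 'asg', 'y', lambda s: s['y'] + 6),
      ("print x", 'print', 'x')]

def step(state, prog):
    """Run the first statement of prog atomically: (new state, rest, printed)."""
    _label, kind, *rest = prog[0]
    tail = prog[1:]
    if kind == 'asg':
        var, f = rest
        return dict(state, **{var: f(state)}), tail, None
    if kind == 'if':
        cond, body = rest
        return state, (body + tail if cond(state) else tail), None
    return state, tail, state[rest[0]]

def executions(state, progs, trace=(), printed=()):
    """Yield (printed values, trace of steps) for every interleaving of progs."""
    if not any(progs):
        yield printed, trace
        return
    for i, prog in enumerate(progs):
        if prog:
            state2, tail, out = step(state, prog)
            progs2 = progs[:i] + [tail] + progs[i + 1:]
            label = "Thread %d: %s" % (i + 1, prog[0][0])
            yield from executions(state2, progs2, trace + (label,),
                                  printed if out is None else printed + (out,))

def possible_prints():
    """Map each value print x can produce to one interleaving that produces it."""
    witnesses = {}
    for printed, trace in executions({'x': 0, 'y': 0}, [T1, T2]):
        witnesses.setdefault(printed[0], trace)
    return witnesses
```

Printing <code>possible_prints()</code> gives well over five distinct values, each with a step-by-step trace of the kind the question asks for.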
</section>
<section id="conclusion" class="level2" data-number="15">
<h2 data-number="15" class="anchored" data-anchor-id="conclusion"><span class="header-section-number">15</span> Conclusion</h2>
<p>(Note that I have removed some questions which are hard to give as input to ChatGPT textually.)</p>
<p>Decide for yourself what you think of the answers. I am impressed: the answers generated by ChatGPT seem closely related to the questions and make sense grammatically. However, a closer look at the answers reveals that the chat bot is not able to give reasonably correct answers to all questions.</p>
</section>


<div id="quarto-appendix" class="default"><section id="acknowledgments" class="level2 appendix unnumbered"><h2 class="anchored quarto-appendix-heading">Acknowledgments</h2><div class="quarto-appendix-contents">

<p>Cover image credit: <a href="https://unsplash.com/@siva_photography">Levart Photographer</a></p>


</div></section><section class="quarto-appendix-contents" id="quarto-citation"><h2 class="anchored quarto-appendix-heading">Citation</h2><div><div class="quarto-appendix-secondary-label">BibTeX citation:</div><pre class="sourceCode code-with-copy quarto-appendix-bibtex"><code class="sourceCode bibtex">@article{hiep2023,
  author = {Hiep, Hans-Dieter A.},
  title = {Can {ChatGPT} Do an Exam?},
  journal = {dr. heap},
  volume = {1},
  number = {1},
  date = {2023-02-23},
  url = {https://www.drheap.nl/articles/2023/can-chatgpt-do-an-exam/},
  doi = {10.59350/tyv9n-sw306},
  issn = {3050-5224},
  langid = {en}
}
</code></pre><div class="quarto-appendix-secondary-label">For attribution, please cite this work as:</div><div id="ref-hiep2023" class="csl-entry quarto-appendix-citeas">
<div class="">Hans-Dieter A. Hiep. Can ChatGPT do an exam?
<em>dr. heap</em> volume 1, issue 1 (February 2023). <a href="https://doi.org/10.59350/tyv9n-sw306">https://doi.org/10.59350/tyv9n-sw306</a></div>
</div></div></section></div> ]]></description>
  <category>Teaching</category>
  <category>Artificial Intelligence</category>
  <guid>https://www.drheap.nl/articles/2023/can-chatgpt-do-an-exam/</guid>
  <pubDate>Wed, 22 Feb 2023 23:00:00 GMT</pubDate>
  <media:content url="https://www.drheap.nl/articles/2023/can-chatgpt-do-an-exam/cover-min.jpg" medium="image" type="image/jpeg"/>
</item>
</channel>
</rss>
