INHERENT LIMITATIONS OF COMPUTER PROGRAMS CSci 4011

UN DECIDABILITY A language is a set of strings. It is a mathematical way of expressing a problem: given an input, is it in the set L? If a language is decidable, there is a computer program (TM) that can always solve the problem correctly – it terminates and has the right answer. If a language is undecidable, then no matter how smart you are, and no matter how long you give it, you cannot program a computer to always solve the problem correctly.

UNDECIDABLE PROBLEMS D TM = { 〈 M 〉 | M is a TM that does not accept 〈 M 〉 } Theorem. D TM is undecidable. Proof. Suppose machine N decides D TM. Then N accepts 〈 N 〉 ⇔ 〈 N 〉  D TM ⇔ N does not accept 〈 N 〉 A TM = { 〈 M,w 〉 : M is a TM that accepts on input w } Theorem. If A TM is decidable, so is D TM. Proof. If ¬A TM is decided by the program nAccept we can decide D TM by calling nAccept(M, 〈 M 〉 ). Theorem. If HALT TM is decidable, then so is A TM. HALT TM = { 〈 M,w 〉 : M is a TM that halts on input w }

In most cases, we will show that a language is undecidable by showing that if it is decidable, then so is A TM We reduce deciding A TM to deciding the language in question

MAPPING REDUCTIONS ƒ : Σ*  Σ* is a computable function if there is a TM that on input w, halts with ƒ(w) on its tape A  m B if there is a computable ƒ, such that w  A  ƒ(w)  B ƒ is called a reduction from A to B

Theorem: If A ≤ m B and A is undecidable, then B is undecidable Proof: Suppose, for contradiction, that BSolver decides B and let ƒ be a reduction from A to B. Then there is a program ASolver that decides A: ASolver(w): 1. Let s = ƒ(w) 2. Return BSolver(s) Since A is undecidable the program BSolver must not exist. Thus B is undecidable.

0 → 0, R  → , R q accept q reject 0 → 0, R  → , R q0q0 q1q1 0q10q1 q00q00 0q rej q10q10  q rej q0q0 q1q1  q acc 0 0   # # # #q 0 0# # ## q acc  q acc q acc 0q acc q acc q acc  q acc q acc 0 # #q 0 0#0q10q1 q00q00# ## 0 0 q1q1  q acc # # 0 0q acc  q acc # q acc ## # #q acc 0q acc # #

MORE UNDECIDABLE PROBLEMS Many “problems about programs” are undecidable: “Does this applet open a network connection?” “Find all buffer overflows in this program.” “Find all unused methods in this applet.” “Find all memory leaks in this program.” “Do these programs always have the same output?” “Does this function always return the same answer?”

TOOLS package cs4011.tm; public class TuringMachine { public TuringMachine(String TM, String Input); public void run(); public boolean accepted(); … /* turing_machine.h – TM emulator in C */ #define ACCEPT 1 #define REJECT 0 /* runTM – simulate the TM with description m * on input string w. Return ACCEPT or REJECT */ int runTM(char *M, char *w);

NET = { J | J is a java applet that opens a network connection } Theorem. A TM ≤ m NET. Proof. On input 〈 M,w 〉, output the Java applet: import cs4011.tm.TuringMachine; import java.net.*; public class OutputApplet extends Applet { public void start() { TuringMachine TM = new TuringMachine(“M”, “w”); TM.run(); if (TM.accepted()) { // open a network connection URL url = new URL(“ Object o = url.getContent(); }

import cs4011.tm.TuringMachine; import java.net.*; public class OutputApplet extends Applet { public void start() { TuringMachine TM = new TuringMachine(“M”, “w”); TM.run(); if (TM.accepted()) { // open a network connection URL url = new URL(“ Object o = url.getContent(); } If M accepts w: OutputApplet opens url. If M loops on w: OutputApplet never gets to url. If M rejects w: OutputApplet skips if {… } block. In both cases, OutputApplet ∉ NET. Thus OutputApplet ∈ NET.

What’s wrong with this reduction? On input 〈 M,w 〉 : Run M on w. if M accepts, output: public class OutputApplet extends Applet { public void start() { URL url = new URL(“ Object o = url.getContent(); } else output: public class OutputApplet extends Applet { public void start() { return; }

CONST= { J | J is a Java program that prints the same string for every input } Theorem. A TM ≤ m CONST. Proof. On input 〈 M,w 〉, output the Java program: import cs4011.tm.TuringMachine; public class MightBeConstProgram { public static void main(String[] args) { if (args.length == 1 && args[0].equals(“Y”)) { System.out.print(“Y”); return; } TuringMachine TM = new TuringMachine(“M”, “w”); TM.run(); if (TM.accepted()) System.out.print(“Y”); else System.out.print(args[0]); }

ALLUSED = { J | J is a java applet with no unused methods} Theorem. A TM ≤ m ALLUSED. Proof. On input 〈 M,w 〉, output the Java applet: import cs4011.tm.TuringMachine; public class AllMethodsApplet extends Applet { public void unusedMethod() { int x = 0; return; } public void start() { TuringMachine TM = new TuringMachine(“M”, “w”); TM.run(); if (TM.accepted()) { this.unusedMethod(); }

SAME = { 〈 J 1,J 2 〉 | J 1 and J 2 are java programs that have the same output for all inputs.} Theorem. ¬A TM ≤ m SAME. Proof. On input 〈 M,w 〉, output the Java programs: import cs4011.tm.TuringMachine; public class J1 { public static void main(String[] args) { TuringMachine TM = new TuringMachine(“M”, “w”); TM.run(); if (TM.accepted()) System.out.print(“Y”); } import cs4011.tm.TuringMachine; public class J2 { public static void main(String[] args) { TuringMachine TM = new TuringMachine(“M”, “w”); TM.run(); if (TM.accepted()) System.out.print(“N”); }

OFLOW = { P | P is a C program with an exploitable buffer overflow } Theorem. A TM ≤ OFLOW. Proof. On input 〈 M,w 〉, output the C program: #include int main(int argc, char **argv) { int i; char buf[1024]; for(i = 0; i < 2048 && runTM(“M”,“w”); i++) { buf[i] = fgetc(stdin); } return 0; }

MLEAK = { P | P is a C program with a memory leak} Theorem. A TM ≤ MLEAK. Proof. On input 〈 M,w 〉, output the C program: #include int main(int argc, char **argv) { char *buf = NULL; buf = malloc(1<<30); if (runTM(“M”,”w”)) { buf = malloc(512); } if (buf != NULL) free(buf); return 0; }