Aiming Low is Harder Induction for Lower Bounds in Probabilistic - - PowerPoint PPT Presentation

Aiming Low is Harder

Induction for Lower Bounds in Probabilistic Program Verification Marcel Hark Benjamin Kaminski Jürgen Giesl Joost-Pieter Katoen

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 1

Motivation Setting the stage

• Expected outcome of probabilistic programs P w.r.t. expectation f : Σ → R∞

≥0.

Expectation ↔ Random Variable. → Weakest preexpectation of f : wp P (f ) : Σ → R∞

≥0 (total correctness).

→ Quantitative version of Dijkstra’s wp-calculus: [Kozen 81, McIver,Morgan 96]. → Bottleneck: wp while ( ϕ ) { C } (f ) (loop invariants).

f = [x = 10]: wp P (f ) Probability that x is 10 after termination. f = x2 + y2: wp P (f ) Expected outcome of x2 + y2 after termination.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 2

Motivation Setting the stage

• Expected outcome of probabilistic programs P w.r.t. expectation f : Σ → R∞

≥0.

Expectation ↔ Random Variable. → Weakest preexpectation of f : wp P (f ) : Σ → R∞

≥0 (total correctness).

→ Quantitative version of Dijkstra’s wp-calculus: [Kozen 81, McIver,Morgan 96]. → Bottleneck: wp while ( ϕ ) { C } (f ) (loop invariants).

f = [x = 10]: wp P (f ) Probability that x is 10 after termination. f = x2 + y2: wp P (f ) Expected outcome of x2 + y2 after termination.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 2

Motivation Setting the stage

• Expected outcome of probabilistic programs P w.r.t. expectation f : Σ → R∞

≥0.

Expectation ↔ Random Variable. → Weakest preexpectation of f : wp P (f ) : Σ → R∞

≥0 (total correctness).

→ Quantitative version of Dijkstra’s wp-calculus: [Kozen 81, McIver,Morgan 96]. → Bottleneck: wp while ( ϕ ) { C } (f ) (loop invariants).

f = [x = 10]: wp P (f ) Probability that x is 10 after termination. f = x2 + y2: wp P (f ) Expected outcome of x2 + y2 after termination.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 2

Motivation Setting the stage

• Expected outcome of probabilistic programs P w.r.t. expectation f : Σ → R∞

≥0.

Expectation ↔ Random Variable. → Weakest preexpectation of f : wp P (f ) : Σ → R∞

≥0 (total correctness).

→ Quantitative version of Dijkstra’s wp-calculus: [Kozen 81, McIver,Morgan 96]. → Bottleneck: wp while ( ϕ ) { C } (f ) (loop invariants).

s

• ...

f (τ1) f (τ2) f (τ3)

wp P (f ) (s) =Exp

• P

f = [x = 10]: wp P (f ) Probability that x is 10 after termination. f = x2 + y2: wp P (f ) Expected outcome of x2 + y2 after termination.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 2

Motivation Setting the stage

• Expected outcome of probabilistic programs P w.r.t. expectation f : Σ → R∞

≥0.

Expectation ↔ Random Variable. → Weakest preexpectation of f : wp P (f ) : Σ → R∞

≥0 (total correctness).

→ Quantitative version of Dijkstra’s wp-calculus: [Kozen 81, McIver,Morgan 96]. → Bottleneck: wp while ( ϕ ) { C } (f ) (loop invariants).

s

• ...

f (τ1) f (τ2) f (τ3)

wp P (f ) (s) =Exp

• P

f = [x = 10]: wp P (f ) Probability that x is 10 after termination. f = x2 + y2: wp P (f ) Expected outcome of x2 + y2 after termination.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 2

Motivation Setting the stage

• Expected outcome of probabilistic programs P w.r.t. expectation f : Σ → R∞

≥0.

Expectation ↔ Random Variable. → Weakest preexpectation of f : wp P (f ) : Σ → R∞

≥0 (total correctness).

→ Quantitative version of Dijkstra’s wp-calculus: [Kozen 81, McIver,Morgan 96]. → Bottleneck: wp while ( ϕ ) { C } (f ) (loop invariants).

s

• ...

f (τ1) f (τ2) f (τ3)

wp P (f ) (s) =Exp

• P

f = [x = 10]: wp P (f ) Probability that x is 10 after termination. f = x2 + y2: wp P (f ) Expected outcome of x2 + y2 after termination.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 2

Motivation Setting the stage

• Expected outcome of probabilistic programs P w.r.t. expectation f : Σ → R∞

≥0.

Expectation ↔ Random Variable. → Weakest preexpectation of f : wp P (f ) : Σ → R∞

≥0 (total correctness).

→ Quantitative version of Dijkstra’s wp-calculus: [Kozen 81, McIver,Morgan 96]. → Bottleneck: wp while ( ϕ ) { C } (f ) (loop invariants).

s

• ...

f (τ1) f (τ2) f (τ3)

wp P (f ) (s) =Exp

• P

f = [x = 10]: wp P (f ) Probability that x is 10 after termination. f = x2 + y2: wp P (f ) Expected outcome of x2 + y2 after termination.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 2

Motivation Setting the stage

• Expected outcome of probabilistic programs P w.r.t. expectation f : Σ → R∞

≥0.

Expectation ↔ Random Variable. → Weakest preexpectation of f : wp P (f ) : Σ → R∞

≥0 (total correctness).

→ Quantitative version of Dijkstra’s wp-calculus: [Kozen 81, McIver,Morgan 96]. → Bottleneck: wp while ( ϕ ) { C } (f ) (loop invariants).

s

• ...

f (τ1) f (τ2) f (τ3)

wp P (f ) (s) =Exp

• P

f = [x = 10]: wp P (f ) Probability that x is 10 after termination. f = x2 + y2: wp P (f ) Expected outcome of x2 + y2 after termination.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 2

Motivation Setting the stage

• Expected outcome of probabilistic programs P w.r.t. expectation f : Σ → R∞

≥0.

Expectation ↔ Random Variable. → Weakest preexpectation of f : wp P (f ) : Σ → R∞

≥0 (total correctness).

→ Quantitative version of Dijkstra’s wp-calculus: [Kozen 81, McIver,Morgan 96]. → Bottleneck: wp while ( ϕ ) { C } (f ) (loop invariants).

s

• ...

f (τ1) f (τ2) f (τ3)

wp P (f ) (s) =Exp

• P

f = [x = 10]: wp P (f ) Probability that x is 10 after termination. f = x2 + y2: wp P (f ) Expected outcome of x2 + y2 after termination.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 2

Motivation Setting the stage

• Expected outcome of probabilistic programs P w.r.t. expectation f : Σ → R∞

≥0.

Expectation ↔ Random Variable. → Weakest preexpectation of f : wp P (f ) : Σ → R∞

≥0 (total correctness).

→ Quantitative version of Dijkstra’s wp-calculus: [Kozen 81, McIver,Morgan 96]. → Bottleneck: wp while ( ϕ ) { C } (f ) (loop invariants).

s

• ...

f (τ1) f (τ2) f (τ3)

wp P (f ) (s) =Exp

• P

f = [x = 10]: wp P (f ) Probability that x is 10 after termination. f = x2 + y2: wp P (f ) Expected outcome of x2 + y2 after termination.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 2

Motivation Setting the stage

• Expected outcome of probabilistic programs P w.r.t. expectation f : Σ → R∞

≥0.

Expectation ↔ Random Variable. → Weakest preexpectation of f : wp P (f ) : Σ → R∞

≥0 (total correctness).

→ Quantitative version of Dijkstra’s wp-calculus: [Kozen 81, McIver,Morgan 96]. → Bottleneck: wp while ( ϕ ) { C } (f ) (loop invariants).

s

• ...

f (τ1) f (τ2) f (τ3)

wp P (f ) (s) =Exp

• P

f = [x = 10]: wp P (f ) Probability that x is 10 after termination. f = x2 + y2: wp P (f ) Expected outcome of x2 + y2 after termination.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 2

Motivation Setting the stage

• Expected outcome of probabilistic programs P w.r.t. expectation f : Σ → R∞

≥0.

Expectation ↔ Random Variable. → Weakest preexpectation of f : wp P (f ) : Σ → R∞

≥0 (total correctness).

→ Quantitative version of Dijkstra’s wp-calculus: [Kozen 81, McIver,Morgan 96]. → Bottleneck: wp while ( ϕ ) { C } (f ) (loop invariants).

s

• ...

f (τ1) f (τ2) f (τ3)

wp P (f ) (s) =Exp

• P

f = [x = 10]: wp P (f ) Probability that x is 10 after termination. f = x2 + y2: wp P (f ) Expected outcome of x2 + y2 after termination.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 2

Motivation Setting the stage while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

} lfp Φf

lfp λE. [a = 1] · f + [a = 1] · 1

2 · (E[a/0] + E[x/x + 1])

• f

x

lfp λE. [a = 1] · x + [a = 1] · 1

2 · (E[a/0] + E[x/x + 1])

• → Initial value of x is unknown.
• lfp Φx = limn→ω Φn

x(0) (incomputable).

→ We need bounds on least fixed points.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 3

Motivation Setting the stage while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

} lfp Φf

lfp λE. [a = 1] · f + [a = 1] · 1

2 · (E[a/0] + E[x/x + 1])

• f

x

lfp λE. [a = 1] · x + [a = 1] · 1

2 · (E[a/0] + E[x/x + 1])

• → Initial value of x is unknown.
• lfp Φx = limn→ω Φn

x(0) (incomputable).

→ We need bounds on least fixed points.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 3

Motivation Setting the stage while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

} lfp Φf

lfp λE. [a = 1] · f + [a = 1] · 1

2 · (E[a/0] + E[x/x + 1])

• f

x

lfp λE. [a = 1] · x + [a = 1] · 1

2 · (E[a/0] + E[x/x + 1])

• → Initial value of x is unknown.
• lfp Φx = limn→ω Φn

x(0) (incomputable).

→ We need bounds on least fixed points.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 3

Motivation Setting the stage while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

} lfp Φf

lfp λE. [a = 1] · f + [a = 1] · 1

2 · (E[a/0] + E[x/x + 1])

• f

x

lfp λE. [a = 1] · x + [a = 1] · 1

2 · (E[a/0] + E[x/x + 1])

• → Initial value of x is unknown.
• lfp Φx = limn→ω Φn

x(0) (incomputable).

→ We need bounds on least fixed points.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 3

Motivation Setting the stage while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

} lfp Φf

lfp λE. [a = 1] · f + [a = 1] · 1

2 · (E[a/0] + E[x/x + 1])

• f

x

lfp λE. [a = 1] · x + [a = 1] · 1

2 · (E[a/0] + E[x/x + 1])

• → Initial value of x is unknown.
• lfp Φx = limn→ω Φn

x(0) (incomputable).

→ We need bounds on least fixed points.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 3

Motivation Setting the stage while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

} lfp Φf

lfp λE. [a = 1] · f + [a = 1] · 1

2 · (E[a/0] + E[x/x + 1])

• f

x

lfp λE. [a = 1] · x + [a = 1] · 1

2 · (E[a/0] + E[x/x + 1])

• → Initial value of x is unknown.
• lfp Φx = limn→ω Φn

x(0) (incomputable).

→ We need bounds on least fixed points.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 3

Motivation Setting the stage while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

} lfp Φf

lfp λE. [a = 1] · f + [a = 1] · 1

2 · (E[a/0] + E[x/x + 1])

• f

x

lfp λE. [a = 1] · x + [a = 1] · 1

2 · (E[a/0] + E[x/x + 1])

• → Initial value of x is unknown.
• lfp Φx = limn→ω Φn

x(0) (incomputable).

→ We need bounds on least fixed points.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 3

Motivation Setting the stage while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

} lfp Φf

lfp λE. [a = 1] · f + [a = 1] · 1

2 · (E[a/0] + E[x/x + 1])

• f

x

lfp λE. [a = 1] · x + [a = 1] · 1

2 · (E[a/0] + E[x/x + 1])

• → Initial value of x is unknown.
• lfp Φx = limn→ω Φn

x(0) (incomputable).

→ We need bounds on least fixed points.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 3

Motivation Setting the stage while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

} lfp Φf

lfp λE. [a = 1] · f + [a = 1] · 1

2 · (E[a/0] + E[x/x + 1])

• f

x

lfp λE. [a = 1] · x + [a = 1] · 1

2 · (E[a/0] + E[x/x + 1])

• → Initial value of x is unknown.
• lfp Φx = limn→ω Φn

x(0) (incomputable).

→ We need bounds on least fixed points.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 3

Motivation Setting the stage while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

} lfp Φf

lfp λE. [a = 1] · f + [a = 1] · 1

2 · (E[a/0] + E[x/x + 1])

• f

x

lfp λE. [a = 1] · x + [a = 1] · 1

2 · (E[a/0] + E[x/x + 1])

• → Initial value of x is unknown.
• lfp Φx = limn→ω Φn

x(0) (incomputable).

→ We need bounds on least fixed points.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 3

Motivation Setting the stage while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

} lfp Φf

lfp λE. [a = 1] · f + [a = 1] · 1

2 · (E[a/0] + E[x/x + 1])

• f

x

lfp λE. [a = 1] · x + [a = 1] · 1

2 · (E[a/0] + E[x/x + 1])

• → Initial value of x is unknown.
• lfp Φx = limn→ω Φn

x(0) (incomputable).

→ We need bounds on least fixed points.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 3

Motivation Outline Motivation Upper Bounds [Park] Lower Bounds Conclusion

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 4

Upper Bounds [Park] Outline Motivation Upper Bounds [Park] Lower Bounds Conclusion

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 5

Upper Bounds [Park] Park Induction while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

} Φx(E) = [a = 1] · x + [a = 1] · 1

2 · (E [a/0] + E [x/x + 1])

E ≥ Φx(E)

= ⇒

E ≥ lfp Φx (Superinvariant). E

:= x + [a = 1] (Intuitive guess) Φx(E) = E → E is an upper bound on lfp Φx.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 6

Upper Bounds [Park] Park Induction while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

} Φx(E) = [a = 1] · x + [a = 1] · 1

2 · (E [a/0] + E [x/x + 1])

E ≥ Φx(E)

= ⇒

E ≥ lfp Φx (Superinvariant). E

:= x + [a = 1] (Intuitive guess) Φx(E) = E → E is an upper bound on lfp Φx.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 6

Upper Bounds [Park] Park Induction while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

} Φx(E) = [a = 1] · x + [a = 1] · 1

2 · (E [a/0] + E [x/x + 1])

E ≥ Φx(E)

= ⇒

E ≥ lfp Φx (Superinvariant). E

:= x + [a = 1] (Intuitive guess) Φx(E) = E → E is an upper bound on lfp Φx.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 6

Upper Bounds [Park] Park Induction while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

} Φx(E) = [a = 1] · x + [a = 1] · 1

2 · (E [a/0] + E [x/x + 1])

E ≥ Φx(E)

= ⇒

E ≥ lfp Φx (Superinvariant). E

:= x + [a = 1] (Intuitive guess) Φx(E) = E → E is an upper bound on lfp Φx.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 6

Upper Bounds [Park] Park Induction while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

} Φx(E) = [a = 1] · x + [a = 1] · 1

2 · (E [a/0] + E [x/x + 1])

E ≥ Φx(E)

= ⇒

E ≥ lfp Φx (Superinvariant). E

:= x + [a = 1] (Intuitive guess) Φx(E) = E → E is an upper bound on lfp Φx.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 6

Upper Bounds [Park] Park Induction while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

} Φx(E) = [a = 1] · x + [a = 1] · 1

2 · (E [a/0] + E [x/x + 1])

E ≥ Φx(E)

= ⇒

E ≥ lfp Φx (Superinvariant). E

:= x + [a = 1] (Intuitive guess) Φx(E) = E → E is an upper bound on lfp Φx.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 6

Upper Bounds [Park] Upper Bounds

• Rule for upper bounds Φf (E) ≥ E is simple.

(Inductive)

• Not a surprise, bound a least fixed point from above.

→ Enough to bound any fixed point from above.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 7

Upper Bounds [Park] Upper Bounds

• Rule for upper bounds Φf (E) ≥ E is simple.

(Inductive)

• Not a surprise, bound a least fixed point from above.

→ Enough to bound any fixed point from above.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 7

Upper Bounds [Park] Upper Bounds

• Rule for upper bounds Φf (E) ≥ E is simple.

(Inductive)

• Not a surprise, bound a least fixed point from above.

→ Enough to bound any fixed point from above.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 7

Upper Bounds [Park] Upper Bounds

• Rule for upper bounds Φf (E) ≥ E is simple.

(Inductive)

• Not a surprise, bound a least fixed point from above.

→ Enough to bound any fixed point from above.

E

Φx(E) lfp Φx

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 7

Upper Bounds [Park] Upper Bounds

• Rule for upper bounds Φf (E) ≥ E is simple.

(Inductive)

• Not a surprise, bound a least fixed point from above.

→ Enough to bound any fixed point from above.

E

Φ2

x(E)

lfp Φx

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 7

Upper Bounds [Park] Upper Bounds

• Rule for upper bounds Φf (E) ≥ E is simple.

(Inductive)

• Not a surprise, bound a least fixed point from above.

→ Enough to bound any fixed point from above.

E

Φω

x (E)

lfp Φx

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 7

Upper Bounds [Park] Upper Bounds

• Rule for upper bounds Φf (E) ≥ E is simple.

(Inductive)

• Not a surprise, bound a least fixed point from above.

→ Enough to bound any fixed point from above.

E

Φω

x (E)

lfp Φx

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 7

Upper Bounds [Park] Upper Bounds

• Rule for upper bounds Φf (E) ≥ E is simple.

(Inductive)

• Not a surprise, bound a least fixed point from above.

→ Enough to bound any fixed point from above.

E

Φω

x (E)

lfp Φx

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 7

Upper Bounds [Park] Upper Bounds

No information on quality of the bound. → We also need lower bounds.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 8

Upper Bounds [Park] Upper Bounds

No information on quality of the bound. → We also need lower bounds.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 8

Upper Bounds [Park] Upper Bounds

No information on quality of the bound. → We also need lower bounds.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 8

Lower Bounds Outline Motivation Upper Bounds [Park] Lower Bounds Conclusion

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 9

Lower Bounds Subinvariants

E ≥ Φx(E)

= ⇒

E ≥ lfp Φx (Superinvariant). E ≤ Φx(E)

= ⇒

E ≤ lfp Φx (Subinvariant) ???.

Not absurd: Sound for deterministic programs. [Frohn et al. 16]

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 10

Lower Bounds Subinvariants

E ≥ Φx(E)

= ⇒

E ≥ lfp Φx (Superinvariant). E ≤ Φx(E)

= ⇒

E ≤ lfp Φx (Subinvariant) ???.

Not absurd: Sound for deterministic programs. [Frohn et al. 16]

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 10

Lower Bounds Subinvariants

E ≥ Φx(E)

= ⇒

E ≥ lfp Φx (Superinvariant). E ≤ Φx(E)

= ⇒

E ≤ lfp Φx (Subinvariant) ???.

Not absurd: Sound for deterministic programs. [Frohn et al. 16]

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 10

Lower Bounds Subinvariants

E ≥ Φx(E)

= ⇒

E ≥ lfp Φx (Superinvariant). E ≤ Φx(E)

= ⇒

E ≤ lfp Φx (Subinvariant) ???.

Not absurd: Sound for deterministic programs. [Frohn et al. 16]

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 10

Lower Bounds

E ≤ Φx(E)

= ⇒

E ≤ lfp Φx

Subinvariants while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

} Φx(E) = [a = 1] · x + [a = 1] · 1

2 · (E [a/0] + E [x/x + 1]).

E ′ := x + [a = 1] · (1 + 2x)

→ E ′ ≤ Φx(E ′), so E ′ is a lower bound ??? → E ′ ≤ Φx(E ′), so E ′ is a lower bound

• Already seen upper bound by superinvariant E = x + [a = 1].

E′≤E.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 11

Lower Bounds

E ≤ Φx(E)

= ⇒

E ≤ lfp Φx

Subinvariants while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

} Φx(E) = [a = 1] · x + [a = 1] · 1

2 · (E [a/0] + E [x/x + 1]).

E ′ := x + [a = 1] · (1 + 2x)

→ E ′ ≤ Φx(E ′), so E ′ is a lower bound ??? → E ′ ≤ Φx(E ′), so E ′ is a lower bound

• Already seen upper bound by superinvariant E = x + [a = 1].

E′≤E.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 11

Lower Bounds

E ≤ Φx(E)

= ⇒

E ≤ lfp Φx

Subinvariants while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

} Φx(E) = [a = 1] · x + [a = 1] · 1

2 · (E [a/0] + E [x/x + 1]).

E ′ := x + [a = 1] · (1 + 2x)

→ E ′ ≤ Φx(E ′), so E ′ is a lower bound ??? → E ′ ≤ Φx(E ′), so E ′ is a lower bound

• Already seen upper bound by superinvariant E = x + [a = 1].

E′≤E.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 11

Lower Bounds

E ≤ Φx(E)

= ⇒

E ≤ lfp Φx

Subinvariants while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

} Φx(E) = [a = 1] · x + [a = 1] · 1

2 · (E [a/0] + E [x/x + 1]).

E ′ := x + [a = 1] · (1 + 2x)

→ E ′ ≤ Φx(E ′), so E ′ is a lower bound ??? → E ′ ≤ Φx(E ′), so E ′ is a lower bound

• Already seen upper bound by superinvariant E = x + [a = 1].

E′≤E.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 11

Lower Bounds

E ≤ Φx(E)

= ⇒

E ≤ lfp Φx

Subinvariants while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

} Φx(E) = [a = 1] · x + [a = 1] · 1

2 · (E [a/0] + E [x/x + 1]).

E ′ := x + [a = 1] · (1 + 2x)

→ E ′ ≤ Φx(E ′), so E ′ is a lower bound ??? → E ′ ≤ Φx(E ′), so E ′ is a lower bound

• Already seen upper bound by superinvariant E = x + [a = 1].

E′≤E.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 11

Lower Bounds

E ≤ Φx(E)

= ⇒

E ≤ lfp Φx

Subinvariants while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

} Φx(E) = [a = 1] · x + [a = 1] · 1

2 · (E [a/0] + E [x/x + 1]).

E ′ := x + [a = 1] · (1 + 2x)

→ E ′ ≤ Φx(E ′), so E ′ is a lower bound ??? → E ′ ≤ Φx(E ′), so E ′ is a lower bound

• Already seen upper bound by superinvariant E = x + [a = 1].

E′≤E.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 11

Lower Bounds

E ≤ Φx(E)

= ⇒

E ≤ lfp Φx

Subinvariants

→ Subinvariants are i.g. not sound for lower bounds. → Additional requirements to extract lower bound.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 12

Lower Bounds

E ≤ Φx(E)

= ⇒

E ≤ lfp Φx

Subinvariants

→ Subinvariants are i.g. not sound for lower bounds. → Additional requirements to extract lower bound.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 12

Lower Bounds

E ≤ Φx(E)

= ⇒

E ≤ lfp Φx

Subinvariants

→ Subinvariants are i.g. not sound for lower bounds. → Additional requirements to extract lower bound.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 12

Lower Bounds

E ≤ Φx(E)

= ⇒

E ≤ lfp Φx

Subinvariants

→ Subinvariants are i.g. not sound for lower bounds. → Additional requirements to extract lower bound.

Φω

x (E)

E

lfp Φx

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 12

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

additional requirements easily checkable

= ⇒ E ≤ lfp Φf . Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ lfp Φf .

• 1. Expected finite number of loop iterations.
• 2. Expected change is bounded by constant.

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ lfp Φf .

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 13

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

additional requirements easily checkable

= ⇒ E ≤ lfp Φf . Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ lfp Φf .

• 1. Expected finite number of loop iterations.
• 2. Expected change is bounded by constant.

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ lfp Φf .

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 13

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

additional requirements easily checkable

= ⇒ E ≤ lfp Φf . Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ lfp Φf .

• 1. Expected finite number of loop iterations.
• 2. Expected change is bounded by constant.

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ lfp Φf .

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 13

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

additional requirements easily checkable

= ⇒ E ≤ lfp Φf . Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ lfp Φf .

• 1. Expected finite number of loop iterations.
• 2. Expected change is bounded by constant.

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ lfp Φf .

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 13

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

additional requirements easily checkable

= ⇒ E ≤ lfp Φf . Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ lfp Φf .

• 1. Expected finite number of loop iterations.
• 2. Expected change is bounded by constant.

E(s)

• ...

E(τ1) E(τ2) E(τ3)

Exp

• C

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ lfp Φf .

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 13

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

additional requirements easily checkable

= ⇒ E ≤ lfp Φf . Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ lfp Φf .

• 1. Expected finite number of loop iterations.
• 2. Expected change is bounded by constant.

E(s)

• ...

E(τ1) E(τ2) E(τ3)

Exp

• C

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ lfp Φf .

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 13

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

additional requirements easily checkable

= ⇒ E ≤ lfp Φf . Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ lfp Φf .

• 1. Expected finite number of loop iterations.
• 2. Expected change is bounded by constant.

E(s)

• ...

E(τ1) E(τ2) E(τ3)

Exp

• C

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ lfp Φf .

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 13

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

additional requirements easily checkable

= ⇒ E ≤ lfp Φf . Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ lfp Φf .

• 1. Expected finite number of loop iterations.
• 2. Expected change is bounded by constant.

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ lfp Φf .

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 13

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ).

E

= x + [a = 1]

E ′ = x + [a = 1] · (1 + 2x)

λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E − E(s)|) (s)

=

1 2 · |x + [0 = 1] − (x + [a = 1])| + 1 2 · |x + 1 + [a = 1] − (x + [a = 1])|

=

1 2 · |− [a = 1]| + 1 2 · |1|

≤ 1 = K (constant) λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E ′ − E ′(s)|) (s)

≥ [a = 1] · (1 + 2x) Expected finite looping time: Exp

• T (a=1) ≤ 2 · [a = 1] < ∞.

→ E is a lower bound. → E = wp

• while ( a = 1 )

{ a := 0 } 1

2

{ x := x + 1 }

• (x).

→ Rule is not applicable! → Good, since E ′ is not a lower bound. → Easily checkable.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 14

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ).

E

= x + [a = 1]

E ′ = x + [a = 1] · (1 + 2x)

λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E − E(s)|) (s)

=

1 2 · |x + [0 = 1] − (x + [a = 1])| + 1 2 · |x + 1 + [a = 1] − (x + [a = 1])|

=

1 2 · |− [a = 1]| + 1 2 · |1|

≤ 1 = K (constant) λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E ′ − E ′(s)|) (s)

≥ [a = 1] · (1 + 2x) Expected finite looping time: Exp

• T (a=1) ≤ 2 · [a = 1] < ∞.

→ E is a lower bound. → E = wp

• while ( a = 1 )

{ a := 0 } 1

2

{ x := x + 1 }

• (x).

→ Rule is not applicable! → Good, since E ′ is not a lower bound. → Easily checkable.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 14

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

}

E

= x + [a = 1]

E ′ = x + [a = 1] · (1 + 2x)

λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E − E(s)|) (s)

=

1 2 · |x + [0 = 1] − (x + [a = 1])| + 1 2 · |x + 1 + [a = 1] − (x + [a = 1])|

=

1 2 · |− [a = 1]| + 1 2 · |1|

≤ 1 = K (constant) λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E ′ − E ′(s)|) (s)

≥ [a = 1] · (1 + 2x) Expected finite looping time: Exp

• T (a=1) ≤ 2 · [a = 1] < ∞.

→ E is a lower bound. → E = wp

• while ( a = 1 )

{ a := 0 } 1

2

{ x := x + 1 }

• (x).

→ Rule is not applicable! → Good, since E ′ is not a lower bound. → Easily checkable.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 14

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

}

E

= x + [a = 1]

E ′ = x + [a = 1] · (1 + 2x)

λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E − E(s)|) (s)

=

1 2 · |x + [0 = 1] − (x + [a = 1])| + 1 2 · |x + 1 + [a = 1] − (x + [a = 1])|

=

1 2 · |− [a = 1]| + 1 2 · |1|

≤ 1 = K (constant) λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E ′ − E ′(s)|) (s)

≥ [a = 1] · (1 + 2x) Expected finite looping time: Exp

• T (a=1) ≤ 2 · [a = 1] < ∞.

→ E is a lower bound. → E = wp

• while ( a = 1 )

{ a := 0 } 1

2

{ x := x + 1 }

• (x).

→ Rule is not applicable! → Good, since E ′ is not a lower bound. → Easily checkable.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 14

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

}

E

= x + [a = 1]

E ′ = x + [a = 1] · (1 + 2x)

λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E − E(s)|) (s)

=

1 2 · |x + [0 = 1] − (x + [a = 1])| + 1 2 · |x + 1 + [a = 1] − (x + [a = 1])|

=

1 2 · |− [a = 1]| + 1 2 · |1|

≤ 1 = K (constant) λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E ′ − E ′(s)|) (s)

≥ [a = 1] · (1 + 2x) Expected finite looping time: Exp

• T (a=1) ≤ 2 · [a = 1] < ∞.

→ E is a lower bound. → E = wp

• while ( a = 1 )

{ a := 0 } 1

2

{ x := x + 1 }

• (x).

→ Rule is not applicable! → Good, since E ′ is not a lower bound. → Easily checkable.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 14

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

}

E

= x + [a = 1]

E ′ = x + [a = 1] · (1 + 2x)

λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E − E(s)|) (s)

=

1 2 · |x + [0 = 1] − (x + [a = 1])| + 1 2 · |x + 1 + [a = 1] − (x + [a = 1])|

=

1 2 · |− [a = 1]| + 1 2 · |1|

≤ 1 = K (constant) λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E ′ − E ′(s)|) (s)

≥ [a = 1] · (1 + 2x) Expected finite looping time: Exp

• T (a=1) ≤ 2 · [a = 1] < ∞.

→ E is a lower bound. → E = wp

• while ( a = 1 )

{ a := 0 } 1

2

{ x := x + 1 }

• (x).

→ Rule is not applicable! → Good, since E ′ is not a lower bound. → Easily checkable.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 14

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

}

E

= x + [a = 1]

E ′ = x + [a = 1] · (1 + 2x)

λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E − E(s)|) (s)

=

1 2 · |x + [0 = 1] − (x + [a = 1])| + 1 2 · |x + 1 + [a = 1] − (x + [a = 1])|

=

1 2 · |− [a = 1]| + 1 2 · |1|

≤ 1 = K (constant) λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E ′ − E ′(s)|) (s)

≥ [a = 1] · (1 + 2x) Expected finite looping time: Exp

• T (a=1) ≤ 2 · [a = 1] < ∞.

→ E is a lower bound. → E = wp

• while ( a = 1 )

{ a := 0 } 1

2

{ x := x + 1 }

• (x).

→ Rule is not applicable! → Good, since E ′ is not a lower bound. → Easily checkable.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 14

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

}

E

= x + [a = 1]

E ′ = x + [a = 1] · (1 + 2x)

λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E − E(s)|) (s)

=

1 2 · |x + [0 = 1] − (x + [a = 1])| + 1 2 · |x + 1 + [a = 1] − (x + [a = 1])|

=

1 2 · |− [a = 1]| + 1 2 · |1|

≤ 1 = K (constant) λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E ′ − E ′(s)|) (s)

≥ [a = 1] · (1 + 2x) Expected finite looping time: Exp

• T (a=1) ≤ 2 · [a = 1] < ∞.

→ E is a lower bound. → E = wp

• while ( a = 1 )

{ a := 0 } 1

2

{ x := x + 1 }

• (x).

→ Rule is not applicable! → Good, since E ′ is not a lower bound. → Easily checkable.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 14

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

}

E

= x + [a = 1]

E ′ = x + [a = 1] · (1 + 2x)

λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E − E(s)|) (s)

=

1 2 · |x + [0 = 1] − (x + [a = 1])| + 1 2 · |x + 1 + [a = 1] − (x + [a = 1])|

=

1 2 · |− [a = 1]| + 1 2 · |1|

≤ 1 = K (constant) λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E ′ − E ′(s)|) (s)

≥ [a = 1] · (1 + 2x) Expected finite looping time: Exp

• T (a=1) ≤ 2 · [a = 1] < ∞.

→ E is a lower bound. → E = wp

• while ( a = 1 )

{ a := 0 } 1

2

{ x := x + 1 }

• (x).

→ Rule is not applicable! → Good, since E ′ is not a lower bound. → Easily checkable.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 14

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

}

E

= x + [a = 1]

E ′ = x + [a = 1] · (1 + 2x)

λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E − E(s)|) (s)

=

1 2 · |x + [0 = 1] − (x + [a = 1])| + 1 2 · |x + 1 + [a = 1] − (x + [a = 1])|

=

1 2 · |− [a = 1]| + 1 2 · |1|

≤ 1 = K (constant) λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E ′ − E ′(s)|) (s)

≥ [a = 1] · (1 + 2x) Expected finite looping time: Exp

• T (a=1) ≤ 2 · [a = 1] < ∞.

→ E is a lower bound. → E = wp

• while ( a = 1 )

{ a := 0 } 1

2

{ x := x + 1 }

• (x).

→ Rule is not applicable! → Good, since E ′ is not a lower bound. → Easily checkable.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 14

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

}

E

= x + [a = 1]

E ′ = x + [a = 1] · (1 + 2x)

λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E − E(s)|) (s)

=

1 2 · |x + [0 = 1] − (x + [a = 1])| + 1 2 · |x + 1 + [a = 1] − (x + [a = 1])|

=

1 2 · |− [a = 1]| + 1 2 · |1|

≤ 1 = K (constant) λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E ′ − E ′(s)|) (s)

≥ [a = 1] · (1 + 2x) Expected finite looping time: Exp

• T (a=1) ≤ 2 · [a = 1] < ∞.

→ E is a lower bound. → E = wp

• while ( a = 1 )

{ a := 0 } 1

2

{ x := x + 1 }

• (x).

→ Rule is not applicable! → Good, since E ′ is not a lower bound. → Easily checkable.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 14

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

}

E

= x + [a = 1]

E ′ = x + [a = 1] · (1 + 2x)

λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E − E(s)|) (s)

=

1 2 · |x + [0 = 1] − (x + [a = 1])| + 1 2 · |x + 1 + [a = 1] − (x + [a = 1])|

=

1 2 · |− [a = 1]| + 1 2 · |1|

≤ 1 = K (constant) λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E ′ − E ′(s)|) (s)

≥ [a = 1] · (1 + 2x) Expected finite looping time: Exp

• T (a=1) ≤ 2 · [a = 1] < ∞.

→ E is a lower bound. → E = wp

• while ( a = 1 )

{ a := 0 } 1

2

{ x := x + 1 }

• (x).

→ Rule is not applicable! → Good, since E ′ is not a lower bound. → Easily checkable.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 14

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

}

E

= x + [a = 1]

E ′ = x + [a = 1] · (1 + 2x)

λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E − E(s)|) (s)

=

1 2 · |x + [0 = 1] − (x + [a = 1])| + 1 2 · |x + 1 + [a = 1] − (x + [a = 1])|

=

1 2 · |− [a = 1]| + 1 2 · |1|

≤ 1 = K (constant) λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E ′ − E ′(s)|) (s)

≥ [a = 1] · (1 + 2x) Expected finite looping time: Exp

• T (a=1) ≤ 2 · [a = 1] < ∞.

→ E is a lower bound. → E = wp

• while ( a = 1 )

{ a := 0 } 1

2

{ x := x + 1 }

• (x).

→ Rule is not applicable! → Good, since E ′ is not a lower bound. → Easily checkable.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 14

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

}

E

= x + [a = 1]

E ′ = x + [a = 1] · (1 + 2x)

λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E − E(s)|) (s)

=

1 2 · |x + [0 = 1] − (x + [a = 1])| + 1 2 · |x + 1 + [a = 1] − (x + [a = 1])|

=

1 2 · |− [a = 1]| + 1 2 · |1|

≤ 1 = K (constant) λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E ′ − E ′(s)|) (s)

≥ [a = 1] · (1 + 2x) Expected finite looping time: Exp

• T (a=1) ≤ 2 · [a = 1] < ∞.

→ E is a lower bound. → E = wp

• while ( a = 1 )

{ a := 0 } 1

2

{ x := x + 1 }

• (x).

→ Rule is not applicable! → Good, since E ′ is not a lower bound. → Easily checkable.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 14

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

}

E

= x + [a = 1]

E ′ = x + [a = 1] · (1 + 2x)

λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E − E(s)|) (s)

=

1 2 · |x + [0 = 1] − (x + [a = 1])| + 1 2 · |x + 1 + [a = 1] − (x + [a = 1])|

=

1 2 · |− [a = 1]| + 1 2 · |1|

≤ 1 = K (constant) λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E ′ − E ′(s)|) (s)

≥ [a = 1] · (1 + 2x) Expected finite looping time: Exp

• T (a=1) ≤ 2 · [a = 1] < ∞.

→ E is a lower bound. → E = wp

• while ( a = 1 )

{ a := 0 } 1

2

{ x := x + 1 }

• (x).

→ Rule is not applicable! → Good, since E ′ is not a lower bound. → Easily checkable.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 14

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

}

E

= x + [a = 1]

E ′ = x + [a = 1] · (1 + 2x)

λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E − E(s)|) (s)

=

1 2 · |x + [0 = 1] − (x + [a = 1])| + 1 2 · |x + 1 + [a = 1] − (x + [a = 1])|

=

1 2 · |− [a = 1]| + 1 2 · |1|

≤ 1 = K (constant) λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E ′ − E ′(s)|) (s)

≥ [a = 1] · (1 + 2x) Expected finite looping time: Exp

• T (a=1) ≤ 2 · [a = 1] < ∞.

→ E is a lower bound. → E = wp

• while ( a = 1 )

{ a := 0 } 1

2

{ x := x + 1 }

• (x).

→ Rule is not applicable! → Good, since E ′ is not a lower bound. → Easily checkable.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 14

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

}

E

= x + [a = 1]

E ′ = x + [a = 1] · (1 + 2x)

λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E − E(s)|) (s)

=

1 2 · |x + [0 = 1] − (x + [a = 1])| + 1 2 · |x + 1 + [a = 1] − (x + [a = 1])|

=

1 2 · |− [a = 1]| + 1 2 · |1|

≤ 1 = K (constant) λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E ′ − E ′(s)|) (s)

≥ [a = 1] · (1 + 2x) Expected finite looping time: Exp

• T (a=1) ≤ 2 · [a = 1] < ∞.

→ E is a lower bound. → E = wp

• while ( a = 1 )

{ a := 0 } 1

2

{ x := x + 1 }

• (x).

→ Rule is not applicable! → Good, since E ′ is not a lower bound. → Easily checkable.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 14

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

}

E

= x + [a = 1]

E ′ = x + [a = 1] · (1 + 2x)

λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E − E(s)|) (s)

=

1 2 · |x + [0 = 1] − (x + [a = 1])| + 1 2 · |x + 1 + [a = 1] − (x + [a = 1])|

=

1 2 · |− [a = 1]| + 1 2 · |1|

≤ 1 = K (constant) λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E ′ − E ′(s)|) (s)

≥ [a = 1] · (1 + 2x) Expected finite looping time: Exp

• T (a=1) ≤ 2 · [a = 1] < ∞.

→ E is a lower bound. → E = wp

• while ( a = 1 )

{ a := 0 } 1

2

{ x := x + 1 }

• (x).

→ Rule is not applicable! → Good, since E ′ is not a lower bound. → Easily checkable.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 14

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

}

E

= x + [a = 1]

E ′ = x + [a = 1] · (1 + 2x)

λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E − E(s)|) (s)

=

1 2 · |x + [0 = 1] − (x + [a = 1])| + 1 2 · |x + 1 + [a = 1] − (x + [a = 1])|

=

1 2 · |− [a = 1]| + 1 2 · |1|

≤ 1 = K (constant) λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E ′ − E ′(s)|) (s)

≥ [a = 1] · (1 + 2x) Expected finite looping time: Exp

• T (a=1) ≤ 2 · [a = 1] < ∞.

→ E is a lower bound. → E = wp

• while ( a = 1 )

{ a := 0 } 1

2

{ x := x + 1 }

• (x).

→ Rule is not applicable! → Good, since E ′ is not a lower bound. → Easily checkable.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 14

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

}

E

= x + [a = 1]

E ′ = x + [a = 1] · (1 + 2x)

λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E − E(s)|) (s)

=

1 2 · |x + [0 = 1] − (x + [a = 1])| + 1 2 · |x + 1 + [a = 1] − (x + [a = 1])|

=

1 2 · |− [a = 1]| + 1 2 · |1|

≤ 1 = K (constant) λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E ′ − E ′(s)|) (s)

≥ [a = 1] · (1 + 2x) Expected finite looping time: Exp

• T (a=1) ≤ 2 · [a = 1] < ∞.

→ E is a lower bound. → E = wp

• while ( a = 1 )

{ a := 0 } 1

2

{ x := x + 1 }

• (x).

→ Rule is not applicable! → Good, since E ′ is not a lower bound. → Easily checkable.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 14

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

}

E

= x + [a = 1]

E ′ = x + [a = 1] · (1 + 2x)

λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E − E(s)|) (s)

=

1 2 · |x + [0 = 1] − (x + [a = 1])| + 1 2 · |x + 1 + [a = 1] − (x + [a = 1])|

=

1 2 · |− [a = 1]| + 1 2 · |1|

≤ 1 = K (constant) λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E ′ − E ′(s)|) (s)

≥ [a = 1] · (1 + 2x) Expected finite looping time: Exp

• T (a=1) ≤ 2 · [a = 1] < ∞.

→ E is a lower bound. → E = wp

• while ( a = 1 )

{ a := 0 } 1

2

{ x := x + 1 }

• (x).

→ Rule is not applicable! → Good, since E ′ is not a lower bound. → Easily checkable.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 14

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

}

E

= x + [a = 1]

E ′ = x + [a = 1] · (1 + 2x)

λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E − E(s)|) (s)

=

1 2 · |x + [0 = 1] − (x + [a = 1])| + 1 2 · |x + 1 + [a = 1] − (x + [a = 1])|

=

1 2 · |− [a = 1]| + 1 2 · |1|

≤ 1 = K (constant) λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E ′ − E ′(s)|) (s)

≥ [a = 1] · (1 + 2x) Expected finite looping time: Exp

• T (a=1) ≤ 2 · [a = 1] < ∞.

→ E is a lower bound. → E = wp

• while ( a = 1 )

{ a := 0 } 1

2

{ x := x + 1 }

• (x).

→ Rule is not applicable! → Good, since E ′ is not a lower bound. → Easily checkable.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 14

Lower Bounds wp while ( ϕ ) { C } (f ) Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). Our Rule

E ≤ Φf (E)

∧

• 1. Exp (T ¬ϕ) < ∞
• 2. λs. [ϕ] wp C (|E − E(s)|) ≤ K for

K ∈ R≥0

= ⇒ E ≤ wp loop (f ). while ( a = 1 ) { { a := 0 }

1

2

{ x := x + 1 }

}

E

= x + [a = 1]

E ′ = x + [a = 1] · (1 + 2x)

λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E − E(s)|) (s)

=

1 2 · |x + [0 = 1] − (x + [a = 1])| + 1 2 · |x + 1 + [a = 1] − (x + [a = 1])|

=

1 2 · |− [a = 1]| + 1 2 · |1|

≤ 1 = K (constant) λs. [a = 1] · wp

• { a := 0 }

1

2

{ x := x + 1 }

• (|E ′ − E ′(s)|) (s)

≥ [a = 1] · (1 + 2x) Expected finite looping time: Exp

• T (a=1) ≤ 2 · [a = 1] < ∞.

→ E is a lower bound. → E = wp

• while ( a = 1 )

{ a := 0 } 1

2

{ x := x + 1 }

• (x).

→ Rule is not applicable! → Good, since E ′ is not a lower bound. → Easily checkable.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 14

Lower Bounds wp while ( ϕ ) { C } (f ) Contribution

To best of our knowledge: → First inductive rule for lower bounds. → No reasoning about limits of sequences.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 15

Lower Bounds wp while ( ϕ ) { C } (f ) Contribution

To best of our knowledge: → First inductive rule for lower bounds. → No reasoning about limits of sequences.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 15

Lower Bounds wp while ( ϕ ) { C } (f ) Contribution

To best of our knowledge: → First inductive rule for lower bounds. → No reasoning about limits of sequences.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 15

Lower Bounds wp while ( ϕ ) { C } (f ) Lower Bounds for Expected Runtimes

• Similar rule for expected runtimes (ert [Kaminski et al. 16]).
• Only side condition: λs. [ϕ] wp C (|T − T(s)|) ≤ K for K ∈ R≥0.

Coupon Collector:

T = [0 < x ≤ N] · N · Hx + [N < x] · (N · HN + N − x) T[x/N] N · HN = N · (1 + 1

2 + · · · + 1 N) is lower bound.

Lower bound is strict but asymptotically optimal. HN appears in real world algorithm-analysis!

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 16

Lower Bounds wp while ( ϕ ) { C } (f ) Lower Bounds for Expected Runtimes

• Similar rule for expected runtimes (ert [Kaminski et al. 16]).
• Only side condition: λs. [ϕ] wp C (|T − T(s)|) ≤ K for K ∈ R≥0.

Coupon Collector:

T = [0 < x ≤ N] · N · Hx + [N < x] · (N · HN + N − x) T[x/N] N · HN = N · (1 + 1

2 + · · · + 1 N) is lower bound.

Lower bound is strict but asymptotically optimal. HN appears in real world algorithm-analysis!

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 16

Lower Bounds wp while ( ϕ ) { C } (f ) Lower Bounds for Expected Runtimes

• Similar rule for expected runtimes (ert [Kaminski et al. 16]).
• Only side condition: λs. [ϕ] wp C (|T − T(s)|) ≤ K for K ∈ R≥0.

Coupon Collector:

T = [0 < x ≤ N] · N · Hx + [N < x] · (N · HN + N − x) T[x/N] N · HN = N · (1 + 1

2 + · · · + 1 N) is lower bound.

Lower bound is strict but asymptotically optimal. HN appears in real world algorithm-analysis!

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 16

Lower Bounds wp while ( ϕ ) { C } (f ) Lower Bounds for Expected Runtimes

• Similar rule for expected runtimes (ert [Kaminski et al. 16]).
• Only side condition: λs. [ϕ] wp C (|T − T(s)|) ≤ K for K ∈ R≥0.

Coupon Collector:

T = [0 < x ≤ N] · N · Hx + [N < x] · (N · HN + N − x) T[x/N] N · HN = N · (1 + 1

2 + · · · + 1 N) is lower bound.

Lower bound is strict but asymptotically optimal. HN appears in real world algorithm-analysis!

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 16

Lower Bounds wp while ( ϕ ) { C } (f ) Lower Bounds for Expected Runtimes

• Similar rule for expected runtimes (ert [Kaminski et al. 16]).
• Only side condition: λs. [ϕ] wp C (|T − T(s)|) ≤ K for K ∈ R≥0.

Coupon Collector:

x := N

while ( 0 < x ) {

i := N + 1

while ( x < i ) {

i := Unif[1..N]

}

x := x − 1

}

T = [0 < x ≤ N] · N · Hx + [N < x] · (N · HN + N − x) T[x/N] N · HN = N · (1 + 1

2 + · · · + 1 N) is lower bound.

Lower bound is strict but asymptotically optimal. HN appears in real world algorithm-analysis!

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 16

Lower Bounds wp while ( ϕ ) { C } (f ) Lower Bounds for Expected Runtimes

• Similar rule for expected runtimes (ert [Kaminski et al. 16]).
• Only side condition: λs. [ϕ] wp C (|T − T(s)|) ≤ K for K ∈ R≥0.

Coupon Collector:

x := N

while ( 0 < x ) {

i := N + 1

while ( x < i ) {

i := Unif[1..N]

}

x := x − 1

}

T = [0 < x ≤ N] · N · Hx + [N < x] · (N · HN + N − x) T[x/N] N · HN = N · (1 + 1

2 + · · · + 1 N) is lower bound.

Lower bound is strict but asymptotically optimal. HN appears in real world algorithm-analysis!

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 16

Lower Bounds wp while ( ϕ ) { C } (f ) Lower Bounds for Expected Runtimes

• Similar rule for expected runtimes (ert [Kaminski et al. 16]).
• Only side condition: λs. [ϕ] wp C (|T − T(s)|) ≤ K for K ∈ R≥0.

Coupon Collector:

x := N

while ( 0 < x ) {

i := N + 1

while ( x < i ) {

i := Unif[1..N]

}

x := x − 1

}

T = [0 < x ≤ N] · N · Hx + [N < x] · (N · HN + N − x) T[x/N] N · HN = N · (1 + 1

2 + · · · + 1 N) is lower bound.

Lower bound is strict but asymptotically optimal. HN appears in real world algorithm-analysis!

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 16

Lower Bounds wp while ( ϕ ) { C } (f ) Lower Bounds for Expected Runtimes

• Similar rule for expected runtimes (ert [Kaminski et al. 16]).
• Only side condition: λs. [ϕ] wp C (|T − T(s)|) ≤ K for K ∈ R≥0.

Coupon Collector:

x := N

while ( 0 < x ) {

i := N + 1

while ( x < i ) {

i := Unif[1..N]

}

x := x − 1

}

T = [0 < x ≤ N] · N · Hx + [N < x] · (N · HN + N − x) T[x/N] N · HN = N · (1 + 1

2 + · · · + 1 N) is lower bound.

Lower bound is strict but asymptotically optimal. HN appears in real world algorithm-analysis!

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 16

Lower Bounds wp while ( ϕ ) { C } (f ) Lower Bounds for Expected Runtimes

• Similar rule for expected runtimes (ert [Kaminski et al. 16]).
• Only side condition: λs. [ϕ] wp C (|T − T(s)|) ≤ K for K ∈ R≥0.

Coupon Collector:

x := N

while ( 0 < x ) {

i := N + 1

while ( x < i ) {

i := Unif[1..N]

}

x := x − 1

}

T = [0 < x ≤ N] · N · Hx + [N < x] · (N · HN + N − x) T[x/N] N · HN = N · (1 + 1

2 + · · · + 1 N) is lower bound.

Lower bound is strict but asymptotically optimal. HN appears in real world algorithm-analysis!

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 16

Lower Bounds wp while ( ϕ ) { C } (f ) Lower Bounds for Expected Runtimes

• Similar rule for expected runtimes (ert [Kaminski et al. 16]).
• Only side condition: λs. [ϕ] wp C (|T − T(s)|) ≤ K for K ∈ R≥0.

Coupon Collector:

x := N

while ( 0 < x ) {

i := N + 1

while ( x < i ) {

i := Unif[1..N]

}

x := x − 1

}

T = [0 < x ≤ N] · N · Hx + [N < x] · (N · HN + N − x) T[x/N] N · HN = N · (1 + 1

2 + · · · + 1 N) is lower bound.

Lower bound is strict but asymptotically optimal. HN appears in real world algorithm-analysis!

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 16

Conclusion Outline Motivation Upper Bounds [Park] Lower Bounds Conclusion

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 17

Conclusion Summary

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 18

Conclusion Summary

• Inductive rule for deriving lower bounds on (unbounded) postexpectations.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 18

Conclusion Summary

• Inductive rule for deriving lower bounds on (unbounded) postexpectations.
• Inductive rule for deriving lower bounds on expected runtimes.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 18

Conclusion Summary

• Inductive rule for deriving lower bounds on (unbounded) postexpectations.
• Inductive rule for deriving lower bounds on expected runtimes.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 18

Conclusion Summary

• Inductive rule for deriving lower bounds on (unbounded) postexpectations.
• Inductive rule for deriving lower bounds on expected runtimes.

Future Work

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 18

Conclusion Summary

• Inductive rule for deriving lower bounds on (unbounded) postexpectations.
• Inductive rule for deriving lower bounds on expected runtimes.

Future Work

• Generalization to mixed sign expectations.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 18

Conclusion Summary

• Inductive rule for deriving lower bounds on (unbounded) postexpectations.
• Inductive rule for deriving lower bounds on expected runtimes.

Future Work

• Generalization to mixed sign expectations.
• Automation.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 18

Conclusion Summary

• Inductive rule for deriving lower bounds on (unbounded) postexpectations.
• Inductive rule for deriving lower bounds on expected runtimes.

Future Work

• Generalization to mixed sign expectations.
• Automation.

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 18

Conclusion Summary

• Inductive rule for deriving lower bounds on (unbounded) postexpectations.
• Inductive rule for deriving lower bounds on expected runtimes.

Future Work

• Generalization to mixed sign expectations.
• Automation.

Thank you

POPL 2020– Aiming Low is Harder – Hark, Kaminski, Giesl, Katoen – 1/25/20 – 18