1 Formal Methods for Probabilistic Systems Annabelle McIver Carroll Morgan • Source-level program logic • Meta-theorems for loops • Examples • Probabilistic amplification • Uniform selection
2 Probabilistic amplification Is K prime? true � “yes” false � “no” There is a Boolean question Q that the program is to answer, { [ N � 0] � (1 - 1/ 2 N ) } in Boolean variable a . a,n := true,N ; But a := Q is not allowed! do n � 0 � a � a Instead, only a := Q 1/ 2 � true a := Q 1/ 2 � true ; can be used. n := n -1 od We must therefore “amplify” that 1/ 2 probability towards 1, { [ a = Q ] } for which we pay with execution time. The Miller-Rabin test “puts K to the Question”. If K is prime, it will never confess; but if it is composite, then it On e con f ession is en ough... will confess with probability 1/ 2. Probabilistic amplification interrogates K a number of times, to increase the probability of confession. (The real Inquisition allowed only three interrogations.)
3 Probabilistic amplification { [ N � 0] � (1 - 1/ 2 N ) } The probability that a = Q on a,n := true,N ; termination... do n � 0 � a � is at least 1 - 1/ 2 N ... a := Q 1/ 2 � true ; n := n -1 provided N � 0 initially. od { [ a = Q ] }
4 What is the invariant? a = Q do n � 0 � a � Q not Q finally? a := Q 1/ 2 � true ; n := n -1 1 - 1/ 2 n a true od { [ a = Q ] } not a false true After some experimentation, [ a ] � � Q � � � 1 - [ a ]/ 2 n turns out to work well in the calculations.
5 Invariant is preserved do n � 0 � a � a := Q 1/ 2 � true ; Invariant “at end of loop body” n:= n -1 od [ a ] � � Q � � � 1 - [ a ]/ 2 n [ a ] � � Q � � � 1 - [ a ]/ 2 n-1 � wp. ( n := n -1 ) • 1/ 2 � ( [ Q ] � � Q � � � 1 - [ Q ]/ 2 n-1 ) � wp. ( a := Q 1/ 2 � true ) • 1/ 2 � ( [ true ] � � Q � � � 1 - [ true ]/ 2 n-1 ) + 1/ 2 � 1 + 1/ 2 � ( 1 � � Q � � � 1 - 1/ 2 n-1 ) � arithmetic 1 � � Q � � � 1 - 1/ 2 n � arithmetic [ a ] � ( [ a ] � � Q � � � 1 - [ a ]/ 2 n ) . � [ a ] from guard Loop guard Invariant “at beginning of loop body”
6 Invariant establishes overall post-expectation Negated loop guard Invariant “at end of loop body” [ n =0 � ! a ] � ( [ a ] � � Q � � � 1 - [ a ]/ 2 n ) [ n =0 � ! a ] � ( [ a ] � � Q � � � [! a ] ) � arithmetic � [ a ] � � Q � � � [! a ] drop guard � [ a = Q ] . arithmetic do n � 0 � a � a := Q 1/ 2 � true ; Overall post-expectation n:= n -1 od
7 Invariant... established by initialisation a,n := true , N ; do n � 0 � a � Invariant “at a := Q 1/ 2 � true ; beginning of loop body” Termination condition n:= n -1 od [ n � 0] � ( [ a ] � � Q � � � 1 - [ a ]/ 2 n ) [ N � 0] � ( [ true ] � � Q � � � 1 - [ true ]/ 2 N ) � wp. ( a , n := true,N ) • [ N � 0] � ( 1 � � Q � � � 1 - 1/ 2 N ) � arithmetic [ N � 0] � (1 - 1/ 2 N ) . � sufficient Probability of establishing Q=a is at least this... ...provided termination is guaranteed.
8 Summary { [ N � 0] � (1 - 1/ 2 N ) } { [ N � 0] � ( 1 � � Q � � 1 - 1/ 2 N ) } a,n := true,N ; { [ n � 0] � ( [ a ] � � Q � � 1 - [ a ]/ 2 n ) } do n � 0 � a � { [ a ] � ( [ a ] � � Q � � 1 - [ a ]/ 2 n ) } a := Q 1/ 2 � true ; { [ a ] � � Q � � 1 - [ a ]/ 2 n -1 } n := n -1 { [ a ] � � Q � � 1 - [ a ]/ 2 n } od { [ n =0 � ! a ] � ([ a ] � � Q � � � 1 - [ a ]/ 2 n ) } { [ a = Q ] } “postcondition”
9 Summary { [ N � 0] � (1 - 1/ 2 N ) } { [ N � 0] � ( 1 � � Q � � 1 - 1/ 2 N ) } a,n := true,N ; { [ n � 0] � ( [ a ] � � Q � � 1 - [ a ]/ 2 n ) } do n � 0 � a � { [ a ] � ( [ a ] � � Q � � 1 - [ a ]/ 2 n ) } a := Q 1/ 2 � true ; { [ a ] � � Q � � 1 - [ a ]/ 2 n -1 } n := n -1 { [ a ] � � Q � � 1 - [ a ]/ 2 n } invariant od { [ n =0 � ! a ] � ([ a ] � � Q � � � 1 - [ a ]/ 2 n ) } { [ a = Q ] } “postcondition”
10 Summary { [ N � 0] � (1 - 1/ 2 N ) } { [ N � 0] � ( 1 � � Q � � 1 - 1/ 2 N ) } a,n := true,N ; { [ n � 0] � ( [ a ] � � Q � � 1 - [ a ]/ 2 n ) } do n � 0 � a � { [ a ] � ( [ a ] � � Q � � 1 - [ a ]/ 2 n ) } a := Q 1/ 2 � true ; { [ a ] � � Q � � 1 - [ a ]/ 2 n -1 } n := n -1 { [ a ] � � Q � � 1 - [ a ]/ 2 n } od { [ n =0 � ! a ] � ([ a ] � � Q � � � 1 - [ a ]/ 2 n ) } invariant and negated guard { [ a = Q ] }
11 Summary { [ N � 0] � (1 - 1/ 2 N ) } { [ N � 0] � ( 1 � � Q � � 1 - 1/ 2 N ) } a,n := true,N ; { [ n � 0] � ( [ a ] � � Q � � 1 - [ a ]/ 2 n ) } do n � 0 � a � { [ a ] � ( [ a ] � � Q � � 1 - [ a ]/ 2 n ) } a := Q 1/ 2 � true ; { [ a ] � � Q � � 1 - [ a ]/ 2 n -1 } n := n -1 { [ a ] � � Q � � 1 - [ a ]/ 2 n } od { [ n =0 � ! a ] � ([ a ] � � Q � � � 1 - [ a ]/ 2 n ) } implies { [ a = Q ] } postcondition
12 Summary { [ N � 0] � (1 - 1/ 2 N ) } { [ N � 0] � ( 1 � � Q � � 1 - 1/ 2 N ) } a,n := true,N ; { [ n � 0] � ( [ a ] � � Q � � 1 - [ a ]/ 2 n ) } do n � 0 � a � { [ a ] � ( [ a ] � � Q � � 1 - [ a ]/ 2 n ) } a := Q 1/ 2 � true ; { [ a ] � � Q � � 1 - [ a ]/ 2 n -1 } n := n -1 { [ a ] � � Q � � 1 - [ a ]/ 2 n } invariant must be maintained od { [ n =0 � ! a ] � ([ a ] � � Q � � � 1 - [ a ]/ 2 n ) } { [ a = Q ] }
13 Summary { [ N � 0] � (1 - 1/ 2 N ) } { [ N � 0] � ( 1 � � Q � � 1 - 1/ 2 N ) } a,n := true,N ; { [ n � 0] � ( [ a ] � � Q � � 1 - [ a ]/ 2 n ) } do n � 0 � a � { [ a ] � ( [ a ] � � Q � � 1 - [ a ]/ 2 n ) } a := Q 1/ 2 � true ; { [ a ] � � Q � � 1 - [ a ]/ 2 n -1 } n := n -1 work backwards { [ a ] � � Q � � 1 - [ a ]/ 2 n } od { [ n =0 � ! a ] � ([ a ] � � Q � � � 1 - [ a ]/ 2 n ) } { [ a = Q ] }
14 Summary { [ N � 0] � (1 - 1/ 2 N ) } { [ N � 0] � ( 1 � � Q � � 1 - 1/ 2 N ) } a,n := true,N ; { [ n � 0] � ( [ a ] � � Q � � 1 - [ a ]/ 2 n ) } do n � 0 � a � { [ Q ] � � Q � � 1 - [ Q ]/ 2 n -1 1/ 2 � [ true ] � � Q � � 1 - [ tru a := Q 1/ 2 � true ; work backwards { [ a ] � � Q � � 1 - [ a ]/ 2 n -1 } n := n -1 { [ a ] � � Q � � 1 - [ a ]/ 2 n } od { [ n =0 � ! a ] � ([ a ] � � Q � � � 1 - [ a ]/ 2 n ) } { [ a = Q ] }
15 Summary { [ N � 0] � (1 - 1/ 2 N ) } { [ N � 0] � ( 1 � � Q � � 1 - 1/ 2 N ) } [ true ] � � Q � � 1 - [ true ]/ 2 n -1 a,n := true,N ; { [ n � 0] � ( [ a ] � � Q � � 1 - [ a ]/ 2 n ) } do n � 0 � a � { [ Q ] � � Q � � 1 - [ Q ]/ 2 n -1 1/ 2 � } a := Q 1/ 2 � true ; work backwards { [ a ] � � Q � � 1 - [ a ]/ 2 n -1 } n := n -1 { [ a ] � � Q � � 1 - [ a ]/ 2 n } od { [ n =0 � ! a ] � ([ a ] � � Q � � � 1 - [ a ]/ 2 n ) } { [ a = Q ] }
16 Summary { [ N � 0] � (1 - 1/ 2 N ) } { [ N � 0] � ( 1 � � Q � � 1 - 1/ 2 N ) } [ true ] � � Q � � 1 - [ true ]/ 2 n -1 a,n := true,N ; { [ n � 0] � ( [ a ] � � Q � � 1 - [ a ]/ 2 n ) } do n � 0 � a � should be { [ Q ] � � Q � � 1 - [ Q ]/ 2 n -1 1/ 2 � } implied by invariant and a := Q 1/ 2 � true ; guard { [ a ] � � Q � � 1 - [ a ]/ 2 n -1 } n := n -1 { [ a ] � � Q � � 1 - [ a ]/ 2 n } od { [ n =0 � ! a ] � ([ a ] � � Q � � � 1 - [ a ]/ 2 n ) } { [ a = Q ] }
17 Summary { [ N � 0] � (1 - 1/ 2 N ) } { [ N � 0] � ( 1 � � Q � � 1 - 1/ 2 N ) } a,n := true,N ; { [ n � 0] � ( [ a ] � � Q � � 1 - [ a ]/ 2 n ) } do n � 0 � a � { 1 � � Q � � 1 - 0/ 2 n -1 1/ 2 � 1 � � Q � � 1 - 1/ 2 n -1 } simplify a := Q 1/ 2 � true ; { [ a ] � � Q � � 1 - [ a ]/ 2 n -1 } n := n -1 { [ a ] � � Q � � 1 - [ a ]/ 2 n } od { [ n =0 � ! a ] � ([ a ] � � Q � � � 1 - [ a ]/ 2 n ) } { [ a = Q ] }
18 Summary { [ N � 0] � (1 - 1/ 2 N ) } { [ N � 0] � ( 1 � � Q � � 1 - 1/ 2 N ) } a,n := true,N ; { [ n � 0] � ( [ a ] � � Q � � 1 - [ a ]/ 2 n ) } do n � 0 � a � { 1 � � Q � � (1 1/ 2 � 1 - 1/ 2 n -1) } simplify more a := Q 1/ 2 � true ; { [ a ] � � Q � � 1 - [ a ]/ 2 n -1 } n := n -1 { [ a ] � � Q � � 1 - [ a ]/ 2 n } od { [ n =0 � ! a ] � ([ a ] � � Q � � � 1 - [ a ]/ 2 n ) } { [ a = Q ] }
19 Summary { [ N � 0] � (1 - 1/ 2 N ) } { [ N � 0] � ( 1 � � Q � � 1 - 1/ 2 N ) } a,n := true,N ; { [ n � 0] � ( [ a ] � � Q � � 1 - [ a ]/ 2 n ) } do n � 0 � a � { 1 � � Q � � 1 - 1/ 2 n } and more a := Q 1/ 2 � true ; { [ a ] � � Q � � 1 - [ a ]/ 2 n -1 } n := n -1 { [ a ] � � Q � � 1 - [ a ]/ 2 n } od { [ n =0 � ! a ] � ([ a ] � � Q � � � 1 - [ a ]/ 2 n ) } { [ a = Q ] }
Recommend
More recommend
