Ranking and Repulsing Supermartingales for Reachability in - - PowerPoint PPT Presentation

Ranking and Repulsing Supermartingales for Reachability in Probabilistic Programs

Toru Takisaka, Yuichiro Oyabu, Natsuki Urabe, Ichiro Hasuo

A robot resolves a set of tasks

Mode 1: safe mode

N tasks

Mode 1: safe mode

3 min. N tasks N-1 tasks

Mode 2: urgent mode

N tasks

Mode 2: urgent mode

1 min. 90% N tasks N-1 tasks

Mode 2: urgent mode

1 min. 90% 10% N tasks N-1 tasks N+3 tasks

Complete 15 tasks within 30 minutes

What is the probability that the robot completes the tasks?

Complete 15 tasks within 30 minutes

Problem formulation

Input: probabilistic program

Problem formulation

Input: probabilistic program

• Nondet. / Prob.

branching

Problem formulation

Input: probabilistic program

• Nondet. / Prob.

branching

• Nondet. / Prob.

assignment

Problem formulation

What is the probability that the program terminates?

(under angelic/demonic scheduler) Input: probabilistic program Problem

We admit continuous variable ⇒Generally one can’t compute this value efficiently

• Nondet. / Prob.

branching

• Nondet. / Prob.

assignment

Problem formulation

Input: probabilistic program

⇒ Certification by supermartingale

• Nondet. / Prob.

branching

• Nondet. / Prob.

assignment

What is the probability that the program terminates?

(under angelic/demonic scheduler) Problem

We admit continuous variable ⇒Generally one can’t compute this value efficiently

Certification by supermartingale

(Agrawal+, POPL’18)

Probabilistic modification of real-world benchmarks

(in Alias+, SAS’10)

Almost-sure termination is certified in 20/28 examples

Certification by supermartingale

(Steinhardt-Tedrake, IJRR’12)

System: a pendulum under Gaussian noise

>99% safety is guaranteed

(Pr(enter a bad state) <1%)

The log-base-10 of the failure probability (failure = within 1h)

• Start
• A state is a pair (program location, memory state)
• As powerful as MDP

Control flow graph

finite

• Start
• A state is a pair (program location, memory state)
• As powerful as MDP

Control flow graph

finite

• Start
• A state is a pair (program location, memory state)
• As powerful as MDP

Control flow graph

finite

• Start
• A state is a pair (program location, memory state)
• As powerful as MDP

Control flow graph

finite

• Start
• A state is a pair (program location, memory state)
• As powerful as MDP

Control flow graph

finite

𝟔

(Locations) (Variables)

• Start
• A state is a pair (program location, memory state)
• As powerful as MDP

⇒Pr(the system eventually visits the region )?

Problem

Control flow graph

finite

Supermartingale = a function over states that is “non-increasing” through transitions

• (angelic)
• …(demonic)

Ranking function

Ranking function

Ranking function

Int-valued

Ranking function

The system eventually visits (under any nondeterministic choice)

Int-valued

Ranking function

The system eventually visits (under any nondeterministic choice)

Int-valued

Ranking supermartingale

Ranking supermartingale

Ranking supermartingale

decreases at least 1

• valued

The system eventually visits almost surely

Ranking supermartingale

decreases at least 1

• valued

Barrier certificate

Safe region Unsafe region

Barrier certificate

Safe region Unsafe region

Barrier certificate

Safe region Unsafe region

Barrier certificate

Safe region Unsafe region

Barrier certificate

Safe region Unsafe region

The system does not enter the unsafe region

Probabilistic barrier certificate (a.k.a. nonnegative repulsing supermartingale)

Safe region Unsafe region

𝑦

Safe region Unsafe region

𝑦

• valued

Probabilistic barrier certificate (a.k.a. nonnegative repulsing supermartingale)

Safe region Unsafe region

𝑦

• valued

Probabilistic barrier certificate (a.k.a. nonnegative repulsing supermartingale)

Safe region Unsafe region

𝑦

• valued

Probabilistic barrier certificate (a.k.a. nonnegative repulsing supermartingale)

Safe region Unsafe region

Pr(the system enters the unsafe region)

𝑦

• valued

Probabilistic barrier certificate (a.k.a. nonnegative repulsing supermartingale)

Our contributions

Comprehensive account of martingale-based

approximation methods via fixed point argument

Soundness/completeness for uncountable-states MDPs,

under angelic/demonic nondeterminism

Implementation and experiments

Our contributions

Comprehensive account of martingale-based

approximation methods via fixed point argument

Soundness/completeness for uncountable-states MDPs,

under angelic/demonic nondeterminism

Implementation and experiments

Two objective functions

• Given: a control flow graph, and a subset
• f its states
• and

are

Two objective functions

• Given: a control flow graph, and a subset
• f its states
• and

are …under angelic/demonic scheduler

Soundness/completeness

Soundness: Completeness:

Ranking supermartingale

(

• )

Soundness: Completeness:

Nonnegative repulsing supermartingale

Soundness/completeness

Soundness: Completeness:

Ranking supermartingale

(

• )

Soundness: Completeness:

Nonnegative repulsing supermartingale

Known Partly known Partly known Not known

Soundness/completeness

For certain endofunctions and and

Soundness/completeness

The lattice

… the set of all (measurable) functions

• …

Our theorem

Soundness/completeness

The lattice

… the set of all (measurable) functions

• …

Soundness is a RankSM Our theorem

Soundness/completeness

The lattice

… the set of all (measurable) functions

• …

Soundness is a RankSM Our theorem

Soundness/completeness

The lattice

… the set of all (measurable) functions

• …

Soundness is a RankSM Knaster-Tarski theorem Our theorem

Soundness/completeness

The lattice

… the set of all (measurable) functions

• …

Soundness is a RankSM Completeness Knaster-Tarski theorem Our theorem

Soundness/completeness

The lattice

… the set of all (measurable) functions

• …

Soundness is a RepSM Completeness Knaster-Tarski theorem Our theorem

Our contributions

Comprehensive account of martingale-based

approximation methods via fixed point argument

Soundness/completeness for uncountable-states MDPs,

under angelic/demonic nondeterminism

Implementation and experiments

Soundness/completeness for martingale methods

Approximation method It certifies Soundness Completeness Additive ranking Supermartingale

(Chakarov-Sankaranarayanan, CAV’13 etc.)

Yes (MDP, continuous variable) Yes (MDP, discrete variable) Nonnegative repulsing supermartingale

(Steinhardt+, IJRR’12 etc.)

Yes (Markov Chain)

• scaled submartingale

(Urabe+, LICS‘17)

Yes (Markov Chain)

• decreasing repulsing

supermartingale

(Chatterjee+, POPL’17)

Yes (MDP, continuous variable, linearity assumpt.)

Soundness/completeness for martingale methods

Approximation method It certifies Soundness Completeness Additive ranking Supermartingale

(Chakarov-Sankaranarayanan, CAV’13 etc.)

Yes (MDP, continuous variable) Yes (MDP, discrete variable) Nonnegative repulsing supermartingale

(Steinhardt+, IJRR’12 etc.)

Yes (Markov Chain)

• scaled submartingale

(Urabe+, LICS‘17)

Yes (Markov Chain)

• decreasing repulsing

supermartingale

(Chatterjee+, POPL’17)

Yes (MDP, continuous variable, linearity assumpt.)

• Yes (MDP, continuous variable)

Yes (MDP, continuous variable) No Yes (MDP, continuous variable)

Our contributions

Comprehensive account of martingale-based

approximation methods via fixed point argument

Soundness/completeness for uncountable-states MDPs,

under angelic/demonic nondeterminism

Implementation and experiments

Implementation and experiments

• Implemented template-based synthesis algorithms
• Nontrivial bounds are found (①)
• Observed comparative advantage of nonnegative RepSM over -decreasing RepSM (②)

① ① ②

Summary

• Martingale can evaluate reachability of probabilistic

programs in various ways

• We gave a comprehensive account of martingale-based approximation

methods via fixed point argument

• We proved soundness/completeness of several methods for

uncountable-states MDPs, which extends known results

• We demonstrated implementation and experiments