[PDF] - Researc h Articles pGCL formal reasoning for random PDF Document

SLIDE 1 Researc h Articles pGCL formal reasoning for random algorithms

Carroll

Morgan and Annab elle McIv er Pr

gr

amming R ese ar ch Gr

up

University

f

Oxfor d httpwwwcomlaboxacuko uclg roup spro bs fcarrollanabelgcomlabox acu k Abstract Dijkstr as guar de dc

mmand

language GCL c

ntains

explicit demonic nondeterminism r epr esenting abstr action fr

m
r

ignor anc e

f
which
f

two pr

gr

am fr agments wil l b e exe cute d We intr

duc

e probabilistic nondeter minism to the language c al ling the r esult pGCL Imp

rtant

is that b

th

forms

f

nondeterminism ar e pr esent

b
th

demonic and pr

b

abilistic unlike e arlier appr

aches

we do not de al

nly

with

ne
r

the

ther

The pr

gr

amming lo gic

f

we akest pr e c

nditions

for GCL b e c

mes

a lo gic

f

gr e atest pr eexp e ctations for pGCL we emb e d pr e dic ates Bo

le

anvalue d expr essions

ver

state variables into arithmetic by writing P

an

expr ession that is

when

P holds and

when

it do es not Thus in a trivial sense P

is

the pr

b

ability that P is true and such emb e dde d pr e dic ates ar e the b asis for the mor e elab

r

ate arithmetic expr essions that we c al l exp e ctations pGCL is suitable for describing r andom algorithms at le ast

ver

discr ete distributions In

ur

pr esentation

f

it and its lo gic we give two examples an err atic se quenc e ac cumulator that fails with some pr

b

ability to move along the se quenc e and R abin s choic ec

r

dination

algorithm

The rst il lustr ates pr

b

abilistic invariants the se c

nd

il lustr ates pr

b

abilistic variants Keyw

rds

Pr

gr

am c

rr

e ctness pr

b

ability demonic nondeterminism r andom algorithm pr e dic ate tr ans former we akest pr e c

ndition

guar de d c

mmand

c

rr

e ctness pr

f

invariant variant Computing Review Categories D D F F G G

In

tro duction Dijkstras Guarded Command Language GCL

is

a w eak estprecondition based metho d

f

describing com putations and their meaning here w e extend it to probabilistic programs those that implemen t random algorithms and w e giv e examples

f

its use Most sequen tial programming languages con tain a construct for deterministic c hoice where the pro gram selects

ne

from a n um b er

f

alternativ es in some predictable w a y for example in if test then this else that

the

c hoice b et w een this and that is determined b y test and the curren t state In con trast Dijkstras language

f

guarded com mands brings nondeterministic

r

demonic c hoice to prominence in whic h the programs b eha viour is not predictable not determined b y the curren t state A t rst

demonic

c hoice w as presen ted as a conse quence

f
v

erlapping guards almost an acciden t

but

as its imp

rtance

b ecame more widely recognised it dev elop ed a life

f

its

wn

No w ada ys it merits an

P

art

f

this rep

rt

is a transliteration

f

another rep

rt
from

generalised substitutions

to

guarded commands The case study Rabins algorithm has not app eared b efore explicit

p

erator the construct this u that c ho

ses

b et w een the alternativ es unpredictably and as a sp ecication indicates abstraction from the issue

f

whic h will b e executed The customer will b e happ y with either this

r

that

and

the implemen tor ma y c ho

se

b et w een them according to his

wn

concerns Early researc h

n

probabilistic seman tics to

k

a dieren t route demonic c hoice w as not regarded as fundamen tal

rather

it w as abandoned altogether b eing replaced b y probabilistic c hoice

Th

us probabilistic seman tics w as div

rced

from the con temp

raneous

w

rk
n

sp ecication and rene men t b ecause without demonic c hoice there is no means

f

abstraction More recen tly ho w ev er it has b een disco v ered

ho

w to bring the t w

topics

bac k together tak ing the more natural approac h

f

adding probabilistic c hoice while retaining demonic c hoice In fact deter ministic c hoice is a sp ecial case

f

probabilistic c hoice whic h in turn is a renemen t

f

demonic c hoice W e giv e the resulting probabilistic extension

f

GCL the name pGCL Section

giv

es a brief and shallo w

v

erview

f
SA

CJSAR T No

SLIDE 2 Researc h Articles pGCL somewhat informal and concen trating

n

sim ple examples Section

sets
ut

the denitions and prop erties

f

pGCL systematically

and

Sec

treats

an example

f

reasoning ab

ut

probabilistic lo

ps

sho wing ho w to use probabilistic in v arian ts Section

illustrates

probabilistic v arian ts with a thorough treat men t

f

Rabins c hoiceco

rdination

algorithm

An

impression

f

pGCL can b e gained b y reading Secc

and
with

nally a glance

v

er Secc

and
more

thoroughly

ne

w

uld

read Secc

and
then
again

and nally

The

more theoretical Sec

can

b e skipp ed

n

rst reading and Sec

can

b e read indep enden tly

Throughout

w e write f x instead

f

f x for func tion f applied to argumen t x with left asso ciation and w e use

for

is dened to b e

An

impression

f

pGCL Let square brac k ets

b

e used to em b ed Bo

lean

v alued predicates within arithmetic form ulae whic h for reasons explained b elo w w e call exp e ctations

w

e allo w them to range

v

er the unit in terv al

Stip

ulating that false is

and

true is

mak

es

P
in

a trivial sense the probabilit y that a giv en predicate P holds if false P holds with probabilit y

if

true it holds with probabilit y

F
r
ur

rst example consider the simple pro gram x

y
x
y
v

er v ariables x y

Z
using

a construct

whic

h w e in terpret as c ho

se

the left branc h x

y

with prob abilit y

and

c ho

se

the righ t branc h with proba bilit y

Recall
that

for an y predicate P

v

er nal states and a standard

command

S

the

w eak est pre condition predicate wpSP acts

v

er initial states it holds just in those initial states from whic h S is guar an teed to reac h P

No

w supp

se

S is probabilistic as Program

is

what can w e sa y ab

ut

the pr

b

ability that wpSP holds in some initial state It turns

ut

that the answ er is just wp S P

nce

w e generalise wp S to exp ectations instead

f

predi cates F

r

that w e b egin with the t w

denitions

wp x

E

R

R

with x replaced ev erywhere b y E

wpS

p

T

R

p
wpSR
p
wp

T R

in

whic h R is an exp ectation and for

ur

example program w e ask

what

is the probabilit y that the predicate the nal state will satisfy x

holds

in some giv en initial state

f

the program

Throughout

w e use standar d to mean nonprobabilistic

In

the usual w a y

w

e tak e accoun t

f

free and b

und

v ari ables and if necessary rename to a v

id

v ariable capture T

nd
ut

w e calculate wp S P

in

this case that is wp x

y
x
y
x
wp

x

y
x
wp

x

y
x
using
y
y
using
using

arithmetic y

y
y
Th

us

ur

answ er is the last arithmetic form ula ab

v

e whic h w e could call a preexp ectation

and

the probabilit y w e seek is found b y reading

the

for m ulas v alue for v arious initial v alues

f

y

getting
when

y

when

y

when

y

Those

results indeed corresp

nd

with

ur
p

erational in tuition ab

ut

the eect

f
The

ab

v

e remark able generalisation

f

sequen tial program correctness is due to Kozen

but

un til re cen tly w as restricted to programs that did not con tain demonic c hoice u When He et al

and

Morgan et al

successfully

added demonic c hoice it b e came p

ssible

to b egin the longo v erdue in tegration

f

probabilistic programming and formal program dev el

pmen

t in the latter demonic c hoice

as

abstr action

pla

ys a crucial role in sp ecications T

illustrate

the use

f

abstraction in

ur

second example w e abstract from probabilities a demonic v ersion

f

Program

is

m uc h more realistic in that w e set its probabilistic parameters

nly

within some tolerance W e sa y informally but still with precision that

x
y

is to b e executed with proba bilit y at le ast

x
y

is to b e executed with proba bilit y at le ast

and
it

is certain that

ne
r

the

ther

will b e executed

Equiv

alen tly w e could sa y that alternativ e x

y

is executed with probabilit y b et w een

and
and

that

therwise

x

y

is executed therefore with probabilit y b et w een

and
With

demonic c hoice w e can write Sp ecication

as

x

y
x
y

u x

y
x
y
b

ecause w e do not kno w

r

care whether the left

r

righ t alternativ e

f

u is tak en

and

it ma y ev en v ary

Later

w e explain the use

f
rather

than

SAR

TSA CJ No

SLIDE 3 Researc h Articles from run to run

f

the program resulting in an eec tiv e p

with

p somewhere b et w een the t w

extremes
T
treat

Program

w

e dene the command wpS u T R

wp

SR min wpT R

using

min b ecause w e regard demonic b eha viour as attempting to mak e the ac hieving

f

R as im probable as it can Rep eating

ur

earlier calculation but more briey giv es this time wp

Program
x
using
y
y
min
y
y
using

arithmetic y

y
y
Our

in terpretation is no w

When

y is initially negativ e the demon c ho

ses

the left branc h

f

u b ecause that branc h is more lik ely

vs
to

execute x

y
the

b est w e can sa y then is that x

will

hold with prob abilit y at least

When

y is initially zero the demon cannot a v

id

x

either

w a y the probabilit y

f

x

nally

is

When

y is initially p

sitiv

e the demon c ho

ses

the righ t branc h b ecause that branc h is more lik ely to execute x

y
the

b est w e can sa y then is that x

nally

with probabilit y at least

The

same in terpretation holds if w e regard u as abstraction Supp

se

Program

represen

ts some masspro duced ph ysical device and b y examining the pro duction metho d w e ha v e determined the tolerance

n

the devices pro duced If w e w ere to buy

ne

arbitrarily

all

w e could conclude ab

ut

its probabilit y

f

establishing x

is

just as calculated ab

v

e Renemen t is the con v erse

f

abstraction for t w

substitutions

S T w e dene S v T

wpSR

V wp T R for all R

where

w e write V for ev erywhere no more than whic h ensures false V true as the notation sug gests F rom

w

e see that in the sp ecial case when R is an em b edded predicate P

the

meaning

f

V ensures that a renemen t T

f

S is at least as lik ely to establish P as S is That accords with the usual denition

f

renemen t for standard programs

for

then w e kno w wp S P

is

either

r
and

whenev er

A

con v enien t notation for

w
uld

b e based

n

the abbre viation S pq

T
S

p

T

u S q

T
w

e w

uld

then write it x

y
x
y
S

is certain to establish P whenev er wp S P

w

e kno w that T also is certain to do so b ecause then

V

wp T

P
F
r
ur

third example w e pro v e a renemen t con sider the program x

y
x
y
whic

h clearly satises Sp ecication

th

us it should rene Program

With

Denition

w

e nd for an y R that wp

Program
R
wp

x

y

R

wpx
y

R

R
R
in

tro duce abbreviations

R
R
R
R
arithmetic

W an y linear com bination exceeds min R

R
min

R

R
wp
Program
R
The

renemen t relation

is

indeed established for the t w

programs

The in tro duction

f
and
in

the third step can b e understo

d

b y noting that demonic c hoice u can b e implemen ted b y an y probabilistic c hoice what ev er in this case w e used

Th

us a pro

f
f

rene men t at the program lev el migh t read Program

x
y
x
y
x
y
x
y
x
y
x
y
arithmetic

w u v

p
for

an y p x

y
x
y

u x

y
x
y
Program
Presen

tation

f

probabilistic GCL In this section w e giv e a concise presen tation

f

prob abilistic GCL

pGCL
as

a whole its denitions ho w they are to b e in terpreted and their healthiness prop erties

Denitions
f

pGCL commands In pGCL commands act b et w een exp ectations rather than predicates where an exp e ctation is an expression

v

er program

r

state v ariables that tak es its v alue in the unit in terv al

T
retain

the use

f

predi cates w e allo w exp ectations

f

the form P

when

P

SA

CJSAR T No

SLIDE 4 Researc h Articles is Bo

leanv

alued dening false to b e

and

true

to

b e

Implicationlik

e relations b et w een exp ectations are R V R

R

is ev erywhere no more than R

R
R
R

is ev erywhere equal to R

R

W R

R

is ev erywhere no less than R

Note

that j

P
P
exactly

when

P
V

P

and

so

n

that is the motiv ation for the sym b

ls

c hosen The denitions

f

the substitutions in pGCL are giv en in Fig

In

terpretation

f

pGCL exp ecta tions In its full generalit y

an

exp ectation is a function de scribing ho w m uc h eac h program state is w

rth

The sp ecial case

f

an em b edded predicate P

as

signs to eac h state a w

rth
f
r
f
states

satis fying P are w

rth
and

states not satisfying P are w

rth
The

more general exp ectations arise when

ne

estimates in the initial state

f

a probabilistic program what the w

rth
f

its nal state will b e That estimate the exp ected w

rth
f

the nal state is

btained

b y summing

v

er all nal states the w

rth
f

the nal state m ultiplied b y the probabilit y the program will go there from the initial state Naturally the will go there probabilities dep end

n

from where and so that exp ected w

rth

is a function

f

the initial state When the w

rth
f

nal states is giv en b y P

the

exp ected w

rth
f

the initial state turns

ut
v

ery nearly

to

b e just the probabilit y that the program will reac h P

That

is b ecause exp ected w

rth
f

initial state

probabilit

y S reac hes P

w
rth
f

states satisfying P

probabilit

y S do es not reac h P

w
rth
f

states not satisfying P

probabilit

y S reac hes P

probabilit

y S do es not reac h P

probabilit

y S reac hes P

where

matters are greatly simplied b y the fact that all states satisfying P ha v e the same w

rth

T ypical analyses

f

programs S in practice lead to conclusions

f

the form p

wpS

P

for

some p and P whic h giv en the ab

v

e w e can in terpret in t w

equiv

alen t w a ys

the

exp ected w

rth

P

f

the nal state is at least

the

v alue

f

p in the initial state

r
the

probabilit y that S will establish P is at least p Eac h in terpretation is useful and in the follo wing example w e can see them acting together w e ask for the probabilit y that t w

fair

coins when ipp ed will sho w the same face and calculate wp

x
H
x
T
y
H
y
T
x
y
and

sequen tial comp

sition

wp x

H
x
T

x

H
x
T
and
H
H
H
T
T
H
T
T
denition
arithmetic

W e can then use the second in terpretation ab

v

e to conclude that the faces are the same with probabilit y at least

But

part

f

the ab

v

e calculation in v

lv

es the more general expression wp x

H
x
T

x

H
x
T
and

what do es that mean

n

its

wn

It m ust b e giv en the rst in terpretation since its p

stexp

ectation is not

f

the form P

and

it means the exp ected v alue

f

the expression x

H
x
T
after

executing x

H
x
T
whic

h the calculation go es

n

to sho w is in fact

But

for

ur
v

erall conclusions w e do not need to think ab

ut

the in termediate expressions

they

are

nly

the glue that holds the

v

erall reasoning together

Prop

erties

f

pGCL Recall that all GCL constructs satisfy the prop ert y

f

conjunctivit y

that

is for an y GCL command S and p

stconditions

P

P
w

e ha v e wpSP

P
wp

SP

wpSP
That

healthiness prop ert y

is

used to pro v e general prop erties

f

programs

W

e m ust sa y at least in general b ecause

f

p

ssible

de monic c hoice in S

and

some analyses giv e

nly

the w eak er p V wp S P

in

an y case

Kno

wing there is no demonic c hoice in the program w e can in fact sa y it is exact

They

satisfy monotonicit y to

whic

h is implied b y conjunc tivit y

SAR

TSA CJ No

SLIDE 5 Researc h Articles The probabilistic guarded command language pGCL acts

v

er exp ectations rather than predicates exp e ctations tak e v alues in

wpx
E

R The exp ectation

btained

after replacing all free

ccurrences
f

x in R b y E

renaming

b

und

v ari ables in R if necessary to a v

id

capture

f

free v ari ables in E

wpskipR

R wpS

T

R wpSwp T R

wpS

u T R wpSR min wpT R wpS p

T

R p

wpSR
p
wpT

R S v T wpSR V wpT R for all R

R

is an exp ectation p

ssibly

but not necessarily

P
for

some predicate P

P

is a predicate not an exp ectation

is

m ultiplication

S

T are probabilistic guarded commands inductiv ely

p

is an expression

v

er the program v ariables p

ssibly

but not necessarily a constan t taking a v alue in

and
x

is a v ariable

r

a v ector

f

v ariables Deterministic c hoice if B then S else T

is

a sp ecial case

f

probabilistic c hoice it is just S B

T
Recursions

are handled b y least xed p

in

ts in the usual w a y in practice ho w ev er the sp ecial case

f

lo

ps

is more easily treated using probabilistic in v arian ts and v arian ts Figure

pGCL
the

probabilistic Guarded Command Language

SA

CJSAR T No

SLIDE 6 Researc h Articles In pGCL the healthiness condition b ecomes sub linearit y

a

generalisation

f

conjunctivit y

Sublinearity

Let a b c b e nonnegativ e nite reals and R

R
exp

ectations then all pGCL con structs S satisfy wpSaR

bR
c

W awpSR

bwpSR
c
whic

h prop ert y

f

S is called subline arity W e ha v e written aR for a

R

etc and trun cated subtraction

is

dened x

y
x
y
max
with

syn tactic precedence lo w er than

Although

it has a strange app earance from sub linearit y w e can extract a n um b er

f

v ery useful con sequences as w e no w sho w

W

e b egin with mono tonicit y

feasibilit

y and scaling

monotonicit

y increasing a p

stexp

ectation can

nly

increase the preexp ectation Supp

se

R V R

for

t w

exp

ectations R

R
then

wp SR

wp

SR

R
R
W

sublinearit y with a b c

wp

SR

wpSR
R
W

R

R

w ell dened hence

V

wpSR

R
wp

SR

feasibilit

y preexp ectations cannot b e to

large

First note that wp S

wp

S

W

sublinearit y with a b c

wpS
so

that wp S m ust b e

No

w write max R for the maxim um

f

R

v

er all its v ariables v alues then

wp

S feasibilit y ab

v

e

wp

SR

max

R

R
max

R

W

wp SR

max

R

a

b c

max

R But from

W

wp SR

max

R

w

e ha v e trivially that wpSR V max R

whic

h w e iden tify as the fe asibility condition

for

pGCL

Sublinearit

y c haracterises probabilistic and demonic sub stitutions In Kozens

riginal

probabilit yonly form ulation

the

substitutions are not demonic and there they satisfy the m uc h stronger prop ert y

f

linearit y

Con

v enien tly

the

the general

implies

the earlier sp ecial case wp S

scaling

m ultiplication b y a nonnegativ e constan t distributes through commands Note rst that wp SaR

W

awp SR

directly

from sublinear it y

F
r

V w e ha v e t w

cases

when a is

trivially

from feasibilit y wp S

R
wp

S

wpSR
and

for the

ther

case a

w

e reason wp SaR

aawpSaR
a
V

awp SaaR

sublinearit

y using a

awp

SR

th

us establishing wpSaR

awp

SR

gener

ally

That

completes monotonicit y

feasibilit

y and scaling The remaining prop ert y w e examine is probabilis tic conjunction Since standard conjunction

is

not dened

v

er n um b ers w e ha v e man y c hoices for a probabilistic analogue

f

it requiring

nly

that

for

consistency with em b edded Bo

leans

Ob vious p

ssibilities

for

are

m ultiplication

and

minim um min

and

eac h

f

those has its uses but neither satises an ything lik e a generalisation

f

con junctivit y

Instead

w e dene R

R
R
R
whose

righ thand side is inspired b y sublinearit y when a b c

W

e no w state a sub distribution prop ert y for it a direct consequence

f

sublinearit y

subconjunctivit

y the

p

erator

sub

distributes through substitutions F rom sublinearit y with a b c

w

e ha v e wp SR

R
W

wpSR

wp

SR

for

all S

Unfortunately

there do es not seem to b e a full rather than sub conjunctivit y prop ert y

Bey
nd

subconjunctivit y

w

e sa y that

gener

alises conjunction for sev eral

ther

reasons The rst is

f

course that it satises the standard prop erties

The

second reason is that subconjunctivit y im plies full conjunctivit y for standard programs Stan dard programs con taining no probabilistic c hoices tak e standard P st yle p

stexp

ectations to standard SAR TSA CJ No

SLIDE 7 Researc h Articles preexp ectations they are the em b edding

f

GCL in pGCL and for standard S w e no w sho w that wp SP

P
wp

S P

wp

S P

First

note that W comes directly from sub conjunctivit y ab

v

e taking R

R
to

b e P

P
F
r

V w e app eal to monotonicit y

b

ecause P

P
V

P

whence

wpS P

P
V

wp S P

and

similarly for P

Putting

those together giv es wpS P

P
V

wpS

P
min

wp S P

b

y elemen tary arithmetic prop erties

f

V But

n

standard exp ectations

whic

h wp S P

and

wpS P

are

b ecause S is standard

the
p

erators min and

agree

A last attribute linking

to
comes

straigh t from elemen tary probabilit y theory

Let

A and B b e t w

ev

en ts unrelated b y

and

not necessarily indep en den t

if

the probabilit y

f

A is at least p and the probabilit y

f

B is at least q

then

the most that can b e said ab

ut

the join t ev en t A

B

is that it has probabilit y at least p

q
The
p

erator also pla ys a crucial role in the pro

f
not

giv en in this pap er

f

the probabilistic lo

p

rule presen ted and used in the next section

Probabilistic

in v arian ts for lo

ps

T

sho

w pGCL in action w e state a pro

f

rule for probabilistic lo

ps

and apply it to a simple example Just as for standard lo

ps

w e can deal with in v arian ts and termination separately common sense suggests that the probabilistic reasoning should b e an extension

f

standard reasoning and indeed that is the case One pro v es a predicate in v arian t under exe cution

f

a lo

ps

b

dy

and

ne

nds a v arian t that ensures the lo

ps

ev en tual termination the conclu sion is that if the in v arian t holds initially then the in v arian t and the negation

f

the lo

p

guard together hold nally

Probabilit

y do es lead to dierences ho w ev er

here

are some

f

them

The

in v arian t may b e probabilistic in whic h case its

p

erational meaning is more general than just the computation remains within a certain set

f

states

The

v arian t migh t have to b e probabilistically in terpreted since the usual m ust strictly decrease and is b

unded

b elo w tec hnique is no longer ad equate ev en for simple cases It remains sound

When

b

th

the in v arian t and the termination con dition are probabilistic

ne

cant use Bo

lean

con junction to com bine correct if terminates and it do es terminate

Probabilistic

in v arian ts In a standard lo

p

the in v arian t holds at ev ery itera tion

f

the lo

p

it describ es a set

f

states from whic h con tin uing to execute the lo

p

b

dy

is guaran teed to establish the p

stcondition

if the guard ev er b ecomes false

that

is if termination

ccurs

F

r

a probabilistic lo

p

w e ha v e a p

st

exp ectation rather than a p

stcondition

but

ther

wise the situation is m uc h the same and if that p

st

exp ectation is some P

sa

y

then
as

an aid to the in tuition

w

e can lo

k

for an in v arian t that giv es a lo w er b

und
n

the probabilit y that w e will establish P b y con tin uing to execute the lo

p

b

dy
Often

that in v arian t will ha v e the form p

I
with

p a probabilit y and I a predicate b

th

expres sions

v

er the state F rom the denition

f
w

e kno w that the in terpretation

f
is

probabilit y p if I holds and probabilit y

th

erwise W e see an example

f

suc h in v arian ts b elo w

T

ermination The probabilit y that a program will terminate gen eralises the usual denition recalling that true

w

e see that a programs probabilit y

f

termination is giv en b y wpS

As

a simple example

f

that supp

se

S is the recursiv e program S

S

p

skip
in

whic h w e assume that p is some constan t strictly less than

n

eac h recursiv e call P has probabilit y p

f

termination con tin uing

therwise

with further recursion

By

calculation based

n
w

e see that wp S

p
wp

S

p
wpskip
p
wp

S

p
so

that p

wp

S

p

Since p is not

w

e can divide b y p to see that indeed wpS

the

recursion will terminate with probabilit y

for

if p is not

the

c hance

f

recursing N times is p N

whic

h for p

approac

hes

as

N increases without b

und

W e return to probabilistic termination in Sec

Elemen

tary probabilit y theory sho ws that S terminates with probabilit y

after

an exp ected pp recursiv e calls

SA

CJSAR T No

SLIDE 8 Researc h Articles

Probabilistic

correctness

f

lo

ps

As in the standard case it is easy

to

sho w that if P

I

V S I then I V wp do P

S
d
P
I
pro

vided

the

lo

p

terminates Th us the notion

f

in v arian t carries

v

er smo

thly

from the standard to the probabilistic case When termination is tak en in to accoun t as w ell w e get the follo wing rule

Pr
of

r ule f

r

pr

babilistic

loops F

r

con v enience write T for the termination probabilit y

f

the lo

p

so that T

wpdo

P

S
d
Then

partial lo

p

correctness

preser

v ation

f

a lo

p

in v arian t I

implies

total lo

p

correctness if that in v arian t I no where

exceeds

T

that

is if

P
I

V wpSI and I V T then I V wpdo P

S
d
P
I
W

e illustrate the lo

p

rule with a simple example Supp

se

w e ha v e a mac hine that is supp

sed

to sum the elemen ts

f

a sequence except that the mec hanism for mo ving along the sequence

ccasionally

mo v es the wrong w a y

A

program for the mac hine is giv en in Fig

where

the unreliable comp

nen

t k

k
c
k
k
misb

eha v es with probabilit y c With what proba bilit y do es the mac hine accurately sum the sequence establishing r

X

ss

n

termination W e rst nd the in v arian t relying

n
ur

informal discussion ab

v

e w e ask during the lo

ps

execution with what proba bilit y are w e in a state from whic h completion

f

the lo

p

w

uld

establish

The

answ er is in the form

tak

e p to b e c N k

and

let I b e the standard in v arian t

k
N
r
X

ssk

It

is an immediate consequence

f

the denition

f

lo

ps

as least xed p

in

ts indeed for the pro

f
ne

simply carries

ut

the standard reasoning almost without noticing that exp ecta tions rather than predicates are b eing manipulated

The

precise treatmen t

f

pro vided uses w eak est lib er al pre exp ectations

Note

that it is not the same to sa y implies total correctness from those initial states where I do es not exceed T

in

fact I m ust not exceed T in any state The w eak er alternativ e is not sound Then

ur

probabilistic in v arian t

call

it J

is

just p

I
whic

h is to sa y it is if the standard in v arian t holds then c N k

the

probabilit y

f

going

n

to successful termina tion if it do es not hold then

Ha

ving c hosen a p

ssible

in v arian t to c hec k it w e cal culate wp

r
r
ssk
k
k
c
k
k
J
wpr
ssk
c
wpk
k
J
c
wp

k

k
J
and

c

W

wpr

r
ssk
c

N k

k
N

r

P

ssk

drop

second term and

c

N k

k
N

r

ss

k

P

ssk

W

k

N
J
where

in the last step the guard k

N
and

k

from

the in v arian t allo w the remo v al

f

ss k from b

th

sides

f

the lo w er equalit y

No

w w e turn to termination w e note informally that the lo

p

terminates with probabilit y at least c N k

k
N
whic

h is just the probabilit y

f

N

k

correct execu tions

f

k

k
giv

en that k is in the prop er range to start with hence trivially J V T as required b y the lo

p

rule That concludes reasoning ab

ut

the lo

p

itself lea ving

nly

initialisation and the p

stexp

ectation

f

the whole program F

r

the latter w e see that

n

ter mination

f

the lo

p

w e ha v e k

N
J
whic

h indeed implies is in the relation V to the p

stexp

ectation r

P

ss as required T urning nally to the initialisation w e nish

with

wp r

k
J
c

N

N
P

ss

c

N

true
c

N

and
ur
v

erall conclusion is therefore c N V wp se quenc esummer

h

r

X

ss i

just

as w e had hop ed the probabilit y that the se quence is correctly summed is at least c N

Note

the imp

rtance
f

the inequalit y V in

ur

conclusion just ab

v

e

it

is not true that the prob abilit y

f

correct

p

eration is e qual to c N in general F

r

it is certainly p

ssible

that r is correctly calculated in spite

f

the

ccasional

malfunction

f

k

k
SAR

TSA CJ No

SLIDE 9 Researc h Articles con ssN

Z
v

ar r

Z
j

v ar k

Z
r
k
do

k

N
r
r
ss

k

k
k
c
k
k
failure

p

ssible

here

d

j Figure

An

unreliable sequencesummer but the exact probabilit y

should

w e try to calculate it migh t dep end in tricately

n

the con ten ts

f

ss It could b e v ery in v

lv

ed if ss con tained some mixture

f

p

sitiv

e and negativ e v alues If w e w ere forced to calculate exact results as in earlier w

rk
rather

than just lo w er b

unds

as w e did ab

v

e this metho d w

uld

not b e at all practical F urther examples

f

lo

ps

are giv en elsewhere

Case

study Rabins c hoice co

rdination
In

tro duction Rabins c hoiceco

rdination

algorithm explained in Secc

and
b

elo w is an example

f

the use

f

probabilit y for symmetrybr e aking

iden

tical pro cesses with iden tical initial conditions m ust reac h collectiv ely an asymmetric state all c ho

sing
ne

alternativ e

r

all c ho

sing

the

ther

The simplest example is a coin ipp ed b et w een t w

p

eople

eac

h has equal righ t to win the coin is fair the initial conditions are th us symmetric y et at the end

ne

p erson has w

n

and not the

ther

In this example ho w ev er the situation is made more complex b y insisting that the pro cesses b e distribute d

they

cannot share a cen tral coin Rabins article

explains

the algorithm he in v en ted

but

do es not giv e a formal pro

f
f

its cor rectness W e do that here Section

writes

the algorithm as a lo

p

con taining probabilistic c hoice and w e sho w the lo

p

ter minates with probabilit y

in

a desired state

w

e use in v arian ts to sho w that if it terminates it is in that state and w e use probabilistic v arian ts to sho w that indeed it do es terminate In this example the partial correctness argumen t is en tirely standard and so do es not illustrate the new

and

relates it to a similar algorithm in nature carried

ut

b y mites who m ust decide whether they should all infest the left

r

all the righ t ear

f

a bat

T

ermination with probabilit y

is

the kind

f

termination exhibited for example b y the algorithm ip a fair coin rep eat edly un til y

u

get heads then stop F

r
ur

purp

ses

that is as go

d

as normal guaran tees

f

termination probabilistic tec hniques It is somewhat in v

lv

ed ho w ev er and th us in teresting as an exercise in an y case In suc h cases

ne

treats probabilistic c hoice as nondeterministic c hoice and pro ceeds with standard reasoning since the theory sho ws that an y wpst yle prop ert y pro v ed

f

the pro jected nondeterministic program is v alid for the

riginal

probabilistic program as w ell

The

termination argumen t is no v el ho w ev er since probabilistic v arian t tec hniques

m

ust b e used

Informal

description

f

Rabins al gorithm This informal description is based

n

Rabins presen tation

A

group

f

tourists are to decide b et w een t w

meeting

places inside a certain c h urc h

r

inside a m useum They ma y not comm unicate all at

nce

as a group Eac h tourist carries a notepad

n

whic h he will write v arious n um b ers

utside

eac h

f

the t w

p
ten

tial meeting places is a noticeb

ard
n

whic h v arious messages will b e written Initially the n um b er

ap

p ears

n

all the notepads and

n

the t w

noticeb
ards

Eac h tourist decides indep enden tly nondetermin istically whic h meeting place to visit rst after whic h he strictly alternates his visits b et w een them A t eac h visit he lo

ks

at the noticeb

ard

there and if it dis pla ys here go es inside If it do es not displa y here it will displa y a n um b er instead in whic h case the tourist compares that n um b er K with the

ne
n

his notepad k and tak es

ne
f

the follo wing three actions if k

K
The

tourist writes K

n

his notepad erasing k

and

go es to the

ther

place if k

K
The

tourist writes here

n

the notice b

ard

erasing K

and

go es inside if k

K
The

tourist c ho

ses

K

the

next ev en n um b er larger than K

and

then ips a coin if it comes up heads he increases K

b

y a further

More

precisely

replacing

probabilistic c hoice b y nondeter ministic c hoice is an an tirenemen t

SA

CJSAR T No

SLIDE 10 Researc h Articles He then writes K

n

the noticeb

ard

and

n

his notepad erasing k and K

and

go es to the

ther

place

Rabins

algorithm terminates with probabilit y

and
n

termination all tourists will b e inside at the same meeting place

The

program Here w e mak e the description more precise b y giving a pGCL program for it Fig

Eac

h tourist is rep resen ted b y an instance

f

the n um b er

n

his pad

The

program informally Call the t w

places

left and righ t Bag l

ut

r

ut

is the bag

f

n um b ers held b y tourists w aiting to lo

k

at the left righ t noticeb

ard

bag l in r in is the bag

f

n um b ers held b y tourists who ha v e already decided

n

the left righ t alterna tiv e n um b er L R

is

the n um b er

n

the left righ t noticeb

ard

Initially there are M N

tourists
n

the left righ t all holding the n um b er

no

tourist has y et made a decision Both noticeb

ards

sho w

Execution

is as follo ws If some tourists are still undecided so that l

ut

r

ut

is not y et empt y select

ne

the n um b er he holds is l r

If

some tourist has already decided

n

this alternativ e so that l in r in is not empt y this tourist do es the same

therwise

there are three further p

ssibilities

If this tourists n um b er l r

is

greater than the no ticeb

ard

v alue L R

then

he decides

n

this al ternativ e joining l in r in If this tourists n um b er equals the noticeb

ard

v alue he increases the noticeb

ard

v alue copies that v alue and go es to the

ther

alternativ e r

ut

l

ut

If this tourists n um b er is less than the noticeb

ard

v alue he copies that v alue and go es to the

ther

alternativ e

Notation

W e use the follo wing notations in the program and in the subsequen t analysis

b

b

c

c

Bag

m ultiset brac k ets

The

empt y bag

b

b nc c N

A

bag con taining N copies

f

v alue n

F
r

example if K is

r
rst

K

b

ecomes

and

then p

ssibly
Bags

are lik e sets except that they can ha v e sev eral copies

f

eac h elemen t the bag b b

c

c con tains t w

copies
f
and

is not the same as b b c c

b
b
The

bag formed b y putting all elemen ts

f

b and b together in to

ne

bag

tak

e n from b

A

program command c ho

se

an elemen t nondeterministically from nonempt y bag b assign it to n and remo v e it from b

add

n to b

Add

elemen t n to bag b

if

B then pr

g

else

Execute

pr

g

if B holds

therwise

treat

as

a collection

f

guarded alternativ es in the normal w a y

n
The

conjugate v alue n

if

n is ev en and n

if

n is

dd
e

n

The

minim um n min n

f

n and n

b
The

n um b er

f

elemen ts in bag b

x
m

p

n
Assign

m to x with probabilit y p and n to x with probabilit y p

Correctness

criteria W e m ust sho w that the program is guaran teed with probabilit y

to

terminate and that

n

termination it establishes l in

M

N

r

in

l

in

r

in

M

N

That

is

n

termination the tourists are either all in side

n

the left

r

all inside

n

the righ t

P

artial correctness The argumen ts for partial correctness in v

lv

e no prob abilistic reasoning but there are sev eral in v arian ts

Three

in v arian ts The rst in v arian t states that tourists are neither cre ated nor destro y ed l

ut
l

in

r
ut
r

in

M
N
It

holds initially

and

is trivially main tained The second in v arian t is l in l

ut
R

r in r

ut
L
and

expresses that a tourists n um b er nev er exceeds the n um b er p

sted

at the

ther

place

T
sho

w in v ariance w e reason as follo ws

It

holds initially

Since

L R nev er decrease it can b e falsied

nly

b y adding elemen ts to the bags

By

b

K

w e mean that no elemen t in the bag b exceeds the in teger K

SAR

TSA CJ No

SLIDE 11 Researc h Articles l

ut

r

ut
b

b c c M

b

bc c N

l

in r in

L

R

do

l

ut
tak

e l from l

ut

if l in

then

add l to l in else l

L
add

l to l in

l
L
L
L
L
add

L to r

ut
l
L
add

L to r

ut
r
ut
tak

e r from r

ut

if r in

then

add r to r in else r

R
add

r to r in

r
R
R
R
R
add

R to l

ut
r
R
add

R to l

ut
d

Figure

Rabins

c hoiceco

rdination

algorithm

Adding

elemen ts to l in r in cannot falsify it since those elemen ts come from l

ut

r

ut
The
nly

commands adding elemen ts to l

ut

r

ut

are add L to r

ut

and add R to l

ut
and

they main tain it trivially

Our

nal in v arian t for partial correctness is max l in

L

if l in

max

r in

R

if r in

expressing

that if an y tourist has gone inside then at least

ne
f

the tourists inside there m ust ha v e a n um b er exceeding the n um b er p

sted
utside

By symmetry w e need

nly

consider the left l in case The in v arian t holds

n

initialisation when l in

and

insp ection

f

the program sho ws that it is trivially established when the rst v alue is added to l in since the command concerned l

L
add

l to l in

is

executed when l in

to

establish l in

b

bl c c for some l

L

Since elemen ts nev er lea v e l in it remains non empt y and max l in can

nly

increase nally L cannot c hange when l in is nonempt y

On

termination

On

termination w e ha v e l

ut
r
ut
and

so with in v arian t

w

e need

nly

l in

r

in

Assuming

for a con tradiction that b

th

l in and r in are nonempt y

w

e then ha v e from in v arian ts

and
the

inequalities L

max

r in

R
max

l in

L
whic

h giv e us the required imp

ssibilit

y

Sho

wing termination the v arian t F

r

termination w e need probabilistic argumen ts since it is easy to see that no standard v arian t will do supp

se

that the rst M

N

iterations

f

the lo

p

tak e us to the state l

ut

r

ut
b

bc c M

b

bc c N l in r in

L

R

diering

from the initial state

nly

in the use

f

s rather than s All coin ips came up heads and eac h tourist had exactly t w

turns

Since the pro gram con tains no absolute comparisons

w

e are ef fectiv ely bac k where w e started

and

b ecause

f

that there can b e no standard v arian t that decreased

n

ev ery step w e to

k

So is not p

ssible

to pro v e termination using a standard in v arian t whose strict decrease is guaran teed

The

program c hec ks

nly

whether v arious n um b ers are greater than

thers

not what the n um b ers actually are

SA

CJSAR T No

SLIDE 12 Researc h Articles Instead w e app eal to the follo wing rule

Pr
babilistic

v ariant r ule If an in tegerv alued function

f

the program state

a

pr

b

abilistic variant

can

b e found that

is

b

unded

ab

v

e

is

b

unded

b elo w and

with

probabilit y at least p is decreased b y the lo

p

b

dy
for

some xed non zero p then with probabilit y

the

lo

p

will termi nate Note that the in v arian t and guard

f

the lo

p

ma y b e used in establishing the three prop erties

The

rule diers from the standard

ne

in t w

re

sp ects the v arian t m ust b e b

unded

ab

v

e as w ell as b elo w and it is not guaran teed to decrease but rather do es so

nly

with some probabilit y b

unded

a w a y from

T
nd
ur

v arian t w e note that the algorithm ex hibits t w

kinds
f

b eha viour the sh uttling bac kand forth

f

the tourists b et w een the t w

meeting

places small scale and the pattern

f

the t w

noticeb
ard

n um b ers L R as they increase large scale Our v ari an t therefore will b e lexicographic

ne

within an

ther

the smallscale inner v arian t will deal with the sh uttling and the largescale

uter

v arian t will deal with L and R

Inner

v arian t tourists mo v emen ts The aim

f

the inner v arian t is to sho w that the tourists cannot sh uttle forev er b et w een the sites with

ut

ev en tually c hanging

ne
f

the noticeb

ards

In tuition suggests that indeed they cannot since ev ery suc h mo v emen t increases the n um b er

n

some tourists notepad and from in v arian t

those

n um b ers are b

unded

ab

v

e b y L max R

The

inner v arian t increasing is based

n

that idea with some care tak en ho w ev er to mak e sure that it is b

unded

ab

v

e and b elo w b y xed v alues inde p enden t

f

L and R

W

e dene V

to

b e b b x l

utr
ut

j x

Lc

c

b

b x l

utr
ut

j x

R

c c

l

inr in

It

is trivially b

unded

ab

v

e b y M

N
and

since the

uter

v arian t will deal with c hanges to L and R

in
Note

that the probabilit y

f

decrease ma y dier from state to state But the p

in

t

f

b

unded

a w a y from zero

distin

guished from simply not equal to zero

is

that

v

er an innite state space the v arious probabilities cannot b e arbitrarily small Ov er a nite state space theres no distinction

The

indep endence

f

L R is imp

rtan

t giv en

ur

v arian t rule b ecause L and R can themselv es increase without b

und

c hec king the increase

f

V

w

e can restrict

ur

atten tion to those parts

f

the lo

p

b

dy

that lea v e L R xed

and

w e sho w in that case that the v arian t m ust increase

n

ev ery step

If

l in

then

an elemen t is remo v ed from l

ut

V

decreases

b y at most

and

added to l in but then V

increases

b y

the

same reasoning ap plies when l

L
If

l

L

then L will c hange so w e need not con sider that It will b e dealt with b y the

uter

v arian t

If

l

L

then V

increases

b y at least

since

l is replaced b y L in l

utr
ut
and

b efore l

L

but after L

L

The reasoning for r

ut
n

the righ t is symmetric

Outer

v arian t c hanges to L and R F

r

the

uter

v arian t w e need further in v arian ts the rst is e L

e

R

f
g
stating

that the noticeb

ard

v alues can nev er b e to

far

apart It holds initially and from in v arian t

the

command L

L
L
is

executed

nly

when L

R
th

us

nly

when e L

e

R

and

has the eect e L

e

L

Th

us w e can classify L R in to three sets

f

states

e

L

e

R

e

L

e

R

write

L

e
R

for those states

L
R

equiv alen tly L

R
write

L e

R
L
R
Then

w e note that the underlying iteration

f

the lo

p

induces state transitions as follo ws W e write hL

R

i for the set

f

states satisfying L

R
and

so

n

nondeterministic c hoice is indicated b y u the transitions are indicated b y

hL
e
R

i

hL
e
R

i u hL

R

i

hL

e

R

i hL

R

i

hL
R

i u hL

e
R

i hL e

R

i

hL

e

R

i T

explain

the absence

f

a transition lea ving states hL e

R

i w e need y et another in v arian t L

r
ut
R
l
ut
It

holds initially

and

cannot b e falsied b y the com mand add L to r

ut

b ecause L

L

That lea v es SAR TSA CJ No

SLIDE 13 Researc h Articles the command L

L
L
but

in that case from

w

e ha v e r

ut
L
L
L
L
L
so

that in neither case do es the command set L to the conjugate

f

a v alue already in r

ut

Th us with

w

e see that execution

f

the

nly

alternativ es that c hange L R cannot

ccur

if L e

R
since

for example selection

f

the guard l

L

implies L

l
ut

imp

ssible

if L e

R

and R

l
ut

F

r

the

uter

v arian t w e therefore dene V

to

b e

if

L

R
if

L

e
R
if

L e

R
and

note that whenev er L

r

R c hanges the quan tit y V

decreases

with probabilit y at least

The

t w

v

arian ts together If w e put the t w

v

arian ts together lexicographically

with

the

uter

v arian t V

b

eing the more signican t then the comp

site

satises all the conditions required b y the probabilistic v arian t rule

In

particular it has probabilit y at least

f

strict decrease

n

every iteration

f

the lo

p

Th us the algorithm terminates with probabilit y

and

w e are done

Conclusion

It seems that a little generalisation can go a long w a y Kozens use

f

exp ectations and the denition

f

p

as

a w eigh ted a v erage

is

all that is needed for a simple probabilistic seman tics alb eit

ne

lac king ab straction Then Hes sets

f

distributions

and
ur

min for demonic c hoice together with the fundamen tal prop ert y

f

sublinearit y

tak

e us the rest

f

the w a y

allo

wing abstraction and renemen t to resume their cen tral role

this

time in a probabilistic con text And as Secc

and
illustrate

man y

f

the standard reasoning principles carry

v

er almost un c hanged Being able to reason formally ab

ut

probabilistic programs do es not

f

course remo v e p er se the com plexit y

f

the mathematics

n

whic h they rely w e do not no w exp ect to nd astonishingly simple correct ness pro

fs

for all the large collection

f

randomised algorithms that ha v e b een dev elop ed

v

er the decades

Our

con tribution

at

this stage

is

to mak e it p

ssible

in principle to lo cate and determine re liably what are the probabilistic mathematical facts the construction

f

a randomised algorithm needs to exploit

whic

h is

f

course just what standard pred icate transformers do for con v en tional algorithms

Actually

the inner v arian t increases rather than decreases

w

e could subtract it from M N

to

mak e it decrease In practice ho w ev er

ne

is in terested not

nly

in certain and correct termination

f

random algorithms but in ho w long they tak e to do so Suc h algorithms p erformance cannot b e put within b

unds

in the nor mal w a y instead

ne

sp eaks

f

the exp e cte d time to termination ho w long

n

a v erage should

ne

exp ect the algorithm to tak e When the algorithm is also nondeterministic as in Rabins where no assumptions are made ab

ut

the

rder
r

frequency

f

the tourists tra v els the estimate w

uld

ha v e to b e w

rstcase

exp ected Using tec hniques lik e the ab

v

e to answ er those questions is a topic

f

curren t researc h

Finally
there

is the larger issue

f

probabilistic mo dules and the asso ciated concern

f

probabilis tic data renemen t That is a c hallenging problem with lots

f

surprises using

ur

new to

ls

w e ha v e already seen that probabilistic mo dules sometimes do not mean what they seem

and

that equiv alence

r

renemen t b et w een them dep ends subtly

n

the p

w

er

f

demonic c hoice and its in teraction with probabilit y

Ac

kno wledgemen ts This pap er rep

rts

w

rk

carried

ut

with Je Sanders and Karen Seidel and supp

rted

b y the EPSR C References

JR

Abrial The BBo

k

Cam bridge Univ er sit y Press

EW

Dijkstra A Discipline

f

Pr

gr

amming Pren tice Hall In ternational Englew

d

Clis NJ

Yishai

A F eldman A decidable prop

sitional

dynamic logic with explicit probabilities Infor mation and Contr

l

!

Yishai

A F eldman and Da vid Harel A proba bilistic dynamic logic J Computing and System Scienc es !

S

Hart M Sharir and A Pn ueli T ermina tion

f

probabilistic concurren t programs A CM T r ansactions

n

Pr

gr

amming L anguages and Systems !

Jifeng

He K Seidel and A K McIv er Proba bilistic mo dels for the guarded command lan guage Scienc e

f

Computer Pr

gr

amming !

C

Jones Probabilistic nondeterminism Mono graph ECSLF CS Edin burgh Univ Ed in burgh UK

PhD

thesis

C

Jones and G Plotkin A probabilistic p

w

er domain

f

ev aluations In Pr

c

e e dings

f

the th

SA

CJSAR T No

SLIDE 14 Researc h Articles IEEE A nnual Symp

sium
n

L

gic

in Computer Scienc e pages ! Los Alamitos Calif

Computer

So ciet y Press

D

Kozen A probabilistic PDL In Pr

c

e e d ings

f

the th A CM Symp

sium
n

The

ry
f

Computing New Y

rk
A

CM

Annab

elle McIv er Reasoning ab

ut

e"ciency within a probabilistic calculus In Pr

c

e e dings PR OBMIV June

Annab

elle McIv er and Carroll Morgan Proba bilistic predicate transformers part

T

ec hnical Rep

rt

PR GTR Programming Researc h Group Marc h

Annab

elle McIv er and Carroll Morgan P ar tial correctness for probabilistic demonic pro grams T ec hnical Rep

rt

PR GTR Pro gramming Researc h Group

Revised

v er sion to b e submitted for publication under the title Demonic angelic and unb

unde

d pr

b

a bilistic choic es in se quential pr

gr

ams

Annab

elle McIv er Carroll Morgan and Elena T roubitsyna The probabilistic steam b

iler

a case study in probabilistic data renemen t T

app

ear in Pr

c

e e dings

f

the International R e nement Workshop Can b erra

C

C Morgan Pro

f

rules for probabilistic lo

ps

In He Jifeng John Co

k

e and P eter W al lis editors Pr

c

e e dings

f

the BCSF A CS th R enement Workshop W

rkshops

in Comput ing Springer V erlag July

Carroll

Morgan Annab elle McIv er and Karen Seidel Probabilistic predicate transformers A CM T r ansactions

n

Pr

gr

amming L anguages and Systems ! Ma y

Carroll

Morgan The generalised substitution language extended to probabilistic programs Pr

c

e e dings B Confer enc e Mon tp ellier Ma y

Didier

Bert Ed Springer V erlag LNCS

Ra

jeev Mot w ani and Prabhak ar Ragha v an R andomize d A lgorithms Cam bridge Univ ersit y Press

M

O Rabin The c hoiceco

rdination

problem A cta Informatic a ! June

K

Seidel C C Morgan and A K McIv er An in tro duction to probabilistic predicate trans formers T ec hnical Rep

rt

PR GTR Pro gramming Researc h Group F ebruary

M

Sharir A Pn ueli and S Hart V erication

f

probabilistic programs SIAM Journal

n

Com puting ! Ma y

SAR

TSA CJ No