Weakest Precondition Reasoning for Expected RunTimes of - - PowerPoint PPT Presentation

Weakest Precondition Reasoning for Expected Run–Times of Probabilistic Programs

Benjamin Kaminski Joost-Pieter Katoen Christoph Matheja Federico Olmedo 25th European Symposium on Programming

19th edition of the European Joint Conferences on Theory & Practice of Software

April 4, 2016, Eindhoven, Netherlands

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 1

Motivation Probabilistic Programs

Probabilistic Programs

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 2

Motivation Probabilistic Programs

Probabilistic Programs

Introduce randomization into computation

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 2

Motivation Probabilistic Programs

Probabilistic Programs

Introduce randomization into computation Significant speed–up in solving difficult problems at cost of tolerating incorrect results with low probability

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 2

Motivation Probabilistic Programs

Probabilistic Programs

Introduce randomization into computation Significant speed–up in solving difficult problems at cost of tolerating incorrect results with low probability Solution to problems where deterministic techniques fail:

E.g. symmetry breaking in Dining Philosophers, Leader Election, Ethernet’s randomized exponential backoff

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 2

Motivation Probabilistic Programs

Probabilistic Programs

Introduce randomization into computation Significant speed–up in solving difficult problems at cost of tolerating incorrect results with low probability Solution to problems where deterministic techniques fail:

E.g. symmetry breaking in Dining Philosophers, Leader Election, Ethernet’s randomized exponential backoff

Randomization of some sort occurs almost in any technique related used in cryptography and security

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 2

Motivation Probabilistic Programs

Probabilistic Programs

Introduce randomization into computation Significant speed–up in solving difficult problems at cost of tolerating incorrect results with low probability Solution to problems where deterministic techniques fail:

E.g. symmetry breaking in Dining Philosophers, Leader Election, Ethernet’s randomized exponential backoff

Randomization of some sort occurs almost in any technique related used in cryptography and security Model probability distributions in machine learning

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 2

Motivation Probabilistic Programs

Syntax of Probabilistic Programs

C − → skip

• x := E
• C; C
• {C} {C}
• if (ξ) {C} else {C}
• while (ξ) {C}

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 3

Motivation Probabilistic Programs

Syntax of Probabilistic Programs

C − → skip

• x := E
• C; C
• {C} {C}
• if (ξ) {C} else {C}
• while (ξ) {C}

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 3

Motivation Probabilistic Programs

Syntax of Probabilistic Programs

C − → skip

• x := E
• C; C
• {C} {C}
• if (ξ) {C} else {C}
• while (ξ) {C}

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 3

Motivation Probabilistic Programs

Syntax of Probabilistic Programs

C − → skip

• x := E
• C; C
• {C} {C}
• if (ξ) {C} else {C}
• while (ξ) {C}

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 3

Motivation Probabilistic Programs

Syntax of Probabilistic Programs

C − → skip

• x := E
• C; C
• {C} {C}
• if (ξ) {C} else {C}
• while (ξ) {C}

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 3

Motivation Probabilistic Programs

Syntax of Probabilistic Programs

C − → skip

• x := E
• C; C
• {C} {C}
• if (ξ) {C} else {C}
• while (ξ) {C}

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 3

Motivation Probabilistic Programs

Syntax of Probabilistic Programs

C − → skip

• x := E
• C; C
• {C} {C}
• if (ξ) {C} else {C}
• while (ξ) {C}

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 3

Motivation Probabilistic Programs

Syntax of Probabilistic Programs

C − → skip

• x := E
• C; C
• {C} {C}
• if (ξ) {C} else {C}
• while (ξ) {C}

What is probabilistic about that language?

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 3

Motivation Probabilistic Programs

Syntax of Probabilistic Programs

C − → skip

• x := E
• C; C
• {C} {C}
• if (ξ) {C} else {C}
• while (ξ) {C}

What is probabilistic about that language? Probabilistic guards ξ : Σ → D({true, false}):

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 3

Motivation Probabilistic Programs

Syntax of Probabilistic Programs

C − → skip

• x := E
• C; C
• {C} {C}
• if (ξ) {C} else {C}
• while (ξ) {C}

What is probabilistic about that language? Probabilistic guards ξ : Σ → D({true, false}):

ξ : true(σ) = 1 − ξ : false(σ) is the probability of ξ evaluating to true

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 3

Motivation Probabilistic Programs

Syntax of Probabilistic Programs

C − → skip

• x := E
• C; C
• {C} {C}
• if (ξ) {C} else {C}
• while (ξ) {C}

What is probabilistic about that language? Probabilistic guards ξ : Σ → D({true, false}):

ξ : true(σ) = 1 − ξ : false(σ) is the probability of ξ evaluating to true E.g.

2 3true + 1 3false

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 3

Motivation Probabilistic Programs

Syntax of Probabilistic Programs

C − → skip

• x := E
• C; C
• {C} {C}
• if (ξ) {C} else {C}
• while (ξ) {C}

What is probabilistic about that language? Probabilistic guards ξ : Σ → D({true, false}):

ξ : true(σ) = 1 − ξ : false(σ) is the probability of ξ evaluating to true E.g.

2 3true + 1 3false, 1 2x > y + 1 2x ≥ y

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 3

Motivation Probabilistic Programs

Probabilistic Programs

What does a probabilistic program C do?

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 4

Motivation Probabilistic Programs

Probabilistic Programs

What does a probabilistic program C do? Run program C on initial state σ

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 4

Motivation Probabilistic Programs

Probabilistic Programs

What does a probabilistic program C do? Run program C on initial state σ Obtain final set of distributions µ over terminal states

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 4

Motivation Probabilistic Programs

Probabilistic Programs

What does a probabilistic program C do? Run program C on initial state σ Obtain final set of (sub–)distributions µ over terminal states

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 4

Motivation Probabilistic Programs

Probabilistic Programs

What does a probabilistic program C do? Run program C on initial state σ Obtain final set of (sub–)distributions µ over terminal states What is the run–time of C on input σ?

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 4

Motivation Probabilistic Programs

Probabilistic Programs

What does a probabilistic program C do? Run program C on initial state σ Obtain final set of (sub–)distributions µ over terminal states What is the run–time of C on input σ? Behavior of C not entirely determined by σ

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 4

Motivation Probabilistic Programs

Probabilistic Programs

What does a probabilistic program C do? Run program C on initial state σ Obtain final set of (sub–)distributions µ over terminal states What is the run–time of C on input σ? Behavior of C not entirely determined by σ Probabilistic nature of C influences its run–time

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 4

Motivation Probabilistic Programs

Probabilistic Programs

What does a probabilistic program C do? Run program C on initial state σ Obtain final set of (sub–)distributions µ over terminal states What is the run–time of C on input σ? Behavior of C not entirely determined by σ Probabilistic nature of C influences its run–time

Better Question: What is the expected run–time (ERT) of C on input σ?

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 4

Motivation Expected Run–Times

Expected Run–Time Phenomena

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 5

Motivation Expected Run–Times

Expected Run–Time Phenomena

ERT of C can be finite even if C admits infinite computations

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 5

Motivation Expected Run–Times

Expected Run–Time Phenomena

ERT of C can be finite even if C admits infinite computations x := 1; while (1/2) {x := 2 · x}

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 5

Motivation Expected Run–Times

Expected Run–Time Phenomena

ERT of C can be finite even if C admits infinite computations x := 1; while (1/2) {x := 2 · x}

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 5

Motivation Expected Run–Times

Expected Run–Time Phenomena

ERT of C can be finite even if C admits infinite computations Positive almost–sure termination: x := 1; while (1/2) {x := 2 · x}

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 5

Motivation Expected Run–Times

Expected Run–Time Phenomena

ERT of C can be finite even if C admits infinite computations Positive almost–sure termination:

ERT of C is finite

x := 1; while (1/2) {x := 2 · x}

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 5

Motivation Expected Run–Times

Expected Run–Time Phenomena

ERT of C can be finite even if C admits infinite computations Positive almost–sure termination:

ERT of C is finite

x := 1; while (1/2) {x := 2 · x}; while (x > 0) {x := x − 1}

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 5

Motivation Expected Run–Times

Expected Run–Time Phenomena

ERT of C can be finite even if C admits infinite computations Positive almost–sure termination:

ERT of C is finite Positively almost–surely terminating programs are not closed under sequential composition

x := 1; while (1/2) {x := 2 · x}; while (x > 0) {x := x − 1}

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 5

Motivation Expected Run–Times

Expected Run–Time Phenomena

ERT of C can be finite even if C admits infinite computations Positive almost–sure termination:

ERT of C is finite Positively almost–surely terminating programs are not closed under sequential composition Reasoning about positive almost–sure termination is computationally very difficult:

x := 1; while (1/2) {x := 2 · x}; while (x > 0) {x := x − 1}

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 5

Motivation Expected Run–Times

Expected Run–Time Phenomena

ERT of C can be finite even if C admits infinite computations Positive almost–sure termination:

ERT of C is finite Positively almost–surely terminating programs are not closed under sequential composition Reasoning about positive almost–sure termination is computationally very difficult:

Strictly more difficult than the termination problem for non–probabilistic programs [MFCS 2015]

x := 1; while (1/2) {x := 2 · x}; while (x > 0) {x := x − 1}

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 5

Motivation Expected Run–Times

Expected Run–Time Phenomena

ERT of C can be finite even if C admits infinite computations Positive almost–sure termination:

ERT of C is finite Positively almost–surely terminating programs are not closed under sequential composition Reasoning about positive almost–sure termination is computationally very difficult:

Strictly more difficult than the termination problem for non–probabilistic programs [MFCS 2015]

ERT of C can be infinite, even if C terminates almost–surely1 x := 1; while (1/2) {x := 2 · x}; while (x > 0) {x := x − 1}

1i.e. with probability 1 Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 5

Motivation Expected Run–Times

Expected Run–Times

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 6

Motivation Expected Run–Times

Expected Run–Times

ERT if C terminates almost–surely on σ:

∞

• i=1

i · Pr “C terminates after i steps on input σ”

• Kaminski, Katoen, Matheja, Olmedo

Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 6

Motivation Expected Run–Times

Expected Run–Times

ERT if C terminates almost–surely on σ:

∞

• i=1

i · Pr “C terminates after i steps on input σ”

• ERT if C does not terminate almost–surely on σ:

∞

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 6

Motivation Expected Run–Times

Expected Run–Times

ERT if C terminates almost–surely on σ:

∞

• i=1

i · Pr “C terminates after i steps on input σ”

• ERT if C does not terminate almost–surely on σ:

∞ In general: ERT of C is a function t: Σ → R∞

≥0

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 6

Motivation Expected Run–Times

Expected Run–Times

ERT if C terminates almost–surely on σ:

∞

• i=1

i · Pr “C terminates after i steps on input σ”

• ERT if C does not terminate almost–surely on σ:

∞ In general: ERT of C is a function t: Σ → R∞

≥0

Call such a t a run–time.

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 6

Motivation Expected Run–Times

Expected Run–Times

ERT if C terminates almost–surely on σ:

∞

• i=1

i · Pr “C terminates after i steps on input σ”

• ERT if C does not terminate almost–surely on σ:

∞ In general: ERT of C is a function t: Σ → R∞

≥0

Call such a t a run–time. Denote set of run–times by T.

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 6

Motivation Expected Run–Times

Expected Run–Times

ERT if C terminates almost–surely on σ:

∞

• i=1

i · Pr “C terminates after i steps on input σ”

• ERT if C does not terminate almost–surely on σ:

∞ In general: ERT of C is a function t: Σ → R∞

≥0

Call such a t a run–time. Denote set of run–times by T. Complete partial order on T: t1 t2 iff ∀ σ ∈ Σ: t1(σ) ≤ t2(σ)

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 6

Weakest Precondition Reasoning for Expected Run–Times The ert Transformer

Weakest Precondition Reasoning for Expected Run–Times

The ert Transformer

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 7

Weakest Precondition Reasoning for Expected Run–Times The ert Transformer

Weakest Precondition Reasoning for Expected Run–Times

The ert Transformer

Use a continuation passing style ERT transformer ert[C]: T → T.

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 7

Weakest Precondition Reasoning for Expected Run–Times The ert Transformer

Weakest Precondition Reasoning for Expected Run–Times

The ert Transformer

Use a continuation passing style ERT transformer ert[C]: T → T. C

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 7

Weakest Precondition Reasoning for Expected Run–Times The ert Transformer

Weakest Precondition Reasoning for Expected Run–Times

The ert Transformer

Use a continuation passing style ERT transformer ert[C]: T → T. C t

time needed after executing C

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 7

Weakest Precondition Reasoning for Expected Run–Times The ert Transformer

Weakest Precondition Reasoning for Expected Run–Times

The ert Transformer

Use a continuation passing style ERT transformer ert[C]: T → T. C t

time needed after executing C

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 7

Weakest Precondition Reasoning for Expected Run–Times The ert Transformer

Weakest Precondition Reasoning for Expected Run–Times

The ert Transformer

Use a continuation passing style ERT transformer ert[C]: T → T. C t ert [C] (t)

time needed after executing C expected time needed before executing C

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 7

Weakest Precondition Reasoning for Expected Run–Times The ert Transformer

Weakest Precondition Reasoning for Expected Run–Times

The ert Transformer

Use a continuation passing style ERT transformer ert[C]: T → T. C t ert [C] (t)

time needed after executing C expected time needed before executing C

ERT in Terms of ert

ert [C] (0) (σ) = “ERT of C on input σ”

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 7

Weakest Precondition Reasoning for Expected Run–Times The ert Transformer

Rules for the ert Transformer

C ert [C] (t) skip 1 + t

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 8

Weakest Precondition Reasoning for Expected Run–Times The ert Transformer

Rules for the ert Transformer

C ert [C] (t) skip 1 + t x := E 1 + t [x/E]

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 8

Weakest Precondition Reasoning for Expected Run–Times The ert Transformer

Rules for the ert Transformer

C ert [C] (t) skip 1 + t x := E 1 + t [x/E]

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 8

Weakest Precondition Reasoning for Expected Run–Times The ert Transformer

Rules for the ert Transformer

C ert [C] (t) skip 1 + t x := E 1 + t [x/E] C1; C2 ert [C1] (ert [C2] (t))

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 8

Weakest Precondition Reasoning for Expected Run–Times The ert Transformer

Rules for the ert Transformer

C ert [C] (t) skip 1 + t x := E 1 + t [x/E] C1; C2 ert [C1] (ert [C2] (t)) {C1} {C2} max{ert [C1] (t) , ert [C2] (t)}

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 8

Weakest Precondition Reasoning for Expected Run–Times The ert Transformer

Rules for the ert Transformer

C ert [C] (t) skip 1 + t x := E 1 + t [x/E] C1; C2 ert [C1] (ert [C2] (t)) {C1} {C2} max{ert [C1] (t) , ert [C2] (t)} if (ξ) {C1} else {C2} 1 + ξ : true · ert [C1] (t) + ξ : false · ert [C2] (t)

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 8

Weakest Precondition Reasoning for Expected Run–Times The ert Transformer

Rules for the ert Transformer

C ert [C] (t) skip 1 + t x := E 1 + t [x/E] C1; C2 ert [C1] (ert [C2] (t)) {C1} {C2} max{ert [C1] (t) , ert [C2] (t)} if (ξ) {C1} else {C2} 1 + ξ : true · ert [C1] (t) + ξ : false · ert [C2] (t) while (ξ) {C′} lfp X • 1 + ξ : false · t + ξ : true · ert [C′] (X)

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 8

Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert

Upper Bounds for ert of Loops

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 9

Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert

Upper Bounds for ert of Loops

Recall the definition of ert [while (ξ) {C}] (t): lfp X• 1 + ξ : false · t + ξ : true · ert [C] (X)

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 9

Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert

Upper Bounds for ert of Loops

Recall the definition of ert [while (ξ) {C}] (t): lfp X• 1 + ξ : false · t + ξ : true · ert [C] (X)

• =: F(X)

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 9

Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert

Upper Bounds for ert of Loops

Recall the definition of ert [while (ξ) {C}] (t): lfp X• 1 + ξ : false · t + ξ : true · ert [C] (X)

• =: F(X)

Theorem: Upper Bounds from Upper Invariants

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 9

Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert

Upper Bounds for ert of Loops

Recall the definition of ert [while (ξ) {C}] (t): lfp X• 1 + ξ : false · t + ξ : true · ert [C] (X)

• =: F(X)

Theorem: Upper Bounds from Upper Invariants

If I ∈ T is an upper invariant of while (ξ) {C}, i.e. if F(I) I

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 9

Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert

Upper Bounds for ert of Loops

Recall the definition of ert [while (ξ) {C}] (t): lfp X• 1 + ξ : false · t + ξ : true · ert [C] (X)

• =: F(X)

Theorem: Upper Bounds from Upper Invariants

If I ∈ T is an upper invariant of while (ξ) {C}, i.e. if F(I) I then ert [while (ξ) {C}] (t) I .

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 9

Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert

Lower Bounds for ert of Loops

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 10

Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert

Lower Bounds for ert of Loops

Reasoning on lower bounds is more involved: Find an argument for being below a least fixed point

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 10

Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert

Lower Bounds for ert of Loops

Reasoning on lower bounds is more involved: Find an argument for being below a least fixed point

Theorem: Lower Bounds from Lower ω–Invariants

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 10

Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert

Lower Bounds for ert of Loops

Reasoning on lower bounds is more involved: Find an argument for being below a least fixed point

Theorem: Lower Bounds from Lower ω–Invariants

If {In}n∈N ⊆ T is a lower ω–invariant, i.e. if I0 F(0), and In+1 F(In)

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 10

Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert

Lower Bounds for ert of Loops

Reasoning on lower bounds is more involved: Find an argument for being below a least fixed point

Theorem: Lower Bounds from Lower ω–Invariants

If {In}n∈N ⊆ T is a lower ω–invariant, i.e. if I0 F(0), and In+1 F(In) then sup

n∈N

In ert [while (ξ) {C}] (t) .

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 10

Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert

Theorem: Completeness of Proof Rules

The presented proof rules are complete

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 11

Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert

Theorem: Completeness of Proof Rules

The presented proof rules are complete, since I = lfp F is an upper invariant

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 11

Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert

Theorem: Completeness of Proof Rules

The presented proof rules are complete, since I = lfp F is an upper invariant and a lower ω–invariant is given by In = F ◦ · · · ◦ F

• n times

(0) .

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 11

Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert

Theorem: Completeness of Proof Rules

The presented proof rules are complete, since I = lfp F is an upper invariant and a lower ω–invariant is given by In = F ◦ · · · ◦ F

• n times

(0) .

Theorem: Bound Refinement

If I is an upper bound and F(I) I, then F(I) is also an upper bound.

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 11

Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert

Theorem: Completeness of Proof Rules

The presented proof rules are complete, since I = lfp F is an upper invariant and a lower ω–invariant is given by In = F ◦ · · · ◦ F

• n times

(0) .

Theorem: Bound Refinement

If I is an upper bound and F(I) I, then F(I) is also an upper

• bound. Dually for lower bounds.

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 11

Weakest Precondition Reasoning for Expected Run–Times Correspondence to Other Run–Time Models

Is the ert Calculus a Reasonable Run–Time Model?

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 12

Weakest Precondition Reasoning for Expected Run–Times Correspondence to Other Run–Time Models

Is the ert Calculus a Reasonable Run–Time Model?

Correspondence to an operational semantics:

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 12

Weakest Precondition Reasoning for Expected Run–Times Correspondence to Other Run–Time Models

Is the ert Calculus a Reasonable Run–Time Model?

Correspondence to an operational semantics:

Operational model defined in terms of a reward MDP ` a la [QEST 2012] and [MFPS 2015]

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 12

Weakest Precondition Reasoning for Expected Run–Times Correspondence to Other Run–Time Models

Is the ert Calculus a Reasonable Run–Time Model?

Correspondence to an operational semantics:

Operational model defined in terms of a reward MDP ` a la [QEST 2012] and [MFPS 2015] ert coincides with expected reward in the operational MDP

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 12

Weakest Precondition Reasoning for Expected Run–Times Correspondence to Other Run–Time Models

Is the ert Calculus a Reasonable Run–Time Model?

Correspondence to an operational semantics:

Operational model defined in terms of a reward MDP ` a la [QEST 2012] and [MFPS 2015] ert coincides with expected reward in the operational MDP Enables bounded model checking of expected run–times

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 12

Weakest Precondition Reasoning for Expected Run–Times Correspondence to Other Run–Time Models

Is the ert Calculus a Reasonable Run–Time Model?

Correspondence to an operational semantics:

Operational model defined in terms of a reward MDP ` a la [QEST 2012] and [MFPS 2015] ert coincides with expected reward in the operational MDP Enables bounded model checking of expected run–times

Nielson’s Hoare–style logic for reasoning about run–time

• rders of magnitude of deterministic programs:

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 12

Weakest Precondition Reasoning for Expected Run–Times Correspondence to Other Run–Time Models

Is the ert Calculus a Reasonable Run–Time Model?

Correspondence to an operational semantics:

Operational model defined in terms of a reward MDP ` a la [QEST 2012] and [MFPS 2015] ert coincides with expected reward in the operational MDP Enables bounded model checking of expected run–times

Nielson’s Hoare–style logic for reasoning about run–time

• rders of magnitude of deterministic programs:

Nielson’s logic relies on introducing additional logical variables

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 12

Weakest Precondition Reasoning for Expected Run–Times Correspondence to Other Run–Time Models

Is the ert Calculus a Reasonable Run–Time Model?

Correspondence to an operational semantics:

Operational model defined in terms of a reward MDP ` a la [QEST 2012] and [MFPS 2015] ert coincides with expected reward in the operational MDP Enables bounded model checking of expected run–times

Nielson’s Hoare–style logic for reasoning about run–time

• rders of magnitude of deterministic programs:

Nielson’s logic relies on introducing additional logical variables ert is sound and complete with respect to Nielson’s logic

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 12

Weakest Precondition Reasoning for Expected Run–Times Correspondence to Other Run–Time Models

Is the ert Calculus a Reasonable Run–Time Model?

Correspondence to an operational semantics:

Operational model defined in terms of a reward MDP ` a la [QEST 2012] and [MFPS 2015] ert coincides with expected reward in the operational MDP Enables bounded model checking of expected run–times

Nielson’s Hoare–style logic for reasoning about run–time

• rders of magnitude of deterministic programs:

Nielson’s logic relies on introducing additional logical variables ert is sound and complete with respect to Nielson’s logic ert calculus is arguably easier to apply — no additional variables!

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 12

Weakest Precondition Reasoning for Expected Run–Times Case Study

Case Study: The Coupon Collector’s Problem

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 13

Weakest Precondition Reasoning for Expected Run–Times Case Study

Case Study: The Coupon Collector’s Problem

The coupon collector is a well–known problem

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 13

Weakest Precondition Reasoning for Expected Run–Times Case Study

Case Study: The Coupon Collector’s Problem

The coupon collector is a well–known problem

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 13

Weakest Precondition Reasoning for Expected Run–Times Case Study

Case Study: The Coupon Collector’s Problem

The coupon collector is a well–known problem

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 13

Weakest Precondition Reasoning for Expected Run–Times Case Study

Case Study: The Coupon Collector’s Problem

The coupon collector is a well–known problem

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 13

Weakest Precondition Reasoning for Expected Run–Times Case Study

Case Study: The Coupon Collector’s Problem

The coupon collector is a well–known problem We model it by the following algorithm: cp := [0, . . . , 0]; i := 1; x := N; while (x > 0) { while (cp[i] = 0) { i :≈ Unif[1 . . . N] }; cp[i] := 1; x := x − 1 }

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 13

Weakest Precondition Reasoning for Expected Run–Times Case Study

Case Study: The Coupon Collector’s Problem

The coupon collector is a well–known problem We model it by the following algorithm: cp := [0, . . . , 0]; i := 1; x := N; while (x > 0) { while (cp[i] = 0) { i :≈ Unif[1 . . . N] }; cp[i] := 1; x := x − 1 } Using ert, we can analyze the ERT of the above algorithm directly on the source code given above:

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 13

Weakest Precondition Reasoning for Expected Run–Times Case Study

Case Study: The Coupon Collector’s Problem

The coupon collector is a well–known problem We model it by the following algorithm: cp := [0, . . . , 0]; i := 1; x := N; while (x > 0) { while (cp[i] = 0) { i :≈ Unif[1 . . . N] }; cp[i] := 1; x := x − 1 } Using ert, we can analyze the ERT of the above algorithm directly on the source code given above: ert [coup. coll.] (0) = 4 + [N > 0] · 2N · (2 + HN−1)

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 13

Weakest Precondition Reasoning for Expected Run–Times Case Study

Case Study: The Coupon Collector’s Problem

The coupon collector is a well–known problem We model it by the following algorithm: cp := [0, . . . , 0]; i := 1; x := N; while (x > 0) { while (cp[i] = 0) { i :≈ Unif[1 . . . N] }; cp[i] := 1; x := x − 1 } Using ert, we can analyze the ERT of the above algorithm directly on the source code given above: ert [coup. coll.] (0) = 4 + [N > 0] · 2N · (2 + HN−1) Harmonic number HN−1 is in Θ(log N)

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 13

Weakest Precondition Reasoning for Expected Run–Times Case Study

Case Study: The Coupon Collector’s Problem

The coupon collector is a well–known problem We model it by the following algorithm: cp := [0, . . . , 0]; i := 1; x := N; while (x > 0) { while (cp[i] = 0) { i :≈ Unif[1 . . . N] }; cp[i] := 1; x := x − 1 } Using ert, we can analyze the ERT of the above algorithm directly on the source code given above: ert [coup. coll.] (0) = 4 + [N > 0] · 2N · (2 + HN−1) Harmonic number HN−1 is in Θ(log N) Coupon collector program runs in Θ(N · log N) for N > 0

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 13

Het Einde Summary

Summary

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 14

Het Einde Summary

Summary

ert is an easy to understand weakest–precondition–style calculus for reasoning about ERT of probabilistic programs

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 14

Het Einde Summary

Summary

ert is an easy to understand weakest–precondition–style calculus for reasoning about ERT of probabilistic programs ert is sound and complete for reasoning about expected run–times and positive almost–sure termination

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 14

Het Einde Summary

Summary

ert is an easy to understand weakest–precondition–style calculus for reasoning about ERT of probabilistic programs ert is sound and complete for reasoning about expected run–times and positive almost–sure termination ert comes with proof rules for reasoning about loops

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 14

Het Einde Summary

Summary

ert is an easy to understand weakest–precondition–style calculus for reasoning about ERT of probabilistic programs ert is sound and complete for reasoning about expected run–times and positive almost–sure termination ert comes with proof rules for reasoning about loops ert is a powerful alternative to ranking super–martingales

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 14

Het Einde Summary

Summary

ert is an easy to understand weakest–precondition–style calculus for reasoning about ERT of probabilistic programs ert is sound and complete for reasoning about expected run–times and positive almost–sure termination ert comes with proof rules for reasoning about loops ert is a powerful alternative to ranking super–martingales ert is applicable to tricky real–world examples which are difficult to reason about by formal verification techniques

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 14

Het Einde Summary

Summary

ert is an easy to understand weakest–precondition–style calculus for reasoning about ERT of probabilistic programs ert is sound and complete for reasoning about expected run–times and positive almost–sure termination ert comes with proof rules for reasoning about loops ert is a powerful alternative to ranking super–martingales ert is applicable to tricky real–world examples which are difficult to reason about by formal verification techniques

λ → ∀ =

I s a b e l l e

β α H O L

ert is Isabelle/HOL certified (courtesy of Johannes H¨

• lzl, TUM)

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 14

Het Einde Summary

Summary

ert is an easy to understand weakest–precondition–style calculus for reasoning about ERT of probabilistic programs ert is sound and complete for reasoning about expected run–times and positive almost–sure termination ert comes with proof rules for reasoning about loops ert is a powerful alternative to ranking super–martingales ert is applicable to tricky real–world examples which are difficult to reason about by formal verification techniques

λ → ∀ =

I s a b e l l e

β α H O L

ert is Isabelle/HOL certified (courtesy of Johannes H¨

• lzl, TUM)

Future work: recursion, conditioning, run–time variance

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 14

Het Einde Summary

Summary

ert is an easy to understand weakest–precondition–style calculus for reasoning about ERT of probabilistic programs ert is sound and complete for reasoning about expected run–times and positive almost–sure termination ert comes with proof rules for reasoning about loops ert is a powerful alternative to ranking super–martingales ert is applicable to tricky real–world examples which are difficult to reason about by formal verification techniques

λ → ∀ =

I s a b e l l e

β α H O L

ert is Isabelle/HOL certified (courtesy of Johannes H¨

• lzl, TUM)

Future work: recursion, conditioning, run–time variance Thank you for your kind attention!

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 14

Het Einde Summary

Backup Slides: The Actual Rule for Assignments

C ert [C] (t) x :≈ µ 1 + λσ• Eµ(σ) (λv. t [x/v] (σ))

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 15

Het Einde Summary

Backup Slides: ert Calculations and Proof Rule Application

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 16

Het Einde Summary

Backup Slides: Operational RMDP

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 17

Het Einde Summary

Backup Slides: Park’s Lemma

∞ gfp F lfp F

• Kaminski, Katoen, Matheja, Olmedo

Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 18

Het Einde Summary

Backup Slides: Park’s Lemma

∞ gfp F lfp F

• I

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 18

Het Einde Summary

Backup Slides: Park’s Lemma

∞ gfp F lfp F

• I

F(I)

≤

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 18

Het Einde Summary

Backup Slides: Park’s Lemma

F(I) ≤ I implies lfp F ≤ I ∞ gfp F lfp F

• I

F(I)

≤

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 18

Het Einde Summary

Backup Slides: Park’s Lemma

F(I) ≤ I implies lfp F ≤ I ∞ gfp F lfp F

• I

F(I)

≤

I

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 18

Het Einde Summary

Backup Slides: Park’s Lemma

F(I) ≤ I implies lfp F ≤ I ∞ gfp F lfp F

• I

F(I)

≤

I F(I)

≤

Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 18