weakest precondition reasoning for expected run times of
play

Weakest Precondition Reasoning for Expected RunTimes of - PowerPoint PPT Presentation

Jan 15, 2024 •157 likes •1.29k views

Weakest Precondition Reasoning for Expected RunTimes of Probabilistic Programs Benjamin Kaminski Joost-Pieter Katoen Christoph Matheja Federico Olmedo 25th European Symposium on Programming 19th edition of the European Joint Conferences on

  1. Motivation Probabilistic Programs Probabilistic Programs What does a probabilistic program C do? Run program C on initial state σ Obtain final set of (sub–)distributions µ over terminal states What is the run–time of C on input σ ? Behavior of C not entirely determined by σ Probabilistic nature of C influences its run–time Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 4

  2. Motivation Probabilistic Programs Probabilistic Programs What does a probabilistic program C do? Run program C on initial state σ Obtain final set of (sub–)distributions µ over terminal states What is the run–time of C on input σ ? Behavior of C not entirely determined by σ Probabilistic nature of C influences its run–time Better Question: What is the expected run–time (ERT) of C on input σ ? Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 4

  3. Motivation Expected Run–Times Expected Run–Time Phenomena Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 5

  4. Motivation Expected Run–Times Expected Run–Time Phenomena ERT of C can be finite even if C admits infinite computations Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 5

  5. Motivation Expected Run–Times Expected Run–Time Phenomena ERT of C can be finite even if C admits infinite computations x := 1; while ( 1 / 2 ) { x := 2 · x } Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 5

  6. Motivation Expected Run–Times Expected Run–Time Phenomena ERT of C can be finite even if C admits infinite computations x := 1; while ( 1 / 2 ) { x := 2 · x } Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 5

  7. Motivation Expected Run–Times Expected Run–Time Phenomena ERT of C can be finite even if C admits infinite computations Positive almost–sure termination: x := 1; while ( 1 / 2 ) { x := 2 · x } Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 5

  8. Motivation Expected Run–Times Expected Run–Time Phenomena ERT of C can be finite even if C admits infinite computations Positive almost–sure termination: ERT of C is finite x := 1; while ( 1 / 2 ) { x := 2 · x } Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 5

  9. Motivation Expected Run–Times Expected Run–Time Phenomena ERT of C can be finite even if C admits infinite computations Positive almost–sure termination: ERT of C is finite x := 1; while ( 1 / 2 ) { x := 2 · x } ; while ( x > 0) { x := x − 1 } Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 5

  10. Motivation Expected Run–Times Expected Run–Time Phenomena ERT of C can be finite even if C admits infinite computations Positive almost–sure termination: ERT of C is finite Positively almost–surely terminating programs are not closed under sequential composition x := 1; while ( 1 / 2 ) { x := 2 · x } ; while ( x > 0) { x := x − 1 } Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 5

  11. Motivation Expected Run–Times Expected Run–Time Phenomena ERT of C can be finite even if C admits infinite computations Positive almost–sure termination: ERT of C is finite Positively almost–surely terminating programs are not closed under sequential composition Reasoning about positive almost–sure termination is computationally very difficult: x := 1; while ( 1 / 2 ) { x := 2 · x } ; while ( x > 0) { x := x − 1 } Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 5

  12. Motivation Expected Run–Times Expected Run–Time Phenomena ERT of C can be finite even if C admits infinite computations Positive almost–sure termination: ERT of C is finite Positively almost–surely terminating programs are not closed under sequential composition Reasoning about positive almost–sure termination is computationally very difficult: Strictly more difficult than the termination problem for non–probabilistic programs [MFCS 2015] x := 1; while ( 1 / 2 ) { x := 2 · x } ; while ( x > 0) { x := x − 1 } Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 5

  13. Motivation Expected Run–Times Expected Run–Time Phenomena ERT of C can be finite even if C admits infinite computations Positive almost–sure termination: ERT of C is finite Positively almost–surely terminating programs are not closed under sequential composition Reasoning about positive almost–sure termination is computationally very difficult: Strictly more difficult than the termination problem for non–probabilistic programs [MFCS 2015] ERT of C can be infinite, even if C terminates almost–surely 1 x := 1; while ( 1 / 2 ) { x := 2 · x } ; while ( x > 0) { x := x − 1 } 1 i.e. with probability 1 Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 5

  14. Motivation Expected Run–Times Expected Run–Times Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 6

  15. Motivation Expected Run–Times Expected Run–Times ERT if C terminates almost–surely on σ : � “ C terminates after ∞ � � i · Pr i steps on input σ ” i =1 Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 6

  16. Motivation Expected Run–Times Expected Run–Times ERT if C terminates almost–surely on σ : � “ C terminates after ∞ � � i · Pr i steps on input σ ” i =1 ERT if C does not terminate almost–surely on σ : ∞ Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 6

  17. Motivation Expected Run–Times Expected Run–Times ERT if C terminates almost–surely on σ : � “ C terminates after ∞ � � i · Pr i steps on input σ ” i =1 ERT if C does not terminate almost–surely on σ : ∞ In general: ERT of C is a function t : Σ → R ∞ ≥ 0 Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 6

  18. Motivation Expected Run–Times Expected Run–Times ERT if C terminates almost–surely on σ : � “ C terminates after ∞ � � i · Pr i steps on input σ ” i =1 ERT if C does not terminate almost–surely on σ : ∞ In general: ERT of C is a function t : Σ → R ∞ ≥ 0 Call such a t a run–time. Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 6

  19. Motivation Expected Run–Times Expected Run–Times ERT if C terminates almost–surely on σ : � “ C terminates after ∞ � � i · Pr i steps on input σ ” i =1 ERT if C does not terminate almost–surely on σ : ∞ In general: ERT of C is a function t : Σ → R ∞ ≥ 0 Call such a t a run–time. Denote set of run–times by T . Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 6

  20. Motivation Expected Run–Times Expected Run–Times ERT if C terminates almost–surely on σ : � “ C terminates after ∞ � � i · Pr i steps on input σ ” i =1 ERT if C does not terminate almost–surely on σ : ∞ In general: ERT of C is a function t : Σ → R ∞ ≥ 0 Call such a t a run–time. Denote set of run–times by T . Complete partial order on T : t 1 � t 2 iff ∀ σ ∈ Σ: t 1 ( σ ) ≤ t 2 ( σ ) Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 6

  21. Weakest Precondition Reasoning for Expected Run–Times The ert Transformer Weakest Precondition Reasoning for Expected Run–Times The ert Transformer Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 7

  22. Weakest Precondition Reasoning for Expected Run–Times The ert Transformer Weakest Precondition Reasoning for Expected Run–Times The ert Transformer Use a continuation passing style ERT transformer ert [ C ]: T → T . Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 7

  23. Weakest Precondition Reasoning for Expected Run–Times The ert Transformer Weakest Precondition Reasoning for Expected Run–Times The ert Transformer Use a continuation passing style ERT transformer ert [ C ]: T → T . C Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 7

  24. Weakest Precondition Reasoning for Expected Run–Times The ert Transformer Weakest Precondition Reasoning for Expected Run–Times The ert Transformer Use a continuation passing style ERT transformer ert [ C ]: T → T . C t time needed after executing C Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 7

  25. Weakest Precondition Reasoning for Expected Run–Times The ert Transformer Weakest Precondition Reasoning for Expected Run–Times The ert Transformer Use a continuation passing style ERT transformer ert [ C ]: T → T . C t time needed after executing C Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 7

  26. Weakest Precondition Reasoning for Expected Run–Times The ert Transformer Weakest Precondition Reasoning for Expected Run–Times The ert Transformer Use a continuation passing style ERT transformer ert [ C ]: T → T . ert [ C ] ( t ) C t expected time needed time needed before executing C after executing C Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 7

  27. Weakest Precondition Reasoning for Expected Run–Times The ert Transformer Weakest Precondition Reasoning for Expected Run–Times The ert Transformer Use a continuation passing style ERT transformer ert [ C ]: T → T . ert [ C ] ( t ) C t expected time needed time needed before executing C after executing C ERT in Terms of ert ert [ C ] ( 0 ) ( σ ) = “ERT of C on input σ ” Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 7

  28. Weakest Precondition Reasoning for Expected Run–Times The ert Transformer Rules for the ert Transformer ert [ C ] ( t ) C 1 + t skip Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 8

  29. Weakest Precondition Reasoning for Expected Run–Times The ert Transformer Rules for the ert Transformer ert [ C ] ( t ) C 1 + t skip x := E 1 + t [ x/E ] Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 8

  30. Weakest Precondition Reasoning for Expected Run–Times The ert Transformer Rules for the ert Transformer ert [ C ] ( t ) C 1 + t skip x := E 1 + t [ x/E ] Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 8

  31. Weakest Precondition Reasoning for Expected Run–Times The ert Transformer Rules for the ert Transformer ert [ C ] ( t ) C 1 + t skip x := E 1 + t [ x/E ] C 1 ; C 2 ert [ C 1 ] ( ert [ C 2 ] ( t )) Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 8

  32. Weakest Precondition Reasoning for Expected Run–Times The ert Transformer Rules for the ert Transformer ert [ C ] ( t ) C 1 + t skip x := E 1 + t [ x/E ] C 1 ; C 2 ert [ C 1 ] ( ert [ C 2 ] ( t )) { C 1 } � { C 2 } max { ert [ C 1 ] ( t ) , ert [ C 2 ] ( t ) } Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 8

  33. Weakest Precondition Reasoning for Expected Run–Times The ert Transformer Rules for the ert Transformer ert [ C ] ( t ) C 1 + t skip x := E 1 + t [ x/E ] C 1 ; C 2 ert [ C 1 ] ( ert [ C 2 ] ( t )) { C 1 } � { C 2 } max { ert [ C 1 ] ( t ) , ert [ C 2 ] ( t ) } if ( ξ ) { C 1 } else { C 2 } 1 + � ξ : true � · ert [ C 1 ] ( t ) + � ξ : false � · ert [ C 2 ] ( t ) Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 8

  34. Weakest Precondition Reasoning for Expected Run–Times The ert Transformer Rules for the ert Transformer ert [ C ] ( t ) C 1 + t skip x := E 1 + t [ x/E ] C 1 ; C 2 ert [ C 1 ] ( ert [ C 2 ] ( t )) { C 1 } � { C 2 } max { ert [ C 1 ] ( t ) , ert [ C 2 ] ( t ) } if ( ξ ) { C 1 } else { C 2 } 1 + � ξ : true � · ert [ C 1 ] ( t ) + � ξ : false � · ert [ C 2 ] ( t ) while ( ξ ) { C ′ } lfp X • 1 + � ξ : false � · t + � ξ : true � · ert [ C ′ ] ( X ) Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 8

  35. Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert Upper Bounds for ert of Loops Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 9

  36. Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert Upper Bounds for ert of Loops Recall the definition of ert [ while ( ξ ) { C } ] ( t ) : lfp X • 1 + � ξ : false � · t + � ξ : true � · ert [ C ] ( X ) Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 9

  37. Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert Upper Bounds for ert of Loops Recall the definition of ert [ while ( ξ ) { C } ] ( t ) : lfp X • 1 + � ξ : false � · t + � ξ : true � · ert [ C ] ( X ) � �� � =: F ( X ) Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 9

  38. Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert Upper Bounds for ert of Loops Recall the definition of ert [ while ( ξ ) { C } ] ( t ) : lfp X • 1 + � ξ : false � · t + � ξ : true � · ert [ C ] ( X ) � �� � =: F ( X ) Theorem: Upper Bounds from Upper Invariants Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 9

  39. Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert Upper Bounds for ert of Loops Recall the definition of ert [ while ( ξ ) { C } ] ( t ) : lfp X • 1 + � ξ : false � · t + � ξ : true � · ert [ C ] ( X ) � �� � =: F ( X ) Theorem: Upper Bounds from Upper Invariants If I ∈ T is an upper invariant of while ( ξ ) { C } , i.e. if F ( I ) � I Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 9

  40. Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert Upper Bounds for ert of Loops Recall the definition of ert [ while ( ξ ) { C } ] ( t ) : lfp X • 1 + � ξ : false � · t + � ξ : true � · ert [ C ] ( X ) � �� � =: F ( X ) Theorem: Upper Bounds from Upper Invariants If I ∈ T is an upper invariant of while ( ξ ) { C } , i.e. if F ( I ) � I then ert [ while ( ξ ) { C } ] ( t ) � I . Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 9

  41. Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert Lower Bounds for ert of Loops Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 10

  42. Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert Lower Bounds for ert of Loops Reasoning on lower bounds is more involved: Find an argument for being below a least fixed point Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 10

  43. Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert Lower Bounds for ert of Loops Reasoning on lower bounds is more involved: Find an argument for being below a least fixed point Theorem: Lower Bounds from Lower ω –Invariants Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 10

  44. Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert Lower Bounds for ert of Loops Reasoning on lower bounds is more involved: Find an argument for being below a least fixed point Theorem: Lower Bounds from Lower ω –Invariants If { I n } n ∈ N ⊆ T is a lower ω –invariant, i.e. if I 0 � F ( 0 ) , and I n +1 � F ( I n ) Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 10

  45. Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert Lower Bounds for ert of Loops Reasoning on lower bounds is more involved: Find an argument for being below a least fixed point Theorem: Lower Bounds from Lower ω –Invariants If { I n } n ∈ N ⊆ T is a lower ω –invariant, i.e. if I 0 � F ( 0 ) , and I n +1 � F ( I n ) then sup I n � ert [ while ( ξ ) { C } ] ( t ) . n ∈ N Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 10

  46. Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert Theorem: Completeness of Proof Rules The presented proof rules are complete Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 11

  47. Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert Theorem: Completeness of Proof Rules The presented proof rules are complete, since I = lfp F is an upper invariant Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 11

  48. Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert Theorem: Completeness of Proof Rules The presented proof rules are complete, since I = lfp F is an upper invariant and a lower ω –invariant is given by I n = F ◦ · · · ◦ F ( 0 ) . � �� � n times Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 11

  49. Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert Theorem: Completeness of Proof Rules The presented proof rules are complete, since I = lfp F is an upper invariant and a lower ω –invariant is given by I n = F ◦ · · · ◦ F ( 0 ) . � �� � n times Theorem: Bound Refinement If I is an upper bound and F ( I ) � I , then F ( I ) is also an upper bound. Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 11

  50. Weakest Precondition Reasoning for Expected Run–Times Reasoning about ert Theorem: Completeness of Proof Rules The presented proof rules are complete, since I = lfp F is an upper invariant and a lower ω –invariant is given by I n = F ◦ · · · ◦ F ( 0 ) . � �� � n times Theorem: Bound Refinement If I is an upper bound and F ( I ) � I , then F ( I ) is also an upper bound. Dually for lower bounds. Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 11

  51. Weakest Precondition Reasoning for Expected Run–Times Correspondence to Other Run–Time Models Is the ert Calculus a Reasonable Run–Time Model? Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 12

  52. Weakest Precondition Reasoning for Expected Run–Times Correspondence to Other Run–Time Models Is the ert Calculus a Reasonable Run–Time Model? Correspondence to an operational semantics: Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 12

  53. Weakest Precondition Reasoning for Expected Run–Times Correspondence to Other Run–Time Models Is the ert Calculus a Reasonable Run–Time Model? Correspondence to an operational semantics: Operational model defined in terms of a reward MDP ` a la [QEST 2012] and [MFPS 2015] Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 12

  54. Weakest Precondition Reasoning for Expected Run–Times Correspondence to Other Run–Time Models Is the ert Calculus a Reasonable Run–Time Model? Correspondence to an operational semantics: Operational model defined in terms of a reward MDP ` a la [QEST 2012] and [MFPS 2015] ert coincides with expected reward in the operational MDP Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 12

  55. Weakest Precondition Reasoning for Expected Run–Times Correspondence to Other Run–Time Models Is the ert Calculus a Reasonable Run–Time Model? Correspondence to an operational semantics: Operational model defined in terms of a reward MDP ` a la [QEST 2012] and [MFPS 2015] ert coincides with expected reward in the operational MDP Enables bounded model checking of expected run–times Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 12

  56. Weakest Precondition Reasoning for Expected Run–Times Correspondence to Other Run–Time Models Is the ert Calculus a Reasonable Run–Time Model? Correspondence to an operational semantics: Operational model defined in terms of a reward MDP ` a la [QEST 2012] and [MFPS 2015] ert coincides with expected reward in the operational MDP Enables bounded model checking of expected run–times Nielson’s Hoare–style logic for reasoning about run–time orders of magnitude of deterministic programs : Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 12

  57. Weakest Precondition Reasoning for Expected Run–Times Correspondence to Other Run–Time Models Is the ert Calculus a Reasonable Run–Time Model? Correspondence to an operational semantics: Operational model defined in terms of a reward MDP ` a la [QEST 2012] and [MFPS 2015] ert coincides with expected reward in the operational MDP Enables bounded model checking of expected run–times Nielson’s Hoare–style logic for reasoning about run–time orders of magnitude of deterministic programs : Nielson’s logic relies on introducing additional logical variables Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 12

  58. Weakest Precondition Reasoning for Expected Run–Times Correspondence to Other Run–Time Models Is the ert Calculus a Reasonable Run–Time Model? Correspondence to an operational semantics: Operational model defined in terms of a reward MDP ` a la [QEST 2012] and [MFPS 2015] ert coincides with expected reward in the operational MDP Enables bounded model checking of expected run–times Nielson’s Hoare–style logic for reasoning about run–time orders of magnitude of deterministic programs : Nielson’s logic relies on introducing additional logical variables ert is sound and complete with respect to Nielson’s logic Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 12

  59. Weakest Precondition Reasoning for Expected Run–Times Correspondence to Other Run–Time Models Is the ert Calculus a Reasonable Run–Time Model? Correspondence to an operational semantics: Operational model defined in terms of a reward MDP ` a la [QEST 2012] and [MFPS 2015] ert coincides with expected reward in the operational MDP Enables bounded model checking of expected run–times Nielson’s Hoare–style logic for reasoning about run–time orders of magnitude of deterministic programs : Nielson’s logic relies on introducing additional logical variables ert is sound and complete with respect to Nielson’s logic ert calculus is arguably easier to apply — no additional variables! Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 12

  60. Weakest Precondition Reasoning for Expected Run–Times Case Study Case Study: The Coupon Collector’s Problem Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 13

  61. Weakest Precondition Reasoning for Expected Run–Times Case Study Case Study: The Coupon Collector’s Problem The coupon collector is a well–known problem Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 13

  62. Weakest Precondition Reasoning for Expected Run–Times Case Study Case Study: The Coupon Collector’s Problem The coupon collector is a well–known problem Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 13

  63. Weakest Precondition Reasoning for Expected Run–Times Case Study Case Study: The Coupon Collector’s Problem The coupon collector is a well–known problem Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 13

  64. Weakest Precondition Reasoning for Expected Run–Times Case Study Case Study: The Coupon Collector’s Problem The coupon collector is a well–known problem Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 13

  65. Weakest Precondition Reasoning for Expected Run–Times Case Study Case Study: The Coupon Collector’s Problem The coupon collector is a well–known problem We model it by the following algorithm: cp := [0 , . . . , 0] ; i := 1 ; x := N ; while ( x > 0) { while ( cp [ i ] � = 0) { i : ≈ Unif [1 . . . N ] } ; cp [ i ] := 1 ; x := x − 1 } Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 13

  66. Weakest Precondition Reasoning for Expected Run–Times Case Study Case Study: The Coupon Collector’s Problem The coupon collector is a well–known problem We model it by the following algorithm: cp := [0 , . . . , 0] ; i := 1 ; x := N ; while ( x > 0) { while ( cp [ i ] � = 0) { i : ≈ Unif [1 . . . N ] } ; cp [ i ] := 1 ; x := x − 1 } Using ert, we can analyze the ERT of the above algorithm directly on the source code given above: Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 13

  67. Weakest Precondition Reasoning for Expected Run–Times Case Study Case Study: The Coupon Collector’s Problem The coupon collector is a well–known problem We model it by the following algorithm: cp := [0 , . . . , 0] ; i := 1 ; x := N ; while ( x > 0) { while ( cp [ i ] � = 0) { i : ≈ Unif [1 . . . N ] } ; cp [ i ] := 1 ; x := x − 1 } Using ert, we can analyze the ERT of the above algorithm directly on the source code given above: ert [ coup . coll . ] ( 0 ) = 4 + [ N > 0] · 2 N · ( 2 + H N − 1 ) Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 13

  68. Weakest Precondition Reasoning for Expected Run–Times Case Study Case Study: The Coupon Collector’s Problem The coupon collector is a well–known problem We model it by the following algorithm: cp := [0 , . . . , 0] ; i := 1 ; x := N ; while ( x > 0) { while ( cp [ i ] � = 0) { i : ≈ Unif [1 . . . N ] } ; cp [ i ] := 1 ; x := x − 1 } Using ert, we can analyze the ERT of the above algorithm directly on the source code given above: ert [ coup . coll . ] ( 0 ) = 4 + [ N > 0] · 2 N · ( 2 + H N − 1 ) Harmonic number H N − 1 is in Θ(log N ) Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 13

  69. Weakest Precondition Reasoning for Expected Run–Times Case Study Case Study: The Coupon Collector’s Problem The coupon collector is a well–known problem We model it by the following algorithm: cp := [0 , . . . , 0] ; i := 1 ; x := N ; while ( x > 0) { while ( cp [ i ] � = 0) { i : ≈ Unif [1 . . . N ] } ; cp [ i ] := 1 ; x := x − 1 } Using ert, we can analyze the ERT of the above algorithm directly on the source code given above: ert [ coup . coll . ] ( 0 ) = 4 + [ N > 0] · 2 N · ( 2 + H N − 1 ) Harmonic number H N − 1 is in Θ(log N ) Coupon collector program runs in Θ( N · log N ) for N > 0 Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 13

  70. Het Einde Summary Summary Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 14

  71. Het Einde Summary Summary ert is an easy to understand weakest–precondition–style calculus for reasoning about ERT of probabilistic programs Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 14

  72. Het Einde Summary Summary ert is an easy to understand weakest–precondition–style calculus for reasoning about ERT of probabilistic programs ert is sound and complete for reasoning about expected run–times and positive almost–sure termination Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 14

  73. Het Einde Summary Summary ert is an easy to understand weakest–precondition–style calculus for reasoning about ERT of probabilistic programs ert is sound and complete for reasoning about expected run–times and positive almost–sure termination ert comes with proof rules for reasoning about loops Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 14

  74. Het Einde Summary Summary ert is an easy to understand weakest–precondition–style calculus for reasoning about ERT of probabilistic programs ert is sound and complete for reasoning about expected run–times and positive almost–sure termination ert comes with proof rules for reasoning about loops ert is a powerful alternative to ranking super–martingales Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 14

  75. Het Einde Summary Summary ert is an easy to understand weakest–precondition–style calculus for reasoning about ERT of probabilistic programs ert is sound and complete for reasoning about expected run–times and positive almost–sure termination ert comes with proof rules for reasoning about loops ert is a powerful alternative to ranking super–martingales ert is applicable to tricky real–world examples which are difficult to reason about by formal verification techniques Kaminski, Katoen, Matheja, Olmedo Weakest Precondition Reasoning for Expected Run–Times 4.4.2016 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

COMP2111 Week 9 Term 1, 2020 Hoare Logic 1 Summary Weakest precondition reasoning Handling

COMP2111 Week 9 Term 1, 2020 Hoare Logic 1 Summary Weakest precondition reasoning Handling

COMP2111 Week 9 Term 1, 2020 Hoare Logic 1 Summary Weakest precondition reasoning Handling termination Operational semantics Adding non-determinism Refinement calculus 2 Summary Weakest precondition reasoning Handling termination

1.22k views • 85 slides
COMP2111 Week 9 Term 1, 2020 Hoare Logic 1 Summary Weakest precondition reasoning Handling

COMP2111 Week 9 Term 1, 2020 Hoare Logic 1 Summary Weakest precondition reasoning Handling

COMP2111 Week 9 Term 1, 2020 Hoare Logic 1 Summary Weakest precondition reasoning Handling termination Operational semantics Adding non-determinism Refinement calculus 2 Finding a proof Consider the following code: Pow r := 1; i := 0;

538 views • 37 slides
Null Dereference Verification Via Over-approximated Weakest Precondition analysis Ravichandhran

Null Dereference Verification Via Over-approximated Weakest Precondition analysis Ravichandhran

Null Dereference Verification Via Over-approximated Weakest Precondition analysis Ravichandhran Madhavan Microsoft Research, India Joint work with Raghavan Komondoor, Indian Institute of Science Problem Definition Verify absence of Null

1.04k views • 71 slides
A weakest precondition approach to active analysis attacks analysis Musard Balliu, Isabella

A weakest precondition approach to active analysis attacks analysis Musard Balliu, Isabella

A weakest precondition approach to active attacks A weakest precondition approach to active analysis attacks analysis Musard Balliu, Isabella Mastroeni Musard Balliu Isabella Mastroeni School of Computer Science and Communication Royal

887 views • 74 slides
Towards Weakest Precondition Calculus for Local Store Miriam Polzer February 5, 2019 wp

Towards Weakest Precondition Calculus for Local Store Miriam Polzer February 5, 2019 wp

Towards Weakest Precondition Calculus for Local Store Miriam Polzer February 5, 2019 wp semantics via modality 1 : T ( T 1 ) T 1 Ex ample (Powerset Monad P ) P 1 = 2 = { , } : P 2 2 {} , {} {} , { , }

487 views • 36 slides
Loop invariants <precondition: n>0> int i = 0; while (i < n){ i = i+1; We want to

Loop invariants <precondition: n>0> int i = 0; while (i < n){ i = i+1; We want to

4/23/16 Loop invariants as a way of reasoning about the state of your program Loop invariants <precondition: n>0> int i = 0; while (i < n){ i = i+1; We want to prove: } i==n right after the loop <post condition: i==n>

80 views • 7 slides
The weakest failure detectors to solve certain fundamental problems in distributed computing

The weakest failure detectors to solve certain fundamental problems in distributed computing

The weakest failure detectors to solve certain fundamental problems in distributed computing Carole Delporte-Gallet Hugues Fauconnier Vassos Hadzilacos Rachid Guerraoui Petr Kouznetsov Sam Toueg Contribution The weakest failure detectors

690 views • 38 slides
Chapter 17: The Expected Value and Standard Error Think about drawing 25 times, with

Chapter 17: The Expected Value and Standard Error Think about drawing 25 times, with

Chapter 17: The Expected Value and Standard Error Think about drawing 25 times, with replacement, from the box: 0 2 3 4 6 Heres one set of 25 draws: 6 0 4 3 0 2 2 2 0 0 3 2 4 2 2 6 0 6 3 6 3 4 0 6 0, sum = 66 Heres another: 0 3 2

578 views • 24 slides
GOALS & OBJECTIVES PRECONDITION PRECONDITION (GOAL 1) (GOAL 2) Strong goals and

GOALS & OBJECTIVES PRECONDITION PRECONDITION (GOAL 1) (GOAL 2) Strong goals and

UNITED MIDCOAST CHARITIES DESIRED OUTCOME GOALS & OBJECTIVES PRECONDITION PRECONDITION (GOAL 1) (GOAL 2) Strong goals and objectives build toward your desired SMART STEP SMART STEP SMART STEP SMART STEP (OBJECTIVE) (OBJECTIVE)

362 views • 14 slides
Calculating bounds on expected return and first passage times in finite-state imprecise

Calculating bounds on expected return and first passage times in finite-state imprecise

Calculating bounds on expected return and first passage times in finite-state imprecise birth-death chains Stavros Lopatatzidis, Jasper De Bock and Gert de Cooman Birth-death chains Birth-death chain special type of Markov chain X : =

404 views • 15 slides
TIMES TABLES HOW WE TEACH TIMES TABLES AND HOW YOU CAN HELP WHY ARE TIMES TABLES IMPORTANT?

TIMES TABLES HOW WE TEACH TIMES TABLES AND HOW YOU CAN HELP WHY ARE TIMES TABLES IMPORTANT?

TIMES TABLES HOW WE TEACH TIMES TABLES AND HOW YOU CAN HELP WHY ARE TIMES TABLES IMPORTANT? New from 2019: all children in year 4 will sit an online times table test. Times Tables knowledge and recall underpin so many different areas of

526 views • 25 slides
CHAPTER-4 1 LOGIC AND REASONING ! Knowledge and ! Reasoning in Knowledge- Reasoning Based

CHAPTER-4 1 LOGIC AND REASONING ! Knowledge and ! Reasoning in Knowledge- Reasoning Based

CHAPTER-4 1 LOGIC AND REASONING ! Knowledge and ! Reasoning in Knowledge- Reasoning Based Systems ! syntax and semantics ! shallow and deep reasoning ! validity and satisfiability ! forward and backward ! logic languages chaining ! alternative

616 views • 23 slides
Loop Invariants: Part 1 7 January 2019 OSU CSE 1 Reasoning About Method Calls What a

Loop Invariants: Part 1 7 January 2019 OSU CSE 1 Reasoning About Method Calls What a

Loop Invariants: Part 1 7 January 2019 OSU CSE 1 Reasoning About Method Calls What a method call does is described by its contract Precondition: a property that is true before the call is made Postcondition: a property that is true

462 views • 45 slides
Symbolic Computation and Theorem Proving in Program Analysis Laura Kov acs Chalmers Outline

Symbolic Computation and Theorem Proving in Program Analysis Laura Kov acs Chalmers Outline

Symbolic Computation and Theorem Proving in Program Analysis Laura Kov acs Chalmers Outline Part 1: Weakest Precondition for Program Analysis and Verification Part 2: Polynomial Invariant Generation (TACAS08, LPAR10) Part 3:

1.22k views • 98 slides
Symbolic Computation and Theorem Proving in Program Analysis Laura Kov acs Chalmers Outline

Symbolic Computation and Theorem Proving in Program Analysis Laura Kov acs Chalmers Outline

Symbolic Computation and Theorem Proving in Program Analysis Laura Kov acs Chalmers Outline Part 1: Weakest Precondition for Program Analysis and Verification Part 2: Polynomial Invariant Generation (TACAS08, LPAR10) Part 3:

1.34k views • 118 slides
Symbolic Computation and Theorem Proving in Program Analysis Laura Kov acs Chalmers Outline

Symbolic Computation and Theorem Proving in Program Analysis Laura Kov acs Chalmers Outline

Symbolic Computation and Theorem Proving in Program Analysis Laura Kov acs Chalmers Outline Part 1: Weakest Precondition for Program Analysis and Verification Part 2: Polynomial Invariant Generation (TACAS08, LPAR10) Part 3:

589 views • 44 slides
Concurrent Kleene Algebra: Free Model and Completeness Tobias Kapp e Paul Brunet Alexandra

Concurrent Kleene Algebra: Free Model and Completeness Tobias Kapp e Paul Brunet Alexandra

Concurrent Kleene Algebra: Free Model and Completeness Tobias Kapp e Paul Brunet Alexandra Silva Fabio Zanasi University College London ESOP 2018 Introduction Lets write a program that outputs n > 0 space-separated s. T.

769 views • 65 slides
Formalising Semantics for Expected Running Time of Probabilistic Programs (Rough Diamond)

Formalising Semantics for Expected Running Time of Probabilistic Programs (Rough Diamond)

Johannes Hlzl TU Mnchen, Germany Formalising Semantics for Expected Running Time of Probabilistic Programs (Rough Diamond) Kaminski, Katoen, Matheja, and Olmedo [ESOP 2016] Denotational: Operational: Correspondence: Denotational 2

1.36k views • 89 slides
Mixin Modules and Computational Effects Davide Ancona and Sonia Fagorzi and Eugenio Moggi and

Mixin Modules and Computational Effects Davide Ancona and Sonia Fagorzi and Eugenio Moggi and

Mixin Modules and Computational Effects Davide Ancona and Sonia Fagorzi and Eugenio Moggi and Elena Zucca {davide, fagorzi, moggi, zucca}@disi.unige.it Dipartimento di Informatica e Scienze dellInformazione (DISI) University of Genova To

844 views • 70 slides
A Higher-Order Abstract Syntax Approach to Verified Compilation of Functional Programs Yuting

A Higher-Order Abstract Syntax Approach to Verified Compilation of Functional Programs Yuting

A Higher-Order Abstract Syntax Approach to Verified Compilation of Functional Programs Yuting Wang and Gopalan Nadathur Department of Computer Science and Engineering University of Minnesota, Minneapolis ESOP 2016, Eindhoven, Netherlands

1.06k views • 88 slides
Session Types in a Nutshell Session Types structure a series of interactions in a simple and

Session Types in a Nutshell Session Types structure a series of interactions in a simple and

Session Types in a Nutshell Session Types structure a series of interactions in a simple and concise syntax and ensure type safe communication . A Protocol Protocol: Buyer-Seller Alice Seller title Description: Alice buying a

644 views • 60 slides
A Type-ical Case Study: The Sound Type-Indexed Type Checker Richard A. Eisenberg Bryn Mawr

A Type-ical Case Study: The Sound Type-Indexed Type Checker Richard A. Eisenberg Bryn Mawr

A Type-ical Case Study: The Sound Type-Indexed Type Checker Richard A. Eisenberg Bryn Mawr College / Tweag I/O rae@richarde.dev Tarball at richarde.dev/stitch.tar.gz and on ZuriHac website Sunday, June 16, 2019 ZuriHac Zrich,

449 views • 40 slides
Type inference for monotonicity Michael Arntzenius University of Birmingham S-REPLS 9, 2018 x +

Type inference for monotonicity Michael Arntzenius University of Birmingham S-REPLS 9, 2018 x +

Type inference for monotonicity Michael Arntzenius University of Birmingham S-REPLS 9, 2018 x + log x x x log x 4 ::= R | A B types A , B terms M , N ::= x | x . M | M N A Poset R = R A B =

452 views • 34 slides
Type Reconstruction for General Refinement Types Kenn Knowles University of California, Santa

Type Reconstruction for General Refinement Types Kenn Knowles University of California, Santa

Type Reconstruction for General Refinement Types Kenn Knowles University of California, Santa Cruz joint work with: Cormac Flanagan (University of California, Santa Cruz) March 25, 2007 Assertions / Refinement Types The role of assertions in

386 views • 37 slides

More recommend