Formal Methods for Probabilistic Systems

Similar documents
Formal Methods for Probabilistic Systems

Demonic, angelic and unbounded probabilistic choices in sequential programs

Probabilistic Action System Trace Semantics

Proofs and refutations for probabilistic systems

Proofs and refutations for probabilistic systems

Abstract Interpretation from a Topological Perspective

A Monad For Randomized Algorithms

Quantitative Program Logic and Performance in Probabilistic Distributed Algorithms

Using Probabilistic Kleene Algebra for Protocol Verification

Algebraic Reasoning for Probabilistic Action Systems and While-Loops

Verifying Probabilistic Programs using the HOL Theorem Prover Joe Hurd p.1/32

Probabilistic Guarded Commands Mechanized in HOL

Unifying Theories of Programming

Cost-based analysis of probabilistic programs mechanised in HOL

Probabilistic Observations and Valuations (Extended Abstract) 1

Refinement-oriented probability for CSP

Probabilistic Program Verification in the Style of the Unifying Theories of Programming

A Behavioral Congruence for Concurrent Constraint Programming with Nondeterministic Choice

Cost analysis of games, using program logic

A Humble Introduction to DIJKSTRA S A A DISCIPLINE OF PROGRAMMING

MODELING NONDETERMINISM IN PROGRAM SEMANTICS USING LIFTED BINARY MULTIRELATIONS

Calculating axiomatic semantics from program equations by means of functional predicate calculus

Characterising FS domains by means of power domains

Programming Languages and Types

Halting and Equivalence of Program Schemes in Models of Arbitrary Theories

Semantics for algebraic operations

Healthiness Conditions for Predicate Transformers

(Refer Slide Time: 0:21)

Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions

Verifying Randomized Distributed Algorithms with PRISM

1 Probability Review. CS 124 Section #8 Hashing, Skip Lists 3/20/17. Expectation (weighted average): the expectation of a random quantity X is:

Proofs of randomized algorithms in Coq

Lecture Notes: Axiomatic Semantics and Hoare-style Verification

Foundations of Quantum Programming

arxiv: v1 [cs.lo] 4 Sep 2018

Hyperproperties. Department of Computer Science Cornell University

Mathematical Foundations of Logic and Functional Programming

Introduction to Turing Machines. Reading: Chapters 8 & 9

Halting and Equivalence of Schemes over Recursive Theories

Reasoning about probabilistic sequential programs in a probabilistic logic

An integration testing method that is proved to find all faults

07 Equational Logic and Algebraic Reasoning

Discrete Mathematics and Probability Theory Fall 2013 Vazirani Note 12. Random Variables: Distribution and Expectation

Dana S. Scott. University Professor, Emeritus Carnegie Mellon University. Visiting Scholar in Mathematics University of California, Berkeley

Discrete Random Variables Over Domains

Exam Computability and Complexity

Fooling Sets and. Lecture 5

A Note on Turing Machine Design

Memoryless strategies for stochastic games via domain theory

A PECULIAR COIN-TOSSING MODEL

REVIEW QUESTIONS. Chapter 1: Foundations: Sets, Logic, and Algorithms

Hoare Logic (I): Axiomatic Semantics and Program Correctness

CS 5114: Theory of Algorithms

Equivalence Relations and Partitions, Normal Subgroups, Quotient Groups, and Homomorphisms

SFM-11:CONNECT Summer School, Bertinoro, June 2011

Reasoning About Imperative Programs. COS 441 Slides 10b

Fast Probabilistic Simulation, Nontermination, and Secure Information Flow

Turing Machines Part II

Omega Algebra, Demonic Refinement Algebra and Commands. Peter Höfner Kim Solin Bernhard Möller. Report June 2006

Discrete Mathematics and Probability Theory Fall 2014 Anant Sahai Note 15. Random Variables: Distributions, Independence, and Expectations

Stochastic Histories. Chapter Introduction

Continuity of partially ordered soft sets via soft Scott topology and soft sobrification A. F. Sayed

MITOCW watch?v=vjzv6wjttnc

CS243, Logic and Computation Nondeterministic finite automata

Abstraction, Refinement and Proof for Probabilistic Systems

Discrete Mathematics and Probability Theory Spring 2016 Rao and Walrand Note 16. Random Variables: Distribution and Expectation

In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and

Preliminaries. Introduction to EF-games. Inexpressivity results for first-order logic. Normal forms for first-order logic

The Locale of Random Sequences

CS 6110 Lecture 21 The Fixed-Point Theorem 8 March 2013 Lecturer: Andrew Myers. 1 Complete partial orders (CPOs) 2 Least fixed points of functions

Introduction to Logic and Axiomatic Set Theory

Turing Machines Part II

On the Hardness of Analyzing Probabilistic Programs

Advanced Automata Theory 7 Automatic Functions

Communicating Parallel Processes. Stephen Brookes

ClC (X ) : X ω X } C. (11)

Stochastic Processes

Strength; Weakest Preconditions

A Tutorial Introduction to CSP in Unifying Theories of Programming

CHAPTER 1: Functions

Peter Wood. Department of Computer Science and Information Systems Birkbeck, University of London Automata and Formal Languages

cse303 ELEMENTS OF THE THEORY OF COMPUTATION Professor Anita Wasilewska

Basic System and Subsystem Structures in the Dataflow Algebra. A. J. Cowling

Design of Distributed Systems Melinda Tóth, Zoltán Horváth

Probabilistic Bisimilarity as Testing Equivalence

Final Exam Review. 2. Let A = {, { }}. What is the cardinality of A? Is

Unifying Probability with Nondeterminism

CS 322 D: Formal languages and automata theory

Quantum Programming. J. W. Sanders and P. Zuliani

An elementary proof that Herman s Ring is (N 2 )

Logic, Sets, and Proofs

CSC236 Week 11. Larry Zhang

Automata-Theoretic Model Checking of Reactive Systems

As a rst step, we concentrate in this paper on the second problem and we abstract from the problem of synchronisation. We therefore dene a denotationa

0.2 Vector spaces. J.A.Beachy 1

Lecture Notes On THEORY OF COMPUTATION MODULE -1 UNIT - 2

Relational Interfaces and Refinement Calculus for Compositional System Reasoning

Discrete Mathematics and Probability Theory Spring 2016 Rao and Walrand Note 14

A UTP semantics of pgcl as a homogeneous relation

Discrete Mathematics and Probability Theory Summer 2014 James Cook Final Exam

Transcription:

Formal Methods for Probabilistic Systems Annabelle McIver Carroll Morgan Source-level program logic Meta-theorems for loops Examples Relational operational model Standard, deterministic, terminating... functions Standard, deterministic, non-terminating... functions with Standard, demonic, non-terminating... relations with Standard powerdomains... closure Probabilistic powerdomains... sub-distributions Demonic, probabilistic powerdomains... sets of... Examples... program geometry

2 Standard, deterministic, terminating relational semantics

Standard, deterministic, terminating relational semantics No probabilistic choice. 3 Output predictable from input. No infinite loops or run-time errors. standard, deterministic, terminating... Relates initial states to final states, and so gives an operational view. A program f is a function of type state-to-state. f: S S Function f applied to initial state s gives final state s. This is function application, that is f(s). f.s = s

4 Standard, deterministic, terminating relational semantics Initial states Final states 0 0 2 3 2 3 s:=(s ) mod 4 syntax Function f, where f.s =(s ) mod 4. relational semantics of type {0..3} {0..3}

Standard, deterministic relational semantics possibly nonterminating S { } 5 A program f is now a function of type state to state-or-bottom. Function f applied to initial state s gives final state s... or the special nontermination state. f: S S f.s = s if f terminates, from s, ats = otherwise

Standard, deterministic relational semantics 6 Initial states Final states 0 0 2 3 2 3 s:=s We suppose it is a run-time error to attempt to set s to -.

Standard relational semantics possibly nonterminating possibly demonically nondeterministic 7 A program r is now a relation of type state to state-or-bottom. r: S S Usually r is total image-finite and up-closed. Miracles are excluded. Continuity is required. If r can fail to terminate, then all (other) behaviours are deemed possible as well. r.s.s holds just when r can reach s from s. Boolean valued true iff (s,s ) r.

Standard relational semantics 8 Initial states Final states 0 0 2 3 2 3 s:=s ±

Standard relational semantics 9 Initial states Final states 0 0 2 3 2 3 s:=s ±

Standard relational semantics 0 Initial states Final states 0 0 2-2 Up-closure 3 4 3 s:=s ± Remember that it is a run-time error to attempt to set s outside its type {0..3}.

Standard relational semantics Initial states Final states 0 2 3 0 2 3 Gets complicated... s:=s ±...so we take an alternative view...

Standard relational semantics 2 Initial states Sets of final states 0 { } {0} 2 {0,2} {,3} {} {,2,3}... 3 S {0,2, } Up-closed Finite, non-empty subsets of... s:=s ± A program r is a relation of type state to state-orbottom... or equivalently a set-valued function. r: S S r: S PS r: S F + S

The significance of up-closure 3-3 -2-0 2 3 A flat domain, based on the integers; for example 3. a proper outcome nontermination Informally, we regard 3 as a better outcome than. And we regard a program f 2 that delivers consistently better results than some other program f as a better program overall: Program f is refined by f 2 if some If ( s f.s f 2.s ) then we say f f 2 of f s nontermination is replaced {by proper outcomes in f 2. This in effect promotes the order from an order on individual values to an order on functions resulting in those values. For nondeterminism we seek a similar promotion, but this time to the sets of values that represent the demonic choice.

The significance of up-closure: powerdomains 4 Given two relational programs r and r 2, we say that r r 2 iff, for all initial states s, any outcome in the set r 2.s can be justified by some outcome in the set r.s, that is if every behaviour of the implementation r 2 is justified by the specification r : for all s, and s 2 r 2.s, there is an s r.s such that s s 2 That is, if r 2.s.s 2 holds, or equivalently (s,s 2 ) r 2. This is known as the Smyth order. For subsets S,S 2 of the state space S, we say that S S 2 iff ( s 2 s 2 S 2 ( s s S s s 2 )). The refinement order between relations is just the Smyth order on result-sets, lifted functionally as we saw before. MB Smyth. Power domains. Jnl. Comp. Sys. Sci. 6: 23-36, 978.

The significance of up-closure: equivalence classes 5 For subsets S,S 2 of the state space S, we say that S S 2 iff ( s 2 s 2 S 2 ( s s S s s 2 )). The Smyth pre-order. Notice that both {, 2} {, 3} and {, 3} {, 2}. This means that is not a partial order rather it is a pre-order, satisfying reflexivity and transitivity but not antisymmetry. We say that {, 2} {, 3}, that they are equivalent. This is a nuisance, but a well known one with a well known solution: we form equivalence classes, and take a distinguished representative from each class. That representative happens to be the up-closure that is, for subset S of S, the set S defined { s s S ( s s S s s) } Not only does this have the property S S 2 iff S = S 2, as we would expect from the equivalence-class-representative construction, but we have also that S S 2 iff S S 2

Up-closure for a flat domain 6-3 -2-0 2 3 S In the flat domain S the definition of up-closure is particularly simple; it is S = S if S = S otherwise. If the computation can reach, then we deem that it can reach every other state as well. Although we have gone a long way to justify this easy construction, it is reassuring to know that it fits in with the general theory and that will make things work much more smoothly later on. Morgan s Rule: If you re going to re-invent the wheel... at least make sure it s round.

A probabilistic powerdomain 7 The powerdomain construction we have just seen took an underlying set of values, with a partial order representing refinement, and from it constructed in a very general way a partial order over sets of those values, one which can be used to describe demonically nondeterministic programs. A similar construction though more complex takes the underlying set of values, with its refinement order, to a partial order over distributions on those values. That is what we shall use. C Jones. Probabilistic nondeterminism. Monograph ECS-LFCS-90-05 (PhD Thesis), University of Edinburgh, 989. C Jones and G Plotkin. A probabilistic powerdomain of evaluations. Proc. 4th IEEE LICS Symp., 68-95, 989.

A probabilistic powerdomain over a flat structure 8 Take our underlying space S, with its flat information order, and generate the Scott topology on it. Carry on by generating the space of probabilistic evaluations over that topology. Then notice that the result is isomomorphic to { : S [0,] ( s S.s) } with the order Notice we do not need to refer to explicitly. 2 iff.s 2.s for all s S. These are called discrete sub-probability measures. G Gierz et al. A Compendium of Continuous Lattices. Springer Verlag, 980. Jones and Plotkin. Op. cit. (for example) D Kozen. Semantics of probabilistic programs. Jnl. Comp. Sys. Sci. 22:328-350, 98.

Discrete sub-probability measures 9 A discrete probability distribution assigns probabilities to individual points, e.g. the function { H /2, T /2 } that describes flipping an unbiased coin. It gains the prefix sub- if it is not required to sum to one, as in the distribution { H /3, T /3 } for a coin that might not terminate this implicitly includes a probability - /3 - /3 = /3 of nontermination. Such a coin is refined by another that terminates at least as often; and any extra termination can be assigned to either proper outcome; for example, we have { H /3, T /3 } { H 2/5, T /2 } in which the right-hand coin refines the left-hand coin, but still has probability /0 of failing to terminate. Again we have used theoretical tools (information orders, Scott topology, Jones/Plotkin evaluations...) that in the end (via isomorphism) have produced something quite simple. We have thus ensured that the wheel is round and so it rolls very nicely!

A demonic powerdomain over discrete sub-probability measures 20 To have both demonic and probabilistic choice available to us, we take the probabilistic powerdomain we have just constructed discrete sub-probability measures and apply our earlier up-closure of sets construction; the latter will add demonic choice, as it did before, but this time to elements that already model probability. The flat domain over state space S. The probabilistic powerdomain over S. Sets of discrete sub-probability measures, for demonic choice. Closed sets of discrete subprobability measures, for refinement. S S PS CS Discrete subprobability measures. Then up closure, convex closure, Cauchy closure? CS PS The relational model of demonic, probabilistic programs. S CS HS

A brief tour of S when S is the two-element space { H, T } of coin-flip results T 2 { } (/2, /2) 0 An unbiased coin. H McIver and Morgan. Abstraction, Refinement and Proof for Probabilistic Systems, Chapter 6. Springer Verlag, 2004.

A brief tour of S when S is the two-element space { H, T } of coin-flip results T 22 (2/3, /3) 0 A heads-biased coin. H

A brief tour of S when S is the two-element space { H, T } of coin-flip results T 23 (/3, 2/3) 0 A tails-biased coin. H

A brief tour of S when S is the two-element space { H, T } of coin-flip results T 24 Demonic choice between these (/3, 2/3) (/2, /2) Convex closure (2/3, /3) 0 A biased coin, up to /6 either way... H... one refinement of which is an unbiased coin.

A brief tour of S when S is the two-element space { H, T } of coin-flip results T 25 (/3, 2/3) (/2, /2) Up closure (/3, /3) (2/3, /3) 0 A possibly nonterminating coin... whose refinements include all three coins before. H

A brief tour of S when S is the two-element space { H, T } of coin-flip results T 26 Convex closure Up closure (/4, /3) (/3, /4) 0 Demonically, either of two possibly nonterminating coins. H

A brief tour of S when S is the two-element space { H, T } of coin-flip results T 27 Up closure (/4, /3) (/3, /4) 0 Demonically, either of two possibly nonterminating coins. H

A brief tour of S when S is the two-element space { H, T } of coin-flip results 28 HS for Jifeng He He, McIver and Seidel. Probabilistic models for the guarded command language. Sci. Comp. Prog. 28:7-92, 997. T (/4, /3) HS is the relational model S CS Convex closure Up closure Cauchy closure (/3, /4) 0 Demonically, either of two possibly nonterminating coins. H

A brief tour of S concluded... but what s the connection with the programming logic? 29 He, McIver and Seidel. Probabilistic models for the guarded command language. Sci. Comp. Prog. 28:7-92, 997. Morgan, McIver and Seidel. Probabilistic predicate transformers. ACM TOPLAS 8(3): 325-353,996. T (/4, /3) (/3, /4) 0 Demonically, either of two possibly nonterminating coins. Convex closure Up closure Cauchy closure H

A brief tour of S concluded... but what s the connection with the programming logic? 30 x + 2y = /3 + 2(/4) = 5/6 T (,2) What is the greatest guaranteed expected value of this program with respect to the post-expectation [c=h] + 2[c=T]? x + 2y = 0 (/4, /3) It s 5/6. (/3, /4) 0 Demonically, either of two possibly nonterminating coins. H

A brief tour of S concluded... but what s the connection with the programming logic? 3 x + 2y = /3 + 2(/4) = 5/6 T (,2) What is the greatest guaranteed expected value of this program with respect to the post-expectation 2[c=H] + [c=t]? x + 2y = 0 (/4, /3) (/3, /4) 0 Demonically, either of two possibly nonterminating coins. H

A brief tour of S concluded... but what s the connection with the programming logic? 32 2x + y = 2/3 + /4 = /2 T (,2) What is the greatest guaranteed expected value of this program with respect to the post-expectation 2[c=H] + [c=t]? (/4, /3) (2,) It s not /2. (/3, /4) 0 Demonically, either of two possibly nonterminating coins. H

A brief tour of S concluded... 2x + y = 2/4 + /3 = 5/6 T but what s the connection with the programming logic? What is the greatest guaranteed expected value of this program with respect to the post-expectation 33 2x + y = 0 (/4, /3) (/3, /4) (2,) 0 2[c=H] + [c=t]? It s 5/6 again, because this time the demon goes to the other extreme. H

The two semantics are congruent 34 pree wp.prog.poste means ( s:s; : prog.s pree.s exp. poste ) transformer model: fun.s fun.s (sublinear) relational model: S (dist.s) Combined logic of weakest pre-expectations: pree wp(prog,poste)

The two semantics are congruent 35 wp.prog.poste.s means (" : prog.s pree.s exp. poste ) transformer model: fun.s fun.s (sublinear) = relational model: S (dist.s) Combined logic of weakest pre-expectations: pree wp(prog,poste)

Exercises 36 Ex. : Experiment with the geometric presentation of the transformer semantics: what happens to the demonic coin with post-expectation just [c=h]? just [c=t]? just [true]? (The direction numbers for [true] are (,), i.e. the grazing-line approaches at 45. Which distribution-point does it touch first?) Ex. 2: Why isn t the answer to the third item above just again?

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback