Abstract
We formalise two semantics observing the expected running time of pGCL programs. The first semantics is a denotational semantics providing a direct computation of the running time, similar to the weakest pre-expectation transformer. The second semantics interprets a pGCL program in terms of a Markov decision process (MDP), i.e. it provides an operational semantics. Finally, we show the equivalence of both running time semantics.
We want to use this work to implement a program logic in Isabelle/HOL to verify the expected running time of pGCL programs. We base it on recent work by Kaminski, Katoen, Matheja, and Olmedo. We also formalise the expected running time of a simple symmetric random walk, discovering a flaw in the original proof.
Keywords
- Expected Running Time
- pGCL Program
- Simple Symmetric Random Walk
- Markov Decision Process (MDP)
- Denotational Semantics
1 Introduction
We want to implement expected running time analysis in Isabelle/HOL based on Kaminski et al. [9]. They present semantics and proof rules to analyse the expected running time of probabilistic guarded command language (pGCL) programs. pGCL is an interesting programming language as it admits probabilistic and non-deterministic choice, as well as unbounded while loops [12].
Following [9], in Sect. 3 we formalise two running time semantics for pGCL and show their equivalence: a denotational one, expressed as an expectation transformer, and an operational one, defining a Markov decision process (MDP). This proof follows the equivalence proof of pGCL semantics on the expectation of program variables in [4], derived from the pen-and-paper proof by Gretz et al. [3].
Based on these formalisations we analyse the simple symmetric random walk, and show that the expected running time is infinite. We started with the proof provided in [9], but we discovered a flaw in the proof of the lower \(\omega \)-invariant based on the denotational semantics. Now, our solution combines results from the probability measure of the operational semantics and the fixed point solution from the denotational semantics.
Both proofs are based on our formalisation of Markov chains and MDPs [4]. The formalisation in this paper is available on Bitbucket (see Footnote 1).
2 Preliminaries
The formulas in this paper are oriented on Isabelle's syntax: type annotations and type-class constraints follow Isabelle (i.e. t has type \(\tau \) which is in type class tc), and type constructors are written in postfix notation. We write int for integers, ennreal for extended non-negative real numbers \([0, \infty ]\), \(\alpha \) stream for infinite streams of \(\alpha \), and \(\alpha \) pmf for probability mass functions (i.e. discrete distributions) on \(\alpha \). The state space is usually the type variable \(\sigma \). On infinite streams, sdrop \(n\,\,\omega \) drops the first n elements from the stream \(\omega \).
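In a Python rendering, streams can be modelled as infinite iterators; a hypothetical sdrop (the encoding is ours, not part of the formalisation) looks like:

```python
from itertools import count, islice

def sdrop(n, omega):
    """Drop the first n elements of the (infinite) stream omega."""
    it = iter(omega)
    for _ in range(n):
        next(it)
    return it

# sdrop 3 applied to the stream 0, 1, 2, 3, ... yields 3, 4, 5, ...
assert list(islice(sdrop(3, count(0)), 4)) == [3, 4, 5, 6]
```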
Least Fixed Points. A central tool for defining semantics is the least fixed point on a complete lattice, e.g. bool, enat, and ennreal. The least fixed point is the infimum of all pre-fixed points, \(\mathsf {lfp}\,f = \bigsqcap \{u.\; f\,u \le u\}\). For a monotone function f we get the unfolding equation \(\mathsf {lfp}\,f = f\,(\mathsf {lfp}\,f)\). Fixed point theory also gives nice algebraic rules: the rolling rule “rolls” a composed fixed point, \(\mathsf {lfp}\,(g \circ f) = g\,(\mathsf {lfp}\,(f \circ g))\) for monotone f and g, and the diagonal rule for nested fixed points, \(\mathsf {lfp}\,(\lambda x.\, \mathsf {lfp}\,(f\,x)) = \mathsf {lfp}\,(\lambda x.\, f\,x\,x)\) for f monotone in both arguments.
To use least fixed points in measure theory, countable approximations are necessary. This is possible if the function f is sup-continuous: \(f\,(\bigsqcup _i C\,i) = \bigsqcup _i f\,(C\,i)\) for all chains C. Then f is monotone and \(\mathsf {lfp}\,f = \bigsqcup _i f^i\,\bot \). For our proofs we also need an induction rule and a transfer rule (see Footnote 2):
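On a lattice of finite height the approximation chain \(\bot \le f\,\bot \le f\,(f\,\bot ) \le \dots \) stabilises after finitely many steps, so the least fixed point can literally be computed. A small sketch (the reachability example is our own, not from the paper):

```python
def lfp(f, bottom):
    """Kleene iteration: for monotone f on a lattice of finite height the
    chain bottom, f(bottom), f(f(bottom)), ... stabilises at lfp f."""
    x = bottom
    while f(x) != x:
        x = f(x)
    return x

# Forward reachability from node 0 as a least fixed point on the powerset
# lattice (bottom = empty set, join = union).
edges = {0: {1}, 1: {2}, 2: {2}, 3: {0}}
f = lambda s: frozenset({0}) | frozenset(t for u in s for t in edges[u])
assert lfp(f, frozenset()) == frozenset({0, 1, 2})
```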
Markov Chains (MCs) and Markov Decision Processes (MDPs). An overview of Isabelle’s MC and MDP theory is found in [4, 5]. An MC is defined by a transition function, inducing an expectation: the expectation of f over all traces in K starting in s. An MDP is defined by a transition function, inducing the maximal expectation: the supremum of the expectations of f over all traces in K starting in s. Both expectations take values in ennreal, which is a complete lattice. Both are sup-continuous on measurable functions (called monotone convergent in measure theory), which allows us to apply the transfer rule when f is defined as a least fixed point. Both expectations also support an iteration rule, i.e. we can compute them by first taking a step in K and then continuing in the resulting state t:
Here \(t\cdot \omega \) is the stream constructor and \(\int f\,\mathsf {d}D\) is the integral over the pmf D.
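For a finite Markov chain, the iteration rule determines expected step counts as a least fixed point, which Kleene iteration from the bottom expectation 0 approximates. A toy sketch (the chain and all names are ours, not Isabelle's API):

```python
def expected_steps(K, s0, absorbing, iters=200):
    """Kleene iteration for the least fixed point of the iteration rule
    E_s = 1 + sum_t K(s)(t) * E_t   (with E_s = 0 for absorbing s),
    i.e. the expected number of steps to absorption, starting from the
    bottom expectation 0 as in lfp f = sup_i f^i(bottom)."""
    E = {s: 0.0 for s in K}
    for _ in range(iters):
        E = {s: 0.0 if s in absorbing
                else 1.0 + sum(p * E[t] for t, p in K[s].items())
             for s in K}
    return E[s0]

# From 'try' we finish with probability 1/2 and stay otherwise, so the
# number of steps is geometric and its expectation is 1 / (1/2) = 2.
K = {'try': {'done': 0.5, 'try': 0.5}, 'done': {'done': 1.0}}
assert abs(expected_steps(K, 'try', {'done'}) - 2.0) < 1e-9
```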
3 Probabilistic Guarded Command Language (pGCL)
The probabilistic guarded command language (pGCL) is a simple programming language allowing probabilistic assignment, non-deterministic choice, and arbitrary while loops. A thorough description of it using the weakest pre-expectation transformer (wp) semantics is found in McIver and Morgan [12]. Gretz et al. [3] show the equivalence of wp with an operational semantics based on MDPs. Hurd et al. [8] and Cock [2] provide a shallow embedding of pGCL in HOL4 and Isabelle/HOL. We follow the definition in Kaminski et al. [9].
In Fig. 1 we define a datatype representing pGCL programs over an arbitrary program state of type \(\sigma \). Empty has no running time. Halt immediately aborts the program. Seq is sequential composition. Par is non-deterministic choice, i.e. both commands are executed and then one of the results is chosen. Assign, If, and While have the expected behaviour, and all three commands require one time step. A probabilistic choice is possible with Assign u, where u is a probabilistic state transformer. The expected running time of Assign u weights each possible running time with the outcome of u. The assignment is deterministic if u is a Dirac distribution, i.e. it assigns probability 1 to exactly one value. We need the datatype to have a deep embedding of pGCL programs, which is necessary for the construction of the MDP.
Expected Running Time. The denotational semantics for the running time is given as an expectation transformer, similar to the denotational semantics for the expectation of program variables as weakest pre-expectation transformers. Again we follow the definition in Kaminski et al. [9]. In Fig. 2 we define the expectation transformer ert, taking a pGCL command c and an expectation f, where f assigns an expected running time to each terminal state of c. This gives a simple recursive definition of the Seq case; for the expected running time of a complete pGCL program we set \(f = 0\). We proved several validating theorems about the expectation transformer ert: continuity and monotonicity of ert c, closedness under constant addition for Halt-free programs, sub-additivity, etc.
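To illustrate the shape of ert (without claiming to match Fig. 2 verbatim), here is a hypothetical Python sketch of the transformer on a toy deep embedding of pGCL; While is approximated by unrolling the Kleene chain of its least fixed point, and all names and the encoding are our own:

```python
# A toy deep embedding of pGCL commands as tagged tuples (encoding ours).
Empty = ('Empty',)
Halt = ('Halt',)
def Assign(u): return ('Assign', u)        # u: state -> {state: probability}
def Seq(c1, c2): return ('Seq', c1, c2)
def If(b, c1, c2): return ('If', b, c1, c2)
def Par(c1, c2): return ('Par', c1, c2)
def While(b, c): return ('While', b, c)

def ert(c, f, fuel=100):
    """Expected-running-time transformer: ert c f maps a state to the
    expected number of steps of c, plus f at the terminal states.
    While is approximated by unrolling its Kleene chain `fuel` times."""
    tag = c[0]
    if tag == 'Empty':
        return f                            # Empty has no running time
    if tag == 'Halt':
        return lambda s: 0.0                # aborts: no further cost
    if tag == 'Assign':
        u = c[1]
        return lambda s: 1.0 + sum(p * f(t) for t, p in u(s).items())
    if tag == 'Seq':
        return ert(c[1], ert(c[2], f, fuel), fuel)
    if tag == 'If':
        g1, g2 = ert(c[2], f, fuel), ert(c[3], f, fuel)
        return lambda s: 1.0 + (g1(s) if c[1](s) else g2(s))
    if tag == 'Par':
        g1, g2 = ert(c[1], f, fuel), ert(c[2], f, fuel)
        return lambda s: max(g1(s), g2(s))  # maximal (demonic) running time
    if tag == 'While':
        b, body = c[1], c[2]
        W = lambda s: 0.0                   # bottom of the Kleene chain
        for _ in range(fuel):
            g = ert(body, W, fuel)
            W = (lambda g: lambda s: 1.0 + (g(s) if b(s) else f(s)))(g)
        return W
    raise ValueError(tag)

# while (x > 0) { x := x - 1 } from x = 3: each iteration costs one step
# for the guard and one for the assignment, plus one final guard check.
dec = Assign(lambda s: {s - 1: 1.0})
loop = While(lambda s: s > 0, dec)
assert ert(loop, lambda s: 0.0)(3) == 7.0
```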
MDP Semantics. For the operational small-step semantics we introduce an MDP constructed per pGCL program, and compute the expected number of steps until the program terminates. In Fig. 3 we define the MDP by its transition function K and the per-state cost function cost f c s x, which computes the running time cost associated with the program c in state s. Here the program is seen as a list of statements: we walk along a chain of Seq constructors and only look at the left-most leaf. If the program is Empty, the MDP stops and we return f s, i.e. the further running time cost we want to associate with a finished state s (in most cases this will be 0, but it is essential in the induction case of Theorem 1). When the execution continues we also add x, cf. the definitions in Fig. 3.
The transition function K now induces a set of trace spaces, one for each possible resolution of the non-deterministic choices introduced by Par. We write \(\hat{\mathbb {E}}^{K}_{(c, s)}[f]\) for the maximal expectation when the MDP starts in (c, s). We define the cost of a trace as the sum of cost over all states in the trace:
Finally, the maximal expectation of the trace cost computes ert:
Theorem 1
Proof
(Induction on c). The interesting cases are Seq and While. For Seq we prove the corresponding fixed point equation by fixed point induction in both directions. For While we prove
by equating it to a completely unrolled version using fixed point induction, and then massaging it into the right form using the rolling and diagonal rules. \(\square \)
4 Simple Symmetric Random Walk
As an application of the expected running time analysis, Kaminski et al. [9] chose the simple random walk. In contrast to [9], we do not use \(\omega \)-invariants to prove the infinite running time, but the correspondence of the program with a Markov chain (there is no non-deterministic choice).
The simple symmetric random walk (srw) is a Markov chain on \(\mathbb {Z}\); in each step it goes uniformly from i to \(i + 1\) or \(i - 1\) (i.e. in both cases with probability 1/2). Surprisingly, but well known (and formalised by Hurd [7]), it reaches each point with probability 1. Equally surprising, the expected time for the srw to go from i to \(i + 1\) is infinite! Kaminski et al. [9] prove this by providing a lower \(\omega \)-invariant. Unfortunately, this proof has a flaw: in Appendix B.1 of [10] (the extended version of [9]), the equation \(1 + \llbracket x > 0 \rrbracket \cdot 2 + \llbracket 1 < x \le n + 1 \rrbracket \cdot \infty + \llbracket 0 < x \le n - 1 \rrbracket \cdot \infty = 1 + \llbracket x > 0 \rrbracket \cdot 2 + \llbracket 0 < x \le n + 1 \rrbracket \cdot \infty \) does not hold for \(n=0\) and \(x=1\). The author knows from private communication with Kaminski et al. that it is still possible to use a lower \(\omega \)-invariant; unfortunately, the necessary invariant becomes much more complicated.
After discovering the flaw, we tried a more traditional proof. The usual approach in random walk theory uses the generating function of the first hitting time. Unfortunately, this would require substantial formalisation work in combinatorics, e.g. Stirling numbers and more theorems about generating functions than are available in [4]. Finally, we chose an approach similar to [7]: we set up a linear equation system and prove that its only solution is infinity.
The Markov chain for the simple symmetric random walk is given by its transition function. The expected time to reach j when started in i is written \(H~i~j\), defined via the first hitting time. Now we need to prove four rules, (I)–(IV), relating these expected hitting times. From these rules we can derive \(H~i~j = \infty \) for \(i \not = j\).
Rule (IV) is derived from the expectation transformer semantics. But it is not clear to us how to prove rule (I) by only applying fixed point transformations or induction. Instead we prove (I) in a measure-theoretic way:
Equation 1 requires that f k is finite with probability 1, so we do a case distinction: if it is not finite a.e., the result follows from \(H~j~i \ge H~j~k = \infty \). Equation 2 is then simply proved by induction on n. The proofs for Eqs. 1 and 2 essentially operate on each trace \(\omega \) in our probability space, making them inherently dependent on the trace space.
Theorem 2
(The running time of srw is infinite). \( H~i~j = \infty ~\text {if}~i \not = j. \)
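Though not part of the formal development, the divergence in Theorem 2 can be probed numerically: the truncated expectation \(\mathbb {E}[\min (T, n)]\) of the first hitting time T keeps growing with n (like \(\sqrt{n}\)) instead of converging. A sketch with our own names:

```python
def truncated_hitting_time(n, start=0, target=1):
    """E[min(T, n)] where T is the first time the simple symmetric random
    walk started at `start` hits `target`, via the recurrence
    t_0(i) = 0,  t_k(i) = 0 if i = target
                          else 1 + (t_{k-1}(i-1) + t_{k-1}(i+1)) / 2."""
    lo = start - n - 1              # cover all positions reachable in n steps
    size = 2 * n + 3
    t = [0.0] * size
    for _ in range(n):
        nxt = [0.0] * size
        for j in range(1, size - 1):
            if lo + j != target:
                nxt[j] = 1.0 + 0.5 * (t[j - 1] + t[j + 1])
        t = nxt
    return t[start - lo]

# If E[T] were finite, E[min(T, n)] would converge; instead it grows
# without bound, consistent with H i j = infinity for i /= j.
ts = [truncated_hitting_time(n) for n in (50, 200, 800)]
assert ts[0] < ts[1] < ts[2]
assert ts[2] > 3 * ts[0]
```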
5 Coupon Collector
Another example we formalised is the coupon collector from [9]. The idea is to compute the expected time until we have collected N different coupons from a uniform, independent and infinite source of coupons. The left side of Fig. 4 shows our concrete implementation \(\mathtt {CC}_N\), the right side its refinement (no array cp is necessary). By fixed point transformations we show that the (refined) inner loop's running time has a geometric distribution, and hence we derive the expected running time of \(\mathtt {CC}_N\) for \(N>0\).
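The geometric-distribution argument can be checked against the classic coupon-collector formula for the expected number of draws, \(N \cdot H_N\) (note this counts draws only, not the guard and assignment steps that ert charges; the code and names are our own sketch):

```python
import random

def expected_draws(N):
    """Collecting the (k+1)-st new coupon out of N takes a geometrically
    distributed number of draws with success probability (N - k) / N, so
    the expected total is sum_k N / (N - k) = N * H_N."""
    return sum(N / (N - k) for k in range(N))

def simulate_draws(N, rng):
    """Draw uniform coupons until all N distinct ones have been seen."""
    seen, draws = set(), 0
    while len(seen) < N:
        seen.add(rng.randrange(N))
        draws += 1
    return draws

# Monte Carlo check with a fixed seed: the empirical mean is close to N * H_N.
rng = random.Random(0)
est = sum(simulate_draws(10, rng) for _ in range(20000)) / 20000
assert abs(est - expected_draws(10)) < 1.0
```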
6 Related Work
The first formalisation of probabilistic programs was by Hurd [7] in hol98, formalising a trace space for a stream of probabilistic bits. Hurd et al. [8] is a different approach, formalising the weakest pre-expectation transformer semantics of pGCL in HOL4. The two formalisations are not related. Audebaud and Paulin-Mohring [1] use a shallow embedding of a probability monad in Coq.
Cock [2] provides a VCG for pGCL in Isabelle/HOL. Hölzl and Nipkow [5, 6] formalise MCs and analyse the expected running time of the ZeroConf protocol. On the basis of [5], Hölzl [4] formalises MDPs and shows the equivalence of the weakest pre-expectation transformer semantics (based on the pen-and-paper proof in [3]).
Unlike Theorem 1, these formalisations either define denotational semantics [1, 2, 8] or operational semantics [5–7]; none of them relates both semantics.
7 Conclusion and Future Work
While formalising the random walk example from [9] we found an essential flaw in the proof in [10]. Our solution seems to indicate that, for the verification of expected running times, an \(\omega \)-invariant approach is not enough. While the expectation transformer gives us a nice verification condition generator (e.g. [2]), the trace space might be required to obtain additional information, e.g. fairness and termination. The equivalence between the expectation transformer semantics and the MDP semantics provides the required bridge between both worlds. We might also require a probabilistic, relational Hoare logic (maybe based on [11]) to automate tasks like Fig. 4.
Notes
- 1.
- 2. In our formalisation, the transfer rule is stronger: expectation requires measurability, hence we restrict the elements to which we apply \(\alpha \) by some predicate P.
References
Audebaud, P., Paulin-Mohring, C.: Proofs of randomized algorithms in Coq. Sci. Comput. Prog. 74(8), 568–589 (2009)
Cock, D.: Verifying probabilistic correctness in Isabelle with pGCL. In: SSV 2012. EPTCS, vol. 102, pp. 167–178 (2012)
Gretz, F., Katoen, J., McIver, A.: Operational versus weakest pre-expectation semantics for the probabilistic guarded command language. Perform. Eval. 73, 110–132 (2014)
Hölzl, J.: Markov chains and Markov decision processes in Isabelle/HOL. Submitted to JAR in December 2015. http://in.tum.de/~hoelzl/mdptheory
Hölzl, J.: Construction and Stochastic Applications of Measure Spaces in Higher-Order Logic. Ph.D. thesis, Technische Universität München (2013)
Hölzl, J., Nipkow, T.: Interactive verification of Markov chains: two distributed protocol case studies. In: QFM 2012. EPTCS, vol. 103 (2012)
Hurd, J.: Formal Verification of Probabilistic Algorithms. Ph.D. thesis (2002)
Hurd, J., McIver, A., Morgan, C.: Probabilistic guarded commands mechanized in HOL. Theoret. Comput. Sci. 346(1), 96–112 (2005)
Kaminski, B.L., Katoen, J.-P., Matheja, C., Olmedo, F.: Weakest precondition reasoning for expected run–times of probabilistic programs. In: Thiemann, P. (ed.) ESOP 2016. LNCS, vol. 9632, pp. 364–389. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49498-1_15
Kaminski, B.L., Katoen, J., Matheja, C., Olmedo, F.: Weakest precondition reasoning for expected run-times of probabilistic programs. CoRR abs/1601.01001v1 (Extended version) (2016)
Lochbihler, A.: Probabilistic functions and cryptographic oracles in higher order logic. In: Thiemann, P. (ed.) ESOP 2016. LNCS, vol. 9632, pp. 503–531. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49498-1_20
McIver, A., Morgan, C.: Abstraction, Refinement and Proof for Probabilistic Systems. Monographs in Computer Science. Springer, New York (2004)
© 2016 Springer International Publishing Switzerland
Hölzl, J. (2016). Formalising Semantics for Expected Running Time of Probabilistic Programs. In: Blanchette, J., Merz, S. (eds.) Interactive Theorem Proving. ITP 2016. Lecture Notes in Computer Science, vol. 9807. Springer, Cham. https://doi.org/10.1007/978-3-319-43144-4_30