arXiv:2007.06327v1 [cs.LO] 13 Jul 2020 Generating Functions for Probabilistic Programs⋆ Lutz Klinkenberg1[0000−0002−3812−0572] , Kevin Batz1[0000−0001−8705−2564] , Benjamin Lucien Kaminski1,2[0000−0001−5185−2324] , Joost-Pieter Katoen1[0000−0002−6143−1926] , Joshua Moerman1[0000−0001−9819−8374] , and Tobias Winkler1[0000−0003−1084−6408] 1 RWTH Aachen University, 52062 Aachen, Germany 2 University College London, United Kingdom {lutz.klinkenberg, kevin.batz, benjamin.kaminski, katoen, joshua, tobias.winkler}@cs.rwth-aachen.de Abstract. This paper investigates the usage of generating functions (GFs) encoding measures over the program variables for reasoning about discrete probabilistic programs. To that end, we define a denotational GF-transformer semantics for probabilistic while-programs, and show that it instantiates Kozen’s seminal distribution transformer semantics. We then study the effective usage of GFs for program analysis. We show that finitely expressible GFs enable checking super-invariants by means of computer algebra tools, and that they can be used to determine termination probabilities. The paper concludes by characterizing a class of — possibly infinite-state — programs whose semantics is a rational GF encoding a discrete phase-type distribution. Keywords: probabilistic programs · quantitative verification · semantics · formal power series. 1 Introduction Probabilistic programs are sequential programs for which coin flipping is a firstclass citizen. They are used e.g. to represent randomized algorithms, probabilistic graphical models such as Bayesian networks, cognitive models, or security protocols. Although probabilistic programs are typically rather small, their analysis is intricate. For instance, approximating expected values of program variables at program termination is as hard as the universal halting problem [15]. Determining higher moments such as variances is even harder. Deductive program verification techniques based on a quantitative version of weakest preconditions [18] enable to reason about the outcomes of probabilistic programs, such as what is the probability that a program variable equals a certain value. Dedicated analysis techniques have been developed to e.g., determine tail bounds [6], decide almost-sure termination [19,8], or to compare programs [1]. ⋆ This research was funded by the ERC AdG project FRAPPANT (787914) and the DFG RTG 2236 UnRAVeL. 2 L. Klinkenberg et al. This paper aims at exploiting the well-tried potential of probability generating functions (PGFs [14]) for the analysis of probabilistic programs. In our setting, PGFs are power series representations — generating functions — encoding discrete probability mass functions of joint distributions over program variables. PGF representations — in particular if finite — enable a simple extraction of important information from the encoded distributions such as expected values, higher moments, termination probabilities or stochastic independence of program variables. To enable the usage of PGFs for program analysis, we define a denotational semantics of a simple probabilistic while-language akin to probabilistic GCL [18]. Our semantics is defined in a forward manner: given an input distribution over program variables as a PGF, it yields a PGF representing the resulting subdistribution. The “missing” probability mass represents the probability of non-termination. More accurately, our denotational semantics transforms formal power series (FPS). Those form a richer class than PGFs, which allows for overapproximations of probability distributions. While-loops are given semantics as least fixed points of FPS transformers. It is shown that our semantics is in fact an instantiation of Kozen’s seminal distribution-transformer semantics [16]. The semantics provides a sound basis for program analysis using PGFs. Using Park’s Lemma, we obtain a simple technique to prove whether a given FPS overapproximates a program’s semantics i.e., whether an FPS is a so-called superinvariant. Such upper bounds can be quite useful: for almost-surely terminating programs, such bounds can provide exact program semantics, whereas, if the mass of an overapproximation is strictly less than one, the program is provably non-almost-surely terminating. This result is illustrated on a non-trivial random walk and on examples illustrating that checking whether an FPS is a superinvariant can be automated using computer algebra tools. In addition, we characterize a class of — possibly infinite-state — programs whose PGF semantics is a rational function. These homogeneous bounded programs (HB programs) are characterized by loops in which each unbounded variable has no effect on the loop guard and is in each loop iteration incremented by a quantity independent of its own value. Operationally speaking, HB programs can be considered as finite-state Markov chains with rewards in which rewards can grow unboundedly large. It is shown that the rational PGF of any program that is equivalent to an almost-surely terminating HB program represents a multi-variate discrete phase-type distribution [22]. We illustrate this result by obtaining a closed-form characterization for the well-studied infinite-state dueling cowboys example [18]. Related work. Semantics of probabilistic programs is a well-studied topic. This includes the seminal works by Kozen [16] and McIver and Morgan [18]. Other related semantics of discrete probabilistic while-programs are e.g., given in several other articles like [18,24,10,23,4]. PGFs have recent scant attention in the analysis of probabilistic programs. A notable exception is [5] in which generating functions of finite Markov chains are obtained by Padé approximation. Computer Generating Functions for Probabilistic Programs 3 algebra systems have been used to transform probabilistic programs [7], and more recently in the automated generation of moment-based loop invariants [2]. Organization of this paper. After recapping FPSs and PGFs in Sections 2–3, we define our FPS transformer semantics in Section 4, discuss some elementary properties and show it instantiates Kozen’s distribution transformer semantics [16]. Section 5 presents our approach for verifying upper bounds to loop invariants and illustrates this by various non-trivial examples. In addition, it characterizes programs that are representable as finite-state Markov chains equipped with rewards and presents the relation to discrete phase-type distributions. Section 6 concludes the paper. All proofs can be found in the appendix. 2 Formal Power Series Our goal is to make the potential of probability generating functions available to the formal verification of probabilistic programs. The programs we consider will, without loss of generality, operate on a fixed set of k program variables. The valuations of those variables range over N. A program state σ is hence a vector in Nk . We denote the state (0, . . . , 0) by 0. A prerequisite for understanding probability generating functions are (multivariate) formal power series — a special way of representing a potentially infinite k-dimensional array. For k=1, this amounts to representing a sequence. Definition 1 (Formal Power Series). Let X = X1 , . . . , Xk be a fixed sequence of k distinct formal indeterminates. For a state σ = (σ1 , . . . , σk ) ∈ Nk , let Xσ abbreviate the formal multiplication X1σ1 · · · Xkσk . The latter object is called a monomial and we denote the set of all monomials over X by Mon (X). A (multivariate) formal power series (FPS) is a formal sum X [σ]F · Xσ , where [ · ]F : N k → R ∞ F = ≥0 , σ∈Nk R∞ ≥0 where denotes the extended positive real line. We denote the set of all FPSs by FPS. Let F, G ∈ FPS. If [σ]F < ∞ for all σ ∈ Nk , we denote this fact by F ≪ ∞. The addition F + G and scaling r · F by a scalar r ∈ R∞ ≥0 is defined coefficient-wise by X X  F +G = [σ]F + [σ]G · Xσ r · [σ]F · Xσ . and r·F = σ∈Nk σ∈Nk For states σ = (σ1 , . . . , σk ) and τ = (τ1 , . . . , τk ), we define σ + τ = (σ1 + τ1 , . . . , σk + τk ). The multiplication F · G is given as their Cauchy product (or discrete convolution) X [σ]F · [τ ]G · Xσ+τ . F ·G = σ,τ ∈Nk Drawing coefficients from the extended reals enables us to define a complete lattice on FPSs in Section 4. Our analyses in Section 5 will, however, only consider FPSs with F ≪ ∞. 4 3 L. Klinkenberg et al. Generating Functions A generating function is a device somewhat similar to a bag. Instead of carrying many little objects detachedly, which could be embarrassing, we put them all in a bag, and then we have only one object to carry, the bag. — George Pólya [25] Formal power series pose merely a particular way of encoding an infinite kdimensional array as yet another infinitary object, but we still carry all objects forming the array (the coefficients of the FPS) detachedly and there seems to be no advantage in this particular encoding. It even seems more bulky. We will now, however, see that this bulky encoding can be turned into a one-object bag carrying all our objects: the generating function. Definition 2 (Generating Functions). The generating function of a formal P power series F = σ∈Nk [σ]F · Xσ ∈ FPS with F ≪ ∞ is defined as the partial function f: [0, 1]k 99K R≥0 , (x1 , . . . , xk ) 7→ X [σ]F · xσ1 1 · · · xσk k . σ=(σ1 ,...,σk )∈Nk In other words: in order to turn an FPS into its generating function, we merely treat every formal indeterminate Xi as an “actual” indeterminate xi , and the formal multiplications and the formal sum also as “actual” ones. The generating function f of F is uniquely determined by F as we require all coefficients of F to be non-negative, and so the ordering of the summands is irrelevant: For a given point x ∈ [0, 1]k , the sum defining f (x) either converges absolutely to some positive real or diverges absolutely to ∞. In the latter case, f is undefined at x and hence f may indeed be partial. Since generating functions stem from formal power series, they are infinitely often differentiable at 0 = (0, . . . , 0). Because of that, we can recover F from f as the (multivariate) Taylor expansion of f at 0. Definition 3 (Multivariate Derivatives and Taylor Expansions). For σ = (σ1 , . . . , σk ) ∈ Nk , we write f (σ) for the function f differentiated σ1 times in x1 , σ2 times in x2 , and so on. If f is infinitely often differentiable at 0, then the Taylor expansion of f at 0 is given by X σ∈Nk f (σ) ( 0 ) · xσ1 · · · xσk k . σ1 ! · · · σk ! 1 If we replace every indeterminate xi by the formal indeterminate Xi in the Taylor expansion of generating function f of F , then we obtain the formal power series F . It is in precisely that sense, that f generates F . Generating Functions for Probabilistic Programs 5 Example 1 (Formal Power Series and Generating Functions). Consider the infinite (1-dimensional) sequence 1/2, 1/4, 1/8, 1/16, . . .. Its (univariate) FPS — the entity carrying all coefficients detachedly — is given as 1 1 1 1 1 1 1 1 + X + X2 + X3 + X4 + X5 + X6 + X7 + . . . . 2 4 8 16 32 64 128 256 (†) On the other hand, its generating function — the bag — is given concisely by 1 . 2−x (♭) Figuratively speaking, (†) is itself the infinite sequence an := 21n , whereas (♭) is a bag with the label “infinite sequence an := 21n ”. The fact that (†) generates (♭), 1 at 0 being 21 + 41 x + 18 x2 + . . .. △ follows from the Taylor expansion of 2−x The potential of generating functions is that manipulations to the functions — i.e. to the concise representations — are in a one-to-one correspondence to the associated manipulations to FPSs [9]. For instance, if f (x) is the generating function of F encoding the sequence a1 , a2 , a3 , . . ., then the function f (x) · x is the generating function of F · X which encodes the sequence 0, a1 , a2 , a3 , . . . As another example for correspondence between operations on FPSs and generating functions, if f (x) and g(x) are the generating functions of F and G, respectively, then f (x) + g(x) is the generating function of F + G. Example 2 (Manipulating to Generating Functions). Revisiting Example 1, if 1 we multiply 2−x by x, we change the label on our bag from “infinite sequence 1 := 21n ” and — just by := an 2n ” to “a 0 followed by an infinite sequence an+1 changing the label — the bag will now contain what it says on its label. Indeed, 1 4 x at 0 is 0 + 21 x + 41 x2 + 18 x3 + 16 x + . . . encoding the Taylor expansion of 2−x the sequence 0, 1/2, 1/4, 1/8, 1/16, . . . △ Due to the close correspondence of FPSs and generating functions [9], we use both concepts interchangeably, as is common in most mathematical literature. We mostly use FPSs for definitions and semantics, and generating functions in calculations and examples. Probability Generating Functions. We now use formal power series to represent probability distributions. Definition 4 (Probability Subdistribution). A probability subdistribution (or simply subdistribution) over Nk is a function X µ : Nk → [0, 1], such that |µ| = µ(σ) ≤ 1 . σ∈Nk We call |µ| the mass of µ. We say that µ is a (full) distribution if |µ| = 1, and a proper subdistribution if |µ| < 1. The set of all subdistributions on Nk is denoted by D≤ (Nk ) and the set of all full distributions by D(Nk ). 6 L. Klinkenberg et al. We need subdistributions for capturing non-termination. The “missing” probability mass 1 − |µ| precisely models the probability of non-termination. The generating function of a (sub-)distribution is called a probability generating function. Many properties of a distribution µ can be read off from its generating function Gµ in a simple way. We demonstrate how to extract a few common properties in the following example. Example 3 (Geometric Distribution PGF). Recall Example 1. The presented formal power series encodes a geometric distribution µgeo with parameter 1/2 of a single variable X. The fact that µgeo is a proper probability distribution, for 1 = 1. The expected instance, can easily be verified computing Ggeo (1) = 2−1 1 ′ △ value of X is given by Ggeo (1) = (2−1)2 = 1. Extracting Common Properties. Important information about probability distributions is, for instance, the first and higher moments. In general, the k th factorial moment of variable Xi can be extracted from a PGF by computing ∂kG (1, . . . , 1).3 This includes the mass |G| as the 0th moment. The marginal dis∂Xik tribution of variable Xi can simply be extracted from G by G(1, . . . , Xi , . . . , 1). We also note that PGFs can treat stochastic independence. For instance, for a bivariate PGF H we can check for stochastic independence of the variables X and Y by checking whether H(X, Y ) = H(X, 1) · H(1, Y ). 4 FPS Semantics for pGCL In this section, we give denotational semantics to probabilistic programs in terms of FPS transformers and establish some elementary properties useful for program analysis. We begin by endowing FPSs and PGFs with an order structure: Definition 5 (Order on FPS). For all F, G ∈ FPS, let F  G iff ∀ σ ∈ Nk : [σ]G ≤ [σ]F . Lemma 1 (Completeness of  on FPS). (FPS, ) is a complete latttice. 4.1 FPS Transformer Semantics Recall that we assume programs to range over exactly k variables with valuations in Nk . Our program syntax is similar to Kozen [16] and McIver & Morgan [18]. Definition 6 (Syntax of pGCL [16,18]). A program P in probabilistic Guarded Command Language ( pGCL) adheres to the grammar P ::= skip xi := E P;P if(B) {P } else {P } 3 {P } [p] {P } while (B) {P } , In general, one must take the limit Xi → 1 from below. Generating Functions for Probabilistic Programs 7 where xi ∈ {x1 , . . . , xk } is a program variable, E is an arithmetic expression over program variables, p ∈ [0, 1] is a probability, and B is a predicate (called guard) over program variables. The FPS semantics of pGCL will be defined in a forward denotational style, where the program variables x1 , . . . , xk correspond to the formal indeterminates X1 , . . . , Xk of FPSs. For handling assignments, if-conditionals and while-loops, we need some auxiliary functions on FPSs: For an arithmetic expression E over program variables, we denote by evalσ (E) the evaluation of E in program state σ. For a predicate B ⊆ Nk and FPS F , we define the restriction of F to B by X hF iB := [σ]F · Xσ , σ∈B i.e. hF iB is the FPS obtained from F by setting all coefficients [σ]F where σ 6∈ B to 0. Using these prerequisites, our FPS transformer semantics is given as follows: Definition 7 (FPS Semantics of pGCL). The semantics JP K : FPS → FPS of a loop-free pGCL program P is given according to the upper part of Table 1. The unfolding operator ΦB,P for the loop while (B) {P } is defined by ΦB,P : (FPS → FPS) → (FPS → FPS),   ψ 7→ λF . hF i¬B + ψ JP K hF iB .  The partial order (FPS, ) extends to a partial order FPS → FPS, ⊑ on FPS transformers by a point-wise lifting of . The least element of this partial order is the transformer 0 = λF . 0 mapping any FPS F to the zero series. The semantics of while (B) {P } is then given by the least fixed point (with respect to ⊑) of its unfolding operator, i.e. Jwhile (B) {P }K = lfp ΦB,P . Table 1. FPS transformer semantics of pGCL programs. P JP K (F ) skip xi := E F P {P1 } [p] {P2 } if (B) {P1 } else {P2 } P1 # P2 while(B){P } evalσ (E) σ∈Nk µσ X1σ1 · · · Xi · · · Xkσk p · JP1 K (F ) + (1 − p) · JP2 K (F )   + JP2 K hF i¬B  JP2 K JP1 K (F ) JP1 K hF iB  lfp ΦB,P (F ) , for   ΦB,P (ψ) = λF . hF i¬B + ψ JP K hF iB 8 (( G L. Klinkenberg et al. Example 4. Consider the program P = {x := 0} [1/2] {x := 1}# c := c + 1 and the input PGF G = 1, which denotes a point mass on state σ = 0. Using the annotation style shown in the left margin, denoting that JP ′ K (G) = G′ , we calculate JP K (G) as follows: P′ (( G′ (( 1 {x := 0} [1/2] {x := 1}# (( 1 2 + X 2 c := c + 1 (( C2 + CX 2 As for the semantics of c := c + 1, see Table 2. △ Before we study how our FPS transformers behave on PGFs in particular, we now first argue that our FPS semantics is well-defined. While evident for loopfree programs, we appeal to the Kleene Fixed Point Theorem for loops [17], which requires ω-continuous functions. Theorem 1 (ω-continuity of pGCL Semantics). The semantic functional J · K is ω-continuous, i.e. for all programs P ∈ pGCL and all increasing ω-chains F1  F2  . . . in FPS,   = sup JP K (Fn ) . JP K sup Fn n∈N n∈N Theorem 2 (Well-definedness of FPS Semantics). The semantics functional J · K is well-defined, i.e. the semantics of any loop while (B) {P } exists uniquely and can be written as Jwhile (B) {P }K = lfp ΦB,P = sup ΦnB,P (0) . n∈N 4.2 Healthiness Conditions of FPS Transformers In this section we show basic, yet important, properties which follow from [16]. For instance, for any input FPS F , the semantics of a program cannot yield as output an FPS with a mass larger than |F |, i.e. programs cannot create mass. Table 2. Common assignments and their effects on the input PGF F (X, Y ). P JP K (F ) x := x + k x := k · x X k · F (X, Y ) x := x + y F (X, XY ) F (X k , Y ) Generating Functions for Probabilistic Programs 9 Theorem 3 (Mass Conservation). For every P ∈ pGCL and F ∈ FPS, we have JP K (F ) ≤ |F |. A program P is called mass conserving if |JP K (F )| = |F | for all F ∈ FPS. Mass conservation has important implications for FPS transformers acting on PGFs: given as input a PGF, the semantics of a program yields a PGF. Corollary 1 (PGF Transformers). For every P ∈ pGCL and G ∈ PGF, we have JP K (G) ∈ PGF. Restricted to PGF, our semantics hence acts as a subdistribution transformer. Output masses may be smaller than input masses. The probability of nontermination of the programs is captured by the “missing” probability mass. As observed in [16], semantics of probabilistic programs are fully defined by their effects on point masses, thus rendering probabilistic program semantics linear. In our setting, this generalizes to linearity of our FPS transformers. Definition 8 (Linearity). Let F, G ∈ FPS and r ∈ R∞ ≥0 be a scalar. The function ψ : FPS → FPS is called a linear transformer (or simply linear), if ψ(r · F + G) = r · ψ(F ) + ψ(G) . Theorem 4 (Linearity of pGCL Semantics). For every program P and guard B, the functions h · iB and JP K are linear. Moreover, the unfolding operator ΦB,P maps linear transformers onto linear transformers. As a final remark, we can unroll while loops: Lemma 2 (Loop Unrolling). For any FPS F , Jwhile (B) {P }K (F ) = hF i¬B + Jwhile (B) {P }K JP K hF iB 4.3 Embedding into Kozen’s Semantics Framework  . Kozen [16] defines a generic way of giving distribution transformer semantics based on an abstract measurable space (X n , M (n) ). Our FPS semantics instantiates his generic semantics. The state space we consider is Nk , so that (Nk , P(Nk )) is our measurable space.4 A measure on that space is a countably-additive function µ : P(Nk ) → [0, ∞] with µ(∅) = 0. We denote the set of all measures on our space by M. Although, we represent measures by FPSs, the two notions are in bijective correspondence τ : FPS → M, given by X τ (F ) = λS. [σ]F . σ∈S This map preserves the linear structure and the order . Kozen’s syntax [16] is slightly different from pGCL. We compensate for this by a translation function T, which maps pGCL programs to Kozen’s. The following theorem shows that our semantics agrees with Kozen’s semantics.5 4 5 We note that we want each point σ to be measurable, which enforces a discrete measurable space. Note that Kozen regards a program P itself as a function P : M → M. 10 L. Klinkenberg et al. Theorem 5. The FPS semantics of pGCL is an instance of Kozen’s semantics, i.e. for all pGCL programs P , we have τ ◦ JP K = T(P ) ◦ τ . Equivalently, the following diagram commutes: FPS τ M JP K T(P ) FPS M τ For more details about the connection between FPSs and measures, as well as more information about the actual translation, see Appendix A.3. 5 Analysis of Probabilistic Programs Our PGF semantics enables the representation of the effect of a pGCL program on a given PGF. As a next step, we investigate to what extent a program analysis can exploit such PGF representations. To that end, we consider the overapproximation with loop invariants (Section 5.1) and provide examples showing that checking whether an FPS transformer overapproximates a loop can be checked with computer algebra tools. In addition, we determine a subclass of pGCL programs whose effect on an arbitrary input state is ensured to be a rational PGF encoding a phase-type distribution (Section 5.2). 5.1 Invariant-style Overapproximation of Loops In this section, we seek to overapproximate loop semantics, i.e. for a given loop W = while (B) {P }, we want to find a (preferably simple) FPS transformer ψ, such that JW K ⊑ ψ, meaning that for any input G, we have JW K (G)  ψ(G) (cf. Definition 7). Notably, even if G is a PGF, we do not require ψ(G) to be one. Instead, ψ(G) can have a mass larger than one. This is fine, because it still overapproximates the actual semantics coefficient-wise. Such overapproximations immediately carry over to reading off expected values (cf. Section 3), for instance ∂ ∂X JW K (G) (1) ≤ ∂ ∂X ψ(G)(1) . We use invariant-style reasoning for verifying that a given ψ overapproximates the semantics of JW K. For that, we introduce the notion of a superinvariant and employ Park’s Lemma, a well-known concept from fixed point theory, to obtain a conceptually simple proof rule for verifying overapproximations of while loops. Theorem 6 (Superinvariants and Loop Overapproximations). Let ΦB,P be the unfolding operator of while(B){P } (cf. Def. 7) and ψ : FPS → FPS. Then ΦB,P (ψ) ⊑ ψ implies Jwhile (B) {P }K ⊑ ψ . Generating Functions for Probabilistic Programs 11 We call a ψ satisfying ΦB,P (ψ) ⊑ ψ a superinvariant. We are interested in linear superinvariants, as our semantics is also linear (cf. Theorem 4). Furthermore, linearity allows to define ψ solely in terms of its effect on monomials, which makes reasoning considerably simpler: Corollary 2. Given a function f : Mon (X) → FPS, let the linear extension fˆ of f be defined by X [σ]F f (Xσ ) . fˆ: FPS → FPS, F 7→ σ∈Nk Let ΦB,P be the unfolding operator of while (B) {P }. Then ∀ σ ∈ Nk : ΦB,P (fˆ)(Xσ ) ⊑ fˆ(Xσ ) implies Jwhile (B) {P }K ⊑ fˆ . We call an f satisfying the premise of the above corollary a superinvariantlet. Notice that superinvariantlets and their extensions agree on monomials, i.e. f (Xσ ) = fˆ(Xσ ). Let us examine a few examples for superinvariantlet-reasoning. Example 5 (Verifying Precise Semantics). In Program 1.1, in each iteration, a fair coin flip determines the value of x. Subsequently, c is incremented by 1. Consider the following superinvariantlet: ( C , if i = 1; f (X i C j ) = C j · 2−C X i, if i 6= 1. To verify that f is indeed a superinvariantlet, we have to show that  ΦB,P (fˆ)(X i C j ) = X i C j x6=1 + fˆ JP K X i C j x=1 ! ⊑ fˆ X i C j For i 6= 1, we get ΦB,P (fˆ)(X i C j ) = X iC j  . x6=1 + fˆ(JP K (0)) = X i C j = f (X i C j ) = fˆ(X i C j ) . For i = 1, we get ΦB,P (fˆ)(X 1 C j ) = fˆ = = 1 0 j+1 + 12 X 1 C j+1 2X C   0 j+1 1 + 21 f X 1 C j+1 2f X C   1 j C j+1 = fˆ X 1 C j 2−C = f X C  (by linearity of fˆ) . (by definition of f ) C . Hence, Corollary 2 yields JW K (X) ⊑ f (X) = 2−C For this example, we can state even more. As the program is almost surely terminating, and f (X i C j ) = 1 for all (i, j) ∈ N2 , we conclude that fˆ is exactly the semantics of W , i.e. fˆ = JW K. △ 12 L. Klinkenberg et al. while ( x = 1 ) { {x := 0} [ 1/2 ] {x := 1}# c := c + 1 } Program 1.1. Geometric distribution generator. while ( x > 0 ) { {x := x + 1} [ 1/2 ] {x := x - 1}# c := c + 1 } Program 1.2. Left-bounded 1-dimensional random walk. Example 6 (Verifying Proper Overapproximations). Program 1.2 models a one dimensional, left-bounded random walk. Given an input (i, j) ∈ N2 , it is evident that this program can only terminate in an even (if i is even) or odd (if i is odd) number of steps. This information can be encoded into the following superinvariantlet: f (X 0 C j ) = C j f (X i+1 C j ) = C j · and ( C 1−C 2 , 1 1−C 2 , if i is odd; if i is even. It is straightforward to verify that f is a proper superinvariantlet (proper because C 3 5 1−C 2 = C + C + C + . . . is not a PGF) and hence f properly overapproximates the loop semantics. Another superinvariantlet for Program 1.2 is given by  √   1− 1−C 2 i , if i ≥ 1; i j j C h(X C ) = C · 1, if i = 0. Given that the program terminates almost-surely [11] and that h is a superinvariantlet yielding only PGFs, it follows that the extension of h is exactly the semantics of Program 1.2. An alternative derivation of this formula for the case h(X) can be found, e.g., in [12]. For both f and h, we were able to prove that they are indeed superinvariantlets automatically, using the computer algebra library SymPy [20]. The code is included in Appendix B (Program 1.5). △ Example 7 (Proving Non-almost-sure Termination). In Program 1.3, the branching probability of the choice statement depends on the value of a program variable. This notation is just syntactic sugar, as this behavior can be mimicked by loop constructs together with coin flips [3, pp. 115f]. Generating Functions for Probabilistic Programs 13 while ( x > 0 ) { {x := x - 1} [ 1/x ] {x := x + 1} } Program 1.3. A non-almost-surely terminating loop. while ( x < 1 and t < 2 ) { if ( t = 0 ) { {x := 1} [ a ] {t := 1}# c := c + 1 } else { {x := 1} [ b ] {t := 0}# d := d + 1 } } Program 1.4. Dueling cowboys. To prove that Program 1.3 does not terminate almost-surely, we consider the following superinvariantlet: f (X i ) = 1 − i−2 1 X 1 · , e n=0 n! where e = 2.71828 . . . is Euler’s number. Again, the superinvariantlet property was verified automatically, here  using2Math1 1 ematica [13]. Now, consider for instance f (X 3 ) = 1 − 1e · 0! + 1! = 1 − e < 1. This proves, that the program terminates on X 3 with a probability strictly smaller than 1, witnessing that the program is not almost surely terminating. △ 5.2 Rational PGFs In several of the examples from the previous sections, we considered PGFs which were rational functions, that is, fractions of two polynomials. Since those are a particularly simple class of PGFs, it is natural to ask which programs have rational semantics. In this section, we present a semantic characterization of a class of while-loops whose output distribution is a (multivariate) discrete phasetype dsitribution [21,22]. This implies that the resulting PGF of such programs is an effectively computable rational function for any given input state. Let us illustrate this by an example. Example 8 (Dueling Cowboys). Program 1.4 models two dueling cowboys [18]. The hit chance of the first cowboy is a percent and the hit chance of the second cowboy is b percent, where a, b ∈ [0, 1].6 The cowboys shoot at each other in turns, as indicated by the variable t, until one of them gets hit (x is set to 1). 6 These are not program variables. 14 L. Klinkenberg et al. The variable c counts the number of shots of the first cowboy and d those of the second cowboy. We observe that Program 1.4 is somewhat independent of the value of c, in the sense that moving the statement c := c + 1 to either immediately before or after the loop, yields an equivalent program. In our notation, this is expressed as JW K (C · H) = C · JW K (H) for all PGFs H. By symmetry, the same applies to variable d. Unfolding the loop once on input 1, yields JW K (1) = (1 − a)C · JW K (T ) + aCX . A similar equation for JW K (T ) involving JW K (1) on its right-hand side holds. This way we obtain a system of two linear equations, although the program itself is infinite-state. The linear equation system has a unique solution JW K (1) in the field of rational functions over the variables C, D, T , and X which is the PGF G := aCX + (1 − a)bCDT X . 1 − (1 − b)(1 − a)CD From G we can easily read off the following: The probability that the first cowboy a , and the expected total number of wins (x = 1 and t = 0) equals 1−(1−a)(1−b) 1 ∂ G(1) = a+b−ab . Notice that this quantity equals shots of the first cowboy is ∂C ∞ if a and b are both zero, i.e. if both cowboys have zero hit chance. If we write GV for the PGF obtained by substituting all but the variables in V with 1, then we moreover see that GC · GD 6= GC,D . This means that C and D (as random variables) are stochastically dependent. △ The distribution encoded in the PGF JW K (1) is a discrete phase-type distribution. Such distributions are defined as follows: A Markov reward chain is a Markov chain where each state is augmented with a reward vector in Nk . By definition, a (discrete) distribution on Nk is of phase-type iff it is the distribution of the total accumulated reward vector until absorption in a Markov reward chain with a single absorbing state and a finite number of transient states. In fact, Program 1.4 can be described as a Markov reward chain with two states (X 0 T 0 and X 0 T 1 ) and 2-dimensional reward vectors corresponding to the “counters” (c, d): the reward in state X 0 T 0 is (1, 0) and (0, 1) in the other state. Each pGCL program describes a Markov reward chain [10]. It is not clear which (non-trivial) syntactical restrictions to impose to guarantee for such chains to be finite. In the remainder of this section, we give a characterization of while-loops that are equivalent to finite Markov reward chains. The idea of our criterion is that each variable has to fall into one of the following two categories: Definition 9 (Homogeneous and Bounded Variables). Let P ∈ pGCL be a program, B be a guard and xi be a program variable. Then: – xi is called homogeneous for P if JP K (Xi ·G) = Xi ·JP K (G) for all G ∈ PGF. – xi is called bounded by B if the set {σi | σ ∈ B} is finite. Generating Functions for Probabilistic Programs 15 Intuitively, homogeneity of xi means that it does not matter whether one increments the variable before or after the execution of P . Thus, a homogeneous variable behaves like an increment-only counter even if this may not be explicit in the syntax. In Example 8, the variables c and d in Program 1.4 are homogeneous (for both the loop-body and the loop itself). Moreover, x and t are clearly bounded by the loop guard. We can now state our characterization. Definition 10 (HB Loops). A loop while (B) {P } is called homogeneousbounded (HB) if for all program states σ ∈ B, the PGF JP K (Xσ ) is a polynomial and for all program variables x it either holds that – x is homogeneous for P and the guard B is independent of x, or that – x is bounded by the guard B. In an HB loop, all the possible valuations of the bounded variables satisfying B span the finite transient state space of a Markov reward chain in which the dimension of the reward vectors equals the number of homogeneous variables. The additional condition that JP K (Xσ ) is a polynomial ensures that there is only a finite amount of terminal (absorbing) states. Thus, we have the following: Proposition 1. Let W be a while-loop. Then JW K (Xσ ) is the (rational) PGF of a multivariate discrete phase-type distribution if and only if W is equivalent to an HB loop that almost-surely terminates on input σ. To conclude, we remark that there are various simple syntactic conditions for HB loops: For example, if P is loop-free, then JP K (Xσ ) is always a polynomial. Similarly, if x only appears in assignments of the form x := x + k, k ≥ 0, then x is homogeneous. Such updates of variables are e.g. essential in constant probability programs [?]. The crucial point is that such conditions are only sufficient but not necessary. Our semantic conditions thus capture the essence of phasetype distribution semantics more adequately while still being reasonably simple (albeit — being non-trivial semantic properties — undecidable in general). 6 Conclusion We have presented a denotational distribution transformer semantics for probabilistic while-programs where the denotations are generation functions (GFs). Moreover, we have provided a simple invariant-style technique to prove that a given GF overapproximates the program’s semantics and identified a class of (possibly infinite-state) programs whose semantics is a rational GF ecoding a phase-type distribution. Directions for future work include the (semi-)automated synthesis of invariants and the development of notions on how precise overapproximations by invariants actually are. A Proofs of Section 4 A.1 Proofs of Section 4.1 Lemma 1 (Completeness of  on FPS). (FPS, ) is a complete latttice. Proof. We start by showing that (FPS, ) is a partial order. Let F, G, H ∈ FPS, σ ∈ Nk . For reflexivity, consider the following: G  G ∀σ ∈ Nk : [σ]G ≤ [σ]G iff iff true . For antisymmetry, consider the following: implies implies implies G  H and H  G ∀σ ∈ Nk : [σ]G ≤ [σ]H and [σ]H ≤ [σ]G and [σ]H ≤ [σ]F k ∀σ ∈ N : [σ]G = [σ]H G = H . For transitivity, consider the following: implies implies implies G  H k and H  F ∀σ ∈ N : [σ]G ≤ [σ]H k ∀σ ∈ N : [σ]G ≤ [σ]F G  F . Next, we show that every set S ⊆ FPS has a supremum X sup [σ]F Xσ sup S = σ∈Nk F ∈S P in FPS. In particular, notice that sup ∅ = σ∈Nk 0 · Xσ . The fact that sup S ∈ k FPS is trivial since supF ∈S [σ]F ∈ R∞ ≥0 for every σ ∈ N . Furthermore, the fact that sup S is an upper bound on S is immediate since  is defined coefficientwise. Finally, sup S is also the least upper bound, since, by definition of , we have [σ]sup S = supF ∈S [σ]F . The following proofs rely on the Monotone Sequence Theorem (MST), which we recall here: If (an )n∈N is a monotonically increasing sequence in R∞ ≥0 , then supn an = limn→∞ an . In particular, if (an )n∈N and (bn )n∈N are monotonically increasing sequences in R∞ ≥0 , then sup an + sup bn = n n lim an + lim bn = n→∞ n→∞ lim an + bn = sup an + bn . n→∞ n Generating Functions for Probabilistic Programs 19 Theorem 1 (ω-continuity of pGCL Semantics). The semantic functional J · K is ω-continuous, i.e. for all programs P ∈ pGCL and all increasing ω-chains F1  F2  . . . in FPS, JP K  sup Fn n∈N  = sup JP K (Fn ) . n∈N Proof. By induction on the structure of P . Let S = {F1 , F2 , . . .} be an increasing ω-chain in FPS. First, we consider the base cases. The case P = skip. We have JP K (sup S) = sup S = sup {F } = sup {JP K (F )} . F ∈S F ∈S P The case P = xi := E. Let sup S = Ĝ = σ∈Nk [σ]Ĝ · X σ , where for each σ ∈ Nk we have [σ]Ĝ = supF ∈S [σ]F . We calculate JP K (sup S)   = JP K Ĝ   X = JP K  [σ]Ĝ · X σ  σ∈Nk   = JP K  X [σ]Ĝ · X1σ1 · · · Xiσi · · · Xkσk  = JP K  X [σ]Ĝ · X1σ1 · · · Xiσi · · · Xkσk  σ∈Nk  σ∈Nk = X σ∈Nk = = sup F ∈S sup [σ]F F ∈S X · · · Xkσk evalσ (E) · X1σ1 · · · Xi evalσ (E) σ∈Nk  X σ∈Nk = sup JP K (F ) F ∈S  [σ]F · X1σ1 · · · Xi = sup JP K  F ∈S evalσ (E) [σ]Ĝ · X1σ1 · · · Xi X  σ∈Nk  · · · Xkσk · · · Xkσk (sup on FPS is defined coefficient–wise)  [σ]F · X1σ1 · · · Xiσi · · · Xkσk  20 L. Klinkenberg et al. As the induction hypothesis now assume that for some arbitrary, but fixed, programs P1 , P2 and all increasing ω-chains S1 , S2 in FPS it holds that both JP1 K (sup S1 ) = sup JP1 K (F ) and F ∈S1 JP2 K (sup S2 ) = sup JP2 K (F ) . F ∈S2 We continue with the induction step. The case P = {P1 } [p] {P2 }. We have JP K (sup S) = p · JP1 K (sup S) + (1 − p) · JP2 K (sup S)     = p · sup JP1 K (F ) + (1 − p) · sup JP2 K (F ) F ∈S F ∈S     = sup p · JP1 K (F ) + sup (1 − p) · JP2 K (F ) F ∈S (I.H. on P1 and P2 ) F ∈S (scalar multiplication is defined point–wise) = sup (p · JP1 K (F ) + (1 − p) · JP2 K (F )) (apply MST coefficient–wise.) F ∈S = sup J{P1 } [p] {P2 }K (F ) F ∈S = sup JP K (F ) . F ∈S The case P = if (B) {P1 } else {P2 }. We have JP K (sup S) = JP1 K (hsup SiB ) + JP2 K (hsup Si¬B )       = JP1 K sup hF iB + JP2 K sup hF i¬B F ∈S F ∈S (restriction defined coefficient–wise) = sup JP1 K (hF iB ) + sup JP2 K (hF i¬B ) F ∈S F ∈S = sup (JP1 K (hF iB ) + JP2 K (hF i¬B )) (I.H. on P1 and P2 ) (apply MST coefficient–wise) F ∈S = sup Jif (B) {P1 } else {P2 }K (F ) F ∈S = sup JP K (F ) . F ∈S The case P = while(B){P1 }. Recall that for every G ∈ FPS, JP K (G) = (lfp ΦB,P1 ) (G)  = sup ΦnB,P1 (0) (G) . n∈N Hence, it suffices to show that      n n sup ΦB,P1 (0) (sup S) = sup sup ΦB,P1 (0) (F ) . n∈N F ∈S n∈N Generating Functions for Probabilistic Programs 21 Assume for the moment that for every n ∈ N and all increasing ω-chains S in FPS,   ΦnB,P1 (0) (sup S) = sup ΦnB,P1 (0) (F ) . (1) F ∈S We then have   sup ΦnB,P1 (0) (sup S) n∈N  = sup ΦnB,P1 (0) (sup S) n∈N  = sup sup ΦnB,P1 (0) (F ) n∈N F ∈S  = sup sup ΦnB,P1 (0) (F ) F ∈S n∈N     = sup , sup ΦnB,P1 (0) (F ) F ∈S (sup for ΦB,P1 is defined point–wise) (Equation 1) (swap suprema) (sup for ΦB,P1 is defined point–wise) n∈N which is what we have to show. It remains to prove Equation 1 by induction on n. Base case n = 0. We have   Φ0B,P1 (0) (sup S) = sup S = sup F = sup Φ0B,P1 (0) (F ) . F ∈S F ∈S Induction step. We have   Φn+1 B,P1 (0) (sup S)  = ΦB,P1 ΦnB,P1 (0) (sup S) = hsup Si¬B + ΦnB,P1 (0) (JP1 K (hsup SiB ))   = hsup Si¬B + ΦnB,P1 (0) sup JP1 K (hF iB ) F ∈S = hsup Si¬B + sup ΦnB,P1 (0) (JP1 K (hF iB )) F ∈S  = sup hF i¬B + ΦnB,P1 (0) (JP1 K (hF iB )) F ∈S   = sup Φn+1 B,P1 (0) (F ) . F ∈S (Def. of ΦB,P1 ) (I.H. on P1 ) (I.H. on n) (apply MST) (Def. of ΦB,P1 ) This completes the proof. Theorem 2 (Well-definedness of FPS Semantics). The semantics functional J · K is well-defined, i.e. the semantics of any loop while (B) {P } exists uniquely and can be written as Jwhile (B) {P }K = lfp ΦB,P = sup ΦnB,P (0) . n∈N 22 L. Klinkenberg et al. Proof. First, we show that the unfolding operator ΦB,P is ω-continuous. For that, let f1 ⊑ f2 ⊑ . . . be an ω-chain in FPS → FPS. Then, ΦB,P  sup{fn } n∈N    = λG. hGi¬B + sup{fn } (JP K (hGiB )) n∈N = λG. hGi¬B + sup{fn (JP K (hGiB ))} n∈N (sup on FPS → FPS is defined point–wise) = sup {λG. hGi¬B + fn (JP K (hGiB ))} n∈N (apply monotone sequence theorem coefficient-wise) = sup {ΦB,P (fn )} . (Def. of ΦB,P ) n∈N Since ΦB,P is ω-continuous and (FPS → FPS, ⊑) forms a complete lattice (Lemma 1), we get by the Kleene fixed point Theorem [17] that ΦB,P has a unique least fixed point given by supn∈N ΦnB,P (0). Theorem 3 (Mass Conservation). For every P ∈ pGCL and F ∈ FPS, we have JP K (F ) ≤ |F |. Proof. By induction on the structure of P . For the loop–free cases, this is straightforward. For the case P = while(B){P1 }, we proceed as follows. For every r ∈ R∞ ≥0 , we define the set FPSr = {F ∈ FPS | |F | ≤ r} of all FPSs whose mass is at most r. First, we define the restricted unfolding operator ΦB,P1 ,r : (FPSr → FPSr ) → (FPSr → FPSr ), ψ 7→ ΦB,P1 (ψ) . Our induction hypothesis on P1 implies that ΦB,P1 ,r is well–defined. It is now only left to show that (FPSr , ) is an ω-complete partial order, because then ΦB,P1 ,r has a least fixed point in FPSr for every r ∈ R∞ ≥0 . The theorem then follows by letting r = |G|, because (lfp ΦB,P1 ) (G) =  lfp ΦB,P1 ,|G| (G) implies |(lfp ΦB,P1 ) (G)| ≤ |G| . (FPSr , ) is an ω-complete partial order. The fact that (FPSr , ) is a partial order is immediate. It remains to show ω-completeness. For that, let f1  f2  . . . be an ω-chain in FPSr . We have to show that supn Fn ∈ FPSr , which is the case if and only if X sup fn = sup [σ]fn ≤ r . n σ∈Nk n Generating Functions for Probabilistic Programs 23 Now let g : N → Nk be some bijection from N to Nk . We have X = sup [σ]fn σ∈Nk ∞ X n (series converges absolutely) sup [g(i)]fn i=0 = sup N n N X i=0 = sup sup N n = sup sup n N sup [g(i)]fn (rewrite infinite series as supremum of partial sums) n N X [g(i)]fn (apply monotone sequence theorem) [g(i)]fn (swap suprema) i=0 N X i=0 P Now observe that supN N i=0 [g(i)]fn = |fn |, which is a monotonically increasing sequence in n. Moreover, since fn ∈ FPSr , this sequence is bounded from above by r. Hence, the least upper bound supn |fn | of the sequence |fn | is no larger than r, too. This completes the proof. A.2 Proofs of Section 4.2 Lemma 3 (Representation of JwhileK). Let W = while (B) {P } be a pGCL program. An alternative representation is: JW K = λG. ∞ X i=0 ϕi (G) ¬B , where ϕ(G) = JP K (hGiB ). Proof. First we show by induction, that ΦnB,P (0)(G) = Base case. We have Φ0B,P (0)(G) = 0 = −1 X i=0 ϕi (G) ¬B Pn−1 i=0 . ϕi (G) ¬B . 24 L. Klinkenberg et al. Induction step. We have  n Φn+1 B,P (0)(G) = ΦB,P ΦB,P (0)(G) = hGi¬B + ΦnB,P (0)(JP K hGiB ) = hGi¬B + ΦnB,P (0)(ϕ(G)) n−1 X = hGi¬B + i=0 n X = hGi¬B + = n X ϕi (G) JW K (G)  = sup ΦnB,P (0) (G) n∈N  = sup ΦnB,P (0)(G) n∈N ) ( n X i = sup ϕ (G) ¬B n∈N = ∞ X i=0 ϕi i=1 i=0 Overall, we thus get ϕi+1 ¬B ¬B ¬B . (sup on FPS → FPS is defined point–wise) (see above) i=0 ϕi (G) ¬B Theorem 4 (Linearity of pGCL Semantics). For every program P and guard B, the functions h · iB and JP K are linear. Moreover, the unfolding operator ΦB,P maps linear transformers onto linear transformers. Proof. Linearity of h·iB . We have * ha · G + F iB = = = a· * σ∈Nk X X σ∈B =a· µσ X σ + (a · µσ + νσ ) X σ (a · µσ + νσ )X a · µσ X σ X X µσ X νσ X σ σ∈Nk σ∈Nk X σ∈B = X σ + + + B σ X νσ X σ σ∈B + σ∈B = a · hGiB + hF iB X σ∈B νσ X σ B Generating Functions for Probabilistic Programs 25 Linearity of JP K. By induction on the structure of P . First, we consider the base cases. The case P = skip. We have JskipK (r · F + G) = r · F + G = r · JskipK (F ) + JskipK (G) The case P = xi := E JXi := EK (r · F + G) X eval (E) · · · Xkσk [σ]r·F +G X1σ1 · · · Xi σ = σ∈Nk = X σ∈Nk = r· = r· evalσ (E) · · · Xkσk evalσ (E) · · · Xkσk  eval (E) · · · Xi σ · · · Xkσk  (r · [σ]F + [σ]G ) · X1σ1 · · · Xi X  [σ]F · X1σ1 · · · Xi X  X1σ1 σ∈Nk σ∈Nk + [σ]F · X  σ∈Nk evalσ (E) [σ]G · X1σ1 · · · Xi = r · JP K (F ) + JP K (G) . (+ and · defined coefficient–wise)   eval (E) · · · Xkσk + [σ]G · X1σ1 · · · Xi σ (+ and · defined coefficient–wise) · · · Xkσk  (+ and · defined coefficient–wise) Next, we consider the induction step. The case P = P1 ; P2 . We have JP1 ; P2 K (r · F + G) = JP2 K (JP1 K (r · F + G)) = JP2 K (r · JP1 K (F ) + JP1 K (G)) = r · JP2 K (JP1 K (F )) + JP2 K (JP1 K (G)) . (I.H. on P1 ) (I.H. on P2 ) The case P = if (B) {P1 } else {P2 }. We have Jif (B) {P1 } else {P2 }K (r · F + G) = hJP1 K (r · F + G)iB + hJP2 K (r · F + G)i¬B = hr · JP1 K (F ) + JP1 K (G))iB + hr · JP2 K (F ) + JP2 K (G)i¬B (I.H. on P1 and P2 )  = r · hJP1 K (F )iB + hJP2 K (F )i¬B + hJP1 K (G)iB + hJP2 K (G)i¬B (linearity of h·iB and h·i¬B ) = r · Jif (B) {P1 } else {P2 }K (F ) + Jif (B) {P1 } else {P2 }K (G) 26 L. Klinkenberg et al. The case P = {P1 } [p] {P2 }. J{P1 } [p] {P2 }K (r · F + G) = p · JP1 K (r · F + G) + (1 − p) · JP2 K (r · F + G) = p · (r · JP1 K (F ) + JP1 K (G)) + (1 − p) · (r · JP2 K (F ) + JP2 K (G)) (I.H. on P1 and P2 ) = r · (p · JP1 K (F ) + (1 − p) · JP2 K (F )) + p · JP1 K (G) + (1 − p) · JP2 K (G) (reorder terms) = r · J{P1 } [p] {P2 }K (F ) + J{P1 } [p] {P2 }K The case P = while (B) {P1 }. Jwhile (B) {P1 }K (r · F + G)  = sup ΦnB,P1 (0) (r · F + G) n∈N  = sup ΦnB,P1 (0)(r · F + G) (sup on FPS → FPS defined point–wise) n∈N  = sup r · ΦnB,P1 (0)(F ) + ΦnB,P1 (0)(G) n∈N (by straightforward induction on n using I.H. on P1 )  n  = r · sup ΦB,P1 (0)(F ) + sup ΦnB,P1 (0)(G) n∈N n∈N (apply monotone sequence theorem coefficient–wise) = r · Jwhile (B) {P1 }K (F ) + Jwhile (B) {P1 }K (G) Linearity of ΦB,P (f ) for linear f .  *  + X X ΦB,P (f )  µσ X σ  = µσ X σ σ∈Nk σ∈Nk = = = * * X σ∈Nk X σ∈Nk X σ∈Nk = X σ∈Nk = µσ X σ X σ∈Nk µσ X σ + + ¬B ¬B  * +  X  + f JP K  µσ X σ  +f + ¬B σ∈Nk X σ∈Nk X σ∈Nk B  µσ JP K (hX σ iB ) (1. & 2.) µσ · f (JP K (hX σ iB )) (f lin.) µσ hX σ i¬B + µσ · f (JP K (hX σ iB )) µσ · hX σ i¬B + f (JP K (hX σ iB )) µσ · ΦB,P (f )(X σ )  Generating Functions for Probabilistic Programs 27 Lemma 2 (Loop Unrolling). For any FPS F , Jwhile (B) {P }K (F ) = hF i¬B + Jwhile (B) {P }K JP K hF iB Proof. Let W, W ′ be as described in Lemma 2.  . JW K (G) = (lfp ΦB,P ) (G) = ΦB,P (lfp ΦB,P ) (G) = hGi¬B + (lfp ΦB,P ) JP K hGiB  = Jif (B) {P ; W } else {skip}K (G) = JW ′ K (G) A.3 Proofs of Section 4.3 Lemma 4. The mapping τ is a bijection. The inverse τ −1 of τ is given by X µ ({σ}) · Xσ τ −1 : M → FPS, µ 7→ σ∈Nk Proof. We show this by showing τ −1 ◦ τ = id and τ ◦ τ −1 = id.   ! X X −1 −1 σ  λN . ασ =τ τ ◦τ ασ X σ∈N σ∈Nk = X X σ∈Nk s∈{σ}  τ ◦ τ −1 (µ) = τ  X σ∈Nk ασ · Xσ = X ασ Xσ σ∈Nk  µ({σ}) · Xσ  = λN . X µ({σ}) = µ(N ) = µ σ∈N Lemma 5. The mappings τ and τ −1 are monotone linear maps. Proof. First, we show that τ −1 is linear (and hence τ , due to bijectivity): X (µ + ν)({σ}) · Xσ τ −1 (µ + ν) = σ∈Nk = X (µ({σ}) + ν({σ})) · Xσ X (µ({σ}) · Xσ + ν({σ}) · Xσ ) σ∈Nk = σ∈Nk  = X σ∈Nk (as M forms a vector space with standard +)   µ({σ}) · Xσ  +  X σ∈Nk  ν({σ}) · Xσ  = τ −1 (µ) + τ −1 (ν) 28 L. Klinkenberg et al. Second, we show that τ is monotone: Assume Gµ ⊑ Gµ′ .  τ (Gµ ) = τ  X σ∈Nk ≤ λS. X µ({σ}) · X µ′ ({σ})  σ = λS. X µ({σ}) σ∈S σ∈S  =τ X σ∈Nk (as µ({σ}) ≤ µ′ ({σ}) per definition of ⊑)  µ′ ({σ}) · Xσ  = τ (Gµ′ ) Third, we show that τ −1 is monotone: Assume µ ⊑ µ′ . τ −1 (µ) = X σ∈Nk ⊑ X σ∈Nk µ({σ}) · Xσ µ′ ({σ}) · Xσ (as µ({σ}) ≤ µ′ ({σ}) per definition of ⊑) = τ −1 (µ′ ) Lemma 6. Let f : (P, ≤) → (Q, ≤) be a monotone isomorphism for any partially ordered sets P and Q. Then, f ∗ : Hom(P, P ) → Hom(Q, Q), φ 7→ f ◦ ϕ ◦ f −1 is also a monotone isomorphism. Proof. Let f be such a monotone isomorphism, and f ∗ the corresponding lifting. First, we note that f ∗ is also bijective. Its inverse is given by (f ∗ )−1 = (f −1 )∗ . Second, f ∗ is monotone, as shown in the following calculation. f ≤ g =⇒ ∀x. =⇒ ∀x. =⇒ ∀x. f (x) ≤ g(x)   τ ◦ f τ −1 ◦ τ (x) ≤ τ ◦ g τ −1 ◦ τ (x) τ ∗ ◦ f (τ (x)) ≤ τ ∗ ◦ g (τ (x)) =⇒ ∀y. τ ∗ ◦ f (y) ≤ τ ∗ ◦ g(y) =⇒ τ ∗ (f ) ≤ τ ∗ (g) Lemma 7. Let P, Q be complete lattices, and τ a monotone isomorphism. Also let lfp be the least fixed point operator. Then the following diagram commutes. Generating Functions for Probabilistic Programs Hom(P, P ) τ∗ lfp 29 Hom(Q, Q) lfp P τ Q Proof. Let ϕ ∈ Hom(P, P ) be arbitrary.  lfp ϕ = inf p ϕ(p) = p   τ (lfp ϕ) = τ inf p ϕ(p) = p  = inf τ (p) ϕ(p) = p  = inf τ (p) ϕ(τ −1 ◦ τ (p)) = τ −1 ◦ τ (p)  = inf τ (p) τ ◦ ϕ(τ −1 ◦ τ (p)) = τ (p)  = inf q τ ◦ ϕ(τ −1 (q)) = q  = inf q τ ∗ (ϕ)(q) = q = lfp τ ∗ (ϕ) Definition 11. Let T be the program translation from pGCL to a modified Kozen syntax, defined inductively: T(skip) = skip T(xi := E) = xi := fE (x1 , . . . , xk ) T({P } [p] {Q}) = {T(P )} [p] {T(Q)} T(P # Q) = T(P ); T(Q) T(if (B) {P } else {Q}) = if B then T(P ) else T(Q) fi T(while (B) {P }) = while B do T(P ) od , where p is a probability, k = |Var(P )|, B is a Boolean expression and P, Q are pGCL programs. The extended construct skip as well as {P } [p] {Q} is only syntactic sugar and can be simulated by the original Kozen semantics. The intended semantics of these constructs are and [skip] = id [{P } [p] {Q}] = p · T(P ) + (1 − p) · T(Q). Lemma 8. For all guards B, the following identity holds: eB ◦ τ = τ ◦ h·iB . P Proof. For all Gµ = σ∈Nk µ ({σ}) · Xσ ∈ FPS: eB ◦ τ (Gµ ) = eB (µ) = λS. µ(S ∩ B)   X X τ ◦ hGµ iB = τ  µ ({σ}) · Xσ + 0 · Xσ  σ∈B = λS. µ(S ∩ B) σ6∈B 30 =⇒ L. Klinkenberg et al. ∀Gµ ∈ FPS. eB ◦ τ (Gµ ) = τ ◦ hGµ iB Theorem 5. The FPS semantics of pGCL is an instance of Kozen’s semantics, i.e. for all pGCL programs P , we have τ ◦ JP K = T(P ) ◦ τ . Proof. The proof is done via induction on the program structure. We omit the loop-free cases, as they are straightforward. By definition, T(while (B) {P }) = while B do P od. Hence, the corresponding Kozen semantics is equal to lfp TB,P , where T : (M → M) → (M → M), S 7→ eB̄ + (S ◦ P ◦ eB ) . First, we show that τ −∗ ◦ TB,P ◦ τ ∗ = ΦB,P , where τ ∗ is the canonical lifting of τ , i.e., τ ∗ (S) = τ ◦ S ◦ τ −1 for all S ∈ (FPS → FPS).   −∗ τ ◦ TB,P ◦ τ ∗ (S) = τ −∗ ◦ TB,P ◦ τ ◦ S ◦ τ −1  = τ −∗ eB̄ + τ ◦ S ◦ τ −1 ◦ P ◦ eB = τ −1 ◦ eB̄ ◦ τ + τ −1 ◦ τ ◦ S ◦ τ −1 ◦ P ◦ eB ◦ τ = τ −1 ◦ eB̄ ◦ τ + S ◦ τ −1 ◦ P ◦ eB ◦ τ = τ −1 ◦ τ ◦ h·iB̄ + S ◦ τ −1 ◦ P ◦ τ ◦ h·iB = h·iB̄ + S ◦ τ −1 ◦ τ ◦ JP K ◦ h·iB (Using I.H. on P ◦ τ ) = h·iB̄ + S ◦ JP K ◦ h·iB = ΦB,P (S) Having this equality at hand, we can easily proof the correspondence of our while semantics to the one defined by Kozen in the following manner: τ ◦ Jwhile (B) {P }K = T(while (B) {P }) ◦ τ ⇔ τ ◦ lfp ΦB,P = lfp TB,P ◦ τ ⇔ lfp ΦB,P = τ −1 ◦ lfp TB,P ◦ τ ⇔ lfp ΦB,P = τ −∗ (lfp TB,P ) ⇔ lfp ΦB,P = lfp τ −∗ ◦ TB,P ◦ τ ⇔ lfp ΦB,P = lfp ΦB,P B (Definition of τ ∗ )  ∗ (cf. Lemma 7) Proofs of Section 5 Theorem 6 (Superinvariants and Loop Overapproximations). Let ΦB,P be the unfolding operator of while(B){P } (cf. Def. 7) and ψ : FPS → FPS. Then ΦB,P (ψ) ⊑ ψ implies Jwhile (B) {P }K ⊑ ψ . Generating Functions for Probabilistic Programs 31 Proof. Instance of Park’s Lemma [?]. Corollary 2. Given a function f : Mon (X) → FPS, let the linear extension fˆ of f be defined by fˆ: FPS → FPS, F 7→ X [σ]F f (Xσ ) . σ∈Nk Let ΦB,P be the unfolding operator of while (B) {P }. Then ∀ σ ∈ Nk : ΦB,P (fˆ)(Xσ ) ⊑ fˆ(Xσ ) implies Jwhile (B) {P }K ⊑ fˆ . Proof. Let G ∈ FPS be arbitrary. ΦB,P (fˆ)(G) = X [σ]G ΦB,P (fˆ)(Xσ ) (By Theorem 4) [σ]G f (Xσ ) (By assumption) σ∈Nk ⊑ =⇒ X σ∈Nk = fˆ(G) JW K ⊑ fˆ (By Theorem 6) Proof of Example 6.     ΦB,P fˆ X i C j = X iC j i=0  1 + fˆ X iC j 2 · i>0 case i = 0 : ⇒ (C j + fˆ(0)) = C j = f (X 0 C j )  C  ˆ i−1 j f (X C ) + fˆ X i+1 C j case i > 0 : ⇒ 2 ( 1 i even 2, = C j · 1−C = f (X i C j ) C , i odd 1−C 2   =⇒ ΦB,P fˆ (X i C j ) ⊑ f (X i C j ). C 1 + X iC j X 2 · XC i>0  32 L. Klinkenberg et al. Thus fˆ is a superinvariant. i j ΦB,P (ĥ)(X C ) = i X C j i=0 + ĥ  1 X iC j 2 C 1 · X iC j + i>0 X 2 i>0 · XC case i = 0 : ⇒ (C j + ĥ(0)) = 1 = h(X 0 C j )   C case i > 0 : ⇒ ĥ X i−1 C j + ĥ X i+1 C j 2  !i−1 !i+1  √ √ C j+1  1 − 1 − C 2 1 − 1 − C2  = + · 2 C C j = C · 1− !i √ 1 − C2 = h(X i C j ) C =⇒ ΦB,P (ĥ)(X i C j ) = h(X i C j ) Thus fˆ is a superinvariant. Verification Python Script from sympy import ∗ i nit p rint ing () x , c = sy m b o l s ( ’ x , c ’ ) i , j = sy m b o l s ( ’ i , j ’ , i n t e g e r=True ) #d e f i n e t h e h i g h e r o r d e r t r a n s f o r m e r def Phi ( f ) : return c /2 ∗ ( f . s u b s ( i , i −1) + f . s u b s ( i , i +1) ) def c o m p u t e d i f f e r e n c e ( f ) : return ( Phi ( f ) − f ) . s i m p l i f y ( ) #d e f i n e P o l yno m ia l v e r i f y e r def v e r i f y p o l y ( p o l y ) : p r i n t ( ” Check c o e f f i c i e n t s f o r non−p o s i t i v i t y : ” ) for c o e f f in poly . c o e f f s ( ) : i f coeff > 0: return F a l s e return True # a c t u a l v e r i f i c a t i o n method def v e r i f y ( f ) : p r i n t ( ” Check i n v a r i a n t : ” ) pprint ( f ) result = compute difference( f ) if result . is zero : print ( ” I n v a r i a n t i s a f i x p o i n t ! ” ) return True else : print ( ” I n v a r i a n t i s not a f i x p o i n t − check try : return v e r i f y p o l y ( Poly ( r e s u l t ) ) except P o l i f i c a t i o n F a i l e d : p r i n t ( ” I n v a r i a n t i s n o t a Poly ! ” ) return F a l s e except : p r i n t ( ” Unexpected E r r o r ” ) raise if r e m a i n d e r i s Poly ” )  Generating Functions for Probabilistic Programs 33 # d e f i n e t h e l o o p i n v a r i a n t g u e s s ( i != 0) c a s e f = c ∗∗ j ∗ ( ( c / (1− c ∗ ∗ 2 ) ) ∗ ( i % 2 ) + (1/(1 − c ∗ ∗ 2 ) ) ∗ ( ( i +1) % 2 ) ) # Second i n v a r i a n t : h = c ∗∗ j ∗ ( ( 1 − s q r t ( 1 − c ∗ ∗ 2 ) ) / c ) ∗∗ i print ( ” I n v a r i a n t v e r i f i e d ” i f print ( ” I n v a r i a n t v e r i f i e d ” i f v e r i f y ( f ) e l s e ”Unknown ” ) v e r i f y ( h ) e l s e ”Unknown ” ) Program 1.5. Python program checking the invariants Proof of Example 7. ΦB,P (fˆ)(X i ) = Xi i=0 + 1 ˆ ·f i  Xi · i>0 case i = 0 : ⇒ 1 + ∞ · fˆ(0) + − ∞ · fˆ(0) 1 X  +    1 1− · fˆ X i i  = 1 + ∞ · 0 + − ∞ · 0 = 1 = f Xi    1 ˆ i−1  1 case i > 0 : ⇒ 0 + · fˆ X i+1 + 1− ·f X i i ! !   i−3 i−1 1 1 X 1 1 X 1 1 + 1− · 1− · · 1− · = i e n=0 n! i e n=0 n! ! ! i−3 i−1 1 X 1 1 1 1 X 1 + 1− · − − · + = i ei n=0 n! e n=0 n! i !   i−1 1 X 1 1 1 1 = 1− · + · + e n=0 n! ei (i − 2)! (i − 1)! ! ! i−1 i−2 1 1 X 1 1 X 1 + = 1− · = 1− · e n=0 n! e(i − 1)! e n=0 n!  = f Xi =⇒ ΦB,P (fˆ)(X i ) = f (X i ) i>0 ·X  i−1 1 X 1 · ei n=0 n! Mathematica input query: Input: Output: 1 · k 0 k−3 1 X 1 1− · e n=0 n! ! 1 + (1 − ) · k k−1 1 X 1 1− · e n=0 n! ! − k−2 1 X 1 1− · e n=0 n! ! !