Proof rules for probabilistic loops

Carroll Morgan
1996 unpublished
Probabilistic predicate transformers provide a semantics for imperative programs containing both demonic and probabilistic nondeterminism. Like the (standard) predicate transformers popularised by Dijkstra, they model programs as functions from final results to the initial conditions sufficient to achieve them. This paper presents practical proof rules, using the probabilistic transformers, for reasoning about iterations when probability is present. They are thoroughly illustrated by example: probabilistic binary chop, faulty factorial, the martingale gambling strategy and Herman's probabilistic self-stabilisation. Just as for traditional programs, weakest-precondition based proof rules for program derivation are an important step on the way to designing more general refinement techniques, or even a refinement calculus, for imperative probabilistic programming.

* Morgan is a member of the Probabilistic Systems Group within the Programming Research Group at Oxford University: the other members are Annabelle McIver, Jeff Sanders and Karen Seidel. Our work is supported by the EPSRC.

BCS-FACS 7th Refinement Workshop

Dijkstra and of Kozen, we took advantage of later work by Claire Jones and Gordon Plotkin [10] and a 'relational' probabilistic model proposed by JiFeng He [7] (who used 'convex closure' [19] to generalise an earlier imperative model due to Kozen [11]). One of the principal results of our earlier work [18] is the exact determination of the 'healthiness conditions' that apply to probabilistic predicate transformers; they generalise the conditions given by Dijkstra for standard predicate transformers. Our overall aim is to broaden the scope of refinement methods to include more aspects of 'real' system design, in this case that the ultimate components from which a system is built are never entirely reliable. When their unreliability can be quantified, probabilistic program derivation, or refinement, can be used to match low-level unreliability of components to high-level 'tolerable' unreliability in a specification. The contribution of this paper specifically is to use the probabilistic healthiness conditions to propose and justify methods for the treatment of probabilistic loops; in that way we move the theory [18] towards everyday practice.
The main theorems concern probabilistic invariants and variants, and generalise the corresponding standard theorems; our probabilistic healthiness conditions are crucial to their proofs, and to the separate treatment of partial and total correctness. Informally, the use of invariants is just as in standard programs, based on the work of Hoare and Floyd [9, 4]: the invariant is established initially; it is maintained; and on termination additionally the negation of the repetition condition holds. Here however we use probabilistic invariants, as anticipated by Kozen, by Sharir, Pnueli and Hart [24], and finally by Jones [12, 10]; we have generalised their work by treating nondeterminism as well. The probabilistic variant rule (and the related '0-1 Law') was earlier proposed by Hart, Sharir and Pnueli [6] and shown to be sound and finitarily complete: a variant function must be bounded above and below, and have a nonzero probability of decrease. Our contribution here is to express that rule at the level of probabilistic predicate transformers, reproducing the proofs of soundness and finitary completeness in that context. We achieve a slight generalisation in that catastrophic failure (divergence, or abort) is included naturally as a possible behaviour of programs in our model. Sections 3-4 give the main theorems for the use of invariants and the way in which they are combined with information about loop termination; they are illustrated by the examples of Sec. 5, chosen to reveal the various combinations of probabilistic and standard variants and invariants. Sections 6-8 treat termination on its own. Section 9 provides a final example, a recent 'showcase' for probabilistic formalisms in which certain termination is the principal feature.

Probabilistic predicate transformers

Standard predicates are sets of states, and can thus be regarded as characteristic functions from the state space to {0, 1}. In practice - that is, for reasoning about specific programs - they are written as Boolean-valued expressions (formulae) over program variables. Probabilistic predicates are functions from the state space to the entire closed interval [0, 1]. In practice they are written as real-valued expressions over the program variables.
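The following is an added worked example, written for this page and not code from the paper or its authors: a small Python expectation-transformer calculus over a finite state space, in which probabilistic predicates are [0, 1]-valued functions of the state, probabilistic choice averages, demonic choice takes the minimum, and a loop is the least fixed point reached by iterating from zero. It also mechanises the two informal rules stated above: the invariant check ([guard] * I is at most wp(body, I)) and the variant check (bounded above and below, nonzero probability of decrease). The program (a fair gambler's-ruin walk on 0..3, plus a variant with an adversarial extra branch), the state list, the invariant x/3 and all function names are constructed for the illustration.

```python
"""Expectation transformers (wp) over a finite state space.

Constructed illustration, not code from the paper.  A state is a dict of
ints, an expectation is a function state -> float in [0, 1].
"""
from dataclasses import dataclass
from typing import Callable, Dict, Sequence

State = Dict[str, int]
Expectation = Callable[[State], float]


@dataclass
class Assign:              # var := expr(state)
    var: str
    expr: Callable[[State], int]


@dataclass
class PChoice:             # left with probability p, right with 1 - p
    p: float
    left: object
    right: object


@dataclass
class DChoice:             # demonic choice: an adversary picks the branch
    left: object
    right: object


@dataclass
class While:               # while guard(state): body
    guard: Callable[[State], bool]
    body: object


def _key(s: State):
    return tuple(sorted(s.items()))


def wp(prog, post: Expectation, states: Sequence[State] = (),
       tol: float = 1e-9, max_iter: int = 100000) -> Expectation:
    """Greatest guaranteed expectation of `post` before running `prog`."""
    if isinstance(prog, Assign):
        return lambda s: post({**s, prog.var: prog.expr(s)})
    if isinstance(prog, PChoice):
        l, r = wp(prog.left, post, states), wp(prog.right, post, states)
        return lambda s: prog.p * l(s) + (1 - prog.p) * r(s)
    if isinstance(prog, DChoice):  # adversary minimises the expectation
        l, r = wp(prog.left, post, states), wp(prog.right, post, states)
        return lambda s: min(l(s), r(s))
    if isinstance(prog, While):
        # Least fixed point of X = [not G]*post + [G]*wp(body, X), tabulated
        # over `states`; states outside the table count as 0, which keeps
        # every iterate a sound lower bound.
        table = {_key(s): 0.0 for s in states}
        if not table:
            raise ValueError("While needs a finite list of states")
        for _ in range(max_iter):
            cur = lambda s, t=table: t.get(_key(s), 0.0)
            step = wp(prog.body, cur, states)
            new = {_key(s): (step(s) if prog.guard(s) else post(s)) for s in states}
            delta = max(abs(new[k] - table[k]) for k in table)
            table = new
            if delta < tol:
                return lambda s, t=table: t.get(_key(s), 0.0)
        raise RuntimeError("fixed-point iteration did not converge")
    raise TypeError(f"unknown program node {prog!r}")


def check_invariant(loop: While, inv: Expectation, states) -> bool:
    """Maintenance step of the invariant rule: [G]*I <= wp(body, I) pointwise."""
    pre = wp(loop.body, inv, states)
    return all((not loop.guard(s)) or inv(s) <= pre(s) + 1e-12 for s in states)


def check_variant(loop: While, variant, states, lo, hi, eps: float) -> bool:
    """Variant rule: bounded in [lo, hi] on guard states, and from each guard
    state the body strictly decreases it with guaranteed probability >= eps."""
    for s in states:
        if not loop.guard(s):
            continue
        v0 = variant(s)
        if not lo <= v0 <= hi:
            return False
        p_dec = wp(loop.body, lambda t: 1.0 if variant(t) < v0 else 0.0, states)(s)
        if p_dec < eps:
            return False
    return True


# Constructed example: gambler's ruin on 0..3, stake moves +1 or -1 fairly.
STATES = [{"x": x} for x in range(4)]
WIN = lambda s: 1.0 if s["x"] == 3 else 0.0       # post-expectation [x = 3]
GUARD = lambda s: 0 < s["x"] < 3
UP = Assign("x", lambda s: s["x"] + 1)
DOWN1 = Assign("x", lambda s: s["x"] - 1)
DOWN2 = Assign("x", lambda s: s["x"] - 2)


def fair_walk() -> While:
    return While(GUARD, PChoice(0.5, UP, DOWN1))


def rigged_walk() -> While:
    """On a loss the house may demonically take one or two units."""
    return While(GUARD, PChoice(0.5, UP, DChoice(DOWN1, DOWN2)))


def win_probability(x: int, loop: While = None) -> float:
    return wp(loop or fair_walk(), WIN, STATES)({"x": x})


if __name__ == "__main__":
    inv = lambda s: s["x"] / 3                       # candidate invariant
    print("fair:   P(win | x=1) =", round(win_probability(1), 6))
    print("rigged: P(win | x=2) =", round(win_probability(2, rigged_walk()), 6))
    print("x/3 invariant holds for fair walk:", check_invariant(fair_walk(), inv, STATES))
    print("x/3 invariant holds for rigged walk:", check_invariant(rigged_walk(), inv, STATES))
    print("variant x terminates fair walk:", check_variant(fair_walk(), lambda s: s["x"], STATES, 0, 3, 0.5))
```

For the fair walk the invariant x/3 is maintained exactly, agrees with [x = 3] on exit, and the variant x is bounded in [0, 3] with a 1/2 chance of decrease from every guard state, so the rule yields wp(loop, [x = 3]) at least x/3, which the fixed-point computation confirms. Adding the demonic branch breaks the invariant at x = 2 (2/3 is not at most 1/2), and the computed loop value drops accordingly.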
doi:10.14236/ewic/rw1996.10 fatcat:cr5ej5qbcvdjrb4y4zg4jwoony