aiming low is harder
play

Aiming Low is Harder Induction for Lower Bounds in Probabilistic - PowerPoint PPT Presentation

Apr 01, 2023 •246 likes •1.38k views

Aiming Low is Harder Induction for Lower Bounds in Probabilistic Program Verification Marcel Hark Benjamin Kaminski Jrgen Giesl Joost-Pieter Katoen POPL 2020 Aiming Low is Harder Hark , Kaminski, Giesl, Katoen 1/25/20 1

  1. Motivation Setting the stage � lfp λ E . [ a � = 1 ] · f + [ a = 1 ] · 1 � lfp λ E . [ a � = 1 ] · x + [ a = 1 ] · 1 � � � lfp Φ f � 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } � f � � x � • lfp Φ x = lim n → ω Φ n x ( 0 ) (incomputable). → Initial value of x is unknown. → We need bounds on least fixed points. POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 3

  2. Motivation Setting the stage � lfp λ E . [ a � = 1 ] · f + [ a = 1 ] · 1 � lfp λ E . [ a � = 1 ] · x + [ a = 1 ] · 1 � � � lfp Φ f � 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } � f � � x � • lfp Φ x = lim n → ω Φ n x ( 0 ) (incomputable). → Initial value of x is unknown. → We need bounds on least fixed points. POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 3

  3. Motivation Setting the stage � lfp λ E . [ a � = 1 ] · f + [ a = 1 ] · 1 � lfp λ E . [ a � = 1 ] · x + [ a = 1 ] · 1 � � � lfp Φ f � 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } � f � � x � • lfp Φ x = lim n → ω Φ n x ( 0 ) (incomputable). → Initial value of x is unknown. → We need bounds on least fixed points. POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 3

  4. Motivation Setting the stage � lfp λ E . [ a � = 1 ] · f + [ a = 1 ] · 1 � lfp λ E . [ a � = 1 ] · x + [ a = 1 ] · 1 � � � lfp Φ f � 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } � f � � x � • lfp Φ x = lim n → ω Φ n x ( 0 ) (incomputable). → Initial value of x is unknown. → We need bounds on least fixed points. POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 3

  5. Motivation Setting the stage � lfp λ E . [ a � = 1 ] · f + [ a = 1 ] · 1 � lfp λ E . [ a � = 1 ] · x + [ a = 1 ] · 1 � � � lfp Φ f � 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } � f � � x � • lfp Φ x = lim n → ω Φ n x ( 0 ) (incomputable). → Initial value of x is unknown. → We need bounds on least fixed points. POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 3

  6. Motivation Setting the stage � lfp λ E . [ a � = 1 ] · f + [ a = 1 ] · 1 � lfp λ E . [ a � = 1 ] · x + [ a = 1 ] · 1 � � � lfp Φ f � 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } � f � � x � • lfp Φ x = lim n → ω Φ n x ( 0 ) (incomputable). → Initial value of x is unknown. → We need bounds on least fixed points. POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 3

  7. Motivation Setting the stage � lfp λ E . [ a � = 1 ] · f + [ a = 1 ] · 1 � lfp λ E . [ a � = 1 ] · x + [ a = 1 ] · 1 � � � lfp Φ f � 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } � f � � x � • lfp Φ x = lim n → ω Φ n x ( 0 ) (incomputable). → Initial value of x is unknown. → We need bounds on least fixed points. POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 3

  8. Motivation Setting the stage � lfp λ E . [ a � = 1 ] · f + [ a = 1 ] · 1 � lfp λ E . [ a � = 1 ] · x + [ a = 1 ] · 1 � � � lfp Φ f � 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } � f � � x � • lfp Φ x = lim n → ω Φ n x ( 0 ) (incomputable). → Initial value of x is unknown. → We need bounds on least fixed points. POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 3

  9. Motivation Setting the stage � lfp λ E . [ a � = 1 ] · f + [ a = 1 ] · 1 � lfp λ E . [ a � = 1 ] · x + [ a = 1 ] · 1 � � � lfp Φ f � 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } � f � � x � • lfp Φ x = lim n → ω Φ n x ( 0 ) (incomputable). → Initial value of x is unknown. → We need bounds on least fixed points. POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 3

  10. Motivation Setting the stage � lfp λ E . [ a � = 1 ] · f + [ a = 1 ] · 1 � lfp λ E . [ a � = 1 ] · x + [ a = 1 ] · 1 � � � lfp Φ f � 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } � f � � x � • lfp Φ x = lim n → ω Φ n x ( 0 ) (incomputable). → Initial value of x is unknown. → We need bounds on least fixed points. POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 3

  11. Motivation Outline Motivation Upper Bounds [Park] Lower Bounds Conclusion POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 4

  12. Upper Bounds [Park] Outline Motivation Upper Bounds [Park] Lower Bounds Conclusion POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 5

  13. Upper Bounds [Park] Park Induction while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } Φ x ( E ) = [ a � = 1 ] · x + [ a = 1 ] · 1 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) E ≥ Φ x ( E ) = ⇒ E ≥ lfp Φ x (Superinvariant). := x + [ a = 1 ] (Intuitive guess) E Φ x ( E ) = E → E is an upper bound on lfp Φ x . POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 6

  14. Upper Bounds [Park] Park Induction while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } Φ x ( E ) = [ a � = 1 ] · x + [ a = 1 ] · 1 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) E ≥ Φ x ( E ) = ⇒ E ≥ lfp Φ x (Superinvariant). := x + [ a = 1 ] (Intuitive guess) E Φ x ( E ) = E → E is an upper bound on lfp Φ x . POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 6

  15. Upper Bounds [Park] Park Induction while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } Φ x ( E ) = [ a � = 1 ] · x + [ a = 1 ] · 1 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) E ≥ Φ x ( E ) = ⇒ E ≥ lfp Φ x (Superinvariant). := x + [ a = 1 ] (Intuitive guess) E Φ x ( E ) = E → E is an upper bound on lfp Φ x . POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 6

  16. Upper Bounds [Park] Park Induction while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } Φ x ( E ) = [ a � = 1 ] · x + [ a = 1 ] · 1 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) E ≥ Φ x ( E ) = ⇒ E ≥ lfp Φ x (Superinvariant). := x + [ a = 1 ] (Intuitive guess) E Φ x ( E ) = E → E is an upper bound on lfp Φ x . POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 6

  17. Upper Bounds [Park] Park Induction while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } Φ x ( E ) = [ a � = 1 ] · x + [ a = 1 ] · 1 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) E ≥ Φ x ( E ) = ⇒ E ≥ lfp Φ x (Superinvariant). := x + [ a = 1 ] (Intuitive guess) E Φ x ( E ) = E → E is an upper bound on lfp Φ x . POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 6

  18. Upper Bounds [Park] Park Induction while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } Φ x ( E ) = [ a � = 1 ] · x + [ a = 1 ] · 1 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) E ≥ Φ x ( E ) = ⇒ E ≥ lfp Φ x (Superinvariant). := x + [ a = 1 ] (Intuitive guess) E Φ x ( E ) = E → E is an upper bound on lfp Φ x . POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 6

  19. Upper Bounds [Park] Upper Bounds • Rule for upper bounds Φ f ( E ) ≥ E is simple. (Inductive) • Not a surprise, bound a least fixed point from above. → Enough to bound any fixed point from above. POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 7

  20. Upper Bounds [Park] Upper Bounds • Rule for upper bounds Φ f ( E ) ≥ E is simple. (Inductive) • Not a surprise, bound a least fixed point from above. → Enough to bound any fixed point from above. POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 7

  21. Upper Bounds [Park] Upper Bounds • Rule for upper bounds Φ f ( E ) ≥ E is simple. (Inductive) • Not a surprise, bound a least fixed point from above. → Enough to bound any fixed point from above. POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 7

  22. Upper Bounds [Park] Upper Bounds • Rule for upper bounds Φ f ( E ) ≥ E is simple. (Inductive) • Not a surprise, bound a least fixed point from above. → Enough to bound any fixed point from above. E Φ x ( E ) lfp Φ x POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 7

  23. Upper Bounds [Park] Upper Bounds • Rule for upper bounds Φ f ( E ) ≥ E is simple. (Inductive) • Not a surprise, bound a least fixed point from above. → Enough to bound any fixed point from above. E Φ 2 x ( E ) lfp Φ x POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 7

  24. Upper Bounds [Park] Upper Bounds • Rule for upper bounds Φ f ( E ) ≥ E is simple. (Inductive) • Not a surprise, bound a least fixed point from above. → Enough to bound any fixed point from above. E Φ ω x ( E ) lfp Φ x POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 7

  25. Upper Bounds [Park] Upper Bounds • Rule for upper bounds Φ f ( E ) ≥ E is simple. (Inductive) • Not a surprise, bound a least fixed point from above. → Enough to bound any fixed point from above. E Φ ω x ( E ) lfp Φ x POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 7

  26. Upper Bounds [Park] Upper Bounds • Rule for upper bounds Φ f ( E ) ≥ E is simple. (Inductive) • Not a surprise, bound a least fixed point from above. → Enough to bound any fixed point from above. E Φ ω x ( E ) lfp Φ x POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 7

  27. Upper Bounds [Park] Upper Bounds No information on quality of the bound. → We also need lower bounds. POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 8

  28. Upper Bounds [Park] Upper Bounds No information on quality of the bound. → We also need lower bounds. POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 8

  29. Upper Bounds [Park] Upper Bounds No information on quality of the bound. → We also need lower bounds. POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 8

  30. Lower Bounds Outline Motivation Upper Bounds [Park] Lower Bounds Conclusion POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 9

  31. Lower Bounds Subinvariants E ≥ Φ x ( E ) E ≤ Φ x ( E ) = = ⇒ ⇒ E ≥ lfp Φ x (Superinvariant). E ≤ lfp Φ x (Subinvariant) ???. Not absurd: Sound for deterministic programs. [Frohn et al. 16] POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 10

  32. Lower Bounds Subinvariants E ≥ Φ x ( E ) E ≤ Φ x ( E ) = = ⇒ ⇒ E ≥ lfp Φ x (Superinvariant). E ≤ lfp Φ x (Subinvariant) ???. Not absurd: Sound for deterministic programs. [Frohn et al. 16] POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 10

  33. Lower Bounds Subinvariants E ≥ Φ x ( E ) E ≤ Φ x ( E ) = = ⇒ ⇒ E ≥ lfp Φ x (Superinvariant). E ≤ lfp Φ x (Subinvariant) ???. Not absurd: Sound for deterministic programs. [Frohn et al. 16] POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 10

  34. Lower Bounds Subinvariants E ≥ Φ x ( E ) E ≤ Φ x ( E ) = = ⇒ ⇒ E ≥ lfp Φ x (Superinvariant). E ≤ lfp Φ x (Subinvariant) ???. Not absurd: Sound for deterministic programs. [Frohn et al. 16] POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 10

  35. Lower Bounds E ≤ Φ x ( E ) = ⇒ E ≤ lfp Φ x Subinvariants while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } Φ x ( E ) = [ a � = 1 ] · x + [ a = 1 ] · 1 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) . E ′ := x + [ a = 1 ] · ( 1 + 2 x ) → E ′ ≤ Φ x ( E ′ ) , so E ′ is a lower bound ??? → E ′ ≤ Φ x ( E ′ ) , so E ′ is a lower bound ��� • Already seen upper bound by superinvariant E = x + [ a = 1 ] . E ′ �≤ E . POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 11

  36. Lower Bounds E ≤ Φ x ( E ) = ⇒ E ≤ lfp Φ x Subinvariants while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } Φ x ( E ) = [ a � = 1 ] · x + [ a = 1 ] · 1 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) . E ′ := x + [ a = 1 ] · ( 1 + 2 x ) → E ′ ≤ Φ x ( E ′ ) , so E ′ is a lower bound ??? → E ′ ≤ Φ x ( E ′ ) , so E ′ is a lower bound ��� • Already seen upper bound by superinvariant E = x + [ a = 1 ] . E ′ �≤ E . POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 11

  37. Lower Bounds E ≤ Φ x ( E ) = ⇒ E ≤ lfp Φ x Subinvariants while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } Φ x ( E ) = [ a � = 1 ] · x + [ a = 1 ] · 1 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) . E ′ := x + [ a = 1 ] · ( 1 + 2 x ) → E ′ ≤ Φ x ( E ′ ) , so E ′ is a lower bound ??? → E ′ ≤ Φ x ( E ′ ) , so E ′ is a lower bound ��� • Already seen upper bound by superinvariant E = x + [ a = 1 ] . E ′ �≤ E . POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 11

  38. Lower Bounds E ≤ Φ x ( E ) = ⇒ E ≤ lfp Φ x Subinvariants while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } Φ x ( E ) = [ a � = 1 ] · x + [ a = 1 ] · 1 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) . E ′ := x + [ a = 1 ] · ( 1 + 2 x ) → E ′ ≤ Φ x ( E ′ ) , so E ′ is a lower bound ??? → E ′ ≤ Φ x ( E ′ ) , so E ′ is a lower bound ��� • Already seen upper bound by superinvariant E = x + [ a = 1 ] . E ′ �≤ E . POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 11

  39. Lower Bounds E ≤ Φ x ( E ) = ⇒ E ≤ lfp Φ x Subinvariants while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } Φ x ( E ) = [ a � = 1 ] · x + [ a = 1 ] · 1 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) . E ′ := x + [ a = 1 ] · ( 1 + 2 x ) → E ′ ≤ Φ x ( E ′ ) , so E ′ is a lower bound ??? → E ′ ≤ Φ x ( E ′ ) , so E ′ is a lower bound ��� • Already seen upper bound by superinvariant E = x + [ a = 1 ] . E ′ �≤ E . POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 11

  40. Lower Bounds E ≤ Φ x ( E ) = ⇒ E ≤ lfp Φ x Subinvariants while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } Φ x ( E ) = [ a � = 1 ] · x + [ a = 1 ] · 1 2 · ( E [ a / 0 ] + E [ x / x + 1 ]) . E ′ := x + [ a = 1 ] · ( 1 + 2 x ) → E ′ ≤ Φ x ( E ′ ) , so E ′ is a lower bound ??? → E ′ ≤ Φ x ( E ′ ) , so E ′ is a lower bound ��� • Already seen upper bound by superinvariant E = x + [ a = 1 ] . E ′ �≤ E . POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 11

  41. Lower Bounds E ≤ Φ x ( E ) = ⇒ E ≤ lfp Φ x Subinvariants → Subinvariants are i.g. not sound for lower bounds. → Additional requirements to extract lower bound. POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 12

  42. Lower Bounds E ≤ Φ x ( E ) = ⇒ E ≤ lfp Φ x Subinvariants → Subinvariants are i.g. not sound for lower bounds. → Additional requirements to extract lower bound. POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 12

  43. Lower Bounds E ≤ Φ x ( E ) = ⇒ E ≤ lfp Φ x Subinvariants → Subinvariants are i.g. not sound for lower bounds. → Additional requirements to extract lower bound. POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 12

  44. Lower Bounds E ≤ Φ x ( E ) = ⇒ E ≤ lfp Φ x Subinvariants Φ ω x ( E ) → Subinvariants are i.g. not sound for lower bounds. E → Additional requirements to extract lower bound. lfp Φ x POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 12

  45. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ additional requirements E ≤ Φ f ( E ) E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ∧ = = = ⇒ E ≤ lfp Φ f . ⇒ E ≤ lfp Φ f . ⇒ E ≤ lfp Φ f . 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for easily checkable K ∈ R ≥ 0 K ∈ R ≥ 0 1. Expected finite number of loop iterations. 2. Expected change is bounded by constant. POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 13

  46. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ additional requirements E ≤ Φ f ( E ) E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ∧ = = = ⇒ E ≤ lfp Φ f . ⇒ E ≤ lfp Φ f . ⇒ E ≤ lfp Φ f . 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for easily checkable K ∈ R ≥ 0 K ∈ R ≥ 0 1. Expected finite number of loop iterations. 2. Expected change is bounded by constant. POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 13

  47. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ additional requirements E ≤ Φ f ( E ) E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ∧ = = = ⇒ E ≤ lfp Φ f . ⇒ E ≤ lfp Φ f . ⇒ E ≤ lfp Φ f . 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for easily checkable K ∈ R ≥ 0 K ∈ R ≥ 0 1. Expected finite number of loop iterations. 2. Expected change is bounded by constant. POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 13

  48. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ additional requirements E ≤ Φ f ( E ) E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ∧ = = = ⇒ E ≤ lfp Φ f . ⇒ E ≤ lfp Φ f . ⇒ E ≤ lfp Φ f . 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for easily checkable K ∈ R ≥ 0 K ∈ R ≥ 0 1. Expected finite number of loop iterations. 2. Expected change is bounded by constant. POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 13

  49. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ additional requirements E ≤ Φ f ( E ) E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ∧ = = = ⇒ E ≤ lfp Φ f . ⇒ E ≤ lfp Φ f . ⇒ E ≤ lfp Φ f . 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for easily checkable K ∈ R ≥ 0 K ∈ R ≥ 0 1. Expected finite number of loop iterations. 2. Expected change is bounded by constant. E ( s ) • C • • ... � � • E ( τ 1 ) E ( τ 2 ) E ( τ 3 ) Exp POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 13

  50. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ additional requirements E ≤ Φ f ( E ) E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ∧ = = = ⇒ E ≤ lfp Φ f . ⇒ E ≤ lfp Φ f . ⇒ E ≤ lfp Φ f . 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for easily checkable K ∈ R ≥ 0 K ∈ R ≥ 0 1. Expected finite number of loop iterations. 2. Expected change is bounded by constant. E ( s ) • C • • ... � � • E ( τ 1 ) E ( τ 2 ) E ( τ 3 ) Exp POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 13

  51. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ additional requirements E ≤ Φ f ( E ) E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ∧ = = = ⇒ E ≤ lfp Φ f . ⇒ E ≤ lfp Φ f . ⇒ E ≤ lfp Φ f . 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for easily checkable K ∈ R ≥ 0 K ∈ R ≥ 0 1. Expected finite number of loop iterations. 2. Expected change is bounded by constant. E ( s ) • C • • ... � � • E ( τ 1 ) E ( τ 2 ) E ( τ 3 ) Exp POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 13

  52. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ additional requirements E ≤ Φ f ( E ) E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ∧ = = = ⇒ E ≤ lfp Φ f . ⇒ E ≤ lfp Φ f . ⇒ E ≤ lfp Φ f . 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for easily checkable K ∈ R ≥ 0 K ∈ R ≥ 0 1. Expected finite number of loop iterations. 2. Expected change is bounded by constant. POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 13

  53. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ⇒ E ≤ wp � loop � ( f ) . ⇒ E ≤ wp � loop � ( f ) . = = 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for K ∈ R ≥ 0 K ∈ R ≥ 0 E ′ = x + [ a = 1 ] · ( 1 + 2 x ) = x + [ a = 1 ] → Easily checkable. E � � � { x := x + 1 } � { x := x + 1 } T ( a � = 1 ) � ≤ 2 · [ a = 1 ] < ∞ . � � ( | E ′ − E ′ ( s ) | ) ( s ) → Good, since E ′ is not a lower bound. � 1 � 1 � → Rule is not applicable! λ s . [ a = 1 ] · wp λ s . [ a = 1 ] · wp { a := 0 } { a := 0 } ( | E − E ( s ) | ) ( s ) Expected finite looping time: Exp → E is a lower bound. � � { a := 0 } � { x := x + 1 } � � 2 2 1 2 · | x + [ 0 = 1 ] − ( x + [ a = 1 ]) | + 1 � 1 ≥ [ a = 1 ] · ( 1 + 2 x ) ��� = → E = wp while ( a = 1 ) 2 · | x + 1 + [ a = 1 ] − ( x + [ a = 1 ]) | ( x ) . 2 = 2 · |− [ a = 1 ] | + 1 1 2 · | 1 | ≤ 1 = K (constant) POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 14

  54. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ⇒ E ≤ wp � loop � ( f ) . ⇒ E ≤ wp � loop � ( f ) . = = 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for K ∈ R ≥ 0 K ∈ R ≥ 0 E ′ = x + [ a = 1 ] · ( 1 + 2 x ) = x + [ a = 1 ] → Easily checkable. E � � � { x := x + 1 } � { x := x + 1 } T ( a � = 1 ) � ≤ 2 · [ a = 1 ] < ∞ . � � ( | E ′ − E ′ ( s ) | ) ( s ) → Good, since E ′ is not a lower bound. � 1 � 1 � → Rule is not applicable! λ s . [ a = 1 ] · wp λ s . [ a = 1 ] · wp { a := 0 } { a := 0 } ( | E − E ( s ) | ) ( s ) Expected finite looping time: Exp → E is a lower bound. � � { a := 0 } � { x := x + 1 } � � 2 2 1 2 · | x + [ 0 = 1 ] − ( x + [ a = 1 ]) | + 1 � 1 ≥ [ a = 1 ] · ( 1 + 2 x ) ��� = → E = wp while ( a = 1 ) 2 · | x + 1 + [ a = 1 ] − ( x + [ a = 1 ]) | ( x ) . 2 = 2 · |− [ a = 1 ] | + 1 1 2 · | 1 | ≤ 1 = K (constant) POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 14

  55. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ⇒ E ≤ wp � loop � ( f ) . ⇒ E ≤ wp � loop � ( f ) . = = 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for K ∈ R ≥ 0 K ∈ R ≥ 0 while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } E ′ = x + [ a = 1 ] · ( 1 + 2 x ) = x + [ a = 1 ] → Easily checkable. E � � � { x := x + 1 } � { x := x + 1 } T ( a � = 1 ) � ≤ 2 · [ a = 1 ] < ∞ . � � ( | E ′ − E ′ ( s ) | ) ( s ) → Good, since E ′ is not a lower bound. � 1 � 1 � λ s . [ a = 1 ] · wp λ s . [ a = 1 ] · wp → Rule is not applicable! { a := 0 } { a := 0 } ( | E − E ( s ) | ) ( s ) Expected finite looping time: Exp → E is a lower bound. � � { a := 0 } � { x := x + 1 } � � 2 2 2 · | x + [ 0 = 1 ] − ( x + [ a = 1 ]) | + 1 1 � 1 = ≥ [ a = 1 ] · ( 1 + 2 x ) ��� → E = wp while ( a = 1 ) 2 · | x + 1 + [ a = 1 ] − ( x + [ a = 1 ]) | ( x ) . 2 = 2 · |− [ a = 1 ] | + 1 1 2 · | 1 | ≤ 1 = K (constant) POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 14

  56. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ⇒ E ≤ wp � loop � ( f ) . ⇒ E ≤ wp � loop � ( f ) . = = 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for K ∈ R ≥ 0 K ∈ R ≥ 0 while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } E ′ = x + [ a = 1 ] · ( 1 + 2 x ) = x + [ a = 1 ] → Easily checkable. E � � � { x := x + 1 } � { x := x + 1 } T ( a � = 1 ) � ≤ 2 · [ a = 1 ] < ∞ . � � ( | E ′ − E ′ ( s ) | ) ( s ) → Good, since E ′ is not a lower bound. � 1 � 1 � λ s . [ a = 1 ] · wp λ s . [ a = 1 ] · wp → Rule is not applicable! { a := 0 } { a := 0 } ( | E − E ( s ) | ) ( s ) Expected finite looping time: Exp → E is a lower bound. � � { a := 0 } � { x := x + 1 } � � 2 2 2 · | x + [ 0 = 1 ] − ( x + [ a = 1 ]) | + 1 1 � 1 = ≥ [ a = 1 ] · ( 1 + 2 x ) ��� → E = wp while ( a = 1 ) 2 · | x + 1 + [ a = 1 ] − ( x + [ a = 1 ]) | ( x ) . 2 = 2 · |− [ a = 1 ] | + 1 1 2 · | 1 | ≤ 1 = K (constant) POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 14

  57. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ⇒ E ≤ wp � loop � ( f ) . ⇒ E ≤ wp � loop � ( f ) . = = 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for K ∈ R ≥ 0 K ∈ R ≥ 0 while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } E ′ = x + [ a = 1 ] · ( 1 + 2 x ) = x + [ a = 1 ] → Easily checkable. E � � � { x := x + 1 } � { x := x + 1 } T ( a � = 1 ) � ≤ 2 · [ a = 1 ] < ∞ . � � ( | E ′ − E ′ ( s ) | ) ( s ) → Good, since E ′ is not a lower bound. � 1 � 1 � λ s . [ a = 1 ] · wp λ s . [ a = 1 ] · wp → Rule is not applicable! { a := 0 } { a := 0 } ( | E − E ( s ) | ) ( s ) Expected finite looping time: Exp → E is a lower bound. � � { a := 0 } � { x := x + 1 } � � 2 2 2 · | x + [ 0 = 1 ] − ( x + [ a = 1 ]) | + 1 1 � 1 = ≥ [ a = 1 ] · ( 1 + 2 x ) ��� → E = wp while ( a = 1 ) 2 · | x + 1 + [ a = 1 ] − ( x + [ a = 1 ]) | ( x ) . 2 = 2 · |− [ a = 1 ] | + 1 1 2 · | 1 | ≤ 1 = K (constant) POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 14

  58. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ⇒ E ≤ wp � loop � ( f ) . ⇒ E ≤ wp � loop � ( f ) . = = 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for K ∈ R ≥ 0 K ∈ R ≥ 0 while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } E ′ = x + [ a = 1 ] · ( 1 + 2 x ) = x + [ a = 1 ] → Easily checkable. E � � � { x := x + 1 } � { x := x + 1 } T ( a � = 1 ) � ≤ 2 · [ a = 1 ] < ∞ . � � ( | E ′ − E ′ ( s ) | ) ( s ) → Good, since E ′ is not a lower bound. � 1 � 1 � λ s . [ a = 1 ] · wp λ s . [ a = 1 ] · wp → Rule is not applicable! { a := 0 } { a := 0 } ( | E − E ( s ) | ) ( s ) Expected finite looping time: Exp → E is a lower bound. � � { a := 0 } � { x := x + 1 } � � 2 2 2 · | x + [ 0 = 1 ] − ( x + [ a = 1 ]) | + 1 1 � 1 = ≥ [ a = 1 ] · ( 1 + 2 x ) ��� → E = wp while ( a = 1 ) 2 · | x + 1 + [ a = 1 ] − ( x + [ a = 1 ]) | ( x ) . 2 = 2 · |− [ a = 1 ] | + 1 1 2 · | 1 | ≤ 1 = K (constant) POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 14

  59. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ⇒ E ≤ wp � loop � ( f ) . ⇒ E ≤ wp � loop � ( f ) . = = 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for K ∈ R ≥ 0 K ∈ R ≥ 0 while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } E ′ = x + [ a = 1 ] · ( 1 + 2 x ) = x + [ a = 1 ] → Easily checkable. E � � � { x := x + 1 } � { x := x + 1 } T ( a � = 1 ) � ≤ 2 · [ a = 1 ] < ∞ . � � ( | E ′ − E ′ ( s ) | ) ( s ) → Good, since E ′ is not a lower bound. � 1 � 1 � λ s . [ a = 1 ] · wp λ s . [ a = 1 ] · wp → Rule is not applicable! { a := 0 } { a := 0 } ( | E − E ( s ) | ) ( s ) Expected finite looping time: Exp → E is a lower bound. � � { a := 0 } � { x := x + 1 } � � 2 2 2 · | x + [ 0 = 1 ] − ( x + [ a = 1 ]) | + 1 1 � 1 = ≥ [ a = 1 ] · ( 1 + 2 x ) ��� → E = wp while ( a = 1 ) 2 · | x + 1 + [ a = 1 ] − ( x + [ a = 1 ]) | ( x ) . 2 = 2 · |− [ a = 1 ] | + 1 1 2 · | 1 | ≤ 1 = K (constant) POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 14

  60. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ⇒ E ≤ wp � loop � ( f ) . ⇒ E ≤ wp � loop � ( f ) . = = 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for K ∈ R ≥ 0 K ∈ R ≥ 0 while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } E ′ = x + [ a = 1 ] · ( 1 + 2 x ) = x + [ a = 1 ] → Easily checkable. E � � � { x := x + 1 } � { x := x + 1 } T ( a � = 1 ) � ≤ 2 · [ a = 1 ] < ∞ . � � ( | E ′ − E ′ ( s ) | ) ( s ) → Good, since E ′ is not a lower bound. � 1 � 1 � λ s . [ a = 1 ] · wp λ s . [ a = 1 ] · wp → Rule is not applicable! { a := 0 } { a := 0 } ( | E − E ( s ) | ) ( s ) Expected finite looping time: Exp → E is a lower bound. � � { a := 0 } � { x := x + 1 } � � 2 2 2 · | x + [ 0 = 1 ] − ( x + [ a = 1 ]) | + 1 1 � 1 = ≥ [ a = 1 ] · ( 1 + 2 x ) ��� → E = wp while ( a = 1 ) 2 · | x + 1 + [ a = 1 ] − ( x + [ a = 1 ]) | ( x ) . 2 = 2 · |− [ a = 1 ] | + 1 1 2 · | 1 | ≤ 1 = K (constant) POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 14

  61. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ⇒ E ≤ wp � loop � ( f ) . ⇒ E ≤ wp � loop � ( f ) . = = 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for K ∈ R ≥ 0 K ∈ R ≥ 0 while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } E ′ = x + [ a = 1 ] · ( 1 + 2 x ) = x + [ a = 1 ] → Easily checkable. E � � � { x := x + 1 } � { x := x + 1 } T ( a � = 1 ) � ≤ 2 · [ a = 1 ] < ∞ . � � ( | E ′ − E ′ ( s ) | ) ( s ) → Good, since E ′ is not a lower bound. � 1 � 1 � λ s . [ a = 1 ] · wp λ s . [ a = 1 ] · wp → Rule is not applicable! { a := 0 } { a := 0 } ( | E − E ( s ) | ) ( s ) Expected finite looping time: Exp → E is a lower bound. � � { a := 0 } � { x := x + 1 } � � 2 2 2 · | x + [ 0 = 1 ] − ( x + [ a = 1 ]) | + 1 1 � 1 = ≥ [ a = 1 ] · ( 1 + 2 x ) ��� → E = wp while ( a = 1 ) 2 · | x + 1 + [ a = 1 ] − ( x + [ a = 1 ]) | ( x ) . 2 = 2 · |− [ a = 1 ] | + 1 1 2 · | 1 | ≤ 1 = K (constant) POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 14

  62. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ⇒ E ≤ wp � loop � ( f ) . ⇒ E ≤ wp � loop � ( f ) . = = 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for K ∈ R ≥ 0 K ∈ R ≥ 0 while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } E ′ = x + [ a = 1 ] · ( 1 + 2 x ) = x + [ a = 1 ] → Easily checkable. E � � � { x := x + 1 } � { x := x + 1 } T ( a � = 1 ) � ≤ 2 · [ a = 1 ] < ∞ . � � ( | E ′ − E ′ ( s ) | ) ( s ) → Good, since E ′ is not a lower bound. � 1 � 1 � λ s . [ a = 1 ] · wp λ s . [ a = 1 ] · wp → Rule is not applicable! { a := 0 } { a := 0 } ( | E − E ( s ) | ) ( s ) Expected finite looping time: Exp → E is a lower bound. � � { a := 0 } � { x := x + 1 } � � 2 2 2 · | x + [ 0 = 1 ] − ( x + [ a = 1 ]) | + 1 1 � 1 = ≥ [ a = 1 ] · ( 1 + 2 x ) ��� → E = wp while ( a = 1 ) 2 · | x + 1 + [ a = 1 ] − ( x + [ a = 1 ]) | ( x ) . 2 = 2 · |− [ a = 1 ] | + 1 1 2 · | 1 | ≤ 1 = K (constant) POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 14

  63. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ⇒ E ≤ wp � loop � ( f ) . ⇒ E ≤ wp � loop � ( f ) . = = 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for K ∈ R ≥ 0 K ∈ R ≥ 0 while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } E ′ = x + [ a = 1 ] · ( 1 + 2 x ) = x + [ a = 1 ] → Easily checkable. E � � � { x := x + 1 } � { x := x + 1 } T ( a � = 1 ) � ≤ 2 · [ a = 1 ] < ∞ . � � ( | E ′ − E ′ ( s ) | ) ( s ) → Good, since E ′ is not a lower bound. � 1 � 1 � λ s . [ a = 1 ] · wp λ s . [ a = 1 ] · wp → Rule is not applicable! { a := 0 } { a := 0 } ( | E − E ( s ) | ) ( s ) Expected finite looping time: Exp → E is a lower bound. � � { a := 0 } � { x := x + 1 } � � 2 2 2 · | x + [ 0 = 1 ] − ( x + [ a = 1 ]) | + 1 1 � 1 = ≥ [ a = 1 ] · ( 1 + 2 x ) ��� → E = wp while ( a = 1 ) 2 · | x + 1 + [ a = 1 ] − ( x + [ a = 1 ]) | ( x ) . 2 = 2 · |− [ a = 1 ] | + 1 1 2 · | 1 | ≤ 1 = K (constant) POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 14

  64. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ⇒ E ≤ wp � loop � ( f ) . ⇒ E ≤ wp � loop � ( f ) . = = 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for K ∈ R ≥ 0 K ∈ R ≥ 0 while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } E ′ = x + [ a = 1 ] · ( 1 + 2 x ) = x + [ a = 1 ] → Easily checkable. E � � � { x := x + 1 } � { x := x + 1 } T ( a � = 1 ) � ≤ 2 · [ a = 1 ] < ∞ . � � ( | E ′ − E ′ ( s ) | ) ( s ) → Good, since E ′ is not a lower bound. � 1 � 1 � λ s . [ a = 1 ] · wp λ s . [ a = 1 ] · wp → Rule is not applicable! { a := 0 } { a := 0 } ( | E − E ( s ) | ) ( s ) Expected finite looping time: Exp → E is a lower bound. � � { a := 0 } � { x := x + 1 } � � 2 2 2 · | x + [ 0 = 1 ] − ( x + [ a = 1 ]) | + 1 1 � 1 = ≥ [ a = 1 ] · ( 1 + 2 x ) ��� → E = wp while ( a = 1 ) 2 · | x + 1 + [ a = 1 ] − ( x + [ a = 1 ]) | ( x ) . 2 = 2 · |− [ a = 1 ] | + 1 1 2 · | 1 | ≤ 1 = K (constant) POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 14

  65. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ⇒ E ≤ wp � loop � ( f ) . ⇒ E ≤ wp � loop � ( f ) . = = 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for K ∈ R ≥ 0 K ∈ R ≥ 0 while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } E ′ = x + [ a = 1 ] · ( 1 + 2 x ) = x + [ a = 1 ] → Easily checkable. E � � � { x := x + 1 } � { x := x + 1 } T ( a � = 1 ) � ≤ 2 · [ a = 1 ] < ∞ . � � ( | E ′ − E ′ ( s ) | ) ( s ) → Good, since E ′ is not a lower bound. � 1 � 1 � λ s . [ a = 1 ] · wp λ s . [ a = 1 ] · wp → Rule is not applicable! { a := 0 } { a := 0 } ( | E − E ( s ) | ) ( s ) Expected finite looping time: Exp → E is a lower bound. � � { a := 0 } � { x := x + 1 } � � 2 2 2 · | x + [ 0 = 1 ] − ( x + [ a = 1 ]) | + 1 1 � 1 = ≥ [ a = 1 ] · ( 1 + 2 x ) ��� → E = wp while ( a = 1 ) 2 · | x + 1 + [ a = 1 ] − ( x + [ a = 1 ]) | ( x ) . 2 = 2 · |− [ a = 1 ] | + 1 1 2 · | 1 | ≤ 1 = K (constant) POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 14

  66. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ⇒ E ≤ wp � loop � ( f ) . ⇒ E ≤ wp � loop � ( f ) . = = 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for K ∈ R ≥ 0 K ∈ R ≥ 0 while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } E ′ = x + [ a = 1 ] · ( 1 + 2 x ) = x + [ a = 1 ] → Easily checkable. E � � � { x := x + 1 } � { x := x + 1 } T ( a � = 1 ) � ≤ 2 · [ a = 1 ] < ∞ . � � ( | E ′ − E ′ ( s ) | ) ( s ) → Good, since E ′ is not a lower bound. � 1 � 1 � λ s . [ a = 1 ] · wp λ s . [ a = 1 ] · wp → Rule is not applicable! { a := 0 } { a := 0 } ( | E − E ( s ) | ) ( s ) Expected finite looping time: Exp → E is a lower bound. � � { a := 0 } � { x := x + 1 } � � 2 2 2 · | x + [ 0 = 1 ] − ( x + [ a = 1 ]) | + 1 1 � 1 = ≥ [ a = 1 ] · ( 1 + 2 x ) ��� → E = wp while ( a = 1 ) 2 · | x + 1 + [ a = 1 ] − ( x + [ a = 1 ]) | ( x ) . 2 = 2 · |− [ a = 1 ] | + 1 1 2 · | 1 | ≤ 1 = K (constant) POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 14

  67. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ⇒ E ≤ wp � loop � ( f ) . ⇒ E ≤ wp � loop � ( f ) . = = 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for K ∈ R ≥ 0 K ∈ R ≥ 0 while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } E ′ = x + [ a = 1 ] · ( 1 + 2 x ) = x + [ a = 1 ] → Easily checkable. E � � � { x := x + 1 } � { x := x + 1 } T ( a � = 1 ) � ≤ 2 · [ a = 1 ] < ∞ . � � ( | E ′ − E ′ ( s ) | ) ( s ) → Good, since E ′ is not a lower bound. � 1 � 1 � λ s . [ a = 1 ] · wp λ s . [ a = 1 ] · wp → Rule is not applicable! { a := 0 } { a := 0 } ( | E − E ( s ) | ) ( s ) Expected finite looping time: Exp → E is a lower bound. � � { a := 0 } � { x := x + 1 } � � 2 2 2 · | x + [ 0 = 1 ] − ( x + [ a = 1 ]) | + 1 1 � 1 = ≥ [ a = 1 ] · ( 1 + 2 x ) ��� → E = wp while ( a = 1 ) 2 · | x + 1 + [ a = 1 ] − ( x + [ a = 1 ]) | ( x ) . 2 = 2 · |− [ a = 1 ] | + 1 1 2 · | 1 | ≤ 1 = K (constant) POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 14

  68. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ⇒ E ≤ wp � loop � ( f ) . ⇒ E ≤ wp � loop � ( f ) . = = 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for K ∈ R ≥ 0 K ∈ R ≥ 0 while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } E ′ = x + [ a = 1 ] · ( 1 + 2 x ) = x + [ a = 1 ] → Easily checkable. E � � � { x := x + 1 } � { x := x + 1 } T ( a � = 1 ) � ≤ 2 · [ a = 1 ] < ∞ . � � ( | E ′ − E ′ ( s ) | ) ( s ) → Good, since E ′ is not a lower bound. � 1 � 1 � λ s . [ a = 1 ] · wp λ s . [ a = 1 ] · wp → Rule is not applicable! { a := 0 } { a := 0 } ( | E − E ( s ) | ) ( s ) Expected finite looping time: Exp → E is a lower bound. � � { a := 0 } � { x := x + 1 } � � 2 2 2 · | x + [ 0 = 1 ] − ( x + [ a = 1 ]) | + 1 1 � 1 = ≥ [ a = 1 ] · ( 1 + 2 x ) ��� → E = wp while ( a = 1 ) 2 · | x + 1 + [ a = 1 ] − ( x + [ a = 1 ]) | ( x ) . 2 = 2 · |− [ a = 1 ] | + 1 1 2 · | 1 | ≤ 1 = K (constant) POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 14

  69. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ⇒ E ≤ wp � loop � ( f ) . ⇒ E ≤ wp � loop � ( f ) . = = 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for K ∈ R ≥ 0 K ∈ R ≥ 0 while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } E ′ = x + [ a = 1 ] · ( 1 + 2 x ) = x + [ a = 1 ] → Easily checkable. E � � � { x := x + 1 } � { x := x + 1 } T ( a � = 1 ) � ≤ 2 · [ a = 1 ] < ∞ . � � ( | E ′ − E ′ ( s ) | ) ( s ) → Good, since E ′ is not a lower bound. � 1 � 1 � λ s . [ a = 1 ] · wp λ s . [ a = 1 ] · wp → Rule is not applicable! { a := 0 } { a := 0 } ( | E − E ( s ) | ) ( s ) Expected finite looping time: Exp → E is a lower bound. � � { a := 0 } � { x := x + 1 } � � 2 2 2 · | x + [ 0 = 1 ] − ( x + [ a = 1 ]) | + 1 1 � 1 = ≥ [ a = 1 ] · ( 1 + 2 x ) ��� → E = wp while ( a = 1 ) 2 · | x + 1 + [ a = 1 ] − ( x + [ a = 1 ]) | ( x ) . 2 = 2 · |− [ a = 1 ] | + 1 1 2 · | 1 | ≤ 1 = K (constant) POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 14

  70. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ⇒ E ≤ wp � loop � ( f ) . ⇒ E ≤ wp � loop � ( f ) . = = 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for K ∈ R ≥ 0 K ∈ R ≥ 0 while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } E ′ = x + [ a = 1 ] · ( 1 + 2 x ) = x + [ a = 1 ] → Easily checkable. E � � � { x := x + 1 } � { x := x + 1 } T ( a � = 1 ) � ≤ 2 · [ a = 1 ] < ∞ . � � ( | E ′ − E ′ ( s ) | ) ( s ) → Good, since E ′ is not a lower bound. � 1 � 1 � λ s . [ a = 1 ] · wp λ s . [ a = 1 ] · wp → Rule is not applicable! { a := 0 } { a := 0 } ( | E − E ( s ) | ) ( s ) Expected finite looping time: Exp → E is a lower bound. � � { a := 0 } � { x := x + 1 } � � 2 2 2 · | x + [ 0 = 1 ] − ( x + [ a = 1 ]) | + 1 1 � 1 = ≥ [ a = 1 ] · ( 1 + 2 x ) ��� → E = wp while ( a = 1 ) 2 · | x + 1 + [ a = 1 ] − ( x + [ a = 1 ]) | ( x ) . 2 = 2 · |− [ a = 1 ] | + 1 1 2 · | 1 | ≤ 1 = K (constant) POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 14

  71. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ⇒ E ≤ wp � loop � ( f ) . ⇒ E ≤ wp � loop � ( f ) . = = 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for K ∈ R ≥ 0 K ∈ R ≥ 0 while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } E ′ = x + [ a = 1 ] · ( 1 + 2 x ) = x + [ a = 1 ] → Easily checkable. E � � � { x := x + 1 } � { x := x + 1 } T ( a � = 1 ) � ≤ 2 · [ a = 1 ] < ∞ . � � ( | E ′ − E ′ ( s ) | ) ( s ) → Good, since E ′ is not a lower bound. � 1 � 1 � λ s . [ a = 1 ] · wp λ s . [ a = 1 ] · wp → Rule is not applicable! { a := 0 } { a := 0 } ( | E − E ( s ) | ) ( s ) Expected finite looping time: Exp → E is a lower bound. � � { a := 0 } � { x := x + 1 } � � 2 2 2 · | x + [ 0 = 1 ] − ( x + [ a = 1 ]) | + 1 1 � 1 = ≥ [ a = 1 ] · ( 1 + 2 x ) ��� → E = wp while ( a = 1 ) 2 · | x + 1 + [ a = 1 ] − ( x + [ a = 1 ]) | ( x ) . 2 = 2 · |− [ a = 1 ] | + 1 1 2 · | 1 | ≤ 1 = K (constant) POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 14

  72. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ⇒ E ≤ wp � loop � ( f ) . ⇒ E ≤ wp � loop � ( f ) . = = 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for K ∈ R ≥ 0 K ∈ R ≥ 0 while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } E ′ = x + [ a = 1 ] · ( 1 + 2 x ) = x + [ a = 1 ] → Easily checkable. E � � � { x := x + 1 } � { x := x + 1 } T ( a � = 1 ) � ≤ 2 · [ a = 1 ] < ∞ . � � ( | E ′ − E ′ ( s ) | ) ( s ) → Good, since E ′ is not a lower bound. � 1 � 1 � λ s . [ a = 1 ] · wp λ s . [ a = 1 ] · wp → Rule is not applicable! { a := 0 } { a := 0 } ( | E − E ( s ) | ) ( s ) Expected finite looping time: Exp → E is a lower bound. � � { a := 0 } � { x := x + 1 } � � 2 2 2 · | x + [ 0 = 1 ] − ( x + [ a = 1 ]) | + 1 1 � 1 = ≥ [ a = 1 ] · ( 1 + 2 x ) ��� → E = wp while ( a = 1 ) 2 · | x + 1 + [ a = 1 ] − ( x + [ a = 1 ]) | ( x ) . 2 = 2 · |− [ a = 1 ] | + 1 1 2 · | 1 | ≤ 1 = K (constant) POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 14

  73. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ⇒ E ≤ wp � loop � ( f ) . ⇒ E ≤ wp � loop � ( f ) . = = 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for K ∈ R ≥ 0 K ∈ R ≥ 0 while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } E ′ = x + [ a = 1 ] · ( 1 + 2 x ) = x + [ a = 1 ] → Easily checkable. E � � � { x := x + 1 } � { x := x + 1 } T ( a � = 1 ) � ≤ 2 · [ a = 1 ] < ∞ . � � ( | E ′ − E ′ ( s ) | ) ( s ) → Good, since E ′ is not a lower bound. � 1 � 1 � λ s . [ a = 1 ] · wp λ s . [ a = 1 ] · wp → Rule is not applicable! { a := 0 } { a := 0 } ( | E − E ( s ) | ) ( s ) Expected finite looping time: Exp → E is a lower bound. � � { a := 0 } � { x := x + 1 } � � 2 2 2 · | x + [ 0 = 1 ] − ( x + [ a = 1 ]) | + 1 1 � 1 = ≥ [ a = 1 ] · ( 1 + 2 x ) ��� → E = wp while ( a = 1 ) 2 · | x + 1 + [ a = 1 ] − ( x + [ a = 1 ]) | ( x ) . 2 = 2 · |− [ a = 1 ] | + 1 1 2 · | 1 | ≤ 1 = K (constant) POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 14

  74. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ⇒ E ≤ wp � loop � ( f ) . ⇒ E ≤ wp � loop � ( f ) . = = 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for K ∈ R ≥ 0 K ∈ R ≥ 0 while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } E ′ = x + [ a = 1 ] · ( 1 + 2 x ) = x + [ a = 1 ] → Easily checkable. E � � � { x := x + 1 } � { x := x + 1 } T ( a � = 1 ) � ≤ 2 · [ a = 1 ] < ∞ . � � ( | E ′ − E ′ ( s ) | ) ( s ) → Good, since E ′ is not a lower bound. � 1 � 1 � λ s . [ a = 1 ] · wp λ s . [ a = 1 ] · wp → Rule is not applicable! { a := 0 } { a := 0 } ( | E − E ( s ) | ) ( s ) Expected finite looping time: Exp → E is a lower bound. � � { a := 0 } � { x := x + 1 } � � 2 2 2 · | x + [ 0 = 1 ] − ( x + [ a = 1 ]) | + 1 1 � 1 = ≥ [ a = 1 ] · ( 1 + 2 x ) ��� → E = wp while ( a = 1 ) 2 · | x + 1 + [ a = 1 ] − ( x + [ a = 1 ]) | ( x ) . 2 = 2 · |− [ a = 1 ] | + 1 1 2 · | 1 | ≤ 1 = K (constant) POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 14

  75. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Our Rule Our Rule 1. Exp ( T ¬ ϕ ) < ∞ 1. Exp ( T ¬ ϕ ) < ∞ E ≤ Φ f ( E ) E ≤ Φ f ( E ) ∧ ∧ ⇒ E ≤ wp � loop � ( f ) . ⇒ E ≤ wp � loop � ( f ) . = = 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for 2. λ s . [ ϕ ] wp � C � ( | E − E ( s ) | ) ≤ K for K ∈ R ≥ 0 K ∈ R ≥ 0 while ( a = 1 ) { � { x := x + 1 } � 1 { a := 0 } 2 } E ′ = x + [ a = 1 ] · ( 1 + 2 x ) = x + [ a = 1 ] → Easily checkable. E � � � { x := x + 1 } � { x := x + 1 } T ( a � = 1 ) � ≤ 2 · [ a = 1 ] < ∞ . � � ( | E ′ − E ′ ( s ) | ) ( s ) → Good, since E ′ is not a lower bound. � 1 � 1 � λ s . [ a = 1 ] · wp λ s . [ a = 1 ] · wp → Rule is not applicable! { a := 0 } { a := 0 } ( | E − E ( s ) | ) ( s ) Expected finite looping time: Exp → E is a lower bound. � � { a := 0 } � { x := x + 1 } � � 2 2 2 · | x + [ 0 = 1 ] − ( x + [ a = 1 ]) | + 1 1 � 1 = ≥ [ a = 1 ] · ( 1 + 2 x ) ��� → E = wp while ( a = 1 ) 2 · | x + 1 + [ a = 1 ] − ( x + [ a = 1 ]) | ( x ) . 2 = 2 · |− [ a = 1 ] | + 1 1 2 · | 1 | ≤ 1 = K (constant) POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 14

  76. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Contribution To best of our knowledge: → First inductive rule for lower bounds. → No reasoning about limits of sequences. POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 15

  77. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Contribution To best of our knowledge: → First inductive rule for lower bounds. → No reasoning about limits of sequences. POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 15

  78. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Contribution To best of our knowledge: → First inductive rule for lower bounds. → No reasoning about limits of sequences. POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 15

  79. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Lower Bounds for Expected Runtimes • Similar rule for expected runtimes (ert [Kaminski et al. 16]). • Only side condition: λ s . [ ϕ ] wp � C � ( | T − T ( s ) | ) ≤ K for K ∈ R ≥ 0 . Coupon Collector : T = [ 0 < x ≤ N ] · N · H x + [ N < x ] · ( N · H N + N − x ) N · H N = N · ( 1 + 1 2 + · · · + 1 T [ x / N ] N ) is lower bound. Lower bound is strict but asymptotically optimal. H N appears in real world algorithm-analysis! POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 16

  80. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Lower Bounds for Expected Runtimes • Similar rule for expected runtimes (ert [Kaminski et al. 16]). • Only side condition: λ s . [ ϕ ] wp � C � ( | T − T ( s ) | ) ≤ K for K ∈ R ≥ 0 . Coupon Collector : T = [ 0 < x ≤ N ] · N · H x + [ N < x ] · ( N · H N + N − x ) N · H N = N · ( 1 + 1 2 + · · · + 1 T [ x / N ] N ) is lower bound. Lower bound is strict but asymptotically optimal. H N appears in real world algorithm-analysis! POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 16

  81. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Lower Bounds for Expected Runtimes • Similar rule for expected runtimes (ert [Kaminski et al. 16]). • Only side condition: λ s . [ ϕ ] wp � C � ( | T − T ( s ) | ) ≤ K for K ∈ R ≥ 0 . Coupon Collector : T = [ 0 < x ≤ N ] · N · H x + [ N < x ] · ( N · H N + N − x ) N · H N = N · ( 1 + 1 2 + · · · + 1 T [ x / N ] N ) is lower bound. Lower bound is strict but asymptotically optimal. H N appears in real world algorithm-analysis! POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 16

  82. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Lower Bounds for Expected Runtimes • Similar rule for expected runtimes (ert [Kaminski et al. 16]). • Only side condition: λ s . [ ϕ ] wp � C � ( | T − T ( s ) | ) ≤ K for K ∈ R ≥ 0 . Coupon Collector : T = [ 0 < x ≤ N ] · N · H x + [ N < x ] · ( N · H N + N − x ) N · H N = N · ( 1 + 1 2 + · · · + 1 T [ x / N ] N ) is lower bound. Lower bound is strict but asymptotically optimal. H N appears in real world algorithm-analysis! POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 16

  83. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Lower Bounds for Expected Runtimes • Similar rule for expected runtimes (ert [Kaminski et al. 16]). • Only side condition: λ s . [ ϕ ] wp � C � ( | T − T ( s ) | ) ≤ K for K ∈ R ≥ 0 . Coupon Collector : T = [ 0 < x ≤ N ] · N · H x + [ N < x ] · ( N · H N + N − x ) x := N N · H N = N · ( 1 + 1 2 + · · · + 1 while ( 0 < x ) { T [ x / N ] N ) is lower bound. Lower bound is strict but asymptotically optimal. i := N + 1 while ( x < i ) { H N appears in real world algorithm-analysis! i := Unif [ 1 .. N ] } x := x − 1 } POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 16

  84. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Lower Bounds for Expected Runtimes • Similar rule for expected runtimes (ert [Kaminski et al. 16]). • Only side condition: λ s . [ ϕ ] wp � C � ( | T − T ( s ) | ) ≤ K for K ∈ R ≥ 0 . Coupon Collector : T = [ 0 < x ≤ N ] · N · H x + [ N < x ] · ( N · H N + N − x ) x := N N · H N = N · ( 1 + 1 2 + · · · + 1 while ( 0 < x ) { T [ x / N ] N ) is lower bound. Lower bound is strict but asymptotically optimal. i := N + 1 while ( x < i ) { H N appears in real world algorithm-analysis! i := Unif [ 1 .. N ] } x := x − 1 } POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 16

  85. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Lower Bounds for Expected Runtimes • Similar rule for expected runtimes (ert [Kaminski et al. 16]). • Only side condition: λ s . [ ϕ ] wp � C � ( | T − T ( s ) | ) ≤ K for K ∈ R ≥ 0 . Coupon Collector : T = [ 0 < x ≤ N ] · N · H x + [ N < x ] · ( N · H N + N − x ) x := N N · H N = N · ( 1 + 1 2 + · · · + 1 while ( 0 < x ) { T [ x / N ] N ) is lower bound. Lower bound is strict but asymptotically optimal. i := N + 1 while ( x < i ) { H N appears in real world algorithm-analysis! i := Unif [ 1 .. N ] } x := x − 1 } POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 16

  86. Lower Bounds wp � while ( ϕ ) { C } � ( f ) Lower Bounds for Expected Runtimes • Similar rule for expected runtimes (ert [Kaminski et al. 16]). • Only side condition: λ s . [ ϕ ] wp � C � ( | T − T ( s ) | ) ≤ K for K ∈ R ≥ 0 . Coupon Collector : T = [ 0 < x ≤ N ] · N · H x + [ N < x ] · ( N · H N + N − x ) x := N N · H N = N · ( 1 + 1 2 + · · · + 1 while ( 0 < x ) { T [ x / N ] N ) is lower bound. Lower bound is strict but asymptotically optimal. i := N + 1 while ( x < i ) { H N appears in real world algorithm-analysis! i := Unif [ 1 .. N ] } x := x − 1 } POPL 2020– Aiming Low is Harder – Hark , Kaminski, Giesl, Katoen – 1/25/20 – 16

Recommend

. Feet on the ground. Aiming for the stars. . Feet on the ground. Aiming for the stars. Best

. Feet on the ground. Aiming for the stars. . Feet on the ground. Aiming for the stars. Best

. Feet on the ground. Aiming for the stars. . Feet on the ground. Aiming for the stars. Best Batsman - Flynn Farrell Best Bowlers - Tyron Halpenny Best Fielder - Tom Fitzhenry Coaches award - Hayden Cockerill . Feet on the ground. Aiming for

309 views • 20 slides
What is process control system Why a new control system? Aiming control system field main flaws

What is process control system Why a new control system? Aiming control system field main flaws

What is process control system Why a new control system? Aiming control system field main flaws Fully-featured systems are expensive and not available to general public - professional individuals, schools, small companies... AIMING: WIDE USE

350 views • 9 slides
Are Ideas Getting Harder to Find? Bloom, Jones, Van Reenen, and Webb March 2018 1 / 63

Are Ideas Getting Harder to Find? Bloom, Jones, Van Reenen, and Webb March 2018 1 / 63

Are Ideas Getting Harder to Find? Bloom, Jones, Van Reenen, and Webb March 2018 1 / 63 Overview New stylized fact: Exponential growth is getting harder to achieve. Economic Research Number of = growth productivity researchers

849 views • 63 slides
By Brendan Lamarre Mentors: Jerry Harder and Mark Rast Irradiance Trends (Harder et al., 2010)

By Brendan Lamarre Mentors: Jerry Harder and Mark Rast Irradiance Trends (Harder et al., 2010)

By Brendan Lamarre Mentors: Jerry Harder and Mark Rast Irradiance Trends (Harder et al., 2010) Jan 15 th , 2005 Ca II K (393.45nm) Jan 15 th , 2005 Red (607.095nm) Jan 25 th , 2009 Ca II K (393.45nm) Jan 25 th , 2009 Red (607.095nm) Jan 15th,

433 views • 21 slides
Train Smarter 1 The days of just training harder are over, you need to train smarter.

Train Smarter 1 The days of just training harder are over, you need to train smarter.

Train Smarter 1 The days of just training harder are over, you need to train smarter. Just Training Harder has Limitations Limited Personalized Feedback Limited Data Collection Limited Athlete Motivation So Train Smarter with

302 views • 14 slides
For many of us we need to adopt a longer-term perspective and become investors not savers. While

For many of us we need to adopt a longer-term perspective and become investors not savers. While

Interest rates are falling and have been falling for many years now. Low rates present stern challenges for all of us. It makes it harder to save towards our retirement nest egg and harder to live off that nest egg in our retirement. To meet the

635 views • 44 slides
What is PPI? The Investment Partnerships Program (PPI) was launched in May 2016, aiming to

What is PPI? The Investment Partnerships Program (PPI) was launched in May 2016, aiming to

What is PPI? The Investment Partnerships Program (PPI) was launched in May 2016, aiming to coordinate and supervise concessions and privatizations of Federal Government infrastructure projects. PPIs Special Secretary supports Ministries and

1.64k views • 92 slides
Introduc)on: Why is U)lity Financial Management Becoming Harder

Introduc)on: Why is U)lity Financial Management Becoming Harder

Introduc)on: Why is U)lity Financial Management Becoming Harder Than Ever? Residen)al Water Sales Isnt this a Success Story? Yes, but with side

1.52k views • 15 slides
Experimenting Smarter not Harder zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA - Taguchi

Experimenting Smarter not Harder zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA - Taguchi

I zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA Experimenting Smarter not Harder zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA - Taguchi Methods Stella Q&quot;vmd BAE SYSTEMS ISMOR 1 1 1 The Problem Developed

127 views • 10 slides
Super Mario Bros. Is Harder/Easier than We Thought FUN 2016 Erik D. Demaine, Giovanni Viglietta,

Super Mario Bros. Is Harder/Easier than We Thought FUN 2016 Erik D. Demaine, Giovanni Viglietta,

Super Mario Bros. Is Harder/Easier than We Thought FUN 2016 Erik D. Demaine, Giovanni Viglietta, Aaron Williams La Maddalena June 9, 2016 Super Mario Bros. Is Harder/Easier than We Thought State of the art: FUN 2014 &quot;Classic Nintendo

1.17k views • 77 slides
ts . harder to lasso. her herding ding ca cats 1 2 3 4 4 What do retail development

ts . harder to lasso. her herding ding ca cats 1 2 3 4 4 What do retail development

.theyre easy to Recr ecruiting uiting retailer etailers s find, but a little is a lot lik is a lot like e ts . harder to lasso. her herding ding ca cats 1 2 3 4 4 What do retail development and a junior high dance party

353 views • 13 slides
1400-1500 Todays session will be facilitated by: Dr. . Curtis tis Ha Harder der -

1400-1500 Todays session will be facilitated by: Dr. . Curtis tis Ha Harder der -

Stakehold holder er Consulta ultati tion on Worksh kshop op May11, 2015 1400-1500 Todays session will be facilitated by: Dr. . Curtis tis Ha Harder der - Residency Coordinator, Vancouver Island Health Authority Allan n

401 views • 39 slides
Aiming Introductory Composition Course Design y c a r e t i L l a t i g i D l a

Aiming Introductory Composition Course Design y c a r e t i L l a t i g i D l a

Aiming Introductory Composition Course Design y c a r e t i L l a t i g i D l a i d e m C s C n n a o r T H s &amp; d r M a H w U o T , a g a n i h s o Y a d I - Linda Dishman, These are

440 views • 13 slides
Vanadium Industry Aiming to be the Next Producer in an Evolving Market Important Information

Vanadium Industry Aiming to be the Next Producer in an Evolving Market Important Information

For personal use only Leading the Charge in the (ASX: TMT, TMTO; FRA: TN6) July 2018 Vanadium Industry Aiming to be the Next Producer in an Evolving Market Important Information Disclaimer This presentation has been prepared by Technology

441 views • 31 slides
TRADE, SERVICES AND DEVELOPMENT Geneva, 18-20 July 2017 Aiming for a Weatherproof

TRADE, SERVICES AND DEVELOPMENT Geneva, 18-20 July 2017 Aiming for a Weatherproof

UNCTAD Multi-year Expert Meeting on TRADE, SERVICES AND DEVELOPMENT Geneva, 18-20 July 2017 Aiming for a Weatherproof Environment for Purposeful Development by Olutunmbi Idowu Head, Compliance and Risk Control, Solution Area,

88 views • 5 slides
Aiming upstream: Waste Prevention Campaigns Kelley Dennings

Aiming upstream: Waste Prevention Campaigns Kelley Dennings

Aiming upstream: Waste Prevention Campaigns Kelley Dennings Casey Williams kdennings@gmail.com casey@newdream.org New Dream empowers individuals, communities, and

948 views • 49 slides
* Nick Tyler CRUCIBLE Centre UCL * What are we really aiming for? * S ociological * Medical *

* Nick Tyler CRUCIBLE Centre UCL * What are we really aiming for? * S ociological * Medical *

* Nick Tyler CRUCIBLE Centre UCL * What are we really aiming for? * S ociological * Medical * Technological * Personal * * Condit ion-cent red * Fix t he condit ion * Easier t o put similar condit ions in t he same place * Treat / cure * Care

294 views • 28 slides
Aiming to develop into a West Australian mining company via exploration success, acquisition or

Aiming to develop into a West Australian mining company via exploration success, acquisition or

Aiming to develop into a West Australian mining company via exploration success, acquisition or M&amp;A activity AMEC Investor Briefing 1 April 2017 Important Disclaimer This Document and the information contained herein and any presentation

436 views • 16 slides
Lessons Learned Designing an Open Source UMPC Ben Goska and Tim Harder Oregon State University

Lessons Learned Designing an Open Source UMPC Ben Goska and Tim Harder Oregon State University

Outline What is the OSWALD? Development team Lessons Learned Designing an Open Source UMPC Ben Goska and Tim Harder Oregon State University September 25, 2009 Ben Goska and Tim Harder Oregon State University Lessons Learned Designing an

835 views • 13 slides
Aiming to develop into a West Australian mining company via exploration success, acquisition or

Aiming to develop into a West Australian mining company via exploration success, acquisition or

Aiming to develop into a West Australian mining company via exploration success, acquisition or M&amp;A activity Annual General Meeting 25 November 2016 Important Disclaimer This Document and the information contained herein and any

147 views • 14 slides
Aiming to become a supplier of battery grade lithium chemicals into Europe 15 September 2016 An

Aiming to become a supplier of battery grade lithium chemicals into Europe 15 September 2016 An

Aiming to become a supplier of battery grade lithium chemicals into Europe 15 September 2016 An in-specie distribution to shareholders of Hannans Ltd (ASX:HNR) Executive Summary Incubator of high value mining projects in Scandinavia

454 views • 28 slides
EMOTIONAL &amp; RATIONAL OUR KIDS THE FUTURE MORE BUT HARDER CHOICES A PLAN OR

EMOTIONAL &amp; RATIONAL OUR KIDS THE FUTURE MORE BUT HARDER CHOICES A PLAN OR

EMOTIONAL &amp; RATIONAL OUR KIDS THE FUTURE MORE BUT HARDER CHOICES A PLAN OR PLAN TO ADAPT HOW WE EARN WHY WE LEARN WHAT YOU WHAT WE DREAM NEED It is tougher to get ahead these days than in the past 72% Doing what

540 views • 14 slides
Ulley Sailing Club Where small really is beautiful! Aiming to make sailing affordable and

Ulley Sailing Club Where small really is beautiful! Aiming to make sailing affordable and

Ulley Sailing Club Where small really is beautiful! Aiming to make sailing affordable and accessible for all What makes us special? Volunteer run everything from training to cleaning to cooking our trademark communal lunches Friendly

474 views • 10 slides
AIMING HIGHER IN 2016 Q4 2015 p u d 12 February 2016 Contents Overview Q4 and

AIMING HIGHER IN 2016 Q4 2015 p u d 12 February 2016 Contents Overview Q4 and

, AIMING HIGHER IN 2016 Q4 2015 p u d 12 February 2016 Contents Overview Q4 and year-end 2015 Financial leverage Outlook 2016 Strategy, goals and priorities Appendix: EBIT per BU The statements about the future in

443 views • 13 slides

More recommend