IFIP WG 2.2, 2019 On Proving Almost-Sure Termination Joost-Pieter Katoen Talk 2019 Meeting IFIP WG 2.2, Vienna Joost-Pieter Katoen On Proving Almost-Sure Termination 1/30
Termination of programs that roll dice?
Certain termination

    while (i > 0) { i-- }

This program never diverges. This holds for all integer inputs i.
Almost-sure termination

For 0 < p < 1 an arbitrary probability:

    bool c := true; int i := 0;
    while (c) { i++; (c := false [p] c := true) }

This program does not always terminate. It diverges with probability zero. It almost surely terminates.
Non almost-sure termination

    P :: skip [1/2] { call P; call P; call P }

This program terminates with probability < 1, namely with probability (√5 − 1)/2.
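As an added example (not part of the talk), the termination probabilities of the two programs above can be computed as the least fixed point of their recursive probability equations: the loop of slide 4 satisfies t = p + (1 − p)·t, and the recursive P satisfies t = 1/2 + t³/2 (skip with probability 1/2, or all three calls terminate). Kleene iteration from 0 converges to the least solution, which is 1 for the loop and (√5 − 1)/2 for P even though t = 1 also solves P's equation. The function names are mine.

```python
"""Added example: termination probabilities of the slide-4 loop and the
slide-5 recursive program as least fixed points, via Kleene iteration."""
import math


def least_fixed_point(f, iterations=500, start=0.0):
    """Iterate 0, f(0), f(f(0)), ...  For a monotone, continuous f on [0, 1]
    this sequence converges to the *least* fixed point of f."""
    t = start
    for _ in range(iterations):
        t = f(t)
    return t


def coin_loop_termination_prob(p):
    """Slide 4: while (c) { i++; (c := false [p] c := true) }.
    Each iteration exits with probability p, so t = p + (1 - p) * t."""
    return least_fixed_point(lambda t: p + (1 - p) * t)


def coin_loop_expected_iterations(p):
    """Expected iteration count e = 1 + (1 - p) * e, i.e. 1/p: finite for every
    0 < p < 1, so the loop is positively almost-surely terminating."""
    return least_fixed_point(lambda e: 1 + (1 - p) * e, iterations=2000)


def recursive_p_termination_prob():
    """Slide 5: P :: skip [1/2] { call P; call P; call P }.
    P terminates if the coin picks skip, or all three recursive calls terminate:
    t = 1/2 + (1/2) * t^3.  Fixed points in [0, 1]: (sqrt(5)-1)/2 and 1; the
    least one is the termination probability."""
    return least_fixed_point(lambda t: 0.5 + 0.5 * t ** 3)


# The least root of t^3 - 2t + 1 = 0 in [0, 1]; equals (sqrt(5) - 1) / 2.
LEAST_ROOT = (math.sqrt(5) - 1) / 2


if __name__ == "__main__":
    print("slide-4 loop, p = 0.3:", coin_loop_termination_prob(0.3),
          "expected iterations", coin_loop_expected_iterations(0.3))
    print("slide-5 P:", recursive_p_termination_prob(), "vs", LEAST_ROOT)
```

The iteration for P is monotone from below, so it can never overshoot to the spurious solution 1; that is exactly why the least fixed point, and not any fixed point, is the right semantics for a termination probability.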
Nuances of termination (Olivier Bournez, Florent Garnier)

- certain termination
- termination with probability one → almost-sure termination
- ... in an expected finite number of steps → "positive" almost-sure termination
- ... in an expected infinite number of steps → "null" almost-sure termination
Hardness of almost-sure termination [Kaminski & Katoen, 2015]

[Figure: the arithmetical hierarchy, levels Σ^0_1 / Π^0_1 / ∆^0_1 up to Σ^0_3 / Π^0_3 / ∆^0_3, with the halting problem H placed at level 1, AST, UAST, PAST and the universal halting problem UH at level 2, and UPAST and COF at level 3.]

Adding non-determinism does not change the picture. Neither for approximating termination probabilities.
Proving almost-sure termination

What?
- Termination with probability one
- For all possible inputs

Why?
- Reachability can be encoded as termination
- Often a prerequisite for proving correctness
- Often implicitly assumed

Why is it hard in practice?
- Requires proving lower bound 1 for termination probability
Almost-sure termination

"[Ordinary] termination is a purely topological property [...], but almost-sure termination is not. [...] Proving almost-sure termination requires arithmetic reasoning not offered by termination provers."
Javier Esparza, CAV 2012
How to prove termination?

Use a variant function on the program's state space whose value — on each loop iteration — is monotonically decreasing with respect to a (strict) well-founded relation.
Alan Mathison Turing, Checking a large routine, 1949
Variant functions

V : Σ → ℝ≥0 is a variant function for the loop while (G) P if for every state s:

1. If s ⊨ G, then P's execution on s terminates in a state t with V(t) ≤ V(s) − ε for some fixed ε > 0, and
2. If V(s) ≤ 0, then s ⊭ G.

The relation "decreases by at least ε" on ℝ≥0 is well-founded for ε > 0.
Termination proofs

[Figure: V(s_i) plotted against the loop iterations s_0, s_1, ..., s_9, decreasing at every step; arrival at 0 is guaranteed by well-foundedness of the decrease relation.]
Examples

    while (x > 0) { x-- }

Ranking function V = x.

    x := ... ; y := ... // x and y are positive
    while (x != y) { if (x > y) { x := x-y } else { y := y-x } }

Ranking function V = x + y.
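As an added example (my code, not from the talk), the two conditions of slide 11 can be checked mechanically for the loops above on a finite window of states: whenever the guard holds, one execution of the body must lower V by at least ε, and V(s) ≤ 0 must force the guard to fail. The encoding of the loops, the window sizes and the helper names are my choices; a window check is evidence for, not a proof of, the conditions on the whole state space. The deliberately wrong candidate V = x for the gcd loop shows what a violation report looks like.

```python
"""Added example: checking Turing-style variant-function conditions for the
two deterministic loops on this slide, over a bounded window of states."""


def check_variant(guard, body, V, states, eps=1.0):
    """Return the states (with successors) violating either condition;
    an empty list means both conditions hold on this window."""
    violations = []
    for s in states:
        if guard(s):
            t = body(s)
            if V(t) > V(s) - eps:              # condition 1: decrease by >= eps
                violations.append(("no-decrease", s, t))
            if V(s) <= 0:                      # condition 2: V(s) <= 0 forbids the guard
                violations.append(("guard-at-zero", s))
    return violations


def run_loop(guard, body, s):
    """Execute the loop and count iterations (safe once termination is proven)."""
    n = 0
    while guard(s):
        s, n = body(s), n + 1
    return s, n


# Loop 1: while (x > 0) { x-- } with V = x; states are 1-tuples (x,)
countdown_guard = lambda s: s[0] > 0
countdown_body = lambda s: (s[0] - 1,)
countdown_V = lambda s: s[0]

# Loop 2: subtractive gcd, while (x != y) {...} with V = x + y, x and y positive
euclid_guard = lambda s: s[0] != s[1]


def euclid_body(s):
    x, y = s
    return (x - y, y) if x > y else (x, y - x)


euclid_V = lambda s: s[0] + s[1]


def countdown_violations(n=50):
    return check_variant(countdown_guard, countdown_body, countdown_V,
                         [(x,) for x in range(-5, n)])


def euclid_violations(n=40):
    return check_variant(euclid_guard, euclid_body, euclid_V,
                         [(x, y) for x in range(1, n) for y in range(1, n)])


def euclid_wrong_variant_violations(n=40):
    """V = x alone is not a variant: when y > x the body leaves x unchanged."""
    return check_variant(euclid_guard, euclid_body, lambda s: s[0],
                         [(x, y) for x in range(1, n) for y in range(1, n)])


def iterations_within_bound(s, eps=1.0):
    """A variant with step eps bounds the iteration count by V(s0) / eps."""
    _, n = run_loop(euclid_guard, euclid_body, s)
    return n <= euclid_V(s) / eps


if __name__ == "__main__":
    print("countdown:", countdown_violations())
    print("gcd, V = x + y:", euclid_violations())
    print("gcd, V = x:", euclid_wrong_variant_violations()[:3], "...")
    print("gcd(21, 13) run:", run_loop(euclid_guard, euclid_body, (21, 13)))
```

Condition 2 is what lets the well-foundedness argument of slide 12 go through: once V hits 0 the loop must have stopped, so the decreasing chain of V values cannot continue below the floor.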
Proving almost-sure termination so far

- Hart/Sharir/Pnueli: Termination of Probabilistic Concurrent Programs. POPL 1982
- Bournez/Garnier: Proving Positive Almost-Sure Termination. RTA 2005
- McIver/Morgan: Abstraction, Refinement and Proof for Probabilistic Systems. 2005
- Esparza et al.: Proving Termination of Probabilistic Programs Using Patterns. CAV 2012
- Chakarov/Sankaranarayanan: Probabilistic Program Analysis with Martingales. CAV 2013
- Fioriti/Hermanns: Probabilistic Termination: Soundness, Completeness, and Compositionality. POPL 2015
- Chatterjee et al.: Algorithmic Termination of Affine Probabilistic Programs. POPL 2016
- Agrawal/Chatterjee/Novotný: Lexicographic Ranking Supermartingales. POPL 2018
- ...

Key ingredient: super- (or some form of) martingales
On super-martingales

A stochastic process X_1, X_2, ... is a martingale whenever:

    E(X_{n+1} | X_1, ..., X_n) = X_n

It is a super-martingale whenever:

    E(X_{n+1} | X_1, ..., X_n) ≤ X_n
Our aim

A powerful, simple proof rule for almost-sure termination. At the source code level. No "descend" into the underlying probabilistic model. No severe restrictions on programs.
Proving almost-sure termination

The symmetric random walk:

    while (x > 0) { x := x-1 [0.5] x := x+1 }

Is out-of-reach for many proof rules. A loop iteration decreases x by one with probability 1/2. This observation is enough to witness almost-sure termination!
Are these programs almost surely terminating?

- Escaping spline: ✓

      while (x > 0) { p := 1/(x+1); x := 0 [p] x++ }

- A slightly unbiased random walk: ✗

      p := 0.5-eps; while (x > 0) { x-- [p] x++ }

- A symmetric-in-the-limit random walk:

      while (x > 0) { p := x/(2*x+1); x-- [p] x++ }
Proving almost-sure termination

Goal: prove a.s.-termination of while(G) P, for all inputs

Ingredients:
- A supermartingale V mapping states onto non-negative reals
  - E{V(s_{n+1}) | V(s_0), ..., V(s_n)} ≤ V(s_n)
  - Running body P on state s ⊨ G does not increase E(V(s))
  - Loop iteration ceases if V(s) = 0
- ... and a progress condition: on each loop iteration in s_i
  - V(s_i) = v decreases by ≥ d(v) > 0 with probability ≥ p(v) > 0
  - with antitone p ("probability") and d ("decrease") on V's values

Then: while(G) P a.s.-terminates on every input
Proving almost-sure termination

[Figure: V(s_i) against the loop iterations s_0, ..., s_9; V decreases by d(V(s_1)) with probability p(V(s_1)) and by d(V(s_4)) with probability p(V(s_4)); p(V(s_1)) ≤ p(V(s_4)) by antitone p, and d(V(s_1)) ≤ d(V(s_4)) by antitone d.]

The closer to termination, the more V decreases and this becomes more likely.
The symmetric random walk

- Recall:

      while (x > 0) { x := x-1 [0.5] x := x+1 }

- Witnesses of almost-sure termination:
  - V = x
  - p(v) = 1/2 and d(v) = 1

That's all you need to prove almost-sure termination!
The escaping spline

- Consider the program:

      while (x > 0) { p := 1/(x+1); x := 0 [p] x++ }

- Witnesses of almost-sure termination:
  - V = x
  - p(v) = 1/(v+1) and d(v) = 1
A symmetric-in-the-limit random walk

- Consider the program:

      while (x > 0) { p := x/(2*x+1); x-- [p] x++ }

- Witnesses of almost-sure termination:
  - V = H_x, where H_x is the x-th Harmonic number 1 + 1/2 + ... + 1/x
  - p(v) = 1/3 and d(v) = 1/x if v > 0 and H_{x−1} < v ≤ H_x; d(v) = 1 if v = 0
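As an added example (my code, not from the talk), the conditions of the proof rule on slide 19 can be checked mechanically on a bounded window of states for the witnesses the slides give on slides 21, 22 and 23: the supermartingale condition, the progress condition (decrease by at least d(v) with probability at least p(v)), antitonicity of p and d on the values V takes, and that V(s) = 0 means the loop has stopped. The step functions are my encoding of the slide programs. For the slightly unbiased random walk of slide 18 (marked ✗), the natural candidate V = x with p = 0.5 − eps, d = 1 is my guess and fails the supermartingale condition; because the rule is only sufficient, that failure rules out this witness, not the program's termination. A passing window check is likewise evidence, not a proof over all states.

```python
"""Added example: checking supermartingale + progress + antitone conditions
for the witnesses on slides 21-23 on states x = 0..59."""

TOL = 1e-9
GUARD = lambda x: x > 0        # every loop on these slides is while (x > 0)


def symmetric_walk(x):          # x := x-1 [0.5] x := x+1
    return [(0.5, x - 1), (0.5, x + 1)]


def escaping_spline(x):         # p := 1/(x+1); x := 0 [p] x++
    p = 1 / (x + 1)
    return [(p, 0), (1 - p, x + 1)]


def limit_symmetric_walk(x):    # p := x/(2*x+1); x-- [p] x++
    p = x / (2 * x + 1)
    return [(p, x - 1), (1 - p, x + 1)]


def biased_walk(eps):           # p := 0.5-eps; x-- [p] x++  (slide 18, marked X)
    return lambda x: [(0.5 - eps, x - 1), (0.5 + eps, x + 1)]


def harmonic(x):                # H_x = 1 + 1/2 + ... + 1/x, with H_0 = 0
    return sum(1.0 / k for k in range(1, x + 1))


def d_harmonic(v):              # d(v) = 1/x for H_{x-1} < v <= H_x, d(0) = 1
    if v <= TOL:
        return 1.0
    x = 1
    while harmonic(x) < v - TOL:
        x += 1
    return 1.0 / x


def check_rule(step, V, p, d, states):
    """Return {condition: [states where it fails]}; all lists empty = rule holds."""
    fails = {"supermartingale": [], "progress": [], "zero_exits": [],
             "antitone_p": [], "antitone_d": []}
    for x in states:
        v = V(x)
        if v <= TOL and GUARD(x):           # V(s) = 0 must mean the loop stops
            fails["zero_exits"].append(x)
        if not GUARD(x):
            continue
        succ = step(x)                      # one body execution as a distribution
        # (1) expected V after the body does not exceed V before it
        if sum(pr * V(y) for pr, y in succ) > v + TOL:
            fails["supermartingale"].append(x)
        # (2) V drops by at least d(v) with probability at least p(v), both > 0
        mass = sum(pr for pr, y in succ if V(y) <= v - d(v) + TOL)
        if not (p(v) > 0 and d(v) > 0) or mass + TOL < p(v):
            fails["progress"].append(x)
    # (3) p and d antitone on the observed values of V: v < w => p(v) >= p(w)
    vals = sorted(set(V(x) for x in states))
    for v, w in zip(vals, vals[1:]):
        if p(v) + TOL < p(w):
            fails["antitone_p"].append(w)
        if d(v) + TOL < d(w):
            fails["antitone_d"].append(w)
    return fails


# name -> (program, V, p, d); the first three are the slides' witnesses,
# "biased" is my own (failing) candidate for the slide-18 X case.
WITNESSES = {
    "symmetric": (symmetric_walk, float, lambda v: 0.5, lambda v: 1.0),
    "spline": (escaping_spline, float, lambda v: 1 / (v + 1), lambda v: 1.0),
    "limit": (limit_symmetric_walk, harmonic, lambda v: 1 / 3, d_harmonic),
    "biased": (biased_walk(0.1), float, lambda v: 0.4, lambda v: 1.0),
}


def verify(name, states=range(0, 60)):
    step, V, p, d = WITNESSES[name]
    return check_rule(step, V, p, d, states)


def rule_holds(name):
    return all(not bad for bad in verify(name).values())


if __name__ == "__main__":
    for name in WITNESSES:
        print(name, "OK" if rule_holds(name) else verify(name))
```

For the symmetric-in-the-limit walk the check also makes the role of the harmonic V visible: E[H_{x'}] − H_x = −(x/(2x+1))·(1/x) + ((x+1)/(2x+1))·(1/(x+1)) = 0, so V is exactly a martingale, while d(v) = 1/x shrinks as v grows, which is what antitonicity of d requires.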