Ranking and Repulsing Supermartingales for Reachability in in Probabilistic Programs Toru Takisaka 1 , Yuichiro Oyabu 2,3 , Natsuki Urabe 1 , Ichiro Hasuo 2,3 National Institute of Informatics, Japan 1 The Graduate University for Advanced Studies (SOKENDAI), Japan 2 University of Tokyo, Japan 3
Formalize the extension procedure from metamathematical viewpoint Discrete → Category Formal Hybrid theory, Qualitative → method for logic, … Quantitative CPS • Software support Formal for CPS method for development software collaborate • Cost cut in quality assurance Machine learning Specification, • Theoretical basis for Optimization verification, future integrated Control theory Synthesis… development • … https://group-mmm.org/eratommsd/
Formalize the extension procedure from metamathematical viewpoint Discrete → Category Formal Hybrid theory, Qualitative → method for logic, … Quantitative CPS • Software support Formal for CPS method for development software collaborate • Cost cut in quality assurance Machine learning Specification, • Theoretical basis for Optimization verification, future integrated Control theory Synthesis… development • … https://group-mmm.org/eratommsd/
Outline • Introduction / preliminaries • Our topic: supermartingale for reachability analysis • What can supermartingale do? • What is supermartingale? / Why does it work? • Which property of SM techniques are we interested? - Soundness / completeness • Our contribution • Theoretical part: characterization of SM techniques via KT theorem • Implementation and experiments
Problem formulation Input: probabilistic program
Problem formulation Input: probabilistic program Nondet. / Prob. branching Nondet. / Prob. assignment
Problem formulation Input: probabilistic program Problem What is the probability that the program terminates? Nondet. / Prob. (under angelic/demonic scheduler) branching We admit continuous variables ⇒ Generally one can’t compute Nondet. / Prob. assignment probability efficiently
Problem formulation Input: probabilistic program Problem What is the probability that the program terminates? Nondet. / Prob. (under angelic/demonic scheduler) branching We admit continuous variables ⇒ Generally one can’t compute Nondet. / Prob. assignment probability efficiently ⇒ Reachability analysis by supermartingale
Outline • Introduction / preliminaries • Our topic: supermartingale for reachability analysis • What can supermartingale do? • What is supermartingale? / Why does it work? • Which property of SM techniques are we interested? - Soundness / completeness • Our contribution • Theoretical part: characterization of SM techniques via KT theorem • Implementation and experiments
Ranking supermartingale for a.s. termination (Chakarov-Sankaranarayanan , CAV’13 etc.) Probabilistic modification of real-world benchmarks (in Alias+, SAS’10) A.s. termination is certified in 20/28 examples (Agrawal+, POPL’18)
Repulsing supermartingale for lower bound of safety probability (Steinhardt-Tedrake , IJRR’12; Chatterjee+, POPL’17 etc.) System: pendulum + noise Failure ⇔ 𝜄 𝜄 > 𝜌/6 at time 𝑢 ≤ 1hour The log-base-10 of the failure probability >99% safety is guaranteed (Pr(failure) <1%) (Steinhardt-Tedrake , IJRR’12)
Outline • Introduction / preliminaries • Our topic: supermartingale for reachability analysis • What can supermartingale do? • What is supermartingale? / Why does it work? • Which property of SM techniques are we interested? - Soundness / completeness • Our contribution • Theoretical part: characterization of SM techniques via KT theorem • Implementation and experiments
Semantics: Control flow graph (Agrawal+, POPL’18 etc.) ∗ ∗ 𝑚 3 𝑚 2 𝑚 4 𝑦 > 0 𝑢 ≔ 𝑢 + 1 𝑢 ≔ 𝑢 + 3 𝑞 ≔ Bernoulli(0.9) 𝑦 ≔ 𝑦 − 1 𝑚 1 𝑦 ≔ 𝑦 − 𝑞 Start 𝑦 ≤ 0 𝑚 5 • A state is a pair (program location, memory state) • Nondet. / prob. branching ℝ V finite
Semantics: Control flow graph (Agrawal+, POPL’18 etc.) ∗ ∗ 𝑚 3 𝑚 2 𝑚 4 𝑦 > 0 𝑢 ≔ 𝑢 + 1 𝑢 ≔ 𝑢 + 3 𝑞 ≔ Bernoulli(0.9) 𝑦 ≔ 𝑦 − 1 𝑚 1 𝑦 ≔ 𝑦 − 𝑞 Start 𝑦 ≤ 0 𝑚 5 • A state is a pair (program location, memory state) • Nondet. / prob. branching ℝ V finite
Semantics: Control flow graph (Agrawal+, POPL’18 etc.) ∗ ∗ 𝑚 3 𝑚 2 𝑚 4 𝑦 > 0 𝑢 ≔ 𝑢 + 1 𝑢 ≔ 𝑢 + 3 𝑞 ≔ Bernoulli(0.9) 𝑦 ≔ 𝑦 − 1 𝑚 1 𝑦 ≔ 𝑦 − 𝑞 Start 𝑦 ≤ 0 𝑚 5 • A state is a pair (program location, memory state) • Nondet. / prob. branching ℝ V finite
Semantics: Control flow graph (Agrawal+, POPL’18 etc.) ∗ ∗ 𝑚 3 𝑚 2 𝑚 4 𝑦 > 0 𝑢 ≔ 𝑢 + 1 𝑢 ≔ 𝑢 + 3 𝑞 ≔ Bernoulli(0.9) 𝑦 ≔ 𝑦 − 1 𝑚 1 𝑦 ≔ 𝑦 − 𝑞 Start 𝑦 ≤ 0 𝑚 5 • A state is a pair (program location, memory state) • Nondet. / prob. branching ℝ V finite
Semantics: Control flow graph (Agrawal+, POPL’18 etc.) ∗ ∗ 𝑚 3 𝑚 2 𝑚 4 𝑦 > 0 𝑢 ≔ 𝑢 + 1 𝑢 ≔ 𝑢 + 3 𝑞 ≔ Bernoulli(0.9) 𝑦 ≔ 𝑦 − 1 𝑚 1 𝑦 ≔ 𝑦 − 𝑞 Start 𝑦 ≤ 0 𝑚 5 0.4 0.6 • A state is a pair (program location, memory state) • Nondet. / prob. branching ℝ V finite
Semantics: Control flow graph (Agrawal+, POPL’18 etc.) ∗ ∗ 𝑚 3 𝑚 2 𝑚 4 𝑦 > 0 𝑢 ≔ 𝑢 + 1 𝑢 ≔ 𝑢 + 3 𝑞 ≔ Bernoulli(0.9) 𝑦 ≔ 𝑦 − 1 𝑚 1 𝑦 ≔ 𝑦 − 𝑞 Start 𝑦 ≤ 0 𝑚 5 0.4 Problem 0.6 𝑫 = (terminating states) = 𝒎 𝟔 × 𝒚, 𝒖, 𝒒 | 𝒖 ≤ 𝟑𝟏 • A state is a pair (program location, memory state) ⇒ Pr(the system eventually • Nondet. / prob. branching ℝ V finite visits the region 𝐷 )?
Semantics: Control flow graph (Agrawal+, POPL’18 etc.) ∗ ∗ 𝑚 3 𝑚 2 𝑚 4 𝑦 > 0 𝑢 ≔ 𝑢 + 1 𝑢 ≔ 𝑢 + 3 𝑞 ≔ Bernoulli(0.9) 𝑦 ≔ 𝑦 − 1 𝑚 1 𝑦 ≔ 𝑦 − 𝑞 Start 𝑦 ≤ 0 𝑚 5 0.4 Problem 0.6 𝑫 = (terminating states) = 𝒎 𝟔 × 𝒚, 𝒖, 𝒒 | 𝒖 ≤ 𝟑𝟏 • A state is a pair (program location, memory state) ⇒ Pr(the system eventually …under • Nondet. / prob. branching ℝ V finite angelic/demonic visits the region 𝐷 )? scheduler
Supermartingale = a function over states that is “non - increasing” through transitions f = 𝑦 − 1 f = 1 f = 𝑦 𝑚 3 ∗ 𝑦 ≔ Bernoulli(0.9) ∀𝑚 𝑚 2 → 𝑚 … (angelic) 𝑚 2 𝑚 1 ∃𝑚 𝑚 2 → 𝑚 …(demonic) ∗ the value of 𝑔 𝔽 = 0.9 𝑚 4 at the next state f = −3
Ranking function
Ranking function 4 3 1 3 2 0
Ranking function ℕ -valued > > 4 3 1 > > > > 3 2 0
Ranking function ℕ -valued > > 4 3 1 > > > > 3 2 0 The system eventually visits (under any nondeterministic choice)
Ranking function ℕ -valued 2 > > 4 3 1 1 0 > > > > 3 2 0 The system eventually visits (under any nondeterministic choice)
Ranking supermartingale 1 2 1 2 1
Ranking supermartingale 2 1 2 1 2 0 1
Ranking supermartingale [0, +∞) - valued the value of 𝑔 𝔽 decreases at least 1 2 1 at the next state 2 1 2 0 1
Ranking supermartingale [0, +∞) - valued the value of 𝑔 𝔽 decreases at least 1 2 1 at the next state 2 1 2 0 1 The system eventually visits almost surely
Barrier certificate Safe region Unsafe region 𝑦 init
Barrier certificate Safe region Unsafe region 𝑔 < 0 𝑦 init
Barrier certificate Safe region 𝑔 ≥ 0 Unsafe region 𝑔 < 0 𝑔 ≥ 0 𝑦 init
Barrier certificate Safe region 𝑔 ≥ 0 Unsafe region 𝑔 < 0 𝑔 ≥ 0 𝑦 init
Barrier certificate Safe region 𝑔 ≥ 0 Unsafe region 𝑔 < 0 𝑔 ≥ 0 𝑦 init The system does not enter the unsafe region
Probabilistic barrier certificate ( a.k.a. nonneg. repulsing supermartingale) Safe region Unsafe region 𝑦 init
Probabilistic barrier certificate ( a.k.a. nonneg. repulsing supermartingale) [0,1] - Safe region valued Unsafe region 𝑔 ≤ 𝜀 𝑦 init
Probabilistic barrier certificate ( a.k.a. nonneg. repulsing supermartingale) [0,1] - Safe region valued 𝑔 = 1 Unsafe region 𝑔 ≤ 𝜀 𝑔 = 1 𝑦 init
Probabilistic barrier certificate ( a.k.a. nonneg. repulsing supermartingale) [0,1] - Safe region valued 𝑔 = 1 Unsafe region 𝑔 ≤ 𝜀 𝑔 = 1 𝑦 init
Probabilistic barrier certificate ( a.k.a. nonneg. repulsing supermartingale) [0,1] - Safe region valued 𝑔 = 1 Unsafe region 𝑔 ≤ 𝜀 𝑔 = 1 𝑦 init Pr(the system enters the unsafe region) ≤ 𝜀
Outline • Introduction / preliminaries • Our topic: supermartingale for reachability analysis • What can supermartingale do? • What is supermartingale? / Why does it work? • Which property of SM techniques are we interested? - Soundness / completeness • Our contribution • Theoretical part: characterization of SM techniques via KT theorem • Implementation and experiments
Recommend
More recommend
