
Page 1: Probabilistic semantics of terminating programs

U.S.S.R. Comput. Maths. Math. Phys., Vol. 28, No. 2, pp. 82-88, 1988. 0041-5553/88 $10.00+0.00. Printed in Great Britain. © 1989 Pergamon Press plc

PROBABILISTIC SEMANTICS OF TERMINATING PROGRAMS*

E.A. KAZ'MINA

The properties of programs in which pre- and post-conditions contain measures on the set of memory states are considered. Rules for proving these properties are suggested.

A method of verifying annotated programs whose inductive assertions include probability distributions of the values of the program variables is proposed in /1/. In this paper, we attempt a more formal approach to the same problem: we propose a model language semantics in terms of measures.

1. Definition of the metric property. Consider a model programming language with the following instructions: assignment, compound instruction, short conditional instruction, and the while loop. We will only consider programs whose execution terminates from any initial state. Predicates are interpreted as logical functions.

Let $S$ be a program with the state set $V$. Measures are non-negative and $\sigma$-additive functions defined on the set of all subsets of $V$ (a function $f$ is called $\sigma$-additive if

$f\left(\bigvee_{i=1}^{\infty} A_i\right) = \sum_{i=1}^{\infty} f(A_i)$

for any system of non-intersecting sets $(A_i)$ such that $A_i \subseteq V$). Given the correspondence between predicates and truth sets, we use predicates as the arguments of these functions. Measures will be denoted by the letters $\mu, \nu, \eta$; predicates defined on $V$ by the letters $\alpha, \beta, \gamma$; predicates defined on the set of measures by the letters $\varphi, \psi, \xi$. A predicate true on the unique measure $\mu$ will be denoted by $\pi_\mu$.

Definition 1. We say that the metric property $\{\pi_\mu\}S\{\pi_\nu\}$ is satisfied if the relation $\nu(\alpha) = \mu(\mathrm{wp}(S, \alpha))$ holds for any $\alpha$.

Here $\mathrm{wp}(S, \alpha)$ is the weakest precondition corresponding to the postcondition $\alpha$ (see /2/).

Remark 1. Let the metric property $\{\pi_\mu\}S\{\pi_\nu\}$ be satisfied. Then by Definition 1, there is no measure $\nu'$ other than $\nu$ such that $\{\pi_\mu\}S\{\pi_{\nu'}\}$.

Definition 2. We say that the metric property $\{\varphi\}S\{\psi\}$ is satisfied if for any $\mu$ for which $\varphi$ is satisfied there is $\nu$ satisfying $\psi$ such that $\{\pi_\mu\}S\{\pi_\nu\}$ is satisfied.

If for any measure we have $\neg\varphi$ (the negation of $\varphi$), then the property $\{\varphi\}S\{\psi\}$ is satisfied for any postcondition $\psi$.

2. Rules for proving metric properties.

1. Satisfiability criterion for metric properties. It is easy to show that the metric property $\{\varphi(\mu(\alpha_1), \dots)\}S\{\psi(\mu(\beta_1), \dots)\}$ holds if and only if

$\varphi(\mu(\alpha_1), \dots) \Rightarrow \psi(\mu(\mathrm{wp}(S, \beta_1)), \dots).$

2. Weakening of metric properties. Let the metric property $\{\varphi\}S\{\psi\}$ be satisfied; then the following statements are true:

1) if $\varphi_1 \Rightarrow \varphi$, then $\{\varphi_1\}S\{\psi\}$ is satisfied, since any measure satisfying $\varphi_1$ also satisfies $\varphi$;

2) if $\psi \Rightarrow \psi_1$, then $\{\varphi\}S\{\psi_1\}$ is satisfied.

3. Multiplication of metric properties. Directly from the definition we obtain that if the metric properties $\{\varphi_1\}S\{\psi_1\}$ and $\{\varphi_2\}S\{\psi_2\}$ are satisfied, then the property $\{\varphi_1 \wedge \varphi_2\}S\{\psi_1 \wedge \psi_2\}$ is also satisfied.

4. The metric property of a compound instruction. Consider the compound instruction $S;Q$. Note that if the properties $\{\pi_\mu\}S\{\pi_{\mu_1}\}$ and $\{\pi_{\mu_1}\}Q\{\pi_\nu\}$ hold, then the property $\{\pi_\mu\}S;Q\{\pi_\nu\}$ holds, and conversely: if the property $\{\pi_\mu\}S;Q\{\pi_\nu\}$ is satisfied, then there is a measure $\mu_1$ such that the corresponding pair of properties are satisfied. This implies that the metric property $\{\varphi\}S;Q\{\psi\}$ is satisfied if and only if there exists $\xi$ such that the properties $\{\varphi\}S\{\xi\}$ and $\{\xi\}Q\{\psi\}$ are satisfied.

5. The metric property of the assignment instruction. The metric property

$\{\varphi(\mu(\alpha_1(a, b, \dots, x)), \dots)\}\ x := f(a, b, \dots, x)\ \{\psi(\mu(\beta_1(a, b, \dots, x)), \dots)\}$

holds if and only if

$\varphi(\mu(\alpha_1(a, b, \dots, x)), \dots) \Rightarrow \psi(\mu(\beta_1(a, b, \dots, f(a, b, \dots, x))), \dots).$

*Zh. vychisl. Mat. mat. Fiz., 28, 3, 429-438, 1988.

Example 1. The variables take values in the set of non-negative reals. Truth of the properties

{~Ua~z~(m=a)A~u~lR~~=a~I\(~(m~Z~=O))

v:=~~+2cl{(pfm~2)~3)A(&4(uc20)=0)),

{(~(m~2)<3)~(~(~<20)=0))k: =m~(p(k<20)83)

implies truth of the property

k: =mf{r(k~20)=G3).

6. The metric property of the short conditional instruction. Consider the property $\{\pi_\mu\}$ if $\beta$ then $Q$ fi $\{\pi_\nu\}$. Define the functions $\mu_1$ and $\nu_1$ as follows: $\mu_1(\alpha) = \mu(\alpha \wedge \beta)$, $\nu_1(\alpha) = \nu(\alpha) - \mu(\alpha \wedge \neg\beta)$ for any $\alpha$. From the definition of metric property we obtain

Theorem 1. The property $\{\pi_\mu\}$ if $\beta$ then $Q$ fi $\{\pi_\nu\}$ is satisfied if and only if $\mu_1$ and $\nu_1$ are measures and $\{\pi_{\mu_1}\}Q\{\pi_{\nu_1}\}$.

Theorem 2. The metric property

$\{\varphi(\mu(\alpha_1), \dots)\}$ if $\beta$ then $Q$ fi $\{\psi(\mu(\gamma_1), \dots)\}$ (2.1)

holds if and only if the property

$\{\varphi(\mu(\alpha_1) + \eta(\alpha_1), \dots) \wedge (\mu(\neg\beta) = 0) \wedge (\eta(\beta) = 0)\}\ Q\ \{\psi(\mu(\gamma_1) + \eta(\gamma_1), \dots)\}$ (2.2)

holds. Here $\eta$ is a measure which is not changed by the execution of the program $Q$. Its use is similar to the use of constants in Hoare properties, e.g., reflecting the fact that the values of some expressions do not change during program execution.

Example 2. Let $V$ be the set of reals. We will prove the property

$\{(\mu(x=0) > 0.5) \wedge (\mu(x=1) > 0.3)\}$ if $x > 0$ then $x := x - 1$ fi $\{\mu(x=0) > 0.8\}$.

To this end, it suffices to show the truth of the property

$\{(\mu(x=0) + \eta(x=0) > 0.5) \wedge (\mu(x=1) + \eta(x=1) > 0.3) \wedge (\mu(x \le 0) = 0) \wedge (\eta(x > 0) = 0)\}\ x := x - 1\ \{\mu(x=0) + \eta(x=0) > 0.8\}$.

Note that $[(\mu(x=0) + \eta(x=0) > 0.5) \wedge (\mu(x=1) + \eta(x=1) > 0.3) \wedge (\mu(x \le 0) = 0) \wedge (\eta(x > 0) = 0)] \Rightarrow [(\eta(x=0) > 0.5) \wedge (\mu(x=1) > 0.3)]$ and $[(\eta(x=0) > 0.5) \wedge (\mu(x=1) > 0.3)] \Rightarrow [\mu(x - 1 = 0) + \eta(x=0) > 0.8]$, whence by rules 2 and 5 we obtain that this property holds.
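As an added illustration (not code from the original paper), the following Python block realises Definition 1 and Theorem 1 on a finite initial measure and checks Example 2 numerically. Deterministic programs are represented as state functions, so that $\mathrm{wp}(S,\alpha)(s)=\alpha(S(s))$ and the unique $\nu$ with $\{\pi_\mu\}S\{\pi_\nu\}$ is the image of $\mu$ under $S$. The measure over the support $\{0, 1, 5\}$ and the helper names (measure, mass, successor, theorem1_decomposition, example2_check) are constructed here and are not the paper's.

```python
from fractions import Fraction
from typing import Callable, Dict, Hashable, Iterable, Tuple

# A finite measure on the state set V: state -> mass (zero-mass states are omitted).
Measure = Dict[Hashable, Fraction]
Pred = Callable[[Hashable], bool]        # predicate on V
Prog = Callable[[Hashable], Hashable]    # deterministic, terminating program as a state function

def measure(pairs: Dict[Hashable, float]) -> Measure:
    """Build a measure with exact rational masses, dropping zero entries so that
    equality of measures is plain dict equality."""
    return {s: Fraction(m) for s, m in pairs.items() if m != 0}

def mass(mu: Measure, alpha: Pred) -> Fraction:
    """mu(alpha): the measure of the truth set of alpha."""
    return sum((m for s, m in mu.items() if alpha(s)), Fraction(0))

def wp(prog: Prog, alpha: Pred) -> Pred:
    """Weakest precondition of a deterministic terminating program: wp(S, alpha)(s) = alpha(S(s))."""
    return lambda s: alpha(prog(s))

def successor(mu: Measure, prog: Prog) -> Measure:
    """The unique nu with {pi_mu} S {pi_nu} (Definition 1): nu(alpha) = mu(wp(S, alpha)).
    Pushing each state's mass forward along S yields exactly this nu."""
    nu: Dict[Hashable, Fraction] = {}
    for s, m in mu.items():
        t = prog(s)
        nu[t] = nu.get(t, Fraction(0)) + m
    return measure(nu)

def metric_property_holds(mu: Measure, prog: Prog, nu: Measure, tests: Iterable[Pred]) -> bool:
    """Definition 1 checked on a family of test predicates: nu(alpha) == mu(wp(S, alpha))."""
    return all(mass(nu, a) == mass(mu, wp(prog, a)) for a in tests)

def theorem1_decomposition(mu: Measure, nu: Measure, beta: Pred) -> Tuple[Measure, Measure]:
    """Theorem 1: mu_1(alpha) = mu(alpha and beta), nu_1(alpha) = nu(alpha) - mu(alpha and not beta).
    nu_1 may carry negative entries; then it is not a measure and the property cannot hold."""
    mu1 = measure({s: m for s, m in mu.items() if beta(s)})
    nu1: Dict[Hashable, Fraction] = dict(nu)
    for s, m in mu.items():
        if not beta(s):
            nu1[s] = nu1.get(s, Fraction(0)) - m
    return mu1, measure(nu1)

def is_measure(table: Dict[Hashable, Fraction]) -> bool:
    """Non-negativity is all that can fail for a finite table."""
    return all(m >= 0 for m in table.values())

def example2_check() -> tuple:
    """Example 2 of the paper on a constructed initial measure: mass 0.6 at x=0, 0.35 at x=1, 0.05 at x=5."""
    mu = measure({0: Fraction(6, 10), 1: Fraction(35, 100), 5: Fraction(5, 100)})
    pre = mass(mu, lambda x: x == 0) > Fraction(1, 2) and mass(mu, lambda x: x == 1) > Fraction(3, 10)
    beta = lambda x: x > 0
    q = lambda x: x - 1                                  # the branch Q: x := x - 1
    if_then = lambda x: q(x) if beta(x) else x           # if x > 0 then x := x - 1 fi
    nu = successor(mu, if_then)
    post = mass(nu, lambda x: x == 0) > Fraction(8, 10)
    mu1, nu1 = theorem1_decomposition(mu, nu, beta)
    branch_ok = is_measure(nu1) and successor(mu1, q) == nu1   # {pi_mu1} Q {pi_nu1}
    return pre, post, branch_ok, mass(nu, lambda x: x == 0)

if __name__ == "__main__":
    print(example2_check())   # (True, True, True, Fraction(19, 20))
```

Running the block shows that the mass 0.35 sitting at $x=1$ is moved onto $x=0$ by the conditional, so $\nu(x=0)=0.95>0.8$, and that the pair $(\mu_1,\nu_1)$ of Theorem 1 is related by the branch $x:=x-1$ alone.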

Proof of Theorem 2. We can show that the preconditions of the properties (2.1) and (2.2) can only be identically false at the same time. Let (2.2) be satisfied. If its precondition is identically false, then for any measure $\neg\varphi$ holds and property (2.1) is satisfied. Assume that the precondition of property (2.2) is not identically false; then $\varphi \not\equiv F$. Consider an arbitrary $\mu$ for which $\varphi$ is true. Define $\eta$ and $\mu'$ in the following way: for any $\alpha$ on $V$ let $\eta(\alpha) = \mu(\alpha \wedge \neg\beta)$ and $\mu'(\alpha) = \mu(\alpha \wedge \beta)$. It is easy to check that the functions $\mu'$ and $\eta$ are measures. The precondition of the property (2.2) is true for these $\mu'$ and $\eta$, and therefore a measure $\nu'$ exists satisfying the postcondition and such that the property $\{\pi_{\mu'}\}Q\{\pi_{\nu'}\}$, i.e., $\mu'(\mathrm{wp}(Q, \alpha)) = \nu'(\alpha)$, is satisfied for any $\alpha$ on $V$. As $\nu$ in (2.1) take the measure $\nu(\alpha) = \nu'(\alpha) + \eta(\alpha)$. Then $\psi(\nu(\gamma_1), \dots)$, since $\psi(\nu'(\gamma_1) + \eta(\gamma_1), \dots)$. It remains to show that for any $\alpha$ on $V$ we have $\mu(\mathrm{wp}(\text{if } \beta \text{ then } Q \text{ fi}, \alpha)) = \nu(\alpha)$. From $\mu'(\mathrm{wp}(Q, \alpha)) = \nu'(\alpha)$ we have $\mu'(\mathrm{wp}(Q, \alpha)) + \eta(\alpha) = \nu'(\alpha) + \eta(\alpha)$, i.e. $\mu(\mathrm{wp}(Q, \alpha) \wedge \beta) + \mu(\alpha \wedge \neg\beta) = \nu(\alpha)$, whence follows the equality required. Thus, property (2.1) is satisfied.

Now assume that property (2.1) holds. If $\varphi \equiv F$, then the precondition of the property (2.2) is also identically false, and thus property (2.2) is also satisfied. Let $\varphi \not\equiv F$; then the precondition of property (2.2) is not identically false. Take $\mu'$ and $\eta$ for which the precondition of the property (2.2) is true. Consider the function $\mu$: for every $\alpha$ on $V$ let $\mu(\alpha) = \mu'(\alpha) + \eta(\alpha)$. It can easily be checked that $\mu$ is a measure. The precondition of property (2.2) implies that $\varphi(\mu)$ is true. Since (2.1) is satisfied, there exists a measure $\nu$ such that $\psi(\nu)$ is true and $\{\pi_\mu\}$ if $\beta$ then $Q$ fi $\{\pi_\nu\}$. Define $\nu'(\alpha)$ as $\nu(\alpha) - \eta(\alpha)$ for any $\alpha$ on $V$. Using Theorem 1 and the relations between $\mu$, $\mu'$, $\nu$, $\nu'$, we can show that $\nu'$ is a measure and the property $\{\pi_{\mu'}\}Q\{\pi_{\nu'}\}$ holds. Since $\psi(\nu)$ is true, $\psi(\nu'(\gamma_1) + \eta(\gamma_1), \dots)$ is also true. Thus, the postcondition of property (2.2) is true for this $\nu'$ and (2.2) is satisfied. The theorem is proved.


7. The metric property of the loop. Consider the instruction while $\beta$ do $Q$ od. Let $\mu$ be an arbitrary measure. By Remark 1, there is a unique measure $\mu_1$ such that $\{\pi_\mu\}$ if $\beta$ then $Q$ fi $\{\pi_{\mu_1}\}$; it is defined by the following rule: for any $\alpha$ on $V$,

$\mu_1(\alpha) = \mu(\mathrm{wp}(\text{if } \beta \text{ then } Q \text{ fi}, \alpha)) = \mu(\beta \wedge \mathrm{wp}(Q, \alpha \wedge \neg\beta) \vee \beta \wedge \mathrm{wp}(Q, \alpha \wedge \beta) \vee \neg\beta \wedge \alpha).$

We can similarly construct $\mu_2, \mu_3$, etc., for which the following equalities hold:

$\mu_k(\alpha) = \mu(\eta_1(\alpha) \vee \dots \vee \eta_k(\alpha)) + \mu(\theta_k(\alpha)),\quad k = 2, 3, \dots,$ (2.3)

where

$\eta_1(\alpha) = \neg\beta \wedge \alpha,\quad \eta_i(\alpha) = \beta \wedge \mathrm{wp}(Q, \eta_{i-1}(\alpha)),$

$\theta_1(\alpha) = \beta \wedge \alpha,\quad \theta_i(\alpha) = \beta \wedge \mathrm{wp}(Q, \theta_{i-1}(\alpha)),\quad i = 2, 3, \dots$

We call the measures $\mu_1, \mu_2, \dots$ the successors of $\mu$. Consider the function

$\bar\mu(\alpha) = \lim_{k \to \infty} \mu_k(\alpha).$

We will show that $\bar\mu(\beta) = 0$. Note that $\eta_k(\beta) \equiv F$, and so $\mu_k(\beta) = \mu(\theta_k(\beta))$, and that $\theta_{k+1}(\beta) \Rightarrow \theta_k(\beta)$; hence

It is easy to see that the right-hand side of this expression is a loop invariant, and therefore the assumption that it is not identically $F$ contradicts the termination of our programs. (Here and henceforth, Hoare properties of programs are understood in the set-theoretic sense: the pre- and post-conditions are not predicate formulas, but predicates on the state set /3/.)

Using the continuity property of the measure relative to a monotone set sequence, we obtain

$\bar\mu(\beta) = \lim_{k \to \infty} \mu_k(\beta) = \lim_{k \to \infty} \mu(\theta_k(\beta)) = \mu\left(\lim_{k \to \infty} \theta_k(\beta)\right) = \mu(F) = 0.$

This implies that the value of $\bar\mu$ is defined for any $\alpha$.

Theorem 3. The function $\bar\mu$ is a measure.

Proof. We will prove the $\sigma$-additivity of $\bar\mu$. Let us establish the truth of the equality

$\bar\mu\left(\bigvee_{i=1}^{\infty} \alpha_i\right) = \sum_{i=1}^{\infty} \bar\mu(\alpha_i)$

for an arbitrary sequence of predicates such that $\alpha_i \wedge \alpha_j \equiv F$ if $i \neq j$. It is transformed to the form

We will fix an arbitrary $\varepsilon > 0$. We have to show that there exists $N$ such that for any $n > N$,

(2.4)

Note that

since both limits on the right-hand side exist. Now,

Using (2.3), the continuity property of a measure relative to a monotone system of sets, and the formula of wp for a loop from /2/ reduced for deterministic instructions, we obtain


$\left|\lim_{k \to \infty} \mu_k\left(\bigvee_{i=n+1}^{\infty} \alpha_i\right)\right| = \left|\lim_{k \to \infty} \mu\left(\eta_1\left(\bigvee_{i=n+1}^{\infty} \alpha_i\right) \vee \dots \vee \eta_k\left(\bigvee_{i=n+1}^{\infty} \alpha_i\right)\right) + \lim_{k \to \infty} \mu\left(\theta_k\left(\bigvee_{i=n+1}^{\infty} \alpha_i\right)\right)\right|$

$= \left|\mu\left(\mathrm{wp}\left(\text{while } \beta \text{ do } Q \text{ od}, \bigvee_{i=n+1}^{\infty} \alpha_i\right)\right) + \lim_{k \to \infty} \mu\left(\theta_k\left(\bigvee_{i=n+1}^{\infty} \alpha_i\right)\right)\right|.$

Noting that

$\theta_k\left(\bigvee_{i=n+1}^{\infty} \alpha_i\right) \Rightarrow \theta_k(\beta),\quad \mu\left(\theta_k\left(\bigvee_{i=n+1}^{\infty} \alpha_i\right)\right) \ge 0$

and

$\lim_{k \to \infty} \mu(\theta_k(\beta)) = 0,$

we have

Note that

$\lim_{n \to \infty} \bar\mu\left(\bigvee_{i=n+1}^{\infty} \alpha_i\right) = 0.$

Indeed, if $\{C_k\}$ is a sequence of predicates such that $C_{k+1} \Rightarrow C_k$ for $k = 1, 2, \dots$, then

$\mathrm{wp}\left(\text{while } \beta \text{ do } Q \text{ od}, \bigwedge_{k=1}^{\infty} C_k\right) = \bigwedge_{k=1}^{\infty} \mathrm{wp}(\text{while } \beta \text{ do } Q \text{ od}, C_k)$

(see /2/). Taking

$C_n = \bigvee_{i=n+1}^{\infty} \alpha_i$

and noting that $\mathrm{wp}(S, \alpha \vee \beta) = \mathrm{wp}(S, \alpha) \vee \mathrm{wp}(S, \beta)$, we obtain

$\mathrm{wp}\left(\text{while } \beta \text{ do } Q \text{ od}, \bigvee_{i=n+1}^{\infty} \alpha_i\right) = \mathrm{wp}\left(\text{while } \beta \text{ do } Q \text{ od}, \bigwedge_{k} C_k\right) =$

In our case, we conclude that

$= \sum_{i=n+1}^{\infty} \mu(\mathrm{wp}(\text{while } \beta \text{ do } Q \text{ od}, \alpha_i)).$

Since the series is convergent, for a fixed $\varepsilon$ there is an $N_1$ such that for any $n \ge N_1$

$\sum_{i=n+1}^{\infty} \mu(\mathrm{wp}(\text{while } \beta \text{ do } Q \text{ od}, \alpha_i)) < \varepsilon.$

If we take $N_1$ as the required $N$, (2.4) is satisfied. Moreover, $\bar\mu(\alpha) \ge 0$, i.e., $\bar\mu$ is a measure. The theorem is proved.

Definition 3. The predicate $\xi$ is called the metric invariant of the loop while $\beta$ do $Q$ od if 1) the property $\{\xi\}$ if $\beta$ then $Q$ fi $\{\xi\}$ is satisfied; 2) for any $\mu$ satisfying $\xi$, the limit $\bar\mu$ of the sequence of successors of $\mu$ also satisfies $\xi$.

Note that if the number of loop execution stages is bounded for all initial values of the variables that are changed in the body of the loop, then condition 1) implies condition 2).
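The successor sequence of para. 7 and Definition 3 can be computed directly for a finite initial measure. The Python block below is an added example, not code from the paper: it iterates the image measure under "if $\beta$ then $Q$ fi", stops once $\mu_k(\beta)=0$ (from then on the sequence is constant, so the last element is $\bar\mu$), cross-checks $\bar\mu$ against the image of $\mu$ under the whole loop, and tests Definition 3 on a finite family of measures. The countdown loop, the uniform measure on $\{0,1,2,3\}$ and all function names are constructed here; the stopping rule assumes the loop terminates on the support of $\mu$, as the paper does.

```python
from fractions import Fraction
from typing import Callable, Dict, Hashable, List

Measure = Dict[Hashable, Fraction]   # finite measure: state -> mass, zero entries omitted

def measure(pairs: Dict[Hashable, float]) -> Measure:
    return {s: Fraction(m) for s, m in pairs.items() if m != 0}

def mass(mu: Measure, alpha: Callable) -> Fraction:
    """mu(alpha): measure of the truth set of alpha."""
    return sum((m for s, m in mu.items() if alpha(s)), Fraction(0))

def successor(mu: Measure, prog: Callable) -> Measure:
    """nu(alpha) = mu(wp(S, alpha)), realised as the image of mu under the deterministic S."""
    nu: Dict[Hashable, Fraction] = {}
    for s, m in mu.items():
        nu[prog(s)] = nu.get(prog(s), Fraction(0)) + m
    return measure(nu)

def successors(mu: Measure, beta: Callable, q: Callable, max_steps: int = 10_000) -> List[Measure]:
    """mu_1, mu_2, ...: the successors of mu under 'if beta then Q fi' (Sect. 2, para. 7).
    mu_k(beta) is the mass still inside the loop after k iterations; once it is 0 every
    further successor equals the current one, so the last element returned is mu_bar."""
    step = lambda s: q(s) if beta(s) else s
    seq, cur = [], mu
    for _ in range(max_steps):
        cur = successor(cur, step)
        seq.append(cur)
        if mass(cur, beta) == 0:
            return seq
    raise RuntimeError("mu_k(beta) did not vanish: the loop does not terminate on the support of mu")

def loop_limit(mu: Measure, beta: Callable, q: Callable) -> Measure:
    """mu_bar, the limit of the successor sequence."""
    return successors(mu, beta, q)[-1]

def run_loop(beta: Callable, q: Callable) -> Callable:
    """'while beta do Q od' as a state function, used only to cross-check mu_bar."""
    def run(s):
        while beta(s):
            s = q(s)
        return s
    return run

def definition3_check(xi: Callable, mus: List[Measure], beta: Callable, q: Callable) -> bool:
    """Definition 3 on a finite family: xi survives one 'if beta then Q fi' step (condition 1)
    and passing to the limit of the successor sequence (condition 2)."""
    step = lambda s: q(s) if beta(s) else s
    return all(xi(successor(m, step)) and xi(loop_limit(m, beta, q)) for m in mus if xi(m))

def countdown_demo() -> tuple:
    """Constructed example: uniform mass on x in {0,1,2,3}, loop 'while x > 0 do x := x - 1 od'."""
    mu = measure({0: 0.25, 1: 0.25, 2: 0.25, 3: 0.25})
    beta, q = (lambda x: x > 0), (lambda x: x - 1)
    seq = successors(mu, beta, q)
    loop_mass = [mass(m, beta) for m in seq]            # mu_k(beta) for k = 1, 2, 3: 1/2, 1/4, 0
    mu_bar = seq[-1]
    same_as_whole_loop = mu_bar == successor(mu, run_loop(beta, q))
    # Theorem 4 in miniature: xi = "all mass on x >= 0" is a metric invariant, and
    # xi together with mu_bar(beta) = 0 forces the postcondition mu_bar(x = 0) = 1.
    post = mass(mu_bar, lambda x: x == 0) == 1
    return loop_mass, mu_bar, same_as_whole_loop, post

if __name__ == "__main__":
    print(countdown_demo())   # ([Fraction(1, 2), Fraction(1, 4), Fraction(0, 1)], {0: Fraction(1, 1)}, True, True)
```

The sequence $\mu_k(\beta)$ shrinks by one quarter per step and reaches 0 after three successors, which is the bounded-loop situation of the note above; a loop that never leaves $\beta$ on the support of $\mu$ makes successors raise instead of returning a spurious limit.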

Consider the metric property

$\{\varphi\}$ while $\beta$ do $Q$ od $\{\psi\}$. (2.5)

Theorem 4. If there exists a metric invariant $\xi$ such that $\varphi \Rightarrow \xi$ and $\xi \wedge (\mu(\beta) = 0) \Rightarrow \psi$, then property (2.5) is satisfied.

Proof. Since $\varphi \Rightarrow \xi$, for any measure $\mu_0$ satisfying $\varphi$ there is a limit $\bar\mu$ of the sequence of successors which satisfies $\xi$. From (2.3) and the weakest precondition formula for a loop it follows that the property $\{\pi_{\mu_0}\}$ while $\beta$ do $Q$ od $\{\pi_{\bar\mu}\}$ holds. Since $\bar\mu(\beta) = 0$, $\xi \wedge (\mu(\beta) = 0) \Rightarrow \psi$ implies that $\psi(\bar\mu)$. Thus, the definition of metric property is satisfied. The theorem is proved. The converse is also true.

Theorem 5. Let the metric property (2.5) hold. Then there exists a metric invariant $\xi$ such that $\varphi \Rightarrow \xi$ and $\xi \wedge (\mu(\beta) = 0) \Rightarrow \psi$.

Proof. We specify $\xi$ by describing its truth set: 1) it includes the measures satisfying $\varphi$; 2) for any $\mu$ such that $\varphi(\mu)$ is true, this set includes the sequence of its successors together with the limit. Hence it follows that $\xi$ is a metric invariant and $\varphi \Rightarrow \xi$. It remains to check that $\xi \wedge (\mu(\beta) = 0) \Rightarrow \psi$ is true. Let $\nu$ satisfy the condition $\xi \wedge (\mu(\beta) = 0)$. From $\nu(\beta) = 0$ and by construction of $\xi$ it follows that $\nu$ is the limit of the sequence of successors of some measure $\mu$ satisfying $\varphi$; thus, we have $\{\pi_\mu\}$ while $\beta$ do $Q$ od $\{\pi_\nu\}$, whence, noting that (2.5) holds and using Remark 1, we conclude that $\nu$ satisfies $\psi$. Since $\nu$ is arbitrary, we have proved the truth of the implication. The theorem is proved.

3. Probabilistic properties. We will now restrict the class of relevant properties: we will assume that the pre- and post-conditions contain probability measures. A probabilistic property of the form $\{\pi_\mu\}S\{\pi_\nu\}$ may be interpreted as follows: if for any $\alpha$ there is a probability $\mu(\alpha)$ that the input data satisfy $\alpha$, then the state after termination of $S$ satisfies the condition $\gamma$ with probability $\nu(\gamma)$. There exists the following dependence between Hoare and probabilistic properties. Let

$\{\alpha\}S\{\beta\}$ (3.1)

be a Hoare property. It holds if and only if the probabilistic property

$\{\mu(\alpha) = 1\}S\{\mu(\beta) = 1\}$ (3.2)

holds.

Indeed, let (3.1) be satisfied. If $\alpha \equiv F$, then the precondition of the property (3.2) is false and the probabilistic property is satisfied; otherwise for any $\mu$ such that $\mu(\alpha) = 1$ we may take as $\nu$ (occurring in the definition of metric property) the measure $\nu(\gamma) = \mu(\mathrm{wp}(S, \gamma))$; then the postcondition of the property (3.2) is satisfied: since $\alpha \Rightarrow \mathrm{wp}(S, \beta)$ and $\mu(\alpha) = 1$, we have $\nu(\beta) = \mu(\mathrm{wp}(S, \beta)) = 1$ and (3.2) holds.

Now let (3.2) be satisfied. Assume that (3.1) does not hold; hence $\alpha \wedge \neg(\mathrm{wp}(S, \beta) \wedge \alpha) \not\equiv F$. Take $\mu$ such that $\mu(\alpha \wedge \neg(\mathrm{wp}(S, \beta) \wedge \alpha)) = 1$, $\mu(\alpha \wedge \mathrm{wp}(S, \beta)) = 0$. This measure satisfies the precondition of property (3.2):

By the definition of metric property, there exists a measure $\nu$ such that $\nu(\beta) = 1$ and $\mu(\mathrm{wp}(S, \beta)) = \nu(\beta)$. Thus,

$\mu(\alpha \vee \mathrm{wp}(S, \beta)) = \mu(\mathrm{wp}(S, \beta)) + \mu(\alpha \wedge \neg(\mathrm{wp}(S, \beta) \wedge \alpha)) = 2.$

We have obtained a contradiction with the definition of probability measure.

In order to prove properties whose pre- and post-conditions contain probability measures, Rule 6 of Sect. 2 should be replaced with the following.

6'. The probabilistic property

$\{\varphi(\mu(\alpha_1), \dots)\}$ if $\beta$ then $Q$ fi $\{\psi(\mu(\gamma_1), \dots)\}$

holds if and only if the metric property

$\{\varphi(\mu(\alpha_1) + \eta(\alpha_1), \dots) \wedge (\mu(\neg\beta) = 0) \wedge (\eta(\beta) = 0) \wedge (\mu(T) + \eta(T) = 1)\}\ Q\ \{\psi(\mu(\gamma_1) + \eta(\gamma_1), \dots) \wedge (\mu(T) + \eta(T) = 1)\}$

holds, where $\mu$ and $\eta$ satisfy additional constraints ensuring normalization of the probability measures.

Example 3. Consider the program

while $i \le n/2$ do if $a_i > M$ then $M := a_i$ fi; $i := i + 1$ od;

while $a_i < M$ do $i := i + 1$ od,

whose variables take values in the set of non-negative integers and, moreover, $n$ is even. We will prove the probabilistic property of the program with the following pre- and post-conditions.

Precondition: $\forall k \forall l\,(\mu(a_l \text{ is the } k\text{-th number by value}) = 1/n)$. We denote by $A$ the condition "$a_l$ is the $k$-th number by value"; it may be written as

at ,, . . . , L((vF(L.. . , i,-Jq>aJA

(Vie{L . *. , L}q<a,)).


Postcondition.

Proof. 1. $\{T\}\ i := 1;\ M := a_1\ \{\mu(M = a_1) = 1\}$ by Rule 1 of Sect. 2 and noting that $T \Rightarrow (\mu(a_1 = a_1) = 1)$;

$\{\mu(M = a_1) = 1\}$ while $i \le n/2$ do if $a_i > M$ then $M := a_i$ fi; $i := i + 1$ od $\{\mu(M = \max_{i=1,\dots,n/2} a_i) = 1\}$,

since the following Hoare property is satisfied:

$\{M = a_1\}$ while $i \le n/2$ do if $a_i > M$ then $M := a_i$ fi; $i := i + 1$ od $\{M = \max_{i=1,\dots,n/2} a_i\}$.

2. Using Rule 1 of Sect. 2, we check that the property

$\{\forall k \forall l\,(\mu(A) = 1/n)\}\ i := 1;\ M := a_1\ \{\forall k \forall l\,(\mu(A) = 1/n)\}$

holds. The property

$\{\forall k \forall l\,(\mu(A) = 1/n)\}$ while $i \le n/2$ do if $a_i > M$ then $M := a_i$ fi; $i := i + 1$ od $\{\forall k \forall l\,(\mu(A) = 1/n)\}$

also holds. Indeed, $\forall k \forall l\,(\mu(A) = 1/n)$ is a metric invariant, since the body of the loop is executed $n/2$ times and, by Rule 1,

$\{\forall k \forall l\,(\mu(A) = 1/n)\}$ if $i \le n/2$ then if $a_i > M$ then $M := a_i$ fi; $i := i + 1$ fi $\{\forall k \forall l\,(\mu(A) = 1/n)\}$;

by Rule 7,

$\{\forall k \forall l\,(\mu(A) = 1/n)\}$ while $i \le n/2$ do if $a_i > M$ then $M := a_i$ fi; $i := i + 1$ od $\{\forall k \forall l\,(\mu(A) = 1/n) \wedge (\mu(i \le n/2) = 0)\}$;

by Rule 2, using

$\forall k \forall l\,(\mu(A) = 1/n) \wedge (\mu(i \le n/2) = 0) \Rightarrow \forall k \forall l\,(\mu(A) = 1/n)$

we obtain the required result. 3. By Rule 3, we have

$\{(\mu(M = a_1) = 1) \wedge \forall k \forall l\,(\mu(A) = 1/n)\}$ while $i \le n/2$ do if $a_i > M$ then $M := a_i$ fi; $i := i + 1$ od $\{(\mu(M = \max_{i=1,\dots,n/2} a_i) = 1) \wedge \forall k \forall l\,(\mu(A) = 1/n)\}$.

4. Denote by B the assertion "M is the second number by value". Note that

(P(M== max s~)~l)~(VkVZ(~(A)~lIn))~(~(B)-lI,). I-*.n,*

5. The property

(~(B)-*/,}whilea,~Mdot:~l+lod(~(BI\(s>M))--l/,)

is satisfied, and therefore (v(B)-'/,} is an invariant and

(~r(a(~M)~o)-(~(~'M)--l),

((cL(~)~‘/,)A\(~(~,~M)~~))~,(cI(BA(~,>M))-’/,).

6. Now note that

since

(P (Bl\(a,>M))='/,)=(~l(a, = ,rn;; at)*'/O, -I

By Rule 2 of Sect.2, this property holds.

4. A remark on the full conditional instruction. Consider the metric property of the conditional instruction

$\{\varphi\}$ if $\beta$ then $Q_1$ else $Q_2$ fi $\{\psi\}$. (4.1)


Theorem 6. Ignoring $Q_1$ and $Q_2$, in general we cannot construct predicates $\varphi_1, \psi_1$ and $\varphi_2, \psi_2$ such that (4.1) holds if and

Proof. Let the pre- and post-condition specify the unique measures $\mu$ and $\nu$, respectively; $V = \{1, 2, 3\}$; $\mu(x=1) = 1/4$, $\mu(x=2) = 1/4$, $\mu(x=3) = 1/2$; $\nu(x=1) = 0$, $\nu(x=2) = 1/2$, $\nu(x=3) = 1/2$.

Assume that the predicates $\varphi_1, \psi_1, \varphi_2, \psi_2$ mentioned in the body of the theorem exist. Consider the property

$\{\pi_\mu\}$ if $x \neq 3$ then $x := 2$ else fi $\{\pi_\nu\}$.

Then $\mu(\mathrm{wp}(S, x=1)) = 0 = \nu(x=1)$; $\mu(\mathrm{wp}(S, x=2)) = \mu((x=1) \vee (x=2)) = 1/2 = \nu(x=2)$; $\mu(\mathrm{wp}(S, x=3)) = 1/2 = \nu(x=3)$, and the property is satisfied. Therefore, by assumption the property $\{\varphi_1\}\ x := 2\ \{\psi_1\}$ is also satisfied. Now consider the property

$\{\pi_\mu\}$ if $x \neq 3$ then $x := 3$ else $x := 2$ fi $\{\pi_\nu\}$.

For this property we have $\mu(\mathrm{wp}(S, x=1)) = \mu(F) = 0 = \nu(x=1)$; $\mu(\mathrm{wp}(S, x=2)) = \mu(x=3) = 1/2 = \nu(x=2)$; $\mu(\mathrm{wp}(S, x=3)) = \mu((x=1) \vee (x=2)) = 1/2 = \nu(x=3)$, and the property is satisfied; hence $\{\varphi_2\}\ x := 2\ \{\psi_2\}$ is also satisfied. Therefore,

$\{\pi_\mu\}$ if $x \neq 3$ then $x := 2$ else $x := 2$ fi $\{\pi_\nu\}$

should hold, but $\mu(\mathrm{wp}(S, x=2)) = \mu((x=1) \vee (x=2) \vee (x=3)) = 1 \neq \nu(x=2)$; this property is not satisfied, and the assumption is false. The theorem is proved.
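The three conditional programs of this proof can be run against the measures $\mu$ and $\nu$ directly. The Python block below is an added example, not the paper's code: on the finite state set $V=\{1,2,3\}$ the property $\{\pi_\mu\}S\{\pi_\nu\}$ reduces to comparing the image of $\mu$ under $S$ with $\nu$ state by state, so each of the three properties is decided by one image computation. The split of $\mu$ into $1/4, 1/4, 1/2$ follows the proof as reconstructed here; any split with $\mu(x=1)+\mu(x=2)=\mu(x=3)=1/2$ gives the same three verdicts. Helper names are constructed for this example.

```python
from fractions import Fraction
from typing import Callable, Dict, Hashable

Measure = Dict[Hashable, Fraction]   # finite measure: state -> mass, zero entries omitted

def measure(pairs: Dict[Hashable, float]) -> Measure:
    return {s: Fraction(m) for s, m in pairs.items() if m != 0}

def successor(mu: Measure, prog: Callable) -> Measure:
    """The unique nu with nu(alpha) = mu(wp(S, alpha)) for a deterministic S: the image of mu."""
    nu: Dict[Hashable, Fraction] = {}
    for s, m in mu.items():
        nu[prog(s)] = nu.get(prog(s), Fraction(0)) + m
    return measure(nu)

def pi_property_holds(mu: Measure, prog: Callable, nu: Measure) -> bool:
    """{pi_mu} S {pi_nu} on a finite V: the image of mu must coincide with nu on every state."""
    return successor(mu, prog) == nu

def cond(beta: Callable, q1: Callable, q2: Callable) -> Callable:
    """'if beta then Q1 else Q2 fi' as a state function."""
    return lambda s: q1(s) if beta(s) else q2(s)

def theorem6_counterexample() -> tuple:
    """The measures of the proof of Theorem 6 and its three conditionals over x in {1, 2, 3}."""
    mu = measure({1: 0.25, 2: 0.25, 3: 0.5})
    nu = measure({1: 0, 2: 0.5, 3: 0.5})
    beta = lambda x: x != 3
    skip = lambda x: x
    set2 = lambda x: 2
    set3 = lambda x: 3
    first = pi_property_holds(mu, cond(beta, set2, skip), nu)    # if x != 3 then x := 2 else fi
    second = pi_property_holds(mu, cond(beta, set3, set2), nu)   # if x != 3 then x := 3 else x := 2 fi
    mixed = pi_property_holds(mu, cond(beta, set2, set2), nu)    # if x != 3 then x := 2 else x := 2 fi
    return first, second, mixed

if __name__ == "__main__":
    print(theorem6_counterexample())   # (True, True, False)
```

The first two properties hold while the third, assembled from the then-branch of the first and the else-branch of the second, does not: the branch properties $\{\varphi_1\}x:=2\{\psi_1\}$ and $\{\varphi_2\}x:=2\{\psi_2\}$ would both be available, yet recombining them yields a program whose image of $\mu$ is the point mass at $x=2$, not $\nu$.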

Remark 2. We do not have to stipulate termination of the program from any starting state: it suffices to consider measures such that the state set on which the program does not stop is of measure 0. In this case, all the proofs remain valid, except the proof of the equality $\bar\mu(\beta) = 0$ in para. of Sect. 2, whose truth follows from $\mu(\mathrm{wlp}(\text{while } \beta \text{ do } Q \text{ od}, F)) = 0$.

REFERENCES

1. WEGBREIT B., Verifying program performance, J. ACM, 23, 4, 691-699, 1976.
2. DIJKSTRA E., The discipline of programming /Russian translation/, Moscow, Mir, 1978.
3. WIRTH N., Systematic programming /Russian translation/, Moscow, Mir, 1977.

Translated by Z.L.

U.S.S.R. Comput. Maths. Math. Phys., Vol. 28, No. 2, pp. 88-91, 1988. Printed in Great Britain. 0041-5553/88 $10.00+0.00. © 1989 Pergamon Press plc

SHORT COMMUNICATIONS

SOLUTION OF SYSTEMS OF ALGEBRAIC EQUATIONS WITH $\lambda$-MATRICES*

N.A. NEDASHKOVSKII

A numerical method is proposed for solving systems of algebraic equations with $\lambda$-matrices, by reduction to a system of linear algebraic equations.

1. Let $A(\lambda)$ be an $n \times n$ matrix whose elements are polynomials in $\lambda$. Let us assume that both $\lambda$ and the coefficients of the polynomials are assigned values in some field $F$, so that if the elements of $A$ are computed for a particular $\lambda$, say $\lambda = \lambda_0$, then $A(\lambda_0) \in F^{n \times n}$. In this note we shall discuss the solution of systems of algebraic equations

$A(\lambda) X = B(\lambda),$ (1)

where $A(\lambda)$ is a non-singular matrix of order $n$ and $B(\lambda) = (a_{1,n+1}(\lambda), \dots, a_{n,n+1}(\lambda))^T$ a vector of degree $l$, i.e.,

Problems of this type arise in algorithms for optimizing electronic circuits, in dynamic programming, non-classical problems for differential equations and so on. The solution of systems of type (1) is also a major element in the following algebraic problem.

*Zh. vychisl. Mat. mat. Fiz., 28, 3, 439-443, 1988.