RESEARCH ARTICLE
Semantics of sub-probabilistic programs
Yixiang CHEN (*)1, Hengyang WU2
1 Institute of Theoretical Computing, Shanghai Key Laboratory of Trustworthy Computing, East China Normal University,
Shanghai 200062, China
2 Information Engineering College, Hangzhou Dianzi University, Hangzhou 310037, China
© Higher Education Press and Springer-Verlag 2008
Abstract The aim of this paper is to extend the probabilistic choice in probabilistic programs to sub-probabilistic choice, i.e., of the form $(p)P \mid (q)Q$ where $p + q \le 1$. It means that program $P$ is executed with probability $p$ and program $Q$ is executed with probability $q$. Then, starting from an initial state, the execution of a sub-probabilistic program results in a sub-probability distribution. This paper presents two equivalent semantics for a sub-probabilistic while-programming language. One of these interprets programs as sub-probabilistic distributions on state spaces via denotational semantics. The other interprets programs as bounded expectation transformers via wp-semantics. This paper proposes an axiomatic system for total logic, and proves its soundness and completeness in a classical pattern on the structure of programs.
Keywords sub-probabilistic programs, total correctness, wp-calculus
1 Introduction
The analysis and design of complex software and hardware systems often involve random phenomena. This motivates the development of formal methods for modeling and reasoning about programs containing probability information. Early in the 1970's, Gill [1] and Paz [2] established probabilistic automata. Yao [3] and Rabin [4] grouped research in probabilistic algorithms into two areas, which Yao termed the distributional approach and the randomized approach. Yao [3] obtained the equivalence of these two approaches by establishing a connection between them through a measure of complexity defined on each. The formal semantics herein provides a common framework in which the two approaches are unified. Later, in 1981, Kozen [5,6] investigated the semantics of probabilistic programs for a high-level probabilistic programming language including the random assignment $x := \mathrm{random}$. Formalization of probabilistic programs has become an important topic of investigation in theoretical computer science, and the formal semantics of various probabilistic programming languages has been studied [7–18].
Chen, Plotkin and Wu [9] managed to provide the logical semantics of probabilistic programs. He et al. in Ref. [11] studied the probabilistic version of Dijkstra's [20] guarded command language containing both probabilistic choice and non-deterministic choice. Jones and Plotkin in Refs. [12,19] discussed the probabilistic while language containing probabilistic choices. Morgan et al. [14] investigated the semantics of He's relational semantic model through probabilistic predicate transformers. McIver and Morgan [15,16] considered the correctness and semantics of probabilistic demonic programs. Tix, Keimel and Plotkin [17] studied semantic domains for combining probability and non-determinism. Recently, Ying [18] developed formal methods and mathematical tools for modeling and reasoning about programs containing probability information.
Among these investigations, one common feature is that the programming languages considered include a probabilistic choice of the form $P\ {}_p{\oplus}\ Q$. It means that program $P$ is executed with probability $p$ and program $Q$ is executed with probability $1 - p$. This choice is called a totally probabilistic choice. Meanwhile, if we pay attention to the probabilistic valuations involved in these considerations, then those investigations can be divided into two classes of models: concrete and uniform models. In the concrete model, probabilistic distributions are functions from the states of the state space to the unit interval $[0,1]$ (Refs. [14–16,18]), and in the uniform model they are functions from certain subsets (e.g., Scott open subsets) of the state space to the unit interval [5,6,9,11,12,17,19].
Our aim is to extend the totally probabilistic choice to sub-probabilistic choice, i.e., of the form $(p)P \mid (q)Q$ where $p + q \le 1$. So, a simple sub-probabilistic while-programming language needs to be introduced based on the sub-probabilistic choice $(p)P \mid (q)Q$. Its meaning is that program $P$ is executed with probability $p$ and program $Q$ is executed with probability $q$. Then, starting from an initial state, the execution of a sub-probabilistic program results in a sub-probability distribution. Our sub-probabilistic choice differs from the previous one in at least three aspects. Firstly, the two parameters $p$ and $q$ here are specified almost independently, whereas in the classic probabilistic programs only one parameter $p$ is specified and the other, $q$, depends completely on $p$; in fact, $q = 1 - p$. Secondly, we adopt the sub-stochastic model in this paper and merely require $p + q \le 1$ rather than the stochastic condition $p + q = 1$. Thirdly, the sub-stochastic condition motivates us to consider the appearance of non-regular things such as "no state at all" (according to Morgan [14]) and deadlock (according to Ying [21]), with measure $1 - p - q$. This paper focuses on the establishment of a concrete probability model for this sub-probabilistic while-programming language. Two equivalent semantics are presented. One interprets programs as sub-probabilistic distributions on state spaces via denotational semantics. The other interprets programs as bounded expectation transformers via wp-semantics. This paper also proposes an axiomatic system for total logic, and proves its soundness and completeness.
Received August 16, 2007; accepted December 19, 2007
E-mail: [email protected], [email protected]
Front. Comput. Sci. China 2008, 2(1): 29–38  DOI 10.1007/s11704-008-0004-0
2 Preliminaries
In this section, we introduce a simple sub-probabilistic while-programming language and focus on its semantic model. This model is concrete. A basic notion, sub-probability distribution over a state space, is well known. Following Morgan's paper [14] and Ying's paper [18], we consider the case of a countable state space $S$.
Definition 2.1 For a countable state space $S$, the set of sub-probability distributions over $S$ is
$$D(S) := \Big\{\, \mu : S \to [0,1] \;\Big|\; \sum_{s \in S} \mu(s) \le 1 \,\Big\}.$$
According to Morgan's paper [14], if $\sum_{s \in S} \mu(s) = 1$ then $\mu(s)(s')$ is the probability that $\mu$ takes $s$ to $s'$; but if $\sum_{s \in S} \mu(s) < 1$ then $\mu(s)(s')$ is only a lower bound for that probability. So, for $\mu$ in $D(S)$, the difference
$$1 - \sum_{s \in S} \mu(s)$$
may be regarded as the probability of "no state at all", a convenient treatment of nontermination that allows one to forgo $\bot$. We can consider the pointwise order between sub-probability distributions, i.e., for any $\mu, \mu' \in D(S)$,
$$\mu \sqsubseteq \mu' \;:\Leftrightarrow\; \forall s \in S.\ \big(\mu(s) \le \mu'(s)\big).$$
Then, $(D(S), \sqsubseteq)$ is a poset. Furthermore, we have the following proposition.
Proposition 2.1 (1) If $S$ is a single-point set $\{1\}$, then $D(1)$ is isomorphic to the interval $[0,1]$.
(2) For a countable state space $S$, its sub-probability distributions $(D(S), \sqsubseteq)$ form a complete partial order (Ref. [15], Lemma 2.4, page 518); the least element is $0$ with $0(s) = 0$ for any $s \in S$.
(3) $D(S)$ is convex. That is, for any $\mu_1, \mu_2 \in D(S)$ and $p, q \in [0,1]$ with $p + q \le 1$, $p\cdot\mu_1 + q\cdot\mu_2 \in D(S)$.
(4) $S \to D(S)$ is a cpo under the pointwise order $\sqsubseteq$. $\square$
The definition below is due to Kozen (Ref. [5], page 331), Morgan (Ref. [14], page 329), or He (Ref. [11], page 174).
Definition 2.2 For a state $s \in S$, the point distribution or point mass at $s$ is defined by
$$\delta_s(s') = \begin{cases} 1, & \text{if } s = s', \\ 0, & \text{otherwise.} \end{cases}$$
Based on point masses, one can define a map $\eta_S : S \to D(S)$ by setting $\eta_S(s) = \delta_s$, which is an embedding map. Here, we introduce the notion of probabilistic predicates following Morgan (Ref. [14], page 332) and Ying (Ref. [18], page 325).
Definition 2.3 A probabilistic predicate on the state space $S$ is defined to be a bounded expectation on $S$, namely a function $\alpha$ of type $S \to \mathbb{R}^+$ (the set of non-negative reals) such that there is $M \in \mathbb{R}^+$ with $\alpha(s) \le M$ for all $s \in S$. We denote the set of all probabilistic predicates on $S$ by $PS$. The order between probabilistic predicates is defined pointwise, i.e., for any $\alpha, \beta \in PS$,
$$\alpha \sqsubseteq \beta \;:\Leftrightarrow\; \forall s \in S.\ \big(\alpha(s) \le \beta(s)\big).$$
It is clear that $\sup_{s \in S} \alpha(s)$ is a finite real for any probabilistic predicate $\alpha$.
In the sense of Ying (Ref. [18], page 325), $\sqsubseteq$ intuitively means "everywhere no more than". Ying also pointed out (Ref. [18], page 326) that $(PS, \sqsubseteq)$ is a $\wedge$-complete, atomless, distributive lattice, but not $\vee$-complete, because the least upper bound of infinitely many bounded expectations may no longer be bounded. But, clearly, if $\alpha_n \le M$ for every $n \in \omega$, then $\bigsqcup_{n \in \omega} \alpha_n$ is a probabilistic predicate over $S$.
Ying (Ref. [18], page 326) defined the arithmetic operations on $PS$. Let $\alpha, \beta \in PS$ and $r \in [0,1]$. Then the sum $\alpha + \beta$ and the scalar product $r\cdot\alpha$ are in $PS$, and for each $s \in S$,
$$(\alpha + \beta)(s) := \alpha(s) + \beta(s), \qquad (r\cdot\alpha)(s) := r \times \alpha(s).$$
Clearly, the point distribution $\delta_s$ at $s$ is also a probabilistic predicate. The next proposition gives a representation of probabilistic predicates in terms of point masses.
Proposition 2.2 For any $\alpha \in PS$, we have
$$\alpha = \sum_{s \in S} \alpha(s)\cdot\delta_s. \qquad \square$$
The following definition is important to probabilistic computation. It shows a connection between sub-probabilistic distributions and probabilistic predicates. Meanwhile, it also gives a kind of measure of probabilistic predicates with respect to sub-probabilistic distributions. This measure gives the expected value of expectations, denoted using the integration notation $\int$.
Definition 2.4 For a probabilistic predicate $\alpha : S \to \mathbb{R}^+$ and a sub-probability distribution $\mu \in D(S)$, the expected value of $\alpha$ over $\mu$ is [14]:
$$\int \alpha\, d\mu := \sum_{s \in S} \big(\alpha(s) \times \mu(s)\big).$$
The following lemma is useful.
Lemma 2.1 Let $S$ be a state space, and let $(S \to \mathbb{R}^+)$ denote the set of all functions from $S$ to $\mathbb{R}^+$.
(1) Let $S$ be finite. If $\{f_j \mid j \in I\}$ is any directed subset of $(S \to \mathbb{R}^+)$, then
$$\sum_{s \in S} \bigsqcup_{j \in I} f_j(s) = \bigsqcup_{j \in I} \sum_{s \in S} f_j(s).$$
(2) Let $S$ be countable and $\{f_j \mid j \in I\}$ any directed subset of $(S \to \mathbb{R}^+)$. Let $S_n = \sum_{i=1}^{n} \bigsqcup_{j \in I} f_j(s_i)$. If there exists $M \in \mathbb{R}^+$ such that $S_n \le M$ for every $n$, then
$$\sum_{s \in S} \bigsqcup_{j \in I} f_j(s) = \bigsqcup_{j \in I} \sum_{s \in S} f_j(s).$$
That is to say, in this case the directed sup and the countable sum can be interchanged. $\square$
By the definition of sub-probabilistic distributions, it follows easily that $\int \alpha\, d\mu \le \sup_{s \in S} \alpha(s)$. For the integration, one gets the properties below.
Proposition 2.3 (1) $\int a\, d\mu \le a$, where $a \in \mathbb{R}^+$ is a constant predicate;
(2) $\int (\alpha + \beta)\, d\mu = \int \alpha\, d\mu + \int \beta\, d\mu$;
(3) $\int r\cdot\alpha\, d\mu = r \times \int \alpha\, d\mu$, where $r \in \mathbb{R}^+$;
(4) $\int \alpha\, d\big(\sum_{i=1}^{n} r_i\cdot\mu_i\big) = \sum_{i=1}^{n} r_i\cdot\big(\int \alpha\, d\mu_i\big)$, where $\sum_{i=1}^{n} r_i \le 1$ and $\mu_i \in D(S)$;
(5) $\int \alpha\, d\big(\bigsqcup_{i \in I} \mu_i\big) = \sup_{i \in I} \int \alpha\, d\mu_i$, for any directed subset $\{\mu_i \mid i \in I\}$ of $D(S)$. $\square$
3 Denotational semantics
This section mainly introduces a simple sub-probabilistic while language and studies its semantics based on sub-probabilistic distributions. The language is defined as follows:
$$P ::= \mathbf{skip} \;\mid\; \mathbf{assign}\ f \;\mid\; (p)P \mid (q)Q \;\mid\; P;Q \;\mid\; \mathbf{if}\ B\ \mathbf{then}\ P\ \mathbf{else}\ Q \;\mid\; \mathbf{while}\ B\ \mathbf{do}\ P,$$
where $p, q \in [0,1]$ with $p + q \le 1$, and $f : S \to S$ is a function.
Our sub-probabilistic while language differs from the classic while language (in which there is no sub-probabilistic construct) and also from the probabilistic while language (which has the probabilistic construct $P\ {}_p{\oplus}\ Q$ rather than the sub-probabilistic one).
The denotation of a sub-probabilistic program $P$ will be given by a function $[\![P]\!] : S \to D(S)$.
Let $b = [\![B]\!]$ for a Boolean expression $B$, whose meaning is
$$b(s) = \begin{cases} 1, & \text{if } [\![B]\!](s) = \mathrm{true}, \\ 0, & \text{if } [\![B]\!](s) = \mathrm{false}. \end{cases}$$
For any state $s \in S$, Table 1 gives the definition of the denotational semantics of sub-probabilistic programs.
We must take care with the meanings of $[\![P;Q]\!]$ and $[\![\mathbf{while}\ B\ \mathbf{do}\ P]\!]$. We define $\dagger$ first. For a given $f : S \to D(S)$, we notice that $\lambda s' : S.\, f(s')(s)$ is a function from $S$ into $[0,1]$. So the integration
$$\int_{s' \in S} f(s')(s)\, d\mu = \int \lambda s' : S.\, f(s')(s)\, d\mu$$
is well defined for any $\mu \in D(S)$ and $s \in S$. Thus we get a map, denoted $f^\dagger$, of type $D(S) \to D(S)$, defined by the equation
$$f^\dagger(\mu)(s) = \int_{s' \in S} f(s')(s)\, d\mu \qquad (\mu \in D(S),\ s \in S).$$
The map $\dagger$ has the following properties.
Table 1 Denotational semantics of sub-probabilistic programs
$[\![\mathbf{skip}]\!](s) := \delta_s$
$[\![\mathbf{assign}\ f]\!](s) := \delta_{f(s)}$, for a function $f : S \to S$
$[\![(p)P \mid (q)Q]\!](s) := p\cdot[\![P]\!](s) + q\cdot[\![Q]\!](s)$
$[\![P;Q]\!](s) := [\![Q]\!]^\dagger([\![P]\!](s))$ (see above for how $[\![Q]\!]^\dagger$ is lifted)
$[\![\mathbf{if}\ B\ \mathbf{then}\ P\ \mathbf{else}\ Q]\!](s) := b(s)\cdot[\![P]\!](s) + (1 - b(s))\cdot[\![Q]\!](s)$
$[\![\mathbf{while}\ B\ \mathbf{do}\ P]\!](s) := \bigsqcup_{n \in \omega} f_n(s)$, where $f_n : S \to D(S)$ is defined by $f_0 = \lambda s.\,0$ and $f_{n+1}(s) = b(s)\cdot f_n^\dagger([\![P]\!](s)) + (1 - b(s))\cdot\delta_s$
Proposition 3.1 The mapping $\dagger : (S \to D(S)) \to (D(S) \to D(S))$ is Scott continuous, i.e., the following two items hold:
(1) It is monotone, i.e., $g^\dagger \sqsubseteq h^\dagger$ whenever $g \sqsubseteq h$ of type $S \to D(S)$;
(2) For any increasing family $\{h_n\}_{n \in \omega}$, we have
$$\Big(\bigsqcup_{n \in \omega} h_n\Big)^\dagger = \bigsqcup_{n \in \omega} h_n^\dagger.$$
Proof It is easy to verify the monotonicity of the mapping $\dagger$. Item (2) holds by the following computation. For any $\mu \in D(S)$ and $s \in S$, we have
$$\begin{aligned}
\Big(\bigsqcup_{n \in \omega} h_n\Big)^\dagger(\mu)(s)
&= \int_{s' \in S} \Big(\bigsqcup_{n \in \omega} h_n\Big)(s')(s)\, d\mu \\
&= \int_{s' \in S} \Big(\bigsqcup_{n \in \omega} h_n(s')\Big)(s)\, d\mu \\
&= \sum_{s' \in S} \Big(\bigsqcup_{n \in \omega} h_n(s')(s)\Big) \times \mu(s') \\
&= \bigsqcup_{n \in \omega} \sum_{s' \in S} h_n(s')(s) \times \mu(s') \qquad \text{(by Lemma 2.1(2), the partial sums being bounded by 1)} \\
&= \bigsqcup_{n \in \omega} \int_{s' \in S} h_n(s')(s)\, d\mu \\
&= \bigsqcup_{n \in \omega} h_n^\dagger(\mu)(s).
\end{aligned}$$
As a result, this proposition makes the denotational semantics $[\![P;Q]\!](s) = [\![Q]\!]^\dagger \circ [\![P]\!](s) = [\![Q]\!]^\dagger([\![P]\!])(s)$ well defined.
Proposition 3.2 Assume $\beta$ is a probabilistic predicate. Then, for any $s \in S$, we have
$$\int_{s' \in S} \beta\, d[\![P;Q]\!](s) = \int_{t \in S} \Big(\int_{s' \in S} \beta\, d[\![Q]\!](t)\Big)\, d[\![P]\!](s).$$
Proof Indeed, we have the following computation.
$$\begin{aligned}
\int_{s' \in S} \beta(s')\, d[\![P;Q]\!](s)
&= \int_{s' \in S} \beta(s')\, d\big([\![Q]\!]^\dagger([\![P]\!](s))\big) \\
&= \sum_{s' \in S} \beta(s') \times [\![Q]\!]^\dagger([\![P]\!](s))(s') \\
&= \sum_{s' \in S} \beta(s') \times \int_{t \in S} [\![Q]\!](t)(s')\, d[\![P]\!](s) \\
&= \sum_{s' \in S} \beta(s') \times \sum_{t \in S} [\![Q]\!](t)(s') \times [\![P]\!](s)(t) \\
&= \sum_{s' \in S} \sum_{t \in S} \beta(s') \times [\![Q]\!](t)(s') \times [\![P]\!](s)(t) \\
&= \sum_{t \in S} \sum_{s' \in S} \beta(s') \times [\![Q]\!](t)(s') \times [\![P]\!](s)(t) \\
&= \sum_{t \in S} \Big(\int_{s' \in S} \beta(s')\, d[\![Q]\!](t)\Big) \times [\![P]\!](s)(t) \\
&= \int_{t \in S} \Big(\int_{s' \in S} \beta(s')\, d[\![Q]\!](t)\Big)\, d[\![P]\!](s). \qquad \square
\end{aligned}$$
Now, we consider the meaning of the while program.
Proposition 3.3 For any $n \in \omega$ and $s \in S$, we have
(1) $f_n(s)$ is a sub-probability distribution on $S$, i.e., $f_n$ is well defined;
(2) $f_n \sqsubseteq f_{n+1}$, that is, $\{f_n\}_{n \in \omega}$ is an increasing chain;
(3) $\bigsqcup_{n \in \omega} f_n \in (S \to D(S))$, and it is the least fixed point of $F$, where $F : (S \to D(S)) \to (S \to D(S))$ is defined by
$$F(h)(s) = b(s) \times h^\dagger([\![P]\!](s)) + (1 - b(s)) \times \delta_s,$$
for any $h : S \to D(S)$ and $s \in S$.
Proof We only prove (3). By (2), we know that $\{f_n\}$ is an increasing family of $(S \to D(S))$. By Proposition 3.1, we get, for any $s \in S$,
$$\begin{aligned}
F\Big(\bigsqcup_n f_n\Big)(s)
&= b(s) \times \Big(\bigsqcup_{n \in \omega} f_n\Big)^\dagger([\![P]\!](s)) + (1 - b(s)) \times \delta_s \\
&= b(s) \times \Big(\bigsqcup_{n \in \omega} f_n^\dagger\Big)([\![P]\!](s)) + (1 - b(s)) \times \delta_s \\
&= b(s) \times \Big(\bigsqcup_{n \in \omega} f_n^\dagger([\![P]\!](s))\Big) + (1 - b(s)) \times \delta_s \\
&= \bigsqcup_{n \in \omega} \big(b(s) \times f_n^\dagger([\![P]\!](s))\big) + (1 - b(s)) \times \delta_s \\
&= \bigsqcup_{n \in \omega} \big(b(s) \times f_n^\dagger([\![P]\!](s)) + (1 - b(s)) \times \delta_s\big) \\
&= \bigsqcup_{n \in \omega} f_{n+1}(s) = \Big(\bigsqcup_{n \in \omega} f_n\Big)(s).
\end{aligned}$$
Hence $F(\bigsqcup_n f_n) = \bigsqcup_n f_n$. That is, $\bigsqcup_n f_n$ is a fixed point of $F$.
Now, suppose that $g$ is any fixed point of $F$, i.e., $F(g) = g$. In the following, we show $f_n \sqsubseteq g$ for any $n$ by mathematical induction on $n$.
Case 1 $n = 0$. Since $f_0 = 0$, $f_0 \sqsubseteq g$.
Case 2 Assume that the conclusion holds when $n = k$, i.e., $f_k \sqsubseteq g$. Then we consider the case $n = k + 1$. For any $s, t \in S$, we have (by $f_k \sqsubseteq g$)
$$\begin{aligned}
f_{k+1}(s)(t)
&= b(s) \times f_k^\dagger([\![P]\!](s))(t) + (1 - b(s)) \times \delta_s(t) \\
&= b(s) \times \int_{s' \in S} f_k(s')(t)\, d[\![P]\!](s) + (1 - b(s)) \times \delta_s(t) \\
&\le b(s) \times \int_{s' \in S} g(s')(t)\, d[\![P]\!](s) + (1 - b(s)) \times \delta_s(t) \\
&= b(s) \times g^\dagger([\![P]\!](s))(t) + (1 - b(s)) \times \delta_s(t) \\
&= F(g)(s)(t) = g(s)(t) \qquad (g \text{ is a fixed point of } F).
\end{aligned}$$
So $f_{k+1} \sqsubseteq g$. Thus we get $f_n \sqsubseteq g$ for any $n$, and then $\bigsqcup_n f_n \sqsubseteq g$. This means $\bigsqcup_n f_n$ is the least fixed point of $F$. We complete the proof. $\square$
4 Axiomatic semantics for total correctness
This section studies the total logic of triples of the form $\alpha\{P\}\beta$, where $\alpha$ and $\beta$ are probabilistic predicates and $P$ is a sub-probabilistic program, whose meaning is given through the denotational semantics in the previous section.
We say that a state $s$ satisfies a probabilistic predicate $\alpha$ with an expected value $i \in \mathbb{R}^+$ if $\alpha(s) \ge i$, and that a sub-probabilistic distribution $\mu$ satisfies a probabilistic predicate $\alpha$ with an expected value $i$ if the integral $\int \alpha\, d\mu \ge i$.
Total correctness for a sub-probabilistic triple $\alpha\{P\}\beta$ with the expected value $i$ means that, for any state $s \in S$, if $s$ satisfies $\alpha$ with the expected value $i$, then program $P$ will terminate at state $s$, and the output $P(s)$ satisfies the postcondition $\beta$ with the expected value $i$ too. That is, if $\alpha(s) \ge i$ then $P$ terminates at $s$ and $\int \beta\, d[\![P]\!](s) \ge i$, for any state $s \in S$.
We call the triple $\alpha\{P\}\beta$ valid if for any state $s \in S$ and any expected value $i$, whenever $s$ satisfies the precondition $\alpha$ with $i$, the program $P$ will terminate at $s$ and the output $P(s)$ satisfies the postcondition $\beta$ with $i$. For the sake of convenience, we do not consider the termination issue. Thus, we have the following claim.
Claim The triple $\alpha\{P\}\beta$ is valid if and only if $\forall s \in S.\ \alpha(s) \le \int \beta\, d[\![P]\!](s)$.
We use the notation $\models \alpha\{P\}\beta$ to indicate that this triple is valid.
Now, we give an axiomatic system for total correctness in Table 2.
A proof of a triple is a sequence of triples, in which each term is an instance of an axiom or is derived from previous terms by one of the rules. The last triple, say $\alpha\{P\}\beta$, is called a theorem and denoted by $\vdash \alpha\{P\}\beta$.
Usually, although the $\alpha_n$ are probabilistic predicates, $\bigsqcup_{n \in \omega} \alpha_n$ need not be a probabilistic predicate. This is because the least upper bound of infinitely many bounded expectations may no longer be bounded. So we need to show that $\bigsqcup_{n \in \omega} \alpha_n$ is a probabilistic predicate in the [while] rule of the axiomatic semantics (Proposition 4.1). We give its soundness and completeness, whose proofs follow a pattern similar to that of Jones [19] and are given in the Appendix.
Theorem 4.1 (Soundness) Given a sub-probabilistic triple $\alpha\{P\}\beta$, we have that $\vdash \alpha\{P\}\beta$ implies $\models \alpha\{P\}\beta$. $\square$
The following proposition guarantees the correctness of the while rule in this axiomatic system.
Proposition 4.1 If $\vdash \alpha_{n+1}\{P\}(b\cdot\alpha_n + (1 - b)\cdot\beta)$ for all $n \in \mathbb{N}$, then $\alpha_n(s) \le \sup_{t \in S} \beta(t)$ for any $s \in S$ and $n \in \omega$, where $\alpha_0 = \lambda s.\,0$. So $\bigsqcup_{n \in \omega} \alpha_n$ is a probabilistic predicate.
Proof It can be proved by mathematical induction on $n$.
Firstly, we consider the case $n = 0$. For any $s \in S$, $\alpha_0(s) = 0 \le \sup_{t \in S} \beta(t)$.
Secondly, suppose that the inequality holds for $n = k$, i.e., $\alpha_k(s) \le \sup_{t \in S} \beta(t)$. We consider the case $n = k + 1$. Since $\vdash \alpha_{k+1}\{P\}(b\cdot\alpha_k + (1 - b)\cdot\beta)$, we have by the soundness theorem, for any $s \in S$,
$$\begin{aligned}
\alpha_{k+1}(s)
&\le \int \big(b\cdot\alpha_k + (1 - b)\cdot\beta\big)\, d[\![P]\!](s) \\
&\le \int \Big(b \times \sup_{t \in S} \beta(t) + (1 - b) \times \sup_{t \in S} \beta(t)\Big)\, d[\![P]\!](s) \\
&= \int \sup_{t \in S} \beta(t)\, d[\![P]\!](s) \\
&\le \sup_{t \in S} \beta(t).
\end{aligned}$$
As a result, for any $n \in \omega$ and $s \in S$, $\alpha_n(s) \le \sup_{t \in S} \beta(t)$. Thus, $\bigsqcup_{n \in \omega} \alpha_n$ is a probabilistic predicate.
Theorem 4.2 (Completeness) Given a sub-probabilistic triple $\alpha\{P\}\beta$, we have that $\models \alpha\{P\}\beta$ implies $\vdash \alpha\{P\}\beta$. $\square$
5 Equivalence between semantics
This section studies the equivalence of the semantics of sub-probabilistic programs through the wp-calculus.
Table 2 Axiomatic system for total correctness
[skip] $\alpha\{\mathbf{skip}\}\alpha$
[ass] $\alpha\{\mathbf{assign}\ f\}\beta$, if $\alpha(s) = \beta(f(s))$
[probability] $\dfrac{\alpha_1\{P\}\beta \qquad \alpha_2\{Q\}\beta}{(p\cdot\alpha_1 + q\cdot\alpha_2)\{(p)P \mid (q)Q\}\beta}$
[comp] $\dfrac{\alpha\{P\}\beta \qquad \beta\{Q\}\gamma}{\alpha\{P;Q\}\gamma}$
[if] $\dfrac{\alpha\{P\}\beta \qquad \alpha'\{Q\}\beta}{(b\cdot\alpha + (1 - b)\cdot\alpha')\{\mathbf{if}\ B\ \mathbf{then}\ P\ \mathbf{else}\ Q\}\beta}$
[while] $\dfrac{\alpha_{n+1}\{P\}(b\cdot\alpha_n + (1 - b)\cdot\beta)}{\big(b\cdot\bigsqcup_{n \in \omega} \alpha_n + (1 - b)\cdot\beta\big)\{\mathbf{while}\ B\ \mathbf{do}\ P\}\beta}$ $(\alpha_0 = 0)$
[cons] $\dfrac{\alpha\{P\}\beta}{\alpha'\{P\}\beta'}$, if $\alpha' \sqsubseteq \alpha$ and $\beta \sqsubseteq \beta'$
Given a sub-probabilistic program $P$ (whose denotation is a function from $S$ into $D(S)$) and a probabilistic predicate $\beta$, one can define the weakest precondition $\mathrm{wp}(P, \beta)$ to be the weakest of the probabilistic predicates $\alpha$ making $\alpha\{P\}\beta$ valid. Note that the weakest one in the total logic means the largest predicate. So, we define $\mathrm{wp}(P, \beta)$ by setting, for any state $s \in S$,
$$\mathrm{wp}(P, \beta)(s) = \int \beta\, d[\![P]\!](s).$$
It follows that $\mathrm{wp}(P, \beta)$ is a probabilistic predicate over the state space $S$, for a sub-probabilistic program $P$ and a probabilistic predicate $\beta$, since $\int \beta\, d[\![P]\!](s) \le \sup_{t \in S} \beta(t)$.
The two theorems that follow state the properties wp obeys; they are easily shown with Proposition 2.3.
Theorem 5.1 Given a probabilistic predicate $\beta$, wp is computed through the following equations:
(1) $\mathrm{wp}(\mathbf{skip}, \beta) = \beta$,
(2) $\mathrm{wp}(\mathbf{assign}\ f, \beta) = \lambda s : S.\, \beta(f(s))$,
(3) $\mathrm{wp}((p)P \mid (q)Q, \beta) = p\cdot\mathrm{wp}(P, \beta) + q\cdot\mathrm{wp}(Q, \beta)$,
(4) $\mathrm{wp}(P;Q, \beta) = \mathrm{wp}(Q, \mathrm{wp}(P, \beta))$,
(5) $\mathrm{wp}(\mathbf{if}\ B\ \mathbf{then}\ P\ \mathbf{else}\ Q, \beta) = b\cdot\mathrm{wp}(P, \beta) + (1 - b)\cdot\mathrm{wp}(Q, \beta)$,
(6) $\mathrm{wp}(\mathbf{while}\ B\ \mathbf{do}\ P, \beta) = \bigsqcup_{n \in \omega} \alpha_n$, where $\alpha_0 = \lambda s.\,0$ and $\alpha_{n+1} = b\cdot\mathrm{wp}(P, \alpha_n) + (1 - b)\cdot\beta$. $\square$
Theorem 5.2 Given a sub-probabilistic program $P$, wp has the following properties.
Miracle: $\mathrm{wp}(P, 0) = 0$.
Monotonicity: $\mathrm{wp}(P, \beta_1) \le \mathrm{wp}(P, \beta_2)$, if $\beta_1 \sqsubseteq \beta_2$.
Homogeneity: $\mathrm{wp}(P, r\cdot\beta) = r\cdot\mathrm{wp}(P, \beta)$, where $r \in \mathbb{R}^+$.
Affineness: $\mathrm{wp}\big(P, \sum_{i=1}^{n} r_i\cdot\beta_i\big) = \sum_{i=1}^{n} r_i\cdot\mathrm{wp}(P, \beta_i)$, where $r_i \in \mathbb{R}^+$.
Continuity: If $\{\beta_i : i \in I\}$ is a directed subset of probabilistic predicates and $\bigsqcup_{i \in I} \beta_i$ exists, then $\mathrm{wp}(P, \bigsqcup_{i \in I} \beta_i) = \bigsqcup_{i \in I} \mathrm{wp}(P, \beta_i)$.
Boundedness: for any $s \in S$, $\sum_{y \in S} \mathrm{wp}(P, \delta_y)(s) \le 1$. $\square$
Given a sub-probabilistic program $P$, $\mathrm{wp}(P, -)$ defines a function from $PS$ into $PS$, which is indeed a probabilistic predicate transformer over the state space $S$. This transformer can be used to define a semantics of sub-probabilistic programs as $\mathrm{wp}(P) = \mathrm{wp}(P, -)$, which is called the wp-semantics. The denotational semantics and the wp-semantics have the connection below.
Theorem 5.3 Given a sub-probabilistic program $P$, we have
$$\int \beta\, d[\![P]\!]^\dagger(\mu) = \int \mathrm{wp}(P, \beta)\, d\mu,$$
for any probabilistic predicate $\beta$ over $S$ and any sub-probabilistic distribution $\mu$ on $S$. $\square$
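The Table 1 denotation and the wp equations of Theorems 5.1 and 5.3, worked through as an added Python example (not the paper's code): a finite-state interpreter that computes $[\![P]\!](s)$ by iterating the chain $f_n$, computes $\mathrm{wp}(P, \beta)$ by the $\alpha_n$ recursion, and checks Theorem 5.3 on a constructed loop whose body loses mass $1/6$ per iteration to "no state at all". The state space $S = \{0,\dots,4\}$, the tuple encoding of programs, the `fuel` iteration bound and the sample program are assumptions of this example; the composition case is implemented as Proposition 3.2 gives it, $\mathrm{wp}(P;Q, \beta) = \mathrm{wp}(P, \mathrm{wp}(Q, \beta))$.

```python
from fractions import Fraction as F
from typing import Callable, Dict
# Added example (not the paper's code): a finite-state interpreter for the sub-probabilistic
# while language; [[P]](s) follows the Table 1 equations and wp(P, beta) the Theorem 5.1
# recursion.  S = {0,...,4}, the tuple encoding of programs and the sample loop are constructed.
SubDist = Dict[int, F]          # finite support, total mass <= 1
Pred = Callable[[int], F]       # probabilistic predicate (bounded expectation)
STATES = list(range(5))
# Encoding: ("skip",) ("assign", f) ("choice", p, P, q, Q) ("seq", P, Q) ("if", B, P, Q) ("while", B, P)

def point(s: int) -> SubDist:
    """delta_s, the point mass at s (Definition 2.2)."""
    return {s: F(1)}

def combine(p: F, mu: SubDist, q: F, nu: SubDist) -> SubDist:
    """p*mu + q*nu, which stays in D(S) when p + q <= 1 (Proposition 2.1(3))."""
    return {t: v for t in set(mu) | set(nu) if (v := p * mu.get(t, 0) + q * nu.get(t, 0)) != 0}

def expect(beta: Pred, mu: SubDist) -> F:
    """integral of beta d mu = sum_s beta(s) * mu(s) (Definition 2.4); the mass lost to
    'no state at all' (1 - sum_s mu(s)) contributes nothing."""
    return sum((beta(s) * w for s, w in mu.items()), F(0))

def lift(f: Callable[[int], SubDist], mu: SubDist) -> SubDist:
    """The lift f^dagger: f^dagger(mu)(t) = integral_{s'} f(s')(t) d mu."""
    out: SubDist = {}
    for s1, w in mu.items():
        for t, v in f(s1).items():
            out[t] = out.get(t, F(0)) + w * v
    return out

def den(prog, s: int, fuel: int = 100) -> SubDist:
    """[[P]](s) per Table 1; 'while' iterates the chain f_n until it is stationary."""
    tag = prog[0]
    if tag == "skip":
        return point(s)
    if tag == "assign":
        return point(prog[1](s))
    if tag == "choice":
        _, p, P, q, Q = prog
        assert p + q <= 1, "sub-stochastic condition p + q <= 1 violated"
        return combine(p, den(P, s), q, den(Q, s))
    if tag == "seq":                    # [[P;Q]](s) = [[Q]]^dagger([[P]](s))
        _, P, Q = prog
        return lift(lambda t: den(Q, t), den(P, s))
    if tag == "if":
        _, B, P, Q = prog
        return den(P, s) if B(s) else den(Q, s)
    if tag == "while":
        _, B, P = prog
        # f_0 = lambda s.0 ; f_{n+1}(s) = b(s)*f_n^dagger([[P]](s)) + (1-b(s))*delta_s
        f_n: Dict[int, SubDist] = {t: {} for t in STATES}
        for _ in range(fuel):
            f_next = {t: lift(lambda u, g=f_n: g[u], den(P, t)) if B(t) else point(t) for t in STATES}
            if f_next == f_n:           # stationary, so this is the sup of the chain
                break
            f_n = f_next
        return f_n[s]                   # if fuel ran out: a lower bound of the sup
    raise ValueError(f"unknown construct {tag}")

def wp(prog, beta: Pred, fuel: int = 100) -> Pred:
    """wp(P, beta) by Theorem 5.1; the composition case follows Proposition 3.2."""
    tag = prog[0]
    if tag == "skip":
        return beta
    if tag == "assign":
        return lambda s, f=prog[1]: beta(f(s))
    if tag == "choice":
        _, p, P, q, Q = prog
        return lambda s, a=wp(P, beta), b=wp(Q, beta): p * a(s) + q * b(s)
    if tag == "seq":                    # wp(P;Q, beta) = wp(P, wp(Q, beta))
        _, P, Q = prog
        return wp(P, wp(Q, beta))
    if tag == "if":
        _, B, P, Q = prog
        return lambda s, a=wp(P, beta), b=wp(Q, beta): a(s) if B(s) else b(s)
    if tag == "while":
        _, B, P = prog
        # alpha_0 = lambda s.0 ; alpha_{n+1} = b*wp(P, alpha_n) + (1-b)*beta
        a_n: Dict[int, F] = {t: F(0) for t in STATES}
        for _ in range(fuel):
            w = wp(P, lambda t, g=a_n: g[t])
            a_next = {t: w(t) if B(t) else beta(t) for t in STATES}
            if a_next == a_n:
                break
            a_n = a_next
        return lambda s, table=a_n: table[s]
    raise ValueError(f"unknown construct {tag}")

def check_theorem_5_3(prog, beta: Pred, mu: SubDist) -> bool:
    """integral beta d[[P]]^dagger(mu) == integral wp(P, beta) d mu (Theorem 5.3)."""
    return expect(beta, lift(lambda t: den(prog, t), mu)) == expect(wp(prog, beta), mu)

# Constructed sample: while x < 3 do (1/2)(x := x+1) | (1/3)(x := x+2); each iteration
# sends mass 1/6 to "no state at all", so [[LOOP]](0) has total mass 47/72 < 1.
BODY = ("choice", F(1, 2), ("assign", lambda x: x + 1), F(1, 3), ("assign", lambda x: x + 2))
LOOP = ("while", lambda x: x < 3, BODY)
VALUE = lambda s: F(s)              # sample postcondition: expectation 'value of the final state'
```

With exact rationals the chain $f_n$ becomes stationary after a few rounds because every loop iteration strictly increases $x$ or drops out; for loops that only converge in the limit, `den` returns the lower bound $f_{\mathrm{fuel}}(s)$ instead of the sup.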
Definition 5.1 (1) A probabilistic predicate transformer over the state space $S$ is a mapping from $PS$ to $PS$.
(2) A probabilistic predicate transformer $\tau$ is said to be healthy if it satisfies the following conditions:
(i) For any $s \in S$, $\sum_{y \in S} \tau(\delta_y)(s) \le 1$;
(ii) For any $y \in S$ and $r \in \mathbb{R}^+$, $\tau(r\cdot\delta_y) = r\cdot\tau(\delta_y)$;
(iii) $\tau\big(\sum_{y \in S} r_y\cdot\delta_y\big) = \sum_{y \in S} r_y\cdot\tau(\delta_y)$, where $r_y \in \mathbb{R}^+$.
The notation $(PS \to_H PS)$ will denote the set of all healthy probabilistic predicate transformers over the state space $S$ with the pointwise order $\sqsubseteq$.
Proposition 5.1 $(PS \to_H PS)$ is closed under linear operators. That is, for any $\tau_i \in (PS \to_H PS)$, $\sum_{i=1}^{n} r_i\tau_i \in (PS \to_H PS)$, where $\sum_{i=1}^{n} r_i \le 1$.
Proposition 5.2 Let $\tau_1$ and $\tau_2$ be healthy probabilistic predicate transformers. If $\tau_1(\delta_s) = \tau_2(\delta_s)$ for any $s \in S$, then $\tau_1 = \tau_2$.
Proposition 5.3 Given any $\alpha \in PS$ and $\tau \in (PS \to_H PS)$, we have $\tau(\alpha)(s) \le \sup_{y \in S} \alpha(y)$, for any $s \in S$.
Proof It follows from, for any $s \in S$,
$$\begin{aligned}
\tau(\alpha)(s)
&= \tau\Big(\sum_{y \in S} \alpha(y)\cdot\delta_y\Big)(s) \\
&= \sum_{y \in S} \alpha(y)\cdot\tau(\delta_y)(s) \\
&\le \sum_{y \in S} \Big(\sup_{y \in S} \alpha(y)\Big)\cdot\tau(\delta_y)(s) \\
&\le \sup_{y \in S} \alpha(y) \cdot \sum_{y \in S} \tau(\delta_y)(s) \le \sup_{y \in S} \alpha(y). \qquad \square
\end{aligned}$$
Theorem 5.2 shows that, given a sub-probabilistic program $P$, the weakest precondition function $\mathrm{wp}(P, -)$ is healthy. One natural question is whether or not a healthy predicate transformer can be defined by a sub-probabilistic program. The rest of this section answers it.
We first define a mapping $\mathrm{rp}$ from $(PS \to_H PS)$ to $(S \to D(S))$ by, for any $\tau \in (PS \to_H PS)$, $s \in S$ and $y \in S$,
$$\mathrm{rp}(\tau)(s)(y) = \tau(\delta_y)(s).$$
By the definition of healthy probabilistic predicate transformers, one gets
$$\sum_{y \in S} \mathrm{rp}(\tau)(s)(y) = \sum_{y \in S} \tau(\delta_y)(s) \le 1.$$
So $\mathrm{rp}(\tau)(s) \in D(S)$. Then $\mathrm{rp}(\tau) \in (S \to D(S))$.
Theorem 5.4 (1) For any $\tau \in (PS \to_H PS)$ and $h \in (S \to D(S))$, we have $\mathrm{wp}(\mathrm{rp}(\tau)) = \tau$ and $\mathrm{rp}(\mathrm{wp}(h)) = h$. That is, $\mathrm{wp} \circ \mathrm{rp} = \mathrm{id}$ and $\mathrm{rp} \circ \mathrm{wp} = \mathrm{id}$ hold.
(2) $(PS \to_H PS)$ is isomorphic to $(S \to D(S))$ under the pair of functions wp and rp.
Proof (1) For any $h : S \to D(S)$ and $x, y \in S$, one gets
$$\begin{aligned}
(\mathrm{rp} \circ \mathrm{wp})(h)(x)(y) &= \mathrm{rp}(\mathrm{wp}(h))(x)(y) = \mathrm{wp}(h)(\delta_y)(x) \\
&= \int_{s \in S} \delta_y\, dh(x) \\
&= \sum_{s \in S} \delta_y(s) \times h(x)(s) = h(x)(y).
\end{aligned}$$
So $\mathrm{rp} \circ \mathrm{wp}(h) = h$.
Conversely, one gets that, for any $\tau : (PS \to_H PS)$, $\alpha \in PS$ and $x \in S$,
$$\begin{aligned}
(\mathrm{wp} \circ \mathrm{rp})(\tau)(\alpha)(x) &= \mathrm{wp}(\mathrm{rp}(\tau))(\alpha)(x) \\
&= \int_{s \in S} \alpha\, d\,\mathrm{rp}(\tau)(x) \\
&= \sum_{s \in S} \alpha(s) \times \mathrm{rp}(\tau)(x)(s) = \sum_{s \in S} \alpha(s) \times \tau(\delta_s)(x) \\
&= \Big(\sum_{s \in S} \alpha(s) \times \tau(\delta_s)\Big)(x) \\
&= \tau\Big(\sum_{s \in S} \alpha(s) \times \delta_s\Big)(x) \qquad (\text{since } \tau \text{ is healthy}) \\
&= \tau(\alpha)(x).
\end{aligned}$$
So $\mathrm{wp} \circ \mathrm{rp}(\tau) = \tau$.
(2) Let $\tau_1, \tau_2 \in (PS \to_H PS)$. We prove that $\tau_1 \sqsubseteq \tau_2$ if and only if $\mathrm{rp}(\tau_1) \le \mathrm{rp}(\tau_2)$.
Firstly, if $\tau_1 \sqsubseteq \tau_2$, then for any $x, y \in S$ we have
$$\mathrm{rp}(\tau_1)(x)(y) = \tau_1(\delta_y)(x) \le \tau_2(\delta_y)(x) = \mathrm{rp}(\tau_2)(x)(y).$$
So $\mathrm{rp}(\tau_1) \le \mathrm{rp}(\tau_2)$.
Secondly, if $\mathrm{rp}(\tau_1) \le \mathrm{rp}(\tau_2)$, then for any $x, y \in S$ we get $\tau_1(\delta_y)(x) \le \tau_2(\delta_y)(x)$. Now, suppose $\alpha \in PS$. Then
$$\begin{aligned}
\tau_1(\alpha)(x) &= \tau_1\Big(\sum_{y \in S} \alpha(y) \times \delta_y\Big)(x) \\
&= \Big(\sum_{y \in S} \alpha(y) \times \tau_1(\delta_y)\Big)(x) \\
&= \sum_{y \in S} \alpha(y) \times \tau_1(\delta_y)(x) \\
&\le \sum_{y \in S} \alpha(y) \times \tau_2(\delta_y)(x) \\
&= \Big(\sum_{y \in S} \alpha(y) \times \tau_2(\delta_y)\Big)(x) \\
&= \tau_2\Big(\sum_{y \in S} \alpha(y) \times \delta_y\Big)(x) \\
&= \tau_2(\alpha)(x).
\end{aligned}$$
This means that $\tau_1 \sqsubseteq \tau_2$. According to (1) and (2), we get $(S \to D(S)) \cong (PS \to_H PS)$. The proof is completed. $\square$
This theorem tells us that if $\mathrm{rp}(\tau)$ can be defined by using a sub-probabilistic program $P$, then this healthy probabilistic predicate transformer $\tau$ can be defined by using the same program $P$, and $\mathrm{wp}(P) = \tau$. So, this theorem shows an equivalence relationship between the denotational semantics and the wp-semantics of sub-probabilistic programs. But it still remains open whether every state transformer $f : S \to D(S)$ can be defined by a sub-probabilistic program. Closer to the notion of healthy predicate transformers are the notion of linearity of Ref. [16] and that of strong monotonicity of Ref. [18]. McIver and Morgan show that a transformer is linear if it is the wp-image of a deterministic relational program (Ref. [16], Theorem 3.5, page 339). Ying shows that any monotone probabilistic predicate transformer can be written as a statement term consisting of a probabilistic angelic update followed by a probabilistic demonic update (Ref. [18], Theorem 12, page 343).
6 Conclusions and future works
This paper has contributed the introduction of a weak version of probabilistic programming language, the sub-probability while language, based on sub-probability distributions, and of both its denotational and wp-semantics, which are equivalent. This paper has also set up an axiomatic system for total logic and shown its soundness and completeness. We have shown that a sub-probability program gives rise to a predicate transformer which is healthy, and that a healthy predicate transformer induces a state transformer. But it remains to be studied how to define a sub-probability program for a given state transformer. Clearly, it is not certain that all state transformers can be defined by sub-probability programs. So, it still remains open which state transformers can be defined by sub-probability programs.
Appendix
Theorem 4.1 (Soundness) Given a sub-probabilistic triple $\alpha\{P\}\beta$, we have that $\vdash \alpha\{P\}\beta$ implies $\models \alpha\{P\}\beta$.
Proof It follows by induction on the structure of the program $P$.
Case 1 $P = \mathbf{skip}$. Then by the skip rule we have $\beta = \alpha$. So $\models \alpha\{\mathbf{skip}\}\beta$.
Case 2 $P = \mathbf{assign}\ f$. Then we have $\alpha(s) = \beta(f(s))$. But
$$\int \beta\, d[\![\mathbf{assign}\ f]\!](s) = \int \beta\, d\delta_{f(s)} = \sum_{s' \in S} \beta(s') \times \delta_{f(s)}(s') = \beta(f(s)) = \alpha(s).$$
So $\models \alpha\{\mathbf{assign}\ f\}\beta$.
Case 3 $P = (p)P \mid (q)Q$. Then, by the probability rule, we get
$$\alpha = p\cdot\alpha_1 + q\cdot\alpha_2,$$
and
$$\vdash \alpha_1\{P\}\beta, \qquad \vdash \alpha_2\{Q\}\beta.$$
So one gets $\alpha_1(s) \le \int \beta\, d[\![P]\!](s)$ and $\alpha_2(s) \le \int \beta\, d[\![Q]\!](s)$. But
$$\begin{aligned}
\int \beta\, d[\![(p)P \mid (q)Q]\!](s)
&= \int \beta\, d\big(p \times [\![P]\!](s) + q \times [\![Q]\!](s)\big) \\
&= p \times \int \beta\, d[\![P]\!](s) + q \times \int \beta\, d[\![Q]\!](s) \\
&\ge p \times \alpha_1(s) + q \times \alpha_2(s) = \alpha(s).
\end{aligned}$$
Therefore $\models \alpha\{(p)P \mid (q)Q\}\beta$.
Case 4 $P = P;Q$. Then we have
$$\vdash \alpha\{P\}\gamma, \qquad \vdash \gamma\{Q\}\beta.$$
By the inductive hypothesis, we know
$$\alpha(s) \le \int \gamma\, d[\![P]\!](s) \quad\text{and}\quad \gamma(t) \le \int \beta\, d[\![Q]\!](t).$$
Proposition 3.2 implies
$$\int \beta\, d[\![P;Q]\!](s) = \int_{t \in S} \Big(\int \beta\, d[\![Q]\!](t)\Big)\, d[\![P]\!](s) \ge \int_{t \in S} \gamma(t)\, d[\![P]\!](s) \ge \alpha(s).$$
So $\models \alpha\{P;Q\}\beta$.
Case 5 $P = \mathbf{if}\ B\ \mathbf{then}\ P\ \mathbf{else}\ Q$. Then $\vdash \alpha_1\{P\}\beta$ and $\vdash \alpha_2\{Q\}\beta$, as well as $\alpha = b\cdot\alpha_1 + (1 - b)\cdot\alpha_2$, in which $b = [\![B]\!]$. So $\alpha_1(s) \le \int \beta\, d[\![P]\!](s)$ and $\alpha_2(s) \le \int \beta\, d[\![Q]\!](s)$. Since
$$\begin{aligned}
\int \beta\, d[\![\mathbf{if}\ B\ \mathbf{then}\ P\ \mathbf{else}\ Q]\!](s)
&= \int \beta\, d\big(b(s) \times [\![P]\!](s) + (1 - b(s)) \times [\![Q]\!](s)\big) \\
&= b(s) \times \int \beta\, d[\![P]\!](s) + (1 - b(s)) \times \int \beta\, d[\![Q]\!](s) \\
&\ge b(s) \times \alpha_1(s) + (1 - b(s)) \times \alpha_2(s) = \alpha(s),
\end{aligned}$$
therefore $\models \alpha\{\mathbf{if}\ B\ \mathbf{then}\ P\ \mathbf{else}\ Q\}\beta$.
Case 6 $P = \mathbf{while}\ B\ \mathbf{do}\ P$. Then there is a sequence $\alpha_n$ ($n \in \omega$) of probabilistic predicates such that
$$\vdash \alpha_{n+1}\{P\}(b\cdot\alpha_n + (1 - b)\cdot\beta),$$
and
$$\alpha = b\cdot\Big(\bigsqcup_{n \in \omega} \alpha_n\Big) + (1 - b)\cdot\beta,$$
where $\alpha_0 = 0$. So we need to show that
$$b(s) \times \Big(\sup_n \alpha_n(s)\Big) + (1 - b(s)) \times \beta(s) \le \int \beta\, d[\![\mathbf{while}\ B\ \mathbf{do}\ P]\!](s).$$
We know that $[\![\mathbf{while}\ B\ \mathbf{do}\ P]\!](s) = \bigsqcup_{n \in \omega} f_n(s)$, where $f_0(s) = 0$ and
$$f_{n+1}(s) = b(s) \times f_n^\dagger([\![P]\!](s)) + (1 - b(s)) \times \delta_s.$$
Proposition 3.3 implies that $\{f_n(s) \mid n \in \omega\}$ is a directed subset of $D(S)$. Hence we have
$$\int \beta\, d[\![\mathbf{while}\ B\ \mathbf{do}\ P]\!](s) = \sup_n \int \beta\, df_n(s).$$
So, what we want is to show that
$$\sup_n \big(b(s) \times \alpha_n(s) + (1 - b(s)) \times \beta(s)\big) \le \sup_n \int \beta\, df_n(s).$$
Clearly, we only need to show that the following inequality holds for any $n \in \omega$:
$$\int \beta\, df_{n+1}(s) \ge b(s) \times \alpha_n(s) + (1 - b(s)) \times \beta(s).$$
(1) If $n = 0$, then $f_1(s) = (1 - b(s)) \times \delta_s$ and $\alpha_0(s) = 0$. The inequality holds.
(2) Suppose that the inequality holds for $n = k$.
(3) Now, we consider the case $n = k + 1$. We have to verify
$$\int \beta\, df_{k+2}(s) \ge b(s) \times \alpha_{k+1}(s) + (1 - b(s)) \times \beta(s).$$
By the definition of $f_{k+2}$, we have
$$\begin{aligned}
\int \beta\, df_{k+2}(s)
&= \int \beta\, d\big(b(s) \times f_{k+1}^\dagger([\![P]\!](s)) + (1 - b(s)) \times \delta_s\big) \\
&= b(s) \times \int \beta\, d f_{k+1}^\dagger([\![P]\!](s)) + (1 - b(s)) \times \int \beta\, d\delta_s \\
&= b(s) \times \int_{t \in S} \Big(\int \beta\, df_{k+1}(t)\Big)\, d[\![P]\!](s) + (1 - b(s)) \times \beta(s) \\
&\ge (1 - b(s)) \times \beta(s) + b(s) \times \int_{t \in S} \big(b(t) \times \alpha_k(t) + (1 - b(t)) \times \beta(t)\big)\, d[\![P]\!](s) \\
&\ge (1 - b(s)) \times \beta(s) + b(s) \times \alpha_{k+1}(s).
\end{aligned}$$
Hence, for any $n$,
$$b(s) \times \alpha_n(s) + (1 - b(s)) \times \beta(s) \le \int \beta\, df_{n+1}(s),$$
which is required.
Case 7 $P = P$ (the cons rule). Then we have $\vdash \alpha'\{P\}\beta'$ with $\alpha \sqsubseteq \alpha'$ as well as $\beta' \sqsubseteq \beta$. So $\alpha'(s) \le \int \beta'\, d[\![P]\!](s)$. But $\alpha(s) \le \alpha'(s)$ and $\beta'(s) \le \beta(s)$. Therefore $\alpha(s) \le \int \beta\, d[\![P]\!](s)$. $\square$
Theorem 4.2 (Completeness) Given sub-probabilistic tri-
ple a{P}b, we have that � afPgb implies ‘ afPgb.Proof This proof can be gotten by using induction on the
structure of program P.
Case 1 P5 skip.
If � afskipgb then for any s [S,
a sð Þfðbd½½skip�� sð Þ~
ðbd�s~b sð Þ:
Then, a b. However, ‘ b skipf gb by the skip rule.
Hence, the rule of cons implies ‘ a skipf gb.Case 2 P5 assign f.
Hence, � a assign ff gb implies that
a sð Þfðbd½½assign f �� sð Þ:
Let c(s)5 bfassign fg(s). We have a c. Since fassignfg5 f(s), it follows that c(s)5 b(f(s)). The assign rule
deduces ‘ c assign ff gb. By the consequence rule, one
can get ‘ a assign ff gb.Case 3 P~ pð ÞQj qð ÞR.Then, we have that, for any s,
a sð Þfðbd½½ pð ÞQj qð ÞR�� sð Þ:
Let, for any s [S,
a1 sð Þ~ðbd½½Q�� sð Þ,
and
a2 sð Þ~ðbd½½R�� sð Þ:
Then, we have that � a1 Qf gb and � a2 Rf gb. By the
inductive hypothesis, we have that ‘ a1 Qf gb and
‘ a2 Rf gb. Hence, the probability rule induces that
‘ p8a1+q8a2 pð ÞQj qð ÞRÞf gb:
Butðbd½½ pð ÞQj qð ÞR�� sð Þ~p
ðbd½½Q�� sð Þ
� �zq
ðbd½½R�� sð Þ
� �:
So, ðbd½½ pð ÞQj qð ÞR�� sð Þ~p|a1 sð Þzq|a2 sð Þ:
Therefore, a p8a1+q8a2. By the cons rule, one can
deduce ‘ a pð ÞQj qð ÞRf gb.Case 4 P5Q; R.
Hence, a(s)( bdfQ; Rg(s), for any s [S. Let
c sð Þ~ðbd½½R�� sð Þ:
Then, � c Rf gb. Furthermore, by the inductive hypo-thesis for R, we can deduce ‘ c Rf gb. By Proposition
3.2, we have
a sð Þfðbd½½Q;R�� sð Þ~
ðcd½½Q�� sð Þ:
So, one can get that ‘ a Qf gc. The comp rule implies
‘ a Q;Rf gb.Case 5 P5 if B then Q else R.
Then, for any s [S,
a sð Þfðbd½½if B then Q else R�� sð Þ:
Letc1 sð Þ~
ðbd½½Q�� sð Þ,
and
c2 sð Þ~ðbd½½R�� sð Þ:
Hence, ‘ c1 Qf gb and ‘ c2 Rf gb. So, we can deduce, by
using the rule of probability,
‘ b8c1+ 1{bð Þ8c2 if B then Q else Rf gb:Since ð
bd½½if B then Q else R�� sð Þ
~b sð Þ|ðbd½½Q�� sð Þz 1{b sð Þð Þ|
ðbd½½R�� sð Þ,
we get
a sð Þfb sð Þ|c1 sð Þz 1{b sð Þð Þ|c2 sð Þ:Therefore, a b8c1+ 1� bð Þ8c2. So, we get‘ a if B then Q else Rf gb.
Case 6 P5while B do Q.
Then, for any s [S,
a sð Þfðbd½½while B do Q�� sð Þ:
Front. Comput. Sci. China, 2008, 2(1) 37
But $[\![\mathbf{while}\ B\ \mathbf{do}\ Q]\!] = \bigvee_{n \in \omega} f_n$, where $f_0 = 0$. So
$$\alpha(s) \le \sup_{n \in \omega} \int \beta \, d f_n(s).$$
Define
$$\gamma_n(s) = \int \beta \, d f_n(s).$$
Then we have $\gamma_0 = 0$, and
$$\begin{aligned}
\gamma_{n+1}(s) &= \int \beta \, d f_{n+1}(s) \\
&= \int \beta \, d\Big( b(s) \times f_n^{-}\big([\![Q]\!](s)\big) + (1 - b(s)) \times \delta_s \Big) \\
&= (1 - b(s)) \times \beta(s) + b(s) \times \int \beta \, d\big( f_n^{-} [\![Q]\!] \big)(s) \\
&= (1 - b(s)) \times \beta(s) + b(s) \times \int_{t \in S} \Big( \int_{s' \in S} \beta \, d f_n(t) \Big) d[\![Q]\!](s) \\
&= (1 - b(s)) \times \beta(s) + b(s) \times \int \gamma_n \, d[\![Q]\!](s).
\end{aligned}$$
Let $\alpha_n(s) = \int \gamma_n \, d[\![Q]\!](s)$. Then $\alpha_0(s) = 0$, and by the inductive hypothesis one can deduce $\vdash \alpha_n \{Q\} \gamma_n$ and then $\vdash \alpha_{n+1} \{Q\} \gamma_{n+1}$. However,
$$\gamma_{n+1} = (1 - b) \cdot \beta + b \cdot \alpha_n.$$
So $\vdash \alpha_{n+1} \,\{Q\}\, b \cdot \alpha_n + (1 - b) \cdot \beta$. By the while rule, we can deduce
$$\vdash b \cdot \Big( \bigvee_{n \in \omega} \alpha_n \Big) + (1 - b) \cdot \beta \ \{\mathbf{while}\ B\ \mathbf{do}\ Q\}\ \beta.$$
But
$$\alpha(s) \le \sup_{n \in \omega} \int \beta \, d f_n(s) = \sup_{n \in \omega} \gamma_n(s) = \sup_{n \in \omega} \big[ (1 - b(s)) \times \beta(s) + b(s) \times \alpha_n(s) \big] = (1 - b(s)) \times \beta(s) + b(s) \times \Big( \sup_{n \in \omega} \alpha_n \Big)(s).$$
So $\alpha \le (1 - b) \cdot \beta + b \cdot \big( \bigvee_{n \in \omega} \alpha_n \big)$. Thus, we can deduce
$\vdash \alpha \,\{\mathbf{while}\ B\ \mathbf{do}\ Q\}\, \beta$. This finishes the proof. $\square$

Acknowledgements
Research on this paper was begun by the second author while he was studying for his Ph.D. degree at Shanghai Normal University under the supervision of the first author. The final version was written after the first author took up his position at East China Normal University. This paper was accepted by CiE07 at Siena, June 2007, for a regular talk. This work was supported by the National High-Tech Research and Development of China (863 Program) (2007AA01Z189), the National Natural Science Foundation of China (Grant No. 60673117), the Specialized Research Fund for Doctoral Program (20050270004), the STCSM (06JC14022) and the Shanghai Leading Academic Discipline Project (B412). The final version of the paper profited from careful readings and remarks by anonymous referees. The authors would like to thank them for their invaluable comments and suggestions.
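The while case of the proof rests on the identity $\gamma_{n+1}(s) = (1 - b(s)) \beta(s) + b(s) \alpha_n(s)$ between the approximants $f_n$ of the loop's semantics and the expectations $\gamma_n$, $\alpha_n$. The following Python is an added example, not code from the paper: it fixes a constructed sub-probabilistic loop on a finite state space, builds $f_n$ exactly as the proof defines it, and checks that identity for concrete $n$ and $s$. The loop, the probabilities $p = 1/2$ and $q = 3/10$, and all function names are my assumptions; $b$ is the guard $B$ read as a $\{0,1\}$-valued expectation.

```python
from fractions import Fraction
from functools import lru_cache

# Constructed instance (not from the paper): guard B = (x > 0) and loop body
# Q = (p) x := x - 1 | (q) skip with p + q < 1, so mass 1 - p - q is dropped on
# every execution of Q. That lost mass is what makes the program sub-probabilistic.
DEC, STAY = Fraction(1, 2), Fraction(3, 10)

def guard(s):
    """b(s): 1 if state s satisfies the guard B, else 0."""
    return Fraction(int(s > 0))

def sem_Q(s):
    """[[Q]](s): the sub-distribution (dict state -> weight) that Q yields from s."""
    return {s - 1: DEC, s: STAY} if s > 0 else {0: DEC + STAY}

def integral(beta, mu):
    """Integral of the expectation beta against mu; on a finite state space, a weighted sum."""
    return sum((beta(t) * w for t, w in mu.items()), Fraction(0))

def extend(f, mu):
    """f^-(mu): push mu through the state-to-sub-distribution map f (linear extension)."""
    out = {}
    for t, w in mu.items():
        for u, v in f(t).items():
            out[u] = out.get(u, Fraction(0)) + w * v
    return out

@lru_cache(maxsize=None)
def f_n(n, s):
    """n-th approximant of [[while B do Q]]: f_0 = 0 and
    f_{n+1}(s) = b(s) * f_n^-([[Q]](s)) + (1 - b(s)) * delta_s."""
    if n == 0:
        return {}                      # the zero sub-distribution
    if guard(s) == 0:
        return {s: Fraction(1)}        # delta_s: the loop exits, state unchanged
    return extend(lambda t: f_n(n - 1, t), sem_Q(s))

def gamma(n, beta, s):
    """gamma_n(s) = integral of beta against f_n(s)."""
    return integral(beta, f_n(n, s))

def alpha(n, beta, s):
    """alpha_n(s) = integral of gamma_n against [[Q]](s)."""
    return integral(lambda t: gamma(n, beta, t), sem_Q(s))

def recurrence_holds(n, beta, states):
    """The identity used in the while case: gamma_{n+1}(s) = (1 - b(s)) beta(s) + b(s) alpha_n(s)."""
    return all(gamma(n + 1, beta, s) == (1 - guard(s)) * beta(s) + guard(s) * alpha(n, beta, s)
               for s in states)
```

With $\beta = 1$, $\sup_n \gamma_n(s)$ is the probability that this loop terminates from $s$, which for the constructed body is $(p/(1-q))^s < 1$; the shortfall is exactly the mass lost to the sub-probabilistic choice.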