
Correctness by Construction for Probabilistic Programs

  • Conference paper
  • In: Leveraging Applications of Formal Methods, Verification and Validation: Verification Principles (ISoLA 2020)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 12476)

Abstract

The “correct by construction” paradigm is an important component of modern Formal Methods, and here we use the probabilistic Guarded-Command Language pGCL to illustrate its application to probabilistic programming.

pGCL extends Dijkstra’s guarded-command language GCL with probabilistic choice, and is equipped with a correctness-preserving refinement relation \((\sqsubseteq)\) that enables compact, abstract specifications of probabilistic properties to be transformed gradually to concrete, executable code by applying mathematical insights in a systematic and layered way.

Characteristically for correctness by construction, as far as possible the reasoning in each refinement-step layer does not depend on earlier layers, and does not affect later ones.

We demonstrate the technique by deriving a fair-coin implementation of any given discrete probability distribution. In the special case of simulating a fair die, our correct-by-construction algorithm turns out to be “within spitting distance” of Knuth and Yao’s optimal solution.
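As an added illustration (my own code, not the paper's Program (14), which this preview does not reproduce), the fair-coin construction from the abstract in Python: each flip reveals one more bit of a uniform number and bisects the remaining probability mass, and the draw is decided once the residual support shrinks to a single outcome. The distributions `DIE` and `DYADIC` and the names `fair_coin_sample` and `exact_law` are mine; the exact-rational arithmetic is what makes the output law exactly the target, with no modulo or rounding bias, which is the property a practitioner wants from any sampler fed by CSPRNG bits.

```python
from fractions import Fraction
from itertools import product
import secrets

# Constructed sample distributions (not from the paper): a fair die and a dyadic one.
DIE = [(face, Fraction(1, 6)) for face in range(1, 7)]
DYADIC = [("a", Fraction(1, 2)), ("b", Fraction(1, 4)), ("c", Fraction(1, 4))]

def fair_coin_sample(dist, flip):
    """Draw from dist (list of (outcome, Fraction) summing to 1) using only fair flips.
    flip() returns 0 or 1 with probability 1/2 each.  Returns (outcome, flips_used).
    Each flip reveals one more binary digit of a uniform U in [0, 1); we stop once the
    dyadic interval of U lies inside one outcome's CDF interval.  Exact rationals, so
    the output law is exactly dist (no floating-point or modulo bias)."""
    bounds, acc = [], Fraction(0)
    for outcome, p in dist:
        if p > 0:                       # zero-mass outcomes are never in the support
            bounds.append((outcome, acc, acc + p))
        acc += p
    if acc != 1:
        raise ValueError("probabilities must sum to 1")
    lo, width, flips = Fraction(0), Fraction(1), 0
    while True:
        # outcomes whose CDF interval overlaps [lo, lo + width): the residual support
        live = [o for o, a, b in bounds if a < lo + width and lo < b]
        if len(live) == 1:
            return live[0], flips
        width /= 2                      # bisect the remaining mass at its midpoint
        if flip():                      # 0 keeps the lower half, 1 the upper half
            lo += width
        flips += 1

def exact_law(dist, max_depth):
    """Enumerate all flip strings of length max_depth.  Returns (law, unresolved): law
    maps each outcome to the exact mass the sampler gives it within max_depth flips,
    unresolved is the mass still undecided (for non-dyadic dist it shrinks geometrically)."""
    law, unresolved, weight = {}, Fraction(0), Fraction(1, 2 ** max_depth)
    for bits in product((0, 1), repeat=max_depth):
        it = iter(bits)
        try:
            outcome, _ = fair_coin_sample(dist, lambda: next(it))
        except StopIteration:           # ran out of bits: this string is undecided
            unresolved += weight
            continue
        law[outcome] = law.get(outcome, Fraction(0)) + weight
    return law, unresolved

if __name__ == "__main__":              # real use: fair bits from the OS CSPRNG
    print(fair_coin_sample(DIE, lambda: secrets.randbits(1)))
```

For the die, `exact_law` shows the flip budget is only almost surely sufficient: the boundaries at sixths are not dyadic, so a small, geometrically shrinking mass remains undecided at any fixed depth, while for `DYADIC` two flips decide everything.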

We are grateful for the support of the Australian Research Council.


Notes

  1. A game-show host, Monty Hall, exhibits three curtains, behind one of which sits a Cadillac; the other two curtains conceal goats. The contestant guesses which curtain hides the prize, and Monty then opens another, making sure however that it reveals a goat. The contestant is allowed to change his mind. Should he?

  2. If the program is a mathematical object, then as Andrew Vazsonyi [14] pointed out: “I’m not interested in ad hoc solutions invented by clever people. I want a method that works for lots of problems... One that mere mortals can use. Which is what a correctness-by-construction method should be.”

  3. Constructor \({\mathbb {P}}\) is “subsets of” and \(\mathbb {D}\) is “discrete distributions on”.

  4. See Sect. 3.5 for a further discussion of this.

  5. Kozen’s work did not restrict to discrete distributions; but that is all we need here.

  6. The expected value of the characteristic function of an event is equal to the probability that itself holds.

  7. Note that if contains ( ) somewhere, the above does not apply: Dijkstra semantics has no definition for ( ).

  8. This is particularly compelling when wp is Curried: sequential composition is then the functional composition .

  9. This is not a novelty: demonic choice is usually treated that way in semantics; that is why it is called “demonic”.

  10. The intent of this section can be understood from the syntax given in Figs. 2, 3, and 4.

  11. We will sometimes include Dijkstra’s closing .

  12. As before, we usually use Dijkstra’s loop-closing .

  13. By “reasonably good” we mean that it deals with most loops, but not all: it is sound, but not complete. There are more complex rules for dealing with more complex situations [11]. Strictly speaking, over infinite state spaces “non-zero” must be strengthened to “bounded away from zero” [13].

  14. Recall from Sect. 2.2 that \(\mathbb {D}\mathcal{X}\) is the set of discrete distributions over finite set \(\mathcal X\).

  15. Summing over all possible values e of would give the same result, since the extra values have probability zero anyway. Some find this formulation more intuitive.

  16. In probability theory this would be the cardinality of its support.

  17. And if an error was made in the proofs, the “successful” path can be audited to see what the mistake was, why it was made, and how to fix it.

  18. Applying to a set means the sum of the -probabilities of the elements of the set.

  19. If for example C were much smaller, so that the dividing line went through D, the new distribution would have support 4, the same as itself. But would then have support 1, strictly smaller.

  20. The range is inclusive-exclusive (as in Python). A similar coupling invariant applies to and . All three invariants are applied at once.

  21. Note the necessity of keeping this as two steps: first data-refine, then (if you can) optimise algorithmically.

References

  1. Dijkstra, E.W.: On the reliability of programs (EWD303)

  2. Dijkstra, E.W.: A Discipline of Programming. Prentice-Hall, Upper Saddle River (1976)

  3. Floyd, R.W.: Assigning meanings to programs. In: Schwartz, J.T. (ed.) Mathematical Aspects of Computer Science. Proceedings of Symposium on Applied Mathematics, vol. 19, pp. 19–32. American Mathematical Society (1967)

  4. Hoare, C.A.R.: An axiomatic basis for computer programming. Comm. ACM 12(10), 576–580 (1969)

  5. Jones, C.B., Plotkin, G.: A probabilistic powerdomain of evaluations. In: Proceedings of the IEEE 4th Annual Symposium on Logic in Computer Science, Los Alamitos, CA, pp. 186–195. Computer Society Press (1989)

  6. Knuth, D., Yao, A.: The complexity of nonuniform random number generation. In: Algorithms and Complexity: New Directions and Recent Results. Academic Press (1976)

  7. Kozen, D.: Semantics of probabilistic programs. J. Comput. Syst. Sci. 22, 328–350 (1981)

  8. Kozen, D.: A probabilistic PDL. In: Proceedings of the 15th ACM Symposium on Theory of Computing, pp. 291–297. ACM, New York (1983)

  9. Leino, K.R.M.: Dafny: an automatic program verifier for functional correctness. In: Clarke, E.M., Voronkov, A. (eds.) LPAR 2010. LNCS (LNAI), vol. 6355, pp. 348–370. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17511-4_20

  10. McIver, A.K., Morgan, C.C.: Abstraction, Refinement and Proof for Probabilistic Systems. Monographs in Computer Science. Springer, New York (2005). https://doi.org/10.1007/b138392

  11. McIver, A.K., Morgan, C.C., Kaminski, B.-L., Katoen, J.-P.: A new proof rule for almost-sure termination. Proc. ACM Program. Lang. 2(POPL), 1–28 (2017)

  12. Morgan, C.C., McIver, A.K., Seidel, K.: Probabilistic predicate transformers. ACM Trans. Program. Lang. Syst. 18(3), 325–353 (1996)

  13. Morgan, C.C.: Proof rules for probabilistic loops. In: Jifeng, H., Cooke, J., Wallis, P. (eds.) Proceedings of the BCS-FACS 7th Refinement Workshop, Workshops in Computing. Springer, Heidelberg (July 1996). http://www.bcs.org/upload/pdf/ewicrw96paper10.pdf

  14. Vazsonyi, A.: Which Door has the Cadillac: Adventures of a Real-Life Mathematician. Writers Club Press (2002)

  15. Wirth, N.: Program development by stepwise refinement. Commun. ACM 14(4), 221–227 (1971)


Author information

Correspondence to Annabelle McIver or Carroll Morgan.


A Program (14) implemented in Python

[Figures hl, hm, hn: the Python listing of Program (14), not reproduced in this preview]


Copyright information

© 2020 Springer Nature Switzerland AG


Cite this paper

McIver, A., Morgan, C. (2020). Correctness by Construction for Probabilistic Programs. In: Margaria, T., Steffen, B. (eds) Leveraging Applications of Formal Methods, Verification and Validation: Verification Principles. ISoLA 2020. Lecture Notes in Computer Science(), vol 12476. Springer, Cham. https://doi.org/10.1007/978-3-030-61362-4_12


  • DOI: https://doi.org/10.1007/978-3-030-61362-4_12


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-61361-7

  • Online ISBN: 978-3-030-61362-4
