Abstract
We revisit two wellestablished verification techniques, kinduction and bounded model checking (BMC), in the more general setting of fixed point theory over complete lattices. Our main theoretical contribution is latticed kinduction, which (i) generalizes classical kinduction for verifying transition systems, (ii) generalizes Park induction for bounding fixed points of monotonic maps on complete lattices, and (iii) extends from naturals k to transfinite ordinals \(\kappa \), thus yielding \(\kappa \)induction.
The latticetheoretic understanding of kinduction and BMC enables us to apply both techniques to the fully automatic verification of infinitestate probabilistic programs. Our prototypical implementation manages to automatically verify nontrivial specifications for probabilistic programs taken from the literature that—using existing techniques—cannot be verified without synthesizing a stronger inductive invariant first.
Keywords
 kinduction
 Bounded model checking
 Fixed point theory
 Probabilistic programs
 Quantitative verification
This work has been partially funded by the ERC Advanced Project FRAPPANT under grant No. 787914.
Download conference paper PDF
1 Introduction
Bounded model checking (BMC) [12, 17] is a successful method for analyzing models of hardware and software systems. For checking a finitestate transition system (TS) against a safety property (“bad states are unreachable”), BMC unrolls the transition relation until it either finds a counterexample and hence refutes the property, or reaches a precomputed completeness threshold on the unrolling depth and accepts the property as verified. For infinitestate systems, however, such completeness thresholds need not exist (cf. [64]), rendering BMC a refutationonly technique. To verify infinitestate systems, BMC is typically combined with the search for an inductive invariant, i.e., a superset of the reachable states which is closed under the transition relation. Proving a—not necessarily inductive—safety property then amounts to synthesizing a sufficiently strong, often complicated, inductive invariant that excludes the bad states. A plethora of techniques target computing or approximating inductive invariants, including IC3 [14], induction [13, 20], interpolation [50, 51], and predicate abstraction [27, 36]. However, invariant synthesis may burden full automation, as it either relies on usersupplied annotations or confines pushbutton technologies to semidecision or approximate procedures.
kinduction [65] generalizes the principle of simple induction (aka 1induction) by considering k consecutive transition steps instead of only a single one. It is more powerful: an invariant can be kinductive for some \(k >1\) but not 1inductive. Following the seminal work of Sheeran et al. [65] which combines kinduction with SAT solving to check safety properties, kinduction has found a broad spectrum of applications in the realm of hardware [29, 37, 45, 65] and software verification [10, 21,22,23, 55, 63]. Its success is due to (1) being a foundational yet potent reasoning technique, and (2) integrating well with SAT/SMT solvers, as also pointed out in [45]: “the simplicity of applying kinduction made it the goto technique for SMTbased infinitestate model checking”. This paper explores whether kinduction can have a similar impact on the fully automatic verification of infinitestate probabilistic programs. That is, we aim to verify that the expected value of a specified quantity—think: “quantitative postcondition”—after the execution of a probabilistic program is bounded by a specified threshold.
Example 1
(Bounded Retransmission Protocol [19, 32]). The loop
models a simplified version of the bounded retransmission protocol, which attempts to transmit \(\textit{toSend} \) packages via an unreliable channel (that fails with probability 0.1) allowing for at most \(\textit{maxFail} \) retransmissions per package.
Using our generalization of kinduction, we can fully automatically verify that the expected total number of failed transmissions is at most 1, if the number of packages we want to (successfully) send is at most 3. In terms of weakest preexpectations [38, 44, 49], this quantitative property reads
The bound on the righthandside of the inequality is 4inductive, but not 1inductive; verifying the same bound using 1induction requires finding a nontrivial—and far less perspicuous—inductive invariant. Moreover, if we consider an arbitrary number of packages to send, i.e., we drop \(\left[ {\textit{toSend} \le 3} \right] \), this bound becomes invalid. In this case, our BMC procedure produces a counterexample, i.e., values for \(\textit{toSend} \) and \(\textit{maxFail} \), proving that the bound does not hold.
Lifting the classical formalization (and SAT encoding) of kinduction over TSs to the probabilistic setting is nontrivial. We encounter the following challenges:
(A) Quantitative reachability. In a TS, a state reachable within k steps remains reachable on increasing k. In contrast, reachability probabilities in Markov chains—a common operational model for probabilistic programs [28]—may increase on increasing k. Hence, proving that the probability of reaching a bad state remains below a given threshold is more intricate than reasoning about qualitative reachability.
(B) Counterexamples are subsystems. In a TS, an acyclic path from an initial to a bad state suffices as a witness for refuting safety, i.e., nonreachability. SAT encodings of kinduction rely on this by expressing the absence of witnesses up to a certain pathlength. In the probabilistic setting, however, witnesses are no longer single paths [30]. Rather, a witness for the probability of reaching a bad state to exceed a threshold is a subsystem [15], i.e., a set of possibly cyclic paths.
(C) Symbolic encodings. To enable fully automated verification, we need a suitable encoding such that our lifting integrates well into SMT solvers. Verifying probabilistic programs involves reasoning about execution trees, where each (weighted) branch corresponds to a probabilistic choice. A suitable encoding needs to capture such trees which requires more involved theories than encoding paths in classical kinduction.
We address challenges (A) and (B) by developing latticed kinduction, which is a proof technique in the rather general setting of fixed point theory over complete lattices. Latticed kinduction generalizes classical kinduction in three aspects: (1) it works with any monotonic map on a complete lattice instead of being confined to the transition relation of a transition system, (2) it generalizes the Park induction principle for bounding fixed points of such monotonic maps, and (3) it extends from natural numbers k to (possibly transfinite) ordinals \(\kappa \), hence its short name: \(\kappa \)induction.
It is this latticetheoretic understanding that enables us to lift both kinduction and BMC to reasoning about quantitative properties of probabilistic programs. To enable automated reasoning, we address challenge (C) by an incremental SMT encoding based on the theory of quantifierfree mixed integer and real arithmetic with uninterpreted functions (\(\textsf {QF\_UFLIRA} \)). We show how to effectively compute all needed operations for \(\kappa \)induction using the SMT encoding and, in particular, how to decide quantitative entailments.
A prototypical implementation of our method demonstrates that \(\kappa \)induction for (linear) probabilistic programs manages to automatically verify nontrivial specifications for programs taken from the literature which—using existing techniques—cannot be verified without synthesizing a stronger inductive invariant.
Due to space restrictions, most proofs and details about individual benchmarks have been omitted; they are found in an extended version of this paper [8].
Related Work. Besides the aforementioned related work on kinduction, we briefly discuss other automated analysis techniques for probabilistic systems and other approaches for bounding fixed points. Symbolic engines exist for exact inference [26] and sensitivity analysis [33]. Other automated approaches focus on bounding expected costs [56], termination analysis [2, 16], and static analysis [3, 67]. BMC has been applied in a rather rudimentary form to the onthefly verification of finite unfoldings of probabilistic programs [35], and the enumerative generation of counterexamples in finite Markov chains [68]. (Semi)automated invariantsynthesis techniques can be found in [6, 24, 41]. A recent variant of IC3 for probabilistic programs called PrIC3 [7] is restricted to finitestate systems. When applied to finitestate Markov chains, our \(\kappa \)induction operator is related to other operators that have been employed for determining reachabilitiy probabilities through value iteration [4, 31, 61]. In particular, when iterated on the candidate upper bound, the \(\kappa \)induction operator coincides with the (upper value iteration) operator in interval iteration [4]; the latter operator can be used together with the upto techniques (cf. [53, 58, 59]) to prove our \(\kappa \)induction rule sound (in contrast, we give an elementary proof). However, the \(\kappa \)induction operator avoids comparing current and previous iterations. It is thus easier to implement and more amenable to SMT solvers. Finally, the proof rules for bounding fixed points recently developed in [5] are restricted to finitestate systems.
2 Verification as a Fixed Point Problem
We start by recapping some fundamentals on fixed points of monotonic operators on complete lattices before we state our target verification problem.
Fundamentals. For the next three sections, we fix a complete lattice \((E,\, \sqsubseteq )\), i.e. a carrier set E together with a partial order \(\sqsubseteq \), such that every subset \(S \subseteq E\) has a greatest lower bound \(\sqcap S\) (also called the meet of S) and a least upper bound \(\bigsqcup S\) (also called the join of S). For just two elements \(\{g, h\} \subseteq E\), we denote their meet by \(g\sqcap h\) and their join by \(g\sqcup h\). Every complete lattice has a least and a greatest element, which we denote by \(\bot \) and \(\top \), respectively.
In addition to \((E,\, \sqsubseteq )\), we also fix a monotonic operator \(\varPhi :E\rightarrow E\). By the KnasterTarski theorem [43, 47, 66], every monotonic operator \(\varPhi \) admits a complete lattice of (potentially infinitely many) fixed points. The least fixed point \({\textsf {{lfp}}}~\varPhi \) and the greatest fixed point \({\textsf {{gfp}}}~\varPhi \) are moreover constructible by (possibly transfinite) fixed point iteration from \(\bot \) and \(\top \), respectively: Cousot & Cousot [18] showed that there exist ordinals \(\alpha \) and \(\beta \), such that^{Footnote 1}
where denotes the upper \(\delta \)fold iteration and \(\varPhi ^{\left\lfloor \delta \right\rfloor }\left( g\right) \) denotes the lower \(\delta \)fold iteration of \(\varPhi \) on \(g\), respectively. Formally, is given by^{Footnote 2}
Intuitively, if \(\delta \) is the successor of \(\gamma \), then we simply do another iteration of \(\varPhi \). If \(\delta \) is a limit ordinal, then can also be thought of as a limit, namely of iterating \(\varPhi \) on \(g\). However, simply iterating \(\varPhi \) on \(g\) need not always converge, especially if the iteration does not yield an ascending chain. To remedy this, we take as limit the join over the whole (possibly transfinite) iteration sequence, i.e., the least upper bound over all elements that occur along the iteration. The lower \(\delta \)fold iteration \(\varPhi ^{\left\lfloor \delta \right\rfloor }\left( g\right) \) is defined analogously to , except that we take a meet instead of a join whenever \(\delta \) is a limit ordinal.
An important special case for fixed point iteration (see (\(\dagger \))) is when the operator \(\varPhi \) is Scottcontinuous (or simply continuous), i.e., if . In this case, \(\alpha \) in (\(\dagger \)) coincides with the first infinite limit ordinal \(\omega \) (which can be identified with the set \(\mathbb {N} \) of natural numbers). This fact is also known as the Kleene fixed point theorem [1].
Problem Statement. Fixed points are ubiquitous in computer science. Prime examples of properties that can be conveniently characterized as least fixed points include both the set of reachable states in a transition system and the function mapping each state in a Markov chain to the probability of reaching some goal state (cf. [60]). However, least and greatest fixed points are often difficult or even impossible [39] to compute; it is thus desirable to bound them.
For example, it may be sufficient to prove that a system modeled as a Markov chain reaches a bad state from its initial state with probability at most \(10^{{}6}\), instead of computing precise reachability probabilities for each state. Moreover, if said probability is not bounded by \(10^{{}6}\), we would like to witness that as well.
In general latticetheoretic terms, our problem statement reads as follows:
For proving, we will present latticed kinduction; for refuting, we will present latticed bounded model checking. Running both in parallel may (and under certain conditions: will) lead to a decision of the above problem.
3 Latticed kInduction
In this section, we generalize the wellestablished kinduction verification technique [23, 29, 37, 45, 55, 65] to latticed kinduction (for short: \(\kappa \)induction; reads: “kappa induction”). With \(\kappa \)induction, our aim is to prove that \({\textsf {{lfp}}}~\varPhi \sqsubseteq f\). To this end, we attempt “ordinary” induction, also known as Park induction:
Theorem 1
(Park Induction [57]). Let \(f\in E\). Then
Intuitively, this principle says: if pushing our candidate upper bound \(f\) through \(\varPhi \) takes us down in the partial order \(\sqsubseteq \), we have verified that \(f\) is indeed an upper bound on \({\textsf {{lfp}}}~\varPhi \). The true power of Park induction is that applying \(\varPhi \) once tells us something about iterating \(\varPhi \) possibly transfinitely often (see (\(\dagger \)) in Sect. 2).
Park induction, unfortunately, does not work in the reverse direction: If we are unlucky, \(f\sqsupset {\textsf {{lfp}}}~\varPhi \) is an upper bound on \({\textsf {{lfp}}}~\varPhi \), but nevertheless \(\varPhi \left( f \right) \not \sqsubseteq f\). In this case, we say that \(f\) is not inductive. But how can we verify that \(f\) is indeed an upper bound in such a noninductive scenario? We search below \(f\) for a different, but inductive, upper bound on \({\textsf {{lfp}}}~\varPhi \), that is, we
In order to perform a guided search for such an \(h\), we introduce the \(\kappa \)induction operator—a modified version of \(\varPhi \) that is parameterized by our candidate \(f\):
Definition 1
(\(\boldsymbol{\kappa }\)Induction Operator). For \(f\in E\), we call
the \(\kappa \) induction operator (with respect to \(f\) and \(\varPhi \)).
What does \(\varPsi _{f}\) do? As illustrated in Fig. 1, if \(\varPhi \left( f \right) \not \sqsubseteq f\) (i.e. \(f\) is noninductive) then “at least some part of \(\varPhi \left( f \right) \) is greater than \(f\)”. If the whole of \(\varPhi \left( f \right) \) is greater than \(f\), then \(f\sqsubset \varPhi \left( f \right) \); if only some part of \(\varPhi \left( f \right) \) is greater and some is smaller than \(f\), then \(f\) and \(\varPhi \left( f \right) \) are incomparable. The \(\kappa \)induction operator \(\varPsi _{f}\) now rectifies \(\varPhi \left( f \right) \) being (partly) greater than \(f\) by pulling \(\varPhi \left( f \right) \) down via the meet with f (i.e., via ), so that the result is in no part greater than f. Applying \(\varPsi _{f}\) to \(f\) hence always yields something below or equal to f.
Together with the observation that \(\varPsi _{f}\) is monotonic, iterating \(\varPsi _{f}\) on \(f\) necessarily descends from \(f\) downwards in the direction of \({\textsf {{lfp}}}~\varPhi \) (and never below):
Lemma 1
(Properties of the \(\boldsymbol{\kappa }\)Induction Operator). Let \(f\in E\) and let \(\varPsi _{f}\) be the \(\kappa \)induction operator with respect to \(f\) and \(\varPhi \). Then

(a)
\(\varPsi _{f}\) is monotonic, i.e., \( \forall \, g_1,g_2 \in E:~ g_1 ~{}\sqsubseteq {}~g_2 ~~\text {implies}~~ \varPsi _{f}(g_1) ~{}\sqsubseteq {}~\varPsi _{f}(g_2) \).

(b)
Iterations of \(\varPsi _{f}\) starting from f are descending, i.e., for all ordinals \(\gamma \), \(\delta \),
$$\begin{aligned} \gamma ~{}<{}~\delta ~\quad \text {implies}\quad ~\varPsi _{f}^{\left\lfloor \delta \right\rfloor }(f) ~{}\sqsubseteq {}~\varPsi _{f}^{\left\lfloor \gamma \right\rfloor }(f). \end{aligned}$$ 
(c)
\(\varPsi _{f}\) is dominated by \(\varPhi \), i.e., \(\forall \, g\in E:~ \varPsi _{f}(g) ~{}\sqsubseteq {}~\varPhi \left( g \right) . \)

(d)
If \({\textsf {{lfp}}}~\varPhi \sqsubseteq f\), then for any ordinal \(\delta \),
$$\begin{aligned} {\textsf {{lfp}}}~\varPhi ~{}\sqsubseteq {}~{\ldots } ~{}\sqsubseteq {}~\varPsi _{f}^{\left\lfloor \delta \right\rfloor }(f) ~{}\sqsubseteq {}~{\ldots } ~{}\sqsubseteq {}~\varPsi _{f}^{\left\lfloor 2 \right\rfloor }(f) ~{}\sqsubseteq {}~\varPsi _{f}(f) ~{}\sqsubseteq {}~f. \end{aligned}$$
The descending sequence \(f\sqsupseteq \varPsi _{f}(f) \sqsupseteq \varPsi _{f}^{\left\lfloor 2 \right\rfloor }(f) \sqsupseteq {\ldots }\) constitutes our guided search for an inductive upper bound on \({\textsf {{lfp}}}~\varPhi \). For each ordinal \(\kappa \) (hence the short name: \(\kappa \)induction), \({\varPsi _{f}^{\left\lfloor \kappa \right\rfloor }(f)}\) is a potential candidate for Park induction:
For efficiency reasons, e.g., when offloading the above inequality check to an SMT solver, we will not check the inequality (\(\ddagger \)) directly but a property equivalent to (\(\ddagger \)), namely whether \(\varPhi (\varPsi _{f}^{\left\lfloor \kappa \right\rfloor }(f))\) is below \(f\) instead of \(\varPsi _{f}^{\left\lfloor \kappa \right\rfloor }(f)\):
Lemma 2
(Park Induction from \(\boldsymbol{\kappa }\)Induction). Let \(f\in E\). Then
Proof
The ifdirection is trivial, as \(\varPsi _{f}^{\left\lfloor \kappa \right\rfloor }(f) \sqsubseteq f\) (Lemma 1(d)). For onlyif:
If \(\varPhi \bigl ( \varPsi _{f}^{\left\lfloor \kappa \right\rfloor } (f) \bigr ) \sqsubseteq f\), then Lemma 2 tells us that \(\varPsi _{f}^{\left\lfloor \kappa \right\rfloor } (f)\) is Park inductive and thereby an upper bound on \({\textsf {{lfp}}}~\varPhi \). Since iterating \(\varPsi _{f}\) on f yields a descending iteration sequence (see Lemma 1(b)), \(\varPsi _{f}^{\left\lfloor k \right\rfloor } (f)\) is below f and therefore f is also an upper bound on \({\textsf {{lfp}}}~\varPhi \). Put in more traditional terms, we have shown that \(\varPsi _{f}^{\left\lfloor \kappa \right\rfloor }(f)\) is an inductive invariant stronger than \(f\). Formulated as a proof rule, we obtain the following induction principle:
Theorem 2
(\(\boldsymbol{\kappa }\)Induction). Let \(f\in E\) and let \(\kappa \) be an ordinal. Then
Proof
Following the argument above, for details see [8, Appx. A.2]. \(\square \)
An illustration of \(\kappa \)induction is shown in (the right frame of) Fig. 1. For every ordinal \(\kappa \), if \(\varPhi (\varPsi _{f}^{\left\lfloor \kappa \right\rfloor }(f))\sqsubseteq f\), then we call \(f\) \((\kappa {+}1)\)inductive (for \(\varPhi \)). In particular, \(\kappa \)induction generalizes Park induction, in the sense that 1induction is Park induction and, \((\kappa > 1)\)induction is a more general principle of induction.
Algorithm 1 depicts a (semi)algorithm that performs latticed kinduction (for \(k < \omega \)) in order to prove \({\textsf {{lfp}}}~\varPhi \sqsubseteq f\) by iteratively increasing k. For implementing this algorithm, we require, of course, that both \(\varPhi \) and \(\varPsi _{f}\) are computable and that \(\sqsubseteq \) is decidable. Notice that the loop (lines 2–3) never terminates if \(f\sqsubset \varPhi \left( f \right) \)—a condition that can easily be checked before entering the loop. Even with this optimization, however, Algorithm 1 is a proper semialgorithm: even if \({\textsf {{lfp}}}~\varPhi \sqsubseteq f\), then \(f\) is still not guaranteed to be kinductive for some \(k < \omega \). And even if an algorithm could somehow perform transfinitely many iterations, then \(f\) is still not guaranteed to be \(\kappa \)inductive for some ordinal \(\kappa \):
Counterexample 1
(Incompleteness of \(\boldsymbol{\kappa }\)Induction). Consider the carrier set \(\{0, 1, 2\}\), partial order \(0 \sqsubset 1 \sqsubset 2\), and the monotonic operator \(\varPhi \) with \(\varPhi (0) = 0 = {\textsf {{lfp}}}~\varPhi \), and \(\varPhi (1) = 2\), and \(\varPhi (2) = 2 = {\textsf {{gfp}}}~\varPhi \). Then \({\textsf {{lfp}}}~\varPhi \sqsubseteq 1\), but for any ordinal \(\kappa \), \(\varPsi _{1}^{\left\lfloor \kappa \right\rfloor }(1) = 1\) and \(\varPhi (1) = 2 \not \sqsubseteq 1\). Hence 1 is not \(\kappa \)inductive.
Despite its incompleteness, we now provide a sufficient criterion which ensures that every upper bound on \({\textsf {{lfp}}}~\varPhi \) is \(\kappa \)inductive for some ordinal \(\kappa \).
Theorem 3
(Completeness of \(\boldsymbol{\kappa }\)Induction for Unique Fixed Point). If \({\textsf {{lfp}}}~\varPhi = {\textsf {{gfp}}}~\varPhi \) (i.e. \(\varPhi \) has exactly one fixed point), then, for every \(f\in E\),
Proof
By the KnasterTarski theorem, we have \(\varPhi ^{\left\lfloor \beta \right\rfloor }(\top ) = {\textsf {{gfp}}}~\varPhi \) for some ordinal \(\beta \). We then show that \(f\) is \((\beta {+}1)\)inductive; see [8, Appx A.3] for details.
\(\square \)
The proof of the above theorem immediately yields that, if the unique fixed point can be reached through finite fixed point iterations starting at \(\top \), then \(f\) is kinductive for some natural number k; Algorithm 1 thus eventually terminates.
Corollary 1
If \(\varPhi ^{\left\lfloor n \right\rfloor }\left( \top \right) = {\textsf {{lfp}}}~\varPhi \) for some \(n \in \mathbb {N} \), then, for every \(f\in E\),
4 Latticed vs. Classical kInduction
We show that our purely latticetheoretic \(\kappa \)induction from Sect. 3 generalizes classical kinduction for hardware and software verification. To this end, we first recap how kinduction is typically formalized in the literature [10, 23, 29, 37]: Let \(\text {TS} = (S,\, I, T)\) be a transition system, where \(S \) is a (countable) set of states, \(I \subseteq S \) is a nonempty set of initial states, and \(T \subseteq S \times S \) is a transition relation. As in the seminal work on kinduction [65], we require that \(T \) is a total relation, i.e., every state has at least one successor. This requirement is sometimes overlooked in the literature, which renders the classical SATbased formulation of kinduction ((1a) and (1b) below) unsound in general.
Our goal is to verify that a given invariant property \(P \subseteq S \) covers all states reachable in \(\text {TS} \) from some initial state. Suppose that \(I \), \(T \) and \(P \) are characterized by logical formulae \(I (s)\), \(T (s,s')\) and \(P (s)\) (over the free variables s and \(s'\)), respectively. Then, achieving the above goal with classical kinduction amounts to proving the validity of
Here, the base case (1a) asserts that \(P \) holds for all states reachable within k transition steps from some initial state; the induction step (1b) formalizes that \(P \) is closed under taking up to k transition steps, i.e., if we start in \(P \) and stay in \(P \) for up to k steps, then we also end up in \(P \) after taking the \((k{+}1)\)st step. If both (1a) and (1b) are valid, then classical kinduction tells us that the property \(P \) holds for all reachable states of \(\text {TS} \). How is the above principle reflected in latticed kinduction (cf. Sect. 3)? For that, we choose the complete lattice \((2^S,\, \subseteq )\), where \(2^S\) denotes the powerset of \(S \); the least element is \(\bot = \emptyset \) and the meet operation is standard intersection \(\cap \).
Moreover, we define a monotonic operator \(\varPhi \) whose least fixed point precisely characterizes the set of reachable states of the transition system \(\text {TS} \):
That is, \(\varPhi \) maps any given set of states \(F \subseteq S \) to the union of the initial states I and of those states \({\textsf {Succs}} (F)\) that are reachable from F using a single transition.^{Footnote 3}
Using the \(\kappa \)induction operator constructed from \(\varPhi \) and \(P \) according to Definition 1, the principle of \(\kappa \)induction (cf. Theorem 2) then tells us that
For our above choices, the premise of \(\kappa \)induction equals the classical formalization of kinduction—formulae (1a) and (1b)—because the set of initial states \(I \) is “baked into” the operator \(\varPhi \). More concretely, for the base case (1a), we have
In other words, formula (1a) captures those states that are reachable from \(I \) via at most k transitions. If we assume that (1a) is valid, then \(P \) contains all initial states and formula (1b) coincides with the premise of \(\kappa \)induction:
It follows that, when considering transition systems, our (latticed) \(\kappa \)induction is equivalent to the classical notion of kinduction for \(\kappa < \omega \):
Theorem 4
For every natural number \(k \ge 1\),
5 Latticed Bounded Model Checking
We complement \(\kappa \)induction with a latticed analog of bounded model checking [11, 12] for refuting that \({\textsf {{lfp}}}~\varPhi \sqsubseteq f\). In latticetheoretic terms, bounded model checking amounts to a fixed point iteration of \(\varPhi \) on \(\bot \) while continually checking whether the iteration exceeds our candidate upper bound \(f\). If so, then we have indeed refuted \({\textsf {{lfp}}}~\varPhi \sqsubseteq f\):
Theorem 5
(Soundness of Latticed BMC). Let \(f\in E\). Then
Furthermore, if we were actually able to perform transfinite iterations of \(\varPhi \) on \(\bot \), then latticed bounded model checking is also complete: If \(f\) is in fact not an upper bound on \({\textsf {{lfp}}}~\varPhi \), this will be witnessed at some ordinal:
Theorem 6
(Completeness of Latticed BMC). Let \(f\in E\). Then
More practically relevant, if \(\varPhi \) is continuous (which is the case for Bellman operators characterizing reachability probabilities in Markov chains), then a simple finite fixed point iteration, see Algorithm 2, is sound and complete for refutation:
Corollary 2
(Latticed BMC for Continuous Operators). Let \(f\in E\) and let \(\varPhi \) be continuous. Then
6 Probabilistic Programs
In the remainder of this article, we employ latticed kinduction and BMC to verify imperative programs with access to discrete probabilistic choices—branching on the outcomes of coin flips. In this section, we briefly recap the necessary background on formal reasoning about probabilistic programs (cf. [44, 49] for details).
6.1 The Probabilistic Guarded Command Language
Syntax. Programs in the probabilistic guarded command language \({\textsf {{pGCL}}} \) adhere to the grammar in Fig. 2a. The semantics of most statements is standard. In particular, the probabilistic choice \(\left\{ \, {C_1} \,\right\} \mathrel {\left[ \,p\,\right] }\left\{ \, {C_2} \,\right\} \) flips a coin with bias \(p \in [0,1] \cap \mathbb {Q} \). If the coin yields heads, it executes \(C_1\); otherwise, \(C_2\). In addition to the syntax in Fig. 2, we admit standard expressions that are definable as syntactic sugar, e.g., \(\mathsf {true}\), \(\mathsf {false}\), \(\varphi _1 \vee \varphi _2\), \(e_1 = e_2\), \(e_1 \le e_2\), etc.
Program States. A program state \(\sigma \) maps every variable in \(\mathsf {Vars} \) to its value, i.e., a natural number in \(\mathbb {N} \).^{Footnote 4} To ensure that the set of program states \(\varSigma \) remains countable^{Footnote 5}, we restrict ourselves to states in which only finitely many variables—those that appear in a given program—evaluate to nonzero values. Formally,
The evaluation of expressions \(e\) and guards \(\varphi \) under a state \(\sigma \), denoted by \(e(\sigma )\) and \(\varphi (\sigma )\), is standard. For example, we define the evaluation of “monus” as
6.2 Weakest Preexpectations
Expectations. An expectation \(f:\varSigma \rightarrow \mathbb {R}_{\ge 0}^\infty \) is a map from program states to the nonnegative reals extended by infinity. We denote by \(\mathbb {E}\) the set of all expectations. Moreover, \((\mathbb {E},\, \preceq )\) forms a complete lattice, where the partial order \(\preceq \) is given by the pointwise application of the canonical ordering \(\le \) on \(\mathbb {R}_{\ge 0}^\infty \), i.e.,
To conveniently describe expectations evaluating to some \(r \in \mathbb {R}_{\ge 0}^\infty \) for every state, we slightly abuse notation and denote by \(r \) the constant expectation . Similarly, given an arithmetic expression \(e\), we denote by \(e\) the expectation . The least element of \((\mathbb {E},\, \preceq )\) is 0 and the greatest element is \(\infty \). We employ the Iverson bracket notation to cast Boolean expressions into expectations, i.e.,
The weakest preexpectation transformer \(\textsf {{wp}}:{\textsf {{pGCL}}} \rightarrow (\mathbb {E}\rightarrow \mathbb {E})\) is defined in Table 1, where denotes the substitution of variable x by expression \(e\), i.e.,
We call \(\textsf {{wp}}\llbracket C\rrbracket \left( g\right) \) the weakest preexpectation of program \(C\) w.r.t. postexpectation \(g\). The weakest preexpectation \(\textsf {{wp}}\llbracket C\rrbracket \left( g\right) \) is itself an expectation of type \(\mathbb {E}\), which maps each initial state \(\sigma \) to the expected value of \(g\) after running \(C\) on \(\sigma \). More formally, if \(\mu _C^\sigma \) is the distribution over final states obtained by executing \(C\) on initial state \(\sigma \), then for any postexpectation \(g\) [44],
For a gentle introduction to weakest preexpectations, see [38, Chap. 2 and 4].
7 BMC and kInduction for Probabilistic Programs
We now instantiate latticed \(\kappa \)induction and BMC (as developed in Sects. 2 to 5) to enable verification of loops written in \({\textsf {{pGCL}}} \); we discuss practical aspects later in Sects. 7.1 to 7.3 and Sect. 8. For the next two sections, we fix a loop
For simplicity, we assume that the loop body \(C\) is loopfree (every probabilistic program can be rewritten as a single while loop with loopfree body [62]).
Given an expectation \(g\in \mathbb {E}\) and a candidate upper bound \(f\in \mathbb {E}\) on the expected value of \(g\) after executing \(C_{\text {loop}}\) (i.e. \(\textsf {{wp}}\llbracket C_{\text {loop}}\rrbracket \left( g\right) \)), we will apply latticed verification techniques to check whether \(f\) indeed upperbounds \(\textsf {{wp}}\llbracket C_{\text {loop}}\rrbracket \left( g\right) \).
To this end, we denote by \(\varPhi \) the characteristic functional of \(C_{\text {loop}}\) and \(g\), i.e.,
whose least fixed point defines \(\textsf {{wp}}\llbracket C_{\text {loop}}\rrbracket \left( g\right) \) (cf. Table 1). We remark that \(\varPhi \) is a monotonic—and in fact even continuous—operator over the complete lattice \((\mathbb {E}, \, \preceq )\) (cf. Sect. 6.2). In this lattice, the meet is a pointwise minimum, i.e.,
By Definition 1, \(\varPhi \) and \(g\) then induce the (continuous) \(\kappa \)induction operator
With this setup, we obtain the following proof rule for reasoning about probabilistic loops as an immediate consequence of Theorem 2:
Corollary 3
(\(\boldsymbol{k}\)Induction for ). For every natural number \(k \in \mathbb {N} \),
Analogously, refuting that \(f\) upperbounds the expected value of \(g\) after execution of \(C_{\text {loop}}\) via bounded model checking is an instance of Corollary 2:
Corollary 4
(Bounded Model Checking for ).
Example 2 (Geometric Loop)
The \({\textsf {{pGCL}}} \) program
keeps flipping a fair coin x until it flips heads, sets x to 0, and terminates. Whenever it flips tails instead, it increments the counter c and continues. We refer to \(C_{\text {geo}}\) as the “geometric loop” because after its execution, the counter variable c is distributed according to a geometric distribution.
What is a (preferably small) upper bound on the expected value \(\textsf {{wp}}\llbracket C_{\text {geo}}\rrbracket \left( c\right) \) of c after execution of \(C_{\text {geo}}\)? Using 2induction, we can (automatically) verify that \(c+1\) is indeed an upper bound: Since \(\varPhi \left( \varPsi _{c+1}(c+1) \right) \preceq c+1\), where \(\varPhi \) denotes the characteristic functional of \(C_{\text {geo}}\), Corollary 3 yields \(\textsf {{wp}}\llbracket C_{\text {geo}}\rrbracket \left( c\right) \preceq c + 1\).
However, \(c+1\) cannot be proven an upper bound using Park induction as it is not inductive. Moreover, it is indeed the least upper bound, i.e., any smaller bound is refutable using BMC (cf. Corollary 4). For example, we have \(\textsf {{wp}}\llbracket C_{\text {geo}}\rrbracket \left( c\right) \not \preceq c + 0.99\), since . Finally, we remark that some correct upper bounds only become \(\kappa \)inductive for transfinite ordinals \(\kappa \). For instance, the innocuouslooking bound \(2 \cdot c + 1\) is not kinductive for any natural number k, but it is \((\omega +1)\)inductive, since \(\varPhi \bigl (\varPsi _{2\cdot c+1}^{\left\lfloor \omega \right\rfloor }(2 \cdot c+1) \bigr ) \preceq 2\cdot c+1\).
In principle, we can semidecide whether \(\textsf {{wp}}\llbracket C_{\text {loop}}\rrbracket \left( g\right) \not \preceq f\) holds or whether \(f\) is kinductive for some k: it suffices to run Algorithms 1 and 2 in parallel. However, for these two algorithms to actually be semidecision procedures, we cannot admit arbitrary expectations. Rather, we restrict ourselves to a suitable subset \(\mathsf {Exp} \) of expectations in \(\mathbb {E}\) satisfying all of the following requirements:

1.
\(\mathsf {Exp} \) is closed under computing the characteristic functional \(\varPhi \), i.e.,
$$\begin{aligned} \forall \, h\in \mathsf {Exp} :\quad \varPhi \left( h \right) ~\text {is computable and belongs to } \mathsf {Exp}. \end{aligned}$$ 
2.
Quantitative entailments between expectations in \(\mathsf {Exp} \) are decidable, i.e.,
$$\begin{aligned} \forall \, h, h' \in \mathsf {Exp} :\quad \text {it is decidable whether}~h~{}\preceq {}~h'. \end{aligned}$$ 
3.
(For kinduction) \(\mathsf {Exp} \) is closed under computing meets, i.e.,
$$\begin{aligned} \forall \, h, h' \in \mathsf {Exp} :\quad h\mathrel {\mathsf {min}} h'~\text {is computable and belongs to}~\mathsf {Exp}. \end{aligned}$$
Below, we show that linear expectations meet all of the above requirements.
7.1 Linear Expectations
Recall from Fig. 2b that we assume all expressions appearing in \({\textsf {{pGCL}}} \) programs to be linear. For our fragment of syntactic expectations, we consider extended linear expressions \(\tilde{e}\) that (1) are defined over rationals instead of natural numbers and (2) admit \(\infty \) as a constant (but not as a subexpression). Formally, the set of extended linear expressions is given by the following grammar:
Similarly, we admit extended linear expressions (without \(\infty \)) in linear guards \(\varphi \).^{Footnote 6} With these adjustments to expressions and guards in mind, the set \(\mathsf {LinExp} \) of linear expectations is defined by the grammar
We write \(h= h'\) if \(h\) and \(h'\) are ; and \(h\equiv h'\) if they are , i.e., if for all states \(\sigma \), we have \(h(\sigma ) = h'(\sigma )\).
Furthermore, the rescaling \(c \cdot h\) of a linear expectation \(h\) by a constant \(c \in \mathbb {Q}_{\ge 0}\) is syntactic sugar for rescaling suitable^{Footnote 7} arithmetic subexpressions of \(h\), e.g.,
A formal definition of the rescaling \(c \cdot h\) is found in [8, Appx A.5].
If we choose a linear expectation \(h\) as a postexpectation, then a quick inspection of Table 1 reveals that the weakest preexpectation \(\textsf {{wp}}\llbracket C\rrbracket \left( h\right) \) of any loopfree \({\textsf {{pGCL}}} \) program \(C\) and \(h\) yields a linear expectation again. Hence, linear expectations are closed under applying \(\varPhi \)— Requirement 1 above—because
7.2 Deciding Quantitative Entailments Between Linear Expectations
To prove that linear expectations meet Requirement 2—decidability of quantitative entailments—we effectively reduce the question of whether an entailment \(h\preceq h'\) holds to the decidable satisfiability problem for QF_LIRA—quantifierfree mixed linear integer and real arithmetic (cf. [42]).
As a first step, we show that every linear expectation can be represented as a sum of mutually exclusive extended arithmetic expressions—a representation we refer to as the guarded normal form (similar to [41, Lem. 1], [9, Lem. A.2]).
Definition 2 (Guarded Normal Form (GNF))
\(h\in \mathsf {LinExp} \) is in GNF if
where \(\tilde{e}_1,\ldots ,\tilde{e}_n\) are extended linear expressions, \(n \in \mathbb {N} \) is some natural number, and \(\varphi _1, \ldots , \varphi _n\) are linear Boolean expressions that partition the set of states, i.e., for each \(\sigma \in \varSigma \) there exists exactly one \(i \in \{1,\ldots ,n\}\) such that \(\varphi _i (\sigma ) = \mathsf {true}\).
Lemma 3
Every linear expectation \(h\in \mathsf {LinExp} \) can effectively be transformed into an equivalent linear expectation \(\mathsf {GNF} \left( h\right) \equiv h\) in guarded normal form.
The number of summands \(\mathsf {GNF} \left( h\right) \) in \(\mathsf {GNF} \left( h\right) \) is, in general, exponential in the number of summands in \(h\). In practice, however, this exponential blowup can often be mitigated by pruning summands with unsatisfiable guards. Throughout the remainder of this paper, we denote the components of \(\mathsf {GNF} \left( h\right) \) and \(\mathsf {GNF} \left( h'\right) \), where \(h\) and \(h'\) are arbitrary linear expectations, as follows:
We now present a decision procedure for the quantitative entailment over \(\mathsf {LinExp} \).
Theorem 7
(Decidability of Quantitative Entailment over ). For \(h,h'\in \mathsf {LinExp} \), it is decidable whether \(h\preceq h'\) holds.
Proof
Let \(h,h'\in \mathsf {LinExp} \). By Lemma 3, we have \(h\preceq h'\) iff \(\mathsf {GNF} \left( h\right) \preceq \mathsf {GNF} \left( h'\right) \).
Let \(\sigma \) be some state. By definition of the GNF, \(\sigma \) satisfies exactly one guard \(\varphi _i\) and exactly one guard \(\psi _j\). Hence, the inequality \(\mathsf {GNF} \left( h\right) (\sigma ) \le \mathsf {GNF} \left( h'\right) (\sigma )\) does not hold iff \(\tilde{e}_i(\sigma ) > \tilde{a}_j(\sigma )\) holds for the expressions \(\tilde{e}_i\) and \(\tilde{a}_j\) guarded by \(\varphi _i\) and \(\psi _j\), respectively. Based on this observation, we construct a \(\textsf {QF\_LIRA} \) formula \(\textsf {cex}_{\preceq }\left( h , h' \right) \) that is unsatisfiable iff there is no counterexample to \(h\preceq h'\):
Here, we identify every program variable in \(h\) or \(h'\) with an \(\mathbb {N} \)valued SMT variable. Moreover, to account for comparisons with \(\infty \), we rely on the fact that our (extended) arithmetic expressions either evaluate to \(\infty \) for every state or never evaluate to \(\infty \). To deal with the case \(\tilde{e}_i > \infty \), which is always false, we can thus safely exclude cases in which \(\tilde{a}_j = \infty \) holds. To deal with the case \(\infty > \tilde{a}_j\), we represent \(\infty \) by some unbounded number, i.e., we introduce a fresh, unconstrained \(\mathbb {N} \)valued SMT variable \(\textsf {infty} \) and set \(\textsf {encodeInfty} \left( \tilde{e}\right) \) to \(\textsf {infty} \) if \(\tilde{e}= \infty \); otherwise, \(\textsf {encodeInfty} \left( \tilde{e}\right) = \tilde{e}\). Since \(\textsf {QF\_LIRA} \) is decidable (cf. [42]), we conclude that the quantitative entailment problem is decidable. \(\square \)
Since quantitative entailments are decidable, we can already conclude that, for linear expectations, Algorithm 2 is a semidecision procedure.
7.3 Computing Minima of Linear Expectations
To ensure that latticed kinduction on \({\textsf {{pGCL}}} \) programs (cf. Algorithm 1 and Sect. 7) is a semidecision procedure when considering linear expectations, we have to consider Requirement 3—the expressability and computability of meets:
Theorem 8
\(\mathsf {LinExp} \) is effectively closed under taking minima.
Proof
For \(k\in \mathbb {N} \), let \(\mathbf {k} {}\triangleq {}\{1,\ldots ,k\}\). Then, for two linear expectations \(h, h'\), the linear expectation \(\mathsf {GNF} \left( h\right) \mathrel {\mathsf {min}} \mathsf {GNF} \left( h'\right) \in \mathsf {LinExp} \) is given by:
where we exploit that, for every state, exactly one guard \(\varphi _i\) and exactly one guard \(\psi _j\) is satisfied (cf. Lemma 3). Notice that in the last case we indeed obtain a linear expectation since neither \(\tilde{e}\) nor \(\tilde{a}\) are equal to \(\infty \). \(\square \)
8 Implementation
We have implemented a prototype called \(\textsc {kipro2}\)—kInduction for PRObabilistic PROgrams—in Python 3.7 using the SMT solver Z3 [54] and the solverAPI PySMT [25]. Our tool, its source code, and our experiments are available online.^{Footnote 8} \(\textsc {kipro2}\) performs in parallel latticed kinduction and BMC to fully automatically verify upper bounds on expected values of \({\textsf {{pGCL}}} \) programs as described in Sect. 7. In addition to reasoning about expected values, \(\textsc {kipro2}\) supports verifying bounds on expected runtimes of \({\textsf {{pGCL}}} \) programs, which are characterized as least fixed points à la [40]. Rather than fixing a specific runtime model, we took inspiration from [56] and added a statement \({\texttt {tick}} \left( n \right) \) that does not affect the program state but consumes \(n \in \mathbb {N} \) time units.
To discharge quantitative entailments and compute the meet, we use the constructions in Theorems 7 and 8, respectively. As an additional optimization, we do not iteratively apply the kinduction operator \(\varPsi _{f}\) directly but use an incremental encoding. We briefly sketch our encoding for kinduction (Algorithm 2); the encoding for BMC is similar. In both cases, we employ uninterpreted functions on top of mixed integer and real arithmetic, i.e., \(\textsf {QF\_UFLIRA} \).
Recall Example 2, the geometric loop \(C_{\text {geo}}\), where we used kinduction to prove \(\textsf {{wp}}\llbracket C_{\text {geo}}\rrbracket \left( c\right) \preceq c + 1\). For every \(k \in \mathbb {N} \), \(\varPhi (\varPsi _{c+1}^{\left\lfloor k \right\rfloor }(c+1))\) is given by
To obtain an incremental encoding, we introduce an uninterpreted function \(P_k:\mathbb {N} \times \mathbb {N} \rightarrow \mathbb {R}_{\ge 0}\) and a formula \(\rho _{k}(c,x)\) specifying that \(P_k(c,x)\) characterizes \(\varPhi (\varPsi _{c+1}^{\left\lfloor k \right\rfloor }(c+1))\), i.e., for all \(\sigma \in \varSigma \) and \(r \in \mathbb {R}_{\ge 0}\) with \(\varPhi (\varPsi _{c+1}^{\left\lfloor k \right\rfloor }(c+1))(\sigma ) < \infty \),^{Footnote 9}
If \(\varPhi (\varPsi _{c+1}^{\left\lfloor k \right\rfloor }(c+1))(\sigma ) = \infty \), our construction of \(\rho _{k}(x,c)\) ensures that the above conjunction is satisfiable for arbitrarily large r. Analogously, we introduce an uninterpreted function \(Q_k:\mathbb {N} \times \mathbb {N} \rightarrow \mathbb {R}_{\ge 0}\) that characterizes \(\varPsi _{c+1}^{\left\lfloor k \right\rfloor }(c+1)\).
In particular, may use all uninterpreted functions introduced for smaller or equal values of k—not just the function \(P_k(c,x)\) it needs to characterize. This enables an incremental encoding, i.e., \(\rho _{k}(c,x)\) can be computed on top of \(\rho _{k1}(c,x)\) by reusing \(P_{k1}(c,x)\), \(Q_k(c,x)\), and the construction in Theorem 8.
Moreover, we can reuse \(\rho _{k}(c,x)\) to avoid computing the (expensive) GNF for deciding certain quantitative entailments (cf. Theorem 7): For example, to check whether \(\varPhi (\varPsi _{c+1}^{\left\lfloor k \right\rfloor }(c+1)) \not \preceq h'\) holds, we only need to transform the righthand side into GNF (cf. Sect. 7.2), i.e., if \(\mathsf {GNF} \left( h'\right) = \sum _{j=1}^{m} \left[ {\psi _j} \right] \cdot \tilde{a}_j\), then
9 Experiments
We evaluate \(\textsc {kipro2}\) on two sets of benchmarks. The first set, shown in Table 2, consists of four (infinitestate) probabilistic systems compiled from the literature; each benchmark is evaluated on multiple variants of candidate upper bounds:

(1)
brp is a \({\textsf {{pGCL}}} \) variant of the bounded retransmission protocol [19, 32]. The goal is to transmit \(\textit{toSend} \) many packages via an unreliable channel allowing for at most \(\textit{maxFail} \) many retransmissions per package (cf. Example 1). The variable \(\textit{totalFail} \) keeps track of the total number of failed attempts to send a package. We verified upper bounds on the expected outcome of \(\textit{totalFail} \) (variants 1–4). In doing so, we bound the number of packages to send by 4 (10, 20, 70) while keeping \(\textit{maxFail} \) unbounded, i.e., we still verify an infinitestate system. We notice that \(k > 1\) is required for proving any of the candidate bounds; for up to \(k = 11\), \(\textsc {kipro2}\) manages to prove nontrivial bounds within a few seconds. However, unsurprisingly, the complexity increases rapidly with larger k. While \(\textsc {kipro2}\) can prove variant 3, it needs to increase k to 23; we observe that the complexity grows rapidly both in terms of the size of formulae and in terms of runtime with increased k. Furthermore, variants 5–7 correspond to (increasing) incorrect candidate bounds (\(\textit{totalFail} +1\), \(\textit{totalFail} +1.5\), \(\textit{totalFail} +3\)) that are refuted (or time out) when not imposing any restriction on \(\textit{toSend} \).

(2)
geo corresponds to the geometric loop from Example 2. We verify that \(c+1\) upperbounds the expected value of c for every initial state (variant 1); we refute the incorrect candidates \(c+0.99\) and \(c+0.999999999999\) (variants 2–3).

(3)
rabin is a variant of Rabin’s mutual exclusion algorithm [46] taken from [34]. We aim to verify that the probability of obtaining a unique winning process is at most \(\nicefrac {2}{3}\) for at most 2 (3, 4) participants (variants 1–3) and refute both \(\nicefrac {1}{3}\) (variant 4) and \(\nicefrac {3}{5}\) (variant 5) for an unbounded number of participants.

(4)
implements the algorithm in [48] for generating a discrete uniform distribution over some interval \(\{ \textit{l}, \ldots ,\textit{l}+\textit{n}1 \}\) using only fair coin flips. We aim to verify that \(\nicefrac {1}{n}\) upperbounds the probability of sampling a particular element from any such interval of size at most \(n=2\) (3, 4, 5, 6) (variants 1–5).
Our second set of benchmarks, shown in Table 3, confirms the correctness of (1inductive) bounds on the expected runtime of \({\textsf {{pGCL}}} \) programs synthesized by the runtime analyzers Absynth [56] and (later) KoAT [52]; this gives a baseline for evaluating the performance of our implementation. Moreover, it demonstrates the flexibility of our approach as we effortlessly apply the expected runtime calculus [40] instead of the weakest preexpectation calculus for verification.
Setup. We ran Algorithms 1 and 2 in parallel using an AMD Ryzen 5 3600X processor with a shared memory limit of 8GB and a 15minute timeout. For every benchmark finishing within the time limit, \(\textsc {kipro2}\) either finds the smallest k required to prove the candidate bound by kinduction or the smallest unrolling depth k to refute it. If \(\textsc {kipro2}\) refutes, the SMT solver provides a concrete initial state witnessing that violation. In Tables 2 and 3, column #formulae gives the maximal number of conjuncts on the solver stack; formulae_t, sat_t, and total_t give the amount of time spent on (1) computing formulae, (2) satisfiability checking, and (3) everything (including preprocessing), respectively. The input consists of a program, a candidate upper bound, and a postexpectation; in Table 3, the latter is fixed to “postruntime” 0 and thus omitted.
Evaluation of Benchmark Set 1. Table 2 empirically underlines that probabilistic program verification can benefit from kinduction to the same extent as classical software verification: \(\textsc {kipro2}\) fully automatically verifies relevant properties of infinitestate randomized algorithms and stochastic processes from the literature that require k to be strictly larger than 1. That is, proving these properties using (1)inductive invariants requires either nontrivial invariant synthesis or additional user annotations. This indicates that kinduction mitigates the need for complicated specifications in probabilistic program verification (cf. [40]).
We observe that kinduction tends to succeed if some variable is bounded in the candidate upper bound under consideration (cf. brp, rabin, ). However, kinduction can also succeed without any bounds (cf. geo). The time and formulae required for checking kinductivity increases rapidly for larger k; this is particularly striking for rabin and . When refuting candidate bounds with BMC, we obtain a similar picture. Both the time and formulae required for refutation increase if the candidate bound increases (cf. brp, geo, rabin).
For both kinduction and BMC, we observe a direct correlation between the complexity of the loop, i.e., the number of possible traces through the loop from some fixed initial state after some bounded number of iterations, and the required time and space (number of formulae). Whereas for geo and brp—which exhibit a rather simple structure—these checks tend to be fast, this is not the case for rabin and , which have more complex loop bodies. For such complex loops, kinduction and BMC quickly become infeasible as k increases.
Evaluation of Benchmark Set 2. From Table 3, we observe that—in almost every case—verification is instantaneous and requires very few formulae. The programs we verify are equivalent to the programs provided in [56] up to interpreting minus as monus and using \(\mathbb {N} \)typed (instead of \(\mathbb {Z} \)) variables. A manual inspection reveals that this matters for and rdwalk, which is the reason why the runtime bound for is 3inductive rather than 1inductive.
There are two timeouts (2drwalk, ) due to the GNF construction from Lemma 3, which exhibits a runtime exponential in the number of possible execution branches through the loop body. We conjecture that further preprocessing (by pruning infeasible branches upfront) can mitigate this, rendering 2drwalk and tractable as well. We consider a thorough investigation of suitable preprocessing strategies for GNF construction, which is outside the scope of this paper, a worthwhile direction for future research.
10 Conclusion
We presented \(\kappa \)induction, a generalization of classical kinduction to arbitrary complete lattices, and—together with a complementary bounded model checking approach—obtained a fully automated technique for verifying infinitestate probabilistic programs. Experiments showed that this technique can prove nontrivial properties in an automated manner that using existing techniques cannot be proven—at least not without synthesizing a stronger inductive invariant. If a given candidate bound is kinductive for some k, then our prototypical tool will find that k for linear programs and linear expectations. In theory, our tool is also applicable to nonlinear programs at the expense of an undecidability quantitative entailment problem. It is left for future work to consider (positive) realvalued program variables for nonlinear expectations.
Notes
 1.
We use lowercase greek letters \(\alpha \), \(\beta \), \(\gamma \), \(\delta \), etc. to denote arbitrary (possibly transfinite) ordinals and i, j, k, m, n, etc. to denote natural (finite) numbers in \(\mathbb {N} \).
 2.
To ensure welldefinedness of transfinite iterations, we fix an ambient ordinal \(\nu \) and tacitly assume \(\delta < \nu \) for all ordinals \(\delta \) considered throughout this paper. Formally, \(\nu \) is the smallest ordinal such that \(\nu  > E\). Intuitively, \(\nu \) then upperbounds the length of any repetitionfree sequence over elements of \(E\).
 3.
Formally, .
 4.
We prefer unsigned integers because our quantitative “specifications” (aka expectations) must evaluate to nonnegative numbers. Otherwise, expectations like \(x+y\) are not welldefined, and, as a remedy, we would frequently have to take the absolute value of every program variable. Restricting ourselves to unsigned variables does not decrease expressive power as signed variables can be emulated (cf. [9, Sec. 11.2]).
 5.
In order to avoid any technical issues pertaining to measurability.
 6.
We do not admit \(\infty \) in guards for convenience. In principle, all comparisons with \(\infty \) in guards can be removed by a simple preprocessing step.
 7.
We do not rescale every subexpression to account for the corner cases \(c \cdot \infty = \infty \) and \(0 \cdot \infty = 0\).
 8.
 9.
Notice that we do not axiomatize in \(\rho _{k}(c,x)\) that \(\varPhi (\varPsi _{c+1}^{\left\lfloor k \right\rfloor }(c+1))\) and \(P_k(c,x)\) are the same function because we have no access to universal quantifiers. Rather, we specify that both functions coincide for any fixed concrete values assigned to c and x. This weaker notion is not robust against formal modifications of the parameters, e.g., through substitution. For example, to assign the correct interpretation to , we have to construct a (second) formula .
References
Abramsky, Jung: Domain theory. In: Handbook of Logic in Computer Science, vol. 3 (1994)
Agrawal, Chatterjee, Novotný: Lexicographic ranking supermartingales. PACMPL 2(POPL) (2018)
Amtoft, Banerjee: A theory of slicing for imperative probabilistic programs. TOPLAS 42(2) (2020)
Baier, C., Klein, J., Leuschner, L., Parker, D., Wunderlich, S.: Ensuring the reliability of your model checker: interval iteration for Markov decision processes. In: Majumdar, R., Kunčak, V. (eds.) CAV 2017. LNCS, vol. 10426, pp. 160–180. Springer, Cham (2017). https://doi.org/10.1007/9783319633879_8
Baldan, et al.: Fixpoint theory  upside down. In: FoSSaCS (2021)
Barthe, G., Espitau, T., Ferrer Fioriti, L.M., Hsu, J.: Synthesizing probabilistic invariants via Doob’s decomposition. In: Chaudhuri, S., Farzan, A. (eds.) CAV 2016. LNCS, vol. 9779, pp. 43–61. Springer, Cham (2016). https://doi.org/10.1007/9783319415284_3
Batz, K., Junges, S., Kaminski, B.L., Katoen, J.P., Matheja, C., Schröer, P.: PrIC3: property directed reachability for MDPs. In: Lahiri, S.K., Wang, C. (eds.) CAV 2020. LNCS, vol. 12225, pp. 512–538. Springer, Cham (2020). https://doi.org/10.1007/9783030532918_27
Batz, et al.: Latticed kinduction with an application to probabilistic programs (extended version). arXiv (2021)
Batz, et al.: Relatively complete verification of probabilistic programs. PACMPL 5(POPL) (2021)
Beyer, D., Dangl, M., Wendler, P.: Boosting kinduction with continuouslyrefined invariants. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206, pp. 622–640. Springer, Cham (2015). https://doi.org/10.1007/9783319216904_42
Biere: Bounded model checking. In: Handbook of Satisfiability (2009)
Biere, A., Cimatti, A., Clarke, E., Zhu, Y.: Symbolic model checking without BDDs. In: Cleaveland, W.R. (ed.) TACAS 1999. LNCS, vol. 1579, pp. 193–207. Springer, Heidelberg (1999). https://doi.org/10.1007/3540490590_14
Biere, A., Clarke, E., Raimi, R., Zhu, Y.: Verifying safety properties of a PowerPC – microprocessor using symbolic model checking without BDDs. In: Halbwachs, N., Peled, D. (eds.) CAV 1999. LNCS, vol. 1633, pp. 60–71. Springer, Heidelberg (1999). https://doi.org/10.1007/3540486836_8
Bradley, A.R.: SATbased model checking without unrolling. In: Jhala, R., Schmidt, D. (eds.) VMCAI 2011. LNCS, vol. 6538, pp. 70–87. Springer, Heidelberg (2011). https://doi.org/10.1007/9783642182754_7
Chadha, Viswanathan: A counterexampleguided abstractionrefinement framework for Markov decision processes. TOCL 12(1) (2010)
Chakarov, A., Sankaranarayanan, S.: Probabilistic program analysis with martingales. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 511–526. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642397998_34
Clarke, et al.: Bounded model checking using satisfiability solving. Formal Methods Syst. Des. 19(1) (2001)
Cousot, Cousot: Constructive versions of Tarski’s fixed point theorems. Pacific J. Math. 82(1) (1979)
D’Argenio, P.R., Jeannet, B., Jensen, H.E., Larsen, K.G.: Reachability analysis of probabilistic systems by successive refinements. In: de Alfaro, L., Gilmore, S. (eds.) PAPMPROBMIV 2001. LNCS, vol. 2165, pp. 39–56. Springer, Heidelberg (2001). https://doi.org/10.1007/3540448047_3
Déharbe, D., Moreira, A.M.: Using induction and BDDs to model check invariants. In: Advances in Hardware Design and Verification. IAICT, vol. 105, pp. 203–213. Springer, Boston, MA (1997). https://doi.org/10.1007/9780387351902_13
Donaldson, A.F., Kroening, D., Rümmer, P.: Automatic analysis of scratchpad memory code for heterogeneous multicore processors. In: Esparza, J., Majumdar, R. (eds.) TACAS 2010. LNCS, vol. 6015, pp. 280–295. Springer, Heidelberg (2010). https://doi.org/10.1007/9783642120022_24
Donaldson, Kroening, Rümmer: Automatic analysis of DMA races using model checking and kinduction. Formal Methods Syst. Des. 39(1) (2011)
Donaldson, A.F., Haller, L., Kroening, D., Rümmer, P.: Software verification using kinduction. In: Yahav, E. (ed.) SAS 2011. LNCS, vol. 6887, pp. 351–368. Springer, Heidelberg (2011). https://doi.org/10.1007/9783642237027_26
Feng, Y., Zhang, L., Jansen, D.N., Zhan, N., Xia, B.: Finding polynomial loop invariants for probabilistic programs. In: D’Souza, D., Narayan Kumar, K. (eds.) ATVA 2017. LNCS, vol. 10482, pp. 400–416. Springer, Cham (2017). https://doi.org/10.1007/9783319681672_26
Gario, Micheli: PySMT: a solveragnostic library for fast prototyping of SMTbased algorithms. In: SMT Workshop (2015)
Gehr, T., Misailovic, S., Vechev, M.: PSI: exact symbolic inference for probabilistic programs. In: Chaudhuri, S., Farzan, A. (eds.) CAV 2016. LNCS, vol. 9779, pp. 62–83. Springer, Cham (2016). https://doi.org/10.1007/9783319415284_4
Graf, S., Saidi, H.: Construction of abstract state graphs with PVS. In: Grumberg, O. (ed.) CAV 1997. LNCS, vol. 1254, pp. 72–83. Springer, Heidelberg (1997). https://doi.org/10.1007/3540631666_10
Gretz, Katoen: McIver: operational versus weakest preexpectation semantics for the probabilistic guarded command language. Perform. Eval. 73 (2014)
Gurfinkel, Ivrii: Kinduction without unrolling. In: FMCAD (2017)
Han, Katoen, Damman: Counterexample generation in probabilistic model checking. IEEE Trans. Softw. Eng. 35(2) (2009)
Hartmanns, A., Kaminski, B.L.: Optimistic value iteration. In: Lahiri, S.K., Wang, C. (eds.) CAV 2020. LNCS, vol. 12225, pp. 488–511. Springer, Cham (2020). https://doi.org/10.1007/9783030532918_26
Helmink, L., Sellink, M.P.A., Vaandrager, F.W.: Proofchecking a data link protocol. In: Barendregt, H., Nipkow, T. (eds.) TYPES 1993. LNCS, vol. 806, pp. 127–165. Springer, Heidelberg (1994). https://doi.org/10.1007/3540580859_75
Huang, Z., Wang, Z., Misailovic, S.: PSense: automatic sensitivity analysis for probabilistic programs. In: Lahiri, S.K., Wang, C. (eds.) ATVA 2018. LNCS, vol. 11138, pp. 387–403. Springer, Cham (2018). https://doi.org/10.1007/9783030010904_23
Hurd, McIver, Morgan: Probabilistic guarded commands mechanized in HOL. Theor. Comput. Sci. 346(1) (2005)
Jansen, N., Dehnert, C., Kaminski, B.L., Katoen, J.P., Westhofen, L.: Bounded model checking for probabilistic programs. In: Artho, C., Legay, A., Peled, D. (eds.) ATVA 2016. LNCS, vol. 9938, pp. 68–85. Springer, Cham (2016). https://doi.org/10.1007/9783319465203_5
Jhala, R., McMillan, K.L.: A practical and complete approach to predicate refinement. In: Hermanns, H., Palsberg, J. (eds.) TACAS 2006. LNCS, vol. 3920, pp. 459–473. Springer, Heidelberg (2006). https://doi.org/10.1007/11691372_33
Jovanović, Dutertre: Propertydirected kinduction. In: FMCAD (2016)
Kaminski: Advanced weakest precondition calculi for probabilistic programs. Ph.D. thesis, RWTH Aachen University, Germany (2019)
Kaminski, Katoen, Matheja: On the hardness of analyzing probabilistic programs. Acta Inform. 56(3) (2019)
Kaminski, et al.: Weakest precondition reasoning for expected runtimes of randomized algorithms. J. ACM 65(5) (2018)
Katoen, J.P., McIver, A.K., Meinicke, L.A., Morgan, C.C.: Linearinvariant generation for probabilistic programs: automated support for proofbased methods. In: Cousot, R., Martel, M. (eds.) SAS 2010. LNCS, vol. 6337, pp. 390–406. Springer, Heidelberg (2010). https://doi.org/10.1007/9783642157691_24
King, Barrett, Tinelli: Leveraging linear and mixed integer programming for SMT. In: SMT (2014)
Knaster: Un théorème sur les functions d’ensembles. Ann. Soc. Pol. Math. 6 (1928)
Kozen: A probabilistic PDL. J. Comput. Syst. Sci. 30(2) (1985)
Vediramana Krishnan, H.G., Vizel, Y., Ganesh, V., Gurfinkel, A.: Interpolating strong induction. In: Dillig, I., Tasiran, S. (eds.) CAV 2019. LNCS, vol. 11562, pp. 367–385. Springer, Cham (2019). https://doi.org/10.1007/9783030255435_21
Kushilevitz, Rabin: Randomized mutual exclusion algorithms revisited. In: PODC (1992)
Lassez, Nguyen, Sonenberg: Fixed point theorems and semantics. Inf. Process. Lett. 14(3) (1982)
Lumbroso: Optimal discrete uniform generation from coin flips, and applications. arXiv (2013)
McIver, Morgan: Abstraction, refinement and proof for probabilistic systems (2005)
McMillan, K.L.: Interpolation and SATbased model checking. In: Hunt, W.A., Somenzi, F. (eds.) CAV 2003. LNCS, vol. 2725, pp. 1–13. Springer, Heidelberg (2003). https://doi.org/10.1007/9783540450696_1
McMillan: An interpolating theorem prover. Theor. Comput. Sci. 345(1) (2005)
Meyer, Hark, Giesl: Inferring expected runtimes of probabilistic integer programs using expected sizes. In: TACAS (2021, to appear)
Milner: Communication and concurrency (1989)
de Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008). https://doi.org/10.1007/9783540788003_24
de Moura, L., Rueß, H., Sorea, M.: Bounded model checking and induction: from refutation to verification. In: Hunt, W.A., Somenzi, F. (eds.) CAV 2003. LNCS, vol. 2725, pp. 14–26. Springer, Heidelberg (2003). https://doi.org/10.1007/9783540450696_2
Ngo, Carbonneaux, Hoffmann: Bounded expectations: resource analysis for probabilistic programs. In: PLDI (2018)
Park: Fixpoint induction and proofs of program properties. Mach. Intell. 5 (1969)
Pous, D.: Complete lattices and upto techniques. In: Shao, Z. (ed.) APLAS 2007. LNCS, vol. 4807, pp. 351–366. Springer, Heidelberg (2007). https://doi.org/10.1007/9783540766377_24
Pous, Sangiorgi: Enhancements of the bisimulation proof method. In: Advanced Topics in Bisimulation and Coinduction, vol. 52 (2012)
Puterman: Markov Decision Processes (1994)
Quatmann, T., Katoen, J.P.: Sound value iteration. In: Chockler, H., Weissenbacher, G. (eds.) CAV 2018. LNCS, vol. 10981, pp. 643–661. Springer, Cham (2018). https://doi.org/10.1007/9783319961453_37
Rabehaja, Sanders: Refinement algebra with explicit probabilism. In: TASE (2009)
Rocha, W., Rocha, H., Ismail, H., Cordeiro, L., Fischer, B.: DepthK: a kinduction verifier based on invariant inference for C programs. In: Legay, A., Margaria, T. (eds.) TACAS 2017. LNCS, vol. 10206, pp. 360–364. Springer, Heidelberg (2017). https://doi.org/10.1007/9783662545805_23
Schüle, Schneider: Bounded model checking of infinite state systems. Formal Methods Syst. Des. 30(1) (2007)
Sheeran, M., Singh, S., Stålmarck, G.: Checking safety properties using induction and a SATsolver. In: Hunt, W.A., Johnson, S.D. (eds.) FMCAD 2000. LNCS, vol. 1954, pp. 127–144. Springer, Heidelberg (2000). https://doi.org/10.1007/354040922X_8
Tarski: A latticetheoretical fixpoint theorem and its applications. Pacific J. Math. 5(2) (1955)
Wang, Hoffmann, Reps: PMAF: an algebraic framework for static analysis of probabilistic programs. In: PLDI (2018)
Wimmer, R., Braitling, B., Becker, B.: Counterexample generation for discretetime Markov chains using bounded model checking. In: Jones, N.D., MüllerOlm, M. (eds.) VMCAI 2009. LNCS, vol. 5403, pp. 366–380. Springer, Heidelberg (2008). https://doi.org/10.1007/9783540939009_29
Acknowledgements
B. L. Kaminski thanks Larry Fischer for his linguistic advice.
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
Rights and permissions
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2021 The Author(s)
About this paper
Cite this paper
Batz, K., Chen, M., Kaminski, B.L., Katoen, JP., Matheja, C., Schröer, P. (2021). Latticed kInduction with an Application to Probabilistic Programs. In: Silva, A., Leino, K.R.M. (eds) Computer Aided Verification. CAV 2021. Lecture Notes in Computer Science(), vol 12760. Springer, Cham. https://doi.org/10.1007/9783030816889_25
Download citation
DOI: https://doi.org/10.1007/9783030816889_25
Published:
Publisher Name: Springer, Cham
Print ISBN: 9783030816872
Online ISBN: 9783030816889
eBook Packages: Computer ScienceComputer Science (R0)