Latticed k-Induction with an Application to Probabilistic Programs

Abstract. We revisit two well-established verification techniques, k-induction and bounded model checking (BMC), in the more general setting of fixed point theory over complete lattices. Our main theoretical contribution is latticed k-induction, which (i) generalizes classical k-induction for verifying transition systems, (ii) generalizes Park induction for bounding fixed points of monotonic maps on complete lattices, and (iii) extends from naturals k to transfinite ordinals κ, thus yielding κ-induction. The lattice-theoretic understanding of k-induction and BMC enables us to apply both techniques to the fully automatic verification of infinite-state probabilistic programs. Our prototypical implementation manages to automatically verify non-trivial specifications for probabilistic programs taken from the literature that, using existing techniques, cannot be verified without synthesizing a stronger inductive invariant first.


Introduction
Bounded model checking (BMC) [11,17] is a successful method for analyzing models of hardware and software systems. For checking a finite-state transition system (TS) against a safety property ("bad states are unreachable"), BMC unrolls the transition relation until it either finds a counterexample and hence refutes the property, or reaches a pre-computed completeness threshold on the unrolling depth and accepts the property as verified. For infinite-state systems, however, such completeness thresholds need not exist (cf. [65]), rendering BMC a refutation-only technique. To verify infinite-state systems, BMC is typically combined with the search for an inductive invariant, i.e., a superset of the reachable states which is closed under the transition relation. Proving a (not necessarily inductive) safety property then amounts to synthesizing a sufficiently strong, often complicated, inductive invariant that excludes the bad states. A plethora of techniques target computing or approximating inductive invariants, including IC3 [14], induction [20,12], interpolation [51,52], and predicate abstraction [27,37]. However, invariant synthesis may burden full automation, as it either relies on user-supplied annotations or confines push-button technologies to semi-decision or approximate procedures.
k-induction [66] generalizes the principle of simple induction (aka 1-induction) by considering k consecutive transition steps instead of only a single one. It is more powerful: an invariant can be k-inductive for some k > 1 but not 1-inductive. Following the seminal work of Sheeran et al. [66], which combines k-induction with SAT solving to check safety properties, k-induction has found a broad spectrum of applications in the realm of hardware [66,38,29,46] and software verification [21,22,23,64,9,56]. Its success is due to (1) being a foundational yet potent reasoning technique, and (2) integrating well with SAT/SMT solvers, as also pointed out in [46]: "the simplicity of applying k-induction made it the goto technique for SMT-based infinite-state model checking". This paper explores whether k-induction can have a similar impact on the fully automatic verification of infinite-state probabilistic programs. That is, we aim to verify that the expected value of a specified quantity (think: "quantitative postcondition") after the execution of a probabilistic program is bounded by a specified threshold.
Using our generalization of k-induction, we can fully automatically verify that the expected total number of failed transmissions is at most 1, if the number of packages we want to (successfully) send is at most 3. In terms of weakest preexpectations [45,50,39], this quantitative property states that wp⟦brp⟧(totalFail) is bounded from above by 1 on all initial states satisfying toSend ≤ 3. This bound is 4-inductive, but not 1-inductive; verifying the same bound using 1-induction requires finding a non-trivial, and far less perspicuous, inductive invariant. Moreover, if we consider an arbitrary number of packages to send, i.e., we drop [toSend ≤ 3], this bound becomes invalid. In this case, our BMC procedure produces a counterexample, i.e., values for toSend and maxFail, proving that the bound does not hold. ⊳

Lifting the classical formalization (and SAT encoding) of k-induction over TSs to the probabilistic setting is non-trivial. We encounter the following challenges:

(A) Quantitative reachability. In a TS, a state reachable within k steps remains reachable on increasing k. In contrast, reachability probabilities in Markov chains, a common operational model for probabilistic programs [28], may increase on increasing k. Hence, proving that the probability of reaching a bad state remains below a given threshold is more intricate than reasoning about qualitative reachability.
(B) Counterexamples are subsystems. In a TS, an acyclic path from an initial to a bad state suffices as a witness for refuting safety, i.e., non-reachability. SAT encodings of k-induction rely on this by expressing the absence of witnesses up to a certain path length. In the probabilistic setting, however, witnesses are no longer single paths [30]. Rather, a witness for the probability of reaching a bad state to exceed a threshold is a subsystem [15], i.e., a set of possibly cyclic paths.
(C) Symbolic encodings. To enable fully automated verification, we need a suitable encoding such that our lifting integrates well into SMT solvers. Verifying probabilistic programs involves reasoning about execution trees, where each (weighted) branch corresponds to a probabilistic choice. A suitable encoding needs to capture such trees, which requires more involved theories than encoding paths in classical k-induction.
We address challenges (A) and (B) by developing latticed k-induction, which is a proof technique in the rather general setting of fixed point theory over complete lattices. Latticed k-induction generalizes classical k-induction in three aspects: (1) it works with any monotonic map on a complete lattice instead of being confined to the transition relation of a transition system, (2) it generalizes the Park induction principle for bounding fixed points of such monotonic maps, and (3) it extends from natural numbers k to (possibly transfinite) ordinals κ, hence its short name: κ-induction.
It is this lattice-theoretic understanding that enables us to lift both k-induction and BMC to reasoning about quantitative properties of probabilistic programs. To enable automated reasoning, we address challenge (C) by an incremental SMT encoding based on the theory of quantifier-free mixed integer and real arithmetic with uninterpreted functions (QF_UFLIRA). We show how to effectively compute all needed operations for κ-induction using the SMT encoding and, in particular, how to decide quantitative entailments.
A prototypical implementation of our method demonstrates that κ-induction for (linear) probabilistic programs manages to automatically verify non-trivial specifications for programs taken from the literature which, using existing techniques, cannot be verified without synthesizing a stronger inductive invariant.

Related Work.
Besides the aforementioned related work on k-induction, we briefly discuss other automated analysis techniques for probabilistic systems and other approaches for bounding fixed points. Symbolic engines exist for exact inference [26] and sensitivity analysis [33]. Other automated approaches focus on bounding expected costs [57], termination analysis [16,2], and static analysis [68,3]. BMC has been applied in a rather rudimentary form to the on-the-fly verification of finite unfoldings of probabilistic programs [36], and the enumerative generation of counterexamples in finite Markov chains [69]. (Semi-)automated invariant-synthesis techniques can be found in [42,24,6]. A recent variant of IC3 for probabilistic programs called PrIC3 [7] is restricted to finite-state systems. When applied to finite-state Markov chains, our κ-induction operator is related to other operators that have been employed for determining reachability probabilities through value iteration [62,4,31]. In particular, when iterated on the candidate upper bound, the κ-induction operator coincides with the (upper value iteration) operator in interval iteration [4]; the latter operator can be used together with the up-to techniques (cf. [54,59,60]) to prove our κ-induction rule sound (in contrast, we give an elementary proof). However, the κ-induction operator avoids comparing current and previous iterations. It is thus easier to implement and more amenable to SMT solvers. Finally, the proof rules for bounding fixed points recently developed in [5] are restricted to finite-state systems.

Verification as a Fixed Point Problem
We start by recapping some fundamentals on fixed points of monotonic operators on complete lattices before we state our target verification problem.
Fundamentals. For the next three sections, we fix a complete lattice (E, ⊑), i.e., a carrier set E together with a partial order ⊑, such that every subset S ⊆ E has a greatest lower bound ⨅S (also called the meet of S) and a least upper bound ⨆S (also called the join of S). For just two elements {g, h} ⊆ E, we denote their meet by g ⊓ h and their join by g ⊔ h. Every complete lattice has a least and a greatest element, which we denote by ⊥ and ⊤, respectively.
If δ is a limit ordinal, then Φ^⌈δ⌉(g) can also be thought of as a limit, namely of iterating Φ on g. However, simply iterating Φ on g need not always converge, especially if the iteration does not yield an ascending chain. To remedy this, we take as limit the join over the whole (possibly transfinite) iteration sequence, i.e., the least upper bound over all elements that occur along the iteration. The lower δ-fold iteration Φ^⌊δ⌋(g) is defined analogously to Φ^⌈δ⌉(g), except that we take a meet instead of a join whenever δ is a limit ordinal. An important special case for fixed point iteration (see (†)) is when the operator Φ is Scott-continuous (or simply continuous), i.e., if

Φ(⨆{g₁ ⊑ g₂ ⊑ …}) = ⨆ Φ({g₁ ⊑ g₂ ⊑ …}) ,

where Φ is applied elementwise on the right-hand side. In this case, α in (†) coincides with the first infinite limit ordinal ω (which can be identified with the set ℕ of natural numbers). This fact is also known as the Kleene fixed point theorem [1].
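To make this iteration concrete on a finite instance, here is a minimal Python sketch (our own illustration, not part of the paper): for a continuous operator on the finite powerset lattice (2^S, ⊆), Kleene iteration from ⊥ = ∅ reaches lfp Φ after finitely many steps. The operator below maps a set of states of a made-up transition system to the initial states plus their one-step successors, so its least fixed point is the set of reachable states.

```python
# Kleene fixed-point iteration on the finite powerset lattice (2^S, ⊆).
# For a continuous (here even finite) operator, lfp Phi is reached by
# plain iteration on the least element ⊥ = ∅.

def lfp(phi, bottom):
    """Iterate phi on `bottom` until a fixed point is reached."""
    current = bottom
    while True:
        nxt = phi(current)
        if nxt == current:
            return current
        current = nxt

# Made-up example: reachable states of a tiny transition system.
I = frozenset({0})
T = {0: {1}, 1: {0}, 2: {3}, 3: {3}}  # total transition relation

def phi(F):
    succs = set().union(*(T[s] for s in F)) if F else set()
    return frozenset(I | succs)

print(lfp(phi, frozenset()))  # frozenset({0, 1}): the reachable states
```

The iteration ∅, {0}, {0, 1}, {0, 1}, … stabilizes after two steps, matching the Kleene characterization with α = ω collapsing to a finite index on a finite lattice.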
Problem statement. Fixed points are ubiquitous in computer science. Prime examples of properties that can be conveniently characterized as least fixed points include both the set of reachable states in a transition system and the function mapping each state in a Markov chain to the probability of reaching some goal state (cf. [61]). However, least and greatest fixed points are often difficult or even impossible [40] to compute; it is thus desirable to bound them.
For example, it may be sufficient to prove that a system modeled as a Markov chain reaches a bad state from its initial state with probability at most 10⁻⁶, instead of computing precise reachability probabilities for each state. Moreover, if said probability is not bounded by 10⁻⁶, we would like to witness that as well.
In general lattice-theoretic terms, our problem statement reads as follows: Given a complete lattice (E, ⊑), a monotonic operator Φ : E → E, and a candidate upper bound f ∈ E on lfp Φ, prove or refute that lfp Φ ⊑ f .
For proving, we will present latticed k-induction; for refuting, we will present latticed bounded model checking. Running both in parallel may (and under certain conditions: will) lead to a decision of the above problem.

Latticed k-Induction
In this section, we generalize the well-established k-induction verification technique [66,21,56,38,29,46] to latticed k-induction (for short: κ-induction; reads: "kappa induction"). With κ-induction, our aim is to prove that lfp Φ ⊑ f. To this end, we first attempt "ordinary" induction, also known as Park induction:

Theorem 1 (Park Induction [58]). Let f ∈ E. Then

Φ(f) ⊑ f  implies  lfp Φ ⊑ f .

Intuitively, this principle says: if pushing our candidate upper bound f through Φ takes us down in the partial order ⊑, we have verified that f is indeed an upper bound on lfp Φ. The true power of Park induction is that applying Φ once tells us something about iterating Φ possibly transfinitely often (see (†) in Section 2).

[Fig. 1: κ-induction and latticed BMC in case that lfp Φ ⊑ f. An arrow from g to h indicates g ⊑ h. The solid blue arrow from Φ(Ψ_f^⌊κ⌋(f)) to f is the premise of κ-induction, i.e., the LHS of Lemma 2, which implies the dash-dotted blue arrow from lfp Φ to f.]
Park induction, unfortunately, does not work in the reverse direction: if we are unlucky, f ⊒ lfp Φ is an upper bound on lfp Φ, but nevertheless Φ(f) ⋢ f. In this case, we say that f is not inductive. But how can we verify that f is indeed an upper bound in such a non-inductive scenario? We search below f for a different, but inductive, upper bound on lfp Φ, that is, we search for some h ⊑ f with Φ(h) ⊑ h. In order to perform a guided search for such an h, we introduce the κ-induction operator, a modified version of Φ that is parameterized by our candidate f:

Definition 1 (κ-Induction Operator). For f ∈ E, we call

Ψ_f : E → E,  Ψ_f(g) = f ⊓ Φ(g)

the κ-induction operator (with respect to f and Φ).
What does Ψ_f do? As illustrated in Figure 1, if Φ(f) ⋢ f (i.e., f is non-inductive), then "at least some part of Φ(f) is greater than f". If the whole of Φ(f) is greater than f, then f ⊏ Φ(f); if only some part of Φ(f) is greater and some is smaller than f, then f and Φ(f) are incomparable. The κ-induction operator Ψ_f now rectifies Φ(f) being (partly) greater than f by pulling Φ(f) down via the meet with f (i.e., via ⊓ f), so that the result is in no part greater than f. Applying Ψ_f to f hence always yields something below or equal to f. Together with the observation that Ψ_f is monotonic, iterating Ψ_f on f necessarily descends from f downwards in the direction of lfp Φ (and never below):

Lemma 1 (Properties of the κ-Induction Operator). Let f ∈ E and let Ψ_f be the κ-induction operator with respect to f and Φ. Then
(a) Ψ_f is monotonic, i.e., ∀ g₁, g₂ ∈ E : g₁ ⊑ g₂ implies Ψ_f(g₁) ⊑ Ψ_f(g₂);
(b) iterations of Ψ_f starting from f are descending, i.e., for all ordinals γ ≤ δ, Ψ_f^⌊δ⌋(f) ⊑ Ψ_f^⌊γ⌋(f);
(c) in particular, Ψ_f^⌊κ⌋(f) ⊑ f for every ordinal κ.

The descending iteration sequence f ⊒ Ψ_f(f) ⊒ Ψ_f^⌊2⌋(f) ⊒ … constitutes our guided search for an inductive upper bound on lfp Φ. For each ordinal κ (hence the short name: κ-induction), Ψ_f^⌊κ⌋(f) is a potential candidate for Park induction:

Φ(Ψ_f^⌊κ⌋(f)) ⊑ Ψ_f^⌊κ⌋(f) .  (‡)

For efficiency reasons, e.g., when offloading the above inequality check to an SMT solver, we will not check the inequality (‡) directly but a property equivalent to (‡), namely whether Φ(Ψ_f^⌊κ⌋(f)) ⊑ f:

Lemma 2. Let f ∈ E and let κ be an ordinal. Then Φ(Ψ_f^⌊κ⌋(f)) ⊑ f iff Φ(Ψ_f^⌊κ⌋(f)) ⊑ Ψ_f^⌊κ⌋(f).

Proof. The if-direction is trivial, as Ψ_f^⌊κ⌋(f) ⊑ f (Lemma 1(c)). For the only-if direction, suppose Φ(Ψ_f^⌊κ⌋(f)) ⊑ f. Then Φ(Ψ_f^⌊κ⌋(f)) = f ⊓ Φ(Ψ_f^⌊κ⌋(f)) = Ψ_f^⌊κ+1⌋(f) ⊑ Ψ_f^⌊κ⌋(f), where the last step is Lemma 1(b). ⊓⊔

Now suppose the premise of (‡) holds for some ordinal κ. Then Park induction yields that Ψ_f^⌊κ⌋(f) is inductive and thereby an upper bound on lfp Φ. Since iterating Ψ_f on f yields a descending iteration sequence (see Lemma 1(b)), Ψ_f^⌊κ⌋(f) is below f and therefore f is also an upper bound on lfp Φ. Put in more traditional terms, we have shown that Ψ_f^⌊κ⌋(f) is an inductive invariant stronger than f. Formulated as a proof rule, we obtain the following induction principle:

Theorem 2 (κ-Induction). Let f ∈ E and let κ be an ordinal. Then

Φ(Ψ_f^⌊κ⌋(f)) ⊑ f  implies  lfp Φ ⊑ f .

Proof. Following the argument above; for details see Appendix A.2.
⊓⊔

In particular, κ-induction generalizes Park induction, in the sense that 1-induction is Park induction and (κ>1)-induction is a more general principle of induction.
Algorithm 1 depicts a (semi-)algorithm that performs latticed k-induction (for k < ω) in order to prove lfp Φ ⊑ f by iteratively increasing k. For implementing this algorithm, we require, of course, that both Φ and Ψ_f are computable and that ⊑ is decidable. Notice that the loop (lines 2–3) never terminates if f ⊏ Φ(f), a condition that can easily be checked before entering the loop. Even with this optimization, however, Algorithm 1 is a proper semi-algorithm: even if lfp Φ ⊑ f, then f is still not guaranteed to be k-inductive for some k < ω. And even if an algorithm could somehow perform transfinitely many iterations, then f is still not guaranteed to be κ-inductive for some ordinal κ:

Counterexample 1 (Incompleteness of κ-Induction). Consider the carrier set {0, 1, 2}, partial order 0 ⊏ 1 ⊏ 2, and the monotonic operator Φ with Φ(0) = 0 = lfp Φ, and Φ(1) = 2, and Φ(2) = 2 = gfp Φ. Then lfp Φ ⊑ 1, but for any ordinal κ, we have Ψ₁^⌊κ⌋(1) = 1 and hence Φ(Ψ₁^⌊κ⌋(1)) = 2 ⋢ 1.

Despite its incompleteness, we now provide a sufficient criterion which ensures that every upper bound on lfp Φ is κ-inductive for some ordinal κ.

Theorem 3 (κ-Induction for Unique Fixed Points). Let f ∈ E with lfp Φ ⊑ f. If Φ has a unique fixed point, i.e., lfp Φ = gfp Φ, then f is κ-inductive for some ordinal κ. ⊓⊔
The proof of the above theorem immediately yields that, if the unique fixed point can be reached through finite fixed point iterations starting at ⊤, then f is k-inductive for some natural number k; Algorithm 1 thus eventually terminates.
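Algorithm 1 itself is not reproduced here, but its loop is short enough to sketch in Python (an illustration under the stated computability assumptions, not the paper's implementation). Running it on the three-element chain of Counterexample 1 shows the semi-algorithm making no progress on the non-inductive bound f = 1 (here cut off at max_k), while the trivial bound f = 2 is 1-inductive, i.e., Park-inductive:

```python
# Sketch of Algorithm 1: latticed k-induction as a semi-decision
# procedure. `leq` is the decidable partial order ⊑, `meet` the binary
# meet ⊓, and `phi` a computable monotonic operator.

def k_induction(phi, f, leq, meet, max_k=100):
    """Try to prove lfp phi ⊑ f; return the k for which f is
    k-inductive, or None if no k ≤ max_k works."""
    g = f  # g = Psi_f^{k-1}(f) at the start of iteration k
    for k in range(1, max_k + 1):
        if leq(phi(g), f):      # premise of k-induction (Theorem 2)
            return k
        g = meet(f, phi(g))     # one application of Psi_f = f ⊓ Φ(·)

# Counterexample 1: carrier {0, 1, 2} with 0 ⊏ 1 ⊏ 2,
# Phi(0) = 0, Phi(1) = 2, Phi(2) = 2; lfp Phi = 0 ⊑ 1, yet the
# candidate bound f = 1 is not k-inductive for any k.
phi = {0: 0, 1: 2, 2: 2}.__getitem__
print(k_induction(phi, 1, leq=lambda a, b: a <= b, meet=min))  # None
print(k_induction(phi, 2, leq=lambda a, b: a <= b, meet=min))  # 1
```

For f = 1 the iteration stalls at Ψ₁(1) = 1 ⊓ 2 = 1, so the premise 2 ⊑ 1 is never established, exactly as Counterexample 1 predicts.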

Latticed vs. Classical k-Induction
We show that our purely lattice-theoretic κ-induction from Section 3 generalizes classical k-induction for hardware and software verification. To this end, we first recap how k-induction is typically formalized in the literature [21,9,38,29]: Let TS = (S, I, T) be a transition system, where S is a (countable) set of states, I ⊆ S is a non-empty set of initial states, and T ⊆ S × S is a transition relation. As in the seminal work on k-induction [66], we require that T is a total relation, i.e., every state has at least one successor. This requirement is sometimes overlooked in the literature, which renders the classical SAT-based formulation of k-induction ((1a) and (1b) below) unsound in general.
Our goal is to verify that a given invariant property P ⊆ S covers all states reachable in TS from some initial state. Suppose that I, T and P are characterized by logical formulae I(s), T(s, s′) and P(s) (over the free variables s and s′), respectively. Then, achieving the above goal with classical k-induction amounts to proving the validity of

I(s₀) ∧ T(s₀, s₁) ∧ … ∧ T(s_{k−1}, s_k)  ⟹  P(s₀) ∧ … ∧ P(s_k)   (1a)
P(s₀) ∧ T(s₀, s₁) ∧ … ∧ P(s_k) ∧ T(s_k, s_{k+1})  ⟹  P(s_{k+1})   (1b)

Here, the base case (1a) asserts that P holds for all states reachable within k transition steps from some initial state; the induction step (1b) formalizes that P is closed under taking up to k transition steps, i.e., if we start in P and stay in P for up to k steps, then we also end up in P after taking the (k+1)st step. If both (1a) and (1b) are valid, then classical k-induction tells us that the property P holds for all reachable states of TS.

How is the above principle reflected in latticed k-induction (cf. Section 3)? For that, we choose the complete lattice (2^S, ⊆), where 2^S denotes the powerset of S; the least element is ⊥ = ∅ and the meet operation is standard intersection ∩. Moreover, we define a monotonic operator Φ whose least fixed point precisely characterizes the set of reachable states of the transition system TS:

Φ(F) = I ∪ Succs(F) ,  where  Succs(F) = { s′ ∈ S | ∃ s ∈ F : T(s, s′) } .

That is, Φ maps any given set of states F ⊆ S to the union of the initial states I and of those states Succs(F) that are reachable from F using a single transition.
Using the κ-induction operator Ψ_P constructed from Φ and P according to Definition 1, the principle of κ-induction (cf. Theorem 2) then tells us that

Φ(Ψ_P^⌊k⌋(P)) ⊆ P  implies  lfp Φ ⊆ P .

For our above choices, the premise of κ-induction equals the classical formalization of k-induction, i.e., formulae (1a) and (1b), because the set of initial states I is "baked into" the operator Φ. More concretely, formula (1a) captures those states that are reachable from I via at most k transitions. If we assume that (1a) is valid, then P contains all initial states, and formula (1b) coincides with the premise of κ-induction; a proof of this correspondence is found in Appendix A.4.
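As a small sanity check of this correspondence, consider the following hypothetical four-state transition system (our own toy example) on the lattice (2^S, ⊆): the candidate invariant P is not 1-inductive, yet one application of Ψ_P strengthens it enough to make P 2-inductive.

```python
# Hypothetical 4-state transition system illustrating the lattice view
# of classical k-induction: Phi(F) = I ∪ Succs(F) on (2^S, ⊆), and
# Psi_P(F) = P ∩ Phi(F) as in Definition 1.

I = frozenset({0})
T = {0: {1}, 1: {0}, 2: {3}, 3: {3}}  # total: every state has a successor
P = frozenset({0, 1, 2})              # candidate invariant

def phi(F):
    succs = set().union(*(T[s] for s in F)) if F else set()
    return frozenset(I | succs)

def psi_P(F):
    return P & phi(F)

# P is not 1-inductive: Phi(P) = {0, 1, 3} ⊄ P ...
print(phi(P) <= P)                    # False
# ... but P is 2-inductive: Phi(Psi_P(P)) = {0, 1} ⊆ P.
print(phi(psi_P(P)) <= P)             # True
```

The unreachable state 2 in P produces the successor 3 outside P, so plain induction fails; the meet with P prunes 3, after which the strengthened set {0, 1} is closed under Φ.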

Latticed Bounded Model Checking
We complement κ-induction with a latticed analog of bounded model checking [11,10] for refuting that lfp Φ ⊑ f. In lattice-theoretic terms, bounded model checking amounts to a fixed point iteration of Φ on ⊥ while continually checking whether the iteration exceeds our candidate upper bound f. If so, then we have indeed refuted lfp Φ ⊑ f:

Φ^⌈β⌉(⊥) ⋢ f  for some ordinal β  implies  lfp Φ ⋢ f ,

since Φ^⌈β⌉(⊥) ⊑ lfp Φ holds for every ordinal β. Furthermore, if we were actually able to perform transfinite iterations of Φ on ⊥, then latticed bounded model checking is also complete: if f is in fact not an upper bound on lfp Φ, this will be witnessed at some ordinal:

Theorem 6 (Completeness of Latticed BMC). Let f ∈ E. Then

lfp Φ ⋢ f  implies  Φ^⌈β⌉(⊥) ⋢ f  for some ordinal β .

More practically relevant, if Φ is continuous (which is the case for Bellman operators characterizing reachability probabilities in Markov chains), then a simple finite fixed point iteration, see Algorithm 2, is sound and complete for refutation:

Corollary 2 (Latticed BMC for Continuous Operators). Let f ∈ E and let Φ be continuous. Then

lfp Φ ⋢ f  if and only if  Φ^⌈n⌉(⊥) ⋢ f  for some n ∈ ℕ .
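A minimal Python rendering of Algorithm 2 (our own illustration, not the paper's implementation): iterate Φ on ⊥ and stop as soon as the iterate escapes the candidate bound f. The operator below is a made-up continuous map on the complete lattice ([0, ∞], ≤) with lfp Φ = 2.

```python
# Sketch of Algorithm 2: latticed BMC for a continuous operator.
# Iterate Phi on ⊥ and report the first unrolling depth n at which
# Phi^n(⊥) ⋢ f, i.e., at which lfp Phi ⊑ f is refuted.

def latticed_bmc(phi, f, bottom, leq, max_n=1000):
    g = bottom
    for n in range(1, max_n + 1):
        g = phi(g)
        if not leq(g, f):
            return n  # witness depth: Phi^n(⊥) ⋢ f
    return None       # no refutation up to max_n (lfp Phi ⊑ f may hold)

# Toy instance on ([0, ∞], ≤): Phi(x) = x/2 + 1 is continuous with
# lfp Phi = 2 (iterates from 0: 1, 1.5, 1.75, ...). The candidate
# bound f = 1.9 is eventually refuted, while f = 2 never is.
phi = lambda x: x / 2 + 1
print(latticed_bmc(phi, 1.9, 0.0, lambda a, b: a <= b))  # 5
print(latticed_bmc(phi, 2.0, 0.0, lambda a, b: a <= b))  # None
```

As Corollary 2 states, the refutation of f = 1.9 is found at a finite depth, whereas for the true bound f = 2 the procedure only semi-decides and runs until its cutoff.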

Probabilistic Programs
In the remainder of this article, we employ latticed k-induction and BMC to verify imperative programs with access to discrete probabilistic choices, i.e., branching on the outcomes of coin flips. In this section, we briefly recap the necessary background on formal reasoning about probabilistic programs (cf. [45,50] for details).

The Probabilistic Guarded Command Language
Syntax. Programs in the probabilistic guarded command language pGCL adhere to the grammar in Figure 2a. The semantics of most statements is standard.
In particular, the probabilistic choice {C₁} [p] {C₂} flips a coin with bias p. If the coin yields heads, it executes C₁; otherwise, C₂. In addition to the syntax in Figure 2, we admit standard expressions that are definable as syntactic sugar, e.g., true, false, ϕ₁ ∨ ϕ₂, e₁ = e₂, e₁ ≤ e₂, etc.
Program states. A program state σ maps every variable in Vars to its value, i.e., a natural number in ℕ.⁴ To ensure that the set of program states Σ remains countable⁵, we restrict ourselves to states in which only finitely many variables (those that appear in a given program) evaluate to non-zero values. Formally,

Σ = { σ : Vars → ℕ | σ(x) ≠ 0 for at most finitely many x ∈ Vars } .

The evaluation of expressions e and guards ϕ under a state σ, denoted by e(σ) and ϕ(σ), is standard. For example, we define the evaluation of "monus" as

(e₁ ∸ e₂)(σ) = max{ e₁(σ) − e₂(σ), 0 } .

Weakest Preexpectations
Expectations. An expectation f : Σ → ℝ∞≥0 is a map from program states to the non-negative reals extended by infinity. We denote by E the set of all expectations. Moreover, (E, ⪯) forms a complete lattice, where the partial order ⪯ is given by the pointwise application of the canonical ordering ≤ on ℝ∞≥0, i.e.,

f ⪯ g  if and only if  ∀ σ ∈ Σ : f(σ) ≤ g(σ) .

To conveniently describe expectations evaluating to some r ∈ ℝ∞≥0 for every state, we slightly abuse notation and denote by r the constant expectation λσ. r. Similarly, given an arithmetic expression e, we denote by e the expectation λσ. e(σ). The least element of (E, ⪯) is 0 and the greatest element is ∞. We employ the Iverson bracket notation [35] to cast Boolean expressions into expectations, i.e., [ϕ](σ) = 1 if ϕ(σ) holds, and [ϕ](σ) = 0 otherwise.
The weakest preexpectation transformer wp : pGCL → (E → E) is defined in Table 1. More formally, if μ^C_σ is the distribution over final states obtained by executing C on initial state σ, then for any postexpectation g [45],

wp⟦C⟧(g)(σ) = Σ_{τ ∈ Σ} μ^C_σ(τ) · g(τ) ,

i.e., wp⟦C⟧(g)(σ) is the expected value of g with respect to μ^C_σ. For a gentle introduction to weakest preexpectations, see [39, Chap. 2 and 4].

BMC and k-Induction for Probabilistic Programs
We now instantiate latticed κ-induction and BMC (as developed in Sections 2 to 5) to enable verification of loops written in pGCL; we discuss practical aspects later in Sections 7.1 to 7.3 and Section 8. For the next two sections, we fix a loop

C_loop = while (ϕ) { C } .

For simplicity, we assume that the loop body C is loop-free (every probabilistic program can be rewritten as a single while loop with loop-free body [63]).
Given an expectation g ∈ E and a candidate upper bound f ∈ E on the expected value of g after executing C_loop (i.e., on wp⟦C_loop⟧(g)), we will apply latticed verification techniques to check whether f indeed upper-bounds wp⟦C_loop⟧(g).
To this end, we denote by Φ the characteristic functional of C_loop and g, i.e.,

Φ(h) = [¬ϕ] · g + [ϕ] · wp⟦C⟧(h) ,

whose least fixed point defines wp⟦C_loop⟧(g) (cf. Table 1). We remark that Φ is a monotonic, and in fact even continuous, operator over the complete lattice (E, ⪯) (cf. Section 6.2). In this lattice, the meet is a pointwise minimum, i.e., (h ⊓ h′)(σ) = min{ h(σ), h′(σ) }. By Definition 1, Φ and f then induce the (continuous) κ-induction operator Ψ_f(h) = f ⊓ Φ(h). With this setup, we obtain the following proof rule for reasoning about probabilistic loops as an immediate consequence of Theorem 2:

Corollary 3 (k-Induction for pGCL). For every natural number k ∈ ℕ,

Φ(Ψ_f^⌊k⌋(f)) ⪯ f  implies  wp⟦C_loop⟧(g) ⪯ f .

Analogously, refuting that f upper-bounds the expected value of g after execution of C_loop via bounded model checking is an instance of Corollary 2:

Corollary 4 (Bounded Model Checking for pGCL). For every natural number n ∈ ℕ,

Φ^⌈n⌉(0) ⋠ f  implies  wp⟦C_loop⟧(g) ⋠ f .
Example 2 (Geometric Loop). The pGCL program

C_geo :  while (x = 1) { { x := 0 } [1/2] { c := c + 1 } }

keeps flipping a fair coin x until it flips heads, sets x to 0, and terminates. Whenever it flips tails instead, it increments the counter c and continues. We refer to C_geo as the "geometric loop" because after its execution, the counter variable c is distributed according to a geometric distribution.
What is a (preferably small) upper bound on the expected value wp⟦C_geo⟧(c) of c after execution of C_geo? Using 2-induction, we can (automatically) verify that c + 1 is indeed an upper bound: since Φ(Ψ_{c+1}(c + 1)) ⪯ c + 1, where Φ denotes the characteristic functional of C_geo, Corollary 3 yields wp⟦C_geo⟧(c) ⪯ c + 1.
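This 2-induction claim can be replayed numerically. The sketch below (our own illustration, assuming the loop shape of C_geo as recapped above) represents expectations as Python functions on states (x, c), builds the characteristic functional and the κ-induction operator pointwise, and checks the premises on a finite grid of states; this is a sanity check on sampled states, not a proof.

```python
# Pointwise check of Example 2 on states σ = (x, c). Expectations are
# Python functions; phi is the characteristic functional of
#   while (x = 1) { {x := 0} [1/2] {c := c + 1} }
# with postexpectation c.

def phi(h):
    return lambda x, c: (0.5 * h(0, c) + 0.5 * h(1, c + 1)) if x == 1 else c

f = lambda x, c: c + 1          # candidate upper bound on wp[C_geo](c)

def psi_f(h):                   # κ-induction operator: f ⊓ Phi(h)
    ph = phi(h)
    return lambda x, c: min(f(x, c), ph(x, c))

states = [(x, c) for x in (0, 1) for c in range(50)]

# f itself is not inductive: Phi(f)(1, c) = c + 1.5 > f(1, c) ...
print(all(phi(f)(x, c) <= f(x, c) for x, c in states))         # False
# ... but f is 2-inductive: Phi(Psi_f(f)) ⪯ f on all checked states.
print(all(phi(psi_f(f))(x, c) <= f(x, c) for x, c in states))  # True
```

Pointwise, Ψ_f(f) evaluates to c for x ≠ 1 and to c + 1 for x = 1, and pushing this strengthened bound through Φ once yields exactly c + 1 on the loop states, which is why the 2-induction premise holds.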
However, c + 1 cannot be proven an upper bound using Park induction as it is not inductive. Moreover, it is indeed the least upper bound, i.e., any smaller bound is refutable using BMC (cf. Corollary 4). For example, we have wp⟦C_geo⟧(c) ⋠ c + 0.99, since Φ^⌈11⌉(0) ⋠ c + 0.99. Finally, we remark that some correct upper bounds only become κ-inductive for transfinite ordinals κ. For instance, the innocuous-looking bound 2·c + 1 is not k-inductive for any natural number k, but it is (ω + 1)-inductive, since Φ(Ψ_{2·c+1}^⌊ω⌋(2·c + 1)) ⪯ 2·c + 1.

In principle, we can semi-decide whether wp⟦C_loop⟧(g) ⪯ f holds or whether f is k-inductive for some k: it suffices to run Algorithms 1 and 2 in parallel. However, for these two algorithms to actually be semi-decision procedures, we cannot admit arbitrary expectations. Rather, we restrict ourselves to a suitable subset Exp of expectations in E satisfying all of the following requirements:

1. Exp is closed under computing the characteristic functional Φ, i.e., ∀ h ∈ Exp : Φ(h) is computable and belongs to Exp.

2. Quantitative entailments in Exp are decidable, i.e., for all h, h′ ∈ Exp, it is decidable whether h ⪯ h′ holds.

3. (For k-induction) Exp is closed under computing meets, i.e., ∀ h, h′ ∈ Exp : h min h′ is computable and belongs to Exp.
Below, we show that linear expectations meet all of the above requirements.

Linear Expectations
Recall from Figure 2b that we assume all expressions appearing in pGCL programs to be linear. For our fragment of syntactic expectations, we consider extended linear expressions ẽ that (1) are defined over rationals instead of natural numbers and (2) admit ∞ as a constant (but not as a subexpression). Formally, the set of extended linear expressions is given by the following grammar:

ẽ ::= q | q · x | ẽ + ẽ | ∞ ,  where q ∈ ℚ≥0, x ∈ Vars, and ∞ may not occur as a proper subexpression.

Similarly, we admit extended linear expressions (without ∞) in linear guards ϕ.⁶ With these adjustments to expressions and guards in mind, the set LinExp of linear expectations is defined by the grammar

h ::= ẽ | [ϕ] · ẽ | h + h .

We write h = h′ if h and h′ are syntactically identical; and h ≡ h′ if they are semantically equivalent, i.e., if for all states σ, we have h(σ) = h′(σ). Furthermore, the rescaling c · h of a linear expectation h by a constant c ∈ ℚ≥0 is syntactic sugar for rescaling suitable⁷ arithmetic subexpressions of h. A formal definition of the rescaling c · h is found in Appendix A.5.
If we choose a linear expectation h as a postexpectation, then a quick inspection of Table 1 reveals that the weakest preexpectation wp⟦C⟧(h) of any loop-free pGCL program C and h yields a linear expectation again. Hence, linear expectations are closed under applying Φ (Requirement 1 above), because Φ(h) = [¬ϕ] · g + [ϕ] · wp⟦C⟧(h) is a linear expectation whenever g and h are.

Deciding Quantitative Entailments between Linear Expectations
To prove that linear expectations meet Requirement 2, decidability of quantitative entailments, we effectively reduce the question of whether an entailment h ⪯ h′ holds to the decidable satisfiability problem for QF_LIRA, quantifier-free mixed linear integer and real arithmetic (cf. [43]).
As a first step, we show that every linear expectation can be represented as a sum of mutually exclusive extended arithmetic expressions, a representation we refer to as the guarded normal form (similar to [42, Lemma 1]):

Lemma 3 (Guarded Normal Form). Every linear expectation h ∈ LinExp can effectively be transformed into an equivalent linear expectation GNF(h) = Σᵢ [ϕᵢ] · ẽᵢ whose guards ϕᵢ are mutually exclusive and exhaustive.
The number of summands |GNF(h)| in GNF(h) is, in general, exponential in the number of summands in h. In practice, however, this exponential blow-up can often be mitigated by pruning summands with unsatisfiable guards. Throughout the remainder of this paper, we denote the components of GNF(h) and GNF(h′), where h and h′ are arbitrary linear expectations, as follows:

GNF(h) = Σ_{i ∈ I} [ϕᵢ] · ẽᵢ  and  GNF(h′) = Σ_{j ∈ J} [ψⱼ] · ãⱼ .

We now present a decision procedure for the quantitative entailment h ⪯ h′ over LinExp.
Let σ be some state. By definition of the GNF, σ satisfies exactly one guard ϕᵢ and exactly one guard ψⱼ. Hence, the inequality GNF(h)(σ) ≤ GNF(h′)(σ) does not hold iff ẽᵢ(σ) > ãⱼ(σ) holds for the expressions ẽᵢ and ãⱼ guarded by ϕᵢ and ψⱼ, respectively. Based on this observation, we construct a QF_LIRA formula cex(h, h′) that is unsatisfiable iff there is no counterexample to the entailment h ⪯ h′ (see Appendix A.7 for a soundness proof):

cex(h, h′) = ⋁_{i ∈ I} ⋁_{j ∈ J, ãⱼ ≠ ∞} ( ϕᵢ ∧ ψⱼ ∧ encodeInfty(ẽᵢ) > ãⱼ ) .

Here, we identify every program variable in h or h′ with an ℕ-valued SMT variable. Moreover, to account for comparisons with ∞, we rely on the fact that our (extended) arithmetic expressions either evaluate to ∞ for every state or never evaluate to ∞. To deal with the case ẽᵢ > ∞, which is always false, we can thus safely exclude cases in which ãⱼ = ∞ holds. To deal with the case ∞ > ãⱼ, we represent ∞ by some unbounded number, i.e., we introduce a fresh, unconstrained ℕ-valued SMT variable infty and set encodeInfty(ẽ) to infty if ẽ = ∞; otherwise, encodeInfty(ẽ) = ẽ. Since QF_LIRA is decidable (cf. [43]), we conclude that the quantitative entailment problem is decidable.

Theorem 7 (Decidability of Quantitative Entailments). For all h, h′ ∈ LinExp, it is decidable whether h ⪯ h′ holds. ⊓⊔
Since quantitative entailments are decidable, we can already conclude that, for linear expectations, Algorithm 2 is a semi-decision procedure.

Computing Minima of Linear Expectations
To ensure that latticed k-induction on pGCL programs (cf. Algorithm 1 and Section 7) is a semi-decision procedure when considering linear expectations, we have to consider Requirement 3, the expressibility and computability of meets:

Theorem 8. LinExp is effectively closed under taking minima.
Proof. For two linear expectations h, h′ with GNF(h) = Σ_{i ∈ I} [ϕᵢ] · ẽᵢ and GNF(h′) = Σ_{j ∈ J} [ψⱼ] · ãⱼ, the linear expectation GNF(h) min GNF(h′) ∈ LinExp is given by the sum over all i ∈ I and j ∈ J of the summands

[ϕᵢ ∧ ψⱼ] · ãⱼ   if ẽᵢ = ∞ ,
[ϕᵢ ∧ ψⱼ] · ẽᵢ   if ãⱼ = ∞ (and ẽᵢ ≠ ∞) ,
[ϕᵢ ∧ ψⱼ ∧ ẽᵢ ≤ ãⱼ] · ẽᵢ + [ϕᵢ ∧ ψⱼ ∧ ẽᵢ > ãⱼ] · ãⱼ   otherwise ,

where we exploit that, for every state, exactly one guard ϕᵢ and exactly one guard ψⱼ is satisfied (cf. Lemma 3). Notice that in the last case we indeed obtain a linear expectation since neither ẽᵢ nor ãⱼ are equal to ∞.

⊓ ⊔
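The construction in the proof of Theorem 8 can be sketched as follows (our own illustration; expressions are plain Python functions, ∞-summands are tagged with the string "inf", and the three-way case split is folded into one pointwise minimum per guard pair):

```python
# Sketch of the Theorem 8 construction: the pointwise minimum of two
# linear expectations in guarded normal form (GNF) is again a GNF,
# obtained by intersecting guards pairwise and resolving the ∞ cases.

INF = float("inf")

def gnf_min(h, h2):
    """[ϕ_i ∧ ψ_j]-guarded summands of h min h2."""
    out = []
    for phi_i, e_i in h:
        for psi_j, a_j in h2:
            guard = lambda s, p=phi_i, q=psi_j: p(s) and q(s)
            if e_i == "inf":
                out.append((guard, a_j))          # min(∞, ã) = ã
            elif a_j == "inf":
                out.append((guard, e_i))          # min(ẽ, ∞) = ẽ
            else:   # the [ẽ ≤ ã]/[ẽ > ã] case split, folded pointwise
                out.append((guard, lambda s, e=e_i, a=a_j: min(e(s), a(s))))
    return out

def evaluate(gnf, s):
    return next(INF if e == "inf" else e(s) for g, e in gnf if g(s))

h = [(lambda s: s["c"] <= 3, lambda s: s["c"] + 1),
     (lambda s: s["c"] > 3, "inf")]
h2 = [(lambda s: True, lambda s: 2 * s["c"] + 1)]

m = gnf_min(h, h2)
print([evaluate(m, {"c": c}) for c in (0, 3, 4)])  # [1, 4, 9]
```

Because the guards of each GNF are mutually exclusive and exhaustive, the pairwise conjunctions ϕᵢ ∧ ψⱼ again partition the state space, so exactly one summand of the result applies in every state.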
In summary, all requirements stated in Section 7 are satisfied.

Implementation
We have implemented a prototype called kipro2 (k-Induction for PRObabilistic PROgrams) in Python 3.7 using the SMT solver Z3 [55] and the solver API PySMT [25]. Our tool, its source code, and our experiments are available online.⁸ kipro2 performs latticed k-induction and BMC in parallel to fully automatically verify upper bounds on expected values of pGCL programs as described in Section 7. In addition to reasoning about expected values, kipro2 supports verifying bounds on expected runtimes of pGCL programs, which are characterized as least fixed points à la [41]. Rather than fixing a specific runtime model, we took inspiration from [57] and added a statement tick(n) that does not affect the program state but consumes n ∈ ℕ time units.
To discharge quantitative entailments and compute the meet, we use the constructions in Theorems 7 and 8, respectively. As an additional optimization, we do not iteratively apply the k-induction operator Ψ_f directly but use an incremental encoding. We briefly sketch our encoding for k-induction (Algorithm 1); the encoding for BMC is similar. In both cases, we employ uninterpreted functions on top of mixed integer and real arithmetic, i.e., QF_UFLIRA.
Recall Example 2, the geometric loop C_geo, where we used k-induction to prove wp⟦C_geo⟧(c) ⪯ c + 1. To obtain an incremental encoding, we introduce, for every k ∈ ℕ, an uninterpreted function P_k : ℕ × ℕ → ℝ≥0 and a formula ρ_k(c, x) specifying that P_k(c, x) characterizes Φ(Ψ_{c+1}^⌊k⌋(c + 1)).⁹ Analogously, we introduce an uninterpreted function Q_k : ℕ × ℕ → ℝ≥0 characterizing Ψ_{c+1}^⌊k⌋(c + 1). In particular, the formula ρ_k(c, x) may use all uninterpreted functions introduced for smaller or equal values of k, not just the function P_k(c, x) it needs to characterize. This enables an incremental encoding in the sense that ρ_k(c, x) can be computed on top of ρ_{k−1}(c, x) by reusing P_{k−1}(c, x), Q_k(c, x), and the construction in Theorem 8.

Experiments
We evaluate kipro2 on two sets of benchmarks. The first set, shown in Table 2, consists of four (infinite-state) probabilistic systems compiled from the literature; each benchmark is evaluated on multiple variants of candidate upper bounds: (1) brp is a pGCL variant of the bounded retransmission protocol [32,19]. The goal is to transmit toSend many packages via an unreliable channel allowing for at most maxFail many retransmissions per package (cf. Example 1). The variable totalFail keeps track of the total number of failed attempts to send a package. We verified upper bounds on the expected outcome of totalFail (variants 1-4). In doing so, we bound the number of packages to send by 4 (10, 20, 70) while keeping maxFail unbounded, i.e., we still verify an infinite-state system. We notice that k > 1 is required for proving any of the candidate bounds; for up to k = 11, kipro2 manages to prove non-trivial bounds within a few seconds. However, unsurprisingly, the complexity increases rapidly with larger k: while kipro2 can prove variant 3, it needs to increase k to 23, and the complexity grows rapidly both in terms of the size of formulae and in terms of runtime with increased k. Furthermore, variants 5-7 correspond to (increasing) incorrect candidate bounds (totalFail + 1, totalFail + 1.5, totalFail + 3) that are refuted (or time out) when not imposing any restriction on toSend.

(Footnote 9: Notice that we do not axiomatize in ρ_k(c, x) that Φ(Ψ^{⌊k⌋}_{c+1}(c + 1)) and P_k(c, x) are the same function, because we have no access to universal quantifiers. Rather, we specify that both functions coincide for any fixed concrete values assigned to c and x. This weaker notion is not robust against formal modifications of the parameters, e.g., through substitution.)
(2) geo corresponds to the geometric loop from Example 2. We verify that c + 1 upper-bounds the expected value of c for every initial state (variant 1); we refute the incorrect candidates c + 0.99 and c + 0.999999999999 (variants 2-3).
(4) unif_gen implements the algorithm in [49] for generating a discrete uniform distribution over some interval {l, . . ., l + n − 1} using only fair coin flips. We aim to verify that 1/n upper-bounds the probability of sampling a particular element from any such interval of size at most n = 2 (3, 4, 5, 6) (variants 1-5).
Our second set of benchmarks, shown in Table 3, confirms the correctness of (1-inductive) bounds on the expected runtime of pGCL programs synthesized by the runtime analyzers Absynth [57] and (later) KoAT [53]; this gives a baseline for evaluating the performance of our implementation. Moreover, it demonstrates the flexibility of our approach, as we effortlessly apply the expected runtime calculus [41] instead of the weakest preexpectation calculus for verification.
Further details about individual benchmarks, including all considered pGCL programs and candidate upper bounds, can be found in Appendix B.
Setup. We ran Algorithms 1 and 2 in parallel using an AMD Ryzen 5 3600X processor with a shared memory limit of 8 GB and a 15-minute timeout. For every benchmark finishing within the time limit, kipro2 either finds the smallest k required to prove the candidate bound by k-induction or the smallest unrolling depth k to refute it. If kipro2 refutes, the SMT solver provides a concrete initial state witnessing that violation. In Tables 2 and 3, column #formulae gives the maximal number of conjuncts on the solver stack; columns formulae t, sat t, and total t give the amount of time spent on (1) computing formulae, (2) satisfiability checking, and (3) everything (including preprocessing), respectively. The input consists of a program, a candidate upper bound, and a postexpectation; in Table 3, the latter is fixed to "postruntime" 0 and thus omitted.
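The prove/refute interplay of running both algorithms in parallel can be sketched as follows; k_inductive and refutes_at_depth are hypothetical stand-ins for the SMT-backed checks of Algorithms 1 and 2, and the structure is our simplification of the tool's architecture.

```python
import concurrent.futures as cf

def k_induction(k_inductive, max_k):
    """Search the smallest k for which the candidate bound is k-inductive."""
    for k in range(1, max_k + 1):
        if k_inductive(k):
            return ("proved", k)
    return ("unknown", None)

def bmc(refutes_at_depth, max_k):
    """Search the smallest unrolling depth refuting the candidate bound."""
    for k in range(1, max_k + 1):
        if refutes_at_depth(k):
            return ("refuted", k)
    return ("unknown", None)

def verify(k_inductive, refutes_at_depth, max_k=50):
    """Run both searches in parallel; report the first conclusive verdict."""
    with cf.ThreadPoolExecutor(max_workers=2) as pool:
        futures = [pool.submit(k_induction, k_inductive, max_k),
                   pool.submit(bmc, refutes_at_depth, max_k)]
        for fut in cf.as_completed(futures):
            verdict, k = fut.result()
            if verdict != "unknown":
                return verdict, k
    return "unknown", None

# e.g. a bound that happens to be 4-inductive and admits no counterexample:
assert verify(lambda k: k >= 4, lambda k: False) == ("proved", 4)
```

Since at most one of the two searches can conclude for a given candidate, the first conclusive verdict is the final answer; a timeout corresponds to neither search concluding within the budget.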
Evaluation of Benchmark Set 1. Table 2 empirically underlines that probabilistic program verification can benefit from k-induction to the same extent as classical software verification: kipro2 fully automatically verifies relevant properties of infinite-state randomized algorithms and stochastic processes from the literature that require k to be strictly larger than 1. That is, proving these properties using (1-)inductive invariants requires either non-trivial invariant synthesis or additional user annotations. This indicates that k-induction mitigates the need for complicated specifications in probabilistic program verification (cf. [41]).
We observe that k-induction tends to succeed if some variable is bounded in the candidate upper bound under consideration (cf. brp, rabin, unif_gen). However, k-induction can also succeed without any bounds (cf. geo). The time and formulae required for checking k-inductivity increase rapidly for larger k; this is particularly striking for rabin and unif_gen. When refuting candidate bounds with BMC, we obtain a similar picture. Both the time and formulae required for refutation increase if the candidate bound increases (cf. brp, geo, rabin).
For both k-induction and BMC, we observe a direct correlation between the complexity of the loop, i.e., the number of possible traces through the loop from some fixed initial state after some bounded number of iterations, and the required time and space (number of formulae). Whereas these checks tend to be fast for geo and brp, which exhibit a rather simple structure, this is not the case for rabin and unif_gen, which have more complex loop bodies. For such complex loops, k-induction and BMC quickly become infeasible as k increases.
Evaluation of Benchmark Set 2. From Table 3, we observe that, in almost every case, verification is instantaneous and requires very few formulae. The programs we verify are equivalent to the programs provided in [57] up to interpreting minus as monus and using N-typed (instead of Z-typed) variables. A manual inspection reveals that this matters for C4B t303 and rdwalk, which is the reason why the runtime bound for C4B t303 is 3-inductive rather than 1-inductive.
There are two timeouts (2drwalk, bayesian network) due to the GNF construction from Lemma 3, which exhibits a runtime exponential in the number of possible execution branches through the loop body. We conjecture that further preprocessing (pruning infeasible branches upfront) can mitigate this, rendering 2drwalk and bayesian network tractable as well. We consider a thorough investigation of suitable preprocessing strategies for GNF construction, which is outside the scope of this paper, a worthwhile direction for future research.
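The source of the blow-up can be made concrete: a GNF construction enumerates all 2^n truth-value combinations of the n guards. The following sketch, with guards and expressions modeled as Python functions on states, is a simplified illustration of such a construction, not Lemma 3's exact definition.

```python
from itertools import product

def gnf(terms):
    """Build a guarded normal form from terms (psi_i, e_i): one cell per
    truth-value combination of the guards (2^n cells), so the guards of the
    result are mutually exclusive and cover the whole state space."""
    cells = []
    for signs in product((True, False), repeat=len(terms)):
        def guard(s, signs=signs):           # cell guard: fix each psi_i's value
            return all(bool(psi(s)) == b for (psi, _), b in zip(terms, signs))
        def value(s, signs=signs):           # cell value: sum of the active e_i
            return sum(e(s) for (_, e), b in zip(terms, signs) if b)
        cells.append((guard, value))
    return cells

def evaluate(cells, s):
    """Evaluate a GNF expectation: exactly one cell guard holds per state."""
    matching = [v for g, v in cells if g(s)]
    assert len(matching) == 1
    return matching[0](s)

# Overlapping guards, hence not in GNF: [s > 0] * s + [s > 5] * 1
terms = [(lambda s: s > 0, lambda s: s), (lambda s: s > 5, lambda s: 1)]
cells = gnf(terms)                           # 2^2 = 4 cells
for s in range(-3, 10):
    assert evaluate(cells, s) == sum(e(s) for psi, e in terms if psi(s))
```

Pruning cells whose guard is unsatisfiable (infeasible branches) shrinks the enumeration, which is exactly the preprocessing direction conjectured above.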

Conclusion
We presented κ-induction, a generalization of classical k-induction to arbitrary complete lattices, and, together with a complementary bounded model checking approach, obtained a fully automated technique for verifying infinite-state probabilistic programs. Experiments showed that this technique can prove, in an automated manner, non-trivial properties that cannot be proven using existing techniques, at least not without synthesizing a stronger inductive invariant first. If a given candidate bound is k-inductive for some k, then our prototypical tool will find that k for linear programs and linear expectations. In theory, our tool is also applicable to non-linear programs at the expense of an undecidable quantitative entailment problem. It is left for future work to consider (positive) real-valued program variables and non-linear expectations.

A Appendix
A.1 Proof of Lemma 1

For item (a), observe that g_1 ⊑ g_2 implies g_1 ⊓ f ⊑ g_2 ⊓ f. We then have

Ψ_f(g_1) = Φ(g_1 ⊓ f)   (by definition of Ψ_f)
         ⊑ Φ(g_2 ⊓ f)   (by monotonicity of Φ and the above property)
         = Ψ_f(g_2) .    (by definition of Ψ_f)

For item (b), we proceed by transfinite induction on γ.
The case δ = 0.This case is trivial as there exists no ordinal γ < δ.
The case of a successor ordinal δ = β + 1. For every α < β, the corresponding derivation proves the claim for every γ = α + 1 < δ; the missing case γ = 0 follows analogously.

The case of a limit ordinal δ. For every γ < δ, the claim follows by definition of Ψ_f and the induction hypothesis.

For item (c), we first observe that Ψ_f(g) ⊑ Φ(g) holds for every element g ∈ E. The claim then follows from a straightforward transfinite induction on the number of iterations and the fact that Φ^{⌊δ⌋}(g) ⊑ Φ^{⌈δ⌉}(g) holds by definition.
For item (d), assume lfp Φ ⊑ f. It suffices to prove that, for all ordinals δ < ν, we have lfp Φ ⊑ Ψ^{⌊δ⌋}_f(f); the remaining inequalities are immediate by definition of Ψ_f and item (b). We proceed by transfinite induction on δ.
The case of a limit ordinal δ. We next observe that the claim holds for this ordinal β.

Premises. We first recap our assumptions and introduce some useful notation. We assume the setting from Section 4; in particular, Succs(X) = {t′ | ∃t ∈ X : (t, t′) ∈ T}. We denote by μ interpretations that assign to every variable a state in S; μ |= ϕ denotes that μ is a model of formula ϕ. Moreover, we treat I(s), T(s, s′), and P(s) as relational symbols whose interpretations are I, T, and P, respectively. Recall formula (1a); we denote by ϕ_k(s_1, . . ., s_k) the LHS of the implication and by ψ_k(s_1, . . ., s_k) the RHS of the implication, respectively.
Moreover, recall formula (1b); as shown below, we define a shortcut for the LHS of the implication excluding the last transition:

. . . ∧ T(s_k, s_{k+1}) =⇒ P(s_{k+1}) .   (1b)

Finally, we define an auxiliary transformer capturing all successors of a given set of states that satisfy the property P.

(Footnote 10: That is, by fixing an interpretation, we abstract from how I(s), T(s, s′), and P(s) are axiomatized. Moreover, by interpreting every variable as a state in S, we abstract from common encodings of the state space in which a single state is given by the evaluation of a set of state variables (cf. [46,13,21]).)
Proof. By induction on k.

A.5 Formal Definition of Linear Rescaling
Let h ∈ LinExp be a linear expectation and let c ∈ Q_{≥0} be a rational constant. For c = 0, we define the rescaling as 0 • h = 0. For c > 0, the rescaling c • h is given by the table below.
Claim.Every linear expectation h ∈ LinExp can effectively be transformed into an equivalent linear expectation GNF (h) ≡ h in guarded normal form.
Proof. Let h ∈ LinExp. As shown in [8, Lemma A.2], h can effectively be transformed into an equivalent (linear) expectation h′ of a guarded-sum form that is not necessarily in GNF (as the guards ψ_1, . . ., ψ_n do not necessarily partition the state space). We can then construct an equivalent linear expectation GNF(h) in guarded normal form. We show that h ⊑ h′ holds iff cex(h, h′) is unsatisfiable.
Lemma 12. For n ∈ N, if . . .

Proof. We have . . .

Theorem 9. For every n ≥ 1, . . .

Proof. By induction on n.
Base case n = 1. We have

B.1 Brp
A pGCL variant of the bounded retransmission protocol [19,32]. The goal is to transmit toSend many packages via an unreliable channel allowing for at most maxFail many retransmissions per package. Variable totalFail keeps track of the total number of failed attempts to send a package. We verified upper bounds on the expected outcome of totalFail (variants 1-4). In doing so, we bound the number of packages to send by 4 (variant 1) up to 70 (variant 4) while keeping maxFail unbounded, i.e., we still verify an infinite-state system. We notice that k > 1 is required for proving any of the candidate bounds; for up to k = 11, kipro2 manages to prove non-trivial bounds within a few seconds. However, unsurprisingly, the complexity increases rapidly with larger k. While kipro2 can prove variant 4, it needs to increase k to 23; we observe that the complexity grows rapidly both in terms of formulae and in terms of runtime with increased k. Furthermore, variants 5-7 correspond to (increasing) incorrect candidate bounds that are refuted (or time out) when not imposing any restriction on toSend.
the RHS of Lemma 2. The dashed blue arrow from lfp Φ to Φ(Ψ^{⌊κ⌋}_f(f)) is a consequence of the dash-dotted arrow (by Park induction, Theorem 1) and ultimately proves that lfp Φ ⊑ f.

Fig. 2: Syntax of pGCL programs, linear expressions, and guards, where x is a variable taken from a countable set Vars of program variables (evaluating to natural numbers), p ∈ [0, 1] ∩ Q is a rational probability, and n ∈ N is a constant.

# The number of total packages to send
nat toSend;
# Number of packages sent
nat sent;
# The maximal number of retransmission tries
nat maxFailed;
# The number of failed retransmission tries
nat failed;
nat totalFailed;

while (failed < maxFailed & sent < toSend) {
    {
        # Transmission of current package successful
        failed := 0;
        sent := sent + 1;
    } [0.9] {
        # Transmission not successful
        failed := failed + 1;
        totalFailed := totalFailed + 1;
    }
}

Preexpectations for the different variants:
- [toSend ≤ 4] • (totalFailed + 1) + [toSend > 4] • ∞
- [toSend ≤ 10] • (totalFailed + 3) + [toSend > 10] • ∞
- [toSend ≤ 20] • (totalFailed + 3) + [toSend > 20] • ∞

Table 1, where g[x/e] denotes the substitution of variable x by expression e, i.e., g[x/e] = λσ. g(σ[x ↦ e(σ)]), where σ[x ↦ e(σ)] = λy. e(σ) if y = x, and σ(y) otherwise. We call wp⟦C⟧(g) the weakest preexpectation of program C w.r.t. postexpectation g. The weakest preexpectation wp⟦C⟧(g) is itself an expectation of type E, which maps each initial state σ to the expected value of g after running C on σ.
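Read operationally, the substitution g[x/e] is a single state update. A minimal Python rendering, with states as dictionaries and expectations/expressions as functions (names are ours, for illustration):

```python
def subst(g, x, e):
    """g[x/e] = λσ. g(σ[x ↦ e(σ)]): evaluate e in the current state σ,
    bind the result to x, then evaluate g in the updated state."""
    def g_subst(sigma):
        updated = dict(sigma)                # copy: σ itself stays unchanged
        updated[x] = e(sigma)
        return g(updated)
    return g_subst

# wp of the assignment c := c + 2 wrt postexpectation c + 1 is (c + 2) + 1:
g = lambda s: s["c"] + 1
e = lambda s: s["c"] + 2
assert subst(g, "c", e)({"c": 3}) == 6
```

Note that e is evaluated in the original state σ, which is why the definition reads σ[x ↦ e(σ)] rather than updating x first.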

Table 2: Empirical results for the first benchmark set (time in seconds).
Proof (of the claim, i.e., Theorem 4). Let k ≥ 1. We rely on several lemmata, which are presented further below. With this in mind, consider the following: