8 research outputs found

    Healthiness Conditions for Predicate Transformers

    The behavior of a program can be modeled by describing how it transforms input states to output states, the state transformer semantics. Alternatively, for verification purposes one is interested in a 'predicate transformer semantics' which, for every condition on the output, yields the weakest precondition on the input that guarantees the desired property for the output. In the presence of computational effects like nondeterministic or probabilistic choice, a computation will be modeled by a map t:X→TY, where T is an appropriate computational monad. The corresponding predicate transformer assigns predicates on Y to predicates on X. One looks for necessary and, if possible, sufficient conditions (healthiness conditions) on predicate transformers that correspond to state transformers t:X→TY. In this paper we propose a framework for establishing healthiness conditions for predicate transformers. As far as the author knows, it fits almost all situations in which healthiness conditions for predicate transformers have been worked out. It may serve as a guideline for finding new results; but it also shows quite narrow limitations.

    Healthiness from Duality

    Healthiness is a good old question in program logics that dates back to Dijkstra. It asks for an intrinsic characterization of those predicate transformers which arise as the (backward) interpretation of a certain class of programs. There are several results known for healthiness conditions: for deterministic programs, nondeterministic ones, probabilistic ones, etc. Building upon our previous works on so-called state-and-effect triangles, we contribute a unified categorical framework for investigating healthiness conditions. We find the framework to be centered around a dual adjunction induced by a dualizing object, together with our notion of relative Eilenberg-Moore algebra playing a fundamental role too. The latter notion seems interesting in its own right in the context of monads, Lawvere theories and enriched categories. Comment: 13 pages, extended version with appendices of a paper accepted to LICS 201

    Aiming Low Is Harder -- Induction for Lower Bounds in Probabilistic Program Verification

    We present a new inductive rule for verifying lower bounds on expected values of random variables after execution of probabilistic loops, as well as on their expected runtimes. Our rule is simple in the sense that the loop body semantics needs to be applied only finitely often in order to verify that the candidates are indeed lower bounds. In particular, it is not necessary to find the limit of a sequence, as in many previous rules.

    Weighted programming: A programming paradigm for specifying mathematical models

    We study weighted programming, a programming paradigm for specifying mathematical models. More specifically, the weighted programs we investigate are like usual imperative programs with two additional features: (1) nondeterministic branching and (2) weighting execution traces. Weights can be numbers but also other objects like words from an alphabet, polynomials, formal power series, or cardinal numbers. We argue that weighted programming as a paradigm can be used to specify mathematical models beyond probability distributions (as is done in probabilistic programming). We develop weakest-precondition- and weakest-liberal-precondition-style calculi à la Dijkstra for reasoning about mathematical models specified by weighted programs. We present several case studies. For instance, we use weighted programming to model the ski rental problem, an optimization problem. We model not only the optimization problem itself, but also the best deterministic online algorithm for solving this problem, as weighted programs. By means of weakest-precondition-style reasoning, we can determine the competitive ratio of the online algorithm at the source-code level.

    Dijkstra Monads for Free

    Dijkstra monads are a means by which a dependent type theory can be enhanced with support for reasoning about effectful code. These specification-level monads computing weakest preconditions, and their closely related counterparts, Hoare monads, provide the basis on which verification tools like F*, Hoare Type Theory (HTT), and Ynot are built. In this paper we show that Dijkstra monads can be derived "for free" by applying a continuation-passing style (CPS) translation to the standard monadic definitions of the underlying computational effects. Automatically deriving Dijkstra monads provides a correct-by-construction and efficient way of reasoning about user-defined effects in dependent type theories. We demonstrate these ideas in EMF*, a new dependently typed calculus, validating it both by formal proof and via a prototype implementation within F*. Besides equipping F* with a more uniform and extensible effect system, EMF* enables within F* a mixture of intrinsic and extrinsic proofs that was previously impossible.

    Mixed powerdomains for probability and nondeterminism

    We consider mixed powerdomains combining ordinary nondeterminism and probabilistic nondeterminism. We characterise them as free algebras for suitable (in)equational theories; we establish functional representation theorems; and we show equivalences between state transformers and appropriately healthy predicate transformers. The extended nonnegative reals serve as `truth-values'. As usual with powerdomains, everything comes in three flavours: lower, upper, and order-convex. The powerdomains are suitable convex sets of subprobability valuations, corresponding to resolving nondeterministic choice before probabilistic choice. Algebraically this corresponds to the probabilistic choice operator distributing over the nondeterministic choice operator. (An alternative approach to combining the two forms of nondeterminism would be to resolve probabilistic choice first, arriving at a domain-theoretic version of random sets. However, as we also show, the algebraic approach then runs into difficulties.) Rather than working directly with valuations, we take a domain-theoretic functional-analytic approach, employing domain-theoretic abstract convex sets called Kegelspitzen; these are equivalent to the abstract probabilistic algebras of Graham and Jones, but are more convenient to work with. So we define power Kegelspitzen, and consider free algebras, functional representations, and predicate transformers. To do so we make use of previous work on domain-theoretic cones (d-cones), with the bridge between the two of them being provided by a free d-cone construction on Kegelspitzen.