figure a

1 Introduction

The important roles of randomization in algorithms and software systems are nowadays well-recognized. In algorithms, randomization can bring remarkable speed gain at the expense of small probabilities of imprecision. In cryptography, many encryption algorithms are randomized in order to conceal the identity of plaintexts. In software systems, randomization is widely utilized for the purpose of fairness, security and privacy.

Embracing randomization in programming languages has therefore been an active research topic for a long time. Doing so does not only offer a solid infrastructure that programmers and system designers can rely on, but also opens up the possibility of language-based, static analysis of properties of randomized algorithms and systems.

The current paper’s goal is to analyze imperative programs with randomization constructs—the latter come in two forms, namely probabilistic branching and assignment from a designated, possibly continuous, distribution. We shall refer to such programs as randomized programs.Footnote 1

Runtime and Termination Analysis of Randomized Programs. The runtime of a randomized program is often a problem of our interest; so is almost-sure termination, that is, whether the program terminates with probability 1. In the programming language community, these problems have been taken up by many researchers as a challenge of both practical importance and theoretical interest.

Most of the existing works on runtime and termination analysis follow either of the following two approaches.

  • Martingale-based methods, initiated with a notion of ranking supermartingale in [4] and extended [1, 6, 7, 11, 13], have their origin in the theory of stochastic processes. They can also be seen as a probabilistic extension of ranking functions, a standard proof method for termination of (non-randomized) programs. Martingale-based methods have seen remarkable success in automated synthesis using templates and constraint solving (like LP or SDP).

  • The predicate-transformer approach, pursued in [2, 17, 19], uses a more syntax-guided formalism of program logic and emphasizes reasoning by invariants.

The essential difference between the two approaches is not big: an invariant notion in the latter is easily seen to be an adaptation of a suitable notion of supermartingale. The work [33] presents a comprehensive account on the order-theoretic foundation behind these techniques.

These existing works are mostly focused on the following problems: deciding almost-sure termination, computing termination probabilities, and computing expected runtime. (Here “computing” includes giving upper/lower bounds.) See [33] for a comparison of some of the existing martingale-based methods.

Our Problem: Tail Probabilities for Runtimes. In this paper we focus on the problem of tail probabilities that is not studied much so far.Footnote 2 We present a method for overapproximating tail probabilities; here is the problem we solve.

Input: :

a randomized program \(\varGamma \), and a deadline \(d\in \mathbb {N}\)

Output: :

an upper bound of the tail probability \(\mathrm {Pr}({T_{\mathrm {run}} \ge d})\), where \(T_{\mathrm {run}}\) is the runtime of \(\varGamma \)

Our target language is a imperative language that features randomization (probabilistic branching and random assignment). We also allow nondeterminism; this makes the program’s runtime depend on the choice of a scheduler (i.e. how nondeterminism is resolved). In this paper we study the longest, worst-case runtime (therefore our scheduler is demonic). In the technical sections, we use the presentation of these programs as probabilistic control graphs (pCFGs)—this is as usual in the literature. See e.g. [1, 33].

Fig. 1.
figure 1

An example program

Full size image

An example of our target program is in Fig. 1. It is an imperative program with randomization: in Line 3, the value of z is sampled from the uniform distribution over the interval \([-2, 1]\). The symbol \(*\) in the line 4 stands for a nondeterministic Boolean value; in our analysis, it is resolved so that the runtime becomes the longest.

Given the program in Fig. 1 and a choice of a deadline (say \(d=400\)), we can ask the question “what is the probability \(\mathrm {Pr}({T_{\mathrm {run}} \ge d})\) for the runtime \(T_{\mathrm {run}}\) of the program to exceed \(d=400\) steps?” As we show in Sect. 6, our method gives a guaranteed upper bound 0.0684. This means that, if we allow the time budget of \(d=400\) steps, the program terminates with the probability at least 93%.

Fig. 2.
figure 2

Our workflow

Full size image

Our Method: Concentration Inequalities, Higher Moments, and Vector-Valued Supermartingales. Towards the goal of computing tail probabilities, our approach is to use concentration inequalities, a technique from probability theory that is commonly used for overapproximating various tail probabilities. There are various concentration inequalities in the literature, and each of them is applicable in a different setting, such as a nonnegative random variable (Markov’s inequality), known mean and variance (Chebyshev’s inequality), a difference-bounded martingale (Azuma’s inequality), and so on. Some of them were used for analyzing randomized programs [5] (see Sect. 7 for comparison).

In this paper, we use a specific concentration inequality that uses higher moments \(\mathbb {E}[{T_{\mathrm {run}}}], \dots , \mathbb {E}[{(T_{\mathrm {run}})^K}]\) of runtimes \(T_{\mathrm {run}}\), up to a choice of the maximum degree K. The concentration inequality is taken from [3]; it generalizes Markov’s and Chebyshev’s. We observe that a higher moment yields a tighter bound of the tail probability, as the deadline d grows bigger. Therefore it makes sense to strive for computing higher moments.

For computing higher moments of runtimes, we systematically extend the existing theory of ranking supermartingales, from the expected runtime (i.e. the first moment) to higher moments. The theory features a vector-valued supermartingale, which not only generalizes easily to degrees up to arbitrary \(K\in \mathbb {N}\), but also allows automated synthesis much like usual supermartingales.

We also claim that the soundness of these vector-valued supermartingales is proved in a mathematically clean manner. Following our previous work [33], our arguments are based on the order-theoretic foundation of fixed points (namely the Knaster-Tarski, Cousot–Cousot and Kleene theorems), and we give upper bounds of higher moments by suitable least fixed points.

Overall, our workflow is as shown in Fig. 2. We note that the step 2 in Fig. 2 is computationally much cheaper than the step 1: in fact, the step 2 yields a symbolic expression for an upper bound in which d is a free variable. This makes it possible to draw graphs like the ones in Fig. 3. It is also easy to find a deadline d for which \(\mathrm {Pr}({T_{\mathrm {run}} \ge d})\) is below a given threshold \(p\in [0,1]\).

We implemented a prototype that synthesizes vector-valued supermartingales using linear and polynomial templates. The resulting constraints are solved by LP and SDP solvers, respectively. Experiments show that our method can produce nontrivial upper bounds in reasonable computation time. We also experimentally confirm that higher moments are useful in producing tighter bounds.

Our Contributions. Summarizing, the contribution of this paper is as follows.

  • We extend the existing theory of ranking supermartingales from expected runtimes (i.e. the first moment) to higher moments. The extension has a solid foundation of order-theoretic fixed points. Moreover, its clean presentation by vector-valued supermartingales makes automated synthesis as easy as before. Our target randomized programs are rich, embracing nondeterminism and continuous distributions.

  • We study how these vector-valued supermartingales (and the resulting upper bounds of higher moments) can be used to yield upper bounds of tail probabilities of runtimes. We identify a concentration lemma that suits this purpose. We show that higher moments indeed yield tighter bounds.

  • Overall, we present a comprehensive language-based framework for overapproximating tail probabilities of runtimes of randomized programs (Fig. 2). It has been implemented, and our experiments suggest its practical use.

Organization. We give preliminaries in Sect. 2. In Sect. 3, we review the order-theoretic characterization of ordinary ranking supermartingales and present an extension to higher moments of runtimes. In Sect. 4, we discuss how to obtain an upper bound of the tail probability of runtimes. In Sect. 5, we explain an automated synthesis algorithm for our ranking supermartingales. In Sect. 6, we give experimental results. In Sect. 7, we discuss related work. We conclude and give future work in Sect. 8. Some proofs and details are deferred to the appendices available in the extended version [22].

2 Preliminaries

We present some preliminary materials, including the definition of pCFGs (we use them as a model of randomized programs) and the definition of runtime.

Given topological spaces X and Y, let \(\mathcal {B}(X)\) be the set of Borel sets on X and \(\mathcal {B}(X, Y)\) be the set of Borel measurable functions \(X \rightarrow Y\). We assume that the set \(\mathbb {R}\) of reals, a finite set L and the set \([0, \infty ]\) are equipped with the usual topology, the discrete topology, and the order topology, respectively. We use the induced Borel structures for these spaces. Given a measurable space X, let \(\mathcal {D}(X)\) be the set of probability measures on X. For any \(\mu \in \mathcal {D}(X)\), let \(\mathrm {supp}(\mu )\) be the support of \(\mu \). We write \(\mathbb {E}[{X}]\) for the expectation of a random variable X.

Our use of pCFGs follows recent works including [1].

Definition 2.1

(pCFG). A probabilistic control flow graph (pCFG) is a tuple \(\varGamma = (L, V, l_{\mathrm {init}}, \varvec{x}_{\mathrm {init}}, {\mapsto }, \mathrm {Up}, \mathrm {Pr}, G)\) that consists of the following.

  • A finite set L of locations. It is a disjoint union of sets \(L_D\), \(L_P\), \(L_n\) and \(L_A\) of deterministic, probabilistic, nondeterministic and assignment locations.

  • A finite set V of program variables.

  • An initial location \(l_{\mathrm {init}} \in L\).        – An initial valuation \(\varvec{x}_{\mathrm {init}} \in \mathbb {R}^{V}\)

  • A transition relation \({\mapsto } \subseteq L \times L\) which is total (i.e. \(\forall l.\, \exists l'.\,l \mapsto l'\)).

  • An update function \(\mathrm {Up} : L_A \rightarrow V \times \bigl (\,\mathcal {B}(\mathbb {R}^V, \mathbb {R}) \cup \mathcal {D}(\mathbb {R}) \cup \mathcal {B}(\mathbb {R})\,\bigr )\) for assignment.

  • A family \(\mathrm {Pr} = (\mathrm {Pr}_l)_{l \in L_P}\) of probability distributions, where \(\mathrm {Pr}_l \in \mathcal {D}(L)\), for probabilistic locations. We require that \(l' \in \mathrm {supp}(\mathrm {Pr}_l)\) implies \(l \mapsto l'\).

  • A guard function \(G : L_D \times L \rightarrow \mathcal {B}(\mathbb {R}^V)\) such that for each \(l \in L_D\) and \(\varvec{x} \in \mathbb {R}^V\), there exists a unique location \(l' \in L\) satisfying \(l \mapsto l'\) and \(\varvec{x} \in G(l, l')\).

The update function can be decomposed into three functions \(\mathrm {Up}_D : L_{AD} \rightarrow V \times \mathcal {B}(\mathbb {R}^V, \mathbb {R})\), \(\mathrm {Up}_P : L_{AP} \rightarrow V \times \mathcal {D}(\mathbb {R})\) and \(\mathrm {Up}_N : L_{AN} \rightarrow V \times \mathcal {B}(\mathbb {R})\), under a suitable decomposition \(L_A = L_{AD} \cup L_{AP} \cup L_{AN}\) of assignment locations. The elements of \(L_{AD}\), \(L_{AP} \) and \(L_{AN}\) represent deterministic, probabilistic and nondeterministic assignments, respectively. See e.g. [33].

figure b

An example of a pCFG is shown on the right. It models the program in Fig. 1. The node \(l_4\) is a nondeterministic location. \(\mathrm {Unif}(-2, 1)\) is the uniform distribution on the interval \([-2, 1]\).

A configuration of a pCFG \(\varGamma \) is a pair \((l, \varvec{x}) \in L \times \mathbb {R}^V\) of a location and a valuation. We regard the set \(S= L \times \mathbb {R}^V\) of configurations is equipped with the product topology where L is equipped with the discrete topology. We say a configuration \((l', \varvec{x}')\) is a successor of \((l, \varvec{x})\), if \(l\mapsto l'\) and the following hold.

  • If \(l \in L_D\), then \(\varvec{x}' = \varvec{x}\) and \(\varvec{x} \in G(l, l')\).    – If \(l \in L_N \cup L_P\), then \(\varvec{x}' = \varvec{x}\).

  • If \(l \in L_A\), then \(\varvec{x}' = {\varvec{x}}({x_j} \leftarrow {a})\), where \({\varvec{x}}({x_j} \leftarrow {a})\) denotes the vector obtained by replacing the \(x_j\)-component of \(\varvec{x}\) by a. Here \(x_{j}\) is such that \(\mathrm {Up}(l) = (x_j, u)\), and a is chosen as follows: (1) \(a = u(\varvec{x})\) if \(u \in \mathcal {B}(\mathbb {R}^V, \mathbb {R})\); (2) \(a \in \mathrm {supp}(u)\) if \(u \in \mathcal {D}(\mathbb {R})\); and (3) \(a \in u\) if \(u \in \mathcal {B}(\mathbb {R})\).

An invariant of a pCFG \(\varGamma \) is a measurable set \(I \in \mathcal {B}(S)\) such that \((l_{\mathrm {init}}, \varvec{x}_{\mathrm {init}}) \in I\) and I is closed under taking successors (i.e. if \(c \in I\) and \(c'\) is a successor of c then \(c' \in I\)). Use of invariants is a common technique in automated synthesis of supermartingales [1]: it restricts configuration spaces and thus makes the constraints on supermartingales weaker. It is also common to take an invariant as a measurable set [1]. A run of \(\varGamma \) is an infinite sequence of configurations \(c_0 c_1 \dots \) such that \(c_0\) is the initial configuration \((l_{\mathrm {init}}, \varvec{x}_{\mathrm {init}})\) and \(c_{i+1}\) is a successor of \(c_i\) for each i. Let \(\mathrm {Run}({\varGamma })\) be the set of runs of \(\varGamma \).

A scheduler resolves nondeterminism: at a location in \(L_{N}\cup L_{AN}\), it chooses a distribution of next configurations depending on the history of configurations visited so far. Given a pCFG \(\varGamma \) and a scheduler \(\sigma \) of \(\varGamma \), a probability measure \(\nu _{\sigma }^{\varGamma }\) on \(\mathrm {Run}({\varGamma })\) is defined in the usual manner. See [22, Appendix B] for details.

Definition 2.2

(reaching time \(T_{C}^{\varGamma }, T_{C,\sigma }^{\varGamma }\)). Let \(\varGamma \) be a pCFG and \(C\subseteq S\) be a set of configurations called a destination. The reaching time to C is a function \(T_C^{\varGamma } : \mathrm {Run}({\varGamma }) \rightarrow [0, \infty ]\) defined by \( (T_C^{\varGamma })(c_{0}c_{1}\cdots ) = {\mathrm {argmin}}_{i\in \mathbb {N}} (c_{i}\in C) \). Fixing a scheduler \(\sigma \) makes \(T_{C}^{\varGamma }\) a random variable, since \(\sigma \) determines a probability measure \(\nu _{\sigma }^{\varGamma }\) on \(\mathrm {Run}({\varGamma })\). It is denoted by \(T_{C,\sigma }^{\varGamma }\).

Runtimes of pCFGs are a special case of reaching times, namely to the set of terminating configurations.

The following higher moments are central to our framework. Recall that we are interested in demonic schedulers, i.e. those which make runtimes longer.

Definition 2.3

(\( \mathbb {M}_{C, \sigma }^{\varGamma , k}\) and \(\overline{\mathbb {M}}_{C}^{\varGamma , k}\)). Assume the setting of Definition 2.2, and let \(k\in \mathbb {N}\) and \(c \in S\). We write \(\mathbb {M}_{C, \sigma }^{\varGamma , k}(c)\) for the k-th moment of the reaching time of \(\varGamma \) from c to C under the scheduler \(\sigma \), i.e. that is, \( \mathbb {M}_{C, \sigma }^{\varGamma , k}(c) = \mathbb {E}[{(T^{\varGamma _c}_{C,\sigma })^k}] = \int (T^{\varGamma _c}_C)^k\, \mathrm {d} \nu _{\sigma }^{\varGamma _c} \) where \(\varGamma _c\) is a pCFG obtained from \(\varGamma \) by changing the initial configuration to c. Their supremum under varying \(\sigma \) is denoted by \( \overline{\mathbb {M}}_{C}^{\varGamma , k} := \sup _{\sigma } \mathbb {M}_{C, \sigma }^{\varGamma , k} \).

3 Ranking Supermartingale for Higher Moments

We introduce one of the main contributions in the paper, a notion of ranking supermartingale that overapproximates higher moments. It is motivated by the following observation: martingale-based reasoning about the second moment must concur with one about the first moment. We conduct a systematic theoretical extension that features an order-theoretic foundation and vector-valued supermartingales. The theory accommodates nondeterminism and continuous distributions, too. We omit some details and proofs; they are in [22, Appendix C].

The fully general theory for higher moments will be presented in Sect. 3.2; we present its restriction to the second moments in Sect. 3.1 for readability.

Prior to these, we review the existing theory of ranking supermartingales, through the lens of order-theoretic fixed points. In doing so we follow [33].

Definition 3.1

(“nexttime” operation \(\overline{\mathbb {X}}\) (pre-expectation)). Given \(\eta : S\rightarrow [0, \infty ]\), let \(\overline{\mathbb {X}} \eta : S\rightarrow [0, \infty ]\) be the function defined as follows.

  • If \(l \in L_D\) and \(\varvec{x} \vDash G(l, l')\), then \((\overline{\mathbb {X}} \eta ) (l, \varvec{x}) = \eta (l', \varvec{x})\).

  • If \(l \in L_P\), then \((\overline{\mathbb {X}} \eta ) (l, \varvec{x}) = \sum _{l \mapsto l'} \mathrm {Pr}_l(l') \eta (l', \varvec{x})\).

  • If \(l \in L_N\), then \((\overline{\mathbb {X}} \eta ) (l, \varvec{x}) = \sup _{l \mapsto l'} \eta (l', \varvec{x})\).

  • If \(l \in L_A\), \(\mathrm {Up}(l) = (x_j, u)\) and \(l \mapsto l'\), if \(u \in \mathcal {B}(\mathbb {R}^V, \mathbb {R})\), then \((\overline{\mathbb {X}} \eta ) (l, \varvec{x}) = \eta (l', {\varvec{x}}({x_j} \leftarrow {u(\varvec{x})}))\); if \(u \in \mathcal {D}(\mathbb {R})\), then \((\overline{\mathbb {X}} \eta ) (l, \varvec{x}) = \int _{\mathbb {R}} \eta (l', {\varvec{x}}({x_j} \leftarrow {y}))\, \mathrm {d} u(y)\); and if \(u \in \mathcal {B}(\mathbb {R})\), then \((\overline{\mathbb {X}} \eta ) (l, \varvec{x}) = \sup _{y \in u} \eta (l', {\varvec{x}}({x_j} \leftarrow {y}))\).

Intuitively, \(\overline{\mathbb {X}} \eta \) is the expectation of \(\eta \) after one transition. Nondeterminism is resolved by the maximal choice.

We define \(F_1 : (S\rightarrow [0, \infty ]) \rightarrow (S\rightarrow [0, \infty ])\) as follows.

The function \(F_1\) is an adaptation of the Bellman operator, a classic notion in the theory of Markov processes. A similar notion is used e.g. in [19]. The function space \((S \rightarrow [0, \infty ])\) is a complete lattice structure, because \([0, \infty ]\) is; moreover \(F_1\) is easily seen to be monotone. It is not hard to see either that the expected reaching time \(\overline{\mathbb {M}}^{\varGamma , 1}_{C}\) to C coincides with the least fixed point \(\mu F_1\).

The following theorem is fundamental in theoretical computer science.

Theorem 3.2

(Knaster–Tarski, [34]). Let \((L, \le )\) be a complete lattice and \(f : L \rightarrow L\) be a monotone function. The least fixed point \(\mu f\) is the least prefixed point, i.e. \(\mu f = \min \{ l \in L \mid f(l) \le l \}\).    \(\square \)

The significance of the Knaster-Tarski theorem in verification lies in the induced proof rule: \(f(l)\le l\Rightarrow \mu f\le l\). Instantiating to the expected reaching time \( \overline{\mathbb {M}}^{\varGamma , 1}_{C}\!=\! \mu F_{1}\), it means \(F_1 (\eta ) \!\le \! \eta \Rightarrow \overline{\mathbb {M}}^{\varGamma , 1}_{C} \!\le \! \eta \), i.e. an arbitrary prefixed point of \(F_{1}\)—which coincides with the notion of ranking supermartingale [4]—overapproximates the expected reaching time. This proves soundness of ranking supermartingales.

3.1 Ranking Supermartingales for the Second Moments

We extend ranking supermartingales to the second moments. It paves the way to a fully general theory (up to the K-th moments) in Sect. 3.2.

The key in the martingale-based reasoning of expected reaching times (i.e. first moments) was that they are characterized as the least fixed point of a function \(F_1\). Here it is crucial that for an arbitrary random variable T, we have \(\mathbb {E}[{T+1}]=\mathbb {E}[{T}]+1\) and therefore we can calculate \(\mathbb {E}[{T+1}]\) from \(\mathbb {E}[{T}]\). However, this is not the case for second moments. As \(\mathbb {E}[{(T+1)^2}] = \mathbb {E}[{T^2}] + 2 \mathbb {E}[{T}] + 1\), calculating the second moment requires not only \(\mathbb {E}[{T^2}]\) but also \(\mathbb {E}[{T}]\). This encourages us to define a vector-valued supermartingale.

Definition 3.3

(time-elapse function \(\mathrm {El}_{1}\)). A function \(\mathrm {El}_{1} \!:\! [0, \infty ]^2 \rightarrow [0, \infty ]^2\) is defined by \(\mathrm {El}_{1}(x_1, x_2) = (x_1 + 1, x_2 + 2 x_1 + 1)\).

Then, an extension of \(F_1\) for second moments can be defined as a combination of the time-elapse function \(\mathrm {El}_{1}\) and the pre-expectation \(\overline{\mathbb {X}}\).

Definition 3.4

(\(F_2\)). Let I be an invariant and \(C \subseteq I\) be a Borel set. We define \(F_2 : (S\rightarrow [0, \infty ]^2) \rightarrow (S\rightarrow [0, \infty ]^2)\) by

$$ (F_2 (\eta )) (c) = {\left\{ \begin{array}{ll} (\overline{\mathbb {X}}(\mathrm {El}_{1} \mathrel {\circ }\eta ))(c) &{} c \in I \setminus C \\ (0, 0) &{} \text {otherwise.} \end{array}\right. } $$

Here \(\overline{\mathbb {X}}\) is applied componentwise: \((\overline{\mathbb {X}} (\eta _1, \eta _2)) (c) = ((\overline{\mathbb {X}} \eta _1) (c), (\overline{\mathbb {X}} \eta _2) (c))\).

We can extend the complete lattice structure of \([0, \infty ]\) to the function space \(S \rightarrow [0, \infty ]^2\) in a pointwise manner. It is a routine to prove that \(F_2\) is monotone with respect to this complete lattice structure. Hence \(F_2\) has the least fixed point. In fact, while \(\overline{\mathbb {M}}^{\varGamma , 1}_{C}\) was characterized as the least fixed point of \(F_1\), a tuple \((\overline{\mathbb {M}}^{\varGamma , 1}_{C}, \overline{\mathbb {M}}^{\varGamma , 2}_{C})\) is not the least fixed point of \(F_2\) (cf. Example 3.8 and Theorem 3.9). However, the least fixed point of \(F_2\) overapproximates the tuple of moments.

Theorem 3.5

For any configuration \(c \in I\), \((\mu F_2) (c) \ge (\overline{\mathbb {M}}^{\varGamma , 1}_{C} (c), \overline{\mathbb {M}}^{\varGamma , 2}_{C} (c))\).    \(\square \)

Let \(T^{\varGamma }_{C, \sigma , n} = \min \{ n, T^{\varGamma }_{C, \sigma } \}\). To prove the above theorem, we inductively prove

$$ \textstyle (F_2)^n(\bot )(c) \ge \left( \int T^{\varGamma _c}_{C, \sigma , n}\, \mathrm {d} \nu _{\sigma }^{\varGamma _c}, \;\int (T^{\varGamma _c}_{C, \sigma , n})^2\, \mathrm {d} \nu _{\sigma }^{\varGamma _c} \right) $$

for each \(\sigma \) and n, and take the supremum. See [22, Appendix C] for more details.

Like ranking supermartingale for first moments, ranking supermartingale for second moments is defined as a prefixed point of \(F_2\), i.e. a function \(\eta \) such that \(\eta \ge F_2 (\eta )\). However, we modify the definition for the sake of implementation.

Definition 3.6

(ranking supermartingale for second moments). A ranking supermartingale for second moments is a function \(\eta : S\rightarrow \mathbb {R}^2\) such that: (i) \(\eta (c) \ge (\overline{\mathbb {X}}(\mathrm {El}_{1} \mathrel {\circ }\eta ))(c)\) for each \(c \in I \setminus C\); and (ii) \(\eta (c) \ge 0\) for each \(c \in I\).

Here, the time-elapse function \(\mathrm {El}_{1}\) captures a positive decrease of the ranking supermartingale. Even though we only have inequality in Theorem 3.5, we can prove the following desired property of our supermartingale notion.

Theorem 3.7

If \(\eta : S\rightarrow \mathbb {R}^2\) is a supermartingale for second moments, then \(\bigl (\overline{\mathbb {M}}^{\varGamma , 1}_{C}(c), \overline{\mathbb {M}}^{\varGamma , 2}_{C}(c)\bigr ) \le \eta (c)\) for each \(c \in I\).    \(\square \)

The following example and theorem show that we cannot replace \(\ge \) with \(=\) in Theorem 3.5 in general, but it is possible in the absence of nondeterminism.

figure c

Example 3.8

The figure on the right shows a pCFG such that \(l_2 \in L_P\) and all the other locations are in \(L_N\), the initial location is \(l_0\) and \(l_{12}\) is a terminating location. For the pCFG, the left-hand side of the inequality in

Theorem 3.5 is \(\mu F_2 (l_0) = \left( 6, 37.5 \right) \). In contrast, if a scheduler \(\sigma \) takes a transition from \(l_1\) to \(l_2\) with probability p, \((\mathbb {M}^{\varGamma , 1}_{C, \sigma }(l_0), \mathbb {M}^{\varGamma , 2}_{C, \sigma }(l_0)) = \left( 6 - \frac{1}{2} p, 36 - \frac{5}{2} p \right) \). Hence the right-hand side is \((\overline{\mathbb {M}}^{\varGamma , 1}_{C}(l_0), \overline{\mathbb {M}}^{\varGamma , 2}_{C}(l_0)) = (6, 36)\).

Theorem 3.9

If \(L_N = L_{AN} = \emptyset \), \(\forall c\in I.\, (\mu F_2) (c) = (\overline{\mathbb {M}}^{\varGamma , 1}_{C}(c), \overline{\mathbb {M}}^{\varGamma , 2}_{C}(c))\).    \(\square \)

3.2 Ranking Supermartingales for the Higher Moments

We extend the result in Sect. 3.1 to moments higher than second.

Firstly, the time-elapse function \(\mathrm {El}_{1}\) is generalized as follows.

Definition 3.10

(time-elapse function \(\mathrm {El}_{1}^{K, k}\)). For \(K\!\in \!\mathbb {N}\) and \(k\!\in \!\{1, \dots , K\}\), a function \(\mathrm {El}_{1}^{K, k} : [0, \infty ]^K \rightarrow [0, \infty ]\) is defined by \(\mathrm {El}_{1}^{K, k}(x_1, \dots , x_K) = 1 + \sum _{j=1}^k \left( {\begin{array}{c}k\\ j\end{array}}\right) x_j\). Here \(\left( {\begin{array}{c}k\\ j\end{array}}\right) \) is the binomial coefficient.

Again, a monotone function \(F_K\) is defined as a combination of the time-elapse function \(\mathrm {El}_{1}^{K, k}\) and the pre-expectation \(\overline{\mathbb {X}}\).

Definition 3.11

(\(F_K\)). Let I be an invariant and \(C \subseteq I\) be a Borel set. We define \(F_K : (S\rightarrow [0, \infty ]^K) \rightarrow (S\rightarrow [0, \infty ]^K)\) by \(F_K(\eta )(c) = (F_{K, 1}(\eta )(c), \dots ,\) \( F_{K, K}(\eta )(c))\), where \(F_{K, k} : (S\rightarrow [0, \infty ]^K) \rightarrow (S\rightarrow [0, \infty ])\) is given by

$$ (F_{K, k} (\eta )) (c) = {\left\{ \begin{array}{ll} (\overline{\mathbb {X}}(\mathrm {El}_{1}^{K, k} \mathrel {\circ }\eta ))(c) &{} c \in I \setminus C \\ 0 &{} \text {otherwise.} \\ \end{array}\right. } $$

As in Definition 3.6, we define a supermartingale as a prefixed point of \(F_K\).

Definition 3.12

(ranking supermartingale for K-th moments). We define \(\eta _1, \dots , \eta _K : S\rightarrow \mathbb {R}\) by \((\eta _1(c), \dots , \eta _K(c)) = \eta (c)\). A ranking supermartingale for K-th moments is a function \(\eta : S\rightarrow \mathbb {R}^K\) such that for each k, (i) \(\eta _k(c) \ge (\overline{\mathbb {X}} (\mathrm {El}_{1}^{K, k} \mathrel {\circ }\eta _k))(c)\) for each \(c \in I \setminus C\); and (ii) \(\eta _k(c) \ge 0\) for each \(c \in I\).

For higher moments, we can prove an analogous result to Theorem 3.7.

Theorem 3.13

If \(\eta \) is a supermartingale for K-th moments, then for each \(c \in I\), \((\overline{\mathbb {M}}^{\varGamma , 1}_{C}(c), \dots , \overline{\mathbb {M}}^{\varGamma , K}_{C}(c)) \le \eta (c)\).    \(\square \)

4 From Moments to Tail Probabilities

We discuss how to obtain upper bounds of tail probabilities of runtimes from upper bounds of higher moments of runtimes. Combined with the result in Sect. 3, it induces a martingale-based method for overapproximating tail probabilities.

We use a concentration inequality. There are many choices of concentration inequalities (see e.g. [3]), and we use a variant of Markov’s inequality. We prove that the concentration inequality is not only sound but also complete in a sense.

Formally, our goal is to calculate is an upper bound of \(\mathrm {Pr}({T^{\varGamma }_{C, \sigma } \ge d})\) for a given deadline \(d > 0\), under the assumption that we know upper bounds \(u_1, \dots , u_K\) of moments \(\mathbb {E}[{T^{\varGamma }_{C, \sigma }}], \dots , \mathbb {E}[{(T^{\varGamma }_{C, \sigma })^K}]\). In other words, we want to overapproximate \(\sup _{\mu } \mu ([d, \infty ])\) where \(\mu \) ranges over the set of probability measures on \([0, \infty ]\) satisfying \(\left( \int x\, \mathrm {d}\mu (x), \dots , \int x^K\, \mathrm {d}\mu (x) \right) \le (u_1, \dots , u_K)\).

To answer this problem, we use a generalized form of Markov’s inequality.

Proposition 4.1

(see e.g. [3, §2.1]). Let X be a real-valued random variable and \(\phi \) be a nondecreasing and nonnegative function. For any \(d \in \mathbb {R}\) with \(\phi (d) > 0\),

$$\begin{aligned} \mathrm {Pr}({X \ge d}) \le \frac{\mathbb {E}[{\phi (X)}]}{\phi (d)} . \end{aligned}$$

   \(\square \)

By letting \(\phi (x) = x^k\) in Proposition 4.1, we obtain the following inequality. It gives an upper bound of the tail probability that is “tight.”

Proposition 4.2

Let X be a nonnegative random variable. Assume \(\mathbb {E}[{X^k}] \le u_k\) for each \(k \in \{ 0, \dots , K \}\). Then, for any \(d > 0\),

$$\begin{aligned} \mathrm {Pr}({X \ge d}) \le \min _{0 \le k \le K} \frac{u_k}{d^k}. \end{aligned}$$
(1)

Moreover, this upper bound is tight: for any \(d > 0\), there exists a probability measure such that the above equation holds.

Proof

The former part is immediate from Proposition 4.1. For the latter part, consider \(\mu = p \delta _d + (1-p) \delta _0\) where \(\delta _x\) is the Dirac measure at x and p is the value of the right-hand side of (1).    \(\square \)

By combining Theorem 3.13 with Proposition 4.2, we obtain the following corollary. We can use it for overapproximating tail probabilities.

Corollary 4.3

Let \(\eta : S\rightarrow \mathbb {R}^K\) be a ranking supermartingale for K-th moments. For each scheduler \(\sigma \) and a deadline \(d > 0\),

$$\begin{aligned} \mathrm {Pr}({T^{\varGamma }_{C, \sigma } \ge d}) \le \min _{0 \le k \le K} \frac{\eta _k(l_{\mathrm {init}}, \varvec{x}_{\mathrm {init}})}{d^k}. \end{aligned}$$
(2)

Here \(\eta _0, \dots , \eta _K\) are defined by \(\eta _0(c) = 1\) and \(\eta (c) = (\eta _1(c), \dots , \eta _K(c))\).    \(\square \)

Note that if \(K = 1\), Corollary 4.3 is essentially the same as [5, Thm 4]. Note also that for each K there exists \(d>0\) such that \(\frac{\eta _K(l_{\mathrm {init}}, \varvec{x}_{\mathrm {init}})}{d^K}=\min _{0 \le k \le K} \frac{\eta _k(l_{\mathrm {init}}, \varvec{x}_{\mathrm {init}})}{d^k}\). Hence higher moments become useful in overapproximating tail probabilities as d gets large. Later in Sect. 6, we demonstrate this fact experimentally.

5 Template-Based Synthesis Algorithm

We discuss an automated synthesis algorithm that calculates an upper bound for the k-th moment of the runtime of a pCFG using a supermartingale in Definitions 3.6 or 3.12. It takes a pCFG \(\varGamma \), an invariant I, a set \(C \subseteq I\) of configurations, and a natural number K as input and outputs an upper bound of K-th moment.

Our algorithm is adapted from existing template-based algorithms for synthesizing a ranking supermartingale (for first moments)  [4, 6, 7]. It fixes a linear or polynomial template with unknown coefficients for a supermartingale and using numerical methods like linear programming (LP) or semidefinite programming (SDP), calculate a valuation of the unknown coefficients so that the axioms of ranking supermartingale for K-th moments are satisfied.

We hereby briefly explain the algorithms. See [22, Appendix D] for details.

Linear Template. Our linear template-based algorithm is adapted from [4, 7]. We should assume that \(\varGamma \), I and C are all “linear” in the sense that expressions appearing in \(\varGamma \) are all linear and I and C are represented by linear inequalities. To deal with assignments from a distribution like \(x:=\mathrm {Norm}(0,1)\), we also assume that expected values of distributions appearing in \(\varGamma \) are known.

The algorithm first fixes a template for a supermartingale: for each location l, it fixes a K-tuple \( \bigl ( \sum _{j=1}^{|V|} a^l_{j, 1} x_j + b^l_{1}, \ldots , \sum _{j}^{|V|} a^l_{j, K} x_j + b^l_{K} \bigr ) \) of linear formulas. Here each \(a^l_{j,i}\) and \(b^l_i\) are unknown variables called parameters. The algorithm next collects conditions on the parameters so that the tuples constitute a ranking supermartingale for K-th moments. It results in a conjunction of formulas of a form \(\varphi _1\ge 0\wedge \cdots \wedge \varphi _m\ge 0\,\Rightarrow \, \psi \ge 0\). Here \(\varphi _1,\ldots ,\varphi _m\) are linear formulas without parameters and \(\psi \) is a linear formula where parameters linearly appear in the coefficients. By Farkas’ lemma (see e.g. [29, Cor 7.1h]) we can turn such formulas into linear inequalities over parameters by adding new variables. Its feasibility is efficiently solvable with an LP solver. We naturally wish to minimize an upper bound of the K-th moment, i.e. the last component of \(\eta (l_{\mathrm {init}}, \varvec{x}_{\mathrm {init}})\). We can minimize it by setting it to the objective function of the LP problem.

Polynomial Template. The polynomial template-based algorithm is based on [6]. This time, \(\varGamma \), I and C can be “polynomial.” To deal with assignments of distributions, we assume that the n-th moments of distributions in \(\varGamma \) are easily calculated for each \(n\in \mathbb {N}\). It is similar to the linear template-based one.

It first fixes a polynomial template for a supermartingale, i.e. it assigns each location l a K-tuple of polynomial expressions with unknown coefficients. Likewise the linear template-based algorithm, the algorithm reduces the axioms of supermartingale for higher moments to a conjunction of formulas of a form \(\varphi _1\ge 0\wedge \cdots \wedge \varphi _m\ge 0\,\Rightarrow \,\psi \ge 0\). This time, each \(\varphi _i\) is a polynomial formula without parameters and \(\psi \) is a polynomial formula whose coefficients are linear formula over the parameters. In the polynomial case, a conjunction of such formula is reduced to an SDP problem using a theorem called Positivstellensatz (we used a variant called Schmüdgen’s Positivstellensatz [28]). We solve the resulting problem using an SDP solver setting \(\eta (l_{\mathrm {init}}, \varvec{x}_{\mathrm {init}})\) as the objective function.

6 Experiments

We implemented two programs in OCaml to synthesize a supermartingale based on (a) a linear template and (b) a polynomial template. The programs translate a given randomized program to a pCFG and output an LP or SDP problem as described in Sect. 5. An invariant I and a terminal configuration C for the input program are specified manually. See e.g. [20] for automatic synthesis of an invariant. For linear templates, we have used GLPK (v4.65) [12] as an LP solver. For polynomial templates, we have used SOSTOOLS (v3.03) [31] (a sums of squares optimization tool that internally uses an SDP solver) on Matlab (R2018b). We used SDPT3 (v4.0) [30] as an SDP solver. The experiments were carried out on a Surface Pro 4 with an Intel Core i5-6300U (2.40 GHz) and 8 GB RAM. We tested our implementation for the following two programs and their variants, which were also used in the literature [7, 19]. Their code is in [22, Appendix E].

Coupon collector’s problem. A probabilistic model of collecting coupons enclosed in cereal boxes. There exist n types of coupons, and one repeatedly buy cereal boxes until all the types of coupons are collected. We consider two cases: (1-1) \(n=2\) and (1-2) \(n=4\). We tested the linear template program for them.

Random walk. We used three variants of 1-dimensional random walks: (2-1) integer-valued one, (2-2) real-valued one with assignments from continuous distributions, (2-3) with adversarial nondeterminism; and two variants of 2-dimensional random walks (2-4) and (2-5) with assignments from continuous distributions and adversarial nondeterminism. We tested both the linear and the polynomial template programs for these examples.

Experimental results. We measured execution times needed for Step 1 in Fig. 2. The results are in Table 1. Execution times are less than 0.2 s for linear template programs and several minutes for polynomial template programs. Upper bounds of tail probabilities obtained from Proposition 4.2 are in Fig. 3.

Fig. 3.
figure 3

Upper bounds of the tail probabilities (except (2-5)). Each gray line is the value of \(\frac{u_k}{d^k}\) where \(u_k\) is the best upper bound in Table 1 of k-th moments and d is a deadline. Each black line is the minimum of gray lines, i.e. the upper bound by Proposition 4.2. The red lines in (1-1), (1-2) and (2-1) show the true tail probabilities calculated analytically. The red points in (2-2) show tail probabilities calculated by Monte Carlo sampling where the number of trials is 100000000. We did not calculate the true tail probabilities nor approximate them for (2-4) and (2-5) because these examples seem difficult to do so due to nondeterminism. (Color figure online)

Full size image
Table 1. Upper bounds of the moments of runtimes. “-” indicates that the LP or SDP solver returned “infeasible”. The “degree” column shows the degree of the polynomial template used in the experiments.
Full size table
Fig. 4.
figure 4

A variant of (2-2).

Full size image

We can see that our method is applicable even with nondeterministic branching ((2-3), (2-4) and (2-5)) or assignments from continuous distributions ((2-2), (2-4) and (2-5)). We can use a linear template for bounding higher moments as long as there exists a supermartingale for higher moments representable by linear expressions ((1-1), (1-2) and (2-3)). In contrast, for (2-1), (2-2) and (2-4), only a polynomial template program found a supermartingale for second moments.

It is expectable that the polynomial template program gives a better bound than the linear one because a polynomial template is more expressive than a linear one. However, it did not hold for some test cases, probably because of numerical errors of the SDP solver. For example, (2-1) has a supermartingale for third moments that can be checked by a hand calculation, but the SDP solver returned “infeasible” in the polynomial template program. It appears that our program fails when large numbers are involved (e.g. the third moments of (2-1), (2-2) and (2-3)). We have also tested a variant of (2-1) where the initial position is multiplied by 10000. Then the SDP solver returned “infeasible” in the polynomial template program while the linear template program returns a nontrivial bound. Hence it seems that numerical errors are likely to occur to the polynomial template program when large numbers are involved.

Figure 3 shows that the bigger the deadline d is, the more useful higher moments become (cf. a remark just after Corollary 4.3). For example, in (1-2), an upper bound of \(\mathrm {Pr}({T^{\varGamma }_{C, \sigma } \ge 100})\) calculated from the upper bound of the first moment is 0.680 while that of the fifth moment is 0.105.

To show the merit of our method compared with sampling-based methods, we calculated a tail probability bound for a variant of (2-2) (shown in Fig. 4 on p. 12) with a deadline \(d = 10^{11}\). Because of its very long expected runtime, a sampling-based method would not work for it. In contrast, the linear template-based program gave an upper bound \(\mathrm {Pr}({T^{\varGamma }_{C, \sigma } \ge 10^{11}}) \le 5000000025 / 10^{11} \approx 0.05\) in almost the same execution time as (2-2) (\(<0.02\) s).

7 Related Work

Martingale-Based Analysis of Randomized Programs. Martingale-based methods are widely studied for the termination analysis of randomized programs. One of the first is ranking supermartingales, introduced in [4] for proving almost sure termination. The theory of ranking supermartingales has since been extended actively: accommodating nondeterminism [1, 6, 7, 11], syntax-oriented composition of supermartingales [11], proving properties beyond termination/reachability [13], and so on. Automated template-based synthesis of supermartingales by constraint solving has been pursued, too [1, 4, 6, 7].

Other martingale-based methods that are fundamentally different from ranking supermartingales have been devised, too. They include: different notions of repulsing supermartingales for refuting termination (in [8, 33]; also studied in control theory [32]); and multiply-scaled submartingales for underapproximating reachability probabilities [33, 36]. See [33] for an overview.

In the literature on martingale-based methods, the one closest to this work is [5]. Among its contribution is the analysis of tail probabilities. It is done by either of the following combinations: (1) difference-bounded ranking supermartingales and the corresponding Azuma’s concentration inequality; and (2) (not necessarily difference-bounded) ranking supermartingales and Markov’s concentration inequality. When we compare these two methods with ours, the first method requires repeated martingale synthesis for different parameter values, which can pose a performance challenge. The second method corresponds to the restriction of our method to the first moment; recall that we showed the advantage of using higher moments, theoretically (Sect. 4) and experimentally (Sect. 6). See [22, Appendix F.1] for detailed discussions. Implementation is lacking in [5], too.

We use Markov’s inequality to calculate an upper bound of \(\mathrm {Pr}({T_{\mathrm {run}} \ge d})\) from a ranking supermartingale. In [7], Hoeffding’s and Bernstein’s inequalities are used for the same purpose. As the upper bounds obtained by these inequalities are exponentially decreasing with respect to d, they are asymptotically tighter than our bound obtained by Markov’s inequality, assuming that we use the same ranking supermartingale. However, Hoeffding’s and Bernstein’s inequalities are applicable to limited classes of ranking supermartingales (so-called difference-bounded and incremental ones, respectively). There exists a randomized program whose tail probability for runtimes is decreasing only polynomially (not exponentially, see [22, Appendix G]); this witnesses that there are cases where the methods in [7] do not apply but ours can.

The work [1] is also close to ours in that their supermartingales are vector-valued. The difference is in the orders: in [1] they use the lexicographic order between vectors, and they aim to prove almost sure termination. In contrast, we use the pointwise order between vectors, for overapproximating higher moments.

The Predicate-Transformer Approach to Runtime Analysis. In the runtime/termination analysis of randomized programs, another principal line of work uses predicate transformers [2, 17, 19], following the precedent works on probabilistic predicate transformers such as [21, 25]. In fact, from the mathematical point of view, the main construct for witnessing runtime/termination in those predicate transformer calculi (called invariants, see e.g. in [19]) is essentially the same thing as ranking supermartingales. Therefore the difference between the martingale-based and predicate-transformer approaches is mostly the matter of presentation—the predicate-transformer approach is more closely tied to program syntax and has a stronger deductive flavor. It also seems that there is less work on automated synthesis in the predicate-transformer approach.

In the predicate-transformer approach, the work [17] is the closest to ours, in that it studies variance of runtimes of randomized programs. The main differences are as follows: (1) computing tail probabilities is not pursued [17]; (2) their extension from expected runtimes to variance involves an additional variable \(\tau \), which poses a challenge in automated synthesis as well as in generalization to even higher moments; and (3) they do not pursue automated analysis. See Appendix F.2 of the extended version [22] for further details.

Higher Moments of Runtimes. Computing and using higher moments of runtimes of probabilistic systems—generalizing randomized programs—has been pursued before. In [9], computing moments of runtimes of finite-state Markov chains is reduced to a certain linear equation. In the study of randomized algorithms, the survey [10] collects a number of methods, among which are some tail probability bounds using higher moments. Unlike ours, none of these methods are language-based static ones. They do not allow automated analysis.

Other Potential Approaches to Tail Probabilities. We discuss potential approaches to estimating tail probabilities, other than the martingale-based one.

Sampling is widely employed for approximating behaviors of probabilistic systems; especially so in the field of probabilistic programming languages, since exact symbolic reasoning is hard in presence of conditioning. See e.g. [35]. We also used sampling to estimate tail probabilities in (2-2), Fig. 3. The main advantages of our current approach over sampling are threefold: (1) our upper bounds come with a mathematical guarantee, while the sampling bounds can always be erroneous; (2) it requires ingenuity to sample programs with nondeterminism; and (3) programs whose execution can take millions of years can still be analyzed by our method in a reasonable time, without executing them. The latter advantage is shared by static, language-based analysis methods in general; see e.g. [2].

Another potential method is probabilistic model checkers such as PRISM [23]. Their algorithms are usually only applicable to finite-state models, and thus not to randomized programs in general. Nevertheless, fixing a deadline d can make the reachable part \(S_{\le d}\) of the configuration space S finite, opening up the possibility of use of model checkers. It is an open question how to do so precisely, and the following challenges are foreseen: (1) if the program contains continuous distributions, the reachable part \(S_{\le d}\) becomes infinite; (2) even if \(S_{\le d}\) is finite, one has to repeat (supposedly expensive) runs of a model checker for each choice of d. In contrast, in our method, an upper bound for the tail probability \(\mathrm {Pr}({T_{\mathrm {run}} \ge d})\) is symbolically expressed as a function of d (Proposition 4.2). Therefore, estimating tail probabilities for varying d is computationally cheap.

8 Conclusions and Future Work

We provided a technique to obtain an upper bound of the tail probability of runtimes given a randomized algorithm and a deadline. We first extended the ordinary ranking supermartingale notion using the order-theoretic characterization so that it can calculate upper bounds of higher moments of runtimes for randomized programs. Then by using a suitable concentration inequality, we introduced a method to calculate an upper bound of tail probabilities from upper bounds of higher moments. Our method is not only sound but also complete in a sense. Our method was obtained by combining our supermartingale and the concentration inequality. We also implemented an automated synthesis algorithm and demonstrated the applicability of our framework.

Future Work. Example 3.8 shows that our supermartingale is not complete: it sometimes fails to give a tight bound for higher moments. Studying and improving the incompleteness is one possible direction of future work. For example, the following questions would be interesting: Can bounds given by our supermartingale be arbitrarily bad? Can we remedy the completeness by restricting the type of nondeterminism? Can we define a complete supermartingale?

Making our current method compositional is another direction of future research. Use of continuations, as in [18], can be a technical solution.

We are also interested in improving the implementation. The polynomial template program failed to give an upper bound for higher moments because of numerical errors (see Sect. 6). We wish to remedy this situation. There exist several studies for using numerical solvers for verification without affected by numerical errors [14,15,16, 26, 27]. We might make use of these works for improvements.