On the Relative Completeness of Satisfaction-based Probabilistic Hoare Logic With While Loop

Xin Sun xin.sun.logic@gmail.com Zhejiang LabHangzhouZhejiangChina , Xingchi Su x.su1993@gmail.com Zhejiang LabHangzhouZhejiangChina , Xiaoning Bian bian@zhejianglab.com Zhejiang LabHangzhouZhejiangChina and Anran Cui 52265902013@stu.ecnu.edu.cn East China Normal UniversityShanghaiChina

(2018)

Abstract.

Probabilistic Hoare logic (PHL) is an extension of Hoare logic and is specifically useful in verifying randomized programs. It allows researchers to formally reason about the behavior of programs with stochastic elements, ensuring the desired probabilistic properties are upheld. The relative completeness of satisfaction-based PHL has been an open problem ever since the birth of the first PHL in 1979. More specifically, no satisfaction-based PHL with While-loop has been proven to be relatively complete yet. This paper solves this problem by establishing a new PHL with While-loop and prove its relative completeness. The programming language concerned in our PHL is expressively equivalent to the existing PHL systems but brings a lot of convenience in showing completeness. The weakest preterm for While-loop command reveals how it changes the probabilistic properties of computer states, considering both execution branches that halt and infinite runs. We prove the relative completeness of our PHL in two steps. We first establish a semantics and proof system of Hoare triples with probabilistic programs and deterministic assertions. Then, by utilizing the weakest precondition of deterministic assertions, we construct the weakest preterm calculus of probabilistic expressions. The relative completeness of our PHL is then obtained as a consequence of the weakest preterm calculus.

Hoare logic, Probabilistic program, Relative completeness, Formal verification, Weakest precondition

^†^†copyright: acmlicensed^†^†journalyear: 2018^†^†doi: XXXXXXX.XXXXXXX^†^†conference: Make sure to enter the correct conference title from your rights confirmation emai; October 14-18, 2024; Salt Lake City, U.S.A.^†^†isbn: 978-1-4503-XXXX-X/18/06

1. Introduction

Hoare Logic. Hoare logic provides a formalization with logical rules on reasoning about the correctness of programs. It was originally designed by C. A. R. Hoare in 1969 in his seminal paper (Hoare, 1969) which was in turn extended by himself in (Hoare, 1971a). The underpinning idea captures the precondition and postcondition of executing a certain program. The precondition describes the property that the command relies on as a start. The postcondition describes the property that the command must lead to after each correct execution. Hoare logic has become one of the most influential tools in the formal verification of programs in the past decades. It has been successfully applied in analysis of deterministic (Hoare, 1969, 1971a; Winskel, 1993), nondeterministic (Dijkstra, 1975, 1976; Apt, 1984), recursive (Hoare, 1971b; Foley and Hoare, 1971; Apt et al., 2009b), probabilistic (Ramshaw, 1979; Den Hartog and de Vink, 2002; Chadha et al., 2007; Rand and Zdancewic, 2015) and quantum programs (Ying, 2011; Liu et al., 2019; Unruh, 2019; Zhou et al., 2019; Deng and Feng, 2022). A comprehensive review of Hoare logic is referred to Apt, Boer, and Olderog (Apt et al., 2009a; Apt and Olderog, 2019).

Probabilistic Hoare Logic. Probabilistic Hoare logic (PHL) (Ramshaw, 1979; Den Hartog and de Vink, 2002; Chadha et al., 2007; Rand and Zdancewic, 2015) is an extension of Hoare logic. It introduces probabilistic commands to handle programs with randomized behavior, providing tools to derive probabilistic assertions that guarantee a program fulfills its intended behavior with certain probabilities. Nowadays PHL plays important roles in the formal verification of cryptographic algorithm (Corin and den Hartog, 2005; den Hartog, 2008; Barthe et al., 2009, 2012, 2013), machine learning algorithm (Sutskever et al., 2013; Srivastava et al., 2014) and others systems involving uncertainty.

Ramshaw (Ramshaw, 1979) developed the first Probabilistic Hoare Logic (PHL) using a truth-functional assertion language, where logic formulas are interpreted as either true or false. This type of PHL is called satisfaction-based PHL within the Hoare logic community. There are two types of formulas in this logic: deterministic formulas and probabilistic formulas. The truth value of deterministic formulas is interpreted on program states, which are functions that map program variables to their values. On the other hand, the truth value of probabilistic formulas is interpreted on the probability distribution of program states. However, Ramshaw’s PHL is incomplete and may not be able to prove some simple and valid assertions.

To address this problem, expectation-based PHL was introduced in a series of work (Kozen, 1985; Jones, 1990; Morgan et al., 1996; Morgan and McIver, 1999). This approach employs arithmetical assertions instead of truth-functional assertions. In this context, a Hoare triple $\{f\}C\{g\}$ represents that the expected value of the function $g$ after the execution of program $C$ should be at least as high as the expected value of the function $f$ before the execution.

Different Probabilistic Commands. Satisfaction-based PHL was developed further by den Hartog, Vink and Ricardo (Den Hartog and de Vink, 2002; Corin and den Hartog, 2005; den Hartog, 2008). Their PHL captures randomized behaviors by probabilistic choices, where the command $S_{1}$ is chosen with probability $\rho$ and the command $S_{2}$ is chosen with probability $1-\rho$ , represented as $S_{1}\oplus_{\rho}S_{2}$ . They also provide a denotational semantics accordingly and establish the completeness of the proof system without a while-loop. On the other hand, Chadha et al. (Chadha et al., 2007) constructed their PHL by incorporating randomness from tossing a biased coin. They showed that their PHL without the while-loop is complete and decidable. Rand and Zdancewic (Rand and Zdancewic, 2015) established the randomness of their PHL by also using a biased coin. They formally verified their logic in the Coq proof assistant.

Our Contribution. While recent work (Batz et al., 2021) has proved that expectation-based PHL with the While loop is relatively complete, the work to date has not proven the relative completeness of any satisfaction-based PHL with the While loop. This is just the main contribution of this paper. To elaborate:

(1)

We propose a new satisfaction-based PHL in which the randomness is introduced by the command of probabilistic assignment, i.e., $X\xleftarrow{\$}\{a_{1}:k_{1},...,a_{n}:k_{n}\}$ . This construction makes our logic concise in expressing random assignments with respect to discrete distribution, which are commonly seen in areas of cryptography, computer vision, coding theory and biology (Gordon et al., 2014). For example, in cryptographic algorithms, almost all nonces are chosen from some prepared discrete distributions on integers, rational or real numbers. Similarly, in the phase of parameter setting, a machine learning algorithm would choose parameters from a distribution over floating point numbers w.r.t. with some accuracy (discrete as well). The probabilistic assignment also brings a lot of convenience to the completeness proof since it can be treated as a probabilistic extension of the normal assignment. It is also expressively equivalent to the existing randomized commands, like probabilistic choices and biased coins.
(2)

We find out the appropriate weakest preterm for probabilistic expressions w.r.t. While-loop. It shows how While-loop changes the probabilistic properties of computer states, considering both execution branches that halt and infinite runs. As a preview, we prove the relative completeness of our PHL in two steps. We first establish a proof system of Hoare triples with deterministic assertions. Then, by utilizing the weakest precondition of deterministic assertions, we construct the weakest preterm calculus of probabilist expressions. The relative completeness of our PHL is then obtained as an application of the weakest preterm calculus.

The outline of this paper is as follows. We first introduce our PHL with deterministic assertions in Section 2. We define the denotational semantics of deterministic assertions, construct a proof system and show that it is sound and relatively complete. Then Section 3 introduces the proof system for probabilistic assertions based on weakest preconditions and proves that it is relatively complete as well. We conclude this paper with future work in Section 4.

2. Probabilistic Hoare Logic with Deterministic Assertion

Hoare logic is a formal system that reasons about ”Hoare triples” of the form $\{\phi\}C\{\psi\}$ . A Hoare triple characterizes the effect of a command $C$ on the states that satisfy the precondition $\phi$ , which means that if a program state satisfies $\phi$ , it must also satisfy the postcondition $\psi$ after the correct execution of $C$ on the state. These assertions, also known as formulas, are built from deterministic and probabilistic expressions and will be defined in this section and the next. The commands $C$ are based on classical program statements such as assignment, conditional choice, while loop, and so on. This section will focus on the deterministic formulas.

2.1. Deterministic Expressions and Formulas

Let $\mathbb{PV}=\{X,Y,Z,\ldots\}$ be a set of program variables denoted by capital letters. Let $\mathbb{LV}=\{x,y,z,\ldots\}$ be a set of logical variables. We assume $\mathbb{LV}$ and $\mathbb{PV}$ are disjoint. Program variables are those variables that may occur in programs. They constitute deterministic expressions. Deterministic expressions are classified into arithmetic expression $E$ and Boolean expression $B$ . The arithmetic expression consists of integer constant $n\in\mathbb{Z}$ and variables from $\mathbb{PV}$ . It also involves arithmetic operators between these components. The arithmetic operator set is defined as $\{+,-,\times,...\}\subseteq\mathbb{Z}\times\mathbb{Z}\rightarrow\mathbb{Z}$ . In contrast, logical variables are used only in assertions.

Definition 2.1 (Arithmetic expressions).

Given a set of program variables $\mathbb{PV}$ , we define the arithmetic expression $E$ as follows:

$E:=n\mid X\mid(E\ aop\ E)$ .

This syntax allows an arithmetic expression ( $E$ ) to be either an integer constant ( $n$ ), a program variable ( $X$ ), or a composition of two arithmetic expressions ( $E\ aop\ E$ ) built by an arithmetic operation ( $aop$ ). They intuitively represent integers in programs.

The Boolean constant set is $\mathbb{B}=\{\top,\bot\}$ . We define relational operators ( $rop$ ) to be performed on arithmetic expressions including $\{>,<,\geq,=,\leq,...\}\subseteq\mathbb{Z}\times\mathbb{Z}\rightarrow\mathbb{B}$ . And logical operators, e.g., $\wedge,\vee,\neg,\rightarrow,...$ , can be applied to any Boolean expressions.

Definition 2.2 (Boolean expressions).

The Boolean expression is defined as follows:

$B:=\top\mid\bot\mid(E\ rop\ E)\mid\neg B\mid(B\ lop\ B).$

A Boolean expression represents some truth value, true or false. The expression $(E\ rop\ E)$ represents that the truth value is determined by the binary relation $rop$ between two integers.

The semantics of deterministic expressions is defined on deterministic states $S$ which are denoted as mappings $S:\mathbb{PV}\rightarrow\mathbb{Z}$ . Let $\mathbb{S}$ be the set of all deterministic states. Each state $S\in\mathbb{S}$ is a description of the value of every program variable. Accordingly, the semantics of arithmetic expressions is $[\![E]\!]:\ \mathbb{S}\rightarrow\mathbb{Z}$ which maps each deterministic state to an integer. Analogously, the semantics of Boolean expressions is $[\![B]\!]:\ \mathbb{S}\rightarrow\mathbb{B}$ which maps each state to a Boolean value.

Definition 2.3 (Semantics of deterministic expressions).

The semantics of deterministic expressions are defined inductively as follows:

$[\![X]\!]S$	=	$S(X)$
$[\![n]\!]S$	=	$n$
$[\![E_{1}\ aop\ E_{2}]\!]S$	=	$[\![E_{1}]\!]S\ aop\ [\![E_{2}]\!]S$
$[\![\top]\!]S$	=	$\top$
$[\![\bot]\!]S$	=	$\bot$
$[\![E_{1}\ rop\ E_{2}]\!]S$	=	$[\![E_{1}]\!]S\ rop\ [\![E_{2}]\!]S$
$[\![\neg B]\!]S$	=	$\neg[\![B]\!]S$
$[\![B_{1}\ lop\ B_{2}]\!]S$	=	$[\![B_{1}]\!]S\ lop\ [\![B_{2}]\!]S$

As mentioned above, the interpretation of an arithmetic expression is an integer. A program variable $X$ on a deterministic state is interpreted as its value on the state. A constant is always itself over any state. An arithmetic expression $E_{1}\ aop\ E_{2}$ is mapped to the integer calculated by the operator $aop$ applied on the interpretation of $E_{1}$ and the interpretation of $E_{2}$ on the state. The Boolean expressions can be understood similarly. For example, let $S$ be a state such that $S(X)=1$ and $S(Y)=2$ . Then $[\![X\ +\ 1]\!]S=2$ and $[\![(X+2\leq 3)\wedge\ (X+Y=3)]\!]S=\top$ .

Next we define deterministic formulas based on deterministic expressions.

Definition 2.4 (Syntax of deterministic formulas).

The deterministic formulas are defined by the following BNF:

$\phi:=\top\mid\bot\mid(e\ rop\ e)\mid\neg\phi\mid(\phi\ lop\ \phi)\mid\forall x\phi$

where $e$ represents arithmetic expression build on $\mathbb{LV}\cup\mathbb{PV}$ :

$e:=n\mid X\mid x\mid(e\ aop\ e)$ .

We restricts $lop$ to the classical operators: $\neg$ and $\wedge$ . $\vee$ and $\to$ can be expressed in the standard way. The formula $\forall x\phi$ applies universal quantifier to the logical variable $x$ in formula $\phi$ .

An interpretation $I:\mathbb{LV}\mapsto\mathbb{Z}$ is a function which maps logical variables to integers. Given an interpretation $I$ and a deterministic state $S$ , the semantics of $e$ is defined as follows.

$[\![n]\!]^{I}S$	=	$n$
$[\![X]\!]^{I}S$	=	$S(X)$
$[\![x]\!]^{I}S$	=	$I(x)$
$[\![E_{1}\ aop\ E_{2}]\!]^{I}S$	=	$[\![E_{1}]\!]^{I}S\ aop\ [\![E_{2}]\!]^{I}S$

The semantics of a deterministic formula is denoted by $[\![\phi]\!]^{I}=\{S\mid S\models^{I}\phi\}$ which represents the set of all states satisfying $\phi$ .

Definition 2.5 (Semantics of deterministic formulas).

The semantics of deterministic formulas is defined inductively as follows:

$[\![\top]\!]^{I}$	=	$\mathbb{S}$
$[\![\bot]\!]^{I}$	=	$\emptyset$
$[\![e_{1}\ rop\ e_{2}]\!]^{I}$	=	$\{S\in\mathbb{S}\mid[\![e_{1}]\!]^{I}S\ rop\ [\![e_{2}]\!]^{I}S=\top\}$
$[\![\neg\phi]\!]^{I}$	=	$\mathbb{S}\backslash[\![\phi]\!]^{I}$
$[\![\phi_{1}\wedge\phi_{2}]\!]^{I}$	=	$[\![\phi_{1}]\!]^{I}\cap[\![\phi_{2}]\!]^{I}$
$[\![\forall x\phi]\!]$	$=$	$\{S\mid$ for all integer $n$ and $I^{\prime}=I[x\mapsto n]$ , $S\models^{I^{\prime}}\phi\}$

The $[\![\top]\!]^{I}$ defaults to all deterministic states $\mathbb{S}$ , while $[\![\bot]\!]^{I}$ is interpreted as the empty set. The symbol $\backslash$ denotes complement, and $[\![\neg\phi]\!]^{I}$ represents the set of remaining states in $\mathbb{S}$ after removing all states satisfying $\phi$ . The logical operations $\wedge$ and $\vee$ between formulas can be interpreted as intersection and union operation of state sets which satisfy corresponding formulas, respectively. And the formula $\forall x\phi$ is satisfied on a deterministic state with interpretation $I$ if and only if $\phi$ is true with respect to all interpretations $I^{\prime}$ which assigns the same values to every variable as $I$ except $x$ .

For example, let $S$ be a state such that $S(X)=1$ and let $I(x)=3$ . The deterministic formula $\forall x((x>0)\to(x+X>X))$ is satisfied on $S$ , i.e. $S\models^{I}\forall x(x>0\to x+X>X)$ . It is also valid (satisfied on arbitrary state and interpretation).

2.2. Commands

Commands are actions that we perform on program states. They change a deterministic state to a probabilistic distribution of deterministic states. We introduce the probabilistic assignment command to capture the randomized executions of probabilistic programs.

Definition 2.6 (Syntax of command expressions).

The commands are defined inductively as follows:

$C:=\texttt{skip}\mid X\leftarrow E\mid X\xleftarrow[]{\$}R\mid C_{1};C_{2}\mid% \texttt{if}\ B\ \texttt{then}\ C_{1}\ \texttt{else}\ C_{2}\mid\texttt{while}% \mbox{ }B\mbox{ }\texttt{do}\mbox{ }C$

where $R=\{a_{1}:k_{1},\cdots,a_{n}:k_{n}\}$ in which $\{k_{1},\cdots,k_{n}\}$ is a set of integers and $a_{1},\ldots,a_{n}$ are real numbers such that $0\leq a_{i}\leq 1$ and $a_{1}+\ldots+a_{n}=1$ . We omit those $a_{i}$ s when they are all equal to $\frac{1}{n}$ . $B$ is deterministic formula.

The command skip represents a null command doing nothing. $X\leftarrow E$ is the deterministic assignment. $C_{1};C_{2}$ is the sequential composition of $C_{1}$ and $C_{2}$ as usual. The last two expressions are the conditional choice and loop, respectively. $X\xleftarrow[]{\$}R$ can be read as a value $k_{i}$ is chosen with probability $a_{i}$ and is assigned to $X$ . The probabilistic assignment is the way to introduce randomness in this paper. It is worth noting that the language we use for command expressions is just as expressive as the languages that are constructed by using biased coins or probabilistic choices. This can be easily understood through an example: a probabilistic choice $C_{1}\oplus_{\frac{1}{3}}C_{2}$ is equivalent to the following program in our language (assuming that $X$ is a new program variable):

X\xleftarrow[]{\$}\{\frac{1}{3}:0,\frac{2}{3}:1\};\texttt{if}\ (X=0)\ \texttt{% then}\ C_{1}\ \texttt{else}\ C_{2}

The semantics of commands is defined on probabilistic states. It shows how different commands update probabilistic states. A probabilistic state, denoted by $\mu$ , is a probability sub-distribution on deterministic states, i.e., $\mu\in D(\mathbb{S})$ . Thus, each $\mu:\mathbb{S}\to[0,1]$ requires that $\Sigma_{S\in\mathbb{S}}\mu(S)\leq 1$ . We use sub-distributions to take into account the situations where some programs may never terminate in certain states. For a deterministic state $S\in\mathbb{S}$ , $\mu_{S}$ is a special probabilistic state that assigns the value of 1 to $S$ and the value of 0 to any other state. We call it the probabilistic form of a deterministic state. A deterministic state $S$ is considered to be a support of $\mu$ if $\mu(S)>0$ . The set of all supports of $\mu$ is denoted by $sp(\mu)$ .

Definition 2.7 (Semantics of command expressions).

The semantics of commands is a function $[\![C]\!]\in D(\mathbb{S})\rightarrow D(\mathbb{S})$ . It is defined inductively as follows:

•

$[\![\texttt{skip}]\!](\mu)=\mu$
•

$[\![X\leftarrow E]\!](\mu)=\displaystyle\sum\limits_{S\in\mathbb{S}}\mu(S)% \cdot\mu_{S[X\mapsto[\![E]\!]S]}$
•

$[\![X\xleftarrow{\$}\{a_{1}:k_{1},...,a_{n}:k_{n}\}]\!](\mu)=\displaystyle\sum% _{i=1}^{n}a_{i}[\![X\leftarrow k_{i}]\!](\mu)$
•

$[\![C_{1};\ C_{2}]\!](\mu)=[\![C_{2}]\!]([\![C_{1}]\!](\mu))$
•

$[\![\texttt{if}\ B\ \texttt{then}\ C_{1}\ \texttt{else}\ C_{2}]\!](\mu)=[\![C_% {1}]\!](\downarrow_{B}(\mu))+[\![C_{2}]\!](\downarrow_{\neg B}(\mu))$
•

$[\![\texttt{while}\mbox{ }B\mbox{ }\texttt{do}\mbox{ }C]\!](\mu)=\displaystyle% \sum_{i=0}^{\infty}\downarrow_{\neg B}(([\![C]\!]\circ\downarrow_{B})^{i}(\mu))$

The command skip changes nothing. We write $S[X\mapsto[\![E]\!]S]$ to denote the state which assigns variables the same values as $S$ except that the variable $X$ is assigned the value $[\![E]\!]S$ . Here $\downarrow_{B}(\mu)$ denotes the distribution $\mu$ restricted to those states where $B$ is true. Formally, $\downarrow_{B}(\mu)=v$ with $v(S)=\mu(S)$ if $[\![B]\!]S=\top$ and $v(S)=0$ otherwise. We can write $[\![C]\!]S$ to denote $[\![C]\!]\mu_{S}$ if the initial state is deterministic.

In general, if $\mu=[\![C]\!]S$ , $S^{\prime}\in sp(\mu)$ and $\mu(S^{\prime})=a$ . Then it means that executing command $C$ from state $S$ will terminate on state $S^{\prime}$ with probability $a$ .

Example 2.8.

Let $R=\{\frac{1}{2}:0,\frac{1}{2}:1\}$ and let $S$ be a deterministic state such that $S(X)=1$ . If we run the command $X\xleftarrow{\$}R$ on $S$ , then distribution $[\![X\xleftarrow{\$}\{\frac{1}{2}:0,\frac{1}{2}:1\}]\!]\mu_{S}=\frac{1}{2}(\mu% _{S[X\mapsto 0]})+\frac{1}{2}(\mu_{S[X\mapsto 1]})$ is obtained.

Example 2.9.

Let 0 be the probabilistic state that maps every deterministic state to 0. For any probabilistic state $\mu$ ,

[\![\texttt{while}\mbox{ }\top\mbox{ }\texttt{do}\mbox{ }\texttt{skip}]\!](\mu% )=\textbf{ 0}.

This is because

[\![\texttt{while}\mbox{ }\top\mbox{ }\texttt{do}\mbox{ }\texttt{skip}]\!](\mu)=

\displaystyle\sum_{i=0}^{\infty}\downarrow_{\neg(\top)}(([\![\texttt{skip}]\!]% \circ\downarrow_{\top})^{i}(\mu))=

\downarrow_{\neg(\top)}(\mu)+\downarrow_{\neg(\top)}(([\![\texttt{skip}]\!]% \circ\downarrow_{\top})(\mu))+\downarrow_{\neg(\top)}(([\![\texttt{skip}]\!]% \circ\downarrow_{\top})^{2}(\mu))+\ldots

It’s easy to see that $\downarrow_{\neg(\top)}(\mu)=\textbf{ 0}$ and $([\![\texttt{skip}]\!]\circ\downarrow_{\top})^{k}(\mu)=\mu$ for all $k$ . Therefore, $[\![\texttt{while}\mbox{ }\top\mbox{ }\texttt{do}\mbox{ }\texttt{skip}]\!](\mu% )=\textbf{ 0}$ . The statement implies that certain programs that never terminate result in probabilistic states 0.

Example 2.10.

Assume that there are two variables $X,Y$ and infinitely many states $S_{0},S_{1},\ldots$ where $S_{0}(X)=0,S_{0}(Y)=0$ , $S_{i}(X)=1,S_{i}(Y)=i$ for all $i>0$ . Consider the command $C:=\texttt{while}\mbox{ }X=0\mbox{ }\texttt{do}\mbox{ }(X\leftarrow\{\frac{1}{% 2}:0,\frac{1}{2}:1\};Y\leftarrow Y+1)$ . If we let $\mu=[\![C]\!](S_{0})$ , then $\mu(S_{0})=0$ and $\mu(S_{i})=\frac{1}{2^{i}}$ for all $i>0$ .

Definition 2.5 gives the semantics of deterministic formulas over deterministic states. A deterministic formula describes some property of deterministic states. But how to evaluate a deterministic formula on probabilistic states? The semantics is given as follows:

$\mu\models^{I}\phi$ iff for each support $S$ of $\mu$ , $S\in[\![\phi]\!]^{I}$ .

We call it possibility semantics because the definition intuitively means that a formula $\phi$ is true on a probabilistic state if and only if $\phi$ is true on all possible deterministic states indicated by the probabilistic state. That implies that all supports of a distribution share a common property. Hence we can claim that the distribution satisfies the formula. The possibility semantics makes our PHL with deterministic formula (PHL_d) essentially equivalent to Dijkstra’s non-deterministic Hoare logic (Dijkstra, 1975). However, the former serves as a better intermediate step towards PHL with probabilistic formulas than the latter. Therefore, we will still present PHL_d in detail, especially the weakest precondtion calculus of PHL_d, which is not concretely introduced in non-deterministic Hoare logic.

2.3. Proof System with deterministic assertions

A proof system for PHL is comprised of Hoare triples. A Hoare triple, written as $\{\phi\}C\{\psi\}$ , is considered valid if, for every deterministic state that satisfies $\phi$ , executing command C results in a probabilistic state that satisfies $\psi$ . Formally,

$\models\{\phi\}C\{\psi\}$ if for all interpretation $I$ and deterministic state $S$ , if $S\models^{I}\phi$ , then $[\![C]\!](\mu_{S})\models^{I}\psi$ .

We now build a proof system for PHL_d for the derivation of Hoare triples with probabilistic commands and deterministic assertions. Most rules in our proof system are standard, and they are inherited from Hoare logic or natural deduction (Apt and Olderog, 2019). Only one new rule for probabilistic assignment is added, along with some structural rules. The symbol $\phi[X/E]$ represents the formula which replaces every occurrence of $X$ in $\phi$ with $E$ .

Definition 2.11 (Proof system of PHL_d).

The proof system of PHL_d consists of the following inference rules:

$SKIP:$	$\frac{}{\vdash\{\phi\}\texttt{skip}\{\phi\}}$
$AS:$	$\frac{}{\vdash\{\phi[X/E]\}X\leftarrow E\{\phi\}}$
$PAS:$	$\frac{}{\vdash\{\phi[X/k_{1}]\wedge\ldots\wedge\phi[X/k_{n}]\}X\xleftarrow{\$}% \{a_{1}:k_{1},...,a_{n}:k_{n}\}\{\phi\}}$
$SEQ:$	$\frac{\vdash\{\phi\}C_{1}\{\phi_{1}\}\quad\vdash\{\phi_{1}\}C_{2}\{\phi_{2}\}}% {\vdash\{\phi\}C_{1};C_{2}\{\phi_{2}\}}$
$IF:$	$\frac{\vdash\{\phi\wedge B\}C_{1}\{\psi\}\quad\vdash\{\phi\wedge\neg B\}C_{2}% \{\psi\}}{\vdash\{\phi\}\texttt{if}\ B\ \texttt{then}\ C_{1}\ \texttt{else}\ C% _{2}\{\psi\}}$
$CONS:$	$\frac{\models\phi^{\prime}\rightarrow\phi\quad\vdash\{\phi\}C\{\psi\}\quad% \models\psi\rightarrow\psi^{\prime}}{\vdash\{\phi^{\prime}\}C\{\psi^{\prime}\}}$
$AND:$	$\frac{\vdash\{\phi_{1}\}C\{\psi_{1}\}\quad\vdash\{\phi_{2}\}C\{\psi_{2}\}}{% \vdash\{\phi_{1}\wedge\phi_{2}\}C\{\psi_{1}\wedge\psi_{2}\}}$
$OR:$	$\frac{\vdash\{\phi_{1}\}C\{\psi_{1}\}\quad\vdash\{\phi_{2}\}C\{\psi_{2}\}}{% \vdash\{\phi_{1}\vee\phi_{2}\}C\{\psi_{1}\vee\psi_{2}\}}$
$WHILE:$	$\frac{\vdash\{\phi\wedge B\}C\{\phi\}}{\vdash\{\phi\}\texttt{while}\mbox{ }B% \mbox{ }\texttt{do}\mbox{ }C\{\phi\wedge\neg B\}}$

The majority of the above inference rules are easy to comprehend. $(CONS)$ is special since it involves semantically valid implications in the premise part. It characterizes the monotonicity of Hoare triples, which means that a stronger precondition must also lead to the same postcondition or some weaker one. In rule $(WHILE)$ , formula $\phi$ is called loop invariant which will not be changed by command $C$ . In the remaining part of this section, we prove the soundness and completeness of PHL_d. Most of the proofs are similar to their analogue in classical Hoare logic, the confident readers may feel free to skip them.

Theorem 2.12 (Soundness).

For all deterministic formula $\phi$ and $\psi$ and command $C$ , $\vdash\{\phi\}C\{\psi\}$ implies $\models\{\phi\}C\{\psi\}$ .

Proof.

We prove by structural induction on $C$ . Let $I$ be an arbitrary interpretation.

•

(SKIP) It’s trivial to see that that $\models\{\phi\}\texttt{skip}\{\phi\}$ .
•

(AS) Assume $S\models^{I}\phi[X/E]$ . This means that $\phi$ is true if the variable $X$ is assigned to the value $[\![E]\!]S$ and all other values are assigned to a value according to $S$ . Let $S^{\prime}=[\![X\leftarrow E]\!](S)=S[X\mapsto[\![E]\!]S]$ . Then $S^{\prime}$ assigns $X$ to the value $[\![E]\!]S$ and all other variables to the same value as $S$ . Therefore, $S^{\prime}\models^{I}\phi$ .
•

(PAS) Assume $S\models^{I}\phi[X/k_{1}]\wedge\ldots\wedge\phi[X/k_{n}]$ . This means that $\phi$ is true if the variable $X$ is assigned to the any of $\{k_{1},\ldots,k_{n}\}$ and all other values are assigned to a value according to $S$ . Let $\mu^{\prime}=[\![X\xleftarrow{\$}\{a_{1}:k_{1},...,a_{n}:k_{n}\}]\!](\mu_{S})$ . Then $\mu^{\prime}$ is a distribution with support $\{S_{1},\ldots,S_{n}\}$ , where $S_{i}=S[X\mapsto k_{i}]$ for $i\in\{1,\ldots,n\}$ . Since $S_{i}$ assigns $X$ to the value $k_{i}$ and all other variables to the same value as $S$ . We know that $S_{i}\models^{I}\phi$ . This means that $\phi$ is true on all supports of $\mu^{\prime}$ . Therefore, $\mu^{\prime}\models^{I}\phi$ .
•

(SEQ) If rule (SEQ) is used to derive $\vdash\{\phi\}C_{1};C_{2}\{\phi_{2}\}$ from $\vdash\{\phi\}C_{1}\{\phi_{1}\}$ and $\vdash\{\phi_{1}\}C_{2}\{\phi_{2}\}$ , then by induction hypothesis we have $\models\{\phi\}C_{1}\{\phi_{1}\}$ and $\models\{\phi_{1}\}C_{2}\{\phi_{2}\}$ . Assume $S\in[\![\phi]\!]^{I}$ . Let $S^{\prime}\in sp([\![C_{1};C_{2}]\!](\mu_{S}))$ be an arbitrary state which belongs to the support of $[\![C_{1};C_{2}]\!](\mu_{S})$ . From $[\![C_{1};C_{2}]\!](\mu_{S})=[\![C_{2}]\!]([\![C_{1}]\!](\mu_{S}))$ we know that there is a state $S_{1}\in sp([\![C_{1}]\!](\mu_{S}))$ such that $S^{\prime}\in sp([\![C_{2}]\!](\mu_{S_{1}}))$ . Now by $\models\{\phi\}C_{1}\{\phi_{1}\}$ we know that $[\![C_{1}]\!](\mu_{S})\models^{I}\phi_{1}$ and $S_{1}\models^{I}\phi_{1}$ . By $\models\{\phi_{1}\}C_{2}\{\phi_{2}\}$ we know that $[\![C_{2}]\!](\mu_{S_{1}})\models^{I}\phi_{2}$ and $S^{\prime}\models^{I}\phi_{2}$ .
•

(IF) Assume $S\in[\![\phi]\!]^{I}$ , $\vdash\{\phi\wedge B\}C_{1}\{\psi\}$ and $\vdash\{\phi\wedge\neg B\}C_{2}\{\psi\}$ . By induction hypothesis we know that $\models\{\phi\wedge B\}C_{1}\{\psi\}$ and $\models\{\phi\wedge\neg B\}C_{2}\{\psi\}$ . Let $S^{\prime}$ be an arbitrary state which belongs to $sp([\![\texttt{if}\ B\ \texttt{then}\ C_{1}\ \texttt{else}\ C_{2}]\!](\mu_{S}))$ .

Since $S$ is a deterministic state, we know that either $S\in[\![B]\!]$ or $S\in[\![\neg B]\!]$ .
- –
  
  If $S\in[\![B]\!]$ , then $[\![\texttt{if}\ B\ \texttt{then}\ C_{1}\ \texttt{else}\ C_{2}]\!](\mu_{S})=[% \![C_{1}]\!](\downarrow_{B}(\mu_{S}))=[\![C_{1}]\!](\mu_{S})$ . Hence $S^{\prime}\in sp([\![C_{1}]\!](\mu_{S}))$ . From $S\in[\![\phi]\!]^{I}$ and $S\in[\![B]\!]$ we know that $S\models^{I}\phi\wedge B$ . Now by $\models\{\phi\wedge B\}C_{1}\{\psi\}$ we deduce that $[\![C_{1}]\!](\mu_{S})\models^{I}\psi$ . Therefore, $S^{\prime}\models^{I}\psi$ .
- –
  
  If $S\in[\![\neg B]\!]$ , then $[\![\texttt{if}\ B\ \texttt{then}\ C_{1}\ \texttt{else}\ C_{2}]\!](\mu_{S})=[% \![C_{2}]\!](\downarrow_{\neg B}(\mu_{S}))=[\![C_{2}]\!](\mu_{S})$ . Hence $S^{\prime}\in sp([\![C_{2}]\!](\mu_{S}))$ . From $S\in[\![\phi]\!]^{I}$ and $S\in[\![\neg B]\!]$ we know that $S\models^{I}\phi\wedge\neg B$ . Now by $\models\{\phi\wedge\neg B\}C_{2}\{\psi\}$ we deduce that $[\![C_{2}]\!](\mu_{S})\models^{I}\psi$ . Therefore, $S^{\prime}\models^{I}\psi$ .
•

(CONS) Assume $\models\phi^{\prime}\rightarrow\phi$ , $\vdash\{\phi\}C\{\psi\}$ and $\models\psi\rightarrow\psi^{\prime}$ . By induction hypothesis we obtain that $\models\{\phi\}C\{\psi\}$ . Let $S$ be a state such that $S\models^{I}\phi^{\prime}$ . Then by $\models\phi^{\prime}\rightarrow\phi$ we know that $S\models^{I}\phi$ . By $\models\{\phi\}C\{\psi\}$ we know that $[\![C]\!](S)\models^{I}\psi$ . Hence $S^{\prime}\models^{I}\psi$ for all $S^{\prime}$ which belongs to $sp([\![C]\!](S))$ . Now by $\models\psi\rightarrow\psi^{\prime}$ we know that $S^{\prime}\models^{I}\psi^{\prime}$ .
•

(AND) Assume $\vdash\{\phi_{1}\}C\{\psi_{1}\}$ and $\vdash\{\phi_{2}\}C\{\psi_{2}\}$ . By induction hypothesis we know that $\models\{\phi_{1}\}C\{\psi_{1}\}$ and $\models\{\phi_{2}\}C\{\psi_{2}\}$ . Let $S$ be a state such that $S\models^{I}\phi_{1}\wedge\phi_{2}$ . Let $S^{\prime}$ be a state in $sp([\![C]\!](S))$ . Then $S\models^{I}\phi_{1}$ and by $\models\{\phi_{1}\}C\{\psi_{1}\}$ we have $[\![C]\!](S)\models^{I}\psi_{1}$ . Hence $S^{\prime}\models^{I}\psi_{1}$