Abstract

The probabilistic guarded-command language pGCL [Carroll Morgan, Annabelle McIver. pGCL: formal reasoning for random algorithms. South African Computer Journal (1999)] contains both demonic and probabilistic nondeterminism, which makes it suitable for reasoning about distributed random algorithms [Carroll Morgan. Proof rules for probabilistic loops. In Proceedings of the BCS-FACS 7th Refinement Workshop. He Jifeng, John Cooke and Peter Wallis (eds). Springer Verlag Workshops in Computing, 1996]. Proofs are based on weakest precondition semantics, using an underlying logic of real- (rather than Boolean-) valued functions. We present a mechanization of the quantitative logic for pGCL [Carroll Morgan, Annabelle McIver, and Karen Seidel. Probabilistic predicate transformers. ACM Transactions on Programming Languages and Systems, 18(3): 325–353, May 1996] using the HOL theorem prover [M.J.C. Gordon and T.F. Melham. Introduction to HOL (A theorem-proving environment for higher order logic). Cambridge University Press, 1993], including a proof that all pGCL commands satisfy the new condition of sublinearity, the quantitative generalization of conjunctivity for standard GCL [E.W. Dijkstra. A Discipline of Programming. Prentice Hall, 1976]. The mechanized theory also supports the creation of an automatic proof tool which takes as input an annotated pGCL program and its partial correctness specification, and derives from that a sufficient set of verification conditions. This is employed to verify the partial correctness of the probabilistic voting stage in Rabin's mutual-exclusion algorithm [Eyal Kushilevitz and Michael O. Rabin. Randomized mutual exclusion algorithms revisited. In Maurice Herlihy, editor, Proceedings of the 11th Annual Symposium on Principles of Distributed Computing, pages 275–283, Vancouver, BC, Canada, August 1992. ACM Press].
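The abstract refers to the real-valued weakest-precondition ("expectation transformer") semantics of pGCL and to sublinearity as the quantitative analogue of conjunctivity. The following Python sketch is an added illustration of those two ideas and is not part of the paper or its HOL mechanization: it interprets a small pGCL fragment (skip, assignment, sequencing, probabilistic choice, demonic choice, conditional) over a finite state space, computes pre-expectations, and checks the sublinearity inequality on a constructed program. The mini-AST constructors, the example program and the post-expectations are all constructed here for illustration.

```python
"""Expectation-transformer (wp) semantics for a pGCL fragment (added illustration).

States map variable names to integers; expectations are functions from states
to non-negative reals.  The wp rules are the standard pGCL ones:
  wp.skip.A = A            wp.(x:=e).A = A[e/x]         wp.(P;Q).A = wp.P.(wp.Q.A)
  wp.(P p+ Q).A = p*wp.P.A + (1-p)*wp.Q.A               (probabilistic choice)
  wp.(P [] Q).A = min(wp.P.A, wp.Q.A)                    (demonic choice)
"""
from itertools import product

# Constructed mini-AST; the real pGCL syntax and the paper's HOL encoding differ.
def skip():               return ("skip",)
def assign(var, expr):    return ("assign", var, expr)      # expr: state -> int
def seq(*cmds):           return ("seq", cmds)
def prob(p, left, right): return ("prob", p, left, right)   # left taken with prob p
def demon(left, right):   return ("demon", left, right)     # adversary picks branch
def cond(b, left, right): return ("if", b, left, right)     # b: state -> bool

def wp(cmd, post):
    """Weakest pre-expectation of `cmd` with respect to post-expectation `post`."""
    tag = cmd[0]
    if tag == "skip":
        return post
    if tag == "assign":
        _, var, expr = cmd
        return lambda s: post({**s, var: expr(s)})          # substitution A[e/x]
    if tag == "seq":
        pre = post
        for c in reversed(cmd[1]):                          # right-to-left composition
            pre = wp(c, pre)
        return pre
    if tag == "prob":
        _, p, left, right = cmd
        wl, wr = wp(left, post), wp(right, post)
        return lambda s: p * wl(s) + (1 - p) * wr(s)        # weighted average
    if tag == "demon":
        _, left, right = cmd
        wl, wr = wp(left, post), wp(right, post)
        return lambda s: min(wl(s), wr(s))                  # worst case for us
    if tag == "if":
        _, b, left, right = cmd
        wl, wr = wp(left, post), wp(right, post)
        return lambda s: wl(s) if b(s) else wr(s)
    raise ValueError(f"unknown command {tag}")

def indicator(pred):
    """Embed a Boolean predicate as the {0,1}-valued expectation [pred]."""
    return lambda s: 1.0 if pred(s) else 0.0

def states(var_ranges):
    """Enumerate a finite state space, e.g. states({'x': range(2), 'y': range(2)})."""
    names = list(var_ranges)
    return [dict(zip(names, vals)) for vals in product(*(var_ranges[n] for n in names))]

def is_sublinear(cmd, A, B, c1, c2, c, space, eps=1e-9):
    """Sublinearity:  wp.P.(c1*A + c2*B (-) c)  >=  c1*wp.P.A + c2*wp.P.B (-) c
    pointwise over `space`, where (-) is truncated subtraction max(., 0)."""
    combo = lambda s: max(c1 * A(s) + c2 * B(s) - c, 0.0)
    lhs, wA, wB = wp(cmd, combo), wp(cmd, A), wp(cmd, B)
    return all(lhs(s) + eps >= max(c1 * wA(s) + c2 * wB(s) - c, 0.0) for s in space)

# Constructed example: a fair coin sets x, then an adversary sets y.
#   x := 0  1/2+  x := 1 ;  ( y := x  []  y := 1 )
coin_then_adversary = seq(
    prob(0.5, assign("x", lambda s: 0), assign("x", lambda s: 1)),
    demon(assign("y", lambda s: s["x"]), assign("y", lambda s: 1)),
)
SPACE = states({"x": range(2), "y": range(2)})

def prob_x_equals_y():
    """Guaranteed probability of x == y afterwards, as a set over all start states."""
    pre = wp(coin_then_adversary, indicator(lambda s: s["x"] == s["y"]))
    return {pre(s) for s in SPACE}                          # {0.5}: adversary can only hurt

def demonic_choice_is_not_linear():
    """Demonic choice is sublinear but not linear: wp(A+B) may exceed wp(A)+wp(B)."""
    p = demon(assign("x", lambda s: 0), assign("x", lambda s: 1))
    A, B = indicator(lambda s: s["x"] == 0), indicator(lambda s: s["x"] == 1)
    s0 = {"x": 0}
    sum_of_wps = wp(p, A)(s0) + wp(p, B)(s0)                # min(1,0) + min(0,1) = 0
    wp_of_sum = wp(p, lambda s: A(s) + B(s))(s0)            # min(1,1) = 1
    return sum_of_wps, wp_of_sum

if __name__ == "__main__":
    print("Pr[x == y] >=", prob_x_equals_y())
    print("wp(A)+wp(B) vs wp(A+B) under demonic choice:", demonic_choice_is_not_linear())
    print("sublinear on sample:", is_sublinear(
        coin_then_adversary, indicator(lambda s: s["x"] == 1),
        indicator(lambda s: s["y"] == 1), 0.7, 0.3, 0.2, SPACE))
```

The pre-expectation 1/2 for `x == y` is the worst-case bound over the adversary's choice, which is the demonic reading the abstract relies on for distributed algorithms such as Rabin's voting stage. The second function shows why the quantitative logic settles for sublinearity rather than linearity: taking a minimum is superadditive, so `wp(A+B)` can be strictly larger than `wp(A)+wp(B)`, while the sublinearity inequality still holds; `is_sublinear` checks it exhaustively on the finite sample space.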

Full Text
Paper version not known
