Lexicographic Ranking Supermartingales with
Lazy Lower Bounds

Background 1: Lexicographic RFs with different non-negativity conditions. Ranking function (RF) is one of the most well-studied tools for verifying program termination. An RF is typically a real-valued function over program states that satisfies: (a) the ranking condition, which requires an RF to decrease its value by a constant through each transition; and (b) the non-negativity condition, which imposes a lower bound on the value of the RF so that its infinite descent through transitions is prohibited. The existence of such a function implies termination of the underlying program, and therefore, one can automate verification of program termination by RF synthesis algorithms.

Improving the applicability of RF synthesis algorithms, i.e., making them able to prove termination of a wider variety of programs, is one of the core interests in the study of RF. A lexicographic extension of RF (LexRF) [BradleyMS05, Ben-AmramG15] is known as a simple but effective approach to the problem. Here, a LexRF is a function to real-valued vectors instead of the reals, and its ranking condition is imposed with respect to the lexicographic order. For example, the value of a LexRF may change from $(1,1,1)$ to $(1,0,2)$ through a state transition; here, the value “lexicographically decreases by 1” through the transition, that is, it decreases by 1 in some dimension while it is non-increasing on the left to that dimension. LexRF is particularly good at handling nested structures of programs, as vectors can measure the progress of different “phases” of programs separately. LexRF is also used in top-performing termination provers (e.g., [ultimateAutomizer]).

There are several known ways to impose non-negativity on LexRFs (see also Fig. 1): (a) Strong non-negativity, which requires non-negativity in every dimension of the LexRF; (b) leftward non-negativity, which requires non-negativity on the left of the ranking dimension of each transition, i.e., the dimension where the value of the LexRF should strictly decrease through the transition; and (c) single-component non-negativity, which requires non-negativity only in the ranking dimensions. It is known that any of these non-negativity conditions makes the resulting LexRF sound [BradleyMS05, Ben-AmramG15], i.e., a program indeed terminates whenever it admits a LexRF with either of these non-negativity conditions. For better applicability, single-component non-negativity is the most preferred, as it is the weakest constraint among the three.

Such a probabilistic extension has been actively studied, in fact: probabilistic programs are used in e.g., stochastic network protocols [parker2013verification], randomized algorithms [dubhashi2009concentration, karp1991introduction], security [barthe2016proving, lobo2021programming, barthe2016programming], and planning [canal2019probabilistic]; and there is a rich body of studies in RSM as a tool for automated verification of probabilistic programs (see §8). Similar to the RF case, a lexicographic extension of RSM (LexRSM, [AgrawalCP18, ChatterjeeGNZZ21]) is an effective approach to improve its applicability. In addition to its advantages over nested structures, LexRSM can also witness almost-sure termination of certain probabilistic programs with infinite expected runtime [AgrawalCP18, Fig. 2]; certifying such programs is known as a major challenge for RSMs.

Problem: Sound probabilistic extension of LexRF with weaker non-negativity. strongly non-negative LexRF soundly extends to LexRSM in a canonical way [AgrawalCP18], i.e., basically by changing the clause “decrease by a constant” in the ranking condition of LexRF to “decrease by a constant in expectation”. In contrast, the similar extension of leftward or single-component non-negative LexRF yields an unsound LexRSM notion [ferrer2015probabilistic, ChatterjeeGNZZ21]. To date, a sound LexRSM with the weakest non-negativity in the literature is Generalized LexRSM (GLexRSM) [ChatterjeeGNZZ21], which demands leftward non-negativity and an additional one, so-called expected leftward non-negativity. Roughly speaking, the latter requires LexRSMs to be non-negative in each dimension (in expectation) upon “exiting” the left of the ranking dimension. For example, in Fig. 1, it requires $b_{2}$ to be non-negative, as the second dimension of $\boldsymbol{\eta}$ “exits” the left of the ranking dimension upon the transition $\ell_{1}\rightarrow\ell_{2}$. GLexRSM does not generalize either leftward or single-component non-negative LexRF, in the sense that the former is strictly more restrictive than the latter two when it is considered over non-probabilistic programs.

These results do not mean that leftward or single-component non-negative LexRF can never be extended to LexRSM, however. More concretely, the following problem is valid (see the last paragraph of $\S$3 for a formal argument):

KEY PROBLEM: Find a sound LexRSM notion that instantiates¹¹1 We use the term “instantiate” to emphasize that we compare LexRSM and LexRF. single-component non-negative LexRF, i.e., a LexRSM notion whose condition is no stronger than that of single-component non-negative LexRF in non-probabilistic settings.

Second, relaxing the non-negativity condition of LexRSM is highly desirable if we wish to fully unlock the benefit of the lexicographic extension in automated verification. A motivating example is given in Fig. 2. The probabilistic program in Fig. 2 terminates almost-surely, but it does not admit any linear GLexRSM (and hence, the GLexRSM synthesis algorithms in [ChatterjeeGNZZ21] cannot witness its almost-sure termination); for example, the function $\boldsymbol{\eta}$ ranks every transition of the program, but violates both leftward and expected leftward non-negativity at the transition $\ell_{1}\rightarrow\ell_{2}$ (note $\boldsymbol{\eta}$ ranks this transition in the third dimension; to check the violation of expected leftward non-negativity, also note $\boldsymbol{\eta}$ ranks $\ell_{2}\rightarrow\ell_{4}$ in the first dimension). Here, the source of the problem is that the program has two variables whose progress must be measured (i.e., increment $y$ to 10 in $\ell_{3}$; and increment $x$ to 5 in $\ell_{4}$), but one of their progress measures can be arbitrarily small during the program execution ($y$ can be initialized with any value). Not only that this structure is rather fundamental, it is also expected that our desired LexRSM could handle it, if it exists. Indeed, modify the probabilistic program in Fig. 2 into a non-probabilistic one by changing “$\mathit{Unif}[1,2]$” to “$1$”; then the program admits $\boldsymbol{\eta}$ as a single-component non-negative LexRF.

• •

  First, in response to the first motivation we stated above, we devise a novel notion of fixability as a theoretical tool to analyze if negative values of a LexRSM “cause trouble”. Roughly speaking, we identify the source of the trouble as “ill” exploitation of unbounded negativity of LexRSM; our $\varepsilon$-fixing operation prohibits such exploitation by basically setting all the negative values of a LexRSM into the same negative value $-\varepsilon$, and we say a LexRSM is $\varepsilon$-fixable if it retains the ranking condition through such a transformation. We give more details about its concept and key ideas in §2.

  The soundness of $\varepsilon$-fixable LexRSM immediately follows from that of strongly non-negative one [AgrawalCP18] because any LexRSM becomes strongly non-negative through the $\varepsilon$-fixing operation (after globally adding $\varepsilon$). Fixable LexRSM instantiates single-component non-negative LexRF for general stochastic processes (Thm. 4), while also serving as a technical basis for proving the soundness of other LexRSMs. Meanwhile, fixable LexRSM cannot be directly applied to automated verification algorithms due to the inherent non-linearity of $\varepsilon$-fixing; this observation leads us to our second contribution.

• •

  Second, in response to the second motivation we stated above, we introduce Lazy LexRSM (LLexRSM) as another LexRSM notion that instantiates single-component non-negative LexRF. LLexRSM does not involve the $\varepsilon$-fixing operation in its definition; thanks to this property, we have a subclass of LLexRSM that is amenable to automated synthesis via linear programming (see §6). The LLexRSM condition consists of the single-component non-negative LexRSM condition and stability at negativity we propose (Def. 5), which roughly requires the following: Once the value of a LexRSM gets negative in some dimension, it must stay negative until that dimension exits the left of the ranking one. For example, $\boldsymbol{\eta}$ in Fig. 2 is an LLexRSM; indeed, $\ell_{2}\rightarrow\ell_{4}$ and $\ell_{1}\rightarrow\ell_{5}$ are the only transitions where $\boldsymbol{\eta}$ possibly changes its value from negative to non-negative in some dimension (namely, the second one), which is although the right to the ranking dimension (the first one).

  We prove linear LLexRSM is sound for probabilistic programs over linear arithmetics (see Thm. 5 for the exact assumption). The proof is highly nontrivial, which is realized by subtle use of a refined variant of fixability; we explain its core idea in §2. Furthermore, Thm. 5 shows that expected leftward non-negativity in GLexRSM [ChatterjeeGNZZ21] is actually redundant under the assumption in Thm. 5. This is surprising, as expected leftward non-negativity has been invented to restore the soundness of leftward non-negative LexRSM, which is generally unsound.

• •

  Third, we present a synthesis algorithm for the subclass of LLexRSM we mentioned above, and do experiments; there, our algorithms verified almost-sure termination of various programs that could not be handled by (a better proxy of) the GLexRSM-based one. The details can be found in §7.

Here we demonstrate by examples how intricate the treatment of negative values of LexRSM is, and how we handle it by our proposed notion of fixability.

This example reveals an inconsistency between the ways how the single-component non-negativity and ranking condition evaluate the value of a LexRSM, say $\boldsymbol{\eta}=(\eta_{1},\ldots,\eta_{n})$. The single-component non-negativity claims $\boldsymbol{\eta}$ cannot rank a transition in a given dimension $k$ whenever $\eta_{k}$ is negative; intuitively, this means that any negative value in the ranking domain $\mathbb{R}$ should be understood as the same state, namely the “bottom” of the domain. Meanwhile, the ranking condition evaluates different negative values differently; a smaller negative value of $\eta_{k}$ can contribute more to satisfy the ranking condition, as one can see from the behavior of $\eta_{2}$ in Fig. 3 at $\ell_{3}$. The function $\boldsymbol{\eta}$ in Fig. 3 satisfies the ranking condition over a possibly non-terminating program through “ill” exploitation of this inconsistency; as $t$ becomes larger, the value of $\eta_{2}$ potentially drops more significantly through the transition from $\ell_{3}$, but with a smaller probability.

The first variant of our fixability notion, called $\varepsilon$-fixability, enables us to ensure that such exploitation is not happening. We simply set every negative value in a LexRSM $\boldsymbol{\eta}$ to a negative constant $-\varepsilon$, and say $\boldsymbol{\eta}$ is $\varepsilon$-fixable if it retains the ranking condition through the modification²²2 To give the key ideas in a simpler way, the description here slightly differs from the actual definition in §4; referred results in §2 are derived from the latter. See Rem. 4. . For example, the $\varepsilon$-fixing operation changes the value of $\eta_{2}$ in Fig. 3 at $\ell_{4}$ from $-2^{t}$ to $-\varepsilon$, and $\boldsymbol{\eta}$ does not satisfy the ranking condition after that. Therefore, $\boldsymbol{\eta}$ in Fig. 3 is not $\varepsilon$-fixable for any $\varepsilon>0$ (i.e., we successfully reject this $\boldsymbol{\eta}$ through the fixability check). Meanwhile, an $\varepsilon$-fixable LexRSM witnesses almost-sure termination of the underlying program; indeed, the fixed LexRSM is a strongly non-negative LexRSM (by globally adding $\varepsilon$ to the fixed $\boldsymbol{\eta}$), which is known to be sound [AgrawalCP18].

The notion of $\varepsilon$-fixability is operationally so simple that one might even feel it is a boring idea; nevertheless, its contribution to revealing the nature of possibly negative LexRSM is already significant in our paper. Indeed, (a) $\varepsilon$-fixable LexRSM instantiates single-component non-negative LexRF with an appropriate $\varepsilon$ (Thm. 4); (b) $\varepsilon$-fixable LexRSM generalizes GLexRSM [ChatterjeeGNZZ21], and the proof offers an alternative proof of soundness of GLexRSM that is significantly simpler than the original one (Thm. 4); and (c) its refined variant takes the crucial role in proving soundness of our second LexRSM variant, lazy LexRSM.

Linear LLexRSM is sound over probabilistic programs with linear arithmetics (Thm. 5). The key to the proof is, informally, the following observation: Restrict our attention to probabilistic programs and functions $\boldsymbol{\eta}$ that are allowed in the LP-based synthesis. Then “ill” exploitation in Fig. 3 never occurs, and therefore, a weaker condition than $\varepsilon$-fixability (namely, the LLexRSM one) suffices for witnessing program termination. In fact, Fig. 3 involves (a) non-linear arithmetics in the program, (b) parametrized if-branch in the program (i.e., the grammar “ if prob$(p)$ then $P$ else $Q$ fi ” with $p$ being a variable), and (c) non-linearity of $\boldsymbol{\eta}$. None of them are allowed in the LP-based synthesis (at least, in the standard LP-based synthesis via Farkas’ Lemma [chakarov2013probabilistic, AgrawalCP18, ChatterjeeGNZZ21]). Our informal statement above is formalized as Thm. 5, which roughly says: Under such a restriction to probabilistic programs and $\boldsymbol{\eta}$, any LLexRSM is $(\varepsilon,\gamma)$-fixable. Here, $(\varepsilon,\gamma)$-fixability is a refined version of $\varepsilon$-fixability; while it also ensures that “ill” exploitation is not happening in $\boldsymbol{\eta}$, it is less restrictive than $\varepsilon$-fixability by allowing “harmless” unbounded negative values of $\boldsymbol{\eta}$.

Fig. 4 gives an example of such a harmless behavior of $\boldsymbol{\eta}$ rejected by $\varepsilon$-fixability. It also shows why we cannot simply use $\varepsilon$-fixability to check an LLexRSM does not do “ill” exploitation. The function $\boldsymbol{\eta}=(\eta_{1},\eta_{2})$ in Fig. 4 is leftward non-negative over the global invariant $[0\leq x\leq 1\land t\geq 1]$, so it is an LLexRSM for the probabilistic program there; the program and $\boldsymbol{\eta}$ are also in the scope of LP-based synthesis; but $\boldsymbol{\eta}$ is not $\varepsilon$-fixable for any $\varepsilon>0$. Indeed, the $\varepsilon$-fixing operation changes the value of $\eta_{2}$ at $\ell_{4}$ from $-2t-4$ to $-\varepsilon$, and $\boldsymbol{\eta}$ does not satisfy the ranking condition at $\ell_{2}$ after the change. Here we notice that, however, the unbounded negative values of $\eta_{2}$ are “harmless”; that is, the “ill-gotten gains” by the unbounded negative values of $\eta_{2}$ at $\ell_{4}$ are only “wasted” to unnecessarily increase $\eta_{2}$ at $\ell_{3}$. In fact, $\boldsymbol{\eta}$ still satisfies the ranking condition if we change the value of $\eta_{2}$ at $\ell_{1},\ell_{2},\ell_{3}$ to $2,1$, and $0$, respectively.

We resolve this issue by partially waiving the ranking condition of $\boldsymbol{\eta}$ after the $\varepsilon$-fixing operation. It is intuitively clear that the program in Fig. 4 almost-surely terminates, and the intuition here is that the program essentially repeats an unbiased coin tossing until the tail is observed (here, “observe the tail” corresponds to “observe $\mbox{\bf prob}(0.5)=\mbox{\bf true}$ at $\ell_{2}$”). This example tells us that, to witness the almost-sure termination of this program, we only need to guarantee the program (almost-surely) visits either the terminal location $\ell_{5}$ or the “coin-tossing location” $\ell_{2}$ from anywhere else. The $\varepsilon$-fixed $\boldsymbol{\eta}$ in Fig. 4 does witness such a property of the program, as it ranks every transition except those that are from a coin-tossing location, namely $\ell_{2}$.

We generalize this idea as follows: Fix $\gamma\in(0,1)$, and say a program state is a “coin-tossing state” for $\boldsymbol{\eta}=(\eta_{1},\ldots,\eta_{n})$ in the $k$-th dimension if $\eta_{k}$ drops from non-negative to negative (i.e., the ranking is “done” in the $k$-th dimension) with the probability $\gamma$ or higher. Then we say $\boldsymbol{\eta}$ is $(\varepsilon,\gamma)$-fixable (Def. 4) if the $\varepsilon$-fixed $\boldsymbol{\eta}$ is a strongly non-negative LexRSM (after adding $\varepsilon$) except that, at each coin-tossing state, we waive the ranking condition of $\boldsymbol{\eta}$ in the corresponding dimension. For example, $\boldsymbol{\eta}$ in Fig. 4 is $(\varepsilon,\gamma)$-fixable for any $\gamma\in(0,0.5]$. As expected, $(\varepsilon,\gamma)$-fixable LexRSM is sound for any $\varepsilon>0$ and $\gamma\in(0,1)$ (Cor. 4).

We recall the technical preliminaries. Omitted details are in Appendix A.

For a finite variable set $V$ and the set $val^{V}$ of its valuations, we form predicates as first-order formulas with atomic predicates of the form $f\leq g$, where $f,g\colon val^{V}\to R$ and $R$ is linearly ordered. Often, we are only interested in the value of a predicate $\varphi$ over a certain subset $\mathcal{X}\subseteq val^{V}$, in which case, we call $\varphi$ a predicate over $\mathcal{X}$. We identify a predicate $\varphi$ over $\mathcal{X}$ with a function $\tilde{\varphi}\colon\mathcal{X}\to\{0,1\}$ such that $\tilde{\varphi}(x)=1$ if and only if $\varphi(x)$ is true. The semantics of $\varphi$, i.e., the set $\{x\in\mathcal{X}\mid\varphi(x)\mbox{ is true}\}$, is denoted by $\llbracket\varphi\rrbracket$. The characteristic function ${\bf 1}_{A}:\mathcal{X}\to\{0,1\}$ of a subset $A$ of $\mathcal{X}$ is a function such that $\llbracket{\bf 1}_{A}=1\rrbracket=A$. For a probability space $(\Omega,\mathcal{F},\mathbb{P})$, we say $\varphi$ over $\Omega$ is ($\mathcal{F}$-)measurable when $\llbracket\varphi\rrbracket\in\mathcal{F}$. For such a $\varphi$, the satisfaction probability of $\varphi$ w.r.t. $\mathbb{P}$, i.e., the value $\mathbb{P}(\llbracket\varphi\rrbracket)$, is also denoted by $\mathbb{P}(\varphi)$; we say $\varphi$ holds $\mathbb{P}$-almost surely ($\mathbb{P}$-a.s.) if $\mathbb{P}(\varphi)=1$.

In §4-6 we give our novel technical notions and results. In this section, we will introduce the notion of fixability and related results. Here we focus on technical rigorousness and conciseness, see §2 for the underlying intuition. Proofs are given in appendices. We begin with the formal definition of $\varepsilon$-fixability.

As in Footnote 2, our formal definitions of fixability in this section slightly differ from an informal explanation in §2. One difference is that the $\varepsilon$-fixing in Def. 4 changes the value of a LexRSM at dimension $k$ whenever it is negative or $k$ is strictly on the right to the ranking dimension. This modification is necessary to prove Thm. 4. Another is that we define fixability as the notion for an instance $\mathcal{I}$, rather than for an MM $\boldsymbol{\eta}$. While the latter can be also done in an obvious way (as informally done in §2), we do not formally do that because it is not necessary for our technical development. One can “fix” the argument in §2 into the one over instances by translating “fixability of $\boldsymbol{\eta}$” to “fixability of an instance induced by $\boldsymbol{\eta}$”.

[$\varepsilon$-fixing of an instance] Let $\mathcal{I}=((\mathbf{X}_{t})_{t=0}^{\infty}),(\mathsf{Lv}_{t})_{t=0}^{\infty})$ be an instance for a stopping time $T$, and let $\varepsilon>0$. The $\varepsilon$-fixing of $\mathcal{I}$ is another instance $\tilde{\mathcal{I}}=((\tilde{\mathbf{X}}_{t})_{t=0}^{\infty},(\mathsf{Lv}_{t})_{t=0}^{\infty})$ for $T$, where

We say an SC-LexRSM $\mathcal{I}$ is $\varepsilon$-fixable, or call it an $\varepsilon$-fixable LexRSM, if its $\varepsilon$-fixing $\tilde{\mathcal{I}}$ is an UN-LexRSM with the bottom $\bot=-\varepsilon$.

Observe that the $\varepsilon$-fixing of any instance is uniformly well-founded with the bottom $\bot=-\varepsilon$, so the $\varepsilon$-fixability only asks if the ranking condition is preserved through $\varepsilon$-fixing. Also, observe that the soundness of $\varepsilon$-fixable LexRSM immediately follows from that of UN-LexRSM [AgrawalCP18].

While we do not directly use $\varepsilon$-fixability as a technical tool, the two theorems below show its conceptual value. The first one answers our key problem: $\varepsilon$-fixable LexRSM instantiates SC-LexRF with sufficiently large $\varepsilon$.

[fixable LexRSM instantiates SC-LexRF] Suppose $\mathcal{I}=((\boldsymbol{x}_{t})_{t=0}^{\infty},(\mathsf{Lv}_{t})_{t=0}^{\infty})$ is an SC-LexRSM for a stopping time $T$ over the trivial probability space with a constant $c$, and let $\varepsilon\geq c$. Then $\mathcal{I}$ is $\varepsilon$-fixable. ∎

The second theorem offers a formal comparison between $\varepsilon$-fixable LexRSM and the state-of-the-art LexRSM variant in the literature, namely GLexRSM [ChatterjeeGNZZ21]. We show the former subsumes the latter. In our terminology, GLexRSM is LW-LexRSM that also satisfies the following expected leftward non-negativity:

We note that our result can be also seen as an alternative proof of the soundness of GLexRSM [ChatterjeeGNZZ21, Thm. 1]. Our proof is also significantly simpler than the original one, as the former utilizes the soundness of UN-LexRSM as a lemma, while the latter does the proof “from scratch”.

[fixable LexRSM generalizes GLexRSM] Suppose $\mathcal{I}$ is a GLexRSM for a stopping time $T$. Then $\mathcal{I}$ is $\varepsilon$-fixable for any $\varepsilon>0$. ∎

Now we move on to a refined variant, $(\varepsilon,\gamma)$-fixability. Before its formal definition, we give a theorem that justifies the partial waiving of the ranking condition described in §2. Below, $\overset{\infty}{\exists}t.\varphi_{t}$ stands for $\forall k\in\mathbb{N}.\exists t\in\mathbb{N}.[t>k\land\varphi_{t}]$.

[relaxation of the UN-LexRSM condition] Suppose the following are given: a probability space $(\Omega,\mathcal{F},\mathbb{P})$; a filtration $(\mathcal{F}_{t})_{t=0}^{\infty}$ on $\mathcal{F}$; and a stopping time $T$ w.r.t. $(\mathcal{F}_{t})_{t=0}^{\infty}$. Let $\mathcal{I}=((\mathbf{X}_{t})_{t=0}^{\infty},(\mathsf{Lv}_{t})_{t=0}^{\infty})$ be an instance for $T$, and let $\bot\in\mathbb{R}$. For each $k\in\{1,\ldots,n\}$, let $(\varphi_{t,k})_{t=0}^{\infty}$ be a sequence of predicates over $\Omega$ such that

Suppose $\mathcal{I}$ is an UN-LexRSM with the bottom $\bot$ except that, instead of the ranking condition, $\mathcal{I}$ satisfies the inequality (1) only for $t\in\mathbb{N}$, $k\in\{1,\ldots,n\}$, and $\omega\in\llbracket k\leq\mathsf{Lv}_{t}\land\lnot(\mathbf{X}_{t}[k]>\bot\land\varphi_{t,k})\rrbracket$ (with $c=1$). Then $T$ is AST w.r.t. $\mathbb{P}$. ∎ The correspondence between the argument in §2 and Thm. 4 is as follows. The predicate $\varphi_{t,k}$ is an abstraction of the situation “we are at a coin-tossing state at time $t$ in the $k$-th dimension”; and the condition (2) corresponds to the infinite coin-tossing argument (for a given $k$, if $\varphi_{t,k}$ is satisfied at infinitely many $t$, then the ranking in the $k$-th dimension is “done” infinitely often, with probability 1). Given these, Thm. 4 says that the ranking condition of UN-LexRSM can be waived over $\llbracket\mathbf{X}_{t}[k]>\bot\land\varphi_{t,k}\rrbracket$. In particular, the theorem amounts to the soundness of UN-LexRSM when $\varphi_{t,k}\equiv\mathit{false}$ for each $t$ and $k$.

Based on Theorem 4, we introduce $(\varepsilon,\gamma)$-fixability as follows. There, $\mathbb{P}[\varphi\mid\mathcal{F}^{\prime}]:=\mathbb{E}[{\bf 1}_{\llbracket\varphi\rrbracket}\mid\mathcal{F}^{\prime}]$ is the conditional probability of satisfying $\varphi$ given $\mathcal{F}^{\prime}$.

[$(\varepsilon,\gamma)$-fixability] Let $\mathcal{I}=((\mathbf{X}_{t})_{t=0}^{\infty},(\mathsf{Lv}_{t})_{t=0}^{\infty})$ be an instance for $T$, and let $\gamma\in(0,1)$. We call $\mathcal{I}$ a $\gamma$-relaxed UN-LexRSM for $T$ if $\mathcal{I}$ satisfies the properties in Thm. 4, where $\varphi_{t,k}$ is as follows:

We say $\mathcal{I}$ is $(\varepsilon,\gamma)$-fixable if its $\varepsilon$-fixing $\tilde{\mathcal{I}}$ is a $\gamma$-relaxed UN-LexRSM. The predicate $\varphi_{t,k}(\omega)$ in (3) is roughly read “the ranking by $(\mathbf{X}_{t})_{t=0}^{\infty}$ is done at time $t+1$ in dimension $k$ with probability $\gamma$ or higher, given the information about $\omega$ at $t$”. This predicate satisfies Condition (2); hence we have the following corollary, which is the key to the soundness of lazy LexRSM in §5. {mycorollary}[soundness of $(\varepsilon,\gamma)$-fixable instances] Suppose there exists an instance $\mathcal{I}$ over $(\Omega,\mathcal{F},\mathbb{P})$ for a stopping time $T$ that is $(\varepsilon,\gamma)$-fixable for any $\varepsilon>0$ and $\gamma\in(0,1)$. Then $T$ is AST w.r.t. $\mathbb{P}$. ∎

Here we introduce another LexRSM variant, Lazy LexRSM (LLexRSM). We need this variant for our LexRSM synthesis algorithm; while $\varepsilon$-fixable LexRSM theoretically answers our key question, it is not amenable to LP-based synthesis algorithms because its case distinction makes the resulting constraint nonlinear.

We define LLexRSM map as follows; see Contributions in §1 for its intuitive meaning with an example. The definition for an instance is in Appendix C.

[LLexRSM map] Fix a pCFG $\mathcal{C}$ with an invariant $I$. Let $\boldsymbol{\eta}$ be an MM associated with a level map $\mathsf{Lv}$. The MM $\boldsymbol{\eta}$ is called a Lazy LexRSM map (LLexRSM map) over $\mathcal{C}$ supported by $I$ if it is an SC-LexRSM map over $\mathcal{C}$ supported by $I$, and satisfies stability at negativity defined as follows:

We first observe LLexRSM also answers our key question.

[LLexRSM instantiates SC-LexRF] Suppose $\boldsymbol{\eta}$ is an SC-LexRSM over a non-probabilistic CFG $\mathcal{C}$ supported by an invariant $I$, with a level map $\mathsf{Lv}$. Then $\boldsymbol{\eta}$ is stable at negativity under $I$ and $\mathsf{Lv}$, and hence, $\boldsymbol{\eta}$ is an LLexRSM map over $\mathcal{C}$ supported by $I$, with $\mathsf{Lv}$. ∎

Below we give the soundness result of LLexRSM map. We first give the necessary assumptions on pCFGs and MMs, namely linearity and well-behavedness. we say a pCFG is linear if the update element of each $\tau\in\Delta_{d}$ is a linear function (this corresponds to the restriction on PPs to the linear ones); and an MM $\boldsymbol{\eta}$ is linear if $\lambda\boldsymbol{x}.\boldsymbol{\eta}(\ell,\boldsymbol{x})$ is linear for each $\ell\in L$. We say a pCFG is well-behaved if its variable samplings are done via well-behaved distributions, which roughly means that their tail probabilities vanish to zero toward infinity quickly enough. We give its formal definition in the appendix (Def. C.1.2), which is somewhat complex; an important fact from the application perspective is that the class of such distributions covers all distributions with bounded supports and some distributions with unbounded supports such as the normal distributions (Prop. C.1.2). Possibly negative (Lex)RSM typically requires some restriction on variable samplings of pCFG (e.g., the integrability in [ChatterjeeGNZZ21]) so that the pre-expectation is well-defined.

The crucial part of the soundness proof is the following theorem, where $(\varepsilon,\gamma)$-fixability takes the key role. Its full proof is given in Appendix C.

Let $\boldsymbol{\eta}:\mathcal{S}\to\mathbb{R}^{n}$ be a linear LLexRSM map for a linear, well-behaved pCFG $\mathcal{C}$. Then for any $\Delta$-deterministic scheduler $\sigma$ and initial state $s_{I}$ of $\mathcal{C}$, the induced instance is $(\varepsilon,\gamma)$-fixable for some $\varepsilon>0$ and $\gamma\in(0,1)$.

Proof (sketch). We can show that the $\varepsilon$-fixing $\tilde{\mathcal{I}}=((\tilde{\mathbf{X}}_{t})_{t=0}^{\infty},(\mathsf{Lv}_{t})_{t=0}^{\infty})$ of an induced instance ${\mathcal{I}}=(({\mathbf{X}}_{t})_{t=0}^{\infty},(\mathsf{Lv}_{t})_{t=0}^{\infty})$ almost-surely satisfies the inequality (1) of the ranking condition for each $t$, $\omega$, and $k$ such that $\tilde{\mathbf{X}}_{t}[k](\omega)=-\varepsilon$ and $1\leq k\leq\mathsf{Lv}_{t}(\omega)$ [TakisakaZWL24arXiv, Prop. C.2]. Thus it suffices to show, for each $\omega$, $k$, and $t$ such that $\tilde{\mathbf{X}}_{t}[k](\omega)\geq 0$ and $1\leq k\leq\mathsf{Lv}_{t}(\omega)$, either $\tilde{\mathcal{I}}$ satisfies the inequality (1) or (1) as a requirement on $\tilde{\mathcal{I}}$ is waived due to the $\gamma$-relaxation.

Now take any such $t,\omega$, and $k$, and suppose the run $\omega$ reads the program line prog at time $t$. Then we can show the desired property by a case distinction over prog as follows. Here, recall $\omega$ is a sequence $s_{0}s_{1}\ldots s_{t}s_{t+1}\ldots$ of program states; we defined ${\mathbf{X}}_{t}$ by ${\mathbf{X}}_{t}[k](\omega)=\boldsymbol{\eta}[k](s_{t})$; and $\mathbb{E}[{\mathbf{X}}_{t+1}[k]\mid\mathcal{F}_{t}](\omega)$ is the expectation of $\boldsymbol{\eta}[k](s^{\prime})$, where $s^{\prime}$ is the successor state of $s_{0}\ldots s_{t}$ under $\sigma$ (which is not necessarily $s_{t+1}$). Also observe the requirement (1) on $\tilde{\mathcal{I}}$ is waived for given $t,\omega$, and $k$ when the value of $\boldsymbol{\eta}[k](s^{\prime})$ is negative with the probability $\gamma$ or higher.

1. 1.

   Suppose prog is a non-probabilistic program line, e.g., ‘$x_{i}:=f(\boldsymbol{x})$’ or ‘while $\varphi$ do’. Then the successor state $s^{\prime}$ of $s_{t}$ is unique. If $\boldsymbol{\eta}[k](s^{\prime})$ is non-negative, then we have $\mathbb{E}[\tilde{\mathbf{X}}_{t+1}[k]\mid\mathcal{F}_{t}](\omega)=\mathbb{E}[{\mathbf{X}}_{t+1}[k]\mid\mathcal{F}_{t}](\omega)$, so the inequality (1) is inherited from $\mathcal{I}$ to $\tilde{\mathcal{I}}$; if negative, then the requirement (1) on $\tilde{\mathcal{I}}$ is waived. The same argument applies to ‘if $\star$ then’ (recall ${\mathcal{I}}$ is induced from a $\Delta$-deterministic scheduler).

2. 2.

   Suppose $\mbox{\it prog}\equiv\mbox{`{if} {prob$(p)$} {then}'}$. By letting $\gamma$ strictly smaller than $p$, we see either $\boldsymbol{\eta}[k](s^{\prime})$ is never negative, or it is negative with a probability more than $\gamma$. Thus we have the desired property for a similar reason to Case 1 (we note this argument requires $p$ to be a constant).

3. 3.

   Suppose $\mbox{\it prog}\equiv`x_{i}:=\mbox{\bf sample}(d)$’. We can show the desired property by taking a sufficiently small $\gamma$; roughly speaking, the requirement (1) on $\tilde{\mathcal{I}}$ is waived unless the chance of $\boldsymbol{\eta}[k](s^{\prime})$ being negative is very small, in which case the room for “ill” exploitation is so small that the inequality (1) is inherited from $\mathcal{I}$ to $\tilde{\mathcal{I}}$. Almost the same argument applies to ‘$x_{i}:=\mbox{\bf ndet}(D)$’.