Proof techniques for Nondeterministic and Probabilistic Processes - - PowerPoint PPT Presentation

sfi Induction Coinduction A-simulations Inequivalences

Proof techniques for Nondeterministic and Probabilistic Processes

Matthew Hennessy

Trinity College Dublin (joint work with Yuxin Deng, Rob van Glabbeek, Carroll Morgan, Chenyi Zhang)

BASICS, Shanghai October 09

1/38

sfi Induction Coinduction A-simulations Inequivalences

Outline

Inductive methods Coinductive methods A-simulations Proving inequivalences

2/38

sfi Induction Coinduction A-simulations Inequivalences

Outline

Inductive methods Coinductive methods A-simulations Proving inequivalences

3/38

sfi Induction Coinduction A-simulations Inequivalences

Inductive methods

Induction:

Given A ⇐ D,

◮ D{Q/A} ⊑ Q implies A ⊑ Q

Inequations:

Some examples: a.(P p⊕ Q) ⊑pmay a.P p⊕ a.Q a.P b.Q ≃pmay a.P ⊓ b.Q

• CSP

a.P (Q ⊓ R) ≃pmust (a.P Q) ⊓ (a.P R)

• CSP

Compositional reasoning

◮ P ⊑ Q implies C[P] ⊑ C[Q] ◮ eg: P ⊑ Q implies P | R ⊑ Q | R

4/38

sfi Induction Coinduction A-simulations Inequivalences

Inductive methods

Induction:

Given A ⇐ D,

◮ D{Q/A} ⊑ Q implies A ⊑ Q

Inequations:

Some examples: a.(P p⊕ Q) ⊑pmay a.P p⊕ a.Q a.P b.Q ≃pmay a.P ⊓ b.Q

• CSP

a.P (Q ⊓ R) ≃pmust (a.P Q) ⊓ (a.P R)

• CSP

Compositional reasoning

◮ P ⊑ Q implies C[P] ⊑ C[Q] ◮ eg: P ⊑ Q implies P | R ⊑ Q | R

4/38

sfi Induction Coinduction A-simulations Inequivalences

Inductive methods

Induction:

Given A ⇐ D,

◮ D{Q/A} ⊑ Q implies A ⊑ Q

Inequations:

Some examples: a.(P p⊕ Q) ⊑pmay a.P p⊕ a.Q a.P b.Q ≃pmay a.P ⊓ b.Q

• CSP

a.P (Q ⊓ R) ≃pmust (a.P Q) ⊓ (a.P R)

• CSP

Compositional reasoning

◮ P ⊑ Q implies C[P] ⊑ C[Q] ◮ eg: P ⊑ Q implies P | R ⊑ Q | R

4/38

sfi Induction Coinduction A-simulations Inequivalences

Outline

Inductive methods Coinductive methods A-simulations Proving inequivalences

5/38

sfi Induction Coinduction A-simulations Inequivalences

Simulations in LTSs

Given R ⊆ (S × S) define Sim(R) ⊆ (S × S) by: P Sim(R) Q P Sim(R) Q implies P′ P′ R Q′ µ µ µ Let ⊳S ⊆ (S × S) be largest fixpoint of ⊳S = Sim(⊳S)

6/38

sfi Induction Coinduction A-simulations Inequivalences

Simulations in LTSs

Given R ⊆ (S × S) define Sim(R) ⊆ (S × S) by: P Sim(R) Q P Sim(R) Q implies P′ P′ R Q′ µ µ µ Let ⊳S ⊆ (S × S) be largest fixpoint of ⊳S = Sim(⊳S)

6/38

sfi Induction Coinduction A-simulations Inequivalences

LTS: Characterisation of simulation preorder ⊳S

Largest relation over S × S satisfying: P ⊳S Q P ⊳S Q implies P′ P′ ⊳S Q′ µ µ µ

Weak moves:

◮ P a

= ⇒ P′ means P

τ

− → P1

τ

− → . . . Pn

a

− → P′

1 τ

− → . . .

τ

− → P′

◮ P τ

= ⇒ P′ means P

τ

− → P1

τ

− → . . .

τ

− → . . .

τ

− → P′

7/38

sfi Induction Coinduction A-simulations Inequivalences

Simulations in pLTSs

Recall: A pLTS is also an LTS

from s

µ

− → Θ to ∆

µ

− → Θ

Application:

Let ⊳S

dist

⊆ D(S) × D(S) be largest relation satisfying: ∆ ⊳S

dist

Θ ∆ ⊳S

dist

Θ implies ∆′ ∆′ ⊳S

dist

Θ′ µ µ µ

8/38

sfi Induction Coinduction A-simulations Inequivalences

Simulations in pLTSs

Recall: A pLTS is also an LTS

from s

µ

− → Θ to ∆

µ

− → Θ

Application:

Let ⊳S

dist

⊆ D(S) × D(S) be largest relation satisfying: ∆ ⊳S

dist

Θ ∆ ⊳S

dist

Θ implies ∆′ ∆′ ⊳S

dist

Θ′ µ µ µ

8/38

sfi Induction Coinduction A-simulations Inequivalences

First problem

a 1

2 ⊕ b

⊳S

dist

because distribution a 1

2 ⊕ b can perform no actions

But a 1

2 ⊕ b

⊑pmay because test a.ω

◮ on a 1

2 ⊕ b succeeds 50% of the time

◮ on 0 succeeds 0% of the time

Moral:

Simulations must be state based in some manner

9/38

sfi Induction Coinduction A-simulations Inequivalences

First problem

a 1

2 ⊕ b

⊳S

dist

because distribution a 1

2 ⊕ b can perform no actions

But a 1

2 ⊕ b

⊑pmay because test a.ω

◮ on a 1

2 ⊕ b succeeds 50% of the time

◮ on 0 succeeds 0% of the time

Moral:

Simulations must be state based in some manner

9/38

sfi Induction Coinduction A-simulations Inequivalences

First problem

a 1

2 ⊕ b

⊳S

dist

because distribution a 1

2 ⊕ b can perform no actions

But a 1

2 ⊕ b

⊑pmay because test a.ω

◮ on a 1

2 ⊕ b succeeds 50% of the time

◮ on 0 succeeds 0% of the time

Moral:

Simulations must be state based in some manner

9/38

sfi Induction Coinduction A-simulations Inequivalences

First problem

a 1

2 ⊕ b

⊳S

dist

because distribution a 1

2 ⊕ b can perform no actions

But a 1

2 ⊕ b

⊑pmay because test a.ω

◮ on a 1

2 ⊕ b succeeds 50% of the time

◮ on 0 succeeds 0% of the time

Moral:

Simulations must be state based in some manner

9/38

sfi Induction Coinduction A-simulations Inequivalences

Simulations in a pLTS

Largest relation ⊳S ⊆ S × S satisfying: s ⊳S t s ⊳S t implies ∆ ∆ lift(⊳S) Θ µ µ µ

Lifting relations:

lift(−) lifts R ⊆ S × S to lift(R) ⊆ D(S) × D(S)

10/38

sfi Induction Coinduction A-simulations Inequivalences

Simulations in a pLTS

Largest relation ⊳S ⊆ S × S satisfying: s ⊳S t s ⊳S t implies ∆ ∆ lift(⊳S) Θ µ µ µ

Lifting relations:

lift(−) lifts R ⊆ S × S to lift(R) ⊆ D(S) × D(S)

10/38

sfi Induction Coinduction A-simulations Inequivalences

Lifting relations

Recall: from s

µ

− → Θ to ∆

µ

− → Θ Given R ⊆ S × D(S), lift(R) ⊆ D(S) × D(S) whenever

◮ ∆ = i∈I pi · si ,

I a finite index set

◮ For each i ∈ I there is a distribution Θi s.t. si

R Θi

◮ Θ = i∈I pi · Θi ◮ i∈I pi = 1

Many different formulations For subdistributions:

i∈I pi ≤ 1

11/38

sfi Induction Coinduction A-simulations Inequivalences

Lifting relations

Recall: from s

µ

− → Θ to ∆

µ

− → Θ Given R ⊆ S × D(S), lift(R) ⊆ D(S) × D(S) whenever

◮ ∆ = i∈I pi · si ,

I a finite index set

◮ For each i ∈ I there is a distribution Θi s.t. si

R Θi

◮ Θ = i∈I pi · Θi ◮ i∈I pi = 1

Many different formulations For subdistributions:

i∈I pi ≤ 1

11/38

sfi Induction Coinduction A-simulations Inequivalences

Lifting relations

Recall: from s

µ

− → Θ to ∆

µ

− → Θ Given R ⊆ S × D(S), lift(R) ⊆ D(S) × D(S) whenever

◮ ∆ = i∈I pi · si ,

I a finite index set

◮ For each i ∈ I there is a distribution Θi s.t. si

R Θi

◮ Θ = i∈I pi · Θi ◮ i∈I pi = 1

Many different formulations For subdistributions:

i∈I pi ≤ 1

11/38

sfi Induction Coinduction A-simulations Inequivalences

Simulations in a pLTS

revision

Largest relation ⊳S ⊆ S × D(S) satisfying: s ⊳S t s ⊳S t implies ∆ ∆ lift(⊳S) Θ µ µ µ

Lifting relations:

Here lift(−) lifts R ⊆ S × D(S) to lift(R) ⊆ D(S) × D(S)

12/38

sfi Induction Coinduction A-simulations Inequivalences

Simulations in a pLTS

revision

Largest relation ⊳S ⊆ S × D(S) satisfying: s ⊳S t s ⊳S t implies ∆ ∆ lift(⊳S) Θ µ µ µ

Lifting relations:

Here lift(−) lifts R ⊆ S × D(S) to lift(R) ⊆ D(S) × D(S)

12/38

sfi Induction Coinduction A-simulations Inequivalences

Example simulation

d.(a

1 2 ⊕ b) ⊳S d.((a 1 2 ⊕ b) 1 2 ⊕ (a + b)) because

a

1 2 ⊕ b

lift(⊳S) (a

1 2 ⊕ b) 1 2 ⊕ (a + b)

1 2 · a + 1 2 · b lift(⊳S) 1 4 · a + 1 2 · (a + b) + 1 4 · b

Because:

◮ a ⊳S 1 2 · a + 1 2 · (a + b) ◮ b ⊳S 1 2 · b + 1 2 · (a + b) ◮ 1 2 ·a + 1 2 ·b lift(⊳S) 1 2 ·(1 2 ·a+ 1 2 ·(a+b)) + 1 2 ·(1 2 ·b+ 1 2 ·(a+b))

Moral:

◮ ⊳S must have type S × D(S) ◮ NOT type S × S

13/38

sfi Induction Coinduction A-simulations Inequivalences

Example simulation

d.(a

1 2 ⊕ b) ⊳S d.((a 1 2 ⊕ b) 1 2 ⊕ (a + b)) because

a

1 2 ⊕ b

lift(⊳S) (a

1 2 ⊕ b) 1 2 ⊕ (a + b)

1 2 · a + 1 2 · b lift(⊳S) 1 4 · a + 1 2 · (a + b) + 1 4 · b

Because:

◮ a ⊳S 1 2 · a + 1 2 · (a + b) ◮ b ⊳S 1 2 · b + 1 2 · (a + b) ◮ 1 2 ·a + 1 2 ·b lift(⊳S) 1 2 ·(1 2 ·a+ 1 2 ·(a+b)) + 1 2 ·(1 2 ·b+ 1 2 ·(a+b))

Moral:

◮ ⊳S must have type S × D(S) ◮ NOT type S × S

13/38

sfi Induction Coinduction A-simulations Inequivalences

Example simulation

d.(a

1 2 ⊕ b) ⊳S d.((a 1 2 ⊕ b) 1 2 ⊕ (a + b)) because

a

1 2 ⊕ b

lift(⊳S) (a

1 2 ⊕ b) 1 2 ⊕ (a + b)

1 2 · a + 1 2 · b lift(⊳S) 1 4 · a + 1 2 · (a + b) + 1 4 · b

Because:

◮ a ⊳S 1 2 · a + 1 2 · (a + b) ◮ b ⊳S 1 2 · b + 1 2 · (a + b) ◮ 1 2 ·a + 1 2 ·b lift(⊳S) 1 2 ·(1 2 ·a+ 1 2 ·(a+b)) + 1 2 ·(1 2 ·b+ 1 2 ·(a+b))

Moral:

◮ ⊳S must have type S × D(S) ◮ NOT type S × S

13/38

sfi Induction Coinduction A-simulations Inequivalences

Example simulation

d.(a

1 2 ⊕ b) ⊳S d.((a 1 2 ⊕ b) 1 2 ⊕ (a + b)) because

a

1 2 ⊕ b

lift(⊳S) (a

1 2 ⊕ b) 1 2 ⊕ (a + b)

1 2 · a + 1 2 · b lift(⊳S) 1 4 · a + 1 2 · (a + b) + 1 4 · b

Because:

◮ a ⊳S 1 2 · a + 1 2 · (a + b) ◮ b ⊳S 1 2 · b + 1 2 · (a + b) ◮ 1 2 ·a + 1 2 ·b lift(⊳S) 1 2 ·(1 2 ·a+ 1 2 ·(a+b)) + 1 2 ·(1 2 ·b+ 1 2 ·(a+b))

Moral:

◮ ⊳S must have type S × D(S) ◮ NOT type S × S

13/38

sfi Induction Coinduction A-simulations Inequivalences

Example simulation

d.(a

1 2 ⊕ b) ⊳S d.((a 1 2 ⊕ b) 1 2 ⊕ (a + b)) because

a

1 2 ⊕ b

lift(⊳S) (a

1 2 ⊕ b) 1 2 ⊕ (a + b)

1 2 · a + 1 2 · b lift(⊳S) 1 4 · a + 1 2 · (a + b) + 1 4 · b

Because:

◮ a ⊳S 1 2 · a + 1 2 · (a + b) ◮ b ⊳S 1 2 · b + 1 2 · (a + b) ◮ 1 2 ·a + 1 2 ·b lift(⊳S) 1 2 ·(1 2 ·a+ 1 2 ·(a+b)) + 1 2 ·(1 2 ·b+ 1 2 ·(a+b))

Moral:

◮ ⊳S must have type S × D(S) ◮ NOT type S × S

13/38

sfi Induction Coinduction A-simulations Inequivalences

Example simulation

d.(a

1 2 ⊕ b) ⊳S d.((a 1 2 ⊕ b) 1 2 ⊕ (a + b)) because

a

1 2 ⊕ b

lift(⊳S) (a

1 2 ⊕ b) 1 2 ⊕ (a + b)

1 2 · a + 1 2 · b lift(⊳S) 1 4 · a + 1 2 · (a + b) + 1 4 · b

Because:

◮ a ⊳S 1 2 · a + 1 2 · (a + b) ◮ b ⊳S 1 2 · b + 1 2 · (a + b) ◮ 1 2 ·a + 1 2 ·b lift(⊳S) 1 2 ·(1 2 ·a+ 1 2 ·(a+b)) + 1 2 ·(1 2 ·b+ 1 2 ·(a+b))

Moral:

◮ ⊳S must have type S × D(S) ◮ NOT type S × S

13/38

sfi Induction Coinduction A-simulations Inequivalences

Example simulation

d.(a

1 2 ⊕ b) ⊳S d.((a 1 2 ⊕ b) 1 2 ⊕ (a + b)) because

a

1 2 ⊕ b

lift(⊳S) (a

1 2 ⊕ b) 1 2 ⊕ (a + b)

1 2 · a + 1 2 · b lift(⊳S) 1 4 · a + 1 2 · (a + b) + 1 4 · b

Because:

◮ a ⊳S 1 2 · a + 1 2 · (a + b) ◮ b ⊳S 1 2 · b + 1 2 · (a + b) ◮ 1 2 ·a + 1 2 ·b lift(⊳S) 1 2 ·(1 2 ·a+ 1 2 ·(a+b)) + 1 2 ·(1 2 ·b+ 1 2 ·(a+b))

Moral:

◮ ⊳S must have type S × D(S) ◮ NOT type S × S

13/38

sfi Induction Coinduction A-simulations Inequivalences

Second problem

a.B B s1 s2 a τ

3 4 1 4

τ b a.b ⊳S a.B because a.B a = ⇒ b because a.B

τ

− →∗ a − → τ − →∗ b

Moral:

weak internal actions must include limiting behaviour B reaches state s2 with probability 1

14/38

sfi Induction Coinduction A-simulations Inequivalences

Second problem

a.B B s1 s2 a τ

3 4 1 4

τ b a.b ⊳S a.B because a.B a = ⇒ b because a.B

τ

− →∗ a − → τ − →∗ b

Moral:

weak internal actions must include limiting behaviour B reaches state s2 with probability 1

14/38

sfi Induction Coinduction A-simulations Inequivalences

Second problem

a.B B s1 s2 a τ

3 4 1 4

τ b a.b ⊳S a.B because a.B a = ⇒ b because a.B

τ

− →∗ a − → τ − →∗ b

Moral:

weak internal actions must include limiting behaviour B reaches state s2 with probability 1

14/38

sfi Induction Coinduction A-simulations Inequivalences

Second problem

a.B B s1 s2 a τ

3 4 1 4

τ b a.b ⊳S a.B because a.B a = ⇒ b because a.B

τ

− →∗ a − → τ − →∗ b

Moral:

weak internal actions must include limiting behaviour B reaches state s2 with probability 1

14/38

sfi Induction Coinduction A-simulations Inequivalences

Weak internal actions in a pLTS

∆ = ⇒ Θ Idea: internal computation is a partial execution ∆ = ∆go

0 +

∆stay ∆go

τ

− → ∆go

0 +

∆stay

1

. . . . . . ∆go

k τ

− → ∆go

(k+1)+

∆stay

(k+1)

. . . . . . . . . . . . Total: Θ = ∞

k=0 ∆stay k

∆stay: any subdistribution ∆go: any subdistribution which can perform τ

Note: use of subdistributions 15/38

sfi Induction Coinduction A-simulations Inequivalences

Weak internal actions in a pLTS

∆ = ⇒ Θ Idea: internal computation is a partial execution ∆ = ∆go

0 +

∆stay ∆go

τ

− → ∆go

0 +

∆stay

1

. . . . . . ∆go

k τ

− → ∆go

(k+1)+

∆stay

(k+1)

. . . . . . . . . . . . Total: Θ = ∞

k=0 ∆stay k

∆stay: any subdistribution ∆go: any subdistribution which can perform τ

Note: use of subdistributions 15/38

sfi Induction Coinduction A-simulations Inequivalences

Weak internal actions in a pLTS

∆ = ⇒ Θ Idea: internal computation is a partial execution ∆ = ∆go

0 +

∆stay ∆go

τ

− → ∆go

0 +

∆stay

1

. . . . . . ∆go

k τ

− → ∆go

(k+1)+

∆stay

(k+1)

. . . . . . . . . . . . Total: Θ = ∞

k=0 ∆stay k

∆stay: any subdistribution ∆go: any subdistribution which can perform τ

Note: use of subdistributions 15/38

sfi Induction Coinduction A-simulations Inequivalences

Weak internal actions in a pLTS

∆ = ⇒ Θ Idea: internal computation is a partial execution ∆ = ∆go

0 +

∆stay ∆go

τ

− → ∆go

0 +

∆stay

1

. . . . . . ∆go

k τ

− → ∆go

(k+1)+

∆stay

(k+1)

. . . . . . . . . . . . Total: Θ = ∞

k=0 ∆stay k

∆stay: any subdistribution ∆go: any subdistribution which can perform τ

Note: use of subdistributions 15/38

sfi Induction Coinduction A-simulations Inequivalences

Example

a.B B s1 s2 a τ

3 4 1 4

τ b

go stay B = B + empDist B

τ

− →

3 4 · s1 + 1 4 · s2 3 4 · s2 τ

− →

3 4 · B +

empDist

3 4 · B τ

− → ( 3

4 )2 · s1 +

( 3

4 ) 1 4 · s2

. . . . . . ( 3

4 )k · B τ

− → ( 3

4 )(k+1) · B +

( 3

4 )k 1 4 · s2

. . . . . . . . . . . . Total: s2 = P∞

k=0( 3 4 )k 1 4 · s2

B = ⇒ s2

16/38

sfi Induction Coinduction A-simulations Inequivalences

Example

a.B B s1 s2 a τ

3 4 1 4

τ b

go stay B = B + empDist B

τ

− →

3 4 · s1 + 1 4 · s2 3 4 · s2 τ

− →

3 4 · B +

empDist

3 4 · B τ

− → ( 3

4 )2 · s1 +

( 3

4 ) 1 4 · s2

. . . . . . ( 3

4 )k · B τ

− → ( 3

4 )(k+1) · B +

( 3

4 )k 1 4 · s2

. . . . . . . . . . . . Total: s2 = P∞

k=0( 3 4 )k 1 4 · s2

B = ⇒ s2

16/38

sfi Induction Coinduction A-simulations Inequivalences

The empty (sub)Distribution: empDist

A feature:

empDist

µ

− → empDist for every action µ

Consequence:

◮ ∆ τ

− → Θ implies ∆ = ⇒ Θ

◮ ∆ τ

− → τ − → Θ implies ∆ = ⇒ Θ

◮ . . .

Sanity check:

∆

τ

− →∗ Θ implies ∆ = ⇒ Θ

17/38

sfi Induction Coinduction A-simulations Inequivalences

The empty (sub)Distribution: empDist

A feature:

empDist

µ

− → empDist for every action µ

Consequence:

◮ ∆ τ

− → Θ implies ∆ = ⇒ Θ

◮ ∆ τ

− → τ − → Θ implies ∆ = ⇒ Θ

◮ . . .

Sanity check:

∆

τ

− →∗ Θ implies ∆ = ⇒ Θ

17/38

sfi Induction Coinduction A-simulations Inequivalences

The empty (sub)Distribution: empDist

A feature:

empDist

µ

− → empDist for every action µ

Consequence:

◮ ∆ τ

− → Θ implies ∆ = ⇒ Θ

◮ ∆ τ

− → τ − → Θ implies ∆ = ⇒ Θ

◮ . . .

Sanity check:

∆

τ

− →∗ Θ implies ∆ = ⇒ Θ

17/38

sfi Induction Coinduction A-simulations Inequivalences

The empty (sub)Distribution: empDist

A feature:

empDist

µ

− → empDist for every action µ

Consequence:

◮ ∆ τ

− → Θ implies ∆ = ⇒ Θ

◮ ∆ τ

− → τ − → Θ implies ∆ = ⇒ Θ

◮ . . .

Sanity check:

∆

τ

− →∗ Θ implies ∆ = ⇒ Θ

17/38

sfi Induction Coinduction A-simulations Inequivalences

The empty (sub)Distribution: empDist

A feature:

empDist

µ

− → empDist for every action µ

Consequence:

◮ ∆ τ

− → Θ implies ∆ = ⇒ Θ

◮ ∆ τ

− → τ − → Θ implies ∆ = ⇒ Θ

◮ . . .

Sanity check:

∆

τ

− →∗ Θ implies ∆ = ⇒ Θ

17/38

sfi Induction Coinduction A-simulations Inequivalences

Lost in divergence

s2 s3 s4 s5 s6

τ 1 22 a τ 1 32 a τ 1 42 a τ 1 52 a τ 1 62 a

Total probability of reaching a from s2:

1 4 + 1 12 + 1 24 + 1 40 . . . . . .

=

1 2

s2 = ⇒ 1

2 · a

Remainder of mass

1 2 is lost in divergence

18/38

sfi Induction Coinduction A-simulations Inequivalences

Lost in divergence

s2 s3 s4 s5 s6

τ 1 22 a τ 1 32 a τ 1 42 a τ 1 52 a τ 1 62 a

Total probability of reaching a from s2:

1 4 + 1 12 + 1 24 + 1 40 . . . . . .

=

1 2

s2 = ⇒ 1

2 · a

Remainder of mass

1 2 is lost in divergence

18/38

sfi Induction Coinduction A-simulations Inequivalences

Lost in divergence

s2 s3 s4 s5 s6

τ 1 22 a τ 1 32 a τ 1 42 a τ 1 52 a τ 1 62 a

Total probability of reaching a from s2:

1 4 + 1 12 + 1 24 + 1 40 . . . . . .

=

1 2

s2 = ⇒ 1

2 · a

Remainder of mass

1 2 is lost in divergence

18/38

sfi Induction Coinduction A-simulations Inequivalences

Lost in divergence

s2 s3 s4 s5 s6

τ 1 22 a τ 1 32 a τ 1 42 a τ 1 52 a τ 1 62 a

Total probability of reaching a from s2:

1 4 + 1 12 + 1 24 + 1 40 . . . . . .

=

1 2

s2 = ⇒ 1

2 · a

Remainder of mass

1 2 is lost in divergence

18/38

sfi Induction Coinduction A-simulations Inequivalences

Lost in divergence

s2 s3 s4 s5 s6

τ 1 22 a τ 1 32 a τ 1 42 a τ 1 52 a τ 1 62 a

Total probability of reaching a from s2:

1 4 + 1 12 + 1 24 + 1 40 . . . . . .

=

1 2

s2 = ⇒ 1

2 · a

Remainder of mass

1 2 is lost in divergence

18/38

sfi Induction Coinduction A-simulations Inequivalences

Simulations in a pLTS finally

Largest relation ⊳S ⊆ S × D(S) satisfying: s ⊳S Θ s ⊳S Θ implies ∆ ∆ lift(⊳S) Θ′ µ µ µ

◮ Θ a

= ⇒ Θ′: now means Θ = ⇒ Θ1

a

− → Θ2 = ⇒ Θ

◮ Θ τ

= ⇒ Θ′: now means Θ = ⇒ Θ′

19/38

sfi Induction Coinduction A-simulations Inequivalences

Simulations in a pLTS finally

Largest relation ⊳S ⊆ S × D(S) satisfying: s ⊳S Θ s ⊳S Θ implies ∆ ∆ lift(⊳S) Θ′ µ µ µ

◮ Θ a

= ⇒ Θ′: now means Θ = ⇒ Θ1

a

− → Θ2 = ⇒ Θ

◮ Θ τ

= ⇒ Θ′: now means Θ = ⇒ Θ′

19/38

sfi Induction Coinduction A-simulations Inequivalences

Example simulation

a.B B s1 s2 a τ

3 4 1 4

τ b a.b ⊳S a.B because a.B

a

= ⇒ b

Also:

a.B ⊳S a.b

20/38

sfi Induction Coinduction A-simulations Inequivalences

Example simulation

a.B B s1 s2 a τ

3 4 1 4

τ b a.b ⊳S a.B because a.B

a

= ⇒ b

Also:

a.B ⊳S a.b

20/38

sfi Induction Coinduction A-simulations Inequivalences

Simulations and testing

Soundness:

s ⊳S Θ implies s ⊑pmay Θ

proof is straightforward

Completeness:

In a finitary pLTS s ⊑pmay Θ implies s ⊳S Θ

difficult proof 21/38

sfi Induction Coinduction A-simulations Inequivalences

Simulations and testing

Soundness:

s ⊳S Θ implies s ⊑pmay Θ

proof is straightforward

Completeness:

In a finitary pLTS s ⊑pmay Θ implies s ⊳S Θ

difficult proof 21/38

sfi Induction Coinduction A-simulations Inequivalences

Simulations and testing

Soundness:

s ⊳S Θ implies s ⊑pmay Θ

proof is straightforward

Completeness:

In a finitary pLTS s ⊑pmay Θ implies s ⊳S Θ

difficult proof 21/38

sfi Induction Coinduction A-simulations Inequivalences

Weak transfer property: WTP

R satisfies the weak transfer property if s R t s R t implies ∆ ∆ lift(R) Θ µ µ µ

In LTSs:

The simulation preorder ⊳S satisfies the WTP

In pLTSs:

The simulation preorder ⊳S does NOT satisfy the WTP

In finitary pLTSs:

The simulation preorder ⊳S satisfies the WTP

22/38

sfi Induction Coinduction A-simulations Inequivalences

Weak transfer property: WTP

R satisfies the weak transfer property if s R t s R t implies ∆ ∆ lift(R) Θ µ µ µ

In LTSs:

The simulation preorder ⊳S satisfies the WTP

In pLTSs:

The simulation preorder ⊳S does NOT satisfy the WTP

In finitary pLTSs:

The simulation preorder ⊳S satisfies the WTP

22/38

sfi Induction Coinduction A-simulations Inequivalences

Weak transfer property: WTP

R satisfies the weak transfer property if s R t s R t implies ∆ ∆ lift(R) Θ µ µ µ

In LTSs:

The simulation preorder ⊳S satisfies the WTP

In pLTSs:

The simulation preorder ⊳S does NOT satisfy the WTP

In finitary pLTSs:

The simulation preorder ⊳S satisfies the WTP

22/38

sfi Induction Coinduction A-simulations Inequivalences

Weak transfer property: WTP

R satisfies the weak transfer property if s R t s R t implies ∆ ∆ lift(R) Θ µ µ µ

In LTSs:

The simulation preorder ⊳S satisfies the WTP

In pLTSs:

The simulation preorder ⊳S does NOT satisfy the WTP

In finitary pLTSs:

The simulation preorder ⊳S satisfies the WTP

22/38

sfi Induction Coinduction A-simulations Inequivalences

The simulation preorder via induction

Using coinduction:

⊳S ⊆ S × D(S) is the largest solution to ⊳S = Sim(⊳S)

Using induction:

⊳S

0 = S × D(S)

⊳S

1 = Sim(⊳S 0)

. . . = . . . ⊳S

(k+1) = Sim(⊳S k)

. . . = . . . ⊳S

∞ =

∩k≥0 ⊳S

k

In general

s ⊳S Θ implies s ⊳S

∞ Θ

23/38

sfi Induction Coinduction A-simulations Inequivalences

The simulation preorder via induction

Using coinduction:

⊳S ⊆ S × D(S) is the largest solution to ⊳S = Sim(⊳S)

Using induction:

⊳S

0 = S × D(S)

⊳S

1 = Sim(⊳S 0)

. . . = . . . ⊳S

(k+1) = Sim(⊳S k)

. . . = . . . ⊳S

∞ =

∩k≥0 ⊳S

k

In general

s ⊳S Θ implies s ⊳S

∞ Θ

23/38

sfi Induction Coinduction A-simulations Inequivalences

The simulation preorder via induction

Using coinduction:

⊳S ⊆ S × D(S) is the largest solution to ⊳S = Sim(⊳S)

Using induction:

⊳S

0 = S × D(S)

⊳S

1 = Sim(⊳S 0)

. . . = . . . ⊳S

(k+1) = Sim(⊳S k)

. . . = . . . ⊳S

∞ =

∩k≥0 ⊳S

k

In general

s ⊳S Θ implies s ⊳S

∞ Θ

23/38

sfi Induction Coinduction A-simulations Inequivalences

The simulation preorder: coinduction v. induction

◮ In an LTS: s ⊳S ∞ Θ does NOT imply s ⊳S Θ ◮ In a finite state LTS: s ⊳S ∞ Θ implies s ⊳S Θ ◮ In a pLTS: s ⊳S ∞ Θ does NOT imply s ⊳S Θ ◮ In a finitary pLTS: s ⊳S ∞ Θ implies s ⊳S Θ

Key property of finitary pLTS:

{ ∆ | s = ⇒ ∆ } is finitely generable

IE:

There exists finite ∆1 . . . ∆k such that

◮ s =

⇒ ∆i

◮ s =

⇒ ∆ only if ∆ = p1 · ∆1 + . . . pn · ∆k pi ≤ 1

24/38

sfi Induction Coinduction A-simulations Inequivalences

The simulation preorder: coinduction v. induction

◮ In an LTS: s ⊳S ∞ Θ does NOT imply s ⊳S Θ ◮ In a finite state LTS: s ⊳S ∞ Θ implies s ⊳S Θ ◮ In a pLTS: s ⊳S ∞ Θ does NOT imply s ⊳S Θ ◮ In a finitary pLTS: s ⊳S ∞ Θ implies s ⊳S Θ

Key property of finitary pLTS:

{ ∆ | s = ⇒ ∆ } is finitely generable

IE:

There exists finite ∆1 . . . ∆k such that

◮ s =

⇒ ∆i

◮ s =

⇒ ∆ only if ∆ = p1 · ∆1 + . . . pn · ∆k pi ≤ 1

24/38

sfi Induction Coinduction A-simulations Inequivalences

The simulation preorder: coinduction v. induction

◮ In an LTS: s ⊳S ∞ Θ does NOT imply s ⊳S Θ ◮ In a finite state LTS: s ⊳S ∞ Θ implies s ⊳S Θ ◮ In a pLTS: s ⊳S ∞ Θ does NOT imply s ⊳S Θ ◮ In a finitary pLTS: s ⊳S ∞ Θ implies s ⊳S Θ

Key property of finitary pLTS:

{ ∆ | s = ⇒ ∆ } is finitely generable

IE:

There exists finite ∆1 . . . ∆k such that

◮ s =

⇒ ∆i

◮ s =

⇒ ∆ only if ∆ = p1 · ∆1 + . . . pn · ∆k pi ≤ 1

24/38

sfi Induction Coinduction A-simulations Inequivalences

The simulation preorder: coinduction v. induction

◮ In an LTS: s ⊳S ∞ Θ does NOT imply s ⊳S Θ ◮ In a finite state LTS: s ⊳S ∞ Θ implies s ⊳S Θ ◮ In a pLTS: s ⊳S ∞ Θ does NOT imply s ⊳S Θ ◮ In a finitary pLTS: s ⊳S ∞ Θ implies s ⊳S Θ

Key property of finitary pLTS:

{ ∆ | s = ⇒ ∆ } is finitely generable

IE:

There exists finite ∆1 . . . ∆k such that

◮ s =

⇒ ∆i

◮ s =

⇒ ∆ only if ∆ = p1 · ∆1 + . . . pn · ∆k pi ≤ 1

24/38

sfi Induction Coinduction A-simulations Inequivalences

The simulation preorder: coinduction v. induction

◮ In an LTS: s ⊳S ∞ Θ does NOT imply s ⊳S Θ ◮ In a finite state LTS: s ⊳S ∞ Θ implies s ⊳S Θ ◮ In a pLTS: s ⊳S ∞ Θ does NOT imply s ⊳S Θ ◮ In a finitary pLTS: s ⊳S ∞ Θ implies s ⊳S Θ

Key property of finitary pLTS:

{ ∆ | s = ⇒ ∆ } is finitely generable

IE:

There exists finite ∆1 . . . ∆k such that

◮ s =

⇒ ∆i

◮ s =

⇒ ∆ only if ∆ = p1 · ∆1 + . . . pn · ∆k pi ≤ 1

24/38

sfi Induction Coinduction A-simulations Inequivalences

The simulation preorder: coinduction v. induction

◮ In an LTS: s ⊳S ∞ Θ does NOT imply s ⊳S Θ ◮ In a finite state LTS: s ⊳S ∞ Θ implies s ⊳S Θ ◮ In a pLTS: s ⊳S ∞ Θ does NOT imply s ⊳S Θ ◮ In a finitary pLTS: s ⊳S ∞ Θ implies s ⊳S Θ

Key property of finitary pLTS:

{ ∆ | s = ⇒ ∆ } is finitely generable

IE:

There exists finite ∆1 . . . ∆k such that

◮ s =

⇒ ∆i

◮ s =

⇒ ∆ only if ∆ = p1 · ∆1 + . . . pn · ∆k pi ≤ 1

24/38

sfi Induction Coinduction A-simulations Inequivalences

The simulation preorder: coinduction v. induction

◮ In an LTS: s ⊳S ∞ Θ does NOT imply s ⊳S Θ ◮ In a finite state LTS: s ⊳S ∞ Θ implies s ⊳S Θ ◮ In a pLTS: s ⊳S ∞ Θ does NOT imply s ⊳S Θ ◮ In a finitary pLTS: s ⊳S ∞ Θ implies s ⊳S Θ

Key property of finitary pLTS:

{ ∆ | s = ⇒ ∆ } is finitely generable

IE:

There exists finite ∆1 . . . ∆k such that

◮ s =

⇒ ∆i

◮ s =

⇒ ∆ only if ∆ = p1 · ∆1 + . . . pn · ∆k pi ≤ 1

24/38

sfi Induction Coinduction A-simulations Inequivalences

Outline

Inductive methods Coinductive methods A-simulations Proving inequivalences

25/38

sfi Induction Coinduction A-simulations Inequivalences

Simulations for must testing

Ingredients:

◮ weak actions as usual ◮ divergence/convergence ◮ failures/acceptances ◮ Convergence: ∆ ⇓ if there is no infinite sequence

∆

τ

− → . . .

τ

− → ∆k

τ

− → . . .

Alternatively: ∆ = ⇒ EmpDist

◮ Acceptances: ∆ acc A if ∆ ⇓ and ∆ τ

= ⇒ Θ implies Θ

a

= ⇒ for some a in ∆

26/38

sfi Induction Coinduction A-simulations Inequivalences

Simulations for must testing

Ingredients:

◮ weak actions as usual ◮ divergence/convergence ◮ failures/acceptances ◮ Convergence: ∆ ⇓ if there is no infinite sequence

∆

τ

− → . . .

τ

− → ∆k

τ

− → . . .

Alternatively: ∆ = ⇒ EmpDist

◮ Acceptances: ∆ acc A if ∆ ⇓ and ∆ τ

= ⇒ Θ implies Θ

a

= ⇒ for some a in ∆

26/38

sfi Induction Coinduction A-simulations Inequivalences

Simulations for must testing

Ingredients:

◮ weak actions as usual ◮ divergence/convergence ◮ failures/acceptances ◮ Convergence: ∆ ⇓ if there is no infinite sequence

∆

τ

− → . . .

τ

− → ∆k

τ

− → . . .

Alternatively: ∆ = ⇒ EmpDist

◮ Acceptances: ∆ acc A if ∆ ⇓ and ∆ τ

= ⇒ Θ implies Θ

a

= ⇒ for some a in ∆

26/38

sfi Induction Coinduction A-simulations Inequivalences

Simulations for must testing

Ingredients:

◮ weak actions as usual ◮ divergence/convergence ◮ failures/acceptances ◮ Convergence: ∆ ⇓ if there is no infinite sequence

∆

τ

− → . . .

τ

− → ∆k

τ

− → . . .

Alternatively: ∆ = ⇒ EmpDist

◮ Acceptances: ∆ acc A if ∆ ⇓ and ∆ τ

= ⇒ Θ implies Θ

a

= ⇒ for some a in ∆

26/38

sfi Induction Coinduction A-simulations Inequivalences

A-simulations in a pLTS

Largest relation ⊲

acc

⊆ Dsub(S) × S satisfying: Θ ⊲

acc s implies:

whenever Θ ⇓,

◮ s ⇓ ◮ Θ acc A implies s acc A ◮ and

Θ ⊲

acc

s Θ ⊲

acc

s implies ∆ Θ′ lift(⊲

acc)

∆ µ µ µ Use of subdistributions Dsub(S) facilitates the treatment of divergence

27/38

sfi Induction Coinduction A-simulations Inequivalences

A-simulations in a pLTS

Largest relation ⊲

acc

⊆ Dsub(S) × S satisfying: Θ ⊲

acc s implies:

whenever Θ ⇓,

◮ s ⇓ ◮ Θ acc A implies s acc A ◮ and

Θ ⊲

acc

s Θ ⊲

acc

s implies ∆ Θ′ lift(⊲

acc)

∆ µ µ µ Use of subdistributions Dsub(S) facilitates the treatment of divergence

27/38

sfi Induction Coinduction A-simulations Inequivalences

A-simulations in a pLTS

Largest relation ⊲

acc

⊆ Dsub(S) × S satisfying: Θ ⊲

acc s implies:

whenever Θ ⇓,

◮ s ⇓ ◮ Θ acc A implies s acc A ◮ and

Θ ⊲

acc

s Θ ⊲

acc

s implies ∆ Θ′ lift(⊲

acc)

∆ µ µ µ Use of subdistributions Dsub(S) facilitates the treatment of divergence

27/38

sfi Induction Coinduction A-simulations Inequivalences

A-simulations in a pLTS

Largest relation ⊲

acc

⊆ Dsub(S) × S satisfying: Θ ⊲

acc s implies:

whenever Θ ⇓,

◮ s ⇓ ◮ Θ acc A implies s acc A ◮ and

Θ ⊲

acc

s Θ ⊲

acc

s implies ∆ Θ′ lift(⊲

acc)

∆ µ µ µ Use of subdistributions Dsub(S) facilitates the treatment of divergence

27/38

sfi Induction Coinduction A-simulations Inequivalences

A-simulations in a pLTS

Largest relation ⊲

acc

⊆ Dsub(S) × S satisfying: Θ ⊲

acc s implies:

whenever Θ ⇓,

◮ s ⇓ ◮ Θ acc A implies s acc A ◮ and

Θ ⊲

acc

s Θ ⊲

acc

s implies ∆ Θ′ lift(⊲

acc)

∆ µ µ µ Use of subdistributions Dsub(S) facilitates the treatment of divergence

27/38

sfi Induction Coinduction A-simulations Inequivalences

A-simulations in a pLTS

Largest relation ⊲

acc

⊆ Dsub(S) × S satisfying: Θ ⊲

acc s implies:

whenever Θ ⇓,

◮ s ⇓ ◮ Θ acc A implies s acc A ◮ and

Θ ⊲

acc

s Θ ⊲

acc

s implies ∆ Θ′ lift(⊲

acc)

∆ µ µ µ Use of subdistributions Dsub(S) facilitates the treatment of divergence

27/38

sfi Induction Coinduction A-simulations Inequivalences

Simulations and must testing

Soundness:

In a finitary pLTS Θ ⊲

acc s implies Θ ⊑pmust s difficult proof because of divergence

Completeness:

In a finitary pLTS Θ ⊑pmust s implies Θ ⊳S s

difficult proof 28/38

sfi Induction Coinduction A-simulations Inequivalences

Simulations and must testing

Soundness:

In a finitary pLTS Θ ⊲

acc s implies Θ ⊑pmust s difficult proof because of divergence

Completeness:

In a finitary pLTS Θ ⊑pmust s implies Θ ⊳S s

difficult proof 28/38

sfi Induction Coinduction A-simulations Inequivalences

Simulations and must testing

Soundness:

In a finitary pLTS Θ ⊲

acc s implies Θ ⊑pmust s difficult proof because of divergence

Completeness:

In a finitary pLTS Θ ⊑pmust s implies Θ ⊳S s

difficult proof 28/38

sfi Induction Coinduction A-simulations Inequivalences

Outline

Inductive methods Coinductive methods A-simulations Proving inequivalences

29/38

sfi Induction Coinduction A-simulations Inequivalences

Are these distinguishable by any test ?

P d

1 2 1 2

a b c Q d

1 2 1 2

a b a c

Q ⊑pmay P

Use test T = d.a.ω:

◮ sup of Apply(T, Q) = 1 ◮ sup of Apply(T, P) = 1 2

30/38

sfi Induction Coinduction A-simulations Inequivalences

Are these distinguishable by any test ?

P d

1 2 1 2

a b c Q d

1 2 1 2

a b a c

Q ⊑pmay P

Use test T = d.a.ω:

◮ sup of Apply(T, Q) = 1 ◮ sup of Apply(T, P) = 1 2

30/38

sfi Induction Coinduction A-simulations Inequivalences

Is P ⊑pmay Q?

P d

1 2 1 2

a b c Q d

1 2 1 2

a b a c

With T = d.(τ.a.(ω 1

2⊕ 0)

+ τ.(b.ω 1

2⊕ c.ω))

◮ sup of Apply(T, P) = 3 4 ◮ sup of Apply(T, Q) = 1 2 ◮ Distinguishing tests can be hard to find.

31/38

sfi Induction Coinduction A-simulations Inequivalences

Is P ⊑pmay Q?

P d

1 2 1 2

a b c Q d

1 2 1 2

a b a c

With T = d.(τ.a.(ω 1

2⊕ 0)

+ τ.(b.ω 1

2⊕ c.ω))

◮ sup of Apply(T, P) = 3 4 ◮ sup of Apply(T, Q) = 1 2 ◮ Distinguishing tests can be hard to find.

31/38

sfi Induction Coinduction A-simulations Inequivalences

Is P ⊑pmay Q?

P d

1 2 1 2

a b c Q d

1 2 1 2

a b a c

With T = d.(τ.a.(ω 1

2⊕ 0)

+ τ.(b.ω 1

2⊕ c.ω))

◮ sup of Apply(T, P) = 3 4 ◮ sup of Apply(T, Q) = 1 2 ◮ Distinguishing tests can be hard to find.

31/38

sfi Induction Coinduction A-simulations Inequivalences

Characterising preorders using logical properties

A set of properties Prop characterises ⊑ whenever

◮ P ⊑ Q implies for every φ in Prop

Q satisfies φ whenever P satisfies φ

◮ P ⊑ Q whenever there is some φ in Prop such that

◮ P satisfies φ ◮ Q does not satisfy φ

Consequence:

To show P ⊑ Q it is sufficient to find some φ such that

◮ P satisfies φ ◮ Q does not satisfy φ

32/38

sfi Induction Coinduction A-simulations Inequivalences

Characterising preorders using logical properties

A set of properties Prop characterises ⊑ whenever

◮ P ⊑ Q implies for every φ in Prop

Q satisfies φ whenever P satisfies φ

◮ P ⊑ Q whenever there is some φ in Prop such that

◮ P satisfies φ ◮ Q does not satisfy φ

Consequence:

To show P ⊑ Q it is sufficient to find some φ such that

◮ P satisfies φ ◮ Q does not satisfy φ

32/38

sfi Induction Coinduction A-simulations Inequivalences

LTS: A modal logic for process properties

φ ::= tt | ff | φ ∧ φ′ | φ ∨ φ′ | µ φ | [µ] φ | acc A

Satisfaction:

◮ P |

= µ φ if P

µ

= ⇒ Q and Q | = φ

◮ P |

= [µ] φ if

◮ P ⇓ ◮ Q |

= φ whenever P

µ

= ⇒ Q

◮ P |

= acc A if

◮ P ⇓ ◮ P

τ

= ⇒ Q implies Q

a

= ⇒ for some a in A

33/38

sfi Induction Coinduction A-simulations Inequivalences

LTS: A modal logic for process properties

φ ::= tt | ff | φ ∧ φ′ | φ ∨ φ′ | µ φ | [µ] φ | acc A

Satisfaction:

◮ P |

= µ φ if P

µ

= ⇒ Q and Q | = φ

◮ P |

= [µ] φ if

◮ P ⇓ ◮ Q |

= φ whenever P

µ

= ⇒ Q

◮ P |

= acc A if

◮ P ⇓ ◮ P

τ

= ⇒ Q implies Q

a

= ⇒ for some a in A

33/38

sfi Induction Coinduction A-simulations Inequivalences

LTS: A modal logic for process properties

φ ::= tt | ff | φ ∧ φ′ | φ ∨ φ′ | µ φ | [µ] φ | acc A

Satisfaction:

◮ P |

= µ φ if P

µ

= ⇒ Q and Q | = φ

◮ P |

= [µ] φ if

◮ P ⇓ ◮ Q |

= φ whenever P

µ

= ⇒ Q

◮ P |

= acc A if

◮ P ⇓ ◮ P

τ

= ⇒ Q implies Q

a

= ⇒ for some a in A

33/38

sfi Induction Coinduction A-simulations Inequivalences

LTS: A modal logic for process properties

φ ::= tt | ff | φ ∧ φ′ | φ ∨ φ′ | µ φ | [µ] φ | acc A

Satisfaction:

◮ P |

= µ φ if P

µ

= ⇒ Q and Q | = φ

◮ P |

= [µ] φ if

◮ P ⇓ ◮ Q |

= φ whenever P

µ

= ⇒ Q

◮ P |

= acc A if

◮ P ⇓ ◮ P

τ

= ⇒ Q implies Q

a

= ⇒ for some a in A

33/38

sfi Induction Coinduction A-simulations Inequivalences

LTS: Property logics and testing

May testing:

◮ ⊑may characterised by L = { tt, µ, ∨ }

Must testing:

◮ ⊑must characterised by L = { ff, [µ], ∧ , acc A }

34/38

sfi Induction Coinduction A-simulations Inequivalences

pLTS: A modal logic for probabilistic process properties

φ ::= . . . . . . µ ψdist | [µ] ψdist . . . ψdist := φ | φ

p∧ ψdist | φ p∨ ψdist

Satisfaction: ∆ | = φ

◮ ∆ |

= µ ψdist if ∆

µ

= ⇒ Θ and Θ | = ψdist

◮ ∆ |

= [µ] ψdist if

◮ ∆ ⇓ ◮ Θ |

= ψdist whenever ∆

µ

= ⇒ Θ

◮ ∆ |

= ψ1

p∧ ψ2 if ◮ ∆ = p · ∆1 + (1 − p) · ∆2 ◮ ∆1 |

= ψ1 and ∆2 | = ψ2

◮ ∆ |

= ψ1

p∨ ψ2 if ◮ ∆ = p · ∆1 + (1 − p) · ∆2 ◮ ∆1 |

= ψ1 or ∆2 | = ψ2

35/38

sfi Induction Coinduction A-simulations Inequivalences

pLTS: A modal logic for probabilistic process properties

φ ::= . . . . . . µ ψdist | [µ] ψdist . . . ψdist := φ | φ

p∧ ψdist | φ p∨ ψdist

Satisfaction: ∆ | = φ

◮ ∆ |

= µ ψdist if ∆

µ

= ⇒ Θ and Θ | = ψdist

◮ ∆ |

= [µ] ψdist if

◮ ∆ ⇓ ◮ Θ |

= ψdist whenever ∆

µ

= ⇒ Θ

◮ ∆ |

= ψ1

p∧ ψ2 if ◮ ∆ = p · ∆1 + (1 − p) · ∆2 ◮ ∆1 |

= ψ1 and ∆2 | = ψ2

◮ ∆ |

= ψ1

p∨ ψ2 if ◮ ∆ = p · ∆1 + (1 − p) · ∆2 ◮ ∆1 |

= ψ1 or ∆2 | = ψ2

35/38

sfi Induction Coinduction A-simulations Inequivalences

pLTS: A modal logic for probabilistic process properties

φ ::= . . . . . . µ ψdist | [µ] ψdist . . . ψdist := φ | φ

p∧ ψdist | φ p∨ ψdist

Satisfaction: ∆ | = φ

◮ ∆ |

= µ ψdist if ∆

µ

= ⇒ Θ and Θ | = ψdist

◮ ∆ |

= [µ] ψdist if

◮ ∆ ⇓ ◮ Θ |

= ψdist whenever ∆

µ

= ⇒ Θ

◮ ∆ |

= ψ1

p∧ ψ2 if ◮ ∆ = p · ∆1 + (1 − p) · ∆2 ◮ ∆1 |

= ψ1 and ∆2 | = ψ2

◮ ∆ |

= ψ1

p∨ ψ2 if ◮ ∆ = p · ∆1 + (1 − p) · ∆2 ◮ ∆1 |

= ψ1 or ∆2 | = ψ2

35/38

sfi Induction Coinduction A-simulations Inequivalences

pLTS: A modal logic for probabilistic process properties

φ ::= . . . . . . µ ψdist | [µ] ψdist . . . ψdist := φ | φ

p∧ ψdist | φ p∨ ψdist

Satisfaction: ∆ | = φ

◮ ∆ |

= µ ψdist if ∆

µ

= ⇒ Θ and Θ | = ψdist

◮ ∆ |

= [µ] ψdist if

◮ ∆ ⇓ ◮ Θ |

= ψdist whenever ∆

µ

= ⇒ Θ

◮ ∆ |

= ψ1

p∧ ψ2 if ◮ ∆ = p · ∆1 + (1 − p) · ∆2 ◮ ∆1 |

= ψ1 and ∆2 | = ψ2

◮ ∆ |

= ψ1

p∨ ψ2 if ◮ ∆ = p · ∆1 + (1 − p) · ∆2 ◮ ∆1 |

= ψ1 or ∆2 | = ψ2

35/38

sfi Induction Coinduction A-simulations Inequivalences

pLTS: A modal logic for probabilistic process properties

φ ::= . . . . . . µ ψdist | [µ] ψdist . . . ψdist := φ | φ

p∧ ψdist | φ p∨ ψdist

Satisfaction: ∆ | = φ

◮ ∆ |

= µ ψdist if ∆

µ

= ⇒ Θ and Θ | = ψdist

◮ ∆ |

= [µ] ψdist if

◮ ∆ ⇓ ◮ Θ |

= ψdist whenever ∆

µ

= ⇒ Θ

◮ ∆ |

= ψ1

p∧ ψ2 if ◮ ∆ = p · ∆1 + (1 − p) · ∆2 ◮ ∆1 |

= ψ1 and ∆2 | = ψ2

◮ ∆ |

= ψ1

p∨ ψ2 if ◮ ∆ = p · ∆1 + (1 − p) · ∆2 ◮ ∆1 |

= ψ1 or ∆2 | = ψ2

35/38

sfi Induction Coinduction A-simulations Inequivalences

pLTS example: using formulae

P d

1 2 1 2

a b c Q d

1 2 1 2

a b a c

With φ = d(a tt

1 2∧ (b tt ∧ c tt))

◮ P |

= φ

◮ Q |

= φ

◮

So P ⊑pmay Q

36/38

sfi Induction Coinduction A-simulations Inequivalences

pLTS example: using formulae

P d

1 2 1 2

a b c Q d

1 2 1 2

a b a c

With φ = d(a tt

1 2∧ (b tt ∧ c tt))

◮ P |

= φ

◮ Q |

= φ

◮

So P ⊑pmay Q

36/38

sfi Induction Coinduction A-simulations Inequivalences

pLTS example: using formulae

P d

1 2 1 2

a b c Q d

1 2 1 2

a b a c

With φ = d(a tt

1 2∧ (b tt ∧ c tt))

◮ P |

= φ

◮ Q |

= φ

◮

So P ⊑pmay Q

36/38

sfi Induction Coinduction A-simulations Inequivalences

pLTS: Property logics and testing

In a finitary pLTS:

May testing:

◮ ⊑pmay characterised by L = { tt, µ, ∨, ∧, p∧ }

Must testing:

◮ ⊑pmust characterised by L = { ff, [µ], ∧, ∨, p∨, acc A }

Proofs are very indirect, via simulations

37/38

sfi Induction Coinduction A-simulations Inequivalences

pLTS: Property logics and testing

In a finitary pLTS:

May testing:

◮ ⊑pmay characterised by L = { tt, µ, ∨, ∧, p∧ }

Must testing:

◮ ⊑pmust characterised by L = { ff, [µ], ∧, ∨, p∨, acc A }

Proofs are very indirect, via simulations

37/38

sfi Induction Coinduction A-simulations Inequivalences

pLTS: Property logics and testing

In a finitary pLTS:

May testing:

◮ ⊑pmay characterised by L = { tt, µ, ∨, ∧, p∧ }

Must testing:

◮ ⊑pmust characterised by L = { ff, [µ], ∧, ∨, p∨, acc A }

Proofs are very indirect, via simulations

37/38

sfi Induction Coinduction A-simulations Inequivalences

Conclusions

◮ Testing provides basis for a natural extensional theory of

processes

◮ Applies to processes which exhibit both

◮ nondeterministic ◮ probabilistic

behaviour

◮ Coinductive simulations provide powerful proof method for

relating processes

◮ Probabilistic modal logic provides powerful proof method for

distinguishing processes

◮ Both techniques are complete for finitary processes

38/38

sfi Induction Coinduction A-simulations Inequivalences

Conclusions

◮ Testing provides basis for a natural extensional theory of

processes

◮ Applies to processes which exhibit both

◮ nondeterministic ◮ probabilistic

behaviour

◮ Coinductive simulations provide powerful proof method for

relating processes

◮ Probabilistic modal logic provides powerful proof method for

distinguishing processes

◮ Both techniques are complete for finitary processes

38/38

sfi Induction Coinduction A-simulations Inequivalences

Conclusions

◮ Testing provides basis for a natural extensional theory of

processes

◮ Applies to processes which exhibit both

◮ nondeterministic ◮ probabilistic

behaviour

◮ Coinductive simulations provide powerful proof method for

relating processes

◮ Probabilistic modal logic provides powerful proof method for

distinguishing processes

◮ Both techniques are complete for finitary processes

38/38

sfi Induction Coinduction A-simulations Inequivalences

Conclusions

◮ Testing provides basis for a natural extensional theory of

processes

◮ Applies to processes which exhibit both

◮ nondeterministic ◮ probabilistic

behaviour

◮ Coinductive simulations provide powerful proof method for

relating processes

◮ Probabilistic modal logic provides powerful proof method for

distinguishing processes

◮ Both techniques are complete for finitary processes

38/38

sfi Induction Coinduction A-simulations Inequivalences

Conclusions

◮ Testing provides basis for a natural extensional theory of

processes

◮ Applies to processes which exhibit both

◮ nondeterministic ◮ probabilistic

behaviour

◮ Coinductive simulations provide powerful proof method for

relating processes

◮ Probabilistic modal logic provides powerful proof method for

distinguishing processes

◮ Both techniques are complete for finitary processes

38/38