Reactive Systems: Modelling, Specification and Verification - Cs.ioc.ee

110 CHAPTER 5. HENNESSY-MILNER LOGIC
This transition can only be matched by either
or
B a → 0
B a → a.B .
However, neither 0 nor a.B is strongly bisimilar to A, because this process can
perform an a-labelled transition and become 0 in doing so. On the other hand,
a.B a → B
is the only transition that is possible from a.B, and B is not strongly bisimilar to 0.
Based on this analysis, it seems that a property distinguishing the processes A
and B is 〈a〉〈a〉[a]ff—that is, the process can perform a sequence of two a-labelled
transitions, and in so doing reach a state from which no a-labelled transition is
possible. In fact, you should be able to establish that A satisfies this property, but
B does not. (Do so!)
Again, faced with two non-bisimilar processes, we have been able to find a formula
in the logic M that distinguishes them, in the sense that one process satisfies
it, but the other does not. Is this true in general? And what can we say about two
processes that satisfy precisely the same formulae in M? Are they guaranteed to
be strongly bisimilar?
We shall now present a seminal theorem, due to Hennessy and Milner, that
answers both of these questions in one fell swoop by establishing a satisfying,
and very fruitful, connection between the apparently unrelated notions of strong
bisimilarity and the logic M. The theorem applies to a class of processes that we
now proceed to define.
Definition 5.3 [Image finite process] A process P is image finite iff the collection
{P ′ | P a → P ′ } is finite for each action a.
An LTS is image finite if so is each of its states.
For example, the process Arep (for ‘A replicated’) defined thus:
Arep def
= a.0 | Arep
is not image finite. In fact, you should be able to prove by induction on n that, for
each n ≥ 1,
Arep a → a.0 | · · · | a.0 |0 | Arep .
n times