On Algorithmic Verification Methods for Probabilistic Systems

OnAlgorithmicVerificationMethods forProbabilisticSystems
derFakultatfurMathematikundInformatik zurErlangungdervenialegendi Habilitationsschrift
derUniversitatMannheim
ChristelBaier ausKarlsruhe vorgelegtvon
1998

Tomyparents,GerdaandMausi
1

Acknowledgements
Firstofall,IwouldliketothanktoMilaMajster-Cederbaumwhoisbyfarmorethanjust privateaairs.Withouthersupportandencouragement,Iwouldneverhavestartednor asupervisor.Manythanksforintroducingmeinthetheoryofparallelsystems,various fruitfuldiscussionsaboutresearchtopicsandcountlesshelpfuladvicesinvocationaland researcherorteacheritisduetoher.ItisimpossibletoexpresssomanythanksthatI owetoher. nishedmyPh.D.Thesisorthishabilitationthesis.IncaseIwillbesometimeagood
WhenIvisitedMartaKwiatkowskainNovember1995,sheconvincedmethatresearchon probabilisticprocessesisanimportantandinteresting(evensointerestingthatIwrote
much. electronicmailIesteemherasasourceofinspirationaswellasafriend.Thankyouso athesiswithmorethan300pagesaboutthem!)task.Mostofthemainresultsinthis thesisweredevelopedincollaborationwithher.Evenourcontactisalmostexclusiveby
ManythankstoHolgerHermanns,JoostKatoenandPedrod'Argenioforbeingfriends andforthevarioushelpfuldiscussionsthatwehadviaelectronicmail,onthephone,at
papersthathaveservedasbasisforthiswork.Especially,IwouldliketothankEdClarke conferencesorinamorerelaxedscenariowithbeer,tequilaorchampagne. Ithankallmycoauthors,discussionpartnersandallthosewhohavecommentedonthe
ManythankstoJurgenJaapandMartinTramplerfortheirpatienceandassistencewhen- whosesupportandsuggestionshelpedmesomuch,notonlyforthisthesis.
AlexandraSchubertforallthetimeshespendedforcopyingpapersforme. withoutherhelpIwouldnothavesurvivedinthegermanbureaucracyjungleandto everIhadaproblemwithourcomputersystem,UNIXorLATEX,toRitaSommer
Eventhoughresearchonparallelsystemsisnice,Iamluckythatthereisalifeoutside myoce.SpecialthankstomybestfriendsHansHelm,MarkSchad,PetraGramlich andPetraBullerkotteforbeingtherewheneverIneedthem,listeningtomyproblems
myfriendsthere;especiallytoThomasSchmidtwhonevergaveupintryingtoteachme beavegetarianandsmokerandbeingaddictedindoingsports.However,inthepast fewyears,the\SquashLagune"turnedouttobemysecondhome.Manythankstoall andbearingmeevenwhenIaminabadmood.Itmightbeastrangecombinationto
playingsquashandHeikeStecherandAnneLuckforgivingoutstanding\powerhours".
looksforwardtoseeme. Thisthesisisdedicatedtomyparentswhosupportedmeinallareasoflife,mysister GerdaandourdogMausi,theonlycreaturewhereIamdenitelysurethatshealways
3

Contents
1Introduction 1.1Vericationmethods..............................12 1.1.1Transitionsystems...........................13 11
1.1.2Specifyingparallelsystemswithprocesscalculi...........14
1.2Probabilisticsystems..............................17 1.1.3Thetemporallogicalapproach.....................16 1.1.4Stateexplosionproblem........................17 1.2.1Modellingprobabilisticbehaviour...................18
1.3Thetopicsofthisthesis............................26 1.2.2Theprocesscalculusapproachforprobabilisticsystems.......22 1.2.3Probabilistictemporallogic......................24 1.3.1Relatedwork..............................27
2Preliminaries 1.3.2Howtoreadthisthesis.........................27
2.1Sets,relations,partitionsandfunctions....................29 2.2Distributions..................................30 29
3Modellingprobabilisticbehaviour 3.1Fullyprobabilisticsystems...........................34 3.2Concurrentprobabilisticsystems.......................38 33
3.2.1Pathsinconcurrentprobabilisticsystems...............40
3.3Labelledprobabilisticsystems.........................47 3.2.2Adversariesofconcurrentprobabilisticsystems............41 3.2.3Fairnessofnon-deterministicchoice..................45 3.3.1Action-labelledprobabilisticsystems.................47 5

6 3.3.2Proposition-labelledprobabilisticsystems...............52 CONTENTS
3.4Bisimulationandsimulation..........................53
3.5Probabilisticprocesses.............................61 3.4.1Bisimulation...............................54
3.6Relatedmodels.................................62 3.4.2Simulation................................56
3.7Proofs......................................64 3.7.1Probabilisticreachabilityanalysis...................64
4Probabilisticprocesscalculi 3.7.2Bisimulationandsimulationinimage-nitesystems.........68
4.1PCCS:anasynchronousprobabilisticcalculus................74 4.2PSCCS:asynchronousprobabilisticcalculus.................79 71
5Denotationalmodels 4.3PLSCCS:alazysynchronouscalculus....................83
5.1Denotationalmodels:concurrentcase.....................91 5.1.1ThedomainIP.............................92 89
5.1.2ThesemanticdomainID........................94 5.1.3ThesemanticdomainIM........................96
5.2Denotationalmodels:fullyprobabilisticcase.................104 5.1.4DenotationalsemanticsonIMandID.................99
5.3Proofs......................................105 5.1.5Afewremarksaboutprobabilisticpowerdomains..........103
5.3.1ThepartialordersimonDistr(D)..................105 5.3.2ThedomainID.............................110 5.3.3Themetricprobabilisticpowerdomainsofevaluations........116 5.3.4ThedomainIM.............................122
6Decidingbisimilarityandsimilarity 5.3.5Fullabstraction.............................125
6.1Computingthebisimulationequivalenceclasses...............130 6.1.1Thefullyprobabilisticcase.......................131 129
6.1.2Theconcurrentcase..........................131

CONTENTS 6.2Computingthesimulationpreorder......................143 7
6.2.1Thetestwhether 6.2.2Theconcurrentcase..........................146 6.2.3Thefullyprobabilisticcase.......................151 R0.......................143
7Weakbisimulation 6.3Proofs......................................153
7.1Weakandbranchingbisimulation.......................161 7.1.1Weakbisimulation...........................161 159
7.2Decidabilityofweakbisimulationequivalence................164 7.1.2Branchingbisimulation.........................162
7.3Connectiontootherequivalences.......................171 7.2.1Thealgorithm..............................165
7.4Compositionality................................174 7.2.2Timecomplexity............................169
7.5Proofs......................................177 7.5.1Weakandbranchingbisimulationequivalence............177
8Fairnessofprobabilisticchoice 7.5.2 andthetestingequivalences=steand0..............186
8.1P-fairnessforfullyprobabilisticsystems...................194 8.2P-fairnessforconcurrentprobabilisticsystems................199 193
9Verifyingtemporalproperties 9.1ThelogicPCTL................................207 9.1.1Interpretationoverfullyprobabilisticsystems............209 205
9.1.2Interpretationoverconcurrentprobabilisticsystems.........210 9.1.3ThesublogicsPCTLandLTL.....................211
9.2ModelcheckingalgorithmsforPCTL 9.1.4Relatedlogics..............................213
9.3ModelcheckingforPCTL...........................216 9.1.5PCTLequivalenceandbisimulationequivalence...........214
9.3.1Nextstep................................218 ....................214
9.3.2Boundeduntil..............................219

8 9.3.3Unboundeduntil............................220 CONTENTS
9.4ModelcheckingforLTL............................234 9.3.4Theconnectionbetweenj=,j=fair,j=sfairandj=Wfair.........230
9.5Proofs......................................241 9.3.5ComplexityofPCTLmodelchecking.................231
9.5.1Stateandtotalfairness.........................241 9.5.2CorrectnessofthePCTLmodelcheckingalgorithm.........243
10Symbolicmodelchecking 9.5.3CorrectnessoftheLTLmodelcheckingalgorithm..........252
10.1Thealgebraicmu-calculus...........................259 10.1.1Syntaxofthealgebraicmu-calculus..................260 255
10.2Thealgebraicmu-calculusasaspecicationlanguage............275 10.1.2Semanticsofthealgebraicmu-calculus................262 10.1.3Fixedpointoperators..........................270 10.2.1Therelationalmu-calculus.......................275 10.2.2Themodalmu-calculus.........................276
10.3A\compiler"forthealgebraicmu-calculus..................285 10.2.3ThelogicPCTL.............................279 10.2.4WordlevelCTL.............................283 10.3.1Themixedcalculus...........................286
10.4Symbolicmodelcheckingforprobabilisticprocesses.............295 10.3.2Inferencefromthealgebraictothemixedcalculus..........287 10.3.3Computingthesemanticsofthemixedcalculus...........290 10.4.1RepresentingprobabilisticsystemsbyMTBDDs...........295 10.4.2SymbolicmodelcheckingforPCTL..................297
11Concludingremarks 10.4.3Decidingbisimulationequivalence...................300
12Appendix 305
12.1Preliminariesforthedenotationalmodels...................307 12.1.1Basicnotionsofdomaintheory....................307 307
12.1.2Metricspaces..............................310

CONTENTS 12.1.3Categoricalmethodsforsolvingdomainequations..........311 9
12.2Orderedbalancedtrees.............................314 12.3Multiterminalbinarydecisiondiagrams....................315
12.1.4Evaluations...............................313

10 CONTENTS

Chapter1
Introduction
Parallelsystems(suchasoperatingsystems,telecommunicationsystems,aircraftcon-
qualityofaparallelsystemdependsonseveralproperties,typicallyclassiedintosafety trollingsystems,bankingsystems,etc.)ariseinmanyindustrialapplications.Forap situationsapreciseanalysisofthepossiblesystembehavioursisanimportanttask.The propertieswhichstatethat\nothingbadhappens"(e.g.mutualexclusion,deadlockfreeplicationswhereerrorsmightbeexpensiveandleadtodangerousorevencatastrophal propertieswhichassertthat\somethinggoodwilleventuallyhappen"(e.g.termination, starvationfreedom)[OwLa82].Inrealisticapplications,notonlythefunctionalityofa parallelsystemisimportant,alsoquantitativeaspects(suchastimeorprobabilities)play domorthecomputationofsucientlyexactnumericalvalues)andlivenessorprogress
acrucialrole.Forinstance,inpractice,itisuselesstoestablishapropertylike\each requestwilleventuallybeanswered"asthereisnoboundonhowmuchtimewillpass thistypecanbeestablishednotonlydependsonthedesignofthesystembutalsoon thereliabilityoftheinterfacewiththeenvironmentortheresourcesthatthesystemuses. betweenarequestandtheresponse.Typically,oneaimsatapropertylike\eachrequest
Forinstance,iftheresponseistransmittedviaanuncertainmediumthatmightloose willeventuallybeansweredwithinthenext5seconds".Whetherornotapropertyof
happensmightberare.Ifthefailureratesareknown(orcanbeestimatedbyexperimentalresults),itmakessensetoreasonaboutthefrequenciesforcertainevents,i.e.todeal withquantitativepropertieslike\thereisa95%chancethattherequestwillbeanswered messagesapropertyasabovecanneverhold.However,thecaseswhereaphysicalerror
withinthenext5seconds".
abstractsfromquantitativeaspectsliketime,performanceorinformationsaboutthefre- Traditionally,themodellingofparallelsystemsfocussesonthefunctionalbehaviourbut
behaviour. i.e.parallelsystemswhereprobabilitiesareusede.g.tomodeluncertaintiesorrandomized quencyofcertainsystembehaviours.Inthisthesis,weshrinkourattentiontoprobabilisticphenomenaandconsidermethodsforspecifyingandvalidatingprobabilisticsystems, 11

12 1.1 Vericationmethods CHAPTER1.INTRODUCTION
Werstgiveabriefsummaryoverthegeneraltechniquesforanalyzingparallelsystems.Thesetechniquesarecommonlyusedforreasoningaboutthefunctionalbehaviour. Suitableadaptionsofthesemethodscanbeusedtotreatvarioustypesofquantitative behaviour;inparticular,theycanbeappliedtoanalyzeprobabilisticsystems. Awidespreadtechniqueforanalyzingthepropertiesofaprogramistestingwhichmeansto observetheprogramduringtheexecutionwithcertainwell-choseninputsandtocompare thereactionwiththedesiredbehaviour.Sincetestingcoversonlya(small)subsetofthe
eitherbydeductivemethodsorbymodelchecking.Thedeductivemethodsarebasedon whichaimsataformalproofforthecorrectnessofaprogram.1Thisistypicallyachieved possibleinstancesofsystembehavioursitcanonlydetectthepresenceoferrorsbutnotthe
amanualcompositionofaprogramandacorrectnessproofusingaxiomsandinference absenceoferrors.Inthisthesis,weconsiderthecomplementarytechnique:verication
rulesforanappropriatespecicationformalism.Ingeneral,thesemethodsrequireuser
nottheprogrammeetsthespecication[ClEm81,QuSi82,CES83].Thus,themethods specicationasitsinputandreturnstheanswer\yes"or\no"dependingonwhetheror algorithmicvericationmethodthattakes(anabstractdescriptionof)aprogramandits interventiontoalargedegreeandareverytimeconsuming.Modelcheckingmeansan
cases)limitedtonite-statesystems.2Nevertheless,alargeclassofparallelprocessesthat areuserindependenttoalargeextent.Whilethedeductivemethodsareapplicableto systemsofarbitrarysize(eveninnitesystems),themodelcheckingapproachis(inmost basedonmodelcheckingautomatethetaskofvalidatingprograms;andhence,they
appearinrealisticapplicationscanbedescribed{withthehelpofseveralabstraction techniques{byasystemwithanitestatespace.3
therequiredpropertiescanbeidentied: Specicationformalisms:Anyvericationmethodrequiresaprecisedescriptionofthe desirablesystembehaviourbyaformalspecication.Twogeneralframeworkstospecify
Therstframeworkisbasedonahomogenoustechniquewheretheprogramandspeci- theformalizationofthedesirablepropertiesbyformulasofsomelogic. thespecicationbyamodelthattellshowthesystemshouldbehave,
representtheprogramandthespecication.Theprogramisdescribedbyamodel(asin tion,i.e.abinaryrelationontheobjectsofthatformalism(the\models").Thelogical frameworkfocussesonaheterogenoustechniquewheredierentformalismsareusedto cationaredescribedinthesameformalismandcomparedviaanimplementationrela
thehomogenousapproach)whilethespecicationisaformulaofsomeprogramlogic. Branchingtimeversuslineartime:4Boththehomogenousandtheheterogenous withanabstraction(amodel)oftheprogram.Hence,thevericationmethodscanonlyassurethatthe abstractmodelfulllstherequiredproperties;thus,theycanonlybeasgoodastheabstractionis. 1Whiletestingisperformedbyexercisingthe(real)implementationthevericationmethodswork trarysizeisundecidable(considere.g.thehaltingproblem);andhence,cannotbesolvedautomatically. tools,seee.g.[CPS90,McMil92,HoPe94,CCM+95,Camp96,HHW97,LPY97,HarG98]. 2Thisobservationisclearfromthefactthatawiderangeofvericationproblemsforsystemsofarbi- 3Thebenetsofthemodelcheckingapproachhavebeendocumentedfromthereportsonimplemented 4Adetaileddiscussionaboutthebranchingtimeandlineartimeviewcanbefoundin[Lamp80,

1.1.VERIFICATIONMETHODS frameworkreasonaboutthe\behaviours"ofparallelsystems.Inthelineartimeview, 13
thebehaviourisdeterminedbythepossibleexecutionsignoringthepossiblebranches possiblesteps)oftheintermediatestatesintoaccountandobservesaprocessbymeans ofa\push-button-experiment".5 intheintermediatestates.Thebranchingtimeviewtakesthebranchingstructure(the
sibletransitionsbetweenthem.Oneofthestandardmodelsaretransitionsystems 1.1.1 Modelsdescribeanabstractionofasystembyrepresentingthestatesandthepos- Transitionsystems
[Kell76,Plot81]thatdescribethesystembehaviourbyadirectedgraph.Thenodesreptypesoftransitionsystemsareproposed.Forinstance,thestatescanbelabelledbyasresentthestates;edgesstandforthepossiblestatechanges(transitions).Thebranches(edges)inastate(node)representthepossiblestepsinthatstate.6Theexecutions(sequencesofstates)aregivenbythepathsthroughthisgraph.Intheliterature,severalsertions(e.g.propositionalorrstorderlogicalformulasthatstatesomethingaboutthe
valuesoftheprogramandcontrolvariables),thetransitionscanbeequippedwithaction interleavingandfairness.Theuseofinterleavingcanbemotivatedbytheobservationthat namesorbooleanguards.Intransitionsystems,asynchronousparallelismismodelledby theeectoftheparallelexecutionakboftwo\independent"actionsaandb(eachofthem onitsownprocessor)isthesameasifaandbareexecutedinanyorderononeprocessor. Hence,fromtheinterleavingpointofview,wehavethe\equality"akb=a;b+b;a.7In
s1+QQQQQs a s0QQQQQs
b s3 ab
+ s2
otherwords,interleavingreducesparallelismtothenon-deterministicchoicethatdecides whichsubprocessperformsthenextstep.Onemightthinkofthischoicetoberesolvedby Figure1.1:akb=a;b+b;a
the\environment"(e.g.anotherprogramthatrunsinparallelorauser)whosedecisions are(insomeappropriatesense)fairwithanysubprocess.Thiskindoffairnessisoften varioustypesoffairnessareconsidered.8Allfairnessnotionshaveincommonthatthey calledprocessfairness.Intuitively,processfairnessrulesoutthepathologicalpossibility
EmHa86,dBdRR88]. thatsomesubprocessispermanentlydeniedtoperformthenextstep.Intheliterature,
thesystemexecutesthecorrespondingstepandthe\push-button-experiment"restartsinthenewstate. probabilisticphenomena,thebranchescanalsostandforthealternativesofaprobabilisticchoice. 6Intheclassicalapproach,thebranchesstandfornon-deterministicalternatives.Whendealingwith 5Forthis,thepossiblestepsinastateareviewedasbuttons.Theobserverselectsoneofthesebuttons, 7Here,;denotessequentialcompositionand+non-deterministicchoice. 8Forasurveyoffairnessnotionsseee.g.[LSP81,QuSi83,Fran88,Kwia89].

14 makerestrictionsconcerningthenon-deterministicchoicesintheinniteexecutions(in- CHAPTER1.INTRODUCTION
beessentialforestablishinglivenessproperties. nitepathsinthetransitionsystem).TheycannotaectthesafetypropertiesbutmightHomogenoustechniquesaremostlyusedinthecontextwithcompositionoperatorspro-
1.1.2 videdbysomeprocesscalculus(alsooftencalledprocessalgebra).Processcalculiare Specifyingparallelsystemswithprocesscalculi
specicationlanguagesthatdescribethereactivebehaviourofparallelsystems.The mainingedrientsofsuchprocesscalculiareoperatorsformodellingparallelcomposition
Bergstra&Klop'sACP[BeKl84],wherethecomponentsworktime-independentlyand tinctionmarkfortheprocesscalculiproposedintheliteratureisthetypeofparallelism.k,non-deterministicchoice+,sequentialcomposition;andrecursion.9Themaindis- communicateviacertainchannels.Others,suchasMilner'sSCCS[Miln83]orESTEREL [BeGon92],arebasedonsynchronousparallelismwherethestepsoftheparallelcompo- Someareasynchronouscalculi,suchasMilner'sCCS[Miln80],Hoare'sCSP[Hoar85]or
sitionarecomposedby\one-time-steps"ofitssubprocesses.The\one-time-steps"can eitherbysingleatomicsteps(asinthecaseofSCCS)orsequencesofatomicsteps(asin Implementationrelations:Typically,processalgebrasaresuppliedwithanopera- thecaseofESTEREL).
abinaryrelationontransitionsystemsthatformalizeswhatismeantforaprogramto tionalsemanticsbasedontransitionsystems10togetherwithanimplementationrelation,correctlyimplementanotherone.Theimplementationrelationmakesitpossibletocom- becorrectwithrespecttothespecicationQiPimplQforthechosenimplementation pareaprogram(theimplementation)withitsspecication.Forthis,theimplementation PandthespecicationQaredescribedbytermsoftheprocessalgebraandPissaidto relationimpl.11Processalgebrasequippedwithacongruence(i.e.animplementationrelationimplthatispreservedbythecompositionoperatorsofthecalculus)playacrucial i=1;:::;n).Moreover,congruencescanserveasbasisformodularverication,i.e.the \higher-level"processPby\lower-level"modulesQ1;:::;Qn(providedthatQiimplPi, bystepwiserenementsincetheyallowthereplacementofthemodulesP1;:::;Pnofa roleforthedesignandanalysisofparallelsystems.Congruencesareusefulforthedesign
preorders.12 aboutthemodules.Typically,suchimplementationrelationsareeitherequivalencesor separatevericationoftheprogrammodulesfromwhichthecorrectnessofthecomposed processisderivedusingjustthecorrectnessofthemodulesbutnotanyotherknowledge
22.10Often,thetermsofaprocessalgebraareidentiedwiththeassociatedtransitionsystems.Inpar- e.g.byoperatorsthatspecifytimeoutsordelaysoraprobabilisticchoiceoperator[GJS90,HaJo90, NRS+90,Hans91,Yi91].FurtherreferencestoprobabilisticprocesscalculiaregiveninSection1.2,page 9Toreasonaboutquantitativeproperties(e.g.timeorprobabilities),suchcalculicanbeextended
ticular,thecompositionoperatorsoftheprocessalgebracanalsobeviewedasoperatorsforcomposing transitionsystems. benaturalconditionsthatarelationwhichformalizeswhatismeantby\aprocessimplementsanother one"shouldhave.
11Thus,vericationamountsshowingthatPimplQ. 12Recallthatapreorderisareexiveandtransitiverelation.Bothreexityandtransitivityseemto

1.1.VERIFICATIONMETHODS Theequivalencescanbeinterpretedinsuchawaythatequivalentprogramsexhibit 15
Inmostcases,theuseofpreordersismotivatedbytheassumptionthatthespeci- behaviour)13buttheycanalsoserveasbasistocomparethequantitivebehaviourof thesame\behaviour"withrespecttoanappropriatenotionofbehaviour.
twosystems,e.g.iftheyyieldnotionsof\fasterthan"or\morereliable". cationjusttellswhich\behaviours"areallowed(butdoesnotprescribetheexact
Amongtheimplementationrelationthathaveprovedmostusefularebisimulation[Miln80, Park81,Miln89]andsimulation[Miln89,AbLa88,Jons91,LyVa91]relations,traceequivalence[Hoar85],failureequivalence[BHR84]andtestingpreorders[dNHe83].Bisimulationandsimulationarebasedonthebranchingtimeviewandestablishastep-by-stepcorreordersistodenetheprocessbehaviourbymeansofitsabilitytopasstests.Thetestsspondencebetweentwosystems.Asaclassicalrepresentativeforthelineartimerelations, traceequivalenceestablishsacorrespondencebetweentheexecutions,butabstractsfrom thepossiblebranchesintheintermediatestates.Thebasicideabehindthetestingpre-
bythecompositionoperatorsoftheunderlyingprocesscalculus(i.e.congruences)are arespecialprograms(describedintermsoftheunderlyingprocesscalculus)thatareex-
byabstraction.Forthis,equivalentstatesareidentiedandreplacedbyasinglestate. ofgreatimportancefortheanalysissincetheycanbeusedtoreducethestatespace ecutedinparallelwiththegivenprocess.Especiallytheequivalencesthatarepreserved
Theresultingquotientspacemightbemuchsmaller14andmayevenbeniteforinnite systems.
forsystemsonthesamelevelofabstraction(e.g.twoimplementations)whiletheweak frominternalcomputationswhilethestrongimplementationrelationsdonot.Being sensitivewithrespecttointernalsteps,ingeneral,strongrelationscanonlybeestablished Strongandweakrelations:Weakimplementationrelationsarethosethatabstract
Denotationalsemantics:Becauseofitsdeclarativenature,theabovementionedoper- implementationanditsspecication). relationsareappropriatetocomparesystemsondierentlevelsofabstraction(e.g.an
ationalsemantics(whichassignstoeachtermoftheprocesscalculusatransitionsystem) isoftentheonethatadesignerhasinmind.Whiletheoperationalsemanticsfocusses onthestepwisebehaviourthemainconceptsofdenotationalsemanticsarecompositionalityandtheuseofxedpointequationsformodellingrecursion.15Inmanycases,the eleganttechniquetodenethemeaningsofrecursive(orrepetitive)programs.Often, useofxedpointtheoryrequiresmethodsofseveralmathematicaldisciplines(e.g.topoldenotationalsemanticsareusedtoobtainacharacterizationoftheimplementationreogy,domaintheory,categorytheory)andleadtoasemanticsthatishardtounderstand
foranon-mathematician.However,thedenotationalapproachprovidesamuchmore
allotherdetailsabouttheprogram).Fullabstractionresultscanserveasbasisforver- lationassociatedwiththeoperationalsemanticsbymeansofafullabstractionresult. Fullabstractionmeansthatthedenotationalsemanticsofaprogramcontainsexactlythe informationthatisrelevantforthechosenimplementationrelation(butabstractsfrom
samebehaviour.
15Thexedpointequationsreectourintuitionthatarecursiveprocedureandtheirbodyhavethe 13Inthiscase,theuseofpreorderscanbeviewedasaprooftechniqueforestablishingsafetyproperties. 14Seee.g.[CGT+96]foranexpressiveexample.

16 icationmethods16orjusthelpforabetterunderstandingoftheoperationalsemantics CHAPTER1.INTRODUCTION
allowforproofsbystructuralinductionwhichisoftenausefulconcepttoestablishalink andtheimplementationrelation.Moreover,beingcompositional,denotationalsemantics
1.1.3 betweenseveralspecicationformalisms(e.g.somekindoflogicoroperationalmodels).17
mulas)andthesystemisdescribedbyamodel(e.g.atransitionsystem)vericationInthelogicalframeworkwherethespecicationisaformula(ortheconjunctionoffor- Thetemporallogicalapproach
amoutsshowingthattheformula Intheliterature,severallogicsareproposedtoreasonaboutparallelsystems,suchas dynamic[Prat76],temporal[Pnue77]ormodal[HeMi85,Koze85]logic.Inthisthesis, weconcentrateontheuseofpropositionaltemporallogicwithfuturetemporalmodalities evaluatestotruewheninterpretedoverthesystem.
like\eventually"3or\always"2.Webrieysketchthebasicideaswherewemainly concentrateonthoseaspectsthatarerelevantfortheresultsofthisthesis.Furtherdetails
executions.Lineartimeformulasarebuiltfromatomicpropositions(thatmakeassertions canbefounde.g.in[Emer90,MaPn92,CGL93,Lamp94,MaPn95].
aboutthestates,e.g.aboutthecurrentvaluesoftheprogramorcontrolvariables),the LineartimelogicLTL:Inthelineartimeapproach,formulasdescribepropertiesof usualbooleancombinators_,^,:andtemporaloperators.Forinstance,ifcrit1,crit2
thenextksteps"3kcanbeused,seee.g.[HaJo89,ACD90].18Forexample,theformula Toreasonaboutquantitativeaspects,e.g.time,specialmodalitieslike\sometimeswithin sectionthen2(:crit1^:crit2)standsforthesafetypropertystatingmutualexclusion. areatomicpropositionsstatingthatcertainsubprocesseP1andP2areintheircritical
overtheexecutions(i.e.thepathsinatransitionsystem).Foraprocess,alineartime formulaisviewedtobefullledifitholdseveninaworstcase(butrealistic)scenario, 2(request!35response)mightbeinterpretedasthelivenesspropertystatingthatany requestwillansweredwithinthenext5timeunits.Lineartimeformulasareinterpreted i.e.ifitholdsforall\possible"executions.Ingeneral,notallexecutionsareviewedto bepossible,butonlythosethatobeycertainfairnessconditions. BranchingtimelogicCTL:Branchingtimelogicsallowquanticationoverthepossible
tweenstateandpathformulas.Thestateformulassubsumethepropositionalconnectives[ClEm81]istheclassicalrepresentativeforbranchingtimelogics.CTLdistinguishesbe- withacertainproperty.19ComputationtreelogicCTLintroducedbyClarke&Emerson futureswhichleadstoformulasstatinge.g.theexistenceornon-existenceofanexecution
proceduralnatureofdenotationalsemanticscanserveasabasisforacompiler.Seee.g.[BCH98]. applications.Especiallyintheeldofsequentialprograms(butalsoforothertypesofprograms),the 17Forexample,inthisthesis,weapplythedenotationalframeworkforshowingthattwoimplementation 16Itshouldbepointedoutthatthedenotationalapproachcanalsobeofimportanceforotherpractical relationscoincideforacertainkindofprocesses. timeor{ifthesystemunderconsiderationarisesfromtheasynchronousparallelcompositionofseveral action. subsystems{onecanthinkofastepasthetimetakenbytheslowestcomponenttoperformanatomic 18Theinterpretationofa\step"dependsontheunderlyingsystem.Astepmightbeoneunitof
timeformulasmightalsoreasonabouttheprobabilityofcertainevents.SeeSection1.2.3.
19Here,weassumethetraditional(non-probabilistic)approach.Inaprobabilisticscenario,branching

1.2.PROBABILISTICSYSTEMS andbasictemporaloperatorsoftheform\apathquantierfollowedbyasingletemporal 17
andthetemporalmodalitiesareasinlineartimelogic.20ThelogicCTL[EmHa86]extendsCTLbyallowingarbitrarylineartimeformulastoserveaspathformulas;thus,it subsumesLTLandCTL. modality"wherethepathquantiersare8or9thatrangeoverallpaths(executions)
time(evenintimelinearinthesizeofthesystemandinthelengthoftheformula[CES83]) modelcheckingforLTLandCTLisPSPACE-complete[SiCl86]andcanbedoneintime linearandbranchingtimelogic.WhileCTLmodelcheckingcanbedoneinpolynomial Modelchecking:Fornitesystems,modelcheckingalgorithmsaredevelopedforboth
exponentialinthelengthoftheformulaandlinearinthesizeofthesystem[LiPn85].21 Onthebasisofdecisionproceduresforthesatisabilityproblemof(linearorbranching time)temporallogic,thetaskforsynthezisingparallelsystemsfromagiventemporal
1.1.4 logicalspecicationcanbeautomated,seee.g.[EmCl82,MaWo84,AtEm89,PnRo89].
growsexponentiallyinthenumbernofsubprocesses.Thisexplainswhyanyalgorith- Thesize(numberofstatesinthetransitionsystem)ofaparallelsystemP=P1k:::kPn Stateexplosionproblem
micvericationmethodthatworkswithanexplicitrepresentationoftransitionsystems(e.g.byadjacencylists)failsforsystemswithverymuchcomponents.Inthederreduction[Pele93,Valm94,Gode94].ThebasisideabehindtheBDD-basedaplem".Somearebasedonasymbolicrepresentationofthesystemusingbinarydecisondiagrams[BCM+90,McMil92],othersarebasedontheconceptofpartialorlastdecade,severalmethodshavebeendevelopedtoattackthe\stateexplosionprobresentingtheirtransitionrelationimplicitlybyanorderedBDD[Brya86].TheBDDapproachhasprovedtobeverysuccessfulforvarioustypesofvericationproblemsfor parallelsystems,includingthevericationagainstbranchingandlineartimetemporal proachgoesbacktoKenMcMillanwhoproposedtohandleverylargesystemsbyrep
logicalspecicationsandestablishingabranchingtimerelationbetweentwosystems [BCM+90,McMil92,EFT93,CGL93,CGH94].Partialorderreductionisbasedonthe
niqueshavebeenimplementedintoolsandsuccessfullyappliedtoverylargesystems,seeobservationthattheinterleavedexecutionofindependentactionsallowsonetoinves- e.g.[McMil92,HoPe94,Camp96,GPS96]. tigateonlyarepresentativefragmentofthestatespace.Itisapplicableforprovinglineartimetemporalpropertiesandfortheprocessalgebraicapproach.22Bothtech- Intheliterature,avarietyofextensionsoftheabovementionedvericationmethodsare 1.2 proposedthatareappropriatetoreasonaboutquantitativeaspects,e.g.forverifyingreal- Probabilisticsystems
rangeoverthefairexecutions[EmLei85]. 21See[VaWo86,CGH94,GPV+95]forotherLTLmodelcheckingalgorithms. 20TohandlefairnessthesemanticsofCTLhastobemodiedbytaking8and9asquantiersthat [PPH96].
22Moredetailsaboutthepartialorderapproachcanbefoundinseveralpapersintheproceedings

18 timeconditions,forperformanceanalysisorforcomputingtheprobabilitiesforcertain CHAPTER1.INTRODUCTION
systembehaviours.Inthisthesis,weconcentrateonprobabilisticphenomenaandconsider parallelsystemswithprobabilitiesforthestatetransitions(inthesequelcalledprobabilisticsystemsorprobabilisticprocesses).23Thereareseveralsituationswhereprobabilistic aboutaprobabilisticsystemarethefollowingtwo: aspectshavetobetakenintoaccount.Theonesthatwehaveinmindwhenspeaking
ment,onehastotakeintoconsiderationtheinterfaceswiththeenvironment.TheseTogetarealisticmodelofaparallelsystemthatreactsonthestimulioftheenviron- algorithm,i.e.usestheconceptofrandomization(\tossingafaircoin"). Thesystem(oroneormoreofitssubsystems)mightbebasedonarandomized areoftenbasedonphysicalprocessesthatareprobabilisticinnature.
Thebenetsofrandomizationareclearfromtheliterature.24Randomizationhasbeen anunreliablemediumthattransmitsmessages).Inthesecondcase,theprobabilities aredeterminedbythefrequenciesofthepossibleoutcomesofaprobabilisticchoice. Intheformercase,probabilitiesareusedtomodeluncertainties(e.g.thefailurerateof
showntobeaeleganttechniquethatmightleadtosimplerandmoreecientalgorithms thantheirnon-randomizedcounterparts.Moreover,asobservedbyLehmann&Rabin
Probabilisticchoice:Thecharacteristicfeatureofprobabilisticsystemsisthatthey [LeRa81],intheeldofparallelalgorithms,theuseofrandomizationmakesitpossible
workwiththeconceptofprobabilisticchoice.Thisreferstoanyactivitythatchooses tosolveproblemsthatarenotsolvablewithdeterministicalgorithms.
betweenseveralalternativebehaviourswherethefrequenciesofthepossibleoutcomesof thatchoicearegivenbyprobabilities(i.e.valuesintheunitinterval[0;1]thatsumup to1).Theinterpretationofthisprobabilisticchoicedependsontheconcreteprocess. Asmentionedabove,theprobabilitiesmightbeobtainedfromfailureratesofcertain unreliableresourcesormightstemfroma\trulyrandomized"actionlike\tossingafair coin".Inanycase,probabilisticchoicecanbespeciedbyatermoftheform
Here,p1;:::;pl2[0;1]suchthatp1+:::+pl=1.Assuminginternalprobabilisticchoice thatweinterpretastheprocessthatchoosesrandomlytobehaveasoneoftheprocessesPi. random(p1:P1;:::;pl:Pl)oftenwrittenas[p1]P1 :::[pl]Pl
thattheprocessPiisselected.Thisstandsincontrasttoexternalprobabilisticchoice (whichisresolvedindependentontheenvironment),thevaluepidenotestheprobability
totheconditionalprobabilities Then,theexternalprobabilisticchoiceselectsoneoftheprocessesP1;:::;Pkaccording enabled.Forthis,letusassumethatP1;:::;PkareavailablewhilePk+1;:::;Plarenot. whichassumesthattheenvironmentdetermineswhichoftheprocessesP1;:::;Plare
1.2.1 Modellingprobabilisticbehaviour p1+:::+pk,i=1;:::;k. pi
Mostofthemodelsthatareusedfortherepresentationofprobabilisticsystemsare
books[MoRa95,Lync95].
extensionsoftransitionsystemsbuttherearealsoothermodelssuchas\trueconcurrency" 24Seee.g.thepapersbyRabin[Rabi76a,Rabi76b,Rabi80],thesurveypapers[Karp91,GSB94]orthe 23Inthischapter,weusethenotions\system"and\process"assynonyms.

1.2.PROBABILISTICSYSTEMS 19
models(e.g.eventstructureswithprobabilities[KLL94,Kato96]).Inthisthesis,we
concentrateontheuseofprobabilistictransitionsystems.Toreasonaboutprobabilities,
severalextensionsoftransitionsystemshavebeenproposed.25Theyallhaveincommon,
thattheyendowthetransitionswithprobabilitiesinanappropriateway.Theresulting
modelscanbeclassiedwithrespecttotheirtreatmentofnon-determinism.
Fullyprobabilisticmodels:SeveralauthorsconsidermodelsbasedonMarkovchains
(MCs)wheretheconceptofnon-determinsmisreplacedbyprobabilisticchoice,e.g.\gen-
erativetransitionsystems"[vGSST90],\sequentialMarkovchains"[LeSh82,HaSh84,
Vard85,CoYa88,CoYa95]or\fullyprobabilisticautomata"[SeLy94,Sega95a].Inthese
models,eachstatesisassociatedwithaprobabilisticchoice;thatis,thetransitionsare
labelledbyprobabilities(valuesintheunitinterval),suchthat,foreachstates,the
probabilitiesfortheoutgoingtransitionssumupto1.26
Example1.2.1[Simplecommunicationprotocol:thesender]Weconsiderasim-
plecommunicationprotocolsimilartothatin[HaJo94].Thesystemconsistsoftwo
enitities:asenderthatworkswithanunreliablemediumwhichmightloosemessages
andareceiver.Thesender,havingproducedamessage,transmitsthemessagetothe
medium,whichinturntriestodeliverthemessagetothereceiver.Withprobability
1/100,themessagesgetslostandthemediumretriestodeliverthemessage.Withprob-
ability99/100,themessageisdeliveredcorrectly,inwhichcasethesenderwaitsforthe
acknowledgementbythereceiverandthenreturnstotheinitialstate.Forsimplicity,we
assumethattheacknowledgementcannotbecorruptedorlost.Wedescribethebehaviour
ofthesenderbythefollowingMarkovchain.
Weusethefollowingfourstates:
sinit:thestateinwhichthesenderproducesa
messageandpassesthemessagetothemedium
sdel:thestateinwhichthemediumtriestode-
liverthemessage
slost:thestatereachedwhenthemessageislost
swait:thestatereachedwhenthemessageisde-
liveredcorrectlyandinwhichthesystemwaits
fortheacknowledgementbythereceiver.
sinit
sdel
slost
swait
1
1 0:990:011
?
�
�
�
�
'-
J
J
JJ HHj
JJJJ
H
HY
Forinstance,thetransitionswait!sinitstandsforthecasewherethesendergetsthe
acknowledgementofthereceiptofthemessage;sdel!slostforthecasewherethemedium
loosesthemessages.
Probabilisticmodelswithnon-determinism:Ontheotherhand,thereisavari-
etyofmodelsbasedonMarkovdecisionprocesses(MDPs)whichallowforbothprob-
abilisticandnon-deterministicbranching.FortheMDP-basedmodels,therearedif-
ferentwaysofassociatingprobabilitiestothetransitions.Onepossibilityistodis-
25The\probabilisticautomaton"alaRabin[Rabi63](thatwereintroducedaslanguageacceptors)can
beviewedasaprecursorofthisapproach.
26Ofcourse,theremightalsobeterminalstateswithoutanyoutgoingtransitions.Moreover,many
authorsallowfor\substochasticstates"wheretheprobabilitiesoftheoutgoingtransitionssumuptoa
valuep2]0;1[.Inthiscase,theremainingvalue1�pcanbeinterpretedastheprobabilityfordeadlock.

20 tinguishbetweenprobabilisticandnon-probabilisticstates.27Representativesofsuch CHAPTER1.INTRODUCTION
deterministicallywhereeachofthenon-deterministicalternativesisassociatedwithamodelsare\concurrentMarkovchains"[Vard85,CoYa88,CoYa95]and\alternatingsysprograms")consideredin[HSP83,Pnue83,PnZu86a,PnZu86b,PnZu93],the\proba- probabilisticchoice.Examplesforsuchsystemsarethemodels(justcalled\probabilistic tems"[HaJo90,Hans91].28AnotherpossibilityistoalloweachstatetobehavenonExample1.2.2[Simplecommunicationprotocol:SenderkReceiver]Wecon-
[BidAl95,dAlf97a,dAlf97b]and\real-timeprobabilisticprograms"of[ACD91a]. bilisticautomaton"of[SeLy94,Sega95a],\probabilisticnon-deterministicsystems"ofsideravariantofthesimplecommunicationprotocolofExample1.2.1(page19)where
wespecifythebehaviouroftheparallelcompositionofthesenderandthereceiverby aprobabilisticsystemwithnon-determinism.29Forsimplicity,weassumethatboththe senderandthereceiverworkwithmailingboxesthatcannotholdmorethanonemessage
theacknowledgementforthelastmessageisnotyetarrived). beproducedbeforemisdeliveredcorrectly;similarly,themediumcannotbeactiviated aslongasthereisanunreadmessageinthemailingboxofthereceiver(i.e.aslongas atanytime.Thus,ifthesenderhasproducedamessagemthenthenextmessagecannot
Weusethefollowingfourstates: sinit:thestateinwhichthesenderproduces sinit
amessageandpassesthemessagetothe medium
deliveredcorrectly sdel:thestateinwhichthemediumtriesto deliverthemessage sdel
sack:thestateinwhichthereceiver\con- sok:thestatereachedwhenthemessageis sok
themessageandacknowledgesthereceipt). sumes"themessage(i.e.readsandworksup sack 0:99 0:01u ? '-
@@@@@
?
����
$
&�� -
Thestatesackisreachedinthecasewherethesenderhasalreadyproducedthenext messagewhilethereisstillanunreadmessageinthemailingboxofthereceiver.Thus, acknowledgesthereceipt.Instatesok,thesenderandthereceivercanworkinparallel(simultaneously):thesendermayproducethenextmessagewhilethereceivermayconsume theonlypossiblestepinsackistheonewherethereceiver\consumes"themessageand thelastmessage.Theparallelisminstatesokisdescribedbyinterleaving,i.e.thenondeterministicchoicethatdecideswhichprocessperformsthenextstep:eitherthesender behavepurelynon-probabilistic,possiblynon-deterministic. producesthenextmessageorthereceiverconsumesthelastmessage.Theinterleaving
inthe\stratiedtransitionsystems"of[vGSST90].Theseareintroducedasoperationalmodelfora 27Probabilisticstatesarethosewhereaprobabilisticchoiceisresolvedwhilenon-probabilisticstates
of[vGSST90],non-determinismisnotpresent.However,non-determinismcouldbeeasilyaddedtothe languagewithprobabilisticchoicebutlacksfornon-deterministicchoice.Thus,inthestratiedsystems 28Theideaofseparatingtheprobabilisticbranchesfromnon-probabilisticactivitiesisalsorealized languageandthemodel. eachofthesealternativesisrepresentedbyaprobabilisticchoice.
29Weusethemodelwhereanystateisassociatedwithasetofnon-deterministicalternativesandwhere

1.2.PROBABILISTICSYSTEMS sok 21
sack produce QQQQQQs consume QQQQQQs
+ consume sinit
sdel+
produce
oftheactionsproduceandconsumeinstatesokleadstotheclassical\diamond"shown Figure1.2:The\diamond"obtainedbyinterleaving
inFigure1.2statingthattheeectoftheparallelexecutionofproduceandconsumeis
Ofcourse,theclassicationMC-basedversusMDP-basedmodelsistoocoarsetocapture thesameasifproduceandconsumeareexecutedinanyorder:ineithercase,wereach
allmodelsproposedintheliterature.Severalauthorsintroducedmodelsthatcanbe thestatesdel.
classiedbetweenMCsandMDPssuchas\reactivesystems"[LaSk89,vGSST90]or \probabilisticI/Oautomaton"[WSS94].
dierencebetweeninternalandexternalprobabilisticchoicebecomesvisibleinthecontext Internalvsexternalprobabilisticchoice:Theformaldenitionofthesemodels doesnotdependonwhetherinternalorexternalprobabilisticchoiceisassumed.The speciestheprocessesoractionsthatareenabledinacertainstate)isaectedfromthe chosentypeofprobabilisticchoice. ofcompositionoperatorsofaprocesscalculus.Especiallytherestrictionoperator(that
Specifyingprobabilisticsystems:Whichofthesemodelsshouldbeuseddependson
modelsbasedonMDPscanbeusedtodescribethebehaviourofdistributedrandomized theconcreteapplication.Roughlyspeaking,themodelsbasedonMCsaresuitableto calculiwithsynchronousparallelcompositionorprobabilisticshueoperatorswhilethe algorithmsorprocessesofanasynchronuousprobabilisticcalculus. formalizethebehaviourofsequentialrandomizedalgorithmsorprocessesofprobabilistic
Theneedofnon-determinism:Whenmodellingdistributedrandomizedalgorithms orasynchronousprobabilisticsystemsbyMDP-basedmodels,non-determinismisused tomodelinterleaving(cf.Example1.2.2,page20).Asobservedbyseveralotherau-
(cf.[JoYi95]).Thissituationiswell-knowninthedesignof(sequentialordistributed) underspecicationwhichcanbe(totallyorpartly)resolvedinfurtherrenementsteps thors,e.g.[JHY94,JoYi95,Sega95a],therearealsoothersituationswheretheconcept
algorithms.Forexample,inahigh-leveldesignonemightuseastatementlike ofnon-determinismmightbehelpful.Thenon-determinismmightbeusefultorepresent
(e.g.inahigh-leveldescriptionofQuicksortthePivotelementmightbechosenbya statementlikethat)whileintheimplementationoneworkse.g.withtheassignmentx:= \choosesomeindexi2f1;:::;ngandputx:=a[i]"
a[1](orarandomizedassignmentx:=random(a[1];:::;a[n])).Anotherexampleisthat

22 \non-determinismcanbeusedtospecifytheallowedprobabilitiesoffailureofamedium CHAPTER1.INTRODUCTION
wherearenementstepisusedtodecreasethesetofallowedfailurerates[JoLa91]" beusedtorepresentincompleteinformationontheparametersofsystembehavioursuch (wherewequotefrom[JoYi95]).Second,alsoobservedin[JoYi95],non-determinismcan asMilner'sweatherconditions[Miln89].
stake.30Whenenteringthecasino,therouletteplayerstartsplayingwiththestake1$. Example1.2.3[Rouletteplayer]Figure1.3(page22)showsthe\one-day-behaviour"
Wheneverheloosesthelastgame,hedoublesthestakeforthenextgame.Ontheother ofanaddictedrouletteplayer.Forsimplicity,weassumethatheisarbitraryrichand
hand,ifhehaswonthelastgame,hedecidesnon-deterministicallytocontinueplaying(in alwayschoosesthesimplerisk\red"or\black"andthatthereisnolimitontheallowed
leavingthecasinomightbedependentonthewell-beingoftherouletteplayeroronthe risksallhismoney.Here,thenon-deterministicchoiceisusedtodescribetheincomplete whichcaseherestartswiththestake1$)ortoleavethecasinowithonelastgamewherehe
moodofhiswifeoronotherunknownfactors. informationaboutthe\environment".Thechoiceinstateswonbetweenstayinginor
sinit splay swon shappy
stake:=1$ u1212
-?6 stake:=1$ u12
stake:=2*stake -HHHHHj stake:=all
12*
-HHHHHj*
slost ssad
1.2.2 Theprocesscalculusapproachforprobabilisticsystems Figure1.3:The\one-day-behaviour"oftherouletteplayer
Intheliterature,avarietyofprobabilisticprocesscalculiareproposed.Theyeitherreplacethenon-deterministicchoiceoperatorbyaprobabilisticchoiceoperatororallowGLN+97,dAHK98]forcalculiwithprobabilisticshueoperators.31Someofthesecal- Seid95,BaKw97,Norm97]forasynchronousprocesscalculiand[BBS92,SCV92,NudF95, forbothnon-deterministicandprobabilisticchoice.Seee.g.[GJS90,JoSm90,vGSST90,
culicanbeusedtoreasonaboutpriorities[SmSt90,Toft94,Lowe95].Typically,such Toft90,LaSk92,Toft94]forsynchronousand[HaJo90,Hans91,YiLa92,Yi94,Lowe93b,
(MC-based)system[GJS90,vGSST90,BBS92,LaSk92];butalsootheroperationalseprocesscalculiaresuppliedwithanoperationalsemanticsbasedon(somekindof)probmantics(e.g.basedonthereactiveorstratiedview)arepossible[vGSST90,Toft94].abilistictransitionsystems.Inabsenceofnon-determinism,thecalculiwithsynchronous parallelismoraprobabilisticshueoperatorcanbedescribedbyafullyprobabilistic
theprobabilityforwinningagameis1=2. toaxedschedulerthatdecidesrandomlywhichprocessperformsthenextstepwheretheunderlying 30Moreover,weneglectthepossibleoutcome\Zero"(wherethebankgetsallstakes)andsupposethat randomchoicedependsonthelocalstatesoftheprocesses.
31Theprobabilisticshueoperatorsdescribetheinterleavedexecutionoftwoprocesseswithrespect

1.2.PROBABILISTICSYSTEMS Theoperationalsemanticsofprobabilisticcalculithatallowfornon-deterministicchoice 23
YiLa92,Yi94,BaKw97]. els(probabilistictransitionsystemswithnon-determinism),seee.g.[HaJo90,Hans91,and/ordealwithasynchronousparallelismcanbedenedbymeansofMDP-basedmodImplementationrelationsforprobabilisticprocesses:Severalimplementationrelationsforprobabilisticprocessesareproposed,suchastrace,failureandreadyequivalence[JoSm90],bisimulation[LaSk89,HaJo90,Hans91,SeLy94,BaHe97]32,simulationlikepreorders[JoLa91,Yi94,SeLy94,Sega95a]andvarioustypesoftestingpreorders [Chri90a,Chri90b,CSZ92,YiLa92,Chri93,YCDS94,JHY94,JoYi95,NudF95,Sega96, Vericationmethods:Eventhoughmanyimplementationrelationsforprobabilis- Norm97,KwNo98a,KwNo98b].
mentationrelation)arerelativelyrare.Forfullyprobabilisticsystems(theMC-basedticsystemshavebeenintroduced,correspondingvericationmethods(i.e.methodsforshowingthatoneprocessimplementsanotheronewithrespecttoanappropriateimple- models),bothaxiomatic[GJS90,JoSm90,LaSk92,BBS92]andalgorithmic[Chri90a,
relationsfornon-probabilisticsystemsisPSPACE-complete[KaSm83].Inthecaseof failureequivalence[HuTi92],thisfactisofinterestsincedecidabilityofthecorresponding tionedalgorithmicmethodsruninpolynomialtime.EspeciallyinthecaseoftraceandChCh91,HuTi92,Chri93,BaHe97]methodshavebeendeveloped.Alltheabovemen- (strongorweak)bisimulationorsimulation,thetimecomplexitiesarepolynomialinthe non-probabilistic[KaSm83,PaTa87,BoSm87,GroVa90,HHK95]aswellastheproba-
[Bai96,PSS98]foralgorithmicvericationmethods)while{asfarastheauthorknows models),vericationmethodsforthebranchingtimerelations(bisimulationandsimulation)areproposedsofar(see[HaJo90,Hans91,Yi94,Toft94]foraxiomatizationsandbilistic[HuTi92,BaHe97]case.Forthemodelswithnon-determinism(theMDP-based Denotationalsemantics:TheworkbyKozen[Koze79]ondenotationalsemanticsfor equivalenceala[JoYi95]oranyweaklineartimerelation). {theliteraturelacksformethodsforotherimplementationrelations(suchastesting
ofthedenotationalapproach.Jones&Plotkin[JoPl89,Jone90]introducetheprobabilis- sequentialprogramswithrandomassignmentandwhile-loopscanbeseenasaprecursor ticpowerdomainofevaluationstoprovideadenotationalsemanticsforaprogramming probabilitiesratherthansinglebehaviours.Theconceptofevaluationsisoftenusedin languagewithwhile-loopsandaprobabilisticconcurrencyoperator.Roughlyspeaking,forsemanticalpurposes,evaluationsareusedtodecoratesetsofbehaviourswith probabilisticchoiceandin[BaKw97]toobtaindenotationalsemanticsforaprobabilistic denotationalsemanticsforrandomizedprograms;e.g.forprobabilisticpredicatetransformers[Jone90,MMS96,HMS97]butalsointheeldofprobabilisticprocessalgebras. Evaluationsareusedin[MMS+94]togiveafailure/divergencesemanticsforCSPwith extensionofCCSthatareshowntobefullyabstractwithrespecttobisimulationand
testingpreordersarepresentedbyChristo[Chri90a,Chri90b],Jonsson&Yi[JoYi95] simulation.OtherdenotationalcharacterizationsforprobabilisticvariantsofCSP(that donotuseevaluations)areproposedbyLowe[Lowe93a,Lowe93b,Lowe95]andSeidel [Seid95].Denotationalmodelsandrelatedfullabstractionresultsforcertaintypesof
systemsareintroduced.
32Seealso[dViRu97,BDE+97,DEP98]wherebisimulationequivalencefor\continuous"probabilistic

24 andKwiatkoswka&Norman[KwNo96,Norm97,KwNo98a,KwNo98b].[Hart98]presents CHAPTER1.INTRODUCTION
view.Adenotational\trueconcurrency"semanticsforavariantofLOTOSwithtime abovementionedsemanticsfortheasynchronouscalculiareallbasedontheinterleaving severaldenotationalsemanticsforaCCS-likelanguagewithprobabilisticchoiceanddis-
andprobabilitiesbymeansofeventstructuresisgivenbyKatoen[Kato96]. cussestheuseofinternalorexternalprobabilisticandnon-deterministicchoice.The
1.2.3 Severalauthorsproposedextensionsofprogramlogicstoreasonaboutqualitativeor quantitativetemporalpropertiesofprobabilisticsystems.Inthisintroduction,weonly Probabilistictemporallogic
explainthemainideasbehindthetemporallogicalframework.33Qualitativeproperties assertthatacertainevent'holdswithprobability0or1whilequantitiveproperties
usealowerbound1�andstatethatacertainsafetyorlivenessconditionissatised guaranteethattheprobabilityforacertainevent'meetsgivenlowerorupperbounds.34
withsomesucientlylargeprobability(i.e.withaprobabilityintheinterval]1�;1]or Inmostapplications,thequantitivepropertiesdealwithanupperboundforsomesmall
[1�;1]).35Inthetemporallogicalframework,theevent'describesapropertyforthe andassertthattheprobabilityfora\badevent"issucientlysmall(i.e.

1.2.PROBABILISTICSYSTEMS (seee.g.[HaJo89,Hans91,HaJo94,SeLy94,ASB+95,BidAl95,dAlf97a])integratethe 25
lower/upperboundsfortheacceptableprobabilitiesintothesyntaxanduseformulas
itativepropertiesexpressedinthetemporallogicalframeworkamountsshowingthat e.g.oftheformProbp(')thatstatethattheprobabilityfortheevent'isatleastp.
thegivenevent'holdswithprobability0or1.Fornitesystems,ithasbeenrealizedthatthisiscompletelyindependentontheprecisetransitionprobabilitiesandVericationmethods:Provingthecorrectnessofaprobabilisticprocessagainstqual- justdependsonthe\topology"oftheunderlyingdirectedgraph.Thisobservationwas
[Vard85,VaWo86,PnZu86b,CoYa88,ACD91a,ACD91b,PnZu93,CoYa95]foralgorithity1andlaterusedinseveralvericationmethodsforestablishingqualitativetemporalproperties;seee.g.[LeSh82,Pnue83,HaSh84,PnZu86a]fordeductivemethodsandrstmadebyHart,Sharir&Pnueli[HSP83]forprovingterminationwithprobabilmicmethods.Establishingquantitativetemporalpropertiesrequiresthecomputation oftheexactprobabilitiesforthegivenevent';seee.g.[LSS94,PoSe95,Sega95a]for fullyprobabilisticsystemsand[CoYa90,Hans91,BidAl95,dAlf97a,dAlf97b]foralgorith- proofrules,[CoYa88,HaJo94,ASB+95,CoYa95,IyNa96]foralgorithmicmethodsfor handlingofformulasinvolvingthe\eventuallyoperator"3istheuseoflinearequation systemsinthecaseoffullyprobabilisticsystems[CoYa88,HaJo94]andlinearoptimization problemsinthecaseofprobabilisticsystemswithnon-determinism[CoYa90,BidAl95]. micmethodsforprobabilisticsystemswithnon-determinism.Themainconceptsforthe
caseofprobabilisticsystemswithnon-determinism[Vard85,CoYa95]. thecaseoffullyprobabilisticsystemsandcompletefordoubleexponentialtimeinthe nomial[HaJo94,BidAl95].Forlineartimelogic,modelcheckingisPSPACE-completeinThetimecomplexitiesofthemodelcheckingalgorithmsforbranchingtimelogicsarepolytionsabouttheresolutionsofthenon-deterministicchoicesmightbeessentialforproving certainlivenessproperties.Clearly,thisobservationcarriesovertoprobabilisticsystems withnon-determinismandconcernsqualitativeaswellasquantitativeproperties.Asan Fairness:Fornon-probabilisticparallelsystems,itiswell-knownthatfairnessassump-
example,considertherandomizeddiningphilosophers[LeRa81]:whentwophilosophers aresimultaneouslyreadytoipafaircoininordertodecidewhichforktopickup,one canthinkofthisastwoprobabilitydistributions,eachrespectivelywithprobability12of obtainingheadsortails,enabledinthesamestate.Iftheschedulerneverselectsagiven philosopherforexecutioneventhoughheisreadytoproceed(e.g.toipthecoin)therun thusproducedwouldbeunfair,andasaresultonecouldnotguaranteethequalitative propertythatassertslackofstarvation.Asanexampleforasituationwherefairness assumptionsareessentialforestablishingquantitativeproperties,consideracommunicationprotocolwhichattemptstodeliveramessagetotherecipientifoneisreceivedonthe inputchannelfromtheenvironment,andloopsbacktotheinitialstateotherwise.Ina realisticscenario,theoutcomeofthedeliveryisprobabilistic,andwillresultinamessage beingdeliveredcorrectlywithsomesuitablyhighprobability,say0.999,oranerrorstate \themessageiseventuallydeliveredwithprobability0.9"canonlybeestablishedonconditionthattheprotocoldoesnotloopbacktotheinitialstateforever.Hence,alsointhe beingreachedifafaulthasoccurredinthetransmittingmedium.Then,theproperty probabilisticcase,itisdesirabletohavemethodsforproving(quantitativeorqualitative) temporalpropertiesunderfairnessconstraints.Establishingtemporalpropertiesunder fairnessconstraints(foraprobabilisticsystemwithnon-determinism)amountsshowing

26 thatanevent'holdswithsomesucientlysmallorlargeprobability(orwithprobability CHAPTER1.INTRODUCTION
0or1inthecaseofaqualitativeproperty),providedthatthenon-deterministicchoices
understood(seee.g.[HSP83,Vard85,PnZu86b,PnZu93]foralgorithmicmethods)only areresolvedinafairmanner. Eventhoughthevericationofqualitativepropertiesunderfairnessassumptionsiswell-
rulesforestablishingquantitative(timed)progresspropertiesforrandomizeddistributed systemswhichcanbecombinedwithseveralnotionsoffairness.Asfarastheauthor afewresearchhasbeendonesofarintheeldofvericationmethodsforestablishing quantitativepropertiesunderfairnessconstraints.[LSS94,PoSe95,Sega95a]presentproof
takefairnessintoaccount. verifyingquantitativepropertiesofprobabilisticsystemswithnon-determinismwhich knows,[BaKw98,dAlf97a]aretherstattemptstoformulatealgorithmicmethodsfor
1.3 Thisthesisinvestigatesseveralaspectsofformalreasoningaboutprobabilisticsystems.37 Thetopicsofthisthesis
(I)Theprocessalgebraapproach:Weconsiderasynchronousandsynchronous probabilisticprocesscalculi,operationalanddenotationalsemanticsforthemand homogenousalgorithmicvericationmethods.Themaincontributionsare: denotationalcharacterizationsofbisimulationandsimulation(Chapter5),
acorrespondingvericationalgorithm(Chapter7)andthedenitionofalazy thedenitionofweakbisimulationforfullyprobabilisticsystemstogetherwith algorithmsforestablishingabranchingtimerelation(bisimulationorsimula-
synchronousparallelcompositionoperatorthatpreservesweakbisimulation tion)betweenprobabilisticsystemswithnon-determinism(Chapter6),(II)Thetemporallogicapproach:Weconsiderthelinearandbranchingtimeframe-
contributionsare: workforestablishingqualitativeandquantitativetemporalproperties.Themain equivalence(Section4.3).
atechniqueforprovingqualitativelineartimepropertieswithwell-knownnonprobabilisticmethods(Chapter8),algorithmsforestablishingquantitivetemporalpropertiesofaprobabilisticsys(III)Symbolicverication:Chapter10presentsvericationalgorithmsforprobabilistemwithnon-determinismandfairnessbymeansofamodelcheckingalgorithmforaprobabilistictemporallogicPCTLwithasatisfactionrelationthatinideaisthedevelopmentofa\language"formanipulatingMTBDDsinwhichsevticsystemsthatusemulti-terminalBDDs(MTBDDs)asdatastructure.Themainvolvesfairnessofnon-deterministicchoice(Chapter9).eralvericationproblemsforprobabilisticsystemscanbeembedded.Thisyieldsductionofeachchapter.37Mostresultsarepublishedwithcoauthors.Thecorrespondingreferencecanbefoundintheintro- symbolicmodelcheckingalgorithmsforPCTL(interpretedoverfullyprobabilistic

1.3.THETOPICSOFTHISTHESIS systemsorprobabilisticsystemswithnon-determinismandfairness)andMTBDD27
basedmethodsforcheckingstrongandweakbisimulationequivalenceforfullyprob
1.3.1abilisticsystems. systems;seethereferencesmentionedbefore.38Intheauthorsopinion,itwouldmakelittle Intheliterature,alotofworkhasbeendoneintheeldofformalmethodsforprobabilistic Relatedwork
sensetolistallrelatedworkhereandtoexplaininwhichwaythisthesisisrelated.Thisis doneintherespectivechapter.Atthisplace,theauthorjustwantstorefertothethesis' systemsandhencerelatedtothisthesisatalargedegree.39Especiallytheexcellentwork [Chri90a,Jone90,Seid92,Hans91,Chri93,Lowe93a,Sega95a,dAlf97a,Norm97,HarG98] thatareallaboutspecicationformalismsand/orvericationmethodsofprobabilistic byHansHansson[Hans91],RobertoSegala[Sega95a]andLucadeAlfaro[dAlf97a](and severalpapersthattheywrotewithcoauthors)hadgreatinuenceonthedevelopment ofthisthesis.40 withtheoneof[Sega95a,dAlf97a]andisavariantoftheoneof[Hans91]. TheprocesscalculusPCCSofChapter4isavariantoftheprocesscalculus(also calledPCCS)introducedbyHansson&Jonsson[HaJo90]. Themodelforconcurrentprobabilisticsystemsthatweusehereessentiallyagrees
ThebisimulationequivalenceandthesimulationpreorderthatweconsiderinChapters5and6wereintroducedbySegala&Lynch[SeLy94]. ThemainconceptsofthelogicPCTLthatweconsiderinChapter9aretakenfrom papersbyeachofthethree,namely[HaJo89,Hans91,HaJo94,SeLy94,BidAl95, dAlf97a,dAlf97b].Moreover,theideaofusing!-automatonforourPCTLmodel checkingalgorithmwassuggestedbyLucadeAlfaro. ThesymbolicPCTLmodelcheckingalgorithmofChapter10takethemethodsof
1.3.2 Hansson&Jonsson[HaJo94]andBianco&deAlfaro[BidAl95]asbasis.
Thereaderisnotsupposedtoreadthischapterbuthe/sheshouldkeepinmindthat Chapter2collectsournotationsconcerningsets,relations,functionsanddistributions. Howtoreadthisthesis
3servesasbasisforallotherchaptersbecauseitintroduces(andtriestomotivate)the he/shehasafairchancetondtheexplanationsforournotationsinChapter2.Chapter modelsandexplainsthenotationsthatareusedinalmostallpartsofthisthesis.A readernotfamiliarwithprobabilisticsystemsshouldreadthischapterrstwhileareader
andstochasticPetrinets[Moll82,MBC84]belongtothestandardmodels)isclosetotheapproachhere. tothetopicofthatthesis.Inparticular,theeldofperformanceanalysis,seee.g.[Herz90,GHR93, GiHi94,Hill94,Pria96,dAKB98,BeGor98,Herm98,HHM98],(wherecontinuoustimeMarkovchains 39Thislistofthesis'mightbefarfrombeingcomplete.Itcontainsonlythosethesis'thattreat
38Clearly,alsoanyworkonformalmethodstoreasonaboutotherquantitativeaspectsisrelated
probabilisticsystemsastheirmaintopicandthathadinuencestothisthesis. thesisdoesnot.
40Itshouldbepointedoutthateachofthethreethesis'alsoconsidersreal-timeaspectswhilethis

28 whoisfamiliarwithprobabilisticprocessesmightskipthischapterkeepinginmindthat CHAPTER1.INTRODUCTION
thenotationsspecictothisthesiscanbefoundthere.Tosupportareaderwhoisonly interestedincertainpartsofthisthesistheauthortriedtomaketheremainingchapters asindependentaspossible.Inthosecaseswherearesultofonechapterisusedinanother chapterthereaderwillnda(page)reference.Theappendix(Chapter12)recallssome
Proofs:Forthesakeofreadability,inmostchaptersthemainresultsarepresented denitions/conceptspresentedsomewhereintheliterature;thenotationsintroducedthere arealwaysusedinconnectionwithareferencetotherelevantpartofChapter12. withoutproofs(butwithapagereferencetotheplacewheretheproofcanbefound). Theproofsaregiveninthelastsectionoftherespectivechapter.41Areadernotinterested inthetheoreticaldevelopmentoftheresultsmightskiptheappended\proof-sections". abstractexamples(withoutanyconcretemeaning)orextremelysimpliedexampleswith arealisticbackground.Examplesoftheformertypeshouldjustdemonstrateacertain Examples:Themainconceptsareillustratedbysimpletoyexamples.Theseareeither technique.Althoughunrealistic,examplesofthelattertypeshouldgivesomeinsights
example.Someproofsaredevidedintosubclaims.Thesymbolcdenotestheendofthe Thesymbols howtoapplytheproposedframeworkinrealisticsituations.
proofofsuchasubclaim. andc:Weusethesymboltodenotetheendofaproof,remarkor
Background:Evennotnecessary,somefamiliaritywiththebasicconceptsofformal methodsforparallelsystemsmightbehelpful.Elementarynotionsofseveralmathematicaldisciplines(suchasnumericalanalysis,linearalgebra,probabilityandmeasuretheory, knowledgewhatalinearequationsystemoroptimizationproblemisshouldbesucient miliarwiththem(butinterestedinthetopicsofthisthesis)shouldnotimmediatelygive uptoreadthisthesis;anintuitiveunderstandingofe.g.thenotion\probability"orthe topologyandgraphtheory)areusedwithoutanyexplanation.However,areadernotfatounderstandthemainideas.Wedonotrecallthebasicnotionsoftheabovementionedmathematicaldisciplineshereandrefertoanystandardbookabouttherespective
discipline.42
Suth77,Enge89]fortopologyand[Even79,Goul88]forgraphtheory.Basicknowledgeaboutthetheory isonlydoneinthosecaseswhereasimpleproofcanbederivedfromtheresultsofafurtherchapter. 42Forinstance,see[Halm50,Rudi66,Fell68,GrWe86]formeasureandprobabilitytheory,[Dugu66, 41Inafewcases,theproofofacertaintheoremisgiveninthe\proof-section"ofanotherchapter.This ofMarkov(decision)processes,seee.g.[Derm70,Ross83,Pute94],mightbehelpfulbutisnotnecessary.

Chapter2
Preliminaries
here. Inthischapter,webrieyexplainsomenotationsthatareusedthroughoutthethesis. Forarstreading,thereadermightskipthischapter,butshouldkeepinmindthatour notationsconcerningsets,relations,partitions,functionsanddistributionsareexplained
functionidX:X!X,idX(x)=xforallx2X.Thecharacteristicfunctionofasubset 2.1 Sets:ForXtobeaset,2XisthepowersetofX.idXdenotestheidentityonX,i.e.the Sets,relations,partitionsandfunctions
thenjXjdenotesthenumberofelementsofX.IfXisinnitethenweputjXj=1.] denotesdisjointunion. X0ofXistheboolean-valuedfunctionX!f0;1g,x7!1ix2X0.IfXisnite
Relations:LetR,R1,R2bebinaryrelationsonX.Wealsowritex1Rx2todenote that(x1;x2)2R.WedeneR�1=f(x2;x1)2X thanR1R2.Rdenotesthetransitive,reexiveclosureofR. f(x1;x2)2XX:9x2X((x1;x)2R1^(x;x2)2R2)g.WeoftenwriteR1R2rather X:(x1;x2)2RgandR1R2=
disjointnonemptysubsetsofXsuchthatSB2XB=X.Weoftenrefertotheelements denotesthequotientspace(i.e.thesetofequivalenceclasses)and,forx2X,[x]Rthe Equivalencesandpartitions:IfRisanequivalencerelationonasetXthenX=R
ofapartitionasblocks.Clearly,foreachequivalencerelationRonX,thequotientspace X=RisapartitionofX.Viceversa,eachpartitionofXinducesanequivalencerelation equivalenceclassofxwithrespecttoR.ApartitionofXisasetXconsistingofpairwise
onX:ForXtobeapartitionofX,RXdenotestheinducedequivalencerelation,i.e.RX consistsofallpairs(x1;x2)2X write[x]X(insteadof[x]RX)todenotetheuniqueblockB2Xthatcontainsx.A inducedequivalencerelationRXisnerthanRX0(i.e.ieachB2Xiscontainedinsome partitionXiscallednerthanapartitionX0(andX0iscalledcoarserthanX)ithe Xwherex1,x22BforsomeB2X.Weoften
B02X0).WesayXisstrictlynerthanX0(orX0strictlycoarserthanX)iXisner Functions:ForXandYtobesets,X!Ydenotesthefunctionspaceofallfunctions thanX0andX6=X0. fromXtoY.Iff:X!YisafunctionandX0 29
XthenfjX0denotestherestrictionoff

onX0,i.e.fjX0denotesthefunctionfjX0:X0!YwhichisgivenbyfjX0(x)=f(x).For 30 CHAPTER2.PRELIMINARIES
Y0 Y0g.Fory2Y,weputf�1(y)=f�1(fyg).Similarly,forX0 imageofX0underf,i.e.f(X0)=ff(x):x2X0g.WedeneRange(f)=f(X)todenote Y,f�1(Y0)denotestheinverseimageofY0underf,i.e.f�1(Y0)=fx2X:f(x)2
andf:X!Yarefunctionsthengf:X!Zisgivenby(gf)(x)=g(f(x)).If therange(image)off.gfdenotestheusualfunctioncomposition,i.e.ifg:Y!Z X,f(X0)denotesthe
2.2 f:X!Xisafunctionthenf0=idXand,forn=0;1;2;:::,fn+1=ffn.
Distributions:LetXbeaset.AdistributiononXisafunction Distributions
ofelementsx2Xwith(x)>0.For;6=A thatfx2X:(s)>0giscountableandPx2X(x)=1.Ifx2Xthen1xdenotesthe uniquedistributiononXwith1x(x)=1.Supp()denotesthesupportof,i.e.theset S,wewrite[A]todenotePx2A(x). :X![0;1]such
composition Thecomposition Inparticular,[;]=0.Distr(X)denotesthecollectionofalldistributionsonX. isthedistributiononXYwhichisgivenby( :Let, bedistributionsonXandYrespectively.The
respectivelyandR Weightfunctions(cf.[SeLy94,Sega95a]):Let, XY.Aweightfunctionfor(;)withrespecttoRisafunction distributionsbeonXandY )(x;y)=(x)(y).
weight:X 2.Forallx2X,y2Y: 1.weight(x;y)6=0foratmostcountablymany(x;y)2X Y![0;1]whichsatises:
Xy2Yweight(x;y)= (x); Xx2Xweight(x;y)=(y) Y.
Wewrite ifR1 3.Ifweight(x;y)>0then(x;y)2R.
respecttoR2.Hence, R2theneachweightfunctionwithrespecttoR1isalsoaweightfunctionwith R ifthereexistsaweightfunctionfor(;)withrespecttoR.1Clearly,
Remark2.2.1LetX,YandZbedistributionsonX,Y,Zrespectively,andlet RX;Y X Y,RY;Z YR1implies ZandweightX;Y:X R2.
(X;Y)withrespecttoRX;Y,weightY;Z:Y withrespecttoRY;Z.Then,weightX;Z:X Z![0;1], Z![0;1]aweightfunctionfor(Y;Z) Y![0;1]aweightfunctionfor
isaweightfunctionfor(X;Z)withrespecttoRX;YRY;Z.Thus,ifXRX;YYand weightX;Z(x;z)= y2Supp(Y)weightX;Y(x;y)weightY;Z(y;z) X Y(y) ;
theweight(x;y)=(y)-partofy.Then,thewholeofeachx2Supp()iscombinedwithcertainpartsof therelationRispreserved:if(x),(y)>0thenwe\combine"theweight(x;y)=(x)-partofxwith Y1Intuitively,theweightfunctionweightshowshowtosplittheprobabilities(x)and(y)suchthat RY;ZZthenX RZwhereR=RX;YRY;Z.Inparticular,ifXisasetand
elementsy2Supp()where(x;y)2R.

R2.2.DISTRIBUTIONS X XisatransitiverelationthenRisatransitiverelationonDistr(X).From 31
this,ifRisapreorderonXthenRisapreorderonDistr(X). Remark2.2.2LetR ThefunctionDistr(f):Forf:X!Ytobeafunction,thefunctionDistr(f): Then,0R�1. X Yand 2Distr(X),02Distr(Y)suchthat R0.
Distr(X)!Distr(Y)isgivenbyDistr(f)()(y)=[f�1(y)]. Remark2.2.3Letf:X!Ybeafunction.Then,
isaweightfunctionfor(;Distr(f)())withrespecttoR=f(x;f(x)):x2Xg.Thus, weight:X Y![0;1];weight(x;y)=((x):iff(x)=y
RDistr(f)().
0 :otherwise

32 CHAPTER2.PRELIMINARIES

Chapter3
Modellingprobabilisticbehaviour
modelsthatareextensionsof(non-probabilistic)transitionsystemswhichhavebeenes- relatednotations)thatareusedthroughoutthethesis.Weshrinkourattentiontothose tablishedasoneofthestandardmodelsfornon-probabilisticsystems. Inthischapterweintroducethemodelsforprobabilisticsystems(togetherwithsome
canbeusedtoanalyzethebehaviourofsequentialrandomizedalgorithmsorprocessesof treatmentofnon-determinism.Ontheonehand,therearevariousextensionsofMarkov chains(MCs)thatallowforprobabilistic(butnotfornon-deterministic)choice;these Themaindistinctivemarkfortheprobabilisticmodelsproposedintheliteratureisthe
acalculuswithsynchronousparallelcomposition.Ontheotherhand,thereareseveral extensionsofMarkovdecisionprocesses(MDPs)thataresuitabletospecifybothprob- composition. abilisticandnon-deterministicbehaviour;thesearesuitabletodescribethebehaviourofTheformaldenitionofamodelforprobabilisticsystemsdoesnotdependonwhetherin-
distributedrandomizedalgorithmsorprocessesofacalculuswithasynchronousparallel
independentontheenvironmentwhiletheresolutionofanexternalprobabilisticchoice ternalorexternalprobabilisticchoiceisassumed.1Internalprobabilisticchoiceisresolved assumeinternalprobabilisticchoice.ThiswillonlybeimportantinChapter4wherethe dependsontheprocesses/actionsthatareenabledinacertainstate.2Inthisthesis,we
ofthemodelsthatweuseinthatthesis.Westartwiththebasicmodelswithoutany Organizationofthatchapter:Intherstthreesectionswegivetheformaldenitions processalgebraapproachisconsidered.
labellingswhereSection3.1dealswiththeMC-basedmodels(calledfullyprobabilistic systems)andSection3.2withtheMDP-basedmodels(calledconcurrentprobabilistic systems).These\stripped"modelsareextendedinSection3.3byactionlabelsforthe transitionsandbypropositionlabelsforthestates.InSection3.4,werecallthedenition introducedbySegala&Lynch[SeLy94].Intheremainderofthethesis,wedistinguish ofprobabilisticbisimulationalaLarsen&Skou[LaSk89]andprobabilisticsimulationas between\systems"and\processes".Thenotion\system"isusedtodescribeastructure
aprocesscalculus;inparticular,therestrictionoperator.SeeRemark4.2.4(page81). 2Theunderlyingtypeofprobabilisticchoiceinuencesthesemanticsofthecompositionoperatorsof 1Seepage18forthemotivationbehindinternalandexternalprobabilisticchoice.
33

consistingofastatespaceandatransitionrelation(possiblyextendedbycertainlabels) 34 CHAPTER3.MODELLINGPROBABILISTICBEHAVIOUR
willbeexplainedinSection3.5.InSection3.6,wesketchhowourmodelstintothe whilea\process"denotesa\pointedsystem"(i.e.asystemwithaninitialstate).This hierarchyofmodelsstudiedintheliterature.
ThissectionintroducesthebasicconceptsfortheMC-basedmodels.Wefollowthe 3.1 notationsofSegala&Lynch[SeLy94,Sega95a]andusetheadjective\fullyprobabilistic". Fullyprobabilisticsystems
Denition3.1.1[Fullyprobabilitisticsystems]AfullyprobabilisticsystemisatupleS=(S;P)whereSisasetofstatesandP:S transitionprobabilityfunction)suchthat,foralls2S,P(s;t)>0foratmostcountably manyt2SandPt2SP(s;t)2f0;1g. S![0;1]isafunction(calledthe
thesenderinthesimplecommunicationprotocolofExample1.2.1(page19)canbe Example3.1.2[Simplecommunicationprotocol:thesender]Thebehaviourof
andP()=0inallothercases. P(sinit;sdel)=P(slost;sdel)=P(swait;sinit)=1,P(sdel;sinit)=0:01,P(sdel;swait)=0:99 formalizedbythefullyprobabilisticsystem(S;P)whereS=fsinit;sdel;slost;swaitgand
LetS=(S;P)beafullyprobabilisticsystem.SissaidtobeniteiSisnite.For thenweputP(s;C)=Pt2CP(s;t).AstatesofSiscalledterminaliP(s;S)=0. AnexecutionfragmentornitepathinSisanonemptynite\sequence"=s0!s1! nitesystems,wealsorefertoPasthetransitionprobabilitymatrix.IfC Sands2S
:::!skwherek jjdenotesthelengthof,i.e.weputjj=k. rst()denotestherststateof,i.e.rst()=s0. 0,s0;s1;:::;sk2SandP(si;si+1)>0,i=0;1;:::;k�1.
last()denotesthelaststateof,i.e.last()=sk.
Ifi>k=jjthenweput(i)=. (i)denotesthei-thprexof,i.e.(i)=s0!s1!:::!si,i=0;1;:::;k. (i)denotesthe(i+1)-ststateof,i.e.(i)=si,i=0;1;:::;k,
Ifk=jj=0thenweputP()=1.Fork P()=P(s0;s1)P(s1;s2):::P(sk�1;sk): 1,wedene
Astatetiscalledreachablefromsifthereexistsanitepath iscalledmaximalilast()isterminal.
Example3.1.3ThesysteminExample1.2.1(page19)hasnonitemaximalexecution last()=t. withrst()=sand
executionfragment(nitepath)withjj=4,rst()=sinit,last()=swait,(2)=slost, fragmentastherearenoterminalstates. (2)=sinit!sdel!slostandP()=10:0110:99=0:0099.
=sinit!sdel!slost!sdel!swaitisan

Anexecutionorfulpathiseitheramaximalexecutionfragmentoraninnite\sequence" 3.1.FULLYPROBABILISTICSYSTEMS 35
tobeaninniteexecution,(i),(i)andrst()aredenedasforexecutionfragments. Forinniteexecutionsweputjj=1anddene =s0!s1!s2!:::wheres0;s1;:::2SandP(si�1;si)>0,i=1;2;:::.For
Ifisanitepaththenweputinf()=;.Apathdenotesanitepathorafulpath. PathSfuldenotesthesetoffulpathsinS, inf()=fs2S:(i)=sforinnitelymanyindicesi 0g:
PathSnthesetofnitepathsinS, PathSn(s)thesetofnitepathsstartingins, PathSful(s)thesetoffulpathsstartingins,
IftheunderlyingfullyprobabilisticsystemSisclearfromthecontextweabbreviate PathSfultoPathful,PathSful(s)toPathful(s),PathSntoPathn,PathSn(s)toPathn(s)and ReachS(s)denotesthesetofstateswhicharereachablefroms.
ReachS(s)toReach(s).
prexdenotestheprexrelationonpaths,i.e.if1,2are(niteorinnite)pathsthen If isasetofnitepathsthen(s)= isasetoffulpathsinSands2Sthen(s)= \Pathn(s). \Pathful(s).
1prex2i 1isaprexof2(i 1=2or1=(k)
Iflast()=rst()(i.e.sk=t0)thenwedene properprexrelationonpaths,i.e.

Proof: 36 easyverication.Usesthefactthat",2,arepairwisedisjoint. CHAPTER3.MODELLINGPROBABILISTICBEHAVIOUR
Wenowturnourattentionhowtocomputetheprobabilitiestoreachastateofacertain setS2viaapathleadingthroughstatesofacertainsetS1only.Moreprecisely,we considerafullyprobabilisticsystem(S;P)andtwosubsetsS1,S2ofS.Let bethesetofallnitepathssuchthat (i)2S1nS2,i=0;1;:::;jj�1, Pathn
andlet last()2S2.
Foralls2S, Lemma3.1.5Let(S;P)beafullyprobabilisticsystemandletS1,S2, = ".Then,ouraimistocomputetheprobabilitiesProb((s)). X2(s)P()=Prob((s)): and asabove.
Proof: acertainmonotonicoperatoronthefunctionspaceS7![0;1]. ThefollowingresultcharacterizestheprobabilitiesProb((s))astheleastxedpointof followsimmediatelyfromLemma3.1.4(page35).
Theorem3.1.6Let(S;P)beafullyprobabilisticsystemandletS1,S2, above.Then, p:S![0;1],p(s)=Prob((s)), and as
F(f)(s)=1ifs2S2,F(f)(s)=0ifs2Sn(S1[S2)and,ifs2S1nS2, istheleastxedpointoftheoperatorF:(S![0;1])!(S![0;1])whichisgivenby
Proof: seeSection3.7,Corollary3.7.2(page65). F(f)(s)=Xt2SP(s;t)f(t):
=Pathful(s)gandS?=Sn(SNO[SYES).Then,pistheuniquexedpointofthe Proposition3.1.7(cf.[CoYa88,HaJo94,CoYa95])Let(S;P)beanitefullyprob-
operatorF0:(S![0;1])!(S![0;1])whichisgivenby SNO=fs2S: abilisticsystemandletS1,S2, (s)=;g,SYESasubsetofSwithS2 , andpbeasinTheorem3.1.6.Moreover,let SYES fs2S: (s)"
Here,FisasinTheorem3.1.6(page36). F0(f)(s)=8>:F(f)(s):ifs2S? 0 1 :ifs2SNO. :ifs2SYES
HaJo94,CoYa95]andcanbeshowninasimilarway. Proof: Remark3.1.8[Computingtheprobabilitiesp(s)]IfSisnitethenTheorem3.1.6 Theclaimisaslightgeneralizationoftheresultsestablishedin[CoYa88,
(page36)yieldsthattheprobabilitiesp(s)=Prob((s)")canbeobtainedbyiteration:

Wetakepn(s)=1ifs2S2andpn(s)=0ifs2Sn(S1[S2),n=0;1;2;:::.For 3.1.FULLYPROBABILISTICSYSTEMS 37
s2S1nS2,wedenep0(s)=0and,forn=0;1;2;:::,
Then,limpn(s)=p(s)foralls2S.Thisiterativemethodcanbereformulatedasfollows. Letpnbethevector(pn(s))s2SandletQbethematrix(qs;t)s;t2Swhere pn+1(s)=Xt2SP(s;t)pn(t):
Then,pn=Qpn�1=Q2pn�2=:::=Qnp0:Inparticular,thevectorp=(p(s))s2S qs;t=8>:P(s;t):ifs2S1nS2 0 1 :otherwise. :ifs=t2S2
isgivenby p=lim
forcomputingthefunctionp()isbasedonProposition3.1.7(page36).First,onecom- Q2i+1=Q2iQ2i,i=0;1;2;:::).Anotherpossibility(usedin[CoYa88,HaJo94,CoYa95]) wherethematricesQ2iareobtainedbyiterativesquaring(i.e.bysuccessivelycomputing i!1Q2ip0
bs=P(s;SYES),x=(xs)s2S?,A=(P(s;t))s;t2S?andIthejS?jjS?j-identitymatrix. equationsystemx=Ax+b(orequivalently,(I�A)x=b)whereb=(bs)s2S?with putesthesetsSNOandSYESbyagraphanalysis.Second,onesolvestheregularlinear
computetheprobabilitiesthatthemessageiseventuallydeliveredcorrectlybytaking S1=S,S2=fswaitg=SYES,SNO=;andsolvingthelinearequationsystem Example3.1.9ForthesimplecommunicationprotocolofExample1.2.1(page19)we
whichyieldsxinit=xlost=xdel=1. Inthefollowinglemma,wegiveagraph-theoreticalcriteriaforProb((s))=1where xinit=1xdel;xlost=1xdel;xdel=1 100xlost+99 100
weassumethatS1=SandS2=U.Inthatcase,Prob((s))istheprobabilityforthe \progressproperty"statingthat,fromstates,thesystemwilleventuallyreachaU-state. Lemma3.1.10Let(S;P)beanitefullyprobabilisticsystemandU flast():2Pathn(s);=2 beasinTheorem3.1.6(page36)whereS1=SandS2=U.Lets2SandT= "ng.Then,wehave: S.Let and
Proof: Lemma3.1.10yieldsthatwhetherornotaqualitativeprogresspropertyofthetype\with seeSection9.5,Corollary9.5.5(page242). (t)6=;forallstatest2Ti Prob((s))=1.
probability1,thesystemwilleventuallyreachaU-state"holdsdoesnotdependonthe exactprobabilitiesbutonlythetopologyoftheunderlyingdirectedgraph.3 Example3.1.11InExample3.1.9(page37),wecomputedtheprobabilitiesx=1for
Sharir&Pnueli[HSP83](seeChapter9,page227).
thestatesofthecommunicationprotocolofExample1.2.1(page19)toreachthestate swaitbysolvingalinearequationsystem.Alternatively,wecouldapplyLemma3.1.10. 3ThisresultisnotsurprisingsinceasimilarresultforconcurrentsystemswasestablishedbyHart,

Denition3.1.12[Boundedness,cf.[LeSh82,HaSh84,LaSk89]]Afullyprobabilis- 38 CHAPTER3.MODELLINGPROBABILISTICBEHAVIOUR
that,foralls,t2S,ifP(s;t)>0thenP(s;t) ticsystem(S;P)iscalledboundedithereexistsarealnumbercwith0

3.2.CONCURRENTPROBABILISTICSYSTEMS s 39
s1 k s2 k ::: skk
k + p1p2QQQQQs s? pk t s k
k1? or t sk k ?
choice.ThepictureontheleftofFigure3.1standsforasteps�!whereSupp()= Figure3.1:Picturesforthetransitions�!
Example3.2.2Thepictureontherightshowsa asshowninthepicturesontheright. simpleexampleforaconcurrentprobabilisticsys- fs1;:::;skgand(si)=pi>0,i=1;:::;k.Transitionsoftheforms�!1taredepict
temwherenon-deterministicchoiceispresentonly instates.Thestatestanduare\deterministic" '-s
states(asSteps()consistsofasingledistribution inthesensethattanduhaveuniquesuccessor oftheform1xforsomestatex).Thestatevis terminal(asSteps(v)=;). tl12 l
��t@@R ���12� ul@@@Rvl Furtherexamplesforconcurrentprobabilisticsystemsaregivenintheintroduction:the simplecommunicationprotocolSenderkReceiverofExample1.2.2(page20)andthe rouletteplayerofExample1.2.3(page22).5 ingmodel[HaJo89,Hans91]orconcurrentMarkovchains[Vard85,CoYa88])capturetheSomeMDP-basedmodels(suchasstratiedtransitionsystems[vGSST90],thealternatbranchingstructureofthepurelyprobabilisticchoicesanddistinguishbetweenprobabilisticandnon-probabilisticstates.Thebehaviourinaprobabilisticstateis\purely probabilistic"whichisdescribedbyadistributiononthestatespacewhilethebehaviour
thenotationsof[vGSST90]andusetheadjective\stratied"forthesemodels.6 ineachotherstatesis\purelynon-probabilistic"inthesensethatnoneofthepossible stepsinsisrandomized,i.e.Steps(s)consistsofdistributions1t,t2S.Formally,these
Denition3.2.3[Stratiedsystem]Astratiedsystemisaconcurrentprobabilistic modelscanbedenedasspecialinstancesofconcurrentprobabilisticsystems.Wefollow
system(S;Steps)suchthatforalls2S: Let(S;Steps)beastratiedsystem.AstatesiscalledprobabilisticiSteps(s)=fg forsomedistribution Steps(s) =2f1t:t2Sg.Otherwise,siscallednon-probabilistic.Note f1t:t2SgorjSteps(s)j=1.
thatthesystembehaviourinanon-probabilisticstatesmightbenon-deterministic(if
successorstate. bedescribedbysingletonsetsconsistingofadistributionthatreturnstheprobability1fortheunique andsackbehavedeterministically.Formally,the\non-deterministic"alternativesinthesestatescan 6SeeSection3.6(page62)fortheexactrelationbetweenournotionofastratiedsystemandthe
5NotethatinthesimplecommunicationprotocolofExample1.2.2(page20),thestatessinit,sdel
originalnotionbyvanGlabbeeketal[vGSST90].

jSteps(s)j 40 2)ordeterministic(ifjSteps(s)j=1,inwhichcaseSteps(s)=f1tgforsome CHAPTER3.MODELLINGPROBABILISTICBEHAVIOUR
statet)orsmightbeterminal(ifSteps(s)=;). Notation3.2.4[Stratiedtransitionprobabilities]Let(S;Steps)beastratiedsystem.Then,thetransitionprobabilityfunctionP:S P(s;t)=8>:(t):ifsisprobabilisticandSteps(s)=fg 1 :ifsisnon-probabilisticands�!t S![0;1]isgivenby
Nevertheless,thestratiedviewisaspowerfulastheconceptofconcurrentprobabilistic Wedenedstratiedsystemsasspecialinstancesofconcurrentprobabilisticsystems. 0 :otherwise.
correspondingtothechosendistribution).Ifwedevidethesetwochoicesintotwo \steps"thenthebehaviourofaconcurrentprobabilisticsystemcanbedescribedbya (thechoiceforsome systemswhereeachstatechangeinvolvestheresolutionofanon-deterministicchoice
stratiedsystem.Intuitively,inthestratiedview,thesmallcircleinthepictureofa 2Steps())andaprobabilisticchoice(therandomizedchoice
Steps0(s)=f1(s;):2Steps(s)gandSteps0(s;)=fg.Ofcourse,theresultingsystem transitions�! withthestratiedsystemS0=(S0;Steps0)whereS0=S[f(s;):s2S;2Steps(s)g, Formally,ifS=(S;Steps)isaconcurrentprobabilisticsystemthenScanbeidentied isviewedasastatewherethesystemperformsarandomizedstep.
S0canbesimpliedbyremovingstatesoftheform(s;1t).7
theprobabilisticchoicethatisresolvedwhenin temshownontheright.Thestatewrepresents(page39)canbemodelledbythestratiedsys- Example3.2.5ThesystemofExample3.2.2 '
statesthetransitionisselected;i.e.wstands fortheauxiliarystate(s;).Thestates(t;1s), (u;1u),(s;1v)and(v;1v)areomitted. t w sm
m��12 �m@@@R
���- 12�
@@@R um vm
Executionsequences(orpaths)arisebyresolvingboththenon-deterministicandprobabilisticchoices.Formally,anexecutionfragmentornitepathinaconcurrentprobabilistic 3.2.1 Pathsinconcurrentprobabilisticsystems
isterminal.Anexecutionorfulpathiseitheramaximalexecutionfragmentoraninnite k\sequence" systemS=(S;Steps)isanonemptynite\sequence" 0andsi2S,i2Steps(si�1),i(si)>0,i=1;2;:::;k.8 =s01 !s12 !s23 !:::wheres0;s1;s2;:::2Sandi2Steps(si�1), =s01 !s12 iscalledmaximalisk !s2:::k !skwhere
page34):If (thei-thprexof),jj(thelengthof),rst()(therststateof)andinf()(the setofstatesthatoccurinnitelyoftenin)aredenedasinthefullyprobabilisticcase. i(si)>0,i=1;2;:::.Weusesimilarnotationsasinthefullyprobabilisticcase(see
7Distributionsoftheform1tdonotreallyrepresentrandomizedstepsastheyyieldauniquenext
isa(niteorinnite)pathinSthen(i)(the(i+1)-ststateof),(i)
state. denotethatisapossiblestepofswhichleads(withnon-zeroprobability)tothestatet.
8Notethatwewrites!todenotethatisapossiblestepins(i.e.2Steps(s))ands!tto

Similarly,for 3.2.CONCURRENTPROBABILISTICSYSTEMS tobeanitepath,last()denotesthelaststateof, "thesetofall 41
properprexrelation

Denition3.2.7[Adversary,simpleadversary]LetS=(S;Steps)beaconcurrent 42 CHAPTER3.MODELLINGPROBABILISTICBEHAVIOUR
A()2Steps(last())forall everystates2Sthereexistss2Steps(s)withA()= wherelast()=s. probabilisticsystem.AnadversaryofSisafunctionA:Pathn!Distr(S)suchthat 2Pathn.AnadversaryAofSiscalledsimpleifor
AdvSdenotesthesetofalladversariesofSandAdvSsimplethesetofsimpleadversaries. last()forall 2Pathn
WhenclearfromthecontextwewriteAdvandAdvsimpleratherthanAdvSandAdvSsimple. Simpleadversariesresolvethenon-determinismbyselectingforeverystateanextstep whichisexecutedwheneverthestatesisreached{independentofthepasthistory.11 Anadversarychoosesforeverynitepath inSanoutgoingtransitionfromlast().
Example3.2.8ThesystemofFigure3.2.2(page39)hasexactlytwosimpleadversaries
GivenanadversaryA,the\behaviour"ofSunderAcanbedescribedbyaboundedfully non-deterministicallybecausethereisatmostoneoutgoingtransition. A,B.ThesearegivenbyA(s)=,B(s)=1v.Notethattheotherstatesdonotbehave
Notation3.2.9[ThefullyprobabilisticsystemSA]IfA2Advthen probabilisticsystemSA.
isthefullyprobabilisticsystemwherePAisgivenbyPA(; PA()=0inallothercases. SA=PathSn;PA
Notethat,ingeneral,SAisinniteevenifSisnite.IfAasimpleadversarythenSA �!s)=A()(s)and A()
canbeidentiedwiththefullyprobabilisticsystem(S;A)whereA(s;t)=A(s)(t)for alls,t2S.ForStobeniteandA2Advsimple,theassociatedfullyprobabilistic systemSA=(S;A)isnite.ForanadversaryAofaconcurrentprobabilisticsystem S=(S;Steps)and PathAfuldenotesthesetofallpaths2Pathfulwithstep(;i)=A((i))foralli PathAnisthesetofallnitepaths2Pathnwithstep(;i)=A((i))foralli

Weidentifyeach(niteorinnite)path=0!1!:::inSAwhichstartsinastate 3.2.CONCURRENTPROBABILISTICSYSTEMS 43
s02S(i.e.0=s0isapathoflength0)withthepathlast(0)A(0) inS.Viceversa,if (1)!(2)!:::inSA.Thisyieldsaone-to-onecorrespondencebetweenthepaths 2PathAn(s)[PathAful(s)andthepathsinSAthatstartins.Hence,theprobability 2PathAful[PathAnthenweidentify withthepath(0)! �!last(1)A(1) �!:::
measureProbonPathSA probabilityspace.Ifful(s)(denedasinSection3.1onpage35)turnsPathAful(s)intoa Example3.2.10ForthesystemofExample3.2.2(page39)andthenitepath themeasureof withrespecttoA. Pathful(s)andAismeasurablethenwerefertoProb(A)as
Example3.2.6(page41),wehave2PathAn(s)foreachadversaryAwith A(s)= andAs!t1s !s=1v. of
Theorem3.2.11Let(S;Steps)beaconcurrentprobabilisticsystem,S1,S2 Moreover,foreachsuchadversaryA,theprobabilitymeasureof"Ais1=2.
Fors2SandA2Adv,let bethesetofnitepaths suchthat(i)2S1,i=0;1;:::;jj�1,andlast()2S2. Sandlet
Then,pminandpmaxaretheleastxedpointsoftheoperators pmin(s)=inf A2AdvProb A(s)"A;pmax(s)=sup A2AdvProb A(s)"A:
F(f)(s)=0.Ifs2S1nS2then thataredenedasfollows.Ifs2S2thenF(f)(s)=1.Ifs2Sn(S1[S2)then Fmin,Fmax:(S![0;1])!(S![0;1])
Fmax(f)(s)=max(Xt2S(t)f(t): Fmin(f)(s)=min(Xt2S(t)f(t): 2Steps(s));
Proof: seeSection3.7,Corollary3.7.4(page67). 2Steps(s)):
wedenep0(s)=0and,forn=0;1;2;:::, yieldsthatthevaluesp(s)canbeapproximatedwiththefollowingiterativemethod.We putpn(s)=1ifs2S2andpn(s)=0ifs2Sn(S1[S2),n=0;1;2;:::.Fors2S1nS2, Remark3.2.12[Computingtheprobabilitiespmin(s)andpmax(s)]Theorem3.2.11
pmax pmin n+1(s)=max(Xt2S(t)pmin n+1(s)=min(Xt2S(t)pmin n(t):2Steps(s));
benite,thevaluesp(s)canalsobecomputedbysolvinglinearoptimizationproblems
Then,limpn(s)=p(s)foralls2S.Asproposedby[CoYa90,BidAl95],forSto n(t):2Steps(s)):

whichcanbesolvedinpolynomialtimewithwell-knownmethodsoflinearprogramming 44 CHAPTER3.MODELLINGPROBABILISTICBEHAVIOUR
[Derm70,Bert87,Schr87].
solutionofthelinearminimizationproblem0 S?=Sn(SNO[S2).Wedeneys=1ifs2S2andys=0ifs2SNO.Foreach states2S?,wechooseavariableys.Then,thevector(pmax(s))s2S?istheunique Computationofpmax(s):LetSn(S1[S2) ysSNO 1andfs2S:
(s)=;gand
wherePs2S?ysisminimal. ys Xt2S(t)yt; 2Steps(s)
solutionofthelinearmaximizationproblem0 Computationofpmin(s):LetSNO=fs2S:(s)=;gandS?=Sn(SNO[S2).We deneys=1ifs2S2andys=0ifs2SNO.Then,thevector(pmin(s))s2S?istheunique ys Xt2S(t)yt; ys2Steps(s) 1and
directedgraph.Notethatforthecomputationofthevaluespmin(s)itisessentialthatwe Thesetfs2S:(s)=;gcanbeobtainedbyareachabilityanalysisintheunderlying wherePs2S?ysismaximal.
dealwithSNO=fs2S:(s)=;g(ratherthane.g.SNO=Sn(S1[S2)asitispossible andS1=fsg,S2=;wehave problem0 forcomputingpmax()).Forinstance,forthesystem(fsg;Steps)whereSteps(s)=f1sg ys 1and ys Xt2S(t)yt; =;(andhencepmin(s)=0)whiletheoptimization
Pt1s(t)yt=ys). wherePtytismaximalyieldsys=1(becausewejustdealwiththeinequationys 2Steps(s)
therouletteplayerleavesthecasinowinningthelastgame)canbecomputedbytaking player.Themaximal/minimalprobabilitiestoreachthestateshappy(i.e.thestatewhere page22(seeFigure1.3,page22)thatdescribestheone-day-behaviouroftheroulette Example3.2.13WeconsidertheconcurrentprobabilisticsystemofExample1.2.3on
functionS![0;1]thatsatisesp(shappy)=1,p(ssad)=0and S1=;andS2=fshappyg.ByTheorem3.2.11(page43),p:S![0;1]istheleast p(sinit)=p(splay)=p(slost)=12p(swon)+12p(slost);
Notethattheminimalprobabilitiespmin(s)=0areobtainedbythesimpleadversaryA Thus,pmin(s)=0foralls2Snfshappygandpmax(s)=1=2foralls2Snfshappy;ssadg. pmin(swon)=minnpmin(splay);12o;pmax(swon)=maxnpmax(splay);12o:
forcestherouletteplayertostayforeverinthecasino).ForanyotheradversaryA,the probabilityforsinittoreachshappyisthemaximalprobabilitypmax(sinit)=1=2.
thatalwayschoosesthetransitionswon�!splay(i.e.thepathologicaladversarywhich

3.2.3 3.2.CONCURRENTPROBABILISTICSYSTEMS Fairnessofnon-deterministicchoice 45
Inthevericationofnon-probabilisticconcurrentsystems,itiswell-knownthatcertain livenesspropertiescanonlybeestablishedwhenappropriatefairnessassumptionsabout currentprobabilisticprocessesastheyalsoallowfornon-deterministicchoice.Thus,asin thenon-probabilisticcase,certain(qualitativeorquantitative)livenesspropertiescannot theresolutionofthenon-deterministicchoicesaremade.Clearly,thisalsoholdsforcon- beestablishedunlessfairnessofnon-deterministicchoiceisimposed.Forinstance,for therouletteplayerofExample1.2.3onpage22(seeFigure1.3,page22)thequantitative livenesspropertystatingthatthereisa50%chancefortherouletteplayertoleavethe establishedwhenfairnessinthestateswonisassumed(seeExample3.2.13,page44). Fairnessofnon-deterministicchoice(i.e.fairnessofadversaries)ofconcurrentprobabilis- casinowhilewinningthelastgame(i.e.eventuallytoreachthestateshappy)canonlybe
byVardi[Vard85]andseveralotherauthors.Fairnessofnon-deterministicchoicerequires that{insomesense{theenvironment(theadversary)resolvesthenon-deterministic choicesinafairmanner.[HSP83]denestwotypesoffairnessforadversaries:anadticsystemswasrstintroducedbyHart,Sharir&Pnueli[HSP83]andlaterconsideredversaryisstrictlyfairieachofitsfulpathsisfair,anditisfairifalmostallexecution sequencesarefair(i.e.ifthemeasureofitsfairfulpathsis1)wherefairnessofafulpathcan systemswhicharisebytheinterleavingofsequentialprobabilisticprocessesanddenesa bedenedasinthenon-probabilisticcase.[HSP83]dealswithconcurrentprobabilistic
probabilisticstates{anddenesafulpathtobefairifallpossiblesuccessorstatesofa fulpathtobefairieachsequentialprocessisactivatedinnitelyoftenin(i.e.[HSP83] dealswith\processfairness").[Vard85]dealswith\concurrentMarkovchains"(stratied systems,seeDenition3.2.3,page39){whichdistinguishbetweennon-deterministicand non-deterministicstate,inwhichfairnessisrequiredandwhichoccurinnitelyoftenin
versaries.WeadaptVardi'snotionoffairnesstoourmodelforconcurrentprobabilisticInthissection,wefollowtheapproachsof[HSP83,Vard85]anddenefairnessofad- ,alsooccurinnitelyoften.
processes{whichdoesnotdistinguishbetweennon-deterministicandprobabilisticstates {anddeneanexecutionsequence tivesinastateoccurringinnitelyofteninisrefusedcontinuously.Moreover,wedene W-fairnessforasetWofstatesinwhichfairnessisrequired.12 tobefairifnoneofthenon-deterministicalternaDenition3.2.14[Fairnessforfulpaths]LetS=(S;Steps)beaconcurrentproba-
step(;i)=. bilisticsystemand s2inf()andeachafulpathinS. 2Steps(s),thereareinnitelymanyindicesiwith(i)=sand iscalledfairieither isniteor,foreach
Remark3.2.15[Processfairnessala[HSP83]]Ournotionoffairnessofafulpathis strongerthanfairnessoffulpathsin[HSP83].In[HSP83]\processfairness"isconsidered, inthesensethatallsequentialprocesses(whosecompositionistheconcurrentprobabilistic systemunderconsideration)areactivatedinnitelymanytimesinfairfulpaths.IfS
relationtoournotionispresentedin[dAlf97a].
isaconcurrentprobabilisticsystemwhicharisesthroughtheinterleavingofsequential 12Analternativenotionoffairnessforconcurrentprobabilisticsystemsandadiscussionaboutthe

processeswithoutsharedvariablesthenfairnessinthesenseofDenition3.2.14(page45) 46 CHAPTER3.MODELLINGPROBABILISTICBEHAVIOUR
Steps(s1;:::;sk)=fi(s1;:::;sk):i=1;:::;kgwhere impliesfairnessinthesenseof[HSP83];toseethissupposethatthereareksequential Si=(Si;Pi),i=1;:::;k,andthatS=(S;Steps)whereS=S1 probabilisticprocessesP1;:::;PkwhereeachofthemisdescribedbyaMarkovchain
i(s1;:::;sk)(t1;:::;tk)=(Pi(si;ti):iftj=sj,j=1;:::;k,i6=j ::: Skand
Then,wheneverisafulpathinSthatisfairinthesenseofDenition3.2.14(page45) then isfairinthesenseof[HSP83],whichrequiresthatforeachi2f1;:::;kgthere 0 :otherwise.
areinnitelymanyindicesj thesetoffairfulpathsinS. Notation3.2.16[ThesetFairofallfairfulpaths]FairS(orshortlyFair)denotes 0withstep(;j)=i(j).
Asin[HSP83]weconsidertwokindsoffairnessforadversaries:strictlyfairadversaries,
Denition3.2.17[(Strict)fairnessofadversaries,cf.[HSP83,Vard85]]LetSbe 1,i.e.wherealmostallfulpathsarefair. whereallfulpathsarefair,andfairadversaries,wherethesetoffairpathshasprobability
aconcurrentprobabilisticsystemandFanadversaryforS.Fiscalled
AdvSsfairdenotesthesetofstrictlyfairadversaries,AdvSfairthesetoffairadversaries. fairiProb(FairF(s))=1forallstatessinS. strictlyfairiPathFful Fair,
thereexists Alpern&Schneider[AlSch84]whichstatesthateverynitecomputationcanbeextended toaninnite(fair)computation. Clearly,strictlyfairadversariesarefair.IfFisafairadversarythenforeach2PathFn 2FairFwhere isaprexof.Thisreects\liveness"inthesenseof
Example3.2.18ForthesystemofExample3.2.2(page39),thefulpath
isnotfairsinces2inf(0)and1v2Steps(s)nfstep(0;i):i 2Pathful(s)isfair(asit\ends"invoru).Thus, 0=s!t1s !s!t1s !s!:::
Fair(s)=Pathful(s)nf0g: 0g.Everyotherfulpath
ThesimpleadversaryBwithB(s)=1visstrictlyfairsince0=2PathBful.Thesimple Then,A(x)=FairA(x)forallstatesxandProb(FairA(u))=Prob(FairA(v))=1, adversaryAwithA(s)=isnotstrictlyfairsince02PathAful(s).Nevertheless,Aisfair. Toseethis,considertheset ProbFairA(s) ofallfulpaths2Pathfulwhere(i)2fu;vgforsomei.
andProbFairA(t)=Probt1s !:2FairA(s)=1.Hence,Aisfair.
=1Xi=012 12i=1

FollowingVardi[Vard85],theabovedenitionoffairfulpathsorfairadversariescan 3.3.LABELLEDPROBABILISTICSYSTEMS 47
beweakenedbyrequiringfairnesswithrespecttothenon-deterministicchoicesonlyin certainstatesratherthaninallstates. Denition3.2.19[W-Fairnessoffulpaths]LetS=(S;Steps)beaconcurrentprob- andall2Steps(s),thereareinnitelymanyindicesj FairnesswithrespecttoW=S(inthesenseofDenition3.2.19)isweakerthanfairness abilisticsystemandW S.Afulpath inSiscalledW-fairi,foralls2inf()\W
ofafulpathinthesenseofDenition3.2.14(page45).13Vardi'snotionoffairnessof 0withstep(;j)=.
Denition3.2.20[W-Fairnessofadversaries,cf.[Vard85]]LetSandWbeas before.AnadversaryFiscalledW-fairi,foralls2S,themeasureofthesetoffulpaths adversariesadaptedtoourmodelforconcurrentprobabilisticsystemsisthefollowing.
Whenclearfromthecontext,wewriteAdvsfair,AdvfairorAdvWfairratherthanAdvSsfair, AdvSfairorAdvSWfair.Clearly,Advsfair 2PathFful(s)whichareW-fairis1.AdvSWfairdenotesthesetofW-fairadversaries. Advfair AdvWfair:
thestatesand/orthetransitions.Intheliteraturetwokindsoflabellingshavebeenes- Formalreasoningaboutthebehaviourofprogramsrequiresadditionalinformationsabout 3.3 Labelledprobabilisticsystems
labelsforthestates,theotherusesactionlabelsforthetransitions.Modelsbasedon tablished:oneusesatomicpropositions(or,moregeneral,rstorderlogicalformulas)as theformertypeoflabellingsareoftencalledKripkestructuresandusedinthecontextof
proposition-labelledandaction-labelledsystems,seee.g.[JHP89,dNVa90].Eventhough oftencalledlabelledtransitionsystemsandusedinthecontextofprocessalgebrasand implementationrelations.Severalauthorsproposedtransformationtechniquesbetween temporallogicspecicationswhilethemodelsbasedonthelattertypeoflabellingsare
theyareoriginallyformulatedfornon-probabilisticsystemstheycanalsobeappliedin theprobabilisticcase.Wefollowthesestandardapproachsanduseactionlabelsforthe transitionsinChapters4,5,6and7whereweworkwithprocesscalculiandimplementationrelationsandpropositionlabelsforthestatesinChapter9wherewedealwith 3.3.1 temporallogicspecications.
Intheaction-labelledapproachoneusuallydealswithasetActofabstractactionsymbols. Eachactionsymbolarepresentsanactivityoftheprogramthatisviewedtobe\atomic" Action-labelledprobabilisticsystems
Typicalexamplesarecommunicationactionslikesendingorreceivingamessagealonga inthesensethatitcannotbeinterleavedbyactionsofprogramswhichruninparallel. certainchannel. 13NotethatinDenition3.2.19wedonotrequirethatstep(;j)=and(j)=s.

48 CHAPTER3.MODELLINGPROBABILISTICBEHAVIOUR
sinit
ack?,1 sdel send!,1
swait ,0:99,0:01 slost ,1
'-
���?
� JJJHHY JHHj
JJJJ
In(non-probabilistic)labelledtransitionsystems,thepossiblestepsinthestatesarede- Figure3.2:Thesenderwithactionlabels
scribedbyatransitionrelation�! setofactions),i.e.thestatechangesareassociatedwithactionlabels.Intuitively,sa SActS(whereActstandsfortheunderlying
alternativesinstates.Thiscanbeadaptedforprobabilisticsystemsasfollows:In assertsthat,instates,itispossibletoperformtheactionaandtoreachstatetafterwards.Hence,forxedstates,thesetf(a;t):sa �!tgrepresentsthenon-deterministic �!t
theconcurrentcase,thetransitionsareassociatedwithactionlabels(i.e.onedealswith Steps(s)tobeasetofpairs(a;)whereaisanactionlabeland statespace.)Inthefullyprobabilisticcase,theargumentsofthetransitionprobability functionPareextendedbyanaction(i.e.onedealswiththeprobabilitiesP(s;a;t)for statestoperformtheactionaandtoreachtafterwards). adistributiononthe
Chapters4and5,weassumethatActcontainsaspecialsymbol.Intuitively,standsfor ForL by".L+denotesthesetofnitenonemptysequencesoverAct,i.e.L+=Lnf"g.In TheactionsetAct:Throughoutallsections,Actstandsforanonemptysetofactions.
any\internal"activityofthesystemwhichisinvisibleforanobserver(ortheenvironment Act,LdenotesthesetofnitesequencesoverL.Theemptysequenceisdenoted
ofthesystem).Werefertoastheinternalaction.Theotheractionsarecalledvisible. Weusegreekletters;;:::todenotevisibleactionsandarabiclettersa;b;:::torange overallactions. Denition3.3.1[Action-labelledfullyprobabilisticsystems]Anaction-labelled fullyprobabilisticsystemisatuple(S;Act;P)consistingofasetSofstates,anonempty Pa;tP(s;a;t)2f0;1g. that,foreachs2S,P(s;a;t)>0foratmostcountablymanypairs(a;t)2Act setActofactionsandatransitionprobabilityfunctionP:S Act S![0;1]such
Example3.3.2[Thesenderwithactionlabels]Figure3.2(page48)showsanaction- Sand
labelledextensionofthesimplecommunicationprotocolofExample1.2.1(page19).We usethevisibleactionssend!(anoutputactionbywhichthesenderpassesthemessage tothemedium)andack?(aninputactionwhichstandsforthereceiptoftheacknowl-
Let(S;Act;P)beanaction-labelledfullyprobabilisticsystem.Fors2S,C edgement).Theotherstepsaresupposedtobeinvisibleandthuslabelledbythespecial actionsymbol. S,a2Act

andL 3.3.LABELLEDPROBABILISTICSYSTEMS Act,wedene 49
Anexecutionfragmentornitepathisanite\sequence" P(s;a;C)=Xt2CP(s;a;t);P(s;a)=P(s;a;S);P(s;L)=Xa2LP(s;a):
case(seepage34).If Maximality,(i),(i),rst(),last(),jj,P(), sksuchthats0;s1;:::;sk2S,a1;:::;ak2ActandP(si�1;ai;si)>0,i=1;:::;k. isasabovethenweputtrace()=a1a2:::ak:Anexecution "aredenedasintheunlabelled =s0a1 !s1a2 !s2a2 !:::ak!
i=1;2;:::.Asbefore,apathdenotesanexecutionfragmentorexecution.For aninnitepath,(i),(i),rst()andjjaredenedintheobviousway. orfulpathin(S;Act;P)iseitheramaximalexecutionfragmentoraninnite\sequence" =s0a1!s1a2 !s2a2 !:::wheres0;s1;:::;2S,a1;a2;:::2ActandP(si�1;ai;si)>0,
Example3.3.3ForthesystemofFigure3.2(page48), tobe
P((4))=10:0110:01=0:0001andtrace((4))=send! isanexecution(fulpath)with(2)=sinitsend! =sinitsend! �!sdel�!slost�!sdel�!slost�!:::
TheprobabilitiesProb(s;;C):Thesigma-eldSigmaField(s)andtheprobability �!sdel�!slost,rst()=sinit,(3)=sdel,
measureProbaredenedasintheunlabelledcase(Section3.1,page35).Fors2S, .
viaanexecutionfragmentthatislabelledbysomestringof.Theformaldenitionof Prob(s;;C)isasfollows.LetPathn(s;;C)bethesetofnitepaths trace()2 ActandC S,wedeneProb(s;;C)tobetheprobabilityforstoreachC
=Pathful(s;;S)andPathful(s;;t)=Pathful(s;;ftg).WedeneProb(s;;C)= Prob(Pathful(s;;C)),Prob(s;;t)=Prob(s;;ftg)andProb(s;)=Prob(s;;S). andlast()2C.LetPathful(s;;C)=S2Pathn(s;;C)",Pathful(s;) 2Pathn(s)
Proposition3.3.4Let(S;Act;P)beanaction-labelledfullyprobabilisticsystemand CtheoperatorF:S F(f)(s;)=1ifs2Cand"2.Ifs=2Cor"=2 S.ThefunctionS2Act![0;1],(s;)7!Prob(s;;C),istheleastxedpointof
F(f)(s;)= 2Act![0;1]!S 2Act![0;1]whichisdenedasfollows.
(a;t)2ActSP(s;a;t)f(t;=a;C) X then
where=a=fx:ax2g.14IfSisniteandSNO=fs2S:Pathful(s;;C)=;g, SYES=Cif"2,SYES=;if"=2 (s;)7!Prob(s;;C)istheuniquexedpointoftheoperatorF0:S S 2Act![0;1]whichisdenedby: andS?=Sn(SNO[SYES)thenthefunction 2Act![0;1]!
whereFisdenedasabove. F0(f)(s;)=8>:F(f)(s;):ifs2S? 0 1 :ifs2SNO :ifs2SYES
14Recallthat"denotestheemptywordinAct.

Proof: 50 easyverication.UsesTheorem3.1.6(page36). CHAPTER3.MODELLINGPROBABILISTICBEHAVIOUR
TheprobabilitiesProb(s;;C)andProb(s; aregularexpression(e.g. instance,Prob(s;;t)denotestheprobabilitytoreachtfromsviainternalactions, Prob(s;a1a2:::ak)standsfortheprobabilityforstoperformthetracea1a2:::ak.Clearly, , or )withthecorrespondingsetoftraces.For ;C):Inwhatfollows,weidentify
(whichyieldsSNOandS?)andsolvingalinearequationsystem. Prob(s;;C)canbecomputedbyareachabilityanalysisintheunderlyingdirectedgraph forniteaction-labelledfullyprobabilisticsystemsandregularexpressionsoftheform , and ,thesecondpartofProposition3.3.4yieldsthattheprobabilities
bysolvingthelinearequationsystem: Example3.3.5ConsiderthesimplecommunicationprotocolofExample3.3.2onpage 48(Figure3.2,page48).TheprobabilityProb(sinit; xinit=1ydel send! ;swait)canbecomputed
(Here,y=Prob(s;;swait).)WegetProb(sinit; ylost=1ydel;ywait=1 ydel=0:01ylost+0:99ywait
Nextweextendconcurrentprobabilisticsystemsbyactionlabels.Forthis,eachtransition inthesystemisassociatedwithanactionlabel.I.e.wedealwithafunctionStepsthat send! ;swait)=xinit=1.
assignstoeachstatesasetofpairs(a;)whereaisanactionandadistributiononthe statespace.Thus,action-labelledconcurrentprobabilisticsystemsareassociatedwitha
belledconcurrentprobabilisticsystemisatuple(S;Act;Steps)whereSisasetofstates, transitionrelation�! Denition3.3.6[Action-labelledconcurrentprobabilisticsystem]Anaction-la- S Act Distr(S).
eachstatesasetSteps(s)ofpairs(a;)2Act LetS=(S;Act;Steps)beanaction-labelledconcurrentprobabilisticsystem.Siscalled ActanonemptysetofactionsandSteps:S!2ActDistr(S)afunctionwhichassignsto
niteiS,ActandSs2SSteps(s)arenite.Wewritesa Distr(S).
theelementsofSteps(s)representthenon-deterministicalternativesinthestates.Given (a;)2Steps(s)andrefertosa thenwealsowritesa �!tratherthansa �!asatransitionorastepofs.If �!1t.Asintheunlabelledcase,foreachstates, �!is2S,a2Actand
astates,anadversarychoosessomeoutgoingtransitionsa �!.Then,theactionais isoftheform1t
performedandthenextstateischosenrandomlyaccordingtothedistribution.
inFigure3.3onpage51.Here,weassumeAct=fproduce;consume;trygwhereproduce municationprotocolofExample1.2.2(page20)canbeextendedbyactionlabelsasshown standsfortheactionbywhichthesendergeneratesamessageandpassesthemessageto Example3.3.7[Thecommunicationprotocolwithactionlabels]Thesimplecom-
themedium,consumefortheactionbywhichthereceiverreadsandworksupthemessage andacknowledgesthereceiptwhiletryrepresentstheactionsbywhichthemediumtries todeliverthemessage. Pathsandadversariesofaction-labelledconcurrentprobabilisticsystemsaredenedas intheunlabelledcase(seeSections3.2.1and3.2.2)wheretheactionlabelsareadded.

3.3.LABELLEDPROBABILISTICSYSTEMS sinit 51
sdel
sok
sack 0:99
'- ? produce consume
consume @@@@@ 0:01u? try
��produce
��
$
&�� -
Forinstance,apathisoftheforms0a1;1 Figure3.3:Thesimplecommunicationprotocolwithactionlabels
A()=(a;)2Steps(last()). takeanitepath astheirinputandreturnastepofthelaststateof,i.e.apair �!s1a2;2 �!:::,adversariesarefunctionsthat
Non-probabilisticlabelledtransitionsystems(wherethetransitionrelation�!isasubset
theprobabilisticsystem(S;Act;Steps)whereSteps(s)=n(a;1t):sa identifyingeach\non-probabilistictransition"sa sa ofSActS)ariseasspecialcasesofaction-labelledconcurrentprobabilitisticsystemsby �!1t.I.e.thenon-probabilisticlabelledtransitionsystem(S;Act;�!)correspondsto �!twiththe\probabilistictransition"
LetS=(S;Act;Steps)beanaction-labelledconcurrentprobabilisticsystem. �!to.
Notation3.3.8[ThesetsStepsa(s)andact(s)]Fors2Sanda2Act,let
Denition3.3.9[Finitelybranching,image-nitesystems]Siscalled Stepsa(s)=f:sa �!g,act(s)=fa2Act:Stepsa(s)6=;g.
Denition3.3.10[Reactivesystems,cf.[LaSk89,vGSST90]]Siscalledreactive image-nitei,foreachs2Sanda2Act,Stepsa(s)isnite. nitelybranchingi,foreachs2S,Steps(s)isnite,
i,foreachs2Sanda2Act,jStepsa(s)j Theuseofreactivesystemsismotivatedbytheassumptionthatthesystem\reacts"on thestimulioftheenvironmentwhichoersthecommunicationoncertainactions.The 1.
choicebetweenseveral(dierent)actionsisnotunderthecontrolofthesystem(hence, noprobabilisticassumptionsare{orcanbe{madeabouttheresolutionofthechoice betweentheactions)whilethechoicebetweentheseveralbranchesofthesameaction isresolvedrandomlyaccordingtoacertaindistribution.Forfurtherdetailsaboutthe reactiveviewsee[LaSk89,vGSST90]. Inwhatfollows,weoftendescribereactivesystemsastuples(S;Act;P)whereP:S Act S![0;1]returnstheprobabilityP(s;a;t)forthetransitionsa �!t(ifitexists).

Notation3.3.11[Reactivetransitionprobabilities]IfSisreactivethentheinduced 52 CHAPTER3.MODELLINGPROBABILISTICBEHAVIOUR
transitionprobabilityfunctionPisgivenbyP(s;a;t)=0ifStepsa(s)=;andP(s;a;t)= Fortheextensionofstratiedsystems(Denition3.2.3,page39)byactionlabelswemake therequirementthatthetransitionoftheprobabilisticstatesarelabelledbyaspecial (t)ifStepsa(s)=fg.
(e.g.\tossingafaircoin"). Denition3.3.12[Actionlabelsinstratiedsystems]Anaction-labelledstratied actionsymbolarandomthatstandsforanyactivitythatresolvesaprobabilisticchoice
containsthespecialactionarandomand,foralls2S: systemisanaction-labelledconcurrentprobabilisticsystem(S;Act;Steps)suchthatAct
Thus,foranyprobabilisticstatesofanaction-labelledstratiedsystem,Steps(s)= eitherarandom=2act(s)andSteps(s) orfarandomg=act(s)andjSteps(s)j=1. f(a;1t):t2S;a2Actg
f(arandom;)gforsomedistribution.
Intheproposition-labelledapproach,astateisviewedasafunctionwhichassignsvalues 3.3.2 totheprogramandcontrolvariables.Inmanyapplications,itsucestoabstractfrom Proposition-labelledprobabilisticsystems
ax=vwhichstatesthatthecurrentvalueofvariablexisvorax

3.4.BISIMULATIONANDSIMULATION fromthedraweruntilamatchingpairisobtainedisapproximately4.Nevertheless, 53
socks).ThiscanbeseenbyanalyzingtheinducedMarkovchain:Givenaxedsequence thereisasmallchancethatthealgorithmfails(i.e.doesnotreturnamatchingpairof
thersttwocomponentsstandforthecolorsofthetwosockswehaveinhandwhilethe system.WeusethestatespaceS=fred;blueg fromthedrawerthebehaviourofthealgorithmcanbedescribedbyafullyprobabilistic sock1;sock2;:::;sock2nofsocksthatrepresentstheorderinwhichthesocksareextracted
lastcomponentisthenumberofsocksthatarestillinthedrawer.Theterminalstates arethosestateshc1;c2;kiwhereeitherc1=c2(thestateswherewehaveamatchingpair) fred;bluegf0;1;:::;2n�2gwhere
ork=0(thestateswherethedrawerisempty).Ifc16=c2andk transitionprobabilities P(hc1;c2;ki;hc;c2;k�1i)=P(hc1;c2;ki;hc1;c;k�1i)=12 1thenwehavethe
wherec=color(sock2n�k)isthecolorofsock2n�k.Figure3.4(page53)showsthefully probabilisticsystemthatweobtainforn=2andthesequencered;blue;red;blue.For red;blue;2
red;blue;1 12 red;red;1 12
red;blue;0 12 �@@@@R
���
@@@@R
����
blue;blue;0 12
successthatcharacterizesthesuccessfulstates(i.e.thestateswhereamatchingpairis analyzingthecorrectnessofthealgorithmonemightuseasingleatomicproposition Figure3.4:Thefullyprobabilisticsystemforn=2andthesequencered;blue;red;blue
found).Hence,wedealwiththelabellingfunctionLwheresuccess2L(hc1;c2;ki)i c1=c2.UsingTheorem3.1.6(page36)orProposition3.1.7(page36),itcanbeshown thattheprobabilitytoreachasuccess-labelledstatefromhc1;c2;ki(wherec16=c2)is obtainthattheprobabilitytogetamatchingpairis1�1=22n�2. 1�1=2k.Byconsideringtheinitialstatesinit=hcolor(sock1);color(sock2);2n�2iwe
naturalnotionof\processequality",i.e.anotionof\behaveslike".Whilebisimulation Bisimulationequivalence[Miln80,Park81]isoneofthestandardconceptstoobtaina 3.4 Bisimulationandsimulation
is\bi-directed"andassertsthateachstepofoneprocesscanbesimulatedbyastepof theotherprocess,simulationis\uni-directed"andstatesthatforeachstepoftherst process(the\implementation")thereisacorrespondingoneofthesecondprocess(the
Larsen&Skou[LaSk89]forreactivesystems(anditsmodicationsforaction-labelled
\specication"). Inthissection,werecallthedenitionofbisimulationequivalenceasintroducedby

54 CHAPTER3.MODELLINGPROBABILISTICBEHAVIOUR
concurrentprobabilisticsystems[SeLy94]andforaction-labelledfullyprobabilisticsys-
tems[vGSST90]).Section3.4.2presentsthenotionofasimulationalaSegala&Lynch
[SeLy94]foraction-labelledconcurrentprobabilisticsystems.Moreover,weshowhowto
adaptthisnotionofasimulationforfullyprobabilisticsystemswithactionlabels.15
3.4.1 Bisimulation
In[LaSk89],Larsen&Skouintroduceprobabilisticbisimulationforreactivesystemsas
anelegantextensionofbisimulationfornon-probabilisticsystems[Miln80,Park81].Van
Glabbeeketal[vGSST90]reformulateprobabilisticbisimulationforaction-labelledfully
probabilistic;Segala&Lynch[SeLy94]foraction-labelledconcurrentsystems(which{
whenappliedtoreactivesystems{yieldstheoriginaldenitionbyLarsen&Skou).
Denition3.4.1[Bisimulation(fullyprobabilisticcase),cf.[vGSST90]]Abi-
simulationonanaction-labelledfullyprobabilisticsystem(S;Act;P)isanequivalence
relationRonSsuchthatP(s;a;C)=P(s0;a;C)forall(s;s0)2R,alla2Actand
C2S=R.
Denition3.4.2[Bisimulation(concurrentcase),cf.[SeLy94]]Abisimulationon
anaction-labelledconcurrentprobabilisticsystem(S;Act;Steps)isanequivalencerelation
RonSsuchthatforall(s;s0)2R:
Ifsa
�!thenthereisatransitions0a
�!0with[C]=0[C]forallC2S=R.
Denition3.4.3[Bisimulationequivalence]Twostatess1ands2ofanaction-
labelled(fullyorconcurrent)probabilisticsystemarecalledbisimilar(denotedbys1 s2)
ithereexistsabisimulationwhichcontains(s1;s2).
Clearly,theabovenotionofabisimulationequivalenceappliedtoanon-probabilistic
system(S;Act;�!)(identiedwiththeconcurrentprobabilisticsystem(S;Act;Steps)
whereStepsa(s)=f1t:sa
�!tg)coincideswiththeclassicalbisimulationequivalence
ala[Miln80,Park81].16Jonsson&Larsen[JoLa91]giveanalternativedescriptionof
bisimulationforfullyprobabilisticsystemswithpropositionlabelswhichisbasedon
weightfunctionsfordistributions.17Thefollowingpropositionreformulatesthisresult
(Theorem4.6in[JoLa91])forconcurrentprobabilisticsystemswithactionlabels.A
similarobservationwasmadebydeVink&Rutten[dViRu97]forreactivesystems(using
acategoricalcharacterizationofwhatwecallweightfunctions).
Proposition3.4.4Let(S;Act;Steps)beanaction-labelledconcurrentprobabilisticsys-
temands,s02S.Then,sands0arebisimilarithereexistsabinaryrelationRonS
suchthat(s;s0)2Rand,forall(t;t0)2R:18
15Bisimulationequivalenceandthesimulationpreordercanalsobedenedforproposition-labelled
probabilisticsystems(seee.g.[JoLa91,ASB+95]).Thesedenitionsareomittedhere.
16ThissimpleobservationshouldnotbeconfusedwiththemoredelicateresultbyBloom&Meyer
[BlMe89]whohaveshownthatanynitelybranchingnon-probabilisticaction-labelledtransitionsystem
canbedecoratedwithprobabilitiessuchthattheresultingsystemisareactivesystemwiththesame
bisimulationequivalenceclasses.
17SeeSection2.2,page30,forthedenitionofweightfunctions.
18Recallthat R0ithereexistsaweightfunctionfor(;0)withrespecttoR(seeSection2.2,
page30).

3.4.BISIMULATIONANDSIMULATION 55
ut sa,
v1 sk
kk k v2 k u0 t0
s0a,0 sk
? b ? kkb v0 k ? �12���@@@@R ? 18 38 12 AAAAU12
Figure3.5:s s0?
Proof: Ift0a Ifta �!thenthereexistst0a �!0thenthereexiststa easyverication.Usessimilarargumentstothosein[JoLa91,dViRu97]. �!0with �!with R0.
sthereisatransitions0a bysands0respectivelyviathattransitions. (;0)withrespectto Proposition3.4.4yieldsthattwostatess,s0arebisimilariforeachtransitionsa �!0where showshowtocombinepartsofbisimilarstatesthatarereached 0.Inthatcase,theweightfunctionweightfor �!of
combinedaswellasv1,v2andv0. Example3.4.5Thestatessands0intheaction-labelledconcurrentprobabilisticsystem to showninFigure3.5onpage55arebisimilar.Aweightfunctionfor(;0)withrespect canbeobtainedasfollows.Clearly,t t t0andv1,v2 v1 v2 v0.Hence,tandt0canbe
weight 0 t0 12 18 v0
Thus,weight(t;t0)=1=2,weight(v1;v0)=1=8,weight(v2;v0)=3=8(andweight(x;y)=0 -- 38 -
Remark3.4.6The\inference"fromconcurrentprobabilisticsystemstostratiedsys- inallothercases)yieldsaweightfunctionfor(;0)withrespectto. temssketchedonpage40canbeextendedfortheactionlabelledcase.Forthis,weassociatewitheachaction-labelledconcurrentsystemS=(S;Act;Steps)theaction-labelled stratiedsystemS0=(S0;Act;Steps0)where
Itiseasytoseethatthisinferencepreservesbisimulationequivalence;i.e.,ifs,s02S S0=S[f(s;):s2S;2Stepsa(s)forsomea2Actg,
thensands0arebisimilarasstatesofSisands0arebisimilarasstatesofS0. Steps0(s)=f(a;1(s;)):(a;)2Steps(s)gandSteps0(s;)=f(arandom;)g.
TheresultofMilner[Miln89]thatineveryimage-nite(non-probabilistic)labelledtransitionsystembisimulationcanbeapproximatedby\nitarybisimulation"carriesoverto theprobabilisticcase.

Denition3.4.7[Therelationsn]Let(S;Act;Steps)beanaction-labelledconcur- 56 CHAPTER3.MODELLINGPROBABILISTICBEHAVIOUR
rentprobabilisticsystem.WedeneinductivelyequivalencerelationsnonS.Weset 0=S Ifsa �!thenthereisatransitions0a Sand,forn=0;1;2;:::,sn+1s0i:
Lemma3.4.8Let(S;Act;Steps)beanimage-niteaction-labelledconcurrentprobabilis- Ifs0a �!0thenthereisatransitionsa �!0with[C]=0[C]forallC2S=n.
ticsystemands,s02S.Then,s s0isns0foralln �!with[C]=0[C]forallC2S=n.
Proof: Lemma3.4.8canbeadaptedforthefullyprobabilisticcase.Inthatcase,nofurther seeSection3.7,Lemma3.7.5(page68). 0.
a2ActandC2S=n. assumptions(likeimage-niteness)areneeded.Westate(withoutproof)that,whenever alln s,s0arestatesofanaction-labelledfullyprobabilisticsystemthens 0.Here,s0s0forallstatess,s0andsn+1s0iP(s;a;C)=P(s0;a;C)forall s0isns0for
3.4.2 Simulationcanbeviewedas\uni-directionalbisimulation"inthesensethataprocessP0 \simulates"anotherprocessPifeachstepofPcanbe\simulated"byastepofP0.In Simulation
bythe\specication"P0.Thedenitionofasimulationforconcurrentprobabilistic systemswithactionlabelsbySegala&Lynchisbasedonthatidea:thenotionofa simulationisderivedfromthecharacterizationofbisimulationinProposition3.4.4(page thatcase,Pcanbeviewedasan\implementation"ofP0aseachstepofPis\allowed"
asanadaptionofthe\satisfactionrelation"proposedbyJonsson&Larsen[JoLa91]that howthisdenitionofasimulationcanbemodiedforthefullyprobabilisticcase.The resultingsimulationpreorderonaction-labelledfullyprobabilisticsystemscanbeviewed 54)bydroppingthesymmetry(cf.Denition3.4.9).Attheendofthissection,weshow
workwithfullyprobabilisticsystemsandpropositionlabels. Denition3.4.9[Simulation(concurrentcase),cf.[SeLy94]]Let(S;Act;Steps) beanaction-labelledconcurrentprobabilisticsystem.Asimulationfor(S;Act;Steps)is asubsetRofSIfsa �!thenthereexistsatransitions0a Ssuchthatforall(s;s0)2R:
lationwhichcontains(s;s0).s,s0arecalledsimilar(denotedbys1sims2)isvsims0Wesaysimplementss0ands0simulatess(denotedbysvsims0)ithereexistsasimu- �!0with
ands0vsims. R0.
for(1s;1s0)withrespecttovsim.Hence,if(S;Act;�!)isanon-probabilisticlabelled ofasimulation[Miln89].Notethatinthenon-probabilisticcase,svsims0ithefunction weightwithweight(u;u0)=0if(u;u0)6=(s;s0)andweight(s;s0)=1isaweightfunction Inthenon-probabilisticcase,theabovenotionofasimulationagreeswithMilner'snotion
onlyifRisasimulationinthesenseofMilner.
transitionsystem(i.e.Sisasetofstatesand�!asubsetofSActS)andR probabilistictransitionsystem(S;Act;Steps)whereSteps(s)=f(a;1t):sa thenRisasimulationinthesenseofDenition3.4.9(i.e.Risasimulationfortheinduced �!tg)ifand SS

3.4.BISIMULATIONANDSIMULATION Example3.4.10ConsiderthetransitionsystemofFigure3.6(page57).Clearly,uvsim 57
s
vt u v0 t0
ka,
s0 ka,0
kkb13 s k s
? ����@@@@R ? 23 �?
kk? b12��
�@@@@R12u0
k
u0andu;tvsimt0.Aweightfunctionfor(;0)withrespecttovsimcanbeobtained bycombiningcertainpartsoft(ofu)withcertainpartsoft0(ofu0andt0).The Figure3.6:svsims0
weightfunctionweightfor(;0)withrespecttovsimisgivenby:weight(t;t0)=1=3, weight(u;t0)=1=6,weight(u;u0)=1=2.
weight 0 tt0 u
13 16 u0
Weobtainsvsims0. - - 12 -
alternativedenitionsofasimulationpreorderthatdonotuseweightfunctions.OneposRemark3.4.11[Alternativesimulation-likepreorders]Therearesimplerpossibilitiestodropthesymmetryfromthedenitionofbisimulationequivalencethusyieldingsibilityistoconsiderthedownwardclosuret#Rofallelementst2Sandto(re-)dene therelationRonDistr(S)by: Anotherpossibilityistodealwiththeupwardclosurest"R.Bothpossibilitiesyielda preorderthatisstrictlycoarserthanthesimulationpreorderala[SeLy94].Wearguethat 0R0i [t#R] 0[t#R]forallt2S.
preorder. Wedenea#-simulationtobeabinaryrelationRonSsuchthatforall(s;s0)2R noneoftheserelationscanbeviewedasaprobabilisticcounterparttoMilner'ssimulation
t"R=fu2S:(t;u)2Rg.Wedenesv#s0(sv"s0)i(s;s0)2Rforsome#-simulation S:(u;t)2Rg.Similarly,a"-simulationisabinaryrelationRonSsuchthatforall (s;s0)2Randsa andsa �!thereexistss0a �!thereexistss0a �!0with[t#R] �!0with[t"R] 0[t#R]forallt2S.Here,t#R=fu2
("-simulation).UsingtheresultsofChapter5(Lemma5.3.11onpage113)weobtain that,for(S;Act;Steps)tobenite,thesimulationpreordervsimisa#-simulationanda 0[t"R]forallt2Swhere
"-simulation.Thus, svsims0impliessv#s0andsv"s0.

58 CHAPTER3.MODELLINGPROBABILISTICBEHAVIOUR sa, tm
umtm? s0a,0
vmwm
tm
u0 t0 m m? b AAAUc b?
w0
v0 m m?
c
AAAAU 12 12 12 AAAAU12
InthesystemofFigure3.7(page58)wehavesv#s0buts6vsims0.Fromthebranching Figure3.7:sv#s0ands6vsims0
thesystemofFigure3.8(page58)wehavesv"s0buts6vsims0.Inouropinion,the tobeanimplementionoftheprocessontheright(i.e.theprocesswithinitialstates0) asscanreachastatewherebothactionscandbcanbeperformedwhiles0cannot.In timeview,theprocessonleft(i.e.theprocesswithinitialstates)shouldnotbeconsidered
stateafterperformingawithprobability1,whiles0canreachaterminalstate(w0)after oftheprocessontheleft(theprocesswithinitialstates)sincesreachsanon-terminal processontheright(theprocesswithinitialstates0)cannotbeviewedasasimulation
s0a,0 tm
u1 x v1 y
u0 mt0 m
v0 mw0
m
sta,
m m mu2 t v2
m
13 ?
mm ?
? b���� ? @@@@R 13 13 c b AAAU
23 AAAAU cm
b AAAU
13 c
performingawithnon-zeroprobability.19 Figure3.8:sv"s0ands6vsims0
rentprobabilisticsystem.ByinductiononnwedenerelationsvnDenition3.4.12[Therelationsvn]Let(S;Act;Steps)beanaction-labelledconcur- sv0s0forallstatess,s02S svn+1s0iwheneversa �!thenthereexistsatransitions0a �!0andaweight S S:
SimilarlytoLemma3.4.8(page56)weobtainthefollowing. 19Eventherelationv"\v#iscoarserthanvsim.InthesystemofFigure3.8,weaddatransition
functionweightfor(;0)withrespecttovn(i.e. vn0).
w0a �!1w0andobtains6vsims0while(sv"s0)^(sv#s0).

3.4.BISIMULATIONANDSIMULATION Lemma3.4.13Let(S;Act;Steps)beanimage-niteaction-labelledconcurrentproba- 59
Thefollowinglemmashowsthatvsimisapreorderanditskernelsimiscoarserthan bilisticsystemands,s02S.Then,svsims0isvns0foralln Proof: seeSection3.7,Lemma3.7.6(page68). 0.
bisimulationequivalence. Lemma3.4.14Let(S;Act;Steps)beanaction-labelledconcurrentprobabilisticsystem ands;s0;s00;s1;s01;s2;s022S.Then: (a)s (b)svsims0,s0vsims00=)svsims00 (c)s1vsims2,s1 s0=)ssims0
Proof: (page54).(c)followsby(a)and(b).Thetransitivityofvsim(item(b))canbederived (a)followsimmediatelybythedenitionofasimulationandProposition3.4.4 s01,s2 s02=)s01vsims02
Bypart(a)ofLemma3.4.14,bisimulationequivalence lencesim.Asinthenon-probabilisticcase,simulationequivalencesimdoesnotcoincide fromRemark2.2.1(page30).
withbisimulationequivalence.Forinstance,forthenon-probabilisticsystemofFigure 3.9(page59)wehavessims0buts6s0.Inthecaseofreactivesystems,simulationand isnerthansimulationequivabisimulationequivalencecoincide.Thisresultcanbeviewedastheprobabilisticcounter-
uk�a��sk@@@Ra vtk
s0
k v0 t0 k
a kka
? ?
Figure3.9:ssims0buts6s0?
a
parttothewell-knownresultthatsimulationequivalenceandbisimulationequivalence arethesamefordeterministic(non-probabilistic)transitionsystems.20 Theorem3.4.15Let(S;Act;Steps)beareactiveaction-labelledconcurrentprobabilistic
WeadaptthedenitionofthesimulationpreorderalaSegala&Lynch[SeLy94](Deni- systemands,s02S.Then,ssims0is Proof: seeSection5.3.1,Thoerem5.3.6(page110). s0.
\satisfactionrelation"forfullyprobabilisticsystemswithpropositionlabelsbyJonsson ofthesimulationpreorderonfullyprobabilisticsystemswithactionlabels(Denition 3.4.17,page60)canbeviewedastheaction-labelledcounterparttothedenitionofthe tion3.4.9,page56)foraction-labelledfullyprobabilisticsystems.Theresultingdenition
&Larsen(cf.Denition4.3in[JoLa91]).Inthesequel,S=(S;Act;P)denotesan action-labelledfullyprobabilisticsystem. statesandactiona,thereisatmostonetransitionsa 20Recallthatanon-probabilisticaction-labelledtransitionsystemiscalleddeterministici,foreach �!t.

Denition3.4.16[Weightfunctionsinfullyprobabilisticsystems]Lets,s02S 60 CHAPTER3.MODELLINGPROBABILISTICBEHAVIOUR
isafunctionweight:S andR S S.Ifsisnon-terminalthenaweightfunctionfor(s;s0)withrespecttoR
2. 1.Ifweight(t;a;t0)>0then(t;t0)2R. Xu02Sweight(t;a;u0)=P(s;a;t);
Act S![0;1]suchthatforalla2Actandt,t02S:
WewritesvRs0ieithersisterminalorthereexistsaweightfunctionfor(s;s0)with Xu2Sweight(u;a;t0)=P(s0;a;t0):
tobenon-terminalandletand0betheinduceddistributionsonActS,i.e.(a;t)= Inparticular,ifsisnon-terminalandsvRs0thens0isnon-terminal.Supposesands0 respecttoR.
inducesaweightfunctionweight0:(Act P(s;a;t)and0(a;t0)=P(s0;a;t0).IfsvRs0thentheweightfunctionweightfor(s;s0)
for(;0)withR0=f(ha;ti;ha;t0i:a2Act;(t;t0)2Rg.Viceversa,if weight0(ha;ti;ha;t0i)=weight(t;a;t0) S)(Act S)![0;1],
Denition3.4.17[Simulation(fullyprobabilisticcase)]AsimulationforSisa R0isasbefore)thensvRs0. R00(where
Example3.4.18Considertheaction-labelledfullyprobabilisticsystemofFigure3.10 s0simulatess(denotedbysvsims0)ithereexistsasimulationthatcontains(s;s0). binaryrelationRonSsuchthatsvRs0forall(s;s0)2R.Wesaysimplementss0and
ase.g.weight(t;a;t0)=weight(v;b;u0)=weight(u;b;u0)=1=3(andweight()=0inall onpage60.TherelationR=f(s;s0);(t;t0);(u;u0);(v;u0);(w;w0)gisasimulation
s
ta,13 ���� s0
v? b;13 @@@@R b,13u
t0a,13 ���� @@@@R b,23u0
w?
c,1 w0 ? c,1
othercases)isaweightfunctionfor(s;s0)withrespecttoR.Hence,svsims0. Figure3.10:svsims0
3.4.13(page59),itcanbeshownthatvcanbeapproximatedbythe\nitary"relation vn.Moreprecisely,ifs,s0arestatesofanaction-labelledfullyprobabilisticsystemthen svsims0isvns0foralln AsinLemma3.4.14(page59)itcanbeshownthatvsimistransitive;asinLemma
asinDenition3.4.16,page60).Then,svns0i(s;s0)2Rn.
21Here,therelationsvnaredenedasfollows.LetR0=SSandRn+1=vRn(wherevRnisdened 0.21SimilarlytoTheorem3.4.15(page59)weobtainthat,

3.5.PROBABILISTICPROCESSES foraction-labelledfullyprobabilisticsystems,bisimulationequivalenceandsimulation 61
equivalencearethesame.Thisresultcanbeviewedastheaction-labelledcounterpart toTheorem4.6of[JoLa91]whichconsidersfullyprobabilisticsystemswithproposition labelsandcharacterizesbisimulationequivalenceforthemintermsofweightfunctions. Theorem3.4.19(cf.Theorem4.6in[JoLa91])Let(S;Act;P)beanaction-labelled fullyprobabilisticsystemands,s02S.Then, Proof: seeSection5.3,Theorem5.3.7(page110). s s0i ssims0.
tems",i.e.aprobabilisticsystemtogetherwithaspeciedstate,theinitialstate.Alter 3.5 Thebehaviourofaprobabilisticprocesscanbedescribedby\pointedprobabilisticsys- Probabilisticprocesses
natively,wecoulddealwithadistributionfortheinitialstatesinthefullyprobabilistic caseandasetofinitialstatesintheconcurrentcase(asdonee.g.in[CoYa95,JoYi95,
(S;sinit)consistingofa(fullyorconcurrent)probabilisticsystemSwithstatespaceS Sega95a]).
andaninitialstatesinit2S. Denition3.5.1[Probabilisticprocesses]AprobabilisticprocessisatupleP=
Forinstance,afullyprobabilisticprocessisatupleP=(S;P;sinit)consistingofa fullyprobabilisticsystem(S;P)andaninitialstatesinit2S.Probabilisticprocesses areextendedbyactionorpropositionlabelsintheobviousway.E.g.anaction-labelled labelledconcurrentprobabilistictransitionsystem(S;Act;Steps)andaninitialstateconcurrentprobabilisticprocessisatuple(S;Act;Steps;sinit)consistingofanaction- statesinthecomposedsystem.Forinstance,letP=(S;sinit)andP0=(S0;s0init)be thedisjointunionofthetwounderlyingprobabilisticsystemsandcomparetheinitial abilisticprocessesasfollows.Weconsidertheprobabilisticsystemthatarisesbytakingsinit2S.Bisimulationequivalenceandthesimulationpreorderareadaptedforprob- twoaction-labelledconcurrentprobabilisticprocesseswhereS=(S;Act;Steps),S0= (S0;Act0;Steps0)aretheunderlyingsystems.Then,PandP0aresaidtobebisimilar (writtenP s2S0.22Similarly,wedenebisimulationequivalence(alsodenoted)foraction-labelled fullyprobabilisticprocesses,thesimulationpreordervsim,simulationequivalencesim (S]S0;Act[Act0;Steps)whereSteps(s)=Steps(s)ifs2SandSteps(s)=Steps0(s)if P0)isinitands0initarebisimilarasstatesofthecomposedsystemS]S0=
probabilisticcase,thecomposedsystemS]S0isdenedasfollows.IfS=(S;Act;P) andtherelationsnandvnforaction-labelledprobabilisticprocesses.Here,inthefully (s;a;t)2SActS,P(s;a;t)=P0(s;a;t)if(s;a;t)2S0Act0S0andP(s;a;t)=0in allothercases.Clearly,theresultsofSection3.3.1carryovertothepointedcase.Thatis, andS0=(S0;Act0;P0)thenS]S=(S]S0;Act[Act0;P)whereP(s;a;t)=P(s;a;t)if
t2Sand(t)=0ift02S0.Inthesameway,eachdistribution0onS0isviewedasadistributionon S]S0.
22Here,eachdistributiononSisidentiedwiththedistribution:S]S0![0;1],(t)=(t)if

inthefullyandconcurrentcase,vsimisapreorderonthecollectionofallaction-labelled 62 CHAPTER3.MODELLINGPROBABILISTICBEHAVIOUR
(fullyorconcurrent)probabilisticprocesses. Inthefullyprobabilisticcase:P Intheconcurrentcase: (a)IfPandP0areimage-nitethen (i)P P0iPnP0foralln isstrictlynerthansim.And: P0iPsimP0.
(b)IfPandP0arereactivethenP (ii)PvsimP0iPvnP0forallnP0iPsimP0. 00.
3.6 observethatincontrasttosomeauthorswerequirethat,inthefullyprobabilisticcase, Webrieyexplaintherelationofourmodelstothoseproposedintheliterature.Firstwe Relatedmodels
Pa;tP(s;a;t)2]0;1[foraction-labelledsystems)thevalue theprobabilitiesoftheoutgoingtransitionsofanon-terminalstatessumuptoone.In thosemodelsthatallowforsubstochasticstates(i.e.statesswherePtP(s;t)2]0;1[or
(or,whendealingwithactionlabels,(s)=1�Pa;tP(s;a;t))canbeviewedasthe probabilityforthesystemto\halt"ins.Dependingonthesystemunderconsideration, (s)=1�XtP(s;t)
this\halting"mightbeinterpretedaswell-termination,deadlockordivergence.Inour
P(s;0)= fullyprobabilisticmodel(whichdoesnotallowforsubstochasticstates),weassumethat \halting"isdescribedbyspecialstatetransitions.Forinstance,inabsenceofaction
P(s;0;0)=(s). labels,onecanuseanauxiliaryterminalstate0andtheprobabilisticstatetransitions anauxiliarystate0andaspecialactionsymbol,e.g.0,andthetransitionprobabilities (s)toformalize\halting".Usingactionlabels,onemightdealwithsuch
Wenowbrieysketchhowourmodelsarerelatedtothemodelsconsideredintheliterature whereweignorethedierencesarisingfromtheuseofsetsofinitialstatesordistributions fortheinitialstates(ratherthandealingwithasingleinitialstateaswedo)and/or allowingsubstochasticstates. generativeprocesses.23TheyalsoagreewiththefullyprobabilisticautomatonofSegala [Sega95a].Intheconcurrentcase,ouraction-labelledprocessescoincidewiththesimple probabilisticautomatonofSegala&Lynch[SeLy94,Sega95a]. Inthenotationsof[vGSST90],fullyprobabilisticprocesseswithactionlabelsarecalled
movingtheactionsymbolarandomfromthestepsoftheprobabilisticstates.Thestratiedmodelof[vGSST90]essentiallyagreeswiththealternatingmodel.Themaindierencebeaction-labelledstratiedprocesses(inthesenseofDenition3.3.12onpage52)byre- ThealternatingmodelofHansson&Jonsson[HaJo90,Hans91]canbeobtainedfrom
tweenstratiedsystemsala[vGSST90]andalternatingsystemsala[HaJo90,Hans91]are probabilisticchoicewhile[vGSST90]dealswithexternalprobabilisticchoice.
generativesystemsintheapproachof[vGSST90]isslightlydierentfromourssinceweassumeinternal 23Itshouldbenoticedthatthisjustholdsfortheformaldenitionofthemodel.Theinterpretationof

that[vGSST90]assumeanexternalprobabilisticchoicewhile[HaJo90,Hans91]dealwith 3.6.RELATEDMODELS 63
internalprobabilisticchoiceandthat,intheapproachof[vGSST90],thenon-probabilistic statescannotbehavenon-deterministically.24Ignoringthedierentinterpretationofthe probabilisticchoiceoperatorandallowingnon-determinisminthenon-probabilisticstates hence,byaddingtheactionsymbolarandom,action-labelledstratiedsystemsinoursense. ofastratiedsysteminthesenseof[vGSST90]weobtainthealternatingmodel;and
labelledconcurrentprobabilisticprocessesagreewithprobabilisticnon-deterministicsystemsalaBianco&deAlfaro[BidAl95,dAlf97a,dAlf97b].Inessence,theconcur Aproposition-labelledfullyprobabilisticprocessisasequentialMarkovchaininthesense
rentMarkovchainsof[Vard85,VaWo86,CoYa88,CoYa95]arethesameasstratiedofVardi[Vard85](orCourcoubetis&Yannakakis[CoYa88,CoYa95])whileproposition- ThemodelconsideredbyPnueli&Zuck[Pnue83,PnZu86a,PnZu86b,PnZu93](just proposition-labelledsystems.
signedasetof\commands"(called\transitions"intheapproachofPnueli&Zuck),where calledprobabilisticprograms)canbeviewedasageneralizationofconcurrentprobabilistic systemsinoursense.IntheapproachofPnueli&Zuck,eachprobabilisticprogramisas- eachcommandcommisassociatedwithanenablingpredicate(representedbyasubset Enabled(comm)ofthestatespaceS)andasetModes(comm)=fmode1;:::;modekgof \modes".Eachmodemodeiisassociatedwithanon-zeroprobabilityandasetofpossible nextsuccessorstates.Ifweassumethesetsofthemodestobesingletons(thatprescribe uniquesuccessorstates),eachcommandcommcorrespondstoadistributioncommon thestatespace.Inthatcase,theprobabilisticprogramsalaPnueli&Zuckspecializesto concurrentprobabilisticsystemsinoursensewhereSteps(s)isgivenbythesetofcommandsthatareenabledinstates,i.e.Steps(s)=fcomm:s2Enabled(comm)g:Ifwe assumethatinadditionthecommandsareassociatedwithanactionlabelthenthemodel ofPnueli&Zuckcanalsobeviewedasageneralizationofourconcurrentprobabilistic Remark3.6.1VanGlabbeeketal[vGSST90]presentahierarchyfortheseveralaction- systemswithactionlabels.
bereformulatedforournotations. bisimulationequivalence.Webrieysketchhowtheinferencesbetweenthemodelscan labelledsystems(reactive,generative,stratied)togetherwiththecorrespondingtypeof
transitionprobabilities mayabstractfromtheprobabilitiesforchosingacertainactionanddealwiththereactive Givenagenerative(i.e.action-labelledfullyprobabilistic)systemSG=(S;Act;PG),we
InthecasewherePG(s;a)=0weputPR(s;a;t)=0forallstatest.Asshownin PR(s;a;t)=PG(s;a;t)
[vGSST90],thisinferencefromgenerativesystemstoreactivesystemspreservesbisim- PG(s;a)(providedthatPG(s;a)>0):
choiceratherthannon-determinism.Thus,thesystemsin[vGSST90]donotbehavenon-deterministically. ulationequivalence.25Wenowcomparethegenerativeandstratiedview.LetPS=
PGQGimpliesPRQRwhiletheconversedoesnothold.
24Notethat[vGSST90]considersaprocesscalculuswithsynchronousparallelismandprobabilistic 25Formally,ifPGandQGaregenerativeprocessesandPR,QRtheassociatedreactiveprocessesthen

(S;Act;Steps;sinit)beanaction-labelledstratiedprocesswherenoneofthenon-probabilistic 64 CHAPTER3.MODELLINGPROBABILISTICBEHAVIOUR
statesofPSbehavesnon-deterministically(i.e.ifsisnon-probabilisticthensa atmostoneactionaandstatet)asitisthecaseforthesystemsintheapproachof [vGSST90].PScanidentiedwiththegenerativeprocessPG=(S;Act;PG;sinit)where �!tfor
PG(s;a;t)=8>:(t):ifsa 1 :ifsa �!anda=arandom
Giventwosuchaction-labelledstratiedprocessesPSandQSwherenoneofthenon- 0 :otherwise. �!tanda6=arandom
probabilisticstatesbehavesnon-deterministically,wehavewherePGandQGdenotetheassociatedgenerativeprocesses.26Thisshouldbecontrastedwiththeabstractionresultof[vGSST90]whereadierentinferenceisused.In
(*)PS QSiPG QG
theapproachof[vGSST90],the\if"-partof(*)doesnothold.Theinferencefromthe labelledstratiedsystems)removesthetransitionslabelledbyarandomanddealswiththestratiedtothegenerativemodelusedin[vGSST90](adaptedforourtypeofactioncumulativeeectofallprobabilisticchoices.Formally,ifSS=(S;Act;Steps)isanaction- that labelledstratiedsystemasabove(i.e.jSteps(s)j ActG=ActnfarandomgandP0G:S intheapproachof[vGSST90],theassociatedgenerativesystemis(S;ActG;P0G)where ActG (SnSprob)![0;1]theleastfunctionsuch 1forallnon-probabilisticstates)then,
P0G(s;a;t)=8>: Pu2S(u)P0G(u;a;t):ifsa 1 :ifsa �!anda=arandom
Here,SprobisthesetofprobabilisticstatesinSS.27 0 :otherwise. �!tanda6=arandom
3.7 3.7.1Proofs acterizestheprobabilitiestoreachcertainstatesasleastxedpoints.WegivetheproofforTheorem3.1.6(page36)andTheorem3.2.11(page43)thatchar- Probabilisticreachabilityanalysis
P(last();t)>0then!tdenotestheuniquepath2Pathnwith(i)=,jj=i+1 Infullyprobabilisticsystems,weusethefollowingnotation.If 26TheunderlyingnotionofbisimulationequivalenceforPSandQSisthatofDenition3.4.2(page 2Pathn,jj=iand
transitionprobabilitiesPG(s;)orP0G(s;)donotsumupto1.Givenanaction-labelledstratiedsystem inthenon-probabilisticstates,because,forthosestatessinwhichnon-determinismispresent,the SS(wherenon-determinismispresentinsomenon-probabilisticstates),thegenerative(fullyprobabilistic) 54)whileforPGandQGwedealwithbisimulationinthesenseofDenition3.4.1(page54). 27Bothtransformationsfromthestratiedtothegenerativemodelfailwhennon-determinismisallowed
stepjustresolvesthenon-deterministicchoices.
systemassociatedbyanadversarycanbeviewedasarenementofS.Here,theunderlyingrenement

andlast()=t.Similarly,inconcurrentprobabilisticsystems,wewrite!ttodenote 3.7.PROOFS 65
Proposition3.7.1Let(S;P)beafullyprobabilisticsystem, theuniquepath (Here,weassumethat2Pathn,jj=i,2Steps(last())andt2Supp().) 2Pathnwith(i)=,jj=i+1,step(;i)= Pathn.For2,let andlast()=t.
whichisgivenbyF(f)()=1if2 Then,pistheleastxedpointoftheoperatorF:(Pathn![0;1])!(Pathn![0;1]) ()=f02Pathn(last()): 02gandp:Pathn![0;1],p()=Prob(()").
F(f)()= t2Next()P(last();t)f(!t) Xand
leastxedpointofF.28If if Proof: =2.Here,Next()=ft2S:P(last();t)>0g.
to that Clearly,Fismonotoneandpreservesinnimaandsuprema.Letfbethe
02(!t).Then,()canbewrittenasdisjointunionofthesetst(),t2Next(). ().Thus, =2.Fort2Next(),lett()bethesetofnitepathslast()!0where ()"=Pathn(last())andp()=f()=1.Nextweassume 2 thenthepathconsistingofthestatelast()belongs
AsProb(t()")=P(last();t)p(!t)weobtain:
Thus,pisaxedpointofF.Weconcludef() p()= t2Next()Prob(t()")= X t2Next()P(last();t)p(!t)=F(p)(): X
Fork=0;1;2;:::,letk()=f02():j0j 0() 1() 2() :::and()=Sk().Thus,p()=limpk().Itiseasyto kgandpk()=Prob(k()").Then, p()forall2Pathn.
p() seethatpk+1=F(pk).Byinductiononkwegetpk() Corollary3.7.2(cf.Theorem3.1.6,page36)Let(S;P)beafullyprobabilisticsys- f().Weconcludethatp=fistheleastxedpointofF. f()forall2Pathn.Hence,
tem.LetS1,S2besubsetsofS.Let (i)2S1nS2,i=0;1;:::;jj�1,last()2S2.Let p:S![0;1],p(s)=Prob((s)), Pathnbethesetofallnitepaths = ".Then, suchthat
F(f)(s)=1ifs2S2,F(f)(s)=0ifs2Sn(S1[S2)and,ifs2S1nS2, istheleastxedpointoftheoperatorF:(S![0;1])!(S![0;1])whichisgivenby
Proof: followsimmediatelybyProposition3.7.1(page65).Usesthefactthat()= F(f)(s)=Xt2SP(s;t)f(t):
Proposition3.7.3Let(S;Steps)beaconcurrentprobabilisticsystemand For2 (last())foreach2Pathn.
pmin()=inf andA2Adv,letA()=f02Pathn(last()): A2AdvProb A()"A;pmax()=sup A2AdvProb 02Agand A()"A: Pathn.
Then,pminandpmaxaretheleastxedpointsoftheoperators e.g.Proposition12.1.1(page309).
28Theexistenceofaleastxedpointcanbeshownusingstandardargumentsofdomaintheory.See

66 Fmin,Fmax:(Pathn![0;1])!(Pathn![0;1]) CHAPTER3.MODELLINGPROBABILISTICBEHAVIOUR
thataredenedasfollows.If2 Fmin(f)()=min8

Foreach>0andt2Supp(),wechoosesomeA;t2Advwith 3.7.PROOFS 67
LetAbeanadversarywithA()= Pathnwithrst(0)=t.Then, pmax !t andA pA;t !t+:
pA !t=pA;t !t !0=A;t pmax !t�: !0foreach02
Thus,forall>0: pmax() X pA()= t2Supp()(t)pA X !t
Thus,pmax Fmax(pmax).ByProposition12.1.1(page309): t2Supp()(t)pmax !t� =Fmax(pmax)()�:
LetAn()=f02A():j0j (2)pmax lfp(Fmax)=fmax.
Moreover,pAn()=1if2.If pA()=lim ngandpAn()=Prob(An()"A).Then,
pAn+1()= =2XthenpA0()=0and n!1pAn():
Byinductiononn,wegetpAn fmax.Thus,pA t2Supp(A())A()(t)pAn fmaxwhichyields �!t: A()
From(2),wegetpmax=fmax.c pmax=sup A2AdvpA fmax:
Corollary3.7.4(cf.Theorem3.2.11,page43)Let(S;Steps)beaconcurrentprob- i=0;1;:::;jj�1,andlast()2S2.Fors2SandA2Adv,let abilisticsystem,S1,S2 pmin(s)=inf A2AdvProb Sandlet A(s)"A;pmax(s)=sup bethesetofnitepaths A2AdvProbsuchthat(i)2S1, Then,pminandpmaxaretheleastxedpointsoftheoperators A(s)"A:
F(f)(s)=0.Ifs2S1nS2then thataredenedasfollows.Ifs2S2thenF(f)(s)=1.Ifs2Sn(S1[S2)then Fmin,Fmax:(S![0;1])!(S![0;1])
Fmax(f)(s)=max(Xt2S(t)f(t): Fmin(f)(s)=min(Xt2S(t)f(t): 2Steps(s));
Proof: followsimmediatelyfromProposition3.7.3(page65).
2Steps(s)):

3.7.2 68 Bisimulationandsimulationinimage-nitesystems CHAPTER3.MODELLINGPROBABILISTICBEHAVIOUR
WegivetheproofsforLemma3.4.8andLemma3.4.13thatshowthat,inimage-nite systems,(bi-)simulationcanbeapproximatedbythenitaryrelationsnandvn.Let (S;Act;Steps)beaxedimage-niteconcurrentprobabilisticsystemwithactionlabels
Proof: ands,s02S. Lemma3.7.5(cf.Lemma3.4.8,page56)s anequivalencerelation.Byinductiononnitcanbeshownthat0 Let0=Tn0 n.Wehavetoshowthat s0isns0foralln =0.Itiseasytoseethat0is 1 2 0.
Foreachn Hence,0 0andeachA2S=0,thereexistsauniqueelementAn2S=nwith .Inordertoshowthat0 weprovethat0isabisimulation. ::: .
AClaim1:Ifsa Proof:SinceA=TAnandAn An.Then,A0=S �!andA2S=0then[A]=infn0[An]. A1 A2 An+1wehave1=[A0] :::andA=TAn.
Foralln r=infn0[An].Clearly,r >0.ThereexistsanitesubsetXofSnAsuchthat[Y]< 0,An=A[(Y\An)[(X\An):ThesetsA,Y\AnandX\Anare [A].Wesupposer>[A].Let [A1] whereY=Sn(A[X).30 ::: =r�[A].Then, [A].Weput
Sincer pairwisedisjoint.Hence,
Contradiction!31c [An]=[A]+[Y\An]+[X\An]1�12k; X s02B0k0(s0)>1�12k: X S,benitesetswith
30ThisisbecausePt=2A(t)isconvergent. 31NotethatbydenitionXisasubsetofSnA.

W.l.o.g.B1 3.7.PROOFSB2 :::,B01 B02 :::.Wedenebyinductiononninnitesets 69
WeputI0=fn:0n=g.Leti forall(u;u0)2Bi I0 I1 :::ofnaturalnumberssuchthatthesequence(weightn(u;u0))n2Iiisconvergent B0i,i 1.
thereexistsaninnitesubsetJ(l)ofJsuchthat(weightn(ul;u0l))n2J(l)isconvergent.32 (u1;u01);:::;(uk;u0k)bethesequenceofpairwisedistinctpairs(u;u0)2Bi notbelongtoBi�1B0i�1.ForallinnitesetsJofnaturalnumbersandeachl2f1;:::;kg, 1.WesupposethatIi�1isalreadydened.Let B0iwhichdo
subsetofIi�1and(weightn(u;u0))n2Iiisconvergentforall(u;u0)2Bi WedeneJ1=Ii�1(1),Jl=Jl�1(l),l=2;:::;kandIi=Jk.Then,Iiisaninnite weight:S S![0;1];weight(u;u0)=lim n!1 n2Iiweightn(u;u0) B0i.Weput
if(u;u0)2Bi weightisaweightfunctionfor(;0)withrespecttov0. 1.Ifweight(u;u0)>0then(u;u0)iscontainedinthecountablesetSBi B0iandweight(u;u0)=0if(u;u0)=2Bi B0iforalli 1.Weshowthat
2.Letu2S.WeshowthatPu0weight(u;u0)=(u).If(u)=0thenweightn(u;u0)= 0forallu02Sandn (u)>0.Letibethesmallestnaturalnumberisuchthat1=2i0g u2BjforalljXi.LetA0beanitesubsetofS.Thereexistssomej B0j.Thus, isuchthat
Hence,Pu0weight(u;u0) itissucienttoshowthatforall">0thereexistsanitesubsetA0ofSwith u02A0weight(u;u0)=lim (u).InordertoshowthatPu0weight(u;u0) n!1 n2IjX u02A0weightn(u;u0) (u)
u02A0weight(u;u0) X (u)�": (u)
Let">0andj u0=2B0jweightn(u;u0) X iwith1=2j(u)�"
Similarly,itcanbeshownthatPuweight(u;u0)=0(u0). u02B0jweight(u;u0)=lim n!1 n2IjX u02B0jweightn(u;u0) (u)�":
3.Ifweight(u;u0)>0then(u;u0)2Bi manyn,andthereforeuv0u0. innitelymanyn(moreprecisely,foralmostalln2Ii).Hence,uvnu0forinnitely B0iforsomei 1andweightn(u;u0)>0for
containsaconvergentsubsequence.
32Thisisbecauseweightn(ul;u0l)2[0;1],andhence,(weightn(ul;u0l))n2Jisbounded.Therefore,it

70 CHAPTER3.MODELLINGPROBABILISTICBEHAVIOUR

Chapter4
Probabilisticprocesscalculi
ProcesscalculisuchasMilner'sCCSorSCCS[Miln80,Miln83,Miln89],Hoare'sCSP [Hoar85]orBergstra&Klop'sACP[BeKl84]cansuccessfullyserveashigh-levelspecicationlanguagesforcompositionaldesignandanalysisofparallelsystems.Forspecifying variantsofsuchprocesscalculi.Themaingoalofthatchapteristopresentthebasic conceptsofprobabilisticprocesscalculiandhowtosupplythemwithanoperationalse- thequantitativebehaviourofprobabilisticparallelsystems,variousauthorsproposed manticsbasedonaction-labelledprobabilisticprocesses.Wemainlyconcentrateonthe issueofparallelism.Detaileddiscussionsabouttheseveraltypesofnon-deterministic andprobabilisticchoicesandtheirinterplaycanbefounde.g.in[Lowe93b,MMS+94, HMS97,HarG98,HadVi98].Followingthenotationsof[Lowe93b,MMS+94],weusean internalprobabilisticchoiceoperatorwheretheprocesschoosesrandomlywhichsetof events/actionstooertheenvironmentandexternalnon-determinismwheretheenvironmentoersasetofevents/actions.1 ofP1andP2withinonetimestep.Thetransitionprobabilitiesofthecomposedsystem chronousparallelcompositioniscomposedbytheindependentexecutionoftheactivitiesP1andP2,thecomponentsworkinatime-dependentfashion;i.e.,eachstepofthesyn- Synchronousparallelism:Inthesynchronousparallelcompositionoftwoprocesses
synchronizationpoints. P1andP2.ThisreectstheassumptionthatP1andP2workindependentlybetweenthe areobtainedbymultiplyingtheprobabilitiesoftheindividualmovesofthecomponents
eachstepofP1 dealwiththe(synchronous)productP1P2inthestyleofMilner'sSCCS[Miln83]where cessesareproposed.[GJS90,JoSm90,vGSST90,SmSt90,LaSk92,Toft94,KwNo98b]Intheliterature,severaltypesofsynchronousparallelcompositionforprobabilisticpro- butperformsequencesofactionsindependentlybetweenthesesynchronizationpoints. wheretheprocessesP1andP2havetosynchronizeoncertain\synchronizationpoints" e.g.[FHZ93,HarG98],focussontheconceptofalazy(synchronous)productP1 P2iscomposedbyexactlyoneactionofP1andP2.Otherauthors,
Oneside-eectoftheuseoflazysynchronousparallelism(inanon-probabilisticorprob- P2
abilisticsetting)isthatthetransitionsystemrepresentationofP1P2isingeneralmuchtionoperators.SeeRemark4.2.4,page81.1Itshouldbenoticedthatthedierenttypesofprobabilisticchoiceoperatorsleadtodierentrestric- 71

72 smallerthanthoseofP1 P2.2Inthissense,theuseofthelazyproductcanalsobe CHAPTER4.PROBABILISTICPROCESSCALCULI
viewedasanabstractiontechniquethatattacksthestateexplosionproblem. Inmostcases,intheprobabilisticextensionsofsynchronouscalculi,theconceptof non-deterministicchoiceisreplacedbyprobabilisticchoice.Typically,suchlanguages (withsynchronousparallelismandprobabilisticchoiceratherthannon-determinism)are
guagescanalsobeprovidedwithoperationalsemanticsthatarebasedonthereactiveLaSk92,Toft94]but{ase.g.inthecaseofprobabilisticextensionsofSCCS{suchlan- equippedwithanoperationalsemanticsthatusesamodelbasedonMarkovchains(such
orstratiedview[vGSST90,Toft90,Toft94,KwNo96,Norm97,KwNo98b].Moreover, asfullyprobabilisticprocesseswithactionlabels)[GJS90,JoSm90,vGSST90,Toft90,
someoftheselanguages{togetherwiththeirstratiedsemantics{canbeusedtoreason modelsofthesecalculicanbeviewedasgeneralizationsofthereactivemodel. aboutpriority[SmSt90,Toft90,Toft94].Synchronouscalculiwithnon-deterministicand
Asynchronousparallelism:Thereareseveralprobabilisticextensionsofasynchronous probabilisticchoiceareconsiderede.g.in[FHZ93,Norm97,KwNo98b].Thesemantic
calculiwithnon-deterministicandprobabilisticchoiceoperators.Theunderlying(asynchronous)paralleloperatorsallowcommunicationoncertainactions(e.g.communication non-determinismwheretheindependentevolvementofthecomponentsismodelledby actions)butalsoindependentevolvementofthecomponents.Theoperationalsemanticsofsuchcalculiareusuallygivenintermsofprobabilistictransitionsystemswith intheCCS-styleon\complementary"actionsorCSP-likecommunicationoncommon
interleaving.Forinstance,[HaJo90,Hans91,YiLa92,Yi94]extendMilner'sCCSbya
Probabilisticshue:Baeten,Bergstra&Smolka[BBS92]introduceamodication [Lowe93a,Lowe93b,MMS+94,Lowe95,Seid95]. probabilisticchoiceoperator;probabilisticvariantsofHoare'sCSPareconsiderede.g.in
ofACP[BeKl84]whichusesprobabilisticchoiceinsteadofnon-determinismandseveral typesofprobabilisticshueoperators(withpossiblecommunication).Theprobabilisticshueoperatorsareparametrizedbytheprobabilitiesforacommunicationandthe tookuptheideaofusingprobabilityparametersthatassociateweightstothepossible autonomousmovesofthecomponents.Theoperationalsemanticsisbasedonfullyprobabilisticprocesseswithactionlabels.Severalauthors,e.g.[SCV92,NudF95,dAHK98], stepsofthecomposition(communicationoncertainactionsorindependentevolvement ofthecomponents).3[GLN+97]introducetheprocessalgebraPTPAforgenerative(and timed)processesinwhichprobabilisticshueismodelledwiththehelpofanormalization function(ratherthanprobabilityparameters).Intheapproachof[GLN+97],thecomponentsP1andP2oftheprobabilisticshueP1kAP2mustsynchronizeontheactionspossibleactionsofP1kAP2.4Bothtypesofprobabilisticshue(theonethatuseprob- probabilitiesforP1andP2toparticipateinana-stepofP1kAP2wherearangesoverall tiesofP1kAP2aredenedwiththehelpofthenormalizationfunctionthatsumsupthea2Awhiletheactionsa=2Aareperformedautonomously.Thetransitionprobabiliabilityparametersandtheonethatuseanormalizationfunction)canbeviewedastheinterleavedexecutionofthetwocomponentsP1andP2(extendedbycertainsynchronizanotionofparallelcompositionPkTofagenerativeprobabilisticprocessPandsomekindof\test"T. 2Thisisbecausethelazyproductabstractsfromcertainlocalstates. 3See[dAHK98]foranoverviewoftheseparametrizedshueoperators. 4Similarideasareusedintheapproachsofe.g.[Chri90b,CSZ92,YCDS94,NdFL95]thatdenea

73
tionmechanisms)withrespecttoaxedrandomizedscheduler.Thisschedulerdecides
randomlywhichofthepossiblestepsisexecutednext:eitherasynchronizationactionor
anindividualmoveofP1oranindividualmoveofP2.Theprobabilitiesofthepossible
stepsaregiveneitherbytheparametersoftheprobabilisticshueoperatororbythe
normalizationfunctionthatdependsonthelocalstatesofP1andP2.
Modellingasynchronicitybysynchronicity:Inthenon-probabilisticsynchronous
case(i.e.inthecaseofMilner'sSCCS),adelayoperator@canbedenedwhichmakesit
possiblee.g.toforceaprocesstowaitforapossiblecommunicationpartnerandtoembed
theasynchronouscalculusCCSintothesynchronouscalculusSCCS[Miln83].Intuitively,
@PbehavesasPbutitmayidleforindenitelymanytimestepsbeforeperformingthe
rstaction.Formally,@Pisgivenbytheprocessequation@Pdef
=P+1;@Pwhichstates
that@Pdecidesnon-deterministicallytobehaveasPortobeidleinthenextstep.Here,
+denotesnon-deterministicchoice,;sequentialcompositionand1theidleaction.In
absenceofanon-deterministicchoiceoperator,thedelayoperator@cannotbedened;
hence,ifnon-deterministicchoiceisreplacedbyprobabilisticchoice(asitisthecasefor
severalprobabilisticvariantsofsynchronousprocesscalculiproposedintheliterature),
itisnolongertruethatasynchronicitycanbereducedtothesynchronouscase(atleast,
theauthordoesnotseehow).
Organizationofthatchapter:Westudythreecalculi.Thersttwoarestandard
extensionsofMilner'sCCSandSCCS;thethirdavariantofSCCSthatusesalazy
synchronousparallelcomposition.InSection4.1weconsideranasynchronouscalculus
withCCS-likecommunicationandnon-deterministicandprobabilisticchoice(similar
tothecalculiof[HaJo90,Hans91,YiLa92])andgiveanoperationalsemanticsbased
onaction-labelledconcurrentprobabilisticprocesses.InSections4.2and4.3,wework
withsynchronouscalculiwithprobabilisticchoice(butwithoutnon-determinism)which
aresuppliedwithanoperationalsemanticsbasedongenerative(i.e.action-labelledfully
probabilistic)processes.ThecalculusinSection4.2,calledPSCCS,isaprobabilistic
extensionofMilner'sSCCSthatworkswithaparallelcompositionP1 P2wherethe
componentsP1,P2synchronizeonallactions.Basically,itagreeswiththecalculistudied
in[GJS90,JoSm90,vGSST90,Toft94].InSection4.3weproposeaprobabilisticcalculus
whichusesalazysynchronousparallelcompositionP1 P2whereP1andP2haveto
synchronizeonallvisibleactionswhiletheyevolveindependentlyontheirinternalactions.
Modellingrecursionbydeclarationsandprocessequations:Forallthreecalculi,
wemodelrecursionbydeclarations.Weuseprocessvariables(ofsomexedsetProcVar)
inthestatements.Theprocessvariablescanbeinterpretedasprocedurenames.The
bodiesoftheseproceduresaregivenbydeclarations.Formally,adeclarationisafunction
declthatassigntoeachprocessvariableZastatementdecl(Z)(thatalsomightcon-
tainprocessvariables,i.e.recursiveprocedurecalls).AprogramisapairP=hdecl;si
consistingofadeclarationdeclandastatements.Theintendedmeaningofaprogram
P=hdecl;siisthatthebehaviourofPisgivenbythestatementswhereeachoccurrence
ofaprocessvariableZinsisviewedasarecursiveprocedurecall.Thiscorrespondstothe
useofprocessequationsthatweuseinourexamples.LetZ1;:::;Zkbepairwisedistinct
processvariablesands1;:::;skstatements.Then,wewriteZjdef
=sj,j=1;:::;k,to
denotethatZjstandsfortherecursiveprocedurewhosebodyisgivenbysj.Thatis,
wedealwiththedeclarationdeclwheredecl(Zj)=sj,j=1;:::;k,andidentifyZjwith

74 theprogramhdecl;Zji.Ifopisan-aryoperatorsymboloftheunderlyingprocesscal- CHAPTER4.PROBABILISTICPROCESSCALCULI
shortfortheprogramhdecl;op(s1;:::;sn)i. culus(e.g.abinaryparallelcompositionoperatorkorthe1-ary(action-)prexoperator s7!a:s)andPi=hdecl;sii,i=1;:::;n,areprogramsthenwewriteop(P1;:::;Pn)as
InthissectionweconsideraprobabilisticextensionofMilner'sCCS[Miln89]whichis basedonthecalculusof[Hans91](seealso[HaJo90,YiLa92,Yi94]).Thesyntaxofour 4.1 PCCS:anasynchronousprobabilisticcalculus
calculus,calledPCCS,inobtainedfromCCSbyreplacingtheprexoperatora:sbyan action-guardedprobabilisticchoiceoperator
wherepiarerealnumbersbetween0and1denotingtheprobabilitythatafterperforming a: Xi2I[pi]si!
atomicactionswhichcontainsaninternalaction Inwhatfollows,ProcVarisasetofprocessvariablesandActisanitenonemptysetof atheaboveprocessbecomessi(providedthatthestatementssiarepairwisedistinct).
Act!Act,a7!a,where ofaprocess,notvisiblefortheenvironment)andwhichisequippedwithafunction = anda=aforalla2Act.IfL (representinginternalcomputations
and.Theresultofasynchronizationissupposedtobeinvisible,i.e.itisdescribedby L=fa:a2Lg.For .Synchronizationofprocessesisonlypossiblebyperformingcomplementaryactions tobeavisibleaction, iscalledthecomplementaryactionof Actthenweput
showninFigure4.1(page74).Here,a2Act,Z2ProcVar,LisasubsetofActnfg theinternalaction. SyntaxofPCCSstatements:PCCSstatementsarebuiltfromtheproductionsystem
s::=nil Z a: Xi2I[pi]si! s1+s2 s1ks2 snL s[`]
withL=L,`:Act!Actisarelabellingfunction(i.e.`()=`()forallvisibleactions and`()=),Iisanonemptycountableindexingsetand(pi)i2Iafamilyofreal Figure4.1:SyntaxofPCCSstatements
setofallPCCSprograms,i.e.allpairsP=hdecl;siwheredeclisadeclaration(afunction StmtPCCS(orshortlyStmt)denotesthesetofallPCCSstatements.PCCSdenotesthe writea:([pi1]:si1 numberspi2]0;1]suchthatPi2Ipi=1.ForniteindexingsetI=fi1;:::;ing,wealso
decl:ProcVar!StmtPCCS)andsaPCCSstatement. :::[pin]sin)insteadofa:(Pi2I[pi]si).a:sstandsshortfora:([1]s).
Theintendedmeaningofthestatementsisasfollows.nilstandsforaprocesswhich doesnotperformanyaction.Theideabehindaction-guardedprobabilisticchoiceisthat

a:(Pi2I[pi]si)rstperformstheactionaandthenrandomlychoosestobehaveast 4.1.PCCS:ANASYNCHRONOUSPROBABILISTICCALCULUS 75
afterwardsaccordingtothedistributionwhere
+modelsnon-deterministicchoice,thatis,s1+s2eitherbehaveslikes1orlikes2.kde- (t)=Xi2I notestheparallelcompositionwithCCS-stylecommunicationoncomplementaryactions si=tpi:
(i.e.,ins1ks2,s1ands2canevolveindependentlybutmayalsocommunicateviavisible snLbehaveslikesaslongassdoesnotperformanaction whereeachaction2Actisreplacedby`(). actions and).Theoperatorss7!snL,s7!s[`]modelrestrictionandrelabelling:
Example4.1.1[Thecontrollersystem]Weconsiderasimplecontrollersystemofa 2L.s[`]behaveslikes
cantestaproduct(viaanactioncalledtest).Weassumethatthereliabilityofthe productionisknown:withprobability1=100theproductfailsthetestinwhichcasethe productisreturnedtotheproductiondepartment(viaanactioncalledreturn);with plantthattestscertainproducts.Therearen\testingmachines"whereeachofthem
probability99=100theproductpassesthetestinwhichcasetheproductistransmitted tothevendingdepartment(viaanactioncalledrelease).Eachofthetestingmachines canbespeciedbythePCCSprogram Thus,thecontrollersystem(withntestingmachines)isgivenby Testdef =test:h1 100ireturn:Test h99
Pndef =Testk:::kTest100irelease:Test.
Here,weuseprocessequationstodescribetheunderlyingdeclarationasexplainedon | {z n } :
page73.
versionin[Yi94]).Incontrasttoourapproach,[HaJo90]allowforgeneralprobabilistic choiceP[pi]si(whileweuseaction-guardedprobabilisticchoicea:(P[pi]si)).Forinstance, tothecalculus(alsocalledPCCS)of[HaJo90](seealso[Hans91,YiLa92]andtheextended Remark4.1.2[PCCSalaHansson&Jonsson]OurlanguagePCCSiscloselyrelated
[HaJo90]allowstatementslikeh13ia:nilh23ib:nilwhichstandsforaprocessthatoera thecalculusof[HaJo90].Viceversa,usingsimilarideasasforthe\inference"fromactionlabelledstratiedsystemstoconcurrentprobabilisticsystems(seeRemark3.4.6,page55), respectively.Thus,syntactically,ourlanguagePCCScanbeviewedasasubcalculusof withprobability1=3andbwithprobability2=3andterminatesafterperformingaorb
thecalculusof[HaJo90]canbeembeddedsyntacticallyintooursbyintroducingaspecial actionsymbolarandom(whichrepresentsanyactivitythatresolvestheprobabilisticchoice, e.g.onemightthinkofarandomtostandfor\tossingafaircoin")and
Itshouldbenoticedthattheabovementioned\embeddings"areonlysyntactictrans- replacingXi2I[pi]sibyarandom: Xi2I[pi]si!: formations.Eventhoughtheintendedmeaningsaresimilartheformalsemanticsdonot

76 CHAPTER4.PROBABILISTICPROCESSCALCULI
a: Za �!decl Xi2I[pi]si!a ifdecl(Z)a �!decl �!decl
s1+s2a �!decl ifs1a �!decl where(s)=Xi2I ors2a �!decl si=spi
s1ks2a (i) �!decl s1a �!decl1and ifoneofthefollowingthreeconditionsissatised: (s)=(1(s01):ifs=s01ks2
(iii)a=andthereexists2Actnfgwith (ii)s2a �!decl2and (s)=(2(s02):ifs=s1ks02 0 :otherwise
suchthat s1�!decl1ands2�!decl2
snLa �!decl ifsa �!decl0,a=2Land(s)=(0(s0):ifs=s0nL (s)=( 0 1(s01) 2(s02):ifs=s01ks02 :otherwise
s[`]a �!decl ifsb �!decl0,`(b)=aand(s)=(0(s0):ifs=s0[`] 0 :otherwise
Figure4.2:OperationalsemanticsofPCCS:otherwise
coincidesincetheinterpretationsof+andkaredierent.Whilewedealwithanoperationalsemanticsbasedonconcurrentprobabilisticprocesses[HaJo90]workwithanop probabilistictransitionsaredistinguished.Incontrasttoourrulesfornon-determinism parallelcompositionandinthestyleofSegala[Sega95a]whodenesaCSP-likeparerationalsemanticsbasedonthestratied(alternating)modelwhereaction-labelledand +orparallelcompositionk(whichareimmediatederivationsofMilner'srulesfor+and allelcompositionforconcurrentprobabilisticsystems),therulesof[HaJo90]arebased onahigherpriorityfortheprobabilistictransitionsthantheaction-labelledtransitions.
performanaction-labelledtransitionunlessbothcomponentss1,s2haveresolvedtheir s1+s2rsthavetoperformtheirprobabilistictransitionsbeforethenon-determinism isresolved.Similarly,bytherulesof[HaJo90],theparallelcompositions1ks2cannot Intheapproachof[HaJo90],thesummandss1ands2ofthenon-deterministicchoice
probabilisticchoices.

OperationalsemanticsforPCCS:UsingtheclassicalSOS-stylealaPlotkin[Plot81], 4.1.PCCS:ANASYNCHRONOUSPROBABILISTICCALCULUS 77
wegiveanoperationalsemanticsforPCCSbasedonconcurrentprobabilisticprocesses withactionlabels.Letdeclbeadeclaration.Wedenethetransitionrelation�!decl StmtActDistr(Stmt)tobethesmallestrelationsatisfyingtherulesofFigure4.2on page76.Here,wewritesa processO[P]=(Stmt;Act;Stepsdecl;s)whereStepsdecl(s)=f(a;):sa assignstoeachPCCSprogramP=hdecl;sitheaction-labelledconcurrentprobabilistic �!declinsteadof(s;a;)2�!decl.Theoperationalsemantics
s �!declg.
nil23 b sa13b:nil
? s0
����@@@R nil23 sa a
b���13�
@@@R ����@@@Rb:nil Z"
Figure4.3: a
Example4.1.3TheoperationalsemanticsofthePCCSprogramhdecl;siwheres=
Figure4.4(page78)showsthesemanticsoftheprogramhdecl;(s1ks2)nLiwhere a:h13ib:nilh23inil(andwheredeclisanarbitrarydeclaration)istheprocessshownon theleftofFigure4.3(page77).Thepictureontherightshowstheoperationalsemantics O[P0]oftherecursiveprogramP0=hs0;decl0iwheres0=s+Zanddecl0(Z)=a:Z.
andL=f;;;g.t1k0t2standsshortfor(t1kt2)nL.Thea-transitionofs1k0s2 s1=:h14i:nil h34i:nil, s2=:h13i:nil h23i:nil+a:nil
s1k0s2canmakeana-movewheres1doesnotparticipate,i.e.doesnotchangeitslocal state.The-transitionofs1k0s2standsforthesynchronizationofand.Forinstance, representsthecasewherethea-transitionofs2ischosennon-deterministically.Thus,
takeplace. withprobability1413=1 statess1k0nil,:nilk0:niland:nilk0:nilnoactionsarepossiblebecauseoftherestriction operatorwhileintheglobalstates:nilk0:niland:nilk0:nilfurthersynchronizations 12,s1movestothelocalstate:nilands2to:nil.Intheglobal
Inwhatfollows,weidentifyeachprogramPwithitsoperationalmeaningO[P]andlift
precisely,ifdeclisadeclarationthenwedenedeclandvdecl bisimulationequivalence beshownthatalloperatorspreservebisimilarityandthesimulationpreorder.More deneP P0iO[P] andthesimulationpreordervsimtoPCCSprograms.We
bys O[P0]andPvsimP0iO[P]vsimO[P0].Itcaneasily
=declor=vdecl decls0ihdecl;si sim.Then: hdecl;s0iandsvdecl sims0ihdecl;sivsimhdecl;s0i.Let simasbinaryrelationonStmt
2.Ifs1s01ands2s02thens1+s2 3.Ifs1s01ands2s02thens1ks2 1.Ifsis0i,i2I,thena:(P[pi]si) a:(P[pi]s0i).
4.Ifss0thens[`] s0[`].
s01ks02. s01+s02.

78 CHAPTER4.PROBABILISTICPROCESSCALCULI
s1k0s2 t :nilk0:nila
s1k0nil
:nilk0:nil 12 1 :nilk0:nil 16HHHHHHHHj 14 HHHHHHj
? -12
:nilk0:nil
Figure4.4:ExamplefortheoperationalsemanticsofaparallelPCCSprogram &- nilk0nil %
Similarly,itcanbeshownthattheweakandbranchingbisimulationequivalencesof 5.Ifss0thensnL 6.Zdecl(Z) s0nL.
Segala&Lynch[SeLy94]arepreservedbyalloperatorswiththeexceptionofthenon-
Example4.1.4[Simpliedrepresentationofthecontrollersystem]Weconsider totheparallelcompositionkcanbederivedfromtheresultsof[Sega95a].5 deterministicchoiceoperator+.Thefactthattheserelationsarecongruenceswithrespect
a\simpler"descriptionofthebehaviourofPnwithasmallerstatespace(whosesizeis notexponentialinthenumberoftestingmachines)onecanusecountersctest,creturnand 3nstates(aseachofthencomponentsTestisdescribedbythreestates).Inordertoget thecontrollersystemofExample4.1.1onpage75.ThestatespaceofO[Pn]consistsof
creleasewherethevalueofthecountercagivesriseaboutthenumberoftestingmachines considerthePCCSprogramP0ndef thatareinthelocalstatewheretheactionahastobeperformednext.Thatis,we P(m;k;l)def =Test(m;k;l)+Return(m;k;l)+Release(m;k;l) =P(n;0;0)where
andTest(m;k;l) def =8>:test:h1 100iP(m�1;k+1;l)h99 :ifm100iP(m�1;k;l+1) Return(m;k;l)def =(return:P(m+1;k�1;l):ifk nil :otherwise
11
5Notethatourparallelcompositionissimilartotheoneintroducedin[Sega95a];theonlydierenceis Release(m;k;l)def =(release:P(m+1;k;l�1):ifl nil :otherwise. 1
nizationoncomplementaryactionsthatweuse).commonactionsandindependentevolvementonallotheractions(ratherthantheCCS-stylesynchro-
that[Sega95a]usesanothercommunicationmechanismwhichisbasedonCSP-stylesynchronizationon

Intuitively,therstcomponentmisthevalueofthecounterctestforthetestingmachines 4.2.PSCCS:ASYNCHRONOUSPROBABILISTICCALCULUS 79
respectively.ItiseasytoseethatO[Pn] nentkandthethirdcomponentlstandforthevaluesofthecounterscreturnandcreleasethatareintheirinitialstate(i.e.thathavetotestaproduct)whilethesecondcompo- theexponential-largesystemO[Pn]tothepolynomial-largesystemO[P0n]. states.Thus,bythecompositionalityofbisimulationequivalence,forinvestigatingthe behaviourofthecontrollersystemPninanenvironment:::kPnk:::onecanswitchfrom O[P0n]andthatO[P0n]has(n+1)(n+2)=2
4.2 ThespecicationlanguagePSCCSwasintroducedbyGiacalone,Jou&Smolka[GJS90] andlaterconsideredbyseveralauthors,e.g.[JoSm90,vGSST90,LaSk92].6PSCCSuses PSCCS:asynchronousprobabilisticcalculus
eachofthecomponentss1ands2performsexactlyonestep.Weassumeacommutative aSCCS-stylesynchronousparallelcompositions1s2wherealltransitionsoftheproduct andassociativefunctionAct ofthesimultaneousexecutionoftheactionsaandb.7IncontrasttoSection4.1(and s1s2arecomposedbyindividualmovesofs1ands2;moreprecisely,ineachstepofs1s2,
thefollowingSection4.3)thespecialactionsymbol itmightbecontainedinActinwhichcaseitdoesnotplayadistinguishedroleandis Act!Act,(a;b)7!abwhereabstandsfortheresult
treatedasanyotheraction. isnotneededhere.Nevertheless,
givenbythegrammarshowninFigure4.5(page79).Here,Z2ProcVar,a2Act, SyntaxofPSCCS:LetProcVarbeasetofprocessvariables.PSCCSstatementsare
s::=nilZ a:s Xi2I[pi]si s1 s2 snL s[`]
and`:Act!Actisarelabellingfunction.StmtPSCCS(orshortlyStmt)denotesthe L Act,Iisacountableindexingset,piarerealnumberspi2]0;1]withPpi=1 Figure4.5:SyntaxofPSCCSstatements
astatementanddecladeclaration(i.e.afunctiondecl:ProcVar!StmtPSCCS). Theintendedmeaningsofinactionnil,prexinga:s,restrictionsnLandrelabellings[`] collectionofallPSCCSstatements.APSCCSprogramisapairP=hdecl;siwheresis
performtheactionaiandbecomestiafterwardsi=1;2,thens1s2maymovetot1t2 areasinthecaseofCCSorPCCS.Pi2I[pi]simodelsprobabilisticchoice:ifsi,i2I,
viatheactiona1a2.Inthesynchronousparallelcomposition(alsocalledproduct)s1s2, arepairwisedistinctthen,withprobabilitypi,P[pi]sibehavesassi.Forniteindexing setI=fi1;:::;ing,wealsowrite[pi1]:si1 :::[pin]sininsteadofPi2I[pi]si.Ifsimay
sucestoassumethatiscommutativeandassociative.
extensionofSCCSandtoavoidconfusionswiththelanguagePCCSconsideredinSection4.1. 6NotethatseveralauthorsusethenamePCCSforthatcalculuswhilewecallitPSCCSsinceitisan 7InSCCS[Miln83],(Act;)issupposedtobeanAbelianmonoidwithaunit1.Forourpurposes,it

80 CHAPTER4.PROBABILISTICPROCESSCALCULI
Pdecl Pdecl(Z;a;t)=Pdecl(decl(Z);a;t);Pdecl(a:s;a;s)=1
Pdecl(s1Xi2I[pi]si;a;t!=Xi2IpiPdecl(si;a;t) Pdecl(snL;a;tnL)=Pdecl(s;a;t)ifa=2L s2;a;t1 t2)= (b;c)2SynaPdecl(s1;b;t1)Pdecl(s2;c;t2) X
Pdecl(s[`];a;t[`])= b2`�1(a)Pdecl(s;b;t) X
theprobabilisticchoicesins1ands2aresupposedtoberesolvedcausallyindependently. Figure4.6:EquationsforPdeclinthecaseofPSCCS
actionbands2tomovetot2viaanactioncsuchthata=bc. obtainedbysumminguptheproductsoftheprobabilitiesfors1tomovetot1viaan Thus,theprobabilityofthetransitionofs1 s2tothestatet1 t2viatheactionais
withinternalprobabilisticchoice(whichleadstoanotherinterpretationoftherestriction thefactthatwedonotallowsubstochasticstatesinfullyprobabilisticsystemsanddeal operator;cf.Remark4.2.4,page81){weprovidePSCCSwiththeoperationalgenerative OperationalsemanticsofPSCCS:Withslightdierences{thatmainlyarisesfrom
semanticsof[GJS90,JoSm90,vGSST90].Forthis,wexadeclarationdeclanddene thetransitionprobabilityfunctionPdecl:StmtActStmt![0;1]astheleastfunction thatsatisestheequationsofFigure4.6onpage80.8Here,fora2Act,
Example4.2.1WeconsidertherecursivePSCCSprogramhdecl;Ziwhere Syna=f(b;c)2Act Act:bc=ag:
WegettheequationPdecl(Z;a;nil)=13Pdecl(Z;a;nil)+23whoseuniquesolutionis decl(Z)=h13iZ h23ia:nil.
Pdecl(Z0;a;t)=Pdecl(Z0;a;t).Clearly,theleastsolutionis0.Hence,Pdecl(Z0;a;t)=0 FortherecursivePSCCSprogramhdecl;Z0iwheredecl(Z0)=Z0wegettheequation Pdecl(Z;a;nil)=1:
foralla2Actandt2Stmt. ThesodenedtransitionprobabilityfunctionPdecl:Stmt substochasticwhichmeansthatthesumoftheprobabilitiesfortheoutgoingtransitions theoreticarguments;seee.g.Propostion12.1.1onpage309.8TheexistenceofaleastfunctionsatisfyingtheequationsofFigure4.6followswithstandarddomain-
Act Stmt![0;1]is

4.2.PSCCS:ASYNCHRONOUSPROBABILISTICCALCULUS 81
s1
00,23 �����@@@@R 0,1 a,13 s1s2
nil 0 nilnil 0,23 ����ac,14 ab,1
0,1 HHHHHj H HH?
12
ofacertainstatementmightbearealnumberbetween0and1(ratherthan0or1). Figure4.7:ExamplesfortheoperationalsemanticsofPSCCSprograms
Pdecl(s1;b;t)=0if(b;t)6=(a;nil).Forthisreason,weintroduceanauxiliarystatement Forinstance,forthestatements1=h13ia:nilh23inilwehavePdecl(s1;a;nil)=1=3and 0thatdenotesinactionandaspecialactionsymbol0whichisneededformodelling transitionsfromastates2Stmtto0.WedeneStmt0=Stmt[f0g,Act0=Act[f0g andextendPdecltoafunctionStmt0Act0Stmt0asfollows. Fors2Stmt,weputPdecl(s;0;0)=1�X
foralla2Act0andt2Stmt0).TheoperationalsemanticsassignstoeachPSCCS andPdecl()=0inallremainingcases(e.g.Pdecl(s;0;t)=0ift2StmtorPdecl(0;a;t)=0 a2ActX t2StmtPdecl(s;a;t):
Example4.2.2Theoperationalsemanticsofhdecl;s1iwheres1=h13ia:nil programP=hdecl;sithefullyprobabilisticprocessO[P]=(Stmt0;Act0;Pdecl;s). theprocessshownontheleftofFigure4.7onpage81.Thepictureontherightshowsthe operationalsemanticsofhdecl;s1s2iwheres1isasbeforeands2=h14ib:nilh34ic:nil. h23inilis Inbothcases,declisanarbitrarydeclaration.
andruleslike probabilityfunctionPdecl.Someauthors,e.g.[vGSST90],useindicesforthetransitions Remark4.2.3Thereareseveralpossibilitiesforaformaldenitionofthetransition
fromwhichthetransitionprobabilityfunctionPdeclcanbederivedby ifsja[p] �!ktforsomej2IthenXi2I[pi]sia[p] �!j:kt
Otherauthors,e.g.[JoSm90,Toft94],usemultisetsoftransitions.However,theresulting Pdecl(s;a;t)=Xj p:sa[p] �!jt:
semanticsO[P]doesnotdependonthechosenwayfordeningthetransitionprobability functionPdecl. Remark4.2.4[Internal,externalprobabilisticchoiceandrestriction]OurinterpretationofrestrictionsnLdiersfromthosein[GJS90,JoSm90,vGSST90](wherethe syntaxsdAinsteadofsnLwhereL=ActnAisused).IntheruleforsnL,theyuse

82 anormalizationfactor(theprobabilityPdecl(s;ActnL)forstatestoperformanaction CHAPTER4.PROBABILISTICPROCESSCALCULI
a2ActnL).Theirrulefortherestrictionoperatorleadstotheequation
(providedthatPdecl(s;ActnL)>0).Thus,theydealwiththeconditionalprobabilities Pdecl(snL;a;tnL)= Pdecl(s;ActnL) Pdecl(s;a;t)
forthe(ActnL)-labelledtransitionsofsundertheassumptionthatsperformsanaction fromActnL.Incontrasttothis,inourapproachthevaluePdecl(s;ActnL)representsthe probabilityofdeadlockinsnLthatresultsfromtherestriction(butnotfromadeadlock
wedealwiththetransitionprobabilitiesPdecl(s;b;nilnfag)=Pdecl(s;0;0)=1=2while ins).Forexample,forthestatement s=tnfagwheret=h12ia:nil h12ib:nil
anexternalprobabilisticchoiceoperatorwheretheprocessrandomlychoosesoneofthe eventsoeredbyenvironment.Hence,forthestatementtofabove,iftheenvironment oersaandbthenaandbarechosenwithequalprobabilitywhile,foranenvironmentthat Pdecl(s;b;nilnfag)=1intheapproachsof[GJS90,JoSm90,vGSST90]thatfocuson
justoersb(butnota),theactionbwillbeperformed(withprobability1).Incontrastto areresolvedindependentlyontheenvironment.Thus,inourapproach,ifjustbisavailable whiletiswillingtoperformaandbwithequalprobabilitytheneitherbwillbeperformed this,weassumeaninternalprobabilisticchoiceoperatorwheretheprobabilisticchoices
probability1/2. (iftherandomizedchoiceselectsb)oradeadlockoccurs(ifaisselected),bothwith Besidetheuseofanotherprobabilisticchoiceoperator,severalothervariantsoftheoperationalsemanticsarepossibleandmightbeusefulincertainapplications. nilasawell-terminatedprocessthenonecanuseanauxiliarystatement(e.g.exit), Wedonotdistinguishbetweenwell-terminationanddeadlock.Ifonewantstoconsider insteadofPdecl(nil;0;0)=1.Then,the0-labelledtransitionsto0(thatmightarise anewactionsymbol(e.g.p)andthetransitionprobabilitiesPdecl(nil;p;exit)=1
ins1s2occursifitoccursinoneofthecomponentss1ors2.Alternatively,onecould Anotherpossiblevariantconcernstherulefortheproduct.Inourapproach,adeadlock transitionstoexitrepresentwell-termination. fromtherestrictionoperatororrecursion)representdeadlockwhilethep-labelled
allowthenon-deadlockedcomponenttoperformfurtheractionsevenifadeadlockhas componentswhiles1 theactionp)andviceversa. canuserulestospecifythatadeadlockins1 occurredintheothercomponent.If0-labelledandp-labelledtransitionsareused,one s2behavesass1ifs2haswell-terminated(i.e.hasperformed s2occursiitoccursinoneofthe
asinthecaseofPCCS(seepage77).Then,declandvdecl toalloperatorsofPSCCS.Thisresultforbisimulationequivalencedeclwasestablished byJou&Smolka(cf.Lemma4.1in[JoSm90]).Thecongruenceproofforvdecl Forxeddeclarationdecl,wedenetherelationsdeclandvdecl simarecongruenceswithrespect simforPSCCSstatements
vericationandomittedhere.
simisaneasy

4.3.PLSCCS:ALAZYSYNCHRONOUSCALCULUS 4.3 PLSCCS:alazysynchronouscalculus 83
onallvisibleactionswhiletheinternalactionsareexecutedindependently. sition.InthelazyproductP1P2,theprocessesP1andP2areforcedtosynchronize Inthissectionweproposeanewcalculus,calledPLSCCS,whicharisesfromPSCCSby replacingthesynchronousparallelcomposition byalazysynchronousparallelcompo-
AsinthecaseofPCCS,weassumeaspecialactionthatdenotesanyinternalorinvisible
somevisibleactions.Inotherwords,eachstepofs1s2iscomposedbysequencesofsteps s2mayperformarbitrarymanyinternal-stepsindependentlybeforetheysynchronizeon (i.e.istreatedasanyotheraction),inthelazyproducts1s2,thecomponentss1and computation.Whiledoesnotplayadistinguishedroleintheproducts1s2ofPSCCS
ofs1ands2,whereeachofthemstartswithanarbitrarynumberofinternalactionsand endsupwithavisibleaction.AsinthecaseofPSCCS,theprobabilisticchoicesofthe componentsaresupposedtobeindependent.Hence,theprobabilitiesforthetransitions ofs1s2aregivenbytheproductoftheindividualprobabilitieswherewedealwiththe
4.8(page83).Here,Z2ProcVar,a2Act,L cumulativeeectofthe-transitions. SyntaxofPLSCCS:PLSCCSstatementsaregivenbythegrammarshowninFigure Actnfg,Iisanonemptycountable
s::=nilZ a:s Xi2I[pi]si s1 s2 snL s[`]
indexingset,piarerealnumberspi2]0;1]withPpi=1and`:Act!Actisa relabellingfunctionwith`()=.StmtPLSCCS(orshortlyStmt)denotesthecollection Figure4.8:SyntaxofPLSCCSstatements
meaningsofnil,theprexoperatora:s,theprobabilisticchoiceoperatorP[pi]si,the ofallPLSCCSstatements.PLSCCSdenotesthesetofallPLSCCSprograms,i.e.pairs P=hdecl;siconsistingofadeclarationdeclandaPLSCCSstatement.Theintended restrictionoperatorsnLandtherelabellingoperators[`]areasinthecaseofPSCCS (seepage79).Forthelazyproducts1 (Actnfg)(Actnfg)!Act;(;)7! s2,weassumeafunction
where,asinthecaseofPSCCS, visibleactions and.Notethat standsfortheresultofthesynchronizationonthe = ispossible.Eacha-labelledtransitionof :
thatarelabelledbystringsoftheform probabilityofs1 thelazyproducts1 ofthesynchronizedexecutionofthevisibleactions s2iscomposedbysequencesofstepsofthecomponentss1ands2 and respectivelysuchthataistheresult
ofvisibleactionssuchthat probabilitiesProb(s1; s2tomoveviatheactionatot1 ;t1)Prob(s2; =a.9 ;t2)where(;)rangesoverallpairs(,) and t2isgivenbythesumoverall (i.e.a= ).Thus,the
byendingupinthestatet(cf.Section3.3.1,page50).
9RecallthatProbdecl(s; ;t)istheprobabilityforstoperformasequenceofinternalactionsfollowed

84 OperationalsemanticsforPLSCCS:WesupplyPLSCCSwithanoperationalseman- CHAPTER4.PROBABILISTICPROCESSCALCULI
(wheres,t2Stmtanda2Act)withthehelpofahigher-orderoperatoronthefunction spaceStmtActStmt![0;1].Forthedenitionofthesemanticsofthelazyproduct, adeclarationdecl:ProcVar!StmtanddenethetransitionprobabilitiesPdecl(s;a;t) ticsbasedonaction-labelledfullyprobabilisticprocesses.AsinthecaseofPSCCS,wex
wehavetodealwiththeprobabilitiesProbdecl(s; ofstepslabelledbyastringof anddenethepairhPdecl;Qdecliastheleastpairoffunctions .Forthis,wedealwithanoperatoronfunctionpairs ;t)forstomovetotviaasequence
and Qdecl:Stmt Pdecl:Stmt(Actnfg)Stmt![0;1] Act Stmt![0;1]
PSCCSandextendthesodenedfunctionPdecl:Stmt:Act functionStmt0 thatsatisestheequationsofFigure4.9onpage85.10Weproceedasinthecaseof Act0 Pdecl(s;0;0)=1�X Stmt0.Fors2Stmt,weput Stmt![0;1]toa
eachPLSCCSprogramP=hdecl;sitheaction-labelledfullyprobabilisticprocessO[P] anddenePdecl()=0inallremainingcases.11Theoperationalsemanticsassignsto a2ActX t2StmtPdecl(s;a;t)
Lemma4.3.1Foralls,t2Stmtand =(Stmt0;Act0;Pdecl;s):LetProbdecldenotetheprobabilitymeasureintheaction-labelled fullyprobabilisticsystem(Stmt0;Act0;Pdecl).
Proof: 3.3.4(page49). easyverication.UsesstructuralinductiononthesyntaxofsandProposition 2Act,Qdecl(s;;t)=Probdecl(s; ;t):12
Corollary4.3.2Foralls1,s2,t1,t22Stmtanda2Act, Pdecl(s1 s2;a;t1 t2)= (;)2SynaProbdecl(s1; X
Proof: followsimmediatelybyLemma4.3.1(page84). ;t1)Probdecl(s2; ;t2):
RecallthatProbdecl(s; sequenceof'sfollowedby Corollary4.3.3Foralls1,s22Stmt, )=PtProbdecl(s; (cf.Section3.3.1,page50). ;t)istheprobabilityforstoperforma
Pdecl(s1 s2;0;0)=1�X12Act 16= X22Act 10AsinthecaseofPSCCS,theexistenceofaleastfunctionpairsatisfyingtheequationsofFigure4.9 26=Probdecl(s1; 1)Probdecl(s2; 2):
canbederivedwithstandardmethodsofdomain-theory;seee.g.Remark12.1.2onpage309.
hdecl;sitobehaveashdecl;tiafterperformingasequenceofstepslabelledbyanelementof statement0areinterpretedasinthecaseofPSCCS.Seetheexplanationsonpage81. 12InthenotationsofSection3.3.1(page50),Probdecl(s; 11Here,Stmt0=Stmt[f0gandAct0=Act[f0gwherethenewactionsymbol0andtheauxiliary ;t)istheprobabilityfortheprogram .

4.3.PLSCCS:ALAZYSYNCHRONOUSCALCULUS 85
Pdecl(Z;a;t)=Pdecl(decl(Z);a;t);Pdecl(a:s;a;s)=1 Pdecl Pdecl(s1Xi2I[pi]si;a;t!=Xi2IpiPdecl(si;a;t) Pdecl(snL;a;tnL)=Pdecl(s;a;t)ifa=2L s2;a;t1 t2)= (;)2SynaQdecl(s1;;t1)Qdecl(s2;;t2) X
Qdecl(s;;t)=Pdecl(s;;t)+X Pdecl(s[`];a;t[`])= b2`�1(a)Pdecl(s;b;t) X
Figure4.9:EquationsforPdeclandQdeclinthecaseofPLSCCS u2StmtPdecl(s;;u)Qdecl(u;;t):
Proof: Example4.3.4WeconsiderthePLSCCSprogramsP1=hdecl;s1i,P2=hdecl;s2i wheredeclisanarbitrarydeclaration, followsimmediatelybyCorollary4.3.2(page84).
forsomesubsetLofActnfg.TheoperationalsemanticsofP1andP2areshownin s1=h12i:(nilnL) h12i:nilands2=::nil
thenoersthesynchronizationon stepandthesynchronizationon,bothwithprobability1=2.Intheformercase,s1 Figure4.10(page86).Wenowinvestigatethelazyproducts1 that =.Inthelazyproducts1 whiles1choosesrandomlybetweentheinternal s2,s2rstperformsitsinternalstepand s2whereweassume
programhdecl;s1 synchronizationon.Figure4.11(page86)showstheoperationalsemanticsofthe ands2cannotsynchronize,because,afterperformingtheinternaltransition,s2waits foreverforthesynchronizationon.Inthelattercase,s1isidleuntils2oersthe andProbdecl(s2; 1�X12Act ;nil)=1.Thus,Pdecl(s1s2;;nilnil)=1=2.Ontheotherhand, s2i.Clearly,wehaveProbdecl(s1; ;nil)=Pdecl(s1;;nil)=1=2
16= X22Act =1�Probdecl(s1; 26=Probdecl(s1; )Probdecl(s2; 1)Probdecl(s2; )=1�121=12
2)
whichyieldsPdecl(s1 Example4.3.5WeconsidertheprogramsQ1=hdecl;s1i,Q2=hdecl;s2iwhere s2;0;0)=1=2.
s1=Z,decl(Z)=h13i:Z h13i::w h13i:v,s2=h14i::th34i:u.

86 CHAPTER4.PROBABILISTICPROCESSCALCULI
nilnL ,12 s1 ,12
0,1 nil
0 0,1 0 nil
s2
���� @@@@R :nil,1
? ,1
0,1
? @@@@R ����
Figure4.10:TheoperationalsemanticsofPLSCCSprogramsP1andP2 ?
00,12 ����s1s2 0,1@@@@R
nilnil ,12
Here,t,u,v,warepairwisedierentstatements.TheoperationalsemanticsofQ1and Figure4.11:
Q2areshownininFigure4.12(page87)wheretheoutgoingtransitionsoft,u,vandw areomitted.WeconsiderthelazyproductQ1 Probdecl(s1; ;w)=Probdecl(s1; Q2.Wehave
andProbdecl(s2; ;t)=1=4,Probdecl(s2; ;u)=3=4.Thus, ;v)=1=2
Insomeapplications,itmightbehelpfultoworkwithaspecialvisibleidleaction, Pdecl(s1 s2; ;wu)=Pdecl(s1 ;wt)=Pdecl(s1 s2; ;vu)=38: ;vt)=18,
Formally,werequirethatwaitisavisibleactionsuchthatwait processwait:tdoesnotinuencetherststep,eventhoughformally,itparticipatesby e.g.calledwait,bywhichaprocesscanbeforcedtobeidleinthenexttimestep.
performingtheactionwait. 2Actnfg.Forexample,:swait:trstperformsandthenbehavesasst.I.e.the = wait=forall
waitsforthemessagesbythesender).Thesenderworkswithanuncertainmedium Example4.3.6[ThecommunicationprotocolSender variantofthesimplecommunicationprotocolofExample1.2.2onpage20whichwe specifyasthelazyproductofasender(whotriestosendmessages)andareceiver(who Receiver]Weconsidera
thatmightlosemessage(withprobability0.01).Ifthemessagegetslostthenthesender retriestodeliverthemessage.Incasewherethemessageisdeliveredcorrectly,the senderwaitsforanacknowledgementofthereceipt.Forsimplicity,weassumethatthe

4.3.PLSCCS:ALAZYSYNCHRONOUSCALCULUS 87
:w,13
s1 ,13,13
v
w,1
� ��� @@@@R
? :t,14
s2 ,34u
t,1
� ��� @@@@R
Figure4.12:TheoperationalsemanticsofPLSCCSprogramsQ1andQ2 ?
acknowledgementistransmittedbyasafemediumthatdoesnotloosemessages.The behaviourofthesendercanbespeciedusingprocessequationsasexplainedonpage73.
Trytosenddef Lostdef Senderdef =produce:Trytosend
Deliverdef =:Trytosend =deliver!:Waitforresponse =[0:01]Lost [0:99]Deliver
Weusethevisibleactionsproduce(whichmeanstheactionbywhichthesendergenerates amessage),deliver!(theoutputactionbywhichthemediumtransmitsthemessage Waitforresponsedef =wait:ack?:Sender
tothereceiver),ack?(aninputactionthatdenotesthatthesendersenderreadsthe acknowledgement)andtheactionwaitthatisusedtoforcethesendertobeidleinthe theactivitiesthatareneededforpreparingthenextattempttodeliverthemessage.The operationalsemanticsofthesenderisshowninFigure4.13(page87.)Thereceiveris stepwherethereceiverworksupthemessage.Theinvisibleactionisusedtodescribe
Sender
Trytosend produce,1
,0:01' ?
deliver!,0:99ack?:Sender ack?,1
& Waitforresponsewait,1
6@@@@@R
$
6 6
Figure4.13:Theoperationalsemanticsofthesender

88 speciedasfollows.Receiverdef
CHAPTER4.PROBABILISTICPROCESSCALCULI
Getmessagedef =wait:Getmessage
Weusetheactionsdeliver?(theinputactionthatstandsforthereceiptofthemessage), Acknowledgedef =ack!:Receiver =deliver?:consume:Acknowledge
consume(anactionbywhichthereceiverworksupthemessageandproducestheacknowledgement),ack!(theoutputactionbywhichthereceiveracknowledgesthereceiptofthe generatesthenextmessage).Wesupposethatdeliver!deliver?=ack?ack!=.The message)andtheactionwait(whichensuresthatthereceiverisidlewhilethesender operationalsemanticsofSender SenderReceiver ReceiverisshowninFigure4.14(page88.)13
TrytosendGetmessage produce,1 $
?
Waitforresponseconsume:Acknowledge ? ,1 ,1
ack?:SenderAcknowledge ? consume,1
Figure4.14:TheoperationalsemanticsofSender Receiver %
AsinthecasesofPCCSorPSCCS,weadaptbisimulationequivalence seethats1decls01,s2decls02impliess1 ulationpreordervsimforPLSCCSprogramsandstatementswhere,for wedeneP P0iO[P]O[P0]andsdecls0ihdecl;sideclhdecl;s0i.Itiseasyto andthesimlenceandthesimulationpreorderarecongruencesforPLSCCS.InChapter7wedene
s2decls01 s02.Thus,bisimulationequiva- 2f;vsimg,
weakbisimulationequivalenceforaction-labelledfullyprobabilisticsystemsforwhichwe showthatitpreservesalloperatorsofPLSCCS(excepttheprobabilisticchoiceoperator). Thisalgebraicpropertyisespeciallyuseful,sinceitallowsonetoreplacecomponentsby equivalentonesthatareminimizedwithrespecttotheirinternalbehaviour.
apathlabelledbyatraceofdeliver!is1.
13NotethattheprobabilityforthesendertoreachthestateWaitforresponsefromTrytosendvia

Chapter5
Denotationalmodels
semanticsfocussesonthestepwisebehaviour,thedenotationalapproachisbasedon Therecenttrendinthesemanticsofprogramminglanguagesistoprovideaprogramminglanguagewithseveral(pairwise\consistent")semanticsthatdescribedierentviews, e.g.anoperational,adenotationalandalogicalbasedsemantics.Whiletheoperational
parallelcompositionk).Anothercharacteristicfeaturesofdenotationalsemanticsforprocompositionality(i.e.theexistenceofsemanticoperatorsformodellingthesyntacticcon- thedenitionofthemeaningofrecursiveorrepetitiveprograms.Typically,thesexed structsofthelanguagesuchasnon-deterministicchoice+,sequentialcomposition;orgramminglanguageswithrecursionorrepetitionisatheuseofxedpointequationsfor orderormetric.Thus,denotationalsemantics,beingcompositional,providethetheory pointequationsaresolvedwiththehelpofTarski'sorBanach'sxedpointtheoremsin
(inthepartialordersetting)orequality(inthemetricsetting)inthemodelprecisely whichcasesthesemanticdomainissupposedtobeequippedwithanappropriatepartial
correspondstotheoperational(pre)orderorequivalence,thedenotationalsemanticscan provideadditionalinsightintothenatureofoperationalnotions,andeventuallyserveas thatunderpinssystemdecomposition;and,iffullyabstract,i.e.,iftheinherentorder
anintermediatelinkbetweentheoperationalsemanticsandanappropriatelogic. Severalauthorsproposeddenotationalsemanticsforprobabilisticprocesscalculi(seeSection1.2.2,page23),butonlyafewoftheminvestigatetheissueoffullabstractionwith respecttoanoperationalnotionof\processequality".Inthecontextofprobabilistic processcalculiwithrecursion,denotationalmodelsandrelatedfullabstractionresults arepresentedfortesting[Chri90a,Chri90b,Norm97,KwNo98a,KwNo98b]andfailure [MMS+94]equivalence.Tohandlerecursiveprocesses,Morganetal[MMS+94]usethe standardpartialorderapproachforestablishingdenotationalleastxedpointseman-
avariantofthestandardmetricdenotationalapproachanddenethesemanticsasthe ceptancetrees.Kwiatkowska&Norman[KwNo96,Norm97,KwNo98a,KwNo98b]use[Henn88]andmodelsrecursionbyequationsaslabellingsforthebranchesintheseactics.Christo[Chri90a,Chri90b]dealswithavariantofacceptancetreesalaHennessy limitofaCauchysequenceinacompletemetricspace. BasedonthejointworkwithMartaKwiatkowska[BaKw97],thischapterpresentsa thatarefullyabstractwithrespecttobisimulationandsimulation.Fullabstractionof methodforprovidingdenotationalsemanticsforprobabilisticcalculilikePCCSorPSCCS
89

90 adenotationalsemanticsDwithrespecttobisimulationmeansthatDidentiesexactly CHAPTER5.DENOTATIONALMODELS
thoseprogramsthatarebisimilar,i.e.D[P]=D[P0]iP Thepartialorderapproachisusedtoobtainafullyabstractdenotationalsemantics withrespecttosimulationmeansthatthesemanticdomain(therangeofD)isequipped withanordervthatreectsthesimulationpreorder,i.e.D[P]vD[P0]iPvsimP0. P0whilefullabstraction
bisimulation. Asinthenon-probabilisticcase(e.g.[dBaZu82,GoRo83,dBaMe88,Abra91,RuTu93, withrespecttosimulation;themetricsettingtoobtainfullabstractionwithrespectto
cessPwithadistributionspectivelyareobtainedbyapplyingstandardcategoricalmethodsforsolvingrecursivedomainequations.1ThemainideaofthefullyprobabilisticcaseistoidentifyeachproBai97])thesemanticdomainsIDandIMofthepartialorderandmetricsemanticsre- Thisleadstorecursiveequationsoftheform and(a;Q)theprobabilityforPtoperformtheactionaandtobehaveasQafterwards. onpairs(a;Q)whereaisanactionlabel,Qisaprocess
forthesemanticdomainX.2Here,0isaspecialsymboltodenoteinaction(i.e.aprocess likenilthatdoesnotperformanyaction).Thecentralideaintheconcurrentcaseisto X=f0g[Distr(Act X)
representaprocessPbyasetofpairs(a;)consistingofanactionaandadistribution alternative.Fromthis,weobtaindomainequationsoftheform onprocesseswhereeachelement(a;)ofthatsetrepresentsanon-deterministic
wherePow()denotesasuitablepowerdomainconstructionandwhereinactionismodellede.g.by;.Unfortunately,inbothcasestheequationcannotbesolvedwiththestan X=Pow(Act Distr(X))
dardmethodsof[SmPl82,AbJu94]or[AmRu89,MaZe91,RuTu93]forsolvingrecursivedomainequationsinthepartialorderormetricapproachrespectivelysincethedistributionoperatorX7!Distr(X)failsthenecessaryconditionofpreservingcompleteness.3 Nevertheless,theequationsX=f0g[Distr(ActX)andX=Pown(ActDistr(X)) havenalsolutionsinSET,thecategoryofsetsandfunctions,whichyieldsnalse-
Inordertoobtainfullyabstractdenotationalmodelsthatcanserveassemanticdomains manticsinthesenseofRutten&Turi[RuTu93]thatarefullyabstractwithrespectto bisimulation.4 forprovidingdenotationalsemanticsinthemetricorpartialorderframeworkweswitch fromDistr()totheprobabilisticpowerdomainEval()ofevaluationsinthesenseofJones
allevaluationson()coversDistr().Wesolvedomainequationsoftheform toelements,theevaluationsdecoratesetswith\probabilities"(valuesin[0,1]).Inour cases,wheretheunderlyingdomainisametricspaceorpartialorder,thesetEval()of &Plotkin[JoPl89](cf.Section12.1.4,page313).Whiledistributionsassignprobabilities
3SeeRemark5.1.13(page95)andRemark5.1.18(page97). 1Therecursivedomainequationsreectthecoinductivenatureofbisimulationandsimulation. 2RecallthatDistr()denotesthesetofdistributionson().SeeSection2.2(page30). X=f0g[Eval(Act X)andX=Pow(Act Eval(X))
4Here,Pown()denotesthecollectionofnitesubsetsof().

5.1.DENOTATIONALMODELS:CONCURRENTCASE whereweapplythemethodofAbramsky&Jung[AbJu94]inthepartialorderapproach 91
andthemethodofRutten&Turi[RuTu93]inthemetricsetting.TheresultingdomainsIDandIMareshowntobeinternallyfullyabstractwithrespectto(bi-)simulation whichmeansthattheinherentorderonIDagreeswiththesimulationpreorderandthat bisimulationequivalencecoincideswiththeequalityonIM.Usingthestandardprocedurestogivedenotationalsemanticsinthepartialorderandmetricapproachweobtain denotationalsemanticsonIDandIMandthedesiredfullabstractionresults.
(seeSection4.1,page74)whereweshrinkourattentiontonitelybranchingsystems.5 TheresultsforthefullyprobabilisticcaseandPSCCS(seeSection4.2,page79)are complicate)caseofconcurrentprobabilisticprocessesindetailandthelanguagePCCS Organizationofthatchapter:InSection5.1weconsiderthe(moreinterestingand
tional(leastxedpointormetric)semanticsandcategoricalmethodsforsolvingrecursive summarizedinSection5.2.
domainequations.Themathematicalpreliminariesthatareneededinthischaptercan befoundintheappendix(Sections12.1.1,12.1.2,12.1.3and12.1.4;seepage307). Inthischapter,thereaderissupposedtobefamiliarwiththebasicconceptsofdenota-
Moreover,thereadershouldrecallthenotationsthatweusefordistributionsandweight functions(Section2.2,page30).
Wetakeasbasisnitelybranchingaction-labelledconcurrentprobabilisticprocessestogetherwiththebisimulationequivalence(Denition3.4.3,page54)andthesimulation 5.1 Denotationalmodels:concurrentcase
withnon-determinism,probabilisticchoiceandrecursion(suchasPCCS).Westartwith theequationX=Pow(Act semanticdomainswhichcanserveasfullyabstractdenotationalmodelsforlanguages preorder(Denition3.4.9,page56).First,weturnourattentiontotheconstructionof
semantics"inthesenseof[RuTu93](seeSection5.1.1).Then,takingthedomainequationsfornon-probabilisticprocessesasbasis,wederivedomainequationsinvolvingthe probabilisticpowerdomainofevaluationswhich{whensolvedrespectivelyinappropriate Distr(X))thatwesolveinSETandthatyields\nal
fullyabstractsemanticdomains,weusethestandardproceduresforestablishingdenota- probabilisticprocessesthatareinternallyfullyabstractwithrespecttosimulationand bisimulationrespectively(seeSections5.1.2and5.1.3).Havingobtainedtheseinternally categoriesofpartiallyorderedsetsormetricspaces{giverisetosemanticdomainsfor
tionalsemanticsondcpo'sandcompletemetricspacesandobtaindentationalsemantics forPCCSthatareshowntobefullyabstractwithrespecttobisimulationandsimulation respectively(seeSection5.1.4). Simpliednotations:Intheremainderofthissectionwedealwithnitelybranch-
systems/processesoftheform(S;Act;Steps)or(S;Act;Steps;s). ingaction-labelledconcurrentprobabilisticsystemsorprocesseswithactionlabelsofatemsorprobabilisticprocessesratherthannitelybranchingaction-labelledconcurrentxednitenonemptysetAct.Forsimplicicity,webrieyspeakaboutprobabilisticsys- choice)alwaysyieldsanitelybranchingprocess.
5NotethattheoperationalsemanticsforPCCS(whichdoesnotallowforunboundednon-deterministic

92 5.1.1 ThedomainIP CHAPTER5.DENOTATIONALMODELS
SETyieldsacharacterizationof\action-labelledtrees"[Barr93,RuTu93,Bai97].These canbeviewedascanonicalrepresentativesofthebisimulationequivalenceclassesof(nonprobabilistic)nitelybranchinglabelledtransitionsystemswithactionlabelsinAct. Inthenon-probabilisticcase,thenalsolutionoftheequationX=Pown(ActX)in
Here,Pown()denotesthecollectionofnitesubsetsof().Weadaptthisideafor
Notation5.1.1[ThedomainIP]LetIPbethesetofbisimulationequivalenceclasses theprobabilisticcaseandshowthatthebisimulationequivalenceclassesofprobabilistic processesformthenalsolutionofthedomainequationX=Pown(Act ofprobabilisticprocesses.6 Distr(X)).
bilisticprocess,[P]denotesthebisimulationequivalenceclassofP.Notation5.1.2[Thebisimulationequivalenceclasses[P]]ForPtobeaproba- WeusesymbolslikeT;T0;T1;T2;:::torangeobertheelementsofIP.
Notation5.1.4[TheelementsTA]LetP=(S;Act;Steps;s)beaprobabilisticprocess andt2S.Then,Ptdenotestheprobabilisticprocess(S;Act;Steps;t). Notation5.1.3[TheprocessPt]LetP=(S;Act;Steps;s)beaprobabilisticprocess
andA2S=.LetTAbetheuniqueelementofIPwithTA=[Pt]forall(some)t2A. WeassociatewithIPtheprobabilisticsystemS(IP)=(IP;Act;StepsIP)where
wheref:S!IPisgivenbyf(t)=[Pt].Hence,ifTisthebisimulationequivalence classofP=(S;Act;Steps;s)(i.e.T=[P])thenTa StepsIP([P])=f(a;Distr(f)()):(a;)2Steps(s)g:
followinglemmaanditscorollaryshowthatforeachprobabilisticprocessP,[P](viewed sa eachelementTofIPisidentiedwiththeprobabilisticprocess(IP;Act;Steps;T).The �!with(TA)=[A]forallbisimulationequivalenceclassesA2S=.Inthesequel, �!ithereexistsatransition
asaprobabilisticprocess)istheuniqueelementofIPwhichisbisimilartoP. Lemma5.1.5LetP,P0beprobabilisticprocesses. (a)P (b)P (c)PvsimP0ifandonlyif[P]vsim[P0] P0ifandonlyif[P]=[P0] [P]
().(c)followsby(a)andpart(c)ofLemma3.4.14(page59).Weshow(a).Let Proof: 6InordertoseethatIPisreallyasetconsideraxedsetStatesofcardinality!anddeneIPtobe (b)isclearsince[]isdenedtobethebisimulationequivalenceclassof
representsallbisimulationclassesofprobabilisticprocesses.Notethatthesetofstatesswhichcanbe thesetofbisimulationequivalenceclassesofprobabilisticprocesseswhosestatesbelongtoStates.Then, reachedfromtheinitialstateisalwayscountable.RecallthatweassumeaxednitesetActofactions andthatweonlyconsidernitelybranchingprocesses.
eachprobabilisticprocessisbisimilartosomeprobabilisticprocesswhosestatesbelongtoStates.I.e.IP

5.1.DENOTATIONALMODELS:CONCURRENTCASE P=(S;Act;Steps;s)andR=f(t;[Pt]):t2Sg.WeshowthatRfulllstheconditions 93
toseethat ofProposition3.4.4(page54).7Letf:S!IPbeasbefore(i.e.f(t)=[Pt]).Itiseasy
-If[Pt]a -Ifta �!then[Pt]�!Distr(f)().
f(t)=[Pt]forallt2S.Inparticular,witht=s,weobtainP ByRemark2.2.3(page31), �!then=Distr(f)()forsometransitionsa RDistr(f)().ByProposition3.4.4(page54),Pt �!.
T,T02IP:T Corollary5.1.6IPisinternallyfullyabstractwithrespecttobisimulation,i.e.forall T0iT=T0. [P].
T=[P]=[P0]=T0. Proof: (a)ofLemma5.1.5,T LetP,P0beprobabilisticprocesswithT=[P],T0=[P0].Then,bypart
NextweshowthatIPisanalsolutionoftheequationX=Pown(ActDistr(X))in PandT0 P0.Hence,T T0impliesP P0,andtherefore
SET. Theorem5.1.7IPisthenalcoalgebra(andhencethenalxedpoint)ofthefunctor PownFActDistr:SET!SET.8
whereweputSteps(y)=f(y).Hence,ya Proof: i.e.f:Y!F(Y)isafunction.WeassociatewithYaprobabilisticsystem(Y;Act;Steps) f(a;):Ta �!g.Then,(IP;e)isacoalgebraofF.Let(Y;f)beacoalgebraofK, LetF=PownFActDistr.Wedenee:IP!F(IP)bye(T)=
ofFasafunctionY!IPsatisfyingF(F)f=eF.WheneverF0:Y!IPisa functionF:Y!IP,F(y)=[Py]satisesF(F)f=eF.Weshowtheuniqueness functionwithF(F0)f=eF0thenweshowthatR=f(y;F0(y)):y2Ygsatisesthe �!i(a;)2f(y).Itiseasytoseethatthe
conditionsofProposition3.4.4(page54).9Itiseasytoseethat -Ifya -IfF0(y)a �!thenF0(y)a �!thenya �!Distr(F0)().
Lemma5.1.5andCorollary5.1.6,F0(y)=[Py]forally2Y.Hence,F=F0. ByRemark2.2.3(page31), �!forsome2Distr(Y)where=Distr(F0)().
SinceIPisthenalcoalgebrawegetanalsemanticsinthesenseofRutten&Turi RDistr(F0)().Thus,Py F0(y)forally2Y.By
[RuTu93].Let(S;Act;Steps)beaprobabilisticsystem.Then,(S;f)isacoalgebraof
Lemma5.1.5(page92),thenalsemanticsisfullyabstractinthesensethatitidenties wesawintheproofofTheorem5.1.7,F(s)=[Ps]wherePs=(S;Act;Steps;s).By F=PownFActDistrwheref:S!F(S)isgivenbyf(s)=f(a;):sa nalsemanticsF:S!IPisdenedastheuniquefunctionwithF(F)f=eF.As �!g.The
twostatesitheyarebisimilarandthatitpreservesthesimulationpreordervsim.
SET!SETwhichassignstoeachsetXthesetActX(seepage312)andthefunctorPown:SET! asdescribedonpage61). 8RecallthedenitionsofthedistributionfunctorDistr:SET!SET(page312),thefunctorFAct: 7Here,Risviewedasabinaryrelationonthestatespaceofthecomposedsystem(whichisdened
asdescribedonpage61).
SETwhichassignstoeachsetXthesetPown(X)ofnitesubsetsofX(seepage312). 9Here,Risviewedasabinaryrelationonthestatespaceofthecomposedsystem(whichisdened

94 Example5.1.8WeconsidertheprocessesPandP0ofFigure3.6onpage57.(I.e.P CHAPTER5.DENOTATIONALMODELS
andP0aretheprocesseswithinitialstatesands0respectively.)Thenalsemantics[P] and[P0]ofPandP0(aselementsofIP=Pown(Act where(T)=1=3,(;)=2=3,0(T)=0(;)=1=2andT=f(b;1;)g. [P]=f(a;)gand[P0]=f(a;0)g Distr(IP)))are
5.1.2 WeaimatsolvingarecursivedomainequationoftheformD=Pow(ActEval(D))in anappropriatecategoryofdcpo's.ThereasonnottodealtheequationD=Pow(Act ThesemanticdomainID
Distr(D))isthatthedistributionfunctorDistrdoesnotpreservecompletenessofpartially orderedsets(cf.Remark5.1.13,page95),andhence,failsforthestandardmethods powerdomainPow()shouldbeused.Wefollowtheideasofthenon-probabilisticcase forsolvingrecursivedomainequationsfordcpo's.Firstweturntothequestionwhich wheretheinitialsolutionofthedomainequation
yieldsasemanticdomainthatisinternallyfullyabstractwithrespecttothesimulation preorder[Bai97].10Notethattheauxiliaryelement?isneededasAct D=PowHoare(f?g[Act D)
dcpo(becauseitdoesnothaveabottomelement).Inaction(nil)isthenmodelledbythe adaptthisideaanddealwiththeequation setf?g,thebottomelementinPowHoare(f?g[Act D).Intheprobabilisticcase,we Dfailstobea
continuousfunctions(seepages308and311)andofthelocallyd-continousfunctorsRecallthedenitionsofthecategoryCONT?ofcontinuousdomainsandstrictandd- D=PowHoare(f?g[Act Eval(D)):
Eval:CONT?!CONT?whichassignstoeachcontinuousdomainDthepowerdomain Eval(D)ofevaluationsonD(seepage314),PowHoare:CONT?!CONT?(seepage 308)andFcont domainf?g[Act CONT?ofcontinuousdomains(alternatively,wecouldworkwiththelargercategory DCPO?ofdcpo'sandstrictandd-continuousfunctions).Forthis,wehavetoshowthe Act:CONT?!CONT?whichassignstoeachcontinuousdomainDthe
locald-continuityoftheassociatedfunctorPowHoareFcont D(seepage312).Wesolvetheaboveequationinthecategory
d-continuous. Lemma5.1.9ThefunctorFcont=PowHoareFcont ActEval:CONT?!CONT?islocally Act Eval.
Notation5.1.10[ThedomainID]IDdenotestheinitialxedpointofFcont.11 Proof: followsfromthelocald-continuityofEval,Fcont ActandPowHoare.
Inwhatfollows,wedealwiththeisomorphismasanequality,i.e.if(ID;j)istheinitial xedpointofFcontthenwesupposeID=Fcont(ID)andj=idID.Notethatthepartial 11Bytheresultsof[AbJu94](seepage311),Fconthasaninitialxedpoint.
10Here,PowHoare()denotestheHoarepowerdomain(cf.Section12.1.1,page308).

5.1.DENOTATIONALMODELS:CONCURRENTCASE orderonIDistheinclusion.Thebottomelement?IDinIDisf?gwhere?denotesthe 95
thentheleastupperboundFxiis(Sxi)cl,theScott-closureofSxiinf?g[ActEval(ID). Acl bottomelementinf?g[Act IfA,Barenitesubsetsoff?g[Act Eval(ID).If(xi)i2IisadirectedfamilyofelementsinID
ThedesiredinternalfullabstractionresultforIDstatesthat(insomesense)theinherent BclifandonlyifAvLBwherevLdenotesthelowerpreorder.12 Eval(ID)thentheScott-closureAcl=A#and
orderonID(i.e.theinclusion)\reects"thesimulationpreorder.Forthis,weshowthat IP(togetherwiththepreordervsim)canbeembeddedintoIDviaafunction{ID:IP!ID
Distr(D)andEval(D)thatholdforanydcpoD:Distr(D)equippedwiththeweight- suchthatTvsimT0i{ID(T) thisfullabstractionresultisTheorem5.1.12whichassertsageneralconnectionbetween simulationequivalenceclassesofprobabilisticprocesses.Thebasiclemmafortheproofof {ID(T0).Thus,thesubspace{ID(IP)ofIDrepresentsthe
function-basedpreordersim(asdenedinNotation5.1.11)isasubspaceofEval(D);in particular,Theorem5.1.12yieldsthatsimisapartialorderonDistr(D). Notation5.1.11[Thepartialordersim]LetDbeapartiallyorderedset(withpartialorderv)and,02Distr(D).Then, Thefollowingtheoremshowsthat,foreachdcpoD,thesetDistr(D)equippedwiththe (;0)withrespecttov.13 sim0ithereexistsaweightfunctionfor
functionDistr(D)!Eval(D), ordersimcanbeviewedasasubspaceofEval(D).Moreprecisely,weshowthatthe
Theorem5.1.12IfDisadcpothensimisapartialorderonDistr(D).Moreover,for canbeidentiedwiththeevaluationE.14 7!E,isorder-preserving.Thus,eachdistribution
all,02Distr(D), Proof: seeSection5.3,Theorem5.3.2(page105)andCorollary5.3.4(page109). sim 0iEvE0.
equippedwiththeprexordering.Letkbethedistributionwith Remark5.1.13[IncompletenessofDistr(D)]Ingeneral,Distr(D)isnotcomplete. ConsiderthedcpoD=f0;1g1ofall(niteorinnite)wordsbuiltfrom0and1
Itiseasytoseethat(k)k1isamonotonesequenceinDistr(D)whichdoesnothavean upperboundinDistr(D).Inordertoseethatkvsim k(x)=(1=2k:ifxisawordoflengthk 0 :otherwise.
weightonD andweight(x;y)=0inallothercases. Dwithweight(x;x0)=weight(x;x1)=1=2k+1ifxisawordoflengthk k+1considerthedistribution
UsingTheorem5.1.12wecanshowthefollowingconnectionbetweenIPandID. Theorem5.1.14Thereexistsauniquefunction{ID:IP!IDsuchthat
thatxvy.Here,vdenotestheorderonf?g[ActEval(ID). 13Notethatsim=v(withthenotationsofSection2.2,page30). 12RecallthatthatthelowerpreorderisgivenbyAvLBiforallx2Athereexistsy2Bsuch {ID(T)=n(a;EDistr({ID)()):Ta �!ocl:
14RecallthatEisgivenbyE(U)=[U],seepage313.

96 Moreover,forallT,T02IP,TvsimT0i{ID(T) CHAPTER5.DENOTATIONALMODELS
ThenalsemanticsofSection5.1.1(page93)yieldsasemanticsonIDwhichisfully Proof: seeSection5.3,Theorem5.3.10(page111). {ID(T0).
probabilisticprocessesthenPvsimP0i{ID([P]) abstractwithrespecttothesimulationpreorderinthefollowingsense.IfP,P0are andTheorem5.1.14).Thus,theelement{ID([P])canbeconsideredasthesimulation equivalenceclassofP. {ID([P0])(Lemma5.1.5,page92,
Example5.1.15WeconsidertheprocessesPandP0ofExample5.1.8(cf.Figure3.6, page57).PandP0arerepresentedinIDby {ID([P0])=f(a;E0)gcl=f?g[f(a;E):E2E12g: {ID([P])=f(a;E)gcl=f?g[f(a;E):E2E23g;
Here, andp(f(b;E1?ID)gcl)=1�p.Thepictureontheright showsthe\maximaltransitions"ofxp=f(a;Ep)gcl. pisistheuniquedistributiononIDwithp(?ID)=p =23,0=12,Ep=fEq:p q 1gwhere xp
asa\transition"xa xa Foreachx2ID,eachelement(a;E)2xcanbeviewed �!meansthat,wheneverxa �!.Maximalityofatransition �!then ?IDp sa,p ? HHHj 1�py
sim. ?ID ? b
domain-theoreticpropertiesofthedomainIDandshowthedomain-theoreticdierences betweenIDandthecorrespondingdomainfornon-probabilisticprocesses. WerefertheinterestedreadertoSection5.3.2(page114)whereweinvestigatesome
Inthenon-probabilisticcase,acompleteultrametricspaceMthatisinternallyfully abstractwithrespecttobisimulationisobtainedbysolvingtherecursivedomainequation 5.1.3 ThesemanticdomainIM
(see[dBaZu82,GoRo83,dBaMe88,RuTu93,Bai97]).Thesubscript1=2denotesthatthe distanceonMismultipliedwiththefactor1=2andPowcomp()denotesthecollectionof M=Powcomp(Act M12)
compactsubsetsof()(seepage311).Weadaptthisideatotheprobabilisticcaseand
Recallthenotationsforultrametricspaces(Section12.1.2,page310)andthemethod solvetheequation
byRutten&Turi[RuTu93]forsolvingrecursivedomainequationsinthecategoryCUM M=Powcomp(Act Eval(M)12):
First,weshowthattheprobabilisticpowerdomainEval()ofevaluationscanbeconsidered asanendofunctoronCUMwhichislocallynon-expansiveinthesenseof[RuTu93].Itis easytoseethatforeachdistributiononM: ofcompleteultrametricspacesandnon-expansivefunctions(Section12.1.3,page312).
(x)=inffE(U):x2U2Opens(M)g=inffE(B):x2B2Balls(M)g

5.1.DENOTATIONALMODELS:CONCURRENTCASE whereEisgivenbyE(U)=[U](seepage313).15Bytheabove,whenever,02 97
canbeconsideredasasubspaceofEval(M).WesupposeEval(M)tobeendowedwith Distr(M)withE=E0then thedistanced(E1;E2)=inff>0:E1(B)=E2(B)8B2Balls(M)g:
=0.Hence,thesetDistr(M)ofdistributionsonM
trametricspace.Inthiscase,Eval(M)isthecompletionofDistr(M)(consideredasaTheorem5.1.16IfMisacompleteultrametricspacethenEval(M)isacompleteul- subspaceofEval(M)). Proof: TheultrametricdonEval(M)canbecharacterizedasfollows:d(E1;E2) seeSection5.3Theorem5.3.22(page120)andTheorem5.3.23(page122).
M0andBisanopenballinM0withradiusthenf�1(B)isa-set.Fromthis,whenever Wheneverf:M!M0isanon-expansivefunctionbetweenultrametricspacesMand E2(B)forallB2S>rBalls(M)iE1(U)=E2(U)forall-setsUwhere riE1(B)=
E1,E2areevaluationsonEval(M)then >r.
i.e.Eval(f)isnon-expansive.Hence,EvalcanbeconsideredasanendofunctorofCUM. d(Eval(f)(E1);Eval(f)(E2)) d(E1;E2);
Lemma5.1.17ThefunctorEval:CUM!CUMislocallynon-expansive.
Remark5.1.18[IncompletenessofDistr(M)]SimilarlytoRemark5.1.13(page95) thesetf0;1g1equippedwiththenaturaldistance Proof: easyverication.
(wherez[n]denotesthen-thprexofz)yieldsanexampleforacompletemetricspace d(x;y)=inf 12n:x[n]6=y[n] MwhereDistr(M)isnotcomplete(i.e.Distr(M)asasubspaceofEval(M)isnot closed).Considerthesequence(k)whichisdenedasinRemark5.1.13(page95).
RecallthedenitionsofthefunctorsPowcomp:CUM!CUMwhichassignstoeach Then,d(k;i) doesnothavealimitinDistr(M).16 1=2iforallk i.Thus,(k)isaCauchysequenceinDistr(M)which
onMismultipliedwiththefactor1=2(seepage312). completeultrametricspaceMthesetPowcomp(M)ofcompactsubsetsofM(seepage 312)andFcum
thesetofallsubsetsUofMsuchthat,foreachx2M,thereissomeopenballBwithx2BU(see 15RecallthatforeachultrametricspaceM,wedealwiththetopologyofopenballs,i.e.Opens(M)is ActwithFcum Act(M)=ActM12wherethesubscript12meansthatthedistance
page310). E(B)=1=2nifB=B(x;1=2n)forsomenitewordxofthelengthn,andE(B)=0inallothercases (i.e.thosecaseswhereB=fxgforsomenitewordx).ThisevaluationEisnotoftheformEforsome 2Distr(M).
16Thelimitof(k)inEval(M)istheuniqueevaluationEonMsuchthatforallopenballsB,

98 Lemma5.1.19ThefunctorFcum=PowcompFcum CHAPTER5.DENOTATIONALMODELS
contracting. Notation5.1.20[ThedomainIM]LetIMdenotetheuniquexedpointofFcum.17 Act Eval:CUM!CUMislocally
AsinthecaseofID,wedealwiththeisomorphismasanequality,i.e.if(IM;j)isthe uniquexedpointofFcumthenwesupposeIM=Fcum(IM))andj=idIM. Theorem5.1.21IPisadensesubspaceofIM.Moreprecisely,thereexistsaunique function{IM:IP!IMsuchthatforallT2IP,
Thisfunction{IMisinjectiveand{IM(IP)isadensesubspaceofIM. {IM(T)=f(a;EDistr({IM)()):Ta �!g:
ByLemma5.1.5(page92)andTheorem5.1.21,IMisfullyabstractwithrespectto bisimulationinthefollowingsense.IfP,P0areprobabilisticprocessesthenP Proof: seeSection5.3,Theorem5.3.27(page124).
Example5.1.22WeconsidertheprocessesPandP0ofExample5.1.8(cf.Figure3.6, {IM([P])={IM([P0]). P0i
page57);seealsoExample5.1.15,page96.PandP0arerepresentedinIMby
where(f(b;E1;)g)=1=3,(;)=2=3and0(f(b;E1;)g)=0(;)=1=2. {IM([P])=f(a;E)gand{IM([P0])=f(a;E0)g
Remark5.1.23[The\distance"betweenprocesses]Theorem5.1.21(page98)yields a\distance"forprobabilisticprocesseswhichgeneralizestheonethatisobtainedfrom theapproachofdeBakker&Zucker[dBaZu82]fornon-probabilisticprocesses:ForP,P0 tobeprobabilisticprocesses,the\distance"betweenPandP0isgivenby
Roughlyspeaking,thedistancebetweentwoprocessesPandP0is1=2nifnisthemaximal numbersuchthatthen-cutsoftheunwindingsofPandP0arebisimilar.Forinstance, d(P;P0)=dIM({IM([P]);{IM([P0])):
PnshownontheleftofFigure5.2(page99)\converge"totheprocessP(shownonthe isnotbasedonn-cuts.Forinstance,intheapproachof[KwNo96,Norm97]theprocesses theprocessesPandP0onFigure5.1(page99)havethedistance1=2astheir1-cutsare
rightofFigure5.2)whileinoursettingthesequence(Pn)(moreprecisely,theinduced bisimilar.18Kwiatkowska&Norman[KwNo96,Norm97]dealwithadierentmetricwhich
sequence({IM([Pn]))inIM)isnotaCauchysequence.
transitions.
17TheexistenceofauniquexedpointofFcumisensuredbytheresultsof[RuTu93](seepage312). 18Notethatinthe1-cut,thestatest,t0,uandu0areviewedtobebisimilarasweignoretheb-labelled

5.1.DENOTATIONALMODELS:CONCURRENTCASE s 99
vt u v0 t0
ka,
s0 ka,0
kkb13 s k s
? ����@@@@R ? 23 �?
kk? b12��
�@@@@R12u0
k
Figure5.1:Twoprocesseswithdistance1=2 sn
t u
v v ts
na,n
n
n n n
nb
nb
a 1�1 2n �����t@@@@@R ? 2n 1 ?
? ?
5.1.4 DenotationalsemanticsonIMandID Figure5.2:Twoprocesseswithdistance1
(seeSection4.1,page74)onIMandIDandthedesiredfullabstractionresults. Denotationalsemanticsinthemetricandpartialorderapproach:Weassumethe ThissectionshowshowtoestablishdenotationalsemanticsfortheprocessalgebraPCCS
inthemetricapproach[Stoy77,Niva79,dBaZu82].Here,weonlygiveabriefsummary. Wereferto[BMC94,dBdV96]forafulltreatment.ThedomainXofadenotational inthepartialorderapproachandthestandardproceduretogivedenotationalsemantics readertobefamiliarwiththeScott-Stracheyapproachtoestablishdenotationalsemantics
semanticsDforaprocessalgebraPA(likeCCSoraprobabilisticcalculuslikePCCS) isequippedwithasetSemOpofsemanticoperatorsthatreecttheoperatorsofPAin thefollowingsense.Ifopisann-aryoperatorsymbol(likethebinaryoperatorsymbol+ formodellingnon-deterministicchoiceorthe1-ary(action-)prexoperators7!a:s)and opXthecorrespondingsemanticoperatoronXthen
forallPAprogramsP1;:::;Pn.Moreover,foranydeclarationdecl,themeaningsofa procedurename(processvariable)Zandthebodyoftheproceduredecl(Z)arethesame. D[op(P1;:::;Pn)]=opX(D[P1];:::;D[Pn])
Thatis,foranyxeddeclarationdecl,thefunctions7!D[hdecl;si]isahomomorphism fromthewordalgebra(Stmt;Op)to(X;SemOp)suchthatthemeaningofprocessvariable

100 Zisgivenbydecl(Z),i.e.D[hdecl;Zi]=D[hdecl;decl(Z)i].Itisknown(see,forinstance, CHAPTER5.DENOTATIONALMODELS
[BMC94])thatfunctionDsatisestheseconditionsi,foranyxeddeclarationdecl,the functionStmt!X,s7!D[hdecl;si],isaxedpointoftheoperatorFdecl:(Stmt! X)!(Stmt!X),denedby
GiventhisfunctionFdecl,thedenotationalsemanticsofPA{regardlessofwhetherwe foreachoperatoropofPAand,foreachprocessvariableZ,Fdecl(f)(Z)=f(decl(Z)). Fdecl(f)(op(s1;:::;sn))=opX(Fdecl(f)(s1);:::;Fdecl(f)(sn))
Fdeclisd-continuousonthefunctionspaceStmt!X(whichisthecaseifallsemantic followthepartialorderormetricapproach{isobtainedbyD[hdecl;Pi]=fdecl(P) wherefdecl:Stmt!XisacertainxedpointofFdecl.Inthepartialorderapproachitis guaranteed{byTarski'sxpointtheorem{thatFdeclhasaleastxedpoint,providedthat operatorsared-continuous).Inthemetricapproachitisguaranteed{byBanach's InordertoguaranteethatFdecliscontractingitissucientthatthesemanticoperators arenon-expansiveandcontractingincertainarguments.Forthelatter,onehastoshrink thedomainofDtoguardedprograms,i.e.thoseprogramshdecl;sisuchthat,forall xpointtheorem{thatFdeclhasauniquexedpoint,providedthatFdecliscontracting.
preceededbyatleastoneaction. GuardedPCCS:TheformaldenitionofguardednessfortheprocessalgebraPCCSis procedures(processvariables)Z,Z0,eachrecursiveprocedurecallofZ0indecl(Z)is
asfollows.GuardedPCCSstatementsarebuiltfromthefollowingproductionsystem.
g::=nil a: Xi2I[pi]si! g1+g2 g1kg2 gnL g[`]
isguardedforallZ2ProcVar.GPCCSthesubsetofguardedprograms,i.e.allprograms hdecl;siwheredeclisaguardeddeclaration. wheresiarearbitraryPCCSstatements.Adeclarationdecliscalledguardedidecl(Z)
SemanticoperatorsonIDandIM:WegiveadenotationalsemanticsforGPCCSon semanticsforPCCSonID,whichisfullyabstractwithrespecttothesimulationpreorder. IM,whichisfullyabstractwithrespecttobisimulationequivalence,andadenotational Forthis,weneednon-expansive/contractingsemanticoperatorsonIMandd-continuous semanticoperatorsonID.Inthesequel,X=IMorX=ID.Weusetheclosuenotations AofAand;cl=f?g. forsubsetsofActEval(IM)andsubsetsoff?g[ActEval(ID)whereweputAcl=Aif
Theprocessnilismodelledby;inIMandby?ID=f?ginID. ActEval(IM)andwhere,for;6=A f?g[ActEval(ID),AclistheScott-closure
Action-guardedprobabilisticchoice:Leta2Actand(pi)i2Ibeacountablefamilyof realnumberspi>0withPi2Ipi=1.Let(xi)i2IbeafamilyinX.Weput NondeterministicchoiceonIMandIDismodelledbyset-theoreticunion.
a: Xi2I[pi]xi!=f(a;E)gclwhere2Distr(X)isgivenby (x)=Xi2I xi=xpi:

5.1.DENOTATIONALMODELS:CONCURRENTCASE Wedenesemanticoperatorsformodellingrestriction,relabellingandparallelismasxed 101
pointsofsuitableoperators.Thisreectstherecursivenatureofrestriction,relabelling andparallelism(cf.Milner'sexpansionlaw[Miln89]forparallelism). Restriction:LetL FXL(f)(x)=f(a;Eval(f)(E)):(a;E)2x;a=2Lgcl: ActwithL=L.WedeneFXL:(X!X)!(X!X)by:
Relabelling:Let`bearelabellingfunction.FX`:(X!X)!(X!X)isgivenby
Parallelcomposition:Weusethefollowingnotations.Iff:X FX`(f)(x)=f(`(a);Eval(f)(E)):(a;E)2xgcl:
f(;y0)(x)=f(x;y0).WedeneFXk:(X andx0,y02Xthenwedenef(x0;);f(;y0):X!Xbyf(x0;)(y)=f(x0;y)and X!X)!(X X!X)by X!Xisafunction
where FX1(f)(x;y)=f(a;Eval(f(;y))(E)):(a;E)2xg, FXk(f)(x;y)=FX1(f)(x;y)[FX2(f)(x;y)[FXsyn(f)(x;y)cl
InSection5.3,Lemma5.3.12(page113)andLemma5.3.29(page125)weshow:The FX2(f)(x;y)=f(a;Eval(f(x;))(E)):(a;E)2yg,
operatorsFID FX syn(f)(x;y)=f(;Eval(f)(E1E2)):(;E1)2x;(;E2)2yforsome6=g.
pointsarenon-expansive.Thus,theuniquexedpointsoftheoperatorsFX`,FXLand FXkyieldnon-expansive,resp.d-continuous,semanticoperatorsx7!x[`],x7!xnL, d-continuous.TheoperatorsFIM `,FID LandFID kared-continuousandhaveuniquexedpoints.Theseare
(x;y)7!xkyonIDandIMformodellingrelabelling,restrictionandparallelism.Clearly, `,FIM LandFIM karecontractingandtheiruniquexed
theunionisd-continuousasanoperatoronID,andnon-expansivewhenconsideredas anoperatoronIM.TheoperatorPiscontractingonIMandd-continuousonID.More precisely,if(xi)i2I,(x0i)i2IarecountablefamiliesinIMthen
If(xi)i2IisafamilyinIDsuchthatxi=FXiwhereXiisadirectedsubsetofIDthen d a: Xi2I[pi]xi!;a: Xi2I[pi]x0i!! 12maxfd(xi;x0i):i2Ig
a: Xi2I[pi]xi!=G(a: Xi2I[pi]yi!:yi2Xi;i2I): DenotationalsemanticsonIDandIM:Asbefore,weassumethatX=IDorX=IM. Letdeclbeadeclarationwherewesupposethatdeclisguardedwhendealingwith X=IM.WedenetheoperatorFXdecl:(Stmt!X)!(Stmt!X)asfollows: FXdecl(f)(nil)=;; FXdecl(f) a: Xi2I[pi]si!!=a: FXdecl(f)(Z)=f(decl(Z)) Xi2I[pi]FXdecl(f)(si)!

102 CHAPTER5.DENOTATIONALMODELS
FXdecl(f)(s1+s2)=FXdecl(f)(s1)[FXdecl(f)(s2) FXdecl(f)(s1ks2)=FXdecl(f)(s1)kFXdecl(f)(s2)
Bytheresultsof[BMC94],FID FIM FXdecl(f)(snL)=FXdecl(f)(s)nL; declisd-continuous,andhencehasaleastxedpointfID FXdecl(f)(s[`])=FXdecl(f)(s)[`]
semanticsforPCCSonIDandforGPCCSonIM: decliscontractingandhencehasauniquexedpointfIM decl.Weobtainadenotational decl;
Theorem5.1.24ThedenotationalsemanticsDIDandDIMarefullyabstractwithrespect aregivenbyDX[hdecl;si]=fXdecl(s). DID:PCCS!ID;DIM:GPCCS!IM
tosimulationandbisimulationrespectively.Moreprecisely:
Here,IPisconsideredasasubspaceofIM(Theorem5.1.21,page98)and{ID:IP!IDis (a)IfP,P02PCCSthenDID[P]={ID([P])andPvsimP0iDID[P] (b)IfP,P02GPCCSthenDIM[P]=[P]andP P0iDIM[P]=DIM[P0]. DID[P0].
Example5.1.25LetP0=hdecl0;s0ibeasinExample4.1.3onpage77,i.e. asinTheorem5.1.14,page95. Proof: seeSection5.3,Theorem5.3.34(page127)andTheorem5.3.34(page127).
ThedenotationalsemanticsDX[P0]isx[ywherexandyareasfollows. CaseX=ID:y=f(a;E)gclandtheuniquedistributionwith s0=s+Zanddecl0(Z)=a:Zwheres=a:h13ib:nilh23inil.
CaseX=IM:y=f(a;E)gand whilexistheuniqueelementinIDsuchthatx=f(a;E1x)gcl.19 (?ID)=2=3,(yb)=1=3,yb=f(b;E1?ID)gcl
Clearly,IDismore\abstract"thanIMsincesimulationequivalenceiscoarserthanbisim- 1=3,yb=f(b;E1;)gandxtheuniqueelementinIMwithx=f(a;E1x)g.20 theuniquedistributionwith(;)=2=3,(yb)=
ulationequivalence.WeobtainthefollowingconsistencyresultforDIDandDIM.21 Theorem5.1.26Thereexistsauniquefunctionf:IM!IDsuchthat forallx2IM.ThisfunctionfsatisesfDIM[P] f(x)=f(a;Eval(f)(x)):(a;E)2xgcl
IDandFcont(ID)asanequality.Theprecisedenitionofxisasfollows.Wedenex=Fxnwhere x0=?ID,xn+1=f(a;E1xn)gcl. 19Notethatthenotationx=f(a;E1x)gclonlymakessenseaswetreattheisomorphismbetween =DID[P]forallP2GPCCS.
21Forthenotion\consistency"see[BMC97].
20Formally,x=limxnwherex0=;,xn+1=f(a;E1xn)g.

5.1.DENOTATIONALMODELS:CONCURRENTCASE 5.1.5 Afewremarksaboutprobabilisticpowerdomains 103
Toconstructthedenotationalmodelswehavegeneralizedtotheprobabilisticsettingthe establishedcatgoricalmethodsforsolvingdomainequationsfornon-probabilisticprocesses.Thesegeneralizeddomainequationsinvolvedappropriatelyadjustedprobabilistic powerdomainsofevaluations.TheprobabilisticpowerdomainEval(D)ofevaluationfora dcpoDissmoothinthesensethat,forexample,theprobabilisticpowerdomainEval(D) ofatwo-pointspaceDistherealinterval[0;1].Thus,limitscanbeapproximatedby approachingthemarbitrarilyclose.Ontheotherhand,intheultrametriccaseweobtain adiscreteconstruction,inthesensethatthetwo-pointspaceliftedtotheprobabilistic casegivestherealinterval[0;1]withthediscretetopology.Inparticular,itisnotpossible togetarbitrarilyclosetoalimit.22Anotherdierencebetweenthemetricandpartial orderapproachisthedensityof{IM(IP)inIMthatstandsincontrasttoLemma5.3.15 (page116)whichshowsthat{ID(IP)isnotabasisofID.
states(ratherthanadistribution)andgeneralizethedenitionofbisimulationequivalence alaLarsen&Skou[LaSk89]tocontinuousreactivesystems.Moreprecisely,[dViRu97] DeVink&Rutten[dViRu97]consider\continuous"reactivesystemswhereeachstates
solvethedomainequation andpossibleactionainsisassociatedwithaprobabilitymeasureforthepossiblenext
inCUM(alsowiththemethodsof[RuTu93])andshowthattheresultingdomainis internallyfullyabstractwithrespecttotheproposednotionofbisimulation.Here, M=Act!f0g[ProbMeascs(M)12
ProbMeascs(M)denotesthecollectionofprobabilitymeasuresontheBorel-eldinontheBorel-eldofMinauniqueway;but,ingeneral,theinducedprobabilitymea-
eachevaluationEonanultrametricspaceMcanbeextendedtoaprobabilitymeasure ducedbytheopensonMwithcompactsupportwhichmeansprobabilitymeasuresthatsuredoesnothaveacompactsupport.Viceversa,aprobabilitymeasurewithcompact
vanishoutsideacompactset.Thespecialsymbol0isneededtomodelinaction.Clearly,
ontheBorel-eldofanultrametricspaceMthen supportmightfailtheaxiomofcontinuity.Moreprecisely,ifEisaprobabilitymeasure
foranydirectedcountablefamily(Ui)i2IofopensinMwhile E [i2IUi!=sup i2IE(Ui)
E0@[
ProbMeascs(M)arenon-comparablesubsetsofthespaceProbMeas(M)ofallprobability foradirecteduncountablefamilyofopensVjinMispossible.Thus,Eval(M)and j2JVj1A6=sup j2JE(Vj)
consistentwiththeestablishedmethodology(inparticular,themetricsatisestheintuitiveproperty thatanattempttoobtaina\smooth"metricconstructionmightmeanhavingtogobeyondtheknown d(x;y) 22WeshouldemphasisethoughthatthemethodologyweusedtoderivetheultrametricmodelIMis techniques,see[KwNo96,Norm97].
2nixandyagreeuptothen-thstep,andweobtainfullabstractionforbisimulation),and 1

104 measuresontheBorel-eldofM.Nevertheless,toobtainadenotationalmodelthatis CHAPTER5.DENOTATIONALMODELS
workwiththepowerdomainProbMeascs()ofprobabilitymeasureswithcompactsupport (ratherthantheprobabilisticpowerdomainEval()ofevaluations).Thatis,alternatively fullyabstractwithrespecttobisimulationwecouldfollowtheapproachof[dViRu97]and wecoulddealwiththeequation
thatcanalsobesolvedinCUMwiththemethodof[RuTu93].Inthatcase,wewould havetoshrinkthesemanticsforPCCSonthoseprogramsthatonlyusenitebranching M=PowcompAct ProbMeascs(M)12
action-guardedprobabilisticchoicea:(Pi2I[pi]si).23 action-guardedprobabilisticchoicea:([p1]s1:::[pn]sn)ratherthancountablebranching
5.2 Webrieysummarizehowtheresultsoftheprevioussectioncanbemodiedforthe fullyprobabilisticcase,i.e.toobtainfullyabstractdenotationalsemanticsfortheprocess Denotationalmodels:fullyprobabilisticcase
calculusPSCCS(seeSection4.2,page79).Asbefore,weassumeActtobeaxed thecollectionofallbisimulationequivalenceclassesoffullyprobabilisticprocesseswith actionlabelsinAct.Then,IPfisthenalsolutionoftheequation nitenonemptysetofactionsandusethesymbol0todenoteinaction.LetIPfdenote
inSET.Fromthis,weobtainnalsemanticsala[RuTu93].Usingtheevaluationfunctor EvalonthecategoriesCONT?andCUM,internallyfullyabstractsemanticdomainsIDf X=f0g[Distr(Act X)
andIMfcanbederivedasfollows.Applyingthemethodsof[AbJu94,RuTu93]wedene
ThedomainIPfcanbe\embedded"intoIDfandIMfinasimilarwayasIPis\embedded" IDfastheinitialsolutionoftheequationD=Eval(f?g[Act IMfastheuniquesolutionoftheequationM=f0g[EvalActD)inCONT?,24 intoIDandIM.25UsingappropriatesemanticoperatorsonIDfandIMf{thatcanbe M12inCUM.
obtainedinasimilarwayaswedenedthesemanticoperatorsonIDandIM{and thestandardprocedurestogivedenotationalsemanticsinthepartialorderandmetric approachweobtaindenotationalsemantics
PvsimP0iDIDf[P]vIDfDIDf[P0]andP thatarefullyabstractwithrespecttosimulationandbisimulationrespectively.26I.e. DIDf:PSCCS!IDfandDIMf:GPSCCS!IMf
anon-compactsupport. 23Thisisbecausetheassociatedprobabilitymeasureofadistributionwithinnitesupportmighthave 24NotethatinIDf,inactionismodelledbytheevaluationE1?. P0iDIMf[P]=DIMf[P0].
bisimulatonequivalenceclassofthefullyprobabilisticprocessP. Thereisafunction{:IPf!IDfsuchthatTvsimT0i{(T)vIDf{(T0).Inparticular,{([P])can beviewedasacanonicalrepresentativeforthesimulationequivalenceclassofP.Here,[P]denotesthe 26Here,GPSCCSdenotesthesetofguardedPSCCSprogramswhicharedenedintheobviousway.
25IPfcanbeviewedasadensesubspaceofIMf(whichyieldsadistanceforfullyprobabilisticprocesses).

5.3.PROOFS 5.3 Proofs 105
5.3.1 WegivetheproofforTheorem5.1.12(page95)thatstatesthatsim(inthesenseof Notation5.1.11,page95)isapartialorderondistributionsofadcpoDandthatthe Thepartialorder simonDistr(D)
functionDistr(D)!Eval(D), 3.4.15(page59)andTheorem3.4.19(page61)statingthatsimulationandbisimulation tiallyorderedsetDistr(D)intothedcpoEval(D).AsacorollaryweobtainTheorem equivalencecoincideforreactiveorfullyprobabilisticsystems. 7!Eisanorder-preservingembeddingonthepar-
Lemma5.3.1LetDbeadcpoand,02Distr(D)suchthatEvE0.Then,[U]
dealwithU0i=U1\:::\Ui).Then,Ai=DnUiareclosedsetswithA1 Proof: 0[U]forallG-setsU.27
EvE0wehave[Ai] toshowthat[A] LetU=Ti0UiwhereUi2Opens(D).W.l.o.g.U1 U2 :::(otherwisewe
Then, >0.ThereexistsanitesubsetXofAwith0[X]>0[A]�.SinceXis 0[A].Wesuppose[A]

(1)f(x;y)6=0foratmostcountablymany(x;y)2D. 106 CHAPTER5.DENOTATIONALMODELS
(3)Iff(x;y)6=0thenxvy. (2)Forallx,y2D,f(x) Weshowthatthereisafunctionf2Fsuchthatf= (x)and0f(y) 0(y).
functionfisaweightfunctionfor(;0)withrespecttov.Hence, f2F,weput (f)=X and0f=0.(Then,this
x;y2Df(x;y) sim0.)For
aimistoshowtheexistenceofafunctionf2Fwith(f)=1.(Then,wemayconclude and
thatfisaweightfunctionfor(;0)andtherefore ItiseasytoseethatXf=;i Xf=fx2D:(x)>f(x)g;Yf=fy2D:0(y)>0f(y)g: f= iYf=;i sim0.) 0f=0i (f)=1.Thus,our
thatn Iff2Fthenwedeneaf-pathtobeanitesequence~p=(x0;y0;:::;xn;yn)inDsuch
(ii)xivyi,i=0;1;:::;n (i)f(xi+1;yi)>0,i=0;1;:::;n�1 0and
Wedenerst(~p)=x0,last(~p)=ynand (iii)x0;:::;xnandy0;:::;ynarepairwisedistinct(butxi=yjispossible).
Claim1:Letf2Fandx2Xf.Then,Rf(x)\Yf6=;. (Intuitively,Rf(x)isthesetofally2Dthatcanbereachedfromxviaaf-path.) Rf(x)=flast(~p):~pisaf-pathwithrst(~p)=xg:
Proof:LetA=fz2D:(z)>0_0(z)>0g,Z=AnRf(x)and
AsZiscountableandz#Scott-closed,UisaG-set.Thus,byLemma5.3.1(page105): U=\
(*)0[U] [U] z2ZDnz#:
ItiseasytoseethatA\U=A\Rf(x).28Thus,[U]=[Rf(x)]and0[U]=0[Rf(x)]. Sincex2Rf(x)(as(x;x)isaf-path)andx2Xfwehave
WesupposethatRf(x)\Yf=;.Then,0(y)=0f(y)forally2Rf(x).Hence, (**) [U]= z2Rf(x)(z)> X z2Rf(x)f(z)= X z2Rf(x)Xy2Df(z;y): X
Iff(z;y)>0and(x0;y0;:::;xn;yn)isaf-pathwithz=2fx0;y0;:::;xn;yngx0= (***) 0[U]= y2Rf(x)0(y)= X y2Rf(x)0f(y)= X y2Rf(x)Xz2Df(z;y): X
xandyn=ythen(x0;y0;:::;xn;yn;z;z)isaf-path.Ifz=xiforsomeithen (x0;y0;:::;xi;yi)isaf-pathwithlast(~p)=z.Thus, ~p=(x0;y0;:::;xi;xi)isaf-pathwithlast(~p)=z.Ifz=yiforsomeithen~p= 28FortheinclusionA\Rf(x)A\UweusethefactthatRf(x)isupward-closed.

5.3.PROOFS ify2Rf(x)andf(z;y)>0thenz2Rf(x). 107
Hence,
Weobtainby(***)and(**): f(z;y)2DD:f(z;y)>0;y2Rf(x)g 0[U]= X f(z;y)2D D:f(z;y)>0;z2Rf(x)g:
Thiscontradicts(*).Thus,Rf(x)\Yf6=;.c y2Rf(x)Xz2Df(z;y) z2Rf(x)Xy2Df(z;y)0,f[~p]2Fand
(III)Foreachy2Dthereisatmostonex2Dwithf(x;y)6=f[~p](x;y). (II)Foreachx2Dthereisatmostoney2Dwithf(x;y)6=f[~p](x;y). (I) (f[~p])= (f)+(f;~p).
(II)and(III)followbycondition(iii)off-paths.Byinductiononiwedeneasequence (fi)i0offunctionsfi2Fasfollows. (IV)jf(x;y)�f[~p](x;y)j (f;~p).
{Nowwesupposei {Letf0begivenbyf0(x;y)=0forallx,y2D. fi=fi�1.Otherwise,wedene i=supn(fi�1;~p):~pisaf-pathwithrst(~p)2Xfi�1andlast(~p)2Yfi�1o: 1andthatf0;:::;fi�1aredened.If(fi�1)=1thenweset
Wechoosesomefi�1-path~piwith
Claim2:limfiexistsandlimfi2F,(limfi)=1. Wedenefi=fi�1[~pi]. rst(~pi)2Xfi�1,last(~pi)2Yfi�1,(fi�1;~pi)>i�1=2i.
convergent.Let>0andi Proof:By(I)weget1 kXj 1suchthat (fi)=P1ji (fj�1;~pj).Thus,Pj (fj�1;~pj)is
=i (fj�1;~pj)< forallk i i.

108 By(IV),forallx,y2Dandk i i: CHAPTER5.DENOTATIONALMODELS
jfk(x;y)�fi(x;y)j j=i+1jfj(x;y)�fj�1(x;y)j kX j=i+1(fj�1;~pj)0,i i.
(VII) (VI) j0f(y)�0fi(y)j jf(x)�fi(x)j Xji(fj�1;~pj) Xji(fj�1;~pj) forall>0,i i,y2D. i,x2D.
usingthefactthatf(xj+1;yj) Thus,f(x)=limfi(x) showthat(f)=1.Weassumethat(f)1=2j�1.Then,foralliiand(fi;~p) (f;~p).
(fi;~p) i, 12 (f;~p)>12j: 1=2 (f;~p).Letj 1suchthat
Hence,i (fi�1;~p)>1=2jforalli (fi�1;~pi)> i�12i>12j�12i i.Bydenitionof~pi:
foralli maxfi;j+1g.Contradiction(asPi(fi�1;~pi)isconvergent).c 2j+1 1
Py2A0(y)areconvergentthereexistsanitesubsetC0ofAwithx2C0and Proof: Lemma5.3.3LetDbeadcpoand,02Distr(D)suchthatE=E0.Then,=0. 0(x)�(x).Then, Suppose(x)6=0(x)forsomex2D.W.l.o.g.(x)0.LetA=x#.Then,AisScott-closed.SincePy2A(y)and X =
y2AnC0(y)< ; y2AnC00(y)< X :

5.3.PROOFS LetK=[AnC0],K0=0[AnC0],C=C0nfxgandB=Sfz#:z2Cg.Then, 109
K

110 Theorem5.3.6(cf.Theorem3.4.15,page59)If(S;Act;Steps)isareactiveaction- CHAPTER5.DENOTATIONALMODELS
Proof: onS.WeassumeStobeequippedwiththepreorderR=vsim.Lets,s02S,ssims0 labelledconcurrentprobabilisticsystemands,s02Sthenssims0impliess Weshowthatsimisabisimulation.Clearly,simisanequivalencerelation s0.
andsa (S;Act;Steps)isreactivewehave=00.ByLemma5.3.5(page109),[A]=0[A]for allA2S=sim. �!.Thereexisttransitionss0a �!0andsa �!00with R0and0R00.As
Proof: Theorem5.3.7(cf.Theorem3.4.19,page61)Let(S;Act;P)beanaction-labelled fullyprobabilisticsystemands,s02S.Then,ssims0impliess Clearly,ifssims0andsisterminalthens0isterminalands s0
therelationR=fha;ti;ha;t0i:tvsimt0;a2Actg.Then, X=Act 02Distr(X)begivenby(ha;ti)=P(s;a;t)and0(ha;ti)=P(s0;a;t).Weconsider Sandlets,s0benon-terminalstatesinSsuchthats R0and0R.By sims0.Let, s0.Let
Lemma5.3.5(page109):Ifa2ActandC2S=simthen
whereC0=f(a;t):t2Cg.(NotethatC02X=(R\R�1).)Weconcludethatsimisa bisimulation. P(s;a;C)=[C0]=0[C0]=P(s0;a;C)
ThissectionshowstheconnectionbetweenIPandID(Theorem5.1.14,page95)andthed- 5.3.2 continuityofthesemanticoperatorsformodellingrestriction,relabellingandparallelism ThedomainID
andpresentssomedomain-theoreticpropertiesofID.
followingisstandard. RecallthatIDdenotestheinitialxedpointofthefunctorFcont=PowHoareFcont CONT?!CONT?wherewedealwiththeisomorphismasanequality(Notation5.1.10, page94).ThepartialorderonIDistheinclusion,thebottomelementis?ID=f?g.The ActEval:
Notation5.3.8[Then-thprojectionprojIDn]ThefunctionsprojIDn:ID!IDaredenedasfollows.LetprojID0(x)=?IDforallx2IDand Then,projIDn+1(x)=f(a;Eval(projIDn)(E)):(a;E)2xgcl.(projIDn)n0isamonotone sequenceofstrictandcontinuousfunctionsonIDsatisfying projIDn+1=FcontprojIDn:
xFn0projIDn=idID projIDnyiprojIDn(x) projIDk=projIDk projIDn(y)foralln projIDn=projIDnforall0 0. n k
withthepartialorderf1vf2if1(x)vf2(x)forallx2X.Then,X!IDisadcpo (seeSection12.1.1,page308).Weoftenusethefollowingfact.
Recallthat,forXtobeaset,wesupposethesetoffunctionsX!IDtobeendowed

5.3.PROOFS Lemma5.3.9LetXbeaset.Eachd-continuousoperatorF:(X!ID)!(X!ID) 111
withF(projIDn Proof: andf0arexedpointsofFthenitcanbeshownbyinductiononnthatprojIDn TheexistenceofaxedpointffollowsbyTarski'sxedpointtheorem.Iff f)=projIDn+1F(f)hasauniquexedpoint.
projIDn f0.Hence, f(x)=Gn0projIDn(f(x))=Gn0projIDn(f0(x))=f0(x) f=
forallx2ID. WedenotethepartialordersonEval(ID)andonf?g[ActEval(ID)byv.Recallthat subsetsoff?g[Act thatxvy.Moreover, vLdenotesthelowerpreorderonf?g[Act Eval(ID)thenAvLBiforallx2Athereexistsy2Bsuch Eval(ID),i.e.ifA,Barenitenonempty
Theorem5.3.10(cf.Theorem5.1.14,page95)Thereexistsauniquefunction{ID: Acl Acl=A#=fx:x BclifandonlyifAvLB.
IP!IDsuchthat yforsomey2Ag.
Moreover,forallT,T02IP:TvsimT0i{ID(T) {ID(T)=n(a;EDistr({ID)()):Ta {ID(T0). �!ocl:
Proof: ID)!(IP!ID)begivenbyF(f)(T)=Af(T)clwhere Forsimplicity,wewriteprojnand{ratherthanprojIDnand{ID.LetF:(IP!
Notethat{sinceTisnitelybranching{Af(T)isniteandhenceF(f)(T)=Af(T)#. WehavetoshowthatFhasauniquexedpoint{andthatthisfunction{satises: Af(T)=f(a;EDistr(f)()):Ta �!g:
Proof:Iff=Fi2IfithenweshowthatforeachT2IP: {(T) Claim1:TheoperatorFisd-continuous. {(T0)iTvsimT0.
(1)Afi(T)vLAf(T)(whichimpliesF(fi)(T) (2)Whenevery2IDwithAfi(T) yforalli2IthenAf(T) F(f)(T))
Then,from(1)and(2), F(f)(T) yforeachupperboundyof(F(fi)(T))i2I. Gi2IF(fi)(T)=F(f)(T):
y.Thisimpliesthat
ad(1)If(a;E)2Afi(T)thenTa WehaveEDistr(f)()=Eval(f)()=FEval(fi)()=FEDistr(fi)()byRemark12.1.3 (page313)andLemma12.1.4(page314).Hence: Then,EvEDistr(f)().Hence,(a;E)v(a;EDistr(f)())2Af(T).
�!forsomedistribution withE=EDistr(fi)().

ad(2)Ify2ID,Afi(T) 112 yforalli2Iand(a;E)2Af(T)thenE=EDistr(f)()for CHAPTER5.DENOTATIONALMODELS
somedistribution i2I.Since whereTa (a;E)=Gi2I(a;EDistr(fi)()) �!.Then,(a;EDistr(fi)())2Afi(T) yforall
Then,{(T)=F({)(T)=A{(T)#.IfT2IPthenweput Denition:Let{:IP!IDbetheleastxedpointofF(Tarski'sxedpointtheorem). inf?g[Act Eval(ID)andyislub-closedweget(a;E)2y.c
Claim2:ForallT,T02IP,{(T) Then,projn({(T))=An(T)#.Thus,projn({(T)) An(T)=f(a;EDistr(projn�1{)()):Ta
{(T0)iTvsimT0. projn({(T0))iAn(T)vLAn(T0). �!g:
Proof:SinceallelementsofIP(viewedasaction-labelledconcurrentprobabilisticprocesses)arenitelybranching(andhenceimage-nite)itissucienttoshowthat nothingtoshow.Intheinductionstepn=)n+1wesupposeprojn({(T)) (Lemma3.4.13,page59).Weprovethisbyinductiononn.Inthecasen=0thereis projn({(T)) projn({(T0))iTvnT0
iTvnT0forallT,T02IP. LetT,T02IP,projn+1({(T)) projn+1({(T0))andletTa �!beatransition.Let projn({(T0))
T0a (a;E0)2An+1(T0)withEvE0.BydenitionofAn+1(T0)thereexistsatransition =Distr(projn{)().Then,(a;E)2An+1(T)vLAn+1(T0):Hence,thereexists �!0withE0=E0and0=Distr(projn{)(0).ByTheorem5.3.2(page105),
UsingRemark2.2.1(page30)andRemark2.2.2(page31)weobtain sim0.ByRemark2.2.3, R=f(T1;projn({(T1)):T12IPg: R,0R0where
Byinductionhypothesis,R0 R0=R R�1=f(T1;T0 vn.Hence, 1):projn({(T1)) vn0.Thus,TvnT0. projn({(T0 1))g: R00where
Distr(projn{)().SinceTvn+1T0thereexistsatransitionT0a LetT,T02IP,Tvn+1T0.ItsucestoshowthatAn+1(T)vLAn+1(T0).Let (a;E)2An+1(T).ThereexistsatransitionTa Then,(a;E0)2An+1(T0)where0=Distr(projn{)(0).ByRemark2.2.3(page31), R,0R0whereRisasabove.UsingRemark2.2.1(page30)andRemark �!suchthatE=Ewhere �!0with vn0. =
2.2.2(page31)weobtain R00=R�1vnR=f(projn({(T1));projn({(T0 R000where
Thus,(a;E)=(a;E)v(a;E0)2An+1(T0).c Byinductionhypothesisweobtain sim0.ByTheorem5.3.2(page105),EvE0. 1))):T1vnT0 1g:
Proof:ItiseasytoseethatF(projnf)=projn+1F(f)forallfunctionsf:IP!ID. Hence,byLemma5.3.9(page111),Fhasauniquexedpoint.Therefore,{0={.c
Claim3:If{0:IP!IDisalsoaxedpointofFthen{0={.

5.3.PROOFS Lemma5.3.11(cf.Remark3.4.11,page57)Let(S;Act;Steps)beanaction-labelled 113
f(s;s0)2S concurrentprobabilisticsystemand,02Distr(S)suchthat (a)[t#sim] S:svsims0g.Then,foreacht2S: 0[t#sim] R0whereR=
Here,t"sim=fu2S:tvsimugandt#sim=fu2S:uvsimtg. (b)IfSupp()andSupp(0)arenitethen[t"sim] 0[t"sim]. Proof: Theorem5.3.10(page111)andLemma5.1.5(page92): (*)svsims0ixs Fors2S,wedenePs=(S;Act;Steps;s)andxs={ID([Ps]).Then,by
For Ux=fu2S:xu=xg.By(*): tobeadistributiononS,wedeneID2Distr(ID)byID(x)=[Ux]where xs0.
Wexsomet2Sand,02Distr(S)with andE0=E0ID.Then,EvE0(byTheorem5.3.2,page105).Asxt#isScott-closedwe (**)If2Distr(S)then[t#sim]=ID[xt#]; R0.Clearly,IDsim0.LetE=EID [t"sim]=ID[xt"]:
get
B=fv2A:t6vsimvgand NowweassumethatSupp()andSupp(0)arenite.LetA=Supp()[Supp(0), [t#sim]=ID[xt#]=E(xt#) E0(xt#)=0ID[xt#]=0[t#sim]:
Then,AandBarenite.Thus,UistheniteintersectionofScott-opens.Hence,Uis Scott-open.Clearly,xt" U=\
Thus,ID[xt"]=E(U):By(**),[t"sim]=E(U).Similarly,Supp(0)\U UandU\fxv:v2Ag v2B(IDnxv#):
and0[t"sim]=E0(U).AsUisScott-openandEvE0weobtain xt".Hence,Supp(ID)\U xt".
[t"sim]=E(U) E0(U)=0[t"sim]: xt"
RecallthedenitionsoftheoperatorsFID (IDID!ID)!(IDID!ID)thatweregivenonpage101. Lemma5.3.12TheoperatorsFID `,FID LandFID L,FID `:(ID!ID)!(ID!ID)andFID kared-continuousandhaveuniquexed k:
Proof: points.Theseared-continuous. page314)itiseasytoseethatFislocallyd-continuous.Moreover, LetF2fFID `;FID L;FID F(projIDn kg.Usingthelocald-continuityofEval(Lemma12.1.4,
Then,byLemma5.3.9(page111),Fhasauniquexedpointf.fisd-continuoussinceF mapsd-continuousfunctionstod-continuousfunctionsandsincethesetofd-continuous
f)=projIDn+1F(f):

114 functionislub-closed.Notethat{byTarski'sxedpointtheorem{theunique(least) CHAPTER5.DENOTATIONALMODELS
f0(x)=?IDforallx2ID.Thus,byinductiononn,allfunctionsFn(f0)ared-continuous. Hence,f=FFn(f0)isd-continuous. xedpointofFcanbewrittenasleastupperboundofthesequence(Fn(f0))n0where
ofelementsthatarenotexplainedinthatthesisbutcanbefounde.g.in[AbJu94].The domainID.WeusesomebasicnotionsofdomaintheorylikeSFPdomainsorcompactness Intheremainderofthissectionweinvestigatesomedomain-theoreticpropertiesofthe
section. Inthenon-probabilisticcasewhereadomain-theoreticmodelIDnonprobforthesimulation readernotfamiliarwith(ornotinterestedin)domaintheorymightskiptherestofthat
preordercanbeobtainedfromtheequationD=PowHoare(f?g[Act besolvedinthecategoryofSFPdomains.ThesetTreeofnitelybranchingtrees(the function{:Tree!IDnonprobsimilartothewaywhereIPis\embedded"intoIDvia{ID. nalsolutionofX=Pown(Act X)inSET)canbe\embedded"intoIDnonprobviaa D))whichcan
elementsofIDnonprob.Inparticular,theset{(Tree)isabasisofIDnonprob.Moreover,ifthe Theimagesofnitelybranchingtreesofniteheightwithrespectto{arethecompact
probabilisticcase: detailsaboutthenon-probabilisticcasesee[Bai97]).Thesituationisdierentinthe underlyingalphabetActisnitethen,forthen-thprojectionprojn:IDnonprob!IDnonprob, theelementsofprojn({(Tree))arecompactandprojn(IDnonprob) {(Tree).(Forfurther
Ifn {ID(IP)isnotabasisofID(cf.Lemma5.3.15,page116). TheelementsofprojIDn({ID(IP))arenotcompact(cf.Lemma5.3.13,page114).
Lemma5.3.13TheelementsofprojIDn({ID(IP))nprojID1({ID(IP)),n 2thenprojIDn(ID)6{ID(IP)(cf.Lemma5.3.16,page116).
Proof: element(a;E)2xwhichismaximalinxandwith(y)>0forsomey2ID,y6=f?g. Letn 2andx2projIDn({ID(IP))nprojID1({ID(IP)).Then,thereexistsan 2,arenotcompact.
WechooseN 0with1=2N:(z) (f?g)+1=2n:ifz=f?g :ifz6=f?g,z6=y Nweput
butx6vxnforalln Then,FEn=E.Hence,x=Fxnwherexn=Acl (y)�1=2n :ifz=y.
Lemma5.3.14Distr(ID)(asasubspaceofEval(ID))isnotabasisofEval(ID). N.Thus,xisnotcompact. n,An=(xnf(a;E)g)[f(a;En)g
Proof: asE=FE.Lety=f(b;E)gclwhere Example5.1.15(page96),i.e.pistheuniquedistributiononIDwithp(y)=pand p(?ID)=1�p.Let WegiveanexampleforanevaluationE2Eval(ID)thatcannotbewritten =1?ID.Forp2[0;1],letpbeasin
iq

5.3.PROOFS Claim1:If2Distr(ID),EvEthen(x)=0forallx2IDn(f?IDg[fxp:p2[0;1]g). 115
have[U0] WesupposethatE=F2MEwhereM Proof:FirstweobservethatIDnfxp:p2[0;1]g E(U0)=0.Hence,(x)=0forallx2U0.c Distr(ID)suchthatfE: IDnx1#=U0.AsisScott-openwe
directed.(I.e.Misdirectedwithrespecttosim.)Then,forall2Mandp2[0;1], p=supf[Up]:2Mg: 2Mgis
Claim2:Forall>0thereissome2Msuchthat[Up] Proof:Foreachp2[0;1]wechoosesomepwithp[Up] XpbeanitesubsetofIDsuchthatp[IDnXp]0with p�(axiomofchoice).Let p�forallp2[0;1].
p1;:::;pk2[0;1]suchthat p0andn x1�p2UqnUpandUp q n[Uq] n[Up]+n(x1�p) Uq.Hence,forallqwithp

116 Lemma5.3.15{ID(IP)isnotabasisofID. CHAPTER5.DENOTATIONALMODELS
X subsetXof{ID(IP).Then,yistheScottclosureofSx2Xxinf?g[ActEval(ID).Since (page114).Wesupposethatycanbewrittenintheformy=FXforsomedirected Proof: {ID(IP)eachelementxofXisoftheformf(a;Ex1);:::;(a;Exrx)gclwherexiare Weconsidertheelementy=f(a;E)gclofIDwhereEisasinLemma5.3.14
MisdirectedandE=FfE: (page114). distributionswithExivE.LetM=fxi:i=1;:::;rx;x2Xg.Itiseasytoseethat
Lemma5.3.16Ifn 2thenprojIDn(ID)6 2MgwhichisimpossibleasshowninLemma5.3.14
Proof: distributiononIDwithn(yb)=1=nandn(yc)=1�1=n. Considerx=AclwhereA=f(a;En):n {ID(IP).
x 1gandnistheunique
yb sa,n
?IDb1n
?
? = ZZZ~ 1�1n
?ID yc ? c
incomparable.Hence,xcannotbewrittenintheformx=Xcl(=X#)whereXisnite. Here,yb=f(b;E1?D)gcl,yc=f(c;E1?D)gcl.Theelements(a;En),n Therefore,x=2{ID(IP),butx=projID2(x)2projID2(ID). 1arepairwise
NotethatLemma5.3.16doesnotholdforn=1.Wehave:
where=1?ID. projID1(ID)=f?IDg[f(;E):2Actg {ID(IP)
5.3.3 ThissectionpresentstheproofofTheorem5.1.16(page97)statingthat,foranycomplete ultrametricspaceM,theprobabilisticpowerdomainEval(M)ofevaluationsonMisthe Themetricprobabilisticpowerdomainsofevaluations
completionofDistr(M).RecallthatthedistanceonEval(M)isgivenby
canbewrittenasdisjointunionofopenballs.IfUisa-setthenUcanbewrittenas Lemma5.3.17LetMbeanultrametricspace.EverynonemptyopensubsetUofM d(E1;E2)=inff>0:E1(B)=E2(B)8B2Balls(M)g:
disjointunionofopenballswithradius. Proof: LetUbeanonemptyopensubsetofM.Ifx2Uthenweput (x)=supfr>0:B(x;r) Ug:

5.3.PROOFS Let bethefollowingequivalencerelationonU:x yi (x)=(y).LetVbea 117
subsetofUsuchthatV\[x]consistsexactlyofoneelement(axiomofchoice).Then,
Lemma5.3.18LetMbeanultrametricspaceandEanevaluationonM.Then,for Uisa-setwedealwiththeequivalencerelationx UcanbewrittenasdisjointunionoftheopenballsB(x;(x)),x2V.Inthecasewhere
eachopensubsetUofM,wheneverU=Si2IBiwhere(Bi)i2Iisafamilyofpairwise yid(x;y)0thereexistsanitesubsetJofIwith E(U)� Xj2JE(Bj)
Let>0.WeshowthatthereexistsanitesubsetJofIwithE(BJ) Proof: Hence,E(U)=supJ2KE(BJ).Inparticular,thereexistsanitesubsetJofIwith bethesetofnitesubsetsofI.Then,thefamily(BJ)J2KisdirectedandSJ2KBJ=U. IfJ IisnitethenweputBJ=Sj2JBj.Then,E(BJ)=Pj2JE(Bj).
E(BJ) E(U)�. E(U)�:LetK
ImmediatelybyLemma5.3.18weget:
Lemma5.3.20LetMbeanultrametricspace,EanevaluationonMand0

118 2.IfB1;:::;Bnarepairwisedisjointopenballswhicharecontainedinsomeopenball CHAPTER5.DENOTATIONALMODELS
Bthen
3.WheneverBisanopenballandB=Si2IBiwhere(Bi)i2Iisafamilyofpairwise nXi=1F(Bi) disjointopenballsthenforeach>0thereexistsanitesubsetJofIwith F(B):
F(B)� Xj2JF(Bj):
whichextendsF.WedeneEasfollows: Proof: Then,thereexistsauniqueevaluationEonMwithE(B)=F(B)forallB2Balls(M). ByCorollary5.3.19(page117)thereexistsatmostoneevaluationEonM
whereI(U)denotesthecollectionofallnitesetsconsistingofpairwisedisjointopenballs E(U)=sup(XB2IF(B):I2I(U))
BE(M)=1sinceI=fMg2I(M)andF(M)=1.ThemonotonicityofEisclearsince I2I(M)weputFI=PB2IF(B).WeshowthatEisanevaluation:wehave wheneverU U.ByLemma5.3.17(page116),I(U)isnonemptywheneverU6=;.Whenever VthenI(U) E(U\V)+E(U[V)=E(U)+E(V): I(V).LetU,V Mbenonemptyopens.Weshowthat
Step1:WeshowthatE(U\V)+E(U[V) thatthereexistsIU2I(U)andIV2I(V)with E(U[V)+E(U\V)� E(U)+E(V).Let>0.Weshow
(Then,wemayconcludethatE(U)+E(V) Hence,E(U)+E(V) E(U[V)+E(U\V).) E(U[V)+E(U\V)�forall>0. FIU+FIV:
Then, LetJ2I(U[V),K2I(U\V)withFJ (*) FJ+FK E(U[V)+E(U\V)�12
E(U[V)�14 andFK E(U\V)�14.
Claim:EachballB2JcanbewrittenasdisjointunionofopenballsCsatisfyingC Proof:LetB2J.Foreachx2Bweput: orC V. U
Then,r(x)>0forallx2B.WeputBx=B(x;r(x)).Then,eitherBx r(x)=(supfr>0:B(x;r) supfr>0:B(x;r) B\Ug:ifx2B\U,
LetXbethesetofelementsx2B\UwithBx B\Vg:ifx2B\(VnU). Byforsomey2B\(VnU).We
UorBx V.

5.3.PROOFS candealwiththesetofballsC=Bxwherex2Vorx2UnX.(Notethatforallx, 119
consistingofpairwisedisjointopenballsC LetjJjbethecardinalityofJandletB2J.ByassumptionthereexistsanitesetIB y2B\(V[(UnX))eitherBx=ByorBx\By=;.)c
F(B)�1 2jJjUorCFIB: Vwith
LetJ0bethesetofallballsC2IB,B2J.Then,J0isniteand
Weput: FJ�12 =XB2J0F(B)�12 XB2J0X
J0U=fB2J0:B Ug,J0V=J0nJ0U, C2IBF(C):
Then,IU2I(U).WeshowIV2I(V).ItisclearthatallballsB2IVarecontained KU=fC02K:C\B=;8B2J0Ug,
inVandthattheballsofJ0V(andtheballsofKV)arepairwisedisjoint.Supposethere KV=KnKU,IU=J0U[KU,IV=J0V[KV.
areballsB2J0VandC2KVwithB\C6=;.Then,eitherB caseisimpossiblesincethenC\B06=;forsomeB2J0UandhenceeitherB0 orC rstcaseisimpossiblesinceB6U(bydenitionofJ0V)andC U\V.Thesecond CorC B.The
obtainB\B0(whichcontradicttheassumptionthattheballsB,B0aredisjoint).We C B
FIU+FIV=XB2J0X FJ�12 +FKC2IBF(C)+FK Step2:WeshowthatE(U\V)+E(U[V) E(U[V)+E(U\V)�:
IU2I(U),IV2I(V)suchthat FIU E(U)�12;FIV E(V)�12: E(U)+E(V).Let>0andlet
Then,K=fB\C:B2IU;C2IV;B\C6=;gisanitesetofdisjointopenballs whicharecontainedinU\V.LetJbethesetconsistingofthefollowingballs: -B[CwhereB2IU,C2IV,B\C6=;
JisanitesetofpairwisedisjointopenballscontainedinU[V.(Notethatwhenever -B2IUwhereB\C=;forallC2IV
B,CareopenballswithB\C6=;theneitherB -B2IVwhereB\C=;forallB2IU
FK+FJ=FIU+FIV.Hence, E(U[V)+E(U\V) FK+FJ=FIU+FIV CorCE(U)+E(V)� B.)Itiseasytoseethat

120 forall>0.Therefore,E(U[V)+E(U\V) CHAPTER5.DENOTATIONALMODELS
adirectedfamilyofopensetswithU=SUi.SinceUi Step3:WeshowthatEiscontinuous.LetUbeanonemptyopensetandlet(Ui)i2Ibe E(U)+E(V).
thereforesupE(Ui) E(U).Foreachx2Uandi2Iweputri(x)=0ifx=2Uiand ri(x)=supfr>0:B(x;r) UwehaveE(Ui) Uig E(U)and
ifx2Ui.Letr(x)=supi2Iri(x).Then,ri(x)>0andBx=B(x;r(x)) Wedeneanequivalencerelation x6 classA,wedeneBA=BxandrA=r(x),wherexisarepresentativeofA.Wechoose yiBx\By=;andthatBxistheequivalenceclassofx.Foreachequivalence onUbyx yiBx=By.Itiseasytoseethat U.
x2CsuchthatA

5.3.PROOFS 1.ItisclearthatF(M)=1. 121
2.LetBbeanopenballandB1;:::;BnbedisjointopenballswithB1[:::[Bn numberNwith1=2N0suchthatB,Bi2Balls(M),i=1;:::;n,andsomenatural B.
F(B)=EN(B) nXi=1EN(Bi)=nXi=1F(Bi): 3.LetB2Balls(M)and(Bi)i2IafamilyofdisjointopenballsBiwithSBi=B.Let n>0.WechooseanaturalnumberNwith1=2N0such Nwith1=2n1=2N.Therefore,d(E;EN) 7!E,isinjective.Thus,Distr(M)canbeviewedasasubspaceofEval(M).
1=2NandE=limEn.

122 Theorem5.3.23(cf.Theorem5.1.16,page97)LetMbeacompleteultrametric CHAPTER5.DENOTATIONALMODELS
space.Then,Eval(M)isthecompletionofDistr(M).
E(B(x;1=2n))6=0impliesd(x;y)

5.3.PROOFS Lemma5.3.25LetXbeaset.EveryoperatorF:(X!IM)!(X!IM)with 123
iscontractingandhencehasauniquexedpoint. FprojIMn f=projIMn+1F(f)
Lemma5.3.26Foralln (Banach'sxedpointtheorem). Proof: ItiseasytoseethatFiscontractingandhencehasauniquexedpoint
(a;E)wherea2Actand2Distr(IM)suchthatSupp() Proof: Forsimplicity,projn=projIMn. 1andx2IM,projIMn(x)isanitesetconsistingofpairs projIMn�1(IM).
Distr(IM)withSupp() Proof:IMcanbewrittenasdisjointunionoftheopenballsB(x;1=2n�2),x2projn�1(IM). Claim1:IfE2Eval(IM)thenEval(projn�1)(E)=Eforsomedistribution projn�1(IM). 2
E(B(x;1=2n�2))6=0impliesx2N.ForallopensU, ByLemma5.3.20(page117),thereexistsacountablesubsetNofprojn�1(IM)with
where2Distr(IM)isgivenby(x)=0ifx=2N,(x)=E(B(x;1=2n�2))ifx2N.c Eval(projn�1)(E)(U)=E(proj�1 n�1(U))= x2N\UE(B(x;1=2n�2))=[U] X
then Claim2:IfE,E02Eval(IM)andd(Eval(projn�1)(E);Eval(projn�1)(E0)) Eval(projn�1)(E)=Eval(projn�1)(E0): 1=2n�1
projn�1(IM).Then,B(x;1=2n�2)\projn�1(IM)=fxg.Hence, Proof:BecauseofClaim1itsucestoshowthatd(E;E0) 0where,02Distr(IM)suchthatSupp(),Supp(0) projn�1(IM).Letx2 1=2n�1implies =
forallx2projn�1(IM).Therefore,=0.c (x)=[B(x;1=2n�2)]=0[B(x;1=2n�2)]=0(x)
Claim3:projn(x)isanitesetconsistingofpairs(a;E)where Proof:Theelementsofprojn(x)areoftheform(a;E)where Supp() projn�1(IM). 2Distr(IM)suchthat 2Distr(IM)with
Supp() Eval(IM))andsinceprojn(x) projn(x)with projn�1(IM)(seeClaim1).Sinceprojn(x)iscompact(asasubsetofAct projn(x) S2projn(x)B(;1=2n)thereexistsanitesubset [2B(;1=2n): of
where2Distr(IM)withSupp() NotethatB(;)isanopenballinAct Claim2yields=.Therefore,=(a;E)2.Hence,projn(x)= (a;E)2projn(x).Thereexists2 projn�1(IM).Then,a=bandd(E;E)

124 Theorem5.3.27(cf.Theorem5.1.21,page98)IPisadensesubspaceofIM.More CHAPTER5.DENOTATIONALMODELS
precisely,thereexistsauniquefunction{IM:IP!IMsuchthatforallT2IP,
Thisfunction{IMisinjectiveand{IM(IP)isadensesubspaceofIM. {IM(T)=f(a;EDistr({IM)()):Ta �!g:
Proof: (IP!IM)begivenbyF(f)(T)=f(a;EDistr(f)()):Ta auniquexedpoint{andthatthisfunction{isinjectiveand{(IP)adensesubspaceof nitelybranching{F(f)(T)isniteandhencecompact.WehavetoshowthatFhas Weshortlywriteprojnand{insteadofprojIMnand{IM.LetF:(IP!IM)!
IM.ItiseasytoseethatF(projnf)=projn+1F(f)forallfunctionsf:IP!IM. �!g.Notethat{sinceTis
Claim1:{isinjective. Denition:Let{betheuniquexedpointofF(Banach'sxedpointtheorem). Hence,Fiscontracting(Lemma5.3.25,page123).
Proof:BecauseofLemma3.4.8(page56)itsucestoshowthat{(T)={(T0)implies TgetT Weshowbyinductiononnthatprojn({(T))=projn({(T0))iT nT0foralln T0.Hence,T=T0(Corollary5.1.6,page93). 0.SinceT,T0arenitelybranching(andthereforeimage-nite)we
induction(n=0)thereisnothingtoshow.Intheinductionstepn=)n+1wesuppose that,forallT1,T0 12IP,projn({(T1))=projn({(T0 1))iT1nT0 1. nT0.Inthebasisof
1.Letprojn+1({(T))=projn+1({(T0))andTa
Byinductionhypothesis,A=fT0 T0a �!0with =Distr(projn{)().Since(a;E)2projn+1({(T0))thereexistsatransition =Distr(projn{)(0).LetA2IP=n,T12Aandx=projn({(T1)). �!.Then,(a;E)2projn+1({(T))where
2.LetT Hence,A={�1(proj�1 n(x)).Thus,[A]=(x)=0[A].Bysymmetry,T 12IP:x=projn({(T0 1))g:
Let(a;E)2projn+1({(T)).ThereisatransitionTa SinceTn+1T0.Bysymmetryitsucestoshowthatprojn+1({(T)) �!withE=EDistr(projn{)(). projn+1({(T0)). n+1T0.
Weshown+1T0thereexistsatransitionT0a Distr(projn{)()=Distr(projn{)(0): �!0with[A]=0[A]forallA2IP=n.
Claim2:{(IP)isadensesubspaceofIM. Letx2IMandA={�1(proj�1 Distr(projn{)()(x)=[A]=0[A]=Distr(projn{)(0)(x).c n(x)).Byinductionhypothesis,A2IP=n.Thus,
Proof:Sincex=limprojn(x)forallx2IMthesetSprojn(M)isadensesubspaceofIM. Hence,itsucestoshowthatprojn(IM) Since{isinjectivethereexistsauniquefunction|:IM!IPsuchthat|{=idIP.Letx2 Thecasen=0isclear.Intheinductionstepn=)n+1wesupposeprojn(IM) projn+1(IM).ByLemma5.3.26(page123),xisoftheformx=f(ai;Ei):i=1;:::;kg {(IP)foralln 0.Weuseinductiononn.
wherei2Distr(IM)suchthatSupp(i) projn(IM).Thus,Supp(i) {(IP)which {(IP).
yields

5.3.PROOFS (*)Distr({|)(i)=i,i=1;:::;k. 125
(Theorem5.1.7,page93).ByRemark12.1.3(page313)and(*): LetX=n(ai;EDistr(|)(i)):i=1;:::;koandT=e�1(X)wheree:IP!Pown(Act Distr(IP))isthebijectionsuchthat(IP;e)isthenalcoalgebraofPownFActDistr
Hence,{(T)=f(a;Eval({)(E)):(a;E)2Xg=f(ai;Ei):i=1;:::;kg=x.Thus, x2{(IP).c Eval({)(EDistr(|)(i))=EDistr({|)(i)=Ei;i=1;:::;k:
projIMn(IM) projIDn(ID)6{ID(IP)(cf.Lemma5.3.16,page116). Remark5.3.28InClaim2intheproofofTheorem5.3.27(page124)wesawthat
RecallthedenitionsoftheoperatorsFIM {IM(IP).Thisshouldbecontrastedwiththedomain-theoreticsettingwhere
Lemma5.3.29TheoperatorsFIM (IM IM!IM)!(IM IM!IM)(seepage101). `,FIM LandFIM L,FIM `:(IM!IM)!(IM!IM)andFIM karecontractingandtheuniquexed k:
pointsarenon-expansive.
-expansiveweobservethatFmapsnon-expansivefunctionstonon-expansivefunctions. Sincethesetofnon-expansivefunctionsIM!IMisaclosedsubspaceofthecomplete Proof: Hence,byLemma5.3.25(page123),Fhasauniquexedpointf.Toseethatfnon- LetF2fFIM `;FIM L;FIM kg.ItiseasytoseethatF(projIMnf)=projIMn+1F(f):
metricspaceofallfunctionsIM!IM,theuniquexedpointfisnon-expansive. Remark5.3.30Inthemetricapproach{whereEval(M)isacompletionofDistr(M) (Theorem5.3.23,page122){theproductofevaluationsE1E2(denedasinSection 12.1.4,page314)canbedenedwithoutusingtheresultofHeckmann[Heck95];namely, asthecanonicalextensionofthenon-expansiveoperator (Forthedenitionof1 product(whichleadstothesameoperator)usesLemma5.3.21(page117):ifE1,E2are Distr(M)Distr(M)!Distr(M 2seeSection2.2,page30.)Analternativedenitionofthe M),(1;2)7!1 evaluationsonMthenE1E2denotestheuniqueevaluationonM Msuchthat,for 2.
5.3.5 allopenballsB,B0ofM,(E1E2)(B Fullabstraction B0)=E1(B)E2(B0):31
102)andshowthe\consistency"ofthepartialorderandmetricsemanticsonIDandIM Inthissectionwegivetheproofofthefullabstractionresult(Theorem5.1.24,page (Theorem5.1.26,page102). Notation5.3.31[Theelements[s]decl]IfsisaPCCSstatementanddecladeclarationthen[s]decldenotesthebisimulationequivalenceclassoftheoperationalmeaningof thePCCSprogramhdecl;si,i.e.oftheprobabilisticprocessO[hdecl;si]. ballsofthesameradius.
31NotethattheopenballsoftheproductspaceMMhavetheformBB0whereB,B0areopen

126 Thebasiclemmaforthefullabstractionresult(Theorem5.1.24,page102)isthefollowing. CHAPTER5.DENOTATIONALMODELS
Recallthat
SeeTheorem5.3.10(page111)andTheorem5.3.27(page124). {ID:IP!IDistheuniquefunctionwith{ID(T)=f(a;EDistr({)()):Ta {IM:IP!IMtheuniquefunctionsuchthat{IM(T)=f(a;EDistr({)()):Ta �!gcl, �!g.
Lemma5.3.32LetX=IMorX=ID.Then,foreachdeclarationdecl: 0.{IM([nil]decl)=;,{ID([nil]decl)=?ID. 1.{X([a:(Pi2I[pi]si)]decl)=a:(Pi2I[pi]{X([si]decl)) 2.{X([s1+s2]decl)={X([s1]decl)[{X([s2]decl) 3.{X([s1ks2]decl)={X([s1]decl)k{X([s2]decl) 4.{X([s[`]]decl)={X([s]decl)[`]
Proof: 6.{X([Z]decl))={X([decl(Z)]decl) 5.{X([snL]decl)={X([s]decl)nL
Hence,byLemma5.1.5(page92),[Z]decl=[decl(Z)]decl: Inwhatfollows,weshortlywriteprojn,{ratherthanprojXnand{Xand[s]insteadof 0.,1.and2.areclear.6.isclearsinceO[hdecl;Zi] O[hdecl;decl(Z)i]:
A(ifA6=;)and;cl=?ID,asbefore.WhendealingwithIM,weputAcl=A.Then, subsetsoff?g[Act [s]decl.Asbefore,weusetheclosurenotationAclforsubsetsofAct Eval(ID).WhendealingwithID,AcldenotestheScott-closureof Eval(IM)andfor
foralls2Stmt.Weshow3.Byinductiononnweshowthat {([s])=n(a;EDistr({[])()):sa �!declocl
foralls1,s22Stmt.Then,bythenon-expansitivity/d-continuityofkandthefactthat x=limprojn(x)inIMandx=Fprojn(x)inIDweobtain projn({([s1ks2]))=projn({([s1]))kprojn({([s2]))
Thebasisofinduction(n=0)isclearas;k;=;inIMand?IDk?ID=?IDinID.Inthe inductionstepn=)n+1wesupposethat {([s1ks2])={([s1])k{([s2]):
page313)andE12=E1E2wehave forallt1,t22Stmt.Lets1,s22Stmt.SinceEDistr(f)()=Eval(f)(E)(Remark12.1.3, projn({([t1kt2]))=projn({([t1]))kprojn({([t2]))
{([s1ks2])=f(a;EDistr({[])()):s1ks2a =f(;EDistr({[k])(12)):s1�!decl1;s2�!decl2;6=gcl [f(a;EDistr({[ks2])()):s1a �!gcl
[f(a;EDistr({[s1k])()):s2a �!declgcl.
�!declgcl

5.3.PROOFS Wedenefunctionsf,g:Stmt Stmt!Xby 127
Wehave g(t1;t2)=projn({([t1kt2])). f(t1;t2)=projn({([t1]))kprojn({([t2])),
whereM=M1[M2if6=andM=M1[M2[Msyn, projn+1({([s1ks2]))=[
Ma1=fDistr(g(;s2))():s1a a2Actf(a;E):2Magcl
Msyn=fDistr(g)(1 Ma2=fDistr(g(s1;)():s2a 2):s1�!decl1;s2�!decl2;6=g. �!declg, �!declg,
Ontheotherhand,
whereN=N1[N2if6=andN=N1[N2[Nsyn, projn+1({([s1]))kprojn+1({([s2]))=[
Na1=fDistr(f(;s2))():s1a �!declg, a2Actf(;E):2Nagcl
Theinductionhypothesisyieldsf(t1;t2)=g(t1;t2)forallt1,t22Stmt.Thus,Ma1=Na1, Nsyn=fDistr(f)(1 Na2=fDistr(f(s1;)():s2a 2):s1�!decl1;s2�!decl2;6=g. �!declg,
Ma2=Na2andMsyn=Nsyn.Weconclude:
Theproofsof4.and5.aresimilartotheproofof3. RecallthatfID projn+1({([s1ks2]))=projn+1({([s1]))kprojn+1({([s2])):
5.1.4,page101).Inthenextlemmaweshowthat{asinthemetriccasewherefIM decldenotestheleastxedpointofthed-continuousoperatorFID decl(seeSection
Lemma5.3.33Letdeclbeadeclaration.Then,fID theuniquexedpointofFIM decl{fID declisuniqueasaxedpointofFID declistheuniquexedpointofFID decl. declis
Proof: iff,f0arexedpointsofFID ItiseasytoseethatprojIDn+1 declthen(byinductiononn)projIDn FID decl(projIDnf)=projIDn+1 f=projIDn FID decl(f).Hence, f0.Hence, decl.
foralls2Stmt.Thereforef=f0. f(s)=Gn0projIDn(f(s))=Gn0projIDn(f0(s))=f0(s)
andDIMarefullyabstractwithrespecttosimulationandbisimulationrespectively.More Theorem5.3.34(cf.Theorem5.1.24,page102)ThedenotationalsemanticsDID precisely: (a)IfP,P02PCCSthenDID[P]={ID([P])andPvsimP0iDID[P] (b)IfP,P02GPCCSthenDIM[P]=[P]andP P0iDIM[P]=DIM[P0].
DID[P0].

128 Here,IPisconsideredasasubspaceofIM(Theorem5.3.27,page124)and{ID:IP!ID CHAPTER5.DENOTATIONALMODELS
isasinTheorem5.3.10,page111. thesyntaxofs2StmtthatFXdecl({X[]decl)(s)={X([s]decl):BytheuniquenessoffXdecl Proof: asaxedpointofFXdecl(Lemma5.3.33,page127),wegetfXdecl={X[]decl.Hence, UsingLemma5.3.32(page126)itcanbeshownbystructuralinductionon
Lemma5.1.5(page92)yieldsPvsimP0iDID[P] DX[hdecl;si]=fXdecl(s)={X([hdecl;si]):
Theorem5.3.35(cf.Theorem5.1.26,page102)Thereexistsauniquefunctionf: DIM[P0]. DID[P0]andP P0iDIM[P]=
IM!IDsuchthatf(x)=f(a;Eval(f)(x)):(a;E)2xgclforallx2IM.Thisfunction fsatisesfDIM[P] Proof: Wedeneafunctionf:IM!IDasfollows.Weconsiderthefunction =DID[P]forallP2GPCCS.
ItiseasytoseethatFisd-continuousandF(projIDn satisestheconditionsofLemma5.3.9(page111).Letf:IM!IDbetheuniquexed F:(IM!ID)!(IM!ID);F(f)(x)=f(a;Eval(f)(x)):(a;E)2xgcl:
pointofF.Itiseasytoseethatfisa\homomorphism"withrespecttothesemantic operatorsonIMandID.Usingtheresultsof[BMC97]itcanbeshownthat,forxed f)=projIDn�1F(f).Thus,F
fID result"fDIM=DIDjGPCCS.
guardeddeclarationdecl,ffIM declistheuniquexedpointofFID declisaxedpointofFID decl.Hence,ffIM decl=fID decl.ByLemma5.3.33(page127), declwhichyieldsthe\consistency

Chapter6
Decidingbisimilarityandsimilarity
straction.Formechanisedpurposes,thedevelopmentofmethodsforshowingthattwoBisimulationandsimulationrelationshaveprovedveryusefulforthedesignandabodsand[HuTi92]foradecisionprocedure.Theissueofaxiomatizationsforbisimulationcrucialaspect.Severaltechniquesforcheckingbisimulationequivalenceforfullyprobabilisticprocesseshavebeenproposed;see[JoSm90,BBS92,LaSk92]foraxiomaticmeth processesarebisimilarorrelatedviasimulationandtheeciencyofsuchmethodsisa
andsimulationinprobabilisticsystemswithnon-determinismhasbeenconsideredin bisimulationandsimulationforconcurrentprobabilisticprocesses.Inthischapterwe presentarevisedversionof[Bai96]wherealgorithmsfordecidingbisimulationequiva- [HaJo90,Hans91,Yi94].1Asfarastheauthorknows,[Bai96]andtheforthcomingwork [PSS98,BSV98]aretherstattemptstoformulatealgorithmicmethodsthatdealwith lenceandforcomputingthesimulationpreorderinniteconcurrentprobabilisticsystems areproposed.Moreover,weshowthatavariantofthemethodforsimulationisapplicable forfullyprobabilisticsystemsandthe\satisfactionrelation"of[JoLa91]. Decidingbisimulationequivalence:Huynh&Tian[HuTi92]presentedanO(klogn) algorithmforcomputingthebisimulationequivalenceclassesinnitefullyprobabilistic systemswherenisthenumberofstatesandkthenumberofnon-zeroentriesinthe transitionprobabilitymatrix(P(s;a;t))s;a;t.Themethodof[HuTi92]isamodicationof thethepartitioning/splitter-techniqueala[KaSm83,PaTa87]whichperformsasequence ofrenementstepsthatreplaceagivenpartitionXbyanerone,eventuallyresultingin renementoperationRene(X)isbasedonasplitterofthecurrentpartitionX.This thesetofbisimulationequivalenceclasses.Asinthenon-probabilisticcase,theunderlying partition/splitter-techniquealsoworksforreactivesystemsbutfailsforgeneralconcurrent probabilisticsystems.Ourmethodfordecidingbisimulationequivalenceworks{asinthe non-probabilisticorfullyprobabilisticcase{withapartitioningtechniquebutavoidsthe useofsplitters.ItrunsintimeO(mn(logm+logn))wheremisthenumberoftransitions andnthenumberofstates.Invariousapplications,e.g.whenthesystemarisesfromthe interleavingofl\sequential"probabilisticsystems,wemaysupposethatthenumbermof transitionsispolynomialinn.InthesecasesweobtainthetimecomplexityO(mnlogn).
simulationisdierentfromtheoneproposedby[SeLy94]. intervalsofprobabilities{ratherthanpreciseprobabilities{areused.Theunderlyingnotionofa 1Itshouldbementionedthat[Yi94]dealswithavariantofaction-labelledstratiedsystemswhere
129

130 Computingthesimulationpreorder:Theschemaforcomputingthesimulationpre- CHAPTER6.DECIDINGBISIMILARITYANDSIMILARITY
orderofaniteprobabilisticsystemisthesameasinthenon-probabilisticcase[HHK95].forwhichthereisastepofsthatcannotbe\simulated"byastepofs0.Intheprobabilis- WestartwiththerelationR=S distributions,0arerelatedviaaweightfunctionwithrespecttothecurrentrelation ticcase,thetestwhetherastep\simulates"anotheroneamountsdecidingwhethertwo Sandsuccessivelyremovethosepairs(s;s0)fromR
R,i.e.whether canbereducedtoamaximumowprobleminasuitablechosennetworkwhichyieldsan O((mn6+m2n3)=logn))algorithmforcomputingthesimulationpreorderwhenapplying themethodof[CHM90]forsolvingthemaximumowproblem. R0(seepage30).Weshowthatthequestionwhether R0
givesanalgorithmforcomputingthesimulationpreorderwherewerstconsiderconcur- probabilisticsystemsandthendealwithconcurrentprobabilisticsystems.Section6.2 Organizationofthatchapter:Section6.1presentsanalgorithmfordecidingbisimrentprobabilisticsystems(Section6.2.2)andthenthefullyprobabilisticcase(SectionulationequivalencewherewerstrecalltheresultsbyHuynh&Tian[HuTi92]forfully
Inthischapter,weneedthedenitionsofbisimulationandsimulation(seeSection3.4, 6.2.3).Wealsoshowhowourmethodforcomputingthesimulationpreordercanbe
page53)wherethelatterusesthedenitionofweightfunctionsfordistributions(see modiedforthe\satisfactionrelation"introducedbyJonsson&Larsen[JoLa91].
Throughoutthischapter,wedealwithniteandaction-labelledsystems. Section2.2,page30).Moreover,weoftenusethenotationsforpartitionsasexplained inSection2.1(page29).Forthecomputationofcertainequivalenceclasseswepropose theuseoforderedbalancedtrees.OurnotationscanbefoundinSection12.2(page314).
6.1 Themainideaforcomputingtheprobabilisticbisimulationequivalenceclassesisthe Computingthebisimulationequivalenceclasses
thetrivialpartitionX=fSgandthensuccessivelyreneXbysplittingtheblocksB useofapartitioningtechniqueasproposedbyKanellakis&Smolka[KaSm83](andits improvementbyPaige&Tarjan[PaTa87])forthenon-probabilisticcase.Westartwith ofXintosubblocks,eventuallyresultinginthebisimulationequivalenceclasses.This
X.Intuitively,asplitterdenotesapair(a;C)consistingofanactionaandablockC2X schemaissketchedinFigure6.1onpage131.
thatpreventstheinducedequivalenceRXtofullltheconditionofabisimulation;thatis, Inthenon-probabilisticcase,therenementoperatorRene(X)dependsona\splitter"of
inX(i.e.sands0belongtothesameblockofX)andwheresa asplitterisapair(a;C)2ActXsuchthattherearestatess,s02Sthatareidentied
thepartition eachblockB2XintothesubblocksB(a;C)=fs2B:sa (a;C)tobeasplitterofX,therenementoperatorRene(X)=Rene(X;a;C)devides �!CgandBnB(a;C)andreturns �!Cwhiles0a 6�!C.2For
2Here,wewriteta �!Cita �!uforsomeu2C.
fB(a;C);BnB(a;C):B2Xgnf;g:

6.1.COMPUTINGTHEBISIMULATIONEQUIVALENCECLASSES 131
Output:thesetS= Computingthebisimulationequivalenceclasses
Method: Input:anite(non-probabilisticorprobabilistic)systemwithstatespaceS
X=fSg; ofbisimulationequivalenceclasses
ReturnX. WhileXcanbereneddoX:=Rene(X);
Clearly,ifXiscoarserthanS= Figure6.1:Schemaforcomputingthebisimulationequivalenceclasses
Hence,Rene(X;a;C)isagaincoarserthanS=XandstrictnerthanX(providedthat (a;C)isasplitterofX).Thus,afteratmostjSjrenementstepsthecurrentpartition coincideswithS=.ThismethodcanbeimplementedintimeO(mlogn)wherenisthe thens6s0foralls2B(a;C)ands02BnB(a;C).
numberofstatesandmthenumberoftransitions(i.e.thesizeof�!)[PaTa87](seealso [Fern89]).
systems,thusyieldinganO(klogn)algorithmfordecidingbisimilarityinfullyproba- 6.1.1 Thepartitioning/splittermethodisadaptedin[HuTi92]forfullyprobabilistictransition Thefullyprobabilisticcase
bilistictransitionsystemswherenisthenumberofstatesandkthenumberoftuples (s;a;t)suchthatP(s;a;t)>0.Intheworstcase,wehavek=jActjn2.Ifwesuppose equivalenceinfullyprobabilisticsystems.Moreover,wesawinTheorem3.4.19(page 61)thatsimulationequivalencesimandbisimulationequivalence probabilisticsystems.Thus: ActtobexedthenweobtainthetimecomplexityO(n2logn)fordecidingbisimulation
Theorem6.1.1(cf.[HuTi92])Infullyprobabilisticsystems,bisimulationandsimula- coincideforfully
ofstates. ThebasicideaisforthefullyprobabilisticcaseistodeneasplitterofapartitionXto tionequivalencecanbedecidedintimeO(n2logn)andspaceO(n2)wherenisthenumber
eachblockB2XbythesubblocksB='(a;C)wheres'(a;C)s0iP(s;a;C)=P(s0;a;C). identiedinX.Then,therenementoperatoraccordingtothesplitter(a;C)replaces beapair(a;C)2ActXsuchthatP(s;a;C)6=P(s0;a;C)forsomestatess,s0thatare
Asmentionedin[HuTi92],thepartitioning/splittertechniquecaneasilybemodiedforre- 6.1.2 activesystems(withthesametimecomplexityO(n2logn)).Inthegeneralcase,i.e.deal Theconcurrentcase
ingwithconcurrentprobabilisticsystems,thesplittertechniquefails(seeExample6.1.4,

132 CHAPTER6.DECIDINGBISIMILARITYANDSIMILARITY
Computingthebisimulationequivalenceclassesinreactivesystems Input:anitereactivesystem(S;Act;Steps) Output:thesetS= Method: X=fSg; ofbisimulationequivalenceclasses
ReturnX. Whilethereexistsasplitter(a;C)ofXdoX:=Rene(X;a;C);
page133).WeproposeamethodthatcanbeimplementedintimeO(mn(logm+logn)) Figure6.2:Partioning/splittertechnique
wherenisthenumberofstatesandmthenumberoftransitions.
Denition6.1.2[Thesplitter-basedrenementoperator]IfXisapartitionofS probabilisticsystem(S;Act;Steps). Inwhatfollows,wexanitesetActofactionsandaniteaction-labelledconcurrent
anda2Act,B,C2XthenRene(B;a;C)=B='(a;C) wheretheequivalencerelation'(a;C)=(a;C)\�1 B Bwhichisgivenby: s(a;C)s0iwheneversa �!thenthereexistss0a (a;C)isthekerneloftherelation(a;C)
ForXtobeapartitionofS,asplitterofXisapair(a;C)2Act �!0with[C]=0[C].
Themethodof[PaTa87](orthemethodof[HuTi92]forfullyprobabilisticsystems)mod- Rene(B;a;C)6=fBgforsomeB2X. Xsuchthat
iedforreactivesystemsissketchedinFigure6.2onpage132.Fortheimplementation ofthismethodweproposetheuseofaqueueQofpossiblesplitters,initiallycontaining andremove(a;C)fromQ.ForeachB2X,wecomputetheprobabilities thepairs(a;S),a2Act.AslongasQisnonempty,wetaketherstelement(a;C)ofQ
WeconstructanorderedbalancedtreeTree(B;a;C)forthevaluesps,s2B,withadditional ps=(0 [C]:ifStepsa(s)=fg;s2B: :ifStepsa(s)=;
labelsv:statesforeachnodevsuchthatnallyv:states=fs2B:v:key=psg.3The nodesinthenaltreerepresentRene(B;a;C);moreprecisely,
thepairs(b;B0),b2Act,totheendofQ.4Usinganimplementationsimilartotheonein IfRene(B;a;C)6=fBgthenforeachB02Rene(B;a;C)butoneofthelargestweadd Rene(B;a;C)=fv:states:visanodeinTree(B;a;C)g:
3SeeSection12.2,page314,forthenotationsthatweusefororderedbalancedtrees. 4BythelargestblockswemeanthoseblocksB02Rene(B;a;C)wherejB0jismaximal.

6.1.COMPUTINGTHEBISIMULATIONEQUIVALENCECLASSES s1 133
a,1 m
t1mt����@@@@R a,1 s2 m
u1 m v1 mt a,2 a,2
w1 m t2mt����@@@@R 12 AAAAU12
12 AAAAU12
12 AAAAU12v2
m u2 m12 tAAAAU12
Figure6.3:s16s2,buts1ands2cannotbedistinguishedbysplitters. w2 m
[PaTa87]weobtainthetimecomplexityO(n2logn).Forreactivesystems,bisimulation Hence: Theorem6.1.3Inreactivesystems,bisimulationandsimulationequivalencecanbede- equivalence andsimulationequivalencesimarethesame(Theorem3.4.15,page59).
cidedintimeO(n2logn)andspaceO(n2)wherenisthenumberofstates.Beforewepresentourmethodforcomputingthebisimulationequivalenceclassesinarbitraryniteaction-labelledconcurrentprobabilisticsystemswegiveanexamplewhich explainswhythesplittertechniquefailsinthegeneralcase.
bisimilar.5Then,s16s2.Ontheotherhand,s1,s2cannotbedistinguishedbysplitters.6 Thus,thealgorithmfordecidingbisimilaritybasedonthesplittertechniquewouldreturn posethatt1Example6.1.4WeconsiderasystemasshowninFigure6.3(page133)wherewesup- thats1ands2arebisimilar. t2,u1 u2,v1 v2,w1 w2andthatt1;u1;v1;w1arepairwisenon-
replaceeachblockBofthegivenpartitionXbytheequivalenceclassesofBwithrespect totheequivalencerelationXwhichidentiesexactlythosestatess,s02Bsuchthatfor arenementoperatorthatdoesnotdependonasplitter.Ineachrenementstep,we Forthegeneralcase,wemaintaintheschemasketchedinFigure6.1(page131)butuse
S.[X]denotesthevector([B])B2X.XisassociatedwiththeequivalencerelationX eachtransitionsa Notation6.1.5[Thevector[X]andtheequivalenceX]LetXbeapartitionof �!thereexistsatransitions0a �!0with[C]=0[C]forallC2X.
Denition6.1.6[Therenementoperator]Wedene
onSthatisgivenby: sXs0i f(a;[X]):sa �!g=f(a;0[X]):s0a �!0g.
Lemma6.1.7LetXbeapartitionofSwhichiscoarserthanS=.Then: Rene(X)= B2XB=X: [
(a)Rene(X)isapartitionwhichiscoarserthanS=. 5Theoutgoingtransitionsofthestatesti,ui,vi,wiareomittedinthepicture. 6I.e.s1'(b;C)s2forallactionsbandallblocksCofapartitionXofSthatiscoarserthanS=.

134 (b)IfRene(X)=XthenX=S=. CHAPTER6.DECIDINGBISIMILARITYANDSIMILARITY
Lemma6.1.7ensuresthetotalcorrectnessofourschemafordecidingbisimilaritysketched Proof: inFigure6.1(page131).Westateourmainresult: easyverication.
mthenumberoftransitions. Theorem6.1.8Inconcurrentprobabilisticsystems,bisimulationequivalencecanbede-
Remark6.1.9Inmanysituations,mispolynomialinn.Forexample,whenthesystem cidedintimeO(mn(logm+logn))andspaceO(mn)wherenisthenumberofstatesand
arisesfromtheinterleavingofl\sequential"probabilisticsystemsthenm cases,thetimecomplexityfordecidingbisimulationequivalenceisO(mnlogn). Intheremainderofthissectionwedecribehowtoimplementthealgorithmsketched ln.Inthese
andspacecomplexitywhereweusetherenementoperatorRene(X)ofDenition6.1.6 inFigure6.1(page131)forconcurrentprobabilisticsystemstoobtainthedesiredtime (page133).ThemainideafortheimplementationoftheoperatorRene(X)isrstto computethesetof\stepclasses"withrespecttoXfromwhichthesetsB=X,B2X, Denition6.1.10[Stepclasses]LetXbeapartition,B2Xanda2Act.Then, canbederived.
Twodistributions,02Stepsa(B)arecalledX-equivalent(denoted Stepsa(B)=[ s2BStepsa(s):
a2Actandafunctionh:B!2Distr(S)withh(s) [X]=0[X].AstepclassofBwithrespecttoXisapair(a;h)consistingofanaction Stepsa(s)foralls2Bsuchthat X 0)i
ForB02Rene(X),wedeneastepclassofB0withrespecttoXtobeapair(a;h0) s2Bh(s)2Stepsa(B)=X: [
BdenotestheuniqueblockinXwhichcontainsB0.StepClX()denotesthesetofstep wherea2Actandh0=hjB0forsomestepclass(a;h)ofBwithrespecttoXwhere
respecttoX,h(s)6=;ih(s0)6=;.LetXbethecurrentpartitionforwhichwewant Clearly,ifB2Xands,s02BthensXs0i,foreachstepclass(a;h)ofBwith classesof()withrespecttoX.
eachstepclass(a;h0)ofasubblockB02Rene(X)ofB(withrespecttoX)thereisstep tocomputeRene(X)andletXoldbethepartitioninthepreviousrenementstep.7For
stepclassofBwithrespecttoXold,letC(a;hold)bethesetofalltuples(a;L;h)where class(a;hold)ofBwithrespecttoXoldsuchthath0(s) precisely,thesubblocksB02Rene(X)ofBandtheirstepclasseswithrespecttoXcan bederivedfromthestepclassesofBwithrespecttoXoldasfollows.For(a;hold)tobea hold(s)foralls2B0.More
7I.e.weassumethatthecurrentpartitionXisRene(Xold).
;6=L B

6.1.COMPUTINGTHEBISIMULATIONEQUIVALENCECLASSES h:L!2Distr(S)isafunctionwith;6=h(s) hold(s)foralls2L 135
thereexistsarealvectorp=(pC)C2Xsuchthat {[X]=pforall2h(s),s2L
Fors,s02BwehavesXs0i {Ifs2BnLthenh(s)\f2Distr(S):[X]=pg=;. {Ifs2Land2hold(s)nh(s)then[X]6=p.
Wereformulatethisobservationasfollows.Let(a1;L1;h1);:::;(ar;Lr;hr)beanenumerationof 8(a;hold)2StepClXold(B)8(a;L;h)2C(a;hold)[s2Lis02L].
LetL1i=Li,L0i=BnLiandLb=Lb1 (a;hold)2StepClXold(B)C(a;hold): [
B=X=fLb:b2f0;1grgnf;g: 1\Lb2 2\:::\Lbr rifb=(b1;:::;br)2f0;1gr.Then,
Moreover,forthenewsubblockL(b1;:::;br)(whereb=(b1;:::;br))wehave
whereh0i:L(b1;:::;br)!2Distr(S)isgivenbyh0i(s)=hi(s).(I.e.h0i=hijL(b1;:::;br)isthe restrictionofhionthestatesofL(b1;:::;br).)Clearly,forcomputingthesetsLbandtheir StepClX(L(b1;:::;br))=f(ai;h0i):i=1;:::;r;bi=1g
stepclasses,thetuples(ai;Li;hi)whereLi=Band(ai;hi)2StepClX(B)arenotof importance.Therefore,wedividethetuples(ai;Li;hi)intotwoclasses: OldClX(B)denotesthesetoftuples(ai;Li;hi)thatrepresentan\oldstepclass" (i.e.Li=Band(ai;hi)2StepClXold(B)).
Li6=Bor(ai;hi)=2StepClXold(B)). NewClX(B)thesetoftuples(ai;Li;hi)thatrepresenta\newstepclass"(i.e.either OldClX(B)=n(a;B;hold)2C(a;hold):(a;hold)2StepClX(B)o
Forthetestwhether[X]=0[X]weusethefollowingfacts.Let,02Distr(S)such that[Xold]=0[Xold]andB2X,Bold2Xold. NewClX(B)=n(a;L;h)2C(a;hold):(a;hold)2StepClX(B);(L;h)6=(B;hold)o:
(1)IfB2Xold(i.e.Bisablockthathasnotbeenrenedinthelastrenementstep) (2)IfBoldisrenedintothesubblocksB1;:::;Bk+12Xthen then[B]=0[B].
Becauseof(2),forcomputingRene(X),itsucestoconsiderforeachblockBold2 Becauseof(1),weonlyhavetoconsiderthe\new"blocks,i.e.theblocksB2XnXold. [Bi]=0[Bi],i=1;:::;k+1 i [Bi]=0[Bi],i=1;:::;k.
XoldnXallsubblocksB2XofBoldbutoneofthelargest.Theseobservations(1)and
suchthat:
(2)leadtotheuseofaset New XnXold

136 CHAPTER6.DECIDINGBISIMILARITYANDSIMILARITY
Input:aniteaction-labelledconcurrentprobabilisticsystem(S;Act;Steps) Output:thesetS= Computingthebisimulationequivalenceclassesinconcurrentprobabilisticsystems
Method: (0)computeXinit,NewinitandStepClXtrivial(B)forallB2Xinit ofbisimulationequivalenceclasses
(1)X:=Xinit;New:=Newinit; (2)WhileNew6=;dobegin (2.1)New0:=;andX0:=;; (2.2)ForallB2Xdo (2.2.1)computeNewClX(B)andOldClX(B)withthemethodofFigure (2.2.2)computeB=X,NewBandStepClX(C)forC2B=Xwiththe methodexplainedonpage139; 6.6(page142);
(3)ReturnX. (2.3)X:=X0;New:=New0; (2.2.3)New0:=New[NewBandX0:=X0[B=X;
(*)IfBold2XoldnX(i.e.therenementoperationRene(Xold)splitstheblockBold Figure6.4:Algorithmfordecidingbisimulationequivalenceinconcurrentsystems
intotwoormoresubblocks)thenthereexistk {jBoldn(B1[:::[Bk)j {B1;:::;Bk {Boldn(B1[:::[Bk)2XnNew Bold jBij,i=1;:::;k. 1andB1;:::;Bk2Newsuchthat
Then(by(1)and(2)),if,02Distr(S)suchthat[Xold]=0[Xold]then ThealgorithmforcomputingthebisimulationequivalenceclassesisshowninFigure6.4, page136. [X]=0[X]i [C]=0[C]forallC2New.
Initialization(step(0)inFigure6.4(page136)):Weskiptherstrenementstep
nodevislabelledby andstartwiththepartitionXinit=S= becomputedwiththefollowingmethod.Wechoosewithaxedenumerationa1;:::;ak ofActandconstructabinarytreeTreebysuccessivelyinsertingnodesandedges.Each wheres s0iact(s)=act(s0).8Xinitcan
itsdepthv:depthinTree,
8I.e.wedealwiththeinitialpartitionXinit=Rene(fSg)ratherthantrivialpartitionfSg.
asubsetv:actionsofAct, thenamesv:leftandv:rightoftheleftandrightsonofvinTree.

6.1.COMPUTINGTHEBISIMULATIONEQUIVALENCECLASSES Inthecasewherevdoesnothavealeft(right)sonv:left(v:right)isundened(?).Each 137
nodevofdepthkisaleafandisadditionallylabelledby asubsetv:statesofS,
v0:right=?.Then,foreachstates2S,wetraversethetreestartingintheroot Initially,Treeconsistsofitsrootv0wherev0:depth=0,v0:actions=;,v0:left= anaturalnumberv:counterthatcountsthenumberofelementsinv:states.
v0.Ifwehavereachedanodevwithv:depth=i

138 s1 CHAPTER6.DECIDINGBISIMILARITYANDSIMILARITY
u1
v1 t1 u01 u2 k k s2 s3 t3 s4
kk l v2 t2 u02 u00 2 v3 wv
v4 t4
k k
k k k n n k �a��@@@@R a,1 k k
12 sBBBBBN 12 � ��@@@@R
12a,2 JJJJJJ^
s1838 ab a,4
b b k??
ck13
s?
23
? ? ? BBBBBBN
Figure6.5: ? b?
andStepClXtrivial(B4)=;. Therenementstep(step(2)inFigure6.4(page136)):Asbefore,letX= Rene(Xold)bethecurrentpartitionandXoldthepartitionofthepreviousrenement step.Moreover,NewisapropersubsetofXnXoldthatsatisescondition(*)(seepage
eachB2X,wecomputeNewClX(B)andOldClX(B)withthemethodsketchedinFigure 136).
a2Act,L 6.6(page142).WeuseasetQoftupleshj;b;a;L;hiwhere0 Step(2.2.1)inFigure6.4(page136):LetC1;:::;ClbeanenumerationofNew.For
Ifb=oldthenL=Band(a;h)2StepClXold(B) Bandh:L!2Distr(S)isafunctionwithh(s) Stepsa(s)suchthat: j l,b2fold;newg,
TheelementsofQcanbeviewedasnodesofaforest(acollectionoftrees)wherethe rootsarethenodesoftheformh0;old;a;B;holdiwith(a;hold)2StepClXold(B).Therst Foralls,s02Land2h(s),02h(s0),[Ci]=0[Ci],i=1;:::;j.
thenwehave: componentjofanodehj;b;a;L;histandsforthedepthofthatnode.Thesonsofthe alls2L0.Moreprecisely,ifhj+1;bi;a;Li;hii,i=1;:::;r,arethesonsofhj;b;a;L;hi nodehj;b;a;L;hiareoftheformhj+1;b0;a;L0;h0iwhereL0
b1=:::=br=(new:ifr 2 Landh0(s) h(s)for
Moreover,ifH=Ss2Lh(s)andHi=Ss2Lihi(s),i=1;:::;r,then b :ifr=1.
(**) fH1;:::;Hrg=H=j+1 Xwhere j+1 X 0i hi;old;a;B;hi,i=0;1;:::;j.Theleavesare Thenodesonthepathfromtheroottoanodeoftheformhj;old;a;B;hiarethenodes [Cj+1]=0[Cj+1].
{allnodesoftheformhl;b;a;L;hi(i.e.allnodesofdepthlwherel=jNewj)
havefoundabisimulationequivalenceclassconsistingofasinglestate.
{allnodeshj;b;a;L;hiwherejLj=1.9 9Forthesenodes,thepossiblesplittingsofthestepclassesofthesetLarenotofinterestsincewe

6.1.COMPUTINGTHEBISIMULATIONEQUIVALENCECLASSES Aleafoftheformhl;old;a;B;hirepresentsanelementofOldClX(B)(because(a;h)2 139
\new"stepclasses. StepClXold(B)).Thiscasecorrespondstostep(1.7)wheretheorderedbalancedtreeT
Step(2.2.2)inFigure6.4(page136):HavingobtainedthesetsNewClX(B)and constructedinstep(1.2)consistsofitsroot.Leavesoftheformhj;new;a;L;histandfor
(a;L;h)2NewClX(B)(ratherthanalltuples(a;L;h)2S(a;hold)C(a;hold)).Wechoosean enumeration(a1;L1;h1);:::;(ar;Lr;hr)ofNewClX(B)andconstructabinarytreeTreeB OldClX(B),wederiveB=Xasdescribedonpage135whereweonlyconsiderthetuples suchthateachleafvofdepthrislabelledbythesetv:states=Lv1\:::\Lvrwhere v0v1:::vr=visthepathfromtherootofTreeBtovand
Theconstructionofthistreeissimilartotheinitializationstep.Westartwiththetree Lvi=(Li BnLi:ifviistherightsonofvi�1. :ifviistheleftsonofvi�1
totherightsonv:rightifs=2Li+1(possiblyinsertingtheleftorrightsonifnecessary). Ifhehavereachedaleaf(anodevofdepthr)thenweinsertsintothesetv:states. Ifwereachedanodevofdepthi

140 Thistreemightbeofthefollowingform. CHAPTER6.DECIDINGBISIMILARITYANDSIMILARITY
v1v0 k v2v3 kAAAUAAAU k v0:key=1=2v0:states=fs1;s2gv0:steps(si)=fig
k v1:key=0 v2:key=2=3v2:states=fs4g v3:key=1 v1:states=fs1;s2gv1:steps(si)=f1uig v3:states=fs3g v2:steps(s4)=f4g
weaddtheelements WegetV1=fv2;v3gandV2=fv0;v1g.Thus,instep(1.4)ofFigure6.6(page142), v3:steps(s3)=f1t3g
toQwhereh1;1(si)=figandh1;2(si)=f1uig,i=1;2.Instep(1.5)ofFigure6.6(page 142),thetuples(a;fs4g;v2:steps)and(a;fs3g;v3:steps)areinsertedintoNewClXinit(B1). h2;new;a;fs1;s2g;h1;1iandh2;new;a;fs1;s2g;h1;2i
andh2;new;a;fs1;s2g;h1;2iofQweconstructorderedbalancedtreesforthevalues sultingtreeconsistsofasinglenode;thus,instep(1.6)ofFigure6.6(page142),the Then,againinstep(1.2)ofFigure6.6(page142),fortheelementsh2;new;a;fs1;s2g;h1;1i
obtainOldClXinit(B1)=;and tuples(a;fs1;s2g;h1;1)and(a;fs1;s2g;h1;2)areinsertedintoNewClXinit(B1).Hence,we 1[B3]=2[B3]=0and1u1[B3]=1u2[B3]=0respectively.Inbothcases,there-
whereh03(s3)=f1t3g,h04(s4)=f4g.Instep(2.2.2)ofthemainalgorithm(Figure6.4, page136),weapplythemethoddescribedonpage139andconstructthetreeTreeB1 NewClXinit(B1)=f(a;fs1;s2g;h1;1);(a;fs1;s2g;h1;2);(a;fs3g;h03);(a;fs4g;h04)g
whichisofthefollowingform.
s�@@R �s
sHHHHjHHHHj
s s
@@Rfs1;s2g
fs3gfs4g s+AAU sQQQss
Thus,weobtainB1=Xinit=ffs1;s2g;fs3g;fs4gg,NewB1=ffs3g;fs4ggand StepClXinit(fsig) StepClXinit(fs1;s2g)=f(a;h1;1);(a;h1;2)g
FortheblocksB2fB2;B3;B4g,weobtainNewClXinit(Bi)=OldClXinit(B4)=;and whereh1;1,h1;2,h03andh04areasabove. =f(a;h0i)g;i=3;4:
Figure6.6(page142)andobtainNewClXinit(Bi)=OldClXinit(B4)=;and Instep(2.2.1)ofthemainalgorithm(Figure6.4,page136),weapplythemethodof OldClXinit(B2)=f(b;B2;StepsbjB2)g;OldClXinit(B3)=f(c;B3;StepscjB3)g:
OldClXinit(B2)=f(b;B2;StepsbjB2)g,OldClXinit(B3)=f(c;B3;StepscjB3)g

6.1.COMPUTINGTHEBISIMULATIONEQUIVALENCECLASSES ForallthreeblocksB2;B3;B4,instep(2.2.2)ofthemainalgorithm(Figure6.4,page 141
136),theconstructionofthetreeTreeBiisskippedbecauseNewClXinit(Bi)=;.Hence, wegetBi=Xinit=fBig,NewBi=;andStepClXinit(Bi)=StepClXtrivial(Bi),i=1;2.In summary,therstrenementstepyieldsthepartition
andNew=fB1;B2;B3g.Inthesecondrenementstep,alltreesconstructedinstep (2.2.1)ofthemainalgorithmofFigure6.4(i.e.instep(1.2)ofmethodofFigure6.6 X=Rene(Xinit)=ffs1;s2g;fs3g;fs4g;B2;B3;B4g
(page142))consistofasinglenode.Thus,B=X=fBg,NewB=;forallB2X.In step(3),ouralgorithmreturnsXasthesetofbisimulationequivalenceclasses. Complexity:Letn=jSjbethenumberofstates,mthenumberoftransitions,i.e.m= theinitialization(step(0)ofFigure6.4,page136)takesO(njActj)=O(n)timeas, foreachstates2S,wetraverseatreeofdepthjActj.10Inwhatfollows,letNbethe Ps2SjSteps(s)j.ItisclearthatourmethodcanbeimplementedinspaceO(nm).Clearly,
costfortheexecutionsofstep(2.2.1)ofthemainalgorithm(Figure6.4,page136)where Figure6.4)andletXibethepartitionwhichweobtaininthe(i+1)-strenementstep, totalnumberofrenementsteps(thenumberofexecutionsoftheloopinstep(2)in
werangeoverallblocksB2Xi,i=0;1;:::;N�1andlet i.e.X0=XinitXi+1=Rene(Xi),i=0;1;:::;N�1,XN=S=.LetCosti(2:2:1)bethe
bethetotalcostcausedbystep(2.2.1).Similarly,wedeneCost(2:2:2)tobethetotal Cost(2:2:1)=N�1 Xi=0Costi(2:2:1)
renementsteps.WeshowinSection6.3(Lemma6.3.4(page155)andLemma6.3.6 costthatarisesfromtheexecutionsofstep(2.2.2)ofFigure6.4wherewerangeoverall (page157)):Cost(2:2:1)=O(mn(logm+logn));Cost(2:2:2)=O(mn): Thus,weobtainthetimecomplexityO(mn(logm+logn))forcomputingthebisimulation equivalenceclasses.
10RecallthatweassumeActtobexed.

142 CHAPTER6.DECIDINGBISIMILARITYANDSIMILARITY
ComputingNewClX(B)andOldClX(B) Input: {apartitionXandB2X {anenumerationC1;:::;ClofNew
(0)WesetNewClX(B):=;,OldClX(B):=;and Method: {StepClXold(B)(thestepclassesofBwithrespecttothepreviouspartition)
(1)WhileQ6=;do (1.1)Choosesomehj;b;a;L;hi2QandsetQ:=Qnfhj;b;a;L;hig; Q:=nh0;old;a;B;holdi:(a;hold)2StepClXold(B)o;
(1.2)ConstructanorderedbalancedtreeTforp=[Cj+1],2h(s),s2Lwhere eachnodevislabelledbyarecord(v:key;v:states;v:steps)suchthat {v:stepsisthefunctionthatassignstoeachstates2v:statestheset {v:states=fs2B:v:key=[Cj+1]forsome2h(s)g,
Wedene: v:steps(s)=f2h(s):v:key=[Cj+1]g;
(1.3)IfTconsistsoftwoormorenodesthenb0:=newelseb0:=b; V2:=fv:vnodeinTwithjv:statesj V1 :=fv:vnodeinTwithjv:statesj=1g; 2g;
(1.4)Ifj

6.2.COMPUTINGTHESIMULATIONPREORDER 6.2 Computingthesimulationpreorder 143
thenon-probabilisticcase[HHK95]:WestartwiththetrivialpreorderR=S thensuccessivelyremovethosepairs(s;s0)fromRwhereshasatransitionthatcannotbe concurrentprobabilisticsystem(S;Act;Steps).Theschemaofouralgorithmisasin Wepresentanalgorithmthatcomputesthesimulationpreorderofaniteaction-labelled
\simulated"byatransitionofs0.ThisschemaissketchedinFigure6.7(page144).Inthe non-probabilisticcase,svRs0iforeachtransitionsa �!tthereisatransitions0a �!t0with Sand
(t;t0)2R.For(S;Act;Steps)tobeanaction-labelledconcurrentprobabilisticsystem ands,s02S,therelationvRisgivenby:svRs0iforeachtransitionsa transitions0a Denition3.4.16(page60),i.e.svRs0ieithersisterminalorP(s;)R0P(s0;)where R0=fha;ti;ha;t0i):(t;t0)2R;a2Actg. �!0with R0.11Inthefullyprobabilisticcase,svRs0isdenedasin �!thereisa
Fornon-probabilisticsystems,theschemaofFigure6.7canbeimplementedintime O(mn)[HHK95].Itseemstobehardtomodifythemethodof[HHK95]fortheprobabilis- ofsomestatet(inthesensethatthereisatransitionsa ticcasebecauseitsuccessivelyremovesthosepairs(s;s0)ofRwheresisana-predecessora-successorinft0:(t;t0)2Rg.Theproblemintheprobabilisticcaseisthattheintheprobabilitiesforthea-successors/predecessorsofthestatesdonotcontainthenecesducedpredecessor/successorrelationsonstates12doesnotgiveenoughinformation.Even �!t)ands0doesnothavean
statesthatcannotbedistinguishedwiththesepredecessor/successorrelations(cf.Remark saryinformationforcomputingthesimulationpreordersincetheremightbenon-similar
testwhethersvRs0isdonewiththehelpofamethodfordecidingwhether Intheprobabilisticcase,weimplementtheschemaofFigure6.7insuchawaythatthe 3.4.11,page57).
chosennetwork. somedistributions,0onanitesetXandabinaryrelationRonX.Weshowthat thequestionwhether R0canbereducedtoamaximumowprobleminasuitable R0for
viaamaximumowproblem.Then,inSection6.2.2wedescribeouralgorithmfor Weproceedinthefollowingway.InSection6.2.1,weexplainhowtotestwhether concurrentprobabilisticsystemswhileSection6.2.3dealswithfullyprobabilisticsystems. R0
6.2.1 Weshowthatthequestionwhethertwodistributionsarerelatedviaaweightfunction (i.e.whether Thetestwhether R0)canbereducedtoamaximumowprobleminasuitablechosen R0
network. Networksandtheirmaximumow:Webrieyrecallthebasicdenitionsofnetworks. Forfurtherdetailsaboutnetworksandmaximumowproblemsseee.g.[Even79].A (thesink)andacapacitycap,i.e.afunctioncap:E!IR0whichassignstoeachedge networkisatupleN=(N;E;?;>;c)where(N;E)isanitedirectedgraph(i.e.Nisa setofnodes,E 11Here,Ristheweight-function-basedrelationdenedasinSection2.2,page30. 12E.g.inconcurrentprobabilisticsystems,sisana-predecessorofti(t)>0forsome2Stepsa(s)
N Nasetofedges)withtwospeciednodes?(thesource)and>

144 CHAPTER6.DECIDINGBISIMILARITYANDSIMILARITY
Computingthesimulationpreorder
Method: Output:thesimulationpreordervsimonS Input:anite(probabilisticornon-probabilistic)systemwithstatespaceS
ReturnR. Whilethereexists(s;s0)2Rwiths6vRs0doR:=Rnf(s;s0)g; R:=S S;
(v;w)2Eanon-negativerealnumbercap(v;w).AowfunctionfforNisafunction Figure6.7:Generalschemaforcomputingthesimulationpreorder
whichassignstoeachedgeearealnumberf(e)suchthat: {0 {Letin(v)bethesetofincomingedgestonodevandout(v)thesetofoutgoingedges fromnodev.Then,foreachnodev2Nnf?;>g: f(e) cap(e)foralledgese.
e2in(v)f(e)= X e2out(v)f(e) X
TheowFlow(f)offisgivenby
ThemaximumowinNisthesupremum(maximum)overthevaluesFlow(f)wheref Flow(f)= e2out(?)f(e)�X X
rangesoverallowfunctionsinN.Algorithmstocomputethemaximumowaregiven e2in(?)f(e):
Thetestwhether e.g.in[FoFu62,Dini70,MPM78,CHM90].
Wechoosenewelements?and>notcontainedinS[S,?6=>.Weassociatewith (;0)thefollowingnetworkN(;0;R).ThenodesaretheelementsofS[Sand?(the 02Distr(S).LetS=ft:t2Sgwheretarepairwisedistinct\new"states(i.e.t=2S). R0:LetSbeaniteset,RasubsetofS Sandlet,
source)and>(thesink),i.e.N=f?;>g[S[S.Theedgesare
I.e.theunderlyinggraph(N;E)isoftheform E=f(s;t):(s;t)2Rg[f(?;s):s2Sg[f(t;>):t2Sg:
? sn > s2 s1
sn
s2 k k s1 m
HHHHHHHj
*: . ZZZZZZZ~
-
k . XXXXXXXz* HHHHHHHj -* m k : ZZZZZZZ~
XXXXXXz

6.2.COMPUTINGTHESIMULATIONPREORDER whereS=fs1;:::;sngandwherethearrowsbetweenthenodessiandthenodessj 145
Thecapacitiescap(e)2[0;1]aregivenby: describetherelationRinthesensethatthereisanarrowfromsitosji(si;sj)2R.
Asin(?)=;wegetcap(?;s)=(s),cap(t;>)=0(t),cap(s;t)=1. foreachowfunctionfinN(;0;R). Flow(f)= s2Supp()f(?;s) X
Lemma6.2.1 Proof: Firstweassumethat R0ithemaximumowinN(;0;R)is1.
Flow(f)=Xs2Sf(?;s) R0.ForeachowfunctionfinN(;0;R):
Letweightbeaweightfunctionfor(;0)withrespecttoR.Wedeneaowfunction Xs2Scap(?;s)=Xs2S(s)=1:
fasfollows:f(?;s)=(s),f(t;>)=0(t)andf(s;t)=weight(s;t).Then,
Hence,themaximumowofN(;0;R)is1. Flow(f)= s2Supp()f(?;s)= X s2Supp()(s)=1: X
Next,weassumethatthemaximumowis1.LetfbeaowfunctionwithFlow(f)=1. Sincef(?;s) cap(?;s)=(s)andsince
wegetf(?;s)=(s)foralls2S.Similarly,wegetf(t;>)=0(t)forallt2S.Let Xs2Sf(?;s)=Flow(f)=1=Xs2S(s)
weight(s;t)=f(s;t)forall(s;t)2Randweight(s;t)=0if(s;t)=2R.Then,
andsimilarly,Ps2Sweight(s;t)=0(t).Hence,weightisaweightfunctionfor(;0) Xt2Sweight(s;t)=Xt2Sf(s;t)=f(?;s)=(s);
withrespecttoR.Thus, Lemma6.2.1(page145)yieldsamethodfordecidingwhether thenetworkN(;0;R)andcomputethemaximumowwithwell-knownmethods(see Figure6.8,page146). R0. R0.Weconstruct
TheassociatednetworkN(;0;R)isofthefollowingform. Example6.2.2LetS=ft;ug,R=f(t;t);(u;u);(u;t)gand,02Distr(S)with (t)=13; (u)=23; 0(t)=0(u)=12:
? tu u > t k kk m k m HHHj 1323* * - HHHj* 12

146 CHAPTER6.DECIDINGBISIMILARITYANDSIMILARITY
Output:\Yes"if Testwhether Input:anonemptynitesetS,distributions,02Distr(S)andR R0
Method: R0,\No"otherwise. S S
ifF)=f(t;>)=12
networkisthoseof[CHM90]whichhastimeandspacecomplexityO(n3=logn)and R0.
O(n2)respectivelywherenisthenumberofnodesinthenetwork.Hence: Lemma6.2.3Thetestwhether O(n2)wheren=jSj. Remark6.2.4Anotherpossibilityfortestingwhether R0canbedoneintimeO(n3=logn)andspace
inglinearinequalitysystemwiththevariablesxs;t,(s;t)2R: Xt2S
R0istoconsiderthefollow-
(s;t)2Rxs;t=(s)foralls2S
(s;t)2Rxs;t=0(s)forallt2S Xs2S
TheabovesystemhasjRj=O(n2)variablesandjRj+2jSj=O(n2)equations.Toour andxs;t thatcase,thesolution(xs;t)(s;t)2Ryieldsaweightfunctionfor(;0)withrespecttoR. knowledge,thereisnomethodforsolvinginequalitysystemsofthistypethatbeatthe 0forall(s;t)2R.Then, R0ithesystemabovehasasolution.In
6.2.2 timecomplexityO(n3=logn).
Inthesequel,(S;Act;Steps)isaniteaction-labelledconcurrentprobabilisticsystem.If RisabinaryrelationonSands,s02Sthen Theconcurrentcase
ThealgorithmforcomputingthesimulationpreorderissketchedinFigure6.9(page 148).WerstcomputethesetR=f(s;s0)2S svRs0iwheneversa �!thenthereissomes0a S:act(s) �!0withact(s0);s6=s0g:If R0.

6.2.COMPUTINGTHESIMULATIONPREORDER R=f(s;s0):s6=s0gthenallstatesaresimilarandwearedone.Inwhatfollows,we 147
yieldstherstelementofQ,Remove(Q)whichremovestherstelementofQ(bothunder supposethatRdoesnotcontainallpairs(s;s0),s6=s0.WeorganizeRasaqueueQwhere theorderingintheinitialqueueisarbitrary.WeusetheusualoperatorsFront(Q)which
Initially,wedealwithSim(s;a;)(s0)=Stepsa(s0).Adistribution02Stepsa(s0)isremoved thatarestillcandidatestomatchthetransitionsa theassumptionthatQisnotempty)andAdd(Q;x)whichaddsxattheendofQ.For
fromSim(s;a;)(s0)justinthemomentwhere (s;s0)2Rand(a;)2Steps(s),weuseasetSim(s;a;)(s0)ofdistributions02Stepsa(s0) 6R0isdetected.Then, �!,i.e.6R0isnotyetdetected.
yieldstherstelementof()andNext()whichremovestherstelementof(),i.e.the elementsofStepsa(s0).FortheselistsSim(s;a;)(s0),weusetheoperationsFirst()which followingiterations.WerepresentthesetSim(s;a;)(s0)asalistconsistingof(pointersto) 6R0inall
Inwhatfollows,werefertoRasthesetofpairs(s;s0)thatarecontainedinQ.Byan listpointerisshiftedtothesecondelement. iteration,wemeantheexecutionofsteps(1)and(2)(includingthesubsteps(2.1)-(2.6)). Wesayapair(s;s0)isinvestigatedinsomeiterationifitisthoseelementofQthatis chosenintheelse-branchofstep(1). Initially,wedenelasttobethelastelementofQ.Inalliterations,lastiseitherundened (last=?)ortheleftmostelement(s;s0)ofQsuchthat{afterthelastinvestigation
investigatedthenwesetlast=?(step(2.5))and\wait"forthenextpair(t;t0)inQ Risthesimulationpreorder(cf.step(2.3)).Ifs6vRs0fortheelement(s;s0)whichis of(s;s0){noelement(t;t0)isremovedfromQ.Hence,ifweinvestigate(s;s0)where
whichwedonotremovefromQ(step(2.4.2)).
(s;s0)=lastandobtainsvRs0thenwehavetvRt0forallpairs(t;t0)2R.Thus,

148 CHAPTER6.DECIDINGBISIMILARITYANDSIMILARITY
Computingthesimulationpreorder
Method: Output:thesimulationpreordervsim Input:aniteaction-labelledconcurrentprobabilisticsystem(S;Act;Steps)
(0)[Initialization] (0.1)Q:=;; (0.2)Forall(s;s0)2S (0.2.1)Add(Q;(s;s0)); (0.2.2)last:=(s;s0); Swiths6=s0andact(s) act(s0)do
(1)IfQ=;thengoto(3)elsebegin(s;s0):=Front(Q);Remove(Q);end; (2)Forall(a;)2Steps(s)do (0.2.3)Forall(a;)2Steps(s)doSim(s;a;)(s0):=Stepsa(s0);
(2.2)While:simandSim(s;a;)(s0)6=;do (2.1)sim:=false;
(2.2.2)If (2.2.1)0:=First(Sim(s;a;)(s0));
(2.4)Ifsimandlast6=(s;s0)then (2.3)Ifsimandlast=(s;s0)thengoto(3); R0thensim:=trueelseNext(Sim(s;a;)(s0));
(2.4.1)Add(Q;(s;s0));
(2.6)goto(1); (2.5)If:simthenlast:=?; (2.4.2)Iflast=?thenlast:=(s;s0);
(3)ReturnR[f(s;s):s2SgwhereRisthesetofpairsthatarecontainedinQ. Figure6.9:Algorithmforcomputingthesimulationpreorder

6.2.COMPUTINGTHESIMULATIONPREORDER Example6.2.5Weapplyouralgorithmforcomputingthesimulationpreorder(Figure 149
6.9,page148)tothesystemshowninFigure6.10(page149).Intheinitializationstep (step(0))weobtainthequeueQcontainingthepairs {(u;u0),u,u02U,u6=u0 {(t1;t2),(t2;t1) {(si;sj),(si;v),(v;si),(v;v0),i;j=1;2,i6=j,v,v02fv1;v2;wg,v6=v0
Here,U=fuk1;uh2:k=0;:::;4;h=0;1;2gdenotesthesetofterminalstates.Thepairs {(u;t1),(u;si),(u;v),u2U,v2fv1;v2;wg,i=1;2.
u01 s1 ? HHHHHHHj t1 s s2
u21 v1 u31 u41 u1 t2 ?
s����@@@R
+ @@@R
w s����@@@R
u02 u12 v2 AAAU #"
AAAU
? u2 s?
?
?
-
a aa; a a
14 b c 34 b c
a13
23 38 a; a
58
12 12
Forinstance: (s2;s1),(si;w),(w;vj),(si;vj),i,j=1;2,areremovedduringtheirrstinvestigation. Figure6.10:
Forthepair(w;v1)thealgorithmcomputesthemaximumowofthenetwork ? HHj 3858* wu2 : u21 -
whichis5=8.Thus,thereisnotransitionofv1thatcan\simulate"thetransition 1>
thetransitions2a wa Forthepair(s2;s1)thealgorithmtriestondatransitionofs1whichcan\simulate" �!.
Therstinvestigationof(s1;s2)yields (s2;s1)isremovedfromR. �!1t2.As 6R1t2forall 2Stepsa(s1)=f1u01;1s1;gthepair
Sim(s1;a;1s1)(s2)=f1s2g;Sim(s1;a;)(s2)=f1t2g
Sim(s1;a;1u01)(s2)=f1t2;1s2g

150 as6R1s2and1s16R1t2. CHAPTER6.DECIDINGBISIMILARITYANDSIMILARITY
(x;y)2R.Hence,if(x;y)istheelementofQwhichisinvestigatedimmediatelyafterthe isalreadyremovedfromQ).Aftertheremovementof(t2;t1)wehavexvRyforall theinitializationstep).Then,therstinvestigationof(t2;t1)yieldst26vRt1(as(w;v1) Wesupposethatinitiallythepair(t2;t1)isthelastelementofQ(i.e.last=(t2;t1)after
of(x;y).AfterinvestigatingallremainingelementsofQoncemore,wereachagainthe thesimulationpreorderwhichconsistsofthefollowingpairs. removementof(t2;t1)thenthealgorithmsetslast=(x;y)afterthe(second)investigation pair(x;y)=last.Thus,theconditionofstep(2.3)isfullledandthealgorithmreturns {(s1;s2),(t1;t2)
andallpairs(x;x),x2S. {(u;x),u2U,x2fs1;s2;t1;t2;v1;v2;wg {(vi;sj),(w;sj),(vi;w),i,j=1;2
(Then,m=Ps2Sms.) Complexity:Letn=jSjbethenumberofstatesandmthenumberoftransitions,
Wesupposearepresentationof(S;Act;Steps)whichcontainsforeachstates2Sandeach i.e.m=Ps2SjSteps(s)j.Fors2Sanda2Act,letms=jSteps(s)j,ma;s=jStepsa(s)j.
times.Then,thetimecomplexityofouralgorithmisO(Nn3=logn)ifthetestwhether Then,theinitializationstep(i.e.thecomputationoftheinitialsetR,thesetsSim(s;a;;s0) andlast)takesO(n2jActj)=O(n2)time.Wesupposethatstep(2.2.2)isexecutedN- actiona2Actapointertoalistwhoseelementsrepresentthedistributions2Stepsa(s).
thenwereachstep(3)wherethealgorithmhalts.Hence,atmostaftern2iterations Ifinstep(2.3)theconditionsim^last=(s;s0)isfullled,i.e.tvRt0forall(t;t0)2R, [CHM90].WeshowthatN R0isdonebycomputingthemaximumowinN(;0;R)withthealgorithmof mn3+m2.13
atmostma;s0unsuccessfulattemptstond02Stepsa(s0)with isinvestigatedatmostn2-times.Foreachpair(s;s0)and(a;)2Steps(s),thereare eithersomepair(s;s0)isremovedfromRorthealgorithmshalts.Thus,eachpair(s;s0)
N(s;a;;s0)-timeswhereN(s;a;;s0)=n2+ma;s0:Weobtain (s;s0)isinvestigatedandforxed(a;)2Steps(s),step(2.2.2)isexecutedatmost as 6R0isdetected0isremovedfromSim(s;a;)).Rangingoveralliterationswhere R0(sinceassoon
ThespacecomplexityisO(mn+n2)astherepresentationofthetransitionrelationtakes N Xs2SX a2Act2Stepsa(s)Xs02SN(s;a;;s0) X Xs2S(a;)2Steps(s)(n3+m)=mn3+m2: X
O(mn)space,therepresentationofR(i.e.thequeueQ)O(n2)space.Foreachofthe listsSim(s;a;)(s0)weneedO(ma;s0)space.Summingupoveralls0,a,s,weneed
spacefortherepresentationofthelistsSim(s;a;)(s0).Weobtain: O0@Xs2SX
13Intuitively,thenumberofunsuccessfultestswhether a2ActXs02Sma;s01A=O(mn)
upperboundforthenumberofsuccessfultestswhether R0.
R0isboundedbym2whilemn3isan

6.2.COMPUTINGTHESIMULATIONPREORDER Theorem6.2.6Inconcurrentprobabilisticsystems,thesimulationpreordercanbecom- 151
statesandmthenumberoftransitions. Thefollowingremark(Remark6.2.7)showsthateachalgorithmforcomputingthesimuputedintimeO((mn6+m2n3)=logn)andspaceO(mn+n2)wherenisthenumberof testswhethersvRs0viathecondition lationpreorderwhichisbasedontheschemasketchedinFigure6.7(page144)andwhich
hastotestwhether thenumberofunsuccessfultestswhether R0for(m2)pairs(;0).14Thus,fortheworstcasecomplexity (*) 8sa �!9s0a �!0: R0instep(2.2.2)cannotbereduced. R0
However,itmightbepossibletoimprovethealgorithm,e.g.byreplacing(*)byasimpler conditionorbyreducingthenumberofsuccessfultestsinstep(2.2.2).
Moreover,wesupposethatthereissomeactionasuchthat: whereS=fs0;:::;skg[fs;s0g,sivsimsjii Remark6.2.7Let(S;Act;Steps)beanaction-labelledconcurrentprobabilisticsystem
-Stepsb(s)=Stepsb(s0)=;forallb6=a jandjSteps(si)j 1,i=0;:::;k.15
Then,forallpairs(;0)2Stepsa(s)Stepsa(s0)wehavetotestwhether -If2Stepsa(s),02Stepsa(s0)thenthereisnoweightfunctionfor(;0)withrespect tothesimulationpreordervsim.
whether m=ms+ms0+kwegetforxedk:(msms0)=(m2).Thus,thenumberoftests R0is(m2). R0.Since
numberoftestswhether Theorem6.2.8Inreactivesystems,thesimulationpreordercanbecomputedintime Dealingwithareactivsystem,wehaveN(s;a;;s0) R0)Weobtain: n2andN jActjn4(whereNisthe
O(n7=logn)andspaceO(n2)wherenisthenumberofstates. 6.2.3 Inwhatfollows,wexaniteaction-labelledfullyprobabilisticsystem(S;Act;P).Recall thatsvRs0ieithersisterminalorP(s;)R0P(s0;)where Thefullyprobabilisticcase
thenetwork(N;E;cap)where (seeDenition3.4.16,page60).Fors,s02SandR R0=fha;ti;ha;t0i):(t;t0)2R;a2Actg
N=f?;>g[Act (S[S),S=ft:t2Sg S SwedeneN(s;s0;R)tobe
E=f(?;ha;ti);(ha;ti;>):t2S;a2Actg[f(ha;ti;ha;ui):(t;u)2Rg cap(?;ha;ti)=P(s;a;t),cap(ha;ti;>)=P(s0;a;t),cap(ha;ti;ha;ui)=1. 15E.g.Steps(s0)=;andSteps(si)=f(a;i)gwherei(s0)=1=iandi(si)=1�1=i.
14Here,()denotesasymptoticlowerbounds.

152 SimilarlytoLemma6.2.1(page145)itcanbeshownthat CHAPTER6.DECIDINGBISIMILARITYANDSIMILARITY
Thus,thesimulationpreorderofafullyprobabilisticsystemcanbecomputedbythe followingmethod.Westartwiththepreorder svRs0ieithersisterminalorthemaximumowinN(s;s0;R)is1.
Aslongasthereisapair(s;s0)2Rwheres6vRs0weremove(s;s0)fromR.16This methodcanbeimplementedsimilartotheoneproposedinSection6.2(Figure6.9,page R=f(s;s0)2S S0:ifs0isterminalthensisterminalg:
148).Thetimecomplexityisasinthereactivecase.Weobtain: Theorem6.2.9Infullyprobabilisticsystems,thesimulationpreorderofcanbecomputed intimeO(n7=logn)andspaceO(n2)wherenisthenumberofstates. Inmanyapplications,onewantsonlytogivelowerandupperboundsonthepreobabilitiesofanacceptablesystembehaviourratherthantheexactprobabilities.Jonsson &Larsen[JoLa91]deneanotionof\satisfactionrelation"thatrelatesthestatesofa whichprescribesintervalsofallowedprobabilities.Notethatincontrastto[JoLa91]we labelledbyatomicpropositions.Wemodifythedenitionsof[JoLa91]asfollows. givenfullyprobabilisticsystemandthestatesofafullyprobabilisticspecicationsystem
Denition6.2.10[Action-labelledfullyprobabilisticspecicationsystems]An dealwithaction-labelledsystemswhile[JoLa91]dealswithsystemswherethestatesare
action-labelledfullyprobabilisticspecicationsystemisatuple(S;Act;P)whereSisa
Denition6.2.11[Thesatisfactionrelationsat]Let(S;Act;P)beaniteaction- suchthat,foralls,t2Sanda2Act,P(s;a;t)isaclosedintervalcontainedin[0;1]. nitesetofstates,ActanitesetofactionsandP:S Act S!2[0;1]isafunction
labelledfullyprobabilisticsystemand(S;Act;P)anaction-labelledfullyprobabilisticspec asfollows:ssatRsieithersisterminalorthereexsitsaweightfunctionfor(s;s)with respecttoR,i.e.afunctionweight:S t2S,t2S: icationsystem.IfR SSands2S,s2SthenwedenetherelationsatR Act S![0;1]suchthatforalla2Actand SS
2. 1.Ifweight(t;a;t)>0then(t;t)2R.
Asatisfactionrelationfor(S;Act;P)and(S;Act;P)isabinaryrelationR Xu2Sweight(t;a;u)=P(s;a;t); Xu2Sweight(u;a;t)2P(s;a;t):
suchthatssatRsforall(s;s)2R.Wewritessats0i(s;s)iscontainedinsome satisfactionrelationfor(S;Act;P)and(S;Act;P). S S
Therelationsat ofnetworkswithlowerandupperbounds,seee.g.[Even79].Westartwiththerelation simulationpreordervsimofafullyprobabilisticsystem;theonlydierencebeingtheuse R=S Sandsuccessivelyremovethosepairs(s;s)fromRwhere:(ssatRs).For S Scanbecomputedsimilartothewayinwhichwecomputethe
16Thetests6vRs0canbedonebycomputingthemaximumowinN(s;s0;R).

6.3.PROOFS thetestwhetherssatRswecomputethemaximumowinthenetworkN(s;s;R)= 153
boundcapl(e)andupperboundcapu(e)ofthepossibleowthrougheandwhere (N;E;capl;capu)wherecapl,capuarefunctionsthatassigntoeachedgee2Ethelower N=f?;>g[Act E=f(?;ha;ti);(ha;ui;>):t2S;a2Act;u2Sg[f(ha;ti;ha;ui):(t;u)2Rg (S]S)
capl(?;ha;ti)=capl(ha;ti;ha;ui)=0;capl(ha;ti;>)=minP(s;a;t)
capu(ha;ti;ha;ui)=1: capu(?;ha;ti)=P(s;a;t);capu(ha;ti;>)=maxP(s;a;t);
SimilarlytoLemma6.2.1(page145),ssatRsieithersisterminalorthemaximum andupperboundscanbereducedtothecomputationofthemaximumowina\usual" networkofthesameasymptoticsize(seee.g.[Even79]).Hence: owinN(s;s;R)is1.Theproblemofndingthemaximumowinanetworkwithlower
wheren=jSjandn=jSj. relationsat aniteaction-labelledfullyprobabilisticspecicationsystem(S;Act;P),thesatisfaction Theorem6.2.12Foraniteaction-labelledfullyprobabilisticsystem(S;Act;P)and SScanbecomputedintimeO((n+n)7=log(n+n))andspaceO((n+n)2)
6.3 ThissectioncompletestheproofofTheorem6.1.8(page134)byshowingthatthetotal costCost(2:2:1)ofstep(2.2.1)andCost(2:2:2)ofstep(2.2.2)inthealgorithmforcomuting Proofs
areO(mn(logm+logn))andO(mn)respectively. thebisimulationequivalenceclasseswiththemethodsketchedinFigure6.4(page136) Lemma6.3.1LetXbeanonemptynitesetand(X0;:::;Xr)asequenceofpartitions onXsuchthatXiisnerthanXi�1,i=1;:::;r.Then,
whereX0 =0jX0 rXi i=XinXi�1,i=0;:::;r,andX�1=fXg. ij 2(jXj�1)
deneKX=PijX0 thatr Proof: 0andXiisnerthanXi�1,i=0;:::;r.IfX=(X0;:::;Xr)2KXthenwe LetKXbethesetofnitesequencesX=(X0;:::;Xr)ofpartitionsofXsuch ijwhereX0 KX=maxnKX:X2KXo: i=XinXi�1,i=0;:::;r.Weset
jXj WeshowbyinductiononjXjthatKX 2.Byinductionhypothesis,KB 2jBj�2forallnonemptypropersubsetsB
2(jXj�1).ThecasejXj=1isclear.Let

154 ofX.Clearly,foreachsequenceX=(X0;:::;Xr)2KX:IfX0 CHAPTER6.DECIDINGBISIMILARITYANDSIMILARITY
KX=0.Otherwisewemaysupposew.l.o.g.thatX06=;.Ifr=0then KX=jX0j jXj 2(jXj�1): i=;,i=0;:::;r,then
NowweassumethatX06=;andr (*) B2X0jBj X1.Then,
ForB2X0,letXB=(XB1;:::;XBr)whereXB jXj; i=fC2Xi:C jX0j 2:
andX0 i=SB2X0(XB inXB i�1),i=1;:::;r.Byinductionhypothesis, KXB KB 2jBj�2: Bg.Then,XB2KB
Hence,by(*):KX=jX0j+X 2jXj�jX0jB2X0KXB 2jXj�2: jX0j+2X B2X0jBj�2jX0j
XsuchthatXiisnerthanXi�1,i=1;:::;r.LetX�1=fXg.Foreachi2f0;:::;rg, Thus,KX Lemma6.3.2LetXbeanonemptynitesetand(X0;:::;Xr)asequenceofpartitionson 2(jXj�1).
letYibeapropersubsetofXinXi�1suchthat:
Then, (*)ForeachC2Xi�1nXithereissomeA2XinYiwithA B2YiwithB rXi=0jYijC. C,andjBj jAjforall
2(jXj�1) and rXi=0X Proof: ByLemma6.3.1(page153): B2YijBj jXjlogjXj:
WeshowbyinductiononjXjthateachelementx2XiscontainedinSB2YiBforat XijYij XijXinXi�1j 2(jXj�1):
mostlogjXjindicesi2f0;:::;rg.Thisyields =0X rXi whereI(x)=f0 iB2YijBj=Xx2XX r:x2BforsomeB2Yig. i2I(x)1 Xx2XlogjXj=jXjlogjXj
WehavetoshowthatjI(x)j jBj foralli.LetjXj jXj=2forallB2Y0[:::[Yr.IfjXj=1thenthereisnothingtoshowsinceYi=; 2andx2X.WemaysupposethatI(x)6=;,i.e.x2SiSB2YiB.
logjXjforallx2X.Firstweobservethat(*)yields

6.3.PROOFS Letibethesmallestindex 0suchthatx2BforsomeB2Yi(i.e.i=minI(x)).By 155
SincejBj inductionhypothesis,
Asbefore,weassume(S;Act;Steps)tobeaniteaction-labelledconcurrentproba- jXj=2wegetjI(x)j jfi+1;:::;rg\I(x)j 1+logjBj=log(2jBj) logjBj:
bilisticsystem.n=jSjdenotesthenumberofstates,mthenumberoftransitions, logjXj.
Ps2SjStepsa(s)j.(Then,m=Pa2Actma.)RecallthatweassumeActtobexed.Hence, i.e.m=Ps2SjSteps(s)j.Fora2Act,maisthenumberofa-transitions,i.e.ma= wetreatjActjasaconstant. LetX0=Xinit;X1;:::;XNbethesequenceofpartitionsthatareobtainedbyouralgorithm (Figure6.4,page136).I.e.
step.I.e.New0=Newinitand whereX�1=Xtrivial=fSg.LetNewidenotethesetNewinthe(i+1)-strenement X0=Xinit,Xi=Rene(Xi�1),i=0;:::;N�1,andXN=S=
Newi= B2Xi�1NewB;i=1;:::;N�1: [
LetCi1;:::;CilibetheenumerationofNewiandletC1;:::;Clbethesequence
Lemma6.3.3Wehavel C01;:::;C0l0;C1;:::;C1l1;C12;:::;C2l2;:::;CN�1 2(n�1)and 1 ;:::;CN�1 lN�1:
=1jCij lXi Proof: WeconsiderthesetX=SandthepartitionsX0=Xinit;X1;:::;XNofX. nlogn:
A2XinNewiwithA (*)onpage136).Lemma6.3.2(page154)yields: Then,NewiisapropersubsetofXinXi�1suchthatforeachC2Xi�1nXithereissome CandjBj jAjforallB2NewiwhereB C(cf.condition
and l=N�1 Xi=0jNewij lXi=1jCij=N�1 2(n�1)
(wherewedealwithYi=Newi.) Xi=0B2NewijBj X nlogn
6.4onpage136(i.e.thecomputationsofNewCl()andOldCl()withthemethodof Lemma6.3.4Rangingoverallrenementsteps,theexecutionsofstep(2.2.1)inFigure Figure6.6,page142)takeO(mn(logm+logn))time.

156 Proof: Itsucestoshowthat,rangingoverallblocksB2X0[:::[XN�1,the CHAPTER6.DECIDINGBISIMILARITYANDSIMILARITY
constructionoftheorderedbalancedtreesinstep(1.2)ofFigure6.6(page142)takes O(mn(logm+logn))time.
upoverallblocksCiandusingLemma6.3.3(page155),wegetthetimecomplexity tions,forxedi,thecomputationofthevalues[Ci]takesO(jCijm)time.Summing Foreachi2f1;:::;lg,wehavetocomputetheprobabilities[Ci],2Sa;sStepsa(s).For
O(mnlogn)forthecomputationofthevalues[Ci],i=1;:::;l,2Sa;sStepsa(s). xediand,thecomputationof[Ci]takesO(jCij)time.Summingupoveralldistribu-
Foreachi2f1;:::;lg,weconstructanorderedbalancedtreeforthevalues[Ci],2H andHisoftheformH=Ss2Lh(s)forsometuple(a;L;h).Inthatcase,wespeakabout setsHforwhichthereexistsan(i;H)-executionofstep(1.2)inFigure6.6.Then: the(i;H)-executionofstep(1.2)inFigure6.6(page142).LetExec(i)bethesetofall
LetT(i;H)betheorderedbalancedtreewhichisconstructedinthe(i;H)-execution.If {IfH1,H22Exec(i)thenH1=H2orH1\H2=;.
jT(i;H)jdenotesthenumberofnodesinT(i;H)thenthe(i;H)-executioncausesthecost {ForxediandH,thereisatmostone(i;H)-execution.
O(K(i;H))where
ofallexecutionsofstep(1.2)inFigure6.6areO(K)where (andwherethecostforcomputingthevalues[Ci],2H,areneglected).Thetotalcost K(i;H)=jHjlogjT(i;H)j+1
K=lXi=1H2Exec(i)K(i;H)=lXi=1 X H2Exec(i)jHjlogjT(i;H)j+1: X
wedene eachofthemcontainedinsomeH2Exec(i)(cf.condition(**)onpage138).Fori

6.3.PROOFS K0(l�i+1;Hj) ijHjjlog(jHjj+1),j=1;:::;r. 157
SincejH1j+:::+jHrj K0(l�i;H) jHjlogjT(l�i;H)j+1 jHjandjT(l�i;H)j jHjweget
jHjlog(jHj+1)+ijHjlog(jHj+1)=(i+1)jHjlog(jHj+1): +irXj=1jHjjlog(jHjj+1)
SinceExec(1)=fSs2SStepsa(s):a2Actgnf;gweget
Hence,by(I)and(II): H2Exec(1)jHj=X X a2ActXs2SjStepsa(s)j=m:
ByLemma6.3.3(page155),wehavel K= H2Exec(1)K0(1;H) X H2Exec(1)ljHjlogjHj 2n.Therefore, X lmlogm:
(1.2)inFigure6.6(page142)whereweneglectthecostforcomputingthevalues[Ci]. Thus,wegetthetimecomplexityO(mnlogm)fortheconstructionsofthetreesinstep K lmlogm 2nmlogm:
Addingthecostforthecomputationsofthevalues[Ci]weobtainthetimecomplexity O(mn(logm+logn))forallexecutionsofstep(2.2.1)inthemainalgorithm. Lemma6.3.5 N�1
Proof: LetMi=PB2XijNewClXi(B)j.Then,Mi=Pa2ActjHa;ijwhere Xi=0X B2XijNewClXij 2(m�1):
WeconsiderthesetXa=Ss2SStepsa(s)ofalla-labelledtransitionsin(S;Act;Steps). Ha;i=([
ThesetsHa;icanbeextendedtopartitionsXa;iofXasuchthatXa;iisnerthanXa;i�1 s2Lh(s):B2Xi;(a;L;h)2NewClXi(B)):
andHa;i Xa;inXa;i�1(cf.condition(**)onpage138).Thus, N�1 Xi=0Mi=X 2(jXj�1) a2ActN�1 Xi=0jHa;ij X a2ActN�1 XXi=0jX0a;ij
byLemma6.3.1(page153).Here,X0a;i=Xa;inXa;i�1. Lemma6.3.6Summingupoverallrenementsteps,theexecutionsofstep(2.2.2)in a2Act2(ma�1)=2(m�1)
Figure6.4onpage136(thecomputationsofB=Xwiththemethoddecsribedonpage 139)takeO(nm)time.

158 Proof: WedeneKi=maxfjNewClXi(B)j:B2Xig.Inthe(i+1)-strenement CHAPTER6.DECIDINGBISIMILARITYANDSIMILARITY
since,foreachstates2S,wetraverseabinarytreeofheight (page157): step(i.e.inthecomputationofXi+1=Rene(Xi)),step(2.2.2)causesthecostO(nKi) N�1 Xi=0Ki N�1 Xi=0X Ki.ByLemma6.3.5
Thus,step(2.2.2)causesthecostO(nm).
B2XijNewClXij 2(m�1):

Chapter7
Weakbisimulationforfully probabilisticprocesses
andotheroperators{theymakeitpossibletoreplacecomponentsbyequivalentonesthat bisimulationequivalencearefundamentalforvericationmethodsthatexploitabstraction frominternalcomputationas{beingcompositionalwithrespecttoparallelcomposition Inthenon-probabilisticcase,weak[Miln80,Park81,Miln89]orbranching[vGlWe89]
frominternalcomputationsareproposedbyIvanandLindaChristo[Chri90a,Chri90b, setting,appropriatenotionsofweakequivalencetogetherwithecientdecisionprocedures arehighlydesirable.Testingequivalencesforfullyprobabilisticsystemsthatabstract areminimizedwithrespecttotheirinternalbehaviour.Clearly,alsointheprobabilistic
etal[CSZ92,YCDS94].Forthelatter,theauthorspresentaprooftechniquebutdo ChCh91,Chri93](whoalsopresentpolynomialtimedecisionprocedures)andCleaveland notinvestigatethedecidability.Segala&Lynch[SeLy94]introducenotionsofweak andbranchingbisimulationforconcurrentprobabilisticsystemsthatappearasnatural extensionsofweakandbranchingequivalencesfornon-probabilisticsystems.Recentwork showsthatweak[PSS98]andbranching[BSV98]bisimulationequivalencearedecidablefor inteamworkwithHolgerHermanns[BaHe97])proposesnotionsofweakbisimulation andbranchingbisimulationinthefullyprobabilisticsettingandpresentsapolynomial decisionprocedure. niteconcurrentprobabilisticsystems.Thischapter(whosemainresultsaredeveloped
Weakbisimulationinnon-probabilisticsystems:Theweakbisimulationequivalenceclassesofanite(non-probabilistic)labelledtransitionsystem(S;Act;�!)can becomputedasthe(strong)bisimulationequivalenceclassesoftheinducedsystem (S;(Actnfg)[f"g;=)).Here,the\doublearrowrelation"
isdenedwiththehelpofthetransitive,reexiveclosure(�!)ofinternaltransitions.1 Thus,theproblemofdecidingweakbisimulationequivalenceisreducedtothecompu- =) S ((Actnfg)[f"g)S
reachablefromsviainternalactions)while=)=(�!)�!(�!). tationofthetransitive,reexiveclosure(�!)oftheinternaltransitionsanddeciding 1Fortheemptyword",thetransitionrelation" =)agreeswith(�!)(i.e.s" =)tassertsthattis
159

(strong)bisimulationequivalenceinanitesystem.Usingthetransitiveclosureoperation 160 CHAPTER7.WEAKBISIMULATION
from[CoWi87]andthepartitioning/splittertechniqueby[PaTa87]thetimecomplexityfor decidingweakbisimulationequivalenceisO(n2:3)wherenisthenumberofstates.Groote &Vaandrager[GroVa90]proposeanalgorithmforcomputingthebranchingbisimulation
(i.e.thesizeof�!). andrunsintimeO(nm)wherenisthenumberofstatesandmthenumberoftransitions tioning/splittertechniqueala[PaTa87]thatusesbothtransitionrelations�!and=)equivalenceclassesofanon-probabilisticsystemwhichworkswithavariantoftheparti- reachstatetfromsviaasequenceoftransitionslabelledbyatraceoftheform Weakbisimulationinfullyprobabilisticsystems:Thischapterintroducesnotions ofweakbisimulationandbranchingbisimulationforfullyprobabilisticsystems.The basicideaistoreplaceMilner's\doublearrowrelation"s=)tbytheprobabilitiesto
fullyprobabilisticsystems.Theproposednotionofweak(orbranching)bisimulation Incontrasttothenon-probabilisticcasewherebranchingbisimulationisstrictlyner thanweakbisimulation,weakandbranchingbisimulationequivalencecoincidefornite.
equivalenceisdecidablefornitesystems.Wepresentanalgorithmtocomputetheweak bisimulationequivalenceclasseswithamodicationofthepartitioning/splittertechnique ala[KaSm83,PaTa87].Thetimecomplexityofourmethodiscubicinthenumberof states;thus,itmeetstheworstcasecomplexityfordecidingbranchingbisimulationinthe non-probabilisticcase[GroVa90](where,intheworstcase,O(m)=O(n2)).Moreover, weakbisimulationisshowntobeacongruencewithrespecttotheoperatorsofPLSCCS probabilisticsystemsthatworkwiththelazyproductP1 (seeSection4.3,page83)withtheexceptionoftheprobabilisticchoiceoperator.2 Therefore,weakbisimulationisapplicableformechanisedcompositionalvericationof
tions.InSection7.2wepresentouralgorithmfordecidingweakbisimulationequivalence.Organizationofthatchapter:Section7.1introducesweakandbranchingbisimula- P2asparallelcomposition.
intheappendix(Section7.5).Theproofsusetheregularityofcertainmatrices(with Section7.3discussestheconnectionbetweenweak(andbranching)bisimulationequiv-
columnsandrowsforeachstateoftheunderlyingsystem).Thus,themainresultsare establishedinSection7.4.Mostoftheproofsfortheresultsofthischapteraregiven alenceandotherequivalencesforfullyprobabilisticsystems.Thecongruenceresultis
ThischaptermakesuseofthenotationsforpartitionsasexplainedinSection2.1(page toarbitraryfullyprobabilisticsystems(withpossiblyinnitelymanystates). onlyestablishedfornitesystems.Itisanopenquestionwhetherourresultscarryover
29)andfororderedbalancedtrees(seeSection12.2,page314).Moreover,weoftenuse (seeSection3.3.1,page49).Throughoutthischapter,wedealwithaction-labelledfully theprobabilitiesProb(s;;t)forstoreachaC-stateviaapathwhosetracebelongto probabilisticsystems.
isnotsurprisingasalreadyinthenon-probabilisticcase,weakandbranchingbisimulationequivalence failtobecongruenceswithrespecttonon-deterministicchoice.
2Thefactthatweak(andbranching)bisimulationequivalencearenotpreservedbyprobabilisticchoice

7.1.WEAKANDBRANCHINGBISIMULATION 7.1 Weakandbranchingbisimulation 161
Inthissectionwedeneweakandbranchingbisimulationforfullyprobabilisticsystems. Whileinthenon-probabilisticcasebranchingbisimulationequivalenceisstrictlynerthan weakbisimulationequivalence,thesetworelationscoincidefornitefullyprobabilistic systems(Theorem7.1.10,page163). 7.1.1 Forthedenitionofweakbisimulation,wereplaceMilner's\doublearrow"relation" =(�!)(wheres" Weakbisimulation
dealwiththeprobabilitiesProb(s; Prob(s;;t)toreachstatetfromsviainternalactions.Similarly,for2Actnfg,we =)tstatesthatscanmovetotviainternalsteps)bytheprobability ;t)ratherthanMilner'sweaktransitionrelations =)
=)=(�!)�!(�!).3 Denition7.1.1[Weakbisimulation]Aweakbisimulationonanaction-labelledfully probabilisticsystem(S;Act;P)isanequivalencerelationRonSsuchthatforall(s;s0)2 RandallequivalenceclassesC2S=R:
Twostatess,s0arecalledweaklybisimilar(denotedbys (1)Prob(s;;C)=Prob(s0;;C) (2)Prob(s; ;C)=Prob(s0; ;C)forall2Actnfg.
Remark7.1.2NotethatProb(s;;C)=1ifs2C.Hence,condition(1)isalways weakbisimulationR. s0)i(s;s0)2Rforsome
InSection7.5.1(Lemma7.5.16,page185)weshowthat,fornitesystems, bisimulation.TwofullyprobabilisticprocessesP=(S;Act;P;sinit),P0=(S0;Act;P0;s0init) fullledfortheequivalenceclassCofsands0withrespecttoR.
aresaidtobeweaklybisimilaritheirinitialstatessinitands0initareweaklybisimilarin thecomposedsystemwhichisdenedasexplainedinSection3.5(page61). isaweak
Example7.1.3WeconsiderthesimplecommunicationprotocolofExample3.3.2(page Usingweakbisimulationequivalenceas theunderlyingimplementationrelationthe 48)andthefullyprobabilisticsystemforthesendershowninFigure3.2onpage48.
shownontheright. sendercanbeveriedagainstthespecicationgivenbythefullyprobabilisticprocess ack?,1AAA s0init
s0waitsend!,1 A
fCI;CWgwhereCI=fsinit;s0initgistheequivalenceclassoftheinitialstatesandCW= fsdel;swait;slost;s0waitgtheequivalenceclassoftheotherstates.ForsI2CIandsW2CW, LetRbetheequivalenceonS=fsinit;sdel;swait;slost;s0init;s0waitgsuchthatS=R= Forthis,wehavetoshowthattheinitialstatessinitands0initareweaklybisimilar.
3SeeSection3.3.1,page49,forthedenitionofProb(s;;t).

wehave:Prob(sI;;CI)=1;
162 CHAPTER7.WEAKBISIMULATION
Prob(sI;;CW)=0; Prob(sI; send! ;CI)=0; Prob(sW;;CI)=0;
Prob(sI; ack? send! ;CI)=0; ;CW)=1; Prob(sW;;CW)=1; Prob(sW; send! ack? send! ;CI)=1; ;CI)=0;
Hence,Risaweakbisimulation.Inparticular,theinitialstatessinitofthesenderand Prob(sI; ack? ;CW)=0; Prob(sW; ack? ;CW)=0: ;CW)=0;
Inthenon-probabilisticcase,itholdsforweaklybisimilarstatess;s0thatifs1:::k thens01:::k s0initofitsspecicationareweaklybisimilar. =)t0suchthattandt0areweaklybisimilar.Here,1:::k =)denotes(�!) =)t
Theorem7.1.4Let(S;Act;P)beaniteaction-labelledfullyprobabilisticsystemand (�!):::(�!) �!(�!).Thisresultcarriesovertonitefullyprobabilisticsystems. k �! 1
Proof: aregularexpressionoftheform seeSection7.5.1,Theorem7.5.17(page186). Ifs s0thenProb(s;;C)=Prob(s0;;C)forallC2S=. 1 2::: kor 1 2::: k.Then:
VanGlabbeek&Weijland[vGlWe89]introducebranchingbisimulationwhichisstrictly 7.1.2 nerthanweakbisimulation.Thebasicideaofbranchingbisimulationisthatinorder Branchingbisimulation
intermediatestatesonthepathfroms0tos00alsofallintheequivalenceclassofsands0) manyinternalactionsleadingtoastates00whichisstillequivalenttosands0(i.e.the andthentoperform tosimulateasteps�!tbyanequivalentstates0,s0isallowedtoperformarbitrary
internalactionsinsidetheequivalenceclassofsands0andthentoperformavisible case,werequirethatforequivalentstatess,s0,theprobabilitiesforsands0toperform action leadingtostateofacertainequivalenceclassCarethesame. reachingastatet0whichisequivalenttot.Intheprobabilistic
Notation7.1.5[Thesymbolsba,a2Act]Fora2Act,let
Recallthat"denotestheemptywordinAct.Hence, ba=(a:ifa6= ":ifa=.
Notation7.1.6[TheprobabilitiesProbR(s;ba;C)]Let(S;Act;P)beanaction-labelledfullyprobabilisticsystem,RanequivalencerelationonS,s2S,C ba= ifa=.
a2Act.Then,PathRful(s;ba;C)denotesthesetoffulpaths thereissomek 0with 2Pathful(s)suchthat Sand
(s;(i))2R,i=1;:::;k�1, trace((k))2ba,

7.1.WEAKANDBRANCHINGBISIMULATION (k)2C. 163
LetProbR(s;ba;C)=Prob(PathRful(s;ba;C)),ProbR(s;ba;t)=Prob((s;ba;ftg).
Example7.1.8FortherelationRinExample7.1.3,page161,wehave Remark7.1.7Fors2C,Pathful(s)=PathRful(s;;C).Hence,ProbR(s;;C)=1if s2C.
forallstatessandC2fCI;CWganda2f;send!;ack?g. ProbR(s;ba;C)=Prob(s;ba;C)
\identityrelation"R(i.e.theequivalencerelationRwith(x;y)2Rix=y)wehave ProbR(s; Forthesystemshownontherightandthe
1=2. ;v)=0whileProb(s; ;v)= vt,12 s ,12
? ,1 u � �� @@@R
RonSsuchthatforall(s;s0)2R,C2S=R: Denition7.1.9[Branchingbisimulation]Let(S;Act;P)beanaction-labelledfully probabilisticsystem.Abranchingbisimulationon(S;Act;P)isanequivalencerelation (1)ProbR(s;;C)=ProbR(s;;C)
branchingbisimulationR. Twostatess,s0arecalledbranchingbisimilar(denotedsbrs0)i(s;s0)2Rforsome (2)ProbR(s; ;C)=ProbR(s; ;C)forall2Actnfg.
InSection7.5.1,Lemma7.5.15(page185)weshowthat,for(S;Act;P)tobenite, branchingbisimulationequivalencebrisabranchingbisimulation.Incontrasttothe
Theorem7.1.10Let(S;Act;P)beaniteaction-labelledfullyprobabilisticsystemand non-probabilisticcase,branchingbisimulationequivalenceandweakbisimulationequivalencecoincidefornitesystems. s,s02S.Then,s Theclassicalexamplefordistinguishingweakandbranchingbisimulationequivalenceis Proof: seeSection7.5.1,Corollary7.5.13(page184). s0is brs0.
thesystemshowninFigure7.1onpage164(see[vGlWe89]).Inthenon-probabilistic
1=Prob(s; nolongerweaklybisimilar.Thiscanbeseenasfollows.Weassumes (whichturnthesystemofFigure7.1intoafullyprobabilisticsystem)thensands0are case,sands0areweaklybutnotbranchingbisimilar.Ifweaddnon-zeroprobabilities
equivalenceclassoft.Clearly,v006tastcanperform(sinceP(t;)>0)whilev00cannot (sinceProb(v00; )=0).Hence,v00=2TandthereforeP(s0;;t0)=1,P(s0;;v00)= ;T)=Prob(s0; ;T)whereTdenotestheweakbisimulation s0.Then,
Figure7.1).
0.Contradiction(asweaddednon-zeroprobabilitiestothenon-probabilisticsystemof

164 CHAPTER7.WEAKBISIMULATION
wv ts
u w0 v0 ? t0 s0
AAAU AAAU ���@@@R u0 w00 v00
? ? ?
Figure7.1:Distinguishingweakandbranchingbisimulationinthenon-probabilisticcase 7.2 Inthissectionwedevelopanalgorithmtocomputetheweakbisimulationequivalence classes.Thegeneralideaofouralgorithmistouseapartitioning/splitter-technique Decidabilityofweakbisimulationequivalence
[PaTa87]fordecidingstrongbisimulationinthenon-probabilisticcase(cf.theschema similartotheonesproposedbyKanellakis&Smolka[KaSm83]resp.Paige&Tarjan
equivalenceclasses.Thecrucialpointisthedenitionofasplitter.Apossiblecandidate sketchedinSection6.1,Figure6.1onpage131).Thealgorithmstartswithsome\simple"
fora\splitter"ofapartitionXisapair(a;C)2Act partitionXinitthatiscoarserthan withthehelpofa\splitter"ofX,eventuallyresultinginthesetofweakbisimulation andthensuccessivelyrenesthegivenpartitionX
Xtobeaweakbisimulation,i.e. (*)Prob(s;ba;C)6=Prob(s0;ba;C)forsomeB2Xands,s02B. Xthatviolatestheconditionfor
Oneideaforapartioning/splitter-algorithmwouldbetoreneXaccordingtoasplitter inthesenseof(*),i.e.toreplaceXbyRene0(X;a;C)=fB='(a;C):B2Xgwhere TheprobabilitiesProb(s;ba;C)canbecomputedbysolvingthelinearequationsystem s'(a;C)s0iProb(s;ba;C)=Prob(s0;ba;C).
xs=1 xs=0 xs=Xt2SP(s;;t)xt+P(s;a;C) ifa=ands2C ifPathful(s;ba;C)=;
(cf.Proposition3.3.4,page49).ThetestwhetherPathful(s;ba;C)=;canbedone byareachabilityanalysisoftheunderlyingdirectedgraph,e.g.withadepthrstsearch ifPathful(s;ba;C)6=;anda6=_s=2C.
likemethod.Then,(n3:8)isanasymptoticlowerboundforthetimecomplexityof
renementstepwehavetosolvealinearequationsystemwithnvariablesandnequations(whichtakes thismethod.4Here,wepresentanalternativemethodthatrunsintimeO(n3).The (n2:8)timewiththemethodof[AHU74]).
4Here,nisthenumberofstates.Notethatintheworstcaseweneednrenementstepsandineach

7.2.DECIDABILITYOFWEAKBISIMULATIONEQUIVALENCE basicideaistoreplace(*)byaconditionthatassertsthatXviolatestheconditionsofa 165
branchingbisimulation.Forthis,weuseanalternativedenitionofasplitterthatisbased onancharacterizationofbranchingbisimulationswhichusestheconditionalprobabilities conditionthatthesystemdoesnotmakeaninternalmoveinsidetheblockthatcontainss. PX(s;a;C)toreachablockCfromastatesviaanactionawithinonestepunderthe
havetosolvelinearequationsystems. Theseconditionalprobabilitiescanbecomputedbysimplearithmeticoperations.Thus, theuseofthiskindofsplittershastheadvantagethatintherenementstepswedonot
apartitionXofS.WesaythatXisaweak(branching)bisimulationitheinduced Inwhatfollows,wexaniteaction-labelledfullyprobabilisticsystem(S;Act;P)and 7.2.1 Thealgorithm
equivalencerelationRXisaweak(branching)bisimulation.
Notation7.2.2[ThesetSX]WedeneSX=fs2SnSterm:P(s;;[s]X)

166ProbRX(s;;C)=PX(B;;C)forallC2XCHAPTER7.WEAKBISIMULATION Here, ProbRX(s; ;C)=PX(B;;C)forall2ActnfgandC2X.
Proof: PX(B;a;C)=(PX(t;a;C):if(a;C)6=(;B)andt2B\SX seeSection7.5.1,Lemma7.5.9(page181). 1 :if(a;C)=(;B).
Foralls2B,eithersisterminalorP(s;;B)=1.Ineithercase,ProbRX(s; Remark7.2.5LetXbeabranchingbisimulationandB2XsuchthatB\SX=;. andProbRX(s;;C)=0ifC2XnfBg.Hence,ifweputPX(B;;B)=1and PX(B;a;C)=0if(a;C)6=(;B).thenweget ;C)=0
foralls2B,C2Xanda2Act. ProbRX(s;ba;C)=PX(B;a;C)
P(s0;;[s0]X)=1andP(v0;;[v0]X)=1.Thus,SX=fs;s0;t;t0g. Example7.2.6ConsiderthesystemofFigure7.2(page167)andthepartitionX= allblocksofXsatisfytheconditionsofLemma7.2.4.WehaveSterm=fw;w0;vg, fB1;B2;B3gwhereB1=fs0;s;s0g,B2=ft;t0gandB3=fw;w0;v;v0g.Weshowthat
FortheblockB1,werstconsiderthestatessands0.Wehave: andPX(s;a;C)=PX(s0;a;C)=0forall(a;C)=2f(;B2);(;B3)g.Hence,B1 satisescondition(1).Secondweshowcondition(2)forB1.Forthis,wehaveto considerthestates02B1nSX.Thenitepathleadingfroms0toastateofB1\SX PX(s;;B2)=PX(s0;;B2)=12;PX(s;;B3)=PX(s0;;B3)=12
fulllscondition(2). isgivenbys0!s.
AsB3\SX=;fortheblockB3thereisnothingtoshow. PX(t0;a;C)=0forall(a;C)6=(;B3).Hence,B2satises(1).AsB2\SX=;,B2 FortheblockB2=ft;t0gweget:PX(t;;B3)=PX(t0;;B3)=1andPX(t;a;C)=
Lemma7.2.4yieldsthatXisabranchingbisimulation. Remark7.2.7IfXisabranchingbisimulation,B2Xands,s02B\SXthen
ispossible.Forinstance,forthestatessands0inExample7.2.6(Figure7.2onpage167) 1�P(s;;B)6= P(s;;B) 1�P(s0;;B) P(s0;;B)
wehavesbrs0butP(s;;B1)=(1�P(s;;B1))=0whileP(s0;;B1)=(1�P(s0;;B1))=
actiona2ActandsomeC2XsuchthatthereexistssomeB2Xwith(;B)6=(a;C) Denition7.2.8[Splitter]AsplitterofapartitionXisatuple(a;C)consistingofan 1=2(whereB1=fs0;s;s0gisthebranchingbisimulationequivalenceclassofsands0).
andPX(s;a;C)6=PX(s0;a;C)forsomestatess,s02B\SX.

7.2.DECIDABILITYOFWEAKBISIMULATIONEQUIVALENCE 167
wt,12 ss0,1
,1 ,12 v w0 t0 ,13 s0
,1 ,13,13 v0 ,1 � ? �� @@@R
? ���@@@R ?
ThemainideaforreningagivenpartitionXviaasplitter(a;C)istoisolateineach Figure7.2:
thatcannotreachanyotherequivalenceclassA0ofB\SXwithoutpassingA. enrichedwithexactlythosestatess2BnSXthatcanreachAviainternalactionsand Bycondition(2)ofLemma7.2.4,eachsuchequivalenceclassAofB\SXhastobe B2Xwith(;B)6=(a;C)thosestatess,s02B\SXwherePX(s;a;C)=PX(s0;a;C).
B2Xsuchthat(;B)6=(a;C).Wedene Notation7.2.9[ThesetSplit(B;a;C)]Let(a;C)beasplitterofapartitionXand
where,fors,s02B\SX,sXs0iPX(s;a;C)=PX(s0;a;C). Split(B;a;C)=(B\SX)=X
Notation7.2.10[TheclosureA]Let(a;C)beasplitterofapartitionXandB2X withrespectto(a;C)tobethelargestsetV s2VnA: suchthat(;B)6=(a;C).IfA2Split(B;a;C)thenwedenetheclosureAofAinX
P(s;;V[A)=1 BwhichcontainsAandsuchthatforall
Thereexistsanitepath -last()2A. -rst()=s, -(i)2V,i=0;1;:::;jj�1, with
Notation7.2.11[TheresiduumRes(B;a;C)]LetX,a,BandCbeasbefore.The residuumofBwithrespectto(a;C)isgivenby
Remark7.2.12NotethattheresiduumRes(B;a;C)iseitherempty(ifallstatess2 Res(B;a;C)=fB0gnf;gwhereB0=Bn A2Split(B;a;C)A: [
thatdonotbelongtoanyclosureA.IfA2Split(B;a;C)thenAconsistsofAandall statess2BnSXsuchthat SnSXarecontainedinsomeclosureA)orasingletonsetconsistingofallstatess2BnSX
Here,(s)=f2Pathn(s):rst()=s;(i)2BnSX,i=0;1;:::;jj�1g.
last()2Aforsome2(s) Whenever2 andlast()2SXthenlast()2A.

Notation7.2.13[TherenementoperatorRene()]LetXbeapartition,(a;C)a 168 CHAPTER7.WEAKBISIMULATION
splitterofX.ForB2X,wedene: If(a;C)=(;B)thenRene(B;a;C)=fBg.
WedeneRene(X;a;C)=SB2XRene(B;a;C). If(a;C)6=(;B)then
Clearly,foreachpartitionXwhichiscoarserthanS=brandeachsplitter(a;C)ofX, Rene(B;a;C)=fA:A2Split(B;a;C)g[Res(B;a;C):
thepartitionRene(X;a;C)iscoarserthanS=brandstrictlynerthanX.
condition(2)ofLemma7.2.4andthatiscoarserthanS=brandthereisnosplitterfor blocksA2Rene(B;a;C)fulllcondition(2).Moreover,ifXisapartitionthatfullls Ourrenementoperatorpreservescondition(2)ofLemma7.2.4(page165).Morepre-
XthenX=S=br=S=.Theseobservationsleadtothefollowingalgorithm.We cisely,ifB2XsuchthatB\SX=;andcondition(2)ofLemma7.2.4isfullledthenall
forX){weapplytherenementoperatortoX,eventuallyresultinginthepartition X=S=. startwitha\simple"partitionXthatsatisescondition(2)ofLemma7.2.4andthatis coarserthan.Then{aslongasXcanberened(i.e.aslongasthereexistsasplitter
Astheinitialpartitionhastofulllcondition(2)ofLemma7.2.4wecannotstartwiththe instance,forasystemwithtwostates,aterminalstatetandastateswithP(s;;t)=1, \trivial"partitionX=fSgthatidentiesallstatesasitmightviolatecondition(2).For withXtrivialthenouralgorithmwouldreturnthatsandtareweaklybisimilarwhichis thetrivialpartitionXtrivial=ffs;tggdoesnothaveasplitter.Hence,ifwewouldstart notthecase.Ourinitialpartitionconsiststwoblocks:theweakbisimulationequivalence classoftheterminalstatesanditscomplement.(Ofcourse,ifoneoftheseblocksisempty thenweonlystartwithoneblock.)Tobeprecise,theweakbisimulationequivalenceclass oftheterminalstatesconsistsofall\divergent"states,i.e.allstatesthatcannotreacha
;forall2Actnfg.LetDivbethesetofdivergentstates. statewhereavisibleactioncanbeperformedwithsomenon-zeroprobability.
NotethatSterm Denition7.2.14[Divergentstates]AstatesiscalleddivergentiPathful(s; Div.Ouralgorithmforcomputingtheweakbisimulationequivalence )=
Example7.2.15PartitioningthesystemfromExample7.2.6(Figure7.2,page167) classesissketchedinFigure7.3onpage169.
splitter(;fw;w0;v;v0g)weobtain SX=fs;s0;t;t0g.(;fw;w0;v;v0g)and(;fs0;s;s0;t;t0g)aresplittersofX.Forthe proceedsasfollows.TheinitialpartitionisX=ffs0;s;s0;t;t0g;fw;w0;v;v0gg.Then,
andPX(t;;fw;w0;v;v0g)=0=PX(t0;;fw;w0;v;v0g).Hence,thesplitoperatorsepa- PX(s;;fw;w0;v;v0g)=12= 1�13=PX(s0;;fw;w0;v;v0g) 13 ratessands0fromtandt0.Moreprecisely,weget: Split(fw;w0;v;v0g;;fw;w0;v;v0g)=ffw;w0;v;v0gg:
Split(fs0;s;s0;t;t0g;;fw;w0;v;v0g)=ffs;s0g;ft;t0gg;

7.2.DECIDABILITYOFWEAKBISIMULATIONEQUIVALENCE 169
Computingtheweakbisimulationequivalenceclasses Output:thesetS= Method: Input:aniteaction-labelledfullyprobabilisticsystem(S;Act;P)
ComputethesetDivofdivergentstates; ofweakbisimulationequivalenceclasses
ReturnX. WhileXcontainsasplitter(a;C)doX:=Rene(X;a;C); X:=fDiv;SnDivgnf;g;
Theclosureoperatoryieldsfs;s0g=fs0;s;s0g.Hence,wegetthepartition Figure7.3:Schemaforcomputingtheweakbisimulationequivalenceclasses
setofweakbisimulationequivalenceclasses. forwhichnosplitterexists.Thus,ouralgorithmreturnsRene(X;;fw;w0;v;v0g)asthe Rene(X;;fw;w0;v;v0g)=ffs0;s;s0g;ft;t0g;fw;w0;v;v0gg
Inwhatfollows,n=jSj.WesupposethatthealphabetActisxed(thus,wetreatthe 7.2.2 sizejActjasaconstant). Timecomplexity
O(n3)andspaceO(n2). Proof: Theorem7.2.16ThealgorithmofFigure7.3(page169)canbeimplementedintime
directedgraph.Wecomputeallstatesthatcanreachastateofft2S:P(t;)> 0forsome2Actnfgg,e.g.byadepthrstsearch.Thus,thecomputationofthe initialpartitionXneedsO(n2)timeandspace. Clearly,Divcanbecomputedbyareachabilityanalysisintheunderlying
Initializationoftherenestep:LetXbethecurrentpartition.Wecomputethe valuesP(s;a;C)andPX(s;a;C)foreachs2S,a2ActandC2X.ThesetSXcan bederivedfromtheprobabilitiesPX(s;;C),s2C.Foreachpair(a;C)(wherea2Act andC2X)andA2Xwecompute
Then,(a;C)isasplitterofXimin(A;a;C)

valuesPX(s;a;C),s2B\SX.(SeeSection12.2,page314forthenotationsthatwe 170 CHAPTER7.WEAKBISIMULATION
startingintherootandwesearchforthevaluePX(s;a;C). usefororderedbalancedtrees.)EachnodevofTree(B)isrepresentedasarecordwith componentsv:keyandv:states.Foreachstates2B\SX,wetraversethetreeTree(B) Ifwereachanodevwithv:key=PX(s;a;C)thenweinsertsintov:states. Otherwise,PX(s;a;C)isnotyetrepresentedinTree(B)andweinsertanodevwith
thenodesofthenaltreeTree(B)representthesetsA2Split(B;a;C).Moreprecisely, Inthenaltree,v:statesisthesetofstatess2B\SXwithPX(s;a;C)=v:key.Thus, v:key=PX(s;a;C)andv:states=fsg.
EBiP(t;;s)>0andt2BnSX.WecomputethesetsA,A2Split(B;a;C),bythe WederiveRene(B;a;C)asfollows.LetGBbethedirectedgraph(B;EB)where(s;t)2 Split(B;a;C)=fv:states:visanodeinTree(B)g:
followingbreadthrstsearchlikemethod.Weusethreekindsoflabelsforthestates: label(s)=A2Split(B;a;C)isisreachableinGBfromsomestateinAbutthere detected. label(s)=?is2BnSXandsisnotyetvisited.
label(s)=itherearetwosetsA,A02Split(B;a;C)suchthatsisreachablefrom astateinAandfromastateinA0.(Inparticular,,allsuccessorsofa-labelledstate isnootherA02Split(B;a;C)whereapathfromastateofA0tosinGBisalready
Initially,wedenelabel(s)=Aforalls2AandA2Split(B;a;C)andlabel(s)=? foralls2BnSX.WeuseaqueueQwhichinitiallycontainsthestatess2A,A2 inGBarealsolabelledby.)
Split(B;a;C).WhileQisnotemptywetaketherstelementsofQ,removesfromQ and,iflabel(s)6=then,forallt2BnSXwith(s;t)2EB,wedo: (1)Iflabel(t)=?thenweaddttoQandsetlabel(t)=label(s). (2)Iflabel(t)2Split(B;a;C),label(t)6=label(s),thenwesetlabel(u)=foru=tand
Complexity:Itisclearthatthemethoddescribedabovecanbeimplementedinspace Then,A=fs2B:label(s)=Ag,Res(B;a;C)=ffs2B:label(s)2f?;gggnf;g. allsuccessorsuoftinGB.6
renementsteptakestimeO(n2). thereareatmostniterationsoftherenementstep.Thus,itsucestoshowthateach O(n2).WeshowthatthetimecomplexityofourmethodisO(n3).First,weobservethat
time.7RangingoverallB,theconstructionofthetreesTree(B)(thus,thecomputation ofthesetsSplit(B;A;C))takesO(nlogn)timeifoneusessomekindoforderedbalanced trees(seeSection12.2,page314).Weshowthat,rangingoverallB2X,thesetsAand Clearly,foreachiteration(i.e.eachrenementstep),theinitializationrequiresO(n2)
alreadylabelledbyareignored. 6Forthis,wemightuseadepthrstsearchstartinginttondallsuccessorsoft.Statesthatare P(s;a;C)canbecomputedintimeO(n2).
overalls2S,C2X,wegetthetimecomplexityO(n2).SincewesupposeActtobexed,thevalues 7Notethat,foreachtuple(s;a;C),wehavetocalculatePt2CP(s;a;t).Hence,forxedaandranging

7.3.CONNECTIONTOOTHEREQUIVALENCES Res(B;a;C)canbederivedintimeO(n2):ForxedB2X,thedirectedgraphGBcan 171
beconstructedintimeO(jBj2).Eachstates2BisaddedtoQatmostonce.8Eachstate visitedinstep(2)onceagain.Asaconsequence,eachstatecausestimecosts(atmost) twhichisvisitedbyadepthrstsearchinstep(2)islabelledby.Thus,itcanneverbe
weobtainRene(X;a;C)intimeO(n2). label6=thatisvisitedinstep(2).EithercaseinvolvesO(n)computations.Summing upoveralls2B,thecomputationofRene(B;a;C)hastimecomplexityO(jBjn).So, oforder2ninthecomputationofRene(B;a;C):asanelementofQandasastatewith
Inthissectionwediscusshowtheproposednotionofweakbisimulationequivalencerelates tootherequivalencesforfullyprobabilisticsystems. 7.3 Connectiontootherequivalences
Clearly,weakbisimulation Skou[LaSk89](Denition3.4.3,page54)whichdoesnotabstractfrominternalmoves. sands0areweaklybisimilar.Moreover,ifthesystemis-free(i.e.P(t;)=0forall Formally,if(S;Act;P)isafullyprobabilisticsystemands,s0arebisimilarstatesthen isstrictlycoarserthan(strong)bisimulationalaLarsen&
readyequivalenceinthesenseofJou&Smolka[JoSm90]as statest)thenweakbisimulationequivalence coincide.9Ofcourse,wecannotexpect stepswhiletheequivalencesof[JoSm90]donottreatthe-stepsinaspecialwayand tobecomparablewithstrongtrace,failureor and(strong)bisimulationequivalence
arestrictlycoarserthanstrong(andweak)bisimulationfor-freesystems.Forinstance, thestatessands0ofthesystembelowarestronglytraceequivalentbutnot(stronglyor abstractsfromtheinternal
weakly)bisimilar.
v ts
u t01 s0
,1 ? ,1 ,1 �,1 v0,1
��@@@R,1
u0 t02
Viceversa,thestatessands0ofthesystem(fs;s0;tg;f;g;P)whereP(s;;s0)= AAAU ? ? ,1
P(s0;;t)=1andP()=0inallothercasesareweaklybisimilarbutnotstrongtrace,
arecalledweaklytraceequivalenti systems, failureorreadyequivalentinthesenseof[JoSm90].Dealingwiththe\weak"counterparts oftheequivalencesproposedin[JoSm90],Theorem7.1.4(page162)yieldsthat,fornite isstrictlynerthanweaktrace,failureorreadyequivalence.Here,e.g.s,s0
forallk Christo[Chri90b,Chri90a]andCleavelandetal[CSZ92](seealso[YCDS94])introduce 0and1;:::;k2Actnfg. Prob(s; 1::: k)=Prob(s0; 1::: k)
testingequivalencesforniteaction-labelledfullyprobabilisticprocessesthatrelatetwo 8Notethatonlystateswithlabel?canbeaddedtoQ. 9Notethat,for(S;Act;P)tobe-free,Prob(s; ;C)=P(s;;C).

processesintermsofthereliabilityincertainenvironments.While[Chri90b]dealwith 172 CHAPTER7.WEAKBISIMULATION
frominternalcomputations.Intheremainderofthissectionwediscusstherelation deterministicenvironments[CSZ92]considerprobabilistictestingscenarios.Bothabstract betweenthesetestingpreordersandournotionofweakbisimulation.Forthis,wexa TestingequivalencealaChristo:Weshowthatweakbisimulationisstrongerthan thetestingequivalencesintroducedbyChristo[Chri90b](seealso[Chri90a,ChCh91]). niteaction-labelledfullyprobabilisticsystem(S;Act;P).
[Chri90b]distinguishesfullyprobabilisticprocessesthroughtheconditionalprobabilities ofcertaindeterministictestingscenarios.Theseveraltestingscenariosleadtothedenitionsofprobabilistictraceequivalence=tr,weakprobabilistictestingequivalence=wteand strongprobabilistictestingequivalence=ste.Asshownin[Chri90b],=tr showthatweakbisimulationequivalence equivalence=ste(andthus,itisalsostrongerthan=wteand=tr). isstrongerthanstrongprobabilistictesting =wte =ste.We
Webrieyrecallthedenitionofstrongprobabilistictestingequivalence.Moreprecisely, weuseanequivalentcharacterizationof=stewhichisgivenin[ChCh91]. Notation7.3.1[ThesetOerings]LetOeringsbethesetofnonemptysubsetsof Actnfg(thesetofoerings)andOeringsthesetof(nite)stringsofoerings."O denotestheemptystringofoerings.
ofL1:::Lk.TheformaldenitionofQ()isasfollows. theprobabilityforperformingthestring ForL1;:::;Lk2Oeringsand1;:::;r2Actnfg,Q(s;L1:::Lk;1:::r;t)denotes
Notation7.3.2[ThevaluesQ(s;~L;~;C)]Thefunction 1::: rendingupintwhenoeredastring
isdenedasfollows.Lets2S,C ~2(Actnfg).Q(s;"O;~;C)=0if~6="
Q:S Oerings S,L2Oerings, (Actnfg) 2S![0;1] 2Actnfg,~L2Oerings,
Q(s;L~L;~;C)=Xu2SQ(s;L;;C)Q(u;~L;~;C) Q(s;~L;";C)=(1:ifs2C
Q(s;L;;C)=0if 0:otherwise
followinglinearequationsystem. If 2LthenthevaluesQ(s;L;;C),s2S,C =2L
1.Q(s;L;;C)=0ifProb(s; ;C)=0. Saretheuniquesolutionofthe
2.IfProb(s; Q(s;L;;C)= ;C)>0then
NotethatProb(s; ;C)>0,2LimpliesP(s;)+P(s;L)>0.
P(s;)+P(s;L)+Xu2S P(s;;C) P(s;)+P(s;L)Q(s;L;;C): P(s;;u)

7.3.CONNECTIONTOOTHEREQUIVALENCES 173
u,34 ���s@@@R,14 t v0 w0 ,12 s0
,12 ,12 ,12
���@@@Ru0 t0 � �� @@@R
Notation7.3.3[ThevaluesQ(s;~L;~)]If~L2Oeringsand~2(Actnfg)then Figure7.4:s=stes0buts6s0
weputQ(s;~L;~)=Q(s;~L;~;S): Denition7.3.4[Thetestingequivalence=ste,cf.[Chri90b,ChCh91]]
Theorem7.3.5 s=stes0iQ(s;~L;~)=Q(s0;~L;~)forall~L2Oerings,~2(Actnfg).
Proof: =ste.Toseethat=steand InSection7.5.2,Theorem7.5.19(page188),weshowthat isstrictlynerthan=ste.
Figure7.4(page173).Then,s=stes0as,forinstance, donotcoincideconsiderthefullyprobabilisticsystemof isnerthan
andQ(s;fg;)=1=Q(s0;fg;).Ontheotherhand, Q(s;f;g;)=34=12+1212=Q(s0;f;g;)
Hence,s06w0.Thus,Prob(s0;;W)=1=2>0=Prob(s;;W)whereWistheweak bisimulationequivalenceclassofw0.Thus,s6s0. Prob(s0; ;S)=3=4>1=2=Prob(w0; ;S):
[ChCh91]presentsalgorithmsfordecidingthethreekindsofequivalenceswhicharebased onsolvinglinearequationsystemsandrunintimeO(n4)wherenisthenumberofstates oftheunderlyingsystem.Incontrasttothis,theuseofweak(orbranching)bisimulation hastheadvantagethatitallowstheuseoftheconditionalprobabilitiesPX()whichcanbe computedbysimplearithmeticoperations(ratherthansolvinglinearequationsystems). TestingequivalencesalaCleavelandetal[CSZ92]:[CSZ92](seealso[YCDS94] presentquantitativeextensionsofthenon-probabilistictestingpreordersbydeNicola& Hennessy[dNHe83,Henn88].GivenatestT{whichisrepresentedbyafullyprobabilisticsystemequippedwithasetofsuccessstates{theprobabilityforafullyprobabilisticprocessPtopassthetestTisdenedastheprobabilitymeasureofthesetof\inter- probabilisticprocessesP,P0aretestingequivalentwithrespecttoacertainclassoftests iPandP0passalltestsTofthatclasswiththesameprobability.[CSZ92]consider twoclassesoftests: actionsequences"leadingtoasuccessstate.Intuitively,givenaclassoftests,twofully
TheclassTests0of-freetestswhichyieldsthetestingequivalencedenotedby0. TheclassTestsofallteststhatdonotcontain\-loops"whichyieldsthetesting equivalencedenotedby.

174 CHAPTER7.WEAKBISIMULATION
wu,12 ts,1
,1 ,12
xv,1
w0 u0 ? t01,12 � s0
,1 ��@@@R,12
t02
,1 x0 v0,1
? ���@@@R ? ? ?
Figure7.5:s s0buts6s0 ? ? ,1
denitionof Section7.5.2(page188)whereweprovethat0iscoarserthan.Fortheprecise Theexactdenition(moreprecisely,analternativecharacterization)of0isgivenin
Theorem7.3.6see[CSZ92]or[YCDS94].
(a) (b) and isstrictlynerthan0.
Proof: InSection7.5.2,Theorem7.5.27(page191),weshowthat arenotcomparable.
to0).Ontheotherhand,sands0arenotweaklybisimilarasProb(s; 174)aretestingequivalentwithrespectto 0.Asshownin[YCDS94],thestatessands0ofthesystemshowninFigure7.5(page (andhence,testingequivalentwithrespect isnerthan
shownbelowareweaklybisimilarwhiles06s0. whileProb(s0; t.(Notethatneithert01nort02isweaklybisimilartot.)Thestatess0ands0ofthesystem ;T)=0whereTdenotestheweakbisimulationequivalenceclassof ;T)=1
s0 ,1 -s0 ,1-u success ,12 ���t@@@R,12 probabilityfors0topassthetestTis3/4whiletheprobabilityfors0topassTis1/2. Forinstance,thetestTshownontherightdistinguishesthestatess0ands0.The u
7.4 Weestablishthecongruenceresult(Theorem7.4.2,page175)statingthecompositionalityofweakbisimulationequivalencewithrespecttotheoperatorsofPLSCCS.10More Compositionality
probabilisticchoice. precisely,weshowthatweakbisimulationequivalence thePLSCCSoperatorsactionprexing,restriction,relabelling,lazyproductandguarded 10RecallthesyntaxandsemanticsofthelazysynchronouscalculusPLSCCSwhichwasintroducedin
isacongruencewithrespectto
Section4.3(page83).

7.4.COMPOSITIONALITY Inwhatfollows,weshrinkourattentiontonitaryPLSCCSprograms,i.e.programsP 175
Notation7.4.1[FinitaryPLSCCSprograms]APLSCCSprogramhdecl;siiscalled wheretheassociatedfullyprobabilisticprocessO[P]isnite(orcanbeidentiedwitha
nitaryithereareonlynitelymanystatementst2Stmt0thatarereachablefromsin niteprocess).
(Stmt0;Act0;Pdecl).Adeclarationdecl:ProcVar!StmtPLSCCSiscallednitaryi,for
arisesfromO[P]byremovingallstatementst2Stmt0thatarenotreachablefromthe IfPisnitarythenO[P]canbeidentiedwiththenitefullyprobabilisticprocessthat eachZ2ProcVar,hdecl;Ziisnitary.
initialstate.Clearly,ifdeclisnitarythen,foreachstatements,hdecl;siisnitary.11For PLSCCSprogramsP,P0,wedeneP wedenetherelationsdeclforPLSCCSstatementsbysdecls0ihdecl;si P0iO[P] O[P0].Forxeddeclarationdecl,
actionprexing,restriction,relabellingandlazyproduct.Moreprecisely,ifdeclisa Theorem7.4.2WeakbisimulationequivalenceispreservedbythePLSCCSoperators hdecl;s0i.
(a)Ifsdecls0thena:sdecla:s0,snL (b)Ifsidecls0i,i=1;2,thens1
nitarydeclaration,thenforallPLSCCSstatementss,s0,si,s0i: s2 decls01 decls0nLands[`] s02;andthus, decls0[`].
(c)Weakbisimulationequivalenceisacongruencewithrespecttoguardedprobabilistic s1 s2 decls01 choice,i.e.ifsidecls0i,i2I,then s02:
Xi2I[pi]ai:si Proof: Part(a)isaneasyverication.Weshow(b)and(c).Moreprecisely,we declXi2I[pi]ai:s0i:
Pdecl(t;a;u)>0thenu2Si).Weshowthat thatareclosedwithrespecttothetransitionrelationinducedbyPdecl(i.e.ift2Siand xanitarydeclarationdecl,somenitesubsetsS1,S2,ofStmt0thatcontain0and
isabisimulation(inthesenseofDenition3.4.3,page54).Here,weputt0=0t=0 andtdecl0iO[hdecl;ti] R=n(s1 s2;s01 (Stmt0;Act0;Pdecl;0).ForsubsetsC1ofS1andC2ofS2, s02):si;s0i2Si;sidecls0i;i=1;2o
Clearly,RisanequivalencerelationonS1 wedene
theformC=C1 C2whereCi2Si=decl,i=1;2.Leta2Act,C=C1 C1 C2=fs1 s2:s12C1;s22C2g: S2.EachequivalenceclassC2S=Risof
that,forallprocessvariablesZ,Z02ProcVar,thereisnooccurrenceofZ0indecl(Z)thatiscontained 11Asucientconditionwhichguaranteesthatdeclisnitaryisthe\simplicity"ofdeclinthesense C22S=R
inasubstatementoftheformt[`],tnLort1t2.

and(s;s0)2Rwheres=s1 176 s2,s0=s01 s02,sidecls0i,i=1;2.Then,byTheorem CHAPTER7.WEAKBISIMULATION
7.1.4(page162)andCorollary4.3.2(page84): Pdecl(s;a;C)= = (1;2)2SynaProbdecl(s1; X
(1;2)2SynaProbdecl(s01; X 1;C1)Probdecl(s02; 1;C1)Probdecl(s2; 2;C2)=Pdecl(s0;a;C): 2;C2)
C0=[0]Ristheequivalenceclassof0withrespecttoR.WeconcludePdecl(s;a;C)= Pdecl(s0;a;C)foralla2Act0andC2S=R.Hence,Risabisimulation.Inparticular, whenever(s;s0)2Rthensdecls0.Thisyieldstheclaimofpart(b).Part(c)can Similarly,Corollary4.3.3(page84)yieldsthatPdecl(s;0;C0)=Pdecl(s0;0;C0)where
Pi2I[pi]ai:si,Probdecl(s;a;C)=Xi2IpiProbdecl(si;a;C)+Xj2Jpj bederivedfromTheorem7.1.4(page162)andthefactthat,forC Stmt0ands=
whereI=fi2I:ai=gandJ=fi2I:ai=a;si2Cg. Example7.4.3WeconsiderthePLSCCSprogramSenderReceiverofExample4.3.6 onpage86whichweverifyagainstthespecication
Clearly,theoperationalsemanticsofSender Specdef =produce:consume:Spec:
congruenceresult(part(b)ofTheorem7.4.2)allowsustouse\modularverication" (i.e.toverifythecomponentsSenderandReceiverseparately)avoidingtheconstruction 88)andtheoperationalsemanticsofSpecareweaklybisimilar.Ontheotherhand,our Receiver(showninFigure4.14onpage
ofO[Sender Receiver]andusing
andO[SenderSpec]areweaklybisimilar.Thus,byTheorem7.4.2(page175): asthespecicationforthesender.Clearly,O[Sender](showninFigure4.13onpage87) SenderSpecdef =produce:deliver!wait:ack?:SenderSpec
andSpecareweaklybisimilar(bythetransitivityof). ItiseasytoseethatSpec SenderSenderSpecReceiverwhichyieldsthatSenderReceiver Receiver SenderSpec Receiver:
Ofcourse,wecannotexpectweakbisimulationequivalencetobeacongruenceforthe s1 synchronousparallelcompositionofPSCCSasPSCCSdoesnottreattheinternalaction inanydistinguishedway.Forexample,ifs1=:nil,s01=::nilands2=:nilthen
choiceoperatorisalmostthesameasthecounterexampleinthenon-probabilisticcase demonstratesthatweakbisimulationequivalenceisnotacongruencefortheprobabilistic s1s2ands01s2arenotweaklybisimilarwhiles1ands01are.Thecounterexamplethat s2canmakea -movewhiles01 s2preforms .Thus,if 6= then
choice.ConsiderthePLSCCSstatementss1=:nil,s01=::nil,s2=:niland
whichshowsthatweakbisimulationequivalenceisnotpreservedbynon-deterministic

7.5.PROOFS s=h12is1 h12is2,s0=h12is01 h12is2. 177
Then,s1decls01buts6decls0assreachsviainternalactionstheweakbisimulation equivalenceclassCofs1=:nilwithprobability1=2whiles0cannotmovetoastate thatisweaklybisimilartos1.Formally,wehave whereCistheweakbisimulationequivalenceclassofs1anddeclanarbitrarydeclaration. Probdecl(s;;C)=12>0=Probdecl(s0;;C)
7.5 Inthissectionwegivetheproofsofthemainresultsofthatchapter.Inwhatfollows, Proofs
wexaniteaction-labelledfullyprobabilisticsystem(S;Act;P).Weusethefollowing notations:IfRisanequivalencerelationonSand Prob(s;;C)=Prob(s0;;C)forall(s;s0)2RandC2S=Rthenwedeneforall A2S=R:Prob(A;;C)=Prob(s;;C)wheres2A.Wesimplywrite[s]todenotethe weakbisimulationequivalenceclassofs(i.e.[s]=[s]). aregularexpressionsuchthat
InthissectionwegivetheproofofTheorem7.1.10(page163)whichstatesthat 7.5.1 Weakandbranchingbisimulationequivalence
Denition7.5.1[Completenessofaweakbisimulation]LetRbeaweakbisimula- andtheproofofTheorem7.1.4(page162). =br
tion.Riscalledcompletei Whenevers2S,C2S=RandProb(s;;C)=1thens2C.
(inparticular,Adoesnotcontainterminalstates)andthereisastates2Awith Notethat,ifRisacompleteweakbisimulationandA2S=R,A6=Div,thenA\Div=; IfDiv6=;thenDiv2S=R.
P(s;;A)

Notation7.5.3[ThematricesARandA0R]ForRtobeacompleteweakbisimula- 178 CHAPTER7.WEAKBISIMULATION
equivalenceclassesAi2S=Rwhichcontainsomestatesi2SnStermwithP(si;;Ai)

7.5.PROOFS Forh,j=1;:::;kandh6=j: 179
NotethatProb(A0;;Aj)=0forallj Prob(Ah;;Aj)=Prob(sh;;Aj)=kXi=1P(sh;;Ai)Prob(Ai;;Aj)=dh;j:
matrix.Nextweshowthatej>0,j=1;:::;k. ThisyieldsCAR+E=AR.Thus,E=(I�C)ARwhereIdenotesthekk-identity 1.
IfProb(Ai0;;Aj)6=0forsomei02f1;:::;kgnfjgwithP(sj;;Ai0)>0then ej i6=i0P(sj;;Ai)+P(sj;;Ai0)Prob(Ai0;;Aj)

Therefore,itsucestoshowthatL06H.WesupposethatL0 180 CHAPTER7.WEAKBISIMULATION
vectorsa,csuchthatL0=fa+tc:t2IRgwherea=(a0;:::;ak)andc=(c0;:::;ck) withal=cl=0andc6=0.BydenitionofL0wehaveL=fxA0R:x2L0g.Hence, H.Then,therearereal
forallj=0;:::;k,j6=landt2IR.Thus, bj=kXi=0aiProb(Ai;;Aj)+tkXi=0ciProb(Ai;;Aj)
=0ciProb(Ai;;Aj)=0ifj6=l. kXi Hence,
(since,otherwisetherowsofA0RwouldbelineardependentincontradictiontotheregularityofA0R).W.l.o.g.c=1.Then,cisthel-throwof(AR0)�1.Inparticular, cdef =kXi=0ciProb(Ai;;Al)6=0
Weshowthat right-branchingbisimulation. 0=cl=al;l.Butthiscontradictstheconstraintal;l>0from(*).
Notation7.5.5[Right-branchingbisimulation]Aright-branchingbisimulationis coincideswithanotherkindofbisimulationequivalencethatwecall
branchingbisimulationR.R,a2ActandallequivalenceclassesC2S=R.srbrs0i(s;s0)2Rforsomeright- anequivalencerelationRonSsuchthatProb(s;ba;C)=Prob(s0;ba;C)forall(s;s0)2
Proof: lationisaweakbisimulation. Lemma7.5.6s LetRbearight-branchingbisimulation.WeshowthatRisaweakbisimu- rbrs0impliess s0.Moreprecisely:Eachright-branchingbisimulation.Let2Actnfg,s2SandC2S=R.Then,forallB2S=Rands2B:
Prob(s; =X A2S=RProb(B; ;C)=Xt2SProb(s; ;A)Prob(A;;C): ;t)Prob(t;;C)
Hence,if(s;s0)2RthenProb(s; Lemma7.5.7s 2Actnfg. s0impliess rbrs0.Moreprecisely:Eachcompleteweakbisimu- ;C)=Prob(s0; ;C)forallC2S=Rand
lationisaright-branchingbisimulation.
all,weobtainthatRisaright-branchingbisimulation.Thus, Proof: thatProb(s; LetRbeacompleteweakbisimulation.Wexsome2Actnfgandshow ;A)=Prob(s0; ;A)foralls s0andallA2S=R.(Rangingover rbr.)

7.5.PROOFS BytheregularityofA0R(Lemma7.5.4,page178):Wheneverwexarealvectora(of 181
lengthk+1)thenthelinearequationsystemxA0R=ahasauniquesolution.Fors2S andj=0;1;:::;kwehave: Prob(s; ;Aj)=Xt2SProb(s; =kXi=0Prob(s; ;t)Prob(t;;Aj)
Thus,forxedl:Forallstatess2Al,thevector(Prob(s; ;Ai)Prob(Ai;;Aj):
thelinearequationsystemxA0R=awherea=(aj)0jkandaj=Prob(Al; BytheregularityofA0R:If(s;s0)2R(i.e.s,s02Alforsomel)thenProb(s; Prob(s0; ;Ai),i=0;:::;k. ;Ai))0ikisasolutionof ;Ai)= ;Aj).
Proof: Lemma7.5.8s isaweakbisimulation. LetRbeabranchingbisimulation.ItsucestoshowthatRisaright- brs0impliess s0.Moreprecisely:Eachbranchingbisimulation
branchingbisimulation(Lemma7.5.6,page180).Forr �rbethesetoftuples(C0;:::;Cr)suchthat Ci2S=R,i=0;1;:::;r, 1andA,C2S=R,A6=C,let
Then,foralls2A: C0=A,Cr=C, Ci6=Ci+1,i=0;:::;r�1.
Hence,Prob(s;;C)=Prob(s0;;C)foralls,s02A.Similarly, Prob(s;;C)=1Xr=1(C1;:::;Cr)2�rr�1 X Yi=0ProbR(Ci;;Ci+1)
foralls,s02A,2ActnfgandC2S=R. Prob(s; ;C)=Prob(s0; ;C)
R: Lemma7.5.9(cf.Lemma7.2.4,page165)LetRbeanequivalencerelationonS. Then,RisabranchingbisimulationifandonlyifforallC2S=R,a2Actand(s;s0)2 (1)IfP(s;;[s]R),P(s0;;[s0]R)

Inthiscase:Ifs2SwithP(s;;[s]R)

7.5.PROOFS Then,xa;C=P(s;;A)xa;C+P(s;a;C)foralls2A.Hence,ifs2A\Tthen183
Ifs2A\TandA6Tthenxa;C6=0forsomepair(a;C)asabove.Thus, xa;C= 1�P(s;;A): P(s;a;C)
Then,thereexistsanitepath0startinginsoflengthr ProbR(s;ba;C)=xa;C>0:
(i)2A,i=1;:::;r�1andP(last();;A)0). 0(i)2A,i=0;1;:::;r�1andlast(0)2C.Letbethe(r�1)-thprexof0.Then, 1withtrace(0)2 a,
Proposition7.5.10s Proof: followsbyLemma7.5.6(page180)andLemma7.5.7(page180). s0i s rbrs0
Notation7.5.11[TheconditionalprobabilitiesPR()]LetRbeanequivalencerelationonS. P(s;;[s]R)

NotethatProb(C;;C)=1.Nowwesupposethats2AjnT.Then, 184 CHAPTER7.WEAKBISIMULATION
1�P(s;;Aj)=kXi=0P(s;;Ai) Prob(s;;C)
= kXi=0 1�P(s;;Aj)Prob(Ai;;C)
i6=j1�P(s;;Aj)Prob(Ai;;C)+ P(s;;Ai) 1�P(s;;Aj)Prob(Aj;;C) P(s;;Aj)
= i6=jPR(s;;Ai)Prob(Ai;;C)+ kXi=0 1�P(s;;Aj)Prob(s;;C) P(s;;Aj)
Here,weusethefactthatProb(s;;C)=Prob(Aj;;C).Weobtain: Prob(s;;C)=Prob(s;;C) 1�P(s;;Aj)�P(s;;Aj) 1
=kXi=0 1�P(s;;Aj)!
Thus,foreachs2AjnT,thevector(PR(s;;Ai))0iksolvestheequationsystem i6=jPR(s;;Ai)Prob(Ai;;C)
Lemma7.5.4(page178)yieldsPR(s;;C)=PR(s0;;C)foralls;s02AjandC2S=R, xj=0; kXi=0xiProb(Ai;;C)=Prob(Aj;;C):
C6=Aj.Let Forall2Actnfgands2Aj: PR(Aj;;C)=PR(s;;C)wheres2Aj\T.
Asbefore,weobtainfors2AjnT: Prob(s; ;C)=kXi=0P(s;;Ai)Prob(Ai; ;C)+P(s;;C)
Then,foralls2AjnT,2ActandC2S=R: Prob(s; ;C)=kXi=0 i6=jPR(s;;Ai)Prob(Ai; ;C)+PR(s;;C):
WeobtainPR(s;;C)=PR(s0;;C)foralls,s02AjnT. Prob(Aj; ;C)=kXi=0 i6=jPR(Aj;;Ai)Prob(Ai; ;C)+PR(s;;C)
Corollary7.5.13(cf.Theorem7.1.10,page163)s s0is brs0.

7.5.PROOFS Lemma7.5.14LetR1,R2bebranchingbisimulations.Then,R=(R1[R2)isa 185
branchingbisimulation.
C0=C0[:::[CrwhereCi2S=Rj. Proof: Firstweobservethatforj2f1;2g,eachequivalenceclassC02S=Rcanbewrittenas WeshowthatRfulllstheconditions(1)and(2)ofLemma7.5.9(page181).
Then: withP(s;;C0),P(s0;;C0)

Proof: 186 Lemma7.5.8(page181),Lemma7.5.15(page185)andCorollary7.5.13(page CHAPTER7.WEAKBISIMULATION
k184)yieldthat Theorem7.5.17(cf.Theorem7.1.4,page162)Ifs =brisaweakbisimulation.
(a)Prob(s; 1and1;:::;k2Actnfg: 1 2::: k;C)=Prob(s0; 1 2::: s0.then,forallC2S=,
Proof: (b)Prob(s; 1 2::: k;C)=Prob(s0; 1 2::: k;C)
havetoshowthatProb(s; Weprovepart(a)byinductiononk.Inthebasisofinduction(k=1)we ;C)=Prob(s0; ;C)forallvisibleactionsandallweak k;C)
183)andLemma7.5.16(page185).Intheinductionstepk�1=)kweassumethat kbisimulationequivalenceclassesC.ThisfollowsimmediatelybyProposition7.5.10(page Prob(s; Prob(t;;C)=Prob(t0;;C)forallt 2,1;:::;k2Actnfgand 1;A)=Prob(s0; 1;A)forallA2S= = 2::: t0andC2S= k.Then,
(inductionhypothesis).Thus: Prob(s; = A2S=Prob(s0; X 1;C)=X
1;A)Prob(A;;C)=Prob(s0; A2S=Prob(s; 1;A)Prob(A;;C)
Here,weusethefactthatPathful(u; 1;C)canbewrittenasdisjointunionofthe 1;C):
setsA(u),A2S=,whereAisthesetoffulpathssuchthat trace((k))2 (k)2A, =(k) where2Pathful((k);;C) 1,
forsomekProb(s;;C)=X 0.Part(b)canbederivedfrom(a):
= A2S=Prob(s0; X A2S=Prob(s; 1::: k;A)Prob(A;;C)=Prob(s0;;C): 1::: k;A)Prob(A;;C)
7.5.2 where = andthetestingequivalences=steand 1::: k.
WecompletetheproofsofTheorem7.3.5(page173)andTheorem7.3.6(page174)by showingthat isnerthanthetestingequivalences=steand0. 0
Lemma7.5.18IfA,C2S=,s,s02A,L Q(s;L;;C)=Q(s0;L;;C):
Actnfgand 2Lthen

7.5.PROOFS Proof: Firstweobservethat,forallA,B2S= =S=br,s,s02AwithP(s;;A), 187
P(s0;;A)0then ;C)=0.
qA=1 rA0B@P0(A;;C)+X Theuniquenessoftheequationsystemaboveisaneasyverication.ForallA2S= B2S=
suchthatrA>0andProb(A; ;C)>0ands2AwithP(s;;A)>0wehave: B6=AP0(A;;B)qB1CA:
and P(s;;SnA)+P(s;L)>0
1�P(s;)+P(s;L)!qA=P(s;;SnA)+P(s;L) P(s;;A)
=P(s;;SnA)+P(s;L) P(s;)+P(s;L) qA
P(s;)+P(s;L) rA 10B@P0(A;;C)+X
= B2S=
P(s;)+P(s;L) 1�P(s;;A) B6=AP0(A;;B)qB1CA 0B@P0(A;;C)+X
= B2S=
P(s;)+P(s;L) 1 B6=AP0(A;;B)qB1CA 0B@P(s;;C)+X
= P(s;)+P(s;L)+X P(s;;C) B2S= B2S=
B6=AP(s;)+P(s;L)qB: P(s;;B) B6=AP(A;;B)qB1CA

Thus, 188 CHAPTER7.WEAKBISIMULATION
ForA2S= ands2A,letqs=qAandrs=rA.Then,thevector(qs)s2Ssolvesthe qA= P(s;)+P(s;L)+X P(s;;C) B2S= P(s;)+P(s;L)qB: P(s;;B)
followingregularlinearequationsystem.IfProb(s; Otherwise, qs= P(s;)+P(s;L)+Xu2S P(s;;C) P(s;)+P(s;L)qu: P(s;;u) ;C)=0orrs=0thenqs=0.
Itiseasytoseethat,ifrs=0thenQ(s;L;;C)=0.Thus,thevector(Q(s;L;;C))s2S
Weconclude:Q(s;L;;C)=qA=Q(s0;L;;C)foralls,s02A,A2S=. isalsoasolutionoftheequationsystemabove.Hence, qs=Q(s;L;;C)foralls2S.
Proof: Theorem7.5.19(cf.Theorem7.3.5,page173) Asobservedin[Chri90b],s=stes0i isnerthan=ste.
Lemma7.5.18(page186)weobtainthat,ifs forallL1;:::;Lk2Oeringsand1;:::;k2Actnfg.Byinductiononkandusing Q(s;L1:::Lk;1:::k)=Q(s0;L1:::Lk;1:::k)
Q(s;L1:::Lk;1:::k;C)=Q(s0;L1:::Lk;1:::k;C) s0then
forallC2S=.SummingupoverallC2S= Q(s;L1:::Lk;1:::k)=Q(s0;L1:::Lk;1:::k): weobtain
Hence,s=stes0.
x2X. sistingofalldistributionsonXandthefunctionNotation7.5.20[ThesetDistr0(X)]ForXtobeaset,letDistr0(X)bethesetcon- Notation7.5.21[Probabilistictraces]Aprobabilistictraceisanitesequence :X![0;1]with(x)=0forall
overDistr0(Actnfg)(Actnfg)."PrTrdenotestheemptyprobabilistictrace,ProbTraces thecollectionofallprobabilistictraces. =h1;1ih2;2i:::hk;ki
thenormalizatorofsandisdenedby Notation7.5.22[Thenormalizatornorm(s;)]For2Distr0(Actnfg)ands2S, norm(s;)= 2ActnfgP(s;)()+P(s;):
X

7.5.PROOFS [CSZ92,YCDS94]denetheprobabilitiesN(s;;;C)thatfromstatesthestatetis 189
reachedviaanitepathlabelledby samevalues). accordancewith.Here,weuseaslightlydierentwaytodeneN()(whichyieldsthe giventhattheenvironmentisenablingactions
Notation7.5.23[ThevaluesN(s;;;C)]Let
linearequationsystem: bedenedasfollows.Thevector(N(s;;;C))s2Sistheuniquesolutionofthefollowing N:S (Actnfg)Distr0(Actnfg)2S![0;1]
1.IfProb(s; 2.IfProb(s; ;C)=0ornorm(s;)=0thenN(s;;;C)=0.
N(s;;;C)= ;C)>0andnorm(s;)>0then
Clearly,if()=0forallnorm(s;)P(s;;C)+Xt2SP(s;;t) thenN(s;;;C)=0forallstatessandC () norm(s;)N(t;;;C):
M(s;"PrTr)=1and Notation7.5.24[ThevaluesM(s;)]LetM:S ProbTraces![0;1]begivenby: S.
Denition7.5.25[Thetestingequivalence0,cf.[CSZ92,YCDS94]] M(s;h;i)=Xt2SN(s;;;t)M(t;)
Lemma7.5.26Ifs s 0s0iM(s;)=M(s0;)forall2ProbTraces.
Proof: 2Distr0(ActnfgandC2S=. If()=0forall s0thenN(s;;;C)=N(s0;;;C)forall thenN(s;;;C)=N(s0;;;C)=0.Nowweassume 2Actnfg,
that P(s;;A)0.
)=0foralls2Aand 2Actnfgwith

Letnorm(A;)=0and2Actnfgwith()>0.Then: 190 CHAPTER7.WEAKBISIMULATION
Hence,P(s;)=0andP(s;;SnA)=0foralls2A.Inparticular,Prob(s;;SnA)=0 P0(A;;C)=0forallC2S=,C6=A. P0(A;;C)=0forallC2S=,
foralls2A.ThisyieldsProb(s; ForA,C2S=, 2Actnfgand )=0.
system: asfollows.Thevector(N(A;;;C))A2S=istheuniquesolutionofthelinearequation 2Distr0(Actnfg),wedeneN(A;;;C)
1.Ifnorm(A;)=0thenN(A;;;C)=0. 2.Ifnorm(A;)>0then N(A;;;C)= norm(A;)P0(A;;C)+X ()
Inwhatfollows,wesuppose,andCtobexed.Itsucestoshowthat B2S= B6=AP0(A;;t) norm(A;)N(B;;;C):
Foralls2Swedenexs=N([s];;;C).(Recallthat[s]denotestheweakbisimulation equivalenceclassofs.)Clearly,(*)holdsifnorm(A;)=0.NowweassumeA2S= (*)N(s;;;C)=N(A;;;C)foralls2AandA2S=.
(2)Ifs2AwithP(s;;A)0.(Inparticular,A6=Div.)Then:
(3)Ifs2AwithP(s;;A)0.Itiseasytoseethat,ifProb(A; )=0foralls2A.Thus,by
xs=0=N(A;;;C)foralls2A.Inwhatfollows,wesupposeProb(A; By(2)and(3), ;C)=0then
norm(s;)>0foralls2A, ;C)>0.
Lets2AwithP(s;;A)P(s;;A)foralls2AwithP(s;;A)

7.5.PROOFS + 1�P(s;;A) 191
norm(s;)�P(s;;A)X t2SnA1�P(s;;A)xt P(s;;t)
= + norm(s;)�P(s;;A)P(s;;C) ()
Thus, norm(s;)�P(s;;A)Xt2SP(s;;t)xt� 1 norm(s;)�P(s;;A)xs P(s;;A)
xs = norm(s;)�P(s;;A)=xs norm(s;) 1 1+ norm(s;)�P(s;;A)! P(s;;A)
Hence, norm(s;)�P(s;;A) ()P(s;;C)+Xt2SP(s;;t)xt!:
Thisyieldsxs=N(s;;;C)foralls2A. xs= norm(s;)P(s;;C)+ () norm(s;)Xt2SP(s;;t)xt: 1
probabilistictraces.
Proof: Theorem7.5.27(cf.part(a)ofTheorem7.3.6,page174) followsbyLemma7.5.26(page189)andinductiononthelengthofthe isnerthan0.

192 CHAPTER7.WEAKBISIMULATION

Chapter8
Fairnessofprobabilisticchoice
InSection3.2.3(page45)wearguedthat,forconcurrentprobabilisticsystems,certain livenesspropertiescannotbeestablishedunlessfairnessassumptionsaremadeabout thewayinwhichthenon-deterministicchoicesareresolved.Forprobabilisticsystems, onemightalsoconsiderfairnesswithrespecttotheprobabilisticchoices.Clearly,the probabilitiesforthetransitionscanbeviewedasconditionsonthefrequencieswithwhich acertaintransitionischosen.Thus,fairnessassumptionsabouttheprobabilisticchoices seemtobesuperuousastheyareexpressedimplicitlybythetransitionprobabilities. Nevertheless,theprobabilisticchoicesmightberesolvedunfair,andhence{asinthe non-probabilistic(orconcurrentprobabilistic)case{itispossiblethatcertainliveness probabilitiesareviolatedinsomeexecutionswhiletheyholdinallexecutionsthatare fairwithrespecttotheprobabilisticchoices.Forinstance,ifweipacoininnitely
Thus,fromapurelydescriptivepointofview,fairnesswithrespecttotheprobabilistic unfairbehaviouriszero;i.e.theevent\eventuallyhead"holdsforalmostallexecutions. executionsasitispossiblethatwealwaysobtain\tail".Buttheprobabilityforsuchan oftenthenthepropertythateventuallytheoutcomeis\head"doesnotholdforall
choicesisirrelevantbecausetheprobabilitymeasureofallexecutionsthatsatisfyacertain lineartimepropertydoesnotdependonwhetherornotweshrinktheattentiontothose
systems.[Pnue83,PnZu86a,PnZu93]introducestwokindsoffairnesswithrespecttothe theresultsofPnueli&Zuck[Pnue83,PnZu86a,PnZu93]fairnesswithrespecttothe probabilisticchoicesmightbehelpfulforverifyingqualitativepropertiesforprobabilistic executionswheretheprobabilisticchoicesareresolvedinafairmanner.However,by
qualitativelineartimepropertiesinthefollowingsense:Wheneveralineartimeproperty 'holdsforallexecutionsequencesthatareextremelyfair(or-fair)then'holdswith probabilisticchoices(calledextremelyfairnessand-fairness)for(avariantof)concurrent
probability1(independentontheadversary). probabilisticsystems.Extremeand-fairnessareshowntobesoundforthevericationof
Themaingoalofthatchapter(whoseresultsarepublishedin[BaKw98a],ajointwork withMartaKwiatkowska)istopresentageneralnotionoffairnesswithrespecttothe weshowthatinordertodemonstratethevalidityofaqualitativelineartimeproperty' forprobabilisticprocessesitsucestoshow{forsomeinstanceofourgeneralp-fairness probabilisticchoices(shortlycalledp-fairness)thatsubsumesextremelyand-fairnessa la[Pnue83,PnZu86a,PnZu93]andtheabovementionedsoundnessresult.Moreprecisely,
193

194 notion{that'holdsforallp-fairexecutionsequences.Thisallowsone,givenaninstance CHAPTER8.FAIRNESSOFPROBABILISTICCHOICE
probabilisticprocessestothenon-probabilisticcase:ratherthancomputetheexactprobabilitiesofthesetofpathsfullling',itissucienttoestablishthat'holdsforallp-fair ofourp-fairnessnotion,toreducethevericationofqualitativelineartimepropertiesof executionsequencesbymeansofwell-knownnon-probabilisticmethods(deductivemeth-
Givenaset P-fairnessmightalsobeusefulforcomputingtheprobabilitymeasureofcertainevents. odsormodelchecking,seee.g.[LiPn85,MaPn92,CGH94,Lamp94,GPV+95,MaPn95]).
(whichyieldsProb((s))=Prob(0(s))).Thus,themore\complicate"set replacedbythe\simpler"set0.1 a\simpler"set0offulpathsandshowthat,foranyp-fairfulpath,2 offulpathsforwhichwewanttocomputeProb((s)),onemightdene imightbe 20
probabilisticandconcurrentprobabilisticsystems.InSection8.1,weintroducep-fairness forfullyprobabilisticsystemsandpresentourmainresultstatingthat,foreveryinstance ofourgeneralnotionofp-fairness,thesetofp-fairexecutionsequencesinboundedsystems Organizationofthischapter:Thenotionofp-fairnessisintroducedforbothfully
probabilisticsystemsandshowsthatextremeand-fairnessandtheabovementioned soundnessresultalaPnueli&Zuckcanbeobtainedfromourgeneralp-fairnessnotion. hasprobability1(Theorem8.1.5,page196).Section8.2dealswithp-fairnessconcurrent
8.1 Weintroduceageneralnotionof(strong)fairnesswithrespecttotheprobabilisticchoices P-fairnessforfullyprobabilisticsystems
action.Wesayanexecutionsequenceisp-fairifwheneveralabelisenabledinnitely manytimesthenitistakeninnitelymanytimes. choicesareassociatedwith\labels",witheachlabeldenotinge.g.aprocessnameoran infullyprobabilitsicsystems.Forthis,wesupposethatthealternativesoftheprobabilistic
Denition8.1.1[p-fairnessforfullyprobabilisticsystems]Let(S;P)beafully Let`2L.`iscalled emptycountablesetoflabelsandl:SS!2Lafunctionwithl(s;t)=;ifP(s;t)=0.probabilisticsystem.Ap-fairnessconditionfor(S;P)isapair(L;l)whereLisanon- Afulpathiscalledp-fairwithrespectto(L;l;`)ieither`isenabledonlynitelymany takeninthei-thstepofafulpath enabledinastatesi`2l(s;t)forsomet2S,
timesin or`istakeninnitelyoftenin. i`2l((i);(i+1)).
(L;l)-fair)i,foreachlabel`2L, Notethatallnitefulpathsare(L;l)-fairsinceeachlabel`isenabledonlynitelymany isp-fairwithrespectto(L;l;`). iscalledp-fairwithrespectto(L;l)(or
times.If(L;l)areunderstoodfromthecontextthenwebrieyspeakaboutp-fairness thistechniqueandintroducestateandtotalfairnessasspecialinstancesofp-fairness(resp.acombination ofp-fairnessandfairnessofnon-deterministicchoiceinthecaseoftotalfairness)thatweusetogivesimple characterizationsforthewantedprobabilitymeasures.
1Forinstance,inthecorrectnessproofsofthemodelcheckingalgorithmsinChapter9wemakeuseof

8.1.P-FAIRNESSFORFULLYPROBABILISTICSYSTEMS withrespecttoalabel`2L(ratherthanp-fairnesswithrespectto(L;l;`))andp-fairness 195
ThesetLoflabelsshouldbethoughtofasanabstractionwhichallowstoexpressdierent (ratherthan(L;l)-fairness). kindsoffairness.Clearly,whetherornotafairprobabilistictransitionsystemyieldsa reasonablenotionoffairnessdependsonthechoiceofLand`. Example8.1.2[Processfairness]Toseewhyweneedsetsoflabelsweshowhowto deneprocessfairness.Weconsiderafullyprobabilisticsystemwhichisobtainedfrom
aglobalstatesofthecomposedsystem,theschedulerdecides{accordingtoacertain schedulerthatdecidesrandomlywhichoftheprocessesPiperformsthenextstep.Given theparallel(interleaved)executionofP1;:::;Pnonasingleprocessorwhereweassumea aprobabilisticmergeofsequentialrandomizesprocessesP1;:::;Pn.Forthis,weconsider
distributions{whichstephastobeperformednext.Thetransitionprobabilitiesofthe composedsystemaregivenbythesedistributionssinthesensethatP(s;t)=s(t).2
s!tarisesfromanautonomousmovebyPiwhiletheotherprocessesareidle)orofa l(s;t)thesetofprocessesthattakepartinthetransitionfromtheglobalstatestothe globalstatet.Thus,l(s;t)mightconsistofasingleprocessPi(iftheglobaltransition Todeneprocessfairness,letLtobethesetofprocessnames(i.e.L=fP1;:::;Png)and
takespartinthetransitions!t.Let=s0!s1!:::beaninnitefulpath.Then, isprocessfairnessinthefollowingsense.Forstobeaglobalstateofthesystem,wesay thatprocessPiisenabledinsithereissomeglobaltwithP(s;t)>0suchthatPi setconsistingoftwoormoreprocesses(ifacommunicationoccurs).Then,(L;l)-fairness
Similarly,wecandeneinteractionfairnesswhichensuresthatwheneverthesynchroniza- manyindicesiwherePiisactivatedinthetransitionsi!si+1. is(L;l)-fairiwheneverPiisenabledininnitelymanystatessithenthereareinnitely
functionlthatassignstoeachtransitions!tthesingletonsetl(s;t)ofallprocesses nizedstep.Forthis,wedealwithLtobethepowersetoffP1;:::;Pngandthelabellingareinnitelymanystepswhere(exactly)theprocessesPi1;:::;PikperformasynchrotionofcertainprocessesPi1;:::;Pikispossibleininnitelymanyglobalstatesthenthere thatareactivatedinthesteps!t.Then,(L;l)-fairnessisinteractionfairness.
Act action-labelledfullyprobabilisticsystems(S;Act;P)weusealabellingfunctionl:S Remark8.1.3[Actionfairness]Todeneaction(event)fairnessinaction-labelled
fairness,wedealwithL=Actanddenel(s;a;t)=fag.Then,(L;l)-fairnessensures probabilisticsystemswehavetodealwithaslightmodicationofp-fairness.Foran
thatwheneveranactiona2Actisenabledinnitelyoftenthenaistakeninnitelyoften. Moreprecisely,if=s0a1 S!2Lthatassignstoeach(action-labelled)stepasetoflabels.Todeneaction
P(si;a)>0forinnitelymanyithena=aiforinnitelymanyi. 2ThiscanbeviewedasageneralizationoftheprobabilisticmergeoperatorproposedbyBaeten, !s1a2!:::isaninnitefulpaththenis(L;l)-fairiwhenever
Bergstra&Smolka[BBS92].[BBS92]dealwitha(binary)probabilisticmergeoperatorP1kp;qP2 parametrizedbyprobabilitiesp,q2[0;1](withp+q autonomousmovewhileP2isidle;similarly,(1�p)qistheprobabilityforP2tomakeanautonomous municationbetweenP1andP2occurswithprobability1�q.pqistheprobabilityforP1tomakean movewhileP1isidle.
1)whichareinterpretedasfollows.Acom

196 Notation8.1.4[ThesetspFair`andpFair(L;l)]Let(L;l)beap-fairnessconditionfor CHAPTER8.FAIRNESSOFPROBABILISTICCHOICE
thatarep-fairwithrespectto`.pFair(L;l)=\`2LpFair(L;l;`) afullyprobabilisticsystem(S;P).For`2L,wedenepFair(L;l;`)tobethesetoffulpaths
denotesthesetofallfulpathsthatare(L;l)-fair.
p-fairnessasalineartimeformula,andthenuseawell-knownresult[Vard85,PnZu93] andpFair`ratherthanpFair(L;l;`).ToseethatpFair(s)ismeasurablewerstexpress statingthatthesetofpathsfulllingagivenlineartimeformulaismeasurable.The If(L;l)areunderstoodfromthecontextthenwebrieywritepFairratherthanpFair(L;l)
operatorX.Formulasarebuiltfrom:thetruthvaluesttand,theatomicpropositions enabled(`)foreachlabel`2L,theusualbooleanconnectives^,_,:,!,andthe underlyinglineartimelogicisaslightmodicationofLTL(seeSection9.1.3,page212)
temporaloperators2(\always"),3(\eventually")andanext-stepoperatorX`foreach whichuseslabellednextstepoperatorsX`ratherthantheusual(unlabelled)nextstep
label`2L.Theformulasareinterpretedoverthefulpathsoffullyprobabilisticsystem Letbeafulpathin(S;P).Then, (S;P)withap-fairnesscondition(L;l).Wedenethesatisfactionrelationj=asfollows.
Theotheroperatorsareinterpretedintheusualway(seee.g.[MaPn92]).Wewritej=' (;j)j=X`'ijj (;j)j=enabled(`)i`isenabledin(j)
i(;0)j='.Asshowne.g.in[Vard85,PnZu93],foragivenformula',thesetoffulpaths j+1,`2l((j);(j+1))and(;j+1)j='.
startinginaxedstates2Ssuchthatj='ismeasurable.Wedene
Clearly,j='`i '`=23enabled(`)!23taken(`)wheretaken(`)=X`tt: isp-fairwithrespectto`.Thus,
Ourresultsrelyontheboundednessof(possiblyinnite-state)fullyprobabilisticsystems andpFair(L;l)(s)=T`2LpFair`(s)aremeasurable. pFair`(s)=f2Pathful(s): j='`g
(seeDenition3.1.12,page38).Wenowstateourmainresultwhichshowsthatforeach instanceofp-fairnessinaboundedsystem,themeasureforthep-fairfulpathsis1. Theorem8.1.5Let(L;l)beap-fairnessconditionforaboundedfullyprobabilisticsystem (S;P)ands2S.Then, Proof: toshowthatpFair`(s)=1forall`2L.3Let`beaxedlabeland Letc>0bearealnumbersuchthatP(s;t)>0impliesP(s;t) Prob(pFair(L;l)(s))=1:
fulpathswhere`isenabledinnitelyoftenandwhichtotallyignore`-steps,i.e. bethesetofall c.Itsuces
3NotethatProb(i)=1impliesProb(Tii)=1whichholdsineachprobabilisticspace.
=f2Pathful:j=23enabled(`)^2:taken(`)g

8.1.P-FAIRNESSFORFULLYPROBABILISTICSYSTEMS If isanitepathwithlast()=sthenwebrieywrite (s)todenotetheset 197
f :2(s)g.LetPathtnbethesetofallnitepathsendingintand
asacountableunionofsetsoftheform Weshowthat,foralls2S,Prob((s))=0andthatPathful(s)npFair`(s)canbewritten T=ft2S:tj=enabled(`)g:
Claim1:Prob((s))=0foralls2S. Proof:Wedene tobethesetofnitepaths2Pathnsuchthatjj (t)where2Pathtnandt2T.
t2Tands2S, (i)62T,i=1;:::;jj�1,andlast()2T.Fort2T,lett= t(s)=f2 :rst()=s;last()=tg: \Pathtn.Then,for 1,`=2l(s;(1)),
(s)iscountableand(s)=St2Tt(s)wheret(s)\t0(s)=;ift6=t0.Thus,
Wehave (1) X2(s)P()=Xt2TX
(s)=[ 2t(s)P():
Prob( As (t)\0 (t0)=;if(;t)6=(0;t0),andas t2T[ 2t(s) (t)foralls2S.
(2) (t))=P()Prob((t))weobtain: Prob((s))=Xt2T X (t)isameasurablesetwith
Lett2T.Astj=enabled(`)thereissomest2Swith`2l(t;st).SinceP(t;st) 2t(s)P()Prob((t)) foralls2S.
obtain:(3) X2(t)P() Xs6=stP(t;s) 1�P(t;st) 1�cforallt2T. cwe
hypothesiswegetforallt2T: induction(k=0)thereisnothingtoshow.Intheinductionstep(k=)k+1)we supposethatProb((t)) WeshowbyinductiononkthatProb((t)) (1�c)kforallt2T.By(1),(2),(3)andtheinduction (1�c)kforallt2T.Inthebasisof
Prob((t))=Xu2TX =(1�c)kX2(t)P() 2u(t)P()Prob((u)) (1�c)k+1: (1�c)kXu2TX 2u(t)P()
Claim2:Prob(pFair`(s))=1foralls2S. WeconcludeProb((t))=0forallt2T.Thus,Prob((s))=0foralls2S(by(2)).c Proof:Itisclearthat Pathful(s)npFair`(s)=[ t2T 2Pathtn(s) [ (t):

198 NotethatPathtniscountable.Claim1yields CHAPTER8.FAIRNESSOFPROBABILISTICCHOICE
forallt2T.Hence, Prob( (t))=P()Prob((t))=0
andProb(pFair`(s))=1.c Prob(Pathful(s)npFair`(s)) Xt2T2Pathtn(s)Prob( X (t))=0
Remark8.1.6Ifwedroptheassumptionthat(S;P)isboundedthentheprobabilityof 8.1,i.e.thesystem(S;P;L;l)whereS=ftg[fs0;s1;:::g,L=f`gand thefairpathsmightbelessthan1.Asacounter-exampleconsiderthesystemofFigure
P(si;v)=8>:2�ri 1�2�ri:ifv=t 0 :ifv=si+1
andP(t;si)=0,P(t;t)=1,l(t;t)=;.Here,(ri)i0isasequenceofpositiverealswhere :otherwise l(si;v)=(; f`g:ifv=t :ifv=si+1
Pi0riisconvergent. =s0!s1!s2!:::isnotp-fairas`iscontinuouslyenabled
`s0 l2�r0 s1 l2�r1 s2 l2�r2 s3 l :::
tl
`- `- ` - -
? ��) ����
butnevertakenin.Anyotherfulpathisniteandhencep-fair.Hence, Figure8.1:
Prob(pFair(s0))=1�lim =1�lim k!12�(r0+r1+:::+rk�1)=1�2�r

8.2.P-FAIRNESSFORCONCURRENTPROBABILISTICSYSTEMS Ifj='forall2pFair(L;l)(s)thensis'-valid. 199
process,itsucestoshowthatallp-fairfulpathssatisfy'forsomeinstanceofourgeneral Hence,inordertoestablisha(qualitative)lineartimeproperty'foraprobabilistic Proof: followsimmediatelyfromTheorem8.1.5(page196).
conditionon(S;P),s2Sand Corollary8.1.8Let(S;P)beaboundedfullyprobabilisticsystem,(L;l)ap-fairness p-fairnessnotion(whichcanbeachievedwithwell-knownnon-probabilisticmethods).
Prob (s)\pFair(L;l)=Prob((s)): asubsetofPathfulsuchthat(s)ismeasurable.Then:
Proof: Inparticular,whenever'isalineartimeformulathentheprobabilityofthesetof fulpathsfullling'equalstheprobabilityofthesetofp-fairfulpathsfullling'.In followsimmediatelyfromTheorem8.1.5(page196).
otherwords,whetherornota(qualitativeorquantitative)lineartimepropertyholdsfor toprobabilisticchoiceisirrelevant.5 choiceisrequired.Hence,fromapurelydescriptivepointofview,fairnesswithrespect aprobabilisticprocessdoesnotdependonwhetherfairnesswithrespecttoprobabilistic
Inthissection,wedenep-fairnessforconcurrentprobabilisticsystemsandshowthat 8.2 thesoundnessresultofthep-fairnessapproachforestablishingqualitativelineartime P-fairnessforconcurrentprobabilisticsystems
casesoftheresultspresentedhere.Wecannotexpectageneralcompletenessresult(in fairnessofPnueli&Zuck[Pnue83,PnZu86a,PnZu93]arespecialinstancesofourgeneral p-fairnesnotion.Hence,thesoundnessresultsestablishedin[Pnue83,PnZu93]arespecial propertiescarriesovertotheconcurrentcase.Moreover,weshowthattheextremeand-
incomplete.However,weareabletoshowthat{insomesense{-fairness(showntobe completein[PnZu93])istheonlyp-fairnessnotionthatiscompleteforprovingvalidity 'holdsonallp-fairexecutionsequences)asin[Pnue83]extremefairnessisshowntobe thesensethat,ifalineartimeproperty'holdswithprobability1inalladversariesthen
ofqualitativelineartimeproperties(Lemma8.2.11,page203).
\enabled"inastatesonlydependsonthechosennon-deterministicalternativesandthe withcertainlabels.P-fairnessinconcurrentsystemsensuresthatwheneveralabel`is enabledinnitelyoftenthen`istakeninnitelyoftenwheretheunderlyingdenitionof Asinfullyprobabilisticcase,weassumethattheprobabilisticalternativesareassociated
associateddistribution2Steps(s)(butnotontheothernon-deterministicalternatives
knowledgethatcertainlivenesspropertiescannotbeestablishedwithoutsuitablefairnessassumptions. Itisworthnotingthat'-validityofastatesinaprobabilistictransitionsystemisweakerthan'-validity 2Steps(s)nfg).
inthecorrespondingnon-probabilistictransitionsystem.Recallthat,inthenon-probabilisticcase,a 5Onemightwonderwhysucharesultispossible,sinceinthenon-probabilisticcaseitisfolklore statesofatransitionsystemissaidtobe'-validiallfulpathsstartinginssatisfy',whereasinthe probabilisticcase,'-validityrequiresthat'holdsforalmostallfulpathsstartingins.

200 Denition8.2.1[p-fairnessforconcurrentsystems]LetS=(S;Steps)beacon- CHAPTER8.FAIRNESSOFPROBABILISTICCHOICE
nonemptycountablesetLoflabelsandafunction currentprobabilisticsystem.Ap-fairnessconditiononSisapair(L;l)consistingofa
If isafulpathinSand`2Lthenwesay l:f(;;t):2Pathn;2Steps(last());t2Supp()g�!2L:
`isenabledinthei-thstepof`2l((i);step(;i);s) i
If`2Lthen `istakeninthei-thstepof forsomes2Supp(step(;i)),
manytimesiniscalledp-fairwithrespectto(L;l;`)ieither`isenabledonlynitely or`istakeninnitelymanytimesin. i`2l((i);step(;i);(i+1)).
to(L;l)(or(L;l)-fair)i,foreachlabel`2L, If(L;l)areunderstoodfromthecontextthenwebrieyspeakaboutp-fairnesswith isp-fairwithrespectto(L;l;`). iscalledp-fairwithrespect
respecttoalabel`2L(ratherthanp-fairnesswithrespectto(L;l;`))andp-fairness
foraconcurrentprobabilisticsystem(S;Steps).pFair(L;l;`)(orbrieypFair`)denotesthe Notation8.2.2[ThesetspFair`andpFair(L;l)]Let(L;l;`)beap-fairnesscondition (ratherthan(L;l)-fairness).
setoffulpaths Theorem8.2.3Let(S;Steps)beaniteconcurrentprobabilisticsystem,(L;l)ap- whichare(L;l)-fair. whichare(L;l)-fairwithrespectto`,andpFair(L;l)thesetoffulpaths
fairnessconditionon(S;Steps)andAanadversaryof(S;Steps).Then,
foralls2S.Moreover,if isasubsetofPathAfulwhere(s)ismeasurablethen Prob(pFairA(L;l)(s))=1
Proof: Itiseasytoseethat,forAtobeanadversaryof(S;Steps),afulpath Prob((s)\pFair(L;l))=Prob((s)):
systemSA.6As(S;Steps)isnite,foreachadversaryA,theassociatedfullyprobabilistic systemSAisbounded.Thus,theclaimfollowsbyTheorem8.1.5(page196)andCorollary 8.1.8(page199). 2PathAis(L;l)-fairifandonlyif is(L;l)-fairasapathinthefullyprobabilistic
Asbefore,wesupposea(lineartime)logicLandasatisfactionrelationj= suchthat,foreachs2S,eachadversaryAandeachformula'ofL,thesetf2 PathAful(s):j='gismeasurable.Wethenobtain: PathfulL
SeeChapter3,page42.
6Recallthatweidentifyeachpathin(S;Steps)withthepath=(0)!(1)!(2)!:::inSA.

8.2.P-FAIRNESSFORCONCURRENTPROBABILISTICSYSTEMS Corollary8.2.4If(L;l)isap-fairnessconditionforaniteconcurrentprobabilistic 201
system(S;Steps)and'aformulaofLthen
foralladversariesA. Probf2pFairA(L;l)(s):j='g=Probf2PathAful(s):j='g
Wecallastates'-validiProbf2PathAful(s): Proof: followsimmediatelyfromTheorem8.2.3(page200).
fairnessfollows.Furthermore,thesoundnessofprovingthevalidityoflineartimeformulasunder(L;l)- j='g=1foralladversariesA.
Corollary8.2.5Whenever(L;l)isap-fairnessconditionforaniteconcurrentprobabilisticsystem(S;Steps),'isaformulaofLands2S.Then: Proof: followsimmediatelyfromCorollary8.2.4(page201). Ifj='forallfulpaths2pFair(L;l)(s)thensis'-valid.
Extremeand-fairnessalaPnueli&Zuck:In[Pnue83]and[PnZu93]notionsof systems.Thedenitionofextremefairness[Pnue83]employsacollectionstatepredicates (describedbyrstorderformulas),whereas-fairness[PnZu93]usessomekindoflinear timelogicwithpastoperators.Wenowadaptthenotionsextremeand-fairnessforour extremefairnessand-fairnessareintroducedfor(avariantof)concurrentprobabilistic
conditionsasdenedabove.7 forourlessgeneralmodelofconcurrentprobabilisticsystems)areinstancesofp-fairness modelofconcurrentprobabilisticsystemsandshowthatextremeand-fairness(adapted
ForthedenitionofextremefairnesswesupposeasetStatePred Denition8.2.6[Extremefairness,cf.[Pnue83,PnZu86a]]Let 2StatePredrepresentsastatepredicate). 2S(whereeachelement
manyindicesi S. wheneverstep(;i)= iscalledextremelyfairi,foreach 0with(i)2,step(;i)=and(i+1)=s. forinnitelymanyi2StatePred,eachs2Sand 0with(i)2 thenthereareinnitely beafulpathin 2Steps(s),
whereweassumethateachelement lineartimelogic[LPZ85].Notethat,fortobeapastformula,canbeidentiedwith thesetofallnitepaths Todene-fairnesswesupposePastFormtobeasetconsistingofsubsetsofPathn suchthateachfulpath2"fullls. ofPastFormrepresentsapastformulasofsome
Denition8.2.7[-fairness,cf.[PnZu93]]Afulpath with(i)2 step(;j)=and(j+1)=s. 2PastForm,s2Sand andstep(;i)= 2Steps(s),wheneverthereareinnitelymanyindicesi thenthereareinnitelymanyindicesjwith(j)2, iscalled-fairi,foreach
inoursense: Thenextlemmashowsthatextremeand-fairnessareinstancesofp-fairnessconditions 7SeeSection3.6,page63forthepreciseconnectionbetweenthemodelalaPnueli&Zuckandours.

202 Lemma8.2.8Let(L;l)beap-fairnessconditionforaconcurrentprobabilisticsystem CHAPTER8.FAIRNESSOFPROBABILISTICCHOICE
(a) (S;Steps)and isextremelyfairifandonlyif Lefair=f(;;s):2StatePred;s2S;2Steps(s)g, beafulpathin(S;Steps).Then:
lefair(;;s)=f(;;s)2Lefair:last()2g. is(Lefair;lefair)-fairwhere
(b) is-fairifandonlyif lfair(;;s)=f(;;s)2Lfair:2g. Lfair=f(;;s):2PastForm;s2S;2Steps(s)g, is(Lfair;lfair)-fairwhere
Proof: andlinsteadofLefairandlefairrespectively.Letbeafulpathin(S;Steps). \onlyif":Let Weonlyshow(a)as(b)canbeshownsimilarly.Forsimplicity,wewriteL
enabledin.LetIbethesetofindicesi beextremelyfairandlet`=(;;s)2Lsuchthat`isinnitelyoften
j2J,i.e.`istakeninnitelyoftenin. innitesubsetJofIsuchthat(j+1)=sforallj2J.Hence,`2l((j);;s)forall .Then,(i)2 andstep(;i)=foralli2I.As 0suchthat`isenabledinthei-thstateof isextremelyfairthereexistsan
in.Hence,`istakeninnitelyoftenin,i.e.thereareinnitelymanyindicesjwith `2l((j);(j+1)).Foreachsuchindexj,(j)2,=step(;j)and(j+1)=s.Thus, \if":Wesuppose (i)2.Letsbeamodeof tobe(L;l)-fairandstep(;i)= andlet`=(;;s).Then,`isenabledinnitelyoften forinnitelymanyindicesiwith
page201)isageneralizationoftheresultof[Pnue83]whichstatesthesoundnessofproving Frompart(a)ofLemma8.2.8wecandeducethatoursoundnessresult(Corollary8.2.5, isextremelyfair.
qualitativepropertiesunderextremefairness.In[PnZu93]itisshownthat,foreachstate
The\if"-partisaninstanceofCorollary8.2.5(page201),whereasthe\only-if"-part sandeachlineartimeformula',
(thecompletenessofthe-fairnessapproach)isnot.Thereasonforthisisthatageneral sis'-validi j='holdsforall-fairfulpaths2Pathful(s).
completenessresultcannotbeestablished,asitisshownin[Pnue83]thatextremefairness Intheremainderofthissection,weshowthat-fairnessistheonlyp-fairnessnotion isnotanecessaryconditionforthevalidityoflineartimeformulas. whichiscompleteforverifyingqualitativepropertiesexpressedbylineartimeformulas thetruthvaluesttand,atomicpropositions,theusualbooleanconnectives,andthe temporaloperatorsU(\until"),U�1(\since"),X�1(\previousstep")andlabellednext- withpastoperators.WesupposethatformulasofthelineartimelogicLarebuiltfrom
ofpastformulasofL,i.e.formulaswhicharebuiltfromatomicpropositions,theboolean fromthelabellednext-stepoperatorsbyputtingX'=WX'.Lpastdenotestheset connectivesandtheoperatorsU�1andX�1. stepoperatorsX, 2SsSteps(s).Theusualnext-stepoperatorXcanbederived
Wexaconcurrentprobabilisticsystem(S;Steps)togetherwithasatisfactionrelation way(seee.g.[MaPn92]).Thesatisfactionrelationj= j= istep(;j)=and(;j+1)j='.Theremainingoperatorsareinterpretedintheusual Pathful IN L(whereINisthesetofnon-negativeintegers)with(;j)j=X' Pathful L,asusedearlier,is

8.2.P-FAIRNESSFORCONCURRENTPROBABILISTICSYSTEMS givenbyj='i(;0)j='.Let 203
Then,siscalled'-validiProb(A'(s))=1foralladversariesA.Forapastformula andanitepathwithjj=j,wedene '=f2Pathful:j='g:
(orequivalently,i(;j)j= j= i(;j)j= forsomefulpath forallfulpathswith(j)=
part(b)ofLemma8.2.8(page202).WewriteFairinsteadofpFair(Lfair;lfair). nitepaths with j= andPastForm=f : with(j)=).Let 2Lpastg.Let(Lfair;lfair)beasin bethesetof
Denition8.2.9[Completenessofp-fairnessconditions]Let(L;l)beap-fairness before.(L;l)iscalledcomplete(forverifyingqualitativepropertiesexpressedasformulas ofL)ithefollowingholds: conditionforaconcurrentprobabilisticsystem(S;Steps)andLalineartimelogicas
forallformulas'ofLandallstatess2S. Itiseasytoseethatthecompletenessresultof[PnZu93](wherelabellednext-stepop- ifsis'-validthenj='forall'2pFair(L;l)
eratorsarenotused)carriesovertoL,i.e.ifsis'-validthenFair(s) (Lfair;lfair)iscomplete. Denition8.2.10[ExpressivenessofLforap-fairnesscondition]Let(L;l)bea '(s).Thus,
p-fairnessconditionforaconcurrentprobabilisticsystem(S;Steps)andLalineartime logicasbefore.Liscalledexpressivefor(L;l)iforeach`2Lthereexistsaformula' ofLwith'=pFair(L;l;`). Wemayassumethatforeachstates2Sthereisanatomicpropositionaswith(;j)j=as
whereenabled(`)= i (j)=s.Then,Lisexpressivefor(Lfair;lfair)as,for`=( ^Xtt,wehavethat '`=23enabled(`)!23( ^Xas) ;;s)and
Thenextlemmashowsthat{insomesense{-fairnessistheonlyp-fairnessnotion whichiscompleteforverifyingqualitativelineartimeproperties. j='`i is(Lfair;lfair)-fairwithrespectto`.
Proof: Lemma8.2.11Let(S;Steps),Land(L;l)beasbefore.IfLisexpressivefor(L;l)then (L;l)iscompleteipFair(L;l)=Fair. Lisexpressivefor(L;l), (L0;l0)iscomplete Itsucestoshowthatif(L;l),(L0;l0)arep-fairnessconditionssuchthat
thereisaformula'with'=pFair(L;l;`)where'=f2Pathful:j='g.Since thenpFair(L0;l0)(s) pFair(L;l;`)(s)foralls2Sand`2L.SinceLisexpressivefor(L;l)
thecompletenessof(L0;l0).Thus,pFair(L0;l0)(s) foralladversariesAweobtain'-validityofs.Hence,pFair(L0;l0)(s) Prob(A'(s))=Prob(pFairA(L;l;`)(s))=1 pFair(L;l)(s).
pFair(L;l;`)(s)by

204 CHAPTER8.FAIRNESSOFPROBABILISTICCHOICE

Chapter9
properties Verifyingquantitativetemporal
Themaingoalofthischapteristopresentthebasicconceptsofthealgorithmicmethods forverifyingquantitativepropertiesspeciedinthetemporallogicalframework.1We considerbothfullyprobabilisticandconcurrentprobabilisticsystems.Forthehandling offullyprobabilisticsystems,werecalltechniquesproposedintheliterature(mainlythe methodsofHansson&Jonsson[HaJo94]).2Forthelatter(concurrent)case,wemainly concentrateonmethodsthatinvolvefairness.Theunderlyingfairnessnotionsarethose of[HSP83,Vard85](seeSection3.2.3,page45).3Forthis,werstrecalltheapproachof
Probabilisticcomputationtreelogic:Combiningseveralaspectsofthelogicscon- probabilisticsystemswhenfairnessassumptionsabouttheenvironmentaremade. Bianco&deAlfaro[BidAl95,dAlf97a,dAlf97b]andthenshowhowtohandleconcurrent
sideredin[HaJo89,Hans91,HaJo94,SeLy94,BidAl95,IyNa96,dAlf97a,dAlf97b]weviewedastheprobabilisticcounterparttothelogicCTL[EmHa86]thatcombinescom-
willbedeliveredwithininnextthreestepswithprobabilityatleast23".PCTLcanbe introducealogic,calledPCTL,forspecifyingquantitativepropertiesforprobabilistic
putationtreelogicCTL[ClEm81]and(propositional)lineartimelogicLTL.AsinCTL, systemssuchas\thesystemterminateswithprobabilityatleast0:75"or\themessage
lineartimepropertiesthatmakestatementsabouttheexecutions(fulpaths)whereasthe PCTLdistinguishesbetweenstateandpathformulaswherethepathformulasstandfor
existsanexecution",alsooftendenotedbytheletterE)combinedwithapathformula'.4 thequantiers8(\forallexecutions",alsooftendenotedbytheletterA)and9(\there stateformulasexpressbranchingtimepropertiesthatassertsomethingaboutthepossible
Inaprobabilisticscenario,wealsowanttoreasonaboutthe\quantity"oftheexecutions behavioursinthestates.Toreasonaboutthepossiblebehavioursinthestates,CTLuses
aresketchedintheintroduction.SeeSection1.1.3(page16)andSection1.2.3,(page24). 1Thebasicideasbehindtheuseoftemporallogicasspecicationformalismforprobabilisticsystems
ingvericationmethods.Therelationtoourapproachisalsodiscussedin[dAlf97a]. inouralgorithm.Second,oursymbolicmodelcheckerofChapter10makeuseofthem. 3Inhisthesis,LucadeAlfaro[dAlf97a]proposesadierentnotionoffairnessandpresentscorrespond- 4TheCTLformula8'assertsthatthelineartimeproperty'holdsforallexecutionswhile9'states
2Thereasonwhywerecalltheresultsherearetwofolds.First,theunderlyingbasicideasarealsoused
theexistenceofacomputationthatfullls'. 205

206 thatsatisfyacertainlineartimeformula'.Forthis,PCTLreplacesthequantiers8 CHAPTER9.VERIFYINGTEMPORALPROPERTIES
theprobabilitythat'holdsisatleastp. speciesanintervalof\acceptable"probabilities.Forexample,Probp(')assertsthat and9byaprobabilisticoperatorandusesstateformulasoftheformProb./p(')rather than8'or9'.Here,thesubscript./p(where./isacomparisonoperator,e.g. or

9.1.THELOGICPCTL 207
'::= ::=tt X' a 1^2 '1U'2: '1Uk'2 Prob./p(')
Figure9.1:SyntaxofPCTL'1^'2
:'
sentedSections9.2,9.3and9.4wherewebrieysketchhowthemethodsoftheliteratureprobabilisticsystems.ModelcheckingalgorithmsforPCTL,PCTLandLTLarepre- Organizationofthatchapter:Section9.1explainsthesyntaxofPCTL(andthe
workandshowhowtodealwithsatisfactionrelationswherefairnessisinvolved.Thethe- sublogicsPCTLandLTL)andtheinterpretationsoverfullyprobabilisticandconcurrent
oreticalfoundationsofthemodelcheckingalgorithmsforPCTLandLTLareformulated intheoremswhoseproofsaregiveninSection9.5.
automatonandtheconnectionbetweenthem.Seee.g.thesurveypapers[Thom90, Thom96,Vard96]forthe!-automatonapproachand[Emer90,MaPn92,MaPn95]for [BaKw98].6Inthischapter,weassumesomefamiliaritywithtemporallogicsand!- TheresultsofthischapteraremainlybasedonthejointworkwithMartaKwiatkowska
temporallogics.
Inthissection,weexplainthesyntaxofPCTL(andthesublogicsPCTLandLTL)and 9.1 ThelogicPCTL
presentseveralsemanticsforPCTL.Theinterpretationoverfullyprobabilisticsystems isinthestyleof[HaJo94,ASB+95,IyNa96].Fortheinterpretationoverconcurrent aclassAofadversaries.Intuitively,thechosentypeAofadversariesformalizesthe assumptionsthataremadeaboutthe\environment"(theinstancethatresolvesthenondeterministicchoices).InthecasewhereA=Adv(thecollectionofalladversaries)we probabilisticsystems,weintroducesatisfactionrelationsj=Athatareparametrizedby
obtainthestandardinterpretationof[BidAl95].
letters'; (denotedbycapitalgreekletters;;:::)andPCTLpathformulas(denotedbygreek SyntaxofPCTL:WexanitesetAPofatomicpropositions.PCTLstateformulas
derivedconstantsandbooleanoperators(forbothstateandpathformulas)are Here,a2AP,p2[0;1],./2f;gandkisanaturalnumber.Theusual ;:::)overAParegivenbythegrammarshowninFigure9.1(page207).
booleanconnectivesandthestandardtemporaloperatorsX,UandUk.Themeanings ofthetemporaloperatorsX(\nextstep"),U(\until")andUk(\boundeduntil"or 1_2=:(:1^:2),1!'2=:1_2.Thepathformulasarebuiltfromthe =:tt,
\withinthenextksteps")areasinthenon-probabilisticcase.Asusual,operatorsfor bereformulatedresultinginasimpleralgorithm.ThissimplicationispresentedinSection9.3.
6WhenwritingdownthisthesistheauthordetectedthatthePCTLmodelcheckerof[BaKw98]can

208 modelling\eventually"3,\sometimeswithinthenextksteps"3k,\always"2and CHAPTER9.VERIFYINGTEMPORALPROPERTIES
\alwayswithinthenextksteps"2kcanbederived. Forinstance,iferrorisanatomicpropositionthatcharacterizesallstateswhereasystemerrorhashappenedthenProb

9.1.THELOGICPCTL 209
(;j)j='1^'2i(;j)j='i,i=1;2 (;j)j=:'i(;j)6j=' (;j)j= ij jjandj=
(;j)j=X'ij

210 Example9.1.4[Simplecommunicationprotocol]Forthesimplecommmunication CHAPTER9.VERIFYINGTEMPORALPROPERTIES
protocolofExample1.2.1(page19)equippedwiththeatomicpropositionsinitandwait andthelabellingfunctionLwitha2L(s)ia=wehave
whichassertsthat,withprobabilityatleast0:9999,ifthesenderisinitsinitialstate (whereitproducesamessage),thenthemessagewillbeeventuallydeliveredwithinthe sinitj=Prob0:9999(34wait)
nextfoursteps.Thiscanbeseenasfollows.Letps(')denotetheprobabilitymeasureof allfulpaths2Pathful(s)where'holds.Then,wehave
=99 psinit(34wait)=psdel(33wait) =99 100+1 100pslost(32wait)
Here,weusethefactthatps(3ka)=1ifa2L(s)and,fora=2L(s), =99 100+1 100psdel(31wait) 10099 100=9999
ps(3k+1a)=Xt2SP(s;t)pt(3ka) 10000.
andps(30a)=0.(SeeSection9.3,page217). 9.1.2 IfS=(S;Steps;AP;L)osaconcurrentprobabilisticsystemandA Interpretationoverconcurrentprobabilisticsystems
sj=AProb./p(')iProbn2PathAful(s):j=A'o./pforallA2A. Advthenwedene
Notation9.1.5[ThesetSatA()]LetSatA()=fs2S:sj=Ag: ForaconcurrentprobabilisticprocessP,wewritePj=A toSatA().Intheremainderofthatthesis,weshrinkourattentiontothefollowingfour classesofadversaries: itheinitialstateofPbelongs
Advfair(thesetoffairadversariesinthesenseofDenition3.2.17,page46), Advsfair(thesetofstrictlyfairadversariesinthesenseofDenition3.2.17,page46), Adv(thesetofalladversaries)
writej=insteadofj=Adv.Forthesatisfactionrelationsj=Advfair,j=Advsfairandj=AdvWfair,we Thesatisfactionrelationj=Advyieldsthestandardinterpretationala[BidAl95].Webriey AdvWfair(thesetofW-fairadversariesinthesenseofDenition3.2.20,page47).
alsowritej=fair,j=sfairandj=Wfair.Similarly,weoftenwriteSat(),Satfair(),Satsfair() andSatWfair()ratherthanSatAdv(),SatAdvfair(),SatAdvsfair()andSatAdvWfair() respectively.
mightbeessentialforestablishingcertain(quantitativeorqualitative)properties.
dependsonthechosenA.Inparticular,thebelowexampleshowsthat{asinthenonprobabilisticcase{fairnessassumptions(withrespecttothenon-deterministicchoices) Thefollowingexampledemonstratesthatthesatisfactionrelationintheconcurrentcase

9.1.THELOGICPCTL Example9.1.6[Rouletteplayer]WeconsidertherouletteplayerofExample1.2.3on 211
page22(seeFigure1.3onpage22).Weusetheatomicpropositionsplay,happyandwon andthelabellingfunctionLwherea2L(s)ia=.First,weregardtheformula
ForeachadversaryA,Probn2PathAful(sinit):j='o=1:Thus,sinitj=Prob1(') withrespecttothestandardsatisfactionrelationj=wherewerangeoveralladversaries. '=2(play!3won):
playerstartsplayingthenhewilleventuallywinagamewithprobability1.Nextweregard thePCTLstateformula=Prob0:5(
whichensuresthat{independentontheenvironment(adversary){whenevertheroulette
Intuitively, thecasinowhilewinningthelastgame.Thetruthvalueoftheformula statesthat,thereisatleasta50%chancefortherouletteplayertoleave )where =3happy.
pAsinit( theenvironment(thechosenadversarytypeA).LetpAs( ofn2PathAful(s):j= )=0becauseAforcestherouletteplayertostayforeverinthecasino.Thus, o.ForthesimpleadversaryAwithA(swon)=1splaywehave )betheprobabilitymeasure dependson
whenwedealwiththestandardsatisfactionrelationj=thatdoesnotinvolvefairness. Dealingwithasatisfactionrelationwherefairnessinthestateswonisassumed,theformula sinit6j=
eachotheradversaryB,wehavepBsinit( holdsintheinitialstate.ThisisbecauseAbehaveunfairinthestateswonand,for sinitj=fair ;sinitj=sfair )=1=2(cf.Example3.2.13onpage44).Hence,
providedthatWcontainsswon.WhenweuseasetWthatdoesnotcontainswon,then theaboveadversaryAisW-fairwhichyieldssinit6j=Wfair ;sinitj=Wfair
property Remark9.1.7[TheCTLquantiers8and9]Asin[Hans91,SeLy94,BaKw98], cannotbeestablishedunlessappropriatefairnessassumptionsaremade. .Thus,thequantitative
for'iswpwhichcorrespondstothemeaningofProbwp(').PCTLstateformulaswith [9']wp.9Then,[8']wpstatesthatunderalladversaries(ofthechosentype)theprobability probabilisticoperatorProb./p(')wemightusestateformulasoftheform[8']wpand fortheuseofPCTLasspecicationlanguageforconcurrentsystems,insteadofthe
eitherby[8:']w1�p(whichisequivalenttoProbw1�p(:'))orwiththehelpofexistential quantication.Forinstance,Probp(')correspondsto:[9']>p. anupperboundfortheprobabilities(i.e.formulasoftheformProbvp('))canbeexpressed
PCTLisacombinationofPCTL(probabilisticcomputationtreelogic)andLTL(propo- 9.1.3 sitionallineartimelogic).InPCTL,arbitrarycombinationsofstateformulasarepossible ThesublogicsPCTLandLTL
non-probabilisticcaseandexecutiontreesintheprobabilisticcase.
8and9rangeoverallpossibleresolutionsofthenon-deterministicchoicesyieldingexecutionsinthe 9Here,weusewtodenoteoneofthecomparisonoperators or>.AsinCTL,thequantiers

212 butonlypathformulasoftheformX,1U2and1Uk2(where,1and2 CHAPTER9.VERIFYINGTEMPORALPROPERTIES
formulasareallowed. ofPCTLwherearbitrarycombinationsofpathformulasbutonlypropositionalstate arestateformulas)areallowed.LineartimelogicLTListheother\extreme"fragment
ProbabilisticcomputationtreelogicPCTL:InPCTL,only\simple"pathformulas builtfromthetemporaloperatorsX,UkorUandstateformulasareallowed.Formally, PCTListhosesublogicofPCTLwhosestateandpathformulasarebuiltfromthe productionsystemshowninFigure9.3(page212).Inwhatfollows,webrieyspeak
'::=X ::=tt a1U2 1^2 1Uk2 : Prob./p(')
aboutPCTLformulasratherthanPCTLstateformulas.InPCTL,thetemporaloperators \eventually"or\sometimeswithinthenextksteps"areobtainedasinthecaseofPCTL: Figure9.3:SyntaxofPCTL
Formodellingthetemporaloperators\always"and\alwayswithinthenextksteps"in PCTL,weusethefactthat,foranyPCTLpathformula',theformulasProb./p(')and Prob./p(3)=Prob./p(ttU), Prob./p(3k)=Prob./p(ttUk).
Prob./1�p(:')areequivalentwhere and\alwayswithinthenextksteps"canbeobtainedinPCTLby: Prob./p(2)=Prob./1�p(3:),Prob./p(2k)=Prob./1�p(3k:) =,, =and>=

9.1.THELOGICPCTL 213
'::=tt a :' Figure9.4:SyntaxofLTL '1^'2 X' '1U'2 '1Uk'2
Notation9.1.8[QuantitativeLTLspecications]AquantitativeLTLspecication isapairh';IiconsistingofaLTLformula'andanintervalIoftheform[0;p],[0;p[, [p;1]or]p;1]forsomep2[0;1]. Astatesofafullyprobabilisticprobabilisticsystemisviewedtobecorrectwithrespect toaLTLspecicationh';Iiifthe\truthvalue"ofthatformula'liesintheintervalI ofallfulpathsstartinginsandsatisfying'. Notation9.1.9[ThesetSat(h';Ii)(fullyprobabilisticcase)]LetSat(h';Ii)bethe of\acceptable"probabilities.Here,the\truthvalue"isgivenbytheprobabilitymeasure
ment,theprobabilityfor'liesintheintervalI.Asbefore,thepossibleenvironmentsare setofstatess2SwhereProbf2Pathful(s):j='g2I:
formalizedbyanadversarytypeA Intheconcurrentcase,aLTLspecicationh';Iiassertsthat,foranypossibleenviron-
setofstatess2Ssuchthat,forallA2A, Notation9.1.10[ThesetsSatA(h';Ii)(concurrentcase)]LetSatA(h';Ii)bethe Adv.
ForA2fAdv;Advfair;Advsfair;AdvWfairg,weoftenwriteSat(h';Ii),Satfair(h';Ii), Probn2PathAful(s):j=A'o2I:
Satsfair(h';Ii)orSatWfair(h';Ii)ratherthanSatA(h';Ii). VaWo86,CoYa95,PnZu93],dealwithLTL(orsimilarlogics)asaformalismforspeci- Remark9.1.11[QualitativeLTLspecications]Variousauthors,forexample[Vard85, fyingqualitative(lineartime)propertiesthatassertthatacertainLTLformula'holds foralmostallfulpaths(resp.almostallfulpathsofanadversaryofthechosentypeA).
Clearly,inthefullyprobabilisticandconcurrentcases,wehavetheequivalenceofthe SuchqualitativepropertiescanbeformalizedbyquantitiveLTLspecicationsoftheform
quantitativeLTLspecicationh';I./piandthePCTLstateformulaProb./p(')inthe h';[1;1]i.
9.1.4 sensethatSat(Prob./p('))=Sat(h';Ii)whereI./p=fq2[0;1]:q./pg.
WementionedbeforethatourlogicPCTLisbasedonexistinglogicsproposedinthe literature.Webrieysketchtheconnectionsanddierences.
Relatedlogics

214 Fullyprobabilisticcase:OurlogicPCTLagreeswiththelogic(alsocalledPCTL) CHAPTER9.VERIFYINGTEMPORALPROPERTIES
introducedbyHansson&Jonsson[HaJo94];thefulllogicPCTLwiththelogicconsidered byAzizetal[ASB+95](andlaterconsiderede.g.byIyer&Narasimha[IyNa96]).11 Concurrentcase:Dealingwiththestandardinterpretationj=ourlogicPCTL(resp.the
[SeLy94])isthatthelatterdealswithactionlabelswhilewelabelthestateswithatomic logic(alsocalledPCTL)ofHansson[Hans91](andlaterconsideredbySegala&Lynch sublogicPCTL)essentiallyagreeswiththelogicsconsideredin[HaJo89,Hans91,SeLy94,
propositions.12ThelogicpCTLofBianco&deAlfaro[BidAl95]agreeswithourlogic BidAl95,dAlf97a,dAlf97b].ThemaindierencebetweenourlogicPCTLandthe
operatortoexpressboundsontheaveragetimebetweeneventswhichdoesnothavea PCTL.LucadeAlfaro[dAlf97a,dAlf97b]usesanextensionofpCTLthatcontainsan counterpartinPCTL.13
equivalence)isthesameasbisimulationequivalence.TheconnectionbetweenPCTL Asshownin[ASB+95],forfullyprobabilisticsystems,PCTLequivalence(andalsoPCTL 9.1.5 PCTLequivalenceandbisimulationequivalence
equivalenceandbisimulationequivalenceforaction-labelledconcurrentsystemsisdisnothold.14Toseewhy(intheconcurrentcase)PCTLequivalence(orevenPCTLequiv-
caseandclaimthat,forconcurrentprobabilisticsystems,bisimulationequivalenceimplies PCTLequivalence(withrespecttothestandardinterpretationj=)whiletheconversedoes cussedin[SeLy94].Weconjecturethattheseresultscarryovertotheproposition-labelledalence)doesnotimplybisimulationequivalenceconsiderthesystemshowninFigure9.5
(page215).Thestatessands0arePCTLequivalentbutnotbisimulationequivalent.15 Notethatthisstandsincontrasttothenon-probabilisticcasewhereCTLequivalence
9.2 andbisimulationequivalencecoincide[BCG88].
Inthissection,weconsidermodelcheckingalgorithmsforPCTLandthesublogics PCTLandLTL.AmodelcheckingalgorithmforPCTLmeansamethodthattakes ModelcheckingalgorithmsforPCTL
asitsinputaPCTLstateformula asafullyprobabilisticsystemwithintervalsoftransitionprobabilities). [ASB+95]extendstheinterpretationtothestatesofageneralizedMarkovchain(whichcanbeviewed 11Theonlydierenceisthat[ASB+95,IyNa96]donotusetheboundeduntiloperatorUk.Moreover, overacertainsetAPofatomicpropositions
abilisticoperatorProb./anddealwithstateformulasoftheform[8']wpand[9']wpasexplainedin Remark9.1.7(page211).[Hans91]mainlyconcentratesonthespecicationofsoftdeadlines.Forthese, theunboundeduntiloperatorUisnotneeded.However,unboundeduntilUcouldbeaddedaswell. 12Moreover,therearesomeminordierences.[Hans91,SeLy94]avoidthe(explicit)useoftheprob-
XandtheboundeduntiloperatorUk,whereaspCTLdoesnot(buttheseoperatorscouldeasilybe added).Viceversa,pCTLcontainstheusualCTLquantiers8and9(denotedAandEintheapproach byBianco&deAlfaro)thatrangeoverallpaths:8meaning\forallfulpaths"and9\thereisafulpath". 13MoreminordierencesbetweenpCTLandPCTLarethatPCTLcontainsthenextstepoperator
proposition-labelledconcurrentcase(inthestyleof[JoLa91,ASB+95]). 14Forthis,weassumeasuitableadaptionofthedenitionofbisimulationequivalenceforthe 15Here,weassumealabellingfunctionLwithL(s)=L(s0).

9.2.MODELCHECKINGALGORITHMSFORPCTL 215
u1u s
v1 u2u v2 u3u fag 12 AAAU; 12 fag 13 ?HHHHHHHj AAAU AAAU ; 23 fag 14 v3 ; 34 u01 u s0
v01 u03 u
fag 12 AAAU ���� ; 12
@@@RAAAU
fag 14 v03 ; 34
andanite(fullyorconcurrent)probabilisticsystemSwithpropositionlabelsinAP Figure9.5:sands0arePCTLequivalentbuts6s0
andcomputesthesetSat()ofstatessinSwhere LTL)modelcheckingmeansaproceduretocomputeSat()(orSat(h';Ii))foragiven Clearly,anyPCTLmodelcheckingalgorithmsubsumesPCTLandLTLmodelchecking niteprobabilisticsystemandPCTLformula(orquantitativeLTLspecicationh';Ii). holds.16Similarly,PCTL(or
algorithmsandyieldsanautomaticproceduretoverifyprobabilisticprocessesagainst quantitativetemporallogicalspecications,providedthattheprocesscanbedescribed byanitesystemSwithinitialstatesinitandthatthespecicationcanbeexpressedby andconcurrentprobabilisticsystemswithrespecttothestandardsatisfactionrelationj= aPCTLstateformula.ModelcheckingalgorithmsforPCTL,LTLandPCTLare presentedforfullyprobabilisticsystemsin[CoYa88,HaJo94,ASB+95,CoYa95,IyNa96] in[BidAl95,dAlf97a,dAlf97b].Thesemethodsarebasedonthefollowingcommonideas. (1)ThePCTLmodelcheckingalgorithmisbasedonarecursiveprocedurethatsuccessivelycomputesthesetsSat()forallstatesubformulas formula.Forthehandlingofsubformulasoftheform pathformula'istranslatedintoaLTLformula'0suchthatSat()canbederived fromSat(h'0;I./pi)wherethelatteriscomputedwithamodelcheckingalgorithm =Prob./p('),thePCTL ofthegivenPCTL
(2)ThemethodforLTLusesthePCTLmodelcheckerforthehandlingoftheuntil forLTL. operator.Forthis,theunderlyingLTLformula'1U'2isreplacedbyaPCTLpath
Thus,PCTLmodelcheckingcanbereducedtoLTLmodelchecking;LTLmodelchecking formulaoftheformaUbforatomicpropositionsaandb,thesystemSbyamore
toPCTLmodelchecking.Itisworthnotingthatthesereductionscanbeseenasthe complexsystemS0.
&Hamaguchi[CGH94](whereitisshownthatLTLmodelcheckingcanbereducedto probabilisticcounterpartstotheresults(fornon-probabilisticsystems)byEmerson&Lei
CTLmodelcheckingwithfairnessassumptions). [EmLei85](whereitisshownthatanymodelcheckingalgorithmforLTLcanbemodied foraCTLmodelcheckingalgorithmwiththesamecomplexity)andClarke,Grumberg
WenowexplainhowagivenmodelcheckingalgorithmforLTLcanbeappliedtoobtain aPCTLmodelcheckingalgorithm.ThismethodgoesbacktoBianco&deAlfaro
axedclassAofadversariesanddealwithSat()=SatA().
[BidAl95]whereconcurrentsystemsandthesatisfactionrelationj=areconsidered.Itis 16Asbefore,Sat()denotesSat()forfullyprobabilisticsystems.Intheconcurrentcase,weassume

216 alsoapplicableforfullyprobabilisticsystemsorconcurrentsystemswithothersatisfaction CHAPTER9.VERIFYINGTEMPORALPROPERTIES
ModelcheckingforPCTL:TheinputisaPCTLstateformula relations,e.g.j=fair,j=sfairorj=Wfair.Similarideasareusedin[ASB+95,IyNa96]that considerPCTLwiththeinterpretationoverfullyprobabilisticsystems.
algorithmisbasedonarecursiveprocedurethatsuccessivelycomputesthesetsSat() forallstatesubformulas niteprobabilisticsystemwithstatespaceSandlabellingfunctionL:S!2AP.The of.Thecaseswhere istt,anatomicpropositionorofthe overAPanda
form:0or1^2areclearsincewehave
Theinterestingcaseiswheretheoutermostoperatorof Sat(tt)=S, Sat(a)=fs2S:a2L(s)g, Sat(:0)=SnSat(0),
Prob./p.Forthis,weapplyamodelcheckingalgorithmforLTL.Let Sat(1^2)=Sat(1)\Sat(2). istheprobabilisticoperator
subformulas1;:::;kby\fresh"atomicpropositionsa1;:::;akandextendthelabelling let1;:::;kbethemaximalstatesubformulasof'.Weapplythedescribedmethod recursivelyto1;:::;kandobtainthesetsSat(i),i=:::;k.Then,wereplacethe =Prob./p(')and
LTLformulaoverAP[fa1;:::;akg.Thus,wemayapplythegivenLTLmodelchecking functionLbyinsertingaiintoL(s)is2Sat(i).Thesoobtainedpathformula'0isa algorithmtotheLTLspecicationh'0;I./piandobtainSat()=Sat(h';I./pi)where I./p=fq2[0;1]:q./pg.
caseandtheconcurrentcasewiththestandardinterpretationj=areconsidered)and modelchecker.Webrieyrecalltheresultsoftheliterature(wherethefullyprobabilistic LTL(Section9.4).Asdescribedabove,themethodforLTLcanbemodiedforaPCTL Inthenexttwosection,weconsidermodelcheckingalgorithmsforPCTL(Section9.3)and
Wewillseethattheresultof[dAlf97b]statingthatPCTLmodelcheckingwithrespect non-deterministicchoices.Moreprecisely,wedealwiththesatisfactionrelationsj=fair, j=sfairandj=Wfairthatrangeoverallfair,strictlyfairandW-fairadversariesrespectively. presentmethodstodealwithaninterpretationthatassumesfairnesswithrespecttothe
inthesizeoftheformulacarriesovertotheabovesatisfactionrelationswherefairnessis involved.Thus(bytheresultsofthefollowingtwosections): toj=canbedoneintimepolynomialinthesizeofthesystemanddoubleexponential
computedintimepolynomialinthesizeofSanddoubleexponentialinthesizeof. Theorem9.2.1Let WasubsetofthestatespaceofS.Then,Satfair(),Satsfair()andSatWfair()canbe aPCTLformula,Saniteconcurrentprobabilisticsystemand
Bytheresultsof[CoYa95],thistimecomplexityisoptimal.Inthefullyprobabilisticcase, theLTLmodelcheckingalgorithmof[CoYa88,CoYa95]yieldsaPCTLmodelchecking thatrunsintimepolynomialinthesizeofthesystemandsingleexponentialinthesize oftheformula.Analternativealgorithmwiththesametimecomplexity(basedonthe !-automatonapproach)ispresentedin[IyNa96].
systemsandby[BidAl95]forconcurrentprobabilisticsystemswithrespecttothestan-
ModelcheckingalgorithmsforPCTLarepresentedby[HaJo94]forfullyprobabilistic 9.3 ModelcheckingforPCTL

dardsatisfactionrelationj=.Bothalgorithmsarebasedonarecursiveprocedurethat 9.3.MODELCHECKINGFORPCTL 217
thehandlingoftheuntiloperator,[HaJo94]useslinearequationsystems,[BidAl95]linear successivelycomputesthesetsSat()forallsubformulas cases,thetimecomplexityispolynomialinthesizeofthesystemandlinearinthesize optimizationproblems(cf.Remark3.1.8,page36,andRemark3.2.12,page43).Inboth ofthegivenformula.For
oftheformula.
caseandSatA()intheconcurrentcase(whereAisthechosentypeofadversaries). j=Wfair.Asbefore,wewriteSat()todenotethesetSat()inthefullyprobabilistic Inthissection,webrieysketchthemethodsof[HaJo94,BidAl95]andpresentmodel checkingalgorithmsforPCTLwithrespecttothesatisfactionrelationsj=fair,j=sfairand
Themainprocedureisthesameforfullyprobabilisticandconcurrentprobabilisticsystems systemSwithstatespaceSandalabellingfunctionL:S!2AP.First,itbuildsthe parsetreeofwhosenodesstandforsubformulasof.Therootrepresentstheformula. andusestheideasofthemodelcheckingalgorithmforCTLalaClarke,Emerson&Sistla
Theleavesarelabelledbythebooleanconstantttoranatomicproposition.Theinternal [CES83].ThestartingpointisaPCTLformula overAPandaniteprobabilistic
nodesarelabelledbyoneoftheoperators^,:,Prob./p(X)Prob./p(U)orProb./p(Uk). theargumentofthenegation,resp.nextstepoperator,inthecorrespondingsubformula. Nodeslabelledby^oranuntiloperatorProb./p(U)orProb./p(Uk)haveexactlytwo sons(theirarguments).Ifvisanodethenletvdenotetheformularepresentedbyv. Nodeslabelledby:oranext-stepoperatorProb./p(X)haveexactlyoneson,representing
formulaisttoranatomicproposition)weusethefactthatSat(tt)=SandSat(a)= fs2S:a2L(s)g.Forthecomputationofvforaninternalnodev,wemight Inabottom-upmanner,wecalculatethesetsSat(v)ofstateswherethecorresponding
assumethatthesetsSat(w)forthesonswofvarealreadycomputed.Thus,wecan subformulavholds.Forthehandlingoftheleaves(nodeswherethecorresponding
treattheproperstatesubformulasofvasatomicpropositions.Thecaseswherethe outermostoperatorofvisoneofthebooleanconnectives:or^isclearaswehave:
Fullyprobabilisticcase:WebrieyrecalltheresultsofHansson&Jonsson[HaJo94] casewherevisoftheformProb./p('). Sat(:)=SnSat()andSat(1^2)=Sat(1)\Sat(2).Nowweconsiderthe
forthefullyprobabilisticcase.Asbefore,letP:S probabilitymatrixinS(i.e.S=(S;P;AP;L)).Wecompute ps(')=Probf2Pathful(s):j='g S![0;1]denotethetransition
canbecomputedasfollows.Thehandlingwiththenextstepoperatorisbasedonthe observationthat forallstates2SandthenputSat(v)=fs2S:ps(')./pg.Theprobabilitiesps(')
Forthecomputationofps(1Uk2),[HaJo94]proposestwomethods.Oneusesiterative ps(X)=P(s;Sat())= t2Sat()P(s;t): X
matrixmultiplication;theotherisbasedonthefactthat ps(1Uk2)=1ifs2Sat(2), ps(1Uk2)=0ifs2Sn(Sat(1)[Sat(2)),

218ps(1U02)=0ifs2Sat(1)nSat(2) CHAPTER9.VERIFYINGTEMPORALPROPERTIES
and,fors2Sat(1)nSat(2)andk ps(1Uk2)=Xt2SP(s;t)pt(1Uk�12): 1,
Fortheuntiloperator,theprobabilitiesps(1U2)canbeobtainedbysolvingaregular
operatoronthefunctionspaceS![0;1]).17SeeRemark3.1.8(page36). ps(1U2)=0g).Alternatively,onecanuseaniterativemethodthatcomputesan approximationofthefunctions7!ps(1U2)(viewedastheleastxedpointofan linearequationsystem(preceededbyagraphanalysiswhichyieldsthesetfs2S:
Concurrentcase:Intheremainderofthatsection,wedealwiththeconcurrentcase andshowhowtocomputethesetSatA(Prob./p('))whereAisoneoftheadversarytypes
tobenite,i.e.thestatespaceSisniteand,foranystates,thesetSteps(s)isnite. Asbefore,letS=(S;Steps;AP;L)betheunderlyingsystem.RecallthatweassumeS Adv,Advfair,AdvsfairorAdvWfair.ThemethodforA=Advisthoseof[BidAl95].
meansofthesetsSatA()orSatA(i),i=1;2.SinceweassumethatthesetsSatA(), SatA(i),i=1;2,arealreadycomputedthesecriteriasyieldamethodforcomputing cases'=X,'=1U2and'=1Uk2andpresentcriteriasforsj=AProb./p(')by Forthesatisfactionrelationj=Wfair,wedealwithaxedsubsetWofS.Weconsiderthe
SatA(Prob./p(')). Notation9.3.1[Thecomparisonoperatorswandv]Wewritewtodenoteoneof thecomparisonoperators Clearly,forformulasoftheformProbwp(')weneedthe\minimal"probabilitiesfor' underalladversariesA2A,whiletheconstraintvprequirestolookforthe\maximal" or>.Similarly,vstandsfor or

Proof: 9.3.MODELCHECKINGFORPCTL easyverication. 219
9.3.2 E.g.SatA(Probwp(X))isthesetofstatess2Swheremin2Steps(s) Boundeduntil [SatA()]./p.
recursivelycalculatingtheprobabilities Thebelowcharacterizationinducesthecomputationofe.g.SatA(Probwp(1Uk2))by
wherepAs(1Ul2)istheprobabilitymeasureofallfulpaths A2AdvpAs(1Ul2);l=0;:::;k; min
onpage217. 1Ul2.Thismethodisjustanadaptionofthemethodproposedby[HaJo94]sketched 2PathAful(s)with j=A
Lemma9.3.3Foralls2S:
Here,thevaluesqmax sj=AProbwp(1Uk2)i sj=AProbvp(1Uk2)i qmin qmax s;kwp;
Ifsj=A:1^:2thenqmax s;landqmin s;l,s2S,l=0;1;:::;k,aredenedasfollows. s;l=qmin s;l=0foralll 0. s;kvp:
Ifsj=A1thenqmax Ifsj=A2thenqmax
qmax s;l+1= s;0=qmin s;l=qmin
maxs;0=0and
s;l=1foralll 0.
Proof: ForA2A,letqAs;l=Probn2PathAful(s):j=A1Ul2o.Byinductionon 2Steps(s)Xt2S(t)qmax t;l;qmin s;l+1= 2Steps(s)Xt2S(t)qmin min t;l:
l,wegetqmax Prob13(aU3b):UsingthenotationsofLemma9.3.3(page219),wehaveqmax Example9.3.4WeconsiderthesystemofFigure9.6(page219)andthePCTLformula s;l =maxA2AqAs;landqmin s;l=minA2AqAs;lwhichyieldstheclaim.
fag vw
v;3=qmax z;3=1,
z s ;
tfag u;
fbg
fbg m mm m t m t m
t 12 1434 12 ����
�12���@@@@R12 ' &- @I @@@@R @ -
@@
-
qmax w;3=qmax u;3=0andtherecursiveformulas
Figure9.6:t6j=AProb13(aU3b)andsj=AProb13(aU3b)

220 CHAPTER9.VERIFYINGTEMPORALPROPERTIES
qmax
s;i+1=maxn12qmax
t;i;14o, qmax
t;i+1=12+12qmax
s;i
whereqmax
s;0=qmax
t;0=0.Weobtainqmax
s;1=1=4,qmax
t;1=1=2,qmax
s;2=1=4,qmax
t;2=5=8,
qmax
s;3=5
16and qmax
t;3=21
32.
Hence,t6j=AProb13(aU3b)andsj=AProb13(aU3b).
9.3.3 Unboundeduntil
Thissectionisconcernedwiththeunboundeduntiloperator,i.e.formulasoftheform
Prob./p(1U2)andthesatisfactionrelationsj=,j=fair,j=sfairandj=Wfair.
Simpliednotations:Fortherestofthissection,wextwoPCTLformulas1,2over
AP.Wesupposethatthesetsofstatess2Swithsj=Aiarealreadycomputed.We
maysupposethat1,2areatomicpropositionswithi2L(si)ifandonlyifsj=Ai,
i=1;2.Thissimplifyingassumptionallowsustousethesamenotationforallfour
interpretations(sincesj=Aaisj=aforallatomicpropositionsa),andismadeforthis
reasonalone.WesimplywriteSat(i)ratherthanSatA(i),i=1;2.
Notation9.3.5[Theprobabilitiesps(1U2)]ForA2Advands2S,let
pAs(1U2)=Probn2PathAful(s):j= 1U2o,
pmax
s(1U2)=supnpAs(1U2):A2Advo,
pmin
s(1U2)=infnpAs(1U2):A2Advo.
Bytheresultsof[CoYa90,BidAl95](moreprecisely,byCorollary20(part1)of[BidAl95],
whichusestheresultsof[CoYa90]):
pmax
s(1U2)=maxnpAs(1U2):A2Advsimpleo,
pmin
s(1U2)=minnpAs(1U2):A2Advsimpleo.
ObservethatAdvsimpleisnite(thus,minA2AdvsimpleandmaxA2Advsimpleexist).Inpartic-
ular,thisyieldsthatpmax
s(1U2)=maxnpAs(1U2):A2Advoandpmin
s(1U2)=
minnpAs(1U2):A2Advo;thus,alsomaxA2AdvandminA2Advexist.Immediatelyby
thedenitionofpmin
s()andpmax
s()weget:
(i)sj=Probvp(1U2)ipmax
s(1U2)vp.
(ii)sj=Probwp(1U2)ipmin
s(1U2)wp.
ThisfactisusedinthePCTLmodelcheckerof[BidAl95].Havingobtainedthesets
SatAdv(i),i=1;2,onecomputesthevaluespmax
s(1U2)andpmin
s(1U2)whichyield
SatAdv(Probvp(1U2))=fs2S:pmax
s(1U2)vpg;
SatAdv(Probwp(1U2))=ns2S:pmin
s(1U2)wpo:
[BidAl95]proposetocomputethevaluespmax
s(1U2)andpmin
s(1U2)bysolvingcer-
tainlinearoptimizationproblems.Alternatively,onecanusethecharacterizationofthe

functionss7!pmax 9.3.MODELCHECKINGFORPCTL s(1U2)ands7!pmin s(1U2)asleastxedpointsofcertainopera- 221
torsonfunctionspaceS![0;1]andcompute(approximationsfor)themwithiterative Wenowturntothequestionhowtodealwiththesatisfactionrelationthatinvolvefairness methods.19SeeRemark3.2.12(page43). (namely,thesatisfactionrelationsj=fair,j=sfairandj=Wfair).Forthis,wepresentaseries oftechnicalresultsthatcharacterizesthestateswhereProb./p(1U2)holdswithrespect
informalexplanations. tooneoftheabovesatisfactionrelations.Forreaders'conveniencewestatethemain Instead,weincludejusticationforthetechnicalresultsintheformofexamplesand theoremsinthissectionwithoutproof(thoseareincludedinSection9.5,page241).
First,weobservethattheresultsbyEmerson&Lei[EmLei85]statingthatCTLmodel checkingunderfairnessassumptionscanbereducedtoCTLmodelcheckingcannot beadaptedfortheprobabilisticcase(forthelogicsPCTLandPCTL).Inthenonprobabilisticcase(i.e.whenusingCTL),fairnessoffulpathscanbeexpressedbypath formulasofCTL.Typically,thisisachievedbymeansofformulasoftheform
whereafulpath issaidtobefairif 'fair=_i^j(32'i;j_23 j='fair.ThemodelcheckingforCTLunder i;j)
equivalenceoftheform fairnessassumptions(i.e.withrespecttothesatisfactionrelationj=fairwheretheCTL pathquantiers8and9rangeoverallfairfulpaths)canbereducedtothemodelchecking problemforCTLwithrespecttothestandardsatisfactionrelationj=sinceonehasan
Unfortunately,thisequivalencedoesnotholdintheprobabilisticcase.Theproblemisthat formulasoftheformProb./p('fair!')interpretedoverj=statethat,inalladversaries sj=fair8'i sj=8('fair!').
(whetherfairorunfair),themeasureofallfairfulpathsthatsatisfy'is./p,i.e.
whereastheinterpretationwithrespecttoj=fairquantiesoverthefairadversaries;thus, Prob./p(')interpretedoverj=fairassertsthat Probn2PathAful(s):isfairandj='o./pforallA2Adv
Hence,themodelcheckingalgorithmsforPCTLcannotbeusedtohandlefairness(at leastnotinastraightforwardmanner). Probn2PathFful(s):j='o./pforallF2Advfair:
ontheprobabilitiesunderthesimpleadversaries.Nowwewillseethatitem(i)carriesover tothesatisfactionrelationsj=fairandj=Wfair(Theorem9.3.6,page222,andTheorem9.3.7, Recalltheabovementionedresultof[CoYa90,BidAl95]((i)and(ii)onpage220)which assertsthatsatisfactionwithrespecttoj=(thatrangesoveralladversaries)onlydepends
systemswemakeuseoftheiterativemethod.
page222),while(ii)doesnot(cf.Example9.3.20,page226).Inparticular,themaximal 19InChapter10wherewedescribeaMTBDD-basedPCTLmodelcheckingalgorithmforstratied

222 probabilitiesunderallfairadversariesaregivenbythemaximalprobabilitiesunderall CHAPTER9.VERIFYINGTEMPORALPROPERTIES
simpleadversaries.Eventhough(ii)doesnotholdforj=fairorj=Wfairwewillseethatalso theminimalprobabilitiesunderallfairadversariescanbederivedbyaninvestigationof thesimpleadversaries.Moreprecisely,theminimalprobabilityforaPCTLpathformula
simpleadversaries.Inouropinion,thisisasurprisingresultsincethesimpleadversaries anotherPCTLpathformulaa1Ua2underallsimpleadversaries.Thus,boththeminimal andmaximalprobabilitiesunderallfairadversariescanbeexpressedbymeansofthe 1U2underallfairadversariescanbedescribedintermsofthemaximalprobabilityfor
are\extremelyunfair".
abilitiesunderallfair(strictlyfairorW-fair)adversaries.First,wedealwiththesatWeconsiderformulasoftheformProbvp(1U2)forwhichweneedthe\maximal"prob- FormulasoftheformProbvp(1U2)
last()j=2(cf.Lemma9.5.15,page243).Thus,ifwetakeAtobeasimpleadversary Viceversa,foreachsimpleadversaryA,thereisafairadversaryFAwherePathFAncontainsallnitepathsisfactionrelationj=fair.Clearly,pmax 2PathAnsuchthat(i)j=1^:2,i=0;1;:::;jj�1,and s(1U2) pFs(1U2)forallfairadversariesF.
wherepAs(1U2)=pmax wegetpFA s(1U2) s(1U2)(whichexistsbytheresultsof[CoYa90,BidAl95])then
andweobtainthefollowingtheorem. (*)pmax s(1U2)=maxnpFs(1U2):F2Advfairo pAs(1U2)=pmax s(1U2).Thisyields
Proof: Theorem9.3.6Foralls2S:
AseachfairadversaryAisW-fair,(*)yields seeSection9.5.2,Theorem9.5.19(page245). sj=fairProbvp(1U2)i pmax s(1U2)vp.
Thus,Theorem9.3.6carriesovertothesatisfactionrelationj=Wfair: Theorem9.3.7Foralls2S: pmax s(1U2)=maxnpFs(1U2):F2AdvWfairo:
Proof: Itturnsoutthatthesatisfactionrelationj=sfairdiersfromj=fairandj=inthatonlya seeSection9.5.2,Theorem9.5.19(page245). sj=WfairProbvp(1U2)i pmax s(1U2)vp.
Theorem9.3.8Foralls2S: strongerstatementforformulasoftheformProbp(1U2)canbeshown.
Proof: Thefollowingexampleshowsthattheinequality\ seeSection9.5.2,Theorem9.5.21(page245). sj=sfairProbp(1U2)i pmax s(1U2) p"inTheorem9.3.8cannotbe p.
replacedby\

9.3.MODELCHECKINGFORPCTL 223
s v
tm um
m mt '-fag
;
fag � 12���@@@@R ? -
12 Figure9.7:sj=sfairProb

224 of2Steps(s)suchthatpmax
CHAPTER9.VERIFYINGTEMPORALPROPERTIES
WedeneasetTmax(1;2)forwhichweshow(inSection9.5.2,page246)that s(1U2)=Xt2S(t)pmax t(1U2):
Advsfair. Notation9.3.14[ThesetTmax(1;2)]Wedene itcontainsexactlythosestatesssuchthatpmax s(1U2)=pFs(1U2)forsomeF2
whereTmax 0(1;2)=Sat(2)[(SnS+(1;2))and Tmax(1;2)=[i0Tmax i (1;2)
Here, Tmax Tmax
j;1(1;2)consistsofallstatest2SnSi

9.3.MODELCHECKINGFORPCTL 225
s1
s2 s4
s3
s6 t6
u6 u06
fag u1 u3
s5 t5
fag fag u5
fag
fag 18 7 fbg
; ;;
; fbg
fag ;
19 12 ����
@@@@ �������� -
@@@@R 1323 1434 25
13 23 12
����35 12
-
t
t -t
? t - t ' ? 1@@@@R
-
12
2
���� @@@@R ���� @@@@R
@I@@@@@@@R ����
% @@@@R t����
Tmax 3;1=fs1gFigure9.8:s6j=sfairProb

226 andlast()=s1,wehavepFt(aUb)=pmax CHAPTER9.VERIFYINGTEMPORALPROPERTIES
F2Advsfair.Theseobservationsleadtothefollowingtheorem. nofairfulpathwheres3occursinnitelyoften.Thus,pFs3(aUb)=1=3=pmax t(aUb)forallt2Tmax(a;b).Notethatthereis
Theorem9.3.16Foralls2S: s3(aUb)forall
sj=sfairProb

Then,pAs(aUb)=0forthesimpleadversaryAwithA(s)=1s,whereaspFs(aUb)=1for 9.3.MODELCHECKINGFORPCTL 227
eachfairadversaryF.Hence,sj=fairProb1(aUb)butpmin beestablishedunlessfairnessisrequired.The\problem"withthesimpleadversaryA TheabovesimpleexampledemonstratesthattheprogresspropertyProb1(aUb)cannot s(aUb)=0.
innitelyoften(seeLemma9.5.10onpage242andLemma9.5.12onpage243).This 1,allstatesthatarereachablefromastatethatisvisitedinnitelyoftenarealsovisited fromwhicha\successful"state(t)canbereached.Infairadversaries,withprobability whereA(s)=1sisthatitforcesthesystemtostayforeverina\non-successful"state(s)
explainswhypAs(aUb)cannotbe\approximated"byfairadversaries.Moreover,wewill
respecttotheadversaryF)forstoreachastateinSnS+(1;2)viaanitepaththat thatisnotcontainedinS+(1;2)is1.Thus,1�pFs(1U2)istheprobability(with ofthefulpaths2PathFful(s)whereeither1U2holdsorthateventuallyreachastate see(inCorollary9.5.23,page246)that,foreachfairadversaryFandstates,themeasure
onlypassesstatesinS+(1;2)nSat(2).
9.3.5,page231)wemayextendAPby\fresh"atomicpropositionsthatcharacterize HavingcomputedthesetsS+(1;2)andS?(1;2)(whichwillbeexplainedinSection Notation9.3.21[ThesetS?(1;2)]LetS?(1;2)=S+(1;2)nSat(2):
thesetsS+(1;2)andS?(1;2). Notation9.3.22[Theatomicpropositionsa+anda?]Inthesequel,wesupposea+,
respecttoj=fairitsucestocomputethevaluespmax ThefollowingtheoremstatesthattohandleformulasofthetypeProbwp(1U2)with a?2APwitha+2L(s)is2S+(1;2)anda?2L(s)ia?2S?(1;2).
Theorem9.3.23Foralls2S: sj=fairProbwp(1U2)i 1�pmax s(a?U:a+).
Proof: IfReach1^:2(s) seeSection9.5.2,Theorem9.5.25(page246). S+(1;2)ands2Sat(1)thenpmax s(a?U:a+)wp.
any(fair)adversaryFwith2PathFn(s),wehavepFs(1U2) Prob1(1U2).Viceversa,ifReach1^:2(s)6 2Pathn(s)with(i)j=1^:2,i=0;1;:::;jj�1,andlast()=2S+(1;2).For S+(1;2)thenthereisanitepath s(a?U:a+)=0.Hence,sj=fair
s6j=fairProb1(1U2).Thisleadstothefollowingcorollary. Corollary9.3.24Foralls2S: 1�P()

228 CHAPTER9.VERIFYINGTEMPORALPROPERTIES
s v
tm um
m mt '-fag
fbg
fag � 12���@@@@R ? -
12 Figure9.9:pmax s(a?U:a+)=1butpFs(aUb)>0forallF2Advsfair ;
observationforfullyprobabilisticsystemsismadeinSection3.1(Lemma3.1.10,page 37). \topology"ofthesystemsuces.Thisresultwasrstestablishedin[HSP83].Asimilar Thus,forverifyingqualitativeprogresspropertiesasexplainedabove,ananalysisofthe
Theorem9.3.26Foralls2S: Example9.3.25ForthesystemofExample9.3.20(page226),wehaveReach(s)=fs;tg andSat(b)=ftg.Hence,sj=fairProb1(3b).
Proof: seeSection9.5.2,Theorem9.5.27(page246). sj=sfairProbp(1U2)i 1�pmax s(a?U:a+) p:
AstrongerversionofTheorem9.3.26statingthatsj=sfairProb>p(1U2)i1� pmax ampleagaindemonstratesthedierencebetweenj=sfairandj=fair.) Example9.3.27WeconsiderthesystemshowninFigure9.9(page228).Clearly,uis s(a?U:a+)>pisincorrect,ascanbeseenfromExample9.3.27below.(Thisex-
pAs(a?U:a+)=1.Thisyieldspmax Hence,sj=sfairProb>0(aUb)whilepmax theonlystatethatsatises:a+.Thus,forthesimpleadversaryAwithA(s)=wehave
ThenextresultisananalogueofTheorem9.3.16(page226),inwhichweshowhowto s(a?U:a+)=1butpFs(aUb)>0forallF2Advsfair.
dealwithformulasProb>p(1U2)withrespecttothesatisfactionrelationj=sfair. s(a?U:a+)=1.
Theorem9.3.28Foralls2S:
Proof: sj=sfairProb>p(1U2)()(1�pmax
seeSection9.5.2,Theorem9.5.36(page250). 1�pmax s(a?U:a+) s(a?U:a+)>p:ifs2Tmax(a?;:a+) p:otherwise.
Example9.3.30InExample9.3.27(page228)wehaveTmax(a?;:a+)=fu;vg.Hence, Corollary9.3.29Ifs=2Tmax(a?;:a+)thensj=sfairProb>0(1U2). sj=sfairProb>0(aUb)sinces=2Tmax(a?;:a+).

NextweconsiderformulasoftheformProbwp(1U2)andthesatisfactionrelationj=Wfair. 9.3.MODELCHECKINGFORPCTL 229
First,weobservethatTheorem9.3.23(page227)doesnotcarryovertoj=Wfairsince
ispossible.Forthis,considerthesimplesystemofFigure9.10andthesimpleadversaryA infnpFt(1U2):F2AdvWfairo

230 Theorem9.3.33Foralls2S: CHAPTER9.VERIFYINGTEMPORALPROPERTIES
sj=WfairProbwp(1U2)i 1�pmax
Example9.3.34ConsiderthepathformulaaUbandthesystemofFigure9.11(page Proof: seeSection9.5.2,Theorem9.5.40(page252). s(a?Ua0W)wp.
LetTi;1,Ti;2beasinNotation9.3.31(page229).Then,weget: 230)whereW=fw1;w2g.ThesetS0W(a;b)isobtainedasfollows.WehaveS+(a;b)=S. T0=SnS+(a;b)=;whichyieldsT1;1=; T1;2=fv1g(considerthedistributionv1=1v12Steps(v1))
andTi;1=Ti;2=;foralli T2;1=fw1g(considerthedistributionw1=1v12Steps(w1))
Hence, T2;2=fw2;v2g
tj=WfairProb0:2(aUb)whilet6j=WfairProb0:5(aUb). 3.Thus,S0W(a;b)=fv1;v2;w1;w2gandpmax t(a?Ua0W)=45:
Ontheotherhand,t6j=fairProb0:5(aUb)sincepmax
fag t(a?U:a+)=0(asSat(:a+)=;).
t@@@@R
w2
s0
t ' t1323
fbg w1 v2 fag -t1212
15 45fag ? HHHHHHHj
fag
'6 fag v1 -s1fbg
%
*
���
HHHHj
?
� @@@@R %
9.3.4 Theconnectionbetweenj=,j=fair,j=sfairandj=Wfair
Figure9.11:S0W(a;b)=fv1;v2;w1;w2gforW=fw1;w2g
Fromtheresultsoftheprevioussectionswegetthatthefoursatisfactionrelationsonly dierforPCTLformulaswhoseoutermostoperatoristheuntiloperator(i.e.formulas ofthetypeProb./(1U2)).Thedierencebetweenthestandardsatisfactionrelationj=
cidewhendealingwithformulasofthetypeProbvp(1U2)(providedthat1,2cannotcertainlivenessproperties.However,thesatisfactionrelationsj=,j=fairandj=Wfaircoin- well-knownfactthatappropriatefairnessassumptionsmightbeessentialforestablishing andthesatisfactionrelationswithfairness(seee.g.Example9.1.6,page211)isduetothe
bedistinguishedbyj=,j=fairandj=Wfair).Thus,weget:

Theorem9.3.35Let 9.3.MODELCHECKINGFORPCTL beaPCTLformulathatdoesnotcontainsubformulasofthe 231
formProbwp(1U2)then,forallstatess, Proof: Fromtheresultsoftheprevioussection,wegetthatthedierencebetweentheinterpreta- by(i)(page220),Theorem9.3.6(page222),Theorem9.3.7(page222). sj= i sj=fair i sj=Wfair.
in[HSP83]thateachstrictlyfairschedulercanbe\approximated"byfairschedulers. Thepreciseconnectionbetweenj=fairandj=sfairisasfollows. tionsj=fairandj=sfairisonlymarginal.Thisresultisnotsurprisingasitisalreadyshown
formProb

232 Dealingwithj=fair,j=sfairorj=WfairandformulasoftheformProb./p(1U2)wepro- CHAPTER9.VERIFYINGTEMPORALPROPERTIES
linearprogramming,themaximalprobabilitiespmax posethefollowingprocedure.Asbefore,weassumethatthesetsSatA(i)arealready known.WerstcomputethesetS+(1;2)fromwhichwederivethesetsSat(:a+)= SnS+(1;2),Sat(a?)=S?(1;2)andS0W(1;2).Usingwell-knownmethodsof computedintimepolynomialinnandm(cf.Remark3.2.12,page43).Here, s(a1Ua2)underalladversariescanbe
(a1;a2)=8>:(1;2) (a?;a0W) (a?;:a+):if./2f;>ganddealingwithj=fairorj=sfair :if./2f;>ganddealingwithj=Wfair. :if./2f;0forsome ComputationofS+(1;2):LetG+(1;2)bethedirectedgraph(S;E)where(s;t)2
O(nm)forthecomputationofS+(1;2).22 canbederivedbyadepth-rstsearchinG+(1;2).Thisyieldsthetimecomplexity stateswhicharereachableinG+(1;2)fromastates2Sat(2).Hence,S+(1;2) 2Steps(t).Then,S+(1;2)isthesetof
ComputationofTmax(a1;a2):Inwhatfollows,wesimplywriteMaxSteps(s)rather thanMaxSteps(s;a1;a2).First,wecomputeMaxSteps(s)foralls2Sandthesets
where(s;t)2Ei Wecomputethestronglyconnectedcomponentsinthedirectedgraph(Sn(T0[U);E) T0=Sat(a2)[(SnS+(a1;a2)),U=fv2SnT0:MaxSteps(s)6=Steps(s)g.
anenumerationofthestronglyconnectedcomponentswhichsatises:ifs2Cj,s02Cl with(s;s0)2Ethenl suchthat(w)>0forsome (t)>0forsome j.Fori=1;:::;kwecomputethesetSiofstatesw2SnT0 2Steps(s)ands2Ci.LetZbethesetofpairs(v;V) 2MaxSteps(s)=Steps(s).LetC1;:::;Ckbe
z2Z,wedenotetherstcomponentofzbyz:state,thesecondcomponentbyz:next andwedenejzj=jz:nextj.LetS0bethesetofstatess2SnT0withs=z:statefor somez2Zwithjzj=0.Initially,wedeneT=T0.WesuccessivelymodifyS0,Tand suchthatv2SnT0,;6=V SnT0andV=Supp()nT0forsome2Steps(v).For
jzjbythefollowingprocedure: Fori=1;2;:::;k+1do: (1)WhileS06=;do: (1.2)S0:=S0nfsg,T:=T[fsg (1.1)choosesomes2S0 (1.3)Forallz2Zdo:
(2)Ifi (1.3.2)Ifjzj=0thenS0:=S0[fz:stateg. (1.3.1)Ifs2z:nextthenjzj:=jzj�1.
Then,Tmax(a1;a2)=T. 22TheconstructionofG+(1;2)needsO(nm)steps.Thetimeforperformingadepth-rstsearchin kandSi Ci[TthenS0:=S0[CinT.
adirectedgraphGislinearinthenumberofnodesandedges.AsthenumberofedgesinG+(1;2)is boundedbyminfn2;nmgwegetthetimecomplexityO(nm)forthecomputationofS+(1;2).

9.3.MODELCHECKINGFORPCTL 233
s1 s2 s4
s3 k-��� k k-s5 k
@@@R Figure9.12: k
componentsofthedirectedgraphshowninFigure9.12(page233)andobtain obtainU=fs6gandT0=Snfs1;:::;s6g.Werstcomputethestronglyconnected dealwitha1=a,a2=b.Then,1,22MaxSteps(s1)andMaxSteps(s6)=f1g.We Example9.3.38WeconsiderthesystemofExample9.3.15(Figure9.8,page225)and
Initially,thesetZconsistsofthepairs C1=fs5g,C2=fs3;s4g,C3=fs2g,C4=fs1g, S1=;,S2=fs3;s4;s5g,S3=fs3;s4g,S4=fs2;s6g.
obtainS0=fs3gands52T0.Then,weremoves3fromS0andobtainS0=;,s32T0. ThisyieldsS0=fs5g.Intherstiterationstep(i=1),werstremoves5fromS0and (s5;;);(s3;fs5g);(s3;fs4g);(s4;fs3;s4g);(s2;fs3;s4g);(s1;fs2g);(s1;fs6g);(s6;fs6g):
step(2)wehaveS2=fs3;s4;s5g Thus,intheseconditerationstep(i=2),step(1)isnotapplicable(sinceS0=;).In
s12T0.Intheiterationstepsi=4;5,onlystep(2)isapplicablethatyieldsS0=;.The S0andobtainS0=fs1g,s22T0.Finally,weremoves1fromS0andgetS0=;and step(i=3)removess4fromS0andyieldsS0=fs2g,s42T0.Then,weremoves2from C2[T0andobtainS0=fs4g.Thethirditeration
algorithmreturnsTmax(a;b)=Snfs6g.
andthateachofthesetsZ,S0;S1;:::;Skisrepresentedasalistconsistingofpointersto z:nextforz2Ztoberepresentedasbooleanvectors(onebitforeachstates2SnT0) Zandthefunctionjj,weneedO(nm)time.23WesupposethesetsT,C1;:::;Ckand ForthecomputationofMaxSteps(),U,thecomponentsC1;:::;Ck,thesetsS1;:::;Sk,
theirelements.Then,thetestin(1)andsteps(1.1),(1.2)canbeperformedinconstant
i2f1;2;:::;k+1gandallexecutionsofthewhileloopweneedO(nm)timetoperform time.Step(1.3)canbeperformedintimelinearinthesizeofZ.AsjZj timecomplexityO(m)forstep(1.3).Aseachstates2SnT0canonlybechosenonce instep(1.1)thewhile-loopcanbeperformedatmostn-times.Hence,rangingoverall mwegetthe
steps(1.1),(1.2)and(1.3).Rangingoveralli2f1;2;:::;kgweneed
23NotethatforthecomputationofMaxSteps(s)wehavetocalculatePt2S(t)pmax =1O(jSij)=O(kjSn(T0[U)j)=O(n2) kXi each2Steps(s).AsGhasatmostminfn2;nmgedgesandasthestronglyconnectedcomponentsofa directedgraphcanalwaysbecomputedintimelinearinthenumberofstatesandedges,thecomputation ofC1;:::;CktakesO(nm)time.
s(a1Ua2)for

234 timeforstep(2).WeconcludethatthetimecomplexityofcomputingTmax(a1;a2)by CHAPTER9.VERIFYINGTEMPORALPROPERTIES
obtainedTmax(a1;a2).Thus,alsothecomputationofS0W(1;2)needsO(nm)time. themethoddescribedaboveisO(nm).(Recallthatweassumem ComputationofS0W(1;2):S0W(1;2)canbecomputedinasimilarwayaswe n.)
thecostfunctionforthetimeforcomputingthevaluespmax a1,a2.Summingupoverallnodesintheparsetreeweobtainthetimecomplexity ComplexityofPCTLmodelchecking:Letp(n;m)beapolynomialthatstandsfor
Ojjk nm+p(n;m) s(a1;a2)foratomicpropositions
Here,kiseither1(inthecasewhere themaximalvalueksuchthat containsasubformulaoftheformProb./p doesnotcontaintheboundeduntiloperator)or :
I.e.,thetimecomplexityispolynomialinthesizeofthestructureandlinearinthesize oftheformula.ThespacecomplexityisO(n(jj+m)).Thiscanbeseenasfollows. TherepresentationofthesetassociatedwitheachnodevoftheparsetreerequiresO(n) 1Uk2.
S0W(1;2)needsO(nm)space.(Notethatn thespaceneededfortherepresentationofthelabellingfunctionL).Forthecomputation ofpmax space.Forthesystem(S;steps;AP;L)itself,weneedO(nm)space(whereweneglect
Theorem9.3.39LetSaniteconcurrentprobabilisticsystem, s(a1Ua2),weneedO(n2)spacewhilethecomputationofthesetsTmax(a1;a2)or m.)Wesummarize:
typesAdv,Advfair,AdvsfairorAdvWfair. WasubsetofthestatespaceofS.Then,SatA()canbecomputedintimeandspace polynomialinthethesizeofSandlinearinthesizeof whereAisoneoftheadversary aPCTLformulaand
9.4 Intheliterature,severalmethodsareproposedtoverifyaprobabilisticsystemagainst LTLformulasorsimilarspecicationformalisms.Awiderangeofthesemethodsis ModelcheckingforLTL
basedonthedeductiveapproachand/ordealwithqualitativepropertiesstatingthata VaWo86,CoYa88,ACD91a]wheremethodsforfullyprobabilisticsystemsareproposed and[HSP83,Pnue83,Vard85,PnZu86a,PnZu86b,VaWo86,PnZu93,CoYa95]where methodsforconcurrentprobabilisticsystemsarepresented. lineartimeformulaholdswithprobability0or1.Seee.g.[LeSh82,HaSh84,Vard85,
Followingthe!-automataapproachproposedbyVardi&Wolper[Vard85,VaWo86]for verifyingqualitativelineartimeproperties,algorithmstoestablishquantitativelineartime severalauthors(see[CoYa95,IyNa96]forthefullyprobabilisticcaseand[dAlf97b]where concurrentprobabilisticsystemsandthestandardinterpretationj=areconsidered).The properties(andderivedmodelcheckingalgorithmsforPCTL)havebeendevelopedby
theformula'(i.e.an!-automataoverthealphabet2APthatacceptsexactlythosewords knownmethods[WVS83,SVW85,Safr88,VaWo94],oneconstructsan!-automataAfor basicideabehindthe!-automatatheoreticapproachcanbesketchedasfollows.The
over2APforwhichtheformula'holds).Then,onedenesanewprobabilisticsystem startingpointisaprobabilisticsystemSandaLTLformula'overAP.Usingwell-
S AwhichcanbeviewedastheproductofSandAand,forwhich,thereisanatural

9.4.MODELCHECKINGFORLTL \embedding"s7!sAofthestatessofSintothethestatespaceoftheproductsystem 235
toreachastateinU0.24 Ssuchthatthe\probability"that'holdsinstatesagreeswiththe\probability"forsA A.FromtheacceptanceconditionofA,asetU0ofstatesinS Acanbederived
automaton),thetimecomplexityofthe!-automata-basedmethodis(single)exponential inthesizeofthesystemandlinearinthesizeofthesystem,see[CoYa95,IyNa96]. Analternativealgorithm(withthesametimecomplexity)tocomputetheprobabilities Inthefullyprobabilisticcase(whereitispossibletodealwithanon-deterministic!removethetemporaloperatorsfromthegivenformula'(nallyresultinginapropositionalformula'0)whereatthesametimethefullyprobabilisticsystemsismodied.As
ps(')=Probf2Pathful(s): Courcoubetis&Yannakakis[CoYa88].Themainideaofthismethodissuccessivelyto j='ginanitefullyprobabilisticsystemisgivenby
Fortheconcurrentcase,theabovementionedrelationbetweentheoriginalsystemS withthesametimecomplexity. describedinSection9.2,bothmethodscanbeusedforaPCTLmodelcheckingalgorithm
\deterministicinlimit"[VaWo86,CoYa95]).Thetimecomplexityoftheresultingmethod forverifyingconcurrentprobabilisticsystemsagainstquantitativeLTLspecications(and andtheproductS thederivedPCTLmodelcheckingalgorithm)withrespecttothestandardsatisfaction Arequiresthatthe!-automatonAisdeterministic(oratleast
relationj=isdoubleexponentialinthesizeoftheformulaandlinearinthesizeofthe system.Bytheresultsof[CoYa95],thismeetsthelowerboundforverifyingconcurrent probabilisticsystemsagainstlineartimespecications.
explainthe!-automatonapproachcanbeappliedforLTLmodelcheckingwithrespect tothesatisfactionrelationsj=fair,j=sfairandj=Wfair.Themethodwepresenthereis Inthissection,wepresentmethodsforverifyingconcurrentprobabilisticsystemsagainst quantitativeLTLspecifationswhenfairnessassumptionsaremade.Moreprecisely,we anadaptionoftheonedeveloppedbydeAlfaro[dAlf97b]foraPCTLmodelchecking Remark9.4.1[Avoidingterminalstates]Thepresentedmethodassumesanite concurrentprobabilisticsystemwithoutterminalstates.Thisisaharmlessrestriction algorithmwithrespecttothestandardsatisfactionrelationj=.
GivenasystemS=(S;Steps;AP;L)withterminalstates,weinsertaspecialstate0 sinceanysystemcanbetransformedintoan\equivalent"systemwithoutterminalstates. withaself-loopandtransitionsfromanyterminalstateinSto0.25GivenaLTLformula ',wereplaceeachsubformulaX overS0.Hence,wemayassumew.l.o.g.thatthesystemdoesnothaveterminalstates. iseasytoseethattheinterpretationof'overScorrespondstotheinterpretationof'0 subformula'1U'2by'1U('2^:a0).Let'0betheresultingLTLformulaoverAP0.It byX( ^:a0),'1Uk'2by'1Uk('2^:a0)andeach
theconcurrentcase,\probability"standsfortheminimalormaximalprobabilityunderacertainkindof adversaries. Verifying!-automatonspecications:AssuggestedbyLucadeAlfaro,weconsider
25Formally,weconsiderthesystemS0=(S0;Steps;AP0;L0)whereS0=S]f0gandAP0=AP]fa0g, 24Here,inthefullyprobabilisticcase,\probability"standsfortheusualprobabilitymeasure;whilein L0(s)=L(s)ifs2SandL0(0)=fa0g.Ifs2SisnonterminalthenSteps0(s)=Steps(s).Ifs2Sis terminalthenSteps0(s)=f10g.Theself-loopattheauxiliarystate0ismodelledbySteps0(0)=f10g.

236 !-automatonwiththeRabinacceptancecondition.Webrieyrecallthedenition.A CHAPTER9.VERIFYINGTEMPORALPROPERTIES
deterministicRabinautomatonisatupleA=(Q;q0;Alph;d;AccCond)where q02Qtheinitialstate, Alphanonemptynitealphabet, Qisanitesetofstates,
asetconsistingofsubsetsHj,KjofQ. AccCondthe(Rabin)acceptancecondition,i.e.AccCond=f(Hj;Kj):j=1;:::;rgis d:QAlph!Qthetransitionfunction,
Alph.Eachworda=a0a1:::overAlphiaassociatedwiththerun i=0;1;2;:::.Inwhatfollows,werefertoaninnitesequenceoverAlphasawordover ArunoverAisa\sequence"p0a0!p1a1 !p2a2 !:::suchthatp0=q0andpi+1=d(pi;ai),
sequenceof(automata)states.ThesetAccWords(A)ofacceptedwordsoverAlphisthe wherep0=q0andpi=d(pi�1;ai�1),i=1;2;:::.Letqa=p0p1p2:::betheassociated run(a)=p0a0!p1a1 !p2a2!:::
setofwordsaoverAlphsuchthat,fortheinducedwordqa=q0q1:::overQ,
follows,wexaconcurrentprobabilisticsystemS=(S;Steps;AP;L)withoutterminal Here,inf(q)denotesthesetofstatesq2Qthatoccurinnitelyofteninq.Inwhat inf(q) Hjandinf(q)\Kj6=;forsomej2f1;:::;rg.
Alph=2AP.LetAccCond=f(Hj;Kj):j=1;:::;rg. Notation9.4.2[Acceptedfulpaths]If statesandadeterministicRabinautomataA=(Q;q0;2AP;d;AccCond)overthealphabet
word()=L((0))L((1))L((2))::: isafulpathinSthen
denotestheinducedwordoverAlph=2AP.Thesetofacceptedfulpathsisdenedby
ForA2Adv,s2S,weputAccPathA(s)=AccPath\PathAful(s):LetI intervaloftheformI=I./p=fq2[0;1]:q./pg.Asbefore,Adenotesacertaintypeof AccPath=f2Pathful:word()2AccWords(A)g:
adversaries,e.g.A=AdvorA=Advfair.Weaimatamethodforcomputing[0;1]bean
DeAlfaro[dAlf97a,dAlf97b]describesamethodforthecaseA=Adv.Wenowpresent amodicationofthismethodforthecasesA2fAdvfair;Advsfair;AdvWfairg.Asin SatA(hA;I./pi)=ns2S:Prob(AccPathA(s))./pforallA2Ao:
Notation9.4.3[Thedistributionsq]For2Distr(S),q2Q,weput [dAlf97a,dAlf97b],webuilttheproductofSandA,thusobtaininganewpropositionlabelledconcurrentprobabilisticsystemS A.
q(ht;pi)=((t):ifp=d(q;L(t)) 0 :otherwise.

9.4.MODELCHECKINGFORLTL Thestepsintheproductsystemaregivenbythese\lifted"distributionsq2Distr(SQ). 237
Notation9.4.4[TheproductsystemS S A=(SA;StepsA;AP;LA) A]Theproductsystem
isgivenbySA=S Clearly,S systemScanbe\embedded"intotheproductsystembyaddingtoeachstates2S Aisaproposition-labelledconcurrentprobabilisticsystem.Theoriginal Q,LA(hs;qi)=L(s)andStepsA(hs;qi)=fq:2Steps(s)g:
thoseautomatastateqthatisreachedfromtheinitialautomatastateq0bytheL(s)labelledtransition. spaceoftheproductcanbeextendedtoanembeddingofthepaths.Forthis,weliftany Theresultingembeddings7!sAofthestatespaceSoftheoriginalsystemintothestate Notation9.4.5[ThestatesA]Fors2S,letsA=hs;d(q0;L(s))i:
Notation9.4.6[ThepathsA]Let=s01 pathinStoapathAinS S.WedeneAtobethefollowingpathinSA. Aasfollows.
hs0;p0i1!hs1;p1i2 !hs2;p2i3!::: !s12 !:::bea(niteorinnite)pathin
Notation9.4.7[ThesetsA]Let wheresi=(i),p0=d(q0;L(s0)),pi+1=d(pi;L(si+1)andi=pi�1 PathSful.Then,A=fA:2g: i.
PathSA (fair)adversariesofSandS Thefunction andsA.Clearly,2FairSi ful(sA)betweenthenitepathsstartinginsandsAandthefulpathsstartingins 7!AyieldsbijectionsPathSn(s)!PathSA A2FairSA.Thisalsoinducesaconnectionbetweenthe A.AnyadversaryAforSinducesasetofadversariesin n(sA)andPathSful(s)!
Notation9.4.8[TheadversarysetAA]LetA2AdvS.Then,AAdenotesthesetof offsA:s2Sg.26 SA.Theadversariesofthissetonlydierinthosepaths0thatdonotstartinastate
adversariesA02AdvSAsuchthat,foranynitepath2PathSn, Clearly,thefunctionA7!AAisinjectiveand,foreachA02AdvSA,thereisa(unique) adversaryAwithA02AA.Itiseasytoseethat,foranyA2AdvSandA02AA,the ifA()=andlast(A)=hs;qithenA0(A)=q.
functionsPathAn(s)7!PathA0n(sA), arebijections.Moreover,wehaveP()=P(A)foranynitepath.Thisyieldsan isomorphismbetweentheinducedprobabilityspacesonPathAful(s)andPathA0 precisely:LetA2AdvS,A02AAand7!A,andPathAful(s)7!PathA0 Pathful.Then, A(s)ismeasurablei ful(sA), ful(sA).More 7!A,
A(sA)ismeasurable;inwhichcase,theprobabilitymeasuresofA(s)andA0 A0
pathsinSAthatdonotstartinastatesAdonothaveacounterpartinS.
thesame.Moreover, 26Ofcourse,wedonothaveaone-to-onecorrespondencebetweentheadversariesofSandSAsince A(sA)are

238Fisa(strictly)fairadversaryforSithereisa(strictly)fairadversaryF02FA, CHAPTER9.VERIFYINGTEMPORALPROPERTIES
Ifwetake Notation9.4.9[ThesetAccPath]LetAccPathbethesetoffulpathsAinSAwhere FisW-fairithereis(W =AccPaththentheseobservationsleadtothefollowinglemma. Q)-fairadversaryF0inFA.
Lemma9.4.10Letp2[0;1]and./2f;>;;

9.4.MODELCHECKINGFORLTL 239
s1 ; -fbg s2 ? -r1212
1fag
s3 s4 ; PPPq1 Figure9.13:ThesystemS PPPPq s5fbg
computingU0,onemightapplygraphtheoreticalmethodstoobtainthesetsU0j.AlternauctSA,computingthesetU0andthenapplyingthePCTLmodelcheckingalgorithmof Section9.3tocomputethesetsSatfair(Prob./p(3aU0))andSatsfair(Prob./p(3aU0)).For Thus,thesetsSatfair(hA;I./pi)andSatsfair(hA;I./pi)canbeobtainedbybuildingtheprodtively,thesetU0jcanbedescribedasgreatestxedpointoftheoperatorFj:2SQ!2SQ,
W-fairness,similarideascanbeapplied.TheonlydierenceisthatthesetU0hastobe andcomputedbytheiterationV0=S Fj(V0)=nv02H0j:ReachSA(v0) Q,V0 V0^ReachSA(v0)\K0j6=;o;
replacedbythefollowingsetU0W.WedeneW0=W i+1=Fj(V0 QandU0=S1jrU0jwhere i),i=0;1;:::.Dealingwith
U0j=[
t02T0nW0,thereissomet02StepsA(t0)wherethefollowingconditionsaresatised: andwhereTjisdenedasfollows.TjconsistsofallsubsetsT0ofH0jsuchthat,foreach T02TjT0
(3)Eachstatet02T0canreachastatev02K0jinthesystem(T0;Steps0)where (1)Ift02T0\W0and2StepsA(t0),thenSupp() (2)Ift02T0nW0thenSupp(t0) T0. T0.
Westate(withoutproof)that Steps0(t0)=(StepsA(t0):ift02T0\W0, ft0g :ift02T0nW0.
S=(S;Steps;AP;L)withoutterminalstates.Leth';IibeaquantitativeLTLspecica- ModelcheckingforLTL:Asbefore,wexaniteconcurrentprobabilisticsystem SatWfair(hA;I./pi)=ns2S:sAj=W0fairProb./p3aU0Wo:
tion.Usingwell-knownmethods[WVS83,SVW85,Safr88,VaWo94],wecanconstructa deterministicRabinautomataA'overthealphabetAlph=2APsuchthatAccWords(A') isthesetofinnitewordsover2APforwhich'holds.27Forthis,weneeddoubleexpo- methodexplainedbefore.ThetimecomplexityispolynomialinthesizeofSanddouble exponentialinthesizeof'.(Thus,themethodisoptimalbytheresultsof[CoYa95]). nentialtimeinthesizeof'.Then,weobtainSatA(h';Ii)=SatA(hA';Ii)withtheisticRabinautomatonA=A3(a^Xb)isshowninFigure9.14(page240)wherewedeal9.13(page239)andthequantitativeLTLspecicationh3(a^Xb);I0:5i.Thedetermin-
Example9.4.12WeapplythemethoddescribedabovetothesystemshowninFigure

240 CHAPTER9.VERIFYINGTEMPORALPROPERTIES
@R6 q0 ' l fag,fa;bg
;,fbg ; fag q1 $? 6l fbg,fa;bg -q2
6l
withtheacceptanceconditionAccCond=f(Q;fq2g)g.28ThesystemS Figure9.14:RabinautomataAfor3(a^Xb)
omitted.WegetH0=SQandK0=f(si;q2):i=1;:::;5g.Thus,U0containshs3;q0i, Figure9.15onpage240wherestatesthatarenotreachablefromthestatehs1;q0iare Aisshownin
s1;q0 -s2;q0 ? -s1212 s3;q0 -s5;q1 -s5;q2?
- @@@@R ����
s4;q0 -s5;q0?
hs5;q1iandhs5;q2ibutnoneoftheotherstatesshowninFigure9.15.Clearly, Figure9.15:TheproductsystemS A
foreachfairadversaryF0ofS yieldss12Satfair(h3(a^Xb);I0:5i). Probn02PathF0 A.Hence,hs1;q0ij=fairProb0:5(3(a^Xb))which ful(hs1;q0i):0j=3aU0o=12
bilitiesforPCTLpathformulasunderalladversariesagreewiththeminimalormaximal probabilitiesunderallsimpleadversaries(seeitems(i)and(ii)onpage220).Thisresult doesnotlongerholdwhendealingwithgeneralLTLformulasratherthanPCTLpath Remark9.4.13Bytheresultsof[CoYa90,BidAl95],theminimalandmaximalproba-
formulas.WeconsidertheLTLformula'=Xb!2aandthesystemshowninFigure fa;bgtk6 fag sk? -uk;
9.16(page240).Then,pAs(')=Probn2PathAful(s):j='o=1forallsimpleadver- Figure9.16:pAs(Xb!2a)=1forallA2Advsimple sariesA,whilepFs(')=Probn2PathFful(s):j='o=0forthefairadversariesFwith 28This!-automatacanbeviewedasadeterministicBuchiautomatawheretheacceptancesetisfq2g.
27Here,theunderlyingsatisfactionrelationj= 2APINLTLisdenedintheobviousway.

9.5.PROOFS F(s)=1tandF()=1uforallpaths withlast()=sandjj 1.Thisexample 241
supnpFs('):F2AdvfairoandsupnpAs('):A2Advocannotbeestablished. alsoshowsthat,unlikeinTheorem9.3.6(page222),aresultstatingthattheequalityof
9.4whichwehaveusedtoderivethemodelcheckingprocedureforPCTL. 9.5 ThissectionincludestheproofsofthetheoremsestablishedinSection9.3andSection Proofs
p-fairness(seeChapter8,page193)whichisdenedinthefullyprobabilisticand Inthissectionweintroducestateandtotalfairness.Statefairnessisaninstanceof 9.5.1 Stateandtotalfairness
concurrentcase.Totalfairnessforconcurrentprobabilisticsystemsrequiresbothfairness areintroducedfortechnicalreasonsonly;theyyieldasimpleprooftechniqueforshowing ofadversaries(seeSection3.2.3,page45)andstatefairness.Stateandtotalfairness
graph-theoreticalcriteriaforestablishing\qualitativeprogressproperties". fullyprobabilisticsystemsyieldsasimpleproofforLemma3.1.10(page37)thatgivesa theequalityoftheprobabilitymeasuresofcertainevents.Forinstance,statefairnessin
Denition9.5.1[Statefairness(fullyprobabilisticcase)]LetS=(S;P)beafully probabilisticsystemand P(s;t)>0thenthereareinnitelymanyindicesjwith(j)=sand(j+1)=t. Clearly,statefairnessisaspecialinstanceofp-fairness(cf.Denition8.1.1,page194). 2PathSful. iscalledstatefairi,foreachs2inf(),if
(L;l)-fair. Lemma9.5.2LetS=(S;P)beanitefullyprobabilisticsystemand WetakeL=S Sandl(s;t)=f(s;t)g.Then,foreachfulpath, isstatefairi astatefair is
fulpathinS.Then,inf()=Reach(s)forallstatess2inf(). Proof: bethelengthofashortestpathfromstot.Byinductiononkitiseasytoseethat,if dist(s;t)=kthent2inf(). Lets2inf().Clearly,inf() Reach(s).Fort2Reach(s),letdist(s;t)
Lemma9.5.4Let(S;P)beaboundedfullyprobabilisticsystem.Then,foralls2S, ofstatefairfulpathsinS. Notation9.5.3[ThesetStateFair]StateFairS(orshortlyStateFair)denotestheset
Inparticular,whenever Pathfulsuchthat(s)ismeasurablethen Prob(StateFair(s))=1:
Proof: followsimmediatelyfromTheorem8.1.5(page196).
Prob((s))=Prob(StateFair\(s)):

242 Corollary9.5.5(cf.Lemma3.1.10,page37)Let(S;P)beanitefullyprobabilistic CHAPTER9.VERIFYINGTEMPORALPROPERTIES
system.LetUbeasubsetofSand i=0;1;:::;jj�1,andlast()2U.Let Pathn(s);=2 "ng.Then,wehave: thesetofnitepaths = ".Lets2SandT=flast(): where(i)2SnU,
(t)6=;forallstatest2TiProb((s))=1. 2
Proof: statest2T.UsingLemma9.5.2(page241)itiseasytoseethatStateFair(s) The\if"partisclear.Forthe\onlyif"part,weassumethat(t)6=;forall
Thedenitionofstatefairnessintheconcurrentcaseisasfollows. Thus,Lemma9.5.4(page241)yieldstheclaim. (s):
Denition9.5.6[Statefairness(concurrentcase)]LetS=(S;Steps)beaconcurrentprobabilisticsystemandafulpathinS. thereareinnitelymanyindicesjwith(j)=s,step(;j)=and(j+1)=t. 2Steps(s)suchthat(i)=s,step(;i)=forinnitelymanyiandeacht2Supp(), iscalledstatefairi,foreachs2Sand
foreachfulpath, StateFairS(orshortlyStateFair)denotesthesetofstatefairfulpathsinS. Notethatstatefairnessisaspecialinstanceofp-fairness(cf.Denition8.2.1,page200). LetL=f(s;;t):s2S;2Steps(s);t2Supp()gandl(s;;t)=f(s;;t)g.Then,
Lemma9.5.7LetS=(S;Steps)beaniteconcurrentprobabilisticsystem,Aasimple isstatefairi is(L;l)-fair.Asinthefullyprobabilisticcase,
Proof: probabilisticsystemSAinducedbythesimpleadversaryA. adversaryforS.Then,foreach2StateFairA,ReachA(s)=inf()foralls2inf().
Lemma9.5.8Let(S;Steps)beaniteconcurrentprobabilisticsystem.Then: followsimmediatelybyLemma9.5.2(page241)appliedtothenitefully
measurablethenProb foralladversariesAands2S.Inparticular,whenever ProbStateFairA(s)=1
Proof: followsimmediatelyfromTheorem8.2.3(page200). A(s)=ProbStateFair\A(s): PathfulsuchthatA(s)is
Wedenetotalfairnessasthecombinationofstatefairnessandfairnesswithrespectto thenon-deterministicchoices(inthesenseofDenition3.2.14,page45).
Lemma9.5.10LetS=(S;Steps)beaniteconcurrentprobabilisticsystem.Then,for Denition9.5.9[Totalfairness]LetS=(S;Steps)beaconcurrentprobabilisticsys-
eachtotalfairfulpath temand afulpathinS. inS,Reach(s)=inf()foralls2inf(). iscalledtotalfairi isfairandstatefair.
Proof: theproofofLemma9.5.2(page241). Notation9.5.11[ThesetTotalFair]TotalFairS(orshortlyTotalFair)denotestheset easyverication.Usesinductiononthe\distance"betweentwostatesasin
oftotalfairfulpaths.

9.5.PROOFS Lemma9.5.12Let(S;Steps)beaniteconcurrentprobabilisticsystem.Then: 243
forallfairadversariesFands2S.Inparticular,if measurablethenProb F(s)=ProbTotalFair\F(s): ProbTotalFairF(s)=1 Pathfulsuchthat F(s)is
9.5.2 Proof: CorrectnessofthePCTLmodelcheckingalgorithm followsimmediatelyfromLemma9.5.8(page242).
subsetWofSandtwoPCTLformulas1and2whichwetreatasatomicpropositions (i.e.weassumethat1,22AP).Moreover,weassumeatomicpropositionsa?,a+ Wexaproposition-labelledconcurrentprobabilisticsystemS=(S;Steps;AP;L),a
thefollowinglemmawhichfollowsfromtheresultsof[BidAl95](Corollary20,part1,in anda0WasinNotation9.3.22(page227)andNotation9.3.32(page229).Weoftenuse [BidAl95]),cf.item(i)and(ii)onpage220. Lemma9.5.13(cf.[BidAl95])ThereexistAmax,Amin2Advsimplewith
forallstatess2SandalladversariesB.Inparticular, pAmax s (1U2) pBs(1U2) pAmin s (1U2)
Maximalprobabilitiesunderallfairadversaries:WegivetheproofofTheorem 9.3.6(page222)andTheorem9.3.8(page222). pAmax s (1U2)=pmax s(1U2);pAmin s (1U2)=pmin s(1U2):
Lemma9.5.14Let(S;Steps)beaniteconcurrentprobabilisticsystemandS1,S2 LetAbeasimpleadversaryforSand (i)2S1nS2,i=0;1;:::;jj�1,andlast()2S2.Then,wehave: PathAnbethesetofallfulpaths suchthat S.
Proof: If2StateFairthenthereareonlynitelymanyindicesisuchthat(i)2 Weassumethatthereisafulpath 2StateFairsuchthat(i)2 #.
ByLemma9.5.7(page242), innitelymanyi.Then,(i)2 #foralli.Hence, 2PathAful.Thus, 2StateFairA. #for
andReachA((i))\S26=;foralli.Thiscontradicts(*).Thus,wegettheclaim. Bydenitionof (*)inf()=ReachA(s).
Lemma9.5.15Let(S;Steps)beaniteconcurrentprobabilisticsystemandS1,S2 andsince(i)2 #forinnitelymany(all)i,wehave(i)2S1nS2
andlast()2S2.Then: Let Pathnbethesetofallfulpaths suchthat(i)2S1nS2,i=0;1;:::;jj�1, S.
ForeachsimpleadversaryA,thereexistsafairadversaryFwithA PathFn.

244 Inparticular,A FandProb
CHAPTER9.VERIFYINGTEMPORALPROPERTIES
forallstatess2S.Moreover,thereisasequence(Fk)k0ofstrictlyfairadversariessuch that A(s)" Prob F(s)"
forallstatess2S. Prob A(s)" sup k0Prob Fk(s)"
F�asfollows.Foreachstates2S,wechooseanenumerations0;:::;sms�1ofSteps(s). Proof: If2Pathnisaproperprexofsome2�,i.e.if=(i)forsome2�andsome LetAbeasimpleadversary.Let�asubsetofA.Wedeneanadversary
s=last(),j=rmodmsandrthenumberofindicesi

9.5.PROOFS 245
s v
tm um
m mt
fag 12 12 fbg ; '-fag � ���@@@@R
? -
showninFigure9.17(page245)andthesimpleadversaryAwithA(s)=.Then,with Figure9.17:
S1=Sat(a)=fs;tg,S2=Sat(b)=fug,wehave:
Then,foreachadversaryFwithA A=f2PathAn:last()=u;(i)6=u;i=0;1;:::jj�1g: containstheunfairfulpaths�!ts Lemma9.5.17ForeachA2Advsimplethereexist �!s�!ts PathFn:iflast()=sthenF()=.Hence,F �!:::;i.e.Fcannotbestrictlyfair.
(a)F2AdvfairwithpAs(1U2) (b)asequence(Fk)k1inAdvsfairsuchthat,foralls2S, pAs(1U2) pFs(1U2)foralls2S
Proof: followsimmediatelybyLemma9.5.15(page243). sup k1pFk s(1U2):
Corollary9.5.18Foralls2S:
Proof: maxnpFs(1U2):F2Advfairo=maxnpFs(1U2):F2AdvWfairo=pmax
(page245)andthefactthatAdvfair followsimmediatelybyLemma9.5.13(page243),part(a)ofLemma9.5.17 AdvWfair. s(1U2):
Proof: Theorem9.5.19(cf.Theorem9.3.6,page222,andTheorem9.3.7,page222) sj=fairProbvp(1U2)i followsimmediatelybyCorollary9.5.18(page245). sj=WfairProbvp(1U2)i pmax s(1U2)vp.
Corollary9.5.20Foralls2S:supnpFs(1U2):F2Advsfairo=pmax Proof: byLemma9.5.13(page243)andpart(b)ofLemma9.5.17(page245). s(1U2):
Theorem9.5.21(cf.Theorem9.3.8,page222)Foralls2S: sj=sfairProbp(1U2)i pmax s(1U2) p.

246 Proof: followsbyCorollary9.5.20(page245). CHAPTER9.VERIFYINGTEMPORALPROPERTIES
9.3.23(page227)andTheorem9.3.26(page228). Minimalprobabilitiesunderallfairadversaries:WegivetheproofofTheorem
Proof: Lemma9.5.22Let Clearly,ifj=1U2then6j=a?U:a+.Let6j=a?U:a+.Then, beatotalfairfulpath.Then,j=1U2i 6j=a?U:a+.
Hence,inf() inf():BydenitionofS+(1;2)(andsinces2S+(1;2)),Reach(s)\Sat(2)6=;: (*)(i)2S+(1;2) S+(1;2).Lets2inf().ByLemma9.5.10(page242),Reach(s) Sat(1)foralli 0.
Thus,Sat(2)\inf()6=;.Fromthisand(*),wegetj=1U2.
Proof: Corollary9.5.23ForallF2Advfair,s2S:pFs(1U2)=1�pFs(a?U:a+):
Corollary9.5.24Foralls2S: followsfromLemma9.5.22(page246)andLemma9.5.12(page243).
minnpFs(1U2):F2Advfairo=1�pmax
(byCorollary9.5.23).ByCorollary9.5.18(page245),pFs(a?U:a+)=pmax Proof: IfF2AdvfairthenpFs(1U2)=1�pFs(a?U:a+) s(a?U:a+):
someF2Advfair.ForthisadversaryF,weget(againbyCorollary9.5.23), 1�pmax s(a?U:a+)for s(a?U:a+)
Thisyieldstheclaim. pFs(1U2)=1�pFs(a?U:a+)=1�pmax s(a?U:a+):
Theorem9.5.25(cf.Theorem9.3.23,page227)Foralls2S:
Proof: followsimmediatelybyCorollary9.5.24(page246). sj=fairProbwp(1U2)i 1�pmax s(a?U:a+)wp.
Corollary9.5.26Foralls2S:
Proof: followsbyCorollary9.5.23(page246)andCorollary9.5.18(page245). infnpFs(1U2):F2Advsfairo=1�pmax s(a?U:a+):
Theorem9.5.27(cf.Theorem9.3.26,page228)Foralls2S:
Proof: followsimmediatelybyCorollary9.5.26(page246). sj=sfairProbp(1U2)i 1�pmax s(a?U:a+) p:
givetheproofofTheorem9.3.16(page226)andTheorem9.3.28(page228).
Maximalandminimalprobabilitiesunderallstrictlyfairadversaries:Wenow

9.5.PROOFS Lemma9.5.28LetF2Advfair, =f2PathFful:j=1U2gandk=S2k"F 247
wherek=n(k):2oThen,foralls2S: pFs(1U2)=lim
and0(s) Proof: Wehave0 1 ::: .Let0=Tk1k.Then, k!1Prob(k(s))
pFs(1U2)=Prob((s)) (s).Hence, Prob(0(s))=lim 0(s)ismeasurable
Lemma9.5.12(page243): UsingLemma9.5.10(page242)itcanbeshownthatTotalFair\0(s) k!1Prob(k(s)):
Prob(0(s))=Prob(TotalFairF(s)\0(s)) Prob((s))=pFs(1U2): (s).By
Hence,pFs(1U2)=Prob(0(s))=limProb(k(s)). Notation9.5.29[TheprobabilitiespA(1U2)]LetA2Adv,2PathAn.Then,
whereA0isanadversarywithA0()=A( pA(1U2)=pA0(1U2)
Lemma9.5.30LetF2Advsfair,s2Sand 0;1;:::;jjg.Thefollowingareequivalent: )foreach2Pathn(last()).
(i)F()2MaxSteps(last();1;2)forall2. =f2PathAn(s):(i)j= 1^:2;i=
Proof: (iii)pmax (ii)pmax s(1U2)=pFs(1U2): last()(1U2)=pF(1U2)forall2.
(ii)=)(iii):WesupposepF0pF0: :jj=kg.Letkthesetofpaths2PathFn(s)with andA(0 )=B()iflast(0)=rst().Then,
jj last()j= (l)j=1^:2,l=0;1;:::;jj�1, k,
Clearly,k,k Since02kweobtainby(*): PathAn(s).Moreover,bydenitionofA,pA=pFforall2knf0g. 2.
pFs=X2kP()pF+X2kP()

248 Contradiction. CHAPTER9.VERIFYINGTEMPORALPROPERTIES
(iii)=)(i):If2,s=last()and=F()then
wheretisthepath!t.Hence,2MaxSteps(s;1;2). pmax s =pF=Xt2S(t)pFt=Xt2S(t)pmax t
(i)=)(iii):Wedene setoffulpaths2Pathful(last())where k()=n(k):2()o; =f2PathFful:j=1U2gandLet2 2Fand ()=[ and()bethe
Lemma9.5.28(page247)appliedtothefairadversaryF0withF0()=F( rst()=last()yieldspF=lim
k0k():
k!1pk wherepk= X )if
Byinductiononkitcanbeshownthatpk forall2.Hence,pF=pmax pmax last()forall2.ThisyieldspF 2k()P():
Lemma9.5.31ThereexistsF2AdvsfairwithpFs(1U2)=pmax last()forall2. s(1U2)foralls2 pmax last()
Tmax(1;2). Tmax,Tmax Proof: j WesimplifythenotationsintroducedinNotation9.3.14(page224)andwrite andTmax j;lratherthanTmax(1;2),Tmax T=[ j1Tmax j;1: j(1;2)andTmax j;l(1;2).Let
Foreachj 1,t2Tmax j;1wechoosesomet2MaxSteps(t;1;2)with
WedeneanadversaryFasfollows.Foreachs2S,lets0;:::;sms�1beanenumeration Supp(t) [i

9.5.PROOFS ByLemma9.5.30(page247),wegetpFt(1U2)=pmax t(1U2)forallt2Tmax. 249
Corollary9.5.32ThereexistsF2AdvsfairwithpFs(1U2)=1�pmax alls2Tmax(a?U:a+). Proof: followsfromLemma9.5.31(page248)andCorollary9.5.26(page246). s(a?U:a+)for
ilarly,wesimplywriteTmax,Tmax Proof: Lemma9.5.33IfF2Advsfair,s=2Tmax(1;2)thenpFs(1U2)

250 Proof:Foreach 2 withlast()2SnTmax,wechoosesome CHAPTER9.VERIFYINGTEMPORALPROPERTIES
Then,theuniquefulpathwithi

9.5.PROOFS Proof: Let =f2PathFful: 6j=1U2gandlet�bethesetoffulpaths 251
W-fairnessofF,Prob(�(s))=1andProb((s))=Prob((s)\�):ByLemma9.5.37 (page250), 2PathFfulthatareW-fairandstatefair.Then,byLemma9.5.8(page242)andthe
Thus,Prob((s)\�) (s)\� pFs(a?Ua0W) n2PathFful(s):j=a?Ua0Wo: 1�pFs(1U2)=Prob((s))=Prob((s)\�) pmax s(a?Ua0W).Weconcludepmax
Lemma9.5.39ThereexistsF2AdvWfairwithpFs(1U2)=1�pmax whichyieldspFs(1U2) 1�pmax s(a?Ua0W). s(a?Ua0W)
s2S. Proof: LetAbeasimpleadversarywithpAs(a?Ua0W)=pmax s(a?Ua0W)(whichexists s(a?Ua0W)forall
byLemma9.5.13,page243)and
Let WedeneaW-fairadversaryFsuchthatA bethesetofnitepaths =f2Pathn:(i)j=a?^:a0W;i=0;1;:::;jj�1;last()j=a0Wg: 2PathAnsuchthat FandpFs(1U2)=0foralls2S0W.
Then,S0W=Si0Ti,T0=SnS+andTi=Ti;1[Ti;2.Let Ti,Ti;1,Ti;2beasinthedenitionofS0W=S0W(1;2)(seeNotation9.3.31,page229).

252whenever2PathFfulwith(i)2S0Wforsomeithen(j)2S0Wforallj CHAPTER9.VERIFYINGTEMPORALPROPERTIES
Inparticular,if2PathFfulandj=a?Ua0Wthen6j=1U2.Fromthis, (4)pmax s(a?Ua0W)=pFs(a?Ua0W) 1�pFs(1U2)foralls2S. i.
ByLemma9.5.38(page250)and(4),pFs(1U2)=1�pmax Theorem9.5.40(cf.Theorem9.3.33,page230)Foralls2S: sj=WfairProbwp(1U2)i 1�pmax s(a?Ua0W)wp. s(a?Ua0W)foralls2S.
Proof: Theconnectionbetweenj=fairandj=Sfair:WegivetheproofofTheorem9.3.37(page 231)whichstatesthat,whendealingwithW=S,thesatisfactionrelationsj=fairand followsbyLemma9.5.38(page250)andLemma9.5.39(page251).
j=Wfaircoincide. Theorem9.5.41(cf.Theorem9.3.37,page231)IfW=Sthenforallstatessand PCTLformulas: Proof: orem9.5.40(page252)itsucestoshowthatpmaxBecauseofTheorem9.5.19(page245),Theorem9.5.25(page246)andThe- sj=fair i sj=Wfair:
soobtainedadversaryFisfair.UsingLemma9.5.10(page242)itiseasytoseethat,for bedenedasintheproofofLemma9.5.39(page251).SincewedealwithW=S,the s2S.SinceSnS+(1;2) S0S(1;2)wehavepmax s(a?U:a+)=pmax s(a?U:a+) pmax s(a?Ua0S):LetF s(a?Ua0S)forall
ByLemma9.5.12(page243),pFs(a?U:a+)=pFs(a?Ua0S)foralls2S.Fromthis,weget each2TotalFairF,
pmax j=a?Ua0Si j=a?U:a+.
foralls2S.Hence,pmax s(a?U:a+) s(a?U:a+)=pmax pFs(a?U:a+)=pFs(a?Ua0S)=pmax s(a?U:a0S)foralls2S. s(a?Ua0S)
9.5.3 WenowshowthecorrectnessofourLTLmodelcheckingalgorithm(Section9.4,page234 ).Recallthatouralgorithmisbasedonamethodforverifyingconcurrentprobabilistic CorrectnessoftheLTLmodelcheckingalgorithm
systemssystemsagainst!-automataspecications.Forthis,weneededthefactthat,for anyfairadversaryoftheproductsystemS andadeterministicRabinautomataA),theprobabilityofacceptingpathsagreeswith theprobabilityeventuallytoreachthesetU0(denedasinNotation9.4.11,page238). Thisfactcanbederivedfromthefollowingobservationwhoseproofusestotalfairness A(ofaconcurrentprobabilisticsystemS
bilisticsystemthatdoesnotcontainterminalstates.Leta1,a22APandletUbetheLemma9.5.42Let(S;Steps;AP;L)beaniteproposition-labelledconcurrentproba- (seeSection9.5.1,page241).
largestsubsetofSat(a1)suchthat,forallu2U,

9.5.PROOFS Reach(u) UandReach(u)\Sat(a2)6=;. 253
Then,forall2TotalFair:j=32(a1^3a2)i whereaU2APsuchthatSat(aU)=U. j=3aU
totalfairandj=3aU.Leti denitionofU,wegetinf() Proof: If j=32(a1^3a2)theninf() U;inparticular, Sat(a1)andinf() j=3aU.Nowweassumethat Sat(a2).By
(1)inf() Reach((i)) 0beanintegerwith(i)2U.Then, U Sat(a1). is
Letu2inf().BydenitionofU,wehaveReach(u)\Sat(a2)6=;.ByLemma9.5.10 (page242),inf()=Reach(u).Hence, (1)and(2)yieldj=32(a1^3a2). (2)inf()\Sat(a2)6=;.
Lemma9.5.43InthenotationsofSection9.4(page236),wehave:
forallstatess2SandfairadversariesF0ofS Prob(AccPathF0(sA))=Probn02PathF0 A. ful(sA):0j=3aU0o:
Proof: fairfulpath02PathSA BecauseofLemma9.5.12(page243),itsucestoshowthat,foranytotal
Weassumeatomicpropositionsaj;1;aj;2;bj2APsuchthataj;12LA(s0)is02H0j, (*)0j=3aU0i 02AccPath(sA). ful(sA):
aj;22LA(s0)is02K0jandbj2LA(s0)is02U0j.Clearly,
andf0:0j=3aU0g=f0:0j=W1jrbjg.Then,byLemma9.5.42(page252),if0 AccPath(sA)=8

254 CHAPTER9.VERIFYINGTEMPORALPROPERTIES

Chapter10
Symbolicmodelchecking
Asinthenon-probabilisticcase,thevericationmethodsforprobabilisticsystemsthat assumeanexplicitrepresentationofthestatespacesuerfromthestateexplosionproblem andmightfailforsystemsofindustrialsize.Inthelastdecade,twogeneraltechniques havebeendevelopedtoattackthestateexplosionproblemfor(non-probabilistic)parallel systems: thesymbolicmethodsthatarebasedonanimplicitrepresentationofthestatespace
tigateonlycertainpartsofthestatespace[Pele93,Valm94,Gode94]andtechniques byorderedbinarydecisiondiagrams[BCM+90,McMil92]
thatworkwithnetunfoldings[McMil92a,Espa94]. thepartialordermethodswhichcanbeclassiedintoreductiontechniquesthatinves-
Bothtechniqueshavebeenimplementedintoolsandsuccessfulappliedtorealistic(very
investigated.Theresearchonsymbolicvericationmethodsforprobabilisticsystemshas large)systems.Intheliterature,onlyafewworkhasbeendoneonhowtoavoidthe
startedsofar.ClarkeproposedanextensionofBryant'sorderedBDDstomultiterminal stateexplosionproblemforprobabilisticsystems.Tothebestoftheauthor'sknowledge,
BDDs(MTBDDs)[CFM+93]andtheiruseforthesymbolicrepresentationofMarkov theadaptionofthepartialorderapproachforprobabilisticsystemshasnotyetbeen
chains.ThisideahasbeenfurtherdevelopedbyHachteletal[HMP+94]andHartonas- Garmhausen[HarG98].[HMP+94]presentsMTBDD-basedalgorithmstocomputethe resultsforsystemswithmorethan1027states.Inherthesis,VickyHartonas-Garmhausen steady-stateprobabilitiesforverylargenitestatemachinesandreportsonexperimental specications[HarG98].1Theprobabilisticsystemsin[HarG98]arisethroughthe(lazy) synchronousparallelcompositionofseveralsequentialcomponents.Theuseofa(lazy) hasimplementedaMTBDD-basedtoolforverifyingprobabilisticsystemsagainstPCTL synchronousparallelcompositionallowsforarepresentationbyafullyprobabilisticsystem
InthischapterwepresentMTBDD-basedalgorithmsforverifyingfullyprobabilistic whosetransitionprobabilityfunctionisdescribedbyMTBDD.Asfarastheauthorknows,
andconcurrentprobabilisticsystemsagainstseveraltypesofspecicationformalisms. symbolicmethodsforconcurrentprobabilisticsystemsarenotyetinvestigated.
[BCH+97]. 1ThetheoreticalfoundationsoftheunderlyingsymbolicPCTLmodelcheckercanbefoundin
255

256 Moreprecisely,wewilldescribeMTBDD-basedPCTLmodelcheckingalgorithmsfor CHAPTER10.SYMBOLICMODELCHECKING
fullyprobabilisticsystemsandstratiedsystems2andthesatisfactionrelationsj=and j=fair(andbrieysketchhowtodealwithj=sfairandj=Wfair).Moreover,wewillexplain howtheMTBDD-basedapproachcanbeappliedfordecidingstrongorweakbisimulationequivalence.3TheresultsofthischapterarebasedonthejointworkwithEd Clarke[BaCl98]andusesresultsfromthejointworkwithEdClarke,VickyHartonas- Inwhatfollows,thereaderissupposedtobefamiliarwithorderedbinarydecisiondiagrams(OBDDsorBDDsforshort)[Brya86]andthemainideasbehindtheBDD-approach Garmhausen,MartaKwiatkowskaandMarkRyan[BCH+97].
relatednotationsaresummarizedintheappendix(Section12.3,page315).InSection forverifyingparallelsystems,seee.g.[BCM+90,McMil92,CGL93].Thedenitionof
thelogicPCTLandPCTLmodelchecking(seeSection9.3,page216),strongbisimu- multi-terminalBDDs(MTBDDsforshort)asintroducedbyClarkeetal[CFM+93]and 10.4(page295)andtheremainderofthisintroduction,weassumefamiliaritywith lation(seeSection3.4.1,page54)andweakbisimulation(seeSection7.1.1,page161).
therepresentationofthesystembya(real-valued)MTBDD.Usinganencodingofthe Throughoutthischapter,weassumenitesystems.
statespaceinf0;1gkforsomek,thetransitionprobabilitymatrixofafullyprobabilistic orstratiedsystemcanbeviewedasafunctionfrombitvectorsintotheunitinterval ThebasicideabehindtheMTBDD-basedapproachforverifyingprobabilisticsystemsis
byoperatorsonMTBDDs.Themainoperatorsthatareusedinalmostallverication andrepresentedbyaMTBDD.ToobtainsymbolicMTBDD-basedvericationmethods theoperatorsusedinthevericationalgorithmsoftheliteraturehavetobereplaced algorithmsforprobabilisticsystemsarethefollowing. (1)Thecomputationoftheprobabilitiesofcertaineventsrequiresarithmeticoperators pointsofcertainself-mappingsofthefunctionspaceS![0;1].Forinstance,for PCTLmodelcheckingforfullyprobabilisticsystems,theprobabilities (likesummation+ormultiplication,minimumandmaximum)andleastxed
Thefunctions7!ps(1U2)canbecharacterizedastheleastxedpointofthe areneededtocomputethesetofstateswheretheformulaProb./p(1U2)holds. ps(1U2)=Probf2Pathful(s):j=1U2g
operatorF:(S![0;1])!(S![0;1]), F(f)(s)=8>:1 0 Pt2SP(s;t)f(t):ifsj=1^:2 :otherwise :ifsj=2
3.1.6,page36,andRemark3.1.8,page36).Dealingwithconcurrentprobabilistic andcomputedeitherbysolvingalinearequationsystemoriteration(seeTheorem
willbeexplainedonpage297. 2Thereasonwhywedealwithstratiedsystemsratherthan(general)concurrentprobabilisticsystems 3Wedealwithfullyprobabilisticorreactivesystemsinthecaseofstrongbisimulationandfully systems,thecorrespondingoperatorFinvolvesminimumormaximumoperations.
probabilisticsystemsinthecaseofweakbisimulation.

E.g.themaximalprobabilities 257
inastratiedsystemaregivenbytheleastxedpointoftheoperatorF:(S! [0;1])!(S![0;1])whichisdenedby:F(f)(s)=1ifsj=2,F(f)(s)=0if pmax s(1U2)=sup A2AdvProbn2PathAful(s):j=1U2o
s6j=1_2and,forsj=1^:2,
andcanbecalculatedbysolvingalinearoptimizationproblemoriteration(see F(f)(s)=(Pt2SP(s;t)f(t) maxt2SP(s;t)f(t):ifsisnon-probabilistic :ifsisaprobabilisticstate
(2)Forsomespecicationformalisms,comparisonoperators(like,

258 Here,./isacomparsionoperatorlike,

10.1.THEALGEBRAICMU-CALCULUS j=fairasintroducedinChapter9)andcanexpressbisimulationequivalencealaLarsen& 259
Skou[LaSk89]orweakbisimulationinthesenseofChapter7.Intheseapplications,the algebraicmu-calculustogetherwithitsMTBDD-based\compiler"specializestoasym-
numericalmethodsinlinearalgebra(suchassolvinglinearequationsystemsorcomputing othertypesof)programs,thealgebraicmu-calculusisapplicableinothercontexts,e.g.for solvinggraph-theoreticalproblems(suchasshortestpathproblems)orforMTBDD-based bolicmodelcheckerforprobabilisticsystems.Besidethevericationofprobabilistic(or
ispresentedinSection10.1.Section10.2showsthatthealgebraicmu-calculussubsumes eigenvalues). Organizationofthatchapter:Thesyntaxandsemanticsofthealgebraicmu-calculus severaltemporalormodallogics(andhence,canserveitselfasspecicationlanguagefor severaltypesofparallelsystems).InSection10.3wedescribetheMTBDD-basedalgorithmforcomputingthesemanticsofthealgebraicmu-calculus.Section10.4explainshow thealgebraicmu-calculuscanbeappliedtoobtainsymbolicmodelcheckingalgorithms
10.1
forverifyingprobabilisticsystems.
Thissectionpresentsthesyntaxandsemanticsofthealgebraicmu-calculus.Thealgebraic mu-calculuscanbeviewedasanextensionofPark'srelationalmu-calculus[Park74]. Thealgebraicmu-calculus
Whiletherelationalmu-calculuscontainsformulas(interpretedbytheusualtruthvalues 0and1)andrelationalterms(interpretedbyrelationsthat{whenidentiedwiththeir characteristicfunction{canbeviewedasboolean-valuedfunctions),thealgebraicmucalculusdealswithalgebraicexpressions(interpretedbyrealnumbers)andalgebraicterms (interpretedbyreal-valuedfunctions).Therelationaltermsaremainlybuiltbypredicate
maintained.Thexedpointoperatorsoftherelationalmu-calculusarepartialoperators thepredicatesymbolsarereplacedbyfunctionsymbols;theconceptof-abstractionis symbols,-abstractionfromtheformulasandaleastorgreatestxedpointoperator.
thatcanonlybeappliedtothoserelationaltermswheretheinducedsemanticoperator Foraninterpretationbyreal-valuedfunctions(ratherthanboolean-valuedfunctions),
isthenensuredbyTarski'sxedpointtheorem.Dealingwithreal-valuedfunctionsrather yieldsamonotonicset-valuedfunction.Theexistenceoftheleastorgreatestxedpoint
thisreason,wereplacetheleast/greatestxedpointoperatorsbyalimitoperator.The exist,onemightbeinterestedinotherxedpointsthantheleastorgreatestones.For point(orevenxedpointsatall)ofmonotonicoperatorsmightnotexist;or,ifthey thanboolean-valuedfunctions(sets)leadstotheproblemthatleastorgreatestxed
intendedmeaningofthislimitoperatoristhelimitoffunctionsequencesoftheform f;F(f);F(F(f));F(F(F(f)));:::forsomefunctionfandsomehigher-orderoperatorF. InthecasewhereFcanberestricedtoamonotonicoperatoronboolean-valuedfunctions (resp.1),i.e.frepresentstheemptyset(resp.thesetD),theabovesequenceconverges (sets),i.e.anoperator(D!f0;1g)!(D!f0;1g),orequivalently,2D!2Dforsome totheleast(resp.greatest)xedpointofF(asanoperator2D!2Donsets).Thus,our limitoperatorgeneralizestheleastandgreatestxedpointoperatorsoftherelationalmu- nitesetD,andwherefisthebooleanfunctionthatalwaysreturnsthetruthvalue0
calculus.Clearly,forarbitraryfandF,theabovefunctionsequencedoesnotconverge.

260 CHAPTER10.SYMBOLICMODELCHECKING
expr::=q minexpr1opexpr2
term(z1;:::;zn) Xz[expr]
term::=fct z[expr] Z z1;:::;zn[expr] max z[expr]
iterateZ[term"kterm0] limZ[term"term0]
Forthisreason,themeaningsofthealgebraictermsarepartialreal-valuedfunctions. Figure10.1:Syntaxofthealgebraicmu-calculus
Thesemanticsofthelimitoperatorreturnsapartialfunctionthatisundenedforthose
10.1.1 argumentsdwherethesequencef(d);F(f)(d);F(F(f))(d);:::doesnotconverge.
Thesyntaxofthealgebraicmu-calculusarisesfromPark'srelationalmu-calculus[Park74] byusingarbitaryarithmeticoperators(e.g.summation+ormultiplication)insteadof Syntaxofthealgebraicmu-calculus
Moreover,weaddaboundediterationoperator(thatcouldbeaddedtotherelational mu-calculusaswell)whoseintendedmeaningisthefunctionfkobtainedbyaniteration thebooleanconnectives_and^,replacingthequantiers9zand8zbyarithmeticones Pz,minzandmaxzandtheleast/greatestxedpointoperatorsbyalimitoperator.
setoftermvariablesandFctasetoffunctionsymbols.Thetermvariablesandfunction Thealgebraicmu-calculus:LetIndVarbeasetofofindividualvariables,TermVara oftheformf0=ffi+1=F(fi)foracertainfunctionfandahigher-orderoperatorF.
symbolsareassociatedwithanarity(anaturalnumber thesetofn-arytermvariablesresp.n-aryfunctionsymbols.LetOpbeasetofbinary arithmeticoperatorsontherealsincludingsummation+,minus�,multiplication,the binaryminimumandmaximumoperatorsopminandopmax(wheree.g.q1opminq2= 1).TermVarnandFctndenote
minfq1;q2g)andthecomparisonoperatorsop./where./2f;;=;6=gand
Opmightalsocontainpartialoperatorssuchasdivision%whichisundenedifthe secondargumentis0.Expressionsandn-arytermsofthealgebraicmu-calculus(called q1op./q2=(1:ifq1./q2 0:otherwise.
variablessuchthatz1;:::;znarepairwisedistinct,fctisann-aryfunctionsymbol,Zis ann-arytermvariableandkanaturalnumber.ForthetermslimZ[term"term0] algebraicexpressionsandalgebraicterms)arebuiltfromtheproductionsystemshownin
anditerateZ[term"kterm0],werequirethatZisatermvariableandtermandterm0 Figure10.1onpage260.Here,qisarealnumber,op2Op,z,z1;:::;znareindividual
arealgebraictermssuchthatZ,termandterm0havethesamearity.Asusual,wedene

10.1.THEALGEBRAICMU-CALCULUS theboundednessofoccurrencesofvariablesinalgebraicexpressionsoralgebraicterms. 261
TheindividualvariablescanbeboundedbytheoperatorsP,min,maxand-abstraction occurrenceofanindividualvariableoratermvariableinanalgebraicexpressionorterm whilethetermvariablescanbeboundedbythelimitorboundediterationoperator.An
term.Inwhatfollows,wewrite itdoesnotcontainfreeoccurrencesoftermandindividualvariables.Fortheexpressions issaidtobefreeifitisnotbounded.Analgebraicexpressionortermiscalledclosedif term(z1;:::;zn),werequirethatnoneoftheindividualvariablesz1;:::;znoccursfreein
maxfexpr1;expr2gratherthanexpr1opmaxexpr2, �exprratherthan0�expr,
jexprjratherthanmaxfexpr;�exprg. minfexpr1;expr2gratherthanexpr1opminexpr2,
Moreover,weoftenwrite
Thenotationsminz1;:::;zn[expr]andmaxz1;:::;zn[expr]areusedwithcorrespondingmean- z1;:::;zn[expr]ratherthanXz1"Xz2":::Xzn[expr]:::##: X
whereterm0;term1;:::aredenedasbefore. syntacticreplacement.TheintendedmeaningofiterateZ[term"kterm0]istermk ings.Intuitively,limZ[term"term0]standsforthe\limit"ofthesequence(termi)i0 wheretermi+1=termfZ termig,i=0;1;2;:::andwherethebracketsf:::gdenote
Thebooleanmu-calculus:Thebooleanmu-calculusisasubcalculusofthealgebraic mu-calculuswhereonlythoseoperatorsopareallowedthatareclosedundertheboolean values0and1(i.e.thatcanberestrictedtooperatorsf0;1g2!f0;1g).Formally, expressionsandtermsofthebooleanmu-calculusarebuiltfromtheproductionsystem showninFigure10.2(page261).Here,expr1,expr2arearbitraryalgebraicexpressions
bexpr::=0expr1op./expr2 1 bexpr1^bexpr2 bterm(z1;:::;zn) bexpr1_bexpr2 8z[bexpr] :bexpr
bterm::=fct z1;:::;zn[bexpr] Z lfpZ[bterm] gfpZ[bterm] 9z[bexpr]
iterateZ[bterm"kbterm0]
and^=opmin,_=opmax,:bexpr=1�bexprand Figure10.2:Syntaxofthebooleanmu-calculus
8z[bexpr]=min z[bexpr];9z[bexpr]=max z[bexpr]:

262 TheleastandgreatestxedpointoperatorslfpZ[:::]andgfpZ[:::]aregivenby:5 CHAPTER10.SYMBOLICMODELCHECKING
Here,weassumethatnisthearityofZandbterm.Asusual,otherbooleanconnectives, gfpZ[bterm]=limZ[bterm"z1;:::;zn[1]]: lfpZ[bterm]=limZ[bterm"z1;:::;zn[0]],
suchas\implication"!or\equivalence"$,canbederivedfrom^,_and:.Inthe termsandexpressionsofthebooleanmu-calculusasbooleantermsorbooleanexpressions. Therelationalmu-calculusalaParkcanbeviewedasasubcalculusofthebooleanmu- booleansubcalculus,wewriteexpr1./expr2ratherthanexpr1op./expr2.Werefertothe
calculus.Moreprecisely,formulas(resp.terms)oftherelationalmu-calculusarethose expressions(resp.terms)ofthebooleanmu-calculusthatdonotcontainsubexpressions oftheformexpr1./expr2andtheboundediterationoperator.InSection10.2.1(see page275)weshowthatthestandardsemanticsfortherelationalmu-calculusalaPark coincideswiththeinducedsemanticsoftherelationalmu-calculusasasublanguageof
10.1.2 thealgebraicmu-calculus.
Intuitively,algebraicexpressionsareinterpretedbyrealnumbers,algebraictermsbyrealvaluedfunctions.6Tohandlenon-convergingbehaviourinthecaseofthelimitoperator Semanticsofthealgebraicmu-calculus
limZ[:::],weextendthereallinebyaspecialsymbol?whichcanbeinterpretedas
Denition10.1.1[Extendedreals]LetIRbethesetofrealnumbersand?=2IR. functionsthatareundenedforthoseargumentswherethevalue?isreturned. \undened"or\divergence".FunctionswithrangeIR[f?gcanbeviewedaspartial
Then,IR=IR[f?giscalledthedomainofextendedreals. Inthesequel,weusesubscriptstodenotecertainsubsetsofrealsorextendedreals.For instance,IR>0denotesthesetofpositiverealsandIR1=fq2IR:q Thelimitoperatorforconvergingsequencesofrealsisextendedtoanoperatorlimon arbitrarysequencesofextendedreals. 1g[f?g.
Notation10.1.2[Theoperatorlim]Letq0;q1;q2;:::beaninnitesequenceinIR. Ifqn2IRforalmostalln,e.g.qn2IRforalln lim(q0;q1;q2;:::)=(? limqn:if(qn)nn0convergesinIR. :if(qn)nn0doesnotconvergeinIR n0,then
distributions.Ofcourse,insteadoftheleastandgreatestxedpointoperators,themoregenerallimit xedpointoperatorsisthat,intheotherchaptersofthatthesis,thegreeklettersandrangeover 5ThereasonnottousethestandardnotationsZ[:::]andZ[:::]todenotetheleastandgreatest Here,limqndenotestheusuallimitof(qn)nn0inIR.
operatorlimZ[bterm"bterm0]couldbeaddedtothebooleanmu-calculus.However,fortheapplications ofthebooleanmu-calculusthatareconsideredinthatthesis,onlytheleastandgreatestxedpoint booleantermsaninterpretationbyboolean-valuedfunctionsinmind.
operatorsareneeded. 6Forthebooleanexpressions,wehaveaninterpretationbytheusualtruthvalues0or1andforthe

10.1.THEALGEBRAICMU-CALCULUS Ifqn=?forinnitelymanynthenlim(q0;q1;q2;:::)=?. 263
denotesthefunctionX!IR,x7!lim(f0(x);f1(x);f2(x);:::). IfXisasetand(fj)j0isasequenceoffunctionsfj:X!IRthenlim(f0;f1;f2;:::)
n-aryfunctionsintotheextendedrealswheretheinterpretationfortheindividualand termvariablesandthefunctionsymbolsisgivenbyamodelforthealgebraicmu-calculus. Algebraicexpressionsareinterpretedbyextendedrealnumbers,n-aryalgebraictermsby
mu-calculusisapairM=(D;I)consistingofanonemptynitesetD(calledthedomain) Denition10.1.3[Modelsforthealgebraicmu-calculus]Amodelforthealgebraic i.e.afunctionIwhichassigns andaninterpretationIfortheindividualandtermvariablesandthefunctionsymbols,
toeachn-arytermvariableZafunctionI(Z):Dn!IR, toeachindividualvariablezanelementI(z)2D,
Remark10.1.4Fromapurelymathemeticalpointofview,theconceptoffunctionsymbolscanberemovedfromthealgebraicmu-calculussincefunctionsymbolscanbecon toeachn-aryfunctionsymbolfctafunctionI(fct):Dn!IR.
limitorboundediterationoperator).However,theuseofbothfunctionsymbolsand termvariablesismotivatedbytheconventionthatfunctionsymbolsrepresentfunctions forwhichwehaveaxedmeaninginmind(e.g.thetransitionprobabilityfunctionofa sideredasspecialtermvariables(namely,termvariablesthatcannotbeboundedbythe
auxiliarysymbolsthatareneededfortechnicalreasonsonlywhilethefunctionsymbols fullyprobabilisticsystem)whilethetermvariablesareusedinthescopeofthelimitor boundediterationoperatorlimZ[:::]oriterateZ[:::].Thus,thetermvariablesare standforobjectsofthe\realworld".
termvariableswherethearityofZjiskjanddi2D,fj:Dkj!IRthen z1;:::;znarepairwisedistinctindividualvariablesandZ1;:::;Zmarepairwisedistinct Notation10.1.5[ThemodelsM[:::]]LetM=(D;I)beamodel.Ifn,m 0and
denotesthemodel(D;I[z1:=d1;:::;zn:=dn;Z1:=f1;:::;Zm:=fm])where M[z1:=d1;:::;zn:=dn;Z1:=f1;:::;Zm:=fm]
suchthatJ(fct)=I(fct)forallfunctionsymbolsfctandJ(zi)=di,i=1;:::;n,J(Zj)= isthoseinterpretationJfortheindividualandtermvariablesandthefunctionsymbols I[z1:=d1;:::;zn:=dn;Z1:=f1;:::;Zm:=fm]
fj,j=1;:::;m,andJ(z)=I(z),J(Z)=I(Z)inallothercases. LetM=(D;I)beamodel.Foreachalgebraicexpressionexprandalgebraictermterm, instance,thepartialdivisionoperator%ontherealsisextendedtoatotaloperatoron Here,weassumethatalloperatorsop2OpareextendedtototaloperatorsonIR.For IRbyq1%q2=?ifq2=0or?2fq1;q2g.
[expr]M2IRand[term]M:Dn!IRaredenedasshowninFigure10.3onpage264.

264 CHAPTER10.SYMBOLICMODELCHECKING
[expr1opexpr2]M=[expr1]Mop[expr2]M [q]M=q
[Pz[expr]]M=Pd2D[expr]M[z:=d] [term(z1;:::;zn)]M=[term]M(I(z1);:::;I(zn))
[maxz[expr]]M=maxn[expr]M[z:=d]:d2Do [minz[expr]]M=minn[expr]M[z:=d]:d2Do
[fct]M=I(fct), [z1;:::;zn[expr]]M(d1;:::;dn)=[expr]M[z1:=d1;:::;zn:=dn] [Z]M=I(Z)
[iterateZ[term"kterm0]]M=fk [limZ[term"term0]]M=lim(f0;f1;f2;:::)
Figure10.3:Semanticsofthealgebraicmu-calculus wheref0=[term0]M,fi+1=[term]M[Z:=fi].
costcost(v;w)forpassingtheedgefromvtow.Letmincost:VV!IRbethefunction Example10.1.6[Computingshortestpaths]LetG=(V;E;cost)beanitedi- setofdirectededgesandcost:E!IR>0afunctionthatassignstoeachedge(v;w)the thatreturnsforanypair(v;w)ofnodesinGthelengthofashortestpathfromvtow. rectedgraphwithapositivecostfunction,i.e.Visanitesetofvertices,E V Va
(Weputmincost(v;w)=?ifthereisnopathfromvtow.)Itiseasytoseethatthe functionmincostisthelimitofthesequence(fi)i0wherethefunctionsfi:V aregivenby f0(v;w)=(0:ifv=w ?:otherwise V!IR
and wherethelimitistakeninIR(cf.Notation10.1.2,page262).7Weusebinaryfunction symbolscostandidandthemodelM=(V;I)wheretheunderlyingdomainisthevertex fi+1(v;w)=minffi(v;w);minffi(v;u)+cost(u;w):(u;w)2Egg
setVandtheinterpretationIisgivenbyI(id)=f0and
(ThisyieldsminQ=min(Qnf?g)if;6=QIR,Q6=f?g.)Fortheextensionof+toanoperatoron 7Here,weassumethatthenaturalorderonthereallineisextendedbyq

10.1.THEALGEBRAICMU-CALCULUS Then,thesemanticsofthealgebraictermlimZ[term"id]isthefunctionmincost 265
Thiscanbeseenasfollows.Wehavef0=[id]M.Byinductiononi,wegetthat where term= v;w min Z(v;w);min u[Z(v;u)+cost(u;w)] :
term Thus,[limZ[term"id]]M=lim(f0;f1;f2;:::)=mincost.Thesemanticsofthe fi+1=[term]M[Z:=fi],i=0;1;2;:::.
withrespecttoMisthefunctionfk.Thevaluefk(v;w)isthecostofashortestpath v=v0;v1;:::;vl=wwherel iterateZ v;wk. min u[Z(v;u)+cost(u;w)] "kid
ofBinthej-throwandk-thcolumnisdenotedbyB(j;k).Thefollowingalgebraicterms describesthematrixproductAB. Example10.1.7[Matrixmultiplication]LetAbeanm-matrix,Baml-matrix. A(i;j)denotestheelementofAinthei-throwandj-thcolumn;similarly,theelement
whereAandBarebinaryfunctionsymbolsthatrepresentthematricesAandBrespec- term= i;k24Xj[A(i;j)B(j;k)]35
tively.Moreprecisely,ifN=maxfn;m;lgandM=(f1;:::;Ng;I)where
I(B)(j;k)=(B(j;k):if1 I(A)(i;j)=(A(i;j):if1 ? :otherwise ijnand1 mand1jkm then[term]MrepresentsABinthesensethat[term]M(i;k)istheelementofABin ? :otherwise l
thei-throwandk-thcolumn(providedthat1 Example10.1.8[Iterativesquaring]Incertainapplications,onehastocomputeAK foraquadraticmatrixAandsomelargeK.9Forsimplicity,weassumethatK=2k. i nand1 k l).8
useiterativesquaringwhichisbasedontheiterationA2i+1=A2iA2i,i=0;1;:::;k�1. Thiscanbedescribedbythealgebraicterm InsteadofcomputingAKbytheiterationAi+1=AiA,i=2;:::;K�1,itisbetterto
whereAisabinaryfunctionsymbolthatrepresentsA. iterateZ24i;k24Xj[Z(i;j)Z(j;k)]35"k�1A35
PCTLmodelcheckingalgorithmof[HaJo94]isbasedonthecomputationofAKforsomematrixA.
9Forexample,oneofthetwomethodsforthehandlingoftheboundeduntiloperatorUKinthe 8Here,weassumethat?q=q?=?+q=q+?=0ifq2IRand??=?+?=?.

266 Intheliteratureaboutnumericalanalysis,avarietyofiterativemethodsformatrixop- CHAPTER10.SYMBOLICMODELCHECKING
canbedescribedastermsofthealgebraicmu-calculus.InExample10.1.9,weconsider erationsareproposed;seee.g.[Varg62,YoGr73].Usingthelimitoperator,mostofthem the\naive"methodforsolvinglinearequationsystemsofthetypez=q+Azthat isbasedontheiterationzk+1=q+Azk.Thismethodcanbeviewedasthebasisof severaliterativemethods,e.g.themethodsbyJacobiorGauss-Seidelortherelaxation methods.Anotherpossibleapplicationofthealgebraicmu-calculusintheeldofmatrix operationsisthecomputationofeigenvaluesbywell-knowniterativemethods,e.g.the methodsbyMisesorWielandt(seeExample10.1.10,page266). Example10.1.9[Solvinglinearequationsystems]LetAbearealn Ithen Then,I�Aisregularand,foreachvectorq2IRn,thesequence(zk)k0convergesto theuniquesolutionoftheequationsystem(I�A)z=qwherez0isanarbitraryreal n-identitymatrix.WeassumethatkI�Ak

10.1.THEALGEBRAICMU-CALCULUS Undercertainconditionsaboutz0,thesequence(zk)k0convergestoaneigenvectorof 267
z0(thatrepresentsthestartingvectorz0)thisiterativemethodcanbedescribedinthe algebraicmu-calculusbythetermlimZ[term"z0]where A.UsingabinaryfunctionsymbolA(thatrepresentsA)anda1-aryfunctionsymbol
Theunderlyingvectornormthatweusehereisthemaximumnormkyk1=maxfjyij: term=i24Xj[A(i;j)Z(j)]%max j [jA(i;j)Z(j)j]35:
i=1;:::;ngify=(yi)1in. HavingaxedmodelM=(D;I)inmind,itisoftenusefultoextendthesyntaxof
fz1;:::;zkg=IndVar\f1;:::;ng, Then,term(1;:::;n)standsshortforthealgebraicexpressionterm0(z1;:::;zk)where thealgebraicmu-calculusbyexpressionsoftheformterm(1;:::;n)whereiareeither individualvariablesthatdodooccurfreeintermorvaluesoftheunderlyingdomainD.
and term0=z1;:::;zk24X
bexpr=^ 1;:::;n[term(1;:::;n)bexpr]35
d2D^ 1in i=dEd(i)^^ 1jk^ 1in
are1-aryfunctionsymbols(thatstandforthesingletonsetfdg).Theintendedmeanings interm.Eisabinaryfunctionsymbol(thatrepresentstheequalitypredicateonD),Ed Here,1;:::;nare\fresh"pairwisedistinctindividualvariablesthatdonotoccurfree i=zjE(i;zj):
ofEandEdareformalizedbytherequirementthattheinterpretationsforEandEdare givenby:
Forexample,term(d;z;z)standsshortforterm0(z)where I(E)(d1;d2)=(1:ifd1=d2 0:otherwise I(Ed)(d0)=(1:ifd=d0 0:otherwise.
andbexpr=(1=d)^(2=z)^(3=z)wherewewrite1=dratherthanEd(1) term0= z24X
andi=zratherthanE(i;z),i=2;3. 1;2;3[term(1;2;3)bexpr]35
Example10.1.11[ComputingtheprobabilitiesProb(s;;C)]LetS=(S;Act;P)
ThefunctionS describedbyatermofthealgebraicmu-calculus.10Forthis,weusethefollowingfact. S.WeshowhowtheprobabilitiesProb(s;;C)(wheres2SandC2S=R)canbe beaniteaction-labelledfullyprobabilisticsystemandRanequivalencerelationon
page50.
10RecallthatProb(s;;C)denotestheprobabilityforstoreachaC-stateviainternalactions,see S![0;1],(s;t)7!Prob(s;;[t]R),istheleastxedpointofthe

268 operatorF:(S S![0;1])!(S CHAPTER10.SYMBOLICMODELCHECKING
(s;t)2Rand,if(s;t)=2R, F(f)(s;t)=P(s;;[t]R)+ S![0;1])thatisgivenbyF(f)(s;t)=1if
(cf.Proposition3.3.4,page49).Here,[t]R=ft02S:(t;t0)2Rg.ByTarski'sxedpoint u2Sn[t]RP(s;;u)f(u;t) X
theorem,theleastxedpointisobtainedaslimitofthefunctionsequence(Fi(f0))i0 wheref0(s;t)=0foralls;t2S.Thisiterationcanbedescribedbyanalgebraicterm oftheformlimZ[:::"s;t[0]]:Forthis,werewritethedenitionofF.LetfRbethe characteristicfunctionofR.Then,
whereG(f)(s;t)=Xt02SP(s;;t0)fR(t;t0)+Xu2SP(s;;u)(1�fR(t;u))f(u;t):
F(f)(s;t)=maxffR(s;t);(1�fR(s;t))G(f)(s;t)g
WeuseaternaryfunctionsymbolP(thatrepresentsP)andabinaryfunctionsymbolR (thatrepresentsR).WeconsiderthemodelM=(D;I)whereD=S]Actand
I(R)(s;t) I(P)(s;a;t)=(P(s;a;t):ifs,t2Sanda2Act =(1:ifs,t2Sand(s;t)2R 0:otherwise. 0 :otherwise
Weuses,t,t0anduasindividualvariablesanddene
whereexpr=Xt0[P(s;;t0)R(t;t0)]+Xu[P(s;;u)(1�R(t;u))Z(u;t)]:
term=limZ[s;t[maxfR(s;t);(1�R(s;t))exprg]"s;t[0]]
D2!IRwhichisgivenby[term]M(s;t)=Prob(s;;[t]R)ifs,t2S. Here,intheexpressionsP(s;;t0)andP(s;;u),weusethenotationterm(1;:::;n) explainedonpage267.11ThemeaningoftermwithrespecttoMisthefunction[term]M:
mightbeusefulincertainapplications. Remark10.1.12Thereareseveralpossibleextensionsofthealgebraicmu-calculusthat
operatorssuchassquarerootpexpr,logarithms(suchaslog2(expr))orexponentiation Thealgebraicmu-calculuscouldbeextendedby(totalorpartial)1-aryarithmetic (suchas2expr)togetherwithanappropriatesemantics,e.g.inthecaseofsquareroot
11NotethatisanelementofthedomainD.
[pexpr]M=(q[expr]M:if[expr]M2IR0 ? :otherwise.

10.1.THEALGEBRAICMU-CALCULUS Anotherpossibleextensionistodealwithtuplesoftermvariablesinthelimitor 269
boundediterationoperator;i.e.todealwithanoperator
where,forsomenaturalnumberl limjZ[term"term0]
thesame,h=1;:::;l.Thesemanticsofthislimitoperatorwithindexjisgivenby ables,term=(term1;:::;terml)andterm0=(term1;0;:::;terml;0)arel-tuplesof algebraictermsandj2f1;:::;lgsuchthatthearityofZh,termhandtermh;0is 1,Z=(Z1;:::;Zl)isal-tupleoftermvari-
lim(fj;0;fj;1;fj;2;:::)wherefh;0=[termh;0]Mand
Similarly,theboundediterationoperatorcouldbeextendedfortuplesoftermvariables. Insteadofjustusingthesymbol?{thatweusetohandleallkindsofnon-converging fh;i+1=[termh]M[Z1:=f1;i;:::;Zl:=fl;i];h=1;:::;landi=0;1;2;:::.
+1or�1norconvergetoarealnumber(e.g.�1;1;�1;1;:::). sequencesthatdivergeto+1(e.g.1;2;3;:::)andsequencesthatneitherdivergeto sequences{onemightextendthereallinebythreesymbols�1,+1and?.This allowsthedistinctionbetweensequencesthatdivergeto�1(e.g.�1;�2;�3;:::)and
M=(D;I)amodel.Then, Notation10.1.13[TherangeRangeM(term)]Lettermbeann-aryalgebraictermand
denotestherangeof(thesemanticsof)termwithrespecttoM. RangeM(term)=n[term]M(d):d2Dno
Denition10.1.14[

270 10.1.3 Fixedpointoperators CHAPTER10.SYMBOLICMODELCHECKING
ThissectionshowsthatundercertainconditionsthelimitoperatorlimZ[term"term0]
operatorsthatdescribeuniqueorleastorgreatestxedpoints.13ToapplyBanach's thatwepresentherearebasedonBanach'sorTarski'sxedpointtheoremwhichyield isacertainxedpointofthehigher-orderfunctionf7![term]M[Z:=f].Theconditions specializestoaxedpointoperatorinthesensethatthesemanticsoflimZ[term"term0]
orTarski'sxedpointtheoremwehavetoensurethatthehigher-orderoperatorf7!
compactsubsetofIR,namelyeitherarealinterval[a;b]oranitenonemptysetofreals. cases,wedealwithfunctionspacesoftheformDn!

10.1.THEALGEBRAICMU-CALCULUS notpreservesupremaandinma.Inwhatfollows,weshrinkourattentiontothecompact 271
interval

272 CHAPTER10.SYMBOLICMODELCHECKING
expr::=q ifbfct(z1;:::;zn)thenexpr1elseexpr2 expr1opexpr2 1�expr term(z1;:::;zn)
term::=fctjZ zi1;:::;zik[wfct(z1;:::;zn)expr] X z1;:::;zn[expr] lfpZ[term] min z[expr] max gfpZ[term] z[expr]
iterateZhterm"kterm0i
forallwfct2WFctn(i1;:::;ik)anddi2D,i2f1;:::;ngnfi1;:::;ikg, Figure10.4:Syntaxofthealgebraic[0;1]-mu-calculus
Example10.1.18TheterminExample10.1.11(page267)thatdescribesthefunction di1;:::;dik2DI(wfct)(d1;:::;dn) X 1:
whichisatermofthealgebraic[0,1]-mu-calculusprovidedthatP2WFct3(2;3)and S S![0;1],(s;t)7!Prob(s;;[t]R)canberewrittenas
R2BFct2.ThemodelM=(D;I)consideredinExample10.1.11isamodelforthe lfpZ[s;t[ifR(s;t)then1elseexpr]]:
algebraic[0,1]-mu-calculus.
termisatermofthealgeraic[0;1]-mu-calculusthenRangeM(term) modelMforthealgebraic[0;1]-mu-calculus.Wenowpresentconditionsthatensurethat Itiseasytoseethat,foranyexpressionexprofthealgebraic[0;1]-mu-calculusand
thesemanticsreturnsvaluesin[0;1]ratherthantheauxiliarysymbol?.Forthis,we anymodelMforthealgebraic[0;1]-mu-calculus,[expr]M2[0;1][f?g.Similarly,if
makesomesyntacticrequirementsabouttheoccurrencesofthetermvariableZwithin [0;1][f?gforany
subtermslfpZ[term]andgfpZ[term].Therstcondition(\formalmonotonicity") istakenfromtherelationalmu-calculuswhere,fortheleastandgreatestxedpoint operatorslfpZ[bterm]andgfpZ[bterm],themonotonicityoftheinducedoperator fallunderanevennumberofthenegationoperator:bexpr. Denition10.1.19[Formalmonotonicity]Lettermbeanalgebraicterm,expran f7![bterm]M[Z:=f]isensuredbytherequirementthatallfreeoccurrencesofZinbterm
expr)iallfreeoccurrencesofZinterm(resp.expr)fallunderanevennumberofminus operations.15 algebraicexpressionandZann-arytermvariable.Zisformallymonotoneinterm(or
ortermisgivenbythenumberofsubexpressions1�exprofthatexpressionortermwheretheoccurence ofZiscontainedinexpr.
15ThenumberofminusoperationsunderwhichanoccurrenceofatermvariableZfallsinanexpression

10.1.THEALGEBRAICMU-CALCULUS Example10.1.20LetZbea1-arytermvariable,fcta1-aryfunctionsymbolandz,y 273
individualvariables.Zisformallymonotoneintheexpressions13Z(z)(1�fct(y))and
(whichyieldsthatZisnotformallymonotonein(1�Z(z))Z(z))whilethesecond (1�Z(z))Z(z),therstoccurrenceofZfallsunderanoddnumberofminusoperations bothoccurrencesofZfallunderanoddnumberofminusoperations.Intheexpression Z(z)(1�(1�Z(z)))whileitisnotin(1�Z(z))(1�Z(z)).Inthethirdexpression,
occurrencefallsunderanevennumberofminusoperations. Remark10.1.21Formalmonotonicityoftermvariablesintermsorexpressionsofthe relationalmu-calculus(asasubcalculusofthealgebraicmu-calculus)inthesenseof Denition10.1.19isthesameasformalmonotonicityalaPark[Park74].
Toformalizethiscondition,wedenetheoperatorsetsOp[0;1] freeinexprithentheoperatoroppreservessupremaandinmainthei-thargument. servessupremaandinmaisthat,foreachsubexpressionexpr1opexpr2,ifZoccursThesecondconditionthatweneedtoensurethatthefunctionf7![term]M[Z:=f]pre- anonemptysubsetof[0;1]withq+=supQandq�=infQandq22[0;1]then (q1;q2)7!q1opq2,preservessupremaandinmainitsrstargument,i.e.wheneverQis Op[0;1] 1 beasetofoperatorsop2Op[0;1]suchthatthefunction[0;1] 1 andOp[0;1] 2 asfollows.Let [0;1]![0;1],
[0;1],(q1;q2)7!q1opq2,preservessupremaandinmainitssecondargument.Clearly, Similarly,Op[0;1] supfq1opq2:q12Qg=q+opq2;inffq1opq2:q12Qg=q�opq2:
anyoperatorop2Op[0;1] 2 denotesasetofoperatorsop2Op[0;1]wherethefunction[0;1][0;1]!
(q1;q2)7!q1=(1+q2)iscontainedinOp[0;1] Thecomparisonoperatorsop./arenotcontainedinOp[0;1] ,minimumopminandmaximumopmaxbelongtoOp[0;1] i ismonotonicinthei-thargument.Forinstance,multiplication 1nOp[0;1] 2 (providedthatitbelongstoOp[0;1]). 11 orOp[0;1] \Op[0;1] 2.16 2 whiletheoperator
freeoccurrenceofZinthattermorexpressionwithinasubexpressionexpr1opexpr2: Denition10.1.22[Formalcontinuity]LetZbeann-arytermvariable.Ziscalled formallycontinuousinatermorexpressionofthealgebraic[0;1]-mu-calculusi,forany
Example10.1.23LetZ,Ybe1-arytermvariables.Zisformallycontinuousinthe expressions12(1�Z(z))and IfZoccursfreeinexprithenop2Op[0;1] i.
whileitisnotinZ(z)op

274 laPark(thebooleanmu-calculuswithoutthecomparisonoperatorsop./andthebounded CHAPTER10.SYMBOLICMODELCHECKING
iterationoperator),allexpressionsandtermsareformallycontinuous. braic[0;1]-mu-calculusiscalledformallydivergencefreei,foreachsubtermlfpZ[term]Denition10.1.25[Formaldivergencefreedom]Atermorexpressionofthealge- orgfpZ[term],Zisformallymonotoneandformallycontinuousinterm. Example10.1.26TheterminExample10.1.11(page267)thatdescribesthefunction
Theorem10.1.27Lettermbeann-arytermofthealgebraic[0;1]-mu-calculusthatis SP2WFct3(2;3)andR2BFct2. S![0;1],(s;t)7!Prob(s;;[t]R)isformallydivergencefreewhenwedealwith
andZann-arytermvariable.Then,thefunction formallydivergencefree.LetM=(D;I)beamodelforthealgebraic[0;1]-mu-calculus
iswell-dened.Moreover,ifZisformallymonotoneandformallycontinuousinterm thenFpreservessupremaandinmaandwehavethefollowing. F:(Dn![0;1])!(Dn![0;1]),F(f)=[term]M[Z:=f],
Proof: (a)[lfpZ[term]]M=lfp(F)istheleastxedpointofF, (b)[gfpZ[term]]M=gfp(F)isthegreatestxedpointofF.
l+m formallymonotonein1�expr.Ziscalledformallyantitoneinak-arytermtermiZ isformallyantitoneintheexpressionterm(z1;:::;zk).Letl,mbenaturalnumberswith 1.Wesaythatafunction Wesaythatann-arytermvariableZisformallyantitoneinexpriZis
is(l;m)-continuousi,forallnonemptysubsetsioffunctionsfi:Dni![0;1], Ff+1;:::;f+ l;f� l+1;:::;f� F:(Dn1![0;1]):::(Dnl+m![0;1])![0;1]
Here,f+i=supf2ifandf�i Ff�1;:::;f� l;f+ l+1;:::;f+ l+m =inffF(f1;:::;fl+m):fi2i;i=1;:::;l+mg: =supfF(f1;:::;fl+m):fi2i;i=1;:::;l+mg;
Bystructuralinductionontheexpressionsandtermsofthealgebraic[0;1]-mu-calculus functions F:(Dn1![0;1]):::(Dnl+m![0;1])!(Dn![0;1]): =inff2if.Similarly,wedene(l;m)-continuityfor
analgebraicexpressionortermsuchthataisformallydivergencefreeand wegetthefollowing.WheneverZ1;:::;Zl+marepairwisedistincttermvariablesandais
Z1;:::;Zlareformallymonotoneina, Zl+1;:::;Zl+mareformallyantitoneina Z1;:::;Zl+mareformallycontinuousisa,
Witha=term,l=1,m=0,Z1=ZwegetthattheoperatorF=Fapreservessuprema thenthefunctionFais(l;m)-continuous.Here,Faisgivenby
andinma.Parts(a),(b)canbederivedfromProposition10.1.17(b)(page270).
Fa(f1;:::;fl+m)=[a]M[Z1:=f1;:::;Zl+m:=fl+m]:

10.2.THEALGEBRAICMU-CALCULUSASASPECIFICATIONLANGUAGE275 10.2 guageThealgebraicmu-calculusasaspecicationlan- logicsthatcanserveasspecicationlanguagesfor(severaltypesof)parallelsystems.The Inthissectionweshowthatthealgebraicmu-calculussubsumesseveraltemporalormodal relationalmu-calculuswithitsstandardsemanticsalaPark[Park74]andKozen'smodal mu-calculus[Koze83]canbeviewedassubcalculiofthebooleanmu-calculus(seeSections 10.2.1and10.2.2).Inparticular,thebooleanmu-calculus(andhence,thealgebraicmucalculus)hastheexpressivenessofallformalisms{e.g.automataoninnitewordsand severalkindsoftemporallogicssuchasCTLorLTL{thatarecontainedintherelational ormodalmu-calculus;seee.g.[StEm84,EmLei86,Niwi88,BCM+90,EmJu91,Dam94]. Moreover,thealgebraicmu-calculuscontainsseveraltemporalandmodallogicsforreasoningaboutquantitativepropertiesofconcurrentsystems.Forinstance,thealgebraic mu-calculussubsumestheextensionsofEmerson[Emer92]andSeidl[Seidl96]ofKozen's modalmu-calculusforspecifying(certainkindof)realtimepropertiesandseverallogics toreasonaboutprobabilisticsystemssuchastheprobabilisticmu-calculusala[HuKw97, HuKw98]orPCTL[HaJo94,BidAl95];seeSections10.2.2and10.2.3.Moreover,thealgebraicmu-calculuscanserveasspecicationlanguageforarithmeticcircuitsasitsubsumes \equivalent"algebraictermterm'.Here,\equivalence"isinthefollowingsense:Forany thetemporallogicWordLevelCTL[CCH+96,CKZ96,Zhao96];seeSection10.2.4.In
modelNforL,thereisamodelMforthealgebraicmu-calculuswith allthesecases,wehaveanembeddingoftherespective(temporalormodal)logicLinto thealgebraicmu-calculusofthefollowingform.Foreachformula'ofL,thereisan
thealgebraicmu-calculus.Moreover,thedenitionofterm'isbystructuralinduction Hence,allpropertiesthatcanbespeciedbyaformulaofLcanalsobeexpressedin (*) [term']M=[']N:
modelcheckerforL. automaticallycomputesthesemanticsofthetermsofthealgebraicmu-calculusyieldsa onthesyntaxof';i.e.thedenitionofterm'isconstructive.Thus,anymethodthat
(seepage261)byremovingtheexpressionsbuiltfromthecomparisonoperatorsop./and 10.2.1 ThesyntaxofPark'srelationalmu-calculusisobtainedfromthebooleanmu-calculus Therelationalmu-calculus
wherethesemanticsoftheleastandgreatestxedpointoperatorsaredenedaslimits oftherelationalmu-calculus(asasubcalculusofthealgebraicorbooleanmu-calculus ofcertainfunctionsequences)agreeswiththestandardsemanticsalaPark[Park74].In theboundediterationoperatoriterateZ[:::"k:::].Wenowshowthatthesemantics
gfpZ[bterm]operatorsisrestrictedtothoserelationaltermsbtermandtermvariablesZ whereZisformallymonotoneinbterm.17ThemeaningsoflfpZ[bterm]andgfpZ[bterm] withrespecttoaf0;1g-modelM=(D;I)(whichcanbeviewedasamodelforthe theapproachofPark,theuseoftheleastandgreatestxedpointlfpZ[bterm]and
occurrencesofZinbtermfallunderanevennumberofthenegationoperator:bexpr.
17RecallthatformalmonotonicityofatermvariableZinarelationaltermbtermmeansthatallfree

276 relationalmu-calculusinthesenseofPark)aredenedastheleastandgreatestxed CHAPTER10.SYMBOLICMODELCHECKING
pointsofthehigher-orderoperatorf7![bterm]M[Z:=f]onthefunctionspaceDn! f0;1g.ToseethattheoperatorslfpZ[bterm]andgfpZ[bterm]ofthebooleanmucalculusareindeedleastandgreatestxedpointoperatorsweapplyTheorem10.1.27 divergencefree.LetZbeann-arytermvariablethatisformallymonotoneandformally (page274).18
continuousinbterm.Then,foranyf0;1g-modelM: Theorem10.2.1Letbtermbean-arytermofthebooleanmu-calculusthatisformally
whereF:(Dn!f0;1g)!(Dn!f0;1g)isgivenbyF(f)=[bterm]M[Z:=f]. (a)[lfpZ[bterm]]M=lfp(F)istheleastxedpointofF (b)[gfpZ[bterm]]M=gfp(F)isthegreatestxedpointofF
satised(seeRemark10.1.24,page273),Theorem10.2.1yieldsthatthestandardseman- Sinceformalcontinuityinexpressionsandtermsoftherelationalmu-calculusisalways Proof: followsimmediatelybyTheorem10.1.27(page274).19
ticsfortherelationalmu-calculusalaParkagreeswiththesemanticsoftherelationaltionalmu-calculuscanbeviewedasasubcalculusofthealgebraicmu-calculus.mu-calculuswhenviewedasasublanguageofthealgebraicmu-calculus.Thus,therela- 10.2.2 Themodalmu-calculuswasintroducedbyKozen[Koze83]asalanguageforanalyzing thebehaviourofpossiblyinnitecomputations.Formulasofthemodalmu-calculusare Themodalmu-calculus
e.g.safetyorlivenessproperties.Themodalnextstepoperatorhicanbeviewedasthe builtfromthebooleanconnectives^,_,:,modalnextstepoperatorshiand[](where interpretedbysetsofstatesofaniteaction-labelledtransitionsystemandmightexpress modalcounterparttothebooleanquantier9xandstatesthat\thereisan-labelled rangesovercertainactions)andleastorgreatestxedpointoperators.Theyare
symbolsR{whereRrepresentsthecharacteristicfunctionofthetransitionrelation transition"while[]isitsdual(\forall-labelledtransitions").Using2-aryfunction fortheactionlabel valuedfunctionwhereI(R)(s;t)istrueis�!t){eachmodalmu-formula'canbe translatedintoan\equivalent"1-arybooleantermbterm'.Forinstance,formu-formulas withmodalnextstephiorleastxedpoints, (i.e.weassumeaninterpretationIsuchthatI(R)isaboolean-
btermhi'=z[9z0[R(z;z0)^bterm'(z0)]];btermlfpZ[']=lfpZ[bterm']:
1�bexpr. NotethatthesummationquantierPzisnotcontainedinthebooleanmu-calculus,onlytheoperators ^=opmin,_=opmaxandop./areallowedandthebooleannegationoperator:bexprismodelledby 19Forthis,weusethefollowingsimplefact.IfF:(Dn![0;1])!(Dn![0;1])isanoperatorthat
18Itshouldbeobservedthatthebooleanmu-calculusisasubcalculusofthealgebraic[0;1]-mu-calculus.
andd1;:::;dn2DthentheleastandgreatestxedpointsofFarefunctionswithrangef0;1g.
preservessupremaandinmaandsuchthatF(f)(d1;:::;dn)2f0;1gforanyfunctionf:Dn!f0;1g

10.2.THEALGEBRAICMU-CALCULUSASASPECIFICATIONLANGUAGE277
mu-calculuscanbeviewedasasublanguageofthebooleanmu-calculus. Here,\equivalence"isinthesenseofcondition(*)onpage275.Thus,Kozen'smodal Intheliterature,Kozen'smodalmu-calculushasbeenextendedtoreasonaboutquantitaivepropertiesoftimedsystems[Emer92,Seidl96]orprobabilisticsystems[HuKw97, oversetsofstatesofalabelledtransitionsystemwhile[Seidl96,HuKw97,MoMcI97, HuKw98,McIv98]dealwithaninterpretationbyfunctionsfromthestatesintothereals. Emerson[Emer92]extendsthemodalmu-calculusbyboundediterationoperatorsthat MoMcI97,HuKw98,McIv98].Intheapproachof[Emer92],formulasarestillinterpreted
wherewedescribeEmerson'sboundediterationoperatorwiththehelpofourbounded areusedtoformulaterealtimepropertiessuchas\theprocesswillterminatewithinthe nextktimeunits".TheabovementionedembeddingofKozen'smodalmu-calculusinthe booleanmu-calculuscanbeextendedtoanembeddingofEmerson'smodalmu-calculus
(reactive)systemscanbeembeddedintothealgebraicmu-calculus. explainhowthemodalmu-calculuswiththeinterpretationsbySeidl[Seidl96]overdurationaltransitionsystemsandHuth&Kwiatkowska[HuKw97,HuKw98]overprobabilistic iterationoperatoriterateZ[:::"k:::].Intheremainderofthissection,webriey
Thedurationalmu-calculusalaSeidl:[Seidl96]dealswithaninterpretationof
oftheformulasgivesameasureforthetimeofhowlongacertainpropertyholds. adiscretetimedomainTime.Thetransitionsareendowedwithanduration(i.e.the formulasbyfunctionsfromthestatesofaniteaction-labelledtransitionsysteminto
ThetimedomainTimeisasubintervalofthenon-negativeintegersextendedby?that amountoftimethatisneededtoperformthetransitions).Insomesense,thesemantics
wetreatas1.20Moreover,TimeisequippedwithasetOpofbinaryoperatorssuchas maximimopmax,minimumopmin,addition+andasequenceoperator(x;y)7!x;y=y. Formulasaregivenbythefollowinggrammar wherebtaisabasictimeassignment, isaxednitesetofactions.Formulasareinterpretedoverthestatesofadurational '::=btajZ '1op'2 2Act,Zavariableandop2Op.Here,Act []' hi' lfpZ['] gfpZ[']
S=(S;!;dur)andaninterpretationJforthevariablesandbasictimeassignments SActSatransitionrelationanddurafunctionthatassignstoeachtransitions!t itsdurationdur(s;;t).AmodelN=(S;J)consistsofadurationaltransitionsystem transitionsystem,i.e.atupleS=(S;!;dur)whereSisanitesetofstates,!
byfunctionsS!Time.Themeaning[']N:S!TimeisdenedasshowninFigure
transitions(i.e.Rstandsforaboolean-valuedfunctionS usebinaryfunctionsymbolsRanddur.Intuitively,Rrepresentsthethe-labelled basictimeassignmentbtaisviewedasa1-aryfunctionsymbol.Foreachaction,we 10.5(page278).Weassociatewitheachformula'an1-arytermterm'asfollows.Each
istrueis�!t)whiledurstandsforthedurationofthe-labelledtransitions(i.e.dur representsthepartialfunctionS variablesZofthedurationalmu-calculusareviewedas1-arytermvariables. S!IRwhere(s;t)7!dur(s;;t)ifs�!t).The S!f0;1gwhere(s;t)7!1
with�1.
thereallinebythethreesymbols1and?ratherthanjustthesinglesymbol?,wecouldalsodeal 20Tobeprecisely,[Seidl96]alsousesthesymbol�1toexpressunaccessibility.Usinganextensionof termZ=Z,termbta=bta,term'1op'2=s[term'1(s)opterm'2(s)],

278 CHAPTER10.SYMBOLICMODELCHECKING
[hi']N(s)=maxndur(s;;t)+[']N(t):s!to [[]']N(s)=minndur(s;;t)+[']N(t):s!to [Z]N=J(Z), [bta]N=J(bta), ['1op'2]N(s)=['1]N(s)op['2]N(s)
[lfpZ[']]N=leastxedpointof(S!Time)!(S!Time),f7![']N[Z:=f] [gfpZ[']]N=greatestxedpointof(S!Time)!(S!Time),f7![']N[Z:=f]
term[]'=s[mint[R(s;t)(dur(s;t)+term'(t))]], Figure10.5:Semanticsofthedurationalmu-calculusala[Seidl96]
termhi'=s[maxt[R(s;t)(dur(s;t)+term'(t))]], termlfpZ[']=limZ[term'"s[timemin]],
N=(S;J)whereSisasbefore,wedeneamodelM=(S;I)forthealgebraicmu- Here,timemin=minft:t2Timegandtimemax=maxft:t2Timeg.Givenamodel termgfpZ[']=limZ[term'"s[timemax]].
calculusbyI(bta)=J(bta),
andI(Z)=J(Z)forallvariablesZ.Bystructuralinductionon',weget[']N= [term']M. I(R)(s;t)=(1:ifs!t 0:otherwise I(dur)(s;t)=(dur(s;;t):ifs!t ? :otherwise
Theprobabilisticmu-calculusalaHuth&Kwiatkowska:Intheprobabilistic mu-calculusof[HuKw97,HuKw98],formulasaregivenbythegrammar
whereapisanatomicproposition, interpretedwithrespecttoamodelN=(S;J)consistingofareactivesystemS= '::=apjZ '1^'2 :' 2ActanactionandZavariable.Formulasare '1_'2 []' hi' lfpZ['] gfpZ[']
Themeaning[']N:S![0;1]ofaformula'isdenedasshowninFigure10.6(page interpretationJfortheatomicpropositionsapandthevariablesZbyfunctionsS![0;1]. 279).Fordisjunction_andconjunction^,severalinterpretationsbybinaryoperators (S;Act;P)(cf.Denition3.3.10onpage51andNotation3.3.11onpage52)andan
alternatingdepth arepossible.Toguaranteetheexistenceofleast/greatestxedpointsforformulaswith op_isopmaxoroneoftheoperators(q1;q2)7!q1+q2�q1q2,(q1;q2)7!minf1;q1+q2g op^isopmin,ortheoperator(q1;q2)7!maxfq1+q2�1;0g. 1thefollowingoperatorsop_andop^canbeused.21
Similarlytothewayinwhichwedescribeeachformula'ofSeidl'sdurationalmu-calculus
andthattheycanbecomputedbythestandarditerations.SeeProposition1and2in[HuKw98].
occursfreein byan\equivalent"algebraictermterm',weobtainatransformationfromthepositive 21Alternatingdepth .Thisensurestheexistenceofleastandgreatestxedpointsoftheassociatedoperator 1meansthat,foranysubformulalfpZ[ ]orlfpZ[ ],atmostthevariableZ

10.2.THEALGEBRAICMU-CALCULUSASASPECIFICATIONLANGUAGE279
['1_'2]N=['1]Nop_['2]N,['1^'2]N=['1]Nop^['2]N, [Z]N=J(Z), [hi']N(s)=Pt2SP(s;;t)[']N(t), [ap]N=J(ap), [:']N(s)=1�[']N(s),
[lfpZ[']]N=leastxedpointof(S![0;1])!(S![0;1]),f7![']N[Z:=f], [[]']N(s)=1�Pt2SP(s;;t)(1�[']N(t)), [gfpZ[']]N=greatestxedpointof(S![0;1])!(S![0;1]),f7![']N[Z:=f].
modalmu-calculuswiththeFuzzyinterpretationsof[HuKw97,HuKw98]tothealgebraic Figure10.6:Semanticsoftheprobabilisticmu-calculusala[HuKw97]
mu-calculus.Foreachformula',wedenean1-aryalgebraictermterm'bystructural induction.Theatomicpropositionsapareviewedas1-aryfunctionsymbols.Foreach action,weuseabinaryfunctionsymbolsP.Intuitively,P(s;t)standsfortheprob-
termap=ap,term:'=1�term'and viewedas1-arytermvariables.Wesupposethatop_,op^2OpanddenetermZ=Z, abilityforstomovetotviaan-labelledtransition,i.e.Prepresentsthefunction S S![0;1],(s;t)7!P(s;;t).ThevariablesZofthepositivemodalmu-calculusare
term'1_'2=s[term'1(s)op_term'2(s)], term'1^'2=s[term'1(s)op^term'2(s)],
termlfpZ[']=limZ[term'"s[0]],termgfpZ[']=limZ[term'"s[1]], term[]'=s[1�Pt[P(s;t)(1�term'(t))]], termhi'=s[Pt[P(s;t)term'(t)]],
wedeneI(P)(s;t)=P(s;;t).Bystructuralinductionon'itcanbeshownthat GivenamodelN=(S;J)whereS=(S;Act;P),wedeneamodelM=(S;I)forthe I(ap)=J(ap)forallatomicpropositionsap.ForthebinaryfunctionsymbolsP, algebraicmu-calculusasfollows.ForeachvariableZ,wedeneI(Z)=J(Z);similarly,
10.2.3 [']N=[term']M.Here,weassumethat'isaformulaofalternatingdepth ThelogicPCTL 1.
theexpressionsandtermsofthealgebraicmu-calculus(presentedinSection10.3,page Thus,themethoddescribedinSection10.4focussesonaxeddatastructure(namely 285)canbeappliedtoobtainsymbolicvericationmethodsforprobabilisticsystems. InSection10.4(page295)wedescribehowtheMTBDD-basedalgorithmtoevaluate
MTBDDs)forrepresentingprobabilisticsystems.Here,weexplainhow{fromapurely abilisticandconcurrentprobabilisticsystems)canbereformulatedasbooleanterms.mathematicalpointofview{PCTLformulas(withtheinterpretationsoverfullyprobHence,anymethodthatautomaticallyevaluatestheexpressionsandtermsofthealgebraicmu-calculus,canbeusedasbasisforamodelcheckerforPCTL,independentofthe chosendatastructureofanimplementation.

280 RecallthesyntaxandsemanticsofPCTLthatisexplainedinChapter9(page212). CHAPTER10.SYMBOLICMODELCHECKING
page39)andconsiderthestandardinterpretationj=ala[BidAl95]andthesatisfaction relationj=fairthatinvolvesfairnesswithrespecttothenon-deterministicchoices. Intheconcurrentcase,weshrinkourattentiontostratiedsystems(seeDenition3.2.3,
a2AP,weusean1-arybooleanfunctionsymbolSatathatrepresentsthe(characteristic functionofthe)setSat(a)ofstateswhereaholds.Moreover,weuseabinaryterm termbterm.Forthis,weusethefollowingfunctionsymbols.Foreachatomicproposition WenowexplainhowanyPCTLformulacanbetranslatedintoan\equivalent"boolean
variablePthatstandsforthetransitionprobabilitymatrixofafullyprobabilisticsystem orastratiedsystem.Inaddition,intheconcurrent(stratied)case,weassumean1-ary booleanfunctionsymbolSprobthatstandsforthe(characteristicfunctionofthe)setof Thebooleantermsbtermaredenedbystructuralinduction.Wedenebtermtt= probabilisticstates.
Thedenitionofthebooleantermsforformulasbuiltfromtheprobabilisticoperator s[1],bterma=Sataand,forformulaswhoseoutermostoperatoris:or^,
Prob./pdependsonwhetherweassumeaninterpretationoverfullyprobabilisticorstrat- bterm:=s[:bterm(s)], bterm1^2=s[bterm1(s)^bterm2(s)].
+(1�bexpr)expr2. iedsystems.Inwhatfollows,webrieywritelfpZ[:::]ratherthanlimZ[:::"s[0]]
Fullyprobabilisticcase:Forformulaswhoseoutermostoperatoristheprobabilistic anduseexpressionsoftheformifbexprthenexpr1elseexpr2insteadofbexprexpr1 operatorProb./pwedenebtermProb./p(')=s[term'(s)./p]wherethealgebraicterms term'forthepathformulasaredenedasfollows. term1Uk2=iterateZhs[expr]"ks[0]i term1U2=lfpZ[s[expr]] termX=s[Pt[P(s;t)bterm(t)]]
withexpr=ifbterm2(s)then1elsebterm1(s) LetS=(S;P;AP;L)beaproposition-labelledfullyprobabilisticsystem.Wedene Xt[P(s;t)Z(t)]!:
Then,[bterm]MisthecharacteristicfunctionofSat()=fs2S:sj=gwhile M=(S;I)whereI(P)=PandI(Sata)(s)=1ifa2L(s),I(Sata)(s)=0otherwise. [term']MagreeswiththefunctionS![0;1],s7!ps(1U2)where
s7!ps(1U2),istheleastxedpointoftheoperatorF:(S![0;1])!(S! Thiscanbeseenasfollows.Theorem3.1.6(page36)yieldsthatthefunctionS![0;1], ps(1U2)=Probf2Pathful(s):j=1U2g:
F(f)(s)=Pt2S1[S2P(s;t)f(t)ifsj=1^:2.Usingstructuralinductionand
[0;1])whichisgivenby:F(f)(s)=1ifsj=2,F(f)(s)=0ifs6j=1_2and

10.2.THEALGEBRAICMU-CALCULUSASASPECIFICATIONLANGUAGE281 Theorem10.1.27(page274)weobtainthat,forallstatess,sj= andps(')=[term']M(s).22Thus, term1U2=lfpZ[s[expr]]and[term1U2]M(s)=lfp(F)(s)=ps(1U2): i[bterm]M(s)=1
fair)adversaries.Forbothsatisfactionrelationsj=andj=fair,thebooleantermsforthe Concurrentcase:Dependingonthecomparisonoperator./anddependingonthe satisfactionrelationweneedtheminimalormaximalprobabilitiesunderall(orunderall formulasinvolvingtheprobabilityoperatorProbvparedenedasfollows.
wherev2f

282 Nextweconsidertheuntiloperator,i.e.formulasoftheformProbwp(1U2).Wedene CHAPTER10.SYMBOLICMODELCHECKING
wherethedenitionoftermmin withthestandardinterpretationj=,wedene btermProbwp(1U2)=shtermmin 1U2dependsonwhetherwedealwithj=orj=fair.Dealing 1U2(s)wpi
whereexprmin factionrelationj=fairweusetheresultofTheorem9.3.23(page227)statingthat1U2isasinthecaseoftheboundeduntiloperator.Dealingwiththesatis- termmin 1U2=lfpZhshexprmin 1U2ii
S?(1;2)=Sat(1)nS+(1;2).RecallthatS+(1;2)isthesetofallstatess2S wherea+anda?arefreshatomicpropositionsrepresentingthesetsS+(1;2)and sj=fairProbwp(1U2)i 1�pmax s(a?U:a+)wp
thatcanreacha2-stateviaapaththrough1-states(Notation9.3.11,page223).Thus, S+(1;2)=lfp(F)wherethemonotonicoperatorF:2S!2Sisgivenby
Thedenitionofthetermtermmin F(Z)=Sat(2)[fs2Sat(1):9t2S[(P(s;t)>0)^t2Z]g:
Thealgebraictermtermmax follows.Weput termmin 1U2=s[1�termmax 1U2withrespecttothesatisfactionrelationj=fairisas
wedealwiththebooleantermsbterm?= a?U:a+isdenedasdescribedabovewiththeonlydierencethat shbterm1(s)^:bterm+(s)iandbterm+ a?U:a+(s)]:
ratherthanthefunctionsymbolsSata?andSata+.Here,bterm+isgivenby
Asinthefullyprobabilisticcase(andusingTheorem10.1.27(page274),Theorem3.2.11 (page43)andtheresultsofSection9.3)weobtainthefollowing.LetS=(S;P;AP;L) lfpZ[s[bterm2(s)_(bterm1(s)^9t[(P(s;t)>0)^Z(t)])]]:
beaniteproposition-labelledstratiedsystem.LetM=(S;I)whereI(Sata)and I(Sprob)aretheboolean-valuedfunctionsS!f0;1gwithI(Sata)(s)=1ia2L(s) andI(Sprob)(s)=1isisaprobabilisticstate.TheinterpretationI(P)forthebinary 3.2.4,page40);moreprecisely,wedealwith functionsymbolPisgiventhetransitionprobabilityfunctionP(denedasinNotation
Then,forallstatess2S,sj=A I(P)(s;t)=8>:P(s;t):ifs2Sprob
i[bterm]M(s)=1and ? 1 :otherwise. :ifs=2Sprobands�!t
[termmax [termmin ']M(s)=sup ']M(s)=inf A2AProbn2PathAful(s):j=A'o; A2AProbn2PathAful(s):j=A'o

10.2.THEALGEBRAICMU-CALCULUSASASPECIFICATIONLANGUAGE283
asimilarway,wecandealwiththesatisfactionrelationsj=sfair(wherestrictfairnessis supposed)orj=Wfair(wherefairnessintheW-statesissupposed).Forthedenitionofthe booleantermsbtermProb./p(1U2)forformulasinvolvingtheunboundeduntiloperator,one whereAstandsforAdvorAdvfair(dependingonwhetherwedealwithj=orj=fair).23In
hastodescribethesetTmax(1;2)(seeNotation9.3.14,page224)resp.thesetS0W(see termisoftheformlfpZ[bterm].Forinstance,forthesetTmax(1;2),thedenitionof btermisgivenby Notation9.3.31,page229)byabooleanterm.Inbothcases,thecorrespondingboolean
s[:bterm+(s)_bterm2(s)_(Sprob(s)^8t[(P(s;t)>0)!Z(t)])
10.2.4 _(:Sprob(s)^9t[(P(s;t)>0)^(termmax WordlevelCTL 1U2(s)=termmax 1U2(t))])]:
WordLevelCTL[CCH+96,CKZ96,Zhao96]isanextensionofCTLtoreasonabout propertiesinvolvingtherelationshipsamongdatawords.Suchpropertiesareneededfor thevericationofarithmeticcircuits.WordLevelCTLdistinguishesbetweenseveral
bystaticformulas,thebooleanconnectivesandtheCTLpathquantierscombinedwith equationsorinequalitiesforexpressions,staticformulasSFthatarebuiltfromatomic formulasandthebooleanconnectives^and:andtemporalformulasTFthataregiven typesofformulas:atomicformulasAFthatarebuiltfromatomicpropositionsand
thetemporaloperatorsXandU. AF::=a TF::= SF::= AF SF8(e1./e2) TF 1^TF SF 1^SF 2 9(e1./e2) :SF
wherea2APand./2f=;;g.Thewordsaretuplesofpropositionalformulas, i.e.theyareoftheformword=hPF 1;:::;PF :TF
niwherethepropositionalformulasPF 8XTF 9(TF 1UTF 2) 92TF
arebuiltfromtheatomicpropositionsa2APandtheboolenconnectives^and:.The expressionsaregivenby:
Formulas,expressionsandwordsareinterpretedoverniteproposition-labelledtransition systems(S;R;AP;L)whereSisasetofstates,R e::=const word next(word) e1ope2SifSFthene1elsee2 L:S!2APthelabellingfunctionforthestatesbyatomicpropositions.Propositional, atomic,staticandtemporalformulasareinterpretedbysetsofthestates: Sthetransitionrelationand
[9(e1./e2)]=fs2S:9s02S[R(s;s0)./[e2](s;s0)]g, [8(e1./e2)]=fs2S:8s02S[R(s;s0)./[e2](s;s0)]g, [a]=fs2S:a2L(s)g,[1^2]=[1]\[2],[:]=Sn[],
qop./?=?op./q=1,minQ=min(Qnfg),maxQ=max(Qnfg)andminf?g=maxf?g=?.
operatorsop./ontheextendedreals,weassumethat,ifq2IRand;6=QIRthenq?=?q=?, 23Here,fortheextensionofmultiplication*,theminimum/maximumoperatorsandthecomparison

284[8XTF]=fs2S:8s02S[R(s;s0)!s02[TF]]g CHAPTER10.SYMBOLICMODELCHECKING
[92TF]=fs2S:9s0;s1;s2:::2S[(s0=s) [9(TF 1UTF 2)]=fs2S:9k ^sk2[TF 2]^V0i

10.3.A\COMPILER"FORTHEALGEBRAICMU-CALCULUS bterm8XTF=s[8s0[R(s;s0)!btermTF(s0)]] 285
bterm9(TF =lfpZhshbtermTF 1UTF 2) 2(s)_ btermTF
TheconnectionbetweenthewordlevelCTLformulasandtheassociatedalgebraicterms bterm92TF=lfpZ[s[btermTF(s)^(9s0[R(s;s0)^Z(s0)])]] 1(s)^9s0[R(s;s0)^Z(s0)]ii
isasfollows.LetM=(S;I)whereI(R)=Rand
UsingstructuralinductionandTheorem10.2.1(page276)weobtain:[termWword]M= I(Sata)(s)=(1:ifa2L(s)
[word],[termEe]M=[e]and 0:otherwise.
forallformulas,wordswordandexpressionse. [bterm]M(s)=(1:ifs2[] 0:otherwise
Thealgebraicmu-calculuscanbeviewedasalanguageformanipulatingreal-valuedfunctions.Anyclosedalgebraictermtermyieldsanoperator 10.3 A\compiler"forthealgebraicmu-calculus
interpretationsfi=I(fcti)forthefunctionsymbolsasitsinputanddescribeshowto combinethesefunctionsf1;:::;fkviaarithmeticoperatorsanditeration.Thesemantics [term]M(whereM=(D;I))standsforthecomposedfunction.Forinstance,inthe (f1;:::;fk)thattakesthe
method(Example10.1.9,page266),theterm exampleforsolvinglinearequationsystemsofthetypez=q+Azwiththe\naive"
canbeviewedastheoperatorthattakesasitsargumentsthefunctionsI(A)forthe term=limZ24i24q(i)+Xj[A(i;j)Z(j)]35"z035
matrixA,I(q)forthevectorqandI(z0)forthestartingvectorz0and\returns"the Inthissection,weturntothequestionhowtheterms(andexpressions)canbeevaluated functionthatrepresentstheuniquesolutionz.
expression)withrespecttoM.Insomesense,thisalgorithmcanbeviewedasacompiler expression)andamodelM=(D;I)andreturnsthesemantics[:::]Mofthatterm(or forthealgebraicmu-calculus.Suchanalgorithmrequiresanadequatedatastructurefor automaticallyandpresentanalgorithmthattakesasitsinputanalgebraicterm(or
thefunctionsDn!IR.Ofcourse,\adequacy"ofthechosendatastructuredepends structuresinceMTBDDsareknowntobeecientforrepresentingprobabilisticsystems
ontheconcreteapplication.Inthatthesiswhereweconcentrateonthevericationof probabilisticsystemsweshrinkourattentiontotheuseofMTBDDsaschosendata

286 [HMP+94,HarG98].24Clearly,inotherapplications,theuseofMTBDDsmightbenot CHAPTER10.SYMBOLICMODELCHECKING
ecient.Forinstance,inSection10.2.4(page283),wesawthatthealgebraicmucalculuscanalsoserveasspecicationlanguageforarithmeticcircuits.Inthatcase,it isknownthattheuseofMTBDDsisnotecient(theresultingMTBDDsmighthave exponentialsize)andtheuseofotherdecisiondiagramslikeHDDsispreferable.See [CCH+96,CKZ96,Zhao96]. Inarststep,weintroducethemixedcalculuswhichisavariantofthealgebraicmucalculusthatisbasedonaxedinterpretationforthefunctionsymbols.Forthis,we assumethedomainD=f0;1goftheunderlyingmodelM=(D;I)andarepresentation
whosenonterminalverticesarelabelledbyindividualvariables.25Forthemixedcalculus, theindividualvariablesintothereals.ThesefunctionsarerepresentedbyMTBDDs expressionsandtermsofthemixedcalculusareinterpretedbypartialfunctionsfrom ofthefunctionsI(fct):f0;1gn!IRforthen-aryfunctionsymbolsbyMTBDDs.The
wedescribeanalgorithmthattakesatermorexpressionofthemixedcalculusasits inputandgeneratesthecorrespondingMTBDD.GivenamodelM=(D;I)forthe algebraicmu-calculus,weuseanencodingofthedomainDinf0;1gkandtransformthe
algorithmfromthealgebraictothemixedcalculusandthealgorithmforcomputing calculus.TheMTBDDforthatexpressionortermofthemixedcalculuscanbeviewedas arepresentationforthesemantics[:::]MwithrespecttoM.26Thus,thetransformation algebraicexpressionsandtermsinto\equivalent"expressionsandtermsofthemixed
terms.Ontheotherhand,themixedcalculusinitsowncanbeviewedasalanguage formanipulatingMTBDDswhereouralgorithmactsasacompilerthatautomatically amethodthatautomaticallycomputesthesemanticsofthealgebraicexpressionsand theMTBDDsfortheexpressionsandtermsofthemixedcalculuscanbecomposedto
10.3.1 generatestheMTBDDdescribedbyanexpressionortermofthemixedcalculus.
Wepresentthesyntaxandsemanticsofthemixedcalculus.Inessential,thesyntaxof themixedcalculusarisesfromthesyntaxofthealgebraicmu-calculuswherethefunction Themixedcalculus
symbolsarereplacedbyMTBDDs.Theexpressionsofthemixedcalculusareinterpreted bypartialfunctionsfromtheindividualvariablesintothereals;thesemanticsofthen-ary
Syntaxofthemixedcalculus:WexsetsIndVarofindividualvariables,TermVarof n-bitvector. termsarepartialfunctionsthattakeastheirargumentstheindividualvariablesandan
termvariableswhereeachtermvariableZisassociatedwithanarity(anaturalnumber binaryoperatorsontheextendedreals.Thesyntaxofmixedexpressionsandn-aryterms isgivenbytheproductionsystemshowninFigure10.7onpage287.Here,q2IRand 24ThereadernotfamiliarwithMTBDDsshouldrecallthedenitionofMTBDDswhichispresented
1)andasetf#1;#2;:::gofdummyvariables.Asbefore,Opdenotesasetoftotal
inSection12.3(page315). containnonterminalverticeslabelledbyothervariables. 25Tobeprecisely,then-arytermsalsotakean-bitvectorasinput.Thus,theMTBDDsforthemalso f0;1gn!IR.
andconsider[expr]Masafunction(IndVar!D)!IRand[term]Masafunction(IndVar!D) 26Forthis,wesurpresstheinterpretationI(z)fortheindividualvariablesofthealgebraicmu-calculus

10.3.A\COMPILER"FORTHEALGEBRAICMU-CALCULUS 287
expr::=q Xz[expr] z expr1opexpr2 min z[expr] max term(z1;:::;zn)
term::=Q Zjz1;:::;zn[expr] z[expr]
iterateZ[term"kterm0] limZ[term"term0]
op2Op.QisaMTBDDover(#1;:::;#n).z,z1;:::;zn2IndVarsuchthatz1;:::;znare Figure10.7:Syntaxofthemixedcalculus
pairwisedistinct.Z2TermVarisann-arytermvariable.Freeandboundedoccurrences ofindividualortermvariablesinmixedexpressionsortermsaredenedintheobvious way.Fortheexpressionsterm(z1;:::;zn),werequirethattherearenofreeoccurrences oftheindividualvariablesziinterm.Amixedexpressionortermiscalledclosediit doesnotcontainfreeoccurrencesofindividualortermvariables.Forz=(z1;:::;zn), webrieywritePzorPz1;:::;znratherthanPz1:::Pzn.Similarly,minz,maxzorzhave theobviousmeanings.Themixedbooleancalculusisdenedinanalogytotheboolean mu-calculus(seepage261). Semanticsofthemixedcalculus:Intuitively,themixedexpressionsandtermsare interpretedbyfunctionswithvaluesintheextendedrealsandwhoseargumentsarethe thesemanticsofthemixedcalculusisdenedwithrespecttoaninterpretationJforthe n-arytermvariablesbyfunctionsf0;1gn!IR.Thesemantics n-bitvector(thatrepresentsthevaluesofthedummyvariables#1;:::;#n).Formally, individualvariables.Moreover,thefunctionsforthen-arymixedtermsdependonan
ofthemixedexpressionsandtermswithrespecttoJisdenedbystructuralinductionas showninFigure10.8(page288).Here,isafunctionIndVar!f0;1gandhb1;:::;bni2 [expr]J:(IndVar!f0;1g)!IR;[term]J:(IndVar!f0;1g)f0;1gn!IR
f0;1gn.[z1:=c1;:::;zk:=ck]denotesthosefunctionIndVar!f0;1gthatagreeswith onallindividualvariablesz2IndVarnfz1;:::;zkgandreturnsthevalueciforthevariable zi.27TheinterpretationJ[Z:=f]isdenedintheobviousway. 10.3.2 Givenanexpressionortermofthealgebraicmu-calculusandamodelM=(D;I)for thealgebraicmu-calculus,wedenean\equivalent"mixedexpressionorterm.This Inferencefromthealgebraictothemixedcalculus
calculusarereplacedbyk-tuples(zz1;:::;zzk)ofindividualvariablesofthemixedcalculus.oftheelementsofDbyk-bitvectors.Theindividualvariableszofthealgebraicmu- inferencefromthealgebraicmu-calculustothemixedcalculusisbasedonanencoding 27Here,weassumethatz1;:::;zk2IndVararepairwisedistinctandthatc1;:::;ck2f0;1g.

288 CHAPTER10.SYMBOLICMODELCHECKING
[q]J()=q [expr1opexpr2]J()=[expr1]J()op[expr2]J() [z]J()=(z)
[Pz[expr]]J()=[expr]J([z:=0])+[expr]J([z:=1]) [term(z1;:::;zn)]J()=[term]J(;h(z1);:::;(zn)i)
[maxz[expr]]J()=maxn[expr]J([z:=0]);[expr]J([z:=1])o [minz[expr]]J()=minn[expr]J([z:=0]);[expr]J([z:=1])o
[z1;:::;zn[expr]]J(;hb1;:::;bni)=[expr]J([z1:=b1;:::;zn:=bn]) [Q]J(;hb1;:::;bni)=fQ(b1;:::;bn) [Z]J=J(Z)
[iterateZ[term"kterm0]]J=fk [limZ[term"term0]]J=lim(f0;f1;f2;:::)
Figure10.8:Semanticsofthemixedcalculus wheref0=[term0]J,fi+1=[term]J[Z:=fi].
Whiletheindividualvariablezofthealgebraicmu-calculusisinterpretedbyanelement
bythecorrespondingMTBDD.Thus,n-aryalgebraictermsaretranslatedinto(nk)-ary I(z)ofthedomainD,theindividualvariablezziofthemixedcalculusstandsforthei-th
mixedterms. componentofthebitvectorthatencodesI(z).Moreover,werepresenttheinterpretations I(fct):Dn!IRforthen-aryfunctionsymbolsbyfunctionsf0;1gnk!IRandreplacefct
functionsymbolfct,weassumearepresentationofthefunctionI(fct):Dn!IRbya functiond inf0;1gk,i.e.aninjectioncode:D!f0;1gk(wherek=dlogjDje).Foreachn-ary WexamodelM=(D;I)forthealgebraicmu-calculusandchooseanencodingofD I(fct):f0;1gnk!IR.Forinstance,wemayput
foralld1;:::;dn2D.Ifbi2f0;1gk,i=1;:::;n,suchthatatleastonek-bittupebi I(fct)(code(d1);:::;code(dn))=I(fct)(d1;:::;dn) d
ann-aryfunctionsymbolinthealgebraicmu-calculusthenweassociatewithfctthose isnotoftheformcode(d)forsomed2Dthenweputd MTBDDQfctover(#1;:::;#nk)wheretheinducedfunctionfQfctisd theindividualvariablesusedinthealgebraicmu-calculus.Then,inthemixedcalculus I(fct)(b1;:::;bn)=?.28Iffctis
28NotethatalsootherrepresentationsofI(fct)byafunctionf0;1gnk!IRarepossible.E.g.ifn=2 I(fct).LetIndVarbe
thend hc1;:::;cki=code(d2).
I(fct)mightbedenedbyd I(fct)(b1;c1;:::;bk;ck)=f(d1;d2)wherehb1;:::;bki=code(d1)and

10.3.A\COMPILER"FORTHEALGEBRAICMU-CALCULUS weusetheindividualvariables 289
Eachn-arytermvariableZofthealgebraicmu-calculusisviewedas(nk)-aryterm variableofthemixedcalculus.I.e.,inthemixedcalculus,wedealwithsetTermVar= IndVar=fzzi:z2IndVar;i=1;:::;kg:
calculusismultipliedbythefactork.Foreachalgebraicexpressionexpr(ortermterm), letmixed(expr)(resp.mixed(term))bethosemixedexpression(orterm)thatresultsfrom expr(orterm)byreplacing TermVaroftermvariableswherethearityofeachtermvariableofthealgebraicmu-
Wegetthe\equivalence"ofthealgebraicexpressions/termsandtheresultingmixed eachfunctionsymbolfctbytheMTBDDQfct. eachindividualvariablez2IndVarbytheindividualvariableszz1;:::;zzk,29
expressions/termsinthefollowingsense.Let:IndVar!f0;1gbegivenby
I(Z).Here,asfortheinterpretationofthefunctionvariables,weassumeasuitable TheinterpretationJforthetermvariablesofthemixedcalculusisgivenbyJ(Z)= d (zzi)=i-thcomponentofcode(I(z)).
representationofthefunctionI(Z):Dn!IRbyafunctiond [expr]M=[mixed(expr)]J() I(Z):f0;1gnk!IR.Then,
foranyalgebraicexpressionexpr.Foranyn-aryalgebraictermterm,wehave
ItisknownthattheeciencyoftheMTBDD-basedapproachcruciallydependsonthe chosenvariableordering.HavingobtainedaMTBDDrepresentationforf=I(fct): [term]M(d1;:::;dn)=[mixed(term)]J(;hcode(d1);:::;code(dn)i):
Dn!IR(resp.theassociatedfunctionbf:f0;1gnk!IR),well-knowntechniques (e.g.Rudell'ssiftingalgorithm[Rude93])canbeappliedtoimprovetherepresentation. ChangingthevariableorderingintheMTBDDcorrespondstoapermutationofthearExample10.3.1InExample10.1.9(page266)wepresentedanalgebraictermthatdegumentsofthefunctionbf:f0;1gnk!IR.InthenalMTBDD,thevariableshavetobescribesthe\naive"iterationforsolvinglinearequationsystemsoftheformz=q+Az.
renamedresultinginaMTBDDover(#1;:::;#nk).
Thereformulationofthatalgebraictermasamixedtermisobtainedasfollows.For
tion.Similarly,thevectorsq,z02IRncanbedescribedbyfunctionsf0;1gk!IRand simplicity,weassumethatAisan theindicesoftherowsandcolumnsofthematrixAbyk-bitvectorsanddescribeA byafunctionf0;1g2k!IR.LetAbetheMTBDDover(#1;:::;#2k)forthatfunc- n-matrixwheren=2k.Weuseanencodingfor
representationsofA,qandz0dependsonthewayinwhichwerepresentA,qandz0 byfunctionsfrombitvectorsintothereals.Oftenthestandardencodingofintegers representedbyMTBDDsq,z0over(#1;:::;#k).ThesizeofthesoobtainedMTBDD
Pzz1:::Pzzk.
themixedcalculus,e.g.thesummationquantierPzinthealgebraicmu-calculushastobereplacedby 29Thereplacementofanindividualvariablezinaquantierrequiresmultipleuseofthatquantierin

290 i2f1;:::;ngbyk-bitvectorshb1;:::;bki2f0;1gkorderedmostsignicanttoleastsig- CHAPTER10.SYMBOLICMODELCHECKING
columnsofquadraticmatricesisusedwhichleadstoarepresentationofAbyafunction nicant(i.e.i=1+Pkl=1bl2k�l)andaninterleavingoftheencodingsfortherowsand
thestandardencodingforj(theindexforthecolumns).30Thevectorsqandz0mightbe wherehb1;:::;bkiisthestandardencodingofi(theindexfortherows)andhc1;:::;cki f:f0;1g2k!IR;f(b1;c1;:::;bk;ck)=A(i;j)
representedbyfunctionsf0;1gk!IRwherehb1;:::;bkiismappedtothei-thcomponent tationsofA,qandz0,thealgebraictermtermofExample10.1.9(page266)corresponds tothemixedtermlimZ[term"z0]where ofqresp.z0(ifhb1;:::;bkiisthestandardencodingofi).UsingtheseMTBDDrepresen-
NotethatotherrepresentationsofA,q,z0byfunctionsfrombitvectorstotherealslead term= i1;:::;ik24q(i1;:::;ik)+X
todierentMTBDDrepresentations,inwhichcasetheindividualvariablesil,jhinthe j1;:::;jk[A(i1;j1;:::;ik;jk)Z(j1;:::;jk)]35:
abovemixedtermhavetobepermutated.Forinstance,ifwerepresentAbythefunction f0:f0;1g2k!IR,
(wheretherstkargumentsoff0standfortherowwhilethelastkargumentsstandfor f0(b1;:::;bk;c1;:::;ck)=A(i;j)wherei=1+kXl=1bl2k�l;j=1+kXl=1cl2k�l
isthemixedterm thecolumn)thenwehavetodealwiththemixedtermlimZ[term0"z0]whereterm0
i1;:::;ik24q(i1;:::;ik)+X
above. Here,qandz0areasbefore.A0istheMTBDDover(#1;:::;#2k)forthefunctionf0of j1;:::;jk[A0(i1;:::;ik;j1;:::;jk)Z(j1;:::;jk)]35:
termswhereweuseMTBDDsasdatastructureforthefunctionsassociatedwiththe Wepresentanalgorithmtocomputethesemantics[:::]Jofthemixedexpressionsand 10.3.3 Computingthesemanticsofthemixedcalculus
(i.e.aslabellingsforthenonterminalnodes)intheMTBDDs. tionalmu-calculus.Theindividualvariablesandthedummyvariablesserveasvariables mixedexpressionsandterms.31Inessential,thealgorithmworkssimilartothealgorithm of[BCM+90]tocomputetheBDDrepresentationsfortheformulasandtermsoftherela-
limitoperator.Animplementationofourmethodmightsuerfromroundingerrors.Thus,theresulting forallstandardmatrixoperationsarederived[CFM+93]. 30Thisconventionimposesarecursivestructureonthematrixfromwhichecientrecursivealgorithms MTBDDforamixedexpressionortermcanbeviewedasanapproximationforthefunction[:::]J.
31Clearly,thecorrectnessofourmethodisuptotheerrorsthatarisefromtheapproximationsforthe

292 CHAPTER10.SYMBOLICMODELCHECKING
MtbddJ[z]denotestheBDD MtbddJ[q]denotestheMTBDDthatconsistsofaterminalvertexlabelledbyq.
00�� �#1@@R
MtbddJ[expr1opexpr2]=ApplyMtbddJ[expr1];MtbddJ[expr2];op 11
MtbddJ[Pz[expr]]=ApplyMtbddJ[expr]jz=0;MtbddJ[expr]jz=1;+ MtbddJ[term(z1;:::;zn)]=MtbddJ[term]f#1 z1;:::;#n zng
MtbddJ[maxz[expr]]=ApplyMtbddJ[expr]jz=0;MtbddJ[expr]jz=1;opmax MtbddJ[minz[expr]]=ApplyMtbddJ[expr]jz=0;MtbddJ[expr]jz=1;opmin
MtbddJ[z1;:::;zn[expr]]=MtbddJ[expr]fz1 MtbddJ[Z]=J(Z)
MtbddJ[limZ[term"term0]]denotestheMTBDDthatisreturnedby #1;:::;zn #ng
MtbddJ[iterateZ[term"kterm0]]denotestheMTBDDthatisreturnedby Iterate(imax;Z;term;term0).
Figure10.9:ComputingtheMTBDDsforthemixedexpressionsandterms Iterate(k;Z;term;term0).
algebraictermtermwithaMTBDDMtbddJ[term]overhIndVar[f#1;:::;#ng;

10.3.A\COMPILER"FORTHEALGEBRAICMU-CALCULUS 293
i:=0;Q0:=MtbddJ[term0]; Repeat
untili=imaxorB=z[1]; B:=MtbddJ[z[jQi�1(z)�Qi(z)j0andsomenaturalnumberimax(themaximalnumber ofiterations).TheprocedureIterate(imax;Z;term;term0)(showninFigure10.10on
Here,wesupposeanextensionof+and ?q=q?=?forallq2IRnf0g,0?=?0=0and?+q=q+?=?forall Q0=MtbddJ[term0],Qi=MtbddJ[Z:=Qi�1][term],i=1;2;:::.
q2IR.Theiterationterminatesifthemaximaldierencebetweenthefunctionvalues offQiandfQi�1islessthan,i.e.ifjfQi�1(b)�fQi(b)j< tooperatorsontheextendedrealswhere
conditionisnotsatisedafterimaxiterationsthen, forthosebitvectorsbwherejfQi�1(b)�fQi(b)j :convergenceofthesequence forallb2f0;1gn.Ifthis
(fQi(b))i0isnot\detected"andweassumethatthelimitoperatorontheextended realsreturns?,
NotethattheBDDBrepresentsthe(characteristicfunctionofthe)set sequence(fQi(b))i0andreturnfQimax(b)asanapproximationforlimfQi(b). forthosebitvectorsbwherejfQi�1(b)�fQi(b)j

294 Thus,thecondition\B=z[1]"isfulllediB=f0;1gnijfQi�1(b)�fQi(b)j

10.4 10.4.SYMBOLICMODELCHECKINGFORPROBABILISTICPROCESSES Symbolicmodelcheckingforprobabilisticpro- 295
Attheendoftheprevioussection,wementionedthatthealgebraicmu-calculus(withthe MTBDD-basedmethodforcomputingthesemantics)yieldsasymbolicmodelchecker cesses
foralllogicsthatarecontainedinthealgebraicmu-calculus;inparticular,weobtain asymbolicmodelcheckerforPCTL.Inthissectionwehaveamoredetailedlookof
beappliedforasymbolicmethodtodecidestrongorweakbisimulationequivalencefor vericationmethodsforprobabilisticprocesses.Section10.4.2isconcernedwithPCTL modelchecking.InSection10.4.3webrieysketchhowtheMTBDD-basedapproachcan howtousethealgebraicmu-calculus(orthemixedcalculus)toobtainMTBDD-based
fullyprobabilisticprocesses. 10.4.1 ThebasicideabehindtheMTBDD-approachistheuseasymbolicrepresentationof aprobabilisticsystembyMTBDDsasin[HarG98](seealso[BCH+97]).Inthefully RepresentingprobabilisticsystemsbyMTBDDs
bybitvectorsoflengthk,thetransitionprobabilityfunctionP:S probabilisticcase,theideasofthenon-probabilisticcase[BCM+90,McMil92,CGL93] wheretransitionsystemsaredescribedintermsofBDDsthatrepresentbooleanfunctions
oftheMTBDDrepresentationofthesystemdependsontheencodingofthestatesand viewedasafunctionf0;1g2k![0;1]anddescribedbyaMTBDD.Ofcourse,thesize (i.e.functionsfrombitvectorsintof0;1g)canbeadapted.Usinganencodingofthestates
thechosenorderingofthevariablesintheMTBDD.Inmostcases,aninterleavingofthe S![0;1]canbe
componentsofthebitvectorsforthestartingstateandtheendstateofthetransitions yieldsanecientrepresentation.Thiscorrespondstothereplacementofthetransition probabilityfunctionPbythefunctionbP:f0;1g2k![0;1],
wherehb1;:::;bkiistheencodingofstatesandhc1;:::;ckitheencodingofstatet. TheresultingMTBDDrepresentationcanbeimprovedusingwell-knowntechniqueslike bP(b1;c1;:::;bk;ck)=P(s;t)
Rudell'ssiftingalgorithm[Rude93]orotherheuristics,seee.g.[FMK91,MKR92,BMS95].
tothereceiver.Withprobability1 consideravariantofthesimplecommunicationprotocolofExample1.2.1(page19). Thesendersendsamessagetothemedium,whichinturntriestodeliverthemessage Example10.4.1[MTBDDrepresentationofthecommunicationprotocol]We
triesagaintodeliverthemessage.Withprobability1 100,themessagesgetlost,inwhichcasethemedium
simplicity,weassumethattheacknowledgementcannotbecorruptedorlost.Wedescribe orfaulty)messageisdeliveredthereceiveracknowledgesthereceiptofthemessage.For delivered);withprobability98 100,thecorrectmessageisdelivered.Whenthe(correct 100,themessageiscorrupted(but
thesysteminasimpliedwaywhereweomitallirrelevantstates(e.g.thestatewhere states: thereceiveracknowledgesthereceiptofthecorrectmessage).Weusethefollowingfour sinit:thestateinwhichthesenderpassesthemessagetothemedium,

296 '- CHAPTER10.SYMBOLICMODELCHECKING
sinit 00
1 11stry1
0:98
serror 10 0:010:011 ? $
����JHHj
HYJHJJJJ
%
Figure10.12:Thesimplecommunicationprotocol slost 01
serror:thestatereachedwhenthemessageiscorrupted slost:thestatereachedwhenthemessageislost, stry:thestateinwhichthemediumtriestodeliverthemessage,
andtheencodingcode(sinit)=00,code(stry)=11,code(slost)=01,code(serror)=10. Then,theassociatedfunctionbP:f0;1g4![0;1]isgivenby: (b1;c1;b2;c2)7!8>: 1 0 100:ifb1c1b2c22f1011;1110g 100:ifb1c1b2c2=1010 98 1 :ifb1c1b2c22f0101;0111;1000g
ThesystemandtheencodingsareshowninFigure10.12(page296);theMTBDDrepresentationinFigure10.13(page296).Thethicklinesstandforthe\right"edges,thethin :otherwise.
#2 nJJJJ^
9 #1 nXXXXXXXXz#2 n
#4 n #3 #4 n n= ZZZZZZ~ AAAAAU ? QQQQs#4
n #4 n#3
n
�� �
&-0 &- 1 0:98 @@R % 0:01%
%
� ��
linesforthe\left"edges. Figure10.13:TheMTBDDrepresentationofthesimplecommunicationprotocol
beaniteaction-labelledfullyprobabilisticsystem.Weuseanencodingoftheactions
Similarly,wecandealwithaction-labelledfullyprobabilisticsystems.Let(S;P;Act)

inf0;1gh(whereh=dlogjActje)andstatesinf0;1gkandreplacePbyafunction 10.4.SYMBOLICMODELCHECKINGFORPROBABILISTICPROCESSES 297
DealingwithaconcurrentprobabilisticsystemS=(S;Steps),thesituationismore complicatesincetheoutgoingtransitionsofastatesaregivenbySteps(s)whichisaset bP:f0;1g2k+h![0;1]thatwerepresentbyaMTBDD.
extendthei-thtransitionofsbyits\identicationnumber"ianddealwithatransition probabilityfunction ofdistributionsonthestatespaceS.OnepossibilitytogetaMTBDD-representation ofSistoxanenumerations1;s2;:::;smsoftheoutgoingtransitionsofs.Then,we
mmax=maxs2SjSteps(s)j)andsiisthei-thdistributioninSteps(s)accordingtothe whereId#standsforthesetofidenticationnumbers(e.g.Id#=f1;:::;mmaxgwhere S Id#S![0;1],(s;i;t)7!si(t)
representedbyaMTBDD.Asfarastheauthorknows,whetherornotsuchaMTBDD- Then,usinganencodingforthestatesandidenticationnumbersbybitvectors,theabove functionSId#S![0;1]canbeviewedasafunctionfrombitvectorsintotherealsand xedenumerationofSteps(s).(Here,weputsi(t)=0forallt2Sifi>jSteps(s)j.)
(orP:SActS![0;1]intheaction-labelledcase)inamorenaturalway.Thisisthe probabilisticsystemwhosetransitionscanbedescribedbyafunctionP:S isnotyetinvestigated.34However,itseemstobemuchsimplertorequireaconcurrent representationofaconcurrentprobabilisticsystemisecientforvericationpurposes
3.3.11,page52).35Inthatcase,wecanusethesameideasasfornon-probabilisticorfully caseforstratiedsystems(cf.Notation3.2.4,page40)orreactivesystems(cf.Notation S![0;1]
probabilisticsystemsanddealwithanencodingofthestates(andactions)bybitvectors whichturnstheabovetransitionprobabilityfunctionPintoafunctionfrombitvectors intotherealsandallowsforanaturalsymbolicrepresentationbyaMTBDD.
an\equivalent"booleantermbterm.Forthistransformation,weused1-aryfunction 10.4.2 InSection10.2.3(page279)wesawthatanyPCTLformula SymbolicmodelcheckingforPCTL
symbolsSata(thatrepresentthesetsSat(a)=fs2S:a2L(s)g)andabinaryfunction symbolP(thatrepresentsthetransitionprobabilitymatrixP).Toobtainasymbolic canbetransformedinto
modelcheckingalgorithmforPCTL,wetranslatebtermintothemixedcalculusand applythealgorithmtocomputetheBDDrepresentationformixed(bterm).Forthis,we
stratiedsystems,wealsoneedaBDDSprobthatrepresentsthesetSprobofprobabilistic forthe(characteristicfunctionsof)thesetSat(a)=fs2S:a2L(s)g.Dealingwith above.Moreover,foreachatomicpropositiona,weneedaBDDrepresentationSata needtheMTBDDrepresentationPforthetransitionprobabilitymatrixPasdescribed
states.Then,themixedtermmixed(bterm)isobtainedfrombtermbyreplacingthe theindividualvariabless,t(thatweusedinthealgebraictermstorangeoverthestates) functionsymbolsSata,SprobandPbythecorresponding(MT)BDDsSata,SprobandP;
seemtobequitecomplicatebecauseoftheauxiliary(meaningless)componentsfortheidentication numbers. 34Theauthordoubtswhetheritis.TheoperatorsontheseMTBDDsthatwewouldhavetoperform asconcurrentprobabilisticsystems.
35RecallthatinSection3.2,page40,wearguedthatstratiedsystemshavethesameexpressiveness

298 byk-tuples(s1;:::;sk),(t1;:::;tk)ofindividualvariables(wheree.g.sistandsforthei-th CHAPTER10.SYMBOLICMODELCHECKING
basedonadescriptionofPbythefunctionbPthatinterleavesthebitsforthestartingand endstateofthetransitionsthenanysubexpressionP(s;t)ofbtermhastobereplacedby componentoftheencodingofstates).Forexample,iftheMTBDDrepresentationPis P(s1;t1;:::;sk;tk).Weobtainaclosedmixedtermmixed(bterm)wheretheassociated
Example10.4.2WeconsiderthesysteminExample10.4.1(page295).Weusetwo BDD{thatwegetbyapplyingthealgorithmforcomputingthesemanticsofthemixed
atomicpropositionsa1,a2andthelabellingfunction calculus{representsthecharacteristicfunctionofSat()=fs2S:sj=g.36
WeregardthePCTLformula error=a1^:a2(i.e.Sat(error)=fserrorg), L(sinit)=;,L(stry)=fa1;a2g,L(slost)=fa2g,L(serror)=fa1g.
del=:a1^:a2(i.e.Sat(del)=fsinitg). =Prob>0:989898(')where'=:errorUdeland
>0:989898wheninterpretedoverthestatestry.Wedescribehowourmethodworksto gettheBDDforthePCTLformula.Forthis,werstconstructtheMTBDDforthe pathformula'.Thealgebraictermterm'is(moreprecisely,canbereformulatedto) Intuitively, statesthatthemessagewilleventuallybedeliveredwithsomeprobability
Hence,wegetthemixedtermlfpZ[s1;s2[expr]]whereexpris lfpZ"s"max(Satdel(s);(1�Saterror(s)) Xt[P(s;t)Z(t)]!)##
Then,ouralgorithmappliedtothatmixedtermusestheprocedureIterate()(see Figure10.10,page293)whichsuccessivelycomputestheMTBDDsQ0;Q1;Q2;:::forthe max8

10.4.SYMBOLICMODELCHECKINGFORPROBABILISTICPROCESSES #1 299
0#21��1@@@R-0 ? ��
0 1 #20 #1
0 1 1
? � ��� @@@R-
1 0
Figure10.14:TheBDDsCandSatdel
#2 #1
0 �0��
��@@@R
11 1
1��� @@@R ����#2@@@R0
Figure10.15:TheMTBDDQ3forthemixedtermterm3 0:98 0
todenoteafunctionf:f0;1g2!IR.Notethat whereweusethevectornotation(f(0;0);f(0;1);f(1;0);f(1;1))(writtenasacolumn)
fQi+1(0;0)=1asfSatdel(0;0)=1, fQi+1(1;0)=0asfB(1;0)=0andfSatdel(1;0)=0, fQi+1(0;1)=fQi(1;1)asfB(0;1)=1,fSatdel(0;1)=0and
fQi+1(1;1)=98 fP(0;c1;1;c2)=(1:ifc1c2=11
asfB(1;1)=1,fSatdel(1;1)=0and 100fQi(0;0)+1 100fQi(0;1)+1 0:otherwise 100fQi(1;0)
fP(1;c1;1;c2)=8>:98 0 100:ifc1c2=00 100:ifc1c22f01;10g 1
someMTBDDQiasanapproximationforthefunctions7!ps(')whichisgivenby Forinstance,theMTBDDQ3isshowninFigure10.15(page299).Ouralgorithmreturns :ifc1c2=11.
pslost(')=pstry(')=98
plainedabove)andthenevaluatesthemixedterm ForthePCTLformula algorithmcomputestheMTBDDQfor'(asex- =Prob>0:989898('),our 99,pserror(')=0andpsinit(')=1. #1
whichyieldstheBDDshownontheright. s1;s2[Q(s)>0:989898] 0@@@R� 1 1
1?
��� #2@@@R00

300 10.4.3 Decidingbisimulationequivalence CHAPTER10.SYMBOLICMODELCHECKING
systemcanbecharacterizedasthegreatestxedpointofamonotonicset-valuedoperator Inthenon-probabilisticcase,thesetofbisimulationequivalenceofalabelledtransition [Miln89].IfSisthestatespacethenthesetofbisimulationequivalenceclassesisthe greatestxedpointofF:2SS!2SSwhereF(Z)isthesetofpairs(s;s0)2Zsuch that,foralla2Act:
OnthebasisofTarski'sxedpointtheorem,thisobservationleadstoaniterativemethod (2)s0a (1)sa �!timpliess0a �!t0impliessa �!t0forsomet02Swith(t;t0)2Z
forcomputingthebisimulationequivalencerelation: �!tforsomet2Swith(t;t0)2Z.
Clearly,eachoftherelationsFi(S S,thesetF(Z)consistsofallpairs(s;s0)2Zsuchthat,foralla2Actandt2S: =gfp(F)=\i0Fi(S S)isanequivalence.ForZtobeanequivalenceon S):
Burchetal[BCM+90](seealso[EFT93])takeupthischaracterizationof bythefollowingtermoftherelationalmu-calculus sa �!t0forsomet02Swith(t;t0)2Zis0a �!t0forsomet02Swith(t;t0)2Z.
bterm=gfpZ[s;s0[8a8t[bexpr]]] anddescribe
yieldsasymbolicmethodforcomputingbisimulationequivalenceclasses. theBDD-basedmethodof[BCM+90]toevaluatethetermsoftherelationalmu-calculus wherebexpris9t0[Z(t;t0)^R(s;a;t0)] $ 9t0[Z(t;t0)^R(s0;a;t0)]:37Thus,
denitionofbisimulationequivalenceforprobabilisticsystems.38Weconsideranite action-labelledfullyprobabilisticorreactivesystemS=(S;Act;P)anduseaternary functionsymbolPtorepresentP.Asinthenon-probabilisticcase,bisimulationequiv- Wenowexplainhowthisideacanbeadaptedfortheprobabilisticcase.Recallthe
foralla2Actandt2S:Xt02S
theoperatorF:2SS!2SSwhereF(Z)isthesetofallpairs(s;s0)2Zsuchthat, alencecanbedescribedasthegreatestxedpointofanoperatoron2SS.Weconsider
First,weobservethat{incontrasttothenon-probabilisticcase{thisoperatorisnot monotonic.Forinstance,considerthesystemshowninFigure10.16(page301).LetZbe (t;t0)2ZP(s;a;t0)=Xt02S (t;t0)2ZP(s0;a;t0):
thesmallestequivalencerelationonSthatcontains(s;s0)andthatidentiesthestates andtheset v1,v2,v0andZ0=Z[f(v0;u0)g.Then,wehaveZ instance,(s;s0)2F(Z)nF(Z0).Toseewhy(s;s0)=2F(Z0)considerthestatet=v0 Z0whileF(Z)6F(Z0).For
�!SActS. 38SeeSection3.4.1,Denition3.4.1(page54)andDenition3.4.2(page54).
37Here,Risaternarypredicate(function)symbolthatrepresentstheunderlyingtransitionrelation T=ft02S:(t;t0)2Z0g=ft02S:(v0;t0)2Z0g=fv1;v2;v;u0g:

10.4.SYMBOLICMODELCHECKINGFORPROBABILISTICPROCESSES s 301
v1a,14 s0
������ v2 ? a,14 @@@@@R a,12u v0 a,12 JJJJJ^ a,12
Figure10.16: u0
booleanterm40gfpZ[s;s0[8a8t[bexpr]]]wherebexpris Then,P(s;a;T)=12

302 wecanusethealgebraicmu-calculustodescribe(avariantof)thealgorithmproposed CHAPTER10.SYMBOLICMODELCHECKING
inSection7.2(page164).TheresultingMTBDD-basedmethodjustusesiterationson boolean-valuedfunctionstocomputeleastxedpointsofmonotonicset-basedoperators (ratherthaniterationsonreal-valuedfunctions).42Forthis,weuseavariantoftheresults
deneamonotonicoperatorGontheequivalencerelationsonSasfollows.LetZbean andwhereanalternativecharacterizationofbranchingbisimulationisusedasbasisfor analgorithmtocomputethebranching(orweak)bisimulationequivalenceclasses.We presentedinChapter7whereweakandbranchingbisimulationareshowntobethesame
equivalencerelationonS.Then,
where(a;C)rangesoverallpairs(a;C)2Act G(Z)=\a;Cf(s;s0):sands0arecontainedinthesameblockofRene(S=Z;a;C)g
relationonSthatidentiesalldivergentstates(statesthatcannotreachastatewherea isdenedasinNotation7.2.13(page168).TheinitialrelationZinitisthoseequivalence visibleactioncanbeperformed)andallnon-divergentstates,i.e. S=ZandwheretheoperatorRene()
whereDivisthesetofdivergentstates(seeDenition7.2.14,page168).Then, Zinit G(Zinit) Zinit=Div G(G(Zinit)) Div[(SnDiv)(SnDiv)
Thus,theBDDrepresentationfor correspondingtothefollowingbooleanterm. canbeobtainedbyevaluatingthemixedterm :::and =Gi(Zinit)forsomei.
InitandGZarebooleantermsthatrepresentthesetsZinitandG(Z).Forthedenitionof InitandGZweusethenotations(i.e.expressionsoftheformterm(1;:::;n))explained limZ[s;s0[GZ(s;s0)"Init]]
ofInitweusethefollowingfact.SnDivistheleastsetY onpage267.Moreover,weuseexpressionslike\a6="(whereaisanindividualvariable Eisan1-aryfunctionsymbolthatrepresentsthesingletonsetfg.Forthedenition and2Actthesymbolfortheinternalaction)todenotethebooleanterm:E(a)where
(thesetofstateswhereavisibleactioncanbeperformed)and,whenevert2Y,a2Act Vis=fs2S:P(s;)>0forsome2Actnfgg Sthatcontains
whereVis=s[9a9t[(a6=)^(P(s;a;t)>0)]]and andP(s;a;t)>0thens2Y.WedeneInitby
Vis=lfpY[s[Vis(s)_9a9t[Y(t)^(P(s;a;t)>0)]]: Init=s;s0[Vis(s)$Vis(s0)]
ThedenitionofGZreliesonthefollowingobservation.43LetZbeanequivalencerelation onS.WedenePZ(s;a;t)=P(s;a;[t]Z)andSZ=fs2S:P(s;;[s]Z)

SplitZbethesetofpairs(s;s0)2Zwheres,s02SZand,foralla2Actandt2S:if 10.4.SYMBOLICMODELCHECKINGFORPROBABILISTICPROCESSES 303
a6=or(s;t)=2Zthen
AZdenotestherelationconsistingofthosepairs(s;t)2Zwhereeither(s;t)2SplitZor 1�PZ(s;;s)= PZ(s;a;t) 1�PZ(s0;;s0): PZ(s0;a;t)
i=0;:::;k�1and(sk;t)2SplitZ.Alternatively,AZcanbedescribedastheleastxed pointoftheoperatorH:2SS!2SS, thereexistsanitepath =s0!s1!:::!sksuchthatk 1,s0=s,si2SnSZ,
toseethat(s;t)2BZit2SZands,tbelongtothesameblockofRene(S=Z;a;C) BZisthesetofpairs(s;t)2AZsuchthat(s;t0)2AZimplies(t;t0)2SplitZ.Itiseasy H(X)=SplitZ[f(s;t):s=2SZ^9u2S[(P(s;;u)>0)^(u;t)2X]g:
forany(a;C)2Act t2Swith(s;t)2BZ,then G(Z)=f(s;s0)2Z:s;s02ResZ_9t[(s;t);(s0;t)2BZ]g: S=Z.Thus,ifResZisthesetofallstatess2Swherethereisno
Fromthis,wederivethedenitionofthealgebraictermGZ.Wedene
whereweusethefollowingauxiliaryalgebraic(orboolean)terms. GZ= s;s0[Z(s;s0)^((ResZ(s)^ResZ(s0))_9t[BZ(s;t)_BZ(s0;t)])]
P0Z=s;a;t[PZ(s;a;t)%(1�PZ(s;;s))], PZ=s;a;t[Pu[Z(t;u)P(s;a;u)]], SZ=s[PZ(s;;s)0)^X(u;t)]]], SplitZ=s;s0[Z(s;s0)^SZ(s)^SZ(s0)^
BZ=s;t[AZ(s;t)^8t0[AZ(s;t0)!SplitZ(t;t0)]], 8a8t[((a6=)_:Z(s;t))!(P0Z(s;a;t)=P0Z(s0;a;t))]],
ResZ=s[:9t[BZ(s;t)]].

304 CHAPTER10.SYMBOLICMODELCHECKING

Chapter11
Concludingremarks
Insummary,whentheauthorstartedtoworkonprobabilisticsystemsintheendof1995, alotofexcellentresearchhadalreadybeendoneinthiseld.Inthisthesis,shetriedto thatarecloselyrelatedtothetopicsofthisthesiswementionjustafew. Onlyafewresearchhasbeendonesofarinthedevelopmentofalgorithmicmethodsfor llafewgapsbuttherearestillavarietyofinterestingopenquestions.Amongthose
systems(e.g.weakorbranchingbisimulationalaSegala&Lynch[SeLy94]).Thisismost establishinganimplementationrelationbetweentwosystems;inparticular,theliterature (still)lacksforalgorithmsthatcancheckaweakequivalenceforconcurrentprobabilistic importantforthemechaniseddesignandthesystemanalysissincetheweakrelationsare level"system(theimplementation)andthatplayacrucialroletoreducethestatespacethosethatareneededtocomparea\high-level"system(thespecication)anda\lowanalternativecharacterizationofweakbisimulationequivalencebymeansofthemini- byabstraction.RecentworkbyPhilippou,Sokolsky&Lee[PSS98]andbyStoelinga,
mal/maximalprobabilitiesofcertaineventsunderalladversaries.Stoelinga&Vaandrager Vaandragerandtheauthor[BSV98]arerstattemptsinthisdirection.[PSS98]present
[StVa98]proposetoadapttheconceptofnormedsimulations[GriVa98]fortheprobabilis- analgorithmfordecidingweakbisimulationequivalenceforstratiedsystemswhichuses
ticsettingthusyieldingaquitesimplecharacterizationofbranchingsimulations.Itseems tobethecasethatthischaracterizationcanserveasthebasisofanalgorithmforchecking whethertwoconcurrentprobabilisticsystemsarebranching(bi-)similar[BSV98]. Anopenproblemthatconcernsthedesignofprobabilisticsystemsisthequestionwhether satisabilityofPCTL(orthefulllogicPCTL)isdecidablewithrespecttoanyofthe
[EmCl82,MaWo84,AtEm89,PnRo89]). satisfactionrelations.Possibly,adecisionprocedureforsatisabilitymightserveasa basisforanautomaticsynthesisofprobabilisticprocessesfulllingagivenspecication
Eventhoughalgorithmicvericationforestablishingqualitativeorquantitiveproperties intheformofasatisablePCTLformula(asitisthecasefornon-probabilisticsystems
forconcurrentsystemsareknown,forrealisticapplications,thecompletenessfordouble exponentialtimeforLTLmodelcheckingintheconcurrentprobabilisticcase(shown methodisbasedonaGreedyalgorithmandrunsinsingleexponentialtimeandneeds byCourcoubetis&Yannakakis[CoYa95])seemstobefatal.In[BKN98],weproposea methodforcomputinglowerandupperboundsforthevaluespmax s(')andpmin s(').This
305

306 polynomialspace.Intheworstcase,theobtainedboundsmightbefarawayfromthe CHAPTER11.CONCLUDINGREMARKS
bedesirabletohaveecientmethods(PTASs)thatapproximatethevaluespmax ofthismethodhasstilltobeworkedoutonthebasisofexperimentalresults.Itwould precisevalues;e.g.itispossibletoobtain0aslowerand1asupperbound.Thequality
explosionproblemforprobabilisticsystemsconcernstheMTBDDapproach[CFM+93, pmin Mostresearchthathasbeendonesofarintheeldofmethodsthatattackthestate s('). s(')and
HMP+94,BCH+97,HarG98].Itwouldbeinterestingwhetherthepartialorderreduction techniques[Pele93,Valm94,Gode94]canbemodiedfor(concurrent)probabilisticsystems.RecentworkbyBiereetal[BCC+98]showsthat,fornon-probabilisticsystems, symbolicLTLmodelcheckingisalsopossiblewithoutBDDs,usingareductiontothe satisabilityproblemforpropositionallogic.Itwouldbeveryinterestingwhethersimilar ideas(e.g.usingarithmeticequationsratherthanpropositionalformulas)areapplicable
space.Firstattemptsinthisdirectionaretheinvestigationofprobabilisticlossychannel Anotherinterestingpointistheinvestigationofprobabilisticsystemswithaninnitestate forprobabilisticsystems.
systems(PLCSs);see[IyNa97]whereanappoximativemethodforverifyingquantitative propertiesisproposedand[BaEn98]whereitisshownthatqualitativeLTLmodelcheck- LCS(andissolvablewiththemethodsof[AbJo93]).
ingforPLCSscanbereducedtoareachabilityproblemintheunderlyingnon-probabilistic

Chapter12
Appendix
Inthischapterwerecallsomedenitionsandmethodsoftheliterature.Section12.1 summarizesthenecessarybackgroundthatweneedforthedenotationalsemanticsin
chapter. Chapter5.Section12.2brieyexplainsournotationsconcerningorderedbalancedtrees, Section12.3recallsthedenitionofMTBDDs.Thenotationsintroducedinoneofthe Sections12.1,12.2or12.3arenotusedwithoutareferencestotherelevantpartsofthis
12.1 models Mathematicalpreliminariesforthedenotational
InChapter5weusethestandardproceduretogivedenotationalsemanticsinthemetric
12.1.1,12.1.2and12.1.3.InSection12.1.4,webrieyrecallthenotionofan\evaluation" methodsforsolvingrecursivedomainequations.ThesearebrieysummarizedinSections needsomebasicnotionsofdomaintheory,thetheoryofmetricspacesandcategorical andpartialorderapproachandtheprobabilisticpowerdomainofevaluations.Here,we
12.1.1 onatopologicalspaceasintroducedbyJones&Plotkin[JoPl89,Jone90].
detailscanbefounde.g.in[GHK+80,AbJu94,SLG94]. Webrieyrecallsomebasicnotionsofdomaintheoryandexplainournotations.Further Basicnotionsofdomaintheory
Preordersandpartialorders:ApreorderonasetDisabinaryrelationonDwhich
byvDorshortlyv.ApointedposetisaposetDwhichhasabottomelement(denoted ordervonD(i.e.visanantisymmetricpreorderonD).WeoftenwriteDinsteadof (D;v).IfnothingelseissaidthentheunderlyingpartialorderofaposetDisdenoted isreexiveandtransitive.Aposetisapair(D;v)consistingofasetDandapartial
XisnonemptyandX#=X.Similarly,XiscalledrightclosedorupwardclosediXis putX#=Sx2Xx#andX"=Sx2Xx".Xiscalledleftclosedordownwardclosedi by?Dorshortly?),i.e.?vxforallx2D.IfDisaposetandx2Dthenweput x#=fy2D:yvxgandx"=fy2D:xvyg.LetXbeasubsetofaposetD.We
307

308 nonemptyandX"=X.Anelementx02DiscalledanupperboundofXixvx0 CHAPTER12.APPENDIX
forallx2X.x0iscalledtheleastupperboundofXix0isanupperboundofXsuch denotedbyFXorlub(X).XiscalleddirectedieverypairofelementsinXhasan thatx0vyforeachupperboundyofX.TheleastupperboundofX(ifitexists)is
calledadirected-completepartialorder(shortlydcpo).1A!-chaininadcpoDisan upperbound. Dcpo's:ApointedposetinwhicheachdirectedsubsetXhasaleastupperboundis innitemonotonesequenceinD,i.e.asequence(xn)n0inDsuchthatx0vx1v:::. For(xn)n0tobea!-chain,wewriteFn0xnorbrieyFxntodenotetheleastupper
calledmonotoneixvDyimpliesf(x)vD0f(y).fiscalledd-continuousi,foreach d-continuityandstrictness:LetD,D0bedcpo'sandf:D!D0afunction.fis boundoffxn:n 0g.
directedsubsetXofD,f(FX)=Ff(X).(Inparticular,iffisd-continuousthenfis monotone.)fiscalledstrictif(?D)=?D0. Tarski'sxedpointtheorem:2WheneverDisadcpoandf:D!Dad-continuous functionthenfhasaleastxedpointlfp(f).Moreover,lfp(f)=Ffn(?).
topologywhoseclosedsetsarethedownward-closedandlub-closedsubsetsofD.ForAtobeanonemptysubsetofD,AcldenotestheScott-closureofA,i.e.thesmallestScott- Scott-Topology:AsubsetAofadcpoDiscalledlub-closediforeverydirectedsubset XofAwehaveFX2A.WealwayssupposeadcpoDtobeequippedwiththeScottclosedsubsetcontainingA.Wedene;cl=f?g.Then,forAtobeniteandnonempty, Acl=A#.
Continuousdomains:Letx,ybeelementsofadcpoD.Wesayyapproximatesx Scott-closedsubsetsofDorderedbyinclusion. Hoarepowerdomain:IfDisadcpothenPowHoare(D)isthedcpoofnonemptyand
subsetBofDsuchthatforeachx2DthesetB\Approx(x)containsadirectedsubset withleastupperboundx.Acontinuousdomainisadcpowhichhasabasis. iforalldirectedsubsetsXofD,xvFXimpliesyvzforsomez2X.Approx(x) denotesthesetofelementsy2Dsuchthatyapproximatesx.AbasisofadcpoDisa
Functionspaces:IfXisasetandDadcpothenthefunctionspaceX!D(ofall functionsf:X!D)issupposedtobeequippedwiththepartialorderf1vf2i thefunctionX!D,x7!?Dandwhere,foreachdirectedsetoffunctionsf:X!D, f1(x)vDf2(x)forallx2D.NotethatX!Disagainadcpowhosebottomelementis theleastupperboundFisgivenby:(F)(x)=Fff(x):f2g.Inparticular,if (fn)isa!-chaininX!Dthen(Ffn)(x)=Ffn(x).
whichexistforallnonemptysubsetsof[a;b]orsequencesin[a;b].Weconsiderthefunction \inf"todenoteleastupperbounds(suprema)orgreatestlowerbounds(inma)in[a;b] ThefunctionspaceX![a;b]:Clearly,anycompactinterval[a;b]ofrealnumbers (wherea

12.1.PRELIMINARIESFORTHEDENOTATIONALMODELS spaceXequippedwiththeinducedorder, 309
supi2Ifiorbrieysupfi)denotesthefunctionX![a;b],x7!supf2f(x).Similarly, inff2f(orinfi2Ifiorbrieyinffi)denotesthefunctionX![a;b],x7!inff2f(x). alsodenotedby,asexplainedbefore,i.e.f =ffi:i2Igisanonemptyfamilyoffunctionsf:X![a;b]thensupf2f(or f0if(x) f0(x)forallx2[a;b].If
WesaythatafunctionF:(X![a;b])!(X![a;b])preservessupremai,forall nonemptysets offunctionsf:X![a;b],
Similarly,Fpreservesinmai,forallnonemptysets F sup f2f!=sup f2F(f):
Proposition12.1.1LetF:(X![a;b])!(X![a;b])beamonotoneoperator.Then, F(inff2f)=inff2F(f). offunctionsf:X![a;b],
Fhasagreatestxedpointgfp(F)andaleastxedpointlfp(F).gfp(F)andlfp(F)are givenby whereF=ff:X![a;b]:f preservesinmathen gfp(F)=sup f2Ff;lfp(F)=inf F(f)g,F=ff:X![a;b]:f f2Ff
gfp(F)=inf n0Fn(fb) F(f)g.IfF
wherefb(x)=bforallx2X.Similarly,ifFpreservessupremathenlfp(F)= Proof: supn0Fn(fa)wherefa(x)=aforallx2X.
Remark12.1.2Forhigher-orderoperatorswithmorethanone(function)arguments, e.g.operatorswhoseargumentsarepairshf;giwheref:X![a;b]andg:Y![c;d] easyverication.
arefunctions,monotonicityisnotasucientconditionfortheexistenceofleast/greatest holds.Formally,letk (resp.least)xedpointsexistsandananaloguetothesecondpartofProposition12.1.1 xedpoints.3Nevertheless,iftheoperatorpreservesinma(resp.suprema)thengreatest
isafunction.Thepartialorder numberssuchthatai

310 12.1.2 Metricspaces CHAPTER12.APPENDIX
seee.g.[Dugu66,Suth77,Enge89].Webrieyrecallthedenitionsthatweareusedin Basicnotionsconcerningmetricspacescanbefoundinanystandardbookabouttopology,
suchthat,forallx,y,z2M, thatthesisandexplainournotations. Metricandultrametricspaces:AmetriconasetMisafunctiond:MM![0;1]
An(ultra-)metricspaceisapair(M;d)consistingofasetMandan(ultra-)metricdon Ametricdiscalledanultrametrici,forallx,y,z2M,d(x;z) d(x;y)=d(y;x),d(x;y)=0ix=y,d(x;z) d(x;y)+d(y;z).
M.WeoftenwriteMratherthan(M;d)andrefertodasthedistanceonM.Wealways supposethattheunderlyingdistanceonametricspaceM{whichwealwaysdenoteby maxfd(x;y);d(y;z)g.
dMorshortlyd{satisesd Non-expansiveandcontractingfunctionsandembeddings:Letf:M!M0 beafunction.fiscallednon-expansiveidM0(f(x);f(y)) 1.Inwhatfollows,letM,M0bemetricspaces.
M.fiscalledcontractingithereexistsarealnumberCwith00thereexistsN N.If(xn)isasequenceinMandx2Mthenxiscalledthelimitof 0withd(xn;xm)
convergingor(xn)convergestox.AsubsetXofMiscalleddenseinMi,foreach x2X,thereisaconvergingsequence(xn)n0inXsuchthatx=limxn. foralln N.Asinstandardanalysis,iflimxnexiststhenwesay(xn)is 0with
andanembeddinge:M!M0suchthate(M)isdenseinM0.Ifeisunderstoodfrom thecontext(ornotofinterest)thenwebrieysaythatM0isacompletionofM. completionofametricspaceMisapair(M0;e)consistingofacompletemetricspaceM0 Completeness:MiscalledcompleteieachCauchysequenceinMhasalimit.A
Banach'sxedpointtheorem:Eachcontractingfunctionf:M!Monacomplete Cauchysequencewithx(f)=limfn(x). Functionspaces:IfXisasetandMcompletethenthefunctionspaceX!M metricspaceMhasauniquexedpointx(f).Moreover,foreachx2M,(fn(x))isa
equippedwiththedistanced(f1;f2)=sup x2MdM(f1(x);f2(x))

12.1.PRELIMINARIESFORTHEDENOTATIONALMODELS isalsoacompletemetricspace.ForeachCauchysequence(fn)inX!M,thelimit 311
limfn:X!Misgivenby(limfn)(x)=limfn(x). ThepowerdomainPowcomp(M):AsubsetXofMiscalledcompactieachinnite sequenceinXcontainsaconvergentsubsequencewhoselimitbelongstoX.Powcomp(M) denotesthecollectionofcompactsubsetsofM.IfMiscompletethenPowcomp(M) equippedwiththeHausdormetric
isacompletemetricspace(see[Kura56]). d(X;Y)=max(sup x2Xinf y2Yd(x;y);sup y2Yinf x2Xd(x;y))
12.1.3 WebrieyexplainthemethodsofRutten&Turi[RuTu93]andAbramsky&Jung [AbJu94]forsolvingrecursivedomainequationsformetricspacesordcpo's.Werefer Categoricalmethodsforsolvingdomainequations
theinterestedreaderto[SmPl82,MajC88,AmRu89,MajC89,MaZe91,EdSm92,Barr93] formoreinformationsabouthowtosolverecursivedomainequations.Forthedenitionof categoriesandfunctors(andotherrelatednotions)seee.g.[McLan71,AHS90,BaWe90]. Coalgebrasandxedpointsoffunctors:LetCatbeacategoryandF:Cat!Cata functor.AcoalgebraofFisapair(X;e)consistingofanobjectXofCatandamorphism
(X;e)ofFsuchthateisanisomorphisminCat.Axedpoint(X;e)ofFiscalled e:X!F(X)inCat.Acoalgebra(X;e)ofFiscallednaliitisanalobjectin morphismf:X0!XinCatwithF(f)e0=ef.AxedpointofFisacoalgebra thecategoryofallcoalgebras,i.e.iforeachcoalgebra(X0;e0)ofFthereexistsaunique
inCatwithF(f)e0=ef.FinalcoalgebrasofFarealwaysnalxedpoints(see e.g.[RuTu93]).Axedpoint(X;e)ofFiscalledinitialiforeachxedpoint(X0;e0) ofFthereexistsauniquemorphismf:X!X0inCatwithF(f)e=e0f.We naliforeachxedpoint(X0;e0)ofFthereexistsauniquemorphismf:X0!X
(X0;e0)ofFthereexistsauniqueisomorphismf:X!X0inCatwithF(f)e=e0f. ornotofinterestthenweshortlywriteXinsteadof(X;e). Iftheunderlying(iso-)morphismeofacoalgebraorxedpointisclearfromthecontext say(X;e)istheuniquexedpointofFi(X;e)isaxedofFandforeachxedpoint
Categoriesusedinthatthesis:
CONT?thecategoryofcontinuousdomainsandstrict,d-continuousfunctions. CUMthecategoryofcompleteultrametricspacesandnon-expansivefunctions, SETdenotescategoryofsetsandfunctions,
continuous.Here,D�!strict&dcontD0denotesthesetofstrictandd-continuousfunctions CONT?!CONT?iscalledlocallyd-continuousif,forallcontinuousdomainsD,D0, Categoricalmethodsforsolvingrecursivedomainequations:AfunctorF:
oflocallyd-continuousfunctorsCONT?!CONT?islocallyd-continuous.Asshownin fromDtoD0(i.e.thesetofCONT?-morphismfromDtoD0).Clearly,thecomposition thefunction(D�!strict&dcontD0)!(F(D)�!strict&dcontF(D0)),f7!F(f),isd-
point.
[AbJu94],eachlocallyd-continuousfunctorF:CONT?!CONT?hasaninitialxed

312 LetF:CUM!CUMbeafunctor.ForM,M0tobecompleteultrametricspaces, CHAPTER12.APPENDIX
completeultrametricspacesM,M0andallnon-expansivefunctionsfi:M!M0, numberCwith0 CUM-morphismfromMtoM0.Fiscalledlocallycontractingithereexistsareal M�!nexpM0denotesthesetofnon-expansivefunctionsM!M0,i.e.thesetof
i=1;2,i.e.ithefunction(M�!nexpM0)!(F(M)�!nexpF(M0)),f7!F(f),is contractingwithcontractingconstantC.Similarly,Fiscalledlocallynon-expansivei C

12.1.PRELIMINARIESFORTHEDENOTATIONALMODELS ItiseasytoseethatthefunctorsPowandFAarewell-denedandthatPowHoareand 313
contracting. Fcont A arelocallyd-continuous,Powcompislocallynon-expansivewhileFcum A islocally
12.1.4 WerecallthedenitionofevaluationsontopologicalspacesasintroducedbyJones& Plotkin[JoPl89,Jone90]. Evaluations
notesthesetofopensetsinX.AfunctionE:Opens(X)![0;1]iscalledanevaluation5Evaluations(cf.[JoPl89,Jone90]):ForXtobeatopologicalspace,Opens(X)de- ithefollowingthreeconditionsaresatised: 1.If(Ui)i2IisadirectedfamilyofopensetsUiinX(i.e.(Ui)i2IisafamilyinOpens(X) suchthatforalli,j2Ithereexistsk2IwithUi E [i2IUi!=sup i2IE(Ui): UkandUj Uk)then
2.E(U\U0)+E(U[U0)=E(U)+E(U0)
ofevaluationsonX.Clearly,foreachevaluationE2Eval(X),E(;)=0,and,whenever TheprobabilisticpowerdomainofevaluationsEval(X)ofatopologicalspaceXistheset 3.E(X)=1
ThefunctionEval(f):IfX,X0aretopologicalspacesandf:X!X0isacontinuous U,U02Opens(X)withU subsetsofXwhereweputE(A)=1�E(XnA)foreachclosedsubsetAofX. U0thenE(U) E(U0).Weextendevaluationstoclosed
functionthenEval(f):Eval(X)!Eval(X0)isdenedbyEval(f)(E)(U)=E(f�1(U)).
TheevaluationEforadistribution:If2Distr(X)then Thus,EvalcanbeconsideredasafunctorTOP!SETwhereTOPdenotesthecategory oftopologicalspacesandcontinuousfunctions.
isanevaluationonX.WhetherthefunctionDistr(X)!Eval(X),7!E,isinjective (andhencecanbeconsideredasanembedding)dependsontheunderlyingtopologyon E:Opens(X)![0;1],E(U)=[U].
X.Considerthetopologyf;;XgonasetXwhichcontainsatleasttwopoints;itis easytoseethatthisfunctionisnotinjective.Inourapplications{whereXisequipped withanultrametricoradirected-completepartialorder{Distr(X)canbeconsideredas asubspaceofEval(X)(cf.Theorem5.1.12,page95,andTheorem5.1.16,page97). Remark12.1.3LetevalX:Distr(X)!Eval(X)bethefunctionevalX()=E.Itis easytoseethatevalYDistr(f)=Eval(f)evalXforeveryfunctionf:X!Y.I.e.for eachdistribution2Distr(X),EDistr(f)()=Eval(f)(E): Plotkin[JoPl89].
5AnevaluationinoursenseisaprobabilisticcontinuousevaluationintheterminologyofJones&

314 Hence,evalisanaturaltransformationDistr!EvalwhereDistrisconsideredasa CHAPTER12.APPENDIX
Compositionofevaluations(cf.[Heck95]):IfXandYaretopologicalspacesand functorSET!TOP(whereDistr(X)issupposedtobeequippedwiththediscrete topology).
V2Opens(Y).Notethat,if spaceX EX2Eval(X),EY2Eval(Y)thenEXEYdenotestheuniqueevaluationontheproduct Ysuchthat(EXEY)(U 2Distr(X), V)=EX(U)EY(V)forallU2Opens(X)and
Theprobabilisticpowerdomainofevaluationsondcpo's:Recallthatwesuppose thedenitionof wasgivenonpage30). 2Distr(Y)thenE E=E (where
dcpowherethepartialordervonEval(D)isgivenby adcpoDtobeequippedwiththeScott-topology,i.e.Opens(D)consistsofallsubsetsU ofDwhereUisupward-closedandDnUislub-closed.IfDisadcpothenEval(D)isa
elementofD),i.e.itisgivenby?Eval(D)(U)=0ifU6=Dand?Eval(D)(D)=1.If(Ei)i2I (cf.[JoPl89]).Thebottomelement?Eval(D)ofEval(D)isE1?D(where?Disthebottom E1vE2iE1(U) E2(U)forallU2Opens(D)
isd-continuous. D,thecompositionoperator:Eval(D)Eval(D)!Eval(DD),(E1;E2)7!E1E2, isadirectedfamilyofevaluationsthentheleastupperboundE=FEiinEval(D)is givenbyE(U)=supi2IEi(U).ItisshownbyHeckmann[Heck95]that,foreverydcpo
TheevaluationfunctorEval:CONT?!CONT?:IfD,D0aredcpo'sandf:D!D0 isastrict,d-continuousfunctionthenEval(f)isstrictandd-continuous.Fromtheresults ofJones[Jone90],itcanbederivedthatEval(D)iscontinuousifDiscontinuous.Hence, EvalcanbeconsideredasafunctorCONT?!CONT?. Lemma12.1.4ThefunctorEval:CONT?!CONT?islocallyd-continuous. Proof: 12.2 Orderedbalancedtrees easyverication.
acertainbalancecriteria,suchasAVL,BB[]orRed-Blacktrees)forthecomputationof lence(Chapters6and7),weproposetheorderedbalancedtrees(binarysearchtreeswith certainequivalenceclasses.Thedenitionof(theseveraltypesof)orderedbalancedtrees Fortheimplementationofthealgorithmsfordecidingbisimulationandsimulationequiva-
justexplainournotations. LetIbeanonemptyandnitesetandpi,i2I,realnumbers.Byanorderedbalanced canbefoundinanystandardbookaboutdatastructures;seee.g.[Knut73,CLR96].We
[NiRe73])whicharisesbysuccessivelyinsertingtheelementspi,i2I,(inanyorder) treeforpi,i2I,wemeanabinarybalancedtree(e.g.anAVL-tree[AVL62]orBB[]-tree andperformingthenecessaryrebalancesteps.Eachnodevislabelledbyakey-value v:key2fpi:i2Igsuchthatvl:key

12.3.MULTITERMINALBINARYDECISIONDIAGRAMS O(jIjlog(r+1))timeandO(jIj)spacewhereristhecardinalityoffpi:i2Ig.Weoften 315
useadditionallabelsforthenodes,e.g.v:indices=fi2I:pi=v:keyg.Wedescribe theadditionallabelsbytheirnalvalue(i.e.thevalueinthenaltree).Forexample,let I=f1;:::;10gand
theorderinwhichtheelementspiareinserted.Forinstance,itispossibletoobtainthe Thenaltreedependsonthetypeoforderedtrees(AVL-,BB[]orwhatever)andon p1=p4=5,p2=p7=p8=7,p3=4,p5=3,p6=2,p9=p10=0.
followingnaltree.
v3 v1 v4
v0
��� @@R ��� @@Rv2@@R
v0:key=4v0:indices=f3g
v5
v1:key=2v1:indices=f6g v2:key=5v2:indices=f1;4g v3:key=0v3:indices=f9;10g v4:key=3v4:indices=f5g
f(x2)=5,f(x3)=6,f(x4)=7andtheadditionallabels Ifwedealwithafunctionf:X!f1;:::;10gwhereX=fx1;x2;x3;x4gandf(x1)= v5:key=7v5:indices=f2;7;8g
thenvi:elements=;,i=0;1;3;4,v4:elements=fx1;x2gandv5:elements=fx4g. v:elements=fx2X:f(x)2v:indicesg
12.3 Chapter10dealswithMTBDD-basedvericationmethods.Inthissection,webriey recallthedenitionofmulti-terminalbinarydecisiondiagrams(MTBDDs),alsocalled Multiterminalbinarydecisiondiagrams
algebraicdecisiondiagrams(ADDs).Forfurtherdetailsandpossibleapplicationssee
matrices.MTBDDsareanextensionofBryant'sorderedbinarydecisondiagrams(OB- e.g.[CFM+93,BFG+93,HMP+94,CFZ96,SaFu96,FMY97].
DDsorBDDsforshort)[Brya86].WhileBDDsareadatastructureforbooleanfunctions f:f0;1gn!f0;1g,MTBDDsrepresentfunctionsfrombitvectorsintoacertaindomain MTBDDswereintroducedbyClarkeetal[CFM+93]asanecientdatastructurefor
domain

316 ABDDisaf0;1g-valuedMTBDD,i.e.aMTBDDwhereallterminalverticesarelabelled CHAPTER12.APPENDIX
by0or1.7IfVar=fx1;:::;xngandx1

12.3.MULTITERMINALBINARYDECISIONDIAGRAMS Ifthevariables(x1;:::;xn)overwhichaMTBDDQisconsideredareclearfromthe 317
f:f0;1gn!

318 CHAPTER12.APPENDIX

Bibliography
[AbJo93] [AbLa88] P.Abdulla,B.Jonsson:VerifyingProgramswithUnreliableChannels, Proc.LICS'93.ThefullversionwiththesametitlehasappearedinInfor- M.Abadi,L.Lamport:TheExistenceofRenementMappings,Proc.
mationandComputation,Vol.127,No.2,pp91-101,1996. LICS'88,pp165-175,1988.
[Abra91] [AbJu94] S.Abramsky:ADomainEquationforBisimulation,Informationand Computation,Vol.92,pp161-218,1991.
[AHS90] andT.S.E.Maibaum(ed.),HandbookofLogicinComputerScience,Vol.3, ClarendonPress,pp1-168,1994. J.Adamek,H.Herrlich,G.Strecker:AbstractandConcreteCategories: S.Abramsky,A.Jung:DomainTheory,InS.Abramsky,D.M.Gabbay
[AVL62] G.Adel'son-Velshii,Y.Landis:AnAlgorithmfortheOrganizationof Information,Soviet.Math.Dokl.,Vol.3,pp1259-1262,1962. TheJoyofCats,JohnWiley&Sons,1990.
[AHU74] [dAlf97a] A.Aho,J.Hopcroft,J.Ullman:TheDesignandAnalysisofofComputer Algorithms,Addison-WesleyPublishingCompany,1974.
[dAlf97b] L.deAlfaro:FormalVericationofProbabilisticSystems,Ph.D.Thesis, StanfordUniversity,1997.
[AlSch84] L.deAlfaro:TemporalLogicsfortheSpecicationofPerformanceandReters,Vol.21,1985.
pp165-176,1997. B.Alpern,F.Schneider:DeningLiveness,InformationProcessingLetliability,Proc.STACS'97,LectureNotesinComputerScience,Vol.1200, [ACD91a] [ACD90] R.Alur,C.Courcoubetis,D.Dill:VerifyingAutomataSpecicationsof ProbabilisticReal-TimeSystems,Proc.REXWorkshop'91,LectureNotes Proc.LICS'90,pp414-425,1990. R.Alur,C.Courcoubetis,D.Dill:ModelCheckingforReal-TimeSystems,
[ACD91b] inComputerScience,Vol.600,pp27-44,1991.
[dAHK98] P.d'Argenio,H.Hermanns,J.Katoen:OnGenerativeParallelComposi- R.Alur,C.Courcoubetis,D.Dill:Model-CheckingforProbabilisticReal- TimeSystems,Proc.ICALP'91,LectureNotesinComputerScience,
ham,pp105-122,1998. Vol.510,pp115-127,1991. tion,Proc.PROBMIV'98,Techn.ReportCSR-98-4,UniversityBirming
319

320 [dAKB98] P.d'Argenio,J.Katoen,E.Brinksma:AnAlgebraicapproachtotheSpeci- BIBLIOGRAPHY
[AmRu89] ofCompleteMetricSpaces,JournalofComputerandSystemSciences, Chapman&Hall,1998. P.America,J.Rutten:SolvingRecursiveDomainEquationsinaCategory cationofStochasticSystems(extendedabstract),Proc.PROCOMET'98,
[AtEm89] Vol.39,No.3,pp343-375,1989.
[ASB+95] P.Attie,E.A.Emerson:SynthesisofConcurrentSystemswithManySimilarSequentialProcesses,Proc.POPL'89,pp191-201,1989. [BBS92] A.Aziz,V.Singhal,F.Balarin,R.Brayton,A.Sangiovanni-Vincentelli:It
ACPwithGenerativeProbabilities,Proc.CONCUR'92,LectureNotesin J.Baeten,J.Bergstra,S.Smolka:AxiomatizingProbabilisticProcesses: usuallyworks:TheTemporalLogicofStochasticSystems,Proc.CAV'95, LectureNotesinComputerScience,Vol.939,pp155-165,1995.
[BFG+93] sametitlehasappearedinInformationandComputation,Vol.122,pp 234-255,1995. I.Bahar,E.Frohm,C.Gaona,G.Hachtel,E.Macii,A.Padro,F.Somenzi: ComputerScience,Vol.630,pp472-485,1992.Thefullversionwiththe
[Bai96] AlgebraicDecisionDiagramsandtheirApplications,Proc.ICCAD'93,pp 188-191,1993.ThefullversionwiththesametitlehasappearedinFormal MethodsinSystemsDesign,Vol.10,No.2/3,pp171-206,1997. C.Baier:PolynomialTimeAlgorithmsforTestingProbabilisticBisimu-
[Bai97] lationandSimulation,Proc.CAV'96,LectureNotesinComputerScience,Vol.1102,pp38-49,1996.Arevisedversionwiththetitle\DecidingBisimilarityandSimilarity"issubmittedforpublication. [BaCl98] C.Baier:TreesandSemantics,TheoreticalComputerScience,Vol.179, pp217-250,1997.
[BCH+97] SymbolicModelCheckingforProbabilisticProcesses,Proc.ICALP'97, C.Baier,E.Clarke,V.Hartonas-Garmhausen,M.Kwiatkowska,M.Ryan: C.Baier,E.Clarke:TheAlgebraicMu-CalculusandMTBDDs,Proc.
LectureNotesinComputerScience,Vol.1256,pp430-440,1997. WoLLIC'98,pp27-38,1998.
[BCH98] [BaEn98] C.Baier,E.Clarke,V.Hartonas-Garmhausen:OntheSemanticFounda- 98-4,UniversityBirmingham,pp7-32,1998. tionsofProbabilisticVERUS,Proc.PROBMIV'98,Techn.ReportCSR-
[BaHe97] tion.C.Baier,H.Hermanns:WeakBisimulationforFullyProbabilisticProLossyChannelSystems:anAlgorithmicApproach,submittedforpublica- C.Baier,B.Engelen:EstablishingQualitativePropertiesforProbabilistic
[BaKw97] cesses,Proc.CAV'97,LectureNotesinComputerScience,Vol.1254,pp 119-130,1997.
UniversityBirmingham.
Vol.71997.ThefullversionisavailableasTechn.Report,CSR-97-7, C.Baier,M.Kwiatkowska:DomainEquationsforProbabilisticProcesses, Proc.EXPRESS'97,ElectronicNotesinTheoreticalComputerScience,

BIBLIOGRAPHY [BaKw98] C.Baier,M.Kwiatkowska:ModelCheckingforaProbabilisticBranch- 321
ingTimeLogicwithFairness,DistributedComputing,Vol.11,No.3,
[BaKw98a] 1998.Apreliminaryversionwiththetitle\AutomaticVericationofLive-
ProbabilisticProcessesunderFairnessConstraints,InformationProcessing C.Baier,M.Kwiatkowska:OntheVericationofQualitativePropertiesof nessPropertiesofRandomizedSystems"hasappearedinProc.PODC'97,
Letters,Vol.66,No.2,pp71-79,1998. ACMPress,1997.
[BKN98] C.Baier,M.Kwiatkowska,G.Norman:ComputingLowerandUpper
[BMC94] 91-104,1998. C.Baier,M.Majster-Cederbaum:DenotationalSemanticsintheCpoand Proc.PROBMIV'98,Techn.ReportCSR-98-4,UniversityBirmingham,pp BoundsforLTLFormulaeoverSequentialandConcurrentMarkovChains,
[BMC97] sistencyResultsforSemanticsofConcurrentProgrammingLanguages, 1994. C.Baier,M.Majster-Cederbaum:HowtoInterpretandEstablishCon- MetricApproach,TheoreticalComputerScience,Vol.135,pp171-220,
[BSV98] C.Baier,M.Stoelinga,F.Vaandrager:privatediscussiononthedecidabil- Draftinpreparation. ityofprobabilisticbranchingbisimulationandsimulation,October1998. FundamentaInformaticae,Vol.29,No.3,pp225-256,1997.
[dBaMe88] [dBdRR88] J.deBakker,J.Meyer:Metricsemanticsforconcurrency,ReportCS- R8803,CentreforMathematicsandComputerScience,Amsterdam,1988. J.deBakker,W.deRoever,G.Rozenberg(eds.):LinearTime,Branching TimeandPartialOrderinLogicsandModelsforConcurrency,Proc.REX
[dBaZu82] [dBdV96] Workshop'88,LectureNotesinComputerScience,Vol.354,1988.
Concurrency,InformationandControl,Vol.54,No.1/2,pp70-120,1982. J.deBakker,J.Zucker:ProcessesandtheDenotationalSemanticsof J.deBakker,E.deVink:ControlFlowSemantics,MITPress,1996.
[Barr93] [BaWe90] M.Barr:Terminalcoalgebrasinwell-foundedsettheory,TheoreticalComputerScience,Vol.114,pp299-315,1993. [BeKl84] M.Barr,C.Wells:CategoryTheoryforComputingScience,Prentice-Hall InternationalSeriesinComputerScience,PrenticeHall,1990.
[BMS95] J.Bergstra,J.Klop:ProcessAlgebraforSynchronousCommunication, InformationandComputation,Vol.60,pp109-137,1984.
[BeGor98] J.Bern,C.Meinel,A.Slobodova:GlobalRebuildingofOBDDsAvoiding MemoryRequirementMaxima,Proc.CAV'95,LectureNotesinComputer Science,Vol.939,pp4-15,1995.
[BeGon92] G.Berry,G.Gonthier:TheESTERELSynchronousProgrammingLanrentProcesseswithNondeterminism,Priorities,ProbabilitiesandTime. TheoreticalComputerScience,Vol.202,pp1-54,1998. M.Bernardo,R.Gorrieri:ATutorialonEMPA:aTheoryofConcurguage:Design,Semantics,Implementation,ScienceofComputerProgramming,Vol.19,1992.

BIBLIOGRAPHY [Chri90a] I.Christo:TestingEquivalencesforProbabilisticProcesses,Ph.D.The- 323
[Chri90b] sis,DepartmentofComputerScience,UppsalaUniversity,1990.
[Chri93] I.Christo:TestingEquivalencesandFullyAbstractModelsforProbabilisticProcesses,Proc.CONCUR'90,LectureNotesinComputerScience,sity,1993.L.Christo:SpecicationandVericationMethodsforProbabilisticProcesses,Ph.D.Thesis,DepartmentofComputerScience,UppsalaUniver Vol.458,pp126-140,1990.
[ChCh91] [ChCh92] L.Christo,I.Christo:EcientAlgorithmsforVericationofEquivalencesforProbabilisticProcesses,Proc.CAV'91,LectureNotesinComputerScience,Vol.575,pp310-321,1991.tiesforProbabilisticProcesses,Proc.12thConferenceonFoundationsof SoftwareTechnologyandTheoreticalComputerScience,LectureNotesin L.Christo,I.Christo:ReasoningaboutSafetyandLivenessProper-
[ClEm81] ComputerScience,Vol.652,pp342-355,1992.
[CES83] E.Clarke,E.A.Emerson:DesignandSynthesisofSynchronizationSkele-
StateConcurrentSystemsUsingTemporalLogicSpecications:APratical tonsfromBranchingTimeTemporalLogic,Proc.WorkshoponLogicsof
Approach,Proc.POPL'83,1983.Thefullversionwiththesametitlehas E.M.Clarke,E.A.Emerson,A.P.Sistla:AutomaticVericationofFinite Programs,LectureNotesinComputerScience,Vol.131,pp52-71,1981.
[CFM+93] appearedinACMTrans.ProgrammingLanguagesandSystems,Vol.1(2), 1986. E.Clarke,M.Fujita,P.McGeer,J.Yang,X.Zhao:Multi-TerminalBi-
[CFZ96] naryDecisionDiagrams:AnEcientDataStructureforMatrixRepre
andHybridDecisionDiagrams,InRepresentationsofDiscreteFunctions, TahoeCity,1993. E.Clarke,M.Fujita,X.Zhao:Multi-TerminalBinaryDecisionDiagrams sentation,InProc.IWLS'93:InternationalWorkshoponLogicSynthesis,
[CGL93] T.SasaoandM.Fujita(eds.),KluwerAcademicPublishers,pp93-108, 1996.
[CGH94] currentPrograms,Proc.REXWorkshop'93,LectureNotesinComputerE.Clarke,O.Grumberg,D.Long:VercationToolsforFinite-StateCon- Science,Vol.803,pp124-175,1993.
[CKZ96] Checking,Proc.CAV'94,LectureNotesinComputerScience,Vol.818,pp 415-427,1994. E.Clarke,M.Khaira,X.Zhao:WordLevelSymbolicModelChecking{a E.Clarke,O.Grumberg,K.Hamaguchi:AnotherLookatLTLModel
[CPS90] DesignAutomationConference,IEEEComputerSocietyPress,1996. R.Cleaveland,J.Parrow,B.Steen:ASemanticBasedVericationTool NewApproachforVerifyingArithmeticCircuits,Proc.33rdACM/IEEE
[CSZ92] cationIX,ElsevierSciencePublishers,IFIP,pp287-302,1990.R.Cleaveland,S.Smolka,A.Zwarico:TestingPreordersforProbabilisticProcesses,Proc.ICALP1992,LectureNotesinComputerScience,forFiniteStateSystems,Proc.ProtocolSpecication,TestingandVeri- Vol.623,pp708-719,1992.

324 [CoWi87] D.Coppersmith,S.Winograd:MatrixMultiplicationviaArithmeticPro- BIBLIOGRAPHY
[CLR96] 1987. T.Cormen,C.Leiserson,R.Rivest:IntroductiontoAlgorithms,McGraw gressions,Proc.19thACMSymposiumonTheoryofComputing,pp1-6,
[CoYa88] Hill,1996.
[CoYa90] C.Courcoubetis,M.Yannakakis:VerifyingTemporalPropertiesofFinite- StateProbabilisticPrograms,Proc.29thAnnualSymp.onFoundationsof ComputerScience,pp338-345,1988.
[CoYa95] Events,Proc.ICALP'90,LectureNotesinComputerScience,Vol.443,pp 336-349,1990. C.Courcoubetis,M.Yannakakis:TheComplexityofProbabilisticVeri- C.Courcoubetis,M.Yannakakis:MarkovDecisionProcessesandRegular
[Dam94] M.Dam:CTLandECTLasFragmentsoftheModalMu-Calculus, cation,JournaloftheACM,Vol.42,No.4,pp857-907,1995.
[Derm70] TheoreticalComputerScience,Vol.126,pp77-96,1994.
[DEP98] C.Derman:Finite-StateMarkovianDecisionProcesses,AcademicPress, NewYork,1970.
[Dini70] J.Desharnais,A.Edalat,P.Panangaden:ALogicalCharacterizationof BisimulationforLabeledMarkovProcesses,Proc.LICS'98,1998.
[Dugu66] NetworkwithPowerEstimation,Soviet.Math.Dokl.,Vol.11,pp1277- E.Dinic:AlgorithmforSolutionofaProblemofMaximalFlowina
[EdSm92] 1280,1970. J.Dugundji:Topology,AllynandBacon,inc.,1966.
[Emer85] A.Edalat,M.Smyth:CompactMetricInformationSystems,Proc.REX Workshop'92,LectureNotesinComputerScience,Vol.666,pp154-173, 1992.
[Emer90] Programs",LectureNotesinComputerScience,Vol.193,pp79-87,1985. E.A.Emerson:Automata,TableauxandTemporalLogics,in\Logicof
[Emer92] pp995-1072,1990. E.A.Emerson:Real-TimeandtheMu-Calculus,Proc.REXWorkshop'92, E.A.Emerson:TemporalandModalLogic,VolumeBofHandbookofTheoreticalComputerScience,ElsevierSciencePublishers(North-Holland), [EmCl82] LectureNotesinComputerScience,Vol.666,pp176-194,1992.
[EmHa85] E.A.Emerson,E.M.Clarke:UsingBranchingTimeLogictoSynthesize SynchronizationSkeletons,Sci.Comput.Programming,Vol.2,pp241-266, 1982.
[EmHa86] E.A.Emerson,J.Halpern:DecisionProceduresandExpressivenessin theTemporalLogicofBranchingTime,JournalofComputerandSystem Science,Vol.30,pp1-24,1985. Vol.33,No.1,pp151-178,1986.
E.A.Emerson,J.Halpern:\Sometimes"and\NotNever"Revisited: onBranchingversusLinearTimeTemporalLogic,JournaloftheACM,

BIBLIOGRAPHY [EmJu88] E.A.Emerson,C.Jutla:TheComplexityofTreeAutomataandLogicsof 325
[EmJu91] Programs,Proc.FOCS'88,pp328-337,1988.
[EJS93] E.A.Emerson,C.Jutla,A.Sistla:OnModel-CheckingforFragments E.A.Emerson,C.Jutla:TreeAutomata,Mu-CalculusandDeterminacy, Proc.FOCS'91,pp368-377,1991.
[EmLei85] StrikesBack,Proc.POPL'85,pp84-96,1985. E.A.Emerson,C.Lei:ModalitiesforModelChecking:BranchingTime oftheMu-Calculus,Proc.CAV'93,LectureNotesinComputerScience, Vol.697,pp385-396,1993.
[EmLei86] [EFT93] PropositionalMu-Calculus,Proc.LICS'86,pp267-278,1986. E.A.Emerson,C.Lei:EcientModelCheckingforFragmentsofthe
[Enge89] checkinginCCS,DistributedComputing,Vol.6,pp155-164,1993. R.Engelking:GeneralTopology,SigmaSeriesinRureMathematics, Vol.6,HeldermannVerlagBerlin,1989. R.Enders,T.Filkorn,D.Taubner:GeneratingBDDsforSymbolicModel
[Even79] [Espa94] Programming,Vol.23,pp151-195,1994. J.Esparza:ModelCheckingUsingNetUnfoldings,ScienceofComputer
[FHZ93] S.Even:GraphAlgorithms,ComputerSciencePress,1979.
[Feld83] M.Fang,C.Ho-Stuart,H.Zedan:SpecicationofReal-TimeProbabilistic Behaviour,Proc.Protocol,Specication,TestingandVerication,IFIP, ElsevierSciencePublishers,pp143-157,1993.
[FeHa84] Y.Feldmann:ADecidablePropositionalDynamicLogic,Proc.15thACM Symp.onTheoryofComputing,pp298-309,1983.
[Fell68] W.Feller:AnIntroductiontoProbabilityTheoryanditsApplications, Y.Feldmann,D.Harel:APropositionalDynamicLogic,JournalofComputerandSystemScience,Vol.28,pp193-215,1984. [Fern89] Wiley,NeyYork,1968.
[FoFu62] 1989. J.C.Fernandez:AnImplementationofanEcientAlgorithmforBisimula-
1962. L.Ford,D.Fulkerson:FlowsinNetworks,PrincetonUniversityPress, tionEquivalence,ScienceofComputerProgramming,Vol.13,pp219-236,
[Fran88] [FMK91] N.Francez:Fairness,Springer-Verlag,NewYork,1988.
[FMY97] M.Fujita,Y.Matsunaga,T.Kakadu:OnVariableOrderingofBinary DecisionDiagramsfortheApplicationofMulti-ValuedLogicSynthesis, Proc.EDAC'91,pp50-53,1991.
[GPV+95] M.Fujita,P.McGeer,J.Yang:Multi-TerminalBinaryDecisionDiagrams: inSystemDesign,Vol.10,No.2/3,pp149-170,1997. AnEcientDataStructureforMatrixRepresentation,FormalMethods ofLinearTimeLogic,Proc.SymposiumonProtocolSpecication,Testing R.Gerth,D.Peled,M.Vardi,P.Wolper:SimpleOn-The-FlyVerication andVerication,pp3-18,1995.

328 [HHW97] T.Henzinger,P.Ho,H.Wang-Toi:HYTECH:aModelCheckerforHybrid BIBLIOGRAPHY
[Herm98] Systems,Proc.CAV'97,LectureNotesinComputerScience,Vol.1254,pp 460-463,1997.
[HHM98] Erlangen-Nurnberg,1998. H.Hermanns,U.Herzog,V.Mertsiotakis:StochasticProcessAlgebras: betweenLOTOSandMarkovChains,Comp.Netw.andISDNSyst., H.Hermanns:InteractiveMarkovChains,Ph.D.Thesis,Universitat
[Herz90] Framework,in\EntwurfundBetriebverteilterSysteme",InformatikFachberichte264,Springer,1990. U.Herzog:FormalDescription,TimeandPerformanceAnalysis{a Vol.9/10,pp901-924,1998.
[Hoar85] [Hill94] C.A.R.Hoare:CommunicatingSequentialProcesses,PrenticeHall,1985. J.Hillston:ACompositionalApproachtoPerformanecModelling, versityPress(1996).Ph.D.Thesis,UniversityEdinburgh,1994;publishedinCambridgeUni- [HuKw98] [HuKw97] M.Huth,M.Kwiatkowska:ComparingCTLandPCTLonLabelled MarkovChains,Proc.PROCOMET'98,Chapman&Hall,1998. Proc.LICS'97,IEEEComputerSocietyPress,1997. M.Huth,M.Kwiatkowska:QuantitativeAnalysisandModelChecking,
[Heck95] [HuTi92] Informatik,UniversitatdesSaarlandes. R.Heckmann:SpacesofValuations,TechnicalReportA09/95,FB14 T.Huynh,L.Tian:OnsomeEquivalenceRelationsforProbabilisticProcesses,FundamentaInformaticae,Vol.17,pp211-234,1992. [HoPe94] [IyNa96] G.Holzmann,D.Peled:AnImprovementinFormalVerication,Proc.7th InternationalConferenceonFormalDescriptionTechniques,pp177-194, 1994.
[IyNa97] P.Iyer,M.Narasimha:\AlmostAlways"and\DenitelySometime"are notenough:ProbabilisticQuantiersandProbabilisticModel-Checking, Techn.Report,TR-96-16,NorthCarolinaStateUniversity,1996.
[Jone90] C.Jones:ProbabilisticNon-Determinism,Ph.D.Thesis,UniversityofEdinburgh,1990. P.Iyer,M.Narasimha:ProbabilisticLossyChannelSystems,Proc.TAP- SOFT'97,LectureNotesinComputerScience,Vol.1214,pp667-681,1997.
[Jons91] [JoPl89] B.Jonsson:SimulationsbetweenSpecicationsofDistributedSystems, Proc.CONCUR'91,LectureNotesinComputerScience,Vol.527,pp346- C.Jones,G.D.Plotkin:AProbabilisticPowerdomainonEvaluations, Proc.LICS'89,pp186-195,1989.
[JHP89] ingAlgorithmbyAdaptingExistingAutomatedTools,Proc.Automatic VericationMethodsforFiniteStateSystems,LectureNotesinComputer 360,1991. B.Jonsson,C.HussainKhan,J.Parrow:ImplementingaModelCheck- Science,Vol.407,pp179-188,1989.

BIBLIOGRAPHY [JHY94] B.Jonsson,C.Ho-Stuart,W.Yi:TestingandRenementforNondeter- 329
[JoLa91] ministicandProbabilisticProcesses,Proc.FTRTFT'94,LectureNotesin ComputerScience,Vol.863,pp418-430,1994.
[JoYi95] B.Jonsson,K.G.Larsen:SpecicationandRenementofProbabilistic Processes,Proc.LICS'91,pp266-277,1991.
[JoSm90] B.Jonsson,W.Yi:CompositionalTestingPreordersforProbabilisticProcesses,Proc.LICS'95,pp431-443,1995. [KaSm83] zationsforProbabilisticProcesses,Proc.CONCUR'90,LectureNotesinC.Jou,S.Smolka:Equivalences,CongruencesandCompleteAxiomaticiplesofDistributedComputing,pp228-240,1983.Thefullversionwith ComputerScience,Vol.458,pp367-383,1990.
thesametitlehasappearedinInformationandComputation,Vol.86,pp 43-68,1990. P.Kannelakis,S.Smolka:CCSExpressions,FiniteStateProcessesand ThreeProblemsofEquivalence,Proc.2ndACMSymposiumonthePrin-
[Karp91] [Kato96] R.Karp:AnIntroductiontoRandomizedAlgorithms,DiscreteApplied Mathematics,Vol.34,pp191-201,1991.
[KLL94] J.Katoen:QuantitativeandQualitativeExtensionsofEventStructures, Ph.D.Thesis,UniversiteitTwente,1996. J.Katoen,R.Langerak,D.Latella:ModellingSystemsbyProbabilistic
[Kell76] TechniquesVI,Vol.C22ofIFIPTransactions,North-Holland,pp253- ProcessAlgebras:anEventStructureApproach,inFormalDescription 268,1994.
[Koze79] R.Keller:FormalVericationofParallelPrograms,Communicationsof D.Kozen:SemanticsforProbabilisticPrograms,Proc.20thIEEESym- theACM,Vol.7(19),pp561-572,1976.
[Koze83] thesametitlehasappearedinJournalofComputerandSystemScience, posiumonFoundationsofComputerScience,1979.Thefullversionwith Vol.22,pp328-350,1981.
[Koze85] D.Kozen:ResultsonthePropositionalMu-Calculus,TheoreticalComputerScience,Vol.27,No.3,pp333-354,1983. [Knut73] D.Kozen:AProbabilisticPDL,JournalofComputerandSystemSciences,Vol.30,1985. [Kura56] D.Knuth:SortingandSearching,Vol.3of\TheArtofComputerPro- K.Kuratowski:Surunemethodedemetrisationcompletedescertains gramming",Addison-Wesley,1973.
[KwNo96] espacesd'ensemblescompacts,FundamentaeMathematicae43,pp114- 138,1956.
[KwNo98a] M.Kwiatkowska,G.Norman:ProbabilisticMetricSemanticsforasimple LanguagewithRecursion,Proc.MFCS'96,LectureNotesinComputer Science,Vol.1113,pp419-430,1996. M.Kwiatkowska,G.Norman:ATestingEquivalenceforReactiveProbabilisticProcesses,Proc.EXPRESS'98,ElectronicNotesinTheoretical ComputerScience,Vol.16,1998.

330 [KwNo98b] M.Kwiatkowska,G.Norman:AFullyAbstractMetric-SpaceDenotational BIBLIOGRAPHY
[Kwia89] M.Kwiatkowska:SurveyofFairnessNotions,InformationandSoftware Technology,Vol.31,No.7,pp371-386,1989. SemanticsforReactiveProbabilisticProcesses,Proc.COMPROX'98,ElectronicNotesinTheoreticalComputerScience,Vol.13,1998. [LPV94] Y.Lai,M.Pedram,B.Vrudhula:Edge-ValuedBinaryDecisionDiagrams
[Lamp77] forIntegerLinearProgramming,SpectralTransformation,andFunction
TransactionsonSoftwareEngineering,Vol.3,pp125-143,1977. 1994. L.Lamport:ProvingtheCorrectnessofMultiprocessPrograms,IEEE Decomposition,IEEETransactionsonCAD,Vol.13,No.8,pp959-975,
[Lamp80] [Lamp94] L.Lamport:SometimesisSometimes\NotNever"{ontheTemporal LogicofPrograms,Proc.POPL'80,pp174-185,1980.
[LPY97] K.Larsen,P.Pettersson,W.Yi:UPPAAL:Status&Developments, L.Lamport:TheTemporalLogicofActions,ACMTransactionsonProgrammingLanguagesandSystems,Vol.16,No.3,pp872-923,1994. [LaSk89] Proc.CAV'97,LectureNotesinComputerScience,Vol.1254,pp456-459, 1997.
[LaSk92] POPL'89,1989.ThefullversionwiththesametitlehasappearedinInformationandComputation,Vol.94,pp1-28,1991. K.Larsen,A.Skou:CompositionalVericationofProbabilisticProcesses, K.Larsen,A.Skou:BisimulationthroughProbabilisticTesting,Proc.
[LNS82] Proc.CONCUR'92,LectureNotesinComputerScience,Vol.630,pp456- 471,1992.
[LSP81] J.Lassez,V.Nguyen,E.Sonenberg:FixedPointTheoremsandSemantics: 1982. D.Lehmann,A.Pnueli,J.Stavi:Impartiality,JusticeandFairness:The aFolfTale,InformationProcessingLetters,Vol.14,No.3,pp112-116,
[LeRa81] EthicsofConcurrentTermination,Proc.ICALP'81,LectureNotesinComputerScience,Vol.115,Springer,1981. [LeSh82] D.Lehmann,M.Rabin:OntheAdvantageofFreeChoice:aSymmetricandFullyDistributedSolutiontotheDiningPhilosophersProblem, Proc.POPL'81,pp133-138,1981.
[LiPn85] D.Lehmann,S.Shelah:ReasoningwithTimeandChance,Information andControl,Vol.53,pp165-198,1982.
[LPZ85] O.Lichtenstein,A.Pnueli:CheckingthatFiniteStateConcurrentPro- O.Lichtenstein,A.Pnueli,L.Zuck:TheGloryofthePast,in\Logics gramsSatisfyTheirLinearSpecication,Proc.POPL'85,pp97-107,1985.
[Lowe93a] 1985. G.Lowe:AProbabilisticModelofTimedCSP,Ph.D.Thesis,OxfordUniversity,1991. ofPrograms",LectureNotesinComputerScience,Vol.193,pp196-218,

BIBLIOGRAPHY [Lowe93b] G.Lowe:RepresentingNondeterminismandProbabilisticBehaviourin 331
[Lowe95] ReactiveProcesses,Techn.ReportPRG-TR-11-93,OxfordUniversity, 1993.
[Lync95] ComputerScience,Vol.138,pp315-352,1995. N.Lynch:DistributedAlgorithms,MorganKaufmannPublishers,inc., 1995. G.Lowe:ProbabilisticandPrioritizedModelsofTimedCSP,Theoretical
[LyVa91] [LSS94] N.Lynch,I.Saias,R.Segala:ProvingTimeBoundsforRandomizedDistributedAlgorithms,Proc.PODC'94,pp314-323,1994. [MajC88] N.Lynch,F.Vaandrager:ForwardandBackwardSimulationsforTiming- BasedSystems,Proc.REXWorkshop'91,LectureNotesinComputerScience,Vol.600,pp397-446,1991. [MajC89] M.Majster-Cederbaum:TheContractionPropertyisSucienttoGuartorsinaCategoryofCompleteMetricSpaces,InformationProcessing Letters,Vol.29,pp277-281,1988. M.Majster-Cederbaum:OntheUniquenessofFixedPointsofEndofunc-
[MaZe91] CompleteMetricSpaces,InformationProcessingLetters,Vol.33,pp15- 19,1988. M.Majster-Cederbaum,F.Zetzsche:TowardsaFoundationforSemantics anteetheUniquenessofFixedPointsofEndofunctorsinaCategoryof
[MPM78] pp217-243,1991. V.Malhotra,M.PramodhKumar,S.Maheshwari:AnO(jV3j)Algorithm inCompleteMetricSpaces,InformationandComputation,Vol.90,No.2,
[MaPn90] forFindingMaximumFlowsinNetworks,ComputerScienceProgram, IndianInstituteofTechnology,Kanpur208016,1978.
[MaPn92] Systems:Specication,Springer-Verlag,1992. Z.Manna,A.Pnueli:TheTemporalLogicofReactiveandConcurrent Z.Manna,A.Pnueli: Proc.PODC'90,pp377-408,1990. AHierarchyofTemporalProperties,
[MaPn95] [MaWo84] Z.Manna,A.Pnueli:TemporalVericationofReactiveSystems:Safety, Springer-Verlag,1995.
[McLan71] Z.Manna,P.Wolper:SynthesisofCommunicationProcessesfromTem- S.MacLane:CategoriesfortheWorkingMathematician,GraduateTexts poralLogicSpecications,ACMTrans.ProgrammingLanguagesandSystems,Vol.6(1),pp68-93,1984. [MBC84] inMathematics,Springer,1971.
[McMil92] M.AjmoneMarsan,G.Balbo,G.Conte:AClassofGeneralizedStocahstic
University,Pittsburgh,1992;publishedinKluwerAcademicPublishers K.McMillan:SymbolicModelChecking,Ph.D.Thesis,CarnegieMellon PetricNetsforthePerformanceEvaluationofMultiprocessorSystems,
(1993).
ACMTransactionsonComputerSystems,Vol.2,No.2,pp93-122,1984.

332 [McMil92a] K.McMillan:UsingUnfoldingstoAvoidtheStateExplosionProblemin BIBLIOGRAPHY
[McIv98] theVericationofAsynchronousCircuits,Proc.CAV'92,LectureNotesin ComputerScience,Vol.663,pp164-177,1992.
[MKR92] 45-58,1998. M.Mercer,R.Kapur,D.Ross:FunctionalApproachestoGeneratingOr- A.McIver:ReasoningaboutEciencywithinaProbabilisticMu-Calculus,
deringsforEcientSymbolicRepresentation,Proc.ACM/IEEEDAC'92, Proc.PROBMIV'98,Techn.ReportCSR-98-4,UniversityBirmingham,pp
[Moll82] pp614-619,1992.
[MoMcI97] pectations,Proc.FormalMethodsPacic'97;alsoavailableasTechnicalC.Morgan,A.McIver:AProbabilisticTemporalCalculusbasedonEx- Trans.onComputers,Vol.C-31(9),pp913-917,1982. K.Molloy:PerformanceAnalysisUsingStochasticPetriNets,IEEE
[MMS+94] ReportTR-13-97,UniversityofOxford,1997.
[MMS96] abilityforCSP,Techn.ReportTR-12-94,OxfordUniversity,toappearinC.Morgan,A.McIver,K.Seidel,J.Sanders:Renement-OrientedProb- FormalAspectsofComputing.
[MoRa95] pp325-353,1996. R.Motwani,P.Raghavan:RandomizedAlgorithms,CambridgeUniversity C.Morgan,A.McIver,K.Seidel:ProbabilisticPredicateTransformers,
Press,1995. ACMTransactionsonProgrammingLanguagesandSystems,Vol.8,No.3,
[Miln80] [Miln83] R.Milner:ACalculusofCommunicatingSystems,LectureNotesinComputerScience,Vol.92,1980. R.Milner:CalculiforSynchronyandAsynchrony,TheoreticalComputer
[NiRe73] [Miln89] Science,Vol.25,pp269-310,1983. R.Milner:CommunicationandConcurrency,PrenticeHall,1989.
[dNHe83] I.Nievergelt,E.Reinhold:BinarySearchTreesofBoundedBalance, SICOMP2,pp33-43,1973.
[dNVa90] R.deNicola,F.Vaandrager:ThreeLogicsforBranchingBisimulation, Proc.LICS'90,pp118-129,1990. R.deNicola,M.Hennessy:TestingEquivalencesforProcesses,Theoretical ComputerScience,Vol.34,pp83-133,1983.
[NRS+90] [Niva79] X.Nicollin,J.Richier,J.Sifakis,J.Voiron:ATP:anAlgebraofTimed Processes,Proc.IFIPTC2WorkingConferenceonProgrammingConcepts M.Nivat:InniteWords,InniteTrees,InniteComputations,Founda- andMethods,SeaofGallilea,1990. tionsofComputerScienceIII,MathematicalCentreTracts109,pages
[Norm97] [Niwi88] G.Norman:MetricSemanticsforReactiveProbabilisticProcesses,Ph.D. 3-52,1979. D.Niwinski:FixedPointsVs.InniteGeneration,Proc.LICS'88,1988. Thesis,UniversityBirmingham,1997.

BIBLIOGRAPHY [NudF95] M.Nu~nez,D.deFrutos:TestingSemanticsforProbabilisticLOTOS,in 333
[NdFL95] M.Nu~nez,D.deFrutos,L.Llana:AcceptanceTreesforProbabilisticProcesses,Proc.CONCUR'95,LectureNotesinComputerScience,Vol.962, pp249-263,1995. FormalDescriptionTechniquesVIII,pp365-380,Chapman&Hall,1995.
[OwLa82] [OwGr76] grams,ACMTransactionsonProgrammingLanguagesandSystems, I,ActaInformatica,Vol.6,pp319-340,1976. S.Owicki,L.Lamport:ProvingLivenessPropertiesofConcurrentPro- S.Owicki,D.Gries:AnAxiomaticProofTechniqueforParallelPrograms
[PaTa87] Vol.4(3),pp455-495,1982.
[Park74] R.Paige,R.Tarjan:ThreePartitionRenementAlgorithms,SIAMJournalofComputing,Vol.16,No.6,pp973-989,1987. [Park81] TheUniversityofWarwick,1974.PublishedinTheoreticalComputerScience,Vol.3(2),pp173-181,1976. D.Park:ConcurrencyandAutomataonInniteSequences,Proc.5th D.Park:FinitenessisMu-ineable,TheoryofComputationReportNo.3,
[Pele93] 1981. D.Peled:AllfromOne,OnefromAll:OnModelCheckingUsingRepresentatives,Proc.CAV'93,LectureNotesinComputerScience,Vol.697, GIConference,LectureNotesinComputerScience,Vol.104,pp167-183,
[PPH96] pp409-423,1993. D.Peled,V.Pratt,G.Holzmann(eds):Proc.DIMACSWorkshoponPar-
[PSS98] Society,SeriesinDiscreteMathematicsandTheoreticalComputerScience, Bd.29,1996. A.Philippou,O.Sokolsky,I.Lee:WeakBisimulationforProbabilistic tialOrderMethodsinVerication(POMIV'96),AmericalMathematical
[Plot81] Systems,submittedforpublication.
[Pnue77] portDAIMIFN-19,ComputerScienceDepartment,AarhusUniversity, 1981. A.Pnueli:TheTemporalLogicofPrograms,Proc.FOCS'77,pp46-57, G.Plotkin:AStructuralApproachtoOperationalSemantics,Techn.Re-
[Pnue83] 1977.
[PnRo89] Proc.15thACMSymposiumonTheoryofComputing,1983. A.Pnueli,R.Rosner: A.Pnueli:OntheExtremelyFairTreatmentofProbabilisticAlgorithms,
[PnZu86a] DistributedComputing,Vol.1,No.1,pp53-72,1986. A.Pnueli,L.Zuck:VericationofMultiprocessProbabilisticProtocols, Proc.POPL'89,pp191-201,1989. OntheSynthesisofaReactiveModule,
[PnZu86b] [PnZu93] tion,Vol.103,pp1-29,1993.
A.Pnueli,L.Zuck:ProbabilisticVericationbyTableaux,Proc.LICS'86, pp322-331,1986. A.Pnueli,L.Zuck:ProbabilisticVerication,InformationandComputa

334 [PoSe95] A.Pogosyants,R.Segala:FormalVericationofTimedPropertiesofRan- BIBLIOGRAPHY
[Prat76] V.Pratt: domizedDistributedAlgorithms,Proc.PODC'95,1995.
[Prat81] V.Pratt:ADecidableMu-Calculus,Proc.FOCS'81,pp421-427,1981. FOCS'76,pp109-121,1976. SemanticalConsiderationsofFloyd-HoareLogic,Proc.
[Pria96] [PuSu89] C.Priami:Stochastic-calculuswithgeneraldistributions,Proc.4th Int.WorkshoponProcessAlgebraandPerformanceModelling,pp41-57. C.L.U.T.Press,1996.
[Pute94] haviourinConcurrentSystems,IEEETransactiononSoftwareEngineerS.Purushothaman,P.Subrahmanyam:ReasoningaboutProbabilisticBe- [QuSi82] M.Puterman:MarkovDecisionProcesses,JohnWileyandSons,1994. ing,SE-13(6),1989.
[QuSi83] J.Queille,J.Sifakis:SpecicationandVericationofConcurrentSystems
tems{aTemporalLogictodealwithFairness,ActaInformatica,Vol.19,J.Queille,J.Sifakis:FairnessandRelatedPropertiesinTransitionSys- NotesinComputerScience,Vol.137,pp337-351,1982. inCESAR,Proc.5thInternationalSymposiumonProgramming,Lecture
[Rabi63] [Rabi76a] pp195-220,1983. M.Rabin:ProbabilisticAutomata,InformationandControl,Vol.6,1963.
[Rabi76b] 66-75,1976. M.Rabin:ProbabilisticAlgorithms,in\AlgorithmsandComplexity:Re- SharedVariables,JournalofComputerandSystemScience,Vol.25,pp M.Rabin:N-ProcessMutualExclusionwithBoundedWaitingby4logN
[Rabi80] centResultsandNewDirections"(J.Traub,ed.),AcademicPress,New York,pp21-40,1976.
[Ross83] M.Rabin:ProbabilisticAlgorithmsforTestingPrimality,J.NumberThe- S.Ross:IntroductiontoStochasticDynamicProgramming,Academic Press,NewYork,1983. ory,Vol.12,pp128-138,1980.
[Rude93] [Rudi66] R.Rudell:DynamicVariableOrderingforOrderedBinaryDecisionDia-
[RuTu93] grams,Proc.IEEEICCAD'93,pp42-47,1993. W.Rudin:RealComplexAnalysis,McGraw-Hill,1966.
[Safr88] J.J.M.M.Rutten,D.Turi:OntheFoundationsofFinalSemantics:Non-
1988. StandardSets,MetricSpacesandPartialOrders,Proc.REXWorkshop'92, S.Safra:OntheComplexityof!-Automata,Proc.FOCS'88,pp319-327, LectureNotesinComputerScience,Vol.666,pp477-530,1993.
[SaFu96] [Schr87] T.Sasao,M.Fujita:RepresentationsofDiscreteFunctions,KluwerAca- 1987.
demicPublishers,1996. A.Schrijver:TheoryofLinearandIntegerProgramming,J.Wiley&Sons,

BIBLIOGRAPHY [Seid92] K.Seidel:ProbabilisticCommunicatingProcesses,Ph.D.Thesis,Oxford 335
[Seid95] University,1992.
[Seidl96] K.Seidel:ProbabilisticCommunicatingProcesses,TheoreticalComputer Science,Vol.152,pp219-249,1995.
[Sega95a] R.Segala:ModelingandVericationofRandomizedDistributedReal- TimeSystems,Ph.D.Thesis,MassachusettsInstituteofTechnology,1995. H.Seidl:AModalMu-CalculusforDurationalTransitionSystems,Proc. LICS'96,pp128-137,1996.
[Sega96] [Sega95b] pp234-248,1995. R.Segala:TestingProbabilisticAutomata,Proc.CONCUR'96,Lecture R.Segala:ACompositionalTrace-BasedSemanticsforProbabilisticAutomata,Proc.CONCUR'95,LectureNotesinComputerScience,Vol.962, [SeLy94] R.Segala,N.Lynch:ProbabilisticSimulationsforProbabilisticProcesses, NotesinComputerScience,Vol.1119,pp299-314,1996.
[SiCl86] Proc.CONCUR'94,LectureNotesinComputerScience,Vol.836,pp481- 496,1994.ThefullversionwiththesametitlehasappearedinNordic JournalofComputing,Vol.2(2),pp250-273,1995.
[SVW85] A.Sistla,E.Clarke:ComplexityofPropositionalTemporalLogics,Journal oftheACM,Vol.32(3),pp733-749,1986.
[SCV92] A.Sistla,M.Vardi,P.Wolper:TheCompletionProblemforBuchiAutomatawithApplicationstoTemporalLogic,Proc.ICALP'85,LecturetributedComputingSystems,pp260-268,IEEEComp.Soc.Press,1992.R.Sisto,L.Ciminiera,A.Valenzo:ProbabilisticCharacterizationofAlgebraicProtocolSpecications,Proc.12thInternationalConferenceonDis NotesinComputerScience,Vol.194,pp465-474,1985.
[SmSt90] S.Smolka,B.Steen:PriorityasExtremalProbability,Proc.CON-
[SmPl82] Computing,Vol.8,pp585-606,1996. CUR'90,LectureNotesinComputerScience,Vol.458,pp456-466,1990. ThefullversionwiththesametitlehasappearedinFormalAspectsof
[StWa91] C.Stirling,D.Walker:LocalModelCheckingintheModalMu-Calculus, TheoreticalComputerScience,Vol.89,pp161-177,1991. M.Smyth,G.Plotkin:TheCategory-TheoreticSolutionofRecursive Equations,SIAMJ.Comput.,Vol.11,pp761-783,1982.
[StVa98] [StEm84] M.Stoelinga,F.Vaandrager:RootContentioninIEEE1394,submitted forpublication.
[SLG94] R.Street,E.A.Emerson:AnAutomataTheoreticDecisionProcedurefor PropositionalMu-Calculus,Proc.ICALP'84,LectureNotesinComputer Science,Vol.172,pp465-472,1984.
[Stoy77] grammingLanguageTheory.MITPress,Cambridge,1977.
Domains,CambridgeUniversityPress,1994. J.Stoy:DenotationalSemantics:TheScott-StracheyApproachtoPro- V.Stoltenberg-Hansen,I.Lindstrom,E.Grior:MathematicalTheoryof

336 [Suth77] W.Sutherland:IntroductiontoMetricandTopologicalSpaces,Oxford BIBLIOGRAPHY
[Thom90] UniversityPress,1977.
[Thom96] puterScience,Vol.B,ElsevierSciencePublishers,Amsterdam,pp135-191, 1990. W.Thomas:Languages,Automata,andLogic,Techn.Report9607,ChrisW.Thomas:AutomataonInniteObjects,HandbookofTheoreticalCom- [Toft90] C.Tofts:ASynchronousCalculusofRelativeFrequency,Proc.CON- tianAlbrechtsUniversitatKiel,1996.
[Toft94] C.Tofts:ProcesseswithProbabilities,PriorityandTime,FormalAspects ofComputing,Vol.6,No.5,1994. CUR'90,LectureNotesinComputerScience,Vol.458,pp467-480,1990.
[Vard85] [Valm94] Vol.46,pp6-14,1994. M.Vardi:AutomaticVericationofProbabilisticConcurrentFinite-State Programs,Proc.FOCS'85,pp327-338,1985. A.Valmari:StateoftheArtReport:StubbornSets,PetriNetNewsletters,
[Vard96] M.Vardi:AnAutomata-TheoreticApproachtoLinearTemporalLogic,
[VaWo86] in\LogicsforConcurrency{StructureversusAutomata"(F.Moller,G. Birtwistle,eds.),LectureNotesinComputerScience,Vol.1043,pp238- 265,1996.
[VaWo94] ProgramVerication,Proc.LICS'86,pp332-344,1986. M.Vardi,P.Wolper:ReasoningaboutInniteComputations,Information M.Vardi,P.Wolper:AnAutomata-TheoreticApproachtoAutomatic
[Varg62] andComputation,Vol.115(1),pp1-37,1994.
[dVin98] R.Varga:MatrixIterativeAnalysis,Prentice-Hall,Inc.,EnglewoodClis, NewJersey,1962.
[dViRu97] E.deVink:OnaFunctorforProbabilisticBisimulationandPreservation ofWeakPullbacks,Techn.Report,VrijeUniversiteitAmsterdam,1998.
[Wins84] ACoalgebraicApproach,Proc.ICALP'97,LectureNotesinComputer Science,Vol.1256,pp460-470,1997. G.Winskel:SynchronisationTrees,TheoreticalComputerScience,Vol.34, E.deVink,J.Rutten:BisimulationforProbabilisticTransitionSystems:
[WVS83] pp33-82,1984.
[WSS94] P.Wolper,M.Vardi,A.Sistla:ReasoningaboutInniteComputation S.Wu,S.Smolka,E.Stark:CompositionandBehavioursofProbabilistic I/O-Automata,Proc.CONCUR'94,LectureNotesinComputerScience, Paths,Proc.FOCS'83,pp185-194,1983.
[YCDS94] Vol.836,1994.ThefullversionwiththesametitlehasappearedinTheoreticalComputerScience,Vol.176,pp1-38,1997. [Yi91] W.Yi:ACalculusofRealTimeSystems,Ph.D.Thesis,ChalmersUniS.Yuen,R.Cleaveland,Z.Dayar,S.Smolka:FullyAbstractCharacterizationsofTestingPreordersforprobabilisticProcesses,Proc.CONCUR'94, LectureNotesinComputerScience,Vol.836,pp497-512,1994. versity,1991.