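Induction Coinduction A-simulations Inequivalences

Slide 13/38: Example simulation
$d.(a \mathbin{{}_{1/2}\oplus} b) \rhd_S d.((a \mathbin{{}_{1/2}\oplus} b) \mathbin{{}_{1/2}\oplus} (a + b))$ because
$a \mathbin{{}_{1/2}\oplus} b \;\mathrm{lift}(\rhd_S)\; (a \mathbin{{}_{1/2}\oplus} b) \mathbin{{}_{1/2}\oplus} (a + b)$
$\tfrac12 \cdot a + \tfrac12 \cdot b \;\mathrm{lift}(\rhd_S)\; \tfrac14 \cdot a + \tfrac12 \cdot (a + b) + \tfrac14 \cdot b$
Because:
◮ $a \rhd_S \tfrac12 \cdot a + \tfrac12 \cdot (a + b)$
◮ $b \rhd_S \tfrac12 \cdot b + \tfrac12 \cdot (a + b)$
◮ $\tfrac12 \cdot a + \tfrac12 \cdot b \;\mathrm{lift}(\rhd_S)\; \tfrac12 \cdot (\tfrac12 \cdot a + \tfrac12 \cdot (a + b)) + \tfrac12 \cdot (\tfrac12 \cdot b + \tfrac12 \cdot (a + b))$
Moral:
◮ $\rhd_S$ must have type $S \times D(S)$
◮ NOT type $S \times S$
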
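Slide 14/38: Second problem
[Diagram of $a.B$: an $a$ move to $B$; from $B$ a $\tau$ move to $s_1$ with probability $\tfrac34$ and to $s_2$ with probability $\tfrac14$; a $\tau$ move from $s_1$ back to $B$; a $b$ move from $s_2$.]
$a.b \not\rhd_S a.B$
because $a.B \not\stackrel{a}{\Longrightarrow} b$
because $a.B \;\not\!\!\xrightarrow{\tau}{}^{*}\xrightarrow{a}\xrightarrow{\tau}{}^{*}\; b$
Moral: weak internal actions must include limiting behaviour
$B$ reaches state $s_2$ with probability 1
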
Slide 15/38: Weak internal actions in a pLTS: $\Delta \Longrightarrow \Theta$
Idea: internal computation is a partial execution
$\Delta = \Delta_0^{go} + \Delta_0^{stay}$
$\Delta_0^{go} \xrightarrow{\tau} \Delta_1^{go} + \Delta_1^{stay}$
...
$\Delta_k^{go} \xrightarrow{\tau} \Delta_{(k+1)}^{go} + \Delta_{(k+1)}^{stay}$
...
Total: $\Theta = \sum_{k=0}^{\infty} \Delta_k^{stay}$
$\Delta^{stay}$: any subdistribution
$\Delta^{go}$: any subdistribution which can perform $\tau$
Note: use of subdistributions

Slide 16/38: Example
[Diagram of $a.B$, as on the "Second problem" slide.]
Right-hand sides are split as go + stay:
$B = B + \mathrm{empDist}$
$B \xrightarrow{\tau} \tfrac34 \cdot s_1 + \tfrac14 \cdot s_2$
$\tfrac34 \cdot s_1 \xrightarrow{\tau} \tfrac34 \cdot B + \mathrm{empDist}$
$\tfrac34 \cdot B \xrightarrow{\tau} (\tfrac34)^2 \cdot s_1 + (\tfrac34)\,\tfrac14 \cdot s_2$
...
$(\tfrac34)^k \cdot B \xrightarrow{\tau} (\tfrac34)^{(k+1)} \cdot s_1 + (\tfrac34)^k\,\tfrac14 \cdot s_2$
...
Total: $s_2 = \sum_{k=0}^{\infty} (\tfrac34)^k\,\tfrac14 \cdot s_2$
$B \Longrightarrow s_2$

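Slide 17/38: The empty (sub)Distribution: empDist
A feature: $\mathrm{empDist} \xrightarrow{\mu} \mathrm{empDist}$ for every action $\mu$
Consequence:
◮ $\Delta \xrightarrow{\tau} \Theta$ implies $\Delta \Longrightarrow \Theta$
◮ $\Delta \xrightarrow{\tau}\xrightarrow{\tau} \Theta$ implies $\Delta \Longrightarrow \Theta$
◮ ...
Sanity check: $\Delta \xrightarrow{\tau}{}^{*}\, \Theta$ implies $\Delta \Longrightarrow \Theta$
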
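Slide 18/38: Lost in divergence
[Diagram: a chain of states $s_2, s_3, s_4, s_5, s_6, \ldots$; each $s_k$ has a $\tau$ move that reaches $a$ with probability $\tfrac{1}{k^2}$ ($\tfrac{1}{2^2}, \tfrac{1}{3^2}, \tfrac{1}{4^2}, \tfrac{1}{5^2}, \tfrac{1}{6^2}$) and otherwise continues along the chain.]
Total probability of reaching $a$ from $s_2$:
$\tfrac14 + \tfrac1{12} + \tfrac1{24} + \tfrac1{40} + \ldots = \tfrac12$
$s_2 \Longrightarrow \tfrac12 \cdot a$
Remainder of mass $\tfrac12$ is lost in divergence
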
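An added example, not taken from the slides: the go/stay scheme for $\Delta \Longrightarrow \Theta$ run on the two pLTSs of the "Example" (16/38) and "Lost in divergence" (18/38) slides, with exact fractions. It assumes each state has at most one τ move and that every τ-capable state always "goes", which gives one particular weak derivation; the names `weak_derive`, `tau_B` and `tau_chain` are hypothetical, and `a` is modelled as a state with no τ move.

```python
from fractions import Fraction as F

def split(dist, tau):
    """Split a subdistribution into (go, stay); 'go' holds states that can do tau."""
    go, stay = {}, {}
    for s, p in dist.items():
        (stay if tau(s) is None else go)[s] = p
    return go, stay

def step(go, tau):
    """One tau move of the whole 'go' part, lifted to subdistributions."""
    out = {}
    for s, p in go.items():
        for t, q in tau(s).items():
            out[t] = out.get(t, F(0)) + p * q
    return out

def weak_derive(tau, start, rounds):
    """Return (Theta_n, residual 'go' mass, [stay_0 .. stay_n]) after n = rounds steps.

    Theta_n = sum of stay_k for k <= n approximates Theta from below; the residual
    is the mass still computing, and whatever never stops is lost in divergence.
    """
    go, stay = split({start: F(1)}, tau)          # Delta = go_0 + stay_0
    stays = [stay]
    for _ in range(rounds):
        go, stay = split(step(go, tau), tau)      # go_k -tau-> go_{k+1} + stay_{k+1}
        stays.append(stay)
    theta = {}
    for part in stays:
        for s, p in part.items():
            theta[s] = theta.get(s, F(0)) + p
    return theta, sum(go.values(), F(0)), stays

def tau_B(s):
    """Process B: B -tau-> 3/4.s1 + 1/4.s2, s1 -tau-> B, s2 has no tau move."""
    moves = {"B": {"s1": F(3, 4), "s2": F(1, 4)}, "s1": {"B": F(1)}}
    return moves.get(s)

def tau_chain(s):
    """Chain s_2, s_3, ...: s_k -tau-> 1/k^2 . a + (1 - 1/k^2) . s_{k+1}."""
    if s == "a":
        return None
    return {"a": F(1, s * s), s + 1: 1 - F(1, s * s)}

if __name__ == "__main__":
    theta, rest, _ = weak_derive(tau_B, "B", 199)
    print("B:   mass at s2 =", float(theta["s2"]), " still computing =", float(rest))
    theta, rest, stays = weak_derive(tau_chain, 2, 1000)
    print("s_2: first stay terms =", [str(st["a"]) for st in stays[1:5]])
    print("s_2: mass at a =", float(theta["a"]), " still computing =", float(rest))
```
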
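Slide 19/38: Simulations in a pLTS finally
Largest relation $\rhd_S \subseteq S \times D(S)$ satisfying:
$s \rhd_S \Theta$ and $s \xrightarrow{\mu} \Delta$ implies $\Theta \stackrel{\mu}{\Longrightarrow} \Theta'$ with $\Delta \;\mathrm{lift}(\rhd_S)\; \Theta'$
◮ $\Theta \stackrel{a}{\Longrightarrow} \Theta'$: now means $\Theta \Longrightarrow \Theta_1 \xrightarrow{a} \Theta_2 \Longrightarrow \Theta'$
◮ $\Theta \stackrel{\tau}{\Longrightarrow} \Theta'$: now means $\Theta \Longrightarrow \Theta'$
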
Slide 20/38: Example simulation
[Diagram of $a.B$, as on the "Second problem" slide.]
$a.b \rhd_S a.B$
because $a.B \stackrel{a}{\Longrightarrow} b$
Also: $a.B \rhd_S a.b$

Slide 21/38: Simulations and testing
Soundness: $s \rhd_S \Theta$ implies $s \sqsubseteq_{pmay} \Theta$ (proof is straightforward)
Completeness: In a finitary pLTS, $s \sqsubseteq_{pmay} \Theta$ implies $s \rhd_S \Theta$ (difficult proof)

Slide 22/38: Weak transfer property: WTP
$R$ satisfies the weak transfer property if
$s \mathrel{R} t$ and $s \stackrel{\mu}{\Longrightarrow} \Delta$ implies $t \stackrel{\mu}{\Longrightarrow} \Theta$ with $\Delta \;\mathrm{lift}(R)\; \Theta$
In LTSs: The simulation preorder $\rhd_S$ satisfies the WTP
In pLTSs: The simulation preorder $\rhd_S$ does NOT satisfy the WTP
In finitary pLTSs: The simulation preorder $\rhd_S$ satisfies the WTP

Slide 23/38: The simulation preorder via induction
Using coinduction: $\rhd_S \subseteq S \times D(S)$ is the largest solution to $\rhd_S = \mathrm{Sim}(\rhd_S)$
Using induction:
$\rhd_S^{0} = S \times D(S)$
$\rhd_S^{1} = \mathrm{Sim}(\rhd_S^{0})$
...
$\rhd_S^{(k+1)} = \mathrm{Sim}(\rhd_S^{k})$
...
$\rhd_S^{\infty} = \bigcap_{k \ge 0} \rhd_S^{k}$
In general, $s \rhd_S \Theta$ implies $s \rhd_S^{\infty} \Theta$

Slide 24/38: The simulation preorder: coinduction v. induction
◮ In an LTS: $s \rhd_S^{\infty} \Theta$ does NOT imply $s \rhd_S \Theta$
◮ In a finite state LTS: $s \rhd_S^{\infty} \Theta$ implies $s \rhd_S \Theta$
◮ In a pLTS: $s \rhd_S^{\infty} \Theta$ does NOT imply $s \rhd_S \Theta$
◮ In a finitary pLTS: $s \rhd_S^{\infty} \Theta$ implies $s \rhd_S \Theta$
Key property of finitary pLTS: $\{\Delta \mid s \Longrightarrow \Delta\}$ is finitely generable
IE: There exist finitely many $\Delta_1 \ldots \Delta_k$ such that
◮ $s \Longrightarrow \Delta_i$
◮ $s \Longrightarrow \Delta$ only if $\Delta = p_1 \cdot \Delta_1 + \ldots + p_k \cdot \Delta_k$, with $\sum p_i \le 1$

Slide 25/38: Outline
Inductive methods
Coinductive methods
A-simulations
Proving inequivalences

Slide 26/38: Simulations for must testing
Ingredients:
◮ weak actions as usual
◮ divergence/convergence
◮ failures/acceptances
◮ Convergence: $\Delta \Downarrow$ if there is no infinite sequence $\Delta \xrightarrow{\tau} \ldots \xrightarrow{\tau} \Delta_k \xrightarrow{\tau} \ldots$
Alternatively: $\Delta \not\Longrightarrow \mathrm{empDist}$
◮ Acceptances: $\Delta \;\mathrm{acc}\; A$ if $\Delta \Downarrow$ and $\Delta \stackrel{\tau}{\Longrightarrow} \Theta$ implies $\Theta \stackrel{a}{\Longrightarrow}$ for some $a$ in $A$

Slide 27/38: A-simulations in a pLTS
Largest relation $\lhd_{acc} \subseteq D_{sub}(S) \times S$ satisfying:
$\Theta \lhd_{acc} s$ implies: whenever $\Theta \Downarrow$,
◮ $s \Downarrow$
◮ $\Theta \;\mathrm{acc}\; A$ implies $s \;\mathrm{acc}\; A$
◮ and $\Theta \lhd_{acc} s$ and $s \xrightarrow{\mu} \Delta$ implies $\Theta \stackrel{\mu}{\Longrightarrow} \Theta'$ with $\Theta' \;\mathrm{lift}(\lhd_{acc})\; \Delta$
Use of subdistributions $D_{sub}(S)$ facilitates the treatment of divergence

Slide 28/38: Simulations and must testing
Soundness: In a finitary pLTS, $\Theta \lhd_{acc} s$ implies $\Theta \sqsubseteq_{pmust} s$ (difficult proof because of divergence)
Completeness: In a finitary pLTS, $\Theta \sqsubseteq_{pmust} s$ implies $\Theta \lhd_{acc} s$ (difficult proof)

Slide 29/38: Outline
Inductive methods
Coinductive methods
A-simulations
Proving inequivalences

Slide 30/38: Are these distinguishable by any test?
[Diagram: processes $Q$ and $P$, each starting with a $d$ action, with probabilistic branches of weight $\tfrac12$ and actions $a$, $b$, $c$.]
$Q \not\sqsubseteq_{pmay} P$
Use test $T = d.a.\omega$:
◮ sup of $\mathrm{Apply}(T, Q) = 1$
◮ sup of $\mathrm{Apply}(T, P) = \tfrac12$

Slide 31/38: Is $P \sqsubseteq_{pmay} Q$?
[Diagram: processes $Q$ and $P$, as on the previous slide.]
With $T = d.(\tau.a.(\omega \mathbin{{}_{1/2}\oplus} 0) + \tau.(b.\omega \mathbin{{}_{1/2}\oplus} c.\omega))$
◮ sup of $\mathrm{Apply}(T, P) = \tfrac34$
◮ sup of $\mathrm{Apply}(T, Q) = \tfrac12$
◮ Distinguishing tests can be hard to find.

Slide 32/38: Characterising preorders using logical properties
A set of properties Prop characterises $\sqsubseteq$ whenever
◮ $P \sqsubseteq Q$ implies for every $\phi$ in Prop, $Q$ satisfies $\phi$ whenever $P$ satisfies $\phi$
◮ $P \not\sqsubseteq Q$ whenever there is some $\phi$ in Prop such that
  ◮ $P$ satisfies $\phi$
  ◮ $Q$ does not satisfy $\phi$
Consequence: To show $P \not\sqsubseteq Q$ it is sufficient to find some $\phi$ such that
◮ $P$ satisfies $\phi$
◮ $Q$ does not satisfy $\phi$

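Slide 33/38: LTS: A modal logic for process properties
$\phi ::= tt \mid ff \mid \phi \wedge \phi' \mid \phi \vee \phi' \mid \langle\mu\rangle\phi \mid [\mu]\phi \mid \mathrm{acc}\; A$
Satisfaction:
◮ $P \models \langle\mu\rangle\phi$ if $P \stackrel{\mu}{\Longrightarrow} Q$ and $Q \models \phi$
◮ $P \models [\mu]\phi$ if
  ◮ $P \Downarrow$
  ◮ $Q \models \phi$ whenever $P \stackrel{\mu}{\Longrightarrow} Q$
◮ $P \models \mathrm{acc}\; A$ if
  ◮ $P \Downarrow$
  ◮ $P \stackrel{\tau}{\Longrightarrow} Q$ implies $Q \stackrel{a}{\Longrightarrow}$ for some $a$ in $A$
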
Slide 34/38: LTS: Property logics and testing
May testing:
◮ $\sqsubseteq_{may}$ characterised by $L = \{\, tt, \langle\mu\rangle, \vee \,\}$
Must testing:
◮ $\sqsubseteq_{must}$ characterised by $L = \{\, ff, [\mu], \wedge, \mathrm{acc}\; A \,\}$

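Slide 35/38: pLTS: A modal logic for probabilistic process properties
$\phi ::= \ldots \mid \langle\mu\rangle\psi_{dist} \mid [\mu]\psi_{dist} \mid \ldots$
$\psi_{dist} := \phi \mid \phi \mathbin{{}_{p}\wedge} \psi_{dist} \mid \phi \mathbin{{}_{p}\vee} \psi_{dist}$
Satisfaction: $\Delta \models \phi$
◮ $\Delta \models \langle\mu\rangle\psi_{dist}$ if $\Delta \stackrel{\mu}{\Longrightarrow} \Theta$ and $\Theta \models \psi_{dist}$
◮ $\Delta \models [\mu]\psi_{dist}$ if
  ◮ $\Delta \Downarrow$
  ◮ $\Theta \models \psi_{dist}$ whenever $\Delta \stackrel{\mu}{\Longrightarrow} \Theta$
◮ $\Delta \models \psi_1 \mathbin{{}_{p}\wedge} \psi_2$ if
  ◮ $\Delta = p \cdot \Delta_1 + (1 - p) \cdot \Delta_2$
  ◮ $\Delta_1 \models \psi_1$ and $\Delta_2 \models \psi_2$
◮ $\Delta \models \psi_1 \mathbin{{}_{p}\vee} \psi_2$ if
  ◮ $\Delta = p \cdot \Delta_1 + (1 - p) \cdot \Delta_2$
  ◮ $\Delta_1 \models \psi_1$ or $\Delta_2 \models \psi_2$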