Stuttering for Abstract Probabilistic Automata


Benoît Delahaye 1, Kim G. Larsen 2, and Axel Legay 1
1 INRIA/IRISA, France, {benoit.delahaye,axel.legay}@inria.fr
2 Aalborg University, Denmark, kgl@cs.aau.dk

Abstract. Probabilistic Automata (PAs) are a widely-recognized mathematical framework for the specification and analysis of systems with non-deterministic and stochastic behaviors. In a series of recent papers, we proposed Abstract Probabilistic Automata (APAs), a new abstraction framework for representing possibly infinite sets of PAs. We have developed a complete abstraction theory for APAs, and also proposed the first specification theory for them. APAs support both satisfaction and refinement operators, together with classical stepwise design operators. One of the major drawbacks of APAs is that the formalism cannot capture PAs with hidden actions; such actions are however necessary to describe behaviors that shall not be visible to a third party. In this paper, we revisit and extend the theory of APAs to such a context. Our first main result takes the form of a proposal for a new probabilistic satisfaction relation that captures several definitions of PAs with hidden actions. Our second main contribution is to revisit all the operations and properties defined on APAs for such notions of PAs. Finally, we also establish the first link between a stochastic modal logic and APAs, hence linking an automata-based specification theory to a logical one.

1 Introduction

Nowadays, systems are tremendously big and complex and mostly result from the assembling of several components. These components are usually designed by teams working independently but with a common agreement on what the interface of each component should be. These interfaces, also called specifications, make precise the behaviors expected from each component as well as the environment in which they can be used, but do not impose any constraint on how the components are implemented.
Instead of relying on Word/Excel text documents or modeling languages such as UML/XML, as is usually done in practice, a series of recent works recommend relying as much as possible on mathematically sound formalisms. Mathematical foundations that allow reasoning at the abstract level of interfaces, in order to infer properties of the global implementation, and to design or to advisedly (re)use components, form a very active research area known as compositional reasoning [17]. Any good specification theory shall be equipped with a satisfaction relation (to decide whether an implementation satisfies a specification), a refinement relation (to compare sets of implementations), a logical conjunction (to compute the intersection of sets of implementations), and a structural composition (to combine specifications). Additionally, properties such as precongruence of composition with respect to refinement [17] shall also be satisfied. Building good specification theories has been the subject of intensive studies, among which one finds classical logical specifications, various process algebras such as CSP, or Input/Output automata/interfaces (see [18, 7, 23]). Recently, a new series of works has concentrated on modal specifications [19], a language-theoretic account of a fragment of the modal mu-calculus logic which is known to admit a more flexible and easy-to-use compositional refinement method than those carried out in CSP [19, 28, 3].

[Fig. 1: Implementation PA (left) and specification APA (right) of a coffee machine. Legible parts of the figure: the PA has states i (labeled {ready}), a and b (labeled {tea}), a transition r with probability 1 from i back to i, and a transition c leading to a with probability .6 and to b with probability .4; the APA has states I (labeled {{ready}}) and C (labeled {∅, {tea}}), with transitions r, ϕ_r and c, ϕ_c, where ϕ_r requires probability 1 on I and ϕ_c requires probability 1 on C.]

As soon as systems include randomized algorithms, probabilistic protocols, or interact with a physical environment, probabilistic models are required to reason about them. This is exacerbated by requirements for fault tolerance, when systems need to be analyzed quantitatively for the amount of failure they can tolerate, or for the delays that may appear. As Henzinger and Sifakis [17] point out, introducing probabilities into design theories allows assessing dependability of IT systems in the same manner as commonly practiced in other engineering disciplines. In recent works [5, 10, 6], we proposed Constraint Markov Chains (CMCs), a complete specification theory for pure stochastic systems, namely Markov Chains (MCs). Roughly speaking, a CMC is a MC equipped with a constraint on the next-state probabilities from any state. An implementation for a CMC is thus a MC, whose next-state probability distribution satisfies the constraint associated with each state. Contrary to Interval Markov Chains where sets of distributions are represented by intervals, CMCs are closed under both composition and conjunction. Later, in [8], the CMC approach was extended to handle those systems that combine both stochastic and non-deterministic behaviors, i.e., Probabilistic Automata (PA). APAs, whose theory is implemented in the APAC toolset [9], are the result of combining Modal Automata and CMCs, the abstractions for labelled transition systems and Markov Chains, respectively. Like other modal-based specification theories, our formalism can be used in various areas, including abstract model checking and compositional reasoning.
The specification theory induced by APAs is more expressive than any classical specification theory where both implementations and specifications are represented by the same object. As an example, Segala's theory assumes that both specifications and implementations are represented with PAs [30, 25]. Such an approach does not permit representing an infinite set of non-deterministic behaviors in a finite way. On the other hand, while a satisfaction relation between PAs [24] can be expressed with classical notions of (stochastic) simulations [30], ours requires the use of a rather more complex definition of equivalence relation. Consider the implementation (left) and specification (right) of a coffee machine given in Figure 1. The specification specifies that there are two possible transitions from initial state $I$: a may transition labeled with action $r$ (reset) and a must transition labeled with action $c$ (coin). May transitions, which may not be implemented, are represented with dashed arrows. Must transitions, which shall be present in any implementation of the specification, are represented with plain arrows. The probability distributions associated with these actions are specified by the constraints $\varphi_r$ and $\varphi_c$, respectively. One can see that the implementation gives a more precise behavior of the coffee machine: action $r$ loops back to initial state $i$ with probability 1, while a coin leads to state $a$ (coffee) with probability .6 and to state $b$ (tea) with probability .4. Satisfaction between implementation and specification lifts the classical notion of simulation for PAs to APAs as follows: (1) all must transitions of the specification must be matched with transitions in the implementation, and (2) all transitions in the implementation must be matched with may transitions in the specification. Additionally, we have to check that the probability distributions in the implementation are matched with probability distributions in the specification that satisfy the given constraints.

Contribution. In the process of incremental design (as well as for other applications), it may be necessary to incrementally widen the scope of implementations. Usually, the latter is done by permitting the addition of hidden actions, also called stutter steps [30, 4], in the implementation. Introducing such actions is known to complicate the definition and the computation of operations such as bisimulation/simulation [30]. Moreover, it may break some properties such as precongruence of refinement with respect to composition [30]. The objective of this paper is to extend the APA specification theory by considering implementations with stuttering steps. Our first contribution is the definition of a new stochastic satisfaction relation for APAs. This relation generalizes stochastic simulation to the APA level. We then study various notions of stuttering and compare their expressivity. We also study the impact of adding stuttering on various properties such as precongruence of refinement with respect to composition. Finally, we define and study ML-(A)PA, that is a new modal logic for APAs and stuttering PAs. ML-(A)PA generalizes the PML logic [21, 20] of Larsen et al. from PAs to APAs and stuttering PAs.

Related work. A wide spectrum of different approaches study stuttering for non-stochastic systems [31] and stochastic ones [27, 1, 2]. In [2], the authors define weak bisimulation for fully probabilistic processes. This is in contrast with our model that combines both probabilistic and non-deterministic aspects. In [27, 1], weak bisimulation is extended to strictly alternating systems that combine both non-determinism and probabilities. Although such systems are similar to PAs, it is known that weak (branching) bisimulation for alternating systems is incomparable to weak bisimulation for non-alternating systems [29]. Moreover, it is worth mentioning that the above-mentioned works report on computing and checking weak bisimulation between probabilistic systems, while our aim is to propose a notion of weak simulation (satisfaction) between a probabilistic system and a probabilistic specification that represents a possibly infinite set of implementations. In [13], the author defines a notion of constraints on states to represent sets of probability distributions. Although this formalism resembles the one of constraints used in APAs, the constraints in [13] are used in a different context. Indeed, while we use constraints to represent sets of probabilistic transitions, [13] uses them to replace the non-deterministic choice between internal transitions by probability distributions. Finally we mention that the problem of defining compositionality in the probabilistic setting with hidden steps has also been addressed in various settings [29, 26, 22, 14, 13, 15]. In particular, [14] defines a general parallel composition operator for CSP that deals with hidden steps, and [15] suggests the removal of hidden steps through a transformation of CSP models. In both papers, the systems considered are strictly alternating and results are obtained with respect to a ready-trace notion of equivalence on processes, which makes it incomparable to our notion of stuttering satisfaction between specifications and implementations.

2 A Probabilistic Satisfaction for Abstract Probabilistic Automata

2.1 Abstract Probabilistic Automata

Let $Dist(S)$ denote the set of all discrete probability distributions over a finite set $S$, and let $B_2 = \{\top, \bot\}$.

Definition 1. A PA [30] is a tuple $(S, A, L, AP, V, s_0)$, where $S$ is a finite set of states with the initial state $s_0 \in S$, $A$ is a finite set of actions, $L : S \times A \times Dist(S) \to B_2$ is a (two-valued transition) function, $AP$ is a finite set of atomic propositions and $V : S \to 2^{AP}$ is a state-labeling function.

Consider a state $s$, an action $a$, and a probability distribution $\mu$. The value of $L(s, a, \mu)$ is set to $\top$ in case there exists a transition from $s$ under action $a$ to the distribution $\mu$ on successor states. In other cases, we have $L(s, a, \mu) = \bot$.

We now switch to Abstract Probabilistic Automata (APA) [8], that is a specification theory for PAs. Let $S$ be a finite set. We define $C(S)$ to be the set of constraints defined over discrete probability distributions on $S$. Each element $\varphi \in C(S)$ describes a set of distributions: $Sat(\varphi) \subseteq Dist(S)$. Let $B_3 = \{\top, ?, \bot\}$. APAs are formally defined as follows.

Definition 2. An APA [8] is a tuple $(S, A, L, AP, V, s_0)$, where $S$ is a finite set of states, $s_0 \in S$, $A$ is a finite set of actions, and $AP$ is a finite set of atomic propositions. $L : S \times A \times C(S) \to B_3$ is a three-valued distribution-constraint function, and $V : S \to 2^{2^{AP}}$ maps each state in $S$ to a set of admissible labelings.

APAs play the role of specifications in our framework. An APA transition abstracts transitions of a certain unknown PA, called its implementation. Given a state $s$, an action $a$, and a constraint $\varphi$, the value of $L(s, a, \varphi)$ gives the modality of the transition. More precisely, the value $\top$ means that transitions under $a$ must exist in the PA to some distribution in $Sat(\varphi)$; $?$ means that these transitions are allowed to exist; $\bot$ means that such transitions must not exist. Again $L$ may be partial. A lack of value for a given argument is equivalent to the value $\bot$, so we will sometimes avoid defining $\bot$-value rules in constructions to avoid clutter, and occasionally will say that something applies if $L$ takes the value $\bot$, meaning that it is either taking this value or it is undefined. The function $V$ labels each state with a subset of the powerset of $AP$, which models a disjunctive choice of possible combinations of atomic propositions.

2.2 A Probabilistic Satisfaction for APA

We now study the notion of satisfaction that relates a probabilistic automaton $P = (S_P, A, L_P, AP, V_P, s_0^P)$ to its corresponding APA specification $N = (S, A, L, AP, V, s_0)$. The notion of satisfaction proposed in [8] directly relates distributions in $P$ to distributions in $N$. As in the notion of probabilistic forward simulation presented in [24], we now extend this notion to account for linear combinations of distributions in $N$, hence generalizing results in [8].

Definition 3. Let $S$ and $S'$ be non-empty sets, and $\mu, \mu'$ be distributions; $\mu \in Dist(S)$ and $\mu' \in Dist(S')$. We say that $\mu$ is simulated by $\mu'$ with respect to a relation $R \subseteq S \times S'$ and a correspondence function $\delta : S \to (S' \to [0, 1])$ iff
1. for all $s \in S$, $\delta(s)$ is a distribution on $S'$ if $\mu(s) > 0$,
2. for all $s' \in S'$, $\sum_{s \in S} \mu(s) \cdot \delta(s)(s') = \mu'(s')$, and
3. whenever $\delta(s)(s') > 0$ then $(s, s') \in R$.
We write $\mu \Subset_R^\delta \mu'$, meaning that $\mu$ is simulated by $\mu'$ with respect to $R$ and $\delta$, and we write $\mu \Subset_R \mu'$ iff there exists a function $\delta$ such that $\mu \Subset_R^\delta \mu'$.
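The following Python script is an added illustration of Definition 3; it is not code from the paper or from the APAC toolset. It checks conditions 1 to 3 for a given correspondence function δ and, because Definition 3 only asks that some δ exist, also searches for one: the existence of δ is a transportation problem, so it is decided here by a max-flow over the pairs admitted by R (a standard reduction assumed for this example; the paper does not describe its own decision procedure). The sample input is constructed from Figure 1: the implementation's coin transition (a with .6, b with .4) against the specification's µ_c, which puts probability 1 on C, under the relation R = {(i, I), (a, C), (b, C)} (the relation itself is an assumption).

```python
from collections import defaultdict

EPS = 1e-9


def is_distribution(d):
    """A map state -> probability is a distribution if it is non-negative and sums to 1."""
    return all(p >= -EPS for p in d.values()) and abs(sum(d.values()) - 1.0) < 1e-6


def simulated_by(mu, mu_prime, R, delta):
    """Definition 3 for a given delta: True iff mu is simulated by mu_prime w.r.t. R and delta."""
    # Condition 1: delta(s) is a distribution on S' wherever mu(s) > 0.
    for s, p in mu.items():
        if p > EPS and not is_distribution(delta.get(s, {})):
            return False
    # Condition 3: delta only puts weight on pairs that belong to R.
    for s, row in delta.items():
        for s2, w in row.items():
            if w > EPS and (s, s2) not in R:
                return False
    # Condition 2: the lifted mass sum_s mu(s) * delta(s)(s') equals mu_prime(s') for every s'.
    targets = set(mu_prime) | {s2 for row in delta.values() for s2 in row}
    for s2 in targets:
        lifted = sum(p * delta.get(s, {}).get(s2, 0.0) for s, p in mu.items())
        if abs(lifted - mu_prime.get(s2, 0.0)) > 1e-6:
            return False
    return True


def find_correspondence(mu, mu_prime, R):
    """Search for delta with mu simulated by mu_prime (returns None when no delta exists).
    Assumed reduction: source -> s with capacity mu(s); s -> s' with capacity 1 when (s, s') in R;
    s' -> sink with capacity mu_prime(s'). A flow of value 1 is exactly a delta,
    with delta(s)(s') = flow(s, s') / mu(s)."""
    SRC, SNK = ("src",), ("snk",)
    cap = defaultdict(dict)

    def edge(u, v, c):
        cap[u][v] = cap[u].get(v, 0.0) + c
        cap[v].setdefault(u, 0.0)            # reverse edge for the residual graph

    for s, p in mu.items():
        if p > EPS:
            edge(SRC, ("L", s), p)
    for s2, p in mu_prime.items():
        if p > EPS:
            edge(("R", s2), SNK, p)
    for s, s2 in R:
        if mu.get(s, 0.0) > EPS and mu_prime.get(s2, 0.0) > EPS:
            edge(("L", s), ("R", s2), 1.0)
    flow = defaultdict(lambda: defaultdict(float))

    def augment(u, pushed, seen):            # depth-first search for one augmenting path
        if u == SNK:
            return pushed
        seen.add(u)
        for v, c in cap[u].items():
            residual = c - flow[u][v]
            if residual > EPS and v not in seen:
                got = augment(v, min(pushed, residual), seen)
                if got > EPS:
                    flow[u][v] += got
                    flow[v][u] -= got
                    return got
        return 0.0

    total = 0.0
    while True:
        got = augment(SRC, float("inf"), set())
        if got <= EPS:
            break
        total += got
    if abs(total - 1.0) > 1e-6:
        return None
    return {s: {s2: flow[("L", s)][("R", s2)] / p
                for s2 in mu_prime if flow[("L", s)][("R", s2)] > EPS}
            for s, p in mu.items() if p > EPS}


# Constructed from Figure 1: the implementation's coin transition against the specification's mu_c.
MU_COIN = {"a": 0.6, "b": 0.4}
MU_C = {"C": 1.0}
R_FIG1 = {("i", "I"), ("a", "C"), ("b", "C")}

if __name__ == "__main__":
    delta = find_correspondence(MU_COIN, MU_C, R_FIG1)
    print(delta, simulated_by(MU_COIN, MU_C, R_FIG1, delta))   # delta sends a and b to C
    print(find_correspondence(MU_COIN, {"I": 1.0}, R_FIG1))     # None: (a, I) and (b, I) are not in R
```

The same lifting is what both conditions of Definition 4 below rely on; for the second condition the target distribution is the convex combination $\sum_i \rho_i \mu_i$, which can be passed to `find_correspondence` as `mu_prime` once the weights $\rho_i$ are fixed.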

We then define probabilistic satisfaction as follows.

Definition 4 (Probabilistic Satisfaction). Let $P = (S_P, A, L_P, AP, V_P, s_0^P)$ be a PA and $N = (S, A, L, AP, V, s_0)$ be an APA. A binary relation $R \subseteq S_P \times S$ is a probabilistic satisfaction relation iff, for any $(s, s') \in R$, the following conditions hold:
- for all $a \in A$ and $\varphi' \in C(S)$ such that $L(s', a, \varphi') = \top$, there exists a distribution $\mu_P \in Dist(S_P)$ such that $L_P(s, a, \mu_P) = \top$ and there exists $\mu' \in Sat(\varphi')$ such that $\mu_P \Subset_R \mu'$,
- for all $a \in A$ and $\mu_P \in Dist(S_P)$ such that $L_P(s, a, \mu_P) = \top$, there exist $\varphi_1, \ldots, \varphi_n \in C(S)$ such that for all $i$, $L(s', a, \varphi_i) \neq \bot$, and there exist $\mu_i \in Sat(\varphi_i)$ and $\rho_i \in [0, 1]$ such that $\sum_i \rho_i = 1$ and $\mu_P \Subset_R (\sum_i \rho_i \mu_i)$, and
- $V_P(s) \in V(s')$.
We say that $P$ probabilistically satisfies $N$, written $P \models_P N$, iff there exists a probabilistic satisfaction relation $R$ such that $s_0^P \, R \, s_0$. The set of probabilistic implementations of APA $N$ is defined by $[\![N]\!]_P = \{P \mid P \models_P N\}$.

It is easy to see that this extension of satisfaction is conservative with respect to all the good properties presented in [8]. In the rest of this paper, we study the impact of adding stuttering to the specification theory.

3 Stuttering for Abstract Probabilistic Automata

We now study an extension of the APA specification theory where implementations may have stutter steps. In the rest of this section, we first introduce various notions of stuttering for PAs and then we extend the satisfaction relation to them. Later, we shall study the impact of stuttering on refinement and structural/logical composition.

3.1 Introducing Stutter Actions

Consider a PA $P = (S_P, A_P, L_P, AP, V_P, s_0^P)$. We must assume that any state $s'$ that can be reached from a state $s$ by following a sequence of hidden actions $H \subseteq A_P$ cannot be distinguished from $s$, i.e., has the same valuation as $s$.

Definition 5 (Consistent set of hidden actions). Let $P = (S_P, A_P, L_P, AP, V_P, s_0^P)$ and let $H \subseteq A_P$. We say that $H$ is a consistent set of hidden actions regarding $P$ if for all $s \in S_P$ and $a \in H$, if there exists $\mu \in Dist(S_P)$ such that $L_P(s, a, \mu) = \top$, then for all $s' \in S_P$, we have $\mu(s') > 0 \Rightarrow V_P(s') = V_P(s)$.

The following example shows that, as is the case for other specification theories (see e.g. [12]), there are various ways to formally define a stuttering transition.

Example 1. Consider the stuttering PA $P$ given in Figure 2, whose set of consistent hidden actions is $\{m, e\}$. $P$ represents a coffee machine that has two modes. Action $m$ allows choosing between the two modes. In mode A, represented by state 2 and its successors, the action $c$ leads to states labeled with tea and coffee with probability .5 each. From states 4 and 5, either the coffee machine can be reset with action $r$, but will stay in the same mode, or can suffer an error (action $e$) that leads to deadlock states 8 and 9. In mode B, one can again choose a sub-mode with action $m$, leading to states 6 and 7 that deliver tea and coffee with different probabilities.

[Fig. 2: Example of a stuttering PA $P$ with $m$ and $e$ as hidden actions, and a stuttering transition in $P$. (a) Stuttering PA $P$ with $m$ and $e$ as hidden actions. (b) Stuttering transition $1 \Rightarrow_c \mu$ in $P$ where stuttering happens both before and after the visible action $c$. Legible parts of the figure: states 1, 2, 3, 6 and 7 are labeled {ready} and states 4, 8 and 10 are labeled {tea}; transitions $r, 1$ from 1 to 1 and from 4 and 5 to 2; $m$ from 1 to 2 and 3 and from 3 to 6 and 7; $c, .5 / .5$ from 2 to 4 and 5; $e, 1$ from 4 to 8 and from 5 to 9; $c, .8 / .2$ from 6 to 10 and 11; $c, .2 / .8$ from 7 to 10 and 11.]

Considering different notions of stuttering will lead to different sets of executions for the PA $P$. As an example, stuttering could be restricted to happen only before visible actions. The execution presented in Figure 3a represents a stuttering execution $1 \Rightarrow_c \mu_0$ (informally, one can reach distribution $\mu_0$ from state 1 by following action $c$ interleaved with hidden actions), where the internal action $m$ happens before the visible action $c$, leading to distribution $\mu_0$. Remark that such an execution could not be considered if we restricted stuttering to happen only after visible actions. The unfolding of $P$ given in Figure 3b presents two stuttering executions $1 \Rightarrow_r \mu_1$ and $2 \Rightarrow_c \mu_2$ where in both cases stuttering only happens after the visible action. Again, such executions could not be considered if we restricted stuttering to happen only before visible actions. Finally, the execution presented in Figure 2b represents a stuttering transition $1 \Rightarrow_c \mu$ in $P$ where stuttering happens both before and after the visible action $c$.

As illustrated in the example above, the choice made in the definition of stuttering will have a strong impact on the executions allowed in PAs. In order to be as general as possible, we choose to allow stuttering to happen both before and after visible actions. The only restriction we make is that stuttering cannot happen independently of visible actions, that is, for each stuttering transition, a visible action must be taken. This leads to the following definition.

Definition 6 (Stuttering transitions for PAs). Let $P = (S_P, A_P, L_P, AP, V_P, s_0^P)$ be a PA, and let $H \subseteq A_P$ be a consistent set of hidden actions. We define the notion of $H$-stuttering recursively as follows:

Base case: For all $s \in S_P$, $a \in A_P$ and $\mu \in Dist(S_P)$, we say that $s \Rightarrow^1_{H,a} \mu$ iff $L(s, a, \mu) = \top$. As a shortcut, we write $s \Rightarrow^1_{H,\tau} \mu$ if there exists $b \in H$ such that $s \Rightarrow^1_{H,b} \mu$.

[Fig. 3: Example of stuttering transitions in the PA $P$ of Figure 2. (a) Stuttering transition $1 \Rightarrow_c \mu_0$ in the PA $P$ of Figure 2 where stuttering happens before the visible action $c$. (b) Stuttering transitions $1 \Rightarrow_r \mu_1$ and $2 \Rightarrow_c \mu_2$ in the PA $P$ of Figure 2 where stuttering happens after the visible actions $r$ and $c$.]

Recursion: For all $s \in S_P$, $k > 1$, $a \in A_P$ and $\mu \in Dist(S_P)$, we say that $s \Rightarrow^k_{H,a} \mu$ iff
1. either $a \notin H$ and there exist $\mu_1 \in Dist(S_P)$ and $b \in H$ such that $L(s, b, \mu_1) = \top$ and the following conditions hold: for all states $r \in S_P$ such that $\mu_1(r) > 0$, there exist $k' < k$ and $\mu_r \in Dist(S_P)$ such that $r \Rightarrow^{k'}_{H,a} \mu_r$, and for all $s' \in S_P$,
$$\mu(s') = \sum_{r \in S_P} \mu_1(r)\,\mu_r(s');$$
2. or there exist $\mu_1 \in Dist(S_P)$ such that $L(s, a, \mu_1) = \top$ and a subset $R \subseteq S_P$ such that the following conditions hold: for all states $r \in R$, we have $\mu_1(r) > 0$ and there exist $k' < k$ and $\mu_r \in Dist(S_P)$ such that $r \Rightarrow^{k'}_{H,\tau} \mu_r$, and for all $s' \in S_P$,
$$\mu(s') = \begin{cases} \sum_{r \in R} \mu_1(r)\,\mu_r(s') & \text{if } s' \in R, \\ \mu_1(s') + \sum_{r \in R} \mu_1(r)\,\mu_r(s') & \text{otherwise.} \end{cases}$$
We say that $s \Rightarrow_{H,a} \mu$ if there exists $k > 0$ such that $s \Rightarrow^k_{H,a} \mu$.

Informally, stuttering can happen either before (case 1) or after (case 2) taking the visible action.  Remark that the two cases are not exclusive and can interleave. If stuttering occurs before action $a$, then all successor states $r$ must admit a stuttering transition involving $a$. In such a case, the overall probability of reaching a state $s'$ is the sum through all stuttering paths.
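As an added example of Definitions 5 and 6 (Python written for this page, not code from the paper or the APAC toolset), the script below enumerates every distribution $\mu$ with $s \Rightarrow^k_{H,a} \mu$ for a given $k$, treating $\tau$ as "some action of $H$", and checks consistency of the hidden set first. The automaton is a reconstruction of the PA of Figure 2 from the legible parts of the figure and from the probabilities of Example 2 below; the .5/.5 split of both $m$-transitions and the empty label of the coffee states 5, 9 and 11 are assumptions. The distribution derived in Example 2 appears among the $k = 3$ $c$-stutterings from state 1.

```python
from functools import lru_cache
from itertools import product

TAU = "tau"   # pseudo-action standing for "some hidden action b in H" (the shortcut of Definition 6)

# Constructed PA P, reconstructed from Figure 2 and Example 2: transitions as (state, action, distribution).
# Assumptions: both m-transitions are .5/.5; states 5, 9 and 11 (the coffee states) carry the empty label.
P_LABELS = {1: {"ready"}, 2: {"ready"}, 3: {"ready"}, 4: {"tea"}, 5: set(), 6: {"ready"},
            7: {"ready"}, 8: {"tea"}, 9: set(), 10: {"tea"}, 11: set()}
P_TRANS = [
    (1, "r", {1: 1.0}), (1, "m", {2: 0.5, 3: 0.5}),
    (2, "c", {4: 0.5, 5: 0.5}), (3, "m", {6: 0.5, 7: 0.5}),
    (4, "r", {2: 1.0}), (5, "r", {2: 1.0}), (4, "e", {8: 1.0}), (5, "e", {9: 1.0}),
    (6, "c", {10: 0.8, 11: 0.2}), (7, "c", {10: 0.2, 11: 0.8}),
]


def consistent_hidden(trans, labels, hidden):
    """Definition 5: every hidden step leads only to states with the same valuation."""
    return all(labels[t] == labels[s]
               for s, a, mu in trans if a in hidden
               for t, p in mu.items() if p > 0)


def _freeze(mu):
    """Hashable, rounded form of a distribution (so sets of distributions can be compared)."""
    return tuple(sorted((t, round(p, 9)) for t, p in mu.items() if p > 1e-12))


def _mix(base, weights, parts):
    """base(s') + sum_r weights[r] * parts[r](s'): the sums of both cases of Definition 6."""
    mu = dict(base)
    for r, part in zip(weights, parts):
        for t, p in part:
            mu[t] = mu.get(t, 0.0) + weights[r] * p
    return _freeze(mu)


def stutter_dists(trans, hidden, s, a, k):
    """All distributions mu with s =>^k_{H,a} mu (Definition 6), as a list of dicts; a may be TAU."""
    hidden = frozenset(hidden)

    @lru_cache(maxsize=None)
    def go(s, a, k):
        acts = hidden if a == TAU else {a}
        if k == 1:                                   # base case: a plain transition of P
            return frozenset(_freeze(mu) for u, b, mu in trans if u == s and b in acts)
        fewer = lambda r, act: [f for kk in range(1, k) for f in go(r, act, kk)]   # some k' < k
        out = set()
        for u, b, mu1 in trans:
            if u != s:
                continue
            supp = [r for r, p in mu1.items() if p > 0]
            if b in hidden and a != TAU and a not in hidden:        # case 1: hidden step, then a
                for parts in product(*(fewer(r, a) for r in supp)):  # every successor must stutter on a
                    out.add(_mix({}, {r: mu1[r] for r in supp}, parts))
            if b in acts:                                           # case 2: a, then stutter from R
                for mask in range(1 << len(supp)):                  # every subset R of the support
                    R = [r for i, r in enumerate(supp) if mask >> i & 1]
                    for parts in product(*(fewer(r, TAU) for r in R)):
                        base = {t: p for t, p in mu1.items() if t not in R}   # mass kept where we stop
                        out.add(_mix(base, {r: mu1[r] for r in R}, parts))
        return frozenset(out)

    return [dict(f) for f in go(s, a, k)]


if __name__ == "__main__":
    assert consistent_hidden(P_TRANS, P_LABELS, {"m", "e"})
    for mu in stutter_dists(P_TRANS, {"m", "e"}, 1, "c", 3):
        print(mu)   # one of them is {5: .25, 8: .25, 10: .25, 11: .25}, the mu of Example 2
```

Restricting the enumeration to case 2 or case 1 only gives the relations $\Rightarrow^A$ and $\Rightarrow^B$ introduced after Definition 6. Because each call to `fewer` ranges over all $k' < k$, the results for $k$ also contain the interleavings of shorter stutterings, which is what the definition's "there exist $k' < k$" asks for.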

If stuttering occurs after action $a$, then we denote by $R$ the set of successor states from which we stutter, and by $S_P \setminus R$ the set of states in which we stop. Remark that the set $R$ is dynamic in the sense that a different set $R$ may be chosen for each step of a stuttering transition. In this case the overall probability of going to a state $s' \in R$ is the sum through all stuttering paths, while the overall probability of going to a state $s' \notin R$ is the addition of the probability of going to $s'$ directly (without stutter) with the sum through all stuttering paths.

In the rest of the paper, we denote by $\Rightarrow^A$ (resp. $\Rightarrow^B$) stuttering transitions where stuttering only happens after (resp. before) the visible action, obtained by removing item 1. (resp. 2.) from the recursive part of Definition 6.

Example 2. Consider the PA $P = (S_P, A_P, L_P, AP, V_P, 1)$ given in Figure 2, and a distribution $\mu$ such that $\mu(5) = \mu(8) = \mu(10) = \mu(11) = .25$. The situation is represented in Figure 2b. Let us see how to derive that $1 \Rightarrow^3_{\{e,m\},c} \mu$. We follow the following description.
1. For $[1 \Rightarrow^3_{\{e,m\},c} \mu]$: we have $c \notin \{e, m\}$ and $L_P(1, m, \mu_1) = \top$ with $m \in \{e, m\}$ (case 1). States 2 and 3 are the only states for which $\mu_1$ gives non-zero probability, and $2 \Rightarrow^2_{\{e,m\},c} \mu_2$ and $3 \Rightarrow^2_{\{e,m\},c} \mu_3$, with $\mu(s') = \mu_1(2)\mu_2(s') + \mu_1(3)\mu_3(s')$.
2. For $[2 \Rightarrow^2_{\{e,m\},c} \mu_2]$: we have $L_P(2, c, \mu_2') = \top$ (case 2) and there exists $R = \{4\} \subseteq S_P$ such that $\mu_2'(4) > 0$ and $4 \Rightarrow^1_{\{e,m\},\tau} \mu_4$. In addition, we obtain after simplifications:
$$\mu_2 : \begin{cases} 8 \mapsto \mu_2'(4)\,\mu_4(8) = .5 \\ 5 \mapsto \mu_2'(5) + 0 = .5 \end{cases}$$
We observe that $[4 \Rightarrow^1_{\{e,m\},\tau} \mu_4]$ is a base case.
3. For $[3 \Rightarrow^2_{\{e,m\},c} \mu_3]$: we have $c \notin \{e, m\}$ and $L_P(3, m, \mu_3') = \top$ with $m \in \{e, m\}$ (case 1). States 6 and 7 are the only states for which $\mu_3'$ gives non-zero probability, and $6 \Rightarrow^1_{\{e,m\},c} \mu_6$ and $7 \Rightarrow^1_{\{e,m\},c} \mu_7$ with $\mu_3(s') = \mu_3'(6)\mu_6(s') + \mu_3'(7)\mu_7(s')$. We observe that $[6 \Rightarrow^1_{\{e,m\},c} \mu_6]$ and $[7 \Rightarrow^1_{\{e,m\},c} \mu_7]$ are base cases.
Finally, we obtain the following result:
$$\mu(5) = \mu_1(2)\,\mu_2'(5) = .25, \qquad \mu(8) = \mu_1(2)\,\mu_2'(4)\,\mu_4(8) = .25,$$
$$\mu(10) = \mu_1(3)\,\big(\mu_3'(6)\mu_6(10) + \mu_3'(7)\mu_7(10)\big) = .25, \qquad \mu(11) = \mu_1(3)\,\big(\mu_3'(6)\mu_6(11) + \mu_3'(7)\mu_7(11)\big) = .25.$$

3.2 On Stutter Satisfaction

We now introduce the notion of stutter satisfaction, that is an extension of Definition 4 for stuttering PAs.

Definition 7 (Stutter Satisfaction). Let $P = (S_P, A_P, L_P, AP, V_P, s_0^P)$ be a PA, and let $N = (S, A, L, AP, V, s_0)$ be an APA such that $A \subseteq A_P$ and $H = A_P \setminus A$ is a consistent set of hidden actions for $P$. A binary relation $R \subseteq S_P \times S$ is a stutter satisfaction relation iff, for any $(s, s') \in R$, the following conditions hold:

1. for all $a \in A$ and $\varphi' \in C(S)$, if $L(s', a, \varphi') = \top$, then there exists a distribution $\mu \in Dist(S_P)$ such that $s \Rightarrow_{H,a} \mu$ and there exists $\mu' \in Sat(\varphi')$ such that $\mu \Subset_R \mu'$,
2. for all $\mu \in Dist(S_P)$ and $a \in A$ such that $s \Rightarrow_{H,a} \mu$, there exist constraints $\varphi_1, \ldots, \varphi_n \in C(S)$ such that for all $i$, $L(s', a, \varphi_i) \neq \bot$, and there exist $\rho_i \in [0, 1]$ and $\mu_i \in Sat(\varphi_i)$ such that $\sum_i \rho_i = 1$ and $\mu \Subset_R (\sum_i \rho_i \mu_i)$, and
3. $V_P(s) \in V(s')$.
We say that $P = (S_P, A_P, L_P, AP, V_P, s_0^P)$ stutter-satisfies $N = (S, A, L, AP, V, s_0)$, written $P \models N$, iff $A \subseteq A_P$, $H = A_P \setminus A$ is a consistent set of hidden actions for $P$, and there exists a stutter satisfaction relation $R$ such that $s_0^P \, R \, s_0$. The set of stuttering implementations of APA $N$ is given by $[\![N]\!] = \{P \mid P \models N\}$.

Algorithms to decide such a satisfaction relation can be obtained directly from those proposed in [10, 11] for the case where there are no stuttering loops. Otherwise, the problem is still open.

Example 3. The PA $P$ given in Figure 2 satisfies the specification of the coffee machine of Figure 1 with the notion of stuttering satisfaction given above. The stuttering satisfaction relation $R$ is as follows: $R = \{(\{1, 2, 3, 6, 7\}, I), (\{4, 5, 8, 9, 10, 11\}, C)\}$, i.e., every state of the first set is related to $I$ and every state of the second set to $C$. We show how state 1 of $P$ satisfies state $I$ of the specification and leave it to the reader to verify that the rest of the relation $R$ satisfies the axioms of Definition 7 above.
- In the specification, we have $L(I, c, \varphi_c) = \top$. There exists a matching distribution in $P$: we have $1 \Rightarrow^3_{\{e,m\},c} \mu$, with $\mu$ defined in Example 2, and $\mu \Subset_R \mu_c$ with $\mu_c : C \mapsto 1$, $\mu_c \in Sat(\varphi_c)$.
- In the implementation, we can verify that for all $a \in \{r, c\}$ and $\mu_P$ such that $1 \Rightarrow_{\{e,m\},a} \mu_P$, we have a matching constraint and distribution in the specification: either $\varphi_r$ or $\varphi_c$.
- $V_P(1) = \{ready\} \in V(I) = \{\{ready\}\}$.

Remark that the choice we made in the definition of stutter transitions, by allowing stuttering to happen both before and after the visible action, strongly influences the notion of stuttering satisfaction. We denote by $\models^A$ (resp. $\models^B$) the notion of satisfaction obtained by replacing the general notion of stutter transition with the restricted notion $\Rightarrow^A$ (resp. $\Rightarrow^B$). The following theorem states that the different notions of stutter satisfaction $\models$, $\models^A$ and $\models^B$ cannot be compared in general.

Theorem 1. There exist PAs $P$, $P_A$ and $P_B$ and an APA $N$ such that: [table of the nine judgments $P \models^A N$, $P \models^B N$, $P \models N$, $P_A \models^A N$, $P_A \models^B N$, $P_A \models N$, $P_B \models^A N$, $P_B \models^B N$ and $P_B \models N$, some of which are negated; the negation marks are not legible in this transcription.]

Refinement. We now consider refinement, that is a relation that allows us to compare APAs in terms of sets of implementations. In Segala's theory, refinement boils down to (stochastic) simulation. In the context of APAs, refinement usually extends the definition of satisfaction. Extending Definition 7 would require considering stuttering in the specification itself, which is not the topic of this paper. For this reason, we use the refinement relation proposed in [11].

Definition 8 (Refinement([11])). Let N = (S, A, L, AP, V, s 0 ) nd N = (S, A, L, AP, V, s 0) be APAs. R S S is refinement reltion if nd only if, for ll (s, s ) R, the following conditions hold: 1. A, ϕ C(S ), if L (s,, ϕ ) =, then ϕ C(S) : L(s,, ϕ) = nd µ St(ϕ), µ St(ϕ ) such tht µ R µ, 2. A, ϕ C(S), if L(s,, ϕ), then µ St(ϕ), ϕ C(S ) : L (s,, ϕ ) nd µ St(ϕ ) such tht µ R µ, nd 3. V (s) V (s ). We sy tht N refines N, denoted N W N, if nd only if there exists refinement reltion relting s 0 nd s 0. In [11], it is shown tht for two given APAs N 1 nd N 2, we hve N 1 W N 2 [N 1 ] [N 2 ], where [N i ] represent PAs without stuttering steps. The following theorem extends this result to the cse of PAs with stuttering steps. Theorem 2. Let P be PA nd let N nd N be APAs. If P = N nd N W P = N. N, then Conjunction. We now turn our ttention to the interction between stuttering nd conjunction. Due to spce limittions, the definition of conjunction is given in Appendix A. As proven in [11], conjunction is the gretest lower bound with respect to refinement [11], i.e. for ll APAs N 1, N 2 nd N 3, (N 1 W N 2 ) (N 1 W N 3 ) N 1 W (N 2 N 3 ). Furthermore, it coincides with the intersection of sets of (non-stuttering) implementtions: for ll N 1 nd N 2, [N 1 ] [N 2 ] = [[N 1 N 2 ]. In the following, we show tht this result is preserved with the new notion of stuttering implementtion. Theorem 3. Given two APAs N 1 nd N 2, it holds tht [N 1 ] [N 2 ] = [N 1 N 2 ]. 4 Logicl chrcteriztion We now turn our ttention to proposing modl logic ML-(A)PA for PAs nd APAs. This logic resembles the Probbilistic Modl Logic PML [21, 20]. The min differences between PML nd ML-(A)PA re tht (1) ML-(A)PA is designed to specify properties for both PAs nd APAs, while PML is restricted to PAs, (2) The semntics of ML-(A)PA for PAs considers stuttering trnsitions, while PML does not, nd finlly (3) unlike PML, ML-(A)PA is disjunction nd negtion-free. 
We first give the syntax of ML-(A)PA and its semantics for PAs and APAs, then we study its soundness and completeness.

$\psi ::= V_{val} \mid \psi_1 \wedge \psi_2 \mid \langle a \rangle_{\bowtie p}\, \psi \mid [a]_{\bowtie p}\, \psi$, where $V_{val} \in 2^{2^{AP}}$, $a \in A$, $\bowtie \in \{\geq, >\}$, and $p \in [0, 1]$.

Let $F(A, AP)$ be the set of formulas over $A$ and $AP$. We define the semantics of ML-(A)PA for both PAs and APAs. Let $P = (S_P, A_P, L_P, AP, V_P, s^P_0)$ be a PA and let $N = (S, A, L, AP, V, s_0)$ be an APA. Assume that $A \subseteq A_P$ is a set of actions such that $H = A_P \setminus A$ is a consistent set of hidden actions for $P$. We define the satisfaction relation between states of $P$ (resp. $N$) and formulas in $F(A, AP)$ by induction as in Figure 4. We say that $P$ satisfies $\psi$, written $P \models \psi$, iff $A_P \setminus A$ is a consistent set of hidden actions for $P$ and $s^P_0 \models \psi$. We say that $N$ satisfies $\psi$, written $N \models \psi$, iff $s_0 \models \psi$. The logic ML-(A)PA and its relation to PAs/APAs is illustrated in the following example.

Fig. 4: Semantics of ML-(A)PA for PAs and APAs (state $s$ of a PA, resp. of an APA).

$V_{val}$: PA: $s \models V_{val}$ iff $V_P(s) \in V_{val}$. APA: $s \models V_{val}$ iff $V(s) \subseteq V_{val}$.

$\psi_1 \wedge \psi_2$: PA and APA: $s \models \psi_1$ and $s \models \psi_2$.

$\langle a \rangle_{\bowtie p}\, \psi$: PA: $\exists \mu \in Dist(S_P)$ s.t. $s \Rightarrow_a \mu$ and $\sum_{\{s' \mid s' \models \psi\}} \mu(s') \bowtie p$. APA: $\exists \varphi \in C(S)$ s.t. $L(s, a, \varphi) = \top$ and $\forall \mu \in St(\varphi)$ : $\sum_{\{s' \mid s' \models \psi\}} \mu(s') \bowtie p$.

$[a]_{\bowtie p}\, \psi$: PA: $\forall \mu \in Dist(S_P)$, if $s \Rightarrow_a \mu$, then $\sum_{\{s' \mid s' \models \psi\}} \mu(s') \bowtie p$. APA: $\forall \varphi \in C(S)$, if $L(s, a, \varphi) \neq \bot$, then $\forall \mu \in St(\varphi)$ : $\sum_{\{s' \mid s' \models \psi\}} \mu(s') \bowtie p$.

Example 4. Consider the specification of a coffee machine $N$ given in Figure 1 and the implementation $P$ of the coffee machine given in Figure 2. Let $A = \{r, c\}$ and $AP = \{ready, tea, coffee\}$ and consider the following formulas in $F(A, AP)$:

$\psi_1 ::= [c]_{\geq 1}\, \{\emptyset, \{tea\}\}$
$\psi_2 ::= [r]_{\geq 1}\, ([c]_{\geq 1}\, \{\emptyset, \{tea\}\})$
$\psi_3 ::= \langle c \rangle_{\geq .5}\, \{\emptyset\}$
$\psi_4 ::= \{\{ready\}\} \wedge \langle c \rangle_{\geq 1}\, ([r]_{\geq 1}\, \{\{ready\}\})$

One can verify that $N \models \psi_1$, $N \models \psi_2$ and $N \models \psi_4$ and that $N$ does not satisfy $\psi_3$. Indeed, state $C$ of $N$ does not satisfy the formula $\{\emptyset\}$. However, one can verify that $P \models \psi_1 \wedge \psi_2 \wedge \psi_3 \wedge \psi_4$. In particular, the satisfaction of $\psi_3$ is ensured by the existence of a distribution $\mu$ given in Figure 2b such that $1 \Rightarrow^{\{e, m\}}_{c} \mu$ in $P$ and $\mu$ assigns probability $.5$ to a state satisfying $\{\emptyset\}$.

We now show that ML-(A)PA is sound and complete with respect to stutter satisfaction. We start with soundness.

Theorem 4 (Soundness). Let $N = (S, A, L, AP, V, s_0)$ be an APA and $\psi \in F(A, AP)$ be a formula. If $N \models \psi$, then for all PAs $P = (S_P, A_P, L_P, AP, V_P, s^P_0)$ such that $P \models N$, it holds that $P \models \psi$.

It is worth mentioning that soundness would not hold if ML-(A)PA were equipped with negation or with the comparison operators $\{<, \leq\}$. This is illustrated in the following example.

Example 5. Assume that ML-(A)PA is equipped with the dual comparison operator $\leq$. Consider the formula $\psi_5 ::= [a]_{\leq .5}\, \{\{\alpha\}\}$. Consider the APA $N$ given in Figure 5a. Since $\{\{\alpha\}, \{\beta\}\} \not\subseteq \{\{\alpha\}\}$, state $C$ of $N$ does not satisfy $\{\{\alpha\}\}$. It thus follows that $N \models \psi_5$. Now consider the PA $P$ given in Figure 5b. One can verify that $P \models N$. However, since state $2$ of $P$ satisfies $\{\{\alpha\}\}$, we have that $P \not\models \psi_5$. A similar example can be produced to prove that ML-(A)PA would not be sound if equipped with negation.
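To make the PA column of Fig. 4 concrete, here is a small checker for ML-(A)PA formulas over a non-stuttering PA, added here as an illustration; it is not code from the paper or from the APAC tool. It evaluates the four formulas of Example 4 on a constructed coffee-machine PA (an assumption of the example, not the Figure 2 implementation, which is not reproduced here), so with no hidden actions the stutter relation $\Rightarrow_a$ collapses to the plain transition relation; the tuple encoding of formulas is likewise the example's own choice.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, FrozenSet, List, Tuple

State = int
Valuation = FrozenSet[str]            # one valuation V_P(s), e.g. frozenset({"ready"})
Dist = Dict[State, Fraction]          # a distribution mu over states

@dataclass
class PA:
    """Non-stuttering PA: every action is visible, so s =>_a mu is just s -a-> mu."""
    init: State
    V: Dict[State, Valuation]
    trans: Dict[Tuple[State, str], List[Dist]]   # (s, a) -> every mu with s -a-> mu

# Formula constructors for ML-(A)PA: V_val | psi1 /\ psi2 | <a>_{op p} psi | [a]_{op p} psi
def val(*vals) -> tuple:
    """V_val: a set of valuations, each given as an iterable of atomic propositions."""
    return ("val", frozenset(frozenset(v) for v in vals))

def conj(f: tuple, g: tuple) -> tuple:
    return ("and", f, g)

def dia(a: str, op: str, p, f: tuple) -> tuple:
    return ("dia", a, op, Fraction(p), f)

def box(a: str, op: str, p, f: tuple) -> tuple:
    return ("box", a, op, Fraction(p), f)

def _cmp(op: str, lhs: Fraction, p: Fraction) -> bool:
    # ML-(A)PA only has >= and >; Example 5 shows why <= would break soundness.
    if op == ">=":
        return lhs >= p
    if op == ">":
        return lhs > p
    raise ValueError("ML-(A)PA comparison operators are '>=' and '>' only")

def sat(pa: PA, s: State, f: tuple) -> bool:
    """s |= f, following the PA column of Fig. 4 (exact arithmetic via Fraction)."""
    kind = f[0]
    if kind == "val":                     # V_P(s) in V_val
        return pa.V[s] in f[1]
    if kind == "and":
        return sat(pa, s, f[1]) and sat(pa, s, f[2])
    _, a, op, p, sub = f
    successors = pa.trans.get((s, a), [])

    def mass(mu: Dist) -> Fraction:       # sum of mu(s') over the s' with s' |= sub
        return sum((pr for t, pr in mu.items() if sat(pa, t, sub)), Fraction(0))

    if kind == "dia":                     # some mu with s -a-> mu has mass op p
        return any(_cmp(op, mass(mu), p) for mu in successors)
    return all(_cmp(op, mass(mu), p) for mu in successors)   # box: every such mu

def satisfies(pa: PA, f: tuple) -> bool:
    """P |= f iff its initial state satisfies f (no hidden actions in this model)."""
    return sat(pa, pa.init, f)

# Constructed coffee-machine PA (an assumption of this example, not Figure 2):
# states 1..4, actions r and c, atomic propositions ready and tea.
COFFEE = PA(
    init=1,
    V={1: frozenset({"ready"}), 2: frozenset(), 3: frozenset(), 4: frozenset({"tea"})},
    trans={(1, "r"): [{2: Fraction(1)}],
           (1, "c"): [{3: Fraction(1, 2), 4: Fraction(1, 2)}],
           (2, "c"): [{3: Fraction(1, 5), 4: Fraction(4, 5)}],
           (3, "r"): [{1: Fraction(1)}],
           (4, "r"): [{1: Fraction(1)}]},
)

# The four formulas of Example 4, encoded with the constructors above.
PSI1 = box("c", ">=", 1, val((), ("tea",)))
PSI2 = box("r", ">=", 1, PSI1)
PSI3 = dia("c", ">=", Fraction(1, 2), val(()))
PSI4 = conj(val(("ready",)), dia("c", ">=", 1, box("r", ">=", 1, val(("ready",)))))

def check_example4() -> Dict[str, bool]:
    """psi1..psi4 on COFFEE, plus two probes: a strict threshold and a non-initial state."""
    return {"psi1": satisfies(COFFEE, PSI1), "psi2": satisfies(COFFEE, PSI2),
            "psi3": satisfies(COFFEE, PSI3), "psi4": satisfies(COFFEE, PSI4),
            "psi3_strict": satisfies(COFFEE, dia("c", ">", Fraction(1, 2), val(()))),
            "psi3_at_state2": sat(COFFEE, 2, PSI3)}
```

The two probes show the edge behaviour of the thresholds: $\langle c \rangle_{> .5}\{\emptyset\}$ fails where $\langle c \rangle_{\geq .5}\{\emptyset\}$ holds, and a box formula holds vacuously in a state with no matching transition.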
We now show that ML-(A)PA is complete with respect to stutter satisfaction.

Fig. 5: PA $P$ and APA $N$ such that $N \models \psi_5$, $P \models N$ and $P \not\models \psi_5$. (a) APA $N$: state $A$ ($\{\{\alpha\}\}$) with a must $a$-transition under constraint $\varphi$ towards states $B$ ($\{\{\alpha\}\}$) and $C$ ($\{\{\alpha\}, \{\beta\}\}$), where $\mu \in St(\varphi) \iff (\mu(B) = .5) \wedge (\mu(C) = .5)$. (b) PA $P$: state $1$ ($\{\alpha\}$) with an $a$-transition of probability 1 to state $2$ ($\{\alpha\}$).

Theorem 5 (Completeness). Let $N = (S, A, L, AP, V, s_0)$ be a consistent APA and let $\psi \in F(A, AP)$. It holds that $(\forall P \in [\![N]\!],\ P \models \psi) \implies N \models \psi$.

This theorem is proved using an induction technique on the structure of the formula. Due to space limitations, the proof is reported to Appendix G. It is worth mentioning that completeness would not hold if ML-(A)PA were equipped with disjunction. This is illustrated in the following example, adapted from [3].

Example 6. Let $N = (\{A, B\}, \{a\}, L, \{\alpha, \beta\}, V, A)$ be an APA such that $V(A) = V(B) = \{\{\alpha\}\}$ and $L(A, a, \varphi) = {?}$ with $\mu \in St(\varphi)$ iff $\mu(B) = 1$. Assume that ML-(A)PA is extended with disjunction and consider the formula $\psi_6 ::= \langle a \rangle_{\geq 1}\, \{\{\alpha\}\} \vee [a]_{\geq 1}\, \{\{\beta\}\}$. Since state $A$ does not have any must transition, we have that $N \not\models \langle a \rangle_{\geq 1}\, \{\{\alpha\}\}$. Moreover, since $V(B) \not\subseteq \{\{\beta\}\}$, we have that $N \not\models [a]_{\geq 1}\, \{\{\beta\}\}$. As a consequence, $N \not\models \psi_6$. However, any implementation of $N$ either contains no $a$-transition at all, thus satisfying $[a]_{\geq 1}\, \{\{\beta\}\}$, or it contains an $a$-transition leading to $\{\alpha\}$ with probability 1, thus satisfying $\langle a \rangle_{\geq 1}\, \{\{\alpha\}\}$. As a consequence, $\forall P \in [\![N]\!]$, $P \models \psi_6$.

In addition to being sound and complete with respect to stutter satisfaction, ML-(A)PA also matches the notion of conjunction of APAs, as shown in the following theorem.

Theorem 6. Let $N_1$ and $N_2$ be two APAs and let $\psi_1$ and $\psi_2$ be two formulas. If $N_1 \models \psi_1$ and $N_2 \models \psi_2$ then $(N_1 \wedge N_2) \models (\psi_1 \wedge \psi_2)$.

5 On composition of APAs and Stuttering

We now show that the notion of structural composition that allows combining APAs does not preserve the precongruence property of refinement once stuttering is allowed. Consider the classical notion of composition between PAs, originally proposed by Segala [30] and extended to the setting of APAs [8]. This notion of composition allows synchronizing on a common set of actions $\bar{A}$ while allowing independent progress on the complement of $\bar{A}$.
When composing APAs, the resulting constraint represents products of distributions satisfying the original constraints. Due to space limitations, the formal definition is given in Appendix B. Unfortunately, the notion of stuttering satisfaction as presented in Section 3 is not compatible with composition. This is formalized in the following theorem.

Theorem 7. There exist two compatible (in the sense of composition) PAs $P_1$ and $P_2$ and two compatible (in the sense of composition) APAs $N_1$ and $N_2$ such that $P_1 \models N_1$, $P_2 \models N_2$ and $P_1 \parallel_{\bar{A}} P_2 \not\models N_1 \parallel_{\bar{A}} N_2$.

Fig. 6: APA specifications and stuttering PA implementations showing that $(P_1 \parallel P_2) \not\models (N_1 \parallel N_2)$. (a) APA $N_1$: state $A$ ($\{\{i\}\}$) with a must $a$-transition of probability 1 to state $B$ ($\{\{\alpha\}\}$). (b) Stuttering PA $P_1$ such that $P_1 \models N_1$; the internal action is $e$: state $1$ ($\{i\}$) reaches state $2$ ($\{i\}$) by $e$ with probability 1, and state $2$ reaches state $3$ ($\{\alpha\}$) by $a$ with probability 1. (c) APA $N_2$: state $A'$ ($\{\{i'\}\}$) with a may $b$-transition under constraint $\varphi$ towards states $B'$ ($\{\{\beta\}\}$) and $C'$ ($\{\{\gamma\}\}$), where $\mu \in St(\varphi) \iff (\mu(B') > 0) \wedge (\mu(C') > 0)$. (d) Stuttering PA $P_2$ such that $P_2 \models N_2$; the internal action is $f$: state $1'$ ($\{i'\}$) reaches states $2'$ and $3'$ (both $\{i'\}$) by $f$ with probability $.5$ each; then $2'$ reaches $4'$ ($\{\beta\}$) and $3'$ reaches $5'$ ($\{\gamma\}$) by $b$ with probability 1.

Proof. Consider the PAs $P_1$ and $P_2$ and the APAs $N_1$ and $N_2$ given in Figure 6. We have that $P_1 \models N_1$ and $P_2 \models N_2$. Let $\bar{A} = \emptyset$ be the synchronization set. The composition of the specifications $N = N_1 \parallel N_2$ is given in Figure 7a. The composition of the implementations $P = P_1 \parallel P_2$ is partly sketched in Figure 7b. Let $\mu'$ be the distribution in $P_1 \parallel P_2$ such that $\mu'(3, 2') = \mu'(3, 3') = .5$. The stuttering transition $(1, 1') \Rightarrow^{\{e, f\}}_{a} \mu'$ in $P$ is shown in Figure 7b. States $(3, 2')$ and $(3, 3')$ of $P$ cannot satisfy state $(B, A')$ of $N$. Indeed, the outgoing transitions of states $(3, 2')$ and $(3, 3')$ cannot be redistributed to satisfy constraint $\tilde{\varphi}_2$. As a consequence, the transition $(1, 1') \Rightarrow^{\{e, f\}}_{a} \mu'$ in $P$ cannot match the transition $(A, A') \xrightarrow{a, 1} (B, A')$ in $N$. Thus $(P_1 \parallel P_2) \not\models (N_1 \parallel N_2)$.

The reason for this setback is the well-known problem of distributed scheduling [16]. When composing two stuttering PAs, one allows interleaving of atomic stuttering steps from both sides, which generates extra behaviours. Our solution is to transform a PA $P$ with a consistent set of hidden actions $H$ into a non-stuttering PA $\widehat{P}$ that satisfies the same APA specifications as $P$. This transformation removes stuttering by computing all the distributions that can be reached with stuttering in $P$ and inserting them in the transition function of $\widehat{P}$.

Definition 9. Let $P = (S_P, A_P, L_P, AP, V_P, s^P_0)$ be a PA and let $H$ be a consistent set of hidden actions for $P$. Define the PA $\widehat{P} = (S_P, A_P \setminus H, \widehat{L}_P, AP, V_P, s^P_0)$ such that $\forall s \in S_P$, $\forall a \in A_P \setminus H$, $\forall \mu \in Dist(S_P)$, $\widehat{L}_P(s, a, \mu) = \top \iff s \Rightarrow^{H}_{a} \mu$ in $P$.

By construction, $\widehat{P}$ is such that for all APAs $N = (S, A_P \setminus H, L, AP, V, s_0)$, we have $P \models N \iff \widehat{P} \models N$. We have the following theorem.
Theorem 8. Let $P_1 = (S^1_P, A^1_P, L^1_P, AP_1, V^1_P, s^{P_1}_0)$ and $P_2 = (S^2_P, A^2_P, L^2_P, AP_2, V^2_P, s^{P_2}_0)$ be two PAs such that $AP_1 \cap AP_2 = \emptyset$. Let $N_1 = (S_1, A_1, L_1, AP_1, V_1, s^1_0)$ and $N_2 = (S_2, A_2, L_2, AP_2, V_2, s^2_0)$ be APAs such that $H_1 = A^1_P \setminus A_1$ and $H_2 = A^2_P \setminus A_2$ are consistent sets of hidden actions for $P_1$ and $P_2$ respectively, with $H_1 \cap A_2 = H_2 \cap A_1 = \emptyset$. For all $\bar{A} \subseteq A_1 \cap A_2$, we have the following: if $P_1 \models N_1$ and $P_2 \models N_2$ then $\widehat{P_1} \parallel_{\bar{A}} \widehat{P_2} \models N_1 \parallel_{\bar{A}} N_2$, where $\widehat{P_1}$ and $\widehat{P_2}$ are obtained by Definition 9 with respect to $H_1$ and $H_2$.

Fig. 7: APA $N_1 \parallel N_2$ and stuttering transition in $P_1 \parallel P_2$ preventing satisfaction. (a) APA $N = N_1 \parallel N_2$: initial state $(A, A')$ ($\{\{i, i'\}\}$) with a must $a$-transition of probability 1 to $(B, A')$ ($\{\{\alpha, i'\}\}$) and a may $b$-transition under $\tilde{\varphi}_1$ towards $(A, B')$ ($\{\{i, \beta\}\}$) and $(A, C')$ ($\{\{i, \gamma\}\}$); state $(B, A')$ has a may $b$-transition under $\tilde{\varphi}_2$ towards $(B, B')$ ($\{\{\alpha, \beta\}\}$) and $(B, C')$ ($\{\{\alpha, \gamma\}\}$), where $\mu \in St(\tilde{\varphi}_1) \iff (\mu(A, B') > 0) \wedge (\mu(A, C') > 0) \wedge (\mu(A, B') + \mu(A, C') = 1)$ and $\mu \in St(\tilde{\varphi}_2) \iff (\mu(B, B') > 0) \wedge (\mu(B, C') > 0) \wedge (\mu(B, B') + \mu(B, C') = 1)$. (b) Stuttering transition in $P = P_1 \parallel P_2$: $(1, 1')$ ($\{i, i'\}$) reaches $(2, 1')$ by $e$ with probability 1, then $(3, 1')$ ($\{\alpha, i'\}$) by $a$ with probability 1, then $(3, 2')$ and $(3, 3')$ (both $\{\alpha, i'\}$) by $f$ with probability $.5$ each, which yields $\mu'$; from there, $b$-transitions of probability 1 lead to $(3, 4')$ ($\{\alpha, \beta\}$) and $(3, 5')$ ($\{\alpha, \gamma\}$).

6 Future work

In the future, we will study specifications with stuttering. This is complex as one will have to define a notion of may/must stutter transition in the specification APAs. The main problem is the constraints on distributions: the recursive step in the stutter transitions will have to take into account and propagate that the stutter remains valid for any solution of the constraints. Finally, all the work should also be implemented in APAC.

References

1. Andova, S., Willemse, T.A.C.: Branching bisimulation for probabilistic systems: Characteristics and decidability. Theor. Comput. Sci. 356 (2006) 325–355
2. Baier, C., Hermanns, H.: Weak bisimulation for fully probabilistic processes. In: CAV. LNCS, Vol. 1254. Springer (1997) 119–130
3. Bauer, S.S., Juhl, L., Larsen, K.G., Legay, A., Srba, J.: Extending modal transition systems with structured labels. MSCS 22 (2012) 1–37
4. Bauer, S.S., Mayer, P., Schroeder, A., Hennicker, R.: On weak modal compatibility, refinement, and the MIO workbench. In: TACAS. LNCS, Vol. 6015. Springer (2010) 175–189
5. Caillaud, B., Delahaye, B., Larsen, K.G., Legay, A., Pedersen, M.L., Wąsowski, A.: Compositional design methodology with constraint Markov chains. In: QEST. IEEE Computer (2010)

6. Caillaud, B., Delahaye, B., Larsen, K.G., Legay, A., Pedersen, M.L., Wąsowski, A.: Constraint Markov chains. Theor. Comput. Sci. 412 (2011) 4373–4404
7. de Alfaro, L., Henzinger, T.A.: Interface automata. In: FSE. ACM Press (2001) 109–120
8. Delahaye, B., Katoen, J.-P., Larsen, K., Legay, A., Pedersen, M., Sher, F., Wąsowski, A.: Abstract probabilistic automata. In: VMCAI. LNCS. Springer (2011)
9. Delahaye, B., Larsen, K.G., Legay, A., Pedersen, M.L., Wąsowski, A.: APAC: a tool for reasoning about Abstract Probabilistic Automata. In: QEST. IEEE Computer (2011)
10. Delahaye, B., Larsen, K.G., Legay, A., Pedersen, M.L., Wąsowski, A.: New Results on Constraint Markov Chains. Performance Evaluation (2011) To appear.
11. Delahaye, B., Katoen, J.-P., Larsen, K.G., Legay, A., Pedersen, M.L., Sher, F., Wąsowski, A.: New Results on Abstract Probabilistic Automata. In: ACSD. IEEE Computer (2011)
12. Fischbein, D., Braberman, V.A., Uchitel, S.: A sound observational semantics for modal transition systems. In: ICTAC. LNCS, Vol. 5684. Springer (2009) 215–230
13. Georgievska, S.: Probability and Hiding in Concurrent Processes. PhD thesis, Eindhoven University of Technology (2011)
14. Georgievska, S., Andova, S.: Composing systems while preserving probabilities. In: EPEW. LNCS, Vol. 6342. Springer (2010) 268–283
15. Georgievska, S., Andova, S.: Probabilistic CSP: Preserving the laws via restricted schedulers. In: MMB/DFT. LNCS, Vol. 7201. Springer (2012) 136–150
16. Giro, S., D'Argenio, P.R., Fioriti, L.M.F.: Partial order reduction for probabilistic systems: A revision for distributed schedulers. In: CONCUR. LNCS, Vol. 5710. Springer (2009) 338–353
17. Henzinger, T.A., Sifakis, J.: The embedded systems design challenge. In: FM. LNCS, Vol. 4085. Springer (2006) 1–15
18. Hermanns, H., Herzog, U., Katoen, J.: Process algebra for performance evaluation. TCS 274 (2002) 43–87
19. Larsen, K.G.: Modal specifications. In: AVMS. LNCS, Vol. 407. (1989) 232–246
20. Larsen, K.G., Skou, A.: Compositional verification of probabilistic processes. In: CONCUR. LNCS, Vol. 630. Springer (1992) 456–471
21. Larsen, K.G., Skou, A.: Bisimulation through probabilistic testing. In: POPL. (1989) 344–352
22. Lowe, G.: Representing nondeterministic and probabilistic behaviour in reactive processes. Formal Asp. Comput. 3 (1993) 1
23. Lynch, N., Tuttle, M.R.: An introduction to Input/Output automata. CWI-Quarterly 2 (1989)
24. Lynch, N.A., Segala, R., Vaandrager, F.W.: Compositionality for probabilistic automata. In: CONCUR. LNCS, Vol. 2761. Springer (2003) 204–222
25. Mitra, S., Lynch, N.A.: Proving approximate implementations for probabilistic I/O automata. Electr. Notes Theor. Comput. Sci. 174 (2007) 71–93
26. Morgan, C., McIver, A., Seidel, K., Sanders, J.W.: Refinement-oriented probability for CSP. Formal Asp. Comput. 8 (1996)
27. Philippou, A., Lee, I., Sokolsky, O.: Weak bisimulation for probabilistic systems. In: CONCUR. LNCS, Vol. 1877. Springer (2000) 334–349
28. Raclet, J.-B.: Quotient de spécifications pour la réutilisation de composants. PhD thesis, Université de Rennes I (2007) (In French).
29. Segala, R.: Modeling and Verification of Randomized Distributed Real-time Systems. PhD thesis, MIT (1995)
30. Segala, R., Lynch, N.A.: Probabilistic simulations for probabilistic processes. NJC 2 (1995) 250–273
31. van Glabbeek, R.J.: The linear time - branching time spectrum II. In: CONCUR. LNCS, Vol. 715. Springer (1993) 66–81

A Appendix for Section 3.2

We recall the formal definition of conjunction of APAs from [11].

Definition 10. Let $N = (S, A, L, AP, V, s_0)$ and $N' = (S', A, L', AP, V', s'_0)$ be APAs sharing action and proposition sets. Their conjunction $N \wedge N'$ is the APA $(S \times S', A, \tilde{L}, AP, \tilde{V}, (s_0, s'_0))$ where $\tilde{V}((s, s')) = V(s) \cap V'(s')$ and

(1) $a \in (Must(s') \setminus May(s)) \cup (Must(s) \setminus May(s')) \implies \tilde{L}((s, s'), a, \mathit{false}) = \top$,

(2) $a \in (May(s) \setminus May(s')) \cup (May(s') \setminus May(s)) \implies \tilde{L}((s, s'), a, \tilde{\varphi}) = \bot$ for all $\tilde{\varphi} \in C(S \times S')$,

(3) $a \in May(s) \cap May(s') \wedge L(s, a, \varphi) \neq \bot \wedge L'(s', a, \varphi') \neq \bot \implies \tilde{L}((s, s'), a, \tilde{\varphi}) = {?}$, where $\tilde{\varphi} \in C(S \times S')$ is such that $\tilde{\mu} \in St(\tilde{\varphi})$ iff both the distribution $\mu : t \mapsto \sum_{t' \in S'} \tilde{\mu}((t, t'))$ is in $St(\varphi)$ and the distribution $\mu' : t' \mapsto \sum_{t \in S} \tilde{\mu}((t, t'))$ is in $St(\varphi')$,

(4) $a \in Must(s) \wedge L(s, a, \varphi) = \top \implies \tilde{L}((s, s'), a, \tilde{\varphi}') = \top$, where $\tilde{\varphi}' \in C(S \times S')$ is such that $\tilde{\mu} \in St(\tilde{\varphi}')$ iff both the distribution $\mu : t \mapsto \sum_{t' \in S'} \tilde{\mu}((t, t'))$ is in $St(\varphi)$, and there exists $\varphi' \in C(S')$ with $L'(s', a, \varphi') \neq \bot$ such that the distribution $\mu' : t' \mapsto \sum_{t \in S} \tilde{\mu}((t, t'))$ is in $St(\varphi')$,

(5) $a \in Must(s') \wedge L'(s', a, \varphi') = \top \implies \tilde{L}((s, s'), a, \tilde{\varphi}'') = \top$, where $\tilde{\varphi}'' \in C(S \times S')$ is such that $\tilde{\mu} \in St(\tilde{\varphi}'')$ iff both there exists $\varphi \in C(S)$ with $L(s, a, \varphi) \neq \bot$ such that the distribution $\mu : t \mapsto \sum_{t' \in S'} \tilde{\mu}((t, t'))$ is in $St(\varphi)$, and the distribution $\mu' : t' \mapsto \sum_{t \in S} \tilde{\mu}((t, t'))$ is in $St(\varphi')$.

B Appendix for Section 5

We recall the formal definition of composition of APAs from [8, 11].

Fig. 8: PAs $P_B$ and $P_A$ illustrating the different notions of stuttering. (a) PA $P_B$ with internal action $m$; (b) PA $P_A$ with internal action $e$. Both are coffee-machine implementations over the valuations $\{ready\}$ and $\{tea\}$ with visible action $c$ (probabilities $.8$, $.2$ and $1$ on the $c$-transitions); in $P_A$, the hidden action $e$ leaves the initial state $1$ with probability 1.

Definition 11 (Parallel composition of APAs). Let $N = (S, A, L, AP, V, s_0)$ and $N' = (S', A', L', AP', V', s'_0)$ be APAs and assume $AP \cap AP' = \emptyset$. The parallel composition of $N$ and $N'$ w.r.t. a synchronization set $\bar{A} \subseteq A \cap A'$, written as $N \parallel_{\bar{A}} N'$, is given as $N \parallel_{\bar{A}} N' = (S \times S', A \cup A', \tilde{L}, AP \cup AP', \tilde{V}, (s_0, s'_0))$ where $\tilde{L}$ is defined as follows:

For all $(s, s') \in S \times S'$ and $a \in \bar{A}$, if there exist $\varphi \in C(S)$ and $\varphi' \in C(S')$ such that $L(s, a, \varphi) \neq \bot$ and $L'(s', a, \varphi') \neq \bot$, define $\tilde{L}((s, s'), a, \tilde{\varphi}) = L(s, a, \varphi) \sqcap L'(s', a, \varphi')$ with $\tilde{\varphi}$ the new constraint in $C(S \times S')$ such that $\tilde{\mu} \in St(\tilde{\varphi})$ iff there exist $\mu \in St(\varphi)$ and $\mu' \in St(\varphi')$ such that $\tilde{\mu}(u, v) = \mu(u) \cdot \mu'(v)$ for all $u \in S$ and $v \in S'$. If either for all $\varphi \in C(S)$ we have $L(s, a, \varphi) = \bot$, or for all $\varphi' \in C(S')$ we have $L'(s', a, \varphi') = \bot$, then for all $\tilde{\varphi} \in C(S \times S')$, $\tilde{L}((s, s'), a, \tilde{\varphi}) = \bot$.

For all $(s, s') \in S \times S'$, $a \in A \setminus \bar{A}$, and for all $\varphi \in C(S)$, define $\tilde{L}((s, s'), a, \tilde{\varphi}) = L(s, a, \varphi)$ with $\tilde{\varphi}$ the new constraint in $C(S \times S')$ such that $\tilde{\mu} \in St(\tilde{\varphi})$ iff for all $u \in S$ and $v \neq s'$, $\tilde{\mu}(u, v) = 0$ and the distribution $\mu : t \mapsto \tilde{\mu}(t, s')$ is in $St(\varphi)$.

For all $(s, s') \in S \times S'$, $a \in A' \setminus \bar{A}$, and for all $\varphi' \in C(S')$, define $\tilde{L}((s, s'), a, \tilde{\varphi}') = L'(s', a, \varphi')$ with $\tilde{\varphi}'$ the new constraint in $C(S \times S')$ such that $\tilde{\mu}' \in St(\tilde{\varphi}')$ iff for all $u \neq s$ and $v \in S'$, $\tilde{\mu}'(u, v) = 0$ and the distribution $\mu' : t' \mapsto \tilde{\mu}'(s, t')$ is in $St(\varphi')$.

$\tilde{V}$ is defined as follows: for all $(s, s') \in S \times S'$, $\tilde{V}((s, s')) = \{\tilde{B} = B \cup B' \mid B \in V(s) \text{ and } B' \in V'(s')\}$.

C Proof of Theorem 1

We prove that there exist PAs $P$, $P_A$ and $P_B$ and an APA $N$ such that the following holds:
$P \models_A N$, $P \models_B N$, $P \models N$;
$P_A \models_A N$, $P_A \not\models_B N$, $P_A \not\models N$;
$P_B \not\models_A N$, $P_B \models_B N$, $P_B \models N$.

Proof. Consider the PAs $P_B$ and $P_A$ given in Figure 8. Both represent different implementations of a coffee machine with hidden actions $m$ and $e$. One can see that the PA $P_B$ cannot satisfy the specification $N$ of the coffee machine given in Figure 1 if we only allow stutter to happen after visible actions. Indeed, in this case, there is no possible transition from the initial state $1$ in $P_B$. On the contrary, if we allow stutter to happen only before visible actions, then $P_B$ satisfies $N$. If stuttering is allowed to happen both before and after the visible actions, then $P_B$ also satisfies $N$. Thus, we have the following: $P_B \not\models_A N$, $P_B \models_B N$, $P_B \models N$.

Consider now the PA $P_A$ given in Figure 8b. In $P_A$, an error can happen from the initial state $1$ using hidden action $e$, leading to the bad state $2$. This state does not conform to the specification and prevents $P_A$ from satisfying $N$ if stutter can happen before visible actions. However, if stuttering is only allowed to happen after visible actions, then state $2$ is not reachable anymore in $P_A$. Thus, we obtain the following: $P_A \models_A N$, $P_A \not\models_B N$, $P_A \not\models N$.

Finally, in the case of the PA $P$ given in Figure 2, we have that $P \models_A N$, $P \models_B N$, $P \models N$.

D Proof of Theorem 2

Let $P = (S_P, A_P, L_P, AP, V_P, s^P_0)$ be a PA and let $N = (S, A, L, AP, V, s_0)$ and $N' = (S', A, L', AP, V', s'_0)$ be APAs. If $P \models N$ and $N \preceq N'$, then $P \models N'$.

Proof. Let $P = (S_P, A_P, L_P, AP, V_P, s^P_0)$ be a PA and let $N = (S, A, L, AP, V, s_0)$ and $N' = (S', A, L', AP, V', s'_0)$ be APAs. Assume that $P \models N$ and $N \preceq N'$. Let $H = A_P \setminus A$ be the set of hidden actions in $P$. Let $R$ and $R'$ be the relations witnessing $P \models N$ and $N \preceq N'$, respectively. Consider the relation $R'' \subseteq S_P \times S'$ such that $s_P\, R''\, s'$ iff there exists $s \in S$ such that $s_P\, R\, s$ and $s\, R'\, s'$. We prove that $R''$ is a stutter satisfaction relation. Let $s_P \in S_P$ and $s' \in S'$ be such that $s_P\, R''\, s'$, and let $s \in S$ be the associated state in $N$.

1. Let $a \in A$ and $\varphi' \in C(S')$ be such that $L'(s', a, \varphi') = \top$. By $R'$, there exists $\varphi \in C(S)$ such that $L(s, a, \varphi) = \top$ and $\forall \mu \in St(\varphi)$, $\exists \mu' \in St(\varphi')$ : $\mu \Subset_{R'} \mu'$. By $R$, there exists a distribution $\mu_P \in Dist(S_P)$ such that $s_P \Rightarrow^{H}_{a} \mu_P$ and there exists $\mu \in St(\varphi)$ such that $\mu_P \Subset_R \mu$.
Let $\delta : S_P \to (S \to [0, 1])$ be the correspondence function witnessing $\mu_P \Subset^{\delta}_R \mu$. Let $\mu' \in St(\varphi')$ be such that $\mu \Subset_{R'} \mu'$ and let $\delta' : S \to (S' \to [0, 1])$ be the witnessing correspondence function. We show that $\mu_P \Subset_{R''} \mu'$. Consider the function $\delta'' : S_P \to (S' \to [0, 1])$ such that
$$\delta''(s_P)(s'_1) = \sum_{s_1 \in S} \delta(s_P)(s_1)\, \delta'(s_1)(s'_1).$$
We show that $\delta''$ is a correspondence function such that $\mu_P \Subset^{\delta''}_{R''} \mu'$.

(a) Let $s_P \in S_P$. By construction, we have that $\sum_{s'_1 \in S'} \delta''(s_P)(s'_1) = 1$.

(b) Let $s'_1 \in S'$. Then
$$\sum_{s_P \in S_P} \mu_P(s_P)\, \delta''(s_P)(s'_1) = \sum_{s_P \in S_P} \mu_P(s_P) \sum_{s_1 \in S} \delta(s_P)(s_1)\, \delta'(s_1)(s'_1) = \sum_{s_1 \in S} \delta'(s_1)(s'_1) \sum_{s_P \in S_P} \mu_P(s_P)\, \delta(s_P)(s_1) = \sum_{s_1 \in S} \mu(s_1)\, \delta'(s_1)(s'_1) = \mu'(s'_1).$$

(c) Assume that $\delta''(s_P)(s'_1) > 0$. Then there exists $s_1 \in S$ such that $\delta(s_P)(s_1) > 0$ and $\delta'(s_1)(s'_1) > 0$. Therefore $s_P\, R\, s_1$ and $s_1\, R'\, s'_1$. Thus, by definition, $s_P\, R''\, s'_1$.

2. Let $a \in A$ and $\mu_P \in Dist(S_P)$ be such that $s_P \Rightarrow^{H}_{a} \mu_P$. By $R$, there exist $\varphi_1, \ldots, \varphi_n \in C(S)$ such that, for all $i$, $L(s, a, \varphi_i) \neq \bot$ and there exist $\rho_i \in [0, 1]$ and $\mu_i \in St(\varphi_i)$ such that $\sum_i \rho_i = 1$ and $\mu_P \Subset_R (\sum_i \rho_i \mu_i)$. Let $\delta$ be the associated correspondence function. By $R'$, there exist $\varphi'_1, \ldots, \varphi'_n \in C(S')$ such that, for all $i$, $L'(s', a, \varphi'_i) \neq \bot$ and $\forall \mu_i \in St(\varphi_i)$, $\exists \mu'_i \in St(\varphi'_i)$ : $\mu_i \Subset_{R'} \mu'_i$. Let $\delta_i$ be the correspondence functions such that $\mu_i \Subset^{\delta_i}_{R'} \mu'_i$. For all $s_P \in S_P$, if $\mu_P(s_P) = 0$, then define $\delta''(s_P)(s'_2) = 0$ for all $s'_2$. Other­wise, define $\delta''$ as follows:
$$\delta''(s_P)(s'_2) = \sum_{s_1 \in S^{+}_{1}} \delta(s_P)(s_1)\, \frac{\sum_{i=1}^{n} \rho_i\, \mu_i(s_1)\, \delta_i(s_1)(s'_2)}{\sum_{j=1}^{n} \rho_j\, \mu_j(s_1)},$$
where $S^{+}_{1}$ is the set of states $s_1 \in S$ such that there exists $i$ with $\mu_i(s_1) > 0$. We can safely assume that whenever $s_1 \notin S^{+}_{1}$, we have $\delta(s_P)(s_1) = 0$. It follows that $\delta''$ is a correspondence function and that $\mu_P \Subset^{\delta''}_{R''} (\sum_i \rho_i \mu'_i)$.

3. By $R$, we have $V_P(s_P) \in V(s)$, and by $R'$, we have $V(s) \subseteq V'(s')$. Thus $V_P(s_P) \in V'(s')$.

Since $s^P_0\, R''\, s'_0$, we conclude that $R''$ is a stutter satisfaction relation, and therefore $P \models N'$.

E Proof of Theorem 3

Proof. Let $N_1 = (S_1, A, L_1, AP, V_1, s^1_0)$ and $N_2 = (S_2, A, L_2, AP, V_2, s^2_0)$ be two APAs, and let $N_1 \wedge N_2 = (S_1 \times S_2, A, \tilde{L}, AP, \tilde{V}, (s^1_0, s^2_0))$ be their conjunction, defined as in [11]. Let $P = (S, A_P, L, AP, V, s_0)$ be a PA such that $P \models N_1 \wedge N_2$. We prove that $P \models N_1$ and $P \models N_2$. Let $R \subseteq S \times (S_1 \times S_2)$ be the stuttering relation witnessing $P \models N_1 \wedge N_2$. Define the relations $R_1 \subseteq S \times S_1$ and $R_2 \subseteq S \times S_2$ such that $(s, s_1) \in R_1$ iff there exists $s_2 \in S_2$ such that $(s, (s_1, s_2)) \in R$, and $(s, s_2) \in R_2$ iff there exists $s_1 \in S_1$ such that $(s, (s_1, s_2)) \in R$.
We prove that $R_1$ is a stuttering satisfaction relation. The proof for $R_2$ is symmetric. Let $s \in S$ and $s_1 \in S_1$ be such that $(s, s_1) \in R_1$. By construction there exists $s_2 \in S_2$ such that $(s, (s_1, s_2)) \in R$.

1. Let $a \in A$ and $\varphi_1 \in C(S_1)$ be such that $L_1(s_1, a, \varphi_1) = \top$. By construction of $N_1 \wedge N_2$, there exists $\tilde{\varphi} \in C(S_1 \times S_2)$ such that $\tilde{L}((s_1, s_2), a, \tilde{\varphi}) = \top$, and $\tilde{\varphi}$ is such that $\tilde{\mu} \in St(\tilde{\varphi})$ iff the distribution $\mu_1 : s'_1 \mapsto \sum_{s'_2 \in S_2} \tilde{\mu}((s'_1, s'_2))$ is in $St(\varphi_1)$ and there exists $\varphi_2 \in C(S_2)$ such that $L_2(s_2, a, \varphi_2) \neq \bot$ and the distribution $\mu_2 : s'_2 \mapsto \sum_{s'_1 \in S_1} \tilde{\mu}((s'_1, s'_2))$ is in $St(\varphi_2)$. By $R$, there exists $\mu \in Dist(S)$ such that $s \Rightarrow^{H}_{a} \mu$ and there exists $\tilde{\mu} \in St(\tilde{\varphi})$ such that $\mu \Subset_R \tilde{\mu}$. Let $\mu_1 : s'_1 \mapsto \sum_{s'_2 \in S_2} \tilde{\mu}((s'_1, s'_2))$ be the projection of $\tilde{\mu}$ on $S_1$. By construction of $\tilde{\varphi}$, we have $\mu_1 \in St(\varphi_1)$. Let $\delta$ be the correspondence function such that $\mu \Subset^{\delta}_R \tilde{\mu}$ and define $\delta_1$ such that, for all $s' \in S$ and $s'_1 \in S_1$, $\delta_1(s')(s'_1) = \sum_{s'_2 \in S_2} \delta(s')(s'_1, s'_2)$. By construction, $\delta_1$ is a correspondence function and we have $\mu \Subset^{\delta_1}_{R_1} \mu_1$.

2. Let $\mu \in Dist(S)$ and $a \in A$ be such that $s \Rightarrow^{H}_{a} \mu$. By $R$, there exist $\tilde{\varphi}_1, \ldots, \tilde{\varphi}_n \in C(S_1 \times S_2)$ such that for all $i$, $\tilde{L}((s_1, s_2), a, \tilde{\varphi}_i) \neq \bot$ and there exist $\rho_i \in [0, 1]$ and $\tilde{\mu}_i \in St(\tilde{\varphi}_i)$ such that $\sum_i \rho_i = 1$ and $\mu \Subset_R (\sum_i \rho_i \tilde{\mu}_i)$. By construction of $N_1 \wedge N_2$, there exist $\varphi^1_1, \ldots, \varphi^1_n \in C(S_1)$ such that for all $i$, $L_1(s_1, a, \varphi^1_i) \neq \bot$ and $\mu^1_i : s'_1 \mapsto \sum_{s'_2 \in S_2} \tilde{\mu}_i((s'_1, s'_2))$ is in $St(\varphi^1_i)$. As a consequence, as above, we have $\mu \Subset_{R_1} (\sum_i \rho_i \mu^1_i)$.

3. By construction, $V_P(s) \in \tilde{V}((s_1, s_2)) = V_1(s_1) \cap V_2(s_2)$, thus $V_P(s) \in V_1(s_1)$.

Finally, $R_1$ is a stuttering satisfaction relation. Moreover, we have $s_0\, R\, (s^1_0, s^2_0)$, thus $s_0\, R_1\, s^1_0$ and $P \models N_1$. Symmetrically, $P \models N_2$. Finally, we have $[\![N_1 \wedge N_2]\!] \subseteq [\![N_1]\!] \cap [\![N_2]\!]$.

Let $P = (S, A_P, L, AP, V, s_0)$ be a PA such that $P \models N_1$ and $P \models N_2$. We prove that $P \models N_1 \wedge N_2$. Let $H = A_P \setminus A$. Let $R_1$ and $R_2$ be the stuttering satisfaction relations associated to $P \models N_1$ and $P \models N_2$ respectively. Let $R \subseteq S \times (S_1 \times S_2)$ be the relation such that $s\, R\, (s_1, s_2)$ iff $s\, R_1\, s_1$ and $s\, R_2\, s_2$. We prove that $R$ is a stuttering satisfaction relation. Let $s \in S$ and $(s_1, s_2) \in S_1 \times S_2$ be such that $s\, R\, (s_1, s_2)$. By construction, we have $s\, R_1\, s_1$ and $s\, R_2\, s_2$.

1. Let $a \in A$ and $\tilde{\varphi} \in C(S_1 \times S_2)$ be such that $\tilde{L}((s_1, s_2), a, \tilde{\varphi}) = \top$. By construction of $N_1 \wedge N_2$, there are two cases.
(a) There exists $\varphi_1 \in C(S_1)$ such that $L_1(s_1, a, \varphi_1) = \top$ and $\tilde{\varphi}$ is such that $\tilde{\mu} \in St(\tilde{\varphi})$ iff the distribution $\mu_1 : s'_1 \mapsto \sum_{s'_2 \in S_2} \tilde{\mu}((s'_1, s'_2))$ is in $St(\varphi_1)$ and there exists $\varphi_2 \in C(S_2)$ such that $L_2(s_2, a, \varphi_2) \neq \bot$ and the distribution $\mu_2 : s'_2 \mapsto \sum_{s'_1 \in S_1} \tilde{\mu}((s'_1, s'_2))$ is in $St(\varphi_2)$.

(b) There exists $\varphi_2 \in C(S_2)$ such that $L_2(s_2, a, \varphi_2) = \top$ and $\tilde{\varphi}$ is such that $\tilde{\mu} \in St(\tilde{\varphi})$ iff the distribution $\mu_2 : s'_2 \mapsto \sum_{s'_1 \in S_1} \tilde{\mu}((s'_1, s'_2))$ is in $St(\varphi_2)$ and there exists $\varphi_1 \in C(S_1)$ such that $L_1(s_1, a, \varphi_1) \neq \bot$ and the distribution $\mu_1 : s'_1 \mapsto \sum_{s'_2 \in S_2} \tilde{\mu}((s'_1, s'_2))$ is in $St(\varphi_1)$.

Assume that case (a) holds (case (b) is symmetric). Then, by $R_1$, there exists a distribution $\mu \in Dist(S)$ such that $s \Rightarrow^{H}_{a} \mu$ and there exists $\mu_1 \in St(\varphi_1)$ such that $\mu \Subset_{R_1} \mu_1$. Moreover, by $R_2$, there exists $\varphi_2 \in C(S_2)$ such that $L_2(s_2, a, \varphi_2) \neq \bot$

and there exists $\mu_2 \in St(\varphi_2)$ such that $\mu \Subset_{R_2} \mu_2$. Let $\delta_1$ and $\delta_2$ be the associated correspondence functions, and let $\tilde{\mu}$ be the distribution such that for all $s'_1 \in S_1$ and $s'_2 \in S_2$, $\tilde{\mu}((s'_1, s'_2)) = \mu_1(s'_1)\, \mu_2(s'_2)$. By construction, we have $\tilde{\mu} \in St(\tilde{\varphi})$. Let $\delta : S \to ((S_1 \times S_2) \to [0, 1])$ be such that, for all $s' \in S$, $s'_1 \in S_1$ and $s'_2 \in S_2$, $\delta(s')((s'_1, s'_2)) = \delta_1(s')(s'_1)\, \delta_2(s')(s'_2)$. Again, by construction, we have that $\mu \Subset^{\delta}_R \tilde{\mu}$. Thus there exists $\mu \in Dist(S)$ such that $s \Rightarrow^{H}_{a} \mu$ and there exists $\tilde{\mu} \in St(\tilde{\varphi})$ such that $\mu \Subset_R \tilde{\mu}$.

2. Let $\mu \in Dist(S)$ and $a \in A$ be such that $s \Rightarrow^{H}_{a} \mu$. By $R_1$ and $R_2$, there exist constraints $\varphi^1_1, \ldots, \varphi^1_n \in C(S_1)$ and $\varphi^2_1, \ldots, \varphi^2_m \in C(S_2)$ such that for all $i, j$, $L_1(s_1, a, \varphi^1_i) \neq \bot$, $L_2(s_2, a, \varphi^2_j) \neq \bot$, and there exist distributions $\mu^1_i \in St(\varphi^1_i)$ and $\mu^2_j \in St(\varphi^2_j)$ and coefficients $\rho^1_i, \rho^2_j \in [0, 1]$ such that $\sum_i \rho^1_i = \sum_j \rho^2_j = 1$ and $\mu \Subset_{R_1} (\sum_i \rho^1_i \mu^1_i)$ and $\mu \Subset_{R_2} (\sum_j \rho^2_j \mu^2_j)$. Thus, by construction of $N_1 \wedge N_2$, there exist constraints $\tilde{\varphi}_{i,j} \in C(S_1 \times S_2)$ such that $\tilde{L}((s_1, s_2), a, \tilde{\varphi}_{i,j}) = {?}$ and $\tilde{\mu}_{i,j} \in St(\tilde{\varphi}_{i,j})$ iff the distribution $\mu^1_{i,j} : s'_1 \mapsto \sum_{s'_2 \in S_2} \tilde{\mu}_{i,j}((s'_1, s'_2))$ is in $St(\varphi^1_i)$ and the distribution $\mu^2_{i,j} : s'_2 \mapsto \sum_{s'_1 \in S_1} \tilde{\mu}_{i,j}((s'_1, s'_2))$ is in $St(\varphi^2_j)$. Let $\tilde{\mu}_{i,j}$ be the distributions such that $\tilde{\mu}_{i,j} : (s'_1, s'_2) \mapsto \mu^1_i(s'_1)\, \mu^2_j(s'_2)$. As above, we have that for all $i, j$, $\tilde{\mu}_{i,j} \in St(\tilde{\varphi}_{i,j})$. Moreover, $\sum_{i,j} \rho^1_i \rho^2_j = 1$ and $\mu \Subset_R \sum_{i,j} \rho^1_i \rho^2_j\, \tilde{\mu}_{i,j}$.

3. By construction, $V_P(s) \in V_1(s_1)$ and $V_P(s) \in V_2(s_2)$, thus $V_P(s) \in \tilde{V}((s_1, s_2)) = V_1(s_1) \cap V_2(s_2)$.

Thus, $R$ is a stuttering satisfaction relation. Moreover, we have $s_0\, R\, (s^1_0, s^2_0)$ by construction, thus $P \models N_1 \wedge N_2$. Finally, we have $[\![N_1]\!] \cap [\![N_2]\!] \subseteq [\![N_1 \wedge N_2]\!]$.

F Proof of Theorem 4

Let $N = (S, A, L, AP, V, s_0)$ be an APA and let $\psi \in F(A, AP)$ be a formula with $N \models \psi$. We prove that for all PAs $P$ such that $P \models N$, it holds that $P \models \psi$.

Proof. If $N$ is inconsistent, the theorem trivially holds. Let $N = (S, A, L, AP, V, s_0)$ be a consistent APA, and assume that $N$ is pruned, i.e. $N$ has no inconsistent states. Let $\psi \in F(A, AP)$ be such that $N \models \psi$.
Let $P = (S_P, A_P, L_P, AP, V_P, s^P_0)$ be such that $P \models N$. Let $H = A_P \setminus A$ be the set of hidden actions in $P$. Since $P \models N$, we know that $H$ is a consistent set of hidden actions for $P$. Let $R$ be the stutter satisfaction relation witnessing $P \models N$. We now prove that $P \models \psi$ by induction on the structure of $\psi$.

Base case. Assume that $\psi = V_{val} \in 2^{2^{AP}}$. Since $N \models \psi$, we have $s_0 \models V_{val}$. Thus, $V(s_0) \subseteq V_{val}$. Since $P \models N$, we have $V_P(s^P_0) \in V(s_0)$. As a consequence, $V_P(s^P_0) \in V_{val}$ and $s^P_0 \models V_{val}$. Therefore, $P \models \psi$.

Inductive step. There are three cases.

Assume that $\psi = \psi_1 \wedge \psi_2$. Since $N \models \psi$, we have that $s_0 \models \psi_1$ and $s_0 \models \psi_2$. By induction, we thus have that $s^P_0 \models \psi_1$ and $s^P_0 \models \psi_2$. As a consequence, we have $s^P_0 \models \psi_1 \wedge \psi_2$, and therefore $P \models \psi$.

Assume that $\psi = \langle a \rangle_{\bowtie p}\, \psi'$. Since $N \models \psi$, there must exist $\varphi \in C(S)$ such that $L(s_0, a, \varphi) = \top$, and for all $\mu \in St(\varphi)$, $\sum_{\{s' \mid s' \models \psi'\}} \mu(s') \bowtie p$.