Characterising Testing Preorders for Finite Probabilistic Processes

Characterising Testing Preorders for Finite Probabilistic Processes

Yuxin Deng

∗ Jiao Tong University

Shanghai, China

School of CSE, University of New South Wales Sydney, Australia

Rob van Glabbeek

National ICT Australia

Sydney, Australia

Matthew Hennessy

Department of Informatics

University of Sussex Falmer, Brighton, UK

Carroll Morgan

∗

Chenyi Zhang

National ICT Australia

School of Computer Science and Engineering The University of New South Wales

Sydney, Australia

Abstract

In 1992 Wang & Larsen extended the may- and must pre-orders of De Nicola and Hennessy to processes featuring probabilistic as well as nondeterministic choice. They con-cluded with two problems that have remained open through-out the years, namely to find complete axiomatisations and alternative characterisations for these preorders. This pa-per solves both problems for finite processes with silent moves. It characterises the may preorder in terms of simu-lation, and the must preorder in terms of failure simulation. It also gives a characterisation of both preorders using a modal logic. Finally it axiomatises both preorders over a probabilistic version of CSP.

1. Introduction

A satisfactory semantic theory for processes which encom-pass both nondeterministic and probabilistic behaviour has been a long-standing research problem [12, 35, 23, 17, 32, 33, 30, 18, 27, 31, 13, 21, 26, 1, 19, 24, 3, 34, 7]. In 1992 Wang & Larsen posed the problems of finding complete ax-iomatisations and alternative characterisations for a natural generalisation of the standard testing preorders [6] to such processes [35]. Here we solve both problems, at least for finite processes, by providing a detailed account of both may- and must testing preorders for a finite version of the process calculus CSP extended with probabilistic choice. For each preorder we provide three independent character-isations, using (i) co-inductive simulation relations, (ii) a modal logic and (iii) sets of inequations.

Testing processes: Our starting point is the finite process calculuspCSP[8] obtained by adding a probabilistic choice operator to finite CSP; like others who have done the same, we now havethreechoice operators, externalP 2Q,

inter-∗_{We acknowledge the support of the Australian Research Council}

(ARC) Grant DP034557.

nalPQand the newly added probabilistic choicePp⊕Q. So a semantic theory forpCSPwill have to provide a co-herent account of the precise relationships between these operators.

As a first step, in Sec. 2 we provide an interpretation of pCSP as a probabilistic labelled transition system, in which, following [32], transitions likes−→α s from stan-dard labelled transition systems are generalised to the form s −→α ∆, where∆ is adistribution, a mapping assigning probabilities to states. With this interpretation we obtain in Sec. 3 a version of the testing preorders of [6] for pCSP processes,pmay andpmust. These are based on the

abil-ity of processes to pass tests; the tests we use are simply pCSPprocesses in which certainstatesare marked as suc-cess states. See [8] for a detailed discussion of the power of such tests.

The object of this paper is to give useful characterisations of these testing preorders. This problem was addressed previously by Segala in [31], but using testing preorders

Ω

pmay andΩpmustthat differ in two ways from the ones in

[6, 14, 35, 8] and the present paper. First of all, in [31] the success of a test is achieved by theactual executionof a pre-definedsuccess action, rather than the reaching of a success state. We call this anaction-based, as opposed to astate -based, approach. Secondly, [31] employs a countable num-ber of success actions instead of a single one; we call this vector-based, as opposed toscalar, testing. Segala’s results in [31] depend crucially on this form of testing. To achieve our current results, we need Segala’s preorders as a stepping stone. We relate them to ours by considering intermediate preorderspmayandpmustthat arise from action-based but

scalar testing, and use a recent result [9] saying that for fi-nite processes the preordersΩ_pmayandΩ_pmustcoincide with

pmayandpmust. Here we show that onpCSPpmayand

pmustalso coincide withpmayandpmust.1

Simulation preorders: In Sec. 4 we use the transitions s−→α ∆to define two co-inductive preorders, the

tionpreorder_S [30, 24, 8], and the novelfailure simula-tionpreorder_FS overpCSPprocesses. The latter extends the failure simulation preorder of [10] to probabilistic pro-cesses. Their definition uses a natural generalisation of the transitions, first (Kleisli-style) to take the form∆−→α ∆, and then toweakversions∆ =α⇒ ∆. The latter preorder differs from the former in the use of a failure predicate s −→X , indicating that in the statesnone of the actions in X can be performed.

Both preorders are preserved by all the operators in pCSP, and aresoundwith respect to the testing preorders; that isP S QimpliesP pmay QandP FS Q

im-pliesP pmust Q. ForS this was established in [8], and

the proofs forFS are similar. Butcompleteness, that the testing preorders imply the respective simulation preorders, requires some ingenuity. We prove it indirectly, involving a characterisation of the testing and simulation preorders in terms of a modal logic.

Modal logic: Our modal logic, defined in Sec. 7, uses finite conjunction _i∈Iϕ_i, the modality aϕ from the Hennessy-Milner Logic, and a novel probabilistic construct

i∈Ipi·ϕi. A satisfaction relation between processes and formulae then gives, in a natural manner, alogical preorder between processes: P LQmeans that everyL-formula satisfied byP is also satisfied byQ. We establish thatL coincides with_S andpmay.

To capture failures, we add, for every set of actionsX, a formula ref(X) to our logic, satisfied by any process which, after it can do no further internal actions, can per-form none of the actions inXeither. The constructs,a andref()stem from the modal characterisation of the non-probabilistic failure simulation preorder, given in [10]. We show thatpmust, as well asFS, can be characterised in a

similar manner with this extended modal logic.

Proof strategy: We prove these characterisation results through two cycles of inclusions:

L _⊆

S

[8]

⊆ pmay ⊆ pmay

[9]

= Ωpmay ⊆ L

F _⊆

FS ⊆ pmust ⊆ pmust [9]

= Ωpmust ⊆ F

Sec. 7 Sec. 4 Sec. 3 Sec. 5 Sec. 6 Sec. 8

In Sec. 7 we show that P L Qimplies P _S Q(and henceP pmayQ), and likewise forFandFS; the proof

involves constructing, for eachpCSPprocessP, a charac-teristic formulaϕ_P. To obtain the other direction, in Sec. 8 we show how every modal formulaϕcan be captured, in some sense, by a testT_ϕ; essentially the ability of apCSP process to satisfyϕis determined by its ability to pass the testT_ϕ. We capture the conjunction of two formulae by a probabilistic choice between the corresponding tests; in or-der to prevent the results from these tests getting mixed up,

we employ the vector-based tests of [31], so that we can use different success actions in the separate probabilistic branches. Therefore, we complete our proof by demonstrat-ing that the state-based testdemonstrat-ing preorders imply the action-based ones (Sec. 5) and recalling the result from [9] that the action-based scalar testing preorders imply the vector-based ones (Sec. 6).

Equations: It is well-known that may- and must testing for standard CSP can be captured equationally [6, 2, 14]. In [8] we showed that most of the standard equations are no longer valid in the probabilistic setting ofpCSP; we also provided a set of axioms which are complete with respect to (probabilistic) may-testing for the sub-language ofpCSP without probabilistic choice. Here we extend this result, by showing, in Sec. 10, that bothP pmay QandP pmustQ

can still be captured equationally over full pCSP. In the may case the essential (in)equation required is

a.(Pp⊕Q) a.Pp⊕a.Q

The must case is more involved: in the absence of the dis-tributivity of the external and internal choices over each other, to obtain completeness we require a complicated in-equational schema.

2. Finite probabilistic CSP

LetActbe a finite set of actions, ranged over bya, b,· · ·, which processes can perform. Then the finite probabilistic CSP processes are given by the following two-sorted syn-tax:

P ::= S | Pp⊕P

S ::= 0 | a.P | P P | S2S | S|_AS

Here P p⊕ Q, for0 < p < 1, represents aprobabilistic

choicebetweenP andQ: with probabilitypit will act like P and with probability1−pit will act likeQ. Any process is a probabilistic combination of state-based processes (the sub-sort S above) built by repeated application of the op-eratorp⊕. The state-based processes have a CSP-like syn-tax, involving the stopped process0, action prefixinga. , internal-andexternal choicesand2, and aparallel com-position|_AforA⊆Act.

The processP Qwill first do a so-calledinternal ac-tionτ∈Act, choosingnondeterministicallybetweenPand Q. Therefore, likea. , acts as aguard, in the sense that it converts any process arguments into a state-based process.

rather than a probability distribution of states, we require its arguments to be state-based as well; the same applies to|_A. ExpressionsP 2 QandP |_A Qfor processesP andQ that arenotstate-based are therefore syntactic sugar for an expression in the above syntax obtained by distributing2 and|_Aoverp⊕.

Finally, the expressionP |_A Q, whereA ⊆Act, repre-sents processesPandQrunning in parallel. They may syn-chronise by performing the same action fromA simultane-ously; such a synchronisation results inτ. In additionPand Qmay independently do any action from(Act\A)∪ {τ}.

[image:3.612.317.552.71.231.2]

We writepCSPfor the set of process terms defined by this grammar, and sCSP for the subset comprising only the state-based process terms. The full language of CSP [2, 15, 29] has many more operators; we have simply cho-sen a reprecho-sentative selection, and have added probabilistic choice. Our parallel operator is not a CSP primitive, but it can easily be expressed in terms of them—in particular P |_A Q = (P_AQ)\A, where_A and\A are the paral-lel composition and hiding operators of [29]. It can also be expressed in terms of the parallel composition, renam-ing and restriction operators of CCS. We have chosen this (non-associative) operator for convenience in defining the application of tests to processes.

As usual we may elide0; the prefixing operatora. binds stronger than any binary operator; and precedence between binary operators is indicated via brackets or spacing. We will also sometimes use indexed binary operators, such as

i∈Ipi·Piwithi∈Ipi= 1and allpi>0, andi∈IPi. The above intuitions are formalised by an operational semanticsassociating with each process term a graph-like structure representing its possible reactions to users’ re-quests: we use a generalisation of labelled transition sys-tems [25] that includes probabilities.

A (discrete) probability distribution over a set S is a function ∆ : S → [0,1]with _s∈S∆(s) = 1; the sup-portof∆is given by∆ = {s∈S | ∆(s) > 0}. We writeD(S), ranged over by∆,Θ,Φ, for the set of all distri-butions overSwith finite support; these finite distributions are sufficient for the results of this paper. We also writes to denote the point distribution assigning probability 1 tos and 0 to all others, so thats={s}.

For∆a distribution overSand functionf:S→Xinto a vector spaceX(typically the reals2) we write_s∈S∆s·fs or Exp_∆(f) for _s∈S∆(s)·f(s), the weighted average of the f_s, or expected value of f. When p∈[0,1], we also write f₁ p⊕ f2 for p·f1 + (1−p)·f2. More gen-erally, for function F : S →

P

+(X) with

P

+(X) be-ing the collection of non-empty subsets of X, we define Exp_∆F := {Exp_∆(f) | f ∈ F}, wheref ∈ F means thatf is achoice functionwithf(s)∈F(s)for alls∈S.

2_{Other possibilities are tuples of reals, or distributions over some set.}

a.P −→a P

P Q−→τ P PQ

τ

−→ Q

s₁−→a ∆

s₁2s₂−→a ∆

s₂−→a ∆

s₁2s₂−→a ∆

s₁−→τ ∆

s₁2s₂−→τ ∆2s₂

s₂−→τ ∆

s₁2s₂−→τ s₁2∆

s₁−→α ∆ α∈A s₁|_As₂−→α ∆|As2

s₂−→α ∆ α∈A s₁|_As₂−→α s₁|_A∆

s₁−→a ∆1, s2−→a ∆2 a∈A s1|As2−→τ ∆1|A∆2

Figure 1. Operational semantics ofpCSP.

We now give the probabilistic generalisation (pLTSs) of labelled transition systems (LTSs):

Definition 1 Aprobabilistic labelled transition systemis a tripleS,Act_τ,→, where

(i) Sis a set of states

(ii) Act_τ is a set of actions Act, augmented byτ∈Act; we letarange overActandαoverAct_τ.

(iii) relation→is a subset ofS×Actτ× D(S).

As with LTSs, we usually writes−→α ∆for(s, α,∆)∈ →, s −→α for∃∆ : s−→α ∆ands→for∃α:s−→α . An LTS may be viewed as a degenerate pLTS, one in which only point distributions are used.

We now define the operational semantics ofpCSPby means of a particular pLTSsCSP,Act_τ,→, constructed by tak-ingsCSPto be the set of states and interpretingpCSP pro-cessesP as distributions P∈ D(sCSP)as follows:

s := s fors∈sCSP

Pp⊕Q := Pp⊕ Q.

Note that for eachP ∈pCSPthe distribution Pis finite, i.e. it has finite support. The definition of the relations−→α is given in Fig. 1. These rules are very similar to the standard ones used to interpret CSP as an LTS [29], but modified so that the result of an action is a distribution. We sometimes writeτ.P forP P, thus givingτ.P −→τ P.

3. Testing

pCSP

processes

processP we form the processT |_ActP in whichall visi-ble actions ofP must synchronise withT, and define a set of testing outcomesA(T, P)where each outcome, in[0,1], arises from a resolution of the nondeterministic choices in T |_Act P and gives the probability that this resolution will reach asuccess state, one in whichωis possible.

To this end, we inductively define a results-gathering functionV : S →

P

+([0,1]); it extends to typeD(S) →

P

+

([0,1])via the conventionV(∆) :=Exp_∆V.

V(s) :=

    

{1} ifs−→ω ,

{V(∆) | s−→τ ∆} ifs−→ω , s−→τ ,

{0} ifs→

Note that these choices are exhaustive becauseT |_Act Phas onlyτ, ω actions, and thatVis well defined when applied to finite, loop-free pLTSs, such as the one ofpCSP.

Definition 2 For anypCSPprocessPand testT, define

A(T, P) := V T|_ActP.

With this definition, the general testing framework of [6] yields two testing preorders forpCSP, one based onmay testing, writtenP pmay Q, and the other onmusttesting,

writtenP pmustQ.

Definition 3 Themay-andmustpreorders are given by

P pmayQ iff ∀testsT:A(T, P)≤HoA(T, Q)

PpmustQ iff ∀testsT:A(T, P)≤SmA(T, Q)

with≤_Ho,≤_Smthe Hoare, Smyth preorders on

P

+[0,1].3

4. Simulation and failure simulation

LetR ⊆S× D(S)be a relation from states to distributions. We lift it to a relationR ⊆ D(S)×D(S)by letting∆RΘ whenever there is an index setIandp∈ D(I)such that

(i) ∆ =_i∈Ip_i·s_i,

(ii) For eachi∈Ithere is a distributionΦis.t.siRΦi, (iii) Θ =_i∈Ip_i·Φi.

For notational convenience, the lifted versions of the transi-tion relatransi-tions−→α forα∈Act_τare again denoted−→α .

We writes −→ˆτ ∆if eithers −→τ ∆or∆ = s; again ∆1−→τˆ ∆2denotes the lifted relation. Thus e.g. we have

(ab)1

2⊕(ac)

ˆ τ

−→ a1

2⊕((ab)12⊕c) [8]. We now define the weak transition relation=τ⇒ˆ as the transitive and reflexive closure−→τˆ ∗of−→τˆ , while fora=τ

∆1 =⇒ˆa ∆2denotes∆1 =⇒τˆ −→a =τ⇒ˆ ∆2. We writes −→X withX ⊆ Actwhen ∀α∈ X ∪ {τ} : s −→α , and∆ −→X when∀s∈ ∆:s−→X .

3_{The Hoare order is defined byX≤}

HoY iff∀x∈X:∃y∈Y:x≤y, similarly the Smyth order byX≤_SmY iff∀y∈Y:∃x∈X:x≤y.

Definition 4 A relationR ⊆S× D(S)is said to be a fail-ure simulationif for alls,Θ, α,∆we have that

• sRΘ∧s−→α ∆implies∃Θ: Θ=αˆ⇒Θ∧∆RΘ • sRΘ∧s−→X ∆implies∃Θ: Θ=ˆτ⇒Θ∧Θ−→X . We writes FS Θto mean that there is some failure

simu-lationRsuch thatsRΘ. Similarly, we definesimulation andsSΘby dropping the second clause in Def. 4.

Definition 5 Thesimulation preorder_S andfailure sim-ulation preorder_FS onpCSPare defined as follows:

P _SQ iff Q

ˆ τ

=⇒Θfor someΘwith P

SΘ

P _FS Q iff P

ˆ τ

=⇒Θfor someΘwith Q

FSΘ.

(Note the opposing directions.) The kernels of_Sand_FS are called(failure) simulation equivalence, denotedSand FS, respectively.

We have already shown in [8] thatS is a precongruence and that it impliespmay. Similar results can be established

for_FS as well. We summarise these facts as follows:

Proposition 1 Suppose ∈ {_S,_FS}. Thenis a pre-order, and if P_i Q_i fori = 1,2thena.P₁ a.Q₁for a∈ActandP₁P₂ Q₁Q₂ for ∈ {,2,p⊕, |A}.

Proof: The case S was proved in [8, Cor. 6.10 and Thm. 6.13]; the caseFS is analogous. 2

Theorem 1

1. IfP _S QthenP pmayQ.

2. IfP _FS QthenP pmustQ.

Proof: The first clause was proved in [8, Thm. 6.17]; the

second can be shown similarly. 2

The next four sections are devoted to obtaining the con-verse.

5. State- versus action-based testing

Much work on testing [6, 35, 8] uses successstatesmarked by outgoingω-actions; in other work [31, 9], however, it is theactual executionofωthat constitutes success. The for-mer,state-based testing, leads to the preorders we defined in Sec. 3; the latter,action-basedtesting, leads to slightly different preorderspmay andpmust. Without probability

there is no difference between may and may; but

pos-sible divergence makesmust strictly more discriminating

thanmust, and in factmustcoincides with CSP refinement

based on failures and divergences [2, 15, 29]. The action-based approach is formalised as in the state-action-based approach, via a suitableV:

V(s) :=

{V(∆)|s−→τ ∆} ∪ {1|s−→ }ω ifs→

Proposition 2

1. IfP _pmayQthenP _pmayQ. 2. IfP pmustQthenPpmustQ.

Proof: For any testTconstructT by replacing each sub-termω.Qbyτ.ω; thenV T |_Act P =V T|Act Pfor all

pCSPprocessesP. 2

In fact we use the action-based preorders in Thm. 2 below, a (quasi-, thus) converse of Thm. 1; but with Prop. 2 above the two kinds of preorders become identified so that Thms. 1 and 2 are converse to each other.

Theorem 2

1. IfP pmayQthenP S Q.

2. IfP pmustQthenPFS Q.

We set this theorem as our goal in the next three sections.

6. Vector-based testing

This section describes another variation on testing, a richer testing framework due to Segala [31], in which countably many success actions exist: the application of a test to a process yields a set ofvectorsover the real numbers, rather than a set of scalars. The resulting action-based testing pre-orders will serve as a stepping stone in proving Thm. 2.

LetΩbe asetof fresh success actions withΩ∩Actτ =∅. An Ω-test is again a pCSP process, but this time allow-ing subterms ω.P for any ω∈Ω. Applying such a test to a process yields a non-empty set of test outcome-tuples

AΩ_{(T, P) ⊆ [0,1]}Ω_{. Eachtuplearises from a resolution} within T |Act P of nondeterministic choices into proba-bilistic choices, and itsω-component gives the probability that this resolution will perform the success actionω.

For vectors we again inductively define a results-gathering function VΩ : S →

P

+

[0,1]Ω; it extends to type D(S)→

P

+[0,1]Ω via VΩ(∆) := Exp∆VΩ just as VandV did. First, for anyαdefineα! : [0,1]Ω→[0,1]Ω so thatα!o(ω)becomes 1 ifω=αbut remainso(ω) other-wise; this function lifts to setsO ⊆ [0,1]Ωas usual, via α!O:={α!o|o∈O}. Now we define

VΩ

(s) :=

{α!(VΩ(∆)) | s−→α ∆} ifs→

{_{0} otherwise}

where0∈[0,1]Ωis given by0(ω) = 0for allω ∈Ω, and theconvex closureXof a setX is defined

X :={_i∈Ip_i·o_i | p∈ D(I)ando:I→X}.

We extend our earlier results-gathering definitions so that

V(s) := V(s) andV(s) := V(s). Note that in case

Ω := {ω}we haveVΩ = V, and the convex-closing

pre-orders based onV,Vcoincide with the simpler ones based

onV,V. Thus convex closure matters only for proper vec-tors, as explained in the remark following Def. 6.

In [9] the results-gathering function VΩ with Ω =

{ω₁, ω₂,· · · }was called simplyW(because action-based/ convex/vector-based testing was assumed there throughout, making the·Ω-indicators superfluous); and it was defined in terms of a formalisation of the notion of a resolution. The inductive definition above yields the same results.

Definition 6 For anypCSPprocessPandΩ-testT, let

AΩ

(T, P) := VΩ T|ActP.

Thevector-based may-andmustpreorders are given by

P Ω_pmayQ iff ∀Ω-testsT:AΩ(T, P)≤HoAΩ(T, Q)

P Ω_pmustQ iff ∀Ω-testsT:AΩ(T, P)≤SmAΩ(T, Q)

where≤Hoand≤Sm are the Hoare- and Smyth preorders on

P

+[0,1]Ωgenerated from≤index-wise on[0,1]Ωitself.

Remark: For proper vector-based testing, convex closure matters, as it allows internal choice to simulate probabilistic choice [13]. Consider the following two processes

P :=ab(a1

2⊕b) and Q:=ab.

It is obvious that P _S Q, and from Thm. 1 it therefore follows that P pmay Q. However if Ω = {ω1, ω2} and

we remove the convex closure in the definition ofVΩ, then with the testT :=a.w₁2b.w₂we would have

AΩ_{(T, P) ={(1,0),(0,1),(0.5,0.5)}}

AΩ_{(T, Q) ={(1,0),(0,1)}}

and so AΩ(T, P) ≤Ho AΩ(T, Q). However, their con-vex closuresAΩ(T, P)andAΩ(T, Q)arerelated under the

Hoare preorder. 2

The testing preorders of [31] are obtained by takingΩ to be a countably infinite set, whereas the preorderspmay

andpmustof Sec. 5 were obtained by takingΩto be the

singleton set{ω}. In [9] we established that for our finite pCSPprocesses the two coincide:

Theorem 3 [9].

1. P Ω_pmayQiffP _pmayQ

2. P Ω_pmustQiffP pmustQ. 2

Thus, with the if-direction of Thm. 3, for Thm. 2 it will suffice to show that P Ω_pmayQ implies P _S Q and P Ω_pmust Q impliesP _FS Q. The crucial characteris-tics ofAΩ needed for that implication are summarised in

Lemma 1 LetPbe apCSPprocess, andT, T_ibe tests.

1. o∈AΩ(ω, P)iffo=ω.

2. Suppose the actionωdoes not occur in the testT. Theno∈AΩ(ω2a.T, P)witho(ω) = 0iff there is a ∆∈ D(sCSP)with P

ˆ a

=⇒∆ando∈AΩ(T,∆).

3. 0∈AΩ(

a∈Xa.ω, P)iff∃∆ : P

ˆ τ

=⇒∆−→X .

4. o∈AΩ(_i∈Ip_i·T_i, P)iffo=_i∈Ip_io_ifor certain oi ∈AΩ(Ti, P).

5. o∈AΩ(_i∈IT_i, P)iff for alli∈Ithere arep_i∈[0,1] and∆i∈ D(sCSP)such that P

ˆ τ

=⇒_i∈Ip_i·∆iand o=_i∈Ip_io_ifor certaino_i∈AΩ(Ti,∆i).

Hereω∈ [0,1]Ωis given byω(ω) = 1andω(ω) = 0for

ω=ω. 2

In writing AΩ(T,∆) above we treat a distribution ∆ as

thepCSPexpression_s∈∆∆s·s; and as usual we define

AΩ

(T,∆) :=Exp∆AΩ(T, ).

7. Modal logic

Our next step towards Thm. 2 is to define a setF of modal formulae, inductively, as follows:

• aϕ∈ Fwhenϕ∈ Fanda∈Act, • ref(X)∈ FwhenX ⊆Act,

• _i∈Iϕ_i∈ Fwhenϕ_i∈ Ffor alli∈I, withIfinite • and_i∈Ip_i·ϕ_i∈ Fwhenp_i∈[0,1]andϕ_i∈ Ffor all

i∈I, withIa finite index set, and_i∈Ip_i= 1. We often writeϕ₁p⊕ϕ2for

i∈{1,2}pi·ϕi withp=p1, andϕ₁∧ϕ₂for_i∈{1,2}ϕ_iand finallyfor_i∈∅ϕ_i.

Thesatisfaction relation|=⊆ D(sCSP)× Fis given by: • ∆|=aϕiff there is a∆with∆=⇒ˆa ∆and∆ |=ϕ, • ∆ |= ref(X) iff there is a∆ with ∆ =τ⇒ˆ ∆ and

∆ −→X ,

• ∆|=_i∈Iϕ_iiff∆|=ϕ_ifor alli∈I

• and∆|=_i∈Ip_i·ϕ_i iff there are∆i∈ D(sCSP), for alli∈I, with∆i|=ϕi, such that∆=τ⇒ˆ i∈Ipi·∆i. LetLbe the subclass ofFobtained by skipping theref(X) clause. We writeP L Qjust when P |= ϕ implies

Q |=ϕfor allϕ∈ L, andP

F_{Qjust when P}

|= ϕ is implied by Q |=ϕfor allϕ∈ F. (Note the opposing directions.)

Definition 7 Thecharacteristic formulaϕ_sorϕ_∆of a pro-cesss∈sCSPor∆∈ D(sCSP)is defined inductively:

• ϕ_s:=_{s a−→∆}aϕ_∆∧ref({a|s−→}a )ifs−→τ , • ϕ_s:=_{s a−→∆}aϕ_∆∧_{s τ−→∆}ϕ_∆otherwise, • ϕ_∆:=_s∈∆∆(s)·ϕ_s.

Here the conjunctions _{s a−→∆} range over suitable pairs a,∆, and_{s τ−→∆}ranges over suitable∆.

Writeϕψwithϕ, ψ∈ F if for each distribution∆one has ∆ |= ϕimplies∆ |= ψ. Then it is easy to see that ϕ_sϕ_sand_i∈Iϕ_iϕ_ifor anyi∈I.

The following property can be established by an easy in-ductive proof.

Lemma 2 For any∆∈ D(sCSP)we have∆|=ϕ_∆. 2

It and the following lemma help to prove Thm. 4.

Lemma 3 For any processesP, Q ∈ pCSPwe have that P|=ϕ

Q

impliesP_FS Q.

Proof: DefineRbysRΘiffΘ|=ϕ_s. We first show that

Θ|=ϕ_∆ implies ∃Θ : Θ=⇒τˆ Θ∧∆RΘ. (1)

SupposeΘ|=ϕ_∆withϕ_∆=_i∈Ip_i·ϕ_si, so that we have ∆ = _i∈Ip_i·s_i and for alli∈I there areΘi∈ D(sCSP) withΘi|=ϕsisuch thatΘ=⇒τˆ ΘwithΘ :=

i∈Ipi·Θi. Sinces_iRΘifor alli∈Iwe have∆RΘ.

Now we show thatRis a failure simulation.

• Supposes R Θands −→τ ∆. Thenϕ_s ϕ_∆, so Θ|=ϕ_∆. Now apply (1).

• SupposesRΘands−→a ∆witha∈A. Thenϕ_s

aϕ_∆, soΘ|=aϕ_∆. Hence∃ΘwithΘ=a⇒ˆ Θand Θ|=ϕ_∆. Now apply (1).

• Supposes RΘands−→X withX ⊆A. Thenϕ_s ref(X), soΘ|=ref(X). Hence∃Θ withΘ=τ⇒ˆ Θ andΘ −→X .

Thus we haveΘ |= ϕ_simplies s _FS Θ. Using (1) with P|=ϕ

Qgives

P_FS Qvia Def. 5. 2

Theorem 4

1. IfP LQthenP _SQ.

2. IfP FQthenP _FS Q.

Proof: SupposeP FQ. By Lem. 2 we have Q|=ϕ

Q and hence P|=ϕ

Q. Lem. 3 givesP FS Q.

For theLcase, omitref(X)from the definition of a characteristic formula and begin with P |=ϕ

P. The counterpart of Lem. 3 now says that Q |= ϕ

P implies

8. Characteristic tests

Our final step towards Thm. 2 is taken in this section, where we show that every modal formulaϕcan be characterised by a vector-based testTϕsuch that anypCSPprocess satis-fiesϕjust when it passes the testTϕ.

Lemma 4 For everyϕ∈ Fthere exists a pair(T_ϕ, v_ϕ)with T_ϕanΩ-test andv_ϕ∈[0,1]Ω, such that

∆|=ϕ ⇔ ∃o∈AΩ(T_ϕ,∆) : o≤v_ϕ (2)

for all∆∈ D(sCSP), and in caseϕ∈ Lwe also have

∆|=ϕ ⇔ ∃o∈AΩ(T_ϕ,∆) : o≥v_ϕ. (3)

Tϕis called acharacteristic testofϕandvϕitstarget value.

Proof: First of all note that if a pair(T_ϕ, v_ϕ)satisfies the requirements above, then any pair obtained from(T_ϕ, v_ϕ) by bijectively renaming the elements of Ω also satisfies these requirements. Hence a characteristic test can always be chosen in such a way that there is a success actionω∈Ω that does not occur in (the finite)T_ϕ. Moreover, any count-able collection of characteristic tests can be assumed to be Ω-disjoint, meaning that noω∈Ωoccurs in two different elements of the collection.

The required characteristic tests and target values are ob-tained as follows.

• Letϕ=. TakeT_ϕ:=ωfor someω∈Ω, andv_ϕ:=ω. • Letϕ=aψ. By induction,ψhas a characteristic test T_ψwith target valuev_ψ. TakeT_ϕ :=ω2a.T_ψwhere ω∈Ωdoes not occur inT_ψ, andv_ϕ:=v_ψ.

• Let ϕ = ref(X) with X ⊆ Act. Take Tϕ :=

a∈Xa.ωfor someω∈Ω, andvϕ=0.

• Letϕ =_i∈Iϕ_iwithIa finite and non-empty index set. Choose aΩ-disjoint family(T_i, v_i)i∈I of charac-teristic testsT_i with target valuesv_i for eachϕ_i. Fur-thermore, letp_i∈(0,1]fori∈I be chosen arbitrarily such that_i∈Ip_i = 1. Take T_ϕ := _i∈Ip_i·T_i and v_ϕ:=_i∈Ip_iv_i.

• Let ϕ = _i∈Ip_i·ϕ_i. Choose a Ω-disjoint family (T_i, v_i)i∈I of characteristic testsTi with target values vi for eachϕi, such that there are distinct success ac-tionsωifori∈Ithat do not occur in any of those tests. LetT_i:=T_i1

2⊕ωiandv

i:= 12vi+12ωi. Note that for alli∈IalsoT_iis a characteristic test ofϕ_iwith target valuev_i. TakeT_ϕ:=_i∈IT_iandv_ϕ:=_i∈Ip_iv_i. Note thatv_ϕ(ω) = 0wheneverω∈Ωdoes not occur inT_ϕ. By induction onϕwe now check (2) above.

• Letϕ=. For all∆∈ D(sCSP)we have∆|=ϕas well as∃o∈AΩ(Tϕ,∆) : o≤vϕ, using Lem. 1(1).

• Letϕ = aψ witha∈Act. Suppose∆ |=ϕ. Then there is a ∆ with∆ =a⇒ˆ ∆ and∆ |= ψ. By in-duction,∃o∈AΩ(Tψ,∆) : o ≤ vψ. By Lem. 1(2),

o∈AΩ(Tϕ,∆).

Now suppose∃o∈AΩ(Tϕ,∆) : o≤vϕ. This implies

o(ω) = 0, so by Lem. 1(2) there is a∆with∆=⇒ˆa ∆ ando∈AΩ(T_ψ,∆). By induction,∆|=ψ, so∆|=ϕ. • Letϕ = ref(X)withX ⊆ Act. Suppose∆ |= ϕ. Then there is a ∆ with∆ =⇒τˆ ∆ and∆−→X . By Lem. 1(3),0∈AΩ(Tϕ,∆).

Now suppose∃o∈AΩ(Tϕ,∆) : o≤vϕ. This implies

o =0, so by Lem. 1(3) there is a∆ with∆ =⇒ˆτ ∆ and∆−→X . Hence∆|=ϕ.

• Letϕ=_i∈Iϕ_iwithIa finite and non-empty index set. Suppose∆ |=ϕ. Then∆ |=ϕ_ifor alli∈I, and hence, by induction,∃oi∈AΩ(Ti,∆) : oi≤vi. Thus

o:=_i∈Ip_io_i∈AΩ(T_ϕ,∆)by Lem. 1(4), ando≤v_ϕ. Now suppose∃o∈AΩ(Tϕ,∆) : o≤vϕ. Then, using

Lem. 1(4),o=_i∈Ip_io_i for certaino_i∈AΩ(T_i,∆). One has o_i≤v_i for all i∈I, for if o_i(ω) > v_i(ω) for some i∈I and ω∈Ω, then ω must occur in T_i and hence cannot occur inT_j forj=i. This implies v_j(ω) = 0for allj=iand thuso(ω)> v_ϕ(ω), in con-tradiction with the assumption. By induction,∆|=ϕ_i for alli∈I, and hence∆|=ϕ.

• Let ϕ = _i∈Ip_i·ϕ_i. Suppose ∆ |= ϕ. Then for all i∈I there are ∆i∈ D(sCSP)with ∆i |= ϕi such that ∆ =τ⇒ˆ _i∈Ip_i·∆i. By induction, there are o_i∈AΩ(∆i, Ti) with oi ≤ vi. By Lem. 1(5), o:=_i∈Ip_io_i∈AΩ(Tϕ,∆), ando≤vϕ.

Now suppose ∃o∈AΩ(T_ϕ,∆) : o ≤ v_ϕ. Then, by Lem. 1(5), there areq∈ D(I)and∆i, fori∈I, such that∆ =⇒τˆ _i∈Iq_i·∆i ando = i∈Iqioi for some o_i∈AΩ(∆i, Ti). Now∀i : oi(ωi) = vi(ωi) = 1₂, so

1

2qi =qioi(ωi) =o(ωi)≤vϕ(ωi) =pivi(ωi) = 1₂pi. As_i∈Iq_i=_i∈Ip_i= 1, it must be thatq_i=p_ifor all i∈I. Exactly as in the previous case one obtains o_i ≤v_ialli∈I. By induction,∆i |=ϕifor alli∈I, and hence∆|=ϕ.

In caseϕ∈ L, a straightforward induction yields that|v_ϕ|= 1 and for all ∆∈ D(pCSP) and o∈AΩ(T_ϕ,∆) we have |o|= 1. Here|o|denotes_ω∈Ωo(ω). Therefore,o≤viff

o≥viffo=v, yielding (3). 2

Theorem 5

1. IfP Ω_pmay Qthen P

L _Q

. 2. IfP Ω_pmustQthen P

F _Q

.

(P1) Pp⊕P = P (P2) Pp⊕Q = Q1−p⊕P (P3) (Pp⊕Q)q⊕R = Pp·q⊕(Q(1−p)·q

1−p·q ⊕R) (I1) PP = P

(I2) P Q = QP

(I3) (P Q)R = P (QR) (E1) P 20 = P

(E2) P 2Q = Q2P

(E3) (P 2Q)2R = P 2(Q2R) (EI) a.P 2a.Q = a.P a.Q

(D1) P 2(Qp⊕R) = (P 2Q)p⊕(P 2R) (D2) a.P 2(QR) = (a.P 2Q)(a.P 2R) (D3) P 2Q = (P₁2Q)(P₂2Q)

(P 2Q₁)(P 2Q₂),

[image:8.612.312.552.71.237.2]

provided P =P₁P₂, Q=Q₁Q₂

Figure 2. Common equations

Then Lem. 4 yields∃o∈AΩ(Tϕ, Q). o≤vϕ, and hence, given thatP Ω_pmustQandAΩ(Tϕ, R) =A

Ω

(Tϕ, R)for

anyR ∈ pCSP, we have∃o ∈ AΩ(T_ϕ, P) : o

_≤vϕ. Thus P|=ϕ.

The may-case goes likewise. 2

Combining Thms. 3-5 we obtain Thm. 2, the goal we set ourselves in Sec. 5. Thus, with Thm. 1 and Prop. 2, we have shown that the may preorder coincides with simulation and that the must preorder coincides with failure simulation. 2

9. Equational theories

In order to focus on the essentials we now consider just those processes that do not use the parallel operator|_A; we call the resulting sub-languagenCSP. For a discussion of the axiomatisation for terms involving|Aand the other par-allel operators commonly used inCSPsee Sec. 11.

Let us writeP =E Qto denote thatP =Qcan be de-rived using the equations given in Fig. 2. Given the way we defined the syntax ofpCSP, axiom(D1)is merely a case of abbreviation-expansion. Many of the standard equations forCSP[15] are missing; they are not sound for_FS, as shown in Sec. 4 of [8]. Typical examples include:

a.(P Q) =a.P a.Q P =P 2P

P2(QR) = (P 2Q)(P2R)

P(Q2R) = (P Q)2(PR)

Proposition 3 SupposeP =E Q. ThenP _FS Q.

Proof: Because of Prop. 1 it is sufficient to exhibit witness failure-simulations for axioms in Fig. 2. 2

May:

(May0) a.P2b.Q =a.P b.Q

(May1) P P Q

(May2) 0 P

(May3) a.(Pp⊕Q) a.Pp⊕a.Q

Must:

(Must1) P Q Q

(Must2) R_i∈IP_{i i∈I}a_i.Q_i,

provided P_i=

j∈Jipj(ai.Qij 2Pij)

[image:8.612.60.291.72.254.2]

Q_i=_j∈Jip_jQ_ij inits(R)⊆ {a_i}_i∈I

Figure 3. Inequations

Note that this result also meansP =EQimpliesP SQ. Despite the weakness of this equational theory, it does allow us to reduce terms to a form in which the external choice operator is applied to prefix terms only.

Definition 8 [Normal forms] The set ofnormal formsN is given by the following grammar:

N ::=N₁p⊕N2 | N1N2 |

i∈I a_i.N_i

Proposition 4 For everyP ∈nCSPthere is a normal form N such thatP =E N.

Proof: A fairly straightforward induction, heavily relying

on(D1)–(D3). 2

10. Inequational theories

In order to characterise the simulation preorders, and the associated testing preorders, we introduceinequations. We writeP _Emay QwhenP Qis derivable from the

inequa-tional theory obtained by adding the fourmayinequations in Fig. 3 to the equations in Fig. 2. The first three additions, (May0)–(May2), are used in the standard testing theory ofCSP [15, 6, 14]. For themust case, in addition to the standard inequation(Must1), we require an inequational schema,(Must2); this uses the notationinits(P)to denote the (finite) set of initial visible actions ofP. Formally,

inits(0) = ∅

inits(a.P) = {a}

inits(Pp⊕Q) = inits(P)∪inits(Q)

inits(P 2Q) = inits(P)∪inits(Q)

The side conditions of(Must2)entail that P_i

ai

−→ Q_i

and that there exists some∆such thatR =ˆτ⇒∆ −→X with X = Act\{a_i}_i∈I. Note that(Must2)can be used, to-gether with (I1), to derive the dual of (May3), that is a.Pp⊕ a.Q a.(Pp⊕Q). We writeP Emust Qwhen

P Qis derivable from the resulting inequational theory. An important inequation that follows from(May1)and (P1)is

Pp⊕Q Emay P Q

saying that any probabilistic choice can be simulated by an internal choice. Likewise, we have

P Q _Emust Pp⊕Q .

Theorem 6 ForP, QinnCSP, it holds that (i) P _S Qif and only ifP_EmayQ

(ii) P _FS Qif and only ifP_Emust Q

Proof: Omitted due to lack of space. 2

11. Conclusions and related work

In this paper we continued our previous work [8, 9] in our quest for a testing theory for processes which exhibit both nondeterministic and probabilistic behaviour. We have studied three different aspects of may- and must testing pre-orders for finite processes: (i) we have shown that the may preorder can be characterised as a co-inductive simulation relation, and the must preorder as a failure simulation rela-tion; (ii) we have given a characterisation of both preorders in a finitary modal logic; and (iii) we have also provided complete axiomatisations for both preorders over a proba-bilistic version of recursion-free CSP. Although we omit-ted our parallel operator|_Afrom the axiomatisations, it and similar CSP and CCS-like parallel operators can be handled using standard techniques, in the must case at the expense of introducing auxiliary operators. In future work we hope to extend these results to recursive processes.

We believe these results, in each of the three areas, to be novel, although a number of partial results along similar lines exist in the literature. These are detailed below.

Related work: Early additions of probability to CSP in-clude work by Lowe [23], Seidel [33] and Morgan et al. [27]; but all of them were forced to make compromises of some kind in order to address the potentially complicated interactions between the three forms of choice. The last [27] for example applied the Jones/Plotkin probabilistic power-domain [16] directly to the failures model of CSP [2], the resulting compromise being that probability distributed out-wards through all other operators; one controversial result of that was that internal choice was no longer idempotent, and that it was “clairvoyant” in the sense that it could adapt

to probabilistic-choice outcomes that had not yet occurred. Mislove addressed this problem in [26] by presenting a de-notational model in which internal choice distributed out-wards through probabilistic choice. However, the distribu-tivities of both [27] and [26] constitute identifications that cannot be justified by our testing approach; see [8].

In Jou and Smolka [20], as in [23, 33], probabilistic equivalences based on traces, failures and readies are de-fined. These equivalences are coarser thanpmay. For let

P :=a.((b.d2c.e)1

2⊕(b.f2c.g))

Q:=a.((b.d2c.g)1

2⊕(b.f 2c.e)).

These two processes cannot be distinguished by the equiv-alences of [20, 23, 33]. However, we can tell them apart by the test

T :=a.((b.d.ω1

2⊕c.e.ω)(b.f.ω12⊕c.g.ω))

since A(T, P) = {0,1₂,1} andA(T, Q) = {1₂}, that is, P pmayQ.

Probabilistic extensions of testing equivalences [6] have been widely studied. There are two different proposals on how to include probabilistic choice: (i) a test should be non-probabilistic, i.e., there is no occurrence of probabilistic choice in a test [22, 4, 17, 21, 11]; or (ii) a test can be prob-abilistic, i.e., probabilistic choice may occur in tests as well as processes [5, 35, 28, 18, 31, 19, 3]. This paper adopts the second approach.

Some work [22, 4, 5, 28] does not consider nondetermin-ism but deals exclusively withfully probabilisticprocesses. In this setting a process passes a test with a unique proba-bility instead of a set of probabilities, and testing preorders in the style of [6] have been characterised in terms of prob-abilistic traces[5] andprobabilistic acceptance trees[28]. Cazorla et al. [3] extended the results of [28] with nondeter-minism, but suffered from the same problems as [27].

The work most closely related to ours is [18, 19]. In [18] Jonsson and Wang characterised may- and must-testing preorders in terms of “chains” of traces and failures, respec-tively, and in [19] they presented a “substantially improved” characterisation of their may-testing preorder using a notion of simulation which is weaker thanS (cf. Def. 5). They only considered processes withoutτ-moves. In [8] we have shown that tests with internal moves can distinguish more processes than tests without internal moves, even when ap-plied to processes that have no internal moves themselves.

References

[1] E. Bandini & R. Segala (2001): Axiomatizations for prob-abilistic bisimulation. In Proc. ICALP’01, LNCS 2076, Springer, pp. 370–381.

[2] S.D. Brookes, C.A.R. Hoare & A.W. Roscoe (1984): A the-ory of communicating sequential processes. Journal of the ACM 31(3), pp. 560–599.

[3] D. Cazorla, F. Cuartero, V.V. Ruiz, F.L. Pelayo & J.J. Pardo (2003):Algebraic theory of probabilistic and nondeterminis-tic processes. Journal of Logic and Algebraic Programming 55, pp. 57–103.

[4] I. Christoff (1990): Testing equivalences and fully abstract models for probabilistic processes. In Proc.CONCUR’90, LNCS 458, Springer, pp. 126–140.

[5] R. Cleaveland, Z. Dayar, S.A. Smolka & S. Yuen (1999): Testing preorders for probabilistic processes. Information and Computation 154(2), pp. 93–148.

[6] R. De Nicola & M. Hennessy (1984): Testing equivalences for processes.Theoretical Computer Science 34, pp. 83–133.

[7] Y. Deng & C. Palamidessi (2007):Axiomatizations for prob-abilistic finite-state behaviors. Theoretical Computer Sci-ence 373(1-2), pp. 92–114.

[8] Y. Deng, R.J. van Glabbeek, M. Hennessy, C.C. Morgan & C. Zhang (2007): Remarks on testing probabilistic pro-cesses.ENTCS 172, pp. 359–397.

[9] Y. Deng, R.J. van Glabbeek, C.C. Morgan & C. Zhang (2007): Scalar outcomes suffice for finitary probabilistic testing. In Proc.ESOP’07, LNCS 4421, Springer, pp. 363– 368.

[10] R.J. van Glabbeek (1993): The linear time – branching time spectrum II; the semantics of sequential systems with silent moves.In Proc.CONCUR’93, LNCS 715, Springer, pp. 66– 81.

[11] C. Gregorio-Rodr´ıguez & M. N´u˜nez (1999): Denotational semantics for probabilistic refusal testing. ENTCS 22, pp. 111–137.

[12] H. Hansson & B. Jonsson (1990): A calculus for com-municating systems with time and probabilities. In Proc. RTSS’90, IEEE Computer Society Press, pp. 278–287.

[13] He Jifeng, K. Seidel & A.K. McIver (1997): Probabilis-tic models for the guarded command language. Science of Computer Programming 28, pp. 171–192.

[14] M. Hennessy (1988): An Algebraic Theory of Processes. MIT Press.

[15] C.A.R. Hoare (1985):Communicating Sequential Processes. Prentice-Hall.

[16] C. Jones & G.D. Plotkin (1989): A probabilistic powerdo-main of evaluations. In Proc.LICS’89, Computer Society Press, pp. 186–195.

[17] B. Jonsson, C. Ho-Stuart & Wang Yi (1994): Testing and refinement for nondeterministic and probabilistic processes. In Proc.FTRTFT’94, LNCS 863, Springer, pp. 418–430.

[18] B. Jonsson & Wang Yi (1995): Compositional testing pre-orders for probabilistic processes. In Proc.LICS’95, IEEE Computer Society Press, pp. 431–441.

[19] B. Jonsson & Wang Yi (2002): Testing preorders for proba-bilistic processes can be characterized by simulations. The-oretical Computer Science 282(1), pp. 33–51.

[20] C.-C. Jou & S.A. Smolka (1990): Equivalences, congru-ences, and complete axiomatizations for probabilistic pro-cesses. In Proc.CONCUR ’90, LNCS 458, Springer, pp. 367–383.

[21] M.Z. Kwiatkowska & G. Norman (1998): A testing equiva-lence for reactive probabilistic processes.ENTCS 16(2), pp. 114–132.

[22] K.G. Larsen & A. Skou (1991): Bisimulation through prob-abilistic testing.Information and Computation 94(1), pp. 1– 28.

[23] G. Lowe (1993): Representing nondeterminism and prob-abilistic behaviour in reactive processes. Technical Report TR-11-93, Computing laboratory, Oxford University.

[24] N. Lynch, R. Segala & F.W. Vaandrager (2003): Composi-tionality for probabilistic automata. In Proc.CONCUR’03, LNCS 2761, Springer, pp. 204–222.

[25] R. Milner (1989): Communication and Concurrency. Prentice-Hall.

[26] M.W. Mislove (2000): Nondeterminism and probabilistic choice: Obeying the laws. In Proc.CONCUR’00, LNCS 1877, Springer, pp. 350–364.

[27] C.C. Morgan, A.K. McIver, K. Seidel & J.W. Sanders (1996): Refinement oriented probability for CSP. Formal Aspects of Computing 8, pp. 617–647.

[28] M. N´u˜nez (2003): Algebraic theory of probabilistic pro-cesses.Journal of Logic and Algebraic Programming 56, pp. 117–177.

[29] E.-R. Olderog & C.A.R. Hoare (1986): Specification-oriented semantics for communicating processes. Acta In-formatica 23, pp. 9–66.

[30] R. Segala (1995): Modeling and Verification of Randomized Distributed Real-Time Systems. PhD thesis, MIT.

[31] R. Segala (1996): Testing probabilistic automata. In Proc. CONCUR’96, LNCS 1119, Springer, pp. 299–314.

[32] R. Segala & N.A. Lynch (1994): Probabilistic simulations for probabilistic processes. In Proc.CONCUR’94, LNCS 836, Springer, pp. 481–496.

[33] K. Seidel (1995): Probabilistic communicating processes. Theoretical Computer Science 152(2), pp. 219–249.

[34] R. Tix, K. Keimel & G.D. Plotkin (2005): Semantic domains for combining probability and non-determinism. ENTCS 129, pp. 1–104.