Equivalences and Preorders between Structures - PowerPoint PPT Presentation

Provided by: Technology9
1
Equivalences and Preorders between Structures
2
  • Problem: given a logic L and a structure $M$, find a
    smaller structure $M'$ that satisfies the same set
    of formulas of the logic L
  • Need a notion of equivalence that
      • guarantees that two structures satisfy the same
        set of formulas
      • can be efficiently computed
  • For CTL we use the notion of bisimulation
    equivalence

3
  • Convenient to consider the set of initial states
    and a set of atomic propositions (and, if fairness
    is to be considered, the set of fairness
    constraints)
  • $M = (AP, S, R, S_0, L)$ (or $M = (AP, S, R, S_0, L, F)$)
  • (Sometimes it is necessary to transform a structure
    that does not have fairness constraints to one
    which does; if so, let $F = \{S\}$)

4
  • Let $M = (AP, S, R, S_0, L)$ and $M' = (AP, S', R', S'_0, L')$.
    A relation $B \subseteq S \times S'$ is a
    bisimulation relation between $M$ and $M'$ iff for
    all $s$ and $s'$, if $B(s,s')$ then
      • $L(s) = L'(s')$
      • For every $s_1$ such that $R(s,s_1)$ there is $s'_1$ such
        that $R'(s', s'_1)$ and $B(s_1,s'_1)$
      • For every $s'_1$ such that $R'(s',s'_1)$ there is $s_1$
        such that $R(s, s_1)$ and $B(s_1,s'_1)$
  • Two structures $M$ and $M'$ are bisimulation
    equivalent (denoted $M \equiv M'$) if there exists a
    bisimulation relation $B$ such that for every
    $s_0 \in S_0$ there is $s'_0 \in S'_0$ such that $B(s_0,s'_0)$, and for
    every $s'_0 \in S'_0$ there is $s_0 \in S_0$ such that
    $B(s_0,s'_0)$
  • Remark: B is symmetric; $\equiv$ is an equivalence
    relation on the set of structures with the same
    set of atomic propositions.

5
  • Unwinding a structure results in a bisimulation
    equivalent structure: check that the 3 conditions hold,
    assuming either is the initial state.

6
  • Show these are bisimulation equivalent (Good
    exercise for student!)

7
  • These are not bisimulation equivalent structures.
    It is not true that the state labeled with b on the LHS is in
    relation B with the state labeled with b on the RHS
    (because the state on the LHS has 1 successor, labeled with
    d, whereas the state labeled with b on the RHS has a state
    labeled with d and a state labeled with c)

8
  • Lemma 1: Let $s$ and $s'$ be such that $B(s,s')$. Then for
    every path starting from $s$ there is a
    corresponding path starting from $s'$, and
    conversely.
  • Proof: Let $B(s,s')$ and $\pi = s_0 s_1 \ldots$, where $s = s_0$.
    Construct $\pi' = s'_0 s'_1 \ldots$ from $s' = s'_0$ as follows,
    by induction. Clearly $B(s_0,s'_0)$. Assume
    $B(s_i, s'_i)$; we use this to find $s'_{i+1}$. Because
    $R(s_i,s_{i+1})$ there must be a successor $t'$ of $s'_i$ (i.e. a $t'$
    such that $R'(s'_i,t')$) such that $B(s_{i+1},t')$. Let
    $s'_{i+1} = t'$.
  • The converse construction of $\pi$ from $\pi'$ is
    analogous.
  • Remark: Path $\pi = s_0 s_1 \ldots$ corresponds to path
    $\pi' = s'_0 s'_1 \ldots$ iff for every $i$, $B(s_i,s'_i)$

9
  • The next Lemma shows us why bisimilarity is
    important: if two states are bisimilar, they
    satisfy the same set of CTL formulas; if two
    paths correspond, they satisfy the same set of
    path formulas.
  • The proof is by induction on the structure of the
    formulas
      • the induction hypothesis is that the if and only
        if relation between satisfaction by states (or
        paths) holds on certain CTL formulas
      • we must show that the if and only if relation
        between satisfaction by states (or paths) holds
        on more complex CTL formulas.
  • We have to consider separately as cases all the
    ways to construct complex CTL formulas from
    simpler ones.

10
  • Lemma 2: Let $f$ be a state or path formula. Assume
    $s$ and $s'$ are bisimilar states of structures $M$ and
    $M'$, and $\pi$ and $\pi'$ are corresponding paths. Then
      • If $f$ is a state formula then $s \models f$ iff $s' \models f$
      • If $f$ is a path formula then $\pi \models f$ iff $\pi' \models f$
  • Proof: By induction on the structure of $f$
    (recalling the definition of $\models$).
  • Base case: $f = p$ for $p \in AP$. Because $B(s,s')$ we
    know $L(s) = L'(s')$. Thus $s \models p$ iff $s' \models p$
  • Induction: Consider the following cases
  • 1. $f = \neg g$, a state formula: then $s \models f$ iff $s \not\models g$
    iff $s' \not\models g$ (by induction hypothesis) iff
    $s' \models f$.
  • Similar reasoning works if $f$ is a path formula
  • 2. The cases for $f = g \lor h$ and $f = g \land h$, for $f$ a
    state formula or $f$ a path formula, are similarly
    easy

11
  • Suppose $f = E\,g$, a state formula, and $s \models f$. Then
    there is a path $\pi$ of $M$ starting from $s$ such that
    $\pi \models g$. By Lemma 1 there is a corresponding
    path $\pi'$ of $M'$ starting from $s'$, and by the
    induction hypothesis $\pi' \models g$. Hence
    $s' \models E\,g$. In a similar manner we can show
    that if $s' \models f$ then $s \models f$
  • The case $f = A\,g$ is similar to the above
  • Suppose $f = g$ where $g$ is a state formula, and
    $\pi \models f$, where $s_0$ is the first state of $\pi$. But
    $\pi \models f$ iff $s_0 \models f$ iff (by induction hypothesis)
    $s'_0 \models f$ iff $\pi' \models f$
  • Suppose $f = X\,g$, a path formula, and $\pi \models X\,g$. Then
    $\pi^1 \models g$; since $\pi$ and $\pi'$ correspond, so do $\pi^1$ and
    $\pi'^1$, so $\pi'^1 \models g$, so $\pi' \models X\,g$. In a similar manner
    we can show that if $\pi' \models X\,g$ then $\pi \models X\,g$.
  • The case f f U g is similar (see the text).

12
  • Theorem 1: If $B(s,s')$ then for every CTL formula
    $f$, $s \models f$ iff $s' \models f$.
  • Proof: This follows directly from Lemma 2.
  • Theorem 2: If $M \equiv M'$, then for every CTL formula
    $f$, $M \models f$ iff $M' \models f$.
  • Proof: Suppose $M \models f$; then for all initial
    states $s \in M$, $s \models f$. We need to show that for
    any initial state $s'$ of $M'$, $s' \models f$. Because
    $M \equiv M'$, for each initial state $s'$ of $M'$ there is an
    initial state $s$ of $M$ such that $B(s,s')$. By
    Theorem 1, $s' \models f$. A similar argument allows us
    to show that if $M' \models f$ then $M \models f$.

13
  • Remark 1: the converse of Theorem 2 also holds!
  • Remark 2: the notion of bisimulation equivalence
    can be extended to structures with fairness
    constraints: a relation $B \subseteq S \times S'$ is a fair
    bisimulation relation between $M$ and $M'$ iff for
    all $s, s'$, if $B(s,s')$ then
      • $L(s) = L'(s')$
      • For every fair path $\pi = s_0 s_1 \ldots$ from $s = s_0$ there
        is a fair path $\pi' = s'_0 s'_1 \ldots$ from $s' = s'_0$ such that
        for all $i$, $B(s_i, s'_i)$
      • For every fair path $\pi' = s'_0 s'_1 \ldots$ from $s' = s'_0$
        there is a fair path $\pi = s_0 s_1 \ldots$ from $s = s_0$ such
        that for all $i$, $B(s_i, s'_i)$
  • We say $M \equiv_F M'$, $M$ and $M'$ are fair bisimulation
    equivalent, if there exists a fair bisimulation
    relation $B$ such that for all initial states $s_0$ in
    $M$ there is an initial state $s'_0$ in $M'$ such that
    $B(s_0, s'_0)$, and for all initial $s'_0$ of $M'$ there is an
    initial $s_0$ of $M$ such that $B(s_0,s'_0)$.
  • Theorem 2: If $M \equiv_F M'$, then for every CTL
    formula $f$, interpreted over fair paths, $M \models_F f$
    iff $M' \models_F f$.

14
  • Sometimes bisimulation equivalence does not
    result in a significant reduction in the number of
    states.
  • Can get a greater reduction if we
      • restrict the logic
      • relax the requirement that the structures should
        satisfy exactly the same formulas
  • Introduce the simulation relation
      • Bisimulation guarantees two structures have the same
        behaviours
      • Simulation relates one structure to an
        abstraction of the structure that hides some
        details and can have significantly fewer states
      • A simulation relation guarantees that every
        behaviour of a structure is also a behaviour of
        its abstraction, but the abstraction can have some
        behaviours that are not possible in the original
        structure

15
  • Definition: Given structures $M$ and $M'$ with
    $AP' \subseteq AP$, a relation $H \subseteq S \times S'$ is a simulation relation
    between $M$ and $M'$ if and only if for all $s \in M$ and
    $s' \in M'$, if $H(s,s')$ then
      • $L(s) \cap AP' = L'(s')$
      • For every $s_1$ such that $R(s,s_1)$ there is a state
        $s'_1$ such that $R'(s', s'_1)$ and $H(s_1, s'_1)$.
  • We say $M'$ simulates $M$, denoted $M \preceq M'$, if
    there exists a simulation relation $H$ such that for
    every initial state $s_0$ in $M$ there is an initial
    state $s'_0$ in $M'$ for which $H(s_0,s'_0)$.

16
  • Lemma: Simulation $\preceq$ is a preorder on the set of
    structures, i.e., it is reflexive and transitive
  • Proof: Show (1) for all structures $M$, $M \preceq M$, and
    (2) if $M \preceq M'$ and $M' \preceq M''$ then
    $M \preceq M''$
  • (1) Clearly, for every $M$, the relation
    $H = \{(s,s) \mid s \in S\}$ is a simulation between $M$ and $M$, so
    for all $M$, $M \preceq M$ and $\preceq$ is reflexive.
  • (2) Assume $M \preceq M'$ and $M' \preceq M''$. We need to show
    $M \preceq M''$. Let $H$ be the simulation relation between
    $M$ and $M'$ and let $H'$ be the simulation relation
    between $M'$ and $M''$. Define $H''$ to be the
    composition of $H$ and $H'$, i.e.
  • $H'' = \{(s,s'') \mid \exists s'.\ H(s,s') \text{ and } H'(s',s'')\}$.
  • Using this $H''$ we can show $M''$ simulates $M$
  • First: Let $s_0 \in S_0$; then by definition of
    simulation there is $s'_0 \in S'_0$ such that $H(s_0,s'_0)$
    and $s''_0 \in S''_0$ such that $H'(s'_0, s''_0)$, so by
    definition of $H''$, for every initial state $s_0$ in
    $S_0$ there is an initial state $s''_0$ of $S''_0$ such that
    $H''(s_0, s''_0)$

17
  • Second, we need to show that $H''$ satisfies the two
    conditions of a simulation relation, i.e. if
    $H''(s,s'')$, then
      • $L(s) \cap AP'' = L''(s'')$
      • For every $s_1$ such that $R(s,s_1)$ there is a state
        $s''_1$ such that $R''(s'', s''_1)$ and $H''(s_1,s''_1)$.
  • Suppose $H''(s,s'')$. So there is $s'$ such that
    $H(s,s')$ and $H'(s',s'')$. By definition of
    simulation, $L(s) \cap AP' = L'(s')$ and
    $L'(s') \cap AP'' = L''(s'')$. Thus
    $L(s) \cap AP' \cap AP'' = L'(s') \cap AP'' = L''(s'')$.
    But $AP'' \subseteq AP'$, so $AP' \cap AP'' = AP''$; thus
    $L(s) \cap AP'' = L''(s'')$.
  • Let $s_1$ be a state such that $R(s,s_1)$ is a transition
    in $M$. Because $H$ is a simulation, there is $s'_1$ and a
    transition $R'(s', s'_1)$ in $M'$ such that $H(s_1,s'_1)$.
    Because $H'$ is a simulation, there is $s''_1$ and a
    transition $R''(s'',s''_1)$ in $M''$ such that
    $H'(s'_1,s''_1)$. $H(s_1,s'_1)$ and $H'(s'_1,s''_1)$ tell us
    $H''(s_1,s''_1)$.

18
  • Definition: if $H$ is a simulation, paths $\pi = s_0 s_1 \ldots$
    in $M$ and $\pi' = s'_0 s'_1 \ldots$ in $M'$ correspond iff for
    every $i$, $H(s_i,s'_i)$.
  • Lemma 3: Let $H$ be a simulation and assume that $s$
    and $s'$ are such that $H(s,s')$; then for every
    path $\pi$ starting from $s$ there is a corresponding
    path $\pi'$ starting from $s'$.
  • Proof: Clear from the definition of simulation (check
    out Lemma 1).
  • Theorem 2: Suppose $M \preceq M'$; then for every ACTL
    formula $f$ with atomic propositions from $AP'$,
    $M' \models f$ implies $M \models f$
  • Intuition behind the proof: every behaviour of $M$ is
    a behaviour of $M'$, and formulas of ACTL
    describe properties that are quantified over all
    possible behaviours. (Must do a proof by
    induction over the structure of ACTL formulas
    analogous to the proof of Lemma 2 and Theorem 2)

19
  • What have we achieved, i.e. why is this good for
    model checking?
  • If $M$ is much more complicated than $M'$, then
    if we can establish that an ACTL property holds for $M'$
    this is enough to show that it holds for $M$. The
    converse does not hold, which implies that if we
    have a counterexample for a formula $f$ for $M'$, the
    formula $f$ may or may not hold for $M$.

20
  • The two structures are not bi-simulation
    equivalent - but each simulates the other. To
    show M simulates M (M lt M) chose a simulation
    relation that associates states 3 and 4 in M
    with 1 in M and otherwise states in M with
    states in M with same labels. (some work to do
    here)
  • Consider the formula AG(b → EX c). It is easy to see
    this is true for M but false for M. This is not
    an ACTL formula.

21
  • Simulation can be extended to fair structures in
    the same way that bisimulation is extended to
    fair structures
  • Definition: Given structures $M$ and $M'$ with
    $AP' \subseteq AP$, a relation $H \subseteq S \times S'$ is a fair simulation
    relation between $M$ and $M'$ if and only if for all
    $s \in M$ and $s' \in M'$, if $H(s,s')$ then
      • $L(s) \cap AP' = L'(s')$
      • For every fair path $\pi = s_0 s_1 \ldots$ from $s = s_0$ in $M$
        there is a fair path $\pi' = s'_0 s'_1 \ldots$ in $M'$ from
        $s' = s'_0$ such that for every $i$, $H(s_i,s'_i)$.
  • Write $M \preceq_F M'$ if there exists a fair
    simulation relation $H$ such that for every initial
    state $s_0$ in $M$ there is an initial state $s'_0$ in $M'$
    for which $H(s_0,s'_0)$. $\preceq_F$ is a preorder on fair
    structures, and if $M \preceq_F M'$, then for every ACTL
    formula $f$, $M' \models_F f$ implies $M \models_F f$.

22
  • Check out the text for an algorithm to determine if
    two structures $M$ and $M'$ are bisimulation
    equivalent ($M \equiv M'$) or if $M'$ simulates $M$ ($M \preceq M'$).
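
    As an added illustration (not taken from the slides or from the text they cite), the sketch below decides both questions with a naive greatest-fixpoint refinement: start from all label-compatible pairs and delete pairs that violate the transfer conditions. The two structures are constructed samples modelled on the slide 7 description, all function names are assumptions, and both structures are assumed to share the same AP.

```python
from itertools import product

# A structure is (S, R, S0, L): states, successor map, initial states, labels.
# Constructed samples (not the slides' figures): in M the choice between c and
# d is made at a; in M2 it is made at b.
M = ({"a", "b1", "b2", "c", "d"},
     {"a": {"b1", "b2"}, "b1": {"c"}, "b2": {"d"}, "c": {"c"}, "d": {"d"}},
     {"a"},
     {"a": {"a"}, "b1": {"b"}, "b2": {"b"}, "c": {"c"}, "d": {"d"}})
M2 = ({"a", "b", "c", "d"},
      {"a": {"b"}, "b": {"c", "d"}, "c": {"c"}, "d": {"d"}},
      {"a"},
      {"a": {"a"}, "b": {"b"}, "c": {"c"}, "d": {"d"}})


def greatest_relation(m1, m2, both_ways):
    """Largest simulation from m1 to m2 (largest bisimulation if both_ways)."""
    (S1, R1, _, L1), (S2, R2, _, L2) = m1, m2
    # Assumption: AP' = AP, so the label condition is plain equality.
    rel = {(s, t) for s, t in product(S1, S2) if L1[s] == L2[t]}
    changed = True
    while changed:  # refine until no pair violates a transfer condition
        changed = False
        for s, t in list(rel):
            fwd = all(any((s1, t1) in rel for t1 in R2[t]) for s1 in R1[s])
            bwd = all(any((s1, t1) in rel for s1 in R1[s]) for t1 in R2[t])
            if not fwd or (both_ways and not bwd):
                rel.discard((s, t))
                changed = True
    return rel


def simulates(m2, m1):
    """True iff m2 simulates m1: each initial state of m1 has a match in m2."""
    H = greatest_relation(m1, m2, both_ways=False)
    return all(any((s, t) in H for t in m2[2]) for s in m1[2])


def bisimilar(m1, m2):
    """True iff the initial states are matched in both directions."""
    B = greatest_relation(m1, m2, both_ways=True)
    return (all(any((s, t) in B for t in m2[2]) for s in m1[2]) and
            all(any((s, t) in B for s in m1[2]) for t in m2[2]))


if __name__ == "__main__":
    print(simulates(M2, M), simulates(M, M2), bisimilar(M, M2))
```

    On these samples M2 simulates M, M does not simulate M2, and the two are not bisimulation equivalent, because the single b state of M2 has both a c and a d successor while each b state of M has only one.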

23
  • Definition: The tableau for an ACTL formula $f$ is a
    structure $T_f$ that is the maximal model for the
    formula under $\preceq_F$
  • this means that for every structure $M$,
    $M \models_F f$ iff $M \preceq_F T_f$; consequently, to determine
    if $M \models_F f$, it suffices to check if $T_f$ simulates
    $M$
  • See the text for the construction of this maximal model
    -- idea behind the construction:
  • each state in $T_f$ is a set of elementary formulas
    obtained from $f$ (e.g. $el(p) = el(\neg p) = \{p\}$ for $p$ in
    $AP$, $el(g \lor f) = el(g) \cup el(f)$, etc.)
  • The labeling $L$ is defined so that each state is
    labeled by the set of atomic propositions
    contained in the state
  • $sat(g)$ for each formula $g$ (a satisfaction
    relation) is defined as you'd expect
  • $(s,s')$ is in $R$ iff
  • T ($s \in sat(AX\,g) \Rightarrow s' \in sat(g)$)
  • intersection over all $AX\,g$ in $el(f)$

24
  • Theorem: For any $f$ and structure $M$, $M$
    satisfies $f$ iff $M$ precedes $T_f$ in the simulation
    preorder, i.e., for any $f$ and any $M$, $M \models_F f$
    iff $M \preceq_F T_f$.