Jul 1, 1994 - that the models form a hierarchy: the reactive model is derivable from the generative model by abstraction from the relative probabilities of ...
July 1994
Report No. STAN-CS-TR-94-1517 PB96-150305
Reactive, Generative and Stratified Models of Probabilistic Processes
by
Rob J. van Glabbeek, Scott A. Smolka and Bernhard Steffen
EhatnDai^_J^:
Department of Computer Science Stanford University Stanford, California 94305
19970609 034 »22C QUALITY n-7,T7'71«T3D &
Form Approved OMB No. 0704-01 »8
REPORT DOCUMENTATION PAGE
PubMc iiuoninu burden for th» collection of information it eiumated to average I hour ot reipome. including the timt for reviewing innrucaonv searching earning data wurctl. aitnennq end maintaining the data naadad. and completing and reviewing trie collection of information. Send comment» regarding thn burden animate or any other aspect of thn Millaninr -* •***-**•**> mriudiM •»»••-««•_«~»-»ducing »educing thn burden, to Wellington Waihington Headquarter» i Service». Directorate for Information Operation» and jeporu. HI» ieffenon and to the Office of Management and ludget. »eperwont «.eduction *rof» "M
PERFORMING ORGANIZATION REPORT NUMBER
10. SPONSORING/MONITORING AGENCY REPORT NUMBER
9. SPONSORING/MONITORING AGENCY NAME(S) AND ADORESS(ES)
QN'tl NSF HFOSR 11. SUPPLEMENTARY NOTES
.
X^
2 1
a
/x\
J>0~
i \2
b]
C
/x\ Figure 2: Stratified and generative transition systems of Sc'. where the action a identifies the garbage collector, and b and c the user processes. But consider the restriction context in which user c is denied further access to the machine. What would happen to its share of the CPU? Because of the symmetry in the above specification, we would naturally arrive at the expression
fixx{\a.X + \b.X) Now, however, the garbage collector is granted one half of the CPU which is different from our original intent. An exact specification of the scheduler can be obtained through the use of nested expressions of probabilistic choice:
Sc' = fixx{\a.X + \{\b.X + \c.X)) which, in the stratified model, yields the leftmost probabilistic labeled transition system of Figure 2. If user c were now denied access we would obtain
fixx{\a.X + lb.X) as desired. Thus, in the stratified model, the intended relative frequencies are preserved in a level-wise fashion in the presence of restriction. Note that the probabilistic labeled transition system of Sc' in the generative model is simply the right one of Figure 2. Thus, in the generative model, Sc is (unfortunately) equivalent to Sc'. We shall see that, in a broader sense, the generative model is an abstraction of the stratified model, in which the branching structure of probabilistic choices has been "flattened." The extremal case of nested probabilistic choice in the stratified model, in which zero probabilities are permitted, yields a general notion of process priority. For example, the expression IP + 0(1Q + OR) gives priority to process P over Q and R, and priority to Q over R. Thus process R can only be executed in a restriction context that excludes P and Q. Zero probabilities are not considered in this paper, but their role in modeling priority is examined carefully in [SS90]. Summary of Technical Results We will be working within the framework of PCCS, a specification language for probabilistic processes introduced in [GJS90]. PCCS is derived from Milner's SCCS [Mil83] by replacing the operator of nondeterministic process summation with a probabilistic counterpart. Several PCCS expressions have appeared above, which should give the flavor of the language.
For each of the three probabilistic models, and, for comparison purposes, the classical nonprobabilistic model, we present the following: • a structural operational semantics of PCCS, given as a set of inference rules in the style of Plotkin [PI08I] and Milner [Mil89]. For each model, these inference rules determine a semantic mapping from the set of PCCS expressions to a particular domain of probabilistic labeled transition systems. We denote these mappings as #1/]
E{fixxE/X} A £'
=> fe£ A £'
Figure 4: Nonprobabilistic operational semantics of PCCS.
3
The Nonprobabilistic Model
We start with the nonprobabilistic model of PCCS based on Milner's model of SCCS [Mil83]. In this model all probabilities are neglected and the only difference between PCCS and SCCS is the different communication format. The reasons for including this section are to facilitate comparison between the probabilistic models and the classical one, and to present some proofs pertaining to classical bisimulation in such a way that they can be recycled in the probabilistic case.
3.1
Nonprobabilistic Operational Semantics of PCCS
The nonprobabilistic operational semantics of PCCS is given by the inference rules of Figure 4. We write N h P -^ P' or just P -^ P' if P -^» P' can be derived from these rules. We refer to p _?4 p> as a transition and its intuitive meaning is that P can perform action a to become P'. The rules of Figure 4 induce a mapping GN to an interpretation of the open (restriction-guarded) PCCS expressions in GN, let PCCS-Cjv be the language PCCS to which all transition systems G G GN have been added as constants. We introduce an operational rule GAG, for each initial transition (I,a,s) in each transition system G = (S,T,I). Here Gs denotes the transition system with the same states and transitions as G, but with s as the initial state. Let tfN be the extension of Act, S G Pr/11 and ß G Act, Hn+\C[E][f], ß, S) < ß(C[F}[f], ß, S)
(8)
Since fj,n+l{C[E][f], ß, S-Pr[f]) = 0, we may in (8) replace S by Sf)Pr[f]. By the definition of 11 we have (Pi,P2) G 11 => (Pi[/],P2[/D € 11. Hence S D Pr[f] is the disjoint union of a collection of sets of the form S'[f] with S' G Pr/11, and it suffices to prove (8) for such sets 12
S'[f] instead of S n Pr[f). Thus we have to show that for all C G PCCS[ ]*, / : Act -> Act, 5' G Pr/Tl and /? € Act, »n+1(C[E][f}, /?, S'l/l) < MOT/], ß, S'lf}) induction n
LHS = max (ß (C[E], a, S'))
,
=>
F ^—>, F'
E M^
C
a\pj-q/r]
=» F x F c
arpl
£? e^i
—>o E
\-^
ci^fc E>
£ cJ^
c
►** ^
„[.]
Ü 6 /. r = 2 to I ft , B"|)
>w) F' x F'
a[p]
E>
=> FU
a[p] E{fixxE/X} c—N £'
c
—>i £' U
(a e A)
"bl =* jia;xF c—N £'
Figure 6: Reactive operational semantics of PCCSß. by Larsen and Skou [personal communication]. They propose to equip a relabeling that renames actions au...,an into a with a probability distribution that associates a probability pi to each of the Oi's. These probabilities then determine the normalization factor. As such a probabilistic relabeling is meaningless in the generative and stratified models, we will not consider this solution in the present paper. The same problems encountered in defining renaming in the reactive model apply to the SCCS product, as relabeling can be expressed in terms of product and the other SCCS operators. For this reason, we have "split" the SCCS product in the PCCS product and relabeling, only the latter of which has to be sacrificed in the reactive model. 4.1
Reactive Operational Semantics of PCCSR
The reactive operational semantics of PCCSß is given in Figure 6 as a set of inference rules. Reactive transitions are of the form a\p]
P C_->i P'
meaning that P, with probability p, can perform an a-transition to become P'. The index i is explained just below. In the second rule, in which j, } denote multiset brackets, r is the normalization factor used to compute the conditional probabilities of the sum under the assumption a. The rest of the rules are straightforward adaptations of their nonprobabilistic counterparts. Unlike in the nonprobabilistic case, all probabilistic transitions are indexed. The set IR of reactive indices is the smallest set such that 0 € IR, j 6 Io,k G IR => j.k G IR, and i,j E Tne IR => (*) j) £ !Rpurpose of the indices is to distinguish different occurrences of the same probabilistic transition. They are constructed so that every outgoing probabilistic transition of an expression has a unique index. (The indices will be used in the next section to define cumulative
15
probability distributions.) The following example is illustrative: o. n
il
([i]a. 0 + [I]a. 0) cü_L>li0 0
(ß]a. 0 + [±]a. 0) c_±+2 0 0
As in the nonprobabilistic case, the reactive operational rules collectively define the semantic mapping ipR from PrR, the closed expressions of PCCSÄ, and even from the open PCCSß expressions, to the domain of reactive probabilistic labeled transition systems. Definition 4 A reactive (probabilistic) transition system is a triple (S,T,I) with — S a set of states, — T C S x Act x (0,1] x IR x S a set of transitions, such that 1. ((s,a,p,i,t) eTA{s,ß,q,i,r)£T)^{a = ßAp = qAt = r) 2. VsGS, VaeAct, £|p|3iG/Ä, teS: (s,a,p,i,t) G T} G {0,1} — and I G S the initial state. The first requirement of T says that all outgoing transitions of a given state have different indices. The second one says that for each state the probabilities of the outgoing o;-transitions, if there are any, sum up to 1, for any action a separately. An isomorphism between two reactive transition systems is a bijective mapping / between their reachable states and transitions, satisfying f(s,a,p,i,t) = (f(s),a,p,j,f{t)), where * and j may be different indices, and /(/) = /', where I and /' are the initial states of the two systems. The mapping ipR is defined just as ipx in the previous section. It is not difficult to see that (pR{P) meets the requirements for reactive transition systems. 4.2
Reactive Bisimulation
We now consider reactive bisimulation, a notion of probabilistic bisimulation for reactive processes due to Larsen and Skou [LS91]. By definition, all reactive bisimulations are equivalence relations. Intuitively, two processes P,Q are probabilistically bisimilar in the reactive model if, for each action symbol, they derive reactive bisimulation classes with equal cumulative probability. To define reactive bisimulation, we first need to define the cumulative probability distribution function (cPDF) which computes the total probability by which a process derives a set of processes. Adopting the convention that the empty sum of probabilities is 0, we have: Definition 5 (Reactive cPDF) pR: (PrR x Act x V{PrR)) —► [0,1] is the total function given by: Va G Act, VP G PrR, VS C PrR, HR{P,a,S) = Y, i Pi \P ^—* QandQe S\
16
Reactive bisimulation can now be defined as follows: Definition 6 ([LS91]) An equivalence relation K Q PrR x PrR is a reactive bisimulation if {P, Q)e1Z implies: VS G PrR/K, Va G Act, HR{P,a,S)=i*R(Q,a,S) Two processes P, Q are reactive bisimulation equivalent (written P £ Q) if there exists a reactive bisimulation TZ such that (P, Q) G TZ. By the same proof as was used for nonprobabilistic bisimulation, reactive bisimulation equivalence can be shown to be an equivalence relation indeed. Furthermore, reactive bisimulation equivalence is the largest reactive bisimulation and can be found by a straightforward adaptation of the fixed-point iteration technique of [Mil89]. Like strong bisimulation does for SCCS or CCS, reactive bisimulation equivalence provides a compositional semantics for PCCSÄ that is consistent with the operational semantics defined in the last section. Specifically: Theorem 4 (Congruence) For E,F G PCCSß, C G PCCSÄ[ ]:
E ~ F implies C[E] ~ C[F]
Proof: Following the previous congruence proof, we define K as the equivalence closure of W = {(C[E],C[F]) | E ~ F, C G PCCSß[ ]*}. The top of a context C G PCCSÄ[ ] is the part that remains after first removing every subcontext of the form a.E and subsequently every subcontext not containing SI. Now let PCCS^[ ] be the set of all PCCS« contexts with at most k nested summation operators in their top. This time we have to show that for all E, F G PCCS« with E&F, and for all k G N, MC G PCCSk[ ]*, VS G PrR/Tl, Va G Act, fiR(C[E], a, S) = HR(C[F], a, S)
(10)
This will be done by three nested inductions. First we apply induction on the number of free variables in E and F and choose E,F G PCCSR with E ~ F for the induction step. Then we apply induction on k and suppose (10) holds for k < I. Finally the proof of (10) for k = I continues exactly like the one for ~ (i.e. with induction on the depth of derivations), substituting R for JV and PCCS'ß[ ] for PCCS[ ], except that the function nR- (P^R X Act x V{PrR)) —> [0,1] is given by: Va G Act, VP G PrR, VS C PrR, VnR(P,a,S) =^2{pi\R\-nP £-^i Q and Q G S\ i€lR
and every time we invoke the induction hypothesis, we check that it is applied to contexts in PCCSft[ ]* only (in the case of recursion this follows by guardedness of PCCSÄ expressions). Moreover the case of relabeling is dropped—the congruence proof would break down where the operation max is applied—and the last line in the case of summation is replaced by: T^UH-MCiMcS) LHS = Ziel \Pi I VR(Ci[E), a, PrR) ± Ofr
indU i0n
< ~
Z P G~ Q for P,Q € Pr. Theorem 8 (or Lemma 1) implies D CR HR{P,a,S) = HGR{P,a,S) and hence P ~ Q ■& P ~ Q for summation-guarded P,Q G Pr^. □ Theorem 8 does not hold in the presence of general summation. Consider the process P= \a.X + l{\a.Y + ±b.Z) In ipGRiVGiP)) the probabilities of a.X and a.Y are equal, while in m E'
Moreover G \-E -Sj F, £ —+J E", i ? j =* /(») # /COProof: In Lemma 1 / happened to be the identity function and was therefore not mentioned. Unfortunately, / can not be chosen bijective this time. In order to get rid of this complication in an early stage, we split the proof in two parts by considering an intermediate operational semantics G'. The inference rules of G" are exactly the same as the ones of G, except that in the rule for product when i and j are both 0 the resulting index is also 0 instead of (0,0). Let /' : IG -> la be the function that exhaustively replaces all occurrences of (0,0) in an index by 0. Then afp] , abl ,_,, G\-E -^ii E' . iSG. This function can be chosen bijective. Recall that /g = JsU {0} and let jgG be the largest set of sequences over I°s such that an index (i,j) can only be followed by either 0 or an index (k,l) such that i.kj.l G I°SG, and an index 0 can only be followed by an index 0. Then ISG = I°SG n (Js)*0. This follows from the fact that product is a static operator, i.e. the syntactic subtree of occurrences of product in a PCCS expression is preserved under stratified derivations. Define head : IG> -> i§, tail : la -> la and the partial function • : Jg x IG> ->■ IG< by head(0)=0 head(i.j)=i
,/• ^
/,
tail(0)=0 tail(i.j)=j ^-M,
^
head(i,j) = (head{i),head{j))
+
-ir ^
0.0 = 0 fj=t.j
J(*«J(*),*a«(j))if#(0,0)
tail{i,j) = -> ^SG by . _ J 0 •^ = 1 head{i).f(tail(i)) and g : IsG ~> -fc' by
if t = 0 otherwise
g{io- ■ ■ ■ -in) = (*0 • (■ • • (*n-l • in) ■ • '))
29
(18)
Note that / transforms pairs of sequences into sequences of pairs. Clearly f(i) e ISG for i E Ic and g(i) E IG> for i € ISG- Further g is the inverse of / by (18), and hence / is bijective. The bijectivity of / together with the limited injectivity of /' establishes the "moreover" part of the lemma. We now proceed to prove a\p]
a\p]
G'yE-^iE'^S + IMARSG \-E —►
m
E'
by structural induction on i. In case i = 0 (the induction base) E must be summation-free and there is almost no difference between the generative and stratified (=nonprobabilistic) inference rules, and the statement holds. In case i^Owe again use induction on the depth of derivation trees, albeit modified ones. Here the modification of a G' derivation tree consists of removing all ancestors of transitions from summation expressions, and the modification of an S +IMARSG derivation tree consists of erasing any subtree ending with a clause that is used as the second argument in an application of IMARSG- Moreover, the remaining application of IMARSG doesn't count. We now use the notation hn to refer to the depth of modified derivations, and prove afp]
a\p]
G'\-nE —>i E' ^=> S + IMARSGK^ —>f(i) E' by induction on n. We distinguish several cases, depending on the topmost operator of E. Asi^O this operator cannot be action prefixing. Ea[p]
\pi] Ei
iei iff S + IMARSG I- Ej
ot[q]
>j.k E'
a[q]
iff G' h Ej
>■/(*) E' and p = pj ■ q (by induction (k < j.k))
Ea\p]
v^
\pi\Ei
>f{j_k) E' (since S hi 2^ ]pi]Ei i
iei
h E", F a\p]
iff S + IMARSG U E
F I
f{taü{i))
> tail®
E
iff S hn+i ExF I (a,ß)[r2] iff 5 Hn+1 ExF I
>f{j) F" and p-q = r (by induction)
>head{j) F ) ßlii]
Pl
-p2 ■ qx ■ q-i = r
91 >head{i) E',
G'hE'x F'
ß[q]
E", F' —> f(taii(j)) F" and
pi
G'Y-E'
>{iJ) E" x F"
91
S + IMARSG H E' —► a[p2]
(a,ß)[r]
^/W E", F
>head(i) E', "b2]
iff S hn E I
>j Ej).
>j F" and p-q = r
Pi iff S hn E I
Pj
i€l
Product: In case i^O^j: G' hn+1 ExF iff G' \-n E
>k E' and p = pj ■ q
F I /3[92]
>head(j) F ,
\ F' —> taii(j) F" and
Pl
■ p2 ■ qi ■ q2 = r (by induction)
>(head(i),head(j)) E X F ,
>tail{itj) E" x F" and rx-r2 = r >head(i,j) E' x F', (a /3)[r2]
S + IMARSG \-E' X F' —■
>f{taü{i,j)) E" x F" and rx-r2 = r (by induction)
{a,ß)[r\
iff S + IMARSG U+I ExF
>f{iJ) E" x F". 30
In case i ^ 0 = j: G' \~n+i ExF
>{i,0) E" x F"
a[r]
iff G' Vn E
ß[l]
-^i E", F
iff S + lMARsG^-nE
>o F"
a[r]
)/(i) E", F
>o F" (by induction)
W(i) E', F ► F", o[r2] ßW S + IMARSG \~ E' >f{taii(i)) E", F >o F" and n • r2 = r
iff S \-n E i
iff S \-n E i G'hE'
► F",
>head{i) E', F a[T2]
>tail(i) E", F—^->o F" and n-r2 = r (by induction) ►(ww.o) E' x F,
iff S hn+1 ExF i (a /3)[J"2]
G"rE' xF —■
haii(ifi) E" x F" and rl-r2 = r
iff S hn+1 ExF I
>head(i,0) E' x F, {a,ß)[T2
5 + IMARSG \~ E'X F
\ f{tail{m E" x F" and n-r2 = r (by induction)
(a ß)[r]
iff 5 + IMARSG Hn+i ^ x F
'■
>f(ifi) E" x F".
The case i = 0 ^ j is symmetric. a[p]
Relabeling: G' hn+1 £[/] iff G' \-n E
H E"[f]
ß\p\
^i E" and /(/?) = a
iff S + IMARSG \~n E
>m E" and f{ß) = a (by induction)
iff ShnE ^head{i) E', S + IMARSG h E' ^>
f{tail{i))E",
Pi'P2=P and /(/?) = a
iff ShnE ^head(i) E\ G' h £' -^ t««(0 #'. Pi -P2 = P and /(/?) = a (by induction) iff Shn+1£[/]AMi)^[/], G'hE'[f]^tail{i)E"[f], Pi-P2=P iff Sh„+1E[/]ÄM^'[/], 5 + IMARSG h^[/]-Ä/(taa(0)£?"[/], Pi-P2=P (ind.) Q[P]
iff 5 + IMARSG l-n+i-B[/] Recursion: G' hn+i fixxE
►/« #"[/]•
>i E a\p]
iff G' h„ E{fixxE/X}
>t E" a\p]
iff 5 + IMARSG hi £{.fe£/X}
>m E" (by induction)
iff S \-n E{fixxE/X} ^head(i) E\ S+IMARSG r-F iff Sh,+i./u*E ^>w(i) #, 5 +IMARSG H^ (x\p\
iff 5 + IMARSG ^n+i /w*£
" " >/(te«(0) £"andprP2=p ° ' >/(ta«t(»)) #" and pi-p2=p
►/« ^"-
As an immediate consequence of this lemma, we obtain the following commutativity result: 31
D
Theorem 11 (Commutativity) Let P e Pr be restriction-free. Then ipsoi^PsiP)) = VG(P)Corollary 12 Let P,Q £ Pr be restriction-free PCCS processes. Then P ~ Q =4> P ~ Q. Proof: Theorem 10 says that P ~ Q =» P ^ Q for P, Q € Pr. Theorem 11 (or Lemma 2) implies HG(P,a,S) = HSG(P,a,S) and hence P ~ Q P ?? Q for restriction-free ?,Qe Pr. □ Theorem 11 does not hold for arbitrary PCCS processes. Consider the process
P=ia.O + |(i6.0 + ic.O)r{a,6}
► E' =>• E 32
c
—>o E'
Q
a[q]
E
[vs(£,{«})]
_£+. E' c—>j E" => E c
^ £"
This inter-model abstraction rule defines a mapping ipsR ■ ®s -» ®R- Like the composed mapping tpoR o ipso ■ f(i) E" and a e A (by induction)
iff S\-nE^head{i)E', S + lMARsRhE'^f{tail{i))E", pvp2 = p-us(E, {a}) and aEA iff Sr-nE^wW^, R^E'P%Q. By means of the same counterexample that we used at the end of Section 7.1, one shows that the equivalence induced on the stratified model by reactive bisimulation through (fsR is not a congruence for relabeling. As a consequence, no compositional definition of relabeling in the reactive model is possible that allows a generalization of Theorem 14. The corresponding counterexample for summation is also valid for ipoR ° fsc but not for ipsR (in fact, it couldn't be, by Theorems 14 and 4). Hence these two mappings are different. It appears that ipsR preserves some of the stratified flavor of nested PCCS summations, which is lost by VGR ° tfSG-
7.4
The Probabilistic to Nonprobabilistic Abstraction
Let E, E' be PCCS expressions. Then IMARSJV is given by E ^i £'-A E" => E-% E" Similarly IMARGAT and IMAR^ are given by
E
a
a\p]
u E'
=>
E
> E'
a\p]
E c—>.
E'
=>
E —> E'
These inter-model abstraction rules simply throw away all probabilities. It is comparatively straightforward to establish the remaining commutativity results announced in the introduction. Theorem 16 (Abstraction) Let G,H G GR. Then G % H =>
