2  Preliminaries: Communicating Systems and Games

The core background of this thesis is the trinity of characterizations for behavioral equivalences: relational, modal, and game-theoretic.

This chapter takes a tour into the field of formalisms used to model programs and communicating systems, which are accompanied by many notions for behavioral equivalence and refinement to relate or distinguish their models.

The tour is agnostic, building on the basic formalism of labeled transition systems and standard equivalences such as trace equivalence and bisimilarity. Simultaneously, the approach is opinionated, focusing on Robin Milner’s tradition of concurrency theory with a strong pull towards game characterizations.

Figure 2.1 shows the scaffold of this chapter along the trinity, instantiated to the classic notion of bisimilarity:

Figure 2.1: Core-correlations for bisimilarity between relational definition, modal distinguishability, and equivalence game.

Readers familiar with these contents might mostly skim through this chapter of preliminaries (although they are quite exciting!). The two core insights this chapter aims to seed for the upcoming chapters are:

Idea 2.1: It’s all a game!

Equivalence games are a most versatile way to handle behavioral equivalences and obtain decision procedures. The Hennessy–Milner theorem appears as a shadow of the determinacy of the bisimulation reachability game.

Idea 2.2: Modal first!

Modal characterizations allow a uniform handling of the hierarchy of equivalences. Productions in grammars of potential distinguishing formulas translate to game rules for equivalence games.

Both points might seem non-standard to those more accustomed to relational or denotational definitions of behavioral equivalences. To provide them with a bridge, we will start with relational and denotational definitions—but once we have crossed this bridge, we will not go back.

2.1 Behavior of Programs

Every computer scientist has some model in their head of what it is that their algorithms and programs are doing. Usually, these models are wrong, especially once concurrency enters the picture. The area of formal methods tries to make models sufficiently precise that one can at least say what went wrong.

1 But some are useful, as the saying goes.

2.1.1 Labeled Transition Systems

Labeled transition systems are the standard formalism to discretely express the state space of programs, algorithms, and more. One can think of them as nondeterministic finite automata where the finiteness constraint has been lifted.

Definition 2.1 (Transition Systems) A labeled transition system (LTS) \mathcal{S} = (\mathcal{P}, \mathit{Act}, \xrightarrow{}) consists of

  • \mathcal{P}, a set of states,
  • \mathit{Act}, a set of actions, and
  • {\xrightarrow{}} ⊆ \mathcal{P} × \mathit{Act} × \mathcal{P}, a transition relation.

We write \operatorname{Der}(p, α) for the set of derivative states \{p' \mid p \xrightarrow{α} p'\}, and \operatorname{Ini}(p) for the set of enabled actions \{α \mid \exists p' \ldotp p \xrightarrow{α} p'\}.
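To make the definition concrete, here is a minimal sketch (not part of the thesis) of an LTS in Python: transitions are a set of triples, and \operatorname{Der} and \operatorname{Ini} become one-line set comprehensions. The state and action names are illustrative strings, anticipating a fragment of the example system below.

```python
# A labeled transition system as a set of (state, action, state) triples.
trans = {
    ("P", "tau", "p_a"), ("P", "tau", "p_b"),
    ("p_a", "a", "p_1"), ("p_b", "b", "p_2"),
}

def der(p, a):
    """Der(p, a): the set of a-derivatives of state p."""
    return {q for (s, act, q) in trans if s == p and act == a}

def ini(p):
    """Ini(p): the set of actions enabled in state p."""
    return {act for (s, act, _) in trans if s == p}

assert der("P", "tau") == {"p_a", "p_b"}
assert ini("p_a") == {"a"}
```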

There is a canonical example used to discuss equivalences within transition systems, which we want to draw from. We will take the formulation that Henzinger used at CAV’23.

Example 2.1 (A Classic Example) Consider the transition system \mathcal{S}_\mathsf{PQ} = (\{\mathsf{P}, \mathsf{p_a}, \mathsf{p_b}, \mathsf{p_1}, \mathsf{p_2}, \mathsf{Q}, \mathsf{q_{ab}}, \mathsf{q_1}, \mathsf{q_2}\}, \{\mathsf{a}, \mathsf{b}, τ\}, \xrightarrow{\cdot}_\mathsf{PQ}) given by the following graph:

Figure 2.3: Example system SPQ\mathcal{S}_\mathsf{PQ}.

The program described by the transitions from \mathsf{P} chooses non-deterministically during a τ-step between two options and then offers only either \mathsf{a} or \mathsf{b}. The program \mathsf{Q}, on the other hand, performs a τ-step and then offers the choice between options \mathsf{a} and \mathsf{b} to the environment.

There are two things one might wonder about Example 2.1:

  1. Should one care about non-determinism in programs? The next subsection shows how non-determinism arises naturally in concurrent programs.
  2. Should one consider \mathsf{P} and \mathsf{Q} equivalent? This heavily depends. Section 2.2 will introduce a notion of equivalence under which the two are equivalent and one under which they differ.

Remark 2.1 (A Note on τ). The action τ (the Greek letter “tau”) will in later chapters stand for internal behavior and receive special treatment. For the scope of this and the following three chapters, τ is an action like every other.

Generally, this thesis aims to be consistent with notation and naming in the surrounding literature. Where there are different options, we usually prefer the less-Greek one. Also, we write literals and constant names in \textsf{sans-serif} and variables in \textit{italics}. For the internal action, however, the whole field has converged to τ in italics, so we will run with this.

2.1.2 Calculus of Communicating Systems

To talk about programs in this thesis, we use Milner’s Calculus of Communicating Systems (CCS), which—together with other great contributions—earned him the Turing award. It is a tiny concurrent programming language that fits in your pocket and can be properly described mathematically!

Definition 2.2 (Calculus of Communicating Systems) Let \mathcal{A} be a set of channel names, and \mathcal X a set of process names. Then, \textsf{CCS} processes, communicating via actions \mathsf{Act}_\textsf{CCS} ≔ \mathcal{A} \cup \{ \overline{α} \mid α ∈ \mathcal{A}\} \cup \{τ\}, are given by the following grammar: \begin{array}{cllr} P \;::=\; & α\ldotp\! P & \quad\text{with } α ∈ \mathcal{A} & \text{“input action prefix”} \\ & \overline{α}\ldotp\! P & \quad\text{with } α ∈ \mathcal{A} & \text{“output action prefix”} \\ & τ\ldotp\! P & & \text{“internal action”} \\ & \mathbf{0} & & \text{“null process”} \\ & X & \quad\text{with } X ∈ \mathcal X & \text{“recursion”} \\ & P + P & & \text{“choice”} \\ & P \,\mid\, P & & \text{“parallel composition”} \\ & P \,\mathbin{\backslash} A & \quad\text{with } A ⊆ \mathcal{A} & \text{“restriction”} \end{array} We call pairs of actions α and \overline{α} coactions, and work with the aliasing \overline{\overline{α}} = α. The intuition is that an action α represents receiving and \overline{α} expresses sending in communication. A pair of action and coaction can “react” in a communication situation and only becomes internal activity τ in the view of the environment.

3  For the examples of this thesis, a simple CCS variant without value passing and renaming suffices.

Each sub-process tree must end in a \mathbf{0}-process or recursion. For brevity, we usually drop a final \mathbf{0} when writing terms, e.g., just writing \mathsf{ac} for \mathsf{ac}\ldotp\!\mathbf{0}.

We place parentheses, (…), in terms where the syntax trees would otherwise be ambiguous, but understand the choice operator + and the parallel operator \mid to be associative.

Example 2.2 (Concurrent Philosophers) Following tradition, we will express our examples in terms of philosophers who need forks to eat spaghetti. So, consider two philosophers \mathsf{P_A} and \mathsf{P_B} who want to grab a resource \mathsf{fork}, modeled as an action, in order to eat, where we express \mathsf{P_A} eating with action \mathsf{a} and \mathsf{P_B} eating with \mathsf{b}. The philosopher processes read:

4  Of course, you can just as well read the examples to be about computer programs that race for resources.

\begin{gathered} \mathsf{P_A} ≔ \mathsf{fork}\ldotp\! \mathsf{a}\ldotp\! \mathbf{0}\\ \mathsf{P_B} ≔ \mathsf{fork}\ldotp\! \mathsf{b}\ldotp\! \mathbf{0} \end{gathered} An LTS representation of \mathsf{P_A}’s behavior can be seen in the margin. Process \mathsf{P} captures the whole scenario where the two philosophers compete for the fork using communication: \mathsf{P} ≔ ( \overline{\mathsf{fork}}\ldotp\! \mathbf{0} \mid \mathsf{P_A} \mid \mathsf{P_B} ) \mathbin{\backslash}\{\mathsf{fork}\} The restriction \mathbin{\backslash}\{\mathsf{fork}\} expresses that the \mathsf{fork}-channel can only be used for communication within the system.

As the \overline{\mathsf{fork}}-action can be consumed by just one of the two philosophers, process \mathsf{P} expresses exactly the program behavior seen in state \mathsf{P} of Example 2.1.

The formal relationship between process terms and their LTS semantics is given by the following definition.

Definition 2.3 (CCS Semantics) Given an assignment of names to processes, \mathcal V\colon \mathcal X → \textsf{CCS}, the operational semantics {\xrightarrow{\cdot}_\textsf{CCS}} ⊆ \textsf{CCS} × \mathsf{Act}_\textsf{CCS} × \textsf{CCS} is defined inductively by the rules:

\dfrac{ }{ α\ldotp\! P \xrightarrow{α}_\textsf{CCS} P } \qquad \dfrac{ P \xrightarrow{α}_\textsf{CCS} P' \qquad \mathcal V(X) = P }{ X \xrightarrow{α}_\textsf{CCS} P' }

\dfrac{ P_1 \xrightarrow{α}_\textsf{CCS} P_1' }{ P_1 + P_2 \xrightarrow{α}_\textsf{CCS} P_1' } \qquad \dfrac{ P_2 \xrightarrow{α}_\textsf{CCS} P_2' }{ P_1 + P_2 \xrightarrow{α}_\textsf{CCS} P_2' }

\dfrac{ P_1 \xrightarrow{α}_\textsf{CCS} P_1' }{ P_1 \mid P_2 \xrightarrow{α}_\textsf{CCS} P_1' \mid P_2 } \qquad \dfrac{ P_2 \xrightarrow{α}_\textsf{CCS} P_2' }{ P_1 \mid P_2 \xrightarrow{α}_\textsf{CCS} P_1 \mid P_2' }

\dfrac{ P_1 \xrightarrow{α}_\textsf{CCS} P_1' \qquad P_2 \xrightarrow{\overline{α}}_\textsf{CCS} P_2' }{ P_1 \mid P_2 \xrightarrow{τ}_\textsf{CCS} P_1' \mid P_2' } \qquad \dfrac{ P \xrightarrow{α}_\textsf{CCS} P' \qquad α, \overline{α} \notin A }{ P \mathbin{\backslash} A \xrightarrow{α}_\textsf{CCS} P' \mathbin{\backslash} A }

A process P ∈ \textsf{CCS} now denotes a position in the transition system (\textsf{CCS}, \mathsf{Act}_\textsf{CCS}, \xrightarrow{}_\textsf{CCS}) defined through these rules.

So, when we were writing “\mathsf{P_A} ≔ \mathsf{fork}\ldotp\! \mathsf{a}\ldotp\! \mathbf{0}” above, this was actually a claim that we are talking about a CCS system with the process name \mathsf{P_A} ∈ \mathcal X and \mathcal V(\mathsf{P_A}) ≔ \mathsf{fork}\ldotp\! \mathsf{a}\ldotp\! \mathbf{0}. By the semantics, this also leads to the existence of a state \mathsf{P_A} in the CCS transition system, and usually that is the entity we are interested in when defining a process.

Feel free to go ahead and check that the transitions of Figure 2.3 indeed match those that Definition 2.3 prescribes for \mathsf{P}! (For readability, Figure 2.3 has shorter state names, however.) For instance, the transition \mathsf{P} \xrightarrow{τ} \mathsf{p_a} would be justified as follows:

\dfrac{ \dfrac{ \dfrac{ \dfrac{ }{ \overline{\mathsf{fork}} \xrightarrow{\overline{\mathsf{fork}}}_\textsf{CCS} \mathbf{0} } \quad \dfrac{ \dfrac{ \dfrac{ }{ \mathsf{fork}\ldotp\! \mathsf{a} \xrightarrow{\mathsf{fork}}_\textsf{CCS} \mathsf{a} } \qquad \mathcal V(\mathsf{P_A}) = \mathsf{fork}\ldotp\! \mathsf{a} }{ \mathsf{P_A} \xrightarrow{\mathsf{fork}}_\textsf{CCS} \mathsf{a} } }{ \mathsf{P_A} \mid \mathsf{P_B} \xrightarrow{\mathsf{fork}}_\textsf{CCS} \mathsf{a} \mid \mathsf{P_B} } }{ \overline{\mathsf{fork}} \mid \mathsf{P_A} \mid \mathsf{P_B} \xrightarrow{τ}_\textsf{CCS} \mathbf{0} \mid \mathsf{a} \mid \mathsf{P_B} } \quad τ \notin \{\mathsf{fork}\} }{ ( \overline{\mathsf{fork}} \mid \mathsf{P_A} \mid \mathsf{P_B} ) \mathbin{\backslash}\{\mathsf{fork}\} \xrightarrow{τ}_\textsf{CCS} ( \mathbf{0} \mid \mathsf{a} \mid \mathsf{P_B} ) \mathbin{\backslash}\{\mathsf{fork}\} } \quad \mathcal V(\mathsf{P}) = ( \overline{\mathsf{fork}} \mid \mathsf{P_A} \mid \mathsf{P_B} ) \mathbin{\backslash}\{\mathsf{fork}\} }{ \mathsf{P} \xrightarrow{τ}_\textsf{CCS} ( \mathbf{0} \mid \mathsf{a} \mid \mathsf{P_B} ) \mathbin{\backslash}\{\mathsf{fork}\} }

Non-determinism like in \mathsf{P} can be understood as a natural phenomenon in models with concurrency. The model leaves unspecified which of two processes will consume an internal resource, and, to the outsider, it is not visible which one took the resource until they communicate again. There are other ways in which non-determinism plays a crucial role in models, for instance, as a consequence of abstraction or of parts that are left open in specifications.

The second process \mathsf{Q} of Example 2.1 can be understood as a deterministic sibling of \mathsf{P}.

Example 2.3 (Deterministic Philosophers) A process matching the transitions from \mathsf{Q} in Figure 2.3 would be the following, where the philosophers take the fork as a team and then let the environment choose which of them eats:

\mathsf{Q} ≔ (\overline{\mathsf{fork}} \mid \mathsf{fork}\ldotp\! ( \mathsf{a} + \mathsf{b} )) \mathbin{\backslash}\{\mathsf{fork}\}.

But are \mathsf{P} and \mathsf{Q} equivalent?

2.2 Behavioral Equivalences

A behavioral equivalence formally defines when to consider two processes (or states, or programs) as equivalent. Clearly, there might be different ways of choosing such a notion of equivalence. Also, sometimes we are interested in a behavioral preorder, for instance, as a way of saying that a program does “less than” what some specification allows.

This section will quickly introduce the most common representatives of behavioral equivalences: Trace equivalence (and preorder), simulation equivalence (and preorder), and bisimilarity. We will then observe that the notions themselves can be compared in a hierarchy of equivalences.

2.2.1 Trace Equivalence

Every computer science curriculum features automata and their languages sometime at the beginning. Accordingly, comparing two programs in terms of the sequences of input/output events they might expose, referred to as their traces, is a natural starting point for talking about behavioral equivalences.

Definition 2.4 (Traces) The set of traces \mathsf{Traces}(p) of a state p is recursively defined as

  • \texttt{()} ∈ \mathsf{Traces}(p),
  • α \cdot \vec w ∈ \mathsf{Traces}(p) if there is p' with p \xrightarrow{α} p' and \vec w ∈ \mathsf{Traces}(p').

5 We denote the empty word by ()\texttt{()}.

Definition 2.5 (Trace Equivalence) Two states p and q are considered trace-equivalent, written p \sim_\mathrm{T} q, if \mathsf{Traces}(p) = \mathsf{Traces}(q).

States are trace-preordered, p \preceq_\mathrm{T} q, if \mathsf{Traces}(p) ⊆ \mathsf{Traces}(q).

Example 2.4 The traces for the processes of Example 2.1 would be \mathsf{Traces}(\mathsf{P}) = \{\texttt{()}, τ, τ\mathsf{a}, τ\mathsf{b}\} = \mathsf{Traces}(\mathsf{Q}). Consequently, \mathsf{P} and \mathsf{Q} are trace-equivalent, \mathsf{P} \sim_\mathrm{T} \mathsf{Q}.

As \mathsf{Traces}(\mathsf{p_a}) = \{\texttt{()}, \mathsf{a}\} ⊆ \{\texttt{()}, \mathsf{a}, \mathsf{b}\} = \mathsf{Traces}(\mathsf{q_{ab}}), \mathsf{p_a} is trace-preordered to \mathsf{q_{ab}}, \mathsf{p_a} \preceq_\mathrm{T} \mathsf{q_{ab}}. This ordering is strict, that is, \mathsf{q_{ab}} \not\preceq_\mathrm{T} \mathsf{p_a}, due to \mathsf{b} ∈ \mathsf{Traces}(\mathsf{q_{ab}}) but \mathsf{b} \notin \mathsf{Traces}(\mathsf{p_a}). We could say that trace \mathsf{b} constitutes a difference between \mathsf{q_{ab}} and \mathsf{p_a}.
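For finite, acyclic systems, Definition 2.4 translates directly into a recursive computation. The following sketch (illustrative, not from the thesis) uses the \mathsf{p_a}/\mathsf{q_{ab}} fragment of the example to check the trace preorder claims above; traces are Python tuples, with the empty tuple as the empty trace.

```python
# Transitions of the p_a / q_ab fragment of the example system.
trans = {
    ("p_a", "a", "p_1"),
    ("q_ab", "a", "q_1"), ("q_ab", "b", "q_2"),
}

def traces(p):
    """Traces(p) for an acyclic, finite-state system (Definition 2.4)."""
    ts = {()}  # the empty trace is always a trace
    for (s, act, q) in trans:
        if s == p:
            ts |= {(act,) + w for w in traces(q)}
    return ts

assert traces("p_a") == {(), ("a",)}
assert traces("p_a") <= traces("q_ab")            # p_a ⪯_T q_ab
assert ("b",) in traces("q_ab") - traces("p_a")   # b distinguishes them
```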

Proposition 2.1 The trace preorder \preceq_\mathrm{T} is indeed a preorder (i.e., transitive and reflexive) and trace equivalence \sim_\mathrm{T} is indeed an equivalence relation (i.e., transitive, reflexive, and moreover symmetric).

Trace equivalence and preorder assign programs straightforward denotational semantics: The sets of traces they might expose. For many formal languages, these mathematical objects can be constructed directly from the expressions of the language. With the idea that the program text “denotes” its possible executions, the set of traces is called a “denotation” in this context. CCS, as we use it, follows another approach to semantics, namely the one of “operational semantics,” where the meaning of a program is in how it might interact.

There are several reasons why computer scientists did not content themselves with trace equivalence when studying interactive systems. The core argument is that, in this context, one usually does not want to consider processes like \mathsf{P} and \mathsf{Q} to be equivalent: The two might interact differently with an environment. For instance, assume there is a user that wants to communicate (\dots \mid \mathsf{a}\ldotp\!\mathsf{success}\ldotp\! \mathbf{0}) \mathbin{\backslash}\{\mathsf{a}\}. In interactions with \mathsf{Q}, they will always reach \mathsf{success}; with \mathsf{P}, there is a possibility of ending up deadlocked in parallel with \mathsf{p_b}, never achieving success.

So let us look into more distinctive equivalences!

2.2.2 Simulation and Bisimulation

The other big approach to behavioral equivalence of programs is to relate parts of their state spaces to one another. The idea here is to identify which states of one program can be used to simulate the behavior of the other.

Definition 2.6 (Simulation) A relation on states, \mathcal{R} ⊆ \mathcal{P} × \mathcal{P}, is called a simulation if, for each (p, q) ∈ \mathcal{R} and α ∈ \mathit{Act} with p \xrightarrow{α} p', there is a q' with q \xrightarrow{α} q' and (p', q') ∈ \mathcal{R}.

Definition 2.7 ((Bi-)similarity) Simulation preorder, simulation equivalence, and bisimilarity are defined as follows:

  • p is simulated by q, p \preceq_\mathrm{S} q, iff there is a simulation \mathcal{R} with (p, q) ∈ \mathcal{R}.
  • p is similar to q, p \sim_\mathrm{S} q, iff p \preceq_\mathrm{S} q and q \preceq_\mathrm{S} p.
  • p is bisimilar to q, p \sim_\mathrm{B} q, iff there is a symmetric simulation \mathcal{R} (i.e., \mathcal{R} = \mathcal{R}^{-1}) with (p, q) ∈ \mathcal{R}.

We also call a symmetric simulation a bisimulation for short. Canceled symbols of relations refer to their negations; for instance, p \not\preceq_\mathrm{S} q iff there is no simulation \mathcal{R} with (p, q) ∈ \mathcal{R}.

15  Other authors use a weaker definition, namely, that R\mathcal{R} is a bisimulation if R\mathcal{R} and R1\mathcal{R}^{-1} are simulations. Both definitions lead to the characterization of the same notion of bisimilarity.
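On finite systems, bisimilarity can be computed as a greatest fixed point: start from the full relation and repeatedly delete pairs that violate the two-sided simulation condition. The following naive sketch is illustrative only (real tools use partition refinement, and the encoding is my own, not the thesis’ algorithm); it runs on the example system.

```python
# Transitions of the example system S_PQ (tau written out as "tau").
trans = {
    ("P", "tau", "p_a"), ("P", "tau", "p_b"),
    ("p_a", "a", "p_1"), ("p_b", "b", "p_2"),
    ("Q", "tau", "q_ab"),
    ("q_ab", "a", "q_1"), ("q_ab", "b", "q_2"),
}
states = {s for t in trans for s in (t[0], t[2])}
acts = {act for (_, act, _) in trans}

def der(p, a):
    return {q for (s, act, q) in trans if s == p and act == a}

def largest_bisimulation():
    """Greatest fixed point: prune pairs violating either simulation direction."""
    rel = {(p, q) for p in states for q in states}
    changed = True
    while changed:
        changed = False
        for (p, q) in set(rel):
            ok = (all(any((p2, q2) in rel for q2 in der(q, a))
                      for a in acts for p2 in der(p, a))
                  and all(any((q2, p2) in rel for p2 in der(p, a))
                          for a in acts for q2 in der(q, a)))
            if not ok:
                rel.discard((p, q))
                changed = True
    return rel

bisim = largest_bisimulation()
assert ("p_1", "q_1") in bisim   # deadlocked states are bisimilar
assert ("P", "Q") not in bisim   # P and Q are not bisimilar
```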

Example 2.5 The following relations are simulations on the LTS of Example 2.1:

  • the empty relation \mathcal{R}_\varnothing ≔ \varnothing;
  • the identity relation \mathcal{R}_\mathrm{id} ≔ \mathrm{id}_{\{\mathsf{P}, \mathsf{p_a}, \mathsf{p_b}, \mathsf{p_1}, \mathsf{p_2}, \mathsf{Q}, \mathsf{q_{ab}}, \mathsf{q_1}, \mathsf{q_2}\}} = \{(\mathsf{P}, \mathsf{P}), (\mathsf{p_a}, \mathsf{p_a}), (\mathsf{p_b}, \mathsf{p_b}), (\mathsf{p_1}, \mathsf{p_1}), (\mathsf{p_2}, \mathsf{p_2}), (\mathsf{Q}, \mathsf{Q}), (\mathsf{q_{ab}}, \mathsf{q_{ab}}), (\mathsf{q_1}, \mathsf{q_1}), (\mathsf{q_2}, \mathsf{q_2})\};
  • the universal relation between all final states \mathcal{R}_\mathrm{fin} ≔ \{\mathsf{p_1}, \mathsf{p_2}, \mathsf{q_1}, \mathsf{q_2}\}^2;
  • more generally, the relation from final states to all other states: \mathcal{R}_\mathrm{up} ≔ \{\mathsf{p_1}, \mathsf{p_2}, \mathsf{q_1}, \mathsf{q_2}\} × \mathcal{P};
  • a minimal simulation for \mathsf{P} and \mathsf{Q}: \mathcal{R}_\mathsf{PQ} ≔ \{(\mathsf{P}, \mathsf{Q}), (\mathsf{p_a}, \mathsf{q_{ab}}), (\mathsf{p_b}, \mathsf{q_{ab}}), (\mathsf{p_1}, \mathsf{q_1}), (\mathsf{p_2}, \mathsf{q_2})\};
  • and the combination of the above, \mathcal{R}_\mathrm{max} ≔ \mathcal{R}_\mathsf{PQ} ∪ \mathcal{R}_\mathrm{id} ∪ \mathcal{R}_\mathrm{up}.

The simulation \mathcal{R}_\mathsf{PQ} shows that \mathsf{P} \preceq_\mathrm{S} \mathsf{Q}.

However, there is no simulation that preorders \mathsf{Q} to \mathsf{P}, as there is no way to simulate the transition \mathsf{Q} \xrightarrow{τ} \mathsf{q_{ab}} from \mathsf{P}, for lack of a successor that allows both \mathsf{a} and \mathsf{b} as \mathsf{q_{ab}} does. (We will later discuss how to capture such differences more formally.)

Thus, \mathsf{Q} \not\preceq_\mathrm{S} \mathsf{P}, and \mathsf{P} \nsim_\mathrm{S} \mathsf{Q}. Moreover, there cannot be a symmetric simulation, \mathsf{P} \nsim_\mathrm{B} \mathsf{Q}.

Proposition 2.2 The simulation preorder \preceq_\mathrm{S} is indeed a preorder, and \sim_\mathrm{S} and \sim_\mathrm{B} are equivalences.

Examples 2.4 and 2.5 show that trace equivalence does not imply similarity or bisimilarity. Still, the notions are connected.

2.2.3 Equivalence Hierarchies

Bisimilarity, similarity, and trace equivalence form a small hierarchy of equivalences in the sense that they imply one another in one direction, but not in the other. Let us quickly make this formal:

Figure 2.4: Core hierarchy of equivalences.

Lemma 2.1 The relation \sim_\mathrm{B} is itself a symmetric simulation.

Corollary 2.1 If p \sim_\mathrm{B} q, then p \sim_\mathrm{S} q.

Lemma 2.2 If p \preceq_\mathrm{S} q, then p \preceq_\mathrm{T} q. (Consequently, p \sim_\mathrm{S} q also implies p \sim_\mathrm{T} q.)

We have also seen with the examples above that this hierarchy is strict between trace and simulation preorder, in the sense that there exist p, q with p \preceq_\mathrm{T} q but not p \preceq_\mathrm{S} q. The hierarchy is also strict between similarity and bisimilarity, as the following example shows.

Example 2.6 (Trolled philosophers) Let us extend \mathsf{Q} of Example 2.3 to include a troll process that might consume the \mathsf{fork} and then do nothing: \mathsf{T} ≔ (\overline{\mathsf{fork}} \mid \mathsf{fork} \mid \mathsf{fork}\ldotp\! ( \mathsf{a} + \mathsf{b} )) \mathbin{\backslash}\{\mathsf{fork}\}. This adds another deadlock state to the transition system, seen in Figure 2.5.

Figure 2.5: Example with new deadlock q3\mathsf{q_3}.

To similarity, this change is invisible, that is, \mathsf{Q} \sim_\mathrm{S} \mathsf{T}. (Reason: The relation \{(\mathsf{Q}, \mathsf{T}), (\mathsf{T}, \mathsf{Q}), (\mathsf{q_3}, \mathsf{q_{ab}})\} \cup \mathrm{id}_{\{\mathsf{q_{ab}}, \mathsf{q_1}, \mathsf{q_2}, \mathsf{q_3}\}} is a simulation.)

However, to bisimilarity, \mathsf{T} \xrightarrow{τ} \mathsf{q_3} constitutes a difference. There cannot be a symmetric simulation handling this transition, as \mathsf{Q} has no deadlocked successors. Thus \mathsf{Q} \nsim_\mathrm{B} \mathsf{T}.

The equivalences we have discussed so far can also be understood as abstractions of an even finer equivalence, namely graph isomorphism:

Definition 2.8 (Graph Isomorphism) A bijective function f \colon \mathcal{P} \to \mathcal{P} is called a graph isomorphism on a transition system if, for all p, p', α, the transition p \xrightarrow{α} p' exists if and only if the transition f(p) \xrightarrow{α} f(p') exists.

Two states p and q are considered graph-isomorphism-equivalent, p \sim_\mathrm{ISO} q, iff there is a graph isomorphism f with f(p) = q.

Example 2.7 Consider the transition system in Figure 2.6. \mathsf{p_{even}} \sim_\mathrm{ISO} \mathsf{p_{odd}} because f ≔ \{\mathsf{p_{even}} \mapsto \mathsf{p_{odd}}, \mathsf{p_{odd}} \mapsto \mathsf{p_{even}}\} is a graph isomorphism.

Figure 2.6: Transition system with an isomorphic cycle.

Lemma 2.3 The relation \sim_\mathrm{ISO} is itself a symmetric simulation, and thus p \sim_\mathrm{ISO} q implies p \sim_\mathrm{B} q.

Once again, the hierarchy is strict, because bisimilarity is less restricted in the matching of equivalent states.

Example 2.8 Consider the processes \mathsf{P_1} ≔ (\overline{\mathsf{fork}} \mid \mathsf{fork}) \mathbin{\backslash}\{\mathsf{fork}\} and \mathsf{P_2} ≔ (\overline{\mathsf{fork}} \mid \mathsf{fork} \mid \mathsf{fork}) \mathbin{\backslash}\{\mathsf{fork}\}. \mathsf{P_1} can transition to (\mathbf{0} \mid \mathbf{0}) \mathbin{\backslash}\{\mathsf{fork}\}, while \mathsf{P_2} has two options, namely (\mathbf{0} \mid \mathbf{0} \mid \mathsf{fork}) \mathbin{\backslash}\{\mathsf{fork}\} and (\mathbf{0} \mid \mathsf{fork} \mid \mathbf{0}) \mathbin{\backslash}\{\mathsf{fork}\}. All three reachable processes are deadlocks and thus isomorphic. But \mathsf{P_1} \nsim_\mathrm{ISO} \mathsf{P_2} because no bijection can connect the one successor of \mathsf{P_1} and the two of \mathsf{P_2}. However, \mathsf{P_1} \sim_\mathrm{B} \mathsf{P_2}, as bisimilarity is more relaxed.

Graph isomorphism is the strongest equivalence we have discussed so far. But stronger need not be better.

2.2.4 Congruences

One of the prime quality criteria for behavioral equivalences is whether they form congruences with respect to fitting semantics or other important transformations. A congruence relates mathematical objects that can stand in for one-another in certain contexts, which, for instance, allows term rewriting. The concept is closely linked to another core notion of mathematics: monotonicity.

Definition 2.9 (Monotonicity and Congruence) An n-ary function f \colon B_1 \times \dots \times B_n \to C is called monotonic with respect to a family of partial orders (B_k, \leq_k) and (C, \leq) iff, for all b \in B_1 \times \dots \times B_n and b' \in B_1 \times \dots \times B_n, it is the case that b_k \leq_k b'_k for all k \leq n implies f(b) \leq f(b'). We will usually encounter settings where all components use the same order, (B_1, \leq_1) = \cdots = (B_n, \leq_n) = (C, \leq).

The relation \leq is then referred to as a precongruence for f. If \leq moreover is symmetric (and thus an equivalence relation), then \leq is called a congruence for f.

Example 2.9 (Parity as Congruence) As a standard example of a congruence, consider the equivalence relation of equally odd numbers {\sim_\mathsf{odd}} := \{(m,n) \in \mathbb{N} \times \mathbb{N} \mid m \bmod 2 = n \bmod 2\}. For instance, 1 \sim_\mathsf{odd} 3 and 0 \sim_\mathsf{odd} 42, but not 42 \sim_\mathsf{odd} 23.

\sim_\mathsf{odd} is a congruence for addition and multiplication. For instance, the sum of two odd numbers will always be even; the product of two odd numbers will always be odd.

But \sim_\mathsf{odd} is no congruence for integer division. For instance, 2 \sim_\mathsf{odd} 4, but 2 / 2 = 1 \not\sim_\mathsf{odd} 2 = 4 / 2.
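A quick sanity check of the parity example (an illustrative snippet, not part of the text): the congruence property for + and * holds on a sample of related pairs, while the division counterexample goes through.

```python
# m ~odd n iff m and n have the same parity.
def odd_eq(m, n):
    return m % 2 == n % 2

# Pairs of ~odd-related numbers; congruence demands that applying + or *
# componentwise to related arguments yields related results.
pairs = [(1, 3), (0, 42), (2, 4), (5, 7)]
for (a, a2) in pairs:
    for (b, b2) in pairs:
        assert odd_eq(a + b, a2 + b2)
        assert odd_eq(a * b, a2 * b2)

# Counterexample for integer division: 2 ~odd 4, but 2 // 2 = 1, 4 // 2 = 2.
assert odd_eq(2, 4) and not odd_eq(2 // 2, 4 // 2)
```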

Proposition 2.3 Trace equivalence and bisimilarity on the CCS transition system (Definition 2.3) are congruences for the operators of CCS (Definition 2.2).

25  For a generic proof of the congruence properties of trace equivalence, bisimilarity, and most other notions of the equivalence spectrum, see Gazda et al.

The nice thing about congruences is that we can use them to calculate with terms, as is common in mathematics.

Graph isomorphism fails to be a congruence for CCS operators. For instance, consider \mathsf{a}\ldotp\! (\mathbf{0} \mid \mathbf{0}) \sim_\mathrm{ISO} \mathsf{a}\ldotp\! \mathbf{0}, but \mathsf{a}\ldotp\! \mathbf{0} + \mathsf{a}\ldotp\! (\mathbf{0} \mid \mathbf{0}) \nsim_\mathrm{ISO} \mathsf{a}\ldotp\!\mathbf{0} + \mathsf{a}\ldotp\!\mathbf{0} \sim_\mathrm{ISO} \mathsf{a}\ldotp\! \mathbf{0}.

2.2.5 Quotient Systems and Minimizations

One of the prime applications of behavioral equivalences is to battle the state space explosion problem: The transition systems of parallel processes quickly grow in size, usually exponentially with regard to the number of communication participants. But many of the states tend to be equivalent in behavior, and can be treated as one with their equals. This minimization hugely increases the size of models that can be handled in algorithms.

Example 2.10 (Trolled philosophers, minimized) In Example 2.6 of “trolled philosophers,” all terminal states are bisimilar, \mathsf{q_1} \sim_\mathrm{B} \mathsf{q_2} \sim_\mathrm{B} \mathsf{q_3}. We can thus merge them into one state \mathsf{q_{123}^m}, as depicted in Figure 2.7, without affecting the behavioral properties of the other states with respect to bisimilarity, that is, \mathsf{q_{ab}} \sim_\mathrm{B} \mathsf{q_{ab}^m} and \mathsf{T} \sim_\mathrm{B} \mathsf{T^m}.

Figure 2.7: Minimized version of Figure 2.5.

Definition 2.10 Given an equivalence relation \sim on states and a transition system \mathcal{S} = (\mathcal{P}, \mathit{Act}, \xrightarrow{}), the equivalence class of p \in \mathcal{P} is defined as [p]_{\sim} := \{p' \in \mathcal{P} \mid p \sim p'\}.

The quotient system is defined as \mathcal{S} / {\sim} := (\mathcal{P} / {\sim}, \mathit{Act}, \xrightarrow{}_{\sim}), where \mathcal{P} / {\sim} is the set of equivalence classes \{[p]_\sim \mid p \in \mathcal{P}\}, and P \xrightarrow{α}_{\sim} P' iff there are p \in P and p' \in P' such that p \xrightarrow{α} p'.
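The definition is easy to instantiate on a finite system. The following sketch (illustrative; the class names follow Example 2.10, with `q123` as a stand-in for the merged state \mathsf{q_{123}^m}) maps each state to its bisimilarity class and lifts the transitions:

```python
# Transitions of the trolled-philosophers system (Example 2.6).
trans = {
    ("T", "tau", "q_ab"), ("T", "tau", "q_3"),
    ("q_ab", "a", "q_1"), ("q_ab", "b", "q_2"),
}
# Bisimilarity classes: the three deadlocks q_1, q_2, q_3 collapse into one.
classes = {"T": "T", "q_ab": "q_ab", "q_1": "q123", "q_2": "q123", "q_3": "q123"}

# Quotient transitions: [p] --a--> [p'] iff p --a--> p' for some representatives.
quotient = {(classes[p], a, classes[q]) for (p, a, q) in trans}

assert quotient == {
    ("T", "tau", "q_ab"), ("T", "tau", "q123"),
    ("q_ab", "a", "q123"), ("q_ab", "b", "q123"),
}
```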

Proposition 2.4 On the combined system of $\mathcal{S}$ and $\mathcal{S}/{\sim_\mathrm{B}^{\mathcal{S}}}$, states and their derived classes are bisimilar, $p \sim_\mathrm{B} [p]_{\sim_\mathrm{B}^{\mathcal{S}}}$.

The same reasoning does not apply to graph isomorphism: In , the terminal states might be graph-isomorphic, but merging them changes the number of states and thus prevents isomorphism between $\mathsf{T}$ and $\mathsf{T^m}$.

Together with the issue of congruence, we have now seen two reasons why graph isomorphism does not allow the kind of handling we hope for in behavioral equivalences. Thus, the following will focus on bisimilarity and coarser equivalences. The next section will visit a deeper, philosophical reason why bisimilarity is a reasonable limit to the properties one might care about when comparing processes.

2.3 Modal Logic

Modal logics are logics in which one can formalize how facts in one possible world relate to other possible worlds. In the computer science interpretation, the possible worlds are program states, and typical statements have the form: “If $X$ happens during the execution, then $Y$ will happen in the next step.”

We care about modal logics as they too can be used to characterize behavioral equivalences. In this section, we will show how this characterization works and argue that, for our purposes of comparative semantics, modal characterizations are a superb medium.

2.3.1 Hennessy–Milner Logic to Express Observations

Hennessy & Milner () introduce the modal logic now commonly called Hennessy–Milner logic as a “little language for talking about programs.” The idea is that HML formulas express “experiments” or “tests” that an observer performs while interacting with a program.

Definition 2.11 (Hennessy–Milner Logic) Formulas of Hennessy–Milner logic HML\mathsf{HML} are given by the grammar:

$$\begin{array}{rcllr}
φ & \;::=\; & \langle α \rangle φ & \quad\text{with } α ∈ \mathit{Act} & \text{“observation”} \\
  & \;\mid\; & \textstyle\bigwedge_{i \in I} φ_i & \quad\text{with index set } I & \text{“conjunction”} \\
  & \;\mid\; & \neg φ & & \text{“negation”}
\end{array}$$

We also write conjunctions as sets $\bigwedge \{φ_1, φ_2, …\}$. The empty conjunction $\bigwedge \varnothing$ is denoted by $\top$ and serves as the nil-element of HML syntax trees. We usually omit trailing $\top$s when writing down formulas, e.g., shortening $\langle \mathsf{a} \rangle\langle \mathsf{b} \rangle\top$ to $\langle \mathsf{a} \rangle\langle \mathsf{b} \rangle$.

We will assume a form of associativity through the convention that conjunctions are flat in the sense that they do not immediately contain other conjunctions. In this sense, we consider $\bigwedge \{ φ_1, \bigwedge \{φ_2\} \}$ and $\bigwedge \{ φ_1, \bigwedge \{φ_2\}, \top \}$ just as different representatives of the flattened formula $\bigwedge \{φ_1, φ_2\}$.

The intuition behind HML is that it describes what sequences of behavior one may or may not observe of a system. Observations $\langle α \rangle …$ build up possible action sequences; conjunctions $\bigwedge \{…\}$ capture branching points in decision trees; and negations $\neg …$ describe impossibilities.

Definition 2.12 (HML semantics) The semantics of HML, $\llbracket \cdot \rrbracket \colon \mathsf{HML} → 2^{\mathcal{P}}$, is defined recursively by:

$$\begin{array}{rcl}
\llbracket \langle α \rangle φ \rrbracket & := & \{p \mid \exists p' ∈ \llbracket φ \rrbracket \ldotp p \xrightarrow{α} p'\}\\
\llbracket \textstyle\bigwedge_{i \in I} φ_i \rrbracket & := & \bigcap_{i ∈ I} \llbracket φ_i \rrbracket\\
\llbracket \neg φ \rrbracket & := & \mathcal{P} \setminus \llbracket φ \rrbracket
\end{array}$$
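For finite systems, these three clauses translate directly into a recursive evaluator. The tuple encoding of formulas and the small example system in the test below are assumptions for illustration, not notation from the thesis.

```python
TOP = ("and", [])  # the empty conjunction, i.e. the formula "true"

def hml_eval(phi, states, trans):
    """Return the set of states satisfying phi, following the recursive
    semantics clauses: observation, conjunction, negation."""
    kind = phi[0]
    if kind == "obs":                      # <a> phi'
        _, a, sub = phi
        sat = hml_eval(sub, states, trans)
        return {p for p in states
                if any(p1 == p and b == a and p2 in sat
                       for (p1, b, p2) in trans)}
    if kind == "and":                      # /\_{i in I} phi_i
        _, subs = phi
        result = set(states)               # empty conjunction holds everywhere
        for sub in subs:
            result &= hml_eval(sub, states, trans)
        return result
    if kind == "neg":                      # ~phi'
        _, sub = phi
        return set(states) - hml_eval(sub, states, trans)
    raise ValueError(f"unknown constructor {kind!r}")
```

On a system shaped like the running $\mathsf{P}$/$\mathsf{Q}$ example, $\langle τ \rangle\bigwedge\{\langle \mathsf{a} \rangle, \langle \mathsf{b} \rangle\}$ is satisfied only by the $\mathsf{Q}$-like state and $\langle τ \rangle\neg\langle \mathsf{a} \rangle$ only by the $\mathsf{P}$-like one.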

Example 2.11 Let us consider some observations on the system of .

  • $\llbracket \langle τ \rangle\langle \mathsf{a} \rangle \rrbracket = \{\mathsf{P}, \mathsf{Q}\}$, as both $\mathsf{P}$ and $\mathsf{Q}$ expose the trace $τ\mathsf{a}$;
  • $\mathsf{Q} ∈ \llbracket \langle τ \rangle\bigwedge \{\langle \mathsf{a} \rangle, \langle \mathsf{b} \rangle\} \rrbracket$, but $\mathsf{P} \notin \llbracket \langle τ \rangle\bigwedge \{\langle \mathsf{a} \rangle, \langle \mathsf{b} \rangle\} \rrbracket$;
  • $\mathsf{P} ∈ \llbracket \langle τ \rangle\neg\langle \mathsf{a} \rangle \rrbracket$, but $\mathsf{Q} \notin \llbracket \langle τ \rangle\neg\langle \mathsf{a} \rangle \rrbracket$.

2.3.2 Characterizing Bisimilarity via HML

We can now add the middle layer of our overview graphic in : That two states are bisimilar precisely if they cannot be told apart using HML formulas.

Definition 2.13 (Distinctions and Equivalences) We say that formula $φ ∈ \mathsf{HML}$ distinguishes state $p$ from state $q$ if $p ∈ \llbracket φ \rrbracket$ but $q \notin \llbracket φ \rrbracket$.

We say a sublogic $\mathcal{O} ⊆ \mathsf{HML}$ preorders state $p$ to $q$, written $p \preceq_{\mathcal{O}} q$, if no $φ ∈ \mathcal{O}$ distinguishes $p$ from $q$. If the preordering holds in both directions, we say that $p$ and $q$ are equivalent with respect to sublogic $\mathcal{O}$, written $p \sim_{\mathcal{O}} q$.

By this account, $\langle τ \rangle\neg\langle \mathsf{a} \rangle$ of  distinguishes $\mathsf{P}$ from $\mathsf{Q}$. On the other hand, $\langle τ \rangle\bigwedge \{\langle \mathsf{a} \rangle, \langle \mathsf{b} \rangle\}$ distinguishes $\mathsf{Q}$ from $\mathsf{P}$. (The direction matters!) For instance, the sublogic $\{\langle τ \rangle\langle \mathsf{a} \rangle, \langle τ \rangle\langle \mathsf{b} \rangle\}$ preorders $\mathsf{P}$ and $\mathsf{Q}$ in both directions; so the two states are equivalent with respect to this logic.

Proposition 2.5 Consider an arbitrary HML sublogic $\mathcal{O} ⊆ \mathsf{HML}$. Then, $\preceq_{\mathcal{O}}$ is a preorder, and $\sim_{\mathcal{O}}$ an equivalence relation.

Lemma 2.4 Hennessy–Milner logic equivalence $\sim_{\mathsf{HML}}$ is a simulation relation.

Proof. Assume it were not. Then there would need to be $p \sim_{\mathsf{HML}} q$ with a step $p \xrightarrow{α} p'$, but no $q'$ such that $q \xrightarrow{α} q'$ and $p' \sim_{\mathsf{HML}} q'$. So there would need to be a distinguishing formula $φ_{q'}$ for each $q'$ that $q$ can reach by an $α$-step. Consider the formula $φ_α := \langle α \rangle\bigwedge_{q' \in \operatorname{Der}(q, α)} φ_{q'}$. It must be true for $p$ (witnessed by $p'$) and false for $q$, contradicting $p \sim_{\mathsf{HML}} q$.

Lemma 2.5 (HML Bisimulation Invariance) If $p ∈ \llbracket φ \rrbracket$ and $p \sim_\mathrm{B} q$, then $q ∈ \llbracket φ \rrbracket$.

Proof. Induct over the structure of $φ$ with arbitrary $p$ and $q$.

  • Case $p ∈ \llbracket \langle α \rangle φ \rrbracket$. Thus there is $p' ∈ \llbracket φ \rrbracket$ with $p \xrightarrow{α} p'$. Because $\sim_\mathrm{B}$ is a simulation according to , there is some $q'$ with $q \xrightarrow{α} q'$ and $p' \sim_\mathrm{B} q'$. The induction hypothesis makes $p' ∈ \llbracket φ \rrbracket$ entail $q' ∈ \llbracket φ \rrbracket$ and thus $q ∈ \llbracket \langle α \rangle φ \rrbracket$.
  • Case $p ∈ \llbracket \bigwedge_{i \in I} φ_i \rrbracket$. The induction hypothesis on the $φ_i$ directly leads to $q ∈ \llbracket \bigwedge_{i \in I} φ_i \rrbracket$.
  • Case $p ∈ \llbracket \neg φ \rrbracket$. Symmetry of $\sim_\mathrm{B}$ according to  implies $q \sim_\mathrm{B} p$. By induction hypothesis, $q ∈ \llbracket φ \rrbracket$ would imply $p ∈ \llbracket φ \rrbracket$. So, by contraposition, the case implies $q ∈ \llbracket \neg φ \rrbracket$.

Combining the bisimulation invariance for one direction and the fact that $\sim_{\mathsf{HML}}$ is a symmetric simulation ( and ) for the other, we obtain that $\mathsf{HML}$ precisely characterizes bisimilarity:

Theorem 2.1 (Hennessy–Milner Theorem) Bisimilarity and HML equivalence coincide, that is, $p \sim_\mathrm{B} q$ precisely if $p \sim_{\mathsf{HML}} q$.

Remark 2.2. The standard presentation of the theorem assumes image finiteness of the transition system, meaning that $\operatorname{Der}(p, α)$ is finite for every $p ∈ \mathcal{P}$. The number of outgoing transitions matters precisely in the construction of $φ_α$ in the proof of . But as our definition of $\mathsf{HML}$ () allows infinite conjunctions $\bigwedge_{i \in I} …$, we need no such assumption here. The implicit assumption is that the cardinality of index sets $I$ can match that of $\operatorname{Der}(p, α)$. The original proof by Hennessy & Milner () uses binary conjunction ($φ_1 \land φ_2$) and thus can only express finite conjunctions.

2.3.3 The Perks of Modal Characterizations

There is merit in also characterizing other equivalences through sublogics $\mathcal{O} \subseteq \mathsf{HML}$. Modal characterization brings four immediate advantages:

Firstly, modal characterizations lead to proper preorders and equivalences by design due to . That is, if a behavioral preorder (or equivalence) is defined through modal logics, there is no need to prove transitivity and reflexivity (and symmetry).

Secondly, checking state equivalence for notions given as $\mathsf{HML}$-sublogics can soundly be reduced to checks on bisimulation-minimized systems, as the transformation does not affect the sets of observations for minimized states (by combining  and ).

Thirdly, modal characterizations can directly unveil the hierarchy between preorders, if defined cleverly, because of the following property.

Proposition 2.6 If $\mathcal{O} \subseteq \mathcal{O}'$, then $p \preceq_{\mathcal{O}'} q$ implies $p \preceq_{\mathcal{O}} q$ for all $p, q$.

Pay attention to the opposing directions of $\subseteq$ and implication here!

Fourthly, as a corollary of , modal characterizations ensure equivalences to be abstractions of bisimilarity, which is a sensible base notion of equivalence.

36  Among other things, bisimilarity checking has a better time complexity than other notions as will be discussed in Subsection .

In Chapter , we will discuss how the hierarchy of behavioral equivalences can be understood nicely and uniformly if viewed through the modal lens.

2.3.4 Expressiveness and Distinctiveness

is actually a weaker version of another proposition, about the distinctiveness of logics.

Definition 2.14 We say that an $\mathit{Act}$-observation language $\mathcal{O}$ is less or equal in expressiveness to another $\mathcal{O}'$ iff, for any $\mathit{Act}$-transition system and each $φ ∈ \mathcal{O}$, there is a $φ' ∈ \mathcal{O}'$ such that $\llbracket φ \rrbracket = \llbracket φ' \rrbracket$. (The definition can also be read with regard to a fixed transition system $\mathcal{S}$.) If the inclusion holds in both directions, $\mathcal{O}$ and $\mathcal{O}'$ are equally expressive.

Definition 2.15 We say that an $\mathit{Act}$-observation language $\mathcal{O}$ is less or equal in distinctiveness to another $\mathcal{O}'$ iff, for any $\mathit{Act}$-transition system and states $p$ and $q$, for each $φ ∈ \mathcal{O}$ that distinguishes $p$ from $q$, there is a $φ' ∈ \mathcal{O}'$ that distinguishes $p$ from $q$. If the inclusion holds in both directions, $\mathcal{O}$ and $\mathcal{O}'$ are equally distinctive.

Lemma 2.6 Subset relationship entails expressiveness, and expressiveness entails distinctiveness.

  • If $\mathcal{O} ⊆ \mathcal{O}'$, then $\mathcal{O}$ is less or equal in expressiveness to $\mathcal{O}'$.
  • If $\mathcal{O}$ is less or equal in expressiveness to $\mathcal{O}'$, then $\mathcal{O}$ is less or equal in distinctiveness to $\mathcal{O}'$.

The other direction does not hold. For instance, $\mathsf{HML} ⊈ \mathsf{HML} \setminus \{\top\}$, but the two are equally expressive, as $\neg\neg\top$ can cover for the removed element. At the same time, $\{\top\}$ is more expressive than $\varnothing$, but equally distinctive.

The stronger version of is thus:

Proposition 2.7 If $\mathcal{O}$ is less or equal in distinctiveness to $\mathcal{O}'$, then $p \preceq_{\mathcal{O}'} q$ implies $p \preceq_{\mathcal{O}} q$ for all $p, q$.

Remark 2.3. Through the lens of expressiveness, we can also justify why our convention of implicitly flattening conjunctions is sound: As flattening does not change a conjunction’s truth value, $\mathsf{HML}$ subsets with and without the flattening convention are equally expressive and thus equally distinctive.

Often, an equivalence may be characterized by different sublogics. In particular, one may find smaller characterizations as in the following example for bisimilarity.

Definition 2.16 Consider $\mathcal{O}_{\mathrm{\lfloor B \rfloor}} \subseteq \mathsf{HML}$ described by the following grammar:

$$\begin{array}{rcl}
φ^{\mathrm{\lfloor B \rfloor}} & \;::=\; & \langle α \rangle \textstyle\bigwedge_{i \in I} φ^{\mathrm{\lfloor B \rfloor}}_i \\
& \;\mid\; & \neg φ^{\mathrm{\lfloor B \rfloor}}
\end{array}$$

$\mathcal{O}_{\mathrm{\lfloor B \rfloor}}$ is a proper subset of $\mathsf{HML}$. For instance, it lacks the observation $\langle \mathsf{a} \rangle \langle \mathsf{b} \rangle \top$. Due to the subset relation, $\mathcal{O}_{\mathrm{\lfloor B \rfloor}}$ must be less or equal in expressiveness to $\mathsf{HML}$, but this inclusion too is strict, as $\top$ cannot be covered for. But both logics are equally distinctive!

Lemma 2.7 $\mathcal{O}_{\mathrm{\lfloor B \rfloor}}$ and $\mathsf{HML}$ are equally distinctive.

Proof. One direction is immediate from , as $\mathcal{O}_{\mathrm{\lfloor B \rfloor}} \subseteq \mathsf{HML}$.

For the other direction, we need to establish that for each $φ ∈ \mathsf{HML}$ distinguishing some $p$ from some $q$, there is a $φ' ∈ \mathcal{O}_{\mathrm{\lfloor B \rfloor}}$ distinguishing $p$ from $q$. We induct on the structure of $φ$ with arbitrary $p$ and $q$.

  • Case $\langle α \rangle φ$ distinguishes $p$ from $q$. Thus there is $p'$ with $p \xrightarrow{α} p'$ such that $φ$ distinguishes $p'$ from all $q' ∈ \operatorname{Der}(q, α)$. By induction hypothesis, there must be $φ'_{q'} ∈ \mathcal{O}_{\mathrm{\lfloor B \rfloor}}$ distinguishing $p'$ from $q'$ for each $q'$. Thus $\langle α \rangle\bigwedge_{q' \in \operatorname{Der}(q, α)} φ'_{q'} ∈ \mathcal{O}_{\mathrm{\lfloor B \rfloor}}$ distinguishes $p$ from $q$.
  • Case $\bigwedge_{i \in I} φ_i$ distinguishes $p$ from $q$. Therefore some $φ_i$ already distinguishes $p$ from $q$. By induction hypothesis, there must be a $φ'_i ∈ \mathcal{O}_{\mathrm{\lfloor B \rfloor}}$ that distinguishes $p$ from $q$.
  • Case $\neg φ$ distinguishes $p$ from $q$. Thus $φ$ distinguishes $q$ from $p$. By induction hypothesis, there is $φ' ∈ \mathcal{O}_{\mathrm{\lfloor B \rfloor}}$ distinguishing $q$ from $p$. Accordingly, $\neg φ' ∈ \mathcal{O}_{\mathrm{\lfloor B \rfloor}}$ distinguishes $p$ from $q$.
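The induction in this proof is effectively an algorithm: given a distinguishing HML formula, it computes an equally distinguishing formula of the restricted grammar. The following Python sketch mirrors the three cases; the tuple encoding of formulas and the satisfaction checker `sat` (a direct reading of the HML semantics) are assumptions for illustration.

```python
TOP = ("and", [])  # empty conjunction

def sat(phi, p, states, trans):
    """Check p |= phi following the recursive HML semantics."""
    k = phi[0]
    if k == "obs":                                          # <a> phi'
        return any(p1 == p and a == phi[1]
                   and sat(phi[2], p2, states, trans)
                   for (p1, a, p2) in trans)
    if k == "and":                                          # /\ phi_i
        return all(sat(sub, p, states, trans) for sub in phi[1])
    return not sat(phi[1], p, states, trans)                # "neg"

def to_bisim_logic(phi, p, q, states, trans):
    """Assuming phi distinguishes p from q, return a distinguishing
    formula of the restricted shape <a> /\ ...  |  ~ ..."""
    k = phi[0]
    if k == "obs":
        a, sub = phi[1], phi[2]
        # pick a successor p' witnessing <a>sub at p
        p2 = next(t[2] for t in trans
                  if t[0] == p and t[1] == a
                  and sat(sub, t[2], states, trans))
        ders = [t[2] for t in trans if t[0] == q and t[1] == a]  # Der(q, a)
        return ("obs", a, ("and", [to_bisim_logic(sub, p2, q2, states, trans)
                                   for q2 in ders]))
    if k == "and":
        # some conjunct already distinguishes p from q
        sub = next(s for s in phi[1] if not sat(s, q, states, trans))
        return to_bisim_logic(sub, p, q, states, trans)
    # "neg": the subformula distinguishes q from p; swap and negate
    return ("neg", to_bisim_logic(phi[1], q, p, states, trans))
```

For instance, $\langle \mathsf{a} \rangle\langle \mathsf{b} \rangle\top$ distinguishing a state with an $\mathsf{ab}$-trace from one without yields $\langle \mathsf{a} \rangle\bigwedge\{\langle \mathsf{b} \rangle\bigwedge\varnothing\}$, which lies in the restricted grammar.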

The smaller bisimulation logic $\mathcal{O}_{\mathrm{\lfloor B \rfloor}}$ will become important again in the next section (in Subsection ).

2.4 Games

So far, we have only seen behavioral equivalences and modal formulas as mathematical objects and not cared about decision procedures. This section introduces game-theoretic characterizations as a way of easily providing decision procedures for equivalences and logics alike. Intuitively, the games can be understood as dialogs between a party that tries to defend a claim and a party that tries to attack it.

2.4.1 Reachability Games

We use Gale–Stewart-style reachability games (in the tradition of ) where the defender wins all infinite plays.

Definition 2.17 (Reachability Game) A reachability game $\mathcal{G} = (G, G_{\mathrm{d}}, \mathrel{\smash{›\!\!\frac{\;\enspace\;}{}\!\!›}})$ is played on a directed graph consisting of

  • a set of game positions $G$, partitioned into
    • defender positions $G_{\mathrm{d}} ⊆ G$
    • and attacker positions $G_{\mathrm{a}} := G \setminus G_{\mathrm{d}}$,
  • and a set of game moves ${\mathrel{\smash{›\!\!\frac{\;\enspace\;}{}\!\!›}}} ⊆ G × G$.

We denote by $\mathcal{G}(g_0)$ the game played from starting position $g_0 ∈ G$.

Definition 2.18 (Plays and Wins) We call the paths $g_0 g_1 … ∈ G^{\infty}$ with $g_i \mathrel{\smash{›\!\!\frac{\;\enspace\;}{}\!\!›}} g_{i+1}$ plays of $\mathcal{G}(g_0)$. They may be finite or infinite. The defender wins infinite plays. If a finite play $g_0 \dots g_n$ is stuck, the stuck player loses: The defender wins if $g_n ∈ G_{\mathrm{a}}$, and the attacker wins if $g_n ∈ G_{\mathrm{d}}$.

Usually, games are non-deterministic, that is, players have choices in how a play proceeds at their positions. The players’ choices are formalized by strategies:

Definition 2.19 (Strategies and Winning Strategies) An attacker strategy is a (partial) function mapping play fragments ending at attacker positions to next positions to move to, $s_{\mathrm{a}} \colon G^* G_{\mathrm{a}} \to G$, where $g_{\mathrm{a}} \mathrel{\smash{›\!\!\frac{\;\enspace\;}{}\!\!›}} s_{\mathrm{a}}(\rho g_{\mathrm{a}})$ must hold for all $\rho g_{\mathrm{a}}$ where $s_{\mathrm{a}}$ is defined.

A play $g_0 g_1 … ∈ G^{\infty}$ is consistent with an attacker strategy $s_{\mathrm{a}}$ if, for all its prefixes $g_0 … g_i$ ending in $g_i \in G_{\mathrm{a}}$, we have $g_{i+1} = s_{\mathrm{a}}(g_0 … g_i)$.

Defender strategies are defined analogously, $s_{\mathrm{d}} \colon G^* G_{\mathrm{d}} \to G$.

If $s$ ensures a player’s win, $s$ is called a winning strategy for this player. The player with a winning strategy for $\mathcal{G}(g_0)$ is said to win $\mathcal{G}(g_0)$.

Usually, we will focus on positional strategies, that is, strategies that only depend on the most recent position, which we will type $s_{\mathrm{a}} \colon G_{\mathrm{a}} \to G$ (or $s_{\mathrm{d}} \colon G_{\mathrm{d}} \to G$, respectively).

We call the positions where a player has a winning strategy their winning region.

Definition 2.20 (Winning Region) The set $\mathsf{Win}_\mathrm{a} ⊆ G$ of all positions $g$ where the attacker wins $\mathcal{G}(g)$ is called the attacker winning region of $\mathcal{G}$. The defender winning region $\mathsf{Win}_\mathrm{d}$ is defined analogously.

Example 2.12 (A Simple Choice) Inspect the game in , where round nodes represent defender positions and rectangular ones attacker positions. Its valid plays starting from $(\mathsf{1})$ are $(\mathsf{1})$, $(\mathsf{1})[\mathsf{2a}]$, $(\mathsf{1})[\mathsf{2b}]$, and $(\mathsf{1})[\mathsf{2a}](\mathsf{3})$. The defender can win from $(\mathsf{1})$ with a strategy moving to $[\mathsf{2b}]$, where the attacker is stuck. Moving to $[\mathsf{2a}]$ instead would get the defender stuck. So, the defender winning region is $\mathsf{Win}_\mathrm{d} = \{(\mathsf{1}), [\mathsf{2b}]\}$, and the attacker wins $\mathsf{Win}_\mathrm{a} = \{[\mathsf{2a}], (\mathsf{3})\}$.

Figure 2.8: A simple game.

The games we consider are positionally determined. This means that, for each possible initial position, exactly one of the two players has a positional winning strategy.

Proposition 2.8 (Determinacy) Reachability games are positionally determined, that is, each game position has exactly one winner, $G = \mathsf{Win}_\mathrm{a} \cup \mathsf{Win}_\mathrm{d}$ and $\mathsf{Win}_\mathrm{a} \cap \mathsf{Win}_\mathrm{d} = \varnothing$, and the winner can win using a positional strategy.

44  This is just an instantiation of the positional determinacy of parity games (). Reachability games are the subclass of parity games colored only by 0.
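For finite games, the attacker winning region can moreover be computed as a least fixed point: the attacker wins wherever they can move into the region, and at defender positions from which every move (vacuously, also no move at all) leads into it. A Python sketch, with the dictionary encoding of the move relation being an assumption for illustration:

```python
def attacker_wins(positions, defender_pos, moves):
    """Least-fixed-point computation of the attacker winning region.

    positions:    iterable of all game positions
    defender_pos: set of defender-controlled positions
    moves:        dict mapping a position to its successor positions
    """
    win_a = set()
    changed = True
    while changed:
        changed = False
        for g in positions:
            if g in win_a:
                continue
            succs = moves.get(g, [])
            if g in defender_pos:
                # defender must be forced into win_a; a stuck defender
                # loses, as all([]) is True
                won = all(s in win_a for s in succs)
            else:
                # attacker needs one good move; a stuck attacker loses
                won = any(s in win_a for s in succs)
            if won:
                win_a.add(g)
                changed = True
    return win_a
```

Encoding the simple-choice game above by hand (round positions $(\mathsf{1})$ and $(\mathsf{3})$ as defender positions) returns exactly $\{[\mathsf{2a}], (\mathsf{3})\}$, matching the example; positions never added to the region, including all positions on infinite plays, are won by the defender.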

We care about reachability games because they are versatile in characterizing formal relations. Everyday inductive (and coinductive) definitions can easily be encoded as games as in the following example.

Example 2.13 (The $\leq$-Game) Consider the following recursive definition of a less-or-equal operator on natural numbers in some functional programming language. (Consider nat to be defined as the recursive data type nat = 0 | Succ nat.)

    ( 0 ≤ m )     = True
(Succ n ≤ 0 )     = False
(Succ n ≤ Succ m) = (n ≤ m)

We can think of this recursion as a game where the attacker tries to prove that the left number is bigger than the right by always decrementing the left number and challenging the defender to do the same on the right. Whoever hits zero first loses.

This means we distribute the roles such that the defender wins for output True and the attacker for output False. The two base cases need to be dead ends for one of the players.

Formally, the game $\mathcal{G}_\mathsf{leq}$ consists of attacker positions $[n, m]$ and defender positions $(n, m)$ for all $n, m \in \mathbb{N}$, connected by chains of moves:
$$\begin{array}{rcl}
[n + 1, m] & \mathrel{\smash{›\!\!\frac{\;\enspace\;}{}\!\!›}}_\mathsf{leq} & (n, m) \\
(n, m + 1) & \mathrel{\smash{›\!\!\frac{\;\enspace\;}{}\!\!›}}_\mathsf{leq} & [n, m].
\end{array}$$
$\mathcal{G}_\mathsf{leq}$ now characterizes $\leq$ on $\mathbb{N}$ in the sense that the defender wins $\mathcal{G}_\mathsf{leq}$ from $[n, m]$ precisely if $n \leq m$. (Proof: Induct over $n$ with arbitrary $m$.)

The game is boring because the players never have any choices. They just count down their way through the natural numbers till they hit $[0, m - n]$ if $n \leq m$, or $(n - m - 1, 0)$ otherwise.
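Since neither player ever has a choice, the unique play can be simulated by a plain loop. A minimal Python sketch, with the encoding being illustrative only:

```python
def leq_game_winner(n, m):
    """Simulate the unique play of the leq-game from attacker position [n, m]."""
    attacker_to_move = True
    while True:
        if attacker_to_move:
            if n == 0:          # [0, m] has no move: the attacker is stuck
                return "defender"
            n -= 1              # move [n+1, m] >- (n, m)
        else:
            if m == 0:          # (n, 0) has no move: the defender is stuck
                return "attacker"
            m -= 1              # move (n, m+1) >- [n, m]
        attacker_to_move = not attacker_to_move
```

The defender wins from $[n, m]$ exactly when $n \leq m$, in line with the characterization above.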

$\mathcal{G}_\mathsf{leq}$ is quite archetypical of the preorder and equivalence games we will use in the following pages. But do not worry: the following games will demand that the players make choices.

2.4.2 The Semantic Game of HML

As a first bigger example of how recursive definitions can be turned into games, let us quickly look at a standard way of characterizing the semantics of HML () through a game. The defender wins precisely if the game starts from a state and a formula such that the state satisfies the formula.

Definition 2.21 (HML Game) For a transition system $\mathcal{S} = (\mathcal{P}, \mathit{Act}, \rightarrow)$, the $\mathsf{HML}$ game ${\mathcal{G}}_\mathsf{HML}^{\mathcal{S}} = (G_\mathsf{HML}, G_{\mathrm{d}}, \mathrel{\smash{›\!\!\frac{\;\enspace\;}{}\!\!›}}_\mathsf{HML})$ is played on $G_\mathsf{HML} = \mathcal{P} × \mathsf{HML}$, where the defender controls observations and negated conjunctions, that is, $(p, \langle α \rangle φ) ∈ G_{\mathrm{d}}$ and $(p, \neg\bigwedge_{i \in I} φ_i) ∈ G_{\mathrm{d}}$ (for all $φ, p, I$), and the attacker controls the rest.

  • The defender can perform the moves:
$$\begin{array}{rclr}
(p, \langle α \rangle φ) & \mathrel{\smash{›\!\!\frac{\;\enspace\;}{}\!\!›}}_\mathsf{HML} & (p', φ) & \text{if } p \xrightarrow{α} p', \text{ and} \\
(p, \neg\textstyle\bigwedge_{i \in I} φ_i) & \mathrel{\smash{›\!\!\frac{\;\enspace\;}{}\!\!›}}_\mathsf{HML} & (p, \neg φ_i) & \text{with } i ∈ I;
\end{array}$$
  • and the attacker can move:
$$\begin{array}{rclr}
(p, \neg\langle α \rangle φ) & \mathrel{\smash{›\!\!\frac{\;\enspace\;}{}\!\!›}}_\mathsf{HML} & (p', \neg φ) & \text{if } p \xrightarrow{α} p', \text{ and} \\
(p, \textstyle\bigwedge_{i \in I} φ_i) & \mathrel{\smash{›\!\!\frac{\;\enspace\;}{}\!\!›}}_\mathsf{HML} & (p, φ_i) & \text{with } i ∈ I, \text{ and} \\
(p, \neg\neg φ) & \mathrel{\smash{›\!\!\frac{\;\enspace\;}{}\!\!›}}_\mathsf{HML} & (p, φ). &
\end{array}$$

The intuition is that disjunctive constructs ($\langle \cdot \rangle \cdots$, $\neg\bigwedge \cdots$) make it easier for a formula to be true and thus are controlled by the defender, who may choose whichever way of showing truth is most convenient. At conjunctive constructs ($\neg\langle \cdot \rangle \cdots$, $\bigwedge \cdots$), the attacker chooses the option that is easiest to disprove.

Example 2.14 The game of  is exactly the HML game ${\mathcal{G}}_\mathsf{HML}^{\mathcal{S}_\mathsf{PQ}}$ for formula $\langle τ \rangle\neg\langle \mathsf{a} \rangle\top$ and state $\mathsf{P}$ of , with $(\mathsf{1}) := (\mathsf{P}, \langle τ \rangle\neg\langle \mathsf{a} \rangle\top)$, $[\mathsf{2a}] := (\mathsf{p_a}, \neg\langle \mathsf{a} \rangle\top)$, $[\mathsf{2b}] := (\mathsf{p_b}, \neg\langle \mathsf{a} \rangle\top)$, and $(\mathsf{3}) := (\mathsf{p_1}, \neg\top)$.

The defender winning region $\mathsf{Win}_\mathrm{d} = \{(\mathsf{P}, \langle τ \rangle\neg\langle \mathsf{a} \rangle\top), (\mathsf{p_b}, \neg\langle \mathsf{a} \rangle\top)\}$ corresponds to the facts that $\mathsf{P} \in \llbracket \langle τ \rangle\neg\langle \mathsf{a} \rangle\top \rrbracket$ and $\mathsf{p_b} \in \llbracket \neg\langle \mathsf{a} \rangle\top \rrbracket$.

As the technicalities are tangential to this thesis, we state the characterization result without proof:

45  A detailed presentation of a more general HML game, also extending to recursive HML, can be found in Wortmann et al. ().

Lemma 2.8 The defender wins ${\mathcal{G}}_\mathsf{HML}^{\mathcal{S}}((p, φ))$ precisely if $p ∈ \llbracket φ \rrbracket$.

2.4.3 The Bisimulation Game

We can now add the bottom layer of : that bisimilarity can be characterized through a game where the defender wins precisely if the game starts on a pair of bisimilar states. This approach has been popularized by Stirling ().

Definition 2.22 (Bisimulation Game) For a transition system $\mathcal{S}$, the bisimulation game ${\mathcal{G}}_\mathrm{B}^{\mathcal{S}}$ is played on attack positions $G^\mathrm{B}_{\mathrm{a}} := \mathcal{P} × \mathcal{P}$ and defense positions $G^\mathrm{B}_{\mathrm{d}} := \mathit{Act} × \mathcal{P} × \mathcal{P}$ with the following moves:

  • The attacker may swap sides $[p, q] \mathrel{\smash{›\!\!\frac{\;\enspace\;}{}\!\!›}}_\mathrm{B} [q, p]$,
  • or challenge simulation $[p, q] \mathrel{\smash{›\!\!\frac{\;\enspace\;}{}\!\!›}}_\mathrm{B} (α, p', q)$ if $p \xrightarrow{α} p'$;
  • and the defender answers simulation challenges $(α, p', q) \mathrel{\smash{›\!\!\frac{\;\enspace\;}{}\!\!›}}_\mathrm{B} [p', q']$ if $q \xrightarrow{α} q'$.

A schematic depiction of the game rules can be seen in . From dashed nodes, the game proceeds analogously to the initial attacker position.

Figure 2.9: Game scheme of the bisimulation game ().

Example 2.15 Consider $\mathsf{p_{even}} \sim_\mathrm{B} \mathsf{p_{odd}}$ of . The bisimulation game on this system is given by :

Figure 2.10: Bisimulation game under $\mathsf{p_{even}}, \mathsf{p_{odd}}$. Moves are annotated with the game rules from which they derive.

Clearly, there is no way for the attacker to get the defender stuck. Whatever strategy the attacker chooses, the game will go on forever, leading to a win for the defender. That it is always safe for the defender to answer with moves to $[\mathsf{p_{even}}, \mathsf{p_{odd}}]$ and $[\mathsf{p_{odd}}, \mathsf{p_{even}}]$ corresponds to $\mathcal{R} := \{(\mathsf{p_{even}}, \mathsf{p_{odd}}), (\mathsf{p_{odd}}, \mathsf{p_{even}})\}$ being a bisimulation.

Example 2.16 Let us recall  of the “trolled philosophers,” where we determined $\mathsf{Q}$ and $\mathsf{T}$ to be non-bisimilar. The bisimulation game graph for the system is depicted in .

The attacker can win by moving $[\mathsf{Q}, \mathsf{T}] \mathrel{\smash{›\!\!\frac{\;\enspace\;}{}\!\!›}}_\mathrm{B} [\mathsf{T}, \mathsf{Q}] \mathrel{\smash{›\!\!\frac{\;\enspace\;}{}\!\!›}}_\mathrm{B} (τ, \mathsf{q_3}, \mathsf{Q}) \mathrel{\smash{›\!\!\frac{\;\enspace\;}{}\!\!›}}_\mathrm{B} [\mathsf{q_3}, \mathsf{q_{AB}}] \mathrel{\smash{›\!\!\frac{\;\enspace\;}{}\!\!›}}_\mathrm{B} [\mathsf{q_{AB}}, \mathsf{q_3}] \mathrel{\smash{›\!\!\frac{\;\enspace\;}{}\!\!›}}_\mathrm{B} (\mathsf{a}, \mathsf{q_1}, \mathsf{q_3}) \mathrel{\smash{{›/\!\!\!\!\frac{\;\enspace\;}{\;}\!\!›}}}_\mathrm{B}$. Along this sequence of positions, the defender never has a choice and is stuck in the end. The attacker exploits that $\mathsf{T}$ can reach an early deadlock via $\mathsf{T} \xrightarrow{τ} \mathsf{q_3}$.

Figure 2.11: Bisimulation game on non-bisimilar states $\mathsf{Q}$ and $\mathsf{T}$ of . Moves are labeled by their justification. Defender-won positions are tinted blue.

Theorem 2.2 (Stirling’s Game Characterization) The defender wins the bisimulation game ${\mathcal{G}}_\mathrm{B}^{\mathcal{S}}$ starting at attacker position $[p, q]$ precisely if $p \sim_\mathrm{B} q$.

Proof. Sketch for both directions:

  • If $\mathcal{R}$ is a symmetric simulation with $(p, q) ∈ \mathcal{R}$, then the following positional defender strategy is well-defined and winning from $[p, q]$: $s(α, p', q) := [p', \operatorname{choose} q' \ldotp (p', q') ∈ \mathcal{R} \land q \xrightarrow{α} q']$.
  • If there is a positional defender strategy $s$ winning from $[p_0, q_0]$, then the following relation $\mathcal{R}_s$ with $(p_0, q_0) ∈ \mathcal{R}_s$ is a symmetric simulation: $\mathcal{R}_s := \{(p, q) \mid \text{there is a play } (p_0, q_0), \dots, [p, q] \text{ following strategy } s\}$.
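Together with a fixed-point computation of attacker winning regions for reachability games, the game rules yield a decision procedure for bisimilarity on finite systems. A self-contained Python sketch; the tuple encodings of positions and transitions are assumptions for illustration.

```python
from itertools import product

def bisimilar(states, actions, trans, p0, q0):
    """Decide p0 ~B q0 by solving the bisimulation game.

    states:  finite set of states; actions: set of labels
    trans:   set of transitions (p, a, p')
    """
    # attacker positions [p, q] and defender positions (a, p', q)
    moves = {}
    for p, q in product(states, states):
        succ = [("att", q, p)]                        # swap sides
        succ += [("def", a, p2, q)                    # challenge simulation
                 for (p1, a, p2) in trans if p1 == p]
        moves[("att", p, q)] = succ
    for a, (p2, q) in product(actions, product(states, states)):
        moves[("def", a, p2, q)] = [("att", p2, q2)   # answer the challenge
                                    for (q1, b, q2) in trans
                                    if q1 == q and b == a]
    # least fixed point: attacker winning region
    win_a, changed = set(), True
    while changed:
        changed = False
        for g, succ in moves.items():
            if g in win_a:
                continue
            if g[0] == "att":
                won = any(s in win_a for s in succ)   # attacker picks a move
            else:
                won = all(s in win_a for s in succ)   # stuck defender loses
            if won:
                win_a.add(g)
                changed = True
    # infinite plays never enter win_a and are won by the defender
    return ("att", p0, q0) not in win_a
```

On a two-state $\mathsf{a}$-cycle the defender survives forever, while a state that can deadlock after one step is caught by a simulation challenge, mirroring the two examples above.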

Remark 2.4. One of the big advantages of game characterizations is that they provide a way to discuss equivalence and inequivalence interactively among humans. There also are several computer game implementations of bisimulation games.

For instance, Peacock () implements a game about simulation and bisimulation as well as several weaker notions. The human plays the attacker trying to point out the inequivalence of systems according to the rules of . shows a screenshot of said game. It can be played on https://www.concurrency-theory.org/rvg-game/.

Example 2.17 If one plays the bisimulation game of  without the swapping moves, it will characterize the simulation preorder.

Consider the family of processes $\mathsf{N}_n$ with $n \in \mathbb{N}$. Define $\mathsf{N}_0 := \mathbf{0}$ and $\mathsf{N}_{n+1} := \mathsf{a}\ldotp \mathsf{N}_n$. Then, the simulation game played from $[\mathsf{N}_n, \mathsf{N}_m]$ is isomorphic to the $\leq$-game $\mathcal{G}_\mathsf{leq}$ from .

In this sense, comparisons of programs and of numbers are … comparable.

2.4.4 How Bisimulation Game and HML Are Connected

Let us pause to think how bisimulation game and Hennessy–Milner logic connect.

You might have wondered why we even need a dedicated bisimulation game. The Hennessy–Milner theorem implies that we could directly use the HML game of to decide bisimilarity:

Definition 2.23 (Naive Bisimulation Game) We extend the by the following prefix:

  1. To challenge [p,q], the attacker picks a formula φ ∈ \mathsf{HML} (claiming that φ distinguishes the states) and yields to the defender (φ, p, q).
  2. The defender decides where to start the HML game:
    1. Either at (p, \neg φ) (claiming φ to be non-distinguishing because it is untrue for p),
    2. or at (q, φ) (claiming φ to be non-distinguishing because it is true for q).
  3. After that, the turns proceed as prescribed by .

This naive game, too, has the property that the defender wins from [p,q] iff p \sim_\mathrm{B} q. The downside of the game is that the attacker has infinitely many options φ ∈ \mathsf{HML} to pick from!

The proper bisimulation game of , on the other hand, is finite for finite transition systems. Therefore, it induces decision procedures.

We will now argue that the bisimulation game actually is a variant of the naive game, where (1) the attacker names their formula gradually, and (2) the formulas stem from \mathcal{O}^{}_{\mathrm{\lfloor B \rfloor}} \subseteq \mathsf{HML} of . To this end, we will show that attacker’s winning strategies imply distinguishing formulas, and that a distinguishing formula from \mathcal{O}^{}_{\mathrm{\lfloor B \rfloor}} certifies the existence of winning attacker strategies.

Example 2.18 Let us illustrate how to derive distinguishing formulas using the game of .

Recall that the attacker wins by moving [\mathsf{Q}, \mathsf{T}] \rightarrowtail_\mathrm{B} [\mathsf{T}, \mathsf{Q}] \rightarrowtail_\mathrm{B} (\tau, \mathsf{q_3}, \mathsf{Q}) \rightarrowtail_\mathrm{B} [\mathsf{q_3}, \mathsf{q_{AB}}] \rightarrowtail_\mathrm{B} [\mathsf{q_{AB}}, \mathsf{q_3}] \rightarrowtail_\mathrm{B} (\mathsf{a}, \mathsf{q_1}, \mathsf{q_3}) \not\rightarrowtail_\mathrm{B}. In , we label the game nodes with the (sub-)formulas this strategy corresponds to. Swap moves become negations, and simulation moves become observations with a conjunction of formulas for each defender option. This attacker strategy can thus be expressed by \neg\langle \tau \rangle\textstyle\bigwedge \{\neg\langle \mathsf{a} \rangle\top\} \in \mathcal{O}^{}_{\mathrm{\lfloor B \rfloor}}.

Figure 2.13: The bisimulation game of with attacker formulas.

More generally, the following lemma explains the construction of distinguishing formulas from attacker strategies:

Lemma 2.9 Let s be a positional winning strategy for the attacker on {\mathcal{G}}_\mathrm{B} from [p,q]. Construct formulas φ_{s}(g) recursively from game positions as follows: φ_{s}([p,q]) ≔ \begin{cases} \neg φ_{s}([q,p]) & \text{if } s([p,q]) = [q,p] \\ \langle \alpha \rangle \textstyle\bigwedge \{ φ_{s}([p',q']) \mid q \xrightarrow{\alpha} q' \} & \text{if } s([p,q]) = (\alpha,p',q) \end{cases} Then φ_{s}([p,q]) is well-defined and distinguishes p from q. Also, φ_{s}([p,q]) ∈ \mathcal{O}^{}_{\mathrm{\lfloor B \rfloor}}.

Proof.

  1. The given construction is well-defined as s must induce a well-founded order on game positions for the attacker to win, and the recursive invocations remain within the attacker’s winning strategy.

  2. The distinction can be derived by induction on the construction of φ_{s}([p,q]): Assume for p',q' appearing in recursive invocations of the definition of φ_{s} that φ_{s}([p', q']) distinguishes them and that φ_{s}([p', q']) ∈ \mathcal{O}^{}_{\mathrm{\lfloor B \rfloor}}. We have to show that the constructions in φ_{s} still fulfill this property:

    • As φ_{s}([p',q']) distinguishes p' from q', its negation \neg φ_{s}([p',q']) must distinguish q' from p' by the HML semantics. Moreover, the grammar of is closed under negation.
    • For \langle \alpha \rangle \textstyle\bigwedge \{ φ_{s}([p',q']) \mid q \xrightarrow{\alpha} q' \} to distinguish p from q, there must be p \xrightarrow{\alpha} p^* \in \llbracket \textstyle\bigwedge \{ φ_{s}([p',q']) \mid q \xrightarrow{\alpha} q' \} \rrbracket, and for all q^* with q \xrightarrow{\alpha} q^* it must be that q^* \notin \llbracket \textstyle\bigwedge \{ φ_{s}([p',q']) \mid q \xrightarrow{\alpha} q' \} \rrbracket. We choose p^* = p', because, as s is an attacker winning strategy, s([p, q]) = (\alpha, p', q) is a valid move with p \xrightarrow{\alpha} p'. Also, all q' the defender may select in answers remain in the winning domain of the attacker, and we may use the induction hypothesis that q' \notin \llbracket φ_{s}([p',q']) \rrbracket. Therefore, for each q^* there is a false conjunct with q' = q^* in \textstyle\bigwedge \{ φ_{s}([p',q']) \mid q \xrightarrow{\alpha} q' \} that proves q^* \notin \llbracket \textstyle\bigwedge \{ φ_{s}([p',q']) \mid q \xrightarrow{\alpha} q' \} \rrbracket.
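This construction can be executed mechanically. The following Python sketch (all names are ours) obtains a positional attacker strategy by recording, for each pair won in the least-fixed-point computation, the justifying move, and then derives φ_s as a string — writing `~` for negation, `<a>` for observation, and `T` for the empty conjunction:

```python
def winning_strategy(lts):
    """Attacker winning region of the bisimulation game, as a map from
    won pairs (p, q) to the justifying move: ('swap',) or ('obs', a, p2).
    Every justification points to pairs recorded earlier, so the
    recursion in phi below is well-founded."""
    strat = {}
    changed = True
    while changed:
        changed = False
        for p in lts:
            for q in lts:
                if (p, q) in strat:
                    continue
                if (q, p) in strat:  # swap move into a won pair
                    strat[(p, q)] = ('swap',)
                    changed = True
                    continue
                for (a, p2) in lts.get(p, []):  # simulation challenge
                    answers = [q2 for (b, q2) in lts.get(q, []) if b == a]
                    if all((p2, q2) in strat for q2 in answers):
                        strat[(p, q)] = ('obs', a, p2)
                        changed = True
                        break
    return strat

def phi(lts, strat, p, q):
    """The distinguishing formula phi_s([p, q]) of the lemma:
    swaps become negations, observations become <a> with one
    conjunct per defender answer."""
    move = strat[(p, q)]
    if move[0] == 'swap':
        return '~' + phi(lts, strat, q, p)
    _, a, p2 = move
    answers = [q2 for (b, q2) in lts.get(q, []) if b == a]
    conj = ' & '.join(phi(lts, strat, p2, q2) for q2 in answers)
    return f'<{a}>({conj or "T"})'

# a.(b + c) vs. a.b + a.c
lts = {
    'p': [('a', 'p1')], 'p1': [('b', '0'), ('c', '0')],
    'q': [('a', 'q1'), ('a', 'q2')], 'q1': [('b', '0')], 'q2': [('c', '0')],
    '0': [],
}
strat = winning_strategy(lts)
```

For this pair of processes, `phi(lts, strat, 'p', 'q')` yields `<a>(<c>(T) & <b>(T))`, one conjunct per defender answer, and the converse direction is obtained by a swap, i.e., an outer negation.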

Lemma 2.10 If φ ∈ \mathcal{O}^{}_{\mathrm{\lfloor B \rfloor}} distinguishes p from q, then the attacker wins from [p,q].

Proof. By induction on the derivation of φ ∈ \mathcal{O}^{}_{\mathrm{\lfloor B \rfloor}} according to the definition from with arbitrary p and q.

  • Case φ = \langle α \rangle \textstyle\bigwedge_{i \in I} φ_i. As φ distinguishes p from q, there must be a p' such that p \xrightarrow{α} p' and that \textstyle\bigwedge_{i \in I} φ_i distinguishes p' from every q' \in \operatorname{Der}(q, α). That is, for each q' \in \operatorname{Der}(q, α), at least one φ_i \in \mathcal{O}^{}_{\mathrm{\lfloor B \rfloor}} must be false at q'. By induction hypothesis, the attacker thus wins each [p',q']. As these attacker positions encompass all successors of (α, p', q), the attacker also wins this defender position and can win from [p,q] by moving there with a simulation challenge.
  • Case φ = \neg φ'. As φ distinguishes p from q, φ' distinguishes q from p. By induction hypothesis, the attacker wins [q, p]. So they can also win [p, q] by performing a swap.

and , together with the fact that \mathcal{O}^{}_{\mathrm{\lfloor B \rfloor}} and \mathsf{HML} are equally distinctive (), yield:

Theorem 2.3 The attacker wins {\mathcal{G}}_\mathrm{B} from [p,q] precisely if there is a φ ∈ \mathsf{HML} distinguishing p from q.

Of course, we already knew this! is just another way of gluing together the Hennessy–Milner theorem on bisimulation () and Stirling’s bisimulation game characterization (), modulo the determinacy of games. We thus have added the last arrow on the right side of .

2.4.5 Deciding Reachability Games

All we need to turn a game characterization into a decision procedure is a way to decide which player wins a position. describes how to compute who wins a finite reachability game for each position in time linear in the size of the game graph \left|\rightarrowtail\right|.

\begin{array}{l}
\operatorname{\mathbf{def}}\; \mathtt{compute\_winning\_region}(\mathcal{G}=(G,G_{\mathrm{d}},\rightarrowtail)) \colon \\
\quad \mathtt{defender\_options} := [g \mapsto n \mid g \in G \land n = \left|\{g' \mid g \rightarrowtail g'\}\right|] \\
\quad \mathtt{attacker\_win} := \varnothing \\
\quad \mathtt{todo} := \{g\in G_{\mathrm{d}}\mid \mathtt{defender\_options}[g]=0\} \\
\quad \operatorname{\mathbf{while}}\; \mathtt{todo} \neq \varnothing \colon \\
\quad\quad \mathtt{g} := \operatorname{\mathbf{some}}\; \mathtt{todo} \\
\quad\quad \mathtt{todo} := \mathtt{todo} \mathbin{\backslash} \{\mathtt{g}\} \\
\quad\quad \operatorname{\mathbf{if}}\; \mathtt{g} \notin \mathtt{attacker\_win} \colon \\
\quad\quad\quad \mathtt{attacker\_win} := \mathtt{attacker\_win} \cup \{\mathtt{g}\} \\
\quad\quad\quad \operatorname{\mathbf{for}}\; \mathtt{g_{p}} \in (\cdot \rightarrowtail \mathtt{g}) \colon \\
\quad\quad\quad\quad \mathtt{defender\_options}[\mathtt{g_{p}}] := \mathtt{defender\_options}[\mathtt{g_{p}}]-1 \\
\quad\quad\quad\quad \operatorname{\mathbf{if}}\; \mathtt{g_{p}} \in G_{\mathrm{a}} \lor \mathtt{defender\_options}[\mathtt{g_{p}}]=0 \colon \\
\quad\quad\quad\quad\quad \mathtt{todo} := \mathtt{todo} \cup \{\mathtt{g_{p}}\} \\
\quad \mathsf{Win}_\mathrm{a} := \mathtt{attacker\_win} \\
\quad \operatorname{\mathbf{return}}\; \mathsf{Win}_\mathrm{a} \\
\end{array}

Algorithm 2.1: Algorithm for deciding the attacker winning region \mathsf{Win}_\mathrm{a} of a reachability game \mathcal{G} in time linear in \left|\rightarrowtail\right| and space linear in \left|G\right|.

Intuitively, \mathtt{compute\_winning\_region} first assumes that the defender wins everywhere and that each outgoing move of every position might be a winning option for the defender. Over time, every position that is determined to be lost by the defender is added to a \mathtt{todo} list.

50  Variants of this algorithm and explanation have also been used in Bisping () and Bisping et al. ().

At first, the defender loses immediately exactly at the defender’s dead-ends. Each defender-lost position is added to the \mathtt{attacker\_win} set. To propagate this information, each predecessor is noted as defender-lost if it is attacker-controlled; if the predecessor is defender-controlled, its count of remaining defender options is decremented instead. Once the count of a predecessor position hits 0, the defender also loses from there.

Once we run out of \mathtt{todo} positions, we know that the attacker has winning strategies exactly for the positions we have visited.
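A direct Python rendering of the algorithm may look as follows (the data layout is ours: `moves` maps each position to its list of successors, and the defender wins infinite plays):

```python
from collections import deque

def compute_winning_region(positions, defender_positions, moves):
    """Attacker winning region of a finite reachability game, in time
    linear in the number of moves: defender dead-ends seed the todo
    list, and losses propagate backwards along precomputed
    predecessor lists."""
    preds = {g: [] for g in positions}
    for g in positions:
        for g2 in moves.get(g, []):
            preds[g2].append(g)
    defender_options = {g: len(moves.get(g, [])) for g in positions}
    attacker_win = set()
    todo = deque(g for g in defender_positions if defender_options[g] == 0)
    while todo:
        g = todo.popleft()
        if g in attacker_win:
            continue
        attacker_win.add(g)
        for gp in preds[g]:
            defender_options[gp] -= 1
            # attacker predecessors win by moving to g; defender
            # predecessors lose once all their options are exhausted
            if gp not in defender_positions or defender_options[gp] == 0:
                todo.append(gp)
    return attacker_win

# hypothetical example game: a1 reaches the defender dead-end d2;
# d1 can escape to the attacker dead-end a3; a4/d4 form a cycle
# that the defender wins by playing forever.
positions = {'a1', 'a3', 'd1', 'd2', 'a4', 'd4'}
defender_positions = {'d1', 'd2', 'd4'}
moves = {'a1': ['d2'], 'd1': ['a1', 'a3'], 'a4': ['d4'], 'd4': ['a4']}
```

On this game, the computed region is `{'d2', 'a1'}`: the attacker wins the defender dead-end and its attacker predecessor, while the defender holds d1 (escaping to a3) and the infinite cycle.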

The following lists how computes the winning region \mathsf{Win}_\mathrm{a} = \{[\mathsf{2a}], (\mathsf{3})\} of the game of .

Table 2.1: Solving the game of
\mathtt{g} | \mathtt{defender\_options} | \mathtt{todo}
– | (\mathsf{1}) \mapsto 2, (\mathsf{3}) \mapsto 0 | (\mathsf{3})
(\mathsf{3}) | (\mathsf{1}) \mapsto 2, (\mathsf{3}) \mapsto 0 | [\mathsf{2a}]
[\mathsf{2a}] | (\mathsf{1}) \mapsto 1, (\mathsf{3}) \mapsto 0 | \varnothing

The inner loop of clearly can run at most \left|\rightarrowtail\right|-many times. Using sufficiently clever data structures, the algorithm thus shows:

Proposition 2.9 Given a finite reachability game \mathcal{G}=(G,G_{\mathrm{d}},\rightarrowtail), the attacker’s winning region \mathsf{Win}_\mathrm{a} (and \mathsf{Win}_\mathrm{d} as well) can be computed in O(\left|\rightarrowtail\right|) time and O(\left|G\right|) space.

2.5 Discussion

This chapter has taken a tour of characterizations for standard notions of behavioral preorder and equivalence on transition systems such as trace equivalence and bisimilarity.

In particular, in constructing the relationships of for bisimilarity, we have collected the theoretical ingredients for a certifying algorithm to check bisimilarity of states.

Figure 2.14: Checking bisimilarity and providing certificates.

describes how to not only answer the question whether two states p and q are bisimilar, but how to also either provide a bisimulation relation or a distinguishing formula for the two as certificates for the answer. (The arrows stand for computations, the boxes for data.)

In this view, the game of possible distinctions and their preventability between attacker and defender serves as the “ground truth” about the bisimilarity of two states. Bisimulation relations and modal formulas only appear as witnesses of defender and attacker strategies, mediating between game and transition system. The Hennessy–Milner theorem emerges on this level as a shadow of the determinacy of the bisimulation game (). This whole framework draws heavily from Stirling ().

We have disregarded the topic of axiomatic characterizations for behavioral equivalences. In these, sets of equations on process algebra terms (such as \textsf{CCS}) define behavioral congruences. Thus, they tend to be coupled to specific process languages and lack the genericity we pursue in starting out from transition systems.

We have observed that behavioral equivalences can be arranged in hierarchies and that these hierarchies could be handled nicely using modal characterizations to rank distinguishing powers (Subsection ). We have also seen how to link game rules to productions in a language of potentially distinguishing formulas (Subsection ). This departs from common textbook presentations that motivate the bisimulation game through the relational (coinductive) characterization (e.g. ). In later chapters, we will rather derive equivalence games from grammars of modal formulas (), to generalize the framework of for whole spectra of equivalences.

But first, we have to make formal what we mean by equivalence spectra.