Weak Concurrent Kleene Algebra with Application to Algebraic Verification

Annabelle McIver¹, Tahiry Rabehaja¹, Georg Struth²

¹ Department of Computing, Macquarie University, Sydney, Australia. Email: {annabelle.mciver,tahiry.rabehaja}@mq.edu.au
² Department of Computer Science, University of Sheffield, United Kingdom. Email: [email protected]

arXiv:1301.7153v1 [cs.FL] 30 Jan 2013

Abstract

We propose a generalisation of concurrent Kleene algebra [5] that can take account of probabilistic effects in the presence of concurrency. The algebra is proved sound with respect to a model of automata modulo a variant of rooted η-simulation equivalence. Applicability is demonstrated by algebraic treatments of two examples: algebraic may testing and Rabin's solution to the choice coordination problem.

1 Introduction

Kleene algebra generalises the language of regular expressions and, as a basis for reasoning about programs and computing systems, it has been used in applications ranging from compiler optimisation, program refinement, combinatorial optimisation and algorithm design [2, 6, 7, 8, 10]. A number of variants of the original axiom system and language of Kleene algebra have extended its range of applicability to include probability [12], the most recent being the introduction of a concurrency operator [5]. The main benefits of the algebraic approach are that it captures some essential aspects of computing systems in a simple and concise way and that the calculational style of reasoning it supports is very suitable for automated theorem proving.

In this paper we continue this line of work and propose weak concurrent Kleene algebra, which extends the abstract probabilistic Kleene algebra [12] with the concurrency operator of concurrent Kleene algebra [5] and thus supports reasoning about concurrency in a context of probabilistic effects. This extension calls for a careful evaluation of the axiom system so that it accurately accounts for the interactions of probabilistic choice, nondeterministic choice and the treatment of concurrency. For example, probabilistic Kleene algebra accounts for the presence of probability in the failure of the original distributive law x(y+z) = xy+xz, which is also absent in most process algebras. That is because when the terms x, y, z are interpreted as probabilistic programs, with xy meaning "first execute x and then y" and + interpreted as a nondeterministic choice, the expression on the left-hand side exhibits a greater range of nondeterminism than the right in the case that x includes probabilistic behaviours. For example, if x is interpreted as a program which flips a bit with probability 1/2 then the nondeterministic choice in y+z can always be resolved so that y is executed if and only if the bit was indeed flipped. This is not a behaviour amongst those described by xy+xz, where the nondeterminism is resolved before the bit is flipped and therefore its resolution is unavoidably independent of the flipping. Instead, in contexts such as these, distributivity must be replaced by a weaker law:

Sub-distributivity: xy+xz ≤ x(y+z). (1)

Elsewhere [9] we show that this weakening of the original axioms of Kleene algebra results in a complete system relative to a model of nondeterministic automata modulo simulation equivalence.

The behaviour of the concurrency operator of concurrent Kleene algebra [5] is captured in particular by the interchange law

(x‖y)(u‖v) ≤ (xu)‖(yv),

which expresses that there is a lesser range of nondeterministic executions on the left where, for example, the execution of u is constrained to follow a complete execution of x run concurrently with y, but on the right it is not.

Our first contribution is the construction of a concrete model of abstract probabilistic automata (where the probability is at the action level) over which to interpret terms composed of traditional Kleene algebra together with concurrent composition. In this interpretation, each term represents an automaton. For example in Equation (1), x, y and z are automata and so is xy+xz. We show that the axiom system of concurrent Kleene algebra weakened to allow for the presence of probability is sound with respect to those probabilistic automata. Our use of probabilistic automata is similar to models where the resolution of probability and nondeterminism can be interleaved; concurrent composition of automata models CSP synchronisation [4] in that context. Finally we use a notion of rooted η-simulation to interpret the inequality ≤ used in algebraic inequations.

Our second contribution is to explore some applications of our axiomatisation of weak concurrent Kleene algebra, to explain our definition of rooted η-simulation in terms of may testing [14], and to demonstrate the proof system on Rabin's distributed consensus protocol [15].

One of the outcomes of this study is to expose the tensions between the various aspects of system execution. Some of the original concurrent Kleene algebra axioms [5] required for the concurrency operator now fail to be satisfiable in the presence of probabilistic effects and synchronisation supported by the interchange law. For example, the term 1 from Kleene algebra (interpreted as "do nothing") can no longer be a neutral element for the concurrency operator ‖: we only have the specific equality 1‖1 = 1 and not the more general 1‖x = x. In fact we chose to preserve the full interchange law in our choice of axioms because it captures so many notions of concurrency already, including exact parallel and synchronisation, suggesting that it is a property about general concurrent interactions.

A feature of our approach is to concentrate on broad algebraic structures in order to understand how various behaviours interact rather than to study precise quantitative behaviours. Thus we do not include an explicit probabilistic choice operator in the signature of the algebra: probability occurs explicitly only in the concrete model as a special kind of asynchronous probabilistic action combined with internal events (events that the environment cannot access). This allows the specification of complex concurrent behaviour to be simplified using applications of weak distributivity embodied by Equation (1) and/or the interchange law, as illustrated by our case study. Finally we note that the axiomatisation we give is entirely in terms of first-order expressions and therefore is supported by first-order reasoning. Thus all of our algebraic proofs have been implemented within the Isabelle/HOL theorem proving environment. These proofs can be found in a repository of formalised algebraic structures.¹

In Section 2 we set out the axiomatisation of weak concurrent Kleene algebra. Sections 3 and 4 are devoted to showing the consistency of our approach: a concrete model based on automata and η-simulation is constructed. In Section 5, we compare our approach with probabilistic automata (automata that exhibit explicit probability) and probabilistic simulation. We conclude that, up to some constraint, the concrete model is a very special case of that more general model. In Sections 6 and 7, we present some applications; in particular an algebraic version of may testing is studied and variations of the specification of Rabin's protocol are explored.

In this paper x, y, etc. represent algebraic expressions or variables. Terms are denoted s, t, etc. Letters a, b, etc. stand for actions and τ represents an internal action. An automaton associated with a term or an expression is usually denoted by the same letter. Other notation is introduced as we need it.

In this extended abstract we can only explain the main properties of weak concurrent Kleene algebra and sketch the construction of the automaton model. Detailed constructions and proofs of all statements in this paper can be found in an appendix.

2 Axiomatisation

A Kleene algebra is a structure that encodes algebraically the sequential behaviour of a system. It is generally presented in the form of an idempotent² semiring structure (K,+,·,0,1) where x·y (sequential composition) is sometimes written using juxtaposition xy in expressions. The term 0 is the neutral element of + and 1 is the neutral element of ·. The semiring is then endowed with a unary Kleene star ∗ representing finite iteration to form a Kleene algebra. This operator is restricted by the following axioms:

Left unfold: 1 + xx∗ = x∗, (2)
Left induction: xy ≤ y ⇒ x∗y ≤ y, (3)

where x ≤ y if and only if x+y = y. In the sequel our interpretations will be over a version of probabilistic automata. In particular we will interpret ≤ and = as η-simulations.

Often the duals of (2)-(3), i.e. 1 + x∗x = x∗ and yx ≤ y ⇒ yx∗ ≤ y, are also required. However, (2) and (3) are sufficient here and the dual laws follow from continuity of sequential composition for finite automata.

In a Kleene algebra, the semiring structure supports two distributivity laws:

Left distributivity: xy+xz = x(y+z), (4)
Right distributivity: (x+y)z = xz+yz. (5)

Equation (4) however is not valid in the presence of probability. For example, compare the behaviour of probabilistic choice in the two diagrams below. Here flip_p denotes the process that flips a p-biased coin, which we can represent by a probabilistic automaton (details are given in Section 3).

[Diagram. Left: a nondeterministic choice between two branches, each performing flip_p before continuing with x or y respectively. Right: a single flip_p followed by a choice between x and y.]

In the right diagram the choice between the two branches can be based on the outcome of the coin flip, but such a resolution is not possible in the left-hand diagram. We express the greater range of possible outcomes by the general inequation (1); specifically, here it becomes

(flip_p)y + (flip_p)z ≤ (flip_p)(y+z).³ (6)

As mentioned above, the zero of a Kleene algebra satisfies:

Left annihilation: 0x = 0, (7)
Right annihilation: x0 = 0. (8)

In our interpretation that includes concurrency, we assume that 0 captures deadlock. However, axiom (8) is no longer appropriate because we should be able to differentiate between a process doing an action and then deadlocking and a process that is just deadlocked.

Definition 1. A weak probabilistic Kleene algebra is a structure (K,+,·,∗,0,1) that satisfies the axioms of Kleene algebra except that there is no left distributivity (it is replaced by (1)) and Equation (8) does not hold in general.

A concurrency operator was added to Kleene algebra by Hoare et al. [5]. Our concurrency operator ‖ satisfies the following standard axioms:

Associativity: x‖(y‖z) = (x‖y)‖z, (9)
Commutativity: x‖y = y‖x, (10)
One-idempotence: 1‖1 = 1. (11)

In [5], ‖ satisfies the identity 1‖x = x, which we do not have here because in the concrete model we will interpret ‖ as the synchronisation operator found in CSP [4].

¹ http://staffwww.dcs.shef.ac.uk/people/G.Struth/isa/
² Idempotence refers to the operation +, i.e. x+x = x.
³ We have abused notation in this example by using flip_p to represent both an action and an automaton which performs that action.
* This work has been supported by the iMQRES grant from Macquarie University.
However, we still maintain the instance of that law in the special case x = 1 (see axiom (11)), where 1 is interpreted as "do nothing".

Next we have the axioms dealing with the interaction of ‖, + and ·:

Monotonicity: x‖y + x‖z ≤ x‖(y+z), (12)
Interchange law: (x‖y)(u‖v) ≤ (xu)‖(yv). (13)

The interchange law is the most interesting axiom of concurrent Kleene algebra. In fact it allows the derivation of many properties involving ‖. To illustrate this in the probabilistic context, consider a probabilistic vending machine VM which we describe as the expression

VM = coin·flip_p·(τ_h·(tea+1) + τ_t·(coffee+1)),

where coin, tea, coffee, τ_h, τ_t and flip_p are all represented by automata. That is, the vending machine accepts a coin and then decides internally whether it will enable the button coffee or tea. The decision is determined by the action flip_p⁴ which (as explained later) enables either τ_h or τ_t. The actions τ_t and τ_h are internal and the user cannot access them. Now, a user who wants to drink tea is specified as

U = coin·(tea+1).

The system becomes U‖VM where the concurrent operation is CSP-like and synchronises on coin, tea and coffee. The interchange law together with the other axioms and some system assumptions imply the following inequation:

U‖VM ≥ coin·flip_p·(τ_h·(tea+1) + τ_t), (14)

which is proved automatically in our repository. In other words, the user will only be satisfied with probability at least p, since the right-hand side says that the tea action can only be enabled provided that τ_h is enabled, and in turn that is determined by the result of the flip_p action.

Now we are ready to define our algebra.

Definition 2. A weak concurrent Kleene algebra is a weak probabilistic Kleene algebra (K,+,·,∗,0,1) with a concurrency operator ‖ satisfying (9)-(13).

We assume the operator precedence ∗ < · < ‖ < +.

Proposition 3. Let s, t be terms. The following equations hold in weak concurrent Kleene algebra.
1. All the operators are monotonic.
2. (s∗‖t∗)∗ = s∗‖t∗.
3. (s‖t)∗ ≤ s∗‖t∗.
4. (s+t)∗ = (s∗t∗)∗.

⁴ i.e. the automaton that performs a flip_p action.

3 Concrete Model

3.1 Semantic Space

We use nondeterministic automata to construct a concrete model. An automaton is denoted by a tuple

(P, →, i, F)

where P is a set of states. The set → ⊆ P×Σ×P is a transition relation and we write x −a→ y when there is a transition, labelled by a, from state x to state y. The alphabet Σ is left implicit and considered to be fixed for every automaton. The state i ∈ P is the initial state and F ⊆ P is the set of final states of the automaton. In the sequel, we will denote an automaton (P, →, i, F) by its set of states P when no confusion is possible.

The actions in the alphabet Σ are categorised into three kinds:
• internal: actions that will be "ignored" by the simulation relation (as in τ_h and τ_t). Internal actions are never synchronised by ‖.
• external: actions that can be synchronised. Probabilistic actions are external (as in flip_p) but they are never synchronised.
• synchronised: external actions that will be synchronised when applying ‖ (as in coin, tea and coffee). These actions are determined by a set of external actions A. More specifically, ‖ refers to ‖_A, which we assume is fixed and given beforehand.

The special case of probabilistic choice is modelled by combining probabilistic and internal actions. That is, a process that does a with probability p and does b with probability 1−p is interpreted as the following automaton, where flip_p ∈ Σ represents the action of flipping a p-biased coin which produces head with probability p and tail with probability 1−p.

[Diagram: a flip_p transition, followed by a branch into τ_h and τ_t, followed by a and b respectively.]

The internal actions τ_t and τ_h are enabled according to the result of flip_p. Hence only one of τ_h and τ_t will be enabled just after the coin flip. Since τ_t and τ_h are internal actions, the choice is internal and based upon the outcome of flip_p. The important facts here are that the choice after flip_p is internal, so it could be based on the probabilistic outcome of flip_p, and that the environment cannot interfere with that choice. These two behavioural characteristics are what we consider to be the most general features of probability in a concurrent setting and they are those which we axiomatise and record in our concrete model.
Next, we impose some conditions on the automata to ensure soundness.
- reachability: every state of the automaton is reachable by following a finite path from the initial state.
- initiality: there is no transition that leads to the initial state. This means that a∗ corresponds to the automaton associated with 1 + aa∗ rather than a self loop labelled by a ∈ Σ.

We denote by Aut the set of automata satisfying these two conditions. The next step is to define the operators that act on Aut. We use the standard inductive construction found in [1, 17, 9]; the diagrams illustrating the constructions are given in the appendix.

Deadlock: 0. This is the automaton that has only one state, namely the initial state, and no transition at all. It is the tuple ({i}, ∅, i, ∅).

Skip: 1. This is the automaton that has only one state i, which is both initial and final. This automaton has no transition, i.e. it is denoted by ({i}, ∅, i, {i}).

Single action: a. The automaton associated with a is i −a→ ◦, where i is the initial state and ◦ is a final state. It is the tuple ({i, ◦}, {i −a→ ◦}, i, {◦}).

Addition: P + Q. This automaton is obtained using the standard construction of identifying the initial states of P and Q. (This is possible due to the initiality property.)

Multiplication: PQ (or P·Q). This automaton is constructed in the standard way of identifying copies of the initial state of Q with the final states of P.

Concurrency: P ‖_A Q. This automaton is constructed as in CSP [4]. It is a sub-automaton of the Cartesian product of P and Q. The initial state is (i_P, i_Q) and the final states are the reachable elements of F_P × F_Q. Notice that the set A never contains probabilistic actions. Further explanation about ‖_A is given below.

Kleene star: P∗. This automaton is the result of repeating P, allowing a successful termination after each (possibly empty) full execution of P. The initial state of P∗ is final and copies of the initial state of P are identified with the final states of P.

All automata begin with an initial state and end in some final or deadlock state. Our main use of final states is in the construction of sequential composition and Kleene star.

The concurrency operator ‖_A synchronises transitions labelled by an action in A and interleaves the others (including internal transitions). As in CSP, a synchronised transition waits for a corresponding synchronisation action from the other argument of ‖. This is another reason we do not have 1 ‖_{a} P = P: if P = i_P −a→ ◦ and i_P is not a final state, then

1 ‖_{a} P = ({(i, i_P)}, ∅, (i, i_P), ∅) = 0.

Proposition 4. The operations of weak concurrent Kleene algebra are well defined on Aut, that is, if P, Q ∈ Aut then P + Q, PQ, P ‖_A Q and P∗ are elements of Aut.

The proof consists of checking that P + Q, PQ, P‖Q and P∗ satisfy the reachability and initiality conditions whenever P and Q satisfy the same conditions (see Proposition 20 in the appendix).

In the sequel, whenever we use an unframed concurrency operator ‖, we mean that the frame A has been given and remains fixed.

3.2 Equivalence

The previous subsection has given us the objects and operators needed to construct our concrete model. Next we turn to the interpretation of equality for our concrete interpretation.

Following the works found in [1, 9, 13], we again use a simulation-like relation to define valid equations in the concrete model. More precisely, due to the presence of internal actions, we will use an η-simulation as the basis for our equivalence.

Before we give the definition of simulation, we need the following notation. Given states x and y, we write x ⇒ y if there exists a path, possibly empty, from x to y that is labelled by internal actions only. This notation is also used in [17] with the same meaning.

Definition 5. Let P, Q be automata. A relation S ⊆ P×Q (or S: P → Q) is called an η-simulation if
– (i_P, i_Q) ∈ S,
– if (x, y) ∈ S and x −a→ x′ then
  a) if a is internal then there exists y′ such that y ⇒ y′ and (x′, y′) ∈ S,
  b) if a is external then there exist y_1 and y′ in Q such that y ⇒ y_1 −a→ y′ and (x, y_1) ∈ S and (x′, y′) ∈ S,
– if (x, y) ∈ S and x ∈ F_P then y ∈ F_Q.

A simulation S is rooted if (i_P, y) ∈ S implies y = i_Q. If there is a rooted simulation from P to Q then we say that P is simulated by Q and we write P ≤ Q. Two processes P and Q are simulation equivalent if P ≤ Q and Q ≤ P, and we write P ≡ Q. In the sequel, any rooted η-simulation will be referred to simply as a simulation.

The η-simulations of [17] are defined with property (a) replaced by

if a is internal then (x′, y) ∈ S. (15)

Since (15) is the special case of (a) with the empty path y ⇒ y, every η-simulation in the sense of [17] also satisfies Definition 5; the converse fails. The identity relation (drawn as a dotted arrow) in the following diagram is a simulation relation satisfying Definition 5, but it is not a simulation in the sense of [17]. We need the identity relation to be a simulation here because in our proof of soundness, more complex simulations are constructed from identity relations.

[Diagram: two copies of the automaton i −τ→ ◦, with the identity relation drawn as dotted arrows between corresponding states.]

Proposition 6. The following statements hold.
1. The relational composition of two rooted η-simulations is again a rooted η-simulation. That is, if S, T are rooted η-simulations then S∘T is also a rooted η-simulation, where ∘ denotes relational composition.
2. The simulation relation ≤ is a preorder on Aut.

Proposition 6 is proven in Proposition 21 of the appendix.

Therefore ≡, as determined by Definition 5, is an equivalence. In fact, we prove in the following proposition that it is a congruence with respect to +.

Proposition 7. The equivalence relation ≡ is a congruence with respect to +, and P ≤ Q iff P + Q ≡ Q.

The proof adapts and extends the one found in [17]; the specialised version for our case is Proposition 22 in the appendix.

It is well documented that η-simulation is not a congruence without the rootedness condition [17]. A typical example is given by the expressions τa + τb and τ(a+b). The automata associated with these expressions are equivalent under non-rooted η-simulation.

The manipulation of probabilistic actions is also an important facet of our model. We assume that probabilistic actions are not synchronised, and in that respect they are similar to internal actions. However, probabilistic actions cannot be treated as internal, as the following example illustrates. Consider the action flip_{1/2} which flips a fair coin. If flip_{1/2} were an internal action then the inequality

(flip_{1/2})(τa + τb) ≤ (flip_{1/2})τa + (flip_{1/2})τb

would be valid when interpreted in the concrete model; in other words, there would be a simulation from the automaton of the left-hand side (flip_{1/2} followed by a τ-branch into a and b) to the automaton of the right-hand side (two flip_{1/2} branches, each followed by τ and then a or b).

But this relationship (which implies distributivity of flip_p through +) does not respect the desired behaviour of probability which, as we explained earlier, satisfies only a weaker form of distributivity. Hence we assume that probabilistic actions such as flip_{1/2} are among the external actions which will never be synchronised.

4 Soundness

In this section, we prove that the set Aut endowed with the operators defined in Subsection 3.1, modulo rooted η-simulation equivalence (Subsection 3.2), forms a weak concurrent Kleene algebra.

The first part is to prove that Aut is a weak probabilistic Kleene algebra.

Proposition 8. (Aut, +, ·, ∗, 0, 1) is a weak probabilistic Kleene algebra.

The proof consists of detailed verifications of the axioms for weak probabilistic Kleene algebra (see Proposition 23 in the appendix).

The second part consists of proving that ‖ satisfies equations (9)-(13). Associativity depends heavily on the fact that both concurrent compositions involved in x‖y‖z have the same frame set. For instance, let Σ = {a, b, c}. The identities

(a ‖_{a} b) ‖_{c} a = ab0 + ba0

and

a ‖_{a} (b ‖_{c} a) = ab + ba

are valid in the concrete model. Hence the first process will always go into a deadlock state, though the second one will always terminate successfully. Therefore, to have associativity, the concurrency operator must have a fixed frame.

Proposition 9. (Aut, +, ·, ‖_A, 1) satisfies equations (9)-(13) modulo rooted η-simulation equivalence for any set of synchronisable actions A ⊆ Σ (i.e. containing no probabilistic actions).

Associativity is mainly a consequence of the fact that there is only one frame for ‖. The other axioms need to be checked thoroughly (see Proposition 24).

Our soundness result directly follows from these two propositions.

Theorem 10. (Aut, +, ·, ‖_A, ∗, 0, 1) is a weak concurrent Kleene algebra for any set of synchronisable actions A ⊆ Σ.

In this theorem, the frame A is fixed beforehand. In other words, a model of weak concurrent Kleene algebra is constructed for each possible choice of A. In particular, if A is empty then the concurrency operator interleaves all actions, i.e. no actions are synchronised. This particular model satisfies the identity 1 ‖_∅ x = x of the original concurrent Kleene algebra found in [5].

If we consider finite automata only, as in [9], the dual laws of Section 2 also hold (see Propositions 25 and 27 in the appendix).
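The claims of Sections 2 to 4 about the concrete model can be checked by machine. The following Python program is an added example; it is not code from the paper and not the authors' Isabelle repository. It builds the automata 0, 1, a, P+Q, PQ and P ‖_A Q as described in Subsection 3.1 (the Kleene star is omitted), computes the greatest rooted η-simulation of Definition 5 as a fixpoint, and uses it to check Equation (6), the claim in Section 4 that treating flip_{1/2} as internal would validate the unwanted inequality, and Equation (14) for the vending machine. The labelling convention (labels beginning with "tau" are internal, the frame A is passed explicitly), the state names and the name "tau_flip" are assumptions of the example.

```python
# Added example, not code from the paper: the automata of Subsection 3.1 and the
# rooted eta-simulation of Definition 5. Labels beginning with "tau" are internal,
# every other label is external; the frame A lists the synchronised actions.

def is_internal(a):
    return a.startswith("tau")

# An automaton is (states, transitions, initial, finals); transitions is a set of
# (source, label, target) triples and state names are arbitrary hashable values.
ZERO = ({"i"}, set(), "i", set())   # deadlock
ONE = ({"i"}, set(), "i", {"i"})    # skip

def act(a):
    return ({"i", "f"}, {("i", a, "f")}, "i", {"f"})

def rename(P, f):
    S, T, i, F = P
    return ({f(s) for s in S}, {(f(x), a, f(y)) for x, a, y in T}, f(i), {f(s) for s in F})

def plus(P, Q):
    # identify the two initial states (sound because of initiality)
    L = rename(P, lambda s: "i" if s == P[2] else ("L", s))
    R = rename(Q, lambda s: "i" if s == Q[2] else ("R", s))
    return (L[0] | R[0], L[1] | R[1], "i", L[3] | R[3])

def seq(P, Q):
    # glue a copy of Q onto each final state f of P, identifying f with Q's initial state
    S, T, i, F = rename(P, lambda s: ("L", s))
    F2 = set()
    for f in F:
        Qc = rename(Q, lambda s, f=f: f if s == Q[2] else (f, s))
        S |= Qc[0]; T |= Qc[1]; F2 |= Qc[3]
    return (S, T, i, F2)

def par(P, Q, A):
    # CSP-style parallel composition: actions in A synchronise, the others interleave
    (SP, TP, iP, FP), (SQ, TQ, iQ, FQ) = P, Q
    init = (iP, iQ)
    states, trans, todo = {init}, set(), [init]
    while todo:
        x, y = todo.pop()
        moves = [(a, (x2, y)) for x1, a, x2 in TP if x1 == x and a not in A]
        moves += [(a, (x, y2)) for y1, a, y2 in TQ if y1 == y and a not in A]
        moves += [(a, (x2, y2)) for x1, a, x2 in TP if x1 == x and a in A
                  for y1, b, y2 in TQ if y1 == y and b == a]
        trans.update(((x, y), a, s) for a, s in moves)
        new = {s for _, s in moves} - states
        states |= new
        todo.extend(new)
    return (states, trans, init, {(x, y) for x, y in states if x in FP and y in FQ})

def closure(T, y):
    # y => y': all states reachable from y through internal transitions only
    seen = {y}
    while True:
        new = {v for u, a, v in T if u in seen and is_internal(a)} - seen
        if not new:
            return seen
        seen |= new

def simulated(P, Q):
    # P <= Q: does a rooted eta-simulation from P to Q exist (Definition 5)?
    (SP, TP, iP, FP), (SQ, TQ, iQ, FQ) = P, Q
    # candidate pairs: those allowed by the final-state clause and by rootedness
    S = {(x, y) for x in SP for y in SQ if (x not in FP or y in FQ) and (x != iP or y == iQ)}
    def holds(x, y):
        for x1, a, x2 in TP:
            if x1 != x:
                continue
            cl = closure(TQ, y)
            if is_internal(a):                                  # clause (a)
                if not any((x2, y2) in S for y2 in cl):
                    return False
            elif not any((x, y1) in S and (x2, y2) in S           # clause (b)
                         for y1 in cl for u, b, y2 in TQ if u == y1 and b == a):
                return False
        return True
    while True:  # greatest fixpoint: drop every pair that violates a transition clause
        bad = {p for p in S if not holds(*p)}
        if not bad:
            return (iP, iQ) in S
        S -= bad

a, b, flip, tau, tau_h, tau_t = map(act, ["a", "b", "flip", "tau", "tau_h", "tau_t"])

def sub_distributivity():
    # Equation (6): (flip)a + (flip)b <= (flip)(a+b) holds, the converse does not
    lhs, rhs = plus(seq(flip, a), seq(flip, b)), seq(flip, plus(a, b))
    return simulated(lhs, rhs), simulated(rhs, lhs)

def flip_distributes_iff_internal():
    # Section 4: (flip)(tau a + tau b) <= (flip)tau a + (flip)tau b is valid when the
    # coin flip is made an internal action ("tau_flip") and invalid when it is external
    def check(coin):
        lhs = seq(coin, plus(seq(tau, a), seq(tau, b)))
        rhs = plus(seq(coin, seq(tau, a)), seq(coin, seq(tau, b)))
        return simulated(lhs, rhs)
    return check(act("tau_flip")), check(flip)

def vending_machine():
    # Equation (14): U |A VM >= coin.flip.(tau_h.(tea+1) + tau_t), A = {coin, tea, coffee}
    coin, tea, coffee = map(act, ["coin", "tea", "coffee"])
    vm = seq(coin, seq(flip, plus(seq(tau_h, plus(tea, ONE)), seq(tau_t, plus(coffee, ONE)))))
    u = seq(coin, plus(tea, ONE))
    spec = seq(coin, seq(flip, plus(seq(tau_h, plus(tea, ONE)), tau_t)))
    return simulated(spec, par(u, vm, {"coin", "tea", "coffee"}))
```

The fixpoint starts from every pair permitted by the final-state and rootedness clauses and repeatedly deletes pairs that violate a transition clause, so what survives is the largest rooted η-simulation, and P ≤ Q holds iff the pair of initial states survives. Because clause (b) of Definition 5 also demands (x, y_1) ∈ S for the intermediate state y_1, the check is stricter than a weak simulation; that extra demand is exactly what makes the second example fail once the coin flip is external, while the same inequality goes through when the flip is internal.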
5 Relationship to Probabilistic Processes

Firstly, it is shown in [11] that a probabilistic choice a _p⊕ b simulates the nondeterministic choice a + b. A similar result also holds in our setting. In the absence of internal transitions, simulation has also been defined elsewhere [1, 17, 9]; we will refer to it as strong simulation. Recall that (flip_p)a + (flip_p)b ≤ (flip_p)(a+b) is a general property of probabilistic Kleene algebra [12], so it is valid under strong simulation equivalence [1, 9]. Due to the absence of internal actions, the middle part of the diagram of Figure 1 does not exist with respect to strong simulation equivalence.

In the context of Definition 5, the right-hand simulation of Figure 1 is the refinement of probabilistic choice by nondeterminism. This example gives an explicit distinction between (flip_p)(a+b) and (flip_p)a + (flip_p)b by considering the fact that the choice in (flip_p)(a+b) can depend on the probabilistic outcome of flip_p, but this is not the case for (flip_p)a + (flip_p)b.

[Figure 1: Refinements between probabilistic choice and nondeterminism. Three automata related by simulations from left to right: (flip_p)a + (flip_p)b (two flip_p branches followed by a and b), then flip_p followed by a τ-branch into a and b (the probabilistic choice), then (flip_p)(a+b) (one flip_p followed by the choice between a and b).]

Secondly, we discuss the relationship between our concrete model and probabilistic automata. Recall that our interpretation of probability lies in the use of actions that implicitly contain probabilistic information. In its most general form, a probabilistic choice between n possibilities can be written as

flip_{p_1,...,p_n}·(τ_1·a_1 + ... + τ_n·a_n)

where Σ_i p_i = 1. In this algebraic expression, we implicitly ensure that each guard τ_i is enabled with a corresponding probability p_i. Therefore, if these τ_i's are not found directly after the execution of the probabilistic action then matching them with the corresponding p_i becomes a difficult task. We call a p-automaton⁵ a transition system as per the definition of Subsection 3.1 such that if a probabilistic action has associated τ transitions then all of them follow that action directly.

Another complication also arises from the use of these τ_i's. Consider the following two processes

flip_{p_1,p_2}·(τ_1·a + τ_2·b) and flip_{p_1,p_2}·(τ_1·b + τ_2·a)

where p_1 + p_2 = 1. We can construct a (bi)simulation relation between the corresponding automata even though the probabilities of doing an a are different. Hence we need to modify the definition of η-simulation (Definition 5) to account for this particular structure.

Definition 11. A p-simulation S between two p-automata P, Q is an η-simulation such that if
- x −flip_{p_1,...,p_n}→ x′ −τ_i→ x″_i is a transition in P,
- y −flip_{p_1,...,p_n}→ y′ −τ_i→ y″_i is a transition in Q,
- and (x, y) ∈ S,
then (x″_i, y″_i) ∈ S, for each i = 1, ..., n.

This definition ensures that the probability of doing a certain action from y is greater than doing that action from x. With proofs similar to those in the previous sections, we can show that the set of p-automata modulo p-simulation again forms a weak concurrent Kleene algebra. We denote by p-Aut the set of p-automata modulo p-simulation.

We will now show that this definition is a very special case of probabilistic simulation on probabilistic automata. To simplify the comparison, we assume that τ transitions occur only as part of these probabilistic choices in p-automata.

Definition 12. A probabilistic automaton is defined as a tuple (P, →, Δ, F) where P is a set of states, → is a set of labelled transitions from states to distributions⁶ over states, i.e. → ⊆ P×Σ×DP, Δ is the initial distribution and F ⊆ P is a set of final states.

The notion of simulation also exists for probabilistic automata [16] and, in particular, simulation and failure simulation are discussed in [3], where they are proven to be equivalent to may and must testing respectively.

To give a proper definition of probabilistic simulation, we need the following notation, which is borrowed from [3] and [17]. Given a relation R ⊆ P×DQ, the lifting of R is a relation R̂ ⊆ DP×DQ such that φ R̂ ψ iff:
- φ = Σ_x p_x δ_x,⁷
- for each x ∈ supp(φ) (the support of φ) there exists ψ_x ∈ DQ such that x R ψ_x,
- ψ = Σ_x p_x ψ_x.

Similarly, the lifting of a transition relation −τ→ is denoted −τ→̂, whose reflexive transitive closure is denoted =τ⇒̂. For each external action a, we write =â⇒ for the sequence =τ⇒̂ −a→.

Definition 13. A probabilistic simulation S between two probabilistic automata P and Q is a relation S ⊆ P×DQ such that:
- (Δ_P, Δ_Q) ∈ Ŝ,
- if (x, ψ) ∈ S and x −a→ φ then there exists ψ′ ∈ DQ such that ψ =â⇒ ψ′ and (φ, ψ′) ∈ Ŝ (for every a ∈ Σ ∪ {τ}),
- if x ∈ F_P and (x, ψ) ∈ S then supp(ψ) ⊆ F_Q.

We denote by ProbAut the set of probabilistic automata modulo simulation equivalence.

We can now construct a mapping ε: p-Aut → ProbAut such that each instance of a structure similar to flip_{p_1,...,p_n}·(τ_1·a_1 + ... + τ_n·a_n) is collapsed into probabilistic transitions. More precisely, let P ∈ p-Aut and → be its transition relation. The automaton ε(P) has the same state space as P (up to accessibility with respect to the transitions of ε(P)). The initial distribution of ε(P) is δ_{i_P} and the set of final states of ε(P) is again F_P.⁸ The set of transitions →_{ε(P)} is constructed as follows.

⁵ The name p-automata describes probabilistic automata and, as we will see later on, there is a relationship between the two of them.
⁶ We assume that all distributions are finitely supported.
⁷ We denote by δ_x the point distribution concentrated on x.
⁸ Notice that by assuming the structure flip_{p_1,...,p_n}·(τ_1·a_1 + ... + τ_n·a_n), the state between the flip action and the corresponding τ transitions is never a final state. Hence we can safely use F_P as the set of final states of ε(P).
Let x −a→ x′ be a transition of P. There are two possible cases:
a) if a is probabilistic, i.e. of the form flip_{p_1,...,p_n}, and is followed by the τ_i's, then the transition

x −τ→ p_1 δ_{x′_1} + ... + p_n δ_{x′_n}

is in →_{ε(P)}, where x′ −τ_i→ x′_i is a transition in P;
b) else the transition x −a→ x′ is in →_{ε(P)}.

We now prove that ε is a monotonic function from p-Aut to ProbAut.

Proposition 14. If P ≤ Q then ε(P) ≤ ε(Q).

Proof. Assume that S is a p-simulation from P to Q. Consider the exact same relation but restricted to the state spaces of ε(P) and ε(Q). We show that this restriction is a probabilistic simulation.
- Obviously, (δ_{i_P}, δ_{i_Q}) ∈ Ŝ.
- Let x −a→ φ and (x, ψ) ∈ Ŝ. Since τ transitions only occur as part of probabilistic choices, we have two possibilities:
  – x −τ→ p_1 δ_{x′_1} + ... + p_n δ_{x′_n} is a transition of ε(P) and (x, ψ) ∈ S where ψ = δ_y, since (x, y) belongs to the original S. In this case, y −τ→ p_1 δ_{y′_1} + ... + p_n δ_{y′_n} is a transition of ε(Q) and each (x′_i, y′_i) belongs to the original S (definition of p-simulation).
  – x −a→ x′ and a is an external action. Then there are again two possibilities, y −τ_i→ y_i −a→ y′ or y −a→ y′. In both cases, we have (x′, y′) ∈ S.
- Conservation of final states follows easily from the fact that S is a p-simulation.

Since our Definition 13 implies the definition of probabilistic simulation in [3], we conclude that the maximal probability of doing a particular action in p-automata is increased by p-simulation. This remark provides a formal justification of our earlier example. That is, Equation (14) ensures that the maximal probability that a buyer will be satisfied when using the probabilistic vending machine is at least 1/2, because the maximal probability of a trace containing tea in the automaton described by

coin·flip_{1/2}·(τ_h·(tea+1) + τ_t)

is 1/2.

In the proof of Proposition 14, the simulation constructed is a very particular case of probabilistic simulation, so it is too weak to establish certain relationships between p-automata. For instance, the automaton represented by a _p⊕ (a _q⊕ b) should be equivalent to a _{p+q−pq}⊕ b, but Definition 11 will not provide such an equality. This line of research is part of our future work, where we will study proper probabilistic automata and simulations against weak concurrent Kleene algebra.
Given a coin·flip·(τ ·(tea+1)+τ term s, the language Tr(s) of s is the set of finite h t wordsformedbyexternalactionsandareacceptedby is 1/2. the automata represented by s. In other word, it is Inthe proofofproposition14, the simulationcon- the set offinite tracesin the sense of CSP whichlead structedis averyparticularcaseofprobabilisticsim- tofinalstates. The precisedefinitionofthis language ulation so it is too weak to establish certain rela- equivalence can be found in the appendix and so is tionships between p-automata. For instance, the au- theproofofthefollowingproposition(Proposition29 tomaton represented by a ⊕(a ⊕b) should be equiv- of the appendix). p q alentto a ⊕bbut Definition11willnotprovide p+q−pq Proposition 17. In Aut, ⊑ reduces to language such equality. This line of research is part of our fu- may ture work where we will study proper probabilistic equivalence. automata and simulations against weak concurrent 9Noticek shouldbe framedbecausesome externalactionsare Kleene algebra. notsynchronised. Butinthesettingoftesting,wecanalsoassume thatallexternalactionsaresynchronisedwhichpermitstofollow upallexternalactionspresentintheprocess. We haveshownthat⊑ is equivalentto language easilytontourists). Thetourists’jointactionisspec- equivalenceandhenceitismwayeakerthanoursimulation ified as (P +Q)∗. This ensures that when a tourist order. This is also a consequence of the fact that has started his turn by reading the board, he will our study of may testing is done in a qualitative way not be interrupted by any other tourist until he is because the probabilities are found implicitly within doneandgoesinsidethecurrentplaceortotheother actions. A quantitative study of probabilistic testing place. This condition is crucial for the protocol to orders can be found in [3]. work properly. 
The actions of the locations process are specified by (M +C)∗ which ensures that each tourist can be 7 Case Study: Rabin’s Choice Coordination at one place at a time only — this is a physical con- straint. Now, the whole system is specified by The problem of choice coordination is well known in the areaofdistributed systems. It usually appearsin init· [P(α,u)+Q(β,v)]∗ k(M +C)∗ (16) theformofprocessesvotingforacommongoalamong (cid:16) {c,m} (cid:17) somepossibilities. Rabinhasproposedaprobabilistic protocol which solves the problem [15] and a sequen- where init is the initialisation of the values on tial specification can be found in [11]. the boards, notepads and initial locations. Speci- We specify the protocol in our algebra and prove fication 16 describes the most arbitrary behaviour that a fully concurrent specification is equivalent to of the tourists compatible with visiting and inter- a sequential one. Once this has been done, the full acting with the locations in the manner described verificationcanproceedbyreusingthe techniques for above. Rabin’s design of the protocol means that sequential reasoning [11]. this behaviour is equivalent to a serialised execution The protocol consists of a set of tourists and two where first one location is visited, followed by the places: a church C and a museum M. Each tourist other. We can write that behaviour behaviour as has a notepad where he keeps track of an integer k. [((P +Q)kM)∗((P +Q)kC)∗]∗, where (for this sec- Each place has a board where tourists can read and tion only) we denote the concurrency operator by k write. We denote by L (resp. R) the value on the instead of k to make the notation lighter. The {c,m} church board (resp. museum board). next theorem says that this more uniform execution In this section, we use · again for the sequential is included in S = [P(α,u) + Q(β,v)]∗k(M + C)∗, composition to make the specifications clearer. described by Specification 16. 
• The church is specified as C = (c!L)∗ · (c?L) Theorem 18. We have wherethechannelcrepresentsthechurch’sdoor. c!L means that the value of L is available to be S ≥[((P +Q)kM)∗((P +Q)kC)∗]∗ read in the channel c and c?L waits for an input which is used as value for L in the subsequent The proof is a simple application of Proposition process. 3. Theorem 18 means S could execute all possible actionsrelatedto doorM,andthen those atdoorC, In other words, each tourist can read as many and then back to door M and so one. In fact, we times as they want from the church board but can also prove the converse i.e. Proposition 18 could write on it only once. Repeated writing will be be strengthen to equality. But for that, we need the considered in the specification of the protocol. continuity of the operators · and k. Similarly, the museum is specified as M = (m!R)∗·(m?R). Theorem19. Intheconcretemodel,thespecification of Rabin’s protocol satisfies • Each tourist is specified as P(α,k) where α ∈ {c,m} is the door before which the tourist cur- S =[((P +Q)kM)∗((P +Q)kC)∗]∗ rently stands and k is the actual value written on his notepad. A detailed description of P can The proof of this theorem depends heavily on the be found in the appendix but roughly, we have fact that the concurrent and sequential compositions are continuous in the the concrete model. The com- P(α,k)=(α?K)·rabin·[α:=α] 10 plete proof can be found in the appendix. Intheproof,ifwestoppedatthedistributionover k, we obtain the equivalent specification where c = m and m = c. In other words, the tourist reads the value on the place specified by S =[(P +Q)kM +(P +Q)kC]∗ α,executesRabin’sprotocolrabinandthengoes totheotherplace. Noticethattheprocessrabin which describes a simpler situation where P or Q in- contains the probabilistic component of Rabin’s teracts at the Museum or at the Church. This is protocol. 
Essentially, it describes the rules that similar to the sequential version found in [11], which are used by each tourist to update their actual canbetreatedbystandardprobabilisticinvariantsto valueforkwithrespecttothevalueontheboard complete a full probabilistic analysis of the protocol. and vice versa. The whole specification of the protocolexecuted 8 Conclusion by each tourist is described by the automata of Figure 2 An algebraic account of probabilistic and concurrent system has been presented in this paper. The idea was to combine probabilistic and concurrent Kleene algebra. Asoundnessresultwithrespecttoautomata Wearereadytospecifythewholesystem. Assume androotedη-simulationhasbeenprovided. Thecon- we have two tourists P and Q (our result generalises crete model ensures not only the consistency of the 10Anyactionwrittenwithinsquarebracketswilldenoteinternal axiomsbutprovidesalsoasemanticspaceforsystems exhibitingprobabilistic,nondeterministicandconcur- action(seeappendixforthedetailedspecification). rent behaviour. We also showed that the model has P(α,k) α?K (cid:15)(cid:15) [K•=zztoo thtetrtet]tttt Joo JJ[JkJ>[JKKJ6=J]JhJeJr$$e] α!here zztttttt[kt<ttKtt] (cid:15)(cid:15)[k=K] yysssss[sks:s=sKss] (cid:15)(cid:15)flip1/2 α!k (cid:15)(cid:15) yyssssτshssssss AAAAAτAtAA [α:=α]◦(cid:15)(cid:15) [k:=JJKJJ+J2J]JJJJJ$$ (cid:127)(cid:127)(cid:127)(cid:127)(cid:127)(cid:127)(cid:127)(cid:127)[k(cid:127):(cid:127)=K+2] α!k (cid:15)(cid:15) [α:=α] (cid:15)(cid:15) ◦ Figure 2: p-automaton that describes the protocol P(α,k) executed by each tourist. stronger properties than just the algebraic axiomati- cesses. In In LICS07: Proceedings of the 22nd sation. For instance, sequential and concurrent com- Annual IEEE Symposium on Logic in Com- positions are both continuousin the caseof finite au- puter Science. IEEE Computer Society Press, tomata. Los Alamitos, CA, pages 313–325,2007. We provided some applications of the framework. 
An algebraic account of may testing has been dis- [4] C. A. R. Hoare. Communicating sequential pro- cussed in Section 6. It was shown that may ordering cesses. Commun. ACM, 21:666–677, August reduces to language equivalence. 1978. We also provided a case study of Rabin’s solu- [5] C. A. R. Hoare, B. Mo¨ller, and I. Struth, tion to the choice coordination problem. A concur- G.andWehrman. ConcurrentKleenealgebra. In rent specification was provided and it was shown to Proceedings of the 20th International Conference be structurally equivalentto the sequentialone given on Concurrency Theory, CONCUR 2009, pages in [11]. 399–414, Berlin, Heidelberg, 2009. Springer- Though the algebra was proven to be powerful Verlag. enough to derive non-trivial properties for concrete protocols,theconcretemodelstillneedstoberefined. [6] D. Kozen. A completeness theorem for Kleene For instance, the inclusion of tests is important es- algebrasandthealgebraofregularevents. Infor. pecially for the construction of probabilistic choices. and Comput., 110(2):366–390,May 1994. Tests need to be introduced carefully because their algebraic characterisation are subtle due to presence [7] D. Kozen. On Hoare logic and Kleene algebra ofprobability. Wealsoneedtoimproveandrefinethe withtests. Trans.Computational Logic,1(1):60– manipulation of quantitative properties in the model 76, July 2000. as part of our future work. [8] D.KozenandM.C.Patron.Certificationofcom- Finally, it is customary to motivate automated piler optimizations using Kleene algebra with support for algebraic approaches. The axioms sys- tests. In JohnLloyd, Veronica Dahl, Ulrich Fur- tem for weak concurrent Kleene algebra is entirely bach, Manfred Kerber, Kung-Kiu Lau, Catus- first-order, therefore proof automation is supported cia Palamidessi, Luis Moniz Pereira, Yehoshua and automatised version of our algebraic proofs can Sagiv, and Peter J. Stuckey, editors, Proc. 1st be found in our repository. Int. Conf. 
Computational Logic (CL2000), vol- ume1861ofLNAI,pages568–582,London,July References 2000. Springer-Verlag. [1] E. Cohen. Weak Kleene algebra is sound [9] A. McIver, T. M. Rabehaja, and G. Struth. On and (possibly) complete for simulation. CoRR, probabilisticKleenealgebras,automataandsim- abs/0910.1028,2009. ulations. InProceedings of the12th international conference on Relational and algebraic methods [2] J. H. Conway. Regular Algebra and Finite Ma- in computer science, RAMICS’11, pages 264– chines. Chapman and Hall, Mathematics series, 279, Berlin, Heidelberg, 2011. Springer-Verlag. 1971. [10] A. K.McIver,E. Cohen,and C.C. Morgan. Us- [3] Y. Deng and R. Van Glabbeek. Characteris- ingprobabilisticKleenealgebraforprotocolver- ing testing preorders for finite probabilistic pro- ification. InIn Relmics/AKA2006, volume4136 of LNCS. Springer Verlag. [11] A. K. McIver and C. C. Morgan. Abstrac- tion, Refinement And Proof For Probabilistic Systems (Monographs in Computer Science). SpringerVerlag,2004. [12] A.K.McIverandT.Weber. Towardsautomated proof support for probabilistic distributed sys- tems. In In Proceedings of Logic for Program- ming and Automated Reasoning, volume 3835 of LNAI, pages 534–548.Springer, 2005. [13] R. Milner. An algebraic definition of simulation between programs. Technical report, Stanford, CA, USA, 1971. [14] R. De Nicola and M. Hennessy. Testing equiv- alence for processes. In Proceedings of the 10th Colloquium on Automata, Languages and Pro- gramming, pages 548–560, London, UK, 1983. Springer-Verlag. [15] M. O. Rabin. The choice coordination problem. Acta Inf., 17:121–134,1982. [16] R. Segala and N. Lynch. Probabilistic simula- tionsforprobabilisticprocesses. InNordic Jour- nalofComputing,pages481–496.Springer,1994. [17] R. G. van Glabbeek. The linear time-branching time spectrum (extended abstract). In J. C. M. BaetenandJ.W.Klop,editors,CONCUR1990, volume 458 of LNCS, pages 278–297. Springer, 1990.
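The collapse mapping ǫ from the end of Section 5 (cases a and b) and the vending-machine claim that the maximal probability of a trace containing tea is 1/2, carried out on a small constructed p-automaton. This is an added Python example, not code from the paper; the state names s0 to s5, the tuple encoding of transition labels and the acyclicity assumption in max_prob are mine.

```python
from fractions import Fraction
from functools import lru_cache

# Constructed encoding of a p-automaton: a transition is (source, label, target)
# where label is ("flip", (p_1, ..., p_n)), ("tau", i) for the i-th branch
# following a flip, or ("ext", name) for an external action such as coin.

def epsilon(transitions):
    """Collapse each flip·(tau_1·a_1 + ... + tau_n·a_n) pattern into a single
    probabilistic tau transition (case a) and keep every other transition as a
    point distribution (case b). Result: list of (source, action, {target: prob})."""
    out = []
    for x, (kind, arg), x1 in transitions:
        if kind == "tau":
            continue                       # absorbed into its flip below
        if kind == "flip":
            probs = [Fraction(p) for p in arg]
            dist = {}
            for src, (k2, i), xi in transitions:
                if src == x1 and k2 == "tau":   # x' --tau_i--> x'_i
                    dist[xi] = dist.get(xi, Fraction(0)) + probs[i - 1]
            out.append((x, "tau", dist))
        else:
            out.append((x, arg, {x1: Fraction(1)}))
    return out

def max_prob(eps, start, action):
    """Maximal probability that a run from `start` performs `action` in the
    collapsed automaton. Assumes an acyclic automaton, so recursion terminates."""
    @lru_cache(maxsize=None)
    def best(state):
        value = Fraction(0)
        for src, a, dist in eps:
            if src != state:
                continue
            if a == action:
                return Fraction(1)         # the action is enabled right here
            value = max(value, sum(p * best(t) for t, p in dist.items()))
        return value
    return best(start)

# Constructed p-automaton for the term coin · flip · (tau_h · (tea + 1) + tau_t);
# s2 sits between the flip and its tau branches.
VENDING = [
    ("s0", ("ext", "coin"), "s1"),
    ("s1", ("flip", ("1/2", "1/2")), "s2"),
    ("s2", ("tau", 1), "s3"),              # tau_h: tea is offered (or skipped)
    ("s2", ("tau", 2), "s4"),              # tau_t: no tea
    ("s3", ("ext", "tea"), "s5"),
]

COLLAPSED = epsilon(VENDING)
TEA_PROBABILITY = max_prob(COLLAPSED, "s0", "tea")   # Fraction(1, 2)
```

The flip followed by its two τ branches becomes one transition $s_1 \xrightarrow{\tau} \tfrac12\delta_{s_3} + \tfrac12\delta_{s_4}$ in ǫ(P), and the only way to reach tea is through the τ_h branch, which gives the 1/2 bound.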
