Quantitative Analysis of Software Approximate Correctness

Parameterized bisimulation provides an abstract description of software correctness. In real-world situations, however, many software products are only approximately correct. To characterize approximate correctness, we generalize parameterized bisimulation to a numerical version and to the probabilistic setting. First, we propose the definition of the parameterized bisimulation index, which expresses the degree to which a binary relation is a parameterized bisimulation. Then, λ-parameterized bisimulation over an environment e and its substitutivity laws are presented. Finally, λ-parameterized probabilistic bisimulation is established to describe complicated software products with probabilistic phenomena.


Introduction
Correctness is a key feature of software trustworthiness [1][2][3]. It can be abstracted by using various behavioral equivalences between processes, such as (strong and weak) bisimilarity, trace equivalence, testing equivalence, and failure equivalence [4][5][6]. The specification and the implementation of a software product are regarded as two processes; if a certain behavioral equivalence holds between specification and implementation, then the software is considered correct. Thus a behavioral equivalence must be established between specification and implementation to prove software correctness.
However, the prerequisites for the successful application of software products may not always hold when they actually run on computers. As physical devices, computers cannot be assumed to behave reliably. In addition, standard implementations at best approximate the formal definition of the semantics. Ying [7] proposed strong/weak bisimulation indexes to establish an approximate description of the relation between specification and implementation; the proposed indexes characterize the degree to which a binary relation between processes is a strong/weak bisimulation. Ying and Wirsing [8] presented strong/weak bisimulation limits and obtained strong/weak bisimulation topologies, in which a sequence of implementations can be treated as an evolution toward the specification. Girard and Pappas [9] defined a hierarchy of approximate pseudometrics between two systems that quantifies the quality of the approximations. To verify whether a program behaves as desired, Henzinger [10] introduced quantitative fitness measures for programs, particularly to measure the function, performance, and robustness of reactive programs such as concurrent processes. To compare these existing quantitative models of approximate program correctness, Fahrenberg and Legay [11] presented a distance-agnostic approach to quantitative verification; they defined a spectrum of different interesting system distances corresponding to a given trace distance.
In fact, some complicated software products contain probabilistic phenomena. These software products can be abstracted as probabilistic processes. Similarly, many quantitative models based on probabilistic processes [12] exist that measure the degree to which implementations satisfy their specification. For example, Giacalone et al. [13,14] presented the -bisimulation equivalence relation over deterministic probabilistic processes and proposed a measure model to describe the degree of similarity among probabilistic processes. This measure is defined in terms of the differences between the probabilities with which the processes execute the same action. Song et al. [15] proposed a measure model based on the probability that the processes perform the same trace, with a discount factor. Deng et al. [16] defined state-metrics as a natural extension of bisimulation from nonquantitative systems to quantitative ones over action-labeled quantitative systems. Alves de Medeiros et al. [17] built a measure relation based on the observable actions of processes. Abate [18] also established an approximate metric based on probabilistic bisimulation.
However, the running of a piece of software depends on its environment, so the environment should be taken into account when the approximation degree between specification and implementation is discussed. The influence of the environment is absent from the existing quantitative models. In [19], Larsen and Skou presented two-thirds bisimulation based on probabilistic transition systems to characterize that two processes are indistinguishable when they have the same sets of observations for all tests. If an environment is considered as a set of actions [20], then two-thirds bisimulation expresses the relation in which the process refuses the environment. We proposed a two-thirds simulation index and established a measure model to describe the degree of approximation among processes [21]. In the -calculus [22] and the applied -calculus [23], observation equivalences were studied, and the influence of the environment on the execution of software was considered as well. In [22], a process context is, loosely speaking, a process expression containing a hole. In [23], contexts may be used to represent the adversarial environment in which a process is run: the environment provides the data that the process inputs and consumes the data that it outputs.
Larsen [24] presented parameterized bisimulation equivalence to obtain flexible hierarchic development methods. In the work of Larsen, bisimulation equivalence is parameterized with information about the context, called the environment. An environment  is considered as an object that consumes the actions produced by a process running in that environment. However, the ability of an environment to consume actions may be limited. Suppose that  is a process that can execute action  to the next process   ; that is,    →   . If  cannot consume the action , then the derivation    →   will never be considered when  is executed in the environment . If  and  both perform the same actions for all transitions of , then we can determine ∼  . In particular, strong bisimulation in the CCS (Calculus of Communicating Systems) model is generalized by parameterized bisimulation equivalence. Parameterized limit bisimulation and parameterized bisimulation limit were proposed in [25,26] to describe the infinite evolution mechanism.
The condition of possessing the same observable actions consumed by the environment is stringent when we choose parameterized bisimulation to verify software correctness. Sometimes two processes fail to meet this condition, yet they are still close to being parameterized bisimilar in the sense that, whenever one process can execute an action the environment consumes, the other process can produce an action that is different from, but highly similar to, the observable action executed by the first process. Alternatively, whenever one process produces an action different from the action the environment consumes, the other process can perform an action highly similar to the observable action the first process made.
The aim of this study is to build mathematical tools suitable for describing this kind of approximate parameterized bisimulation. First, we propose the parameterized bisimulation index over an environment  to describe the degree to which a binary relation   is a parameterized bisimulation. Then we define λ-parameterized bisimulation and discuss its algebraic properties; in particular, we prove the congruence of λ-parameterized bisimulation under various operators. Finally, to characterize software with probabilistic information, we extend parameterized bisimulation to the probabilistic setting and propose an approximate parameterized probabilistic bisimulation.
Compared with [7,8,21], the main focus of our work is on parameterized bisimulation. In [7,8], the set of labels of a labeled transition system is equipped with a metric, and, given a binary relation between processes, the degree to which the relation is a bisimulation is defined. Similar to [7,21], we also equip the set of actions with a metric. Parameterized bisimulation, which includes information about the context, differs from bisimulation: for every environment ,   is a binary relation between processes. Therefore, to obtain an approximate parameterized bisimulation, we need to establish a bisimulation index for every environment . We consider two cases when computing the bisimulation index for an environment. In the first case, the environment consumes an action that one process can accept but the other cannot. In the second case, the environment has a transition with an action that neither process can accept. Therefore, our definition of the bisimulation index over an environment differs from the definition of the bisimulation index in [7]. Furthermore, we establish λ-parameterized bisimulation over the environment . To obtain hierarchic development and modular decomposition of software, similar to [7,21], we also consider the substitutivity laws of λ-parameterized bisimulation over the environment  under various combinators.
Meanwhile, we notice that many metric models are based on the difference between the probabilities with which two processes execute the same action [16], but the influence of the environment is not considered in these models. To describe the approximation of complicated software with probabilistic information, we extend parameterized bisimulation to the probabilistic setting so as to reflect the environment. First, we extend the environment transition system to the probabilistic case. Then, we define parameterized probabilistic bisimulation. Finally, we obtain approximate parameterized probabilistic bisimulation based on the probabilities with which the environment consumes an action and the processes perform the same action. This point is similar to [14,16]. Our method differs from that in [18], where the state space is equipped with a rich structure and the metric is characterized by probabilistic conditional kernels.
In Section 2, we recall the syntax of CCS and parameterized bisimulation. The parameterized bisimulation index over an environment  and λ-parameterized bisimulation are defined in Section 3, where some of their algebraic properties are also studied. In Section 4, the substitutivity laws of λ-parameterized bisimulation under various operators are proved. In Section 5, parameterized probabilistic bisimulation is proposed and λ-parameterized probabilistic bisimulation is defined; furthermore, the congruence of λ-parameterized probabilistic bisimulation is proved. Our conclusions and future work are presented in Section 6.

Preliminaries
2.1. CCS Summary. This section recalls some fundamental concepts and results of process calculus needed in the subsequent sections. The following definitions mainly come from the book by Ying [27].
We introduce the names A, the conames A, and the labels Γ = A ∪ A. Let , , . . . range over A; , , . . . range over A; and ,   , . . . range over Γ. We also introduce the silent or perfect action . Act = Γ ∪ {} is the set of actions, and ,  range over Act. Furthermore, we introduce the set ℵ of process variables and the set K of process constants. A mapping  : Γ → Γ is a relabeling function if () = () for every  ∈ Γ. We may extend a relabeling function  to a mapping from Act to itself by decreeing that () = . The syntax of the basic process calculus is presented in the following definition.
Definition 1 (process expression [28]).The class  of process expressions is the smallest class of symbol strings that satisfies the following conditions: (1) ℵ, K ∈ .
( The process expressions without process variables are called processes and the class of processes is denoted by P. For any  ∈ R, we assume that there is a defining equation  def =   , such as  =   =  ⋅  ∈ P. Constants provide us a mechanism of recursion in the process calculus.
The transitional semantics of the basic calculus is presented in the style of Plotkin's structural operational semantics [29].We have the following definition.
Definition 2 (labeled transition system [7]).Let  , Transitions with strings of labels may be defined in a natural way.
→   for some  1 , . . .,  −1 ∈ .In this case, we call  an action sequence of  and   is a -derivative of .If for some  ∈ Act * ,   is a -derivative of , then   is called a derivative of .
In the subsequent sections, we mainly consider the restriction (P, Act, { For example, suppose that a vending machine that sells CocaCola can be described as an expression of CCS: Its behavior can be expressed as a transition diagram as in Figure 1.

Parameterized Bisimulation.
The definition of an environment must be introduced, because the motivation of parameterized bisimulation is to parameterize bisimulation equivalence with a special type of information about the context, called the environment. Just as a process may change after performing an action, it is reasonable to assume that an environment may change after consuming an action. Thus environments and their behaviors can be described by a labeled transition system  = (Env, Act, ⇒), where Env is the set of environments, Act is the set of actions (identical to the set of actions used in the transition system of processes), and ⇒ is a subset of Env × Act × Env called the consumption relation.  ⇒   means that " may consume the action  and in doing so become the environment   ." At this point, let us review parameterized bisimulation equivalence. First, we recall bisimulation equivalence without an environment.
Definition 3 (bisimulation [24]).Bisimulation  is a binary relation on P such that whenever  and  ∈ Act, then Two processes,  and , are considered bisimulation if and only if bisimulation  exists and satisfies (, ) ∈ .
Definition 4 (-parameterized bisimulation [24]).Let  = (Env, Act, ⇒) be a transition system of environments.Then an -parameterized bisimulation, , is an Env-indexed family of binary relations,   ⊆ P × P for  ∈ Env, s.t.whenever    and   ⇒ , then we have the following: Two processes,  and , are said to be bisimulation equivalence in the environment  ∈ Env if and only if parameterized bisimulation  exists, such that   , which is denoted by ∼  .
We can prove that  is a parameterized bisimulation. Thus,  0 ∼  0  0 , whereas  0 ≁  0 . Indeed, when the environment  0 can consume the action  to the next environment  1 ,  0 can accept the action ,  0 can also accept the same action, and their next states have the relation   1 . Conversely, if  0 can accept the action , then  0 can also accept the same action, and their next states again have the relation   1 . Similarly,  0 and  0 have the same behavior when environment  0 can consume action  to the next environment  2 . Thus,  0 ∼  0  0 . However, according to Definition 3, we can observe that  0 ≁  0 .
Although ( 2 ,  2 ) ∈   1 ,  2 and  2 will never be considered when  2 and  2 are executed in environment  1 .The reason is that when  1 consumes the action  to the environment  3 ,  2 and  2 cannot execute the action  to the next state.
This proposition indicates that parameterized bisimulation equivalence generalizes bisimulation equivalence.

Approximate Parameterized Bisimulation
For the approximate version of parameterized bisimulation, we present the definition of the parameterized bisimulation index over an environment, which indicates the degree to which a binary relation is a parameterized bisimulation. We also generalize some algebraic properties of parameterized bisimulation.
Let  be a metric on A. As expected, we can extend  to a mapping from Act × Act to [0, ∞], denoted  act , in the following way (for any ,  ∈ A). Then  act is clearly a metric on Act. In addition,  act is an ultrametric provided that  is an ultrametric. For simplicity, we always write  for  act . We now define the numerical generalization of Definition 4. As for parameterized bisimulation, we adopt the following convention: if  1 can consume an action to  2 ,  and  have the relation   1 , but no transitions exist that can make  and  execute certain actions to obtain some states that are included in   2 , then  and  will never be considered when  and  are executed in  1 . (,   ; ) is the infimum of the distances between transitions  and , where  and  are close to . In this sense, Definition 9 is clearly a numerical counterpart of Definition 4, and    expresses the degree to which   is a parameterized bisimulation. Note that the smaller the value of    , the higher the degree to which   is a bisimulation. In particular, for every  ∈ Env,    = 0 when  is a parameterized bisimulation.

Proposition 10. (1)  is a parameterized bisimulation if and only if, for every  ∈ V,    = 0. In particular,     = 0, where    is the identity relation between processes.
( Furthermore, (1) in Proposition 10 indicates that, for any  ∈ Env, the parameterized bisimulation index of a parameterized bisimulation is 0, which is the least possible value of the bisimulation index over the environment . (2) states that, for any environment  ∈ Env, the bisimulation index of a relation   and the bisimulation index of its inverse coincide. (3) means that, for any environment  ∈ Env, the bisimulation index of the composition of two relations is not greater than the sum of the bisimulation indexes of the two relations; if the presumed metric on actions is an ultrametric, then it does not even exceed the greater of the bisimulation indexes of the factor relations. Finally, (4) means that if the degree to which    is a bisimulation is not less than some value for all  ∈ , then the degree to which ⋃ ∈    is a bisimulation is also not less than that value.
In particular, ( 2 ,  2 ) will never be considered when we compute    1 and  1  ⇒  3 . The reason is that the next states of ( 2 ,  2 ) are not in   3 . The other results can be obtained in the same way.

Proposition 12. Let  = (V, , ⇒) be an environment transition system. If  is a strong bisimulation relation, then, for every  ∈ V,   =    , where   is the bisimulation index defined in [7].

Definition 13. Let  = (P, Act, {   →:  ∈ Act}) be a labeled transition system,  = (Env, Act, ⇒) an environment transition system, and  an Env-indexed family of binary relations on P × P; that is,   ⊆ P × P for  ∈ Env. Let  ∈ [0, ∞). If    ≤ , then   is called a λ-parameterized bisimulation over the environment . If   is a   -parameterized bisimulation for every  ∈ , then   is an inf ∈ -parameterized bisimulation.
(1) If  is a parameterized bisimulation, then, for any environment  ∈ V,   is a 0-parameterized bisimulation.
( Using the concept of λ-bisimulation, we can define the notion of λ-parameterized bisimulation over the environment  in the usual way.

Definition 15. Let  be an Env-indexed family of binary relations on P × P. For any  ∈ [0, ∞), we define bisimulation over the environment  as In other words, if (, ) ∈   , then  and  are said to be λ-bisimilar over the environment  whenever a λ-parameterized bisimulation  exists such that (, ) ∈   . If (, ) ∈   and  can consume some actions to   , but  and  do not have any transition such that their next states are included in    , then  and  will never be considered when  and  are executed in the environment .
Next, we illustrate Definitions 9 and 15 with the following example.
Example 16. Two vending machines are assumed to exist. They can be expressed by the following process expressions: A person who wants to buy a cup of CocaCola can be treated as an environment of the vending machines. According to CCS, the behavior of the person can be described as a process: The transition diagrams are given in Figure 4. A metric  exists on the set of actions Act, where Act = {1, 1.2, 0.7, CocaCola, Fanta, Collect}. Consider (1, 1.2) = 0.2, (1, 0.7) = 0.3, (1.2, 0.7) = 0.5, and (CocaCola, Fanta) = 0.2. The distance between any other two distinct actions is ∞.
The following relations can be defined: We obtain the following values. They mean that, when the person does nothing, the approximation degree between the two vending machines is 0.7; when the person puts in 1, the approximation degree between the two vending machines is 0.8; and, finally, when the person chooses the CocaCola, the distance between them is 0.
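As an added illustration of how such an index is computed (this is not the paper's code: the three machines, the buyer environment, the relations and the metric values below are constructed for the example, and the index is computed under one reading of the construction, stated in the docstring, because the formula of Definition 9 is not reproduced on this page), the following Python block computes the index of an Env-indexed family environment by environment and checks the inverse and composition laws of Proposition 10 numerically:

```python
"""Parameterized bisimulation index over an environment, on constructed data.

Added example, not code from the paper.  Reading of the index used here (an
assumption): for an environment move e ==a=> e', every process move
p --b--> p' whose label b is at finite distance from a must be answered by
the cheapest move q --c--> q' whose derivatives (p', q') stay related under
e'; the cost of the pair is the worst such answer in either direction.  An
unanswerable move costs +inf; a pair with no move near a is never considered.
"""
from math import inf

# Processes as labelled transition systems: state -> [(action, next_state)].
# Constructed vending machines (not the machines of the paper's Example 16).
V1 = {"v0": [("1", "v1")], "v1": [("CocaCola", "v2")], "v2": [("Collect", "v0")]}
V2 = {"w0": [("1.2", "w1")], "w1": [("Fanta", "w2")], "w2": [("Collect", "w0")]}
V3 = {"u0": [("0.7", "u1")], "u1": [("Fanta", "u2")], "u2": [("Collect", "u0")]}
LTS = {**V1, **V2, **V3}

# Environment transition system (the buyer): e ==a=> e' means e consumes a.
ENV = {"e0": [("1", "e1")], "e1": [("CocaCola", "e2")], "e2": [("Collect", "e0")]}

# Metric on actions: the finite distances of Example 16; any other pair of
# distinct actions is infinitely far apart.
_DIST = {frozenset({"1", "1.2"}): 0.2, frozenset({"1", "0.7"}): 0.3,
         frozenset({"1.2", "0.7"}): 0.5, frozenset({"CocaCola", "Fanta"}): 0.2}


def d(a, b):
    return 0.0 if a == b else _DIST.get(frozenset({a, b}), inf)


def _half(lts, p, q, a, related):
    """sup over p --b--> p' with d(a, b) < inf of the inf over q --c--> q'
    with related(p', q') of d(b, c).  An empty sup is 0 (nothing to answer);
    an empty inf is +inf (the move of p cannot be answered at all)."""
    worst = 0.0
    for b, p2 in lts[p]:
        if d(a, b) == inf:
            continue
        best = inf
        for c, q2 in lts[q]:
            if related(p2, q2):
                best = min(best, d(b, c))
        worst = max(worst, best)
    return worst


def env_index(lts, env, R):
    """Index of the Env-indexed family R, computed environment by environment."""
    index = {}
    for e, moves in env.items():
        worst = 0.0
        for a, e2 in moves:
            nxt = R.get(e2, set())
            for p, q in R.get(e, set()):
                worst = max(worst,
                            _half(lts, p, q, a, lambda x, y: (x, y) in nxt),
                            _half(lts, q, p, a, lambda x, y: (y, x) in nxt))
        index[e] = worst
    return index


def inverse(R):
    return {e: {(q, p) for p, q in pairs} for e, pairs in R.items()}


def compose(R, S):
    """Relational composition, environment by environment."""
    return {e: {(p, r) for p, q in R.get(e, set())
                for q2, r in S.get(e, set()) if q == q2}
            for e in set(R) | set(S)}


def is_lambda_bisimulation(lts, env, R, lam):
    """R_e is a lam-parameterized bisimulation over e iff its index is <= lam."""
    return {e: v <= lam for e, v in env_index(lts, env, R).items()}


# Relations pairing the machines state by state along the buyer's run.
R12 = {"e0": {("v0", "w0")}, "e1": {("v1", "w1")}, "e2": {("v2", "w2")}}
R23 = {"e0": {("w0", "u0")}, "e1": {("w1", "u1")}, "e2": {("w2", "u2")}}

if __name__ == "__main__":
    print(env_index(LTS, ENV, R12))                    # {'e0': 0.2, 'e1': 0.2, 'e2': 0.0}
    print(env_index(LTS, ENV, compose(R12, R23)))      # {'e0': 0.3, 'e1': 0.2, 'e2': 0.0}
    print(is_lambda_bisimulation(LTS, ENV, R12, 0.2))  # every environment True
```

Under this reading the composition bound of Proposition 10(3) follows from the triangle inequality for d (V1 against V3 costs 0.3 at e0, which is below 0.2 + 0.5), and the inverse of a family has the same index. Two caveats are visible in the code: a related pair whose successors are not related under the next environment makes the index infinite, whereas a pair neither of whose members can move on anything near the consumed action contributes nothing, so an index of 0 over an environment certifies agreement only on the actions that environment can actually consume.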
Next, we prove various properties of λ-parameterized bisimulation over the environment .

Congruence of 𝜆-Parameterized Bisimulation over Environment 𝑒
To support hierarchic development and modular decomposition of software, it is necessary to ensure that equivalences are congruences with respect to the process combinators; that is, if two processes are equivalent, then the new processes obtained by combining them with the same context are also equivalent. In this section, we discuss the substitutivity laws of λ-parameterized bisimulation under various combinators.
From the definition above, we can see that -roundness is a stringent condition. In [7] it is proved that there are only two -round sets in the real line when  > 0: the empty set and the real line itself. It is also shown there that this is not the case in general. For example, if  = ⋃ ∈   , where {  } ∈ is pairwise disjoint and (, ) >  for any ,  ∈  with  ∈   and  ∈   ( ̸ = ), then each   is -round for every  ≤ .

Parameterized Probabilistic Bisimulation
The behaviors of some complicated software systems are often probabilistic in nature, and a system with probabilistic behaviors may typically be described as a probabilistic process. van Glabbeek et al. [31] introduced three models of probabilistic processes according to the relation between the occurrences of actions and transition probabilities: reactive, generative, and stratified. For example, Larsen and Skou [19] adopted a reactive model for probabilistic processes; Giacalone et al. [14] considered generative probabilistic processes; the probabilistic processes dealt with by Smolka and Steffen [32] are in a stratified setting. These models are extensions of SCCS, proposed by Milner [33]. Ying [34] proposed a new model of probabilistic processes, APPA, which is a probabilistic extension of CCS. Giacalone et al. [13] relaxed the notion of probabilistic bisimulation on the class of deterministic PCCS processes: two processes can simulate each other with a bound  on the deviation in probability. Furthermore, a natural notion of distance between deterministic PCCS processes and an accompanying metric space were proposed. To show the effect of the environment on the execution of software, we extend parameterized bisimulation to the probabilistic case. First, the syntax and semantics of probabilistic processes are reviewed. As in SCCS [33], let (Act, ×, 1) be an Abelian monoid. Intuitively, an action of the form  ×  represents the simultaneous execution by a process of the actions  and . We will often use juxtaposition to denote products of actions, for example, . It is convenient to assume that ∀ ∈ A, ∃ ∈ A :  ×  =  ×  = 1 and vice versa.
Then (Act, ×, 1, − ) is an Abelian group. Let  be a subset of Act such that 1 ∈ , and let  : Act → Act be a monoid morphism.  is assumed to be a process variable. The syntax of PCCS is given by the following definition.
Definition 22 (the syntax of PCCS [13]). The set of probabilistic process expressions is the smallest set which includes 0, , and the following expressions: An expression that has no free variables is called a process, and Pr is the set of all PCCS processes. Intuitively, 0 has no derivations, whereas  ⋅  performs action  with probability 1 and then behaves like . A summation expression offers a probabilistic choice among its constituent behaviors, where  is countable, so ∑ ∈   is a probability distribution. When  = 0, then 0 = ∑ ∈0   . Product represents synchronized process composition. For the restricted expression  ↾ , only actions in  are visible to an observer, while a morphism specifies relabeling of actions. Finally, fix   defines a recursive process.
Then, similar to [13], we introduce an unindexed arrow that represents the cumulative probabilistic derivation of one process from another. For ,  ∈ Pr and  ∈ Act, we write   → }. Let DPr be the class of deterministic PCCS processes; that is, if  ∈ DPr, then, for any  ∈ Act,  has at most one probabilistic derivation of type . The operational semantics of deterministic PCCS processes can then be described as follows.
Definition 23 (see [13]). The structural operational semantics of deterministic PCCS processes based on probabilistic derivations is given as a set of inference rules in the style of Plotkin: Act  ⋅   [1]   → ,   →   . (

Similar to the assumption on parameterized bisimulation, it is reasonable to assume that an environment and its behaviors can be described as a deterministic PCCS process. Env is the set of environments, Act is the set of actions (identical to the set of actions used in the transition system of processes), and  ⇒   means that  may consume the action  with probability  and afterwards becomes the environment   .
Then, parameterized probabilistic bisimulation is defined.
Definition 24. Let  = (Env, Act, ⇒) be a probabilistic environment transition system. Then an -parameterized probabilistic bisimulation, , is an Env-indexed family of binary relations   ⊆ DPr × DPr for  ∈ Env, such that whenever (, ) ∈   and  ⇒^{𝛼[𝑝]} , we have the following: Two processes,  and , are said to be probabilistic bisimulation equivalent on the environment  ∈ Env if and only if there exists an -parameterized probabilistic bisimulation  such that (, ) ∈   . We write parameterized probabilistic bisimulation with the symbol ∼ pr  to distinguish it from parameterized bisimulation.
Example 25. Let , , and  be given in Figure 5. The Env-indexed family  is shown as follows: Then, according to Definition 24,  is an -parameterized probabilistic bisimulation. So,  0 ∼ pr

Next, we try to relax the -parameterized probabilistic bisimulation to establish an approximate parameterized probabilistic bisimulation. In [18], there is a rather rich state-space structure, and a metric between two processes employs the probabilistic conditional kernels underlying the two stochastic processes; another metric there is based on the dynamical properties of the two processes. Compared with the metrics in [18], our model only focuses on the difference between the probabilities with which two processes can execute the same action.

(1) If  is a parameterized probabilistic bisimulation, then, for  ∈ V,   is a 0-probabilistic bisimulation.

( If  and  are said to be λ-probabilistic bisimilar on the environment , then a λ-probabilistic bisimulation   exists such that (, ) ∈   . Thus, we can write ∼ pr,  .

Example 30. Let , , and  be given in Figure 6. The Env-indexed family  is shown as follows: Then we can obtain that  0 ∼ pr,0.3

Theorem 31. Let  = (V, , ⇒) be a probabilistic environment transition system and  ∈ [0, 1]: (1) If ∼ ,  , then  ⋅ ∼ , ⋅  ⋅ .
In fact, if () Notice that we do not show the proof of the substitutivity laws for the synchrony operator × and the restriction operator ↾. The main reason is that we cannot find a suitable λ-parameterized probabilistic bisimulation according to Definition 24. Therefore, our model only uses the prefix operator , the relabeling operator [], and the sum operator ∑ to help us verify approximate correctness. In the future, we will attempt to find a suitable model that supports these substitutivity laws.

Conclusion
In this study, we formalized the approximate correctness of software products. We focused on the approximate version of parameterized bisimulation and extended parameterized bisimulation to the probabilistic setting. We presented the definitions of λ-parameterized bisimulation and parameterized probabilistic bisimulation over the environment , and proved the substitutivity laws of λ-parameterized bisimulation and λ-parameterized probabilistic bisimulation over the environment . These approximate versions provide theoretical foundations for verifying the degree to which software is approximately correct. In the future, we will try to find effective algorithms to carry out the verification.
Modal logical characterizations of λ-parameterized bisimulation and λ-parameterized probabilistic bisimulation over the environment  would be useful for verifying whether two processes are approximately related under parameterized bisimulation. In the future, we will attempt to establish such modal logical characterizations.

Figure 1: An example of CCS.

Figure 3: An example of the parameterized bisimulation index.