The interval domain as a semantic foundation for reasoning about uncertainty or vagueness

Michael Huth
Department of Computing and Information Sciences, Kansas State University, Manhattan, KS 66506-2302, [email protected], WWW home page: http://www.cis.ksu.edu/~huth

Abstract. We re-interpret the category of relations according to views, pairs of dcpos $\langle P, T \rangle$ such that $T$ embeds as a set into the set of maximal elements of $P$. A qualitative view $\langle \mathbf{M}, \mathbf{2} \rangle$ renders the modal transition systems of K. Larsen and B. Thomsen as a partial view, $\rho : X \times Y \to \mathbf{M}$, of relations, $R : X \times Y \to \mathbf{2}$. A quantitative view represents relations as fuzzy ($T$ is the unit interval $\mathbf{UI}$) or interval-valued ($P$ is the interval domain $\mathbf{I}$) relations. We specify functors mediating between these categories to provide soundness of these interpretations. As for probability theory, we propose the view $\langle \mathbf{I}, \mathbf{UI} \rangle$ to embed the set of probability measures into the set of maximal elements of a space of partial probability measures. It is hoped that this provides a foundation for reasoning probabilistically about systems with inherent uncertainty, or vagueness, such as the probabilistic specifications of B. Jonsson and K. Larsen.

1 Motivation and outline

1.1 Motivation

The work presented here is motivated by the area of model checking, an automated, model-based, property-verification approach to the formal verification of systems. Model checking, invented independently in the early eighties by E. Clarke and E.A. Emerson [5], and by J.-P. Queille and J. Sifakis [28], has become a quite powerful technique for modeling and reasoning about computer systems, and the number of supporting tools is growing: see e.g. SMV, Verus, SPIN, cwb, FDR, The Concurrency Workbench of North Carolina, The Bandera Toolset, HyTech, and UPPAAL (the latter two verify hybrid and/or timed systems). The vital components of a model checking framework are

1. a system description language, $L$, and its operational semantics, which maps programs $P$ written in $L$ to concrete mathematical models $M$ (e.g. the language SMV and its programs representing Kripke structures [22]);
2. a specification language with a precise formal semantics on models, as a vehicle for expressing program behavior, originally provided in plain English, in a rigorous fashion (e.g. the branching-time logic CTL and its semantics over Kripke structures [5]);
3. feasible algorithms and implementations for deciding whether a model $M$, represented by a program $P$, satisfies a formal specification of behavior (e.g. symbolic model checking [3] and its implementation based on BDDs [2]);
4. a facility for informative counter-trace generation in case $P$/$M$ does not satisfy the specification (e.g. the debugging information provided by SMV [22]);
5. and a host of techniques for state-space reduction, combating the "state-explosion problem": equivalences (e.g. bisimulation [26, 24]), preorders (e.g. simulations [23]), abstract interpretation [8, 6], partial ordering or induction [22], to name the more prominent ones.

So far model checking has been a very successful programme for qualitative system design and analysis and is increasingly adopted by Research & Development departments throughout the hardware and software industry. However, its transfer to quantitative, or more loosely described, systems has, by and large, been problematic. Generally speaking, viewing a system in a different mode (e.g. a probabilistic analysis) typically involves the invention of new description languages, specification logics, abstraction techniques, and verification algorithms. Having to learn several, seemingly unrelated, and monolithic model checking platforms will not persuade designers to make more use of these formal methods in their design and analysis processes. It is therefore desirable to have a model checking platform in which such changes of view impact only minimally on the formalisms for specifying systems and behavior; see Section 5.1 for a sketch of a possible, event-based, solution. Moreover, insights gained in one particular mode (e.g. a probabilistic one) may well be meaningful results if re-interpreted in a different mode (e.g. a qualitative one). At present, little if any work has been done which would establish links and similarities between such views formally.
The pair "qualitative/quantitative" is only one dimension along which one may vary the view of a system. Designers often would like to be more liberal in prescribing which actual implementations, or abstract representations thereof, realize a formally described system. In [20], it has been argued convincingly that equivalence notions such as bisimulations are simply too restrictive to allow for any viable degree of freedom in implementing an abstractly defined system, for implementations are confined to equivalence classes of the original system specification. As an alternative example, Timed Modal Specifications [4] is a process calculus which specifies timed labeled transition systems with must and may predicates on state transitions; ignoring "time" for the sake of brevity, $s \xrightarrow{a}_{\Box} s'$ means that state $s$ must be able to perform action $a$, resulting in state $s'$; and $s \xrightarrow{a}_{\Diamond} s'$ denotes that state $s$ may be able to perform action $a$, resulting in state $s'$. Such a description formalism permits more freedom at the implementation level. Dually, potential model checks of such systems will have to be more conservative, as their findings should be safe and sound for all acceptable implementations. Another example of partially described systems are the probabilistic specifications in [19], whose state-transition function $R$ maps triples $\langle s, a, s' \rangle$ to "sets of probabilities", or more importantly and specifically, to intervals $[x, y]$ with $0 \le x \le y \le 1$. One may view these values $x$/$y$ as lower/upper bounds of actual probabilities (e.g. if the implementations are viewed as Markov decision processes [11], also known as concurrent Markov chains [31]), or these numbers could stand for lower/upper bounds of more abstract values such as cost, confidence, vagueness, uncertainty, "hot paths", or evidence; a semantic analysis of such values then has different modes as well, such as "average" or "worst/best case" behavior. In adopting the view that finite-state models have state-transition functions $R$ which map into a domain of partial information, in the form of intervals, one obtains a notion of model that makes it possible to express structures used in decision and utility theories, or fuzzy logic inference systems. Bayesian networks (see [17] for a competent introduction), while having practical impact and typically efficient design and inference algorithms, only allow for inferences of the type $P(\mathit{Queries} \mid \mathit{Evidence})$ (what is the probability that the query variables take on the specified values, given the evidence, i.e. state information?), and little formal work seems to exist that would link and compare the established state-space reduction techniques in (probabilistic) model checking to the design and inference algorithms and compactification techniques employed in Bayesian networks. As for fuzzy logic inference systems, they lack a formal semantic foundation that would make them into a proper scientific notion in the sense that one could predict (aspects of) such systems' behaviors. The need for such predictive capabilities is particularly pressing as such inference systems are increasingly used in artifacts using engineering control systems (see e.g. [21]). A model checking framework for interval-valued, finite-state systems would provide a formally defined tool for reasoning about, and assessing, the dynamics and interaction of a set of fuzzy inference rules, rendering a design & analysis methodology for such structures.
We demonstrate below that a wide variety of different views of systems, including the ones aforementioned, have a conceptually elegant and rather uniform description if expressed in a framework for totally and partially specified systems. Furthermore, we hope that such a uniform model checking framework for partially and totally specified systems will provide a better foundation for probabilistic reasoning in the presence of uncertainty, based on models whose state predicates and state transitions have interval values; thus, we expect to provide a better account of reasoning with probabilities in the presence of uncertainty than the one provided by theories of evidence developed in the Artificial Intelligence community.

Apart from the current need for a plethora of monolithic model checking tools, another important obstacle to making model checking applicable to large-scale industrial projects is the "state-explosion problem": every additional state predicate (= bit) typically doubles the size of the system's state space. Hence, techniques are sought which simplify the system in a safe manner down to a manageable size. One approach is based on bisimulations [24, 26], which provide formally defined equivalence relations for replacing system components by "equivalent ones" and for approximating infinite-state systems by ones with finitely many states; however, this technique seems to perform poorly if applied to a global system in symbolic model checking [15]. Moreover, the state-space reduction achieved by bisimulations is often insufficient for actual industrial designs, and more aggressive abstraction techniques are required (see e.g. [7]). Simulations [23], for example, allow for much coarser abstractions of systems, yet this comes at the price of being safe only for universal safety/liveness properties [6]. This is a serious drawback of simulations and the standard framework of abstract interpretation [8] alike, for realistic specifications of reactive system behavior frequently mix universal and existential path quantifiers in the same formal specification (e.g. "for all reachable states, there is some path leading to a reboot state"). The work in [9], although not embedded into the model-checking paradigm, adapts the conventional abstract interpretation framework to improve on this. One particular objective of this planned work, therefore, is to provide abstraction/refinement notions which are defined uniformly across system views and which are safe with respect to model checks of all specifications, even those that mix universal and existential path quantifiers. This has already been addressed in [18].

The overall objective of this proposed line of research is to make a substantial initial contribution toward a uniform model checking framework for reasoning about totally specified systems (e.g. as done for SMV programs in [22]) and partially specified ones (e.g. the timed modal transition systems in [4]) in an integrated fashion. Conceptually, this is similar in spirit to the work done by A. Edalat and his research group at Imperial College, London, where they embed classical topological spaces into domains, making it possible to approximate points of the space (total information, e.g. a probability measure) with domain elements (partial information, e.g. a linear combination of point measures).
In that project, the introduction of partial elements has led to significant contributions to numerical integration [13], the design of new image-compression algorithms based on work in dynamical systems and fractals [12], and the derivation of novel semantics and implementations of exact real arithmetic [14]. Although we propose a non-standard version of an established methodology, we hasten to point out that this subsumes the existing approach, as totally specified systems are just a "completed" form of partially given systems.

Let us discuss such an extended platform informally by means of a very simple example. Doubly Labeled Transition Systems [10] may be written as triples $M = (S, R, L)$, where $S$ is a set of states, $R : S \times \mathit{Act} \times S \to \mathbf{2}$ is the state-transition function ($\mathbf{2}$ is the lattice $\{ff < tt\}$ and $\mathit{Act}$ is a set of action labels), and $L : S \times \mathit{AP} \to \mathbf{2}$ is the state-labeling function ($\mathit{AP}$ is a set of atomic state predicates). They generalize Kripke structures (= state-based models such as SMV programs) and labeled transition systems (= event-based models such as process algebra terms), and there are well understood ways of mapping Doubly Labeled Transition Systems down to Kripke structures and labeled transition systems [10]. We propose to change a view of such a system by changing the domain $\mathbf{2}$ to some abstract domain $T$ of total elements. In general, if the totally specified model $M$ maps into a domain $T$ instead of $\mathbf{2}$, then a partial aspect of this view would require a domain $P$ such that the elements of $T$ are identified with maximal (= total) elements in $P$; a notable example for the probabilistic case is when $T$ is the unit interval domain $(\mathbf{UI}, \le)$ in the usual ordering and $P$ is the interval domain $\mathbf{I}$ [25, 29] of all intervals $[x, y]$ with $0 \le x$ and $y \le 1$, ordered under reverse inclusion: $[x, y] \sqsubseteq [u, v]$ iff $x \le u$ and $v \le y$. Note that the set $\mathbf{UI}$ can be identified with the set of maximal elements $\{[r, r] \mid 0 \le r \le 1\}$ of $\mathbf{I}$. Thus, we model a view by a pair of domains $\langle P, T \rangle$, here given by $\langle \mathbf{I}, \mathbf{UI} \rangle$, such that $T$ embeds into the set of maximal elements of $P$.

See Figure 1 for a toy example of an unreliable medium and several changes of view. The Kripke structure in (a) is obviously of little use, as it allows for no qualitative or quantitative means of avoiding, or assessing, possible erroneous system behavior. The system in (b) is obtained by changing $\mathbf{2}$ to $\mathbf{M}$, the domain $\{dk, ff, tt\}$ in which $dk$ ("don't know") is the least element and all others are maximal. Thus, the unifying view is the pair $\langle \mathbf{M}, \mathbf{2} \rangle$. If one interprets $\Box$ as $\{tt\}$ (necessary/guaranteed) and $\Diamond$ as $\{dk, tt\}$ (possible), then such systems are essentially the modal transition systems of [20]; the models of [9] are a slight variation of these as well. The intuition behind $s \xrightarrow{a}_{\Box} s'$ is that the system guarantees (must be implemented) a state transition $s \xrightarrow{a} s'$ in the underlying concrete model with $T = \mathbf{2}$, whereas $s \xrightarrow{a}_{\Diamond} s'$ only says that such a system move is possible (may be implemented); note that there is only one type of action in the state-based example in Figure 1, so the action labels in state transitions are omitted. With the more flexible view in (b), one is able to talk about "possible" system failure, but one needs a system as in (c), a Markov chain, to be able to quantify such a possibility by means of probabilistic model checking.
The system in (d) also provides such quantitative descriptions, but $R(s, a, s') = [x, y]$ could now be interpreted as specifying lower ($x$) and upper ($y$) bounds of state-transition probabilities. As in the case of ordinary Markov chains, "loose Markov chains", as in (d), contain probabilistic information, but they also model the uncertainty, ignorance, or vagueness of such information within the same structure. This is appealing since, except for Bayesian networks, there are no satisfactory accounts of combining probabilities and uncertainties, or ignorance, in the same framework; this is particularly true for the theories of evidence studied in Artificial Intelligence when reasoning about knowledge under uncertainty and ignorance.

1.2 Outline

In Section 2, we study the notion which is at the heart of this work: relations and their composition with respect to a given view. We define a pair of categories of relations for each of the views $\langle \mathbf{M}, \mathbf{2} \rangle$ and $\langle \mathbf{I}, \mathbf{UI} \rangle$. The category for $\mathbf{2}$ is just $\mathrm{REL}$, the usual category of relations. The category for $\mathbf{UI}$ has fuzzy relations as morphisms, but the category for $\mathbf{I}$ recasts fuzzy relations and their composition to render a worst/best case semantics. In Section 3, we propose a notion of partial probability measure which generalizes ordinary probability measures in the sense that the latter turn out to be the maximal elements of a dcpo of partial probability measures. One may use such maps to compute the meaning of, say, linear temporal logic formulas for systems such as the one in Figure 1(d).

[Figure 1 (image not reproduced). Four views of an unreliable medium with states empty, full and error and the single action deliver: (a) qualitative, fully specified; (b) qualitative, loosely specified, with $\Box$ (must) and $\Diamond$ (may) transitions; (c) quantitative, fully specified, a Markov chain with transition probabilities; (d) quantitative, loosely specified, with interval-valued transitions such as $[1, 1]$.]

Fig. 1. Modeling an unreliable medium [19].

2 Categories of relations parametric in views

We refer to [1] as a general reference for domain-theoretic concepts and results, to [16] for basic notions of measure theory, and to [27] as a basic reference for category theory. Let us recall the category $\mathrm{REL}$ of relations. Its objects are all sets $X, Y, Z, \ldots$; the morphisms $\rho \in \mathrm{REL}(X, Y)$ are all subsets of $X \times Y$; the identity morphism for $X$ is $\mathrm{id}_X = \{(x, x') \in X \times X \mid x = x'\}$, and the composition $\rho;\sigma$ of $\rho \in \mathrm{REL}(X, Y)$ and $\sigma \in \mathrm{REL}(Y, Z)$ is given by

$$(x, z) \in \rho;\sigma \quad\text{iff}\quad \text{there exists } y \in Y \text{ such that } (x, y) \in \rho \text{ and } (y, z) \in \sigma. \tag{1}$$

According to the agenda put forward in the introduction, we think of this category as $\mathrm{REL}_{\mathbf{2}}$, for the morphisms $\rho \subseteq X \times Y$ can be written as functions $\rho : X \times Y \to \mathbf{2}$, where $\mathbf{2}$ is the lattice $\{ff < tt\}$. We will move freely between these representations throughout this paper. The dcpo $\mathbf{2}$ models a total domain $T$ of a qualitative view, $\langle P, T \rangle$, since morphisms in $\mathrm{REL}_{\mathbf{2}}$ specify relations totally (= completely) and in a qualitative manner. To complete the view, we require a domain $\mathbf{M}$ which adequately models relations as partial, but qualitative, specifications of morphisms in $\mathrm{REL}_{\mathbf{2}}$. Here we borrow from the work by K. Larsen and B. Thomsen on modal transition systems [20], where they consider state-transition relations whose instances may, or must, be realized in an implementation. We will then develop a quantitative pair of categories of relations, based on the view $\langle \mathbf{I}, \mathbf{UI} \rangle$, point out its similarities and differences to the framework of fuzzy logic, and study ways of shifting the point of view of relations such that the underlying categorical structure is sound with respect to such shifts.

Generally, given a view $\langle P, T \rangle$, we seek two categories $\mathrm{REL}_P$ and $\mathrm{REL}_T$ such that

1. each hom-set $\mathrm{REL}_D(X, Y)$ is a dcpo, for $D = P$ or $T$;
2. $\mathrm{REL}_T$ embeds as a set into the set of maximal elements of $\mathrm{REL}_P$;
3. morphisms in $\mathrm{REL}_T$ model totally specified relations according to the view $\langle P, T \rangle$;
4. morphisms in $\mathrm{REL}_P$ model partially (= incompletely) specified relations according to that view, and the notion of approximation is given by the ordering on the hom-sets of $\mathrm{REL}_P$;
5. the composition in these two categories is "sound" with respect to the composition in the category $\mathrm{REL}$, provided that we have a means of saying which concrete relations are approximated by morphisms in $\mathrm{REL}_P$.

In defining the category $\mathrm{REL}_{\mathbf{M}}$, we set $\mathbf{M} = \{dk, ff, tt\}$, a dcpo with $dk$ as least element and all other elements maximal. The semantics of $\rho : X \times Y \to \mathbf{M}$ is that it approximates concrete relations $R \subseteq X \times Y$ such that

$$(x, y) \in R \;\begin{cases} \text{must be true,} & \text{if } \rho(x, y) = tt;\\ \text{may be true,} & \text{if } \rho(x, y) = dk; \text{ and}\\ \text{cannot be true,} & \text{if } \rho(x, y) = ff. \end{cases} \tag{2}$$

The pointwise ordering on the function space $\mathrm{REL}_{\mathbf{M}}(X, Y)$ precisely captures this notion of approximation, in that the maximal elements above $\rho$ are exactly those concrete relations which are consistent with the partial specification $\rho$. As in [20], we require modalities $\Box$ and $\Diamond$, for must and may, respectively, but we need to interpret them, more generally, as unary predicates over domains $D$. For the qualitative view $\langle \mathbf{M}, \mathbf{2} \rangle$ we set

$$\Box_{\mathbf{2}} = \{tt\} \qquad \Diamond_{\mathbf{2}} = \{tt\} \qquad \Box_{\mathbf{M}} = \{tt\} \qquad \Diamond_{\mathbf{M}} = \{tt, dk\},$$

so the modalities agree on $\mathbf{2}$, $\Box$ implies $\Diamond$ on both domains, and on the maximal elements of $\mathbf{M}$, which are those of $\mathbf{2}$, the two modalities coincide. As for the view $\langle \mathbf{I}, \mathbf{UI} \rangle$, we set

$$\Box_{\mathbf{UI}} = \{r \in \mathbf{UI} \mid r > 0\} \qquad \Diamond_{\mathbf{UI}} = \{r \in \mathbf{UI} \mid r > 0\} \qquad \Box_{\mathbf{I}} = \{[x, y] \in \mathbf{I} \mid x > 0\} \qquad \Diamond_{\mathbf{I}} = \{[x, y] \in \mathbf{I} \mid y > 0\},$$

which enjoy the same properties as mentioned for the view above. Given any view $\langle P, T \rangle$, we require that the interpretation of $\Box$ implies the one of $\Diamond$ on $P$ and $T$, that the two interpretations agree on the set of maximal elements of $P$, and that they coincide with the interpretation on $T$ for those maximal elements which correspond to elements of $T$. These constraints are met for the two views above.

2.1 The qualitative view

The category of modal relations. The category $\mathrm{REL}_{\mathbf{M}}$ has as objects all sets, and $\mathrm{REL}_{\mathbf{M}}(X, Y)$ equals the dcpo of all functions $\rho : X \times Y \to \mathbf{M}$ in the pointwise ordering. To define compositions, we need to interpret (1) over $\mathbf{M}$. For that, it suffices to give interpretations of conjunction and disjunction on $\mathbf{M}$. Let $\wedge^{\mathbf{M}}$ be the unique commutative extension of conjunction over $\mathbf{2}$ such that $d \wedge^{\mathbf{M}} ff = ff$ and $e \wedge^{\mathbf{M}} dk = dk$ if $e \ne ff$. Extend negation from $\mathbf{2}$ such that $\neg^{\mathbf{M}} dk = dk$ and set $d \vee^{\mathbf{M}} e = \neg^{\mathbf{M}}(\neg^{\mathbf{M}} d \wedge^{\mathbf{M}} \neg^{\mathbf{M}} e)$. We re-interpret (1) as

$$\rho;\sigma\,(x, z) = \bigvee^{\mathbf{M}} \{\, \rho(x, y) \wedge^{\mathbf{M}} \sigma(y, z) \mid y \in Y \,\}, \tag{3}$$

where $\bigvee^{\mathbf{M}}$ is $\vee^{\mathbf{M}}$ extended to arbitrarily many arguments (the empty disjunction being $ff$, the identity of $\vee^{\mathbf{M}}$). Note that this expression computes $tt$ iff $\Box\rho(x, y)$ and $\Box\sigma(y, z)$ hold for some $y \in Y$; otherwise, it computes $dk$ iff we have $\Diamond\rho(x, y')$ and $\Diamond\sigma(y', z)$ for some $y' \in Y$. As identity $\mathrm{id}_X$ we set $\mathrm{id}_X(x, x') = tt$ iff $x = x'$; otherwise, we have to define this as $ff$ (setting any of this to be $dk$ will not result in a two-sided identity).

Theorem 1. $\mathrm{REL}_{\mathbf{M}}$ is a category (of modal relations) such that each hom-set is a dcpo and the maximal elements of $\mathrm{REL}_{\mathbf{M}}(X, Y)$ are in a one-to-one correspondence to $\mathrm{REL}_{\mathbf{2}}(X, Y)$.

Proof. For the identities, given $\rho \in \mathrm{REL}_{\mathbf{M}}(X, Y)$, we use (3) to conclude that $\rho;\mathrm{id}_Y\,(x, y)$ equals $\rho(x, y)$: all terms $\rho(x, y') \wedge^{\mathbf{M}} \mathrm{id}_Y(y', y)$ either yield $\rho(x, y') \wedge^{\mathbf{M}} ff$ or $\rho(x, y') \wedge^{\mathbf{M}} tt$ (if $y = y'$), so the overall result is $\rho(x, y)$ in any event. Similarly, one shows that $\mathrm{id}_Y;\sigma = \sigma$ for any $\sigma \in \mathrm{REL}_{\mathbf{M}}(Y, Z)$. To prove the associativity of composition, consider $\rho \in \mathrm{REL}_{\mathbf{M}}(X, Y)$, $\sigma \in \mathrm{REL}_{\mathbf{M}}(Y, Z)$, and $\tau \in \mathrm{REL}_{\mathbf{M}}(Z, W)$. Since morphisms can take on values only in $\mathbf{M}$, it suffices to show that $\rho;(\sigma;\tau)\,(x, w)$ computes $tt$/$ff$ iff $(\rho;\sigma);\tau\,(x, w)$ computes $tt$/$ff$.

1. If $\rho;(\sigma;\tau)\,(x, w) = tt$, then there exists some $y_0 \in Y$ with $\rho(x, y_0) = tt$ and $\sigma;\tau\,(y_0, w) = tt$. The latter then implies that there exists some $z_0 \in Z$ with $\sigma(y_0, z_0) = tt$ and $\tau(z_0, w) = tt$. If we read this in the reverse order, we get $\rho;\sigma\,(x, z_0) = tt$ and $\tau(z_0, w) = tt$, so $(\rho;\sigma);\tau\,(x, w) = tt$ follows.
2. The converse of item 1 is argued in a symmetric manner.
3. If $(\rho;\sigma);\tau\,(x, w) = ff$, then $\rho;\sigma\,(x, z) = ff$ or $\tau(z, w) = ff$ for all $z \in Z$. But this implies: for all $z \in Z$, $\tau(z, w) = ff$ or (for all $y \in Y$, $\rho(x, y) = ff$ or $\sigma(y, z) = ff$). This ensures that any way of linking $(x, w)$ in $\rho;(\sigma;\tau)\,(x, w)$ only results in $ff$, so $\rho;(\sigma;\tau)\,(x, w) = ff$.
4. The converse of item 3 is shown in a similar way.

One may wonder about the choice of the interpretations $\wedge^{\mathbf{M}}$ and $\vee^{\mathbf{M}}$ that are instrumental in (3), but they do have universal properties. Let us call a monotone map $T : \mathbf{M} \times \mathbf{M} \to \mathbf{M}$ a t-norm over $\mathbf{M}$ iff $(\mathbf{M}, T, tt)$ is a commutative monoid with $T(d, e) = ff$ iff $d$ or $e$ equals $ff$. We think of $T$ as an interpretation of conjunction. Contrary to the situation in fuzzy logic, where the domain is $\mathbf{UI}$, such t-norms are unique.

Lemma 1. The function $\wedge^{\mathbf{M}}$ is the unique t-norm over $\mathbf{M}$.

Proof. Let $T$ be any t-norm over $\mathbf{M}$. Since $tt$ is an identity for $T$, we get $T(d, tt) = d = d \wedge^{\mathbf{M}} tt$. By the condition on $T(d, e) = ff$, we get $T(d, ff) = ff = d \wedge^{\mathbf{M}} ff$. Since $T$ is commutative, the only remaining case is $T(dk, dk)$; but since $T$ is monotone and $dk \sqsubseteq tt$, we get $T(dk, dk) \sqsubseteq T(tt, dk) = dk$, i.e. $T(dk, dk) = dk = dk \wedge^{\mathbf{M}} dk$.

Soundness of approximation. With Theorem 1 in place, it remains to show that $\mathrm{REL}_{\mathbf{M}}$ is "sound" with respect to the categorical structure of $\mathrm{REL}_{\mathbf{2}}$. To that end, we make use of the interpretation of the modalities on $\mathbf{M}$ to define two functors $F_{\Box}$ and $F_{\Diamond}$ from $\mathrm{REL}_{\mathbf{M}}$ to $\mathrm{REL}_{\mathbf{2}}$. Intuitively, $F_{\Box}$ acts on morphisms by providing the smallest concrete relation $R_{\min}$ that is consistent with $\rho$ (the must-pairs); dually, $F_{\Diamond}$ renders the largest such consistent relation $R_{\max}$ (the may-pairs). Together, they specify the complete range of possible concrete relations that are approximated by $\rho$: all relations $R$ with $R_{\min} \subseteq R \subseteq R_{\max}$.

Definition 1. We define $F_{\Box}, F_{\Diamond} : \mathrm{REL}_{\mathbf{M}} \to \mathrm{REL}_{\mathbf{2}}$ on objects as $F_{\Box}(X) = F_{\Diamond}(X) = X$. For morphisms $\rho \in \mathrm{REL}_{\mathbf{M}}(X, Y)$, we set

$$F_{\Box}(\rho) = \{(x, y) \in X \times Y \mid \Box\rho(x, y)\} \tag{4}$$
$$F_{\Diamond}(\rho) = \{(x, y) \in X \times Y \mid \Diamond\rho(x, y)\}. \tag{5}$$

The soundness of the categorical structure on $\mathrm{REL}_{\mathbf{M}}$ with respect to the one on $\mathrm{REL}_{\mathbf{2}}$ now follows from the fact that $F_{\Box}$ and $F_{\Diamond}$ are monotone functors.

Proposition 1. The functions $F_{\Box}$ and $F_{\Diamond}$ defined above are monotone functors.

Proof. From the definition of $\mathrm{id}_X$ in $\mathrm{REL}_{\mathbf{M}}$ and the interpretation of the modalities on $\mathbf{M}$, it immediately follows that $F_{\Box}$ and $F_{\Diamond}$ preserve identities. Given $\rho \in \mathrm{REL}_{\mathbf{M}}(X, Y)$ and $\sigma \in \mathrm{REL}_{\mathbf{M}}(Y, Z)$, the set $F_{\Box}(\rho;\sigma)$ equals $\{(x, z) \in X \times Z \mid \Box(\rho;\sigma\,(x, z))\}$. But

$$\Box\big(\rho;\sigma\,(x, z)\big) = \Box\Big(\bigvee^{\mathbf{M}} \{\, \rho(x, y) \wedge^{\mathbf{M}} \sigma(y, z) \mid y \in Y,\ \Diamond\rho(x, y),\ \Diamond\sigma(y, z) \,\}\Big) = \bigvee^{\mathbf{2}} \{\, \Box\rho(x, y) \wedge^{\mathbf{2}} \Box\sigma(y, z) \mid y \in Y,\ \Diamond\rho(x, y),\ \Diamond\sigma(y, z) \,\}. \tag{6}$$

Inspecting (1), we gather that $(x, z) \in F_{\Box}(\rho;\sigma)$ iff $(x, z) \in F_{\Box}(\rho);F_{\Box}(\sigma)$, so $F_{\Box}$ is a functor. Since $\Box_{\mathbf{M}} = \{tt\}$ is an upper set in $\mathbf{M}$, it follows that $F_{\Box}$ is monotone: $\rho \sqsubseteq \rho'$ in $\mathrm{REL}_{\mathbf{M}}(X, Y)$ implies $F_{\Box}(\rho) \subseteq F_{\Box}(\rho')$ in $\mathrm{REL}_{\mathbf{2}}(X, Y)$. Similarly, $F_{\Diamond}$ is monotone, as $\Diamond_{\mathbf{M}} = \{tt, dk\}$ is an upper set in $\mathbf{M}$. Since $\Diamond$ distributes over $\bigvee^{\mathbf{M}}$ and since $\Diamond(d \wedge^{\mathbf{M}} e)$ iff $\Diamond d$ and $\Diamond e$ hold, one readily sees that $F_{\Diamond}(\rho;\sigma)$ equals $F_{\Diamond}(\rho);F_{\Diamond}(\sigma)$.

Remark 1. Since $\vee^{\mathbf{M}}$ and $\wedge^{\mathbf{M}}$ agree with $\vee^{\mathbf{2}}$ and $\wedge^{\mathbf{2}}$ on $\{ff, tt\}$, the image of the inclusion $i : \mathbf{2} \to \mathbf{M}$, $x \mapsto x$, we obtain a functor $G : \mathrm{REL}_{\mathbf{2}} \to \mathrm{REL}_{\mathbf{M}}$ which leaves objects $X$ fixed ($G(X) = X$) and sends any $\rho \in \mathrm{REL}_{\mathbf{2}}(X, Y)$ to $i \circ \rho \in \mathrm{REL}_{\mathbf{M}}(X, Y)$.
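As an added illustration, not part of the paper, the following Python code implements the dcpo $\mathbf{M}$, the composition (3) and the functors $F_{\Box}$, $F_{\Diamond}$ on finite sets, and checks the identity and associativity laws of Theorem 1 together with the soundness equations $F_{\Box}(\rho;\sigma) = F_{\Box}(\rho);F_{\Box}(\sigma)$ and $F_{\Diamond}(\rho;\sigma) = F_{\Diamond}(\rho);F_{\Diamond}(\sigma)$ of Proposition 1 on random modal relations. The three-state sample relation is constructed here in the spirit of Figure 1(b); its state names and transition values are assumptions, not taken from the paper.

```python
# Added example (not from the paper): the modal-relation category REL_M of
# Section 2.1 on finite sets, with composition (3) and the functors F_box, F_dia.
import random

# The dcpo M = {dk, ff, tt}: dk is the least element, ff and tt are maximal.
DK, FF, TT = "dk", "ff", "tt"


def meet_M(d, e):
    """The unique t-norm on M (Lemma 1): ff absorbs; dk absorbs among non-ff."""
    if d == FF or e == FF:
        return FF
    if d == DK or e == DK:
        return DK
    return TT


def neg_M(d):
    """Negation extended from 2 to M with neg(dk) = dk."""
    return {TT: FF, FF: TT, DK: DK}[d]


def join_M(d, e):
    """d v^M e = neg(neg d ^M neg e); ff is the identity of this join."""
    return neg_M(meet_M(neg_M(d), neg_M(e)))


def big_join_M(values):
    """Finite iterated join; the empty join is ff."""
    acc = FF
    for v in values:
        acc = join_M(acc, v)
    return acc


def compose_M(rho, sigma, X, Y, Z):
    """rho: dict (x,y)->M, sigma: dict (y,z)->M; returns rho;sigma as in (3)."""
    return {(x, z): big_join_M(meet_M(rho[x, y], sigma[y, z]) for y in Y)
            for x in X for z in Z}


def identity_M(X):
    """id_X(x,x') = tt iff x = x', and ff otherwise (dk would break the identity laws)."""
    return {(x, x2): TT if x == x2 else FF for x in X for x2 in X}


def F_box(rho):
    """(4): the must-pairs, the smallest concrete relation consistent with rho."""
    return {xy for xy, v in rho.items() if v == TT}


def F_dia(rho):
    """(5): the may-pairs, the largest concrete relation consistent with rho."""
    return {xy for xy, v in rho.items() if v != FF}


def compose_REL(R, S):
    """Ordinary relational composition (1) on sets of pairs."""
    return {(x, z) for (x, y) in R for (y2, z) in S if y == y2}


def functors_preserve_composition(rho, sigma, X, Y, Z):
    """Proposition 1: F_box and F_dia map composition (3) to composition (1)."""
    comp = compose_M(rho, sigma, X, Y, Z)
    return (F_box(comp) == compose_REL(F_box(rho), F_box(sigma))
            and F_dia(comp) == compose_REL(F_dia(rho), F_dia(sigma)))


def two_step_example():
    """Constructed sample (assumption, in the spirit of Fig. 1(b)): a modal relation on
    three states where delivery and draining are guaranteed and failure is only possible."""
    S = ["empty", "full", "error"]
    rho = {(s, t): FF for s in S for t in S}
    rho["empty", "full"] = TT   # must: deliver
    rho["full", "empty"] = TT   # must: drain
    rho["full", "error"] = DK   # may: fail
    return S, rho


def random_rel(X, Y, rng):
    return {(x, y): rng.choice([DK, FF, TT]) for x in X for y in Y}


def category_laws_hold(trials=300, seed=1):
    """Theorem 1 and Proposition 1 checked on random modal relations over small sets."""
    rng = random.Random(seed)
    X, Y, Z, W = ["a", "b"], ["c", "d", "e"], ["f", "g"], ["h", "i", "j"]
    for _ in range(trials):
        r, s, t = random_rel(X, Y, rng), random_rel(Y, Z, rng), random_rel(Z, W, rng)
        if compose_M(r, identity_M(Y), X, Y, Y) != r:
            return False
        if compose_M(identity_M(X), r, X, X, Y) != r:
            return False
        lhs = compose_M(r, compose_M(s, t, Y, Z, W), X, Y, W)
        rhs = compose_M(compose_M(r, s, X, Y, Z), t, X, Z, W)
        if lhs != rhs:
            return False
        if not functors_preserve_composition(r, s, X, Y, Z):
            return False
    return True


if __name__ == "__main__":
    S, rho = two_step_example()
    two_steps = compose_M(rho, rho, S, S, S)
    print({k: v for k, v in two_steps.items() if v != FF})
    print("laws hold:", category_laws_hold())
```

Composing the sample relation with itself gives $tt$ for (empty, empty) and (full, full), since both paths go through guaranteed transitions, but only $dk$ for (empty, error), because the second step full $\to$ error is merely possible; this is exactly the case analysis following (3).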

2.2 The quantitative view

We now present the two categories of relations based on the view $\langle \mathbf{I}, \mathbf{UI} \rangle$.

Fuzzy logic. In fuzzy logic, fuzzy sets of type $X$, where $X$ is an ordinary set, are functions $\rho : X \to \mathbf{UI}$. Similarly, fuzzy relations are functions $\rho : X \times Y \to \mathbf{UI}$, and compositions are either "sup-min" or "sup-$T$" versions of (1), where $T$ is a t-norm (over $\mathbf{UI}$).

Definition 2. A linear t-norm over $\mathbf{UI}$ is a function $T : \mathbf{UI} \times \mathbf{UI} \to \mathbf{UI}$ which preserves all least upper bounds and greatest lower bounds in each coordinate separately, satisfies $T(a, b) = 0$ iff $a = 0$ or $b = 0$, and makes $(\mathbf{UI}, T, 1)$ into a commutative monoid.

An example of a linear t-norm is $(a, b) \mapsto \min(a, b)$. Not every t-norm from fuzzy logic is a linear t-norm. For example, the t-norm $\mathrm{LAND}(a, b) = \max(a + b - 1, 0)$ is not linear: take $a$ and $b$ to be $0.5$; then $\mathrm{LAND}(a, b) = 0$, although neither argument is $0$. The categories $\mathrm{REL}_{\mathbf{UI}}$ and $\mathrm{REL}_{\mathbf{I}}$ implicitly depend on a linear t-norm, $T$, used in defining composition. In $\mathrm{REL}_{\mathbf{UI}}$, objects are all sets, and the identity $\mathrm{id}_X$ maps $(x, x')$ to $1$ iff $x = x'$; otherwise, it renders $0$. Given $\rho \in \mathrm{REL}_{\mathbf{UI}}(X, Y)$ and $\sigma \in \mathrm{REL}_{\mathbf{UI}}(Y, Z)$, we define $\rho;\sigma$ as the sup-$T$ composition of fuzzy logic:

$$\rho;\sigma\,(x, z) = \bigvee^{\mathbf{UI}} \{\, T(\rho(x, y), \sigma(y, z)) \mid y \in Y \,\}. \tag{7}$$

Observe that we did not require the modalities in the qualification of this set, as $0$ does not contribute to the least upper bound of the right-hand side. This will change when we consider $\mathrm{REL}_{\mathbf{I}}$.

Theorem 2. $\mathrm{REL}_{\mathbf{UI}}$ is a category (of fuzzy relations) such that each hom-set is a dcpo (even a complete lattice).

Proof. This will follow directly from the corresponding result for $\mathrm{REL}_{\mathbf{I}}$, since the second projection $\rho \mapsto \rho_2 : \mathrm{REL}_{\mathbf{I}}(X, Y) \to \mathrm{REL}_{\mathbf{UI}}(X, Y)$ (where $\rho_2 = \mathrm{pr}_2 \circ \rho$, see below) maps the categorical structure of $\mathrm{REL}_{\mathbf{I}}$ onto the one in $\mathrm{REL}_{\mathbf{UI}}$.

The category of interval-valued relations. If fuzzy sets are totally specified, then a partial version has to approximate the degree of belief, uncertainty, or vagueness expressed in $\rho(x, y) \in \mathbf{UI}$. This naturally leads to considering the interval domain $\mathbf{I}$ as the base domain for the corresponding category. Thus, objects in $\mathrm{REL}_{\mathbf{I}}$ are all sets, and the identities $\mathrm{id}_X$ map $(x, x')$ to $[1, 1]$ iff $x = x'$; otherwise, they return $[0, 0]$. The dcpo $\mathrm{REL}_{\mathbf{I}}(X, Y)$ is given by all functions of type $\rho : X \times Y \to \mathbf{I}$, ordered pointwise. The choice of composition is driven by the fact that we identify $[1, 1]$ with $tt$ and $[0, 0]$ with $ff$, respectively, and that this identification should give rise to two functors from $\mathrm{REL}_{\mathbf{I}}$ to $\mathrm{REL}_{\mathbf{2}}$ which factor through the functors $F_{\Box}$ and $F_{\Diamond}$ from $\mathrm{REL}_{\mathbf{M}}$ to $\mathrm{REL}_{\mathbf{2}}$, respectively. For $\rho \in \mathrm{REL}_{\mathbf{I}}(X, Y)$ and $\sigma \in \mathrm{REL}_{\mathbf{I}}(Y, Z)$ set $\rho;\sigma\,(x, z) = [a, b]$. We interpret $a$/$b$ as the minimal/maximal degree of belief in $(x, z)$ "being" in $\rho;\sigma$; this degree could also be about some other mode such as evidence, uncertainty, etc. The interpretation of modalities on $\mathbf{I}$ is needed to define the semantics of composition with respect to the interpretation above. In the sequel, we often write $\rho_i$ for $\mathrm{pr}_i \circ \rho$, where $\mathrm{pr}_1[x, y] = x$ and $\mathrm{pr}_2[x, y] = y$ ($i = 1, 2$). The value of $a$ ought to be a minimal and conservative estimate of the degree of membership (if we think of fuzzy sets as the total elements):

$$\mathrm{pr}_1(\rho;\sigma\,(x, z)) = \bigwedge^{\mathbf{UI}} \{\, T(\rho_1(x, y), \sigma_1(y, z)) \mid y \in Y,\ \Box\rho(x, y),\ \Box\sigma(y, z) \,\}, \tag{8}$$

if the set in (8) is non-empty. Otherwise, there is no guaranteed link between $x$ and $z$, and we decree $\mathrm{pr}_1(\rho;\sigma\,(x, z))$ to be $0$. Dually, we obtain a maximal and conservative degree of membership by changing $\Box$ to $\Diamond$ and $\bigwedge$ to $\bigvee$ in (8):

$$\mathrm{pr}_2(\rho;\sigma\,(x, z)) = \bigvee^{\mathbf{UI}} \{\, T(\rho_2(x, y), \sigma_2(y, z)) \mid y \in Y,\ \Diamond\rho(x, y),\ \Diamond\sigma(y, z) \,\}. \tag{9}$$

Theorem 3. $\mathrm{REL}_{\mathbf{I}}$ is a category (of interval-valued relations) such that each hom-set is a dcpo and the maximal elements of $\mathrm{REL}_{\mathbf{I}}(X, Y)$ are in a one-to-one correspondence to $\mathrm{REL}_{\mathbf{UI}}(X, Y)$.

Proof.

1. For identities, consider $\rho \in \mathrm{REL}_{\mathbf{I}}(X, Y)$.

   (a) $\mathrm{pr}_1(\rho;\mathrm{id}_Y\,(x, y)) = 0$ iff $\neg\Box\rho(x, y')$ or $\neg\Box\mathrm{id}_Y(y', y)$ for all $y' \in Y$ iff $\neg\Box\rho(x, y)$ (as $y' = y$ iff $\Box\mathrm{id}_Y(y', y)$) iff $\mathrm{pr}_1\rho(x, y) = 0$.

   (b) If $\mathrm{pr}_1(\rho;\mathrm{id}_Y\,(x, y)) > 0$, then by the previous item it suffices to show that $\mathrm{pr}_1(\rho;\mathrm{id}_Y\,(x, y)) = \rho_1(x, y)$. Since $\mathrm{id}_Y(y, y) = [1, 1]$ and $\neg\Box\mathrm{id}_Y(y', y)$ for all $y' \ne y$, we infer that $\mathrm{pr}_1(\rho;\mathrm{id}_Y\,(x, y)) = \bigwedge^{\mathbf{UI}} \{\, T(\rho_1(x, y'), \mathrm{pr}_1(\mathrm{id}_Y(y', y))) \mid y' \in Y,\ \Box\rho(x, y'),\ \Box\mathrm{id}_Y(y', y) \,\}$ equals $T(\rho_1(x, y), 1) = \rho_1(x, y)$, as desired.

   (c) Finally, $\mathrm{pr}_2(\rho;\mathrm{id}_Y\,(x, y))$ equals

   $$\bigvee^{\mathbf{UI}} \{\, T(\rho_2(x, y'), \mathrm{pr}_2(\mathrm{id}_Y(y', y))) \mid y' \in Y,\ \Diamond\rho(x, y'),\ \Diamond\m athrm{id}_Y(y', y) \,\},$$

   and since $\Diamond\mathrm{id}_Y(y', y)$ iff $y' = y$, the latter equals $T(\rho_2(x, y), 1) = \rho_2(x, y)$. Similarly, one shows $\mathrm{id}_Y;\sigma = \sigma$ for all $\sigma \in \mathrm{REL}_{\mathbf{I}}(Y, Z)$.

2. For composition, consider $\rho \in \mathrm{REL}_{\mathbf{I}}(X, Y)$, $\sigma \in \mathrm{REL}_{\mathbf{I}}(Y, Z)$, and $\tau \in \mathrm{REL}_{\mathbf{I}}(Z, W)$.

   (a) We have

   $$\mathrm{pr}_1(\rho;(\sigma;\tau)\,(x, w)) = 0 \tag{10}$$

   iff $\neg\Box\rho(x, y)$ or $\neg\Box(\sigma;\tau\,(y, w))$ for all $y \in Y$; iff for all $y \in Y$, $\neg\Box\rho(x, y)$ or (for all $z \in Z$, $\neg\Box\sigma(y, z)$ or $\neg\Box\tau(z, w)$); iff for all $z \in Z$, $\neg\Box\tau(z, w)$ or (for all $y \in Y$, $\neg\Box\rho(x, y)$ or $\neg\Box\sigma(y, z)$); iff $\mathrm{pr}_1((\rho;\sigma);\tau\,(x, w)) = 0$.

   (b) Let $a = \mathrm{pr}_1(\rho;(\sigma;\tau)\,(x, w)) > 0$. By the previous item, we infer that $a' = \mathrm{pr}_1((\rho;\sigma);\tau\,(x, w))$ has to be greater than $0$, so both expressions are defined as in (8). Thus,

   $$a = \bigwedge^{\mathbf{UI}} \{\, T(\rho_1(x, y), \mathrm{pr}_1(\sigma;\tau\,(y, w))) \mid \Box\rho(x, y),\ \Box(\sigma;\tau\,(y, w)) \,\} = \bigwedge^{\mathbf{UI}}_{\Box\rho(x, y),\ \Box(\sigma;\tau\,(y, w))} T\Big(\rho_1(x, y),\ \bigwedge^{\mathbf{UI}} \{\, T(\sigma_1(y, z), \tau_1(z, w)) \mid \Box\sigma(y, z),\ \Box\tau(z, w) \,\}\Big) \tag{11}$$

   $$= \bigwedge^{\mathbf{UI}}_{\Box\rho(x, y),\ \Box(\sigma;\tau\,(y, w))}\ \bigwedge^{\mathbf{UI}}_{\Box\sigma(y, z),\ \Box\tau(z, w)} T\big(\rho_1(x, y), T(\sigma_1(y, z), \tau_1(z, w))\big) = \bigwedge^{\mathbf{UI}}_{\Box\rho(x, y),\ \Box(\sigma;\tau\,(y, w))}\ \bigwedge^{\mathbf{UI}}_{\Box\sigma(y, z),\ \Box\tau(z, w)} T\big(T(\rho_1(x, y), \sigma_1(y, z)), \tau_1(z, w)\big), \tag{12}$$

   using that $T$ is linear (it preserves greatest lower bounds in each coordinate) and associative, and that all $\Box$-qualified terms are defined as in (8). In a completely similar fashion, without having to regroup the $T$-expressions, we compute

   $$a' = \bigwedge^{\mathbf{UI}}_{\Box(\rho;\sigma\,(x, z)),\ \Box\tau(z, w)}\ \bigwedge^{\mathbf{UI}}_{\Box\rho(x, y),\ \Box\sigma(y, z)} T\big(T(\rho_1(x, y), \sigma_1(y, z)), \tau_1(z, w)\big). \tag{13}$$

   Since all these infima are non-empty, the "quantifiers" $\Box(\rho;\sigma\,(x, z))$ and $\Box(\sigma;\tau\,(y, w))$ are redundant in the presence of the remaining respective quantifiers in (12) and (13), so $a = a'$.

   (c) Let $b = \mathrm{pr}_2(\rho;(\sigma;\tau)\,(x, w))$ and $b' = \mathrm{pr}_2((\rho;\sigma);\tau\,(x, w))$. Again, using the linearity and associativity of $T$, we obtain

   $$b = \bigvee^{\mathbf{UI}}_{\Diamond\rho(x, y),\ \Diamond(\sigma;\tau\,(y, w))}\ \bigvee^{\mathbf{UI}}_{\Diamond\sigma(y, z),\ \Diamond\tau(z, w)} T\big(T(\rho_2(x, y), \sigma_2(y, z)), \tau_2(z, w)\big), \qquad b' = \bigvee^{\mathbf{UI}}_{\Diamond(\rho;\sigma\,(x, z)),\ \Diamond\tau(z, w)}\ \bigvee^{\mathbf{UI}}_{\Diamond\rho(x, y),\ \Diamond\sigma(y, z)} T\big(T(\rho_2(x, y), \sigma_2(y, z)), \tau_2(z, w)\big).$$

   One readily sees that these least upper bounds range over the same set, so they are equal.

The proof of Theorem 3 made crucial use of the fact that the t-norm $T$ is linear. Let us stress that the identities of $\mathrm{REL}_{\mathbf{I}}$ are the ones of $\mathrm{REL}_{\mathbf{UI}}$ if we identify morphisms of $\mathrm{REL}_{\mathbf{UI}}$ with total elements in $\mathrm{REL}_{\mathbf{I}}$, but that this does not extend to the composition in these categories! Since fuzzy relations can be seen as morphisms in $\mathrm{REL}_{\mathbf{I}}$, we may compose them according to (8) and (9). This, contrary to the composition in (7), seems to be a more informative semantics, as it combines the worst and best case scenarios of what the real set may be like. Furthermore, the insertion of $\Box$ and $\Diamond$ in the qualifications of (8) and (9) was necessary, unlike in the case of (3).
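As an added example, not from the paper, the following Python code implements interval-valued relations on finite sets with the composition (8)/(9) for the linear t-norm $T = \min$, next to the sup-$T$ composition (7) of fuzzy relations. It checks the identity and associativity laws of Theorem 3 and the projection $\rho \mapsto \rho_2$ used in the proof of Theorem 2 on random relations, and it shows the point made above: two total (fuzzy) relations, embedded as $[r, r]$, compose in $\mathrm{REL}_{\mathbf{I}}$ to a proper interval, the worst/best case reading, while (7) returns only its upper end. The choice of $\min$ and the sample relations are assumptions.

```python
# Added example (not from the paper): the interval-valued relations REL_I of
# Section 2.2 over finite sets, composed by (8) and (9) with the linear t-norm
# T = min, compared with the sup-T composition (7) of REL_UI.
import random


def T(a, b):
    """Linear t-norm used for composition (assumed choice: min, cf. Definition 2)."""
    return min(a, b)


def box_I(v):
    """Box on I: the lower bound is positive (a guaranteed link)."""
    return v[0] > 0


def dia_I(v):
    """Diamond on I: the upper bound is positive (a possible link)."""
    return v[1] > 0


def compose_I(rho, sigma, X, Y, Z):
    """rho: dict (x,y)->(lo,hi) in I; returns rho;sigma with (8) for lo and (9) for hi."""
    out = {}
    for x in X:
        for z in Z:
            los = [T(rho[x, y][0], sigma[y, z][0]) for y in Y
                   if box_I(rho[x, y]) and box_I(sigma[y, z])]
            his = [T(rho[x, y][1], sigma[y, z][1]) for y in Y
                   if dia_I(rho[x, y]) and dia_I(sigma[y, z])]
            lo = min(los) if los else 0.0   # empty set in (8): no guaranteed link, decreed 0
            hi = max(his) if his else 0.0   # empty join in UI is 0
            out[x, z] = (lo, hi)
    return out


def identity_I(X):
    """id_X maps (x,x') to [1,1] iff x = x', and to [0,0] otherwise."""
    return {(x, x2): (1.0, 1.0) if x == x2 else (0.0, 0.0) for x in X for x2 in X}


def compose_UI(rho, sigma, X, Y, Z):
    """Sup-T composition (7) of fuzzy relations rho: (x,y)->UI."""
    return {(x, z): max([T(rho[x, y], sigma[y, z]) for y in Y], default=0.0)
            for x in X for z in Z}


def pr2(rho):
    """Second projection, rho_2 = pr_2 o rho, from REL_I to REL_UI."""
    return {k: v[1] for k, v in rho.items()}


def worst_best_example():
    """Constructed sample (assumption): two total fuzzy relations whose
    composition in REL_I is a proper interval, whereas (7) gives a point."""
    X, Y, Z = ["a"], ["b", "c"], ["d"]
    rho_ui = {("a", "b"): 0.8, ("a", "c"): 0.3}
    sigma_ui = {("b", "d"): 0.5, ("c", "d"): 0.9}
    embed = lambda f: {k: (v, v) for k, v in f.items()}   # UI as the maximal elements [r,r] of I
    comp_I = compose_I(embed(rho_ui), embed(sigma_ui), X, Y, Z)
    comp_UI = compose_UI(rho_ui, sigma_ui, X, Y, Z)
    return comp_I["a", "d"], comp_UI["a", "d"]


def random_rel_I(X, Y, rng):
    """Random interval-valued relation with endpoints on a small grid (exact floats)."""
    grid = [0.0, 0.25, 0.5, 0.75, 1.0]
    out = {}
    for x in X:
        for y in Y:
            lo, hi = sorted(rng.choice(grid) for _ in range(2))
            out[x, y] = (lo, hi)
    return out


def interval_laws_hold(trials=300, seed=7):
    """Theorem 3 (identities, associativity) and the projection claim of Theorem 2."""
    rng = random.Random(seed)
    X, Y, Z, W = ["a", "b"], ["c", "d", "e"], ["f", "g"], ["h", "i"]
    for _ in range(trials):
        r, s, t = random_rel_I(X, Y, rng), random_rel_I(Y, Z, rng), random_rel_I(Z, W, rng)
        if compose_I(r, identity_I(Y), X, Y, Y) != r or compose_I(identity_I(X), r, X, X, Y) != r:
            return False
        lhs = compose_I(r, compose_I(s, t, Y, Z, W), X, Y, W)
        rhs = compose_I(compose_I(r, s, X, Y, Z), t, X, Z, W)
        if lhs != rhs:
            return False
        # pr_2 maps the REL_I composition onto the sup-T composition (7) of REL_UI
        if pr2(compose_I(r, s, X, Y, Z)) != compose_UI(pr2(r), pr2(s), X, Y, Z):
            return False
    return True


if __name__ == "__main__":
    print("interval vs. sup-T composition:", worst_best_example())
    print("laws hold:", interval_laws_hold())
```

For the sample, the path through b contributes $\min(0.8, 0.5) = 0.5$ and the path through c contributes $\min(0.3, 0.9) = 0.3$; (8) keeps the worst case $0.3$ as lower bound and (9) the best case $0.5$ as upper bound, so the result $[0.3, 0.5]$ is not a maximal element of $\mathbf{I}$ even though both inputs were. The sup-$T$ composition (7) returns $0.5$, which is exactly the second projection of the interval result.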

Soundness of approximation. Let D be any domain with appropriate interpretations of the modalities and let REL_D be a category of D-valued relations. For a morphism in REL_D(X, Y), we may define an interval of sets [□, ◇] by □ = {(x, y) ∈ X × Y | □(x, y)} and ◇ = {(x, y) ∈ X × Y | ◇(x, y)}. Clearly □ ⊆ ◇. If we set I_D(X, Y) to be the dcpo of all those pairs [S, T] with S ⊆ T ⊆ X × Y and order such pairs as in I, then, for two morphisms ordered in REL_D(X, Y), the interval of sets of the smaller one should lie below that of the larger one in I_D(X, Y). This suggests that the construction of I is more fundamental and should apply to domains other than UI as well. Returning to I itself, we mean to define a monotone functor H : REL_I → REL_M; its composition with the functors F_□ and F_◇, respectively, then gives us two monotone functors from REL_I to REL_2.

Definition 3. We define H : REL_I → REL_M on objects by H(X) = X. On a morphism in REL_I(X, Y), we set its image H( )(x, y) to be tt iff □(x, y); ff iff ¬◇(x, y); and dk in the remaining case (◇(x, y) ∧ ¬□(x, y)).

Proposition 2. The function H : REL_I → REL_M defined above is a monotone functor.

Proof. 1. For identities, H(id_X)(x, x') equals tt iff □id_X(x, x') iff x = x'; it equals ff iff ¬◇id_X(x, x') iff x ≠ x'; and it cannot take on the value dk since id_X(x, x') cannot satisfy "¬□ ∧ ◇". Thus, H(id_X) equals id_X in REL_M.

2. For composition, let two morphisms in REL_I(X, Y) and REL_I(Y, Z), respectively, be given, and write ( ; ) for their composite. (a) Let H( ; )(x, z) = ff. Then ¬◇( ; )(x, z) implies that pr2(( ; )(x, z)), which is ⋁^UI { T(2(x, y), 2(y, z)) | y ∈ Y, ◇(x, y), ◇(y, z) }, equals 0. But then all the T-expressions must be 0, so ¬◇(x, y) or ¬◇(y, z) holds for all y ∈ Y. But then H( )(x, y) = ff and H( )(y, z) = ff for all y ∈ Y, which implies (H( ); H( ))(x, z) = ff. (b) Let H( ; )(x, z) = tt. Then □( ; )(x, z) implies that pr1(( ; )(x, z)) is greater than 0. Therefore, pr1(( ; )(x, z)) equals

⋀^UI { T(1(x, y), 1(y, z)) | y ∈ Y, □(x, y), □(y, z) }.

Since this expression is greater than 0 we must have some y0 ∈ Y such that □(x, y0) and □(y0, z). But then (H( ); H( ))(x, z) = tt since H( )(x, y0) ∧_M H( )(y0, z) = tt. (c) Finally, if H( ; )(x, z) = dk, then we infer ¬□( ; )(x, z) as well as ◇( ; )(x, z). The first gives us ¬□(x, y) or ¬□(y, z) for all y ∈ Y; the second implies the existence of some y1 ∈ Y with ◇(x, y1) and ◇(y1, z). The first fact ensures that no term H( )(x, y) ∧_M H( )(y, z) equals tt; the second fact implies that at least one of these terms is different from ff. Combining this, we infer that (H( ); H( ))(x, z), the disjunction in M of all such terms, has to be dk.

3. For monotonicity, let one morphism lie below another in REL_I(X, Y). If H of the smaller one is tt at (x, y), then □ holds there for the smaller one, hence also for the larger one since □_I is an upper set in I; but then H of the larger one is tt at (x, y) as well. If H of the smaller one is ff at (x, y), then ¬◇ holds there, so the smaller one takes the value [0, 0] at (x, y); since ¬◇_I = {[0, 0]} is an upper set in I, the larger one also takes the value [0, 0] there, which renders its H-value ff. If H of the smaller one is dk at (x, y), then it lies below the H-value of the larger one, as dk is the least element of M.

Corollary 1. We have monotone functors

H; F_□ : REL_I → REL_2 and H; F_◇ : REL_I → REL_2.      (14)

Remark 2. Let j : M → I be the map which sends dk to [0, 1], ff to [0, 0], and tt to [1, 1]. If we define L : REL_M → REL_I by L(X) = X and L( ) = j ∘ ( ) for all sets X and Y and any morphism in REL_M(X, Y), then L is a functor, since the composition in (8) and (9) faithfully matches the one in (3) on the image of the function j.

3 Partial probability measures

We already encountered the view ⟨I, UI⟩ when we studied the categories of I-valued and UI-valued relations, respectively, in Section 2. In this section, we demonstrate that this view can be successfully extended to probability theory. For that, we develop a notion of partial probability measure, based on I, which is sound for the conventional probability theory, based on UI. We first study a set of inequalities as axioms for a partial version of probability measures. Then we turn these axioms into equalities and speculate on what justifications one could give for either one, or some other choice of axioms.

3.1 Inequational Axioms

Definition 4. A sigma-algebra over a set X is a set, Σ(X), of subsets of X which contains X and is closed under set complementation and countable unions. We write Σ(X) → D for the set of functions from Σ(X) to D, ordered pointwise: one such function lies below another iff, for all A ∈ Σ(X), its value at A lies below the other's value at A in D.

Remark 3. For any dcpo D and sigma-algebra Σ(X), the pointwise-ordered set Σ(X) → D is a dcpo. We will focus on the cases where D equals the unit interval or the interval domain.

Definition 5. Let I, the interval domain [25, 30], be the partial ordering of all closed intervals [x, y] with 0 ≤ x ≤ y ≤ 1, ordered under reverse containment: [u, v] ⊑ [x, y] iff u ≤ x and y ≤ v. Let UI, the unit interval, be the partial ordering of all numbers r with 0 ≤ r ≤ 1, ordered in the usual way.

Remark 4. The partial orderings UI and I are dcpos. In UI and in its order dual, least upper bounds of directed sets are limits in the Euclidean topology. In I, the least upper bound of a family ([x_i, y_i])_{i∈I} equals [⋁↑ x_i, ⋀↓ y_i]. The dcpo Σ(X) → UI contains all probability measures, maps which satisfy the axioms of probability, due to A. N. Kolmogorov:

P1. (X) = 1,
P2. (modular law) (A ∪ B) + (A ∩ B) = (A) + (B) for all A, B ∈ Σ(X), and
P3. (⋃ A_i) = Σ (A_i) for all pairwise disjoint families of sets (A_i)_{i∈I} in Σ(X).

If a map only meets axioms P2 and P3, we call it a sub-probability measure. The ordering on the ambient space Σ(X) → UI, however, is not suitable for approximating such measures.

Definition 6. For any sigma-algebra Σ(X), we denote by P(Σ(X)) the partial ordering of all maps Σ(X) → UI which satisfy axioms P1, P2, and P3, the ordering being inherited from Σ(X) → UI.

Lemma 2. Let Σ(X) be any sigma-algebra. Then the ordering on P(Σ(X)) is equality.

Proof. Let one element of P(Σ(X)) lie below another and assume the two are different. Then there has to exist some A ∈ Σ(X) at which the smaller one takes a strictly smaller value. Since X \ A ∈ Σ(X) and since both satisfy equation (17), the larger one's value at X \ A is its value at X minus its value at A, which is strictly smaller than the smaller one's value at X minus its value at A, that is, the smaller one's value at X \ A, contradicting the assumed ordering.

We would like to realize (sub)probability measures as maximal elements in a dcpo which is not an ad hoc construction, but whose elements can be seen as partial probability measures. This suggests choosing Σ(X) → I as the ambient space, but it is less clear what axioms one should endorse to single out the proper notions of "partiality". Intuitively, a partial probability measure is a map of type Σ(X) → I whose value at A is a safe approximation of the "probability" of A, for all (total) probability measures that refine it. Since sigma-algebras abstract computational state, refinement is adequately modeled by the ordering in Σ(X) → I. Note that this allows us to compute such evidence in the presence of uncertainty or vagueness, or if the underlying computational models are,

e.g., not Markov decision processes [11], but system descriptions with inherent vagueness or uncertainty such as the probabilistic specifications in [19]. In crafting axioms for a dcpo Pi(Σ(X)) of partial probability measures, we need to ensure that
1. we view total elements as maximal ones in the dcpo Pi(Σ(X));
2. the maximal elements in Pi(Σ(X)) have a one-to-one correspondence to elements in P(Σ(X)); and
3. we achieve the latter by choosing axioms which, if interpreted for maximal elements, "recover" the well known axioms of probability, P1 to P3.
These requirements alone are far from determining such axioms. Essentially, such conditions on a map Σ(X) → I should demand consistency with respect to the conventional probability axioms applied to any probability measure that refines it. We write pr1, pr2 : I → UI to denote the projections pr1[x, y] = x and pr2[x, y] = y, and in the sequel we abbreviate the composite of a map Σ(X) → I with pr_i by the subscript i (i = 1, 2). So such a map may be written as a pairing ⟨1, 2⟩ of maps 1, 2 : Σ(X) → UI with 1 ≤ 2 pointwise. As inequational consistency conditions corresponding to P1, P2, and P3, respectively, we propose:

Ie1(a). (X) ≥ [1, 1],
Ie1(b). (X) ≤ [1, 1],
Ie2(a). 1(A ∪ B) + 2(A ∩ B) ≥ 1(A) + 1(B),
Ie2(b). 2(A ∪ B) + 1(A ∩ B) ≤ 2(A) + 2(B),
Ie3(a). 1(⋃_{i∈I} A_i) ≥ 1(⋃_{j∈J} A_j) − Σ_{k∈J\I} 2(A_k) for all pairwise disjoint families (A_j)_{j∈J} in Σ(X), and all I ⊆ J,
Ie3(b). 2(⋃_{i∈I} A_i) ≤ 2(⋃_{j∈J} A_j) − Σ_{k∈J\I} 1(A_k) for all pairwise disjoint families (A_j)_{j∈J} in Σ(X), and all I ⊆ J.

Notice the duality between the pairs ⟨1, 2⟩ and ⟨≥, ≤⟩ in all axioms of type (a) and (b), respectively. Axioms Ie1(a) and Ie1(b) say that the probability of X is 1 regardless of the inherent uncertainty or vagueness of the situation. To justify, say, the inequality in Ie2(a), we may rewrite it as 1(A ∪ B) ≥ 1(A) + 1(B) − 2(A ∩ B), which should hold since the right-hand side is a conservative lower bound for the "total probability" of A ∪ B, given the interpretation of 1 and 2 as providing lower and upper bounds of "total probabilities", respectively; so 1(A ∪ B) cannot be strictly smaller than that. The inequality in Ie2(b) has a dual justification. Notice how the combination of these two inequalities recovers the original modular law above in case that the measure has width 2(A) − 1(A) = 0 for all A ∈ Σ(X). To justify, say, Ie3(b), the right hand side is a conservative approximation of the left hand side for similar reasons as stated above, no matter what subset I we pick. Axiom Ie3 has two special instances of interest. First, if we take the pairwise disjoint family of sets {A, X \ A} and apply Ie3 to it with I = {A}, we obtain

1(A) ≥ 1(X) − 2(X \ A)      (15)
2(A) ≤ 2(X) − 1(X \ A).     (16)

Note that, for every sub-probability measure, the value at X \ A equals the value at X minus the value at A,      (17)

and that equation (17) follows from (15) and (16) if 1 = 2. In general, neither 1 nor 2 is a conventional probability measure, unless the map is a maximal (= total) element in the space Σ(X) → I. Second, if I = {i0} for a pairwise disjoint family (A_j)_{j∈J} in Σ(X) and i0 ∈ J, then Ie3 means

1(A_{i0}) ≥ 1(⋃_{j∈J} A_j) − Σ_{k∈J, k≠i0} 2(A_k)      (18)
2(A_{i0}) ≤ 2(⋃_{j∈J} A_j) − Σ_{k∈J, k≠i0} 1(A_k).     (19)

This will allow us to recover axiom P3 in case that 1 = 2.

Definition 7. Let Pi(Σ(X)) be the partial ordering of all maps Σ(X) → I which satisfy the axioms Ie1, Ie2, and Ie3 above, the ordering being inherited from Σ(X) → I.

We establish that Pi(Σ(X)) is a dcpo and that P(Σ(X)) has a natural embedding into the set of maximal elements of Pi(Σ(X)).

Proposition 3. The partial ordering Pi(Σ(X)) is a dcpo and its least upper bounds of directed sets are the ones formed in Σ(X) → I.

Proof. Let a directed set in Pi(Σ(X)) be indexed by j ∈ J, and write 1^j and 2^j for the lower and upper components of its j-th member. Since the pointwise least upper bound, sending A to ⋁↑_j of the members' values at A, is the least upper bound of that set in Σ(X) → I, it suffices to show that this map, with components 1 and 2, satisfies the axioms Ie1 to Ie3.
Ie1. If every member takes the value [1, 1] at X, then so does the least upper bound.
Ie2(a). Assume that 1(A ∪ B) + 2(A ∩ B) < 1(A) + 1(B) and note that the latter equals ⋁↑_j (1^j(A) + 1^j(B)), since + preserves least upper bounds of directed sets. Since the left hand side is strictly smaller than ⋁↑_j (1^j(A) + 1^j(B)), there exists some j0 ∈ J such that 1(A ∪ B) + 2(A ∩ B) < 1^{j0}(A) + 1^{j0}(B). But the left hand side equals ⋁↑_j 1^j(A ∪ B) + ⋀↓_j 2^j(A ∩ B), and since + preserves greatest lower bounds of filtered sets we dually conclude that there

is some j1 ≥ j0 in J such that ⋁↑_j 1^j(A ∪ B) + 2^{j1}(A ∩ B) < 1^{j0}(A) + 1^{j0}(B), which is less than, or equal to, 1^{j1}(A) + 1^{j1}(B) as j1 ≥ j0. But then 1^{j1}(A ∪ B) + 2^{j1}(A ∩ B) ≤ ⋁↑_j 1^j(A ∪ B) + 2^{j1}(A ∩ B) < 1^{j1}(A) + 1^{j1}(B) contradicts the fact that the j1-th member lies in Pi(Σ(X)).
Ie2(b). The reasoning for this case is dual to the one in Ie2(a).
Ie3(a). This has an argument that is dual to the one put forward for Ie3(b) below.
Ie3(b). Let a directed set in Pi(Σ(X)) be indexed by t ∈ T, with components 1^t and 2^t. For each t ∈ T, membership in Pi(Σ(X)) implies 2^t(⋃_{i∈I} A_i) ≤ 2^t(⋃_{j∈J} A_j) − Σ_{k∈J\I} 1^t(A_k) for all pairwise disjoint families (A_j)_{j∈J} and I ⊆ J. Let the least upper bound of this set have components 1 and 2. Then 2(⋃_{i∈I} A_i) equals

⋀↓_{t∈T} 2^t(⋃_{i∈I} A_i)
  ≤ ⋀↓_{t∈T} ( 2^t(⋃_{j∈J} A_j) − Σ_{k∈J\I} 1^t(A_k) )
  = ( ⋀↓_{t∈T} 2^t(⋃_{j∈J} A_j) ) − ( ⋁↑_{t∈T} Σ_{k∈J\I} 1^t(A_k) )
  ≤(∗) ( ⋀↓_{t∈T} 2^t(⋃_{j∈J} A_j) ) − Σ_{k∈J\I} ⋁↑_{t∈T} 1^t(A_k)      (20)
  = 2(⋃_{j∈J} A_j) − Σ_{k∈J\I} 1(A_k),

giving us Ie3(b) for the least upper bound, if only we can show that the step (∗), i.e.

⋁↑_{t∈T} Σ_{l∈L} 1^t(A_l) ≥ Σ_{l∈L} ⋁↑_{t∈T} 1^t(A_l),      (21)

holds for all L ⊆ J. But this is certainly the case if L is a finite set, for + preserves least upper bounds of directed sets. If L is infinite, then the infinite sum is a directed supremum of sums formed over finite subsets of L, and then we get a contradiction if we assume that the left hand side is strictly below the one on the right hand side.

Proposition 4. The map i_X : P(Σ(X)) → Pi(Σ(X)), which sends a probability measure to the map assigning to each A ∈ Σ(X) the degenerate interval whose two endpoints are the probability of A, is injective, monotone, and maps into the set of maximal elements in Pi(Σ(X)).

Proof. One immediately verifies that the image of a probability measure under i_X is an element of Pi(Σ(X)), for the axioms P1 to P3 ensure the validity of Ie1 to Ie3, noting that 1 equals 2 for every such image. Since the ordering on maximal elements is equality, the map i_X is injective. Since the ordering on P(Σ(X)) is equality, any map of this type is monotone.

Question 1. Can one characterize those sigma-algebras Σ(X) for which all maximal elements of Pi(Σ(X)) are of the form i_X applied to some probability measure?

Since Pi(Σ(X)) is a dcpo, we know that every element of Pi(Σ(X)), seen as a partial probability measure, has at least one maximal element in Pi(Σ(X)) above it. If none of these elements are in the image of i_X, one would like to establish that the partial measure is somehow probabilistically inconsistent; see the discussion in Section 4.

Remark 5. Let r_i ∈ UI and let n elements of Pi(Σ(X)) be given, i = 1, 2, ..., n, with components 1^i and 2^i, such that Σ r_i = 1. Then the function Σ r_i · (i-th element) : Σ(X) → I, which maps A to [Σ r_i · 1^i(A), Σ r_i · 2^i(A)], is an element of Pi(Σ(X)). Axioms Ie3, notably the inequalities (15) and (16), fail in general if one extends this construction such that the r_i are proper intervals.
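The axioms Ie1 to Ie3, the pointwise ordering of Σ(X) → I, the least upper bounds of Proposition 3, the embedding i_X of Proposition 4 and the convex combinations of Remark 5 can all be exercised on a finite sigma-algebra, where Σ(X) is the power set of X and every countable pairwise disjoint family is finite. The following Python is an added example written for this page, not code from the paper: the function names (ie_violations, refines, lub, i_X, convex_combination), the helper measure_on_ab and the sample measures on X = {a, b} are constructed for the illustration, and an interval [x, y] in I is represented as the pair (x, y) of its projections pr1, pr2 as exact fractions.

```python
# Added example (not from the paper): checking the axioms Ie1-Ie3 on a finite sigma-algebra.
from fractions import Fraction as F
from itertools import combinations


def sigma_algebra(X):
    """Sigma(X) for finite X is the whole power set; members are frozensets so they can key a dict."""
    X = list(X)
    return [frozenset(c) for r in range(len(X) + 1) for c in combinations(X, r)]


def disjoint_families(sigma):
    """Every non-empty family of pairwise disjoint members of sigma (countable means finite here)."""
    return [fam for r in range(1, len(sigma) + 1) for fam in combinations(sigma, r)
            if all(a.isdisjoint(b) for a, b in combinations(fam, 2))]


def ie_violations(mu, X):
    """Names of the axioms among Ie1-Ie3 that mu violates; [] means mu lies in Pi(Sigma(X)).

    mu maps each A in Sigma(X) to the pair (lower bound, upper bound), i.e. the two
    projections pr1 and pr2 of the interval mu(A) in I.
    """
    X = frozenset(X)
    sigma = sigma_algebra(X)
    lo, hi = (lambda A: mu[A][0]), (lambda A: mu[A][1])
    bad = set()
    if any(not (0 <= lo(A) <= hi(A) <= 1) for A in sigma):
        bad.add("not I-valued")
    if (lo(X), hi(X)) != (1, 1):                        # Ie1(a) and Ie1(b): mu(X) = [1, 1]
        bad.add("Ie1")
    for A in sigma:
        for B in sigma:
            if lo(A | B) + hi(A & B) < lo(A) + lo(B):   # Ie2(a): modular law for lower bounds
                bad.add("Ie2(a)")
            if hi(A | B) + lo(A & B) > hi(A) + hi(B):   # Ie2(b): its dual for upper bounds
                bad.add("Ie2(b)")
    for fam in disjoint_families(sigma):                # Ie3: every (A_j)_{j in J} and every I subset of J
        union_J = frozenset().union(*fam)
        for r in range(len(fam) + 1):
            for I in combinations(fam, r):
                union_I = frozenset().union(*I)
                rest = [A for A in fam if A not in I]   # the indices k in J \ I
                if lo(union_I) < lo(union_J) - sum(hi(A) for A in rest):
                    bad.add("Ie3(a)")
                if hi(union_I) > hi(union_J) - sum(lo(A) for A in rest):
                    bad.add("Ie3(b)")
    return sorted(bad)


def refines(mu, nu):
    """mu below nu in Sigma(X) -> I: pointwise reverse containment, nu(A) inside mu(A) for every A."""
    return all(mu[A][0] <= nu[A][0] and nu[A][1] <= mu[A][1] for A in mu)


def lub(measures):
    """Least upper bound as formed in Sigma(X) -> I (Proposition 3): for every set A, the sup of the
    lower bounds paired with the inf of the upper bounds. Meaningful for directed families only."""
    return {A: (max(m[A][0] for m in measures), min(m[A][1] for m in measures)) for A in measures[0]}


def i_X(p, X):
    """Proposition 4's embedding: a total measure p becomes the degenerate intervals [p(A), p(A)]."""
    return {A: (p[A], p[A]) for A in sigma_algebra(X)}


def convex_combination(weights, measures):
    """Remark 5: the sum of r_i * mu_i for weights r_i in UI adding up to 1, taken on both interval ends."""
    assert sum(weights) == 1
    return {A: (sum(r * m[A][0] for r, m in zip(weights, measures)),
                sum(r * m[A][1] for r, m in zip(weights, measures))) for A in measures[0]}


# Constructed sample data on X = {a, b}, so Sigma(X) = {EMPTY, A, B, X}.
EMPTY, A, B, X = frozenset(), frozenset("a"), frozenset("b"), frozenset("ab")


def measure_on_ab(a_lo, a_hi, b_lo, b_hi):
    """A map Sigma(X) -> I from the intervals for {a} and {b}; the empty set gets [0, 0] and X gets [1, 1]."""
    return {EMPTY: (F(0), F(0)), A: (F(a_lo), F(a_hi)), B: (F(b_lo), F(b_hi)), X: (F(1), F(1))}


MU_PARTIAL = measure_on_ab("0.2", "0.6", "0.4", "0.8")   # proper intervals, consistent
MU_BAD = measure_on_ab("0.6", "0.7", "0.5", "0.8")       # lower bounds of {a} and {b} add up to 1.1 > 1
NU1 = measure_on_ab("0.2", "0.5", "0.5", "0.8")          # two compatible partial measures whose
NU2 = measure_on_ab("0.3", "0.6", "0.4", "0.7")          # pointwise lub is again in Pi(Sigma(X))
P_TOTAL = {EMPTY: F(0), A: F("0.3"), B: F("0.7"), X: F(1)}  # an ordinary probability measure

if __name__ == "__main__":
    print(ie_violations(MU_PARTIAL, X))                  # []
    print(ie_violations(MU_BAD, X))                      # ['Ie2(a)', 'Ie3(b)']
    print(refines(MU_PARTIAL, i_X(P_TOTAL, X)))          # True: the total measure refines the partial one
    print(lub([NU1, NU2])[A])                            # (Fraction(3, 10), Fraction(1, 2))
```

Run as a script, the block reports MU_PARTIAL as an element of Pi(Σ(X)) that the total measure P_TOTAL refines, flags MU_BAD as violating Ie2(a) and Ie3(b) (its lower bounds for the disjoint sets {a} and {b} already exceed 1, so no total measure can refine it), and shows that the pointwise least upper bound of NU1 and NU2, as well as a convex combination of a partial and a total measure, again satisfies all inequalities. The enumeration of all pairwise disjoint families is exponential in |Σ(X)| and is meant for small X only.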

4 Equational axioms

The axioms presented for partial probability measures were all inequalities and seemed consistent upon first inspection. However, if computing values of the measure for sets in Σ(X) is all we have access to, then these inequalities have to be turned into equalities. For example, if 1(A ∪ B) > 1(A) + 1(B) − 2(A ∩ B) were the case, then the computation of 1(A ∪ B) would have to involve some additional, hidden information that goes beyond what the measure can provide in isolation. Therefore, it would be of great interest to render a justification of axioms of probability with uncertainty or vagueness, such as the ones proposed below, by successfully transferring the game-theoretic justification of the axioms of probability provided by B. de Finetti in 1931. He showed that if some agent assigns degrees of belief (= elements of UI) to a subset of Σ(X), then these numbers violate the axioms of probability if, and only if, a betting game derived from these degrees has a winning strategy for another agent. Our modified degrees of belief would now be intervals (= elements of I). Such a game-theoretic characterization of consistency would greatly aid in, and ultimately justify, the choice among a host of possible partial versions of probability measures, thereby rendering a clean mathematical foundation for the semantics of systems with uncertain probabilistic information. Alternatively, let us call a set of axioms A consistent iff the partial ordering of all maps Σ(X) → I which satisfy A is a dcpo whose maximal elements are isomorphic to P(Σ(X)). Another satisfactory justification for our choice of axioms would be to show that E1 to E3 are somehow a minimal consistent set of axioms and Pe(Σ(X)), therefore, a maximal "consistent domain".

Definition 8. Let Pe(Σ(X)) be the partial ordering of all maps in Σ(X) → I which satisfy the axioms E1, E2, and E3, which are obtained from the axioms Ie1 to Ie3 by changing all inequalities to equalities.

A version for partial sub-probability measures would only consider axioms E2 and E3.

Proposition 5. The partial ordering Pe(Σ(X)) is a dcpo and its least upper bounds of directed sets are the ones formed in Σ(X) → I.

Proof. Since Pe(Σ(X)) is a subset of Pi(Σ(X)), it suffices to show the dual inequalities of Ie1 to Ie3, which is reasoned in a similar way.

Proposition 6. The map e_X : P(Σ(X)) → Pe(Σ(X)), which, like i_X, sends a probability measure to the map assigning to each A ∈ Σ(X) the degenerate interval whose two endpoints are the probability of A, is injective and monotone and maps into the set of maximal elements of Pe(Σ(X)). Moreover, the image of e_X equals the set of maximal elements in Pe(Σ(X)).

Proof. We may copy the proof for i_X and Pi(Σ(X)) except in two places. First, e_X is a well defined map since the image of a probability measure satisfies the equations E1 to E3; for P3, note that l(⋃_{i∈I} A_i) = Σ_{i∈I} l(A_i) holds for such an image and l = 1, 2. Second, we also have to show that a maximal element of Pe(Σ(X)), with components 1 and 2, is in the image of e_X. To that end consider the midpoint map Σ(X) → UI defined by A ↦ (1(A) + 2(A))/2. If this map is in P(Σ(X)), then clearly the maximal element lies below its image under e_X in Σ(X) → I, for 1(A) ≤ 2(A) implies 1(A) ≤ (1(A) + 2(A))/2 ≤ 2(A). Since the element is maximal in Pi(Σ(X)), this would finish the proof. Thus, it suffices to show that the midpoint map is in P(Σ(X)):

P1. At X the midpoint map takes the value (1(X) + 2(X))/2 = (1 + 1)/2 = 1 by E1;
P2. its value at A ∪ B plus its value at A ∩ B equals (1(A ∪ B) + 2(A ∪ B))/2 + (1(A ∩ B) + 2(A ∩ B))/2, and we can use axioms E2(a) and E2(b) to rearrange the latter expression into its value at A plus its value at B.
P3. We proceed as for P2, but also use the fact that infinite sums over UI are least upper bounds of directed sets. Let (A_j)_{j∈J} be a pairwise disjoint family in Σ(X). Then, for any i0 ∈ J, we compute with the equalities E3 taken for I = {i0}

(1(A_{i0}) + 2(A_{i0}))/2
  = (1(⋃_{j∈J} A_j) − Σ_{k≠i0} 2(A_k))/2 + (2(⋃_{j∈J} A_j) − Σ_{k≠i0} 1(A_k))/2
  = (1(⋃_{j∈J} A_j) + 2(⋃_{j∈J} A_j))/2 − Σ_{k≠i0} (1(A_k) + 2(A_k))/2,      (22)

where the first and last lines are the midpoint map's value at A_{i0}, respectively its value at ⋃_{j∈J} A_j minus the sum of its values at the A_k with k ≠ i0, yielding P3 for the midpoint map.

Partial probability measures may not enjoy properties that are known to hold for probability measures. For example, each element of P(Σ(X)) is monotone: A ⊆ B in Σ(X) implies that the value at A is at most the value at B. However, for an element of Pe(Σ(X)) this is true iff 1 = 2 iff it is a maximal element in that dcpo iff it "is" a probability measure.

References

1. S. Abramsky and A. Jung. Domain theory. In S. Abramsky, D. M. Gabbay, and T. S. E. Maibaum, editors, Handbook of Logic in Computer Science, volume 3, pages 1–168. Clarendon Press, 1994.
2. R. E. Bryant. Graph-based algorithms for boolean function manipulation. IEEE Transactions on Computers, C-35(8), 1986.
3. J. R. Burch, E. M. Clarke, D. L. Dill, K. L. McMillan, and J. Hwang. Symbolic model checking: 10^20 states and beyond. Proceedings of the Fifth Annual Symposium on Logic in Computer Science, June 1990.
4. K. Cerans, J. Chr. Godskesen, and K. G. Larsen. Timed Modal Specification – Theory and Tools. In Costas Courcoubetis, editor, 5th International Conference, CAV'93, pages 253–267. Springer Verlag, 1993. Elounda, Greece, June 28–July 1, 1993.
5. E. M. Clarke and E. A. Emerson. Synthesis of synchronization skeletons for branching time temporal logic. In D. Kozen, editor, Proc. Logic of Programs, volume 131 of LNCS. Springer Verlag, 1981.
6. E. M. Clarke, O. Grumberg, and D. E. Long. Model Checking and Abstraction. In 19th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 343–354. ACM Press, 1992.
7. E. M. Clarke, O. Grumberg, H. Hiraishi, S. Jha, D. E. Long, K. L. McMillan, and L. A. Ness. Verification of the Futurebus+ cache coherence protocol. In L. Claesen, editor, Proceedings of the Eleventh International Symposium on Computer Hardware Description Languages and their Applications. North-Holland, April 1993.
8. P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for static analysis of programs. In Proc. 4th ACM Symp. on Principles of Programming Languages, pages 238–252. ACM Press, 1977.
9. Dennis Dams, Rob Gerth, and Orna Grumberg. Abstract interpretation of reactive systems. ACM Transactions on Programming Languages and Systems, 19(2), 1997.
10. R. de Nicola and F. Vaandrager. Three Logics for Branching Bisimulation. Journal of the Association of Computing Machinery, 42(2):458–487, March 1995.
11. C. Derman. Finite-State Markovian Decision Processes. Academic Press, New York, 1970.
12. A. Edalat. Dynamical systems, Measures and Fractals via Domain Theory. Information and Computation, 120(1):32–48, 1995.
13. A. Edalat and M. H. Escardo. Integration in Real PCF. In IEEE Symposium on Logic in Computer Science. IEEE Computer Society Press, 1996.
14. A. Edalat, P. J. Potts, and M. H. Escardo. Semantics of exact arithmetic. In Twelfth Annual IEEE Symposium on Logic in Computer Science. IEEE Computer Society Press, 1997.
15. K. Fisler and M. Y. Vardi. Bisimulation and Model Checking. In Proceedings of the 10th IFIP WG 10.5 Advanced Research Working Conference on Correct Hardware Design and Verification Methods, September 1999. To appear.
16. P. R. Halmos. Measure Theory. D. Van Nostrand Company, 1950.
17. D. Heckerman. A tutorial on learning Bayesian networks. Technical Report MSR-TR-95-06, Microsoft Research, March 1995.
18. M. Huth. A Unifying Framework for Model Checking Labeled Kripke Structures, Modal Transition Systems, and Interval Transition Systems. In 19th International Conference on the Foundations of Software Technology & Theoretical Computer Science, Lecture Notes in Computer Science. Springer Verlag, 1999. To appear in December 1999.
19. B. Jonsson and K. G. Larsen. Specification and Refinement of Probabilistic Processes. In Proceedings of the International Symposium on Logic in Computer Science, pages 266–277. IEEE Computer Society Press, July 1991.
20. K. G. Larsen and B. Thomsen. A Modal Process Logic. In Third Annual Symposium on Logic in Computer Science, pages 203–210. IEEE Computer Society Press, 1988.
21. C. T. Lin and C. S. G. Lee. Neural-network-based fuzzy logic control and decision system. IEEE Transactions on Computers, 40:1320–1336, 1991.
22. K. L. McMillan. Symbolic Model Checking. Kluwer Academic Publishers, 1993.
23. R. Milner. An algebraic definition of simulation between programs. In 2nd International Joint Conference on Artificial Intelligence, pages 481–489. British Computer Society, London, 1971.
24. R. Milner. Communication and Concurrency. Series in Computer Science. Prentice-Hall International, 1989.
25. R. E. Moore. Interval Analysis. Prentice-Hall, Englewood Cliffs, 1966.
26. D. M. Park. Concurrency on automata and infinite sequences. In P. Deussen, editor, Conference on Theoretical Computer Science, volume 104 of Lecture Notes in Computer Science. Springer Verlag, 1981.
27. B. Pierce. Basic Category Theory for Computer Scientists. Foundations of Computing Series. The MIT Press, 1991.
28. J. P. Quielle and J. Sifakis. Specification and verification of concurrent systems in CESAR. In Proceedings of the Fifth International Symposium on Programming, 1981.
29. D. S. Scott. Continuous lattices. In F. Lawvere, editor, Toposes, Algebraic Geometry and Logic, volume 274 of Lecture Notes in Mathematics, pages 97–136. Springer Verlag, 1972.
30. D. S. Scott. Lattice Theory, Data Types and Semantics. In Formal Semantics of Programming Languages, pages 66–106. Prentice-Hall, 1972.
31. M. Vardi. Automatic Verification of Probabilistic Concurrent Finite-State Programs. In Proc. FOCS'85, pages 327–338. IEEE, 1985.