Labelled transition systems as a Stone space

A fully abstract and universal domain model for modal transition systems and refinement is shown to be a maximal-points space model for the bisimulation quotient of labelled transition systems over a finite set of events. In this domain model we prove that this quotient is a Stone space whose compact, zero-dimensional, and ultra-metrizable Hausdorff topology measures the degree of bisimilarity such that image-finite labelled transition systems are dense. Using this compactness we show that the set of labelled transition systems that refine a modal transition system, its "set of implementations", is compact and derive a compactness theorem for Hennessy-Milner logic on such implementation sets. These results extend to systems that also have partially specified state propositions, unify existing denotational, operational, and metric semantics on partial processes, render robust consistency measures for modal transition systems, and yield an abstract interpretation of compact sets of labelled transition systems as Scott-closed sets of modal transition systems.


Introduction
Labelled transition systems are a fundamental modelling formalism in many areas of computer science and one often needs to compare two or more such systems in applications. For example, in doing state compression prior to model checking one wants to ensure that the compressed system yields the same model checks as the uncompressed one. Similarly, if one system is a specification and another one its implementation, then program correctness can be established by proving these systems to be equivalent. By the same token, if two systems are not equivalent, one may want to know to what degree this is so, e.g. in a risk analysis of a safety-critical system. This paper chooses bisimulation as the notion of equivalence of labelled transition systems. Bisimulation is an established, sufficiently fine-grained notion of equivalence between labelled transition systems [35] so any approximative notions, e.g. testing [37], have bisimulation as a well accepted point of reference. Since quantitative aspects ought to be invariant under bisimulation, we stipulate that the quotient of all labelled transition systems with respect to bisimulation is the right conceptual space for reasoning about and comparing quantitative aspects of labelled transition systems.
If two labelled transition systems are not bisimilar, one may require a quantitative measure of such differences and such a measure has many applications. We mention security protocols [39], where one system is the specification and the other is an implementation and where we may wish to quantify illicit information flow [15] or the effort needed to expose implementation flaws; modal specifications [32], where a specification captures a possibly infinite set of mutually non-bisimilar labelled transition systems; and requirements engineering [16], where each system may be the modal specification of a particular viewpoint and consistency measures on modal specifications are sought.
One principal aim of this paper is to unify several strands of established work in one integrated framework: metric semantics of processes à la Bakker & Zucker [12]; use of Hennessy-Milner logic, domain theory and transition systems à la Abramsky [1]; means of under-specifying and refining processes à la Larsen & Thomsen [33]; and representations of classical topological spaces as maximal-point spaces of domains à la Lawson [34]. To that end, we use a domain D, defined in [27] and shown to be a universal model for finitely-branching modal transition systems and fully abstract for their refinement in loc. cit.
Specifically, we discover that the metric induced by the Lawson topology on D is a generalization of the one in [12] to modal transition systems; that the subspace of maximal elements of D is a Stone space with respect to the Lawson (or Scott) topology; and that this Stone space is an isomorphic representation of the quotient of all labelled transition systems modulo bisimulation, so the topology and metric carry over to that quotient. Since a Stone space has a complete ultra-metric, our model has labelled transition systems that are not image-finite, allowing the modelling of continuous state spaces, but all labelled transition systems can be approximated by image-finite ones to any degree of precision.
The compactness of this quotient space then makes it possible to study the topological structure of sets of implementations for modal transition systems, the second principal aim of this paper. In particular, our topological analysis shows that 3-valued model checking [5,6] reasons about compact sets of labelled transition systems, namely the set of all 2-valued refinements of a given 3-valued system. We propose two measures, a pessimistic and an optimistic one, for how close any refining labelled transition systems of two such 3-valued systems can be. Using compactness, we prove that the optimistic measure is zero iff the two 3-valued systems in question have a common refinement.
Our concepts and results are also robust under a change of representation, e.g. in moving from event-based to state-based systems or those that combine state and event information. It would be of interest to see whether results similar to the ones of this paper are obtainable for systems that explicitly represent time, probability (e.g. as done in [13,15]) or other quantitative information.
Outline of this paper: In Section 2 we review modal transition systems, their refinement, and a fully abstract domain model for these notions. Section 3 establishes the central result of this paper, showing that the maximal-points space of the fully abstract domain of Section 2 is a Stone space and the quotient of all labelled transition systems with respect to bisimulation. In Section 4 we give three applications of the compactness of this maximal-points space: a compactness theorem for Hennessy-Milner logic on compact sets of implementations, an abstract interpretation of compact sets of implementations as Scott-closed sets of modal transition systems, and a robust consistency measure for modal transition systems. Section 5 states related work, and Section 6 concludes.

Domain of modal transition systems
Modal transition systems [33] are defined like labelled transition systems, except that transitions come in two modes that specify whether such transitions must or may be implemented. A refinement relation between modal transition systems therefore associates to a modal transition system those refining labelled transition systems in which all implementation choices have been resolved. In this section we formalize these notions and present the domain of [27] as a faithful mathematical model of the model-checking framework of modal transition systems.
2.1. Mixed transition systems and refinement. We define Larsen & Thomsen's modal transition systems [33], their refinement and other key concepts formally and present the domain D which is a fully abstract model of such systems and their refinement [27]. Our results are shown within that domain. In this paper, let (α, β, · · · ∈)Act be a fixed finite set of events and (w, w ′ , · · · ∈)Act * the set of finite words over Act with ε denoting the word of length zero. The labelled transition systems considered here have events from Act only. The structural properties of our domain model require that we also define Dams' more general notion of mixed transition systems [9,11]. A modal transition system M has two transition relations R a , R c ⊆ Σ × Act × Σ on a set of states Σ. The sets R a and Σ × Act × Σ \ R c specify contractual promises or expectations about the reactive capacity and incapacity of implementations, respectively. These guarantees are to be understood with respect to the refinement of states. We write "a" in R a to denote asserted behavior and "c" in R c to denote consistent behavior and use these annotations in judgments |= a and |= c below with the same meaning.
Example 2.1. In Figure 1 we see a contractual guarantee that any state refining Drinks cannot have a transition labelled with newPint to a state refining Talks as the triple (Drinks, newPint, Talks) is not in R c . There is a contractual guarantee that any state refining Waits has a R a -transition labelled with newPint to all states that refine Drinks or Talks.
• We call M image-finite iff for all s ∈ Σ, α ∈ Act, and m ∈ {a, c} the set {s ′ ∈ Σ | (s, α, s ′ ) ∈ R m } is finite.
• A mixed transition system M with a designated initial state i is pointed, written (M, i).
• We call elements of R a must-transitions and elements of R c \R a may-transitions.
(2) Let M = (Σ, R a , R c ) be a mixed transition system.
• A relation Q ⊆ Σ × Σ is a refinement within M [33,9] iff (s, t) ∈ Q implies, for all α ∈ Act, (a) if (s, α, s ′ ) ∈ R a , there exists some (t, α, t ′ ) ∈ R a such that (s ′ , t ′ ) ∈ Q; and
In that case, t refines (is abstracted by) s.
• States s and t are refinement-equivalent iff (s≺t and t≺s).
Figure 1: An image-finite modal transition system specifying aspects of "pub behavior."
• Let (M, i)≺(N, j) mean that j refines i in the mixed transition system that is the disjoint union of M and N ; (M, i) and (N, j) are refinement-equivalent iff i and j are refinement-equivalent in that union.
• The implementations of (M, i) are those pointed modal transition systems without may-transitions that refine (M, i).
As the union ≺ M of all refinements within M is also a refinement within M , ≺ M is the greatest refinement relation within M . Please note that we use the relational inverse of the Q in [33,9,27], as done in [19], so our (M, i)≺(N, j) is written as (N, j)≺(M, i) in [27]. Larsen & Thomsen's modal transition systems and their refinement [33] are partial versions of labelled transition systems and bisimulation [35]. A modal transition system represents those labelled transition systems that refine it, the implementations of M . This representation is sound, for if a modal transition system M refines a modal transition system N , all labelled transition systems that refine M also refine N as ≺ is transitive.
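The greatest refinement relation can be computed on a finite system by starting from Σ × Σ and discarding pairs that violate the refinement clauses until nothing changes. The following is an added example, not code from the paper: clause (a) is the one stated above, clause (b) does not survive in the text above and is assumed here to be the usual dual condition on R c, and the vending-style systems and all state and event names are constructed.

```python
from itertools import product

def successors(rel, state, event):
    """Targets of `event`-labelled transitions leaving `state` in relation `rel`."""
    return {t for (s, e, t) in rel if s == state and e == event}

def greatest_refinement(states, must, may):
    """Greatest refinement within the mixed transition system (states, must, may),
    where must = R^a and may = R^c. A pair (s, t) in the result means: t refines s."""
    events = {e for (_, e, _) in must | may}
    q = set(product(states, states))      # start from Sigma x Sigma
    changed = True
    while changed:                        # shrink until a fixed point is reached
        changed = False
        for (s, t) in list(q):
            # (a) every R^a-transition of s is matched by an R^a-transition of t
            a_ok = all(
                any((s2, t2) in q for t2 in successors(must, t, ev))
                for ev in events for s2 in successors(must, s, ev))
            # (b) assumed dual clause: every R^c-transition of t is matched
            #     by an R^c-transition of s
            b_ok = all(
                any((s2, t2) in q for s2 in successors(may, s, ev))
                for ev in events for t2 in successors(may, t, ev))
            if not (a_ok and b_ok):
                q.discard((s, t))
                changed = True
    return q

def lts(transitions):
    """A labelled transition system seen as a modal one with R^a = R^c."""
    return set(transitions), set(transitions)

def refines(spec, spec_init, impl, impl_init):
    """Does (impl, impl_init) refine (spec, spec_init)? Works in the union of the
    two systems; their state names are assumed to be distinct."""
    must = spec[0] | impl[0]
    may = spec[1] | impl[1]
    states = {x for (s, _, t) in must | may for x in (s, t)} | {spec_init, impl_init}
    return (spec_init, impl_init) in greatest_refinement(states, must, may)

# Constructed specification: tea must be offered, coffee may be offered.
SPEC = (
    {("s0", "coin", "s1"), ("s1", "tea", "s0")},                          # R^a
    {("s0", "coin", "s1"), ("s1", "tea", "s0"), ("s1", "coffee", "s0")},  # R^c
)
# Constructed candidate implementations (no may-transitions).
IMPL_BOTH = lts({("a0", "coin", "a1"), ("a1", "tea", "a0"), ("a1", "coffee", "a0")})
IMPL_TEA = lts({("b0", "coin", "b1"), ("b1", "tea", "b0")})
NO_TEA = lts({("c0", "coin", "c1"), ("c1", "coffee", "c0")})        # violates (a)
EXTRA = lts({("d0", "coin", "d1"), ("d1", "tea", "d0"),
             ("d1", "beer", "d0")})                                 # violates (b)

if __name__ == "__main__":
    for name, impl, init in [("tea and coffee", IMPL_BOTH, "a0"),
                             ("tea only", IMPL_TEA, "b0"),
                             ("no tea", NO_TEA, "c0"),
                             ("extra beer", EXTRA, "d0")]:
        print(f"{name:15s} refines SPEC: {refines(SPEC, 's0', impl, init)}")
```

Between two systems built with `lts`, the same check decides bisimilarity, so `IMPL_BOTH` and `IMPL_TEA` both implement `SPEC` without refining each other.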
(1) Figures 1 and 2 depict modal transition systems, where dashed and solid lines depict may-transitions and must-transitions, respectively. The refinement Q identifies states with the same activity; e.g. Drinks with TomDrinks and BobDrinks etc. (2) The mixed transition system on the left of Figure 4 is not a modal transition system but is refinement-equivalent to the modal transition system on the right of Figure 4.
Remark 2.4. We may identify modal transition systems (Σ, R, R) with labelled transition systems (Σ, R) and refinement between such modal transition systems with bisimulation [33] and will freely move between these two representations of labelled transition systems and bisimulation subsequently.
Figure 2: An image-finite modal transition system that refines the one in Figure 1.
interval domain [41]      [max(r, r ′ ), min(s, s ′ )], where [x, y] is understood to be ⊥ if x ≤ y, tells us whether its inputs are consistent with each other by checking whether its output is different from ⊥. Non-overlapping intervals cannot possibly approximate the same real number. The domain model D for refinement of modal transition systems [27] has similar properties which we discuss briefly here prior to their technical development in this paper. The completeness proof for implementations for refinement of modal transition systems does not depend on the compactness of max(D), is non-trivial, and presented elsewhere [28]. Universality amounts to showing that every modal transition system has a refinement-equivalent embedding in the domain D. Full abstraction means that the order on D equals the greatest refinement relation on D interpreted as a modal transition system. The maximal-points space max(D) of D gives us a precise model of labelled transition systems and their notion of "nearness." This space turns out to be the quotient of labelled transition systems with respect to bisimulation such that the familiar metric based on tests expressed in Hennessy-Milner logic [37] induces the topology on that space. Finite-state labelled transition systems are shown to be dense in this space. Finally, the compactness of this space is proved and a monotone consistency measure c : D × D → I (2.1) between two modal transition systems is then derived thereof. Said compactness then renders a Galois connection between compact sets of implementations and Scott-closed sets of modal transition systems as shown in Theorem 4.6 below. Apart from these similarities with I, a key difference is that D is algebraic and that the maximal-points space is therefore zero-dimensional.
2.3. The domain model for refinement of modal transition systems. The reader familiar with domain theory [2] may safely skip the next definition.
Definition 2.6. (1) • A topological space (X, τ ) consists of a set X and a family τ of subsets of X such that {} and X are in τ , and τ is closed under finite intersections and arbitrary unions.
sets that are τ -open and τ -closed are τ -clopen.
(2) • A subset A of a partial order (D, ≤) is directed iff (for all a, a ′ ∈ A there is some a ′′ ∈ A with a, a ′ ≤ a ′′ ).
• We denote by We write K(D) for the set of compact elements of D.
• A bifinite domain, also known as an SFP-domain, is an algebraic dcpo D such that for every finite subset F ⊆ K(D) the set mub ∞ (F ) is finite, contained in K(D), and ub(F ) = ↑mub(F ) where for any X ⊆ D we write
• We call X upper iff X = ↑X; lower iff X = ↓X.
• the Lawson-topology λ D to consist of all subsets V of D such that x ∈ V implies the existence of some k, l ∈ K(D) with x ∈ ↑k \ ↑l ⊆ V ; and
• the σ D -compact saturated subsets of D to be the λ D -closed upper subsets of D.
The definitions of item (3) above are really characterizations [2]. We use the initial solution D of a domain equation, presented in [27] and denoted by D in loc. cit., as the domain whose set of maximal points we prove to be the Stone space of pointed labelled transition systems modulo bisimulation. The items (2)
Figure 4 (caption, partial): On the right: a modal transition system that is refinement-equivalent to the mixed transition system on the left. Its set of must-transitions is R a ∩ R c (solid lines) and its set of may-transitions is R c (solid or dashed lines).
Thus, the L and U in (2.2) model R a -and R c -transitions within D, respectively. The order-theoretic mix condition (2.2) has an equivalent version for mixed transition systems.
As shown in Proposition 3 in [27], (2.2) ensures that D satisfies the mix condition (MC) since the order on D is a refinement within D: for all (e, α, e ′ ) ∈ R a there is some (e, α, e ′′ ) ∈ R a ∩ R c such that (D, e ′ )≺(D, e ′′ ). Example 2.9. Figure 4 demonstrates that mixed transition systems (Σ, R a , R c ) that satisfy the mix condition (MC) are refinement-equivalent to modal transition systems (Σ, R a ∩ R c , R c ). Therefore, such mixed transition systems are merely modal transition systems in disguise [27].
Remark 2.10. By Proposition 1 in [27] and as seen in the previous example, the mix condition (MC) guarantees that the mixed transition system (D, R a , R c ) is refinement-equivalent to the modal transition system (D, R a ∩ R c , R c ). Therefore all reasoning that is invariant under refinement equivalence, as is the case in this paper, may be done with the latter modal transition system and we abuse notation to refer to that modal transition system as D as well.
The domain model D is universal: There is an embedding (M, i) → | M, i | from the class of image-finite pointed mixed transition systems satisfying the mix condition (MC) to elements of D such that (M, i) and (D, | M, i | ) are refinement-equivalent (Theorem 6.1 in [27]). The domain model D is fully abstract: For all d, e ∈ D, we have d ≤ e iff (D, d)≺(D, e) (Theorem 5 in [27]). For the sake of completeness, we sketch the construction of this embedding and needed aspects of the full abstraction proof in the next section.

Stone space of labelled transition systems
We show that the maximal elements of D are precisely the representations of pointed labelled transition systems modulo bisimulation; and that this quotient is a Stone space and therefore determined by a complete ultra metric.
3.1. The maximal-points space. We define the required notions from topology.
open set is the union of τ -clopens; and (d) a Stone space iff it is zero-dimensional, compact, and Hausdorff. Since D is a bifinite domain, the Lawson condition [34] holds for D, namely that the topology τ X is also induced by the λ D -topology: (3.4) We remark that not all bifinite domains D enjoy the property that max(D) is compact in the topology induced by σ D or λ D .

3.2. Maximal-points space is zero-dimensional and Hausdorff. We first record that τ X is Hausdorff and zero-dimensional. Proposition 3.2 below holds for any algebraic domain satisfying the Lawson condition [34]. We state and prove that proposition for D for the sake of completeness. Proof.
• Every U ∈ σ D is the union of σ D -opens ↑k, k ∈ K(D), as D is algebraic. But each ↑k is λ D -clopen as σ D ⊆ λ D and ↑k is λ D -closed. From the Lawson condition for D, (3.4), we infer that M (k) is τ X -clopen and so τ X is zero-dimensional as every O ∈ τ X is the union of such sets.
• To show that τ X is Hausdorff, let x ≠ y. Since D is a partial order we may assume x ≰ y without loss of generality. Since D is algebraic, x ≰ y implies k ≰ y and k ≤ x
3.3. Semantics of Hennessy-Milner logic. We use tools from temporal logic to develop a sufficient criterion for membership in max(D).
(1) The set of formulas of Hennessy-Milner logic [24] is generated by the grammar where α ranges over the finite set of events Act.
Please note that |= m [α]φ universally quantifies over transitions in the dual mode ¬m.
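The two judgments |= a and |= c can be evaluated mechanically on a finite modal transition system, which gives the three verdicts of 3-valued model checking. The following is an added example, not code from the paper: the clauses for tt, ¬, ∨ and ⟨α⟩ are the usual ones for modal transition systems and are an assumption here, since the defining figure is not reproduced on this page; the fragment of N and the event name talks are constructed, keeping only the two facts about Talks and drinks used in Example 3.5 below.

```python
def successors(rel, state, event):
    """Targets of `event`-labelled transitions leaving `state` in relation `rel`."""
    return {t for (s, e, t) in rel if s == state and e == event}

# Formulas are nested tuples.
TT = ("tt",)
def neg(f): return ("not", f)
def lor(f, g): return ("or", f, g)
def dia(event, f): return ("dia", event, f)    # <event> f
def box(event, f): return ("box", event, f)    # [event] f

def sat(mts, state, formula, mode):
    """Judgment (mts, state) |=mode formula, where mts = {"a": R^a, "c": R^c},
    mode "a" means asserted and mode "c" means consistent."""
    dual = "c" if mode == "a" else "a"
    op = formula[0]
    if op == "tt":
        return True
    if op == "not":                 # negation switches to the dual mode
        return not sat(mts, state, formula[1], dual)
    if op == "or":
        return sat(mts, state, formula[1], mode) or sat(mts, state, formula[2], mode)
    if op == "dia":                 # existential over transitions in mode m
        return any(sat(mts, t, formula[2], mode)
                   for t in successors(mts[mode], state, formula[1]))
    if op == "box":                 # universal over transitions in the dual mode
        return all(sat(mts, t, formula[2], mode)
                   for t in successors(mts[dual], state, formula[1]))
    raise ValueError(f"unknown operator {op!r}")

def verdict(mts, state, formula):
    """Three-valued reading: asserted, refuted, or left open by the system."""
    if sat(mts, state, formula, "a"):
        return "true"
    if not sat(mts, state, formula, "c"):
        return "false"
    return "unknown"

# Constructed fragment: (Talks, drinks, Drinks) is a may-transition only.
N_FRAGMENT = {
    "a": {("Drinks", "talks", "Talks")},
    "c": {("Drinks", "talks", "Talks"), ("Talks", "drinks", "Drinks")},
}
# Two constructed labelled transition systems (R^a = R^c) that resolve the choice.
WITH_DRINKS = {m: {("Drinks", "talks", "Talks"), ("Talks", "drinks", "Drinks")}
               for m in ("a", "c")}
WITHOUT_DRINKS = {m: {("Drinks", "talks", "Talks")} for m in ("a", "c")}

CAN_DRINK = dia("drinks", TT)
TAUTOLOGY = lor(CAN_DRINK, neg(CAN_DRINK))

if __name__ == "__main__":
    for name, system in [("N fragment", N_FRAGMENT),
                         ("with drinks", WITH_DRINKS),
                         ("without drinks", WITHOUT_DRINKS)]:
        print(f"{name:15s} <drinks>tt: {verdict(system, 'Talks', CAN_DRINK):8s}"
              f" tautology: {verdict(system, 'Talks', TAUTOLOGY)}")
```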
Example 3.5. Consider the modal transition system N in Figure 1.
(1) We have (N, Talks) |= c ⟨drinks⟩tt because of the R c -transition (Talks, drinks, Drinks). By the semantics of negation, this implies (N, Talks) ⊭ a ¬⟨drinks⟩tt. We also infer (N, Talks) ⊭ a ⟨drinks⟩tt as there is no state s with (Talks, drinks, s) ∈ R a . By the semantics of disjunction, these two judgments render (N, Talks) ⊭ a ⟨drinks⟩tt ∨ ¬⟨drinks⟩tt. This judgment says that we can't determine that ⟨drinks⟩tt ∨ ¬⟨drinks⟩tt is asserted in state Talks in N . As that formula is a tautology over labelled transition systems we see that judgments (N, Talks) |= a φ under-approximate validity judgments "all refinements of (N, Talks) satisfy φ." As we show below, it turns out that the ability to capture these validity judgments for certain tautologies over labelled transition systems via |= a is what characterizes modal transition systems that are refinement-equivalent to labelled transition systems.
[27]. This construction follows ideas from algebraic semantics à la Nivat-Courcelle-Guessarian [7] or à la Goguen-Thatcher-Wagner-Wright [21] in that we unfold pointed modal transition systems as finite trees for a fixed depth, adding a may-stub to all leaves of that tree for which there are still outgoing transitions in the pointed modal transition system. This unfolding is presented here via a simple process algebra.
(1) The grammar for the process algebra MPA is where α ranges over the finite set of events Act and no p in p + p is allowed to be ⊥ or 0.
We record that the denotational semantics of MPA in D matches the structural operational semantics. This proof is straightforward and amounts to showing that the saturations with ↓ and ↑ in D do not break refinement equivalence as they always occur in the right direction.
Figure 6: A denotational semantics of MPA in D that interprets 0 as deadlock, ⊥ as the least element, + as the mix union of [23], and the prefixes as expected using saturations with ↓ and ↑ to ensure membership in D.
and note, shown in [23] for bifinite domains without reference to a process algebra, that
We define the characteristic formulas for terms p of the process algebra MPA, which will also be the characteristic formulas of the compact elements {| p |} of D.
Proof. We prove this by structural induction on p ∈ MPA.
Figure 9: The characteristic formulas φ p for terms p of the process algebra MPA.
This characterization is the key to proving that D is fully abstract and that refinement is characterized by the semantics for Hennessy-Milner logic. We demonstrate that embeddings of pointed image-finite labelled transition systems are dense in (X, τ X ), which we subsequently show to be the quotient space of all pointed labelled transition systems with respect to bisimulation. The denseness argument rests on the fact that embeddings of implementations are maximal elements of D. Proposition 3.14. The set of all embeddings of pointed image-finite labelled transition systems is dense in (X, τ X ).
Proof. As any pointed image-finite labelled transition system (L, l) is refinement-equivalent to (D, | L, l | ) [27], the embedding | L, l | is in max(D) = X since it satisfies the assumptions of Lemma 3.13.
Let O ∈ τ X be non-empty, so O = U ∩ max(D) for some U ∈ σ D and there is some

3.5. Compactness of maximal-points space. We show that (X, τ X ) is compact by proving, indirectly, that max(D) is λ D -closed. Using results from [4] one could show that max(D) is λ D -closed by finding a subset T of K(D) that is a finitely branching tree and co-final in K(D). Given a candidate of such a T , the property that is difficult to ascertain is that any two elements of T that have an upper bound in K(D) are comparable. For example, consider the compact elements {| α tt .⊥ + β tt .0 |} and {| α tt .0 + β tt .⊥ |}, both of which have the compact element {| α tt .0 + β tt .0 |} as an upper bound yet neither of them refines the other.
Faced with these difficulties, we therefore take a different route and realize max(D) as the set of those elements d of D that pass a set of judgments (D, d)|= a ψ w, α p where ψ w, α p are formulas of Hennessy-Milner logic. (1) Let w = δ 1 δ 2 . . . δ n ∈ Act * , α ∈ Act, and p ∈ MPA. Then we define the Hennessy-Milner logic formula 10) with φ p as in Figure 9.
For each formula φ in Φ, the test (D, d)|= a φ checks whether there is a certain R c -reachable state from d with a certain outgoing may-transition that cannot be matched with a corresponding outgoing must-transition. Accordingly, C Φ consists of those elements whose reachable states always find such a match. Intuitively, those should be the elements that represent labelled transition systems. Rather than proving directly that max(D) is λ D -closed, we first establish that C Φ is λ D -closed and then prove max(D) = C Φ . Whence maximal elements in D are exactly those elements whose reachable may-transitions have matching must-transitions. As C Φ is the intersection of sets of the form [| φ |] a , we can show that the former is λ D -closed by proving that all latter sets are λ D -closed. We do this by structural induction on φ which requires a stronger induction hypothesis. Since y ∈ c(y) a α ∩ F φ for all y ∈ C, we get ↑C ⊆ [| α φ |] a as the latter set is upper. Note that for each y ∈ F φ we have c(y) ≤ e in D iff y ∈ e a α . Therefore, e ∈ [| α φ |] a implies e ∈ ↑C. Thus, [| α φ |] a equals ↑C for the finite subset C of K(D).
In [43] open sets are thought of as observable properties, so the denotations of Hennessy-Milner logic formulas in D (and in X) are closed under negation as observations. If we extend these denotations to the modal mu-calculus [31], we expect observable properties to correspond to sets in the Borel algebra generated by σ D .
Using the denseness of embeddings of image-finite labelled transition systems in X, we can prove the inclusion max(X) ⊆ C Φ .
Proof. Let A be the set of all embeddings | L, l | of pointed image-finite labelled transition systems (L, l). Then A ⊆ C Φ follows as
• (D, | L, l | ) is refinement-equivalent to (L, l),
• α φ ∨ ¬α φ is valid over labelled transition systems for all φ of Hennessy-Milner logic,
• [δ i ]φ is valid over labelled transition systems whenever φ is, and
• |= a is the standard semantics of Hennessy-Milner logic over labelled transition systems.
By Proposition 3.14, A is a dense subset of (X, τ X ) and so its superset C Φ ∩ max(D) is also dense in (X, τ X ) and is τ X -closed by the Lawson condition for D since C Φ is λ D -closed by Lemma 3.17. But the only dense τ X -closed subset of (X, τ X ) is X itself and so
For a proof of the reverse inclusion C Φ ⊆ max(X) we need to clarify the structure of elements in C Φ .

Proof.
(1) Let d ′ be reachable from d in (D, R c ) and let w ′ ∈ Act * be the word obtained by travelling from d to d ′ on such a path. Given ψ w, α p ∈ Φ, the concatenation w ′ w is in Act * and so ψ w ′ w, α p ∈ Φ. Thus the path for w ′ above and
We now have all the machinery at our disposal for stating and proving our main results in the next two theorems.
Proof. From item (3) of Lemma 3.19 and Lemma 3.13 we infer C Φ ⊆ max(D). Lemma 3.18 then renders max(D) = C Φ . By Lemma 3.17, this means that max(D) is λ D -closed. By Propositions 3.2 and 3.14, it suffices to show that (X, τ X ) is compact. Let X = ⋃𝒰 for 𝒰 ⊆ τ X . By the definition of τ X , each U ∈ 𝒰 is of the form V U ∩ max(D) for some V U ∈ σ D . Since D is a bifinite domain, (D, λ D ) is compact [2]. Since max(D) is λ D -closed it is λ D -compact as a λ D -closed subset of the compact space (D, λ D ). From X = ⋃𝒰 and σ D ⊆ λ D we infer that max(D) ⊆ ⋃{V U | U ∈ 𝒰} ⊆ λ D . The λ D -compactness of max(D) therefore implies the existence of a finite set ℱ ⊆ 𝒰 with max(D) ⊆ ⋃{V U | U ∈ ℱ}. But then X ⊆ ⋃ℱ follows.
3.6. Maximal-points space as quotient space of labelled transition systems. Theorem 3.20 is of interest in its own right since max(D) is not λ D -closed for bifinite domains D in general. But we also have to demonstrate that X is the desired quotient space of labelled transition systems modulo bisimulation.  of sets where x = (x α ) α∈Act models the α-successors of x as the τ X -compact set x α , for each α ∈ Act. Proof.
(1) Whenever a state s has infinitely many states {s i | i ∈ I} as α-successors for R c , choose a finite subset F of I, retain transitions (s, α, s i ) and their must/may status for all i ∈ F , discard all (s, α, s i ) with i ∉ F , and create a may-stub s F ({| s F |} = ⊥ D ) and a may-transition (s, α, s F ). Doing this for all events while, at the same time, unfolding (M, i) as a tree ensures that all approximations are image-finite with limit | M, i | such that (D, | M, i | ) is refinement-equivalent to (M, i). In particular, | M, i | ∈ max(D) by Lemma 3.13 whenever (M, i) is a labelled transition system.
(2) Let d ∈ max(D) and α ∈ Act. The set d a α ∩ d c α is in C Φ , which equals max(D), and d c α = ↑(d a α ∩ d c α ) by Lemma 3.19 and Theorem 3.20. Combining this with (2.2), we But since C Φ is closed under states reachable in (D, R c ), we may assume this representation for all elements e reachable from d in (D, R c ). Therefore, (D, d) is refinement-equivalent to the modal transition system with no may-transitions that replaces ↓(e a α ∩ e c α ) with e a α ∩ e c α for all α ∈ Act and all e reachable from d in (D, R c ).
(3) The isomorphism follows from the equation for D and Lemmas 34.5 and 25 of [4]; the latter is stated for SFP M -domains D, which are bifinite, but its proof only requires that max(D) is λ D -closed.
An immediate consequence of these two main theorems is that sets of implementations of modal transition systems are compact in the quotient space modulo bisimulation.

Applications of compactness
We now discuss some of the consequences of the compactness of τ X : a compactness theorem for Hennessy-Milner logic on compact sets of implementations, an abstract interpretation of compact sets of implementations as Scott-closed sets of modal transition systems, and a robust consistency measure for modal transition systems.

4.1. A compactness theorem for sets of implementations. Compactness of (X, τ X ), stated in terms of Hennessy-Milner logic, is familiar from first-order logic but here secured without appeal to a complete proof system. Such semantic techniques for proving compactness are not new; we mention model-theoretic techniques based on ultra-filters. A compactness theorem for Hennessy-Milner logic alone already follows from its standard encoding in first-order logic. However, we prove a compactness result that goes beyond Hennessy-Milner logic as it applies to compact sets of labelled transition systems, in particular to the set of common implementations of finitely-many pointed modal transition systems. For a single such system, (D, ⊥ D ), we then regain the familiar compactness theorem for Hennessy-Milner logic. Our result is stronger than this familiar theorem as the sets of implementations of pointed modal transition systems are not expressible through Hennessy-Milner logic. In Theorem 4.8(2) below we see that these sets are expressible in Hennessy-Milner logic extended with greatest fixed points for finite-state modal transition systems. (1) Let Γ be a set of formulas of Hennessy-Milner logic and C a τ X -compact set such that for all finite subsets ∆ of Γ there is some c ∆ ∈ C that satisfies ∆. Then there is some c Γ ∈ C that satisfies all formulas of Γ. Proof. By Corollary 3.23 it suffices to prove item (1). By duality of consistency (i.e. satisfiability) and validity, it suffices to prove the dual statement of item (1): assume that every c ∈ C satisfies at least one φ ∈ Γ and show that there is a finite set ∆ ⊆ Γ such that ∆ is valid over the set C. By this assumption, we have
Example 4.2. Figure 10 depicts schematically the set of common implementations of two pointed modal transition systems (D, d) and (D, e), the intersection of the implementations of d and e. This is a compact subset of X and so we get a compactness theorem for Hennessy-Milner logic on that set.

4.2. Abstract interpretation of τ X -compact sets of implementations. Cousot & Cousot's abstract interpretation framework [8] approximates concrete objects and their transformations by abstract objects and transformations such that reasoning on abstract objects is sound for their concretizations. In a simple setting, one is given a set C of concrete objects (e.g. computer programs) and a partial order (A, ≤) of abstract objects, a monotone abstraction function α : (P(C), ⊆) → (A, ≤), and a monotone concretization function γ : (A, ≤) → (P(C), ⊆). The value a = α(X) should represent the best approximation of X ⊆ C within the partial order (A, ≤) and γ(a) should represent the set of those concrete objects that are abstracted by a. One can encode these intuitions by making α and γ a Galois connection [8], a notion we define below.
The fact that modal transition systems cannot be such optimal abstractions of τ X -compact sets seems to be related to the incompleteness of modal transition systems for abstraction-based model checking [10] since D is not bounded complete. But there is a Galois connection between τ X -compact subsets of X and σ D -closed subsets of D. For a τ X -compact set C its set of concretizations is the Scott-closed set of all (M, s) for which C ⊆ M ( | M, s | ). Conversely, a Scott-closed subset L of pointed modal transition systems is abstracted as the set of those pointed labelled transition systems that implement all elements of L. (1) Let L[D] = {L | L σ D -closed} be the set of σ D -closed subsets of D, ordered by set inclusion: L is less than or equal to L ′ iff L ⊆ L ′ . (2) Let L 1 and L 2 be complete lattices. A Galois connection [17] is a pair of monotone maps α : L 1 → L 2 and γ : L 2 → L 1 such that for all x ∈ L 1 we have γ(α(x)) ≥ x and for all y ∈ L 2 we have α(γ(y)) ≤ y. In that case, α is the upper adjoint of γ.
form a Galois connection, where $\alpha$ is the upper adjoint of $\gamma$.

Proof.
• The map $\gamma$ is well defined. First $d \le e$ implies $M(e) \subseteq M(d)$ and so $\gamma(C)$ is a lower set. Second let $(d_i)_{i \in I}$ be directed in $\gamma(C)$. Then $C \subseteq \bigcap_{i \in I} M(d_i)$ and the latter equals $M(\bigsqcup_{i \in I} d_i)$, so $\gamma(C)$ is $\sigma_D$-closed.
• The map $\alpha$ is well defined. For if $L$ is empty, then $\alpha(L) = X$ is $\tau_X$-compact; and if $L$ is non-empty, $\alpha(L)$ is the intersection of $\lambda_D$-closed elements and so $\lambda_D$-closed whence $\tau_X$-compact.
• The map $\gamma$ is monotone. Let $C \sqsubseteq C'$, i.e. $C' \subseteq C$. Then $d \in \gamma(C)$ means $C \subseteq M(d)$ and so $C' \subseteq M(d)$ follows. Therefore $d \in \gamma(C')$ and so $\gamma(C) \subseteq \gamma(C')$.
Theorem 4.6 remains valid if we reverse the orders on the domains $C[X, \tau_X]$ and $L[D]$ and swap the names $\alpha$ and $\beta$ throughout the theorem and its proof. In that case, a $\tau_X$-compact set $C$ is abstracted by a set $L$ of pointed modal transition systems and any such $L$ has a set of pointed labelled transition systems as concretizations. This view is perhaps more natural.
Then the topology determined by $d_D$ and $d_X$ is $\lambda_D$ and $\tau_X$, respectively. For practical purposes we wish to enumerate $p \in \mathrm{MPA}$ in increasing modal depth of $\varphi_p$ in (3.9), corresponding to the iterative unfolding of the functional for bisimulation [35]. In that case, $d_X$ is essentially the metric in [12]. These metrics are standard and well understood but result in consistency measures if lifted to compact sets of implementations.
We

Example 4.7. Figure 10 shows a scenario where two pointed modal transition systems $(D, d)$ and $(D, e)$ have a common refinement, and so $c_1(d, e) = 0$.
Since $M(f)$ is $\tau_X$-compact for all $f \in D$ by Corollary 3.23, $c_1(d, e)$ and $c_2(d, e)$ are the metric analogue of symmetric $\forall\forall$ and $\exists\exists$ lifts of relations from elements to subsets, here of $d_X$ to $\tau_X$-compact subsets, respectively. The standard metric $c(d, e)$ between compact subsets $M(d)$ and $M(e)$, the Hausdorff distance, is the symmetric $\exists\forall$-lift of $d_X$ to $\tau_X$-compact subsets and so [38,30,42] of the same system such that the degree of consistency between these descriptions needs to be explored.
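The lifts discussed above can be tried out on a small finite instance; the following is an added illustration, not code from the paper. It unfolds the bisimulation functional on a constructed LTS to obtain a depth-based ultrametric and lifts it to finite sets of pointed systems. Assumptions: the distance $2^{-n}$, with $n$ the largest depth at which two states agree, stands in for $d_X$; $c_1$ and $c_2$ are taken as the infimum and supremum over pairs, following the lower-bound and upper-bound reading in the text; the finite sets `A` and `B` stand in for $M(d)$ and $M(e)$.

```python
from itertools import product

# Constructed sample LTS over the single event "a": state -> set of (event, successor).
# a0..a4 form a chain; b0..b2 is a copy of a0..a2, so b2 is bisimilar to a2.
T = {"a0": set(), "a1": {("a", "a0")}, "a2": {("a", "a1")},
     "a3": {("a", "a2")}, "a4": {("a", "a3")},
     "b0": set(), "b1": {("a", "b0")}, "b2": {("a", "b1")}}

def unfold(T, rel):
    """Apply the bisimulation functional once to the symmetric relation rel."""
    def matches(s, t):  # every move of s is answered by an equally labelled move of t
        return all(any(a == b and (s2, t2) in rel for b, t2 in T[t])
                   for a, s2 in T[s])
    return {(s, t) for (s, t) in rel if matches(s, t) and matches(t, s)}

def d_X(T, s, t):
    """Assumed metric: 0 if bisimilar, else 2**-n for the largest depth n of agreement."""
    rel, n = set(product(T, repeat=2)), 0      # depth 0 relates all states
    while (s, t) in rel:
        nxt = unfold(T, rel)
        if nxt == rel:                         # fixed point reached: s and t are bisimilar
            return 0.0
        rel, n = nxt, n + 1
    return 2.0 ** -(n - 1)                     # s, t were last related at depth n - 1

def c1(T, A, B):
    """Assumed form of c_1: infimum of d_X over pairs (lower bound)."""
    return min(d_X(T, x, y) for x in A for y in B)

def c2(T, A, B):
    """Assumed form of c_2: supremum of d_X over pairs (upper bound)."""
    return max(d_X(T, x, y) for x in A for y in B)

def hausdorff(T, A, B):
    """Hausdorff distance between the finite sets A and B."""
    def directed(P, Q):
        return max(min(d_X(T, x, y) for y in Q) for x in P)
    return max(directed(A, B), directed(B, A))

# Finite stand-ins for two implementation sets M(d) and M(e).
A, B = {"a2", "a3"}, {"b2", "a4"}

if __name__ == "__main__":
    print(c1(T, A, B), hausdorff(T, A, B), c2(T, A, B))
```

On this sample `c1` is 0 because `a2` and `b2` are bisimilar, while the Hausdorff distance is 0.125 and `c2` is 0.25, so the three lifts are ordered as lower bound, Hausdorff distance, upper bound.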
We prove that $c_1$ is a robust measure in that its kernel consists of those pairs of pointed modal transition systems that have a common refinement.

with $d_X(m^d_n, m^e_n) < 1/n$. Since $(X, \tau_X)$ is compact, there is a convergent subsequence $(m^d_{n_j})_{j \ge 0}$ of $(m^d_n)_{n \ge 0}$ with limit $m^d$ and so $m^d \in M(d)$ as the latter is $\tau_X$-closed. Since $d_X(m^d_{n_j}, m^e_{n_j}) < 1/n_j$ for each $j \ge 0$, this implies $\inf \{ d_X(m^d, m^e_{n_j}) \mid j \ge 0 \} = 0$ and so $m^d$ is in all $\tau_X$-closed sets that contain $\{ m^e_{n_j} \mid j \ge 0 \}$. Therefore, $m^d$ is in $M(e)$ and so $(D, m^d)$ is a common refinement of $(D, d)$ and $(D, e)$.

as a greatest fixed point. If $s$ has finitely many reachable states in $M$, then $X_{(M,s)}$ is expressible in the modal mu-calculus, using a "calling context" on the set of states $t$ that are $R^c$-reachable from $s$ and static scoping of the greatest fixed-point operators $\nu Z_t.\varphi$. Now for all pointed labelled transition systems $(L, l)$ we have $(L, l) \models^a X_{(M,s)}$ iff $(M, s) \prec (L, l)$ where we can use the proof of (3) in [32] which works in our setting as conjunctions and disjunctions need not be finite.

So $c_1(d, e)$ measures the degree of inconsistency of $(D, d)$ and $(D, e)$, a lower bound on the difference between their implementations, $c_2(d, e)$ is an upper bound on such a difference, and neither of them is a metric: from item (4) of Definition 3.1, $c_1$ satisfies only (b) and $c_2$ satisfies only (b) and (c). The reducibility of common refinement checks to satisfiability checks in the modal mu-calculus yields EXPTIME as a weak upper bound on its complexity. Since the formulas are defined in terms of greatest fixed points only, one can indeed show a stronger result: the decision problem of common refinements is in PTIME [25].

4.4. Scope of these results. Our results also apply to 3-valued model checking frameworks in which system observables are state propositions or a combination of state propositions and events. This is so since Godefroid & Jagadeesan's translation between modal transition systems (events only), partial Kripke structures [5] (state propositions only), and Kripke modal transition systems [26] (events and state propositions) and their translations of the respective temporal logic formulas are shown to preserve and reflect refinement and the meaning of model checks [20].

Related work
Bakker & Zucker use domain equations and metric completions for a metric and denotational treatment of concurrency in [12].
Lawson proposes the notion of a maximal-point space to represent classical topological spaces as maximal points of a domain in the topology induced by the domain's Lawson- and Scott-topology [34].
Abramsky [1] provides a fully abstract domain of synchronization trees for partial bisimulation between labelled transition systems that have a divergence predicate. The domain equation of loc. cit. uses a sum construction on the convex powerdomain. Maximal points are not part of that paper's agenda and are therefore not discussed therein. Labelled transition systems with a divergence predicate and partial bisimulation are recognized as certain modal transition systems and their refinement in [26].
Mislove et al. present a fully abstract domain model, which combines the probabilistic power domain with a convex variant of the Plotkin powerdomain, for finite-state processes with non-deterministic and probabilistic choice [36].
Alessi et al. The paper [27] presents the domain D and its modal transition system D, both denoted as D in loc. cit., and proves full abstraction and a characterization of D's compact elements in terms of formulas of Hennessy-Milner logic.
In [28] it is shown that the co-inductive refinement of modal transition systems has an extensional description: a pointed modal transition system (M, i) refines a pointed modal transition system (N, j) if, and only if, the set of implementations of (M, i) is a subset of the implementations of (N, j).
Dams & Namjoshi [10] show that finite-state modal transition systems are incomplete as abstractions of infinite-state modal transition systems for modal mu-calculus checking. They propose focused transition systems as a generalization of modal transition systems, show completeness for this class of models, and define a game semantics for refinement of focused transition systems and a game semantics for model checks of alternating tree automata on focused transition systems. It is straightforward to write down a domain equation for focused transition systems but a programme of maximal-points spaces won't directly render pointed Kripke structures since, as noted in [10], focused transition systems can have maximal refinements that have inconsistent constraints on propositions at states.
In [25] consistency, satisfiability, and validity problems are studied for collectively model checking a set of views endowed with labelled transitions, hybrid constraints on states, and atomic propositions. A PTIME algorithm for deciding whether a set of views has a common refinement (consistency) is given. It is proved that deciding whether a common refinement satisfies a formula of the hybrid mu-calculus [40] (satisfiability), and its dual (validity), are EXPTIME-complete. Two generically generated "summary" views are defined that constitute informative and consistent common refinements and abstractions of a set of views (respectively).
Di Pierro et al. [15] develop a quantitative notion of process equivalence as the basis for an approximative version of non-interference and precise quantifications of information leakage. They present two semantics-based analyses for approximative non-interference where one soundly abstracts the other.
Desharnais et al. [13] show that each continuous-state labelled Markov process has a sequence of finite acyclic labelled Markov processes as abstractions which is precise for a probabilistic modal logic; an equivalence between the category of Markov processes and simulation morphisms and a recursively defined domain, viewed as a category, is given.
Desharnais et al. [14] define a pseudo metric between labelled concurrent Markov chains where zero distance means weak bisimilarity. The metric is characterized in a real-valued modal logic and shown to allow for compositional quantitative reasoning.

Conclusions
We presented the fully abstract and universal domain model $D$ for pointed modal transition systems and refinement of [27]. Using techniques from concurrency theory and topology, we demonstrated that $D$ is the right fully abstract and universal model for labelled transition systems and bisimulation since the quotient space of all pointed labelled transition systems with respect to bisimulation, $(X, \tau_X)$, is obtained as the maximal-points space of $D$. We furthermore revealed the fine-structure of $X$, notably we proved that its topology $\tau_X$ inherited from the Scott- and Lawson-topology of $D$ is compact, zero-dimensional, and Hausdorff (a Stone space). In particular, $\tau_X$ is determined by a computationally meaningful, complete ultra-metric $d_X$ for which image-finite labelled transition systems approximate labelled transition systems to any degree of precision. Modulo refinement, $(D, k)$ is image-finite for all $k \in K(D)$, so this denseness also applies to modal transition systems for the Lawson-topology and its metric $d_D$. Thus our results unify denotational, operational, and metric semantics of labelled and modal transition systems. We finally derived consequences of this compact representation: a compactness theorem for Hennessy-Milner logic on compact sets of implementations, an abstract interpretation of compact sets of implementations as Scott-closed sets of modal transition systems, and a robust consistency measure for modal transition systems.