## Branching vs. linear time – semantical perspective

Venue: | In Proc. 5th Int’l Symp. on ATVA, LNCS 4762 |

Citations: | 11 - 2 self |

### BibTeX

@INPROCEEDINGS{Nain_branchingvs.,

author = {Sumit Nain and Moshe Y. Vardi},

title = {Branching vs. linear time – semantical perspective},

booktitle = {In Proc. 5th Int’l Symp. on ATVA, LNCS 4762},

year = {},

publisher = {Springer}

}

### Years of Citing Articles

### OpenURL

### Abstract

Abstract. The discussion in the computer-science literature of the relative merits of linear- versus branching-time frameworks goes back to early 1980s. One of the beliefs dominating this discussion has been that the linear-time framework is not expressive enough semantically, making linear-time logics lacking in expressiveness. In this work we examine the branching-linear issue from the perspective of process equivalence, which is one of the most fundamental notions in concurrency theory, as defining a notion of process equivalence essentially amounts to defining semantics for processes. Over the last three decades numerous notions of process equivalence have been proposed. Researchers in this area do not anymore try to identify the “right ” notion of equivalence. Rather, focus has shifted to providing taxonomic frameworks, such as “the linear-branching spectrum”, for the many proposed notions and trying to determine suitability for different applications. We revisit this issue here from a fresh perspective. We postulate three principles that we view as fundamental to any discussion of process equivalence. First, we borrow from research in denotational semantics and take contextual equivalence as the primary notion of equivalence. This eliminates many testing scenarios as either too strong or too weak. Second, we require the description of a process to fully specify all relevant behavioral aspects of the process. Finally, we require observable process behavior to be reflected in its input/output behavior. Under these postulates the distinctions between the linear and branching semantics tend to evaporate. As an example, we apply these principles to the framework of transducers, a classical notion of state-based processes that dates back to the 1950s and is well suited to hardware modeling. We show that our postulates result in a unique notion of process equivalence, which is trace based, rather than tree based. 1

### Citations

3395 | Communicating Sequential Processes
- Hoare
- 1978
(Show Context)
Citation Context ...r that results from a write action on channel b when the process is in the left branch needs to be specified explicitly. From this point of view, process-algebraic formalisms such as CCS [51] and CSP =-=[40]-=- are underspecified, since they leave important behavioral aspects unspecified. For example, if the distinction between normal termination and deadlocked termination is relevant to the application, th... |

3202 | Communication and Concurrency - Milner |

2400 | Compositional model checking
- Clarke, Long, et al.
- 1989
(Show Context)
Citation Context ...finite-state system with respect to a desired property by checking whether a labeled state-transition graph that models the system satisfies a temporal logic formula that specifies this property (see =-=[22]-=-). Model-checking tools have enjoyed a substantial and growing use over the last few years, showing ability to discover subtle flaws that ⋆ Work supported in part by NSF grants CCR-9988322, CCR-012407... |

1491 |
Reasoning about knowledge
- Fagin, Halpern, et al.
- 1995
(Show Context)
Citation Context ...pture all relevant aspects of their behavior. Once the model is appropriately enriched, the paradox evaporates away. For extensive discussions on modeling multi-agent systems, see Chapters 4 and 5 in =-=[30]-=- and Chapter 6 in [35]. The Principle of Comprehensive Modeling can be thought of as the “Principle of Appropriate Abstraction”. Every model is an abstraction of the situation being modeled. A good mo... |

1328 |
A Calculus of Communicating Systems
- Milner
- 1980
(Show Context)
Citation Context ...es. It is widely accepted in concurrency theory, however, that trace equivalence is too weak a notion of equivalence, as processes that are trace equivalent may behave differently in the same context =-=[51]-=-. An an example, using CSP notation, the two processes if(true → a?x; h!x)✷(true → b?x; h!x)fi if(a?x → h!x)✷(b?x → h!x)fi have the same set of communication traces, but only the first one may deadloc... |

1173 | Automatic Verification of Finite-State Concurrent Systems Using temporal Logic Specifications
- Clarke, Emerson, et al.
- 1986
(Show Context)
Citation Context ...uction One of the most significant recent developments in the area of formal design verification is the discovery of algorithmic methods for verifying temporal-logic properties of finitestate systems =-=[20, 45, 56, 66]-=-. In temporal-logic model checking, we verify the correctness of a finite-state system with respect to a desired property by checking whether a labeled state-transition graph that models the system sa... |

1046 | A.C.C.: On the security of public key protocols
- Dolev, Yao
- 1983
(Show Context)
Citation Context ...ve all input/output traces and by allowing infinite traces, our notion of test is too strong, resulting in an overly fine notion of process equivalence. Similarly, in modeling security protocols, cf. =-=[28]-=-, we may want to require a weaker notion of observability of outputs. We recognize that in some applications one may choose to use a coarser notion of equivalence than the one we use here. Since our f... |

960 |
Negation as failure
- Clark
- 1977
(Show Context)
Citation Context ...er theory, that of nonmonotonic logic, whose main focus is on inferences from absence of premises. The field started with some highly influential papers, advocating, for example “negation as failure” =-=[18]-=- and ”circumscription” [49]. Today, however, there is a profusion of approaches to nonmonotonic logic, including numerous extensions to negation as failure and to circumscription [48]. One is forced t... |

814 |
Circumscription: A Form of Non-Monotonic Reasoning
- McCarthy
- 1980
(Show Context)
Citation Context ...onic logic, whose main focus is on inferences from absence of premises. The field started with some highly influential papers, advocating, for example “negation as failure” [18] and ”circumscription” =-=[49]-=-. Today, however, there is a profusion of approaches to nonmonotonic logic, including numerous extensions to negation as failure and to circumscription [48]. One is forced to conclude that there is no... |

671 | The esterel synchronous programming language : design, semantics, implementation. Rapport de recherche RR-842
- Berry, Gonthier
- 1988
(Show Context)
Citation Context ...utput is, say, “deadlock”. Second, note that inputs at time k take effect at time k + 1. This enables us to define composition without worrying about causalilty loops, unlike, for example, in Esterel =-=[10]-=-. Thirdly, note that the internal state of a transducer is observable only through its output function. How much of the state is observable depends on the output function. 4.2 Synchronous Parallel Com... |

654 |
Concurrency and automata on infinite sequences
- Park
- 1981
(Show Context)
Citation Context ...t only the first one may deadlock when run in parallel with a process such as b!0. In contrast, the two processes above are distinguished by bisumulation, highly popular notion of process equivalence =-=[52, 54, 59]-=-. It is known that CTL characterizes bisimulation, in the sense that two states in a transition system are bisimilar iff they satisfy exactly the same CTL formulas [16] (see also [39]). This is somet... |

535 | Composing specifications
- Abadi, Lamport
- 1993
(Show Context)
Citation Context ...t receptive to communication on channel b, when it is in the left branch. The position that processes need to be receptive to all allowed inputs from their environment has been argued by many authors =-=[1, 24, 46]-=-. It can be viewed as an instance of our Principle of Comprehensive Modeling, which says that the behavior that results from a write action on channel b when the process is in the left branch needs to... |

492 | Algebraic laws for nondeterminism and concurrency
- Hennessy, Milner
- 1985
(Show Context)
Citation Context ...valence [52, 54, 59]. It is known that CTL characterizes bisimulation, in the sense that two states in a transition system are bisimilar iff they satisfy exactly the same CTL formulas [16] (see also =-=[39]-=-). This is sometime mentioned as an important feature of CTL. This contrast, between the pragmatic arguments in favor of the adequate expressiveness of the linear-time approach [65] and its accepted w... |

471 | An introduction to Input/Output automata
- Lynch, Tuttle
- 1989
(Show Context)
Citation Context ...t receptive to communication on channel b, when it is in the left branch. The position that processes need to be receptive to all allowed inputs from their environment has been argued by many authors =-=[1, 24, 46]-=-. It can be viewed as an instance of our Principle of Comprehensive Modeling, which says that the behavior that results from a write action on channel b when the process is in the left branch needs to... |

438 | The existence of refinement mappings
- Abadi, Lamport
- 1991
(Show Context)
Citation Context ...t the first to advocate trace-based notions of process equivalence. It is, for example, the standard approach in the framework of I/O automata [54, 70] (though without much of a discussion). See also =-=[1]-=-. – Testing equivalence, introduced in [26], is clearly a notion of contextual equivalence. Their answer to the question, “What is a test?”, is that a test is any process that can be expressed in the ... |

404 | Testing equivalences for processes
- Nicola, Hennessy
- 1984
(Show Context)
Citation Context ...ocesses under consideration can be “plugged”. This agrees with the point of view taken in testing equivalence, which asserts that tests applied to processes need to themselves be defined as processes =-=[23]-=-. Furthermore, all tests defined as processes should be considered. This excludes many of the “button-pushing experiments” of [51]. Some of these experiments are too strong–they cannot be defined as p... |

393 |
Algebraic Theory of Processes
- Hennessy
- 1988
(Show Context)
Citation Context ...ling of deadlocks when such modeling is desired, but would not force users to apply such explicit modeling. The underlying semantics of the language, say, in terms of structured operational semantics =-=[38]-=-, can expose deadlocked behavior for some language features and not for others. In other words, Vaandrager’s concerns about users being force to adopt a low-level view should be addressed by designing... |

259 | Automated verification of pipelined microprocessor control
- BURCH, L
- 1994
(Show Context)
Citation Context ...finement, for example, deriving pipelined architectures from non-pipelined architectures. In such cases, establishing a structural relationship between implementation and specification is appropriate =-=[19, 46, 56]-=-. This does not mean that in these cases branching-time semantics is appropriate; rather, it means that branching time can be useful in the “service” of linear time. (In fact, it was already shown in ... |

245 |
Trace Theory for Automatic Hierarchical Verification of Speed-independent Circuits
- Dill
- 1989
(Show Context)
Citation Context ...t receptive to communication on channel b, when it is in the left branch. The position that processes need to be receptive to all allowed inputs from their environment has been argued by many authors =-=[1, 24, 46]-=-. It can be viewed as an instance of our Principle of Comprehensive Modeling, which says that the behavior that results from a write action on channel b when the process is in the left branch needs to... |

244 |
Sometimes” and “Not Never” Revisited: On Branching versus Linear Time Temporal Logic
- Emerson, Halpern
- 1986
(Show Context)
Citation Context ...entially the linear fragment of CTL ⋆ . The discussion of the relative merits of linear versus branching temporal logics in the context of system specification and verification goes back to the 1980s =-=[44, 26, 8, 55, 28, 27, 58, 19, 17, 63, 64]-=-. As analyzed in [55], linear and branching time logics correspond to two distinct views of time. It is not surprising therefore that LTL and CTL are expressively incomparable [19, 27, 44]. The LTL fo... |

234 |
Checking that finite state concurrent programs satisfy their linear specification
- Lichtenstein, Pnueli
- 1985
(Show Context)
Citation Context ...uction One of the most significant recent developments in the area of formal design verification is the discovery of algorithmic methods for verifying temporal-logic properties of finitestate systems =-=[20, 45, 56, 66]-=-. In temporal-logic model checking, we verify the correctness of a finite-state system with respect to a desired property by checking whether a labeled state-transition graph that models the system sa... |

221 |
Reasoning about uncertainty
- Halpern
- 2003
(Show Context)
Citation Context ...ects of their behavior. Once the model is appropriately enriched, the paradox evaporates away. For extensive discussions on modeling multi-agent systems, see Chapters 4 and 5 in [30] and Chapter 6 in =-=[35]-=-. The Principle of Comprehensive Modeling can be thought of as the “Principle of Appropriate Abstraction”. Every model is an abstraction of the situation being modeled. A good model necessarily abstra... |

201 |
Non-Well-Founded Sets
- Aczel
- 1988
(Show Context)
Citation Context ...ts [23]. In particular, the tests required to define bisimulation equivalence [2, 51] are widely known to be too strong [11–13,33]. In spite of its mathematical elegance [5, 59] and ubiquity in logic =-=[9, 4]-=-, bisimulation is not a reasonable notion of process equivalence, as it makes distinctions that cannot be observed. Bisimulation is a structural similarity relation between states of the processes und... |

194 | Bisimulation can’t be traced - Bloom, Istrail, et al. - 1995 |

175 |
Nonmonotonic logic: context dependent reasoning
- Marek, Truszczyński
- 1993
(Show Context)
Citation Context ...tion as failure” [18] and ”circumscription” [49]. Today, however, there is a profusion of approaches to nonmonotonic logic, including numerous extensions to negation as failure and to circumscription =-=[48]-=-. One is forced to conclude that there is no universally accepted way tosdraw conclusions from absence of premises. (Compare also to the discussion of negative premises in transition-system specificat... |

163 |
The temporal logic of branching time
- Ben-Ari, Pnueli, et al.
- 1983
(Show Context)
Citation Context ...entially the linear fragment of CTL ⋆ . The discussion of the relative merits of linear versus branching temporal logics in the context of system specification and verification goes back to the 1980s =-=[44, 26, 8, 55, 28, 27, 58, 19, 17, 63, 64]-=-. As analyzed in [55], linear and branching time logics correspond to two distinct views of time. It is not surprising therefore that LTL and CTL are expressively incomparable [19, 27, 44]. The LTL fo... |

162 |
A nal coalgebra theorem
- Aczel, Mendler
- 1989
(Show Context)
Citation Context ...der only a small family of tests [23]. In particular, the tests required to define bisimulation equivalence [2, 51] are widely known to be too strong [11–13,33]. In spite of its mathematical elegance =-=[5, 59]-=- and ubiquity in logic [9, 4], bisimulation is not a reasonable notion of process equivalence, as it makes distinctions that cannot be observed. Bisimulation is a structural similarity relation betwee... |

146 | Computing simulations on finite and infinite graphs
- Henzinger, Henzinger, et al.
- 1995
(Show Context)
Citation Context ..., it is clear from the 1 This is referred to as the “Next ‘700 . . .’ Syndrome.” [4] 2 Some authors require a relation of similarity, rather then bisimilarity between implementation and specification =-=[44]-=-. The arguments against bisimilarity apply, however, also to similarity.terminology of “observational equivalence” used in [62] that the intention there was to formulate a concept of equivalence base... |

135 |
Characterizing finite kripke structures in propositional temporal logic
- Browne, Clarke, et al.
- 1988
(Show Context)
Citation Context ...of process equivalence [52, 54, 59]. It is known that CTL characterizes bisimulation, in the sense that two states in a transition system are bisimilar iff they satisfy exactly the same CTL formulas =-=[16]-=- (see also [39]). This is sometime mentioned as an important feature of CTL. This contrast, between the pragmatic arguments in favor of the adequate expressiveness of the linear-time approach [65] and... |

135 | Logic Synthesis and Verification Algorithms
- Hachtel, Somenzi
- 1996
(Show Context)
Citation Context ...ects is one that can be made only by the model builder and users. For example, a digital circuit is a model of an analog circuit in which only the digital aspects of the circuit behavior are captured =-=[34]-=-. Such a model should not be used to analyze non-digital aspects of circuit behavior, such as timing issues or issues of metastable states. Such issues require richer models. The Principle of Comprehe... |

123 | Parametric quantitative temporal reasoning
- Emerson, Trefler
- 1999
(Show Context)
Citation Context ... This has given rise to formalisms in which the eventually operator F is replaced by a bounded-eventually operator F ≤k . The operator is parameterized by some k ≥ 0, and it bounds the wait time to k =-=[7, 29]-=-. In the context of discrete-time systems, the operator F ≤k is simply syntactic sugar for an expression in which the next operator X is nested. Indeed, F ≤kθ is just θ ∨ X(θ ∨ X(θ∨ k−4 . . . ∨Xθ)). A... |

121 |
Characterizing correctness properties of parallel programs as
- Emerson, Clarke
- 1981
(Show Context)
Citation Context ...entially the linear fragment of CTL ⋆ . The discussion of the relative merits of linear versus branching temporal logics in the context of system specification and verification goes back to the 1980s =-=[44, 26, 8, 55, 28, 27, 58, 19, 17, 63, 64]-=-. As analyzed in [55], linear and branching time logics correspond to two distinct views of time. It is not surprising therefore that LTL and CTL are expressively incomparable [19, 27, 44]. The LTL fo... |

117 | Verification tools for finitestate concurrent systems. This volume
- Clarke, Grumberg, et al.
(Show Context)
Citation Context ...of the branching paradigm. In particular, the computational advantage of CTL model checking over LTL model checking made CTL a popular choice, leading to efficient model-checking tools for this logic =-=[21]-=-. Through thes1990s, the dominant temporal specification language in industrial use was CTL. This dominance stemmed from the phenomenal success of SMV, the first symbolic model checker, which was CTL-... |

115 |
Transition system specifications with negative premises
- Groote
- 1993
(Show Context)
Citation Context ... is forced to conclude that there is no universally accepted way tosdraw conclusions from absence of premises. (Compare also to the discussion of negative premises in transition-system specifications =-=[13, 33]-=-.) Going back to our problematic process if(true → a?x; h!x)✷(true → b?x; h!x)fi The problem here is that the process is not receptive to communication on channel b, when it is in the left branch. The... |

102 |
Algebraic Structure Theory of Sequential Machines
- Hartmanis, Stearns
- 1966
(Show Context)
Citation Context ...ce-based equivalence provides the “right” notion of process equivalence. 4 Case Study: Transducers Transducers constitute a fundamental model of discrete-state machines with input and output channels =-=[37]-=-. They are still used as a basic model for sequential computer circuits [34]. We use nondeterministic transducers as our model for processes. We define a synchronous composition operator for such tran... |

83 |
Specification-oriented semantics for communicating pro-cesses. Acta Informatica 23
- Olderog, Hoare
- 1986
(Show Context)
Citation Context ...o been shown that many notions of process equivalence studied in the literature can be obtained as contextual equivalence with respect to appropriately defined notions of directly observable behavior =-=[14, 41, 47, 53]-=-. These notions fall under the title of decorated trace equivalence, as they all start with trace semantics and then endow it with additional observables. These notions have the advantage that, like b... |

78 | The ForSpec temporal logic: A new temporal property-specification language
- Armoni, Fix, et al.
- 2002
(Show Context)
Citation Context ...formal verification, and is amenable to combining enumerative and symbolic search methods. Indeed, the trend in the industry during this decade has been towards linear-time languages, such as ForSpec =-=[6]-=-, PSL [25], and SVA [67]. In spite of the pragmatic arguments in favor of the linear-time approach, one still hears the arguments that this approach is not expressive enough, pointing out that in sema... |

78 |
Modalities for model checking: Branching time logic strikes back
- Emerson, Lei
- 1987
(Show Context)
Citation Context |

74 |
The meaning of negative premises in transition system specifications
- Bol, Groote
- 1996
(Show Context)
Citation Context ... is forced to conclude that there is no universally accepted way tosdraw conclusions from absence of premises. (Compare also to the discussion of negative premises in transition-system specifications =-=[13, 33]-=-.) Going back to our problematic process if(true → a?x; h!x)✷(true → b?x; h!x)fi The problem here is that the process is not receptive to communication on channel b, when it is in the left branch. The... |

64 |
Observation equivalence as a testing equivalence
- Abramsky
- 1987
(Show Context)
Citation Context ...riments are too strong–they cannot be defined as processes, and some are too weak–they consider only a small family of tests [23]. In particular, the tests required to define bisimulation equivalence =-=[2, 51]-=- are widely known to be too strong [11–13,33]. In spite of its mathematical elegance [5, 59] and ubiquity in logic [9, 4], bisimulation is not a reasonable notion of process equivalence, as it makes d... |

44 |
sometime” is sometimes ”not never”: on the temporal logic of programs
- Lamport
- 1980
(Show Context)
Citation Context ...guage used by the designers). One of the major aspects of all temporal languages is their underlying model of time. Two possible views regarding the nature of time induce two types of temporal logics =-=[44]-=-. In linear temporal logics, time is treated as if each moment in time has a unique possible future. Thus, linear temporal logic formulas are interpreted over linear sequences and we regard them as de... |

38 |
Processes: A Mathematical Model of Computing Agents
- Milner
(Show Context)
Citation Context ...ture [22], also suffers from lack of receptiveness, as it does not distinguish between inputs and outputs.) It is interesting to note that transducers, which were studied in an earlier work of Milner =-=[50]-=-, which led to [51], are receptive. Transducers are widely accepted models of hardware. We come back to transducers in the next section. Remark 3. The Principle of Comprehensive Modeling is implicit i... |

37 |
A fully abstract trace model for dataflow and asynchronous networks
- Jonsson
- 1994
(Show Context)
Citation Context ...o been shown that many notions of process equivalence studied in the literature can be obtained as contextual equivalence with respect to appropriately defined notions of directly observable behavior =-=[14, 41, 47, 53]-=-. These notions fall under the title of decorated trace equivalence, as they all start with trace semantics and then endow it with additional observables. These notions have the advantage that, like b... |

35 |
and Branching Structures in the Semantics and Logics of Reactive Systems
- Linear
- 1985
(Show Context)
Citation Context |

34 |
Expressibility results for linear-time and branching-time logics
- Clarke, Draghicescu
- 1988
(Show Context)
Citation Context |

34 |
A practical introduction to PSL
- Eisner, Fisman
- 2006
(Show Context)
Citation Context ...rification, and is amenable to combining enumerative and symbolic search methods. Indeed, the trend in the industry during this decade has been towards linear-time languages, such as ForSpec [6], PSL =-=[25]-=-, and SVA [67]. In spite of the pragmatic arguments in favor of the linear-time approach, one still hears the arguments that this approach is not expressive enough, pointing out that in semantical ana... |

32 | Methodology and system for practical formal verification of reactive hardware
- Beer, Ben-David, et al.
- 1994
(Show Context)
Citation Context ... This has given rise to formalisms in which the eventually operator F is replaced by a bounded-eventually operator F ≤k . The operator is parameterized by some k ≥ 0, and it bounds the wait time to k =-=[7, 29]-=-. In the context of discrete-time systems, the operator F ≤k is simply syntactic sugar for an expression in which the next operator X is nested. Indeed, F ≤kθ is just θ ∨ X(θ ∨ X(θ∨ k−4 . . . ∨Xθ)). A... |

31 | Is Abstraction the Key to Computing
- Kramer
- 2007
(Show Context)
Citation Context ...e the current level of abstraction; at one level of abstraction this distinction is erased, but at a finer level of abstraction this distinction is material. For further discussion of abstraction see =-=[42]-=-.sThe Principle of Comprehensive Modeling requires a process description to model all relevant aspects of process behavior. It does not spell out how such aspects are to be modeled. In particular, it ... |

27 | On ambiguities in the interpretation of game trees
- Halpern
- 1997
(Show Context)
Citation Context ...accepted models of hardware. We come back to transducers in the next section. Remark 3. The Principle of Comprehensive Modeling is implicit in a paper by Halpern on modeling game-theoretic situations =-=[36]-=-. The paper shows that a certain gametheoretic paradox is, in fact, a consequence of deficient modeling, in which states of agents do not capture all relevant aspects of their behavior. Once the model... |

14 | Basic observables for processes
- Boreale, Nicola, et al.
- 1999
(Show Context)
Citation Context ...o been shown that many notions of process equivalence studied in the literature can be obtained as contextual equivalence with respect to appropriately defined notions of directly observable behavior =-=[14, 41, 47, 53]-=-. These notions fall under the title of decorated trace equivalence, as they all start with trace semantics and then endow it with additional observables. These notions have the advantage that, like b... |