## A compositional theory of refinement for branching time (2003)

Venue: 12th IFIP WG 10.5 Advanced Research Working Conference, CHARME 2003, volume 2860 of LNCS

Citations: 12 (7 self)

### BibTeX

@INPROCEEDINGS{Manolios03acompositional,
  author    = {Panagiotis Manolios},
  title     = {A compositional theory of refinement for branching time},
  booktitle = {12th IFIP WG 10.5 Advanced Research Working Conference, CHARME 2003, volume 2860 of LNCS},
  year      = {2003},
  pages     = {304--318},
  publisher = {Springer-Verlag}
}

### Abstract

I develop a compositional theory of refinement for the branching time framework based on stuttering simulation and prove that if one system refines another, then a refinement map always exists. The existence of refinement maps in the linear time framework was studied in an influential paper by Abadi and Lamport. My interest in proving analogous results for the branching time framework arises from the observation that in the context of mechanical verification, branching time has some important advantages. By setting up the refinement problem in a way that differs from the Abadi and Lamport approach, I obtain a proof of the existence of refinement maps (in the branching time framework) that does not depend on any of the conditions found in the work of Abadi and Lamport, e.g., machine closure, finite invisible nondeterminism, internal continuity, the use of history and prophecy variables, etc. A direct consequence is that refinement maps always exist in the linear time framework, subject only to the use of prophecy-like variables.

### Citations

- Milner. Communication and Concurrency. 1989. (3430 citations)
  Context: ...g bit protocol (this is an infinite-state problem that was reduced to a finite-state problem using a theorem prover). The branching time notions of simulation and bisimulation, due to Milner and Park [18, 21], can be decided in polynomial time [20, 7]. In contrast, the corresponding linear time notions, trace equivalence and trace containment, are both PSPACE-complete problems [26]. Second, refinement map...
- Pnueli. The temporal logic of programs. 1977. (1306 citations)
  Context: ...r concatenation of paths where the left path is finite, e.g., a; ab = aab. Temporal logic was proposed as a formalism for specifying the correctness of computing systems in a landmark paper by Pnueli [22]. I assume that the reader is familiar with temporal logic. [Section 3: Stuttering Simulation Refinement] Stuttering simulation depends on the notion of matching I now define. I start with an informal account. G...
- Park. Concurrency and automata on infinite sequences. 1981. (700 citations)
  Context: same passage as for Milner above.
- Abadi, Lamport. The existence of refinement mappings. 1988. (465 citations)
  Context: ...tion may contain more state components and may use different data representations than the specification. Refinement maps are used to show how to view an implementation state as a specification state [1]. The classic paper on the topic by Abadi and Lamport [1], which has motivated the work appearing in this paper, contains an in-depth discussion of these topics. The main idea is to use refinement map...
- Paige, Tarjan. Three partition refinement algorithms. 1987. (384 citations)
  Context: ...oblem that was reduced to a finite-state problem using a theorem prover). The branching time notions of simulation and bisimulation, due to Milner and Park [18, 21], can be decided in polynomial time [20, 7]. In contrast, the corresponding linear time notions, trace equivalence and trace containment, are both PSPACE-complete problems [26]. Second, refinement maps allow one to show that one system simulat...
- Kunen. Set theory. An introduction to independence proofs. 1980. (349 citations)
  Context: ...vely define a labeling function, l, that assigns an ordinal to nodes in the tree as follows: l.n = 〈∪c : c is a child of n : (l.c) + 1〉. This is the standard "rank" function encountered in set theory [13]. We use the convention that the label of a tree is the label of its root. Lemma 7. If |S| ≤ κ, where κ is an infinite cardinal (i.e., ω ≤ κ) then for all s, w ∈ S, tree(s, w) is labeled with an ordi...
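The abstract describes refinement maps that let an implementation state be viewed as a specification state while the implementation stutters, and the Kunen context just above gives the rank labelling l.n = 〈∪c : c is a child of n : (l.c) + 1〉 that keeps such stuttering well-founded. The block below is an added example, not code from the paper or from its ACL2 development: a finite-state checker that takes a candidate refinement map and tests whether it is a well-founded stuttering simulation in a simplified, step-local sense (initial states and labels preserved; each implementation step either matched by a specification step or a stutter; the rank recursion restricted to stutter steps, which on a finite graph is well defined exactly when the stutter graph is acyclic). The paper's own definitions of matching and stuttering simulation are not on this page, so this illustrates the idea rather than reproducing the paper's definition. The names TransitionSystem, stutter_ranks, check_refinement and the two sample machines are constructed for this example.

```python
"""Finite-state check of a refinement map as a well-founded stuttering simulation.

Added illustration only; not code from the paper or its ACL2 development.
The definitions of matching and stuttering simulation are in the paper, not
on this page, so this is a simplified step-local version of the idea.  The
class/function names and the two sample machines are constructed here.
"""
from collections import defaultdict


class TransitionSystem:
    """Initial states, transition relation, and one observable label per state."""

    def __init__(self, init, trans, label):
        self.init = set(init)
        self.label = dict(label)
        self.states = set(self.label)
        self.succ = defaultdict(set)
        for s, t in trans:
            self.succ[s].add(t)


def stutter_ranks(states, stutter_succ):
    """Label states by the rank recursion l.n = sup{l.c + 1 : c a child of n},
    taken over stutter steps only.  On a finite graph the recursion is well
    defined exactly when the stutter graph is acyclic; a cycle means the
    implementation can stutter forever and is reported as a ValueError."""
    rank = {}
    on_stack = set()

    def visit(s):
        if s in rank:
            return rank[s]
        if s in on_stack:
            raise ValueError(f"unbounded stuttering through {s!r}")
        on_stack.add(s)
        r = max((visit(t) + 1 for t in stutter_succ.get(s, ())), default=0)
        on_stack.discard(s)
        rank[s] = r
        return r

    for s in states:
        visit(s)
    return rank


def check_refinement(impl, spec, rmap, require_well_founded=True):
    """Return the list of violations; [] means rmap is a well-founded stuttering
    simulation in the simplified sense used here:
      1. initial implementation states map to initial specification states;
      2. labels agree: impl.label[s] == spec.label[rmap[s]];
      3. each implementation step s->u is matched by the specification step
         rmap[s]->rmap[u], or is a stutter step with rmap[s] == rmap[u];
      4. (if require_well_founded) stutter steps cannot be taken forever."""
    problems = []
    for s in impl.init:
        if rmap[s] not in spec.init:
            problems.append(f"initial {s!r} maps to non-initial {rmap[s]!r}")
    for s in impl.states:
        if impl.label[s] != spec.label[rmap[s]]:
            problems.append(f"label mismatch at {s!r}")
    stutter_succ = defaultdict(set)
    for s in impl.states:
        for u in impl.succ[s]:
            w, v = rmap[s], rmap[u]
            if v in spec.succ[w]:
                continue                 # matched by a specification step
            if w == v:
                stutter_succ[s].add(u)   # invisible to the specification
                continue
            problems.append(f"step {s!r}->{u!r} unmatched: no {w!r}->{v!r}")
    if require_well_founded:
        try:
            stutter_ranks(impl.states, stutter_succ)
        except ValueError as err:
            problems.append(str(err))
    return problems


# Specification (constructed): one visible step from idle to done, then stay done.
SPEC = TransitionSystem(
    init={"idle"},
    trans=[("idle", "done"), ("done", "done")],
    label={"idle": "idle", "done": "done"},
)
# Refinement map: both internal implementation states are viewed as idle.
RMAP = {"i0": "idle", "i1": "idle", "done": "done"}

# Implementation that needs two steps before matching the spec's single step.
IMPL_OK = TransitionSystem(
    init={"i0"},
    trans=[("i0", "i1"), ("i1", "done"), ("done", "done")],
    label={"i0": "idle", "i1": "idle", "done": "done"},
)
# Same machine with an internal loop: it may spin between i0 and i1 forever,
# never completing the specification step, yet every single step looks fine.
IMPL_SPIN = TransitionSystem(
    init={"i0"},
    trans=[("i0", "i1"), ("i1", "i0"), ("i1", "done"), ("done", "done")],
    label={"i0": "idle", "i1": "idle", "done": "done"},
)

if __name__ == "__main__":
    print("IMPL_OK:", check_refinement(IMPL_OK, SPEC, RMAP))
    print("IMPL_SPIN, step-local only:", check_refinement(IMPL_SPIN, SPEC, RMAP, False))
    print("IMPL_SPIN, well-founded:", check_refinement(IMPL_SPIN, SPEC, RMAP))
```

Running the block shows why the well-foundedness condition matters: the spinning machine satisfies every step-local condition (with require_well_founded=False no violation is reported) and is rejected only when the rank recursion is attempted over its stutter steps, which is the finite-state shadow of the ordinal rank function in the Kunen context above and of the WEB-based correctness notion the Manolios [16] context contrasts with a step-based one that machines failing to make progress can satisfy.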

- Stockmeyer, Meyer. Word problems requiring exponential time. 1973. (319 citations)
  Context: ... to Milner and Park [18, 21], can be decided in polynomial time [20, 7]. In contrast, the corresponding linear time notions, trace equivalence and trace containment, are both PSPACE-complete problems [26]. Second, refinement maps allow one to show that one system simulates another. This is inherently a branching time notion which has the advantage of being structural and local. However, in order to us...
- Kaufmann, Manolios, et al. Computer-Aided Reasoning: An Approach. 2000. (285 citations)
  Context: ...achines based on WEBs and I showed that the variant of the Burch and Dill notion of correctness [4] in [24, 25] can be satisfied by machines that deadlock. In addition, I used the ACL2 theorem prover [12, 11, 10] to automate much of the verification. I also verified variants of the pipelined machine including machines with exceptions, interrupts (which lead to non-determinism), and netlist (gate-level) descri...
- Burch, Dill. Automatic verification of pipelined microprocessor control. 1994. (279 citations)
  Context: ...verify the alternating bit protocol in [17]. In [16], I proposed a notion of correctness for pipelined machines based on WEBs and I showed that the variant of the Burch and Dill notion of correctness [4] in [24, 25] can be satisfied by machines that deadlock. In addition, I used the ACL2 theorem prover [12, 11, 10] to automate much of the verification. I also verified variants of the pipelined machin...
- Lamport. What good is temporal logic. 1983. (185 citations)
  Context: ... more abstract level than the implementation, notions of correctness should allow for stuttering, where the implementation may require several steps before matching a single step of the specification [14]. – Refinement. The implementation may contain more state components and may use different data representations than the specification. Refinement maps are used to show how to view an implementation s...
- Henzinger, Henzinger, et al. Computing simulations on finite and infinite graphs. 1995. (152 citations)
  Context: same passage as for Paige, Tarjan above.
- Lynch, Vaandrager. Forward and backward simulations. Part I: Untimed systems. 1995. (143 citations)
  Context: ...mulation is based on the notions of simulation and bisimulation, which have had a deep impact on how we think about specifications. The literature on this topic is vast and contains many fine surveys [23, 15, 6]. In addition, there have been various extensions of the Abadi and Lamport result [1], including [5, 9, 2, 8]. In related previous work, Namjoshi [19] gives a sound and complete proof rule for symmet...
- Linear and branching structures in the semantics and logics of reactive systems. (39 citations; author and year not given on this page)
  Context: same passage as for Lynch, Vaandrager above.
- Basten. Branching bisimilarity is an equivalence indeed. 1996. (37 citations)
- Namjoshi. A simple characterization of stuttering bisimulation. 1997. (30 citations)
  Context: ...ic is vast and contains many fine surveys [23, 15, 6]. In addition, there have been various extensions of the Abadi and Lamport result [1], including [5, 9, 2, 8]. In related previous work, Namjoshi [19] gives a sound and complete proof rule for symmetric stuttering bisimulations which has heavily influenced my work; however, Namjoshi does not consider simulations and does not deal with refinement. S...
- Manolios. Correctness of pipelined machines. 2000. (27 citations)
  Context: ...ations and the related notion of WEBs (Well-founded Equivalence Bisimulations) were used to link theorem proving and model checking and to mechanically verify the alternating bit protocol in [17]. In [16], I proposed a notion of correctness for pipelined machines based on WEBs and I showed that the variant of the Burch and Dill notion of correctness [4] in [24, 25] can be satisfied by machines that de...
- Sawada. Formal verification of an advanced pipelined machine. 1999. (23 citations)
  Context: ...the alternating bit protocol in [17]. In [16], I proposed a notion of correctness for pipelined machines based on WEBs and I showed that the variant of the Burch and Dill notion of correctness [4] in [24, 25] can be satisfied by machines that deadlock. In addition, I used the ACL2 theorem prover [12, 11, 10] to automate much of the verification. I also verified variants of the pipelined machine including ...
- Jonsson, Pnueli, et al. Proving refinement using transduction. 1999. (20 citations)
  Context: ... about specifications. The literature on this topic is vast and contains many fine surveys [23, 15, 6]. In addition, there have been various extensions of the Abadi and Lamport result [1], including [5, 9, 2, 8]. In related previous work, Namjoshi [19] gives a sound and complete proof rule for symmetric stuttering bisimulations which has heavily influenced my work; however, Namjoshi does not consider simulat...
- Glabbeek. The linear time – branching time spectrum I. The semantics of concrete, sequential processes. (18 citations; year not given on this page)
  Context: same passage as for Lynch, Vaandrager above.
- Manolios, Namjoshi, et al. Linking theorem proving and model-checking with well-founded bisimulation. 1999. (13 citations)
  Context: ...ework. The first is that in the simple case where one is dealing with finite-state systems, it makes sense to use algorithms that can check if one finite-state system refines another. For example, in [17] we use algorithms for deciding stuttering bisimulation to complete a proof of correctness for the alternating bit protocol (this is an infinite-state problem that was reduced to a finite-state proble...
- Hesselink. Eternity variables to simulate specifications. (12 citations; year not given on this page)
  Context: same passage as for Jonsson, Pnueli, et al. above.
- Sawada. Verification of a simple pipelined machine model. 2000. (12 citations)
  Context: same passage as for Sawada 1999 above.
- Attie. Liveness-preserving simulation relations. 1999. (8 citations)
  Context: same passage as for Jonsson, Pnueli, et al. above.
- Engelhardt, Roever. Generalizing Abadi & Lamport's method to solve a problem posed by A. 1993. (5 citations)