"Sometimes" and "not never" revisited: on branching versus linear time (preliminary report)

  • Authors:

  • E. Allen Emerson;Joseph Y. Halpern

  • Affiliations:

  • University of Texas, Austin, TX;IBM Research Laboratory, San Jose, CA

  • Venue:
  • POPL '83 Proceedings of the 10th ACM SIGACT-SIGPLAN symposium on Principles of programming languages
  • Year:
  • 1983

Quantified Score

Hi-index 0.00

Visualization

Abstract

Temporal logic ([PR57], [PR67]) provides a formalism fordescribing the occurrence of events in time which is suitable forreasoning about concurrent programs (cf. [PN77]). In definingtemporal logic, there are two possible views regarding theunderlying nature of time. One is that time is linear: at eachmoment there is only one possible future. The other is that timehas a branching, tree-like nature: at each moment, time may splitinto alternate courses representing different possible futures.Depending upon which view is chosen, we classify (cf. [RU71]) asystem of temporal logic as either a linear time logic in which thesemantics of the time structure is linear, or a system of branchingtime logic based on the semantics corresponding to a branching timestructure. The modalities of a temporal logic system usuallyreflect the semantics regarding the nature of time. Thus,in a logicof linear time, temporal operators are provided for describingevents along a single time path (cf. [GPSS80]). In contract, in alogic of branching time the operators reflect the branching natureof time by allowing quantification over possible futures cf.[AB80],[EC80]).Some controversy has arisen in the computer science communityregarding the differences between and appropriateness of branchingversus linear time temporal logic. In a landmark paper [LA80]intended to "clarify the logical foundations of the application oftemporal logic to concurrent programs," Lamport addresses theseissues. He defines a single language based on the temporaloperators "always" and "sometimes". Two distinct interpretationsfor the language are given. In the first interpretation formulaemake assertions about paths, whereas in the second interpretationthey make assertions about states. Lamport associates the formerwith linear time and the latter with branching time (although itshould be noted that in both cases the underlying time structuresare branching). He then compares the expressive power of lineartime and branching time logic. Based on his comparison and otherarguments, he concludes that, while branching time logic issuitable for reasoning about nondeterministic programs, linear timelogic is preferable for reasoning about concurrent programs.In this paper, we re-examine Lamport's arguments and reachsomewhat different conclusions. We first point out some technicaldifficulties with the formalism of [LA80]. For instance, thedefinition of expressive equivalence leads to paradoxicalsituations where satisfiable formulae are classified as equivalentto false. Moreover, the proofs of the results comparing expressivepower do not apply in the case of structures generated by a binaryrelation like those used in the logics of [FL79] and [BMP81]. Wegive a more refined basis for comparing expressive power thatavoids these technical difficulties. It does turn out thatexpressibility results corresponding to Lamport's still hold.However, it should be emphasized that these results apply only tothe two particular systems that he defines. Sweeping conclusionsregarding branching versus linear time logic in general are notjustified on this basis.We will argue that there are several different aspects to theproblem of designing and reasoning about concurrent programs. Whilethe specific modalities needed in a logic depend on the precisenature of the purpose for which it is intended, we can make somegeneral observations regarding the choice between a system ofbranching or linear time. We believe that linear time logics aregenerally adequate for verifying the correctness of pre-existingconcurrent programs. For verification purposes, we are typicallyinterested in properties that hold of all computation paths. It isthus satisfactory to pick an arbitrary path and reason about it.However, there are applications where we need the ability to assertthe existence of alternative computation paths as provided by abranching time logic. This arises from the nondeterminism - beyondthat used to model concurrency - present in many concurrentprograms. In order to give a complete specification of such aprogram, we must ensure that there are viable computation path acorresponding to the nondeterministic choices the program mightmake. (An example is given in section 6.) Neither of Lamport'ssystems is entirely adequate for such applications.In order to examine these issues more carefully, we define alanguage, CTL*, in which a universal or existential path quantifiercan prefix an arbitrary linear time assertion. CTL* is an extensionof the Computation Tree Logic, CTL, defined in [CE81] and studiedin [EH82]. This language subsumes both of Lamport's interpretationsand allows us to compare branching with linear time. Moreover, thesyntax of CTL* makes it clear which interpretation is intended.The paper is organized as follows: In section 2 we summarizeLamport's approach and discuss its limitation. In section 3 wepresent the syntax and semantics of CTL*. We also define somenatural sublanguages of CTL* and compare their expressive power inSection 4. In particular, we show that (cf. Theorem 4.1) a languagesubstantially less expressive than CTL* still subsumes both ofLamport's interpretations. Section 5 then shows how CTL* can beembedded in MPL [AB80] and PL [HKP80]. Finally, section 6 concludeswith a comparison of the utility of branching and linear timelogic.