Computation tree logic

CTL was first proposed by Edmund M. Clarke and E. Allen Emerson in 1981, who used it to synthesize so-called synchronisation skeletons, i.e abstractions of concurrent programs. Since the introduction of CTL, there has been debate about the relative merits of CTL and LTL. Because CTL is more computationally efficient to model check, it has become more common in industrial use, and many of the most successful model-checking tools use CTL as a specification language. == Syntax of CTL ==

The language of well-formed formulas for CTL is generated by the following grammar: :\begin{align} \phi &::= \bot \mid \top \mid p \mid (\neg\phi) \mid (\phi\land\phi) \mid (\phi\lor\phi) \mid (\phi\Rightarrow\phi) \mid (\phi\Leftrightarrow\phi) \\ &\mid\quad \mbox{AX }\phi \mid \mbox{EX }\phi \mid \mbox{AF }\phi \mid \mbox{EF }\phi \mid \mbox{AG }\phi \mid \mbox{EG }\phi \mid \mbox{A }[\phi \mbox{ U } \phi] \mid \mbox{E }[\phi \mbox{ U } \phi] \end{align} where p ranges over a set of atomic formulas. It is not necessary to use all connectives – for example, \{\neg, \land, \mbox{AX}, \mbox{AU}, \mbox{EU}\} comprises a complete set of connectives, and the others can be defined using them. • \mbox{A} means 'along All paths' (inevitably) • \mbox{E} means 'along at least (there Exists) one path' (possibly) For example, the following is a well-formed CTL formula: :\mbox{EF }(\mbox{EG } p \Rightarrow \mbox{AF } r) The following is not a well-formed CTL formula: :\mbox{EF }\big(r \mbox{ U } q\big) The problem with this string is that \mathrm U can occur only when paired with an \mathrm A or an \mathrm E. CTL uses atomic propositions as its building blocks to make statements about the states of a system. These propositions are then combined into formulas using logical operators and temporal operators. ==Operators==

Logical operators The logical operators are the usual ones: ¬, ∨, ∧, ⇒ and ⇔. Along with these operators CTL formulas can also make use of the Boolean constants true and false. Temporal operators The temporal operators are the following: • Quantifiers over paths • A Φ – All: Φ has to hold on all paths starting from the current state. • E Φ – Exists: there exists at least one path starting from the current state where Φ holds. • Path-specific quantifiers • X φ – Next: φ has to hold at the next state (this operator is sometimes noted N instead of X). • G φ – Globally: φ has to hold on the entire subsequent path. • F φ – Finally: φ eventually has to hold (somewhere on the subsequent path). • φ U ψ – Until: φ has to hold at least until at some position ψ holds. This implies that ψ will be verified in the future. • φ W ψ – Weak until: φ has to hold until ψ holds. The difference with U is that there is no guarantee that ψ will ever be verified. The W operator is sometimes called "unless". In CTL*, the temporal operators can be freely mixed. In CTL, operators must always be grouped in pairs: one path operator followed by a state operator. See the examples below. CTL* is strictly more expressive than CTL. Minimal set of operators In CTL there are minimal sets of operators. All CTL formulas can be transformed to use only those operators. This is useful in model checking. One minimal set of operators is: {true, ∨, ¬, EG, EU, EX}. Some of the transformations used for temporal operators are: • EFφ == E[trueU(φ)] ( because Fφ == [trueU(φ)] ) • AXφ == ¬EX(¬φ) • AGφ == ¬EF(¬φ) == ¬ E[trueU(¬φ)] • AFφ == A[trueUφ] == ¬EG(¬φ) • A[φUψ] == ¬( E[(¬ψ)U¬(φ∨ψ)] ∨ EG(¬ψ) ) ==Semantics of CTL==

Definition CTL formulae are interpreted over transition systems. A transition system is a triple \mathcal{M}=(S,{\rightarrow},L), where S is a set of states, {\rightarrow} \subseteq S \times S is a transition relation, assumed to be serial, i.e. every state has at least one successor, and L is a labelling function, assigning propositional letters to states. Let \mathcal{M}=(S,\rightarrow,L) be such a transition model, with s \in S, and \phi \in F, where F is the set of well-formed formulas over the language of \mathcal{M}. Then the relation of semantic entailment (\mathcal{M}, s \models \phi) is defined recursively on \phi: • \Big( (\mathcal{M}, s) \models \top \Big) \land \Big( (\mathcal{M}, s) \not\models \bot \Big) • \Big( (\mathcal{M}, s) \models p \Big) \Leftrightarrow \Big( p \in L(s) \Big) • \Big( (\mathcal{M}, s) \models \neg\phi \Big) \Leftrightarrow \Big( (\mathcal{M}, s) \not\models \phi \Big) • \Big( (\mathcal{M}, s) \models \phi_1 \land \phi_2 \Big) \Leftrightarrow \Big( \big((\mathcal{M}, s) \models \phi_1 \big) \land \big((\mathcal{M}, s) \models \phi_2 \big) \Big) • \Big( (\mathcal{M}, s) \models \phi_1 \lor \phi_2 \Big) \Leftrightarrow \Big( \big((\mathcal{M}, s) \models \phi_1 \big) \lor \big((\mathcal{M}, s) \models \phi_2 \big) \Big) • \Big( (\mathcal{M}, s) \models \phi_1 \Rightarrow \phi_2 \Big) \Leftrightarrow \Big( \big((\mathcal{M}, s) \not\models \phi_1 \big) \lor \big((\mathcal{M}, s) \models \phi_2 \big) \Big) • \bigg( (\mathcal{M}, s) \models \phi_1 \Leftrightarrow \phi_2 \bigg) \Leftrightarrow \bigg( \Big( \big((\mathcal{M}, s) \models \phi_1 \big) \land \big((\mathcal{M}, s) \models \phi_2 \big) \Big) \lor \Big( \neg \big((\mathcal{M}, s) \models \phi_1 \big) \land \neg \big((\mathcal{M}, s) \models \phi_2 \big) \Big) \bigg) • \Big( (\mathcal{M}, s) \models AX\phi \Big) \Leftrightarrow \Big( \forall \langle s \rightarrow s_1 \rangle \big( (\mathcal{M}, s_1) \models \phi \big) \Big) • \Big( (\mathcal{M}, s) \models EX\phi \Big) \Leftrightarrow \Big( \exists \langle s \rightarrow s_1 \rangle \big( (\mathcal{M}, s_1) \models \phi \big) \Big) • \Big( (\mathcal{M}, s) \models AG\phi \Big) \Leftrightarrow \Big( \forall \langle s_1 \rightarrow s_2 \rightarrow \ldots \rangle (s=s_1) \forall i \big( (\mathcal{M}, s_i) \models \phi \big) \Big) • \Big( (\mathcal{M}, s) \models EG\phi \Big) \Leftrightarrow \Big( \exists \langle s_1 \rightarrow s_2 \rightarrow \ldots \rangle (s=s_1) \forall i \big( (\mathcal{M}, s_i) \models \phi \big) \Big) • \Big( (\mathcal{M}, s) \models AF\phi \Big) \Leftrightarrow \Big( \forall \langle s_1 \rightarrow s_2 \rightarrow \ldots \rangle (s=s_1) \exists i \big( (\mathcal{M}, s_i) \models \phi \big) \Big) • \Big( (\mathcal{M}, s) \models EF\phi \Big) \Leftrightarrow \Big( \exists \langle s_1 \rightarrow s_2 \rightarrow \ldots \rangle (s=s_1) \exists i \big( (\mathcal{M}, s_i) \models \phi \big) \Big) • \bigg( (\mathcal{M}, s) \models A[\phi_1 U \phi_2] \bigg) \Leftrightarrow \bigg( \forall \langle s_1 \rightarrow s_2 \rightarrow \ldots \rangle (s=s_1) \exists i \Big( \big( (\mathcal{M}, s_i) \models \phi_2 \big) \land \big( \forall (j • \bigg( (\mathcal{M}, s) \models E[\phi_1 U \phi_2] \bigg) \Leftrightarrow \bigg( \exists \langle s_1 \rightarrow s_2 \rightarrow \ldots \rangle (s=s_1) \exists i \Big( \big( (\mathcal{M}, s_i) \models \phi_2 \big) \land \big( \forall (j Characterisation of CTL Rules 10–15 above refer to computation paths in models and are what ultimately characterise the "Computation Tree"; they are assertions about the nature of the infinitely deep computation tree rooted at the given state s. Semantic equivalences The formulae \phi and \psi are said to be semantically equivalent if any state in any model that satisfies one also satisfies the other. This is denoted \phi \equiv \psi It can be seen that \mathrm A and \mathrm E are duals, being universal and existential computation path quantifiers respectively: \neg \mathrm A\Phi \equiv \mathrm E \neg \Phi . Furthermore, so are \mathrm G and \mathrm F. Hence an instance of De Morgan's laws can be formulated in CTL: :\neg AF\phi \equiv EG\neg\phi :\neg EF\phi \equiv AG\neg\phi :\neg AX\phi \equiv EX\neg\phi It can be shown using such identities that a subset of the CTL temporal connectives is adequate if it contains EU, at least one of \{AX,EX\} and at least one of \{EG,AF,AU\} and the Boolean connectives. The important equivalences below are called the expansion laws; they allow unfolding the verification of a CTL connective towards its successors in time. :AG\phi \equiv \phi \land AX AG \phi :EG\phi \equiv \phi \land EX EG \phi :AF\phi \equiv \phi \lor AX AF \phi :EF\phi \equiv \phi \lor EX EF \phi :A[\phi U \psi] \equiv \psi \lor (\phi \land AX A [\phi U \psi]) :E[\phi U \psi] \equiv \psi \lor (\phi \land EX E [\phi U \psi]) ==Examples==

Let "P" mean "I like chocolate" and Q mean "It's warm outside." • AG.P :"I will like chocolate from now on, no matter what happens." • EF.P :"It's possible I may like chocolate some day, at least for one day." • AF.EG.P :"It's always possible (AF) that I will suddenly start liking chocolate for the rest of time." (Note: not just the rest of my life, since my life is finite, while G is infinite). • EG.AF.P :"Depending on what happens in the future (E), it's possible that for the rest of time (G), I'll be guaranteed at least one (AF) chocolate-liking day still ahead of me. However, if something ever goes wrong, then all bets are off and there's no guarantee about whether I'll ever like chocolate." The two following examples show the difference between CTL and CTL*, as they allow for the until operator to not be qualified with any path operator (A or E): • AG(PUQ) :"From now until it's warm outside, I will like chocolate every single day. Once it's warm outside, all bets are off as to whether I'll like chocolate anymore. Oh, and it's guaranteed to be warm outside eventually, even if only for a single day." • EF((EX.P)U(AG.Q)) :"It's possible that: there will eventually come a time when it will be warm forever (AG.Q) and that before that time there will always be some way to get me to like chocolate the next day (EX.P)." ==Relations with other logics==

Computation tree logic (CTL) is a subset of CTL* as well as of the modal μ calculus. CTL is also a fragment of Alur, Henzinger and Kupferman's alternating-time temporal logic (ATL). Computation tree logic (CTL) and linear temporal logic (LTL) are both a subset of CTL*. CTL and LTL are not equivalent and they have a common subset, which is a proper subset of both CTL and LTL. • FG.P exists in LTL but not in CTL. • AG(P⇒((EX.Q)∧(EX¬Q))) and AG.EF.P exist in CTL but not in LTL. == Extensions ==

CTL has been extended with second-order quantification \exists p and \forall p to quantified computational tree logic (QCTL). There are two semantics: • the tree semantics. We label nodes of the computation tree. QCTL* = QCTL = MSO over trees. Model checking and satisfiability are tower complete. • the structure semantics. We label states. QCTL* = QCTL = MSO over graphs. Model checking is PSPACE-complete but satisfiability is undecidable. A reduction from the model-checking problem of QCTL with the structure semantics, to TQBF (true quantified Boolean formulae) has been proposed, in order to take advantage of the QBF solvers. ==See also==