Computation tree logic

Last updated March 30, 2023

Computation tree logic (CTL) is a branching-time logic, meaning that its model of time is a tree-like structure in which the future is not determined; there are different paths in the future, any one of which might be an actual path that is realized. It is used in formal verification of software or hardware artifacts, typically by software applications known as model checkers, which determine if a given artifact possesses safety or liveness properties. For example, CTL can specify that when some initial condition is satisfied (e.g., all program variables are positive or no cars on a highway straddle two lanes), then all possible executions of a program avoid some undesirable condition (e.g., dividing a number by zero or two cars colliding on a highway). In this example, the safety property could be verified by a model checker that explores all possible transitions out of program states satisfying the initial condition and ensures that all such executions satisfy the property. Computation tree logic belongs to a class of temporal logics that includes linear temporal logic (LTL). Although there are properties expressible only in CTL and properties expressible only in LTL, all properties expressible in either logic can also be expressed in CTL*.

Syntax of CTL

The language of well-formed formulas for CTL is generated by the following grammar:

{\begin{aligned}\phi &::=\bot \mid \top \mid p\mid (\neg \phi )\mid (\phi \land \phi )\mid (\phi \lor \phi )\mid (\phi \Rightarrow \phi )\mid (\phi \Leftrightarrow \phi )\\&\mid \quad {\mbox{AX }}\phi \mid {\mbox{EX }}\phi \mid {\mbox{AF }}\phi \mid {\mbox{EF }}\phi \mid {\mbox{AG }}\phi \mid {\mbox{EG }}\phi \mid {\mbox{A }}[\phi {\mbox{ U }}\phi ]\mid {\mbox{E }}[\phi {\mbox{ U }}\phi ]\end{aligned}}

where $p$ ranges over a set of atomic formulas. It is not necessary to use all connectives – for example, $\{\neg ,\land ,{\mbox{AX}},{\mbox{AU}},{\mbox{EU}}\}$ comprises a complete set of connectives, and the others can be defined using them.

${\mbox{A}}$ means 'along All paths' (inevitably)
${\mbox{E}}$ means 'along at least (there Exists) one path' (possibly)

For example, the following is a well-formed CTL formula:

{\mbox{EF }}({\mbox{EG }}p\Rightarrow {\mbox{AF }}r)

The following is not a well-formed CTL formula:

{\mbox{EF }}{\big (}r{\mbox{ U }}q{\big )}

The problem with this string is that $\mathrm {U}$ can occur only when paired with an $\mathrm {A}$ or an $\mathrm {E}$ .

CTL uses atomic propositions as its building blocks to make statements about the states of a system. These propositions are then combined into formulas using logical operators and temporal operators.

Operators

Logical operators

The logical operators are the usual ones: ¬, ∨, ∧, ⇒ and ⇔. Along with these operators CTL formulas can also make use of the boolean constants true and false.

Temporal operators

The temporal operators are the following:

Quantifiers over paths
- AΦ –All: Φ has to hold on all paths starting from the current state.
- EΦ –Exists: there exists at least one path starting from the current state where Φ holds.
Path-specific quantifiers
- Xφ – Next: φ has to hold at the next state (this operator is sometimes noted N instead of X).
- Gφ –Globally: φ has to hold on the entire subsequent path.
- Fφ –Finally: φ eventually has to hold (somewhere on the subsequent path).
- φUψ –Until: φ has to hold at least until at some position ψ holds. This implies that ψ will be verified in the future.
- φWψ –Weak until: φ has to hold until ψ holds. The difference with U is that there is no guarantee that ψ will ever be verified. The W operator is sometimes called "unless".

In CTL*, the temporal operators can be freely mixed. In CTL, operators must always be grouped in pairs: one path operator followed by a state operator. See the examples below. CTL* is strictly more expressive than CTL.

Minimal set of operators

In CTL there are minimal sets of operators. All CTL formulas can be transformed to use only those operators. This is useful in model checking. One minimal set of operators is: {true, ∨, ¬, EG, EU, EX}.

Some of the transformations used for temporal operators are:

EFφ == E[trueU(φ)] ( because Fφ == [trueU(φ)] )
AXφ == ¬EX(¬φ)
AGφ == ¬EF(¬φ) == ¬ E[trueU(¬φ)]
AFφ == A[trueUφ] == ¬EG(¬φ)
A[φUψ] == ¬( E[(¬ψ)U¬(φ∨ψ)] ∨EG(¬ψ) )

Semantics of CTL

Definition

CTL formulae are interpreted over transition systems. A transition system is a triple ${\mathcal {M}}=(S,{\rightarrow },L)$ , where $S$ is a set of states, ${\rightarrow }\subseteq S\times S$ is a transition relation, assumed to be serial, i.e. every state has at least one successor, and $L$ is a labelling function, assigning propositional letters to states. Let ${\mathcal {M}}=(S,\rightarrow ,L)$ be such a transition model, with $s\in S$ , and $\phi \in F$ , where $F$ is the set of well-formed formulas over the language of ${\mathcal {M}}$ .

Then the relation of semantic entailment $({\mathcal {M}},s\models \phi )$ is defined recursively on $\phi$ :

${\Big (}({\mathcal {M}},s)\models \top {\Big )}\land {\Big (}({\mathcal {M}},s)\not \models \bot {\Big )}$
${\Big (}({\mathcal {M}},s)\models p{\Big )}\Leftrightarrow {\Big (}p\in L(s){\Big )}$
${\Big (}({\mathcal {M}},s)\models \neg \phi {\Big )}\Leftrightarrow {\Big (}({\mathcal {M}},s)\not \models \phi {\Big )}$
${\Big (}({\mathcal {M}},s)\models \phi _{1}\land \phi _{2}{\Big )}\Leftrightarrow {\Big (}{\big (}({\mathcal {M}},s)\models \phi _{1}{\big )}\land {\big (}({\mathcal {M}},s)\models \phi _{2}{\big )}{\Big )}$
${\Big (}({\mathcal {M}},s)\models \phi _{1}\lor \phi _{2}{\Big )}\Leftrightarrow {\Big (}{\big (}({\mathcal {M}},s)\models \phi _{1}{\big )}\lor {\big (}({\mathcal {M}},s)\models \phi _{2}{\big )}{\Big )}$
${\Big (}({\mathcal {M}},s)\models \phi _{1}\Rightarrow \phi _{2}{\Big )}\Leftrightarrow {\Big (}{\big (}({\mathcal {M}},s)\not \models \phi _{1}{\big )}\lor {\big (}({\mathcal {M}},s)\models \phi _{2}{\big )}{\Big )}$
${\bigg (}({\mathcal {M}},s)\models \phi _{1}\Leftrightarrow \phi _{2}{\bigg )}\Leftrightarrow {\bigg (}{\Big (}{\big (}({\mathcal {M}},s)\models \phi _{1}{\big )}\land {\big (}({\mathcal {M}},s)\models \phi _{2}{\big )}{\Big )}\lor {\Big (}\neg {\big (}({\mathcal {M}},s)\models \phi _{1}{\big )}\land \neg {\big (}({\mathcal {M}},s)\models \phi _{2}{\big )}{\Big )}{\bigg )}$
${\Big (}({\mathcal {M}},s)\models AX\phi {\Big )}\Leftrightarrow {\Big (}\forall \langle s\rightarrow s_{1}\rangle {\big (}({\mathcal {M}},s_{1})\models \phi {\big )}{\Big )}$
${\Big (}({\mathcal {M}},s)\models EX\phi {\Big )}\Leftrightarrow {\Big (}\exists \langle s\rightarrow s_{1}\rangle {\big (}({\mathcal {M}},s_{1})\models \phi {\big )}{\Big )}$
${\Big (}({\mathcal {M}},s)\models AG\phi {\Big )}\Leftrightarrow {\Big (}\forall \langle s_{1}\rightarrow s_{2}\rightarrow \ldots \rangle (s=s_{1})\forall i{\big (}({\mathcal {M}},s_{i})\models \phi {\big )}{\Big )}$
${\Big (}({\mathcal {M}},s)\models EG\phi {\Big )}\Leftrightarrow {\Big (}\exists \langle s_{1}\rightarrow s_{2}\rightarrow \ldots \rangle (s=s_{1})\forall i{\big (}({\mathcal {M}},s_{i})\models \phi {\big )}{\Big )}$
${\Big (}({\mathcal {M}},s)\models AF\phi {\Big )}\Leftrightarrow {\Big (}\forall \langle s_{1}\rightarrow s_{2}\rightarrow \ldots \rangle (s=s_{1})\exists i{\big (}({\mathcal {M}},s_{i})\models \phi {\big )}{\Big )}$
${\Big (}({\mathcal {M}},s)\models EF\phi {\Big )}\Leftrightarrow {\Big (}\exists \langle s_{1}\rightarrow s_{2}\rightarrow \ldots \rangle (s=s_{1})\exists i{\big (}({\mathcal {M}},s_{i})\models \phi {\big )}{\Big )}$
${\bigg (}({\mathcal {M}},s)\models A[\phi _{1}U\phi _{2}]{\bigg )}\Leftrightarrow {\bigg (}\forall \langle s_{1}\rightarrow s_{2}\rightarrow \ldots \rangle (s=s_{1})\exists i{\Big (}{\big (}({\mathcal {M}},s_{i})\models \phi _{2}{\big )}\land {\big (}\forall (j<i)({\mathcal {M}},s_{j})\models \phi _{1}{\big )}{\Big )}{\bigg )}$
${\bigg (}({\mathcal {M}},s)\models E[\phi _{1}U\phi _{2}]{\bigg )}\Leftrightarrow {\bigg (}\exists \langle s_{1}\rightarrow s_{2}\rightarrow \ldots \rangle (s=s_{1})\exists i{\Big (}{\big (}({\mathcal {M}},s_{i})\models \phi _{2}{\big )}\land {\big (}\forall (j<i)({\mathcal {M}},s_{j})\models \phi _{1}{\big )}{\Big )}{\bigg )}$

Characterisation of CTL

Rules 10–15 above refer to computation paths in models and are what ultimately characterise the "Computation Tree"; they are assertions about the nature of the infinitely deep computation tree rooted at the given state $s$ .

Semantic equivalences

The formulae $\phi$ and $\psi$ are said to be semantically equivalent if any state in any model that satisfies one also satisfies the other. This is denoted $\phi \equiv \psi$

It can be seen that $\mathrm {A}$ and $\mathrm {E}$ are duals, being universal and existential computation path quantifiers respectively: $\neg \mathrm {A} \Phi \equiv \mathrm {E} \neg \Phi$ .

Furthermore, so are $\mathrm {G}$ and $\mathrm {F}$ .

Hence an instance of De Morgan's laws can be formulated in CTL:

\neg AF\phi \equiv EG\neg \phi

\neg EF\phi \equiv AG\neg \phi

\neg AX\phi \equiv EX\neg \phi

It can be shown using such identities that a subset of the CTL temporal connectives is adequate if it contains $EU$ , at least one of $\{AX,EX\}$ and at least one of $\{EG,AF,AU\}$ and the boolean connectives.

The important equivalences below are called the expansion laws; they allow unfolding the verification of a CTL connective towards its successors in time.

AG\phi \equiv \phi \land AXAG\phi

EG\phi \equiv \phi \land EXEG\phi

AF\phi \equiv \phi \lor AXAF\phi

EF\phi \equiv \phi \lor EXEF\phi

A[\phi U\psi ]\equiv \psi \lor (\phi \land AXA[\phi U\psi ])

E[\phi U\psi ]\equiv \psi \lor (\phi \land EXE[\phi U\psi ])

Examples

Let "P" mean "I like chocolate" and Q mean "It's warm outside."

AG.P

"I will like chocolate from now on, no matter what happens."

EF.P

"It's possible I may like chocolate some day, at least for one day."

AF.EG.P

"It's always possible (AF) that I will suddenly start liking chocolate for the rest of time." (Note: not just the rest of my life, since my life is finite, while G is infinite).

EG.AF.P

"Depending on what happens in the future (E), it's possible that for the rest of time (G), I'll be guaranteed at least one (AF) chocolate-liking day still ahead of me. However, if something ever goes wrong, then all bets are off and there's no guarantee about whether I'll ever like chocolate."

The two following examples show the difference between CTL and CTL*, as they allow for the until operator to not be qualified with any path operator (A or E):

AG(PUQ)

"From now until it's warm outside, I will like chocolate every single day. Once it's warm outside, all bets are off as to whether I'll like chocolate anymore. Oh, and it's guaranteed to be warm outside eventually, even if only for a single day."

EF((EX.P)U(AG.Q))

"It's possible that: there will eventually come a time when it will be warm forever (AG.Q) and that before that time there will always be some way to get me to like chocolate the next day (EX.P)."

Relations with other logics

Computation tree logic (CTL) is a subset of CTL* as well as of the modal μ calculus. CTL is also a fragment of Alur, Henzinger and Kupferman's alternating-time temporal logic (ATL).

Computation tree logic (CTL) and linear temporal logic (LTL) are both a subset of CTL*. CTL and LTL are not equivalent and they have a common subset, which is a proper subset of both CTL and LTL.

FG.P exists in LTL but not in CTL.
AG(P⇒((EX.Q)∧(EX¬Q))) and AG.EF.P exist in CTL but not in LTL.

Extensions

CTL has been extended with second-order quantification $\exists p$ and $\forall p$ to quantified computational tree logic (QCTL).^[1] There are two semantics:

the tree semantics. We label nodes of the computation tree. QCTL* = QCTL = MSO over trees. Model checking and satisfiability are tower complete.
the structure semantics. We label states. QCTL* = QCTL = MSO over graphs. Model checking is PSPACE-complete but satisfiability is undecidable.

A reduction from the model-checking problem of QCTL with the structure semantics, to TQBF (true quantified Boolean formulae) has been proposed, in order to take advantage of the QBF solvers.^[2]

Related Research Articles

<span class="mw-page-title-main">Logical disjunction</span> Logical connective OR

In logic, disjunction is a logical connective typically notated as $and read aloud as "or". For instance, the English language sentence "it is sunny or it is warm" can be represented in logic using the disjunctive formula, assuming that abbreviates "it is sunny" and abbreviates "it is warm".$

The proof of Gödel's completeness theorem given by Kurt Gödel in his doctoral dissertation of 1929 is not easy to read today; it uses concepts and formalisms that are no longer used and terminology that is often obscure. The version given below attempts to represent all the steps in the proof and all the important ideas faithfully, while restating the proof in the modern language of mathematical logic. This outline should not be considered a rigorous proof of the theorem.

Propositional calculus is a branch of logic. It is also called propositional logic, statement logic, sentential calculus, sentential logic, or sometimes zeroth-order logic. It deals with propositions and relations between propositions, including the construction of arguments based on them. Compound propositions are formed by connecting propositions by logical connectives. Propositions that contain no logical connectives are called atomic propositions.

Intuitionistic logic, sometimes more generally called constructive logic, refers to systems of symbolic logic that differ from the systems used for classical logic by more closely mirroring the notion of constructive proof. In particular, systems of intuitionistic logic do not assume the law of the excluded middle and double negation elimination, which are fundamental inference rules in classical logic.

In logic, temporal logic is any system of rules and symbolism for representing, and reasoning about, propositions qualified in terms of time. It is sometimes also used to refer to tense logic, a modal logic-based system of temporal logic introduced by Arthur Prior in the late 1950s, with important contributions by Hans Kamp. It has been further developed by computer scientists, notably Amir Pnueli, and logicians.

In propositional logic, double negation is the theorem that states that "If a statement is true, then it is not the case that the statement is not true." This is expressed by saying that a proposition A is logically equivalent to not (not-A), or by the formula A ≡ ~(~A) where the sign ≡ expresses logical equivalence and the sign ~ expresses negation.

Independence-friendly logic is an extension of classical first-order logic (FOL) by means of slashed quantifiers of the form $and, where is a finite set of variables. The intended reading of is "there is a which is functionally independent from the variables in ". IF logic allows one to express more general patterns of dependence between variables than those which are implicit in first-order logic. This greater level of generality leads to an actual increase in expressive power; the set of IF sentences can characterize the same classes of structures as existential second-order logic.$

Epistemic modal logic is a subfield of modal logic that is concerned with reasoning about knowledge. While epistemology has a long philosophical tradition dating back to Ancient Greece, epistemic logic is a much more recent development with applications in many fields, including philosophy, theoretical computer science, artificial intelligence, economics and linguistics. While philosophers since Aristotle have discussed modal logic, and Medieval philosophers such as Avicenna, Ockham, and Duns Scotus developed many of their observations, it was C. I. Lewis who created the first symbolic and systematic approach to the topic, in 1912. It continued to mature as a field, reaching its modern form in 1963 with the work of Kripke.

In abstract algebraic logic, a branch of mathematical logic, the Leibniz operator is a tool used to classify deductive systems, which have a precise technical definition and capture a large number of logics. The Leibniz operator was introduced by Wim Blok and Don Pigozzi, two of the founders of the field, as a means to abstract the well-known Lindenbaum–Tarski process, that leads to the association of Boolean algebras to classical propositional calculus, and make it applicable to as wide a variety of sentential logics as possible. It is an operator that assigns to a given theory of a given sentential logic, perceived as a term algebra with a consequence operation on its universe, the largest congruence on the algebra that is compatible with the theory.

In theoretical computer science, the modal μ-calculus is an extension of propositional modal logic by adding the least fixed point operator μ and the greatest fixed point operator ν, thus a fixed-point logic.

CTL* is a superset of computational tree logic (CTL) and linear temporal logic (LTL). It freely combines path quantifiers and temporal operators. Like CTL, CTL* is a branching-time logic. The formal semantics of CTL* formulae are defined with respect to a given Kripke structure.

Probabilistic Computation Tree Logic (PCTL) is an extension of computation tree logic (CTL) that allows for probabilistic quantification of described properties. It has been defined in the paper by Hansson and Jonsson.

In modal logic, standard translation is a logic translation that transforms formulas of modal logic into formulas of first-order logic which capture the meaning of the modal formulas. Standard translation is defined inductively on the structure of the formula. In short, atomic formulas are mapped onto unary predicates and the objects in the first-order language are the accessible worlds. The logical connectives from propositional logic remain untouched and the modal operators are transformed into first-order formulas according to their semantics.

Dependence logic is a logical formalism, created by Jouko Väänänen, which adds dependence atoms to the language of first-order logic. A dependence atom is an expression of the form $, where are terms, and corresponds to the statement that the value of is functionally dependent on the values of .$

In artificial intelligence and related fields, an argumentation framework is a way to deal with contentious information and draw conclusions from it using formalized arguments.

Dynamic epistemic logic (DEL) is a logical framework dealing with knowledge and information change. Typically, DEL focuses on situations involving multiple agents and studies how their knowledge changes when events occur. These events can change factual properties of the actual world : for example a red card is painted in blue. They can also bring about changes of knowledge without changing factual properties of the world : for example a card is revealed publicly to be red. Originally, DEL focused on epistemic events. We only present in this entry some of the basic ideas of the original DEL framework; more details about DEL in general can be found in the references.

Metric temporal logic (MTL) is a special case of temporal logic. It is an extension of temporal logic in which temporal operators are replaced by time-constrained versions like until, next, since and previous operators. It is a linear-time logic that assumes both the interleaving and fictitious-clock abstractions. It is defined over a point-based weakly-monotonic integer-time semantics.

In model checking, the Metric Interval Temporal Logic (MITL) is a fragment of Metric Temporal Logic (MTL). This fragment is often preferred to MTL because some problems that are undecidable for MTL become decidable for MITL.

In model checking, a field of computer science, Timed Propositional Temporal Logic (TPTL) is an extension of Linear Temporal Logic (LTL) in which variables are introduced to measure times between two events. For example, while LTL allows to state that each event p is eventually followed by an event q, TPTL furthermore allows to give a time limit for q to occur.

References

↑ David, Amélie; Laroussinie, Francois; Markey, Nicolas (2016). Desharnais, Josée; Jagadeesan, Radha (eds.). "On the Expressiveness of QCTL". 27th International Conference on Concurrency Theory (CONCUR 2016). Leibniz International Proceedings in Informatics (LIPIcs). Dagstuhl, Germany: Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik. 59: 28:1–28:15. doi:10.4230/LIPIcs.CONCUR.2016.28. ISBN 978-3-95977-017-0.
↑ Hossain, Akash; Laroussinie, François (2019). Gamper, Johann; Pinchinat, Sophie; Sciavicco, Guido (eds.). "From Quantified CTL to QBF". 26th International Symposium on Temporal Representation and Reasoning (TIME 2019). Leibniz International Proceedings in Informatics (LIPIcs). Dagstuhl, Germany: Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik. 147: 11:1–11:20. doi:10.4230/LIPIcs.TIME.2019.11. ISBN 978-3-95977-127-6. S2CID 195345645.

E.M. Clarke; E.A. Emerson (1981). "Design and synthesis of synchronisation skeletons using branching time temporal logic" (PDF). Logic of Programs, Proceedings of Workshop, Lecture Notes in Computer Science. Lecture Notes in Computer Science. Springer, Berlin. 131: 52–71. doi:10.1007/BFb0025774. ISBN 3-540-11212-X.
Michael Huth; Mark Ryan (2004). Logic in Computer Science (Second ed.). Cambridge University Press. p. 207. ISBN 978-0-521-54310-1.
Emerson, E. A.; Halpern, J. Y. (1985). "Decision procedures and expressiveness in the temporal logic of branching time". Journal of Computer and System Sciences . 30 (1): 1–24. doi:10.1016/0022-0000(85)90001-7.
Clarke, E. M.; Emerson, E. A. & Sistla, A. P. (1986). "Automatic verification of finite-state concurrent systems using temporal logic specifications". ACM Transactions on Programming Languages and Systems . 8 (2): 244–263. doi:10.1145/5397.5399. S2CID 52853200.
Emerson, E. A. (1990). "Temporal and modal logic". In Jan van Leeuwen (ed.). Handbook of Theoretical Computer Science, vol. B. MIT Press. pp. 955–1072. ISBN 978-0-262-22039-2.

External links

Teaching slides of CTL

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] David, Amélie; Laroussinie, Francois; Markey, Nicolas (2016). Desharnais, Josée; Jagadeesan, Radha (eds.). "On the Expressiveness of QCTL". 27th International Conference on Concurrency Theory (CONCUR 2016). Leibniz International Proceedings in Informatics (LIPIcs). Dagstuhl, Germany: Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik. 59: 28:1–28:15. doi:10.4230/LIPIcs.CONCUR.2016.28. ISBN 978-3-95977-017-0.

[2] Hossain, Akash; Laroussinie, François (2019). Gamper, Johann; Pinchinat, Sophie; Sciavicco, Guido (eds.). "From Quantified CTL to QBF". 26th International Symposium on Temporal Representation and Reasoning (TIME 2019). Leibniz International Proceedings in Informatics (LIPIcs). Dagstuhl, Germany: Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik. 147: 11:1–11:20. doi:10.4230/LIPIcs.TIME.2019.11. ISBN 978-3-95977-127-6. S2CID 195345645.

[1]

[2]