Computation tree logic (CTL) is a branching-time logic, meaning that its model of time is a tree-like structure in which the future is not determined; there are different paths in the future, any one of which might be an actual path that is realized.
It is used in formal verification of software or hardware artifacts, typically by software applications known as model checkers, which determine if a given artifact possesses safety or liveness properties.
For example, CTL can specify that when some initial condition is satisfied (e.g., all program variables are positive or no cars on a highway straddle two lanes), then all possible executions of a program avoid some undesirable condition (e.g., dividing a number by zero or two cars colliding on a highway).
In this example, the safety property could be verified by a model checker that explores all possible transitions out of program states satisfying the initial condition and ensures that all such executions satisfy the property.
CTL was first proposed by Edmund M. Clarke and E. Allen Emerson in 1981, who used it to synthesize so-called synchronisation skeletons, i.e., abstractions of concurrent programs.
Because CTL is more computationally efficient to model check, it has become more common in industrial use, and many of the most successful model-checking tools use CTL as a specification language.
[1] The language of well-formed formulas for CTL is generated by the following grammar: where
ranges over a set of atomic formulas.
comprises a complete set of connectives, and the others can be defined using them.
For example, the following is a well-formed CTL formula: The following is not a well-formed CTL formula: The problem with this string is that
CTL uses atomic propositions as its building blocks to make statements about the states of a system.
Along with these operators CTL formulas can also make use of the boolean constants true and false.
In CTL there are minimal sets of operators.
One minimal set of operators is: {true, ∨, ¬, EG, EU, EX}.
Some of the transformations used for temporal operators are: CTL formulae are interpreted over transition systems.
is a transition relation, assumed to be serial, i.e. every state has at least one successor, and
is a labelling function, assigning propositional letters to states.
: Rules 10–15 above refer to computation paths in models and are what ultimately characterise the "Computation Tree"; they are assertions about the nature of the infinitely deep computation tree rooted at the given state
are duals, being universal and existential computation path quantifiers respectively:
Hence an instance of De Morgan's laws can be formulated in CTL: It can be shown using such identities that a subset of the CTL temporal connectives is adequate if it contains
The important equivalences below are called the expansion laws; they allow unfolding the verification of a CTL connective towards its successors in time.
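As an added illustration (not part of the original article), the following Python sketch labels states of a small transition system using the minimal operator set {true, ∨, ¬, EG, EU, EX}, computing EU and EG as fixpoints by repeatedly unfolding one step toward successors. The request-handler model, its state names and the tuple encoding of formulas are constructed for this example.

```python
# Added example; the model, state names and tuple formula encoding are constructed.
def pre_exists(R, target):
    """EX semantics: states with at least one successor in target."""
    return {s for s, succs in R.items() if succs & target}

def fixpoint(step, start):
    """Iterate step from start until the state set stops changing."""
    Z = start
    while (new := step(Z)) != Z:
        Z = new
    return Z

def sat(f, S, R, L):
    """Set of states of the transition system (S, R, L) satisfying f."""
    op = f[0]
    if op == "true":
        return set(S)
    if op == "ap":
        return {s for s in S if f[1] in L[s]}
    if op == "not":
        return set(S) - sat(f[1], S, R, L)
    if op == "or":
        return sat(f[1], S, R, L) | sat(f[2], S, R, L)
    if op == "EX":
        return pre_exists(R, sat(f[1], S, R, L))
    if op == "EU":  # least fixpoint of Z = psi | (phi & EX Z)
        phi, psi = sat(f[1], S, R, L), sat(f[2], S, R, L)
        return fixpoint(lambda Z: psi | (phi & pre_exists(R, Z)), set())
    if op == "EG":  # greatest fixpoint of Z = phi & EX Z
        phi = sat(f[1], S, R, L)
        return fixpoint(lambda Z: phi & pre_exists(R, Z), set(phi))
    raise ValueError(f"unknown operator: {op!r}")

def AG(f):
    """Derived operator: AG f = not E[true U not f]."""
    return ("not", ("EU", ("true",), ("not", f)))

# Constructed model of a request handler; R is serial (every state has a successor).
S = {"idle", "auth", "serve", "leak"}
L = {"idle": set(), "auth": set(), "serve": {"authed"}, "leak": {"bad"}}
R_SAFE = {"idle": {"auth"}, "auth": {"idle", "serve"}, "serve": {"idle"}, "leak": {"leak"}}
R_BUGGY = {**R_SAFE, "idle": {"auth", "leak"}}  # adds an edge into the bad state
NOT_BAD = ("not", ("ap", "bad"))

def safe_from(init, R):
    """True when the safety property AG(not bad) holds in state init."""
    return init in sat(AG(NOT_BAD), S, R, L)

if __name__ == "__main__":
    print(safe_from("idle", R_SAFE), safe_from("idle", R_BUGGY))
```

In the buggy model, `EG` of "not bad" still holds at `idle` because one path avoids the bad state, while `AG` fails because another path reaches it; this is the difference between the existential and universal path quantifiers.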
CTL is also a fragment of Alur, Henzinger and Kupferman's alternating-time temporal logic (ATL).
Computation tree logic (CTL) and linear temporal logic (LTL) are both subsets of CTL*.
CTL and LTL are not equivalent and they have a common subset, which is a proper subset of both CTL and LTL.
CTL has been extended with second-order quantification
to quantified computational tree logic (QCTL).
[2] There are two semantics: A reduction from the model-checking problem of QCTL with the structure semantics, to TQBF (true quantified Boolean formulae) has been proposed, in order to take advantage of the QBF solvers.