CTL*

History

LTL has been proposed for the verification of computer programs first by Amir Pnueli in 1977. Four years later in 1981 E. M. Clarke and E. A. Emerson invented CTL and CTL model checking. CTL* was defined by E. A. Emerson and Joseph Y. Halpern in 1986.

Interestingly, CTL and LTL have been developed independently before CTL*. Both sublogics have become standards in the model checking community, while CTL* is of practical importance because it provides an expressive testbed for representing and comparing these and other logics. This is surprising because the computational complexity of model checking in CTL* is not worse than that of LTL: they both lie in PSPACE.

Syntax

The language of well-formed CTL* formulae is generated by the following unambiguous (wrt bracketing) context-free grammar:

where p ranges over a set of atomic formulas. Valid CTL*-formulae are built using the nonterminal Φ . These formulae are called state formulae, while those created by the symbol ϕ are called path formulae. (The above grammar contains some redundancies; for example Φ ∨ Φ as well as implication and equivalence can be defined as just for Boolean algebras (or propositional logic) from negation and conjunction, and the temporal operators X and U are sufficient to define the other two.)

The operators basically are the same as in CTL. However, in CTL, every temporal operator ( X , F , G , U ) has to be directly preceded by a quantifier, while in CTL* this is not required. The universal path quantifier may be defined in CTL* in the same way as for classical predicate calculus A ϕ = ¬ E ¬ ϕ , although this in not possible in the CTL fragment.

Examples of formulae

Remark: When taking LTL as subset of CTL*, any LTL formula is implicitly prefixed with the universal path quantifier   A

Semantics

The semantics of CTL* are defined with respect to some Kripke structure. As the names imply, state formulae are interpreted with respect to the states of this structure, while path formulae are interpreted over paths on it.

State formulae

If a state s of the Kripke structure satisfies a state formula Φ it is denoted s ⊨ Φ . This relation is defined inductively as follows:

1. ( ( M , s ) ⊨ ⊤ ) ∧ ( ( M , s ) ⊭ ⊥ )
2. ( ( M , s ) ⊨ p ) ⇔ ( p ∈ L ( s ) )
3. ( ( M , s ) ⊨ ¬ Φ ) ⇔ ( ( M , s ) ⊭ Φ )
4. ( ( M , s ) ⊨ Φ 1 ∧ Φ 2 ) ⇔ ( ( ( M , s ) ⊨ Φ 1 ) ∧ ( ( M , s ) ⊨ Φ 2 ) )
5. ( ( M , s ) ⊨ Φ 1 ∨ Φ 2 ) ⇔ ( ( ( M , s ) ⊨ Φ 1 ) ∨ ( ( M , s ) ⊨ Φ 2 ) )
6. ( ( M , s ) ⊨ Φ 1 ⇒ Φ 2 ) ⇔ ( ( ( M , s ) ⊭ Φ 1 ) ∨ ( ( M , s ) ⊨ Φ 2 ) )
7. ( ( M , s ) ⊨ Φ 1 ⇔ Φ 2 ) ⇔ ( ( ( ( M , s ) ⊨ Φ 1 ) ∧ ( ( M , s ) ⊨ Φ 2 ) ) ∨ ( ¬ ( ( M , s ) ⊨ Φ 1 ) ∧ ¬ ( ( M , s ) ⊨ Φ 2 ) ) )
8. ( ( M , s ) ⊨ A ϕ ) ⇔ ( π ⊨ ϕ for all paths   π starting in s )
9. ( ( M , s ) ⊨ E ϕ ) ⇔ ( π ⊨ ϕ for some path   π starting in s )

Path formulae

The satisfaction relation π ⊨ ϕ for path formulae   ϕ and a path π = s 0 → s 1 → ⋯ is also defined inductively. For this, let   π [ n ] denote the sub-path s n → s n + 1 → ⋯ :

1. ( π ⊨ Φ ) ⇔ ( ( M , s 0 ) ⊨ Φ )
2. ( π ⊨ ¬ ϕ ) ⇔ ( π ⊭ ϕ )
3. ( π ⊨ ϕ 1 ∧ ϕ 2 ) ⇔ ( ( π ⊨ ϕ 1 ) ∧ ( π ⊨ ϕ 2 ) )
4. ( π ⊨ ϕ 1 ∨ ϕ 2 ) ⇔ ( ( π ⊨ ϕ 1 ) ∨ ( π ⊨ ϕ 2 ) )
5. ( π ⊨ ϕ 1 ⇒ ϕ 2 ) ⇔ ( ( π ⊭ ϕ 1 ) ∨ ( π ⊨ ϕ 2 ) )
6. ( π ⊨ ϕ 1 ⇔ ϕ 2 ) ⇔ ( ( ( π ⊨ ϕ 1 ) ∧ ( π ⊨ ϕ 2 ) ) ∨ ( ¬ ( π ⊨ ϕ 1 ) ∧ ¬ ( π ⊨ ϕ 2 ) ) )
7. ( π ⊨ X ϕ ) ⇔ ( π [ 1 ] ⊨ ϕ )
8. ( π ⊨ F ϕ ) ⇔ ( ∃ n ⩾ 0 : π [ n ] ⊨ ϕ )
9. ( π ⊨ G ϕ ) ⇔ ( ∀ n ⩾ 0 : π [ n ] ⊨ ϕ )
10. ( π ⊨ [ ϕ 1 U ϕ 2 ] ) ⇔ ( ∃ n ⩾ 0 : ( π [ n ] ⊨ ϕ 2 ∧ ∀ 0 ⩽ k < n :   π [ k ] ⊨ ϕ 1 ) )

Decision problems

Model checking of CTL* is PSPACE-complete and satisfiability problem is in 2EXPTIME-complete.