CTL* is a superset of computational tree logic (CTL) and linear temporal logic (LTL). It freely combines path quantifiers and temporal operators. Like CTL, CTL* is a branching time logic. The formal semantics of CTL* formulae are defined with respect to a given Kripke structure.
Contents |
LTL has been proposed for the verification of computer programs first by Amir Pnueli in 1977. Four years later in 1981 E. M. Clarke and E. A. Emerson invented CTL and CTL model checking. CTL* was defined by E. A. Emerson and Joseph Y. Halpern in 1986.
Interestingly, CTL and LTL have been developed independently before CTL*. Both sublogics have become very important in the model checking community, while CTL* is not yet of practical importance. This is surprising because the computational complexity of model checking in CTL* is not worse than that of LTL: they both lie in PSPACE.
The language of well-formed CTL* formulae is generated by the following unambiguous (wrt bracketing) context-free grammar:
where ranges over a set of atomic formulas. Valid CTL*-formulae are built using the nonterminal . These formulae are called state formulae, while those created by the symbol are called path formulae. (The above grammar contains some redundancies; for example as well as implication and equivalence can be defined as just for Boolean algebras (or propositional logic) from negation and conjunction, and the temporal operators X and U are sufficient to define the other two.)
The operators basically are the same as in CTL. However, in CTL, every temporal operator () has to be directly preceded by a quantifier, while in CTL* this is not required. The universal path quantifier may defined in CTL* in the same way as for classical predicate calculus , although this in not possible in the CTL fragment.
Remark: When taking LTL as subset of CTL*, any LTL formula is implicitly prefixed with the universal path quantifier
The semantics of CTL* are define with respect to some Kripke structure. As the names imply, state formulae are interpreted with respect to the states of this structure, while path formulae are interpreted over paths on it.
If a state of the Kripke structure satisfies a state formula it is denoted . This relation is defined inductively as follows:
The satisfaction relation for path formulae and a path is also defined inductively. For this, let denote the sub-path :