Difference between LTL and CTL

(Note that this article assume some intuitive understanding of CTL.)

I’m currently teaching a course on Hardware Description and Verification, in which we cover computation tree logic (CTL) model checking. In preparing for the course, I wanted to fully understand the differences between CTL and LTL. The common informal explanation that LTL has linear time while CTL has branching time is useless without further explanation. I had a certain understanding of CTL, and my initial assumption was that LTL is what you get by excluding all $E$ formulas from CTL. This assumption turned out to be wrong.

My assumption would imply that LTL is a subset of CTL, but the Wikipedia page claims that neither logic is a subset of the other. It seems like I’m not alone in being confused about the difference between the two logics: This Stack Exchange page has the same question. The answer on that page talks about the LTL formula

$$\mathit{\text{FG}}p$$

which, apparently, is not the same as the CTL formula

$$\mathit{\text{AF}}\mathit{\text{AG}}p$$

(as I previously thought). After reading the Stack Exchange answer I started to get a sense of the difference, but I still wasn’t able to formulate it easily. So I had no more excuses not to look into the actual formal semantics of LTL and CTL. This survey by Emerson served as a good reference for that.

Common superset: CTL*

The difference between LTL and CTL is easiest to understand by considering CTL* which has both LTL and CTL as subsets. CTL* has two syntactic categories giving rise to two different kinds of formulas: state formulas and path formulas. A state formula is something that holds for a given state in a system (modeled as a Kripke structure), while a path formula holds for a given path. A path is an infintie sequence of states such that each consecutive pair of states is in the transition relation; i.e. a trace of an infinite run of the system. Note that, even though a state formula is a property of a single state, it can still talk about future states by using the path quantifiers $A$ and $E$.

Now, the important thing to note is that an LTL formula is a (restricted) CTL* path formula while a CTL formula is a (restricted) CTL* state formula. Path formulas are not very interesting on their own, since one is usually interested in expressing properties of all or some paths from the initial state. Hence, the real meaning of an LTL formula is obtained by adding an implicit $A$ quantifier to it turning it into a state formula. Thus the meaning of the LTL formula $f$ is the meaning of the CTL* formula $Af$.

The example

With this understanding, we can try to reformulate the above examples in English:

The LTL formula $\mathit{\text{FG}}p$ can be read as

“Every path (implicit $A$) will eventually ($F$) reach a point after which $p$ is always true ($Gp$).”

Or perhaps more clearly:

“Every path has a finite prefix after which $p$ is always true.”

The CTL formula $\mathit{\text{AF}}\mathit{\text{AG}}p$ can be read as

“Every path ($A$) will eventually ($F$) reach a state from which every path ($A$) has the property that $p$ is always true ($Gp$).”

These formulas are subtly different, and they can be distinguished by the following system of three states:

$S_1\mapsto S_1\mathrm{\text{or}}{S}_2(\mathrm{\text{atomic:}}p)$

$S_2\mapsto S_3(\mathrm{\text{atomic:}}\neg p)$

$S_3\mapsto S_3(\mathrm{\text{atomic:}}p)$

Every run of this system will either (1) stay in $S_1$ forever, or (2) wait some finite time and then make a transition to $S_2$ and $S_3$. In both cases, it holds that the trace has a finite prefix after which $p$ is always true. Hence the LTL formula holds.

However, the CTL formula does not hold, because there is a path that never reaches a state at which $\mathit{\text{AG}}p$ holds. This is the path in which the system stays in $S_1$ forever. Even if it stays in $S_1$ forever, it always has the possibility to escape to $S_2$.

Summary

As demonstrated by the above example, the difference between LTL and CTL (except for the absense of $E$ in LTL) is that an LTL formula can be verified by considering each path in isolation. If each individual path obeys the path formula, the LTL formula is true. To verify a CTL formula, one may also have to consider the alternative possibilities for each state in a path.