List of model checking tools

Last updated May 16, 2024

This article lists model checking tools and gives an overview of the functionality of each.

Overview of some model checking tools

The following table includes model checkers that have

a web site from which it can be downloaded,
a declared license,
a description published in archived literature, and
a Wikipedia article describing it.

In the below table, the following abbreviations are used:

Equivalences:
- SB: Strong Bisimulation
- WB: Weak Bisimulation
- BB: Branching Bisimulation
- STE: Strong Trace Equivalence
- WTE: Weak Trace Equivalence
- me: May Equivalence
- ME: Must Equivalence
- OE: Observational Equivalence
- SE: Safety Equivalence
- t*E: tau*.a Equivalence
Software license:
- FUSC: Free Under Specific Condition (e.g., free for academics)

Name	Model Checking			Equivalence checking		GUI			Availability
	Plain, Probabilistic, Stochastic, ...	Modelling language	Properties language	Supported equivalences	Counter example generation	GUI	Graphical Specification	Counter example visualization	Software license	Programming language used	Platform, OS
BLAST	Code analysis	C	Monitor automata		Yes	No	No	No	Free	OCaml	Windows, Unix related
CADP	Plain and probabilistic	LOTOS, FC2, FSP, LNT	AFMC, MCL, XTL	SB, WB, BB, OE, STE, WTE, SE, tau*E	Yes	Yes	No	Yes	FUSC	C, Bourne shell, Tcl/Tk, LOTOS, LNT	macOS, Linux, Solaris, Windows
CPAchecker	Code analysis	C	Monitor automata		Yes	Yes	No	Yes	Free	Java	Any
DREAM	Real-time	C++, Timed automata	Monitor automata		Yes	No	No	No	Free	C++	Windows, Unix related
Java Pathfinder	Plain and timed	Java	unknown		No	Yes	No	No	Open Source Agreement	Java	macOS, Windows, Linux
Murφ (Murphi)	Plain	Murφ	Invariants, assertions		Yes	No	No	No	Free	C++	Linux
NuSMV	Plain	SMV input language	CTL, LTL, PSL		Yes	No	No	No	Free	C	Unix, Windows, macOS
PAT	Plain, real-time, probabilistic	CSP#, timed CSP, probabilistic CSP	LTL, assertions		Yes	Yes	Yes	Yes	Free	C#	Windows, others with Mono
PRISM	Probabilistic	PEPA, PRISM language, Plain MC	CSL, PLTL, PCTL		No	Yes	No	No	Free	C++, Java	Windows, Linux, macOS
Rumur	Plain	Murφ	Invariants, assertions		Yes	No	No	No	Free	C	macOS, Linux
SPIN	Plain	Promela	LTL		Yes	Yes	No	Yes	FUSC	C, C++	Windows, Unix related
TAPAAL	Real-time	Timed-Arc Petri Nets, age invariants, inhibitor arcs, transport arcs	TCTL subset		No	Yes	Yes	Yes	Free	C++, Java	macOS, Windows, Linux
TAPAs	Plain	CCSP	CTL, μ-calculus	SB, WB, BB, STE, WTE, me, ME, OE	Yes	Yes	Yes	Yes	Free	Java	Windows, macOS, Unix related
UPPAAL	Real-time	Timed automata, C subset	TCTL subset		Yes	Yes	Yes	Yes	FUSC	C++, Java	macOS, Windows, Linux
ROMEO	Real-time	Time Petri Nets, stopwatch parametric Petri nets	TCTL subset		Yes	Yes	Yes	No	Free	C++, Tcl/Tk	macOS, Windows, Linux
TLA+ Model Checker (TLC)	Plain	TLA+, PlusCal	TLA		Yes	Yes	Yes	No	Free	Java	macOS, Windows, Linux

Modelling languages

CCSP: A process calculus obtained from CCS by incorporating some operators of CSP. It is defined by Olderog^[1] and by van Glabbeek/Vaandrager.^[2]
CSP: Communicating sequential processes; formal language for describing patterns of interaction in concurrent systems. FDR2 is a refinement checking tool for CSP, comparing two models for compatibility.
DVE input language: a system is described as Network of Extended Finite State Machines communicating via shared variables and unbuffered channels. Does not contain support for buffered channels and for checking the type of message to be received without performing the receive proper.
FC2: (Common Format V2) Machine-level ASCII representation for synchronized (hierarchical) networks of automata. Defined by the Esprit Basic Research Action CONCUR, 1992. Used as an input and exchange format by a number of verification tools, mainly in the area of process algebras.
FSP: Finite State Processes language defined at Imperial College.
Java: Object-oriented programming language.
LNT: LOTOS New Technology; a specification language inspired by process calculi, functional programming languages, and imperative programming languages; LNT was designed as a modern replacement for LOTOS and E-LOTOS.
LOTOS: Language Of Temporal Ordering Specification (ISO standard 8807); formal specification language based on temporal ordering used for protocol specification in ISO OSI standards.
mCRL2: A specification language for describing concurrent discrete event systems.
Murφ: Guarded commands and an asynchronous, interleaving model of concurrency, with all synchronization and communication done through global variables.
PEPA: Performance Evaluation Process Algebra; it is a stochastic process algebra designed for modelling computer and communication systems.
Plain MC: simple text-file formats used in MRMC and PRISM.
Promela: Process or Protocol Meta Language; it is a verification modeling language. The language allows for the dynamic creation of concurrent processes to model, for example, distributed systems.
TLA+: General-purpose specification language based on the Temporal Logic of Actions, originally used for distributed and concurrent systems. The language for the specifications and their properties is the same.

Properties language

AFMC: Alternation-Free modal μ-calculus.
Assertions: Imperative assertion statements.
CSL: Continuous Stochastic Logic, characterizes bisimulation of continuous-time Markov processes.
CSRL: Continuous Stochastic Reward Logic; a logic to specify measures over CTMCs extended with a reward structure (so-called Markov reward models).
CTL: Computation Tree Logic; a branching-time logic, meaning that its model of time is a tree-like structure in which the future is not determined; there are different paths in the future, any one of which might be an actual path that is realized.
Invariants: Predicates over a system state.
LTL: Linear temporal logic; a modal temporal logic with modalities referring to time.
MCL: Model Checking Language; Alternation-Free Modal μ-calculus extended with user-friendly regular expressions and value-passing constructs; subsumes CTL and LTL.
mCRL2 mu-calculus: Kozen's propositional modal μ-calculus (excluding atomic propositions), extended with: data-depended processes, quantification over data types, multi-actions, time, and regular formulas.
PCTL: Probabilistic CTL; an extension of CTL which allows for probabilistic quantification of described properties.
PLTL: Probabilistic Linear Temporal Logic.
PRCTL: Probabilistic Reward Computation Tree Logic; it extends PCTL with reward-bounded properties.
PSL: Property specification language
SVA: SystemVerilog standards assertion language subset, standardized as IEEE 1800
XTL: eXtended Temporal Language; a domain-specific language for quickly implementing action-based, explicit-state, value-passing model checkers.

Comparison of model checking tools

Scientific publications

There exists a few papers that systematically compare various model checkers on a common case study. The comparison usually discusses the modelling tradeoffs faced when using the input languages of each model checker, as well as the comparison of performances of the tools when verifying correctness properties. One can mention:

In 1999, Judi Romijn compared two model checkers (CADP and SPIN) on the HAVi interoperability audio-video protocol for consumer electronics.^[3]

In 2003, Yifei Dong, Xiaoqun Du, Gerard J. Holzmann, and Scott A. Smolka published a comparison of four model checkers (namely: Cospan, Murphi, SPIN, and XMC) on a communication protocol, the GNU i-protocol.^[4]

In 2005, Elena M. Bortnik, Nikola Trcka, Anton Wijs, Bas Luttik, J. M. van de Mortel-Fronczak, Jos C. M. Baeten, Wan Fokkink, and J. E. Rooda published a comparison of four model checkers (namely: CADP, muCRL, SPIN, and UPPAAL) on an industrial manufacturing system, a rotating drilling machine.^[5]

In 2018, F. Mazzanti and A. Ferrari published a comparison of ten model checkers (namely: CADP, CPN Tools, FDR4, NuSMV/nuXmv, mCRL2, ProB, SPIN, TLA+, UMC, and UPPAAL) on a train supervision problem, taking into account both the user-friendliness of the languages and the performance of the tools.^[6]

International software competitions

Since 2007, the Hardware Model Checking Competition (HWMCC) compares the performances of model checking tools oriented towards hardware design.
Since 2011, the Model Checking Contest (MCC) compare performances of model checking tools designed to analyze highly concurrent systems.

Related Research Articles

In computer science, formal methods are mathematically rigorous techniques for the specification, development, analysis, and verification of software and hardware systems. The use of formal methods for software and hardware design is motivated by the expectation that, as in other engineering disciplines, performing appropriate mathematical analysis can contribute to the reliability and robustness of a design.

In computer science, communicating sequential processes (CSP) is a formal language for describing patterns of interaction in concurrent systems. It is a member of the family of mathematical theories of concurrency known as process algebras, or process calculi, based on message passing via channels. CSP was highly influential in the design of the occam programming language and also influenced the design of programming languages such as Limbo, RaftLib, Erlang, Go, Crystal, and Clojure's core.async.

In the context of hardware and software systems, formal verification is the act of proving or disproving the correctness of a system with respect to a certain formal specification or property, using formal methods of mathematics. Formal verification is a key incentive for formal specification of systems, and is at the core of formal methods. It represents an important dimension of analysis and verification in electronic design automation and is one approach to software verification. The use of formal verification enables the highest Evaluation Assurance Level (EAL7) in the framework of common criteria for computer security certification.

In computer science, model checking or property checking is a method for checking whether a finite-state model of a system meets a given specification. This is typically associated with hardware or software systems, where the specification contains liveness requirements as well as safety requirements.

In theoretical computer science a bisimulation is a binary relation between state transition systems, associating systems that behave in the same way in that one system simulates the other and vice versa.

The calculus of communicating systems (CCS) is a process calculus introduced by Robin Milner around 1980 and the title of a book describing the calculus. Its actions model indivisible communications between exactly two participants. The formal language includes primitives for describing parallel composition, choice between actions and scope restriction. CCS is useful for evaluating the qualitative correctness of properties of a system such as deadlock or livelock.

In logic, linear temporal logic or linear-time temporal logic (LTL) is a modal temporal logic with modalities referring to time. In LTL, one can encode formulae about the future of paths, e.g., a condition will eventually be true, a condition will be true until another fact becomes true, etc. It is a fragment of the more complex CTL*, which additionally allows branching time and quantifiers. LTL is sometimes called propositional temporal logic, abbreviated PTL. In terms of expressive power, linear temporal logic (LTL) is a fragment of first-order logic.

Computation tree logic (CTL) is a branching-time logic, meaning that its model of time is a tree-like structure in which the future is not determined; there are different paths in the future, any one of which might be an actual path that is realized. It is used in formal verification of software or hardware artifacts, typically by software applications known as model checkers, which determine if a given artifact possesses safety or liveness properties. For example, CTL can specify that when some initial condition is satisfied, then all possible executions of a program avoid some undesirable condition. In this example, the safety property could be verified by a model checker that explores all possible transitions out of program states satisfying the initial condition and ensures that all such executions satisfy the property. Computation tree logic belongs to a class of temporal logics that includes linear temporal logic (LTL). Although there are properties expressible only in CTL and properties expressible only in LTL, all properties expressible in either logic can also be expressed in CTL*.

In computer science, the process calculi are a diverse family of related approaches for formally modelling concurrent systems. Process calculi provide a tool for the high-level description of interactions, communications, and synchronizations between a collection of independent agents or processes. They also provide algebraic laws that allow process descriptions to be manipulated and analyzed, and permit formal reasoning about equivalences between processes. Leading examples of process calculi include CSP, CCS, ACP, and LOTOS. More recent additions to the family include the π-calculus, the ambient calculus, PEPA, the fusion calculus and the join-calculus.

In computer science, concurrency is the ability of different parts or units of a program, algorithm, or problem to be executed out-of-order or in partial order, without affecting the outcome. This allows for parallel execution of the concurrent units, which can significantly improve overall speed of the execution in multi-processor and multi-core systems. In more technical terms, concurrency refers to the decomposability of a program, algorithm, or problem into order-independent or partially-ordered components or units of computation.

Calculus in its most general sense is any method or system of calculation.

In computer science Language of Temporal Ordering Specification (LOTOS) is a formal specification language based on temporal ordering of events. LOTOS is used for communications protocol specification in International Organization for Standardization (ISO) Open Systems Interconnection model (OSI) standards.

In theoretical computer science, the modal μ-calculus is an extension of propositional modal logic by adding the least fixed point operator μ and the greatest fixed point operator ν, thus a fixed-point logic.

<span class="mw-page-title-main">E. Allen Emerson</span> American computer scientist

Ernest Allen Emerson II, better known as E. Allen Emerson, is an American computer scientist and winner of the 2007 Turing Award. He is Professor and Regents Chair Emeritus at the University of Texas at Austin, United States.

Reo is a domain-specific language for programming and analyzing coordination protocols that compose individual processes into full systems, broadly construed. Examples of classes of systems that can be composed with Reo include component-based systems, service-oriented systems, multithreading systems, biological systems, and cryptographic protocols. Reo has a graphical syntax in which every Reo program, called a connector or circuit, is a labeled directed hypergraph. Such a graph represents the data-flow among the processes in the system. Reo has formal semantics, which stand at the basis of its various formal verification techniques and compilation tools.

PRISM is a probabilistic model checker, a formal verification software tool for the modelling and analysis of systems that exhibit probabilistic behaviour. One source of such systems is the use of randomization, for example in communication protocols like Bluetooth and FireWire, or in security protocols such as Crowds and Onion routing. Stochastic behaviour also arises in many other computer systems, for example due to equipment failures, unbreliable sensors and actuators, or unpredictable communication delays. PRISM has been used to analyse a diverse range of applications, from robot planning to computer network performance analysis to biochemical reaction networks.

CADP is a toolbox for the design of communication protocols and distributed systems. CADP is developed by the CONVECS team at INRIA Rhone-Alpes and connected to various complementary tools. CADP is maintained, regularly improved, and used in many industrial projects.

TAPAs is a tool for specifying and analyzing concurrent systems. Its aim is to support teaching of process algebras. Systems are described as process algebra terms that are then mapped to labeled transition systems (LTSs). Properties can be verified by checking equivalences between concrete and abstract system descriptions or by model checking temporal formulas over the obtained LTS. A key feature of TAPAs that makes it particularly suited for teaching is that it maintains a consistent graphical and textual representation of each system. After a change in the graphic notation, the textual representation is updated immediately; but after textual modifications, the update of the graphical representation has to be manually triggered.

<i>Principles of Model Checking</i> Computer science textbook

Principles of Model Checking is a textbook on model checking, an area of computer science that automates the problem of determining if a machine meets specification requirements. It was written by Christel Baier and Joost-Pieter Katoen, and published in 2008 by MIT Press.

Kim Guldstrand Larsen R is a Danish scientist and professor of computer science at Aalborg University, Denmark. His field of research includes modeling, validation and verification, performance analysis, and synthesing of real-time, embedded, and cyber-physical systems utilizing and contributing to concurrency theory and model checking. Within this domain, he has been instrumental in the invention and continuous development of one of the most widely used verification tools, and has received several awards and honors for his work.

References

↑ E.R. Olderog: Operational Petri net semantics for CCSP
↑ Rob van Glabbeek, Frits Vaandrager: Bundle Event Structures and CCSP
↑ Romijn, Judi (June 1999). Model Checking a HAVi Leader Election Protocol (Technical report). Amsterdam: CWI. SEN-R9915. Archived from the original on 2019-09-11. Retrieved 2018-06-14.
↑ Dong, Yifei; Du, Xiaoqun; Holzmann, Gerard; Smolka, Scott (2003). "Fighting Livelock in the GNU i-Protocol: A Case Study in Explicit-State Model Checking". Software Tool for Technology Transfer. 4 (4): 505–528.
↑ Bortnik, Elena M.; Trcka, Nikola; Wijs, Anton; Luttik, Bas; van de Mortel-Fronczak, J. M.; Baeten, Jos C. M.; Fokkink, Wan; Rooda, J. E. (2005). "Analyzing a chi model of a turntable system using Spin, CADP and Uppaal" (PDF). Journal of Logical and Algebraic Methods in Programming. 65 (2): 51–104. doi: 10.1016/j.jlap.2005.05.001 . Archived (PDF) from the original on 2021-01-27. Retrieved 2018-05-25.
↑ Mazzanti, Franco; Ferrari, Alessio (2018). "Ten Diverse Formal Models for a CBTC Automatic Train Supervision System". Proceedings of the 3rd Workshop on Models for Formal Analysis of Real Systems and 6th International Workshop on Verification and Program Transformation (MARS/VPT’18), Thessaloniki, Greece. Electronic Proceedings in Theoretical Computer Science. Vol. 268. pp. 104–149. arXiv: 1803.10324v1 . doi:10.4204/EPTCS.268.4.

External links

Tools: a database for verification tools
A list of verification and synthesis tools (public domain repository on GitHub)
A list of verification tools for probabilistic, stochastic, hybrid, and timed systems

Common benchmarks

MCC (models of the Model Checking Contest): a collection of hundreds of Petri nets originating from many academic and industrial case studies.
VLTS (Very Large Transition Systems): a collection of Labelled Transition Systems of increasing sizes, used in many scientific publications.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[CCSP1-1] E.R. Olderog: Operational Petri net semantics for CCSP

[CCSP2-2] Rob van Glabbeek, Frits Vaandrager: Bundle Event Structures and CCSP

[3] Romijn, Judi (June 1999). Model Checking a HAVi Leader Election Protocol (Technical report). Amsterdam: CWI. SEN-R9915. Archived from the original on 2019-09-11. Retrieved 2018-06-14.

[4] Dong, Yifei; Du, Xiaoqun; Holzmann, Gerard; Smolka, Scott (2003). "Fighting Livelock in the GNU i-Protocol: A Case Study in Explicit-State Model Checking". Software Tool for Technology Transfer. 4 (4): 505–528.

[5] Bortnik, Elena M.; Trcka, Nikola; Wijs, Anton; Luttik, Bas; van de Mortel-Fronczak, J. M.; Baeten, Jos C. M.; Fokkink, Wan; Rooda, J. E. (2005). "Analyzing a chi model of a turntable system using Spin, CADP and Uppaal" (PDF). Journal of Logical and Algebraic Methods in Programming. 65 (2): 51–104. doi: 10.1016/j.jlap.2005.05.001 . Archived (PDF) from the original on 2021-01-27. Retrieved 2018-05-25.

[6] Mazzanti, Franco; Ferrari, Alessio (2018). "Ten Diverse Formal Models for a CBTC Automatic Train Supervision System". Proceedings of the 3rd Workshop on Models for Formal Analysis of Real Systems and 6th International Workshop on Verification and Program Transformation (MARS/VPT’18), Thessaloniki, Greece. Electronic Proceedings in Theoretical Computer Science. Vol. 268. pp. 104–149. arXiv: 1803.10324v1 . doi:10.4204/EPTCS.268.4.

[1]

[2]

[3]

[4]

[5]

[6]