This article lists

model checking In computer science, model checking or property checking is a method for checking whether a finite-state model of a system meets a given specification (also known as correctness). This is typically associated with hardware or software system ...

tools and gives an overview of the functionality of each.

Overview of some model checking tools

The following table includes model checkers that have # a web site from which it can be downloaded, # a declared license, # a description published in archived literature, and # a Wikipedia article describing it. In the below table, the following abbreviations are used: * Equivalences: **SB: Strong Bisimulation **WB: Weak Bisimulation **BB: Branching Bisimulation **STE: Strong Trace Equivalence **WTE: Weak Trace Equivalence **me: May Equivalence **ME: Must Equivalence **OE: Observational Equivalence **SE: Safety Equivalence **t*E: tau*.a Equivalence *Software license: ** FUSC: Free Under Specific Condition (e.g., free for academics)

Modelling languages

*CCSP: A process calculus obtained from CCS by incorporating some operators of CSP. It is defined by Olderog E.R. Olderog
''Operational Petri net semantics for CCSP''
/ref> and by van Glabbeek/Vaandrager.Rob van Glabbeek, Frits Vaandrager
''Bundle Event Structures and CCSP''
/ref> * CSP: Communicating sequential processes; formal language for describing patterns of interaction in concurrent systems.

FDR2 FDR (Failures-Divergences Refinement) and subsequently FDR2, FDR3 and FDR4 are refinement checking software tools, designed to check formal models expressed in Communicating sequential processes (CSP). The tools were originally developed by Fo ...

is a refinement checking tool for CSP, comparing two models for compatibility. *DVE input language: a system is described as Network of Extended Finite State Machines communicating via shared variables and unbuffered channels. Does not contain support for buffered channels and for checking the type of message to be received without performing the receive proper. *FC2: (Common Format V2) Machine-level ASCII representation for synchronized (hierarchical) networks of automata. Defined by the Esprit Basic Research Action CONCUR, 1992. Used as an input and exchange format by a number of verification tools, mainly in the area of process algebras. *FSP: Finite State Processes language defined at Imperial College. *

Java Java (; id, Jawa, ; jv, ꦗꦮ; su, ) is one of the Greater Sunda Islands in Indonesia. It is bordered by the Indian Ocean to the south and the Java Sea to the north. With a population of 151.6 million people, Java is the world's mo ...

: Object-oriented programming language. *LNT: LOTOS New Technology; a specification language inspired by process calculi, functional programming languages, and imperative programming languages; LNT was designed as a modern replacement for LOTOS and E-LOTOS. * LOTOS: Language Of Temporal Ordering Specification (ISO standard 8807); formal specification language based on temporal ordering used for protocol specification in ISO OSI standards. *

Murφ Murφ (/ˈmɝ.fi/, also spelled Murphi) is an explicit-state model checker developed at Stanford University, and widely used for formal verification of cache-coherence protocols. History Murφ's early history is described in a paper by David ...

: Guarded commands and an asynchronous, interleaving model of concurrency, with all synchronization and communication done through global variables. *

PEPA Performance Evaluation Process Algebra (PEPA) is a stochastic process algebra designed for modelling computer and communication systems introduced by Jane Hillston in the 1990s. The language extends classical process algebras such as Milner's ...

: Performance Evaluation Process Algebra; it is a stochastic process algebra designed for modelling computer and communication systems. *Plain MC: simple text-file formats used in MRMC and PRISM. *

Promela PROMELA (Process or Protocol Meta Language) is a verification modeling language introduced by Gerard J. Holzmann. The language allows for the dynamic creation of concurrent processes to model, for example, distributed systems. In PROMELA models, c ...

: Process or Protocol Meta Language; it is a verification modeling language. The language allows for the dynamic creation of concurrent processes to model, for example, distributed systems. * TLA+: General-purpose specification language based on the Temporal Logic of Actions, originally used for distributed and concurrent systems. The language for the specifications and their properties is the same.

Properties language

* AFMC: Alternation-Free

modal μ-calculus In theoretical computer science, the modal μ-calculus (Lμ, Lμ, sometimes just μ-calculus, although this can have a more general meaning) is an extension of propositional modal logic (with many modalities) by adding the least fixed point opera ...

. * Assertions: Imperative assertion statements. *CSL: Continuous Stochastic Logic, characterizes bisimulation of continuous-time Markov processes. *CSRL: Continuous Stochastic Reward Logic; a logic to specify measures over CTMCs extended with a reward structure (so-called Markov reward models). * CTL: Computation Tree Logic; a branching-time logic, meaning that its model of time is a tree-like structure in which the future is not determined; there are different paths in the future, any one of which might be an actual path that is realized. * Invariants: Predicates over a system state. * LTL: Linear temporal logic; a modal temporal logic with modalities referring to time. * MCL: Model Checking Language; Alternation-Free

Modal μ-calculus In theoretical computer science, the modal μ-calculus (Lμ, Lμ, sometimes just μ-calculus, although this can have a more general meaning) is an extension of propositional modal logic (with many modalities) by adding the least fixed point opera ...

extended with user-friendly regular expressions and value-passing constructs; subsumes CTL and LTL. * mCRL2 mu-calculus: Kozen's propositional

(excluding atomic propositions), extended with: data-depended processes, quantification over data types, multi-actions, time, and regular formulas. * PCTL: Probabilistic CTL; an extension of CTL which allows for probabilistic quantification of described properties. *PLTL: Probabilistic Linear Temporal Logic. *PRCTL: Probabilistic Reward Computation Tree Logic; it extends PCTL with reward-bounded properties. * PSL: Property specification language *SVA: SystemVerilog standards assertion language subset, standardized as IEEE 1800 *XTL: eXtended Temporal Language; a domain-specific language for quickly implementing action-based, explicit-state, value-passing model checkers.

Comparison of model checking tools

Scientific publications

There exists a few papers that systematically compare various model checkers on a common case study. The comparison usually discusses the modelling tradeoffs faced when using the input languages of each model checker, as well as the comparison of performances of the tools when verifying correctness properties. One can mention: * In 1999, Judi Romijn compared two model checkers ( CADP and

SPIN Spin or spinning most often refers to: * Spinning (textiles), the creation of yarn or thread by twisting fibers together, traditionally by hand spinning * Spin, the rotation of an object around a central axis * Spin (propaganda), an intentionally ...

) on the HAVi interoperability audio-video protocol for consumer electronics. * In 2003, Yifei Dong, Xiaoqun Du, Gerard J. Holzmann, and Scott A. Smolka published a comparison of four model checkers (namely: Cospan, Murphi,

, and XMC) on a communication protocol, the GNU i-protocol. *In 2005, Elena M. Bortnik, Nikola Trcka, Anton Wijs, Bas Luttik, J. M. van de Mortel-Fronczak, Jos C. M. Baeten, Wan Fokkink, and J. E. Rooda published a comparison of four model checkers (namely: CADP, muCRL,

, and UPPAAL) on an industrial manufacturing system, a rotating drilling machine. * In 2018, F. Mazzanti and A. Ferrari published a comparison of ten model checkers (namely: CADP, CPN Tools, FDR4, NuSMV/nuXmv, mCRL2, ProB,

, TLA+, UMC, and UPPAAL) on a train supervision problem, taking into account both the user-friendliness of the languages and the performance of the tools.

International software competitions

* Since 2007, the Hardware Model Checking Competition (HWMCC) compares the performances of model checking tools oriented towards hardware design. * Since 2011, the Model Checking Contest (MCC) compare performances of model checking tools designed to analyze highly concurrent systems.

References

External links

Tools
a database for verification tools
A list of verification and synthesis tools (public domain repository on GitHub)

A list of verification tools for probabilistic, stochastic, hybrid, and timed systems
;Common benchmarks
MCC
(models of the Model Checking Contest): a collection of hundreds of Petri nets originating from many academic and industrial case studies.
VLTS
(Very Large Transition Systems): a collection of Labelled Transition Systems of increasing sizes, used in many scientific publications. {{DEFAULTSORT:Model Checking Tools Formal methods tools Lists of software