A generic bounded model checker.
Kiwami accepts a Kripke structure, a temporal property, and a bound as inputs and either produces a counterexample violating the property or a satisfaction claim under the bound.
It encodes the given structure and property into SMT formulas backed by a solver.
- Modeling language
- In-memory structure / property specification
- Structure checking
- Termination / Maximal step calculation
- Structure minimization
- Encode Kripke structure
- Generate SMT-LIB programs
- LTL model checking
- CTL model checking
- Property simplification
- Z3 Theorem Prover backend
The current version uses the existential model checking technique to check properties by searching a witness trace satisfying their negation release positive normal form.
.lts: model program.smt2: generated SMT program.out: solver output
Input: MutualExclusion.lts
model MutualExclusion {
s0: {}
s1: {critical0}
s2: {critical1}
s3: {critical0, critical1}
init = s0
s0 -> s1
s1 -> s0
s0 -> s2
s2 -> s0
ltl G !(critical0 and critical1)
}
Output:
Unsatisfied under bound 2:
□(¬((critical0) ∧ (critical1)))
with a counterexample:
s0 ()
s2 (critical1)
s3 (critical1, critical0)
It is recommended to experience the in-development version by running test cases in LTLCheckerTest.
LTLCheckerTest accepts a sample structure and LTL property, automatically generates, executes an SMT-LIB program by
Z3 Theorem Solver, and parses the output.
- Java 17
- Maven 3.6+
- Z3 Theorem Prover 4+
mvn clean compile assembly:single- Biere, A., Cimatti, A., Clarke, E. M., Strichman, O., & Zhu, Y. (2003). Bounded model checking.
- Clarke, E., Biere, A., Raimi, R., & Zhu, Y. (2001). Bounded model checking using satisfiability solving. Formal methods in system design, 19(1), 7-34.
- Z3 Theorem Prover