Software Modelling and Analysis

Short Notes on

Model Checking Tools

 Spin Model Checker

SPIN is a general tool for verifying the correctness of concurrent
software models in a rigorous and mostly automated fashion. It was written
by Gerard J. Holzmann and others in the original Unix group of the
Computing Sciences Research Center at Bell Labs, beginning in 1980. The
software has been available freely since 1991, and continues to evolve to
keep pace with new developments in the eld
Failure of System Software might be a disaster. To avoid software system
failure, We have to prove the correctness of a system software and
sonVeri cation of software is needed. SPIN is designed to provide An
intuitive, program-like notation for specifying design choices unambiguously
without implementation detail. Powerful, concise, notation for expressing
general correctness requirements. Scalability : Reduce limitation of problem
size, machine memory size, maximum runtime

Spin accepts specifications written in a meta-language named PROMELA,

(short for Process Meta Language). The semantics of the language are
carefully chosen to make it impossible to define anything other than models
for which the reachable system states can, in principle be enumerated
exhaustively, thus guaranteeing the decidability of standard safety and
liveness properties.
The three main types of objects that can be manipulated are
a. processes,
b. channels, and
c. variables.
Only a bounded number of each of these types of objects can be instantiated.
The focus of the language, and of the model checking system behind it, is on
the specification of the interactions in a distributed system (i.e., on
coordination); the focus is deliberately not on the specification of
computations . This means that the language is strong in its support for all the
ways in which concurrent processes might interact, through message
channels, rendezvous operations, or through the manipulation of shared
variables. For the same reason the language is weak in the expression of the
computational aspects of programming. There is, for instance, no support for
floating point operations, no support for explicit memory or process
management, and only rudimentary support for functions.

RA1911033010088
fi

fi
.

ISABELLE
The Isabelle automated theorem prover is a higher-order logic (HOL)
theorem prover, written in Standard ML and Scala. As an LCF-
style theorem prover, it is based on a small logical core (kernel) to
increase the trustworthiness of proofs without requiring — yet supporting
explicit proof objects. Isabelle was named by Lawrence
Paulson after Gérard Huet's daughter

Isabelle is a generic proof assistant. It allows mathematical formulas to

be expressed in a formal language and provides tools for proving those
formulas in a logical calculus. The main application is the formalisation
of mathematical proofs and in particular formal veri cation, which
includes proving the correctness of computer hardware or software and
proving properties of computer languages and protocols
The most widespread instance of Isabelle nowadays is Isabelle/HOL,
which provides a higher-order logic theorem proving environment that is
ready to use for big applications
Isabelle/HOL includes powerful speci cation tools, e.g. for
(co)datatypes, (co)inductive de nitions and recursive functions with
complex pattern matching
Proofs are conducted in the structured proof language Isar, allowing for
proof text naturally understandable for both humans and computers
For proofs, Isabelle incorporates some tools to improve the user's
productivity. In particular, Isabelle's classical reasoner can perform long
chains of reasoning steps to prove formulas. The simpli er can reason
with and about equations. Linear arithmetic facts are proved
automatically, various algebraic decision procedures are provided.
External  rst-order provers can be invoked through sledgehammer
Abstract speci cations are supported by a module system (known as
locales), of which type classes are a special case

RA1911033010088
fi
fi
.

fi
.

fi
.

fi
fi
.

 NuSMV
NuSMV is a reimplementation and extension of SMV symbolic model
checker, the rst model checking tool based on Binary Decision
Diagrams (BDDs). The tool has been designed as an open architecture for
model checking. It is aimed at reliable veri cation of industrially sized
designs, for use as a backend for other veri cation tools and as a research
tool for formal veri cation techniques
NuSMV has been developed as a joint project between ITC-IRST (Istituto
Trentino di Cultura in Trento, Italy), Carnegie Mellon University, the University
of Genoa and the University of Trento
NuSMV 2, version 2 of NuSMV, inherits all the functionalities of NuSMV.
Furthermore, it combines BDD-based model checking with SAT-based model
checking. It is maintained by Fondazione Bruno Kessler, the successor
organisation of ITC-IRST

NuSMV supports the analysis of speci cations expressed in CTL and LTL.

User interaction is performed with a textual interface, as well as in batch
mode

NuSMV is a reimplementation and a reengineering of the SMV model checker

developed by McMillan at Carnegie Mellon University during his PhD
With respect to SMV, NuSMV provides the following additional features
1. Interaction. In addition to the usual SMV batch mode, NuSMV provides
a textual interaction shell.

Through the shell the user can activate various NuSMV computation
steps as system commands with different options. These computation
steps can therefore be invoked separately and possibly undone
2. Analysis of invariants. Specialized routines allow for checking
invariants, i.e. formulae which must hold uniformly on the model, on the
y during reachability analysis
3. Partitioning methods. The model can be partitioned conjunctively and
disjunctively. The partitions can be inspected, and (for the conjunctive
case) ordered according to the heuristics de ned in 
4. LTL Model Checking. LTL model checking is performed via reduction to
CTL model checking, according to the algorithm proposed in . An LTL
speci cation is automatically converted into a tableau, which is then
used to extend the model in synchronous product. The result is provided
by checking the truth of a CTL formula in the extended model

RA1911033010088
fl
fi
.

fi
fi
.

fi
fi
fi
fi
.