A generic bounded model checker.

Kiwami accepts a Kripke structure, a temporal property, and a bound as inputs and either produces a counterexample violating the property or a satisfaction claim under the bound.

It encodes the given structure and property into SMT formulas backed by a solver.

• Modeling language
• In-memory structure / property specification
• Structure checking
• Termination / Maximal step calculation
• Structure minimization
• Encode Kripke structure
• Generate SMT-LIB programs
• LTL model checking
• CTL model checking
• Property simplification
• Z3 Theorem Prover backend

The current version uses the existential model checking technique to check properties by searching a witness trace satisfying their negation release positive normal form.

• .lts: model program
• .smt2: generated SMT program
• .out: solver output

Input: MutualExclusion.lts

model MutualExclusion {
    s0: {}
    s1: {critical0}
    s2: {critical1}
    s3: {critical0, critical1}

    init = s0

    s0 -> s1
    s1 -> s0
    s0 -> s2
    s2 -> s0

    ltl G !(critical0 and critical1)
}

Output:

Unsatisfied under bound 2:
□(¬((critical0) ∧ (critical1)))
with a counterexample:
s0 ()
s2 (critical1)
s3 (critical1, critical0)

It is recommended to experience the in-development version by running test cases in LTLCheckerTest. LTLCheckerTest accepts a sample structure and LTL property, automatically generates, executes an SMT-LIB program by Z3 Theorem Solver, and parses the output.

• Java 17
• Maven 3.6+
• Z3 Theorem Prover 4+

mvn clean compile assembly:single

• Biere, A., Cimatti, A., Clarke, E. M., Strichman, O., & Zhu, Y. (2003). Bounded model checking.
• Clarke, E., Biere, A., Raimi, R., & Zhu, Y. (2001). Bounded model checking using satisfiability solving. Formal methods in system design, 19(1), 7-34.
• Z3 Theorem Prover